Regulatory compliance is an organization's adherence to laws, regulations, guidelines and specifications relevant to its business. Violations of regulatory compliance regulations often result in regulatory actions, including federal fines, and the possibility of litigation.
There are different regulatory compliance laws for different market verticals, such as the following:
Regulatory compliance not only creates a defense against threats, but it also offers an opportunity to consistently strengthen your organization through strategic, proactive measures, such as best practices, employee training, and internal technical and process controls.
Virtualization is a significant movement within IT environments that enables many organizations to reduce storage and processing costs while simplifying overall management and improving scalability. It improves the efficiency of workloads, but it also depends on the hardware platform it is built on and on the security of that hardware in terms of access and control. There are many degrees of virtualization, but all create a virtual representation of an operating system, server, storage device, or network resource in order to abstract operations from physical devices.
Virtualization has generated a trend toward cloud computing environments in which data, applications, and software based network overlay infrastructure can reside anywhere and services are delivered where needed, as needed, on demand to any device or end user.
Public clouds enable organizations to reduce their capitalized IT infrastructure, as well as management costs and complexity, by storing assets on a shared, but secured, hosted infrastructure. Enterprises can also build their own private clouds, with data center environments that can deliver cloud-based services within their own organization.
Along with the benefits of public cloud and virtualization come unique challenges, including but not limited to segmentation, data storage, access control, forensic auditing, logging, monitoring, and alerting across the complete network paradigm.
Compliance is not a one-time process; rather, it is a continuous cycle of assessing the environment, remediating the issues, and then reporting and filing.
Figure 5-1 Compliance Process Cycle
Although achieving compliance requires more than just technology, the network is critical in supporting organizations' compliance strategies. Cisco VMDC Cloud Security 1.0 offers a Unified Compliance Solution Framework with guidelines that facilitate addressing multiple regulatory compliance requirements from one network infrastructure. When working with the network, it is essential to address the scope of the compliance. The cost of compliance and complexity increases in proportion to the scope. Certain techniques and guidelines are provided on how to minimize the scope of the compliance more effectively and efficiently. There are some common themes among various compliance objectives, such as segmentation of traffic among tenants, identity and access control, and encryption of data at rest and in motion.
For example, it is recommended to use secure HTTP (HTTPS) and Secure Shell (SSH), which are secure replacements for the HTTP and Telnet protocols. The replacement protocols use secure sockets layer (SSL) and transport layer security (TLS) to provide device authentication and data encryption. These protocols are encrypted for privacy, and the unsecured protocols (Telnet and HTTP) are turned off on all the devices within the reference architecture.
In general there is a cost associated with achieving compliance that should be balanced against a potentially much larger set of costs if the organization is non-compliant.
Providing regulatory compliance on a cloud deployment infrastructure requires a larger initial investment for service providers. The following list shows a few areas where compliance can increase costs.
2. Audits (Internal & External)
Other areas that can increase cost include proper processes, physical security, policies and planning.
As stated above, there are various factors that incur cost for achieving compliance as well as factors that incur much higher cost for non-compliance. Some of the key factors are shown below:
2. Reputation of the service provider
6. Litigation or Arbitration Settlement Costs
To help reduce the risk of non-compliance, VMDC Cloud Security helps a service provider achieve compliance for its cloud deployment more efficiently by providing guidance and gap analysis for all three vertical deployments.
The PCI Data Security Standard (PCI DSS) provides guidance for securing payment card data. It includes a framework of specifications, tools, measurements, and support resources to help organizations ensure the safe handling of cardholder information. PCI DSS provides an actionable framework for developing a robust payment card data security process, including prevention, detection, and appropriate reaction to security incidents.
PCI DSS version 3.0 introduces changes to the standard. The 12 core security areas shown below remain the same, but the updates include several new sub-requirements that did not exist previously. PCI DSS version 2.0 remains active until December 31, 2014, and organizations are required to comply with PCI throughout; PCI DSS version 3.0 officially goes into full effect on January 1, 2015 (Table 5-1).
The new PCI DSS 3.0 requirements address the following areas:
1. Lack of education and awareness
2. Weak passwords, authentication
3. Third-party security challenges
4. Slow self-detection, malware
5. Inconsistency in assessment
PCI DSS 3.0 changes are designed to help organizations take a proactive approach to protect cardholder data that focuses on security, not compliance, and makes PCI DSS a business-as-usual practice.
To help meet these requirements, the VMDC Cloud Security 1.0 architecture includes a next-generation IPS, a centralized password and authentication service, and intelligent monitoring and network visibility tools such as Splunk and Cisco CTD, as described in the detailed design section earlier in this document.
When a service provider delivers cloud-based services to organizations such as financial institutions, or to any organization that stores, processes, or transmits cardholder data, those consumers are required to be PCI compliant. However, not all organizations are required to meet the same number of controls. Control requirements are based on the annual volume of credit card transactions and on the manner in which these credit cards are processed, transmitted, and/or stored. In some cases, the organization has the ability to self-assess for PCI compliance. Organizations that process over six million transactions per year must have an annual assessment completed by a Security Assessor (an independent third party or an internal resource that has been approved by the PCI Security Standards Council).
In a multi-service and multi-tenant cloud data center deployment model, intelligent centralized log management is a key element for attaining PCI compliance. Cisco collaborated with technology partner Splunk to gather and aggregate logs from various components of the network and to provide real-time security event analysis and a log history that can assist in a forensic investigation.
One of the greatest challenges to maintaining compliance is the scope of the data center environment: if the service provider keeps their entire data center environment in scope, it may not meet the PCI scope standards. A large scope may include devices and components that do not need to comply, but once in scope, the PCI standards require these devices to be evaluated and audited. Figure 5-2 shows the layout of a complete data center network scope.
Figure 5-2 Scope of a Complete Data Center Network
As shown above, a service provider can bring in third-party auditors to audit the entire data center, including the NGA (NetFlow generator appliance), the WAN edge PE, and the North VRF of the Nexus 7K. This increases the scope of the PCI audit to include components outside the compliance scope. When scoping network components within a data center, understanding the network and information flow is the primary step before properly selecting components.
In the network diagram above, security data is collected from various locations, such as NetFlow traffic from the Nexus 7K aggregation layer using the NGA and NSEL traffic from the ASA, and sent to the logging and monitoring device, Splunk. The data collected from the N7K and the ASA are redundant, because all customer traffic goes through the ASA firewall; thus, the NetFlow traffic can be eliminated from the PCI scope, as shown in Figure 5-3.
Figure 5-3 Traffic Flow Through the ASA Firewall
In the VMDC cloud security architecture, we have narrowed the scope to a limited section of the data center and eliminated the components that may not be required for PCI compliance.
Limiting the scope of the data center from a PCI perspective, as shown above, provides the ability for the VMDC cloud security architecture to achieve compliance efficiently.
The mapping of PCI DSS 3.0 technical controls to the VMDC Cloud Security 1.0 reference architecture is provided in Table 5-2.
Note This mapping is done based on the external audit with reference to the 12 major PCI DSS 3.0 requirements mentioned earlier.
For further details, refer to the Cisco Design Zone VMDC landing page.
Note The completion of a PCI DSS 3.0 assessment or guidance alone will not prevent a compromise of data. This information only addresses the capability of compliance for VMDC Cloud Security 1.0 reference architecture against PCI DSS 3.0 security requirements as published. Recommendations within this guidance are intended only to aid in compliance against the assessed control baselines and prioritized based on perceived business requirements.
The VMDC Cloud Security 1.0 reference architecture provides guidance and tactical designs for HIPAA compliance. It clarifies how the data center network components can address requirements when a service provider delivers services to health professionals or health-related enterprises.
The HIPAA Omnibus Final Rule, released in January 2013, included updates from the Health Information Technology for Economic and Clinical Health (HITECH) Act, breach notification, penalty tiers, and extended HIPAA compliance obligations to include both covered entities and business associates. Any transaction that includes reception, transmission, storage, or processing of protected health information (PHI) in electronic format needs to comply with the HIPAA standards.
The VMDC Cloud Security 1.0 reference architecture uses the National Institute of Standards and Technology (NIST) publication 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. NIST 800-66 encompasses requirements for healthcare organizations and their downstream partners to ensure the security and privacy of electronic Protected Health Information (ePHI).
Note The NIST 800-66 control set applies solely within the United States, in the form of the Health Insurance Portability and Accountability Act (HIPAA). While HIPAA is a United States statute, the VMDC Cloud Security 1.0 reference architecture is versatile and supports configurations to meet stringent security and privacy requirements as they apply to international or non-United States based entities.
The service provider, when deploying the data center to provide services to healthcare enterprises, may be required to meet certain administrative, physical, and technical safeguards as described by the US Department of Health and Human Services.
The HIPAA Omnibus Final Rule consists of three main sections:
– Subpart A—General Provisions §164.1xx
– Subpart C—Security Standards for the Protection of Electronic Protected Health Information §164.3xx
– Subpart D—Notification in Case of Breach of Unsecured Protected Health Information §164.4xx
– Subpart E—Privacy of Individually Identifiable Health Information §164.5xx
Note From an infrastructure perspective, the VMDC Cloud Security 1.0 reference architecture is primarily focused on Part 164 Subpart C (§164.3xx).
The VMDC Cloud Security 1.0 reference architecture does not guarantee HIPAA compliance; rather, it facilitates and provides guidance for achieving compliance. The responsibility for compliance always rests with the data owner.
Table 5-3 shows the mapping of the HIPAA rule controls to VMDC components. It should be noted that there are many controls under each section. For example, under the 164.312 rule, there are more than 20 controls.
For the complete list of controls, the service provider needs to review the HIPAA compliance standards.
There are four major categories that reduce the risk of losing control over PHI data:
Segmentation is a basic building block when becoming HIPAA compliant. In a multi-tenant cloud deployment model, the service provider needs to ensure that all tenants are completely segmented into their individual containers. In some cases within an enterprise, segmentation and isolation are required from a HIPAA perspective, especially if one department is dealing with PHI data and others are not. The VMDC Cloud Security 1.0 reference architecture builds the segmentation and isolation of each tenant end-to-end, using techniques such as Layer 3 VRFs, Layer 2 VLANs, separate firewall contexts, VSANs, and intra-tenant segmentation with VSG. This segmentation using switches may apply to the HIPAA Safeguard for guarding against malicious software as described in 164.308(a)(5)(ii)(B).
The need to segment, separate, and isolate administrative and PHI data is critical in limiting the scope and depth of the security controls applied for HIPAA compliance. By segmenting PHI data from administrative information, service providers can protect PHI data by applying the appropriate controls. Proper segmentation and QoS play a key role when hosting a health care provider: large files, such as imaging and X-rays, can be transferred safely and rapidly.
Firewalls also play a key role in segmenting the traffic and protecting PHI data. The Access Control Lists (ACLs) explicitly permit and/or deny IP traffic that may traverse between inside, outside, and DMZ zones. Routing and access control lists provide segmentation between authorized and unauthorized access on the network. This capability can be mapped to the HIPAA requirement for preventing, detecting, and containing security violations as listed in the Security Management Process 164.308(a)(i), and to protecting ePHI from parts of an organization that are not authorized, such as Isolating Healthcare Clearinghouse Functions 164.308(a)(4)(i).
The VMDC Cloud Security 1.0 reference architecture recommends centralized identity and access management using the Cisco ACS server. Cisco Secure Access Control System (ACS) is a highly scalable, policy-based network access and device administration control platform that centralizes:
Identity management, authentication, authorization, and access control of users and systems to PHI is the central theme in the HIPAA Security Rule safeguards. A strong and manageable identity and access control solution is critical for achieving an assessment finding of a low level of risk under a risk management program in HIPAA.
As mentioned above, identity management should be centralized from the compliance perspective; however, in case of failure of the centralized system, compliance requirements may specify that local identity and access management be configured for emergency access. For example, if an ACS server went down and a health professional needed to access a certain critical application, the service provider administrator should be able to provide some emergency access. This ensures that the ability to control system access during both routine and emergency events is supported. The HIPAA security rule 164.312.(a)(1) Access Control requires that technical policies and procedures be implemented to allow access only to authorized persons or software programs. Non-authorized personnel must not have access, even during a failure of the centralized authorization service.
A particularly critical requirement of the HIPAA Security Rule is the logging, auditing, intrusion detection, and monitoring of PHI data within the service provider environment. In this reference architecture, Splunk plays a key role as the centralized component for collecting application, database, device, and user access logs, as well as enabling the auditing that is critical to effectively supporting a service provider's or business associate's breach management strategy. For HIPAA compliance, real-time intrusion detection and protection of all the tenants that generate PHI or ePHI data is paramount, especially in a large and complex data center deployment such as the VMDC Cloud Security 1.0 reference architecture, where such intrusions and malware may become breaches if not detected in a timely fashion. To provide such services, the reference architecture uses a NextGen IPS that applies deep packet analysis and inspection at line rate. It performs the following:
For example, the IPS/IDS identifies, protects against, or blocks individuals or data exhibiting suspicious activity within the data center. This falls under the HIPAA requirement for identifying and responding to suspected or known security incidents (164.308(a)(6)(ii)).
Logging, auditing, and monitoring are critical factors for a service provider to meet HIPAA Accounting Rule 164.528, and can help identify whether a compromise has occurred that may lead to a breach notification.
As mentioned above, logging should be centralized, but to meet compliance in case of a centralized system failure, logging should also be enabled locally on each of the HIPAA-scoped components.
According to the HIPAA Security Rule, PHI data must be kept secure during transmission under the addressable implementation specification for encryption. There should be application-layer encryption, but additional consideration should be given when PHI leaves the health-related enterprise, such as a clinic, over an Internet service provider (for example, via VPN). In this reference design, the recommendation is to have an SSL VPN between end customers and the service provider cloud data center where the services are deployed. To protect PHI data and prevent unnecessary exposure, encryption and decryption play the most effective role. This enables service providers to meet HIPAA Safeguard 164.312(a)(1)(2)(iv) Encryption and Decryption. Providing encryption of traffic over public networks meets the HIPAA requirements for Transmission Security 164.312(e)(1), Integrity 164.312(e)(2)(i), and Encryption 164.312(e)(2)(ii).
Typically, when healthcare-related tenants transmit PHI data over the Internet to the centralized data center, the data is secured through a demilitarized zone (DMZ). In this reference architecture, a firewall and IPS are used to provide a DMZ for all Internet access from any healthcare-related tenants.
Details on how to create a DMZ within the VMDC Cloud Security 1.0 reference architecture can be found at the link below:
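The SSH/HTTPS-only management described earlier, the local AAA fallback for emergency access when ACS is unreachable, and the centralized-plus-local logging just described can all be verified from a device's running configuration. The audit script below is an added example, not part of this guide or Cisco's tooling; the two IOS-style configurations it checks are constructed for illustration, and the `logging host` and `line vty` forms it looks for are assumptions of the script.

```python
"""Audit an IOS-style running configuration against three controls this
guide calls for: Telnet/plain-HTTP management off (SSH/HTTPS only), AAA
pointed at a central server with a local fallback for emergency access,
and logging sent to a central collector while also buffered locally.
Added example, not Cisco code; both sample configurations are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample: Telnet still allowed, plain HTTP on, no AAA, no central logging.
WEAK_CONFIG = """\
hostname agg-weak
ip http server
line vty 0 4
 transport input telnet ssh
 login local
logging buffered 16384
"""

# Constructed sample that satisfies every check below.
HARDENED_CONFIG = """\
hostname agg-hard
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 10.0.0.5
no ip http server
ip http secure-server
logging buffered 16384
logging host 10.0.0.9
line vty 0 4
 transport input ssh
"""


@dataclass
class Finding:
    control: str
    passed: bool
    detail: str


def _config_lines(config):
    """Drop blank lines and '!' separators; keep indentation (it marks sub-commands)."""
    return [l.rstrip() for l in config.splitlines()
            if l.strip() and not l.lstrip().startswith("!")]


def _vty_transport_inputs(lines):
    """Collect the 'transport input ...' methods configured under each 'line vty' block."""
    inputs, in_vty = [], False
    for line in lines:
        if not line.startswith(" "):          # a top-level command ends the previous block
            in_vty = line.startswith("line vty")
            continue
        if in_vty and line.strip().startswith("transport input"):
            inputs.append(line.split()[2:])
    return inputs


def audit_config(config):
    lines = _config_lines(config)
    tops = {l for l in lines if not l.startswith(" ")}
    findings = []

    # Remote CLI access restricted to SSH on every vty line. A vty with no
    # 'transport input' at all is treated as failing because Telnet may still be reachable.
    vty_inputs = _vty_transport_inputs(lines)
    telnet_possible = not vty_inputs or any("telnet" in m or "all" in m for m in vty_inputs)
    findings.append(Finding("vty-ssh-only", not telnet_possible,
                            ", ".join(" ".join(m) for m in vty_inputs) or "vty unrestricted"))

    # Plain HTTP off ('no ip http server' is a different string, so it does not match)
    # and HTTPS on in its place.
    http_on = "ip http server" in tops
    findings.append(Finding("no-plain-http", not http_on, "ip http server " + ("on" if http_on else "off")))
    https_on = "ip http secure-server" in tops
    findings.append(Finding("https-enabled", https_on, "ip http secure-server " + ("on" if https_on else "off")))

    # AAA: a login method list whose first method is a central server group and whose
    # last method is 'local', so emergency access still works if ACS is unreachable.
    method_lists = [m.group(1).split() for m in
                    (re.match(r"aaa authentication login \S+ (.+)", l) for l in tops) if m]
    aaa_ok = "aaa new-model" in tops and any(
        methods[0] == "group" and methods[-1] == "local" for methods in method_lists)
    findings.append(Finding("aaa-central-with-local-fallback", aaa_ok, f"method lists: {method_lists}"))

    # Logging: a central collector ('logging host <addr>' form assumed) plus a local buffer
    # so events survive loss of the collector.
    central = any(re.match(r"logging host \S+", l) for l in tops)
    local = any(l.startswith("logging buffered") for l in tops)
    findings.append(Finding("central-logging", central, "logging host " + ("present" if central else "missing")))
    findings.append(Finding("local-log-buffer", local, "logging buffered " + ("present" if local else "missing")))
    return findings


def is_compliant(config):
    return all(f.passed for f in audit_config(config))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_config(cfg):
            print(f"  [{'PASS' if f.passed else 'FAIL'}] {f.control}: {f.detail}")
```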
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/VMDC/2-3/design_guide/VMDC_2-3_DG.pdf
Note The completion of a HIPAA assessment or guidance alone will not prevent a compromise of data. This information addresses only the capability of compliance for VMDC Cloud Security 1.0 reference architecture against HIPAA security requirements as addressed by NIST. Recommendations within this guidance are intended only to aid in compliance against the assessed control baselines and prioritized based on perceived business requirements.
Title III of the E-Government Act, also known as FISMA, requires federal agencies or their service providers to implement risk-based information security programs. The National Institute of Standards and Technology (NIST) provides the Risk Management Framework in a series of Federal Information Processing Standards (FIPS) and special publications.
To meet compliance requirements of the Federal Information Security Management Act (FISMA), service providers and federal agencies must include planning, processes, and technology together to make effective use of resources and money while protecting the confidentiality, integrity, and accessibility of mission-critical information systems.
To aid in both cost-effectiveness and risk-based decision making, information systems are categorized based on the type of information being processed. The resulting categorization is then utilized to select the appropriate security controls to be implemented. Once implemented, the controls are assessed and if appropriately applied, are authorized for operation within the federal sector. Continuous monitoring activities take place to ensure security controls continue to operate and provide sufficient protection.
Without a thorough understanding of FISMA and security control implementations, many solutions do not integrate FISMA compliance into their development life cycles. Without security integration, configuring solutions to comply with FISMA becomes a complicated and tedious process that contributes to excessive financial and labor costs. Organizations will find that implementing new solutions into an existing architecture is like fitting a square peg into a round hole for each individual control. In some instances, system customization must be performed to meet requirements. These complications add to an already high-dollar compliance program.
The Self-Defending Network is Cisco's strategy to protect federal organizations from security threats caused by both internal and external sources. This protection enables government agencies and their service providers to take better advantage of the intelligence in network resources, thus improving overall security while addressing FISMA requirements.
The VMDC Cloud Security 1.0 solution can help service providers meet FISMA requirements, including mitigations for unauthorized access, malicious code, scans and probes, improper usage, and denial-of-service attacks.
In an increasingly dynamic environment facing advanced persistent threats, the challenge of effectively achieving and maintaining FISMA compliance can be significant. Within a data center, virtualization is another key challenge that can delay and jeopardize compliance if not properly deployed with various security controls.
The biggest challenge with FISMA is that most organizations do not have personnel that fully understand the FISMA compliance process. The NIST recommended controls are very non-prescriptive and thus are not easily understood by typical IT staff. This means that the already time consuming task of working towards FISMA compliance becomes almost impossible with inexperienced staff.
Another challenge is that there are no “out of the box/off the shelf” solutions to ensure compliance with specific technical controls. Most hardware and software put into place have to be meticulously configured in a way that is not covered in the manufacturer’s guide to meet the control requirements. Configuring the hardware and software considered in scope for FISMA compliance requires extra time to research, test, and implement these changes, all while still being unsure whether or not it’s actually meeting the requirement.
The FISMA Gap Assessment process focused on the security of information systems by determining whether Cisco has effectively implemented the capabilities required to apply adequate security measures that comply with the requirements as outlined by NIST.
VMDC Cloud Security 1.0 reference architecture was assessed against a moderate impact baseline. 86 of 265 controls were applicable, including controls within Access Control, Audit and Accountability, Identification and Authentication, System and Services Acquisition, System and Communication Protection, and System and Information Integrity families.
The VMDC Cloud Security 1.0 reference architecture assessment found all 86 of the controls identified above as being satisfied when an organization implements the Cisco VMDC architecture in accordance with Cisco's configuration documentation. These controls aid service providers by providing guidance with numerous NIST control families including Access Control, Audit and Accountability, Identification and Authentication, System and Services Acquisition, System and Communication Protection, and System and Information Integrity. Leveraging the technical controls defined by and audited within the Cisco VMDC architecture provides better guidance for service providers who need to meet the FISMA requirements.
Integration of the VMDC solution into a FISMA compliant architecture will allow service providers, large enterprises, and federal agencies to mitigate impacts on two levels: system integration, and system management. Service providers deploying VMDC 2.x-based reference architecture are capable of implementing predefined configurations that are known to be compliant, and more importantly, secure, using Cisco best practices and recommendations.
During the FISMA audit, auditors subjected the VMDC solution to a rigorous assessment that resulted in 86 security controls for direct implementation. The second level of impact exists where organizations have the capability of integrating the VMDC solution into a secure environment and adapting existing operational and management controls. This two-tiered benefit achieves FISMA alignment for secure system integration and management within the environment.
The VMDC Validated Design feature enables a transparent network flow from the physical to the virtual network, enabling agile operations and simpler management. It can create multiple security zones that logically separate tenant resources from one another in the virtual network and allow fault-tolerant virtual machine movement. Edge security protects the data center from external threats and offers secure contextual access to data center resources. The NextGen IPS provides deep packet inspection and blocks all possible cyber threats before they can impact the network. Similarly the network visibility tools and log monitoring help service providers to see the full picture of their network continually to better enable proactive management in a timely fashion. All of these security features within VMDC provide a seamless mapping and integration of FISMA controls.
The Federal Information Security Management Act (FISMA) framework establishes baseline security criteria for all federal agencies and contractors of the United States Government. The standard is currently on Revision 4 and applies solely within the United States; however, many of its common requirements are shared by international standards. The reference architecture is a versatile solution and supports configurations to meet stringent security and privacy requirements as they apply to international or non-United States based entities.
There are various areas that FISMA requires to be addressed before any organization attempts to attain FISMA compliance. A summary of the VMDC solution's ability to meet such compliance requirements is shown in the table below. There are controls from various sections of the FISMA guidance that may not apply directly to VMDC, for example, training and awareness for information security personnel, maintenance, and physical protection for the network and data center.
With all the complexity surrounding FISMA, organizations can find the compliance process challenging. VMDC alleviates obstacles by taking care of the majority of the most difficult technical requirements to implement. By using VMDC, organizations can focus their efforts on the operational and management controls associated with FISMA, allowing them to move quickly through the compliance process.
Several tools are available within the VMDC environment to help facilitate FISMA compliance, including ASA firewalls, Cisco FirePOWER IDS/IPS, Lancope StealthWatch, Cisco ACS, and Splunk.
Customized ASA firewalls are used to properly segment each organization's FISMA boundary from other environments. Firewalls are required between any FISMA and non-FISMA environment per the System and Communication Protection family of FISMA controls.
Splunk, which is Security Information and Event Management (SIEM) software, covers many of the FISMA controls within the environment, including the Audit and Accountability family of controls. Audit and Accountability requires the use of a centralized log server that has the ability to discover and alert upon anomalies within the logs.
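What "discover and alert upon anomalies" looks like for the Audit and Accountability family, as an added example that is neither Splunk content nor code from this guide: a correlation over constructed login events from several VMDC devices. The burst of failed logins from one source is only visible once events from every device land in one place; each device's own count stays below the threshold.

```python
"""Correlate login failures across devices the way a central log server can
and a per-device check cannot. Added example (not Splunk or Cisco code); the
log lines are constructed in a simplified '<timestamp> <host> key=value ...'
form, not the native ASA or Nexus syslog format.
"""
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60   # correlation window
THRESHOLD = 5         # failed logins from one source within the window

# Constructed events: one source probes three devices (five failures in 8 seconds),
# while a legitimate operator fails twice, 35 minutes apart.
SAMPLE_LOGS = """\
2014-11-03T10:00:01Z asa-tenant-a event=login_failed user=admin src=203.0.113.7
2014-11-03T10:00:03Z asa-tenant-b event=login_failed user=admin src=203.0.113.7
2014-11-03T10:00:05Z n7k-agg-1 event=login_failed user=admin src=203.0.113.7
2014-11-03T10:00:06Z asa-tenant-a event=login_failed user=root src=203.0.113.7
2014-11-03T10:00:08Z asa-tenant-b event=login_failed user=root src=203.0.113.7
2014-11-03T10:00:09Z n7k-agg-1 event=login_ok user=ops src=10.1.1.20
2014-11-03T10:05:00Z asa-tenant-a event=login_failed user=ops src=10.1.1.20
2014-11-03T10:40:00Z asa-tenant-a event=login_failed user=ops src=10.1.1.20
"""


def parse_event(line):
    """Split '<ts> <host> k=v k=v ...' into a dict with a parsed timestamp."""
    ts, host, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    event["host"] = host
    return event


def iter_events(log_text):
    for line in log_text.splitlines():
        if line.strip():
            yield parse_event(line)


def detect_failed_login_bursts(log_text, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Alert when one source accumulates `threshold` failures across all devices
    within `window` seconds (sliding window, one alert per burst)."""
    recent = defaultdict(deque)       # src -> deque of (ts, host, user) inside the window
    alerts = []
    for ev in iter_events(log_text):
        if ev.get("event") != "login_failed":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["host"], ev["user"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window:   # slide the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "src": ev["src"],
                "count": len(q),
                "hosts": sorted({h for _, h, _ in q}),
                "users": sorted({u for _, _, u in q}),
                "first": q[0][0],
                "last": ev["ts"],
            })
            q.clear()                 # do not re-alert on the same burst
    return alerts


def per_device_failure_counts(log_text, src):
    """What a device-local view sees for `src`: failures per host, no correlation."""
    counts = defaultdict(int)
    for ev in iter_events(log_text):
        if ev.get("event") == "login_failed" and ev["src"] == src:
            counts[ev["host"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in detect_failed_login_bursts(SAMPLE_LOGS):
        print(f"ALERT {a['src']}: {a['count']} failed logins on {a['hosts']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
    print("per-device view:", per_device_failure_counts(SAMPLE_LOGS, "203.0.113.7"))
```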
The Cisco FirePOWER Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) monitors both inbound and outbound network traffic. If anomalies are found during monitoring, Cisco FirePOWER can be configured to send an alert email to an organizational resource when it has identified malicious traffic. For specific types of anomalies, the IPS function of the appliance automatically identifies attack signatures and prevents the malicious traffic from recurring. This layer of security helps cover requirements across all areas, but mainly assists in the implementation of controls within the System and Communication Protection family of FISMA controls.
Cisco CTD uses network device telemetry to provide deep, complete visibility across the network core, enabling security operators to understand and use network traffic details to discover anomalies. Deploying Cisco CTD across networks can provide information and visibility to support security operators in a variety of threat detection tasks, including:
Implementation of Cisco CTD assists in meeting FISMA requirements, mainly for Audit and Accountability and Incident Reporting, including forensic audit capability.
Cisco Secure Access Control Server (ACS) is a highly scalable, high-performance access control server that operates as a centralized RADIUS and TACACS+ server. It extends access security by combining authentication, user access, and administrator access with policy control within a centralized identity networking solution, allowing greater flexibility and mobility, increased security, and user-productivity gains.
Cisco Secure ACS enforces a uniform security policy for all users regardless of how they access the network. It reduces the administrative and management burden involved in scaling user and administrator access to the network. By using a central database for all user accounts, Cisco Secure ACS centralizes the control of all user privileges and distributes them to hundreds or thousands of access points throughout the network.
Cisco Secure ACS provides a centralized identity networking solution and simplified user management experience across all Cisco devices and security management applications. It helps to ensure enforcement of assigned policies by allowing network administrators to control:
Cisco Secure ACS addresses concerns about compliance by supporting features associated with administrator permission and audit reports:
ACS helps service providers meet FISMA requirements in multiple areas, such as Access Control, Audit and Accountability, Risk Management, and Identification and Authentication.
For further details, refer to the Cisco Design Zone VMDC landing page.
Note The completion of a FISMA assessment or guidance alone does not prevent a compromise of data. This guide addresses only the capability of compliance for VMDC Cloud Security 1.0 reference architecture against FISMA security requirements as published by NIST. Recommendations within this guidance are intended only to aid in compliance against the assessed control baselines and prioritized based on perceived business requirements.
1. Demonstrated solutions to critical technology-related problems in evolving IT infrastructure—Provides support for cloud computing, applications, desktop virtualization, consolidation and virtualization, and business continuity.
2. Reduced time to deployment—Provides best-practice recommendations based on a fully tested and validated architecture, facilitating technology adoption and rapid deployment.
3. Reduced Risk—Enables enterprises and service providers to deploy new architectures and technologies with confidence.
4. Increased Flexibility—Provides rapid, on-demand, workload deployment in a multi-tenant environment using a comprehensive automation framework with portal-based resource provisioning and management capabilities.
5. Improved Operating Efficiency—Integrates automation with a multi-tenant pool of computing, networking, and storage resources to improve asset use, reduce operation overhead, and mitigate operation configuration errors.