3. Introduction
• Achieving Restricted (IL3) accreditation of service is not easy
• Presentation covers experiences gained from achieving accreditation of Restricted (IL3) services for Atos
• Not an exhaustive list - just the highlights
| Identity, Security and Risk Management from Atos Consulting
4. Before You Start …
• Review your solution against:
  • CESG Architectural Patterns
  • CESG Good Practice Guides
  • IS Standards
• Check that your ISO 27001 Certification is:
  • Current
  • Suitably scoped
  • UKAS Certified (recognized)
• CESG-like compliancy matrices against the relevant GPGs
• Read the PSN Code
5. Key Security Controls
• Make sure applications:
  • Address the OWASP Top Ten
  • Think about limiting concurrent logins
  • Think about defense in depth
    • Input Validation
    • Parameterized Stored Procedures
    • Output Validation
• Manage Out-of-Bands
  • Separate Interface
  • Not via the Internet
• Lock everything down against Industry Guides (Centre for Internet Security)
• Use CPA approved or Common Criteria Approved products
6. Support
• Keep it in the UK at Restricted (IL3)
• Use secure protocols
  • SSH
  • HTTPS
• Use dedicated support terminals
• CESG approved encryption across insecure networks
  • Issue with approved products
• Support from the office - not via Internet/Remote Access
• Cleared staff
  • Another issue
7. Consider hosting in a pre-accredited Service
• A number of accredited "hosting" environments:
  • Atos
  • Skyscape
  • Lockheed Martin
  • SCC
• Not all the same, each has its strengths and weaknesses
• Look at what you get against your needs:
  • Internet Connection
  • PSN Connection
  • Support Connections
  • Monitoring
  • Patching
  • Disaster Recovery
  • Protective Monitoring
8. Things that catch you out …
• Staff Clearances
  • Cabinet Office will clear small number
  • SC for privileged users
• Key Material for CAPS products
  • No easy route to gain
  • No real alternative
• Penetration Tests
  • Recent - a test that is many months old is no good
• Single vulnerability allowing inter-network connection
• CESG Design Review
9. The PGA is …
• Risk averse
• Well briefed
• Has a lot of backup
• Aligned with CESG Guidance