3. Introduction
•
Achieving Restricted (IL3) accreditation of service is not easy
•
Presentation covers experiences gained from achieving accreditation of Restricted
(IL3) services for Atos
•
Not an exhaustive list – just the highlights
| Identity, Security and Risk Management from Atos Consulting
4. Before You Start …
•
Review your solution against:
•
•
•
•
CESG Architectural Patters
CESG Good Practice Guides
IS Standards
Check that your ISO 27001 Certification is:
•
•
•
Current
Suitably scoped
UKAS Certified (recognized)
CESG like compliancy matrices against the relevant GPG’s
Read the PSN Code
| Identity, Security and Risk Management from Atos Consulting
5. Key Security Controls
•
Make sure applications:
•
•
•
Address the OWASP Top Ten
Think about limiting concurrent logins
Think about defense in depth
• Input Validation
• Parameterized Stored Procedures
• Output Validation
•
Manage Out-of-Bands
• Separate Interface
• Not via the Internet
•
Lock everything down against Industry Guides (Centre for Internet Security)
•
Use CPA approved or Common Criteria Approved products
| Identity, Security and Risk Management from Atos Consulting
6. Support
•
Keep it in the UK at Restricted (IL3)
•
Use secure protocols
• SSH
• HTTPS
•
Use dedicated support terminals
•
CESG approved encryption across insecure networks
• Issue with approved products
•
Support from the office – not via Internet/Remote Access
•
Cleared staff
• Another issue
6
| Identity, Security and Risk Management from Atos Consulting
7. Consider hosting in a pre-accredited Service
A number of accredited ‘hosting’ environments:
•
•
•
•
•
Atos
Skyscape
Lockheed Martin
SCC
•
Not all the same, each has its strengths and weaknesses
•
Look at what you get against your needs:
• Internet Connection
• PSN Connection
• Support Connections
• Monitoring
• Patching
• Disaster Recovery
• Protective Monitoring
7
| Identity, Security and Risk Management from Atos Consulting
8. Things that catch you out ….
•
Staff Clearances
• Cabinet Office will clear small number
• SC for privileged users
•
Key Material for CAPS products
• No easy route to gain
• No real alternative
•
Penetration Tests
• Recent – many month old test is no good
•
Single vulnerability allowing inter-network connection
•
CESG Design Review
8
| Identity, Security and Risk Management from Atos Consulting
9. The PGA is ….
•
Risk adverse
•
Well briefed
•
Has a lot of backup
•
Aligned with CESG Guidance
9
| Identity, Security and Risk Management from Atos Consulting