Multi-factor authentication as a service: can there be a "cloud" service based on a certified solution?

In the previous article, already the third in the series "Multi-factor Authentication as a Service", we discussed the not-so-obvious, and often completely hidden, issues of choosing and implementing two-factor authentication cloud services: the so-called "pitfalls" of 2FA services, which are usually "discovered" only through one's own experience. Today we will look at a special type of cloud service, one based on a certified 2FA solution. Can a service based on a certified solution be "cloud-based" at all? Does this contradict the law? What tasks can such a service help you solve? What conditions should the supplier meet, and what are the advantages of such services for the customer?

2FA-certified service — who can and who should use it?

Let's start with an example. Some time ago, we were contacted by representatives of a real service company, who asked: "What do we need to do so that our service can be used for GIS? As well as for ISPDn, automated process control systems, and CII objects... We only need a certified environment, don't we?" We began to clarify: "Only the certified environment? What about the product itself, and your service? And to whom, in fact, is this service offered?" Then our colleagues, already with some doubt, answered: "But we were told that the product itself does not need to be certified!"

So, even employees of a company with experience in providing real services in the field of information security did not sufficiently understand how services are built and provided for state information systems (GIS), critical information infrastructure objects (CII) and other information systems. They thought that if a service company deployed a certain certified virtualization environment and had it certified, this automatically gave them a free hand: now they could deploy any solutions they wanted and provide any services to anyone on that basis! By the way, other potential partners of ours took the opposite view: that a service based on a certified 2FA solution cannot be "cloud-based" at all. So where is the truth? Let's try to figure it out.

State information systems. According to FSTEC Order No. 17 of February 11, 2013, GIS owners are required to certify their systems and use only certified information security tools. Multi-factor authentication is one of the mechanisms for ensuring information security, so the 2FA solution used must be certified. At the same time, many manufacturers of certified information security tools (even those certified for a high level of trust and a high class) officially state that they rely on external multi-factor authentication mechanisms. So, despite the fact that these manufacturers' solutions are certified, customers will inevitably find that an important part of the security mechanisms these certified tools depend on is not covered when their information systems are certified. It turns out that a separately certified 2FA solution has to be obtained from somewhere! As you can see, there are two options:
  1. Purchase and deploy a certified 2FA tool in your own information infrastructure. How to do this correctly is not considered in our series of articles; the manufacturer itself will certainly help and advise in detail.
  2. Use a service deployed on the basis of a certified 2FA tool. But you need to obtain this service, relatively speaking, "as certified".

So, when an organization that operates or connects to GIS has chosen to use a 2FA service (and we discussed how to make a decision in favor of the service and what to pay attention to in the second and third articles), you need to get a "certified" service from the supplier. This means that the service itself must be implemented on the basis of a certified 2FA solution, and the vendor's information system (information infrastructure) in which the service is deployed must be certified.

In our experience, a certified 2FA service is suitable for organizations that operate or connect to GIS in the following cases:
  • a small number of users of the two-factor authentication service (for example, several administrators and several key users);
  • lack of opportunities and / or necessary resources for implementing a certified 2FA tool and organizing your own internal service;
  • other restrictions that arise due to the specifics of the organization that operates or connects to GIS.

Other information systems — ISPDn, automated process control systems, CII. According to the requirements of the legislation (in particular, No. 152-FZ "On Personal Data", No. 187-FZ "On the Security of the Critical Information Infrastructure of the Russian Federation", No. 149-FZ "On Information, Information Technologies and Information Protection", as well as Order No. 235 of the FSTEC of Russia dated December 21, 2017 and Order No. 239 of the FSTEC of Russia dated December 25, 2017), the decision on whether to use certified information security tools in such systems is made by the operator itself. If the operator has decided that it needs certified tools, then it may (!) use them. And if it has decided that it will not use certified information security tools, then no one can force it or demand otherwise. Accordingly, when such an organization is faced with the need to strengthen the basic authentication functions in its information systems and decides to use a 2FA service, it can decide for itself whether to use a service based on a certified solution or not.

We believe that a certified service based on a certified 2FA solution is suitable only for those operators of ISPDn, automated process control systems and CII systems who refrain from, or for some reason are unable to, conduct an independent assessment of compliance with the requirements in the form of acceptance or testing of the information security tools used. In this case, a 2FA-certified service can help reduce the risks associated with regulatory audits.

The main criterion is the maturity of the information security service!

Let us venture to assume that, when operating the information systems listed above (ISPDn, automated process control systems, CII), the criterion for choosing between a certified and a non-certified 2FA solution, as well as between services based on them, is the maturity of the information security service at the particular enterprise.

Those information security services that have experience in developing ORDs (organizational and administrative documentation), in modeling security threats to their information systems, in implementing software and hardware information protection tools and independently testing them, and, most importantly, that employ the appropriate highly qualified staff — such information security services will most likely prefer not to use certified tools. First, this is a more budget-friendly option, since, as a rule, certified solutions are more expensive than their non-certified counterparts. Second, the use of non-certified solutions and, accordingly, of "cloud" services based on them can provide the flexibility and ease of use of information systems that end users and management expect from an information security service.

If the organization does not have a sufficient number of highly qualified information security employees with such experience (especially in the specific field of multi-factor authentication), then the option of using certified information security tools and cloud-certified services based on them may well be considered.

By deciding to use non-certified solutions to provide information security for their information systems (this applies only to ISPDn, automated process control systems, and CII) and assuming responsibility for their independent testing and acceptance, organizations gain the opportunity to choose and use the information security tools that suit them best: both certified and non-certified. There is no need at all to be afraid of using non-certified tools and services built on them. As we discussed earlier, they can provide more flexibility for users, and they can save money for the organization. But are there any advantages to using certified solutions and certified services? What are these advantages?

Certification as one of the proofs of reliability and security of cloud services

Let's imagine that a service provider offers a cloud-based multi-factor authentication service that the customer uses in a critical process: to authenticate users in its key systems. Obviously, the availability of such a service should be high. Loss of availability may occur due to equipment failure or administrative errors, but also due to NSD (unauthorized access). Therefore, the mechanisms for ensuring the information security of such a service are extremely important. And when choosing a cloud service based on a certified 2FA solution, the customer, in addition to the selection and implementation stages that we formulated in the previous article, simply has to make sure that all security issues in the organization of the service have been resolved. Certification is one of the proofs of this! Why can we say that?

Quality of testing. Our experience shows that currently all the results of tests carried out during certification are subject to regulatory verification. Therefore, the organizations that conduct these tests do not conduct them as a formality, but carefully, meticulously and professionally. The checks cover not only formal verification against regulatory requirements, but also "field" tests of the implementation of security functions and the drafting of the corresponding protocols. In particular, the certification process includes: checking that a threat model exists and analyzing it in detail, checking that the threat model has been agreed with the regulator, analyzing the project documentation that confirms the effectiveness of countermeasures against current threats, as well as vulnerability analysis (in which vulnerabilities are actually detected and eliminated) and functional testing that confirms the implementation of the required security measures.

Checking for the presence of ORDs. Of course, we can't check absolutely all processes during the certification tests, but we do check that the processes are documented, which allows us to detect errors in how they are organized. During certification, the following must be checked: the availability of project documentation, its completeness, and whether the current implementation of the security system matches that project documentation. We believe these questions are very important, because preparing for certification is what allows information security to be ensured in practice.

Analysis of information system vulnerabilities and measures to eliminate them. This is mandatory when certifying systems. Moreover, the presence of unresolved vulnerabilities prevents the issuance of a Certificate, so developers and the companies conducting certification tests pay close attention to this.

Checking employees. This consists of verifying that the cloud service provider (the information system operator) has trained specialists and that they have real (!) knowledge and experience. The results of the audit are recorded in protocols, which are also transmitted to the regulator. Obviously, trained and experienced specialists who have passed all stages of preparation and certification can not only provide a cloud-based 2FA service, but also offer the customer more specific and more complex consulting services than the employees of an ordinary 2FA service provider.

Implementation of an information security system. This stage precedes the certification process. It includes system design and ORD development, risk analysis, installation and configuration of the necessary information security tools, their functional testing, vulnerability analysis, trial operation, acceptance tests, and putting the system into production operation. All of this is also carefully documented and provided to the regulator for verification.

In the most general case, the cloud service provider can perform either certification or a conformity assessment, which simply declares that the security measures have been implemented. Once a non-disclosure agreement (NDA) has been signed with a potential customer, the provider can share information about how and by what means this security is provided. Request these documents and analyze the information received, and you will be able to verify the reliability, quality, and availability of the cloud service you plan to use.

Today we talked about a cloud-based two-factor authentication service built on a certified solution. We discussed which information systems it is intended for and what its specifics are. The next article will be addressed to cloud IT service providers. We will talk about the expectations and prerequisites for including multi-factor authentication in a portfolio of cloud services, what a company needs in order to deploy and promote such services, the technological basis of 2FA services, and the expertise required to deploy and provide them.