IDG Contributor Network: 4 frameworks you need to protect your digital enterprise against the latest cybersecurity threats

Organizations are spending millions of dollars to armor themselves against vicious and debilitating cyberattacks that are unrelenting and potent. The fear of digital disruption is pervasive and is driving a frenetic search for “silver bullets”, including hiring CISOs, buying lots of cybersecurity tools and contracting an army of consultants. But now what? Is the current security posture good enough? Are there any benchmarks and reliable guideposts?

CIOs and CISOs, especially in regulated industries with high-value data, should consider leveraging the pioneering work done by the US Federal Government and Department of Defense in protecting a global enterprise with an $80 billion annual IT budget and loads of highly sensitive data. The US Government, with its vast resources and cyber intelligence, has developed several security frameworks to protect Government and Defense agencies. These frameworks include Secure Cloud Computing Architecture (SCCA), Cyber Threat Framework (CTF), Federal Risk & Authorization Management Program (FedRAMP) and Continuous Diagnostics & Mitigation (CDM). Each of these frameworks is described in greater detail below and should be in the toolkit of every CIO and CISO tasked with protecting sensitive data.

1. Secure Cloud Computing Architecture (SCCA)

The rapid consumption of commercial cloud services like Amazon Web Services (AWS), Microsoft Azure and Microsoft Office 365, amongst others, by government agencies prompted the Defense Information Systems Agency (DISA) to create the Secure Cloud Computing Architecture (SCCA) framework. SCCA is designed to cover security concerns inherent in infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and software-as-a-service (SaaS) cloud services. SCCA consists of four key enterprise-level cloud security and management services. The framework uses a standard approach to boundary-level and application-level security for sensitive (but not classified) data hosted in commercial cloud environments. Each of these four enterprise services is described in greater detail below.

  • Cloud Access Point (CAP). CAP provides access to the cloud and protects the enterprise network from the cloud by concentrating protections at the network boundary. CAP serves two major functions: a) provide dedicated connectivity to approved commercial cloud providers, and b) protect the corporate network from any attack that originates from the cloud environment. There are two categories of solutions: single-cloud access, such as AWS Direct Connect for access to AWS, or multi-cloud access hubs like AT&T NetBond or Equinix Cloud Exchange, amongst others. It is critical to ensure that the chosen CAP provides integrated network security and access services and meets specific compliance certifications such as FedRAMP, SOC 2 or HIPAA as applicable.
  • Virtual Data Center Managed Services (VDMS). VDMS provides application host security for privileged user access in commercial cloud environments. Management, security and privileged user access are all handled within VDMS. This includes Host-Based Security System and Assured Compliance Assessment services, including the ability to deliver and manage security policies, push upgrades and manage roles. Trend Micro Deep Security is one example of a commercial solution offering host-based protection services, amongst many others.
  • Virtual Data Center Security Stack (VDSS). VDSS provides virtual network enclave security to protect applications and data in commercial cloud offerings. It includes two core services, a Web Application Firewall (WAF) and a Next-Generation Firewall, to detect and prevent threats facing web applications and workloads. There are several readily available solutions, including cloud-native services like AWS WAF or third-party providers like Palo Alto Networks, amongst others.
  • Trusted Cloud Credential Manager (TCCM). TCCM is the cloud credential manager that enforces role-based access control (RBAC) and least-privilege access. It includes processes and procedures to control and monitor privileged user access for cloud environments. Specific capabilities include privileged password management and control, SSH key security and management, session management to control and monitor privileged user access to cloud services, and bastion host services for access into all management and security services.
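The four SCCA services above form a chain of control points. As an added example (not code from DISA or from this article), here is a small Python model of that chain: a request passes CAP, VDSS and TCCM in order, and the first denial records which layer fired, which is what an auditor reviewing the enclave wants to see. The approved-provider list, the WAF signatures and the role table are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple
# Constructed policy data (assumptions): approved providers for CAP, WAF
# signatures for VDSS, and which privileged roles may do what for TCCM.
APPROVED_CSPS = {"aws", "azure"}
WAF_PATTERNS = [re.compile(p, re.I) for p in (r"union\s+select", r"<script", r"\.\./")]
PRIVILEGED_ROLES = {"cloud-admin": {"ssh", "console"}, "app-deployer": {"ssh"}}

@dataclass
class Request:
    source: str                   # "corp" or a provider name such as "aws"
    destination: str              # "corp" or a provider name
    path: str = "/"               # URL path and query string for web traffic
    role: Optional[str] = None    # set only for privileged (management) sessions
    action: Optional[str] = None  # "ssh" or "console" for privileged sessions
    via_bastion: bool = False     # TCCM admits privileged access only via bastion

def cap(r: Request) -> Optional[str]:
    """Boundary: only approved providers, and nothing initiated cloud -> corp."""
    if r.destination == "corp" and r.source != "corp":
        return "CAP: connection initiated from the cloud toward the corporate network"
    if r.destination != "corp" and r.destination not in APPROVED_CSPS:
        return f"CAP: {r.destination!r} is not an approved cloud provider"
    return None

def vdss(r: Request) -> Optional[str]:
    """Application layer: WAF signatures applied to ordinary web traffic."""
    if r.role is None and any(p.search(r.path) for p in WAF_PATTERNS):
        return "VDSS: request matched a WAF signature"
    return None

def tccm(r: Request) -> Optional[str]:
    """Privileged access: bastion only, then RBAC with least privilege."""
    if r.role is None:
        return None
    if not r.via_bastion:
        return "TCCM: privileged session did not come through the bastion host"
    if r.action not in PRIVILEGED_ROLES.get(r.role, set()):
        return f"TCCM: role {r.role!r} is not permitted to {r.action!r}"
    return None

def evaluate(r: Request) -> Tuple[str, str]:
    """Run the layers in SCCA order; the first denial names the layer that fired."""
    for layer in (cap, vdss, tccm):
        reason = layer(r)
        if reason:
            return ("deny", reason)
    return ("allow", "passed CAP, VDSS and TCCM")
```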

Given the rapid proliferation of commercial cloud services like AWS, Salesforce, ServiceNow and Microsoft Office 365, amongst others, organizations should tailor SCCA to develop a secure cloud architecture.