Information security controls help protect against vulnerabilities and risk. In this article, we share details of the RIPE NCC Cloud Security Controls Framework that we'll be using to assess whether cloud providers meet the security requirements for our services.
When we shared the final version of the RIPE NCC Cloud Strategy Framework last October, one of the tasks we put on ourselves was to publish details of the process we would use to ensure the ongoing security of our services when considering potential cloud service providers.
In this article, true to our word, we've put these details into writing. The RIPE NCC Cloud Security Controls Framework outlined here will enable us to assess whether external services are suitable for the processing and storage of RIPE NCC data.
In terms of scope, the kinds of external services covered by this framework include (but are not limited to): SaaS (Software as a Service), CDN (Content Delivery Network) and CSP (Cloud Service Provider). When it comes to cloud service providers such as AWS, we will not only assess their general security posture, but also that of each individual AWS cloud service that will be used. Specific requirements will be set per service.
What's Our Approach?
Basis
The RIPE NCC Cloud Security Controls Framework is based on best security practices as documented in related frameworks such as the CIS Critical Security Controls, the CSA Cloud Control Matrix, and ISO 27002. Although all such frameworks have different approaches, their goal is the same - reduce risk and keep the data secure. In our framework, there are also certain legal requirements that we have to take into account, for example from the GDPR.
As an organisation, we have a low risk appetite, which translates to a rather strict Cloud Security Controls Framework.
Our framework is not static, but will be reviewed and refined on a yearly basis to make sure the controls are up-to-date and relevant for the risks we are addressing.
Assessment
We assess all publicly documented information on a company's security posture. This includes information on their policies, security certifications, assurance and compliance reports, and all other documentation we can find relating to their security and compliance controls. If we are unable to find sufficient authoritative information, we will request additional information. This usually means that we're required to sign a NDA with that company.
Additionally, we will look for information on previous security incidents to understand how mature their incident management process is and to better understand the state of security of their services. Other useful resources are publications on cloud strategy and cloud service provider assessments as they are sometimes published by governmental bodies and the financial industry, where security is key.
Per security control, we have set a requirement depending on the following data classification:
- Public Information
- Company Confidential Information
- Restricted Information
- Sensitive Personal Information
The higher the data classification, the stricter the security requirements. This means that for sensitive personal information, the security controls are the strictest.
Outcome
The outcome of the assessment is a document that contains advice and lists potential risks and additional implementation requirements (to satisfy security and compliance controls) as needed.
This information security advice is shared with internal stakeholders and the RIPE NCC Legal team and serves as a critical input to the decision making process on whether or not to use a certain cloud-based service.
It can happen that not all security requirements can be satisfied sufficiently. In that case, we will assess if there are other compensating security controls in place that will sufficiently mitigate the residual risk. If there is still a significant residual risk, the Risk Type Owner (RTO) will decide whether it is acceptable (and formally accept the risks) or whether additional mitigations need to be put in place. It can also be that the risks are deemed unacceptable, and we need to look for an alternative solution or even stop a project.
RIPE NCC Cloud Security Controls Framework
The following topics are included in our assessments (listed in alphabetical order):
- Access Control
- Audit & Compliance Controls
- Backups Controls
- Bug Bounty / Responsible Disclosure Process
- Business Continuity & Data Recovery Controls
- Change Control & Configuration Management
- Destruction of Data / Data Retention
- Disclosure of Information
- Employee Security Controls
- Encryption & Key Management Controls
- Hardware & Software Inventory Controls
- Incident Management Process
- Labelling of Data Controls
- Network Security Controls
- Physical Security Controls
- Privacy Controls
- Secure Operations Controls
- Security Awareness Controls
- Software Security Controls
- Storage
- Vulnerability & Patch Management Process
For most of these topics, we set a requirement based on the data classification. Below is an example for two controls that are very important for security in general, and also to protect privacy: access controls and encryption.
| Access Control | Requirements |
|---|---|
| 1. Public Data |
1. System and application access control is required to identify and authenticate each user - it MUST be configured to provide the least privilege level of access necessary to perform job function. For developers and administrators, 2-factor authentication (2-FA) should always be used. 2. End-user access: no authentication necessary. |
| 2. Company Confidential Data |
1. System and application access control is required to identify and authenticate each user - it MUST be configured to provide the least privilege level of access necessary to perform job function. 2. Access granting decisions MUST be made by authorised RIPE NCC roles. 3. End user access: minimal username+password authentication (MUST), preferred is 2-FA. |
| 3. Restricted Data |
1. System and application access control is required to identify and authenticate each user - it MUST be configured to provide the least privilege level of access necessary to perform job function. 2. Access granting decisions MUST be made by authorised RIPE NCC roles. 3. A user MUST be automatically logged out after an agreed period of inactivity. 4. Applications MUST use session cookies (or similar control) with a short validity time, to minimise the access window. 5. End-user access: 2-FA (MUST). |
| 4. Sensitive Personal Information |
1. System and application access control is required to identify and authenticate each user - it MUST be configured to provide the least privilege level of access necessary to perform job function. 2. Access granting decisions MUST be made by authorised RIPE NCC roles. 3. A user MUST be automatically logged out after an agreed period of inactivity. 4. Applications MUST use session cookies (or similar control) with a short validity time, to minimise the access window. 5. End-user access: 2-FA (MUST - Legal requirement) |
| Encryption & Key Management | Requirements |
|---|---|
| 1. Public Data |
One of our Cloud principles is: “encrypt unless …”. However, for Public data there are no strict requirements for encrypting data in transit, or at rest. |
| 2. Company Confidential Data |
1. Data in transit MUST be encrypted 2. Data at rest SHOULD be encrypted |
| 3. Restricted Data |
1. Data in transit MUST be encrypted 2. Data at rest MUST be encrypted |
| 4. Sensitive Personal Information |
1. Data in transit MUST be encrypted 2. Data at rest MUST be encrypted 3. The master key used for encryption MUST be managed by RIPE NCC and must not be accessible by the cloud provider |
The framework specifies the requirements at a high level. What it means in practice: if we consider putting sensitive personal data in a cloud-based service, we must be in control of the cryptographic keys. To achieve this, we can consider solutions such as a cloud-based HSM, Bring-Your-Own-Keys (BYOK), or similar solutions. We understand that each solution will come with its own operational challenges and risks, which we will carefully balance against the benefits it offers.
Summing Up
The Cloud Security Controls Framework helps the RIPE NCC assess whether a cloud provider/environment or a cloud-based service meets our security requirements and what the potential risks are. Multiple inputs - including those from the technical departments, the legal team, and the information security team - are used to make a final decision on whether a cloud provider or cloud-based service is suitable for a certain purpose.
In the end, the use of cloud-based services must have clear benefits for the RIPE NCC and support us in fulfilling our strategic objectives, while staying aligned with our vision, mission and values.
Comments 0
Comments are disabled on articles published more than a year ago. If you'd like to inform us of any issues, please reach out to us via the contact form here.