Questions 49 to 52 — standard operating environments

Table 1 lists who is responsible for answering each question.

Context and help for questions 49 to 52

Questions to answer

49. Are there appropriate build and hardening standards defined and documented for the service components the government organisation is responsible for managing?
50. Can the government organisation deploy operating systems and applications in accordance with internal build or hardening standards?
    
    1. If no — does the service provider have appropriate build and hardening standards that meet the government organisation’s security requirements?
    2. Does the virtual image include a host-based firewall configured to only allow the inbound and outbound traffic necessary to support the service?
    3. Does the service provider allow host-based intrusion detection and prevention service agents to be installed within the virtual machines?
51. Does the service provider perform regular tests of its security processes and controls?
    
    1. Will they provide customers with a copy of the associated reports?
52. Can a penetration test of the service be performed to ensure that it has been securely deployed?

Where to find the service provider’s answers

You can get the answers to the service provider’s questions from a combination of:

• direct communication with the provider
• the provider’s policies and audit reports on their website
• previous assessments by other government organisations.

If you do not have the service provider’s answers

If you need higher assurance for the information, consider a different public cloud service if:

• the provider does not give you their answers or other information you need for your risk assessment
• you cannot get acceptable third-party assurance
• there are no ways to lessen the risk of this incomplete information.

Independent assurance reports — New Zealand Information Security Manual

Context and help for questions 49 to 52

The following guidance gives you context and help for answering questions about standard operating environments.

Direct contracts — check for information you can use

Another NZ government organisation may have previously assessed the public cloud service you’re looking to use. See which organisation to contact for information by:

• joining the Cloud Capabilities Network (CCN), if you’re not already a member
• searching the CCN’s chart of risk assessments for public cloud services.

NZ government agreements and contracts — check for certification documents you can use

You can use certification documents to help with your risk assessment of using either:

• an all-of-government agreement
• a Marketplace contract.

To get these, contact the security team at the Department of Internal Affairs at ictassurance@dia.govt.nz.

Hardening

A process intended to eliminate a means of attack by:

• turning off nonessential services
• patching vulnerabilities.

Hardening — National Institute of Standards and Technology

Proper configuration and management

One of the biggest causes of information security incidents is poorly configured and managed information systems. Public cloud services are no different — you need to set up proper security configurations.

Security ownership in public cloud services

Government organisations always own the risks of their information in public cloud services — regardless of which service model is used.

Security ownership in all service models

Service models — configure and manage

Government organisations and service providers share responsibilities for configuring and managing security in the different service models for public cloud.

Shared responsibilities for security in each service model

Software as a Service

Even though government organisations have the fewest hands-on security responsibilities in Software-as-a-Service models, they:

• still own the risk
• must make sure their security controls are set up properly — this often means getting help from the technical owner of your information or a subject matter expert.

Software as a Service (SaaS)

Platform, Infrastructure and other types of service models

Government organisations have more hands-on security responsibilities in:

• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
• other types of service models.

Get the build and hardening standards

For the service models that need more involvement from government organisations, get the build and hardening standards for the operating systems and applications you’re planning to use.

The standards should be defined and documented. They help you to protect your systems against unauthorised access while using the operating systems and applications that you deploy in public cloud services.

Provider’s standards or define your own

In your agreement with the service provider, determine who is responsible for the build and hardening of the operating systems and applications. If you choose to delegate this to the service provider, you’ll need to see if it’s best to:

• accept the provider’s standards
• define your own standards.

Test the services before deploying them

In all cases, it’s important to carry out a penetration test. This way, you can be sure the services are safely deployed in the service model you’re using.