Understanding Protection (SC)
These controls focus on protecting system boundaries and communications and on preventing unauthorized data exposure. Let's break down the key SC controls with examples.
SC-1: Policy and Procedures
This foundational control requires documented policies and procedures for system and communications protection.
Example:
SYSTEM AND COMMUNICATIONS PROTECTION POLICY
Version: 2.1
Last Updated: 2025-01-02
1. PURPOSE
This policy establishes requirements for protecting the organization’s cloud infrastructure and communications.
2. SCOPE
Applies to all cloud systems within the authorization boundary.
3. POLICIES
3.1 Encryption Requirements
- All data in transit must use TLS 1.2 or higher
- All data at rest must use FIPS 140-2 validated encryption
- Key rotation required every 365 days
3.2 Network Security
- All external connections must traverse a DMZ
- Firewall rules follow deny-by-default principle
- Monthly review of access control lists
4. PROCEDURES
4.1 Firewall Change Management
- Submit a change request via the organization's ticketing system (insert your preferred system here)
- Include business justification
- Require security team review
- Implement during approved maintenance window
- Document and test changes
5. ROLES AND RESPONSIBILITIES
Security Team:
- Monthly policy review
- Approve security changes
- Monitor compliance
System Administrators:
- Implement security controls
- Report security incidents
- Maintain documentation
6. REVIEW AND UPDATES
- Annual policy review required
- Quarterly procedure updates
- Emergency updates as needed
SC-5: Denial of Service Protection
CSPs must implement DoS/DDoS protection at system boundaries and critical internal points.
Example:
DDoS Protections:
1. AWS WAF Rule
2. Nginx Rate Limiting Configuration
3. CloudWatch Alert Configuration
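The rate-limiting layer is easiest to reason about as a leaky bucket. The following is an added example, not code from the original post and not nginx's implementation: a small Python model of what an nginx `limit_req_zone ... rate=10r/s;` plus `limit_req zone=... burst=N;` pair does per client key (one bucket per key that drains at `rate` requests per second, tolerates `burst` queued requests, and rejects anything beyond that; nginx answers 503 by default). The class and function names, and the flood in the `__main__` block, are assumptions constructed for this illustration.

```python
"""Leaky-bucket request limiter with nginx limit_req semantics.

Added example for the SC-5 section; not code from the original post and
not nginx's implementation. Names (Bucket, RateLimiter, simulate) are
assumptions chosen for this illustration.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Bucket:
    excess: float   # requests currently queued above the steady rate
    last: float     # timestamp (seconds) of the previous accepted request


@dataclass
class RateLimiter:
    rate: float            # sustained requests per second (nginx rate=10r/s -> 10)
    burst: int             # queued requests tolerated before rejecting (nginx burst=N)
    nodelay: bool = False  # True: serve the burst immediately instead of pacing it
    buckets: dict = field(default_factory=dict)

    def decide(self, key, now):
        """Return (decision, delay_seconds) for one request from `key` at `now`.

        decision is "allow", "delay" (accepted but paced) or "reject".
        """
        b = self.buckets.get(key)
        if b is None:
            # First request from this key: empty bucket, served immediately.
            self.buckets[key] = Bucket(excess=0.0, last=now)
            return "allow", 0.0
        drained = (now - b.last) * self.rate          # bucket drains while idle
        excess = max(0.0, b.excess - drained + 1.0)   # +1 for this request
        if excess > self.burst:
            return "reject", 0.0                      # overflow: not counted
        b.excess, b.last = excess, now
        if excess > 0 and not self.nodelay:
            # Pace the queued request so the key is served at `rate`.
            return "delay", excess / self.rate
        return "allow", 0.0


def simulate(limiter, events):
    """Feed (key, timestamp) pairs through the limiter; return decision counts."""
    counts = Counter()
    for key, t in events:
        counts[limiter.decide(key, t)[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed flood: one client sends 30 requests in the same instant.
    lim = RateLimiter(rate=10, burst=20)
    print(simulate(lim, [("203.0.113.7", 0.0)] * 30))   # {'allow': 1, 'delay': 20, 'reject': 9}
```

The model makes the tuning trade-off visible: `burst` decides how much of a short spike is absorbed rather than dropped, and `nodelay` decides whether that absorbed spike is served at once or paced, which is the difference between protecting the origin from a burst and merely smoothing it.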
SC-7: Boundary Protection
A critical control requiring monitored and controlled communications at external and key internal boundaries.
Example:
Network Architecture and Firewall Rules
1. DMZ Configuration
[Internet] --- [ WAF/DDoS Protection ]
|
--- [ External Load Balancer ]
|
--- [ DMZ Subnet ]
| Public Web Servers
| Reverse Proxy
2. Internal Zones
[ DMZ ] --- [ Internal Firewall ]
|
--- [ App Subnet ]
| Application Servers
|
--- [ Data Subnet ]
| Database Servers
3. Sample Firewall Rules
External Firewall (Ingress)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT  # Replies to connections this host initiated
iptables -A INPUT -p tcp --dport 443 -j ACCEPT   # HTTPS
iptables -A INPUT -p tcp --dport 80 -j REJECT    # HTTP rejected (a REJECT cannot redirect; to redirect HTTP -> HTTPS, ACCEPT 80 here and redirect in the web server)
iptables -P INPUT DROP                           # Deny all other incoming
DMZ to Internal (Sample ACL)
access-list DMZ-TO-APP permit tcp 10.0.1.0/24 10.0.2.0/24 eq 8443
access-list DMZ-TO-APP deny ip any any log
Internal Segmentation
access-list APP-TO-DB permit tcp 10.0.2.0/24 10.0.3.0/24 eq 5432
access-list APP-TO-DB deny ip any any log
4. Monitoring Configuration
Splunk Search (Boundary Crossing)
index=firewall src_zone=DMZ dest_zone=internal
| stats count by src_ip, dest_ip, dest_port
| where count > 1000
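The Splunk search above only counts; a practitioner usually also wants to know whether the flows crossing the boundary are the ones the ACLs permit. The following is an added example, not code from the original post or from any firewall vendor. It maps addresses to the zones in the diagram using the subnets from the sample ACLs (DMZ 10.0.1.0/24, app 10.0.2.0/24, data 10.0.3.0/24; that mapping is an assumption), encodes the two ACLs as the only permitted zone-to-zone flows, reproduces the `stats count by src_ip, dest_ip, dest_port | where count > N` aggregation, and adds a rule-drift check that flags lines where the device's action disagrees with the ACL policy. The key=value log format and every sample line are constructed.

```python
"""Boundary-crossing and ACL-drift checks over firewall log lines.

Added example for the SC-7 section; not code from the original post.
Zone-to-subnet mapping, log format and sample lines are constructed.
"""
import ipaddress
from collections import Counter

ZONES = {
    "DMZ": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "data": ipaddress.ip_network("10.0.3.0/24"),
}
INTERNAL = {"app", "data"}

# Flows permitted by the sample ACLs: (src_zone, dest_zone, proto, dest_port).
# Everything else is "deny ip any any log".
ALLOWED = {
    ("DMZ", "app", "tcp", 8443),   # access-list DMZ-TO-APP
    ("app", "data", "tcp", 5432),  # access-list APP-TO-DB
}

# Constructed sample log: one busy DMZ -> app flow, two DMZ -> data flows the
# device allowed although no ACL permits them, normal app -> db traffic, and
# some correctly denied SSH attempts.
SAMPLE_LOG = (
    ["src_ip=10.0.1.10 dest_ip=10.0.2.20 dest_port=8443 proto=tcp action=allow"] * 1200
    + ["src_ip=10.0.1.10 dest_ip=10.0.3.30 dest_port=5432 proto=tcp action=allow"] * 2
    + ["src_ip=10.0.2.20 dest_ip=10.0.3.30 dest_port=5432 proto=tcp action=allow"] * 50
    + ["src_ip=10.0.1.10 dest_ip=10.0.2.20 dest_port=22 proto=tcp action=deny"] * 4
)


def zone_of(ip):
    """Name of the zone whose subnet contains ip, or 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_line(line):
    """Parse 'k=v k=v ...' into a dict with dest_port as int."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["dest_port"] = int(fields["dest_port"])
    return fields


def evaluate(line):
    """Annotate a log line with zones and whether the ACLs permit the flow."""
    f = parse_line(line)
    f["src_zone"], f["dest_zone"] = zone_of(f["src_ip"]), zone_of(f["dest_ip"])
    f["permitted"] = (f["src_zone"], f["dest_zone"], f["proto"], f["dest_port"]) in ALLOWED
    return f


def boundary_crossings(lines, threshold=1000):
    """Splunk equivalent: DMZ -> internal flows counted by (src_ip, dest_ip,
    dest_port); only tuples seen more than `threshold` times are returned."""
    counts = Counter()
    for ev in map(evaluate, lines):
        if ev["src_zone"] == "DMZ" and ev["dest_zone"] in INTERNAL:
            counts[(ev["src_ip"], ev["dest_ip"], ev["dest_port"])] += 1
    return {k: v for k, v in counts.items() if v > threshold}


def rule_drift(lines):
    """Lines where the device's action disagrees with the ACL policy:
    allowed traffic no ACL permits, or denied traffic an ACL permits."""
    return [ev for ev in map(evaluate, lines) if (ev["action"] == "allow") != ev["permitted"]]


if __name__ == "__main__":
    print(boundary_crossings(SAMPLE_LOG))   # {('10.0.1.10', '10.0.2.20', 8443): 1200}
    for ev in rule_drift(SAMPLE_LOG):
        print("policy mismatch:", ev["src_zone"], "->", ev["dest_zone"], ev["dest_port"], ev["action"])
```

Running it over the constructed log reports the high-volume DMZ-to-app flow, and the drift check surfaces the two DMZ-to-database connections that the device allowed even though only the app subnet is permitted to reach port 5432: exactly the "missing network segment" pitfall the page warns about, caught from the logs rather than from a rule review.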
SC-8: Transmission Confidentiality and Integrity
All data in transit must be protected.
Example:
1. Nginx HTTPS Configuration
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
}
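A configuration like this tends to drift between environments, which is the first pitfall listed later on the page. The following is an added example, not code from the original post and not an nginx tool: a small Python checker that parses the directives of a server block (the block above is embedded as `PAGE_CONFIG`) and tests them against the SC-1 statement "TLS 1.2 or higher" plus the hardening choices the block makes (forward-secret AEAD suites only, session tickets off, OCSP stapling on and verified). The function names and the deliberately weak `WEAK_CONFIG` block are constructed for this illustration.

```python
"""Policy check for an nginx TLS server block.

Added example for the SC-8 section; not code from the original post.
PAGE_CONFIG is the server block from the page; WEAK_CONFIG is constructed.
"""

PAGE_CONFIG = """
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
}
"""

# Constructed weak block: legacy protocols, an RSA-key-exchange CBC suite,
# an RC4 suite, resumable tickets with a static key, no stapling.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:RC4-MD5;
    ssl_session_tickets on;
}
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_MARKERS = ("NULL", "RC4", "MD5", "DES", "EXPORT", "ADH", "AECDH", "PSK")
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def parse_server_block(text):
    """Return {directive: value} for one server block (comments stripped)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith("{") or line == "}":
            continue
        name, _, value = line.rstrip(";").partition(" ")
        conf[name] = value.strip()
    return conf


def check_tls(conf):
    """Return a list of (directive, finding) tuples; an empty list means compliant."""
    findings = []
    protocols = set(conf.get("ssl_protocols", "").split())
    if not protocols:
        findings.append(("ssl_protocols", "not set; pin TLSv1.2 TLSv1.3 explicitly"))
    for p in sorted(protocols & LEGACY_PROTOCOLS):
        findings.append(("ssl_protocols", f"legacy protocol enabled: {p}"))

    for suite in conf.get("ssl_ciphers", "").split(":"):
        if not suite or suite.startswith(("!", "-", "+", "@")):
            continue                      # exclusion / ordering tokens, not suites
        if "-" not in suite and "+" not in suite:
            findings.append(("ssl_ciphers", f"alias {suite}: expand with 'openssl ciphers -v' to review"))
        elif any(m in suite for m in WEAK_MARKERS):
            findings.append(("ssl_ciphers", f"weak suite: {suite}"))
        elif not suite.startswith("ECDHE"):
            findings.append(("ssl_ciphers", f"no forward secrecy: {suite}"))
        elif not any(m in suite for m in AEAD_MARKERS):
            findings.append(("ssl_ciphers", f"non-AEAD suite: {suite}"))

    if conf.get("ssl_session_tickets", "on") != "off":   # nginx default is on
        findings.append(("ssl_session_tickets", "on: a static ticket key undermines forward secrecy"))
    if conf.get("ssl_stapling") != "on" or conf.get("ssl_stapling_verify") != "on":
        findings.append(("ssl_stapling", "OCSP stapling should be on and verified"))
    if conf.get("ssl_prefer_server_ciphers") != "on":
        findings.append(("ssl_prefer_server_ciphers", "server should choose the suite for TLS 1.2 clients"))
    return findings


if __name__ == "__main__":
    for name, text in (("page", PAGE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, check_tls(parse_server_block(text)))
```

The checker is deliberately static: it reads the file the way a configuration-review step in change management would, so it can run in CI before the change reaches the maintenance window. It is not a substitute for scanning the live listener, since the compiled OpenSSL, included files and `http` level defaults also decide what the server actually negotiates.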
SC-12: Cryptographic Key Management
Establishes and manages cryptographic keys throughout their lifecycle.
Example:
1. AWS KMS Key Policy
2. Key Rotation Schedule (AWS Lambda)
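The rotation schedule comes down to a decision per key, which is where an incomplete procedure (the third pitfall on this page) usually hides. The following is an added example, not code from the original post: the decision logic a scheduled Lambda would run after a collector step has gathered key metadata (in boto3 that step would use `kms.list_keys`, `kms.describe_key` and `kms.get_key_rotation_status`, and remediation would call `kms.enable_key_rotation`). The record layout, the `last_rotation` field, the `handler` signature and every key in the inventory are constructed assumptions; the 365-day maximum comes from the SC-1 policy above.

```python
"""Key-rotation schedule check for customer-managed KMS keys.

Added example for the SC-12 section; not code from the original post.
The inventory records and their field names are constructed; a real
collector would fill them from DescribeKey and GetKeyRotationStatus.
"""
from datetime import date

MAX_KEY_AGE_DAYS = 365   # SC-1: "Key rotation required every 365 days"

# Constructed inventory (what the collector step would hand to the checker).
KEYS = [
    {"key_id": "alias/app-data", "manager": "CUSTOMER", "state": "Enabled",
     "created": date(2023, 6, 1), "rotation_enabled": True, "last_rotation": date(2024, 6, 1)},
    {"key_id": "alias/backup", "manager": "CUSTOMER", "state": "Enabled",
     "created": date(2023, 1, 1), "rotation_enabled": False, "last_rotation": None},
    {"key_id": "alias/legacy", "manager": "CUSTOMER", "state": "Enabled",
     "created": date(2024, 9, 1), "rotation_enabled": False, "last_rotation": None},
    {"key_id": "aws/s3", "manager": "AWS", "state": "Enabled",
     "created": date(2022, 1, 1), "rotation_enabled": True, "last_rotation": None},
    {"key_id": "alias/retired", "manager": "CUSTOMER", "state": "PendingDeletion",
     "created": date(2020, 1, 1), "rotation_enabled": False, "last_rotation": None},
]


def key_age_days(key, as_of):
    """Days since the key material was last rotated (or created, if never)."""
    return (as_of - (key["last_rotation"] or key["created"])).days


def rotation_report(keys, as_of, max_age_days=MAX_KEY_AGE_DAYS):
    """Sort keys into compliant / enable_rotation / overdue / skipped.

    AWS-managed keys rotate on AWS's schedule and cannot be changed, and keys
    pending deletion will never be rotated, so both are reported as skipped.
    A key can be both enable_rotation and overdue.
    """
    report = {"compliant": [], "enable_rotation": [], "overdue": [], "skipped": []}
    for key in keys:
        if key["manager"] != "CUSTOMER" or key["state"] == "PendingDeletion":
            report["skipped"].append(key["key_id"])
            continue
        flagged = False
        if not key["rotation_enabled"]:
            report["enable_rotation"].append(key["key_id"])   # remediation: enable_key_rotation
            flagged = True
        if key_age_days(key, as_of) > max_age_days:
            report["overdue"].append(key["key_id"])           # rotate now; the schedule alone is too late
            flagged = True
        if not flagged:
            report["compliant"].append(key["key_id"])
    return report


def handler(event, context):
    """Lambda-style entry point; the scheduler may pass the as-of date in the event."""
    as_of = date.fromisoformat(event.get("as_of", date.today().isoformat()))
    return rotation_report(KEYS, as_of)


if __name__ == "__main__":
    print(handler({"as_of": "2025-01-02"}, None))
```

The split between `enable_rotation` and `overdue` matters operationally: enabling automatic rotation on a key that is already two years old only schedules the next rotation, so an overdue key needs an immediate rotation (and, for keys that cannot be rotated in place, a re-encryption plan) in addition to the setting change.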
SC-13: Cryptographic Protection
Requires FIPS-validated or NSA-approved cryptography.
Example:
1. OpenSSL FIPS Configuration
Settings in the FIPS provider section of the OpenSSL configuration:
- Activate the module, if present
- The version number for the install process should be 1
- Set conditional-errors as appropriate for your environment
- Use 1 (default) to perform security checks
- Use config-diagnostics to avoid accidental use of non-FIPS algorithms
Technical approach:
Enable storage-level encryption (e.g., EBS encryption)
Implement application-level encryption for sensitive fields
Use encrypted databases
Enable secure key storage
Implement secure backup encryption
Best Practices for Implementation
Documentation
Maintain detailed system architecture diagrams
Document all security configurations
Keep updated network diagrams
Record all approved exceptions
Monitoring
Implement continuous monitoring
Set up automated alerting
Conduct regular security assessments
Review logs daily
Testing
Perform regular penetration testing
Conduct vulnerability assessments
Test incident response procedures
Validate security configurations
Common Pitfalls to Avoid
Configuration Mistakes
Forgetting to enable encryption in all environments
Missing network segments in boundary protection
Incomplete key rotation procedures
Inadequate logging configurations
Process Failures
Not updating documentation regularly
Skipping regular reviews
Inadequate testing of security controls
Poor incident response preparation
Conclusion
Implementing SC controls requires a systematic approach and attention to detail. Success depends on:
Understanding the technical requirements
Maintaining comprehensive documentation
Regular testing and validation
Continuous monitoring and improvement
Strong change management processes
Remember that FedRAMP Moderate SC controls are minimum requirements; your organization may need additional protections based on specific threat models and risk assessments.