Interconnection Security

The most fundamental reason to interconnect systems is to share data, but that can be accomplished at a variety of levels. A system interconnection can be limited and simple, using email to transfer data between systems, or it could allow two databases to share data. It can be a connection that is only used when needed or one that is active all of the time. It can allow full interactivity and collaboration amongst users and can perform network infrastructure functions such as data backup and more. Likewise, interconnections can use different forms of connection media, from dial-up to leased lines to authenticated and encrypted VPNs.

Any form of data sharing or interconnection creates an environment of shared risk and requires a fresh assessment of the new risk environment. The two sides of the interconnection may have different security requirements and corresponding differences in their security controls and configurations. How sensitive data is protected may differ, and the users may operate under different rules of behavior.

For organizations involved with the US Federal Government, security controls are guided by NIST SP 800-53, and guidance for the security of interconnections is provided in NIST SP 800-47 “Security Guide for Interconnecting Information Technology Systems”. OMB Circular A-130 Appendix III requires federal agencies to obtain written authorization for all interconnections (prior to connecting) that is based upon an assessment of acceptable risk and security controls that are in accordance with NIST guidance.

Security control CA-3 INFORMATION SYSTEM CONNECTIONS requires an authorization of all connections outside the accreditation boundary and ongoing monitoring of the connection. Based on a determination of need, a document called the “Interconnection Security Agreement” (ISA) may be required and is often accompanied by a “Memorandum of Understanding” (MOU). The need is usually determined by the similarity and commonality of the information systems. For a connection to an outside, non-federal organization, the ISA is likely to be required. For a connection to another federal agency that operates under NIST guidance and has a robust Assessment and Authorization (aka C&A) process, the need may not be great or the document may be less rigorous. On the other hand, it is possible to require close scrutiny and documentation of a system that resides on the same network inside the same agency if the security requirements and protections are very different.

In order to maintain security, when an interconnection is created between information systems, the level of security protections and risk involved must be assessed and compared from both sides of the connection. Even if both sides have done their own security well, one side may have risks involved (threats and vulnerabilities) that the other side does not, or may not have protections in place because of an absence of risks. Once the connection is established, the risks become shared and new protections may be required. This also requires a high level of knowledge sharing and transparency between the groups involved.

Depending upon the organizational environment, it may be necessary to create a joint planning team, lay out the business case for the interconnection and, if there is a federal agency involved, collect assessment and authorization (C&A) documentation. In any case, requirements will need to be determined and should consider the following areas:

  • The method and level of the interconnection and potential impact on the security posture on both ends.
  • Hardware, software and data involved.
  • Users, services and applications involved.
  • Security controls
    • Most of the PM (Program Management) family controls should be considered as a prelude
    • CA-3 INFORMATION SYSTEM CONNECTIONS – requires authorization of all connections outside the accreditation boundary, ongoing monitoring, and risk analysis
    • AC-4 INFORMATION FLOW ENFORCEMENT – authorizations for controlling the flow of information within the system and between interconnected systems
    • SC-7 BOUNDARY PROTECTION – establishes boundary protection devices that monitor and control communications through specified managed interfaces
    • Virus Scanning (SI-3)
    • Intrusion Detection (SI-4)
    • Identification and Authentication (IA) controls
    • Physical/Environmental Security (PE) controls
    • Auditing (AU) controls
    • Incident Handling/Reporting (IR)
    • Assessment and Authorization (CA) controls
  • Security process areas:
    • Contingency planning
    • Configuration management (with specific focus on change control)
    • Incident response
    • Data ownership and backups
    • Rules of behavior
    • Awareness and training
  • Scheduling
  • Cost and budget issues

Once the requirements have been established and a plan has been developed, it must be documented and approved. The process continues with implementing the plan to establish the connection, maintaining the connection and, eventually, disconnection.

It’s interesting to note that if no interconnection is ever established for an information system (an “air-gap”), security requirements may be significantly lessened. In a way, interconnection security is often a microcosm of the whole world of information security. And cloud security can easily be considered in the same manner.

SEE ALSO:
The NIST PM Security Control Family
Security Control Matrix