The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.
Thales support US government agencies in implementing and sustaining compliance through:
The NIST 800-53 publication details security controls for Federal information systems as required by the FIPS 200 publication, and was recently updated to revision 4 to detail the extended security controls required for agency use of cloud computing under FedRAMP.
FIPS 200 supports the FISMA Act of 2002 requiring Federal agencies to implement and document information security programs.
For more details on the specific regulations, see the links below.
Vormetric’s Data Security Management is available as a FIPS 140-2 Level 2 or Level 3 validated appliance. The Data Security Manager appliance is also in Common Criteria evaluation.
NIST 800-53 Revision 4 Compliance Solutions
Core Thales product capabilities that support the NIST 800-53 Revision 4 include:
For a full look at how Vormetric solutions map to NIST 800-53 requirements, see our Thales NIST 800-53 Mapping white paper with detailed mapping of security controls to Thales features here, and listed below is an overview of security control family requirements for Thales solutions.
Overview - Vormetric Transparent Encryption & NIST 800-53 revision 4
Security Control FamilyCompliance BaselineThales
Access Controls(AC)• Access Controls(AC)
• Account Management
• Separation of Duties
• Least PrivilegeThrough the use of kernel level agents providing AES 256 encryption, Vormetric Transparent Encryption exceeds and augments current access control solutions at the file, directory, drive, or target level at the Operating System and provides Least Privilege.
Awareness and Training(AT)• Training Policies
• Security Awareness Training
• Role Based Security TrainingVormetric Professional Services makes available both, personal and online, training options to educated staff on use of the solution. Thales solutions have few administrative requirements, and the available training covers tasks and responsibilities for each desired/deployed role, with appropriate documentation.
Audit and Accountability(AU)• Audit Events
• Report GenerationVormetric Transparent Encryption provides full audit data at the Vormetric Data Security Manager appliance and at host agents in an open format and can integrate with a program or agency’s audit reduction tool or SIEM solution.
Security Assessment and Authorization(CA)• System Interconnects
• Plan of Action and Milestones
• Continuous MonitoringVormetric Transparent Encryption can be tested as a part of an Information System. The agents are installed on operating systems that undergo security hardening and STIG configurations. The Data Security Manager is FIPS 140-2 Level 2 or Level 3 Compliant depending upon configuration.
Configuration Management(CM)• Baseline Configuration
• Change Control
• Security Impact Analysis
• Least FunctionalityThe configuration of the Vormetric DSM can be changed to match operational requirements for access control and encryption at rest, and can be saved, backed up, and added to a CMDB in order to track changes over time.
Contingency Planning(CP)• Contingency Plan
• Contingency TestingThe Vormetric DSM component can operate in a clustered environment in active or standby mode, and can be added to a program’s COOP/DR strategy.
Identification and Authentication(IA)• Organizational Users
• Device Login
• Authentication Management
• Crytpographic Module
• Incident HandlingIdentification is provided through local web GUI login or Active Directory/LDAP Integration at the Data Security Manager appliance. Authentication is provided through the use of kernel level system access to files, folders, and applications.
Incident Response(IR)• Incident Response Testing
• MonitoringThe Vormetric Data Security Platform processes incidents at the individual component level (host system, web GUI, DSM). These incidents and audit events are in an open syslog format that can be sent to an information system’s monitoring/reporting tool, including 3rd party SIEM solutions. Log file formats can be tailored to match a program’s security policy for user and application behavior.
Maintenance(MA)• Controlled Maintenance
• ToolsAs a part of the FIPS 140-2 certification, the Vormetric Data Security Manager is tamper resistant. Additionally, maintenance and audit sessions can be separated by domain and by administrator login.
Media Protection(MP)• Media Access
• Media Marking
• Storage TransportAs a part of the FIPS 140-2 level 3 compliance evaluation the Vormetric Data Security Manager has the ability to be zeroized at the appliance console.
Physical and Environmental Protection(PE)• Access Authorizations
• TransmissionThe Vormetric Data Security Management appliance used as a component of the solution is available as 17”x17”x3” hardware device and can be secured in a lockable data center rack enclosure.
Planning(PL)• Security Architecture
• Concept of OperationsVormetric Transparent Encryption provides fine-grained access policies and AES-256 encryption that can be used to limit privileged user access and implement least-privilege principles for users authorized for access to sensitive data.
Personnel Security(PS)• Personnel Termination and TransferThe Vormetric Transparent Encryption Solution should be operated by personnel at the appropriate level of clearance and information system access. Administrative group links to LDAP compatible Directory Services solutions.
System and Services Acquisition(SA)• Allocation of Resources
• System Development Life CycleSystem Components of the Vormetric Data Security Manager are assembled in the US at the corporate headquarters in San Jose, CA. The DSM is FIPS 140-2 Level 3 certified when the optional Hardware Security Module (HSM) is installed, and FIPS 140-2 Level 2 certified without the HSM.
Systems and Communications Protection(SC)• Application Partitioning
• Security Function Isolation
• Confidentiality and Integrity
• Cryptographic Key Management
• Platform AgnosticismAs a part of the Vormetric Transparent Encryption solution, AES-256 encryption keys are passed through an encrypted wrapper. The Administrator Web Interface is accessed through HTTPS. Agent to DSM communication is accomplished through the use of ephemeral ports and is encrypted using Suite B algorithms.
Systems and Information Integrity(SI)• Security Alerts and Advisories
• Software and Information IntegritySystem Integrity on the Data Security Manager Appliance is satisfied through the DSM’s FIPS 140-2 validation. Host agents installed on an Information System’s server provide encryption at rest capabilities to enhance system integrity.
Perhaps the most comprehensive data privacy standard to date, GDPR affects any organisation that processes the personal data of EU citizens - regardless of where the organisation is headquartered.
Any organisation that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.
Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbour” clause.