Automate the ATO Process and Repair Configuration Errors as they Occur


In response to a host of cyberattacks on critical commercial and government systems, the Biden Administration signed an executive order mandating that the federal government improve its cybersecurity defenses. Broken into seven sections, it is a clear directive to strengthen cybersecurity requirements and increase the use of secure cloud services. While NIST and FedRAMP compliance requirements are expected to expand in response, agencies needn’t wait. Whether you are part of a federal, state, or local agency, you can begin automating cybersecurity compliance now.  
  
Traditionally, agencies have struggled with siloed security that lacks real-time visibility. Combined with an IT environment in a constant state of change, this makes it challenging to maintain continuous compliance with security controls and configurations, delaying the authority to operate (ATO) that comes from the security authorization process.

Cloud-based continuous compliance 

According to Gartner, “up to 95% of cloud breaches occur due to human errors such as configuration mistakes.” (For more on this, see our recent article, Avoiding Cloud Configuration Conundrums.) Clearly, despite best efforts, misconfiguration happens. To overcome this challenge, we offer clients the NTT DATA Trust Acceleration Platform (NTAP). It offers real-time automated security configuration, compliance with controls like NIST 800-53, and remediation to help ensure that configurations remain in their desired, compliant state.

Shared responsibility model 

Cloud platforms use a shared responsibility model for security. AWS, for example, states that it is responsible for security from the host OS and virtualization layer down, and users are responsible for everything from the guest OS up, including the firewall. With a tool like NTAP, agencies can proactively ensure that security controls are consistently followed, confirming continuous compliance for their portion of shared security.

Automated remediation 

NTAP provides rolling real-time compliance of the entire information system security controls ecosystem. NTAP addresses security silos with automation that enables most security tools to be unified under a single interface to simplify implementation, maintenance and costs. To do so, NTAP:
 
  • Inventories enterprise software and hardware, identifying and managing the correct configuration for each through a “fingerprint” approach. In addition to managing server configurations, IoT devices and employee laptops can be managed for configuration compliance.  

  • Manages configuration compliance using a rules-based management approach across the enterprise information systems landscape, including sub-information systems. Always-on monitoring (in agent or agentless mode) checks against baseline and customized security controls to ensure continuous compliance. These automated checks can ensure compliance with custom security controls and control regimes like FIPS and HIPAA, and have built-in support for NIST 800-53 and NIST 800-171.
     
  • Remediates non-compliant configurations automatically when found. Failed controls can also be reported for manual remediation. In this way, NTAP helps agencies avoid falling victim to breaches that take advantage of system misconfigurations.  
     
    For example, because it can be complicated to set up a properly configured AWS S3 bucket, users often make errors when configuring the service. The Department of Defense is just one of many organizations that have left their repositories open to the public due to misconfiguration errors. NTAP helps avoid configuration errors like these by identifying the proper configuration for such systems and managing configuration compliance to ensure system security.

  • Reports a real-time view of system compliance via customizable dashboards. Users can also create comprehensive reports available across roles (e.g. CIO, CISO, ISSO, Auditor, ISM, Sys Admin) showing compliance status. Reporting also supports comprehensive plan of action and milestone (POA&M) management. 

  • Drives real-time ATOs with a Digital System Security Plan (SSP).  
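
The check-against-baseline and remediate loop described in the list above, applied to the S3 bucket case, as an added example that is not NTAP code and not part of the original article. The rule IDs, the bucket record layout and the KMS encryption requirement are assumptions; the four PublicAccessBlock names are the real S3 settings, and no AWS call is made.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: str      # hypothetical local ID, not a NIST control number
    path: tuple       # key path into the bucket's configuration record
    desired: object   # value the baseline requires
    auto_fix: bool    # False: report only, left for manual remediation

BASELINE = [
    Rule("S3-01", ("PublicAccessBlock", "BlockPublicAcls"), True, True),
    Rule("S3-02", ("PublicAccessBlock", "IgnorePublicAcls"), True, True),
    Rule("S3-03", ("PublicAccessBlock", "BlockPublicPolicy"), True, True),
    Rule("S3-04", ("PublicAccessBlock", "RestrictPublicBuckets"), True, True),
    Rule("S3-05", ("Encryption", "SSEAlgorithm"), "aws:kms", False),  # assumed policy
]

def _get(config, path):
    for key in path:
        if not isinstance(config, dict) or key not in config:
            return None   # a missing setting counts as non-compliant
        config = config[key]
    return config

def _set(config, path, value):
    for key in path[:-1]:
        if not isinstance(config.get(key), dict):
            config[key] = {}
        config = config[key]
    config[path[-1]] = value

def enforce(config, baseline=BASELINE):
    """Check config against the baseline; fix what is allowed, report the rest."""
    remediated, manual = [], []
    for rule in baseline:
        if _get(config, rule.path) == rule.desired:
            continue                      # control passes, nothing to do
        if rule.auto_fix:
            _set(config, rule.path, rule.desired)
            remediated.append(rule.rule_id)
        else:
            manual.append(rule.rule_id)   # failed control for manual follow-up
    return remediated, manual

# Constructed sample: a bucket whose public-access settings have drifted.
bucket = {"PublicAccessBlock": {"BlockPublicAcls": True, "BlockPublicPolicy": False},
          "Encryption": {"SSEAlgorithm": "AES256"}}
```

Running `enforce(bucket)` a second time returns no remediations, which is the property a continuous check relies on: the fix is idempotent and only the manual item keeps being reported.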
     
NTAP Process Illustration

Gain system confidence  

Knowing that all your systems are in a known good state is invaluable. For example, at NTT DATA we built a cold chain tracking solution. It helps keep the COVID-19 vaccine at a required temperature of minus 18 to minus 70 degrees Celsius as it travels. The solution uses an IoT device equipped with a sensor tag that monitors the temperature of vaccine batches as they travel. NTT DATA created a custom configuration control for the IoT sensors, continuously tracking the sensor’s reported temperature and benchmarking it against the rule for required temperatures. Should the rule threshold be triggered, the system remediates it, ensuring the vaccine remains at the desired temperature. Historically, cold chain reporting was conducted upon arrival – when a shipment had potentially already spoiled. This solution helps prevent spoilage, ensuring more vaccine arrives safely at its destination.

Move to secure cloud 

The Biden Administration’s executive order requires federal agencies to accelerate their movement to the cloud to take advantage of secure cloud services. And indeed, state and local entities are embracing federal recommendations like this as a best practice to manage risk, moving more and more of their assets to the cloud.

Taking it one step further, leading agencies are automating the ATO process, achieving continuous configuration and security control compliance. In the process, they free human resources to focus on more strategic risk mitigation activities. While this level of automation can be achieved on-premises, it is best suited to the advanced automation enabled by the cloud – further supporting the goals of the executive order to increase the use of secure cloud services.

Pairing the extreme automation capabilities and security functionality of the cloud with ongoing configuration compliance allows you to build out an automated ATO process that keeps you in continuous control. Interested in learning more? Learn more here about safeguarding agency systems. 

 

Post Date: 07/26/2021

Noel Hara, NTT DATA Services

About the Author:

Noel Hara

Noel Hara is an experienced strategist who infuses technology solutions across the public sector to help solve the most challenging problems. As Chief Technology Officer with NTT DATA’s public sector, he blends over two decades of experience in the public and private sector with an insatiable curiosity for technology and applications. Since the start of the global pandemic, Noel has been responsible for adapting the company’s offering portfolio to support clients in their shift to remote working and learning while continuing to support constituents through the expansion of digital government.
