| Location: | Ohio |
|---|---|
| Posted: | Oct 23, 2025 |
| Due: | Dec 1, 2025 |
| Agency: | State Government of Ohio |
| Type of Government: | State & Local |
| Solicitation No: | SRC0000032348 |
| Solicitation ID: | SRC0000032348 |
| Solicitation Name: | BWC Audit Assignment and Tracking Application |
| Original Begin Date: | 10/23/2025 12:00:00 AM |
| Begin Date: | 10/23/2025 12:00:00 AM (ET) |
| End Date: | 12/1/2025 1:00:00 PM (ET) |
| Inquiry End Date: | 11/20/2025 8:00:00 AM |
| Commodity: | Software |
| MBE Set Aside: | MBE Set Aside |
| Agency: | DAS-Administrative Services, State Agencies |
| Solicitation Status: | Open for Bidding |
| Solicitation Type: | Request For Proposal (RFP) (Double Envelope) |
| Lot #: | 1 |
| Round #: | 1 |
| Summary: | The purpose of this RFP is to solicit proposals for the Ohio Bureau of Workers' Compensation (BWC) to provide an automated tracking, scheduling, and communication tool for premium audits. |

In an MBE set-aside solicitation, only bidders/suppliers with an active MBE certification at the time the solicitation closes can submit a response.

Process: OhioBuys training materials are available at https://das.ohio.gov/Divisions/General-Services/Procurement-Services/Ohio-Buys#5223485-training . To participate or submit an inquiry for this RFx, you need to be registered in the OhioBuys Supplier Portal. Suppliers are not required at this time to be registered in OAKS. If you need technical support, clearly state that you need access to an active OhioBuys solicitation. Technical Support: 1-877-644-6771
BWC Cloud Adoption/Usage Policy
1.0 Purpose
The purpose of this policy is to provide guidance for the adoption and usage of cloud services.
2.0 Scope
This policy applies to all BWC IT employees responsible for migrating systems and data to a cloud platform. It covers all external cloud services, e.g., cloud-based e-mail, document storage, Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS).
See the definitions in section 4.0 for what constitutes a cloud service. Private cloud services that BWC is mandated to consume, such as those provided by OIT, are not in scope for this policy; the goal is nonetheless to have as many of these requirements as possible met by those services, to minimize the risk to BWC systems and data.
3.0 Policy
Because adopting cloud services increases the risk of exposing BWC sensitive data, all cloud services must be scrutinized and approved by BWC IT Management and the Risk Management Office (RMO).
Additional controls must be implemented to mitigate that risk. If any of the requirements below is not met, the RMO will conduct a formal review to determine the risk of not meeting it and will recommend compensating controls to be implemented prior to adoption. Adoption is allowed only after the recommended compensating controls have been implemented and BWC IT Management and the RMO have formally approved it.
The following are the requirements which cloud services must meet to be recommended for adoption:
3.1 Requirements for adopting cloud services
In addition to adhering to the requirements laid out in state security standard ITS-SEC-02, the following requirements apply to adopting cloud services regardless of the sensitivity of the data the service will hold.
Requirement 1): All cloud services chosen by BWC must comply with the Governor's Executive Order 2019-12D governing the expenditure of public funds for offshore services
Any cloud service adopted by BWC must comply with the above executive order, which requires all data stored and/or processed by a cloud service to reside on US soil. For details, see the executive order itself.
Requirement 2): Only solutions hosted on a Tier 3 or equivalent cloud provider that holds FedRAMP, StateRAMP, HITRUST or a similar certification based on NIST SP 800-53 will be approved for adoption
A security certification for cloud products based on the NIST SP 800-53 control catalog, which is required of all federal entities, provides a consistent level of assurance for the protection of sensitive data and computing resources.
BWC prefers that the entire vendor solution hold FedRAMP, StateRAMP, HITRUST, or a similar certification based on NIST SP 800-53. If the entire solution is not certified, the vendor must instead submit a SOC 2 Type 2 audit report annually. When reviewing that report, confirm that its scope covers the components that will hold BWC data and that the report period is current.
Requirement 3): Control privileged accounts used to manage the service configuration
BWC shall ensure proper protection of the accounts used to configure, update and manage cloud services. All such accounts shall be secured in BWC's PAM tool (i.e. Password Vault) and their passwords shall be rotated frequently. If the cloud service provides its own PAM solution designed to better control access to and usage of privileged accounts, that may be adopted as an alternative. The RMO should be consulted to determine a rotation frequency that supports compliance standards and minimizes the risk of password compromise.
3.2 Requirements for adopting cloud services which will store, process and/or transmit sensitive data
In addition to the requirements listed above the following additional requirements will apply when sensitive data will be stored, processed and/or transmitted in a cloud service.
Requirement 1): Implement FIPS 140-2 or greater validated encryption for data in transit and at rest
Public cloud services are shared environments: data stored there is often intermingled with that of other third parties, and it is exposed to a much broader set of administrators. Because of this broader exposure, BWC shall ensure that data stored in cloud services is encrypted using cryptographic modules validated to FIPS 140-2 or later. Historically, attacks on encryption key management have been far more successful than attacks on the encryption algorithms themselves, so key management and key storage must be emphasized. Where possible, choose a key management arrangement in which the cloud provider has no access to the encryption keys; provider-managed keys protect against a lost disk but not against a compromise of the provider's own control plane. With keys held outside the provider, a breach of the provider would not result in a breach of BWC data, because the attacker obtains only ciphertext and the keys are not available to them.
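To make the key-management point of this requirement concrete, the following Go program is an added example (it is not part of the BWC policy, nor code from any BWC or vendor system). It performs client-side envelope encryption: each object gets a fresh AES-256-GCM data key, that data key is wrapped under a key-encryption key (KEK) that never leaves BWC's control, and the object identifier is bound as associated data so a wrapped key cannot be swapped between objects. The provider stores only the ciphertext and the wrapped key; the example then shows that a breached provider holding everything it stores, but not the KEK, cannot recover the plaintext. The KEK, object ID and record contents are constructed for the demonstration; in production the KEK would live in a BWC-controlled HSM or key management service. Go's standard crypto/aes and crypto/cipher are used for the arithmetic; whether that module counts as FIPS-validated depends on how the toolchain is built, which this example does not settle.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredObject is everything the cloud provider holds. The KEK is never part of it.
type StoredObject struct {
	Nonce      []byte // GCM nonce used to encrypt the object
	Ciphertext []byte // AES-256-GCM ciphertext with the tag appended
	KeyNonce   []byte // GCM nonce used to wrap the data key
	WrappedKey []byte // per-object data key encrypted under the KEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a random nonce, binding aad as associated data.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// open decrypts and authenticates; any key, nonce, tag or aad mismatch fails.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt is client-side envelope encryption: fresh 256-bit data key per object,
// wrapped under the caller's KEK. objectID is bound to both layers as aad.
func Encrypt(kek []byte, objectID string, plaintext []byte) (StoredObject, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return StoredObject{}, err
	}
	nonce, ct, err := seal(dataKey, plaintext, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	keyNonce, wrapped, err := seal(kek, dataKey, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Nonce: nonce, Ciphertext: ct, KeyNonce: keyNonce, WrappedKey: wrapped}, nil
}

// Decrypt unwraps the data key with the KEK and then decrypts the object.
// Without the correct KEK (or with the wrong objectID) the unwrap step fails.
func Decrypt(kek []byte, objectID string, obj StoredObject) ([]byte, error) {
	dataKey, err := open(kek, obj.KeyNonce, obj.WrappedKey, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, obj.Nonce, obj.Ciphertext, []byte(objectID))
}

func main() {
	// Constructed sample: this KEK stands in for a key held in BWC-controlled key management.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	record := []byte("claim 12345: premium audit scheduled 2025-11-03") // constructed record
	obj, err := Encrypt(kek, "audits/12345", record)
	if err != nil {
		panic(err)
	}
	// What a breached provider sees: no plaintext in the stored object.
	fmt.Println("plaintext visible in stored object:", bytes.Contains(obj.Ciphertext, record))
	// A provider-side attacker guessing a KEK gets an authentication failure, not data.
	_, err = Decrypt(make([]byte, 32), "audits/12345", obj)
	fmt.Println("decrypt with wrong KEK failed:", err != nil)
	pt, err := Decrypt(kek, "audits/12345", obj)
	fmt.Println("BWC decrypts with its own KEK:", err == nil && bytes.Equal(pt, record))
}
```

The per-object data key means that rotating the KEK only requires re-wrapping the small WrappedKey values, not re-encrypting every object, which is what makes frequent KEK rotation practical.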
Requirement 2): Implement Enhanced Authentication Services where BWC sensitive data is exposed to the Internet
Because public cloud services expose BWC sensitive data to a much broader audience, Enhanced Authentication should be evaluated and implemented to mitigate that risk (see section 4.0 for the definition of Enhanced Authentication). Properly implemented, it helps prevent sensitive data from being exposed to unauthorized parties.
Requirement 3): Utilize a site-to-site VPN to restrict access to BWC sensitive data where feasible
Where possible, BWC shall use a site-to-site VPN to manage access to the cloud provider. In scenarios where BWC itself updates the configuration and data placed in the cloud service, a site-to-site VPN better protects the BWC data stored and managed there.
Requirement 4): Restrict access to BWC data stored, processed or transmitted in cloud services to the minimum audience required to meet business need
Where sensitive data does not need to be exposed to the whole Internet, access to it shall be restricted using IP restrictions, country restrictions or any other access restriction tools the cloud service provides. Allowing the whole Internet to potentially reach BWC data shall be approved only where no other option is available.
Requirement 5): Ensure all administrative channels utilize MFA to protect access to BWC sensitive data stored, processed or transmitted in cloud services
BWC shall ensure that cloud services are configured to require MFA (multifactor authentication) for any access used to administer settings or upload sensitive data.
Requirement 6): Vendors shall be required to carry cyber liability insurance commensurate with the risk level to BWC
See the DAS Office of Risk Management's recommendations for minimum coverage and for legal language to include in the contract.
4.0 Definitions
Cloud Service/Cloud Computing: On-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user. The term is generally used to describe data centers available to many users over the Internet. This includes data centers providing these services as part of an application offering, or a cloud computing organization providing fee-based Platform as a Service (PaaS), Software as a Service (SaaS) or Infrastructure as a Service (IaaS) computing environments. For the purpose of this policy, BWC defines any of the above computing environments into which BWC systems and data would be migrated as a cloud computing service. (1)
Software as a Service: Software as a service is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted via the Internet. (2)
Platform as a Service: A category of cloud computing services that provides a platform allowing organizations to develop, run, and manage applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an application. (3)
Infrastructure as a Service: Online services that provide high-level APIs which abstract away various low-level details of the underlying infrastructure, such as physical computing resources, location, data partitioning, scaling, security and backup. (4)
Enhanced Authentication Service: A category of security features that use multiple signals to better validate the identity of a subject. Examples are IP location services (where you are located), client fingerprinting (identifying and remembering your client) and additional factors such as physical tokens or single-use PINs sent via e-mail or phone.
MFA (Multifactor Authentication): An authentication technique in which multiple identifying factors are used to positively validate a subject. The factors are: A) something you know, such as a password; B) something you are, such as a fingerprint or retinal scan; and C) something you have, such as a physical token or one-time password generator.
FIPS 140-2: Federal Information Processing Standard Publication 140-2 is a U.S. government computer security standard used to validate cryptographic modules. Put simply, it is a federally mandated program to evaluate and approve cryptographic technology for use in federal agencies. (5) It has since been superseded by FIPS 140-3, which is what the "or greater" in section 3.2, requirement 1 allows for.
FedRAMP: The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP prescribes the security requirements and process cloud service providers must follow for the government to use their service. (6)
StateRAMP: A consortium of cybersecurity officials across the public and private sectors who have come together to "promote cybersecurity best practices through education, advocacy, and policy development." Formed in late 2020, the organization is charged with assisting state and local governments in vetting third-party vendors' cyber and cloud security posture. It bases its methodology on the FedRAMP framework, which allows state and local governments, who cannot act as federal sponsors for cloud service providers, to authorize vendors that do not work with federal agencies using a baseline that follows the federal example. (7)
HITRUST: The HITRUST CSF (Common Security Framework) is the leading information security framework for the healthcare industry. According to the Health Information Trust Alliance, the HITRUST CSF was developed to address the multitude of security, privacy and regulatory challenges facing healthcare organizations through a comprehensive and flexible framework of prescriptive and scalable security controls. (8)
The CSF incorporates federal and state regulations, standards, and frameworks, and takes a risk-based approach that provides specific criteria for assessing the protection of confidentiality, integrity, and availability of information systems, all particularly relevant to healthcare.
NIST SP 800-53 (National Institute of Standards and Technology Special Publication 800-53): Provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security. It is published by the National Institute of Standards and Technology, a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and in managing cost-effective programs to protect their information and information systems.
Revision History
Version 1 – Initial draft 01/2020; draft revised again with input from RMO 7/2020 and again from IT management 8/1/2020
Version 1.1 – Updated to include the Governor's Executive Order 2019-12D, clarifications that mandated private cloud adoption is not in scope, and clarifications on the necessity of requirement 2 (Tier 3/FedRAMP) 10/20/2020 – Posted to the IT Policy site 11/02/2020
Version 1.2 – Nov 2021, RMO annual update, grammar fix to scope (example cloud services), and additional minor grammar changes
Version 1.3 – July 2022, RMO update to include additional standards accepted for adopting cloud services
Version 1.4 – August 2022, RMO update to better reflect requirements for all flavors of cloud
Version 1.5 – Nov 2022, RMO annual update, no changes
Version 1.6 – Nov 2023, RMO annual update, added the phrase "or greater" in 3.2 requirement 1, no further changes
5.0 Approval
Andy Robson, Manager, IT Risk Management Office