Achieving CJIS Compliance

EXECUTIVE SUMMARY

Commvault provides software and services that have been designed with security and compliance throughout: secure user access; secure communication between software components; and the security of knowing your data is protected and accessible. This paper discusses the importance of achieving and maintaining Criminal Justice Information Services (CJIS) security compliance and how Commvault® software can be used in CJIS security initiatives to address incident response, data backup and storage, access control, auditing and accountability, identification and authentication, media protection, systems and communications protection, information integrity, formal audits, and mobile devices.

The FBI Criminal Justice Information Services Division provides services and data to various government bodies at the federal, state, and local level as well as to commercial entities and the public. This division publishes a set of guidelines outlined in CJISD-ITS-DOC-08140-5.4, titled Criminal Justice Information Services (CJIS) Security Policy, which is designed to protect criminal justice information (CJI). The latest version (5.4) of the CJIS Security Policy is dated October 6, 2015, and describes its purpose:

“The CJIS Security Policy provides Criminal Justice Agencies (CJA) and Noncriminal Justice Agencies (NCJA) with a minimum set of security requirements for access to Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) Division systems and information and to protect and safeguard Criminal Justice Information (CJI). This minimum standard of security requirements ensures continuity of information protection. The essential premise of the CJIS Security Policy is to provide the appropriate controls to protect CJI, from creation through dissemination; whether at rest or in transit. The CJIS Security Policy integrates presidential directives, federal laws, FBI directives, the criminal justice community’s Advisory Policy Board (APB) decisions along with nationally recognized guidance from the National Institute of Standards and Technology (NIST) and the National Crime Prevention and Privacy Compact Council (Compact Council).”

The CJIS Security Policy defines 13 key policy areas. Although not meant to be a comprehensive guide to CJIS compliance, this whitepaper suggests focus considerations while outlining Commvault software’s capabilities and features that map to areas of CJIS policy and can be used by customers in CJIS compliance initiatives. Note that there is no CJIS certification process provided by the FBI for either software or systems, and not all customers will be subject to every policy area.
CJIS Policy Areas:
• Policy Area 1—Information Exchange Agreements
• Policy Area 2—Security Awareness Training
• Policy Area 3—Incident Response
• Policy Area 4—Auditing and Accountability
• Policy Area 5—Access Control
• Policy Area 6—Identification and Authentication
• Policy Area 7—Configuration Management
• Policy Area 8—Media Protection
• Policy Area 9—Physical Protection
• Policy Area 10—Systems and Communications Protection and Information Integrity
• Policy Area 11—Formal Audits
• Policy Area 12—Personnel Security
• Policy Area 13—Mobile Devices

A HOLISTIC APPROACH TO DATA AND INFORMATION MANAGEMENT

Among policy areas covering processes, training, physical security considerations, and other measures, proper handling of CJIS data includes managing storage, backup and archiving, availability, access controls, auditing, reporting, encryption, information governance and retention, as well as sanitized deletion. A holistic approach to overall data and information management can help organizations avoid procuring and managing multiple point solutions, reducing complexity and costs while easing administrative burdens. The latest version of the CJIS Security Policy recognizes that technological innovations will continue to occur, and encourages a flexible approach to architecture which can evolve and adapt while maintaining appropriate controls over data and services provided by CJIS.

COMMVAULT SOLUTION OVERVIEW

The Commvault® software is an enterprise-level, integrated data and information management solution, built from the ground up on a single platform and unified code base. All functions share the same back-end technologies to deliver the advantages of a truly holistic approach to protecting, managing, and accessing data. The software contains modules to protect and archive, analyze, replicate, and search your data, which all share a common set of back-end services and advanced capabilities and interact with one another. This addresses all aspects of data management in the enterprise while providing scalability and control of data and information.

Production data is protected by installing agent software on the physical or virtual hosts; the agents use operating system or application native APIs to protect data in a consistent state. Production data is processed by the agent software on client computers and backed up through a data manager to disk, tape, or cloud storage. All data and information management activity in the environment is tracked by a centralized server and can be managed by administrators through a central user interface. End users can access protected data using web browsers or mobile devices.

Key features of the software platform:
• Flexible encryption technology certified to the Federal Information Processing Standards (FIPS) 140-1 and 140-2; administrators control when and where encryption happens and can ensure that data cannot be decrypted inappropriately.
• Complete data protection solution supporting all major operating systems, applications, and databases on virtual and physical servers, NAS shares, cloud-based infrastructures, and mobile devices.
• Simplified management through a single console: view, manage, and access all functions and all data and information across the enterprise.
• Multiple protection methods including backup and archive, snapshot management, replication, and content indexing for eDiscovery.
• Efficient storage management using deduplication for disk and tape.
• Integration with the industry’s top storage arrays to automate the creation of indexed, application-aware hardware snapshot copies across multi-vendor storage environments.
• Complete virtual infrastructure management supporting both VMware and Hyper-V.
• Advanced security capabilities to limit access to critical data, provide granular management capabilities, and provide single sign-on access for Active Directory users.
• Policy-based data management, transcending the limitations of legacy backup products by managing data based on business needs and not physical location.
• End-user experience that empowers users to protect, find, and recover their own data using common tools such as web browsers, Microsoft Outlook, and File Explorer.
• Third-party screen readers can be used with the Web Console, Admin Console, and Command Line Interface.

SECURITY OVERVIEW

Commvault software securely protects data and information, whether it is on premises, at the edge, or in the cloud. Security is built into the platform to secure data on desktops or laptops, in the office or on the road, at rest or in flight, using efficient encryption, granular and customizable access controls for content and operations, role-based security, single sign-on, alerting, and audit trails. Protected data is stored efficiently in a virtual repository of all managed information. These controls reduce privacy breaches and exposure events, and reduce costs by securing stored data efficiently. Commvault was one of the first data and information management vendors certified for the U.S. DoD/Canadian DND FIPS encryption accreditation for information security. Data protection is our highest priority. Security is built into every step of our data management services, from an end user’s computer all the way to backup storage. Use our security features and administrative tools to enhance your own data security plan and ensure that your data is kept private and safe from unauthorized users.


User Security

Two-Factor Authentication: When Two-Factor Authentication is activated, users must enter a 6-digit PIN (Personal Identification Number) along with their passwords to access the central server environment.

Role-Based Security: A role is a collection of permissions. Administrators assign a role to a user (or user group) on an entity, creating a three-way security association between the user, the role, and the entity. Roles can be assigned to any external or internal user or user group.

Integration with Microsoft Active Directory and IBM Domino Directory Services: Administrators can manage a single set of users through integration with external directory services. Commvault roles and entities can be assigned directly to an Active Directory external group or user.

Integration with Social Media Provider: End users who log on to the Web Console can be authenticated by a social media provider; for example, a user can log on by using credentials from a Google account.

SAML Support: Security Assertion Markup Language (SAML) is an XML-based open standard that allows Web Console users to be authenticated by an Identity Provider (IdP). With SAML, each user has a single identity and a single sign-on that covers all applications. A SAML User Registration Workflow is available to create user names in the CommServe database.

Owners: Assigning client owners simplifies laptop security. Administrators can set security for all client owners at once by assigning client owner permissions, and can also set client owner security at the client computer group and client levels.

Privacy: The Privacy feature prevents users and administrators who are not client owners from seeing the data on the client, which can help support managed cloud environments where access to information needs to be restricted at all times.

Data Encryption:
  Software: The Commvault software supports both online (client to media) and offline (media to media) data encryption. For online encryption of data that transits a network, the location where the encryption takes place is configurable.
  Hardware: Commvault software supports tape devices with built-in encryption. The tape device must expose the controls needed to enable its encryption capabilities and to set the encryption properties on the drive.
  Key management: Commvault technology provides encryption key management services for its software encryption ciphers and for supported encryption-enabled hardware devices. You can provide additional protection for Commvault encryption keys by using SafeNet before storing the keys.
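The three-way association (user or group, role, entity), client owners, and the Privacy feature described above can be modelled in a few dozen lines. The following is an added example written for this page and is not Commvault’s code: the role names and permission names, the patrol-laptop client computer group, its client, the Active Directory group and the user names are all constructed for the demonstration. It shows the two lookups an authorization check has to make (group membership on the principal side, the client-group hierarchy on the entity side) and how Privacy overrides a role that would otherwise grant data access.

```python
"""Illustrative model of the user / role / entity security association, client
owners and the Privacy feature. Added example, not Commvault code; every name
below is constructed for the demonstration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset


@dataclass(eq=False)
class Entity:
    """A client or a client computer group; a client's parent is its group."""
    name: str
    parent: "Entity | None" = None
    owners: set = field(default_factory=set)   # client owners
    private: bool = False                       # Privacy feature enabled


class SecurityModel:
    def __init__(self):
        self.group_members = {}   # directory group (e.g. an AD group) -> set of users
        self.associations = []    # (principal, role, entity) triples

    def add_member(self, group, user):
        self.group_members.setdefault(group, set()).add(user)

    def associate(self, principal, role, entity):
        """Create the three-way association: principal + role + entity."""
        self.associations.append((principal, role, entity))

    def principals_for(self, user):
        """The user plus every group the user belongs to."""
        groups = {g for g, members in self.group_members.items() if user in members}
        return {user} | groups

    @staticmethod
    def lineage(entity):
        """The entity and its enclosing groups, innermost first."""
        while entity is not None:
            yield entity
            entity = entity.parent

    def is_allowed(self, user, permission, entity):
        # Privacy: data on a private client is visible only to its owners, even
        # to administrators whose roles would otherwise grant "view_data".
        if permission == "view_data" and entity.private and user not in entity.owners:
            return False
        principals = self.principals_for(user)
        # A role granted on a client computer group applies to the clients in it.
        for target in self.lineage(entity):
            for principal, role, assoc_entity in self.associations:
                if assoc_entity is target and principal in principals \
                        and permission in role.permissions:
                    return True
        return False


def build_demo():
    """Constructed scenario: a patrol-laptop group containing one private laptop."""
    m = SecurityModel()
    master = Role("Master", frozenset({"backup", "restore", "view_data", "erase"}))
    operator = Role("Backup Operator", frozenset({"backup", "restore"}))
    owner = Role("Client Owner", frozenset({"backup", "restore", "view_data"}))

    patrol = Entity("patrol-laptops")                                   # client computer group
    unit7 = Entity("unit7-laptop", parent=patrol, owners={"officer7"}, private=True)

    m.associate("officer7", owner, unit7)                 # client owner permissions on the client
    m.add_member("CJIS-Backup-Admins", "alice")           # alice is known only through an AD group
    m.associate("CJIS-Backup-Admins", operator, patrol)   # role assigned to the AD group on the group entity
    m.associate("bob", master, patrol)                    # bob administers the whole group
    return m, patrol, unit7


def demo_results():
    m, patrol, unit7 = build_demo()
    return {
        "alice_backup_unit7": m.is_allowed("alice", "backup", unit7),        # via AD group + client group
        "alice_view_unit7": m.is_allowed("alice", "view_data", unit7),       # operator role lacks view_data
        "bob_erase_unit7": m.is_allowed("bob", "erase", unit7),              # Master on the group
        "bob_view_unit7": m.is_allowed("bob", "view_data", unit7),           # Privacy: bob is not an owner
        "officer7_view_unit7": m.is_allowed("officer7", "view_data", unit7), # owner
        "officer7_erase_unit7": m.is_allowed("officer7", "erase", unit7),    # owner role lacks erase
        "carol_backup_patrol": m.is_allowed("carol", "backup", patrol),      # no association at all
    }


if __name__ == "__main__":
    for check, allowed in demo_results().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

Note that the Privacy check runs before any role lookup: an administrator holding a Master role on the group can still erase or restore the private laptop’s data, but cannot browse it, which is the behaviour the feature description above promises.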


Endpoint Data Security:
  Client certificates: Client certificates are used to authenticate connections between client computers and the CommServe host. The authentication process establishes and confirms the identity of the client attempting to connect to the CommServe host during installation.
  Data Loss Prevention: DLP locks files on a laptop and requires a passkey to open the locked files. If the laptop is lost or stolen, this prevents unauthorized access to the data.
  Secure Erase: Protect sensitive data on laptops by specifying files to be erased if the laptop has been offline, without connectivity to the backup server host, for a specified number of days, or if a computer marked as lost or stolen is turned on and connects to the backup server host.

Network Security:
  Network password: The centralized server network password is an internal security measure used to ensure that communications occur only between the networked computers of the environment. By default, the software assigns each computer in the network a different password.
  Encrypted challenge and reply: All communication between the centralized server and clients uses an encrypted challenge-and-reply exchange to validate the hosts involved.
  Firewall support: Components separated by a firewall can be configured to use authorized ports and connection routes (inbound, outbound, and two-way) through the firewall to communicate and perform data management operations.
  Third-party port mapping: In addition to the firewall routes configured in your protected environment, you can establish connectivity between the centralized server and third-party ports using existing firewall tunnels. These ports are used by third-party applications and are not configured with the Commvault firewall access feature.

Data Security:
  Media password: The media password prevents unauthorized access to data on removable media when external recovery tools are used to restore it. This ensures that only the originating, licensed environment can recover the data.
  Erase Data: The Erase Data feature allows you to permanently erase any data that has been backed up. Erasure may be necessary to meet compliance requirements or to remove an unauthorized or inadvertent copy of the data. You can erase folders, files, mailboxes, folders in a mailbox, messages within a folder, and attachments.

Monitoring:
  Audit trail: Administrators can track the operations of users who have access to the environment. This capability is useful for determining the source of a detrimental operation performed in the environment.
  Log monitoring: The Log Monitoring tool monitors system events, user operations, logs, and analytic information for trend analysis and automated, centralized reporting as may be required for compliance. Auditors and administrators can customize what, where, and how often information is collected and can monitor the results from a single point of view, which makes it easier to spot patterns that require attention.
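The encrypted challenge-and-reply exchange summarized under Network Security can be illustrated as a keyed challenge-response handshake between the central server and a client. The following Python example is added here and is not Commvault’s protocol or code: it assumes an HMAC-SHA256 reply computed over a random challenge and keyed with the per-host network password, and the host names and passwords are constructed for the run. It shows the three outcomes a practitioner wants to check: a genuine client validates in both directions, a host that spoofs a client’s name without its password is rejected, and a captured reply cannot be replayed because each challenge is consumed on first use.

```python
"""Illustrative encrypted challenge-and-reply exchange between a central
server and a client that share a per-host network password. Added example;
not Commvault's wire protocol. Host names and passwords are constructed."""
import hashlib
import hmac
import secrets


class Host:
    def __init__(self, name, passwords):
        self.name = name
        self.passwords = passwords   # peer name -> network password shared with that peer
        self.pending = {}            # peer name -> challenge issued and not yet verified

    def issue_challenge(self, peer):
        """Fresh 256-bit random challenge, remembered so it can be used exactly once."""
        nonce = secrets.token_bytes(32)
        self.pending[peer] = nonce
        return nonce

    @staticmethod
    def _transcript(challenger, responder, nonce):
        # Bind both identities and the direction into the MACed message so a
        # reply cannot be reflected back at its sender or reused for another peer.
        return b"reply|" + challenger.encode() + b"|" + responder.encode() + b"|" + nonce

    def answer(self, challenger, nonce):
        """Prove knowledge of the password shared with `challenger`."""
        key = self.passwords[challenger]
        return hmac.new(key, self._transcript(challenger, self.name, nonce), hashlib.sha256).digest()

    def verify(self, peer, reply):
        """Check a reply to the challenge we issued to `peer`; the challenge is consumed."""
        nonce = self.pending.pop(peer, None)
        key = self.passwords.get(peer)
        if nonce is None or key is None:          # unknown peer, or no outstanding challenge (replay)
            return False
        expected = hmac.new(key, self._transcript(self.name, peer, nonce), hashlib.sha256).digest()
        return hmac.compare_digest(expected, reply)


def mutual_validate(server, client):
    """Both sides challenge each other; the session proceeds only if both replies verify."""
    c1 = server.issue_challenge(client.name)
    client_ok = server.verify(client.name, client.answer(server.name, c1))
    c2 = client.issue_challenge(server.name)
    server_ok = client.verify(server.name, server.answer(client.name, c2))
    return client_ok and server_ok


def run_scenarios():
    """Constructed hosts: a genuine client, a rogue host spoofing its name, and a replay."""
    client_password = secrets.token_bytes(32)          # assigned to client01 at installation
    commserve = Host("commserve", {"client01": client_password})
    client = Host("client01", {"commserve": client_password})
    rogue = Host("client01", {"commserve": secrets.token_bytes(32)})   # right name, wrong password

    results = {
        "genuine_client": mutual_validate(commserve, client),
        "rogue_client": mutual_validate(commserve, rogue),
    }
    # Replay: a captured reply is accepted once and rejected when resubmitted.
    nonce = commserve.issue_challenge("client01")
    captured = client.answer("commserve", nonce)
    results["first_use"] = commserve.verify("client01", captured)
    results["replayed"] = commserve.verify("client01", captured)
    return results


if __name__ == "__main__":
    for scenario, ok in run_scenarios().items():
        print(f"{scenario}: {'validated' if ok else 'rejected'}")
```

The per-host password is what makes the exchange meaningful: because each computer in the network holds a different password, a host that knows the name of a legitimate client but not its password produces a reply that fails `hmac.compare_digest`, and the server never learns anything from the attempt beyond the failed validation.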


DATA ENCRYPTION OVERVIEW

Data Encryption provides the ability to encrypt data both for transmission over non-secure networks and for storage on media. The flexibility of key management schemes makes data encryption useful in a wide variety of configurations. The following data encryption methods are provided:
• Software encryption allows you to encrypt data during backup jobs, auxiliary copy jobs, and data replication jobs.
• Hardware encryption allows you to encrypt data on tape drives that have built-in encryption capabilities.

With any of the encryption methods, keys are always stored in the server database. Optionally, you can also store keys on the media. This is useful when external tools such as Media Explorer are used to recover data from the media; note that keys stored on the media are then protected only by the media password that gates those external recovery tools (see Data Security above), so that password must be managed with the same care as the keys themselves.

Commvault® Software Encryption Support

Blowfish
  Block size: 64 bits   Performance rating*: 10.00   Key length options: 128, 256 bits
  Symmetric key block cipher. Fast (fastest of the ciphers supported). Secure, with two caveats: Blowfish was not an Advanced Encryption Standard finalist (Twofish, from the same designer, was), and its 64-bit block size limits the volume of data that should be encrypted under one key (see the note on block size below).

GOST
  Block size: 64 bits   Performance rating*: 8.00   Key length options: 256 bits
  Symmetric key block cipher (GOST 28147-89); 64-bit block size.

Serpent
  Block size: 128 bits   Performance rating*: 8.00   Key length options: 128, 256 bits
  Symmetric key block cipher. Very secure; designed with a larger security margin than AES. Finalist in the Advanced Encryption Standard contest.

AES (Advanced Encryption Standard) or Rijndael
  Block size: 128 bits   Performance rating*: 7.00   Key length options: 128, 256 bits
  Symmetric key block cipher. Fast. Secure. Winner of the Advanced Encryption Standard contest and adopted as the U.S. government standard (FIPS 197); the cipher the National Security Agency approves for protecting Top Secret information (at the 256-bit key length). Used as AES-256 in CBC mode.

Twofish
  Block size: 128 bits   Performance rating*: 4.00   Key length options: 128, 256 bits
  Symmetric key block cipher. Fast. Secure. Not standardized. Finalist in the Advanced Encryption Standard contest.

3-DES (Triple Data Encryption Standard)
  Block size: 64 bits   Performance rating*: 1.50   Key length options: 192 bits
  Symmetric key block cipher. Slow. May be susceptible to certain attacks; like the other 64-bit block ciphers in this table, it should not be used for large data volumes under a single key.

* Relative rating from the original table; higher is faster.

Note on block size and FIPS mode: of the ciphers listed, only AES and 3-DES are NIST-approved algorithms, so a deployment that must operate in FIPS 140-2 mode should select AES. Independently of approval status, a 64-bit block cipher (Blowfish, GOST, 3-DES) in CBC mode reaches the birthday bound after about 2^32 blocks, which is 32 GiB of data under one key, well within the size of a single backup job; a 128-bit block cipher such as AES is the appropriate choice for backup data.
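The block size column of the table has a practical consequence that the table itself does not spell out: in CBC mode, two equal ciphertext blocks under the same key reveal the XOR of the corresponding plaintext blocks, and the chance of such a collision grows with the square of the number of blocks encrypted. The following Python example is an added analysis, not part of the original paper; it applies the standard birthday bound to the block sizes listed above and treats a 2^-20 collision probability as an assumed per-key policy threshold (not a Commvault setting), then reports how much data each cipher can carry under one key and whether a 1 TiB backup job would need key rotation.

```python
"""Per-key data-volume check derived from the block sizes in the cipher table.
Added analysis, not from the original paper: the standard birthday bound for
block ciphers in CBC mode, applied to the listed block sizes. The 2**-20
threshold is an assumed policy value, not a Commvault setting."""
import math

# Block size in bits for each cipher in the table above.
BLOCK_BITS = {
    "Blowfish": 64, "GOST": 64, "Serpent": 128,
    "AES": 128, "Twofish": 128, "3-DES": 64,
}

MAX_COLLISION_PROBABILITY = 2.0 ** -20   # assumed per-key risk budget


def collision_probability(block_bits, data_bytes):
    """Probability that two ciphertext blocks collide when `data_bytes` are
    encrypted under one key with an n-bit block cipher in CBC mode:
    p ~= 1 - exp(-k**2 / 2**(n+1)) for k = data_bytes / (n/8) blocks.
    In CBC a collision leaks the XOR of the two corresponding plaintext blocks."""
    blocks = data_bytes / (block_bits // 8)
    return -math.expm1(-(blocks ** 2) / 2.0 ** (block_bits + 1))


def max_bytes_per_key(block_bits, max_probability=MAX_COLLISION_PROBABILITY):
    """Largest volume that keeps the collision probability at or below
    `max_probability` (the formula above solved for the block count k)."""
    blocks = math.sqrt(-math.log1p(-max_probability) * 2.0 ** (block_bits + 1))
    return blocks * (block_bits // 8)


def assess(cipher, data_bytes):
    """Verdict for encrypting `data_bytes` under a single key with `cipher`."""
    bits = BLOCK_BITS[cipher]
    p = collision_probability(bits, data_bytes)
    return {
        "cipher": cipher,
        "block_bits": bits,
        "collision_probability": p,
        "max_bytes_per_key": max_bytes_per_key(bits),
        "key_rotation_needed": p > MAX_COLLISION_PROBABILITY,
    }


if __name__ == "__main__":
    one_tib = 2 ** 40   # a single large backup job, used as the sample volume
    for name in BLOCK_BITS:
        v = assess(name, one_tib)
        print(f"{name:8s} {v['block_bits']:3d}-bit block: p(collision in 1 TiB) = "
              f"{v['collision_probability']:.3g}, max per key = "
              f"{v['max_bytes_per_key'] / 2 ** 20:,.0f} MiB, "
              f"rotate key: {v['key_rotation_needed']}")
```

Under the assumed threshold the 64-bit block ciphers are limited to a few tens of megabytes per key, while the 128-bit block ciphers can carry hundreds of petabytes, which is why the block size column, not only the key length column, decides which entries in the table are suitable for backup data.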


DATA STORAGE, REPLICATION, BACKUP & ARCHIVING

Commvault offers a singular code base for “cradle to grave” information lifecycle management. Data is collected from primary storage systems for backup and recovery, with the ability to apply granular retention policies to archive and retain less frequently accessed data on any tier of storage, including cloud providers. Information is protected at rest and in motion through several methods, which may be combined to enhance security.

CLOUD CONSIDERATIONS

Consumers of CJIS data are not prohibited from utilizing cloud providers, as long as those providers can meet the requirements of the CJIS Security Policy. Appendix G.3 of CJISD-ITS-DOC-08140-5.4 explains cloud services and addresses the areas of policy that must be considered when cloud computing is utilized. Microsoft Government Cloud and Amazon Web Services are two examples of providers with experience in CJIS. Because there is no FBI certification process, cloud providers typically provide letters of attestation, essentially self-certifying CJIS compliance; the agency consuming the service remains responsible for confirming that the provider’s controls satisfy the policy areas that apply to it. Commvault offers deployment scenarios onsite, offsite (cloud or dedicated hosted environments), and in hybrid modes, including native integration with both Amazon AWS and Microsoft Azure. Because security and encryption are built into Commvault software, the same access controls and encryption apply to CJIS data in each of these deployment models.

LAPTOPS Laptops are frequently used by the law enforcement community to access CJIS data. A common implementation is laptops installed in patrol cars with wireless access to CJIS provider systems. Policy requires encryption of the data on the laptops. Commvault endpoint data protection can be deployed to enable document encryption, synchronization of files, laptop backup, secure file sharing, remote data wiping, and location services.

MOBILE DEVICES

As technology progresses, the category of mobile devices continues to grow to include smartphones, tablet computers, and smartwatches. The portability of these devices makes physical security a challenge. Mobile device management must take into consideration password or PIN access controls, device encryption, and encryption of data on removable memory devices such as microSD cards and USB drives. Commvault offers apps for iOS, Android, and Windows systems that enable users of mobile devices to download, share, and upload document files, images, and videos. The apps also allow users to access data that is backed up, synchronized, or shared by other users of Commvault software from desktops, laptops, and file servers. Multiple layers of security include SSL/TLS encryption of data in transit, deletion of app data by default when the app is closed, and other features.

REPORTING AND ANALYTICS A primary element of CJIS Security Policy is the ability to monitor and track information access. Who was able to access what information when? Where is information stored? How is the information lifecycle managed? Routine monitoring as well as formal audits are essential to any security protocol. Commvault offers a large number of reports that can be used to audit information lifecycle management including data backups, restores, searches, and access as well as configuration monitoring. These reports can be accessed through a variety of methods including web browser and email. Thresholds and alerts can be configured for operation monitoring and actionable intelligence.

CONCLUSION Achieving CJIS compliance can be challenging and expensive for organizations. Processes and procedures must be accompanied by appropriate data security and lifecycle management. Given the extensive monetary costs associated with procuring, integrating, and managing multiple point solutions, as well as the opportunity costs that come with proprietary hardware and software, organizations may benefit from unitary solutions that offer support for legacy, contemporary, and future operating systems and platforms. Commvault software, hardware, and services can be used to address the primary technological areas of CJIS Security Policy. Customers are assured a mature and proven solution with an extensive record of use in government, law enforcement, and the criminal justice community including the United States Department of Justice and FBI. Because Commvault offers a platform of features on a unified code base, multiple security policy areas can be managed from a single administrative console, reducing acquisition costs and management overhead. Flexible deployment options that are location independent and hardware agnostic allow customers to change and grow as CJIS data and services evolve. The highly scalable architecture of Commvault software ensures the ability to securely and effectively manage large amounts of data throughout its lifecycle no matter where that data may reside.

Learn how to modernize data management with Commvault Software at commvault.com/government.

© 2016 Commvault Systems, Inc. All rights reserved. Commvault, Commvault and logo, the “C hexagon ” logo, Commvault Systems, Solving Forward, SIM, Singular Information Management, Simpana, Simpana OnePass, Commvault Galaxy, Unified Data Management, QiNetix, Quick Recovery, QR, CommNet, GridStor, Vault Tracker, InnerVault, QuickSnap, QSnap, Recovery Director, CommServe, CommCell, IntelliSnap, ROMS, Commvault Edge, and CommValue, are trademarks or registered trademarks of Commvault Systems, Inc. All other third party brands, products, service names, trademarks, or registered service marks are the property of and used to identify the products or services of their respective owners. All specifications are subject to change without notice.
