RealMe Re-Platforming Certification and Accreditation Status Department of Internal Affairs

Page created by Nicholas Yates
 
CONTINUE READING
RealMe Re-Platforming Certification and Accreditation Status Department of Internal Affairs
RealMe Re-Platforming

Certification and Accreditation
                     Status

Department of Internal Affairs

Project Ref:    600101
Version:        6.0
Date:           17th March 2021
Performed by:   Anna Thomson
RealMe Re-Platforming C&A Status

Document Control
 Author(s)                           Barry Brailey and Anna Thomson
 Version Number                      6.0
 Document Status                     Issued
 Document File Name                  DIA RealMe Re-Platforming C&A Status
 Issue date                          17/03/2021
 Classification                      COMMERCIAL IN CONFIDENCE

Revision Status
Quantum holds the master copy of this document.

Change History
 Version              Date                 Author             Update               Status
 1.0                  18/11/2020           Barry Brailey      Monthly Update       Draft
 2.0                  18/11/2020           Anna Thomson       Review               Issued
 3.0                  17/12/2020           Barry Brailey      Monthly Update       Issued
 4.0                  19/01/2021           Barry Brailey      Monthly Update       Issued
 5.0                  18/02/2021           Anna Thomson       Monthly Update       Issued
 6.0                  17/03/2021           Anna Thomson       Monthly Update       Issued

Distribution List
Quantum
 Name                        Title
 Eugene Gibney               Managing Director
 Barry Brailey               Practice Manager
 Stephen Penman              Principal Security Consultant
 Anna Thomson                Senior Security Consultant

Department of Internal Affairs
 Name                        Title

 David Philp                 General Manager Partners & Products, Service Delivery & Operations
 Russell Burnard             General Manager Operations, Service Delivery & Operations
 Tim Waldron                 Manager Business & Market Development
 Grant Stark                 Senior Product Owner
 Venkat Maddali              Solutions Architect

                                     COMMERCIAL IN CONFIDENCE                                     2 of 6
RealMe Re-Platforming C&A Status

Table of Contents
1     Executive Summary ............................................................................................................... 4
    1.1     Introduction ............................................................................................................................................ 4
    1.2     Scope ...................................................................................................................................................... 4
2     C&A Deliverable Status.......................................................................................................... 6

                                                          COMMERCIAL IN CONFIDENCE                                                                              3 of 6
RealMe Re-Platforming C&A Status

1 Executive Summary
1.1 Introduction
Quantum Security Services Limited (Quantum) was requested to perform security assurance
activities for the Department of Internal Affairs’ (DIA) RealMe Login and Assertion Service. In
performing these assurance activities, Quantum have worked alongside the project since March
2020. Quantum’s role in this is as an independent auditor for DIA. The services are being audited
against the applicable standards and controls from the Protective Security Requirements and New
Zealand Information Security Manual v3.4 and will align with the All of Government (AoG)
Certification and Accreditation (C&A) process.
There are two components which make up the service being re-platformed. The RealMe Login
Service is used for authenticating users to integrated services, and the RealMe Assertion Service
is required for verifying the identity of users and linking them directly to a RealMe account.
The RealMe platform currently has a mixed operational support model and requires significant
technology upgrades to remain current and maintain appropriate security levels. Therefore, DIA have
evaluated and confirmed Microsoft Azure Business to-Consumer (B2C) as an alternative Platform-as-
a-Service (PaaS) option, as opposed to enhancing the existing RealMe platform.
DIA has requested a broad range of tasks and reports as part of this engagement. An update on
the status of the deliverables is at Section 2 below.

1.2 Scope
The following items are in scope for this Certification and Accreditation of the RealMe Re-Platforming
Project:
    •   All Microsoft Azure AD B2C environments configured under DIA’s Microsoft Azure tenancy,
        including:
            o Development: for configuration changes and customer developments and
                enhancements;
            o Message Testing Suite: for developing integration code to test SAMLv2.0 requests and
                response messages;
            o System Integration Test: for integrating Azure AD B2C with other RealMe Azure
                components;
            o User Acceptance Testing: for functional testing performed by DIA;
            o Integrated Test Environment: for integrated testing with relying parties’ test
                environment(s);
            o Pre-Production Environment: for production support activities in an environment
                identical to Production; and
            o Production: for live state use of the RealMe Login and Assertion service.
    •   Microsoft Azure AD B2C components, including the Azure Portal used to access:
            o RealMe key store: for secure storage of cryptographic keys and certificates; and
            o RealMe credential store: for secure storage of user credentials.
    •   RealMe Azure resources, including:
            o RealMe system monitor: to monitor and alert on RealMe components;
            o RealMe insights: to provide system and application level user logging;
            o RealMe analytics: to provide dashboards on user experience and performance metrics
                for RealMe components;
            o RealMe health and performance check: to monitor overall system performance in line
                with agreed Service Level Agreements (SLAs);
            o RealMe storage account: for storage for non-user specific data; and

                                    COMMERCIAL IN CONFIDENCE                                    4 of 6
RealMe Re-Platforming C&A Status

            o   RealMe key vault: for secure storage of cryptographic keys and certificates including
                those of relying parties.
    •   RealMe Front Door: the web application acceleration platform and global HTTP(s) load
        balancer.
    •   RealMe Helpdesk Federation Hub and Web Application: for DIA and relying parties’ service
        desk functionality.
The assurance activities have been focussing on the common supporting elements of DIA’s
environment that support the RealMe Login and Assertion Service. These include but are not limited
to the controls listed below. The full list of controls in scope are highlighted in the Controls Validation
Plan (CVP).
    • Due diligence;
    • Vendor management;
    • Access control;
    • Documentation;
    • Incident response;
    • Logging, alerting and monitoring;
    • Backup and restoration processes;
    • Change management;
    • Patching processes;
    • Performance and capacity management; and
    • Business continuity and disaster recovery.
Out of scope:
The following items are out of scope as they do not sit within DIA’s direct control and are instead the
responsibility of relying parties:
    •   Relying Parties’ Service Desk Operations, for resetting passwords and providing user support;
        and
    •   Relying Parties’ Integrated Services, i.e. online services using RealMe.
The following services are out of scope as they will remain unchanged as a result of the RealMe re-
platforming:
    •   Consent Service, which gives users the right to consent to share their details with integrated
        services; and
    •   Verified Account Services, which enables users to share verified account details (identity and
        address) with integrated services.

                                      COMMERCIAL IN CONFIDENCE                                      5 of 6
RealMe Re-Platforming Scoping Document

2 C&A Deliverable Status
The following is an indication of the status of C&A related activities and deliverables:

         Deliverable                                             Status                                                                    Comment / Summary
                                Complete; delivered 26 March 2020. This was reviewed by key                The scoping document outlines the scope of the C&A activities, similar to the scope
     Scoping Document
                                stakeholders and has been finalised.                                       outlined in Section 1 above.
                                Complete; delivered 17 April 2020. This was reviewed by key                The risk assessment identified a total of 11 risks and 41 key controls. The key
  Security Risk Assessment
                                stakeholders and has been finalised.                                       recommendations are in line with expected service management controls.
                                Complete; delivered 17 April 2020. This was reviewed by key                The controls validation plan was compiled based on all 41 controls identified in the
   Controls Validation Plan
                                stakeholders and has been finalised.                                       risk assessment.
                                Complete; Delivered December 2020. This was updated to reflect             Seven controls were assessed as non-compliant, 23 controls were assessed as
  Controls Validation Audit
                                changes in code and configuration review reports and finalised.            partially compliant and 11 controls were assessed compliant.
                                Complete and updated; delivered 16 October 2020. A total of 11 issues      Review of findings conducted following remediation work. Seven of the 11 findings
        Code Review             were identified, no high severity issues were raised and only three        have been remediated There are now four low to medium severity issues that have
                                medium severity issues were identified.                                    not yet been remediated.
                                Complete and updated; delivered 6 November 2020. A total of seven          Review of findings conducted following remediation work. There are now two low
    Configuration Review        issues were identified, no high severity issues were raised and only one   severity issues that have not yet been remediated.
                                medium severity issues were identified.
     Penetration Testing        Complete and updated; Retest report (v3.0) delivered 11/02/2021.           One low severity and one information finding remain.
                                Complete; Delivered December 2020. This was updated to reflect             Identified a small number of areas that would benefit from further remediation.
        Audit Report
                                changes in code and configuration review reports and finalised.
                                In progress; Draft report provided 16/03/2021                              Quantum obtained system generated evidence and documentation and was able to
    Remediation Review
                                                                                                           independently verify that a number of findings had been resolved by the project.
                                In progress; Draft report provided 16/03/2021                              Quantum is planned to meet with members of SDO, Security and Risk, and GCDO on
                                                                                                           18/03/2021 to present current risk position and draft SSC. Once finalised DIA will
 Service Security Certificate                                                                              begin circulating for sign off.
                                                                                                           Quantum and DIA are meeting with Agencies in 23/02/2021 to present SSC and
                                                                                                           discuss Agency responsibilities for their own C&A processes.

                                                                                COMMERCIAL IN CONFIDENCE                                                                                     6 of 6
You can also read