RealMe Re-Platforming Certification and Accreditation Status Department of Internal Affairs
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
RealMe Re-Platforming
Certification and Accreditation
Status
Department of Internal Affairs
Project Ref: 600101
Version: 6.0
Date: 17th March 2021
Performed by: Anna ThomsonRealMe Re-Platforming C&A Status
Document Control
Author(s) Barry Brailey and Anna Thomson
Version Number 6.0
Document Status Issued
Document File Name DIA RealMe Re-Platforming C&A Status
Issue date 17/03/2021
Classification COMMERCIAL IN CONFIDENCE
Revision Status
Quantum holds the master copy of this document.
Change History
Version Date Author Update Status
1.0 18/11/2020 Barry Brailey Monthly Update Draft
2.0 18/11/2020 Anna Thomson Review Issued
3.0 17/12/2020 Barry Brailey Monthly Update Issued
4.0 19/01/2021 Barry Brailey Monthly Update Issued
5.0 18/02/2021 Anna Thomson Monthly Update Issued
6.0 17/03/2021 Anna Thomson Monthly Update Issued
Distribution List
Quantum
Name Title
Eugene Gibney Managing Director
Barry Brailey Practice Manager
Stephen Penman Principal Security Consultant
Anna Thomson Senior Security Consultant
Department of Internal Affairs
Name Title
David Philp General Manager Partners & Products, Service Delivery & Operations
Russell Burnard General Manager Operations, Service Delivery & Operations
Tim Waldron Manager Business & Market Development
Grant Stark Senior Product Owner
Venkat Maddali Solutions Architect
COMMERCIAL IN CONFIDENCE 2 of 6RealMe Re-Platforming C&A Status
Table of Contents
1 Executive Summary ............................................................................................................... 4
1.1 Introduction ............................................................................................................................................ 4
1.2 Scope ...................................................................................................................................................... 4
2 C&A Deliverable Status.......................................................................................................... 6
COMMERCIAL IN CONFIDENCE 3 of 6RealMe Re-Platforming C&A Status
1 Executive Summary
1.1 Introduction
Quantum Security Services Limited (Quantum) was requested to perform security assurance
activities for the Department of Internal Affairs’ (DIA) RealMe Login and Assertion Service. In
performing these assurance activities, Quantum have worked alongside the project since March
2020. Quantum’s role in this is as an independent auditor for DIA. The services are being audited
against the applicable standards and controls from the Protective Security Requirements and New
Zealand Information Security Manual v3.4 and will align with the All of Government (AoG)
Certification and Accreditation (C&A) process.
There are two components which make up the service being re-platformed. The RealMe Login
Service is used for authenticating users to integrated services, and the RealMe Assertion Service
is required for verifying the identity of users and linking them directly to a RealMe account.
The RealMe platform currently has a mixed operational support model and requires significant
technology upgrades to remain current and maintain appropriate security levels. Therefore, DIA have
evaluated and confirmed Microsoft Azure Business to-Consumer (B2C) as an alternative Platform-as-
a-Service (PaaS) option, as opposed to enhancing the existing RealMe platform.
DIA has requested a broad range of tasks and reports as part of this engagement. An update on
the status of the deliverables is at Section 2 below.
1.2 Scope
The following items are in scope for this Certification and Accreditation of the RealMe Re-Platforming
Project:
• All Microsoft Azure AD B2C environments configured under DIA’s Microsoft Azure tenancy,
including:
o Development: for configuration changes and customer developments and
enhancements;
o Message Testing Suite: for developing integration code to test SAMLv2.0 requests and
response messages;
o System Integration Test: for integrating Azure AD B2C with other RealMe Azure
components;
o User Acceptance Testing: for functional testing performed by DIA;
o Integrated Test Environment: for integrated testing with relying parties’ test
environment(s);
o Pre-Production Environment: for production support activities in an environment
identical to Production; and
o Production: for live state use of the RealMe Login and Assertion service.
• Microsoft Azure AD B2C components, including the Azure Portal used to access:
o RealMe key store: for secure storage of cryptographic keys and certificates; and
o RealMe credential store: for secure storage of user credentials.
• RealMe Azure resources, including:
o RealMe system monitor: to monitor and alert on RealMe components;
o RealMe insights: to provide system and application level user logging;
o RealMe analytics: to provide dashboards on user experience and performance metrics
for RealMe components;
o RealMe health and performance check: to monitor overall system performance in line
with agreed Service Level Agreements (SLAs);
o RealMe storage account: for storage for non-user specific data; and
COMMERCIAL IN CONFIDENCE 4 of 6RealMe Re-Platforming C&A Status
o RealMe key vault: for secure storage of cryptographic keys and certificates including
those of relying parties.
• RealMe Front Door: the web application acceleration platform and global HTTP(s) load
balancer.
• RealMe Helpdesk Federation Hub and Web Application: for DIA and relying parties’ service
desk functionality.
The assurance activities have been focussing on the common supporting elements of DIA’s
environment that support the RealMe Login and Assertion Service. These include but are not limited
to the controls listed below. The full list of controls in scope are highlighted in the Controls Validation
Plan (CVP).
• Due diligence;
• Vendor management;
• Access control;
• Documentation;
• Incident response;
• Logging, alerting and monitoring;
• Backup and restoration processes;
• Change management;
• Patching processes;
• Performance and capacity management; and
• Business continuity and disaster recovery.
Out of scope:
The following items are out of scope as they do not sit within DIA’s direct control and are instead the
responsibility of relying parties:
• Relying Parties’ Service Desk Operations, for resetting passwords and providing user support;
and
• Relying Parties’ Integrated Services, i.e. online services using RealMe.
The following services are out of scope as they will remain unchanged as a result of the RealMe re-
platforming:
• Consent Service, which gives users the right to consent to share their details with integrated
services; and
• Verified Account Services, which enables users to share verified account details (identity and
address) with integrated services.
COMMERCIAL IN CONFIDENCE 5 of 6RealMe Re-Platforming Scoping Document
2 C&A Deliverable Status
The following is an indication of the status of C&A related activities and deliverables:
Deliverable Status Comment / Summary
Complete; delivered 26 March 2020. This was reviewed by key The scoping document outlines the scope of the C&A activities, similar to the scope
Scoping Document
stakeholders and has been finalised. outlined in Section 1 above.
Complete; delivered 17 April 2020. This was reviewed by key The risk assessment identified a total of 11 risks and 41 key controls. The key
Security Risk Assessment
stakeholders and has been finalised. recommendations are in line with expected service management controls.
Complete; delivered 17 April 2020. This was reviewed by key The controls validation plan was compiled based on all 41 controls identified in the
Controls Validation Plan
stakeholders and has been finalised. risk assessment.
Complete; Delivered December 2020. This was updated to reflect Seven controls were assessed as non-compliant, 23 controls were assessed as
Controls Validation Audit
changes in code and configuration review reports and finalised. partially compliant and 11 controls were assessed compliant.
Complete and updated; delivered 16 October 2020. A total of 11 issues Review of findings conducted following remediation work. Seven of the 11 findings
Code Review were identified, no high severity issues were raised and only three have been remediated There are now four low to medium severity issues that have
medium severity issues were identified. not yet been remediated.
Complete and updated; delivered 6 November 2020. A total of seven Review of findings conducted following remediation work. There are now two low
Configuration Review issues were identified, no high severity issues were raised and only one severity issues that have not yet been remediated.
medium severity issues were identified.
Penetration Testing Complete and updated; Retest report (v3.0) delivered 11/02/2021. One low severity and one information finding remain.
Complete; Delivered December 2020. This was updated to reflect Identified a small number of areas that would benefit from further remediation.
Audit Report
changes in code and configuration review reports and finalised.
In progress; Draft report provided 16/03/2021 Quantum obtained system generated evidence and documentation and was able to
Remediation Review
independently verify that a number of findings had been resolved by the project.
In progress; Draft report provided 16/03/2021 Quantum is planned to meet with members of SDO, Security and Risk, and GCDO on
18/03/2021 to present current risk position and draft SSC. Once finalised DIA will
Service Security Certificate begin circulating for sign off.
Quantum and DIA are meeting with Agencies in 23/02/2021 to present SSC and
discuss Agency responsibilities for their own C&A processes.
COMMERCIAL IN CONFIDENCE 6 of 6You can also read
