RealMe Re-Platforming Certification and Accreditation Status Department of Internal Affairs
Project Ref: 600101
Version: 6.0
Date: 17th March 2021
Performed by: Anna Thomson
RealMe Re-Platforming C&A Status

Document Control

Author(s): Barry Brailey and Anna Thomson
Version Number: 6.0
Document Status: Issued
Document File Name: DIA RealMe Re-Platforming C&A Status
Issue date: 17/03/2021
Classification: COMMERCIAL IN CONFIDENCE

Revision Status
Quantum holds the master copy of this document.

Change History
Version  Date        Author         Update          Status
1.0      18/11/2020  Barry Brailey  Monthly Update  Draft
2.0      18/11/2020  Anna Thomson   Review          Issued
3.0      17/12/2020  Barry Brailey  Monthly Update  Issued
4.0      19/01/2021  Barry Brailey  Monthly Update  Issued
5.0      18/02/2021  Anna Thomson   Monthly Update  Issued
6.0      17/03/2021  Anna Thomson   Monthly Update  Issued

Distribution List

Quantum
Name             Title
Eugene Gibney    Managing Director
Barry Brailey    Practice Manager
Stephen Penman   Principal Security Consultant
Anna Thomson     Senior Security Consultant

Department of Internal Affairs
Name             Title
David Philp      General Manager Partners & Products, Service Delivery & Operations
Russell Burnard  General Manager Operations, Service Delivery & Operations
Tim Waldron      Manager Business & Market Development
Grant Stark      Senior Product Owner
Venkat Maddali   Solutions Architect

COMMERCIAL IN CONFIDENCE 2 of 6
Table of Contents
1 Executive Summary ........................ 4
1.1 Introduction ........................... 4
1.2 Scope .................................. 4
2 C&A Deliverable Status ................... 6
1 Executive Summary

1.1 Introduction

Quantum Security Services Limited (Quantum) was requested to perform security assurance activities for the Department of Internal Affairs' (DIA) RealMe Login and Assertion Service. In performing these assurance activities, Quantum have worked alongside the project since March 2020. Quantum's role in this is as an independent auditor for DIA.

The services are being audited against the applicable standards and controls from the Protective Security Requirements and New Zealand Information Security Manual v3.4 and will align with the All of Government (AoG) Certification and Accreditation (C&A) process.

There are two components which make up the service being re-platformed. The RealMe Login Service is used for authenticating users to integrated services, and the RealMe Assertion Service is required for verifying the identity of users and linking them directly to a RealMe account.

The RealMe platform currently has a mixed operational support model and requires significant technology upgrades to remain current and maintain appropriate security levels. Therefore, DIA have evaluated and confirmed Microsoft Azure Business-to-Consumer (B2C) as an alternative Platform-as-a-Service (PaaS) option, as opposed to enhancing the existing RealMe platform.

DIA has requested a broad range of tasks and reports as part of this engagement. An update on the status of the deliverables is at Section 2 below.
1.2 Scope

The following items are in scope for this Certification and Accreditation of the RealMe Re-Platforming Project:

• All Microsoft Azure AD B2C environments configured under DIA's Microsoft Azure tenancy, including:
  o Development: for configuration changes and customer developments and enhancements;
  o Message Testing Suite: for developing integration code to test SAMLv2.0 requests and response messages;
  o System Integration Test: for integrating Azure AD B2C with other RealMe Azure components;
  o User Acceptance Testing: for functional testing performed by DIA;
  o Integrated Test Environment: for integrated testing with relying parties' test environment(s);
  o Pre-Production Environment: for production support activities in an environment identical to Production; and
  o Production: for live state use of the RealMe Login and Assertion service.
• Microsoft Azure AD B2C components, including the Azure Portal used to access:
  o RealMe key store: for secure storage of cryptographic keys and certificates; and
  o RealMe credential store: for secure storage of user credentials.
• RealMe Azure resources, including:
  o RealMe system monitor: to monitor and alert on RealMe components;
  o RealMe insights: to provide system and application level user logging;
  o RealMe analytics: to provide dashboards on user experience and performance metrics for RealMe components;
  o RealMe health and performance check: to monitor overall system performance in line with agreed Service Level Agreements (SLAs);
  o RealMe storage account: for storage for non-user specific data; and
  o RealMe key vault: for secure storage of cryptographic keys and certificates including those of relying parties.
• RealMe Front Door: the web application acceleration platform and global HTTP(s) load balancer.
• RealMe Helpdesk Federation Hub and Web Application: for DIA and relying parties' service desk functionality.

The assurance activities have been focussing on the common supporting elements of DIA's environment that support the RealMe Login and Assertion Service. These include but are not limited to the controls listed below. The full list of controls in scope are highlighted in the Controls Validation Plan (CVP).

• Due diligence;
• Vendor management;
• Access control;
• Documentation;
• Incident response;
• Logging, alerting and monitoring;
• Backup and restoration processes;
• Change management;
• Patching processes;
• Performance and capacity management; and
• Business continuity and disaster recovery.

Out of scope:

The following items are out of scope as they do not sit within DIA's direct control and are instead the responsibility of relying parties:

• Relying Parties' Service Desk Operations, for resetting passwords and providing user support; and
• Relying Parties' Integrated Services, i.e. online services using RealMe.

The following services are out of scope as they will remain unchanged as a result of the RealMe re-platforming:

• Consent Service, which gives users the right to consent to share their details with integrated services; and
• Verified Account Services, which enables users to share verified account details (identity and address) with integrated services.
2 C&A Deliverable Status

The following is an indication of the status of C&A related activities and deliverables (Deliverable / Status / Comment or Summary):

Scoping Document
  Status: Complete; delivered 26 March 2020. This was reviewed by key stakeholders and has been finalised.
  Comment / Summary: The scoping document outlines the scope of the C&A activities, similar to the scope outlined in Section 1 above.

Security Risk Assessment
  Status: Complete; delivered 17 April 2020. This was reviewed by key stakeholders and has been finalised.
  Comment / Summary: The risk assessment identified a total of 11 risks and 41 key controls. The key recommendations are in line with expected service management controls.

Controls Validation Plan
  Status: Complete; delivered 17 April 2020. This was reviewed by key stakeholders and has been finalised.
  Comment / Summary: The controls validation plan was compiled based on all 41 controls identified in the risk assessment.

Controls Validation Audit
  Status: Complete; delivered December 2020. This was updated to reflect changes in code and configuration review reports and finalised.
  Comment / Summary: Seven controls were assessed as non-compliant, 23 controls were assessed as partially compliant and 11 controls were assessed compliant.

Code Review
  Status: Complete and updated; delivered 16 October 2020. A total of 11 issues were identified, no high severity issues were raised and only three medium severity issues were identified.
  Comment / Summary: Review of findings conducted following remediation work. Seven of the 11 findings have been remediated. There are now four low to medium severity issues that have not yet been remediated.

Configuration Review
  Status: Complete and updated; delivered 6 November 2020. A total of seven issues were identified, no high severity issues were raised and only one medium severity issue was identified.
  Comment / Summary: Review of findings conducted following remediation work. There are now two low severity issues that have not yet been remediated.

Penetration Testing
  Status: Complete and updated; Retest report (v3.0) delivered 11/02/2021.
  Comment / Summary: One low severity and one information finding remain.

Audit Report
  Status: Complete; delivered December 2020. This was updated to reflect changes in code and configuration review reports and finalised.
  Comment / Summary: Identified a small number of areas that would benefit from further remediation.

Remediation Review
  Status: In progress; draft report provided 16/03/2021.
  Comment / Summary: Quantum obtained system generated evidence and documentation and was able to independently verify that a number of findings had been resolved by the project.

Service Security Certificate
  Status: In progress; draft report provided 16/03/2021.
  Comment / Summary: Quantum is planned to meet with members of SDO, Security and Risk, and GCDO on 18/03/2021 to present the current risk position and draft SSC. Once finalised, DIA will begin circulating it for sign off. Quantum and DIA are meeting with Agencies on 23/02/2021 to present the SSC and discuss Agency responsibilities for their own C&A processes.