Miyakawa
12345
2017/10/12new

NISTIR 8176: Security Assurance Requirements for Linux Application Container Deployments

Tweet ThisSend to Facebook | by miyakawa
Application containers are now slowly finding adoption in production environments due to agile deployment process, efficient resource utilization and availability of automation tools. At the same time, to ensure secure deployment, security guidelines and countermeasures have been proposed (Application Container Security Guide, NIST Special Publication 800-190) to cover various components of a container environment such as: Hardware, Host Operating System (OS), Container Runtime, Image, Registry and Orchestrator.

To carry out these recommendations in the form of countermeasures, one or more security solutions are needed with defined metrics in the form of security assurance requirements. Linux (and its various distributions) being open-source and being the predominant host OS in the deployed container platforms, has sufficient reservoir of information to analyze the security impact of its various configuration options. The focus of this document is to derive the security assurance requirements for various security solutions for application containers hosted on Linux. The target audience includes system security architects and administrators who are responsible for the actual design and deployment of security solutions in enterprise infrastructures hosting containerized hosts.

23:00 | 投票する | 投票数(0) | コメント(0) | SP 800
2017/10/05

RFC 8264: PRECIS Framework: Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols

Tweet ThisSend to Facebook | by miyakawa
Application protocols using Unicode code points in protocol strings need to properly handle such strings in order to enforce internationalization rules for strings placed in various protocol slots (such as addresses and identifiers) and to perform valid comparison operations (e.g., for purposes of authentication or authorization). This document defines a framework enabling application protocols to perform the preparation, enforcement, and comparison of internationalized strings ("PRECIS") in a way that depends on the properties of Unicode code points and thus is more agile with respect to versions of Unicode. As a result, this framework provides a more sustainable approach to the handling of internationalized strings than the previous framework, known as Stringprep (RFC 3454). This document obsoletes RFC 7564.

23:00 | 投票する | 投票数(0) | コメント(0) | RFC
2017/10/02

Draft SP 1800-12: Derived Personal Identity Verification (PIV) Credentials

Tweet ThisSend to Facebook | by miyakawa
The Federal Government utilizes PIV cards to securely authenticate and identify employees and contractors when granting access to federal facilities and information systems. PIV cards require the use of a smart card reader that is typically integrated in desktop and laptop computers. Increasingly, users are performing their work on mobile devices, such as cell phones and tablets, which lack smart card readers needed to authenticate users. External readers are available, but they are an additional cost and cumbersome to use. As a result, the mandate to use PIV systems has pushed for new means to extend into mobile devices to enforce the same security policies as on desktop and laptop computers.

The NCCoE identified an architecture that use common mobile device families to demonstrate the use of Derived PIV Credentials in a manner that meets security policies. This example implementation is documented as a NIST Cybersecurity Practice Guide, a how-to handbook that presents instructions to implement a DPC system using standards-based cybersecurity technology. This practice guide helps organizations to meet authentication standards and provide users access to the information they need using the devices the want without having to purchase expensive and cumbersome external smart card readers. Users of mobile devices are authenticated using secure cryptographic authentication exchanges using a public key infrastructure (PKI) with credentials derived from a PIV card ensuring that strict security policies are met.

Although the PIV program and the NCCoE Derived PIV Credentials project are primarily aimed at the federal sector’s needs, both are relevant to mobile device users in the commercial sector using smart card-based credentials or other means of authenticating identity.

23:15 | 投票する | 投票数(0) | コメント(0) | SP 800
2017/09/28

Discussion Draft SP 800-37 Rev. 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy

Tweet ThisSend to Facebook | by miyakawa
This publication provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. The RMF includes a disciplined, structured, and flexible process for organizational asset valuation; security and privacy control selection, implementation, and assessment; system and control authorizations; and continuous monitoring. It also includes enterprise-level activities to help better prepare organizations to execute the RMF at the system level. The RMF promotes the concept of near real-time risk management and ongoing system authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make cost-effective, risk management decisions about the systems supporting their missions and business functions; and integrates security and privacy controls into the system development life cycle. Applying the RMF tasks enterprise-wide helps to link essential risk management processes at the system level to risk management processes at the organization level. In addition, it establishes responsibility and accountability for the security and privacy controls deployed within organizational systems and inherited by those systems. The RMF incorporates concepts from the Framework for Improving Critical Infrastructure Cybersecurity that complement the currently established risk management processes mandated by the Office of Management and Budget and the Federal Information Security Modernization Act.

23:00 | 投票する | 投票数(0) | コメント(0) | SP 800
2017/09/25

SP 800-190: Application Container Security Guide

Tweet ThisSend to Facebook | by miyakawa
Application container technologies, better known as containers, are a form of operating system virtualization combined with application software packaging. SP 800-190 explains the security concerns associated with container technologies and makes practical recommendations for addressing those concerns when planning for, implementing, and maintaining containers.

23:00 | 投票する | 投票数(0) | コメント(0) | SP 800
2017/09/21

RFC 8248: Security Automation and Continuous Monitoring (SACM) Requirements

Tweet ThisSend to Facebook | by miyakawa
This document defines the scope and set of requirements for the Security Automation and Continuous Monitoring (SACM) architecture, data model, and transfer protocols. The requirements and scope are based on the agreed-upon use cases described in RFC 7632.

23:30 | 投票する | 投票数(0) | コメント(0) | RFC
12345