Level 2

Description:

Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. [SP 800-77], [SP 800-95], and [SP 800-3] provide guidance on secure communications sessions.


Priority: High


Domain: SYSTEM AND COMMUNICATIONS PROTECTION (SC)


Category: Network Security


Services Associated with AWS:

  • AWS Shield
  • Amazon GuardDuty
  • AWS Certificate Manager
  • AWS Key Management Service (KMS)
  • Amazon API Gateway

Services Associated with Azure: 

  • Azure Active Directory (Azure AD)
  • Azure Key Vault
  • Azure Traffic Manager
  • Azure Web Application Firewall (WAF)
  • Azure Application Gateway

Objective Evidence:  

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screen shot of configuration settings
  • Technical: screen shot of cryptography in use


Possible Technology Considerations:

  • Secure Baseline Configurations (SBC)
  • Cryptographic Solution (data in transit)


What needs to be answered?

Are implemented controls in place to protect session communications (e.g., the controls implemented to validate identities and information transmitted to protect against man-in-the-middle attacks, session hijacking, and insertion of false information into sessions)? Does the system provide mechanisms to protect the authenticity of device-to-device communications sessions?

Checks for AWS 

  • Session Authenticity Protection Check
    Description: This check ensures that the authenticity of communications sessions is protected. It verifies that measures are in place to prevent man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. It also ensures that there is confidence in the ongoing identities of other parties and the validity of the information transmitted.
  • Secure Communication Session Check
    Description: This check ensures that secure communications sessions are established and maintained. It verifies that protocols and mechanisms for secure communication are in place, including TLS/SSL encryption, secure key exchange, and other methods for ensuring the security and integrity of data in transit.

Checks for Azure

  • Session Authenticity Protection Check:
    Description: This Azure Policy check ensures that communication sessions within Azure resources are monitored and encrypted to prevent man-in-the-middle attacks. It verifies that appropriate measures are in place to protect the authenticity of communications sessions, preventing unauthorized entities from intercepting or tampering with the data being transmitted. This check helps ensure that identities of communicating parties are validated, and the information transmitted remains valid and secure.
  • Secure Communication Session Check:
    Description: This Azure Policy check verifies that secure communication sessions are established and maintained for Azure resources. It ensures that protocols like TLS/SSL encryption are used to secure data in transit between Azure services and other endpoints. Additionally, the check ensures that secure key exchange mechanisms are in place, and other methods for maintaining the security and integrity of data during transit are employed. By enforcing this policy, the system aims to protect against session hijacking and ensure the confidentiality and integrity of sensitive data during communication.
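The AWS and Azure checks above reduce to the same questions for each endpoint: is the session carried over TLS, is a server certificate attached so the peer's identity can be validated, is the minimum protocol version acceptable, and do device-to-device endpoints authenticate both sides? The following Python is an added example, not code from this page, AWS, or Azure. It audits a constructed listener inventory (hypothetical names and ports; the certificate ARN is a placeholder) against those questions, and builds a client-side `ssl.SSLContext` that enforces the same floor on outbound sessions. The TLS 1.2 floor is an assumption of the example; a real audit would populate the inventory from the provider's API rather than the inline sample.

```python
import ssl

# Constructed sample inventory resembling a load balancer / API gateway
# listener listing. Names, ports and the certificate ARN are hypothetical.
LISTENERS = [
    {"name": "public-web", "protocol": "HTTPS", "port": 443,
     "min_tls_version": (1, 2),
     "certificate": "arn:aws:acm:us-east-1:000000000000:certificate/PLACEHOLDER",
     "device_to_device": False, "mutual_tls": False},
    {"name": "legacy-admin", "protocol": "HTTP", "port": 80,
     "min_tls_version": None, "certificate": None,
     "device_to_device": False, "mutual_tls": False},
    {"name": "sensor-ingest", "protocol": "HTTPS", "port": 8443,
     "min_tls_version": (1, 0),
     "certificate": "arn:aws:acm:us-east-1:000000000000:certificate/PLACEHOLDER",
     "device_to_device": True, "mutual_tls": False},
]

REQUIRED_MIN_TLS = (1, 2)          # policy floor assumed for this example
TLS_PROTOCOLS = {"HTTPS", "TLS"}   # listener protocols that carry a TLS session


def audit_listener(listener):
    """Return the list of session-authenticity findings for one listener."""
    issues = []
    if listener["protocol"] not in TLS_PROTOCOLS:
        # Plaintext: no peer identity and no integrity, so nothing else to check.
        issues.append("plaintext protocol: peer identity and data integrity unprotected")
        return issues
    if not listener["certificate"]:
        issues.append("no server certificate attached: clients cannot validate identity")
    if listener["min_tls_version"] is None or listener["min_tls_version"] < REQUIRED_MIN_TLS:
        issues.append("minimum TLS version below 1.2")
    if listener["device_to_device"] and not listener["mutual_tls"]:
        issues.append("device-to-device endpoint does not authenticate the client (no mTLS)")
    return issues


def audit_inventory(listeners):
    """Map each listener name to its findings; an empty list means compliant."""
    return {entry["name"]: audit_listener(entry) for entry in listeners}


def client_context():
    """Hardened outbound context: certificate and hostname verification on and
    a TLS 1.2 floor, so this end of the session also refuses downgrades and
    unauthenticated peers."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx):
    """True when the context enforces the same floor the audit checks for."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


if __name__ == "__main__":
    for name, findings in audit_inventory(LISTENERS).items():
        print(("PASS " if not findings else "FAIL ") + name)
        for finding in findings:
            print("    - " + finding)
    print("client context hardened:", context_is_hardened(client_context()))
```

Running the block prints one PASS/FAIL line per listener with the reasons for each failure, which is the kind of output that can be attached as the "cryptography in use" technical evidence listed above once the inventory is fed from real resources.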

More Details:

Communication sessions are monitored and encrypted to prevent man-in-the-middle attacks.