The National Institute of Standards and Technology (NIST) is a non-regulatory government agency of the United States Department of Commerce whose mission is to promote US innovation and industrial competitiveness. NIST aims to achieve this goal by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. NIST runs several laboratories, including the Information Technology Laboratory (ITL), which aspires to cultivate trust in information technology (IT) and maximize benefits of IT through fundamental research, applied IT research and development, and standards development. In this article, I focus on the third aspect, i.e. IT standards development, wherein NIST develops and maintains an extensive collection of standards, guidelines, recommendations, and research on the security and privacy of information and information systems.
Liferay is a modern, industry-leading Digital Experience Platform, portal and content management system that is widely used across many industries, including a number of federal, state and local government agencies. Some of the most security-conscious US government entities use Liferay, including the US Department of Defense, US Department of Homeland Security, US Navy, US Air Force, US Department of Veterans Affairs and many others, as do institutions that span government and industry or government and education/research. These deployments carry varying security and compliance requirements, and many of those originate from NIST. In this article, I focus on the intersection of Liferay with some of the more common NIST standards that our Liferay customers must comply with.
Common NIST Compliance Standards
NIST develops and maintains several publication series. One is the Federal Information Processing Standards (FIPS), issued under the Federal Information Security Management Act (FISMA). Not all FIPS are mandatory, but those that are apply not just to federal agencies but also to state agencies and to private-sector companies with government contracts. NIST also publishes Special Publications (SP), which consist of guidelines, technical specifications, recommendations and reference materials. The SP series includes several sub-series, one of which is SP 800, developed under NIST's statutory responsibilities under FISMA; some SP 800 documents are recommended while others are required for federal agencies. Entities outside the U.S. federal government adopt SP 800-series publications voluntarily, unless a contract or regulation obligates them to do so.
Some of the more common NIST standards that organizations (government and non-government) need to comply with are FIPS 140-2, NIST SP 800-53 and NIST SP 800-171.
FIPS 140-2
FIPS 140-2 specifies security requirements for cryptographic modules, and FISMA requires U.S. government agencies to use FIPS 140-2 validated cryptographic modules wherever cryptography protects sensitive data. U.S. government contractors and third parties working for federal agencies are held to the same requirement. The standard has also made its way into industries that have nothing to do with the U.S. government but need to demonstrate their commitment to securing sensitive data, including financial services, healthcare, insurance and many other verticals. Note that FIPS 140-3 has superseded FIPS 140-2: NIST stopped accepting new FIPS 140-2 validations in September 2021, and existing 140-2 certificates move to the historical list in September 2026, so new deployments should prefer 140-3 validated modules where they are available.
NIST SP 800-53
NIST SP 800-53 is a special publication that provides a catalog of security and privacy controls for federal information systems and organizations as well as other non-governmental entities that may wish to or need to manage information security and privacy risk. This SP also provides a framework for selecting controls from the catalog to protect organizational operations, organizational assets, individuals, and other organizations from a diverse set of threats—hostile cyber-attacks, human errors (both intentional and unintentional) and more. Some of the key activities under SP 800-53 require creating policies, establishing oversight, ensuring communication, defining controls, creating time frames, selecting audit/assessor teams, and storing documentation.
NIST SP 800-171
NIST SP 800-171 is geared towards protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations. It gives federal agencies a set of recommended security requirements, typically imposed through contract clauses, for protecting the confidentiality of CUI that resides in nonfederal systems and organizations. CUI is information that, while not classified, is still sensitive enough to require safeguarding. One perspective on SP 800-171 is that it is a lighter version of SP 800-53: Revision 2 of 800-171 calls out 14 security requirement families (Revision 3, published in 2024, adds Planning, System and Services Acquisition, and Supply Chain Risk Management):
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
SP 800-53 (Revision 5) covers every family in 800-171 (800-171's Security Assessment family appears in 800-53 as Assessment, Authorization and Monitoring) and expands the set to a total of 20 control families. The six additions are:
- Contingency Planning
- Planning
- Program Management
- Personally Identifiable Information Processing and Transparency
- System and Services Acquisition
- Supply Chain Risk Management
Making Liferay Comply With Common NIST Standards
As discussed in the section above, FIPS 140-2, NIST SP 800-171 and NIST SP 800-53 are common standards outlining cybersecurity requirements for government agencies, contractors and subcontractors. However, it is overwhelming for most IT executives and practitioners to determine what it takes to comply with these standards and publications, especially for Liferay implementations in the cloud. And this is where XTIVIA can help.
Liferay Compliance with FIPS 140-2 on AWS
Some aspects that we need to take care of in setting up Liferay on AWS to be FIPS 140-2 compliant include:
- Use the FIPS endpoints that AWS publishes for its services (for example s3-fips.<region>.amazonaws.com), both from operational tooling and from the AWS SDK that Liferay itself uses for its S3 document store
- Encrypt Liferay data at rest with AES-256 in both S3 and the Liferay database, and make sure a FIPS 140-2 validated module performs that encryption (for example SSE-KMS on the bucket and RDS storage encryption backed by a KMS key); AES-256 by itself does not satisfy FIPS 140-2, the module doing the encryption must be validated
- Configure Tomcat so that TLS is handled by a validated module: either run the JVM with a FIPS-validated JCE/JSSE provider, or use the APR/native connector against a FIPS-capable OpenSSL with FIPSMode="on" set on Tomcat's AprLifecycleListener, and restrict connectors to TLS 1.2 or later with approved cipher suites
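As an added example (not code from the original article, from XTIVIA or from Liferay), the following Terraform fragment implements the AWS side of the points above: the provider is pinned to FIPS endpoints, and both the S3 document-library bucket and the RDS database are encrypted at rest with a customer-managed KMS key. The region, bucket name, instance identifier, engine and sizes are placeholders, and the network placement of the database is omitted.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

# Every API call the provider makes goes to the service's FIPS endpoint
# (e.g. s3-fips.<region>.amazonaws.com). The region is a placeholder.
provider "aws" {
  region            = "us-east-1"
  use_fips_endpoint = true
}

# Customer-managed key. AWS KMS performs the AES-256 operations inside
# FIPS 140-2 validated HSMs, which is what makes the encryption "validated"
# rather than merely "AES-256".
resource "aws_kms_key" "liferay" {
  description             = "Liferay data at rest"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

# Document library bucket (placeholder name). Default SSE-KMS means objects
# written by Liferay's S3 store are encrypted even if the client never asks.
resource "aws_s3_bucket" "doclib" {
  bucket = "example-liferay-doclib"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "doclib" {
  bucket = aws_s3_bucket.doclib.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.liferay.arn
    }
    bucket_key_enabled = true
  }
}

resource "aws_s3_bucket_public_access_block" "doclib" {
  bucket                  = aws_s3_bucket.doclib.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Refuse plaintext HTTP to the bucket, so data in transit also stays inside TLS.
resource "aws_s3_bucket_policy" "doclib_tls_only" {
  bucket = aws_s3_bucket.doclib.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyInsecureTransport"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = [aws_s3_bucket.doclib.arn, "${aws_s3_bucket.doclib.arn}/*"]
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
}

# Liferay database. storage_encrypted + kms_key_id gives AES-256 at rest on the
# volume, automated backups, snapshots and any read replicas.
resource "aws_db_instance" "liferay" {
  identifier                  = "liferay-db"
  engine                      = "postgres"
  instance_class              = "db.t3.medium"
  allocated_storage           = 100
  db_name                     = "lportal"
  username                    = "liferay"
  manage_master_user_password = true # password lives in Secrets Manager, never in code
  storage_encrypted           = true
  kms_key_id                  = aws_kms_key.liferay.arn
  backup_retention_period     = 7
  deletion_protection         = true
  skip_final_snapshot         = false
  final_snapshot_identifier   = "liferay-db-final"
}
```

Two things this fragment cannot do for you: `use_fips_endpoint` only affects the calls Terraform makes, so Liferay's own AWS SDK calls (the S3 document store, any Secrets Manager lookups) need the equivalent setting on the SDK side, for example the `AWS_USE_FIPS_ENDPOINT=true` environment variable; and the JVM that runs Liferay still has to perform its own TLS with a validated provider, which is a Tomcat/JVM configuration, not an AWS one.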
Liferay Compliance with NIST SP 800-171 on AWS
Some of our best practices and recommendations that we take care of in setting up Liferay on AWS to be NIST SP 800-171 compliant include:
- AWS multi-account strategy to separate test and production environments
- Leverage Infrastructure-as-Code (IaC) automation to ensure that we know exactly what system resources are provisioned
- All infrastructure code is committed and managed just like application code allowing full tracking and change management
- Implement multi-layer security of AWS components. For example: The database is only exposed to traffic from the preceding AppServer layer. And the AppServer layer is only exposed to traffic from the load balancer.
- Leverage AWS KMS and Secrets Manager to secure credentials
- Deny all traffic, permit by exception. For example, block all outbound connectivity to the internet from the VMs.
- Require multi-factor authentication (MFA) for every AWS sign-in, the root user first of all
- Principle of least privilege (for example, Liferay process does not run as root)
- Separation of duties (admin vs normal user accounts)
- Audit execution of privileged functions using AWS CloudTrail
- Leverage Amazon GuardDuty for continuous threat detection
- Leverage Amazon Macie to discover sensitive data (PII, credentials and similar) that has ended up in S3 buckets
- Ensure that you have an active Liferay DXP subscription to receive Liferay security bulletins and implement related security patches/workarounds.
- Set up Liferay and/or LDAP password policy to ensure password complexity, account lockout and other requirements
- Set up Liferay data backup and retention policies
- Set up monitoring and alerting
- Create appropriate documentation
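The layered network and deny-by-default items in the list above (the database reachable only from the app tier, the app tier only from the load balancer, no outbound path to the internet), as an added Terraform example that is not code from the original article, from XTIVIA or from Liferay. It assumes an existing VPC, an internet-facing ALB placed in the `alb` group, and a security group already attached to the VPC interface endpoints for S3, KMS and Secrets Manager; both IDs are passed in as variables. Port numbers are the Tomcat and PostgreSQL defaults.

```hcl
variable "vpc_id" { type = string }
variable "vpc_endpoints_sg_id" { type = string } # group on the interface endpoints (assumed to exist)

# Three groups with no inline rules. Terraform revokes AWS's implicit allow-all
# egress when it creates a group, so each tier can only talk where a rule below allows it.
resource "aws_security_group" "alb" {
  name   = "liferay-alb"
  vpc_id = var.vpc_id
}
resource "aws_security_group" "app" {
  name   = "liferay-app"
  vpc_id = var.vpc_id
}
resource "aws_security_group" "db" {
  name   = "liferay-db"
  vpc_id = var.vpc_id
}

# Edge tier: HTTPS in from the internet, out only to Tomcat on the app tier.
resource "aws_security_group_rule" "alb_in_https" {
  type              = "ingress"
  security_group_id = aws_security_group.alb.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}
resource "aws_security_group_rule" "alb_out_app" {
  type                     = "egress"
  security_group_id        = aws_security_group.alb.id
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.app.id # destination for egress rules
}

# App tier: accepts traffic only from the ALB; talks only to the database and to
# the VPC endpoints (document library in S3, KMS, Secrets Manager). No internet egress.
resource "aws_security_group_rule" "app_in_alb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.app.id
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
}
resource "aws_security_group_rule" "app_out_db" {
  type                     = "egress"
  security_group_id        = aws_security_group.app.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.db.id
}
resource "aws_security_group_rule" "app_out_endpoints" {
  type                     = "egress"
  security_group_id        = aws_security_group.app.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = var.vpc_endpoints_sg_id
}

# Data tier: PostgreSQL in from the app tier only, and no egress rules at all.
resource "aws_security_group_rule" "db_in_app" {
  type                     = "ingress"
  security_group_id        = aws_security_group.db.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.app.id
}
```

The rules are declared as separate `aws_security_group_rule` resources rather than inline `ingress`/`egress` blocks because the ALB and app groups reference each other, which would be a dependency cycle if written inline. Because the app tier has no route to 0.0.0.0/0, patching and package installs have to come through a repository mirror or a patching service reachable via endpoints; that is the price of "deny all, permit by exception", and it is the point.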
This is not a comprehensive list, but it gives you a good idea of what is involved in ensuring NIST SP 800-171 compliance when operating Liferay DXP on AWS. And to be clear, there are multiple steps involved in achieving compliance: you typically start with a self-assessment, put together a System Security Plan (SSP), implement the controls, and then go through an assessment. However, compliance does not end with passing an assessment. Organizations need to retain information system audit records to prove ongoing monitoring, analysis, investigation and reporting of unlawful, unauthorized, suspicious or unusual activity in their information systems.
In Closing: Liferay Compliance with NIST Standards
If you are overwhelmed by the NIST security standards and guidelines, and what that means for your Liferay DXP implementation, rest assured that you are not alone. This article exposes you to some of the best practices that you must follow when setting up Liferay DXP on AWS cloud to be compliant with two common NIST publications. Whether this is your use case, or you are looking to run Liferay on Azure and need help complying with the NIST standards, reach out to us and see how XTIVIA can help.