How KernelCare Works to Keep You FedRAMP Compliant

Keeping servers safe and keeping them secure and compliant, becomes a full-time job, one that can’t be left to chance, one that must be fully automated and fully supported. To do that, you need a live patching tool that integrates with automation tools and vulnerability scanners, one that is supported with the latest patches, and one that lets you decide what patches are rolled out across your organization and one that runs inside the firewall. A live patching solution not only makes software updates easier, but it also keeps you compliant with two sections of FedRAMP requirements including flaw remediation (SI-2) and malicious code protection (SI-3) of Security and Privacy Controls for Information Systems and Organizations.

Contents:

1. Cyber-Threats Cost the Enterprise Millions per Breach
2. Why FedRAMP is Important
3. How KernelCare Confers a Compliant Environment 
4. Conclusion

Cyber-Threats Cost the Enterprise Millions per Breach

State-sponsored attacks are nothing new, but studies show that cyber-criminals have ramped up their efforts in recent years. Cyber-defenses tend to be reactive to the latest attack landscape, but this approach costs companies millions in containment, remediation, customer reparations, lawsuits, and brand damage. For government entities, the information can be used in state-sponsored espionage and could even threaten the lives of government workers.

According to a recent Accenture report, attackers don’t just aim to steal data, but destroy it as well. Destroying data through malware such as ransomware could potentially have a bigger impact on reliability, productivity, and data integrity. The survey found that attacks have increased by 72% in the last 5 years and the cost for a breach increased from $11.7 million to $13 million. Ponemon’s Cost of a Data Breach research shows that it takes an average of 280 days to identify and contain a breach — meaning that attackers have access to data for almost a year before the organization responds and remediates the compromise.

Accenture also reports that automation contributed to an average $2.09 million cost savings. For large organizations including CSPs, automation is a necessity especially for security patching. It reduces the window of opportunity for an attacker and proactively remediaties vulnerabilities.

Why FedRAMP is Important

Whether you’re a cloud provider or represent a government IT, FedRAMP certification is essential.  As a cloud provider, you need FedRAMP to host government services. As a government representative, you’re not only required to find a FedRAMP-approved provider, but you also have the peace of mind that sensitive data is hosted on infrastructure with a high-level of cybersecurity standards and procedures.

For a Cloud Service Provider (CSP), FedRAMP certification requires rigorous cybersecurity controls that meet regulatory standards. The process requires assessment and review and lasts several weeks. Once authorized, the CSP can do business with any federal agency including the Department of Justice or the Department of Defense. FedRAMP can also be used to assure other customers that the CSP’s infrastructure meets stringent compliance standards. Once a CSP is FedRAMP certified, they are added to a central government database where they can be selected as a cloud service provider.

US federal agencies like the Department of Defense (DoD) have specific requirements to work with them that CSPs should review. Many FedRAMP security controls cover DoD requirements, but their Cloud Security Requirements Guide must be followed to stay compliant with their standards. The Cybersecurity Maturity Model Certification (CMMC) is another DoD-specific program where FedRAMP certification helps. The CMMC uses NIST SP 800-171 as a standard and FedRAMP uses NIST SP 800-53, but many of the security requirements in these two NIST standards overlap giving a CSP an advantage should they decide to move forward with additional DoD requirements.

FedRAMP was established to guide providers in creating sufficient cybersecurity, but also to help excel the adoption of the cloud. Government agencies are one of the few industries where legacy systems still run much of their productivity, so the cloud gives federal administrators a way to leverage newer technology and migrate older infrastructure to more efficient and cost-effective environments. Although adoption accelerated in the last few years, FedRAMP ensures that sensitive data is safeguarded from attackers and administrators have access to hardened security controls.

How KernelCare Confers a Compliant Environment

Effective security will directly support compliance, particularly when compliance intends to foster better security. In days gone by, Unix and Linux servers were viewed to be impervious to such attacks. However, that is simply not the case today. There are as many vulnerabilities reported for Unix and Linux systems as there are for Windows systems. As many countries are moving away from Microsoft and adopting custom Linux distributions as their national operating systems, the need for protection against Linux vulnerabilities rises. 

KernelCare’s automated way of patching Linux kernels, shared libraries and databases helps cloud providers with FedRAMP and other compliance standards such as SOC 2, ISO 27001, HIPAA, PCI-DSS, and Sarbanes-Oxley. KernelCare Enterprise runs in your local infrastructure via ePortal – a dedicated patch server that runs internally, but outside of your firewall. It acts as a bridge between internal patch servers and the main KernelCare patch server. This approach is ideal for staging and production environments that need strict isolation from external networks, or which requires stricter control over the patches to be applied.

To run KernelCare Enterprise, a small agent is installed on a server. This agent installs patches directly from our repository. In an ePortal environment, your server communicates with the KernelCare ePortal server that acts as an intermediary. It’s beneficial for servers in strict isolation from external networks, or when you need more control over patching procedures. For large environments with hundreds of servers, the KernelCare agent can be deployed using automation tools such as Ansible, Puppet, Chef and others.

Full documentation to install and manage KernelCare ePortal can be found here, but here is a brief overview of the installation process:

1. Prior to installation, start with a minimal image of Enterprise Linux 7 and a stable version of nginx. 

2. Use the following KernelCare.ePortal repo:

$ cat > /etc/yum.repos.d/kcare-eportal.repo <<EOL

[kcare-eportal]

name=KernelCare ePortal

baseurl=https://repo.eportal.kernelcare.com/x86_64.el7/

enabled=1

gpgkey=https://repo.cloudlinux.com/kernelcare/RPM-GPG-KEY-KernelCare

gpgcheck=1

EOL 

3. Install KernelCare.ePortal using the following command:

    $ yum install kcare-eportal

4. Set up your proxy on the ePortal machine. Add the following line to the /usr/share/kcare-eportal/config/local.py  file:

    PROXY = ‘https://example.com’

If the file does not exist, you can create it using the following command:

echo “PROXY = ‘https://example.com'” > /usr/share/kcare-eportal/config/local.py

chown nginx:nginx /usr/share/kcare-eportal/config/local.py

5. Restart the ePortal server.

6. Add a user. You can also use LDAP to manage user access to ePortal.

To automate KernelCare Enterprise deployment, you can use any of the popular automation tools (e.g. Ansible, Puppet, Chef, etc). The following steps automate deployment:

1. Distribute the KernelCare agent package (only necessary on servers with no Internet access).
2. Distribute the KernelCare agent configuration file/etc/sysconfig/kcare/kcare.conf.
3. Set environment variables.
4. Install the KernelCare agent from either local or remote download servers.
5. Register KernelCare.

To activate KernelCare Enterprise ePortal, contact us at [email protected].  Our  team will provide you with the script and automatically set up the installation and deployment processes.

Conclusion

Using KernelCare Enterprise ePortal, an enterprise cloud provider can maintain compliance with FedRAMP and several other regulatory standards. The agent and portal work within an enterprise environment and can be set up so that you have more control over patches. Remember that KernelCare’s live patching also keeps you on point for SLAs because it’s a rebootless service that ensures your servers are patched for the latest vulnerabilities.