How API Security Can Help You Prepare For FedRAMP

What is FedRAMP?

FedRAMP came into existence in 2012 after the federal Office of Management and Budget (OMB) recognized the need for cloud security as government agencies began to adopt cloud services. It is a government-wide program providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Cloud service providers and other cloud vendors, such as Software-as-a-Service (SaaS) companies, must adhere to FedRAMP standards in order to work with federal government clients. Prior to FedRAMP, each federal agency managed its own security assessment based on guidance set by the Federal Information Security Management Act of 2002 (FISMA).

How do Companies Get Authorized for FedRAMP?

Getting authorized for FedRAMP is a process that requires some commitment. It’s telling that in the 10 years since the FedRAMP Project Management Office (PMO) went into operation, just 279 products and services have been authorized. These include big names like Oracle and Salesforce.com. It is an attainable goal, however, for companies that are up for making the effort.

To get authorized, a cloud product has to pass a security assessment performed by a Third Party Assessment Organization, or FedRAMP 3PAO. This setup will be familiar to companies seeking certification with PCI-DSS payment card security standards. A 3PAO, which itself must be accredited by FedRAMP, is an independent firm that specializes in the rigorous process of assessing cloud products for security.

In particular, the 3PAO examines the cloud product’s security characteristics and determines if they are in alignment with controls defined by the National Institute of Standards and Technology (NIST) Special Publication number 800-53. This is a common practice for companies that work with the U.S. federal government or are subject to government regulation. Many of the technology and security requirements in FedRAMP are derived from standards developed by NIST.

APIs and FedRAMP Authorization

APIs are relevant to FedRAMP authorization because APIs represent a source of risk to cloud products. A cloud product needs to show that its API security aligns with relevant controls in NIST 800-53. There are over 300 controls in the framework, grouped into “families” or control groups that apply to the “Moderate” level of FedRAMP authorization. For example, under the Access Control (AC) family, NIST 800-53 specifies 25 separate controls. These include AC-17, which deals with remote access, AC-12, which covers session termination, and so forth.

For the sake of simplicity, API security fits with nine of the 18 control families in NIST 800-53. Each of these nine families has controls that are affected by the presence and operation of APIs. For example, under Security Assessment and Authorization, known as “CA” in the framework, the CA-1 control requires policies and procedures. These include details like “Develop, document, and disseminate to [someone in a role] procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls.”

CA-1 must be applied to APIs because APIs must be subject to security policies if they are to be secure. The 3PAO will be examining a cloud product’s APIs to see if they are covered by necessary procedures to facilitate the implementation of monitoring policies.

The following are the FedRAMP NIST control families that align with API security. In each case, the Noname API security solution provides functionality that bolsters the cloud product’s potential for FedRAMP authorization:

AC (Access Control) —The security of a cloud product depends on controlling access to front-end functions and back-end administrative features. If malicious actors can access the product’s APIs, they can disrupt its operations and gain improper access to sensitive data. It is therefore essential to inspect API configurations for authentication controls. Noname posture management and runtime protection can monitor API access and detect and report on access- and authorization-related issues.

AU (Audit and Accountability) —The AU family of controls covers things like session audits. Noname posture management and runtime protection can monitor API sessions, devices, users, and data. These include sessions in the customer-to-FedRAMP-boundary, within the boundary itself, and outbound boundary connections.

CA (Security Assessment and Authorization) —CA deals with continuous monitoring, penetration testing, and internal system connections, all of which are relevant to APIs. Noname active testing offers “black box” testing of APIs, which enables penetrating testing. Noname posture management and runtime protection cover the continuous monitoring and internal system connection aspects of the CA control family.

CM (Configuration Management) —API configuration issues are at the heart of API security risks. Noname posture management and runtime protection enable mitigation of configuration risks by detecting risky configurations, misconfigurations, and configurations that have “drifted” outside of what was authorized.

IR (Incident Response) —A cloud product must demonstrate that it has sufficient incident response capabilities to handle an attack. Noname posture management and runtime protection support this capability by providing incident details related to known and unknown APIs and data, threats, and attackers as part of an incident response workflow. The platform is also able to orchestrate incident response workflows with other security tools to ensure rapid MTTR (Mean-Time-To-Respond).

RA (Risk Assessment) —The FedRAMP authorization process requires cloud products to assess risks and report on the states of their remediation. Noname posture management and runtime protection can do just this: assessing and reporting on risky API and infrastructure configurations, vulnerabilities, threats, and data flows. Active testing addresses pre-production vulnerability scanning for detecting a wide range of API vulnerabilities.

SA (Systems and Services) —API functionality and configurations can be opaque to system owners. If admins don’t understand how their APIs are set up, this can create risk exposure. Noname posture management (discovery) function addresses such risks by identifying and providing documentation around API calls and resulting data flows in the architecture.

SC (System Communications Protection)—FedRAMP wants cloud products to defend their system communications. Noname posture management addresses this need by handling runtime protection along with active testing that deals with out-of-band use cases involving management systems’ APIs. This includes discovery, documentation, monitoring, and threat response for APIs and related data.

SI (System and Information Integrity) —The NIST 800-53 controls in the SI family have to do with securing the systems that power the cloud product itself, e.g., error handling, non-persistence, and so forth. Noname posture management, runtime protection, and active testing can assist with system integrity through runtime and pre-production API application, traffic, and data inspection and reporting.

These are some of the ways that API security is a factor in FedRAMP authorization. 3PAOs take API security into consideration when assessing the security characteristics of a cloud product applying for the FedRAMP program. API security solutions from Noname Security enable the controls and processes that help you address the API security issues in the FedRAMP authorization process.