Going for FedRAMP? Make DNSSEC a quick win.

DNSSEC is a key requirement of the FedRAMP and CMMC authorization process, as any 3PAO will tell you. Here’s how to make compliance quick and easy.

The growing use of FedRAMP as a security compliance certification (in both the public sector and commercial markets) has many companies working to get their cloud-based SaaS platforms up to speed.

Obtaining FedRAMP authorization is an extremely complicated process, primarily because it can involve major changes to internal security procedures.  In many cases, this isn’t just a one-time effort.  Recurring audits mean that security managers will have to prove compliance going forward to keep their FedRAMP authorization.

DNSSEC, FedRAMP, and CMMC

DNS Security is one of those many internal security procedures that tends to sit on the back burner until FedRAMP makes it an immediate necessity.  Everyone knows that it’s a good idea, and it’s a line item for compliance standards like NIST 800-53 and the SANS CIS framework.  But until the Federal government won’t buy your product until DNSSEC is implemented, it can be difficult to create a link to the company’s bottom line.

For many companies, FedRAMP can be that critical requirement for federal agencies that leads to a conversation around securing the domain name system (DNS).  Implementing DNSSEC is a requirement contained in section 4.1 of the FedRAMP Readiness Assessment Report (RAR) – the one used by third party assessment organizations (3PAOs) to create the “to-do” list for FedRAMP authorization.

Deploying FedRAMP-compliant DNSSEC

The relative ease or difficulty of implementing DNSSEC depends greatly on how DNS, DHCP, and IPAM (DDI) are managed on your network.  If you have a decentralized architecture which runs on Microsoft or BIND, implementing DNSSEC means reconfiguring all of your servers one-by-one – an extremely time-consuming, resource intensive, and painful process.  Maintaining those DNSSEC configurations over time in a decentralized environment can be just as annoying – it’s just another thing you have to think about when a new server is added to the network.  (For more details, check out this post about how DNSSEC works.)

On the contrary, centralized management of DDI makes implementation and maintenance of DNSSEC a breeze.  Once you have a back-end management system which can push out configurations automatically throughout the enterprise, DNSSEC is easy to roll out and even easier to change.  In BlueCat, it’s literally a check box.  (Beyond securing DNS as a protocol, we also use DNS data to secure your network, but that’s a separate discussion.)

Beyond mere DNSSEC – the cloud angle

In many cases, pulling the string of DNSSEC can lead to some uncomfortable questions about how DNS is secured across the enterprise.  This is particularly true for the very organizations that are going after FedRAMP authorization – companies which offer cloud products and services.

In order to implement DNSSEC for assets in the cloud, you have to identify where those assets are.  That’s not as easy as it sounds, particularly when cloud and DevOps teams are off creating their own parallel infrastructure assets in parallel with what the network team provides on-prem.  To ensure a consistent (and auditable) approach to DNSSEC, all of those cloud computing resources have to be visible to the network team and allow for a simple way to push out configurations.

This is why it’s important to have a DDI infrastructure which extends into the cloud or interacts seamlessly with cloud-native resources, providing full visibility for the network teams which implement and maintain DNSSEC deployments.  Beyond the ease of compliance with FedRAMP requirements, it makes provisioning of IP addresses and deployment of compute a much faster, more reliable process.

Making FedRAMP authorization easier

Of all the many FedRAMP requirements, DNSSEC should count as low-hanging fruit.  Unfortunately, for many organizations their legacy infrastructure makes compliance with the DNSSEC requirement harder than it really should be.

That’s why BlueCat’s Adaptive DNS approach makes so much sense for companies in the beginning stages of the FedRAMP process.  Aligning all of your DDI resources across on-prem and cloud environments will not only satisfy the immediate need for DNSSEC, but also lay the foundation for greater visibility and control over the increasingly complex networks many network teams struggle with.

How do we know this?  Because we’ve been going through the security assessment, authorization, and continuous monitoring process for FedRAMP ourselves.  We know as well as anyone the importance of tackling the low hanging fruit in this complex and onerous process.

Want to learn more about how BlueCat makes regulatory compliance a snap?  Check out our compliance eBook.


An avatar of the author

BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.

Related content

Article

Network Device Configuration Standardization – Thoughts on Ethan Banks’ post

Ethan Banks has an interesting newsletter called The Hot Aisle. Worth following if you’re not familiar with it, basically the thoughts of a very…

Read more
Article

Gold Standard Configuration for Network Devices

  Network and security teams in large enterprises spend quite a bit of time defining their “Gold Standard Configuration” for network…

Read more
Article

Comparing Check Point’s SmartEvent and SmartReporter vs indeni

Check Point’s SmartEvent and SmartReporter blades have made quite some progress over the last two years. The database used for collecting log data has…

Read more
Article

NERC Compliance Best Practices for Critical Infrastructure Protection (CIP) v5

We have a number of US-based energy grid operators that are leveraging indeni’s capabilities to meet the NERC CIP v5 requirements, that are soon to be…

Read more