AT&T, Inc.

Challenge

When AT&T was tasked with providing cloud and network services to the Department of the Treasury and the General Services Administration (GSA), the company was faced with multiple challenges. As part of those services, it was required to accurately assess general support systems containing more than 50 discrete technology types deployed across multiple data centers, Enterprise Management Centers (EMCs), Security Operation Centers (SOCs), and nation-wide office locations within very limited time constraints.

Treasury Network (TNet): The Department of the Treasury, in transitioning to the GSA Networx contract, asked AT&T to design and build the TNet, a secure Multiprotocol Label Switching (MPLS) network spanning more than 1,000 locations and offering Infrastructure as a Service (IaaS) to Treasury Bureaus. TNet supports more than 100,000 users in the Department of the Treasury and its twelve respective bureaus.

GSA Cloud IT Services: AT&T is also one of twelve authorized service providers for GSA’s Cloud IT services contract, and its cloud infrastructure service offering supports GSA’s Cloud IT Services contract vehicle which is open to all federal agencies.

With AT&T’s network and cloud services to Treasury and the GSA requiring storage, virtualization, hosting, virtual routing & firewall management, and web application as well as additionally layered security services including firewall, proxy, intrusion detection/prevention, and spam and malicious code protection mechanisms, the company needed a strong teaming partner with the experience, skills, and human capital to support the two contracts.

Solution

AT&T selected Veris Group to provide that essential support. Veris Group leveraged its team of subject matter experts to provide an in-depth analysis of the transport, operational, and security components within TNet and the Cloud Computing Infrastructure through customized testing, analysis, and continuous monitoring at the network, system, application, and database levels within the systems.

By working with key stakeholders to define the boundary scope of the systems, Veris Group rapidly created tailored technology test cases in accordance with NIST SP 800-53a. The team was able to isolate technologies to test the 50+ independent technology types and enterprise controls within projected timelines. Additionally, Veris Group performed a variety of in-depth vulnerability scans of the Cloud Computing infrastructure to include network, application, and database vulnerability scan and analysis, as well as independent Security Control Assessments (SCAs) and penetration tests to assist AT&T with continuous monitoring activities in accordance with the NIST SP 800-37, Revision 1 framework. Veris Group also performed penetration testing of the StaaS and CaaS customer interface, web portal, application programming interface (API), database environment, authentication mechanisms, and the underlying business logic used within the cloud infrastructure.

Once testing was complete, Veris Group was instrumental in conducting issue resolution of identified findings with AT&T while working closely with the Treasury Program Management Office (PMO) and GSA Cloud PMO. During this period, Veris Group assisted AT&T security and operations personnel in completing the Security Assessment Report (SAR), finalize the accreditation package, and ensure the Plan of Action and Milestones (POA&M) accurately identified open findings and assigned the appropriate risk levels. Throughout the process, Veris Group ensured that the government system owners and stakeholders were briefed on all findings and provided validation that all findings and corrective actions met government requirements.

Results

The comprehensive SCA, penetration test, SAR, and Risk Assessment (RA) completed by Veris Group provided AT&T and the Department of the Treasury with a clear understanding of the overall security posture of TNet and the inherent security risks to the program. Mitigation of these findings has resulted in a significant improvement in the security controls that are in place to ensure that the agency’s production backbone will provide an adequate level of security, automation, and next-generation technology that will transform the way the Department of the Treasury communicates. In addition, Veris Group continues to provide continuous monitoring guidance and support, including extracting all security related metrics, testing, frequency and best practices needed to meet the intent of the Risk Management Framework (RMF).

The successful completion of the SCA, penetration test, SAR, and RA for AT&T’s CaaS and StaaS cloud infrastructure environments has enabled AT&T to clearly understand the risks and required safeguards to be implemented to secure the Cloud computing environment. Veris Group was instrumental in working with GSA Cloud security stakeholders to identify realistic threat sources and vulnerabilities unique to cloud infrastructure environments and to tailor RMF and traditional C&A processes to address the unique challenges of securing the Cloud.