1346 - Create Application Configuration Vault for AOC Applications

 
Request Status Summary
Request Status In Progress
JISC Priority 7
Request Detail
Requestor Name:
   Gibson, Scott
Origination Date:
   08/29/2022
    
Recommended Endorser:
   AOC (endorses for other communities)
Request Type: New System
Which Systems are affected? Juvenile and Corrections System (JCS)
Other
Other affected Systems / Business Processes JIS-Link
Business Area: Security
Communities Impacted: AOC
Impact if not Resolved: High
Impact Description:

There are several risks associated with implementing a common application configuration key vault beyond normal project risks. These include:

· Potential exposure of configuration data, including database access credentials, as configuration values transit from the WA Courts Azure tenant to the AOC datacenter. This will be mitigated by ensuring that all communication between the Azure tenant and the AOC datacenter takes place over encrypted, authenticated channels (Azure Key Vault is reachable only over TLS). The risk will be reduced further once dedicated communication channels between the Azure tenant and the AOC datacenter are established.

· Potential misconfiguration of applications across environments, or as staff move between legacy .NET Framework configuration management and the new vault-based configuration management. This will be mitigated by establishing clear patterns for configuration stores and ensuring that only trained and authorized staff can change configuration data.

What is the Business Problem or Opportunity

In the .NET Framework model, application configuration (including database connection strings and service access credentials) is stored in a “web.config” file. Sensitive sections of that file are encrypted on the IIS host (protected configuration), so they are unreadable at rest yet transparently decrypted for the application itself. .NET Core moves away from this construct: configuration is either stored locally in unencrypted files such as appsettings.json or retrieved at run time from a secure configuration key vault. Because configuration data not only drives many sensitive operations within an application but also frequently contains credentials for other systems, it is imperative for AOC to establish a secure configuration key vault for its .NET Core web applications and services.

The Architecture & Strategy team, in partnership with the Cyber Security Team, researched multiple alternatives for such a solution, including Microsoft Azure Key Vault (the base recommendation from Microsoft), two different forms of HashiCorp's key vault system, and a key vault solution offered by Delinea. All but one of these (HashiCorp's on-premises offering) are cloud-hosted solutions.

While HashiCorp's on-premises offering is nearly as capable as Azure Key Vault, its requirement to run on Linux servers and its more complex implementation path, combined with a much higher price, made it the wrong fit for AOC compared to the Azure-based option. This project is therefore meant to expand the existing AOC Azure tenant to include an Azure Key Vault presence and to establish the policies, training and protocols needed to run that system reliably and safely for all AOC .NET Core web applications and services.

Expected Benefit:

This project will be considered successful if the following objectives are achieved:

· Encrypted storage and transmission of application configuration data is available in all environments for applications built on .NET Core.

· Auditing of both changes to application configuration values and access to those values exists.

· Least privilege access controls and processes to application configuration data are established and followed.

Any Additional Information:

See attached vision and scope.

Endorsement Detail
Endorsing Committee
   AOC (endorses for other communities)
Endorser Name:
   Ammons, Kevin on behalf of the AOC Endorsing Group
Origination Date:
   08/30/2022
Endorsing Action: Endorsed
Endorser’s Explanation and Comments

Please provide more information in the text boxes on this request.

AOC Analysis Detail
Analysis Date: 11/16/2022
Request Rationale
Aligns with JIS Business Priorities, IT Strategies & Plans: Yes
Aligns with applicable policies and with ISD Standards: Yes
Breadth of Solution Benefit: Wide
Cost Estimates
Cost Benefit Analysis Complete? No
Cost to Implement? $52,500
Positive Return on Investment? No
Feasibility Study needed? No
Court Level User Group
Non-JIS
Approving Authority CIO
Request Summary:

This is a request for the creation of an application configuration vault system for internally developed systems and compatible commercial off the shelf software systems.

Business Impacts:

This change affects only IT management of application configuration information and has no impact on business use of those applications.

Summary of Proposed Solution

The Administrative Office of the Courts (AOC) would establish protocols, usage patterns, governance, and implementation of an application configuration vault utilizing Microsoft Azure Key Vault.

Proposed Solution

AOC proposes to implement a program for using Microsoft Azure Key Vault to secure and manage application configuration information, following Microsoft's recommendations (as described in "Azure Key Vault configuration provider in ASP.NET Core"). To achieve this, a basic governing structure for the AOC Azure tenant will be defined. Per recommendations from Microsoft's Washington State Azure advisory team, each system domain will maintain its own Azure Key Vault instance, which keeps security and policy management efficient and makes cost accounting per domain straightforward.
Each instance will forward its audit logs to a central monitoring instance managed by the security team, so that security-relevant events in the configuration systems (secret reads, value changes, access-policy changes) are monitored in one place. The security team may create actionable alerts within that monitoring instance to support this goal.
To increase the probability of achieving the project's goals, the security team, together with support engineers and software engineers, will complete training that gives them the knowledge base to sustain the program. The training will be based on recommendations from Microsoft's advisory team.
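As an added example, not part of this request or of AOC's code, the following Program.cs shows what the Microsoft-recommended approach referenced above looks like in an ASP.NET Core service, and how it replaces the encrypted web.config model described under the Business Problem. The vault name "aoc-jcs-kv", the "{Environment}--Section--Key" secret naming convention, and the environment variables named in the comments are assumptions for illustration; the NuGet packages, the AddAzureKeyVault overload, KeyVaultSecretManager and DefaultAzureCredential are the real Azure SDK types.

```csharp
// Program.cs for an ASP.NET Core service whose secrets live in Azure Key Vault.
// NuGet: Azure.Extensions.AspNetCore.Configuration.Secrets, Azure.Identity
// Assumed vault: aoc-jcs-kv. Assumed secret: "Production--ConnectionStrings--JCS";
// the provider maps "--" to ":" so the value surfaces as ConnectionStrings:JCS.
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var builder = WebApplication.CreateBuilder(args);

// The vault URI is not secret; it can live in appsettings.{Environment}.json.
var vaultUri = new Uri(builder.Configuration["KeyVault:Uri"]
    ?? "https://aoc-jcs-kv.vault.azure.net/");   // assumed vault name

// Only hosted environments read from Key Vault. Development keeps using
// user-secrets/appsettings, so a developer workstation never needs vault access.
if (!builder.Environment.IsDevelopment())
{
    // DefaultAzureCredential resolves to a managed identity on Azure hosts and,
    // on AOC datacenter hosts, to a service principal supplied through the
    // AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_CERTIFICATE_PATH
    // environment variables. No credential is stored with the application.
    var credential = new DefaultAzureCredential();

    builder.Configuration.AddAzureKeyVault(vaultUri, credential,
        new AzureKeyVaultConfigurationOptions
        {
            // Load only this environment's secrets and strip the prefix, so the
            // same configuration keys work unchanged in Test, Staging and Production.
            Manager = new EnvironmentSecretManager(builder.Environment.EnvironmentName),
            // Rotated secrets are picked up without a restart.
            ReloadInterval = TimeSpan.FromMinutes(15)
        });
}

// Fail at startup, not on the first request, if a required secret is missing.
var jcsConnectionString = builder.Configuration.GetConnectionString("JCS")
    ?? throw new InvalidOperationException(
        "ConnectionStrings:JCS not found; check the vault's secret names and the app identity's role assignment.");

var app = builder.Build();
app.MapGet("/health", () => Results.Ok("configured"));
app.Run();

/// <summary>
/// Maps vault secrets named "{Environment}--Section--Key" onto configuration keys
/// "Section:Key" and ignores secrets that belong to other environments.
/// </summary>
sealed class EnvironmentSecretManager : KeyVaultSecretManager
{
    private readonly string _prefix;

    public EnvironmentSecretManager(string environmentName) =>
        _prefix = environmentName + "--";

    // Called once per secret when the provider lists the vault. Returning false
    // skips the secret, so another environment's value is never even fetched.
    public override bool Load(SecretProperties properties) =>
        properties.Name.StartsWith(_prefix, StringComparison.OrdinalIgnoreCase);

    // Called for secrets that passed Load: drop the prefix, turn "--" into ":".
    public override string GetKey(KeyVaultSecret secret) =>
        secret.Name[_prefix.Length..].Replace("--", ConfigurationPath.KeyDelimiter);
}
```

Two design points match the objectives listed under Expected Benefit. The application identity needs only the permissions the provider actually uses (list and get on secrets, i.e. the Key Vault Secrets User role), never set or delete, which is the least-privilege control the request calls for; and because every read goes through Key Vault's own audit log, the central monitoring instance sees each secret access without any application-side logging.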

Additional Systems Affected
Juvenile and Corrections System (JCS)
Other
Communities Impacted
AOC
Confirmation of Endorsing Action Detail
Endorsing Committee
   AOC (endorses for other communities)
Endorser Name:
   Kevin Ammons on behalf of the AOC Endorsing Group
Origination Date:
   11/16/2022
Endorsing Action: Endorsed
Court Level User Group Decision Detail
CLUG Non-JIS
Chair of Group Kevin Ammons on behalf of the Non-JIS CLUG
Date of Decision 11/16/2022
Decision
Decision to Recommend for Approval Unanimously recommended to the approving authority
Priority Processing Status Prioritized
Scoring Detail
In making their decision, detailed score values were not provided by Non-JIS.
Implementation Detail  – Superseded
Analysis Date:
Implementation Stage Authorized
Prioritization Option: Prioritized
Comments:

Authorized by Vonnie Diseth.

Implementation Detail  – Superseded
Analysis Date:
Implementation Stage In Progress
Prioritization Option: Prioritized
Implementation Detail  – Superseded
Analysis Date:
Implementation Stage Authorized
Prioritization Option: Prioritized
Implementation Detail
Analysis Date:
Implementation Stage In Progress
Prioritization Option: Prioritized
 


© Copyright 2024. Washington State Administrative Office of the Courts.