White Paper: EMC Security Design Principles for Multi-Tenant As-a-Service Environments
This white paper proposes that virtualized as-a-service environments can be made as secure as physical ones. The paper describes security challenges inherent in multi-tenant as-a-service environments. Design considerations of tenants and service providers, and how design is affected by information security or compliance requirements, are discussed.

White Paper

EMC SECURITY DESIGN PRINCIPLES FOR MULTI-TENANT AS-A-SERVICE ENVIRONMENTS
• Information security in multi-tenant cloud environments
• Regulatory compliance in cloud environments
• Considerations for migrating to the cloud

EMC Solutions Group

Abstract

This white paper proposes that virtualized as-a-service environments can be made as secure as, if not more secure than, physical environments. The paper describes security challenges inherent in multi-tenant as-a-service environments. Design considerations of tenants and service providers, and how design factors are affected by information security or compliance requirements, are discussed.

August 2012

Copyright © 2012 EMC Corporation. All Rights Reserved.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

The information in this publication is provided “as is.” EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

VMware and VMware vCenter are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other trademarks used herein are the property of their respective owners.

Part Number: H10814

Table of contents

Executive summary
  Business case
  Solution overview
  Key results/recommendations
Introduction
  Purpose
  Scope
  Audience
Information security versus compliance
  Introduction to information security versus compliance
    Compliance
    Information security
  Information security design principles
Information security in a virtualized environment
  Virtual versus physical environments
  Scale is the challenge
Compliance and risk in a virtualized environment
  Compliance
  Risk management
Moving to the cloud
  Information security goals
  Control in a cloud-based solution
  Multi-tenant access
  Information security in the cloud
  Private versus public cloud-based environments
Visibility and control in the cloud
  Visibility and control in the cloud
  Secure Content Automation Protocol (SCAP)
  Customer-specific visibility
  EMC SCAP-based solution
Conclusion
  Summary
  Findings
References
  White papers
  Other documentation
Executive summary

Business case

Every organization is dealing with the challenges and risks inherent in moving their workloads from legacy IT environments to private cloud, and ultimately to public cloud multi-tenant as-a-service environments. Information security is a significant challenge when moving to the cloud. Tenants and service providers need to understand and address the security implications of virtualization and multi-tenancy to ensure that their solutions comply with all relevant standards.

Solution overview

This white paper discusses the security challenges inherent in multi-tenant as-a-service environments, and focuses on the design considerations for both tenants and service providers:
• The tenant is concerned with the compliance of the as-a-service environment.
• The service provider is concerned with providing appropriate information security capabilities and the corresponding configuration, processes, and procedures.

EMC categorizes the design factors that a service provider must address as follows:
• Secure separation
• Service assurance
• Service provider in control
• Tenant in control
• Security and compliance
• Data protection

Each design factor is affected directly or indirectly by information security or compliance requirements. Considerations include:
• The impact on separation and assurance of a virtualized environment.
• How the service provider and tenant can maintain control of the environment, yet not violate governance requirements.

This white paper provides an overview of the security challenges, while focusing on what information security and governance mean in these contexts.

Key results/recommendations

From an information security and compliance perspective, this white paper proposes that virtualized as-a-service environments can be as secure as, or more secure than, non-virtualized physical environments. The information security controls required to meet the governance requirements of a physical environment map directly to the requirements of a virtualized environment. In addition, virtual environments can provide additional security capabilities and features not possible or practical in a physical environment.
Introduction

Purpose

The purpose of this white paper is to discuss design considerations that take into account the information security and compliance challenges inherent in multi-tenant service provider environments.

Scope

The scope of this white paper is to provide an overview of the information security and compliance design considerations that must be investigated during an organization’s workload migration from legacy IT to public cloud environments. The white paper does not include detailed configuration recommendations.

Audience

This white paper targets technical architects who are responsible for developing and implementing their organization’s workload migration. The reader is assumed to have proficient knowledge of information security, governance, and cloud terminology.
Information security versus compliance

Introduction to information security versus compliance

One of the first challenges faced by a security professional, during a conversation about information security with a non-security professional, is to clarify the subject of the conversation. Often, security conversations are about compliance or cover only one aspect of information security. Due to the frequent misunderstandings about information security and compliance, it is important to clarify the differences between the two.

Compliance

Compliance is typically defined as “…conforming to a rule, such as a specification, policy, standard, or law. Regulatory compliance describes the goal that corporations or public agencies aspire to in their efforts to ensure that personnel are aware of and take steps to comply with relevant laws and regulations.” [1] The Payment Card Industry Data Security Standard (PCI DSS) is an example of a regulatory specification.

Information security

Information security is defined as “…a means of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction... This is frequently summarized as protecting the confidentiality, integrity, and availability of information.” [2]

Information security design principles

This white paper focuses on the information security design principles that must be considered in multi-tenant as-a-service environments so that they can be configured to be compliant with specific regulatory requirements. We provide you with an overview of the security capabilities and controls that you must have in your environment.

[1] Wikipedia, Regulatory compliance, as of August 8, 2012 page update
[2] Wikipedia, Information security, as of August 15, 2012 page update
Information security in a virtualized environment

Virtual versus physical environments

The question of whether or not virtualized environments can be made as secure as physical environments has been going on for years.

Historically speaking, IBM successfully passed an independent security review and accreditation of its mainframe LPARs implementation in the 1980s. VMware® started submitting its virtualization products for independent accreditation a decade or two later. Despite this long history of accredited virtualized environments, there is still a significant level of distrust and misunderstanding about information security capabilities and controls in these environments. This lack of confidence is indicated by the very high level of interest in the topic. A quick web search on “virtualized environment security” returns over nine million hits and an abundance of articles.

Scale is the challenge

The challenge of securing virtualized environments is not a new problem. What is different in today’s as-a-service and cloud-based environments is the scale of the environments that are being secured and reviewed for regulatory compliance. This challenge is the one that demands new solutions to the information security issues of confidentiality, integrity, and assurance.

Therefore, the question is not whether virtualized environments can be as secure as physical environments. The real question is how to apply the lessons learned from securing physical environments to the much larger scale environments that underlie public, private, and hybrid cloud offerings.
Compliance and risk in a virtualized environment

Compliance

How does an auditor validate compliance in a virtualized environment? This is a question that we hear repeatedly when talking with organizations considering migrating to cloud-based environments.

The controls that an auditor validates in a physical environment also apply to a virtual environment. Having the correct controls in place is as critical in a virtual environment as it is in a physical environment. The common set of controls most industry and government regulations focus on includes, but is not limited to:
• Anti-virus and anti-malware
• Authentication
• Authorization
• Change control
• Identity management
• Intrusion detection
• Security incident and event monitoring (SIEM)
• Network controls and forensics
• Monitoring and management (GRC)

However, in a virtual environment, there are likely to be additional software components to which these controls must be applied. At a minimum, there will be some type of hypervisor providing abstraction of the CPU and memory of the systems. There is likely to be some network virtualization in addition to physical network devices. There is almost certainly network and storage virtualization present in the current legacy IT environment.

Several regulatory bodies have issued virtualization-specific recommendations. For example, PCI’s Virtualization Special Interest Group (SIG) created the information supplement PCI DSS Virtualization Guidelines. This document not only discusses the risks of virtualized environments but also provides recommendations on the impact of virtualization on compliance with PCI DSS. Note, however, that this document was released only in 2011, although virtualization has been in use for decades.

Risk management

Information security is all about managing risks in the environment. The Certified Information Systems Auditor (CISA) Review Manual 2006 provides the following definition of risk management:

"Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization."

While determining and managing risk is critical to any organization’s migration to private, public, and hybrid cloud environments, any decision on when and where to move workloads to the cloud is beyond the scope of this white paper. Your organization must consider, in detail, the risks inherent in moving data into the cloud.
Moving to the cloud

Information security goals

There is no substantive difference between the information security and compliance requirements for cloud and non-cloud environments. There are, of course, some additional components in a cloud environment, but these are minor. The information security goals are the same for cloud and non-cloud environments and for virtualized and non-virtualized environments. It is critical that organizations keep in mind that they must apply the same processes to cloud-based solutions as to other solutions. It is the “how” of information security that has changed, not the “what”.

Control in a cloud-based solution

Cloud computing removes many of the traditional, physical boundaries that help define and protect an organization’s data assets. Physical servers are replaced by virtual ones. Perimeters are established not just by firewalls, but also by the transit of virtual machines. Risk factors become more complex as the cloud introduces ever-expanding, transient chains of custody for sensitive enterprise data and applications.

As organizations migrate their IT workloads to the cloud, they effectively relinquish some control over their information infrastructure and processes, even while they are required to bear greater responsibility for data confidentiality and compliance. This shift has wide-ranging implications for a broad set of corporate stakeholders, especially leaders who are responsible for information security. This is particularly true in a public cloud environment.

Meanwhile, the trend is for regulatory oversight and compliance requirements to become stricter and more demanding. Therefore, it is critical that any cloud-based solution considered by your organization includes information security and regulatory compliance requirements from its initial conception.

Multi-tenant access

Building an environment that provides multi-tenant access is critical for any public cloud service provider offering. Multi-tenancy, in this context, means that the service provider can provide a tenant with an environment in which it appears, from the tenant’s perspective, that all resources are dedicated to that tenant. In addition, the infrastructure must ensure that no tenant can influence the behavior of another tenant’s environment in any way. This is one of the biggest differences between private and public cloud environments. However, you must consider that in any virtualized environment, there is a significant degree of multi-tenancy implied. Depending on the type of environment, multi-tenancy may be significant.

Information security in the cloud

As organizations begin to migrate to the cloud, there is still confusion about how best to handle information security in the cloud. In a report commissioned by RSA, As Hyper-extended Enterprises Grow, So Do Security Risks, two-thirds of the respondents who are running applications or business processes in the cloud admitted that they had not developed a security strategy for cloud computing. A majority of respondents were not sure how prospective cloud-computing vendors would safeguard data or how corporate security teams would meet compliance requirements for moving data into the cloud.

Private versus public cloud-based environments

The main differences between private and public cloud-based environments are:
• Automation of provisioning
• Operation
• Self-service
• Large-scale virtualization

This ability to scale out virtualized environments, either in a private or public cloud environment, is what makes cloud different. Information security controls must be integrated into these scaled-out architectures. Otherwise, it is impossible to report, with any accuracy, the security position of such an environment. Areas that a service provider must address include:
• Authentication
• Configuration and service pack management
• Data loss prevention and forensics
• Dashboard (eGRC)
• Identity and access management
• Multi-tenancy
• Network monitoring and analysis
• Security information and event logging
• Security management (dashboard)

You must place particular emphasis on security management and the eGRC dashboard, which is used to report on the environment.

Similarly, tenants of cloud-based solutions must apply their normal information security and risk-management policies and procedures to any cloud-based deployment. At a minimum, they must:
• Define policies
• Evaluate cloud providers
• Require transparency and visibility into the cloud
• Maintain segregation of administrative privileges
• Manage provisioning policies (virtual machine, storage, and network)
• Encrypt and tokenize sensitive data
• Adopt federated identity management and strong authentication
Visibility and control in the cloud

Visibility and control in the cloud

In the cloud, “visibility plus control equals trust”.

The most important step that a service provider must take towards building a trusted cloud-based as-a-service solution is to provide visibility and control into its information security and compliance processes and procedures. The message customers and potential customers convey to as-a-service providers is that visibility generates trust, and without trust the service provider will not get their business. Similarly, the service provider must implement information security controls in its virtualized multi-tenant infrastructure to meet customer requirements.

In order for the service provider to gain a customer’s trust, the service provider must provide details on the how and what of its information security and compliance strategies. This does not mean that the service provider needs to publish copies of its audit monitoring procedures on its website. What it does mean is that the service provider must make available, in as close to real time as possible, the ability for a customer to view the service provider’s entire compliance configuration through a single management GUI (also known as a “single pane of glass”). If that is not possible, then service providers must share information in other ways.

Secure Content Automation Protocol (SCAP)

The most promising solution to enable visibility into a multi-tenant as-a-service environment is a relatively new protocol called Secure Content Automation Protocol (SCAP) that was developed by the National Institute of Standards and Technology (NIST).

“SCAP is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (for example, Federal Information Security Management Act (FISMA) compliance)... It combines several open standards that are used to enumerate software flaws and configuration issues related to security.” [3]

Information security practitioners are enthusiastic about open standards. SCAP uses Common Vulnerabilities and Exposures (CVE) and Open Vulnerability and Assessment Language (OVAL), for example. Today, SCAP-compliant software is already available, for example VMware vCenter® Configuration Management (vCM). For more information on SCAP capabilities, see the National Vulnerability Database.

Customer-specific visibility

One challenge that SCAP does not address is how to provide customer-specific visibility into as-a-service environments. How does a service provider do the correlation (also known as a “mashup”) of all the data collected in these types of environments? Specifically, how will a specific log entry be associated with the tenants that it affects? And how will a tenant receive only the security-related information for the network switches that are used for that tenant’s data? These are important issues and concerns.

EMC SCAP-based solution

The good news is that several of the challenges in providing visibility into as-a-service environments have been solved with SCAP. One of those challenges is how to get the security configuration information to the service provider’s tenants. EMC’s Office of the CTO has been doing demos of a prototype SCAP-based solution. The idea is to use SCAP and its associated protocols to forward vulnerability-related information from the service provider’s environment to an external “air-gapped” repository that will collect the information.

Air gap is “…a security measure often taken for computers and computer networks that must be extraordinarily secure. It consists of ensuring that a secure network is completely physically, electrically, and electromagnetically isolated from unsecured networks, such as the public Internet or an unsecured local area network.” [4]

Tenants subscribe to the repository and receive SCAP information applicable only to them. The SCAP feed is then displayed in a local dashboard, which is SCAP-aware. In this model, the customer only subscribes to those data feeds that are relevant to them. In this way, a customer of a cloud-based solution can use an eGRC dashboard for their as-a-service environment as well as their internal IT systems.

[3] Wikipedia, Secure Content Automation Protocol, as of July 20, 2012 page update
[4] Wikipedia, Air gap (networking), as of July 25, 2012 page update
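The tenant-scoped feed described in the two sections above (the customer-specific visibility problem and the repository that tenants subscribe to) can be illustrated with a small routing step on the repository side. The following is an added example, not EMC's prototype and not real SCAP tooling (NIST publishes SCAP as the Security Content Automation Protocol). It assumes a provider-side asset inventory that maps each monitored asset to the tenants whose data it carries, and it uses a constructed, simplified record shape rather than the XCCDF/OVAL/ARF schemas. The shared network switch case raised above is handled by delivering the finding to every tenant on that switch, flagged as shared infrastructure, without naming the other tenants; findings on provider-only assets stay with the provider, and findings on assets missing from the inventory are held back and flagged, because no routing decision can safely be made for them.

```python
"""Tenant-scoped routing of SCAP-style findings (added illustration).

Not EMC's prototype and not real SCAP tooling: the record shape below is a
constructed simplification, not the XCCDF/OVAL/ARF schema.
"""
from collections import Counter, defaultdict

# Constructed provider-side inventory: each monitored asset -> the tenants
# whose data it carries. A shared core switch serves two tenants; the
# management host serves none and is provider-only.
ASSET_TENANTS = {
    "vm-0101": {"tenant-a"},
    "vm-0202": {"tenant-b"},
    "sw-core-01": {"tenant-a", "tenant-b"},   # shared network switch
    "mgmt-host-01": set(),                    # provider infrastructure only
}

# Constructed SCAP-style results. The CVE ids are placeholders, not real ones.
FINDINGS = [
    {"asset": "vm-0101", "cve": "CVE-YYYY-0001", "result": "fail", "severity": "high"},
    {"asset": "vm-0202", "cve": "CVE-YYYY-0002", "result": "pass", "severity": "medium"},
    {"asset": "sw-core-01", "cve": "CVE-YYYY-0003", "result": "fail", "severity": "high"},
    {"asset": "mgmt-host-01", "cve": "CVE-YYYY-0004", "result": "fail", "severity": "critical"},
    {"asset": "vm-unknown", "cve": "CVE-YYYY-0005", "result": "fail", "severity": "low"},
]


def tenant_view(finding, tenants):
    """Copy of a finding as one tenant may see it.

    The tenant learns that the asset is shared infrastructure, so it can weigh
    the finding accordingly, but not who the other tenants are.
    """
    return {**finding, "shared_asset": len(tenants) > 1}


def route_findings(findings, asset_tenants):
    """Split findings into per-tenant feeds, a provider-only set and an
    unmapped set.

    Returns (feeds, provider_only, unmapped) where feeds maps tenant id to the
    list of findings that tenant may see, in input order.
    """
    feeds = defaultdict(list)
    provider_only = []
    unmapped = []
    for finding in findings:
        tenants = asset_tenants.get(finding["asset"])
        if tenants is None:
            # Inventory gap: with no owner recorded, the safe choice is to
            # deliver to nobody and flag the asset for review.
            unmapped.append(finding)
        elif not tenants:
            provider_only.append(finding)
        else:
            for tenant in sorted(tenants):
                feeds[tenant].append(tenant_view(finding, tenants))
    return dict(feeds), provider_only, unmapped


def failing_by_severity(feed):
    """Dashboard-style roll-up: count of failed checks per severity."""
    return dict(Counter(f["severity"] for f in feed if f["result"] == "fail"))


if __name__ == "__main__":
    feeds, provider_only, unmapped = route_findings(FINDINGS, ASSET_TENANTS)
    for tenant, feed in feeds.items():
        print(tenant, [f["cve"] for f in feed], failing_by_severity(feed))
    print("provider-only:", [f["cve"] for f in provider_only])
    print("unmapped (review):", [f["asset"] for f in unmapped])
```

In the model described in the paper, this routing belongs on the repository side before anything is exposed for subscription, so a tenant's SCAP-aware dashboard only ever pulls its own feed. The asset inventory is the control that makes the correlation possible; the unmapped set is the signal that the inventory has fallen behind the environment.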
Conclusion

Summary

The goal of this paper is to show that the information security and compliance challenges of multi-tenant as-a-service environments are largely the same as those for physical environments and can be successfully addressed. The controls that must be put in place are the same in both environments and include:
• Anti-virus and anti-malware
• Authentication
• Authorization
• Change control
• Identity management
• Intrusion detection
• Security incident and event monitoring (SIEM)
• Network controls and forensics
• Monitoring and management (GRC)

The key element to consider is the equation “visibility plus control equals trust”: how the service provider will provide that and how the tenant will consume it.

Findings

This white paper highlights a couple of solutions that enable visibility into multi-tenant as-a-service environments:
• SCAP solution. The most promising solution is the Secure Content Automation Protocol (SCAP), which was developed by the National Institute of Standards and Technology (NIST). However, SCAP by itself does not address the problem of how to provide customer-specific visibility into as-a-service environments.
• EMC SCAP-based solution. EMC’s prototype solution solves the customer-specific visibility problem. The solution uses SCAP and its associated protocols to forward vulnerability-related information from the service provider’s environment to an external air-gapped repository that collects the information. Tenants subscribe to the repository and receive SCAP information applicable only to them.

References

White papers

For more information, see the following white papers:
• Design Principles and Considerations for Configuring VMware vShield in Service Provider Environments
• EMC Compute-as-a-Service - Design Principles and Considerations for Deployment

Other documentation

For more information, see the following documentation:
• Information Supplement: PCI DSS Virtualization Guidelines, Virtualization Special Interest Group, PCI Security Standards Council, Version 2.0, June 2011
• RSA Security Brief: Identity & Data Protection in the Cloud, November 2009
• On the Security of Cloud Storage Services, Fraunhofer Institute for Secure Information Technology, Moritz Borgmann et al., March 2012
• Governance of Enterprise Security - CyLab 2012 Report: How Boards and Senior Executives are Managing Cyber Risks, Carnegie Mellon University, May 16, 2012
• Design Guide: Vblock Solutions for Trusted Multi-Tenancy, VCE, February 2012