2014-04-28 cloud security frameworks and enforcement


Cloud Security: Frameworks and Enforcement

  1. Cloud Security: Frameworks and Enforcement
     SHAWN WELLS, Director, Innovation Programs, U.S. Public Sector
     shawn@redhat.com || 443-534-0130
     UNCLASSIFIED
  2. 35 MINUTES, 2 GOALS
  3. 35 MINUTES, 2 GOALS
     1. Cloud Security Lifecycle
        • Government Certification & Accreditation Models
        • Case Study: Westfield’s MADFW/MITE
  4. 35 MINUTES, 2 GOALS
     1. Cloud Security Lifecycle
        • Government Certification & Accreditation Models
        • Case Study: Westfield’s MADFW/MITE
     2. Enabling Security Technologies
        • Security Content Automation Protocol (SCAP)
        • Containers
  5. WHAT IS THE CLOUD?
     • Infrastructure as a Service (IaaS)
       • CIA C2S, NSA MACHINESHOP, ARC-P, Westfield’s MITE
  6. WHAT IS THE CLOUD?
     • Infrastructure as a Service (IaaS)
       • CIA C2S, NSA MACHINESHOP, ARC-P, Westfield’s MITE
     • Platform as a Service (PaaS)
       • DLT CODEvolved, Autonomic ARCWRX
  7. WHAT IS THE CLOUD?
     • Infrastructure as a Service (IaaS)
       • CIA C2S, NSA MACHINESHOP, ARC-P, Westfield’s MITE
     • Platform as a Service (PaaS)
       • DLT CODEvolved, Autonomic ARCWRX
     • Software as a Service (SaaS)
       • salesforce.com
  8. IaaS Case Study: Westfield’s MADFW
     • Also known as MITE, falls under MID
     • Development environment for ~117 tenants
     • Anything beyond the operating system is the responsibility of the tenant (applications, continuous monitoring, etc.)
     • ICD 503, High/Low/Low
  9. Continuous Monitoring
     • NIST 800-53, 800-137, and many other regulations require continuous monitoring
     • We’ve been using the SCAP Security Guide
       • Large body of Linux security controls
       • Logically grouped into profiles (e.g. DoD STIG, FISMA Moderate, C2S…)
     https://fedorahosted.org/scap-security-guide/
  10. Contributors Include . . .
  11. Control Tailoring
  12. Sample Output
  13. SCAP Content Repositories
     • NIST maintains the SCAP content repository for the U.S. Government. Plenty of non-Linux content!
     http://web.nvd.nist.gov/view/ncp/repository
  14. MADFW v2: PaaS (via containers)
     • Think of the containers as boxes, nodes as the truck
     • We don’t care what’s inside the box, it’s just cargo
  15. Multi-tenancy
     RHEL
     HYPERVISOR (RHEV, OpenStack, KVM, even VMWare…)
  16. Multi-tenancy
     RHEL
     system_u:system_r:svirt_t:s0:c379,c680
     system_u:system_r:svirt_t:s0:c41,c368
     HYPERVISOR (RHEV, OpenStack, KVM, even VMWare…)
  17. Multi-tenancy
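Slides 9 and 12 describe continuous monitoring with SCAP Security Guide profiles and the "sample output" such a scan produces. The following is an added example, not code from the deck or from the SCAP Security Guide project: it parses an XCCDF 1.2 TestResult of the kind `oscap xccdf eval --results` writes and reduces it to what a monitoring pipeline cares about, the rules that need attention and a pass ratio over the scored rules. The result document, its profile id and its rule ids are constructed placeholders (real SSG ids use the `xccdf_org.ssgproject.content_rule_` prefix), and the tenant-facing threshold is an assumption.

```python
"""Summarise an XCCDF 1.2 TestResult for continuous monitoring.

Added example; the embedded result fragment is constructed, not real scan
output. Works on a bare <TestResult> or on a full <Benchmark> results file
that embeds one, because it iterates over every rule-result element.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# XCCDF result values that mean "a control was evaluated and did not pass"
# or "we do not know", i.e. the ones an operator must look at.
NEEDS_ATTENTION = {"fail", "error", "unknown"}
# Result values that count towards the scored total (notapplicable,
# notchecked, notselected and informational are excluded from the ratio).
SCORED = {"pass", "fail", "error", "unknown", "fixed"}

# Constructed sample (placeholder ids and timestamp, not SSG content).
SAMPLE_RESULT = """<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_example_testresult_constructed"
            start-time="2014-04-28T00:00:00">
  <profile idref="xccdf_example_profile_stig"/>
  <rule-result idref="xccdf_example_rule_no_empty_passwords">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_sshd_permit_root_login">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_selinux_enforcing">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_audit_enabled">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_gpgcheck">
    <result>error</result>
  </rule-result>
</TestResult>
"""


def summarize_xccdf(xml_text: str) -> dict:
    """Return per-result counts, the rule ids needing attention, the
    profile that was evaluated, and the pass ratio over scored rules."""
    root = ET.fromstring(xml_text)
    tag = lambda name: f"{{{XCCDF_NS}}}{name}"  # noqa: E731

    counts: dict[str, int] = {}
    attention: list[str] = []
    for rr in root.iter(tag("rule-result")):
        result_el = rr.find(tag("result"))
        # A rule-result without a <result> child is malformed; treat it as
        # unknown rather than silently counting it as a pass.
        result = (result_el.text or "").strip() if result_el is not None else "unknown"
        counts[result] = counts.get(result, 0) + 1
        if result in NEEDS_ATTENTION:
            attention.append(rr.get("idref", "<missing idref>"))

    scored = sum(n for r, n in counts.items() if r in SCORED)
    passed = counts.get("pass", 0) + counts.get("fixed", 0)
    profile_el = next(root.iter(tag("profile")), None)
    return {
        "profile": profile_el.get("idref") if profile_el is not None else None,
        "counts": counts,
        "needs_attention": attention,
        "pass_ratio": passed / scored if scored else 1.0,
    }


def within_threshold(summary: dict, minimum_ratio: float = 0.9) -> bool:
    """Assumed tenant-facing policy: a scan is acceptable only when every
    scored rule passed or the pass ratio meets the threshold. The 0.9 value
    is an illustrative assumption, not a number from the deck."""
    return not summary["needs_attention"] or summary["pass_ratio"] >= minimum_ratio


if __name__ == "__main__":
    s = summarize_xccdf(SAMPLE_RESULT)
    print(f"profile: {s['profile']}")
    print(f"pass ratio over scored rules: {s['pass_ratio']:.2f}")
    for rule in s["needs_attention"]:
        print(f"  needs attention: {rule}")
    print("acceptable" if within_threshold(s) else "NOT acceptable")
```

On a real `--results` file the root element is a `Benchmark` that contains the `TestResult`; because the code iterates over `rule-result` elements anywhere in the tree, the same function handles both shapes.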
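Slide 16 shows two guests on one RHEL node labelled `svirt_t` with different MCS category pairs (`c379,c680` and `c41,c368`); that label difference is what keeps the tenants apart on shared hardware. The following is an added example, not code from the deck or from SELinux/libvirt: it parses labels of that form and applies the MCS rule a practitioner needs to reason about, namely that a subject may access an object only when the subject's category set contains the object's. It models a single sensitivity level (the `s0` shown on the slide) and does not handle `s0-s0:c0.c1023` range notation; the `svirt_image_t` object labels it checks against are constructed.

```python
"""Model of SELinux MCS isolation between sVirt guests.

Added example, not code from the deck. Simplification: one sensitivity level
per label (as on the slide), no low-high range notation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    sensitivity: str
    categories: frozenset


def expand_categories(spec: str) -> frozenset:
    """Expand 'c41,c368' or a range such as 'c0.c3' into integer categories."""
    cats = set()
    for item in spec.split(","):
        item = item.strip()
        if "." in item:  # range form cLO.cHI, inclusive
            lo, hi = item.split(".", 1)
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        elif item:
            cats.add(int(item[1:]))
    return frozenset(cats)


def parse_context(label: str) -> Context:
    """Parse user:role:type:sensitivity[:categories]."""
    parts = label.split(":", 4)
    if len(parts) < 4:
        raise ValueError(f"not a valid SELinux context: {label!r}")
    user, role, typ, sensitivity = parts[:4]
    if "-" in sensitivity:
        raise ValueError("level ranges (s0-s0:...) are not modelled here")
    cats = expand_categories(parts[4]) if len(parts) == 5 else frozenset()
    return Context(user, role, typ, sensitivity, cats)


def mcs_allows(subject: Context, obj: Context) -> bool:
    """MCS constraint: same sensitivity and the subject's categories must be
    a superset of the object's. An object with no categories (plain s0) is
    therefore reachable by every guest, which is how shared read-only images
    are labelled; a private image gets the guest's own pair."""
    return subject.sensitivity == obj.sensitivity and obj.categories <= subject.categories


def guest_can_access(guest_label: str, object_label: str) -> bool:
    return mcs_allows(parse_context(guest_label), parse_context(object_label))


def mutually_isolated(label_a: str, label_b: str) -> bool:
    """True when neither guest's category set dominates the other's, so
    neither can reach objects labelled for the other."""
    a, b = parse_context(label_a), parse_context(label_b)
    return not mcs_allows(a, b) and not mcs_allows(b, a)


if __name__ == "__main__":
    # The two guest labels from slide 16; object labels are constructed.
    guest_a = "system_u:system_r:svirt_t:s0:c379,c680"
    guest_b = "system_u:system_r:svirt_t:s0:c41,c368"
    image_a = "system_u:object_r:svirt_image_t:s0:c379,c680"
    shared = "system_u:object_r:svirt_image_t:s0"
    print("guest A -> image A:", guest_can_access(guest_a, image_a))
    print("guest B -> image A:", guest_can_access(guest_b, image_a))
    print("guest B -> shared :", guest_can_access(guest_b, shared))
    print("A and B isolated  :", mutually_isolated(guest_a, guest_b))
```

The check that matters operationally is the last one: category pairs are only an isolation boundary if they are unique per guest, which is why sVirt allocates a random, unused pair at guest start rather than letting tenants choose.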