Slide outline (60 slides)
1. Security, Risk Management & Audit in the Crossroads of Agile, DevOps and Cloud Management
2. Agenda
3. Audience Poll
4. Motivation
5. 7 W’s of Auditing and Investigations
6. Agile SCRUM
7. The IT Industry Paradigm is Shifting… (Microservices, Containers & VMs)
8. The IT Industry Paradigm is Shifting… (Continuous Delivery, Continuous Integration, Continuous Deployment, API Management)
9. The IT Industry Paradigm is Shifting… (Cloud Foundry, DataGravity)
10. Development to Operation: Business Challenges
11. DevOps
12. What is different in DevOps… (Configuration Management)
13. What is different in DevOps… (Release and Change Management, Incident Management, Event Management)
14. DevOps Success Factors
15. DevOps Best Practices
16. DevOps lifecycle
17. Sample of DevOps Tools and Technologies
18. Cloud Management Tools, Technologies & Companies
19. Security Management Tools, Technologies & Companies
20. Service Delivery Models
21. Cloud Actors
22. Cloud Services Integration and Management (CSIM/CSIAM)
23. OpenStack key components
24. Sample Standards and Compliance Controls
25. Sample Standards and Compliance Controls (continued)
26. Cloud Security Alliance TCI Reference Architecture
27. Cloud Security Alliance TCI Reference Architecture (services)
28. CSA Cloud Control Matrix CCM v3.0.1: 16 Domains, 133 Controls
29. NIST SP 800-53 Rev. 4 Security and Privacy Controls (Risk Management Framework)
30. NIST SP 800-53 Rev. 4 Security and Privacy Controls (control families)
31. NIST SP 800-53 Rev. 4 Security and Privacy Controls (control classes)
32. NIST Cybersecurity Framework version 1.0
33. ISO/IEC 27002
34. FISMA & FedRAMP
35. Meaningful Use, HITECH & HIPAA
36. COBIT 5
37. COBIT 5 (process reference model)
38. ITIL 2011
39. ITIL v3 Value Chain (Level 1): Service Strategy (SS), Service Design (SD), Service Transition (ST), Service Operations (SO)...
40. Payment Card Industry Data Security Standard PCI DSS 3.1: 12 high-level requirements, detailed. Build and Maintain a Secur...
41. DMTF Cloud Auditing Data Federation (CADF) Standard: Defines a full event model anyone can use to fill in the essential ...
42. Cloud Auditing Data aggregated from multiple sources. Source: http://dmtf.org/sites/default/files/standards/documents/DS...
43. Example: 7 essential W’s auditing and monitoring. CADF Event Model: Basic and conditional model components. What: What act...
44. Challenges & Opportunities in Cloud Management: • Transparency is Crucial • Regulations can’t keep up • Need for continu...
45. Challenges & Opportunities in Cloud Management: • Containers and portable VM snapshots are too portable • Encryption eff...
46. Reference URLs: • Cloud Standards Customer Council (CSCC) Cloud Security Standards • Cloud Auditing Data Federation • NI...
47. References & Credits
48. Conclusion: • Migration to Cloud will continue due to the efficiencies and economics. • Cloud is all about services and ...
49. Contact: sukumar.nayak@hp.com, sukumar.nayak@gmail.com, 240.506.2305, linkedin.com/in/sukumarnayak/
50. Backup
51. Open Security Architecture. URL: http://www.opensecurityarchitecture.org/cms/foundations/osa-...
52. DevOps & Cloud: Key is Automated Provisioning. Fully automated provisioning: the ability to deploy, update, and repair a...
53. Extending the scope and value delivered by GRC & ERM. Ref: 2014 Forrester report by Chris McClean, Stephanie Balaouras &...
54. DevOps Maturity Model. Source HP: http://h30499.www3.hp.com/t5/Business-Service-Management-BAC/DevOps-and-OpsDev-How-Mat...
55. Sample of DevOps Tools and Technologies: Plan, Develop / Build, Continuous Integration (CI), Test, Continuous Delivery / Dep...
56. Sample of DevOps Tools and Technologies: Issue Tracking, Monitoring, Configuration Management, Analyze, Collaboration, HP SM ...
57. Lean principles: Queues and total throughput; Variability, innovation, and economic consequences; Batch sizes; Work in prog...
58. COBIT 5. URL: http://www.isaca.org/COBIT/Pages/default.aspx
59. Service Delivery Models (repeat of slide 20): Storage, Servers, Networking, O/S, Middleware, Virtualization, Data, Applications, Runtime; client managed vs. vendor managed ...
60. Definitions of Key Terms & Acronyms: • ADFS: Active Directory Federated Services • CADF: Cloud Auditing Data Federation • ...
Sukumar Nayak-Agile-DevOps-Cloud Management
1. Security, Risk Management & Audit in the Crossroads of Agile, DevOps and Cloud Management
   Sukumar Nayak, Chief Technologist, Cloud Services Integration & Automation
   Date Created: 04/21/2015. Date last updated: 07/14/2015.
2. Agenda
   Objective: Provide an overview of Agile, DevOps and Cloud Management from Security, Risk Management and Audit Compliance perspectives.
   Scope:
   • Motivation
   • Agile Development
   • The IT Industry Paradigm is Shifting
   • DevOps
   • Cloud Management
   • Tools & Technologies in the New Style IT
   • Standards & Compliance Controls
   • Implementation best practices for Security & Audit in the Cloud
   • Challenges and Opportunities for Security, Risk Management & Audit practices
   • Q&A
3. Audience Poll
   What is your primary role at your company? Technologist, CTO; IT Operation, CIO; Finance, CFO; Audit, CFO; Security & Compliance, CISO, CCO; Business Services, Executive; Consultant, Entrepreneur; Government, Nonprofit Org.
   What is your level of experience with Agile Development? With DevOps? With Cloud environment? With Big Data environment? (Evaluating; 1-3 years; 3-5 years; 5+ years)
4. Motivation
   “Companies rarely fail because of poor financial controls, but they fail frequently due to their inability to understand and address disruptive technologies, market fluctuations, changing customer expectations, and competitive pressures.”
   2014 Forrester report by Chris McClean, Stephanie Balaouras & Jennie Duong. URL: http://www.metricstream.com/pdf/Extend-compliance-and-risk-Forrester-play-book.pdf
5. 7 W’s of Auditing and Investigations
   1. What: What activity occurred? What was the result? Key attributes: Action, Outcome, Type, Reason.
   2. When: When did the action happen? When was it observed? How long did it take? Key attributes: Universal Timestamp, Time Zone, Duration.
   3. Who: Who (user/service) initiated the action? Key attributes: User, ID, Type, Name, Role/Credentials, Assertions.
   4. Where: Where was the action observed, reported or modified? What role does the event serve? How was it recorded? Key attributes: User/Observer, ID, Type, Name, Role/Credentials, Location.
   5. On What: What resource did the activity target? Key attributes: Device/Role ID.
   6. From Where: From where was the action initiated? Key attributes: logical/physical addresses (e.g. host IP address, server name); precise geolocation (e.g. ISO 6709:2008).
   7. To Where: To where was the action targeted? Key attributes: logical/physical addresses (e.g. host IP address, server name); precise geolocation (e.g. ISO 6709:2008).
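The seven questions above, and the CADF event model that slide 43 in the outline builds on them, amount to a checklist that an event record either satisfies or does not. The Python below is an added example, not from the deck or from the DMTF CADF specification: it borrows CADF's component names (action, outcome, initiator, target, observer, eventTime) as an assumption, and its validation rules are this example's reading of the key attributes listed on slide 5.

```python
"""Check whether an audit event answers the 7 W's of slide 5.

Added example, not from the slides or from DMTF CADF. The component names
action/outcome/initiator/target/observer/eventTime are borrowed from CADF's
vocabulary (assumption); the grouping and rules follow slide 5.
"""
from datetime import datetime, timezone
import re

# Each W and the attributes needed to answer it, as dotted paths into the event.
REQUIRED = {
    "what":       ("action", "outcome"),                 # activity and result
    "when":       ("eventTime",),                        # universal timestamp + zone
    "who":        ("initiator.id", "initiator.typeURI"),  # user/service that acted
    "where":      ("observer.id", "observer.typeURI"),    # who observed/recorded it
    "on_what":    ("target.id", "target.typeURI"),        # resource acted upon
    "from_where": ("initiator.host.address",),           # logical/physical origin
    "to_where":   ("target.host.address",),              # logical/physical destination
}

# ISO 8601 with an explicit 'Z' or numeric offset: a bare local time cannot be
# correlated across regions (slide 5: "Universal Timestamp, Time Zone").
ISO_WITH_TZ = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")


def _lookup(event, dotted):
    """Return the value at a dotted path, or None if any segment is absent."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def build_event(*, action, outcome, when, initiator, observer, target,
                from_addr, to_addr, duration_s=None, reason=None):
    """Assemble one event record answering all seven W's.

    `when` should be timezone-aware; a naive datetime serializes without an
    offset and is flagged by validate_event()."""
    event = {
        "action": action,
        "outcome": outcome,
        "eventTime": when.isoformat(),
        "initiator": {**initiator, "host": {"address": from_addr}},
        "observer": dict(observer),
        "target": {**target, "host": {"address": to_addr}},
    }
    if duration_s is not None:
        event["duration_s"] = duration_s          # When: "How long did it take?"
    if reason is not None:
        event["reason"] = reason                  # What: Reason
    return event


def validate_event(event):
    """Return a list of findings; an empty list means every W is answered."""
    findings = []
    for w, paths in REQUIRED.items():
        for path in paths:
            if _lookup(event, path) in (None, ""):
                findings.append(f"{w}: missing {path}")
    t = event.get("eventTime")
    if isinstance(t, str) and not ISO_WITH_TZ.match(t):
        findings.append("when: eventTime has no explicit time zone or UTC offset")
    return findings


# Constructed sample 1: a role assignment observed by an IAM service; complete.
WELL_FORMED = build_event(
    action="update/role/assign", outcome="success",
    when=datetime(2015, 7, 14, 9, 30, 0, tzinfo=timezone.utc),
    initiator={"id": "user-4711", "typeURI": "service/security/account/user",
               "name": "alice"},
    observer={"id": "iam-svc-01", "typeURI": "service/security/identity"},
    target={"id": "role-admin", "typeURI": "service/security/role"},
    from_addr="10.0.5.23", to_addr="10.0.9.8", duration_s=0.12,
)

# Constructed sample 2: a VM deletion with no initiator (an unattributed
# change) and a local timestamp; the kind of record an auditor cannot act on.
UNATTRIBUTED = {
    "action": "delete/vm", "outcome": "success",
    "eventTime": "2015-07-14T09:31:05",
    "observer": {"id": "nova-api-2", "typeURI": "service/compute"},
    "target": {"id": "vm-0042", "typeURI": "service/compute/server",
               "host": {"address": "10.0.7.4"}},
}

# Constructed sample 3: complete except that the caller passed a naive datetime.
LOCAL_TIME_ONLY = build_event(
    action="read/object", outcome="success",
    when=datetime(2015, 7, 14, 9, 32, 0),
    initiator={"id": "svc-backup", "typeURI": "service/security/account/service"},
    observer={"id": "swift-proxy-1", "typeURI": "service/storage/object"},
    target={"id": "bucket-42/report.pdf", "typeURI": "service/storage/object"},
    from_addr="10.0.3.9", to_addr="10.0.11.2",
)
```

Running `validate_event` over a log stream and counting records with findings gives a direct measure of how much of the estate can actually be audited against the 7 W's.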
6. Agile SCRUM
   Scrum is an iterative and incremental agile software development methodology for managing product development.
   Roles: Product Owner, Scrum Master, Team Member, Stakeholder.
   Artifacts, Ceremonies & Processes: Product Vision, Product Backlog, Release Backlog, Sprint Backlog, User Stories, User Story Estimation, Sprint Demo, Sprint Retrospective, Daily Standup Meetings, Release Burndown, Sprint Burndown, Story Board.
   Key concepts: Capacity, Velocity, Story Points.
7. The IT Industry Paradigm is Shifting…
   Microservices: A software architecture style in which complex applications are composed of small, independent processes communicating with each other using language-agnostic APIs. These services are small, highly decoupled and focus on doing a small task. (Microservices by James Lewis and Martin Fowler, URL: http://martinfowler.com/articles/microservices.html)
   Containerization (horizontal segmentation). Docker Container: The Docker Engine container needs just the application and its dependencies. It runs as an isolated process in userspace on the host OS, sharing the kernel with other containers. Thus it enjoys the resource isolation & allocation benefits of VMs but is much more portable & efficient. Stack: App A (Bins/Libs) and App B (Bins/Libs) on Docker Engine, on Host OS, on Server.
   Kubernetes: Open source orchestration system (container cluster manager) for Docker containers. It handles scheduling onto nodes in a compute cluster and actively manages workloads to ensure that their state matches the user’s declared intentions. Runs on Public Cloud, Private Cloud and Bare Metal.
   Virtualization (vertical abstraction): Each virtualized application includes the application, the required binaries & libraries, and a Guest OS. The application may be in the order of tens of MB, whereas the Guest OS may be in the order of tens of GB. Type 2 Hypervisor stack: App A (Bins/Libs, Guest OS) and App B (Bins/Libs, Guest OS) on Hypervisor, on Host OS, on Server. Type 1 Hypervisor stack: App A (Bins/Libs, Guest OS) and App B (Bins/Libs, Guest OS) on Hypervisor, on Server. (Containers & VMs by Michael Daconta, URL: http://www.quora.com/How-is-containerization-different-from-virtualization)
8. The IT Industry Paradigm is Shifting…
   Continuous Delivery (CD): A software engineering approach in which teams keep producing valuable software in short cycles and ensure that the software can be reliably released at any time. It is used in software development to automate and improve the process of software delivery.
   Continuous Integration (CI): A development practice that requires developers to integrate code into a shared repository several times a day. Each check-in is then verified by an automated build, allowing teams to detect problems early.
   Continuous Deployment (CD): The deployment or release of code to Production as soon as it is ready. There is no large batching in Staging nor a long UAT process directly before Production. Testing is done prior to merging to the Mainline branch and is performed on Production-like environments.
   API Management: The process of publishing, promoting and overseeing application programming interfaces (APIs) in a secure, scalable environment. It also includes the creation of end user support resources that define and document the API.
9. The IT Industry Paradigm is Shifting…
   Cloud Foundry (URL: http://www.cloudfoundry.org/index.html): Open source cloud computing platform as a service (PaaS) originally developed by VMware and now owned by Pivotal Software, a joint venture by EMC, VMware and General Electric. Cloud Foundry is primarily written in Ruby and Go. Comes in 3 flavors:
   • Cloud Foundry Open Source Software (OSS)
   • Pivotal Cloud Foundry (Pivotal CF)
   • Pivotal Web Services (PWS)
   DataGravity (URL: http://datagravity.com/): Data gravity is an analogy of the nature of data and its ability to attract additional applications and services. The Law of Gravity states that the attraction between objects is directly proportional to their weight (or mass). Dave McCrory coined the term data gravity to describe the phenomenon in which the number or quantity and the speed at which services, applications, and even customers are attracted to data increases as the mass of the data also increases.
10. Development to Operation: Business Challenges
   (DevOps URL: http://dev2ops.org/2010/02/what-is-devops/)
   Traditional IT challenges: ~70-80% of all downtime is due to changes (self-inflicted wounds).
   Pipeline: Requirements, Design, Code, Test, Package, Release, Deploy to Stage, UAT Test, Deploy to Prod.
   Often results in a “Wall of Confusion” between Development (wants faster changes; development tools) and Operation (wants a stable environment; operation tools).
11. DevOps
   What is DevOps? DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support. DevOps is a software development method that stresses communication, collaboration, integration, automation, and measurement of cooperation between software developers and other IT professionals. (URL: http://theagileadmin.com/what-is-devops/; URL: http://en.wikipedia.org/wiki/DevOps)
   DevOps composition: the overlap of Development (Software Engineering), Quality Assurance (QA) and IT Operations.
   DevOps motivation: IT Operations: “Be predictable – minimize risk”. Development (features & code changes): “Be more agile - deliver faster”. Agile Development plus DevOps brings quality, automation, collaboration, a feedback loop, faster releases and smaller packages; bring applications to customers faster.
12. What is different in DevOps…
   Configuration Management:
   Traditional CMDB (items modeled): Business Service; Application; Web site, Apache HTTP; App code (build), Tomcat instance, Linux VM; Database, MySQL DB instance; Server, HP Server, Rack, Data Ctr Zone, Data Ctr.
   Cloud environment CMDB (items modeled): Business Service; Application; Platform instance; Hosting platform (e.g. AWS, Google, Rackspace, HP, IBM); Location (e.g. EMEA, AMS, APJ). Further details (e.g. web, app, DB nodes, IPs, software versions) are kept in the automation/CD toolchain.
   Adapted from Torsten Rueter at URL: https://www.linkedin.com/pulse/devops-itil-match-made-heaven-hell-part-1-torsten-rueter
13. What is different in DevOps…
   Release and Change Management: URL: https://www.chef.io/solutions/continuous-delivery/
   Incident Management: DevOps changes primarily who gets involved in Incident Mgmt at which stage and what their stake is in the process. An even bigger impact may be achieved by ensuring there is the right culture and mindset that puts customers, service, reliability, and quick mean time to repair (MTTR) at the center of the approach.
   Event Management, Monitoring & Logging: The key difference is that the complexity, scale, and speed in DevOps make it imperative to focus on Internet Scale vs. Enterprise Scale solutions.
   Adapted from Torsten Rueter at URL: https://www.linkedin.com/pulse/devops-itil-match-made-heaven-hell-part-1-torsten-rueter
14. DevOps Success Factors
   DevOps Success factors:
   • Culture, Collaboration & Mindset
   • Effective Team Collaboration
   • Identify & Eliminate Waste
   • Improve Automation Efficiencies for Internet Scale
   • Unified Processes for Development to Operations
   • Unified Tooling (Key Capabilities): Version-control software library; Deeply modeled systems; Automation
   Key Industry dynamics:
   • Infrastructure as code
   • Model driven automation
   • Continuous integration (CI)
   • Continuous deployment (CD)
   Diagram (Culture, Process, Technology): Continuous Assessment & Adjust, Planning, Governance, Lifecycle Management, Release Automation, Collaboration, Accountability, Continuous Integration, Continuous Testing, Continuous Delivery, Continuous Deployment, Continuous Performance.
15. DevOps Best Practices
   URL: http://www.drdobbs.com/architecture-and-design/top-10-practices-for-effective-devops/240149363
   Practice 1: Active Stakeholders Participation
   Practice 2: Automated Testing
   Practice 3: Integrated Configuration Management
   Practice 4: Integrated Change Management
   Practice 5: Continuous Integration
   Practice 6: Integrated Deployment Planning
   Practice 7: Continuous Deployment
   Practice 8: Production Support
   Practice 9: Application Monitoring
   Practice 10: Automated Dashboards
   The Road to DevOps: 1. Execs Commitment; 2. Cloud Platform; 3. Standardization; 4. Interoperability & Automation; 5. Process Optimization; 6. Organization Culture.
16. DevOps lifecycle
   DevOps domains: Collaboration; Continuous Deployment / Delivery; Continuous Integration; Source Control; Development Environment; Configuration Management; Monitoring; Issue Tracking; Planning; Operations Management.
17. Sample of DevOps Tools and Technologies
   Categories: Plan; Develop / Build; Test; Continuous Integration; Continuous Delivery/Deploy; Issue Tracking; Monitoring; Analyze; Collaboration; Configuration Management.
   Tools: Campfire, Slack, IRC, SharePoint, GoToMeeting, HP MyRoom, MS Project, Trello, HP Agile Manager, HP PPM, Jira, HP Quality Center, ZenDesk, HP SM & SAW, MS Visual Studio Online, Graphite, Logstash, Kibana, HP SiteScope, HP vPV, HP OMi, HP BSM Performance Manager, Puppet, Chef, CFEngine, Ansible, SaltStack, HP CMS, PowerShell DSC, Git, CVS, MS TFS, Vagrant, Cloud9 IDE, Codenvy, TeamCity, TravisCI, Octopus, ThoughtWorks Go, Packer, Ubuntu Juju, Capistrano, Jenkins, Ant, Gradle, Maven, BuildHive, New Relic, Docker, CoreOS, HP Fortify, SonarQube, Artifactory, Splunk, HP ArcSight, HP CODAR, HP OO, SA, NA, DMA, NNMi, Cloudyn, Logentries.
18. Cloud Management Tools, Technologies & Companies
   Cost/Chargeback: Cloudability, Cloudyn, Cloud Cruiser, HP Cloud Sys Chargeback.
   Automation & Provisioning: Newvem/Datapipe, Puppet, Chef, enStratius/Dell, RightScale, GigaSpaces, HP CSA, SA, NA, DMA.
   Management Platform: BMC, Capgemini, CA Technologies, HP Helion, IBM, ServiceMesh/CSC, vRealize/VMware, AWS, OpenStack.
   Integration: Dell Boomi, Azure, IBM / Cast Iron, Amazon SQS, Informatica, TIBCO, MuleSoft.
19. Security Management Tools, Technologies & Companies
   Categories: Cyber Security; Investigation Management; Computer Security; Network Security.
   Vendors and products: FireEye, Palo Alto Networks, Check Point, Proofpoint Technologies, Guidance Software, Perspective, i-Sight, Report Exec, Column Case Investigate, EHS Insight, logikcull, HR Acuity, Lancope, AlienVault, Norse, RSA/EMC, HP ESS, Blue Coat, Akamai, Trend Micro, IBM ESS, Intel Security, Symantec, F5, AVG, ClearWater Compliance, F-Secure, Cisco, Beyond Security, AT&T Network Sec, Qualys, Bayshore, Bradford Networks.
20. Service Delivery Models
   Layers in each stack: User Experience, Devl Tools, Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking.
   Traditional (on premise): client managed. Infrastructure (as a Service), Platform (as a Service) and Software (as a Service): the stack is split between client managed, jointly managed and vendor managed layers, with responsibility shifting toward the vendor from IaaS to PaaS to SaaS.
21. Cloud Actors
   • Cloud Consumer: Person or organization that maintains a business relationship with, and uses service from, Cloud Providers.
   • Cloud Provider: Person, organization or entity responsible for making a service available to Cloud Consumers.
   • Cloud Auditor: A party that can conduct independent assessment of cloud services, information system operations, performance and security of the cloud implementation.
   • Cloud Broker: An entity that manages the use, performance and delivery of cloud services, and negotiates relationships between Cloud Providers and Cloud Consumers.
   • Cloud Carrier: The intermediary that provides connectivity and transport of cloud services from Cloud Providers to Cloud Consumers.
22. Cloud Services Integration and Management (CSIM/CSIAM)
   Actors: Cloud Consumers; Cloud Brokers; Service Providers; Cloud Auditors.
   IT Operations (Service Delivery, Service Support): Incident Management; Problem Management; Knowledge Mgmt; Change Management; Release Management; Availability & Capacity Mgmt; Service Catalog/Request Management; Service Assets & Configuration Mgmt; Event Management & Monitoring; Operations Support.
   Business Support: Customer Mgmt; Contract Mgmt; Inventory Mgmt; Accounting & Billing; Reporting & Auditing; Pricing, Costing & Rating.
   Integration (Portability & Interoperability): Data Portability; Service Interoperability; Systems Portability; Copy Data; Bulk Data Transfer; Unified Management Interface; VM Images Migration; App/SVC Migration; Containers Migration; Data Management.
   Rapid Provisioning & Fulfillment: Resource Change; Provisioning/Configuration; Monitoring & Reporting; Metering; SLA Management.
   Governance, Security & Risk Management: Security Management; Governance, Risk Mgmt & Controls.
   Services: Facility, Network, Workplace, Workload, Storage, Security, Data Ctr.
23. OpenStack key components
   Dashboard (Horizon); Compute (Nova); Object Storage (Swift); Block Storage (Cinder); Networking (Neutron); Image Management (Glance); Identity Management (Keystone); Telemetry (Ceilometer); Orchestration (Heat); Database (Trove); Bare Metal Provisioning (Ironic); Messaging (Zaqar); Elastic Map Reduce (Sahara).
24. Sample Standards and Compliance Controls
   • Cloud Security Alliance Cloud Control Matrix (CSA CCM 3.0.1)
   • NIST SP 800-53 Rev. 4
   • NIST Cybersecurity Framework
   • ISO/IEC 27002
   • FISMA and FedRAMP
   • Meaningful Use, HITECH and HIPAA
   • COBIT 5
   • ITIL v3 / 2011
   • Payment Card Industry Data Security Standard (PCI DSS 3.1)
   • Distributed Management Task Force (DMTF): Cloud Infrastructure Management Interface (CIMI); Cloud Auditing Data Federation (CADF)
25. Sample Standards and Compliance Controls
   • CSA Cloud Controls Matrix 3.0.1
   • NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations
   • NIST Cybersecurity Framework
   • ISO/IEC 27002:2013 Information technology. Security techniques. Code of practice for information security controls
   • PCI DSS 3.1
   • Distributed Management Task Force (DMTF): Cloud Auditing Data Federation (CADF) Standard; Cloud Infrastructure Management Interface (CIMI)
26. Cloud Security Alliance TCI Reference Architecture
   Legend: CSA: Cloud Security Alliance. TCI: Trusted Cloud Initiative.
   Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI_Whitepaper.pdf
27. Cloud Security Alliance TCI Reference Architecture
   Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI_Whitepaper.pdf
   SRM Services: Governance Risk and Compliance; Information Security Management; Privilege Management Infrastructure; Threat and Vulnerability Management; Infrastructure Protection Services; Data Protection; Policies and Standards.
   ITOS Services: IT Operations; Service Delivery; Service Support; Incident Management; Problem Management; Knowledge Management; Change Management; Release Management.
   BOSS Services: Compliance; Data Governance; Operational Risk Management; Human Resources Security; Security Monitoring Services; Legal Services; Internal Investigation.
   Presentation Services: Presentation Modality; Presentation Platform.
   Application Services: Development Process; Security Knowledge Lifecycle; Programming Interfaces; Integration Middleware; Connectivity & Delivery; Abstraction.
   Infrastructure Services: Facility Services; Servers; Storage Services; Network Services; Availability Services; Patch Management; Equipment Maintenance; Virtualization (Desktop, Storage, Server, Network).
   Information Services: User Directory Services; Security Monitoring Data Management; Service Delivery Data Management; Service Support Data Management; Data Governance Data Management; Risk Management Data Management; ITOS Data Management; BOSS Data Management; Reporting Services.
28. CSA Cloud Control Matrix CCM v3.0.1: 16 Domains, 133 Controls
   Source: https://cloudsecurityalliance.org/research/ccm/
   Legend: CSA: Cloud Security Alliance. CCM: Cloud Control Matrix. (Number of controls) for each domain.
   1. AIS: Application & Interface Security (4)
   2. AAC: Audit Assurance & Compliance (3)
   3. BCR: Business Continuity Management & Operational Resilience (11)
   4. CCC: Change Control & Configuration Management (5)
   5. DSI: Data Security & Information Lifecycle Management (7)
   6. DCS: Datacenter Security (9)
   7. EKM: Encryption & Key Management (4)
   8. GRM: Governance and Risk Management (11)
   9. HRS: Human Resources (11)
   10. IAM: Identity & Access Management (13)
   11. IVS: Infrastructure & Virtualization Security (13)
   12. IPY: Interoperability & Portability (5)
   13. MOS: Mobile Security (20)
   14. SEF: Security Incident Management, E-Discovery & Cloud Forensics (5)
   15. STA: Supply Chain Management, Transparency and Accountability (9)
   16. TVM: Threat and Vulnerability Management (3)
29. NIST SP 800-53 Rev. 4 Security and Privacy Controls
   Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
   Security Life Cycle / Risk Management Framework (RMF):
   • Starting Point. CATEGORIZE Information Systems: Define criticality/sensitivity of the information system according to potential worst-case, adverse impact to mission/business.
   • SELECT Security Controls: Select baseline security controls, apply tailoring guidance and supplement controls as needed based on risk assessment.
   • IMPLEMENT Security Controls: Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
   • ASSESS Security Controls: Determine security control effectiveness (i.e. controls implemented correctly, operating as intended, meeting security requirements for the information system).
   • AUTHORIZE Information Systems: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
   • MONITOR Security Controls: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
   Architecture Description inputs: Mission/Business Processes; Reference Models; Segment and Solution Architectures; Information System Boundaries.
   Organizational Inputs: Laws, Directives, Policy, Guidance; Strategic Goals and Objectives; Information Security Requirements; Priorities and Resource Availability.
30. NIST SP 800-53 Rev. 4 Security and Privacy Controls
   Identifier  Family                                    Class  Ctrls
   AC          Access Control                            Tech   25
   AT          Awareness and Training                    Ops    5
   AU          Audit and Accountability                  Tech   16
   CA          Security Assessment and Authorization     Mgmt   9
   CM          Configuration Management                  Ops    11
   CP          Contingency Planning                      Ops    13
   IA          Identification and Authentication         Tech   11
   IR          Incident Response                         Ops    10
   MA          Maintenance                               Ops    6
   MP          Media Protection                          Ops    8
   PE          Physical and Environmental Protection     Ops    20
   PL          Planning                                  Mgmt   9
   PS          Personnel Security                        Ops    8
   RA          Risk Assessment                           Mgmt   6
   SA          System and Services Acquisition           Mgmt   22
   SC          System and Communications Protection      Tech   44
   SI          System and Information Integrity          Ops    17
   PM          Program Management                        Mgmt   16
   Legend: Tech: Technical. Ops: Operational. Mgmt: Management. Ctrls: Number of Controls.
   Ref: URL: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
31. NIST SP 800-53 Rev. 4 Security and Privacy Controls
   Management (5): CA: Security Assessment and Authorization; RA: Risk Assessment; SA: System and Services Acquisition; PL: Planning; PM: Program Management.
   Operational (9): AT: Awareness and Training; CM: Configuration Management; CP: Contingency Planning; IR: Incident Response; MA: Maintenance; PE: Physical and Environmental Protection; PL: Planning; PS: Personnel Security; SI: System and Information Integrity.
   Technical (4): AC: Access Control; AU: Audit and Accountability; IA: Identification and Authentication; SC: System and Communications Protection.
32. NIST Cybersecurity Framework version 1.0
   Source: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
   Framework core with the number of subcategories per function: Identify 24; Protect 35; Detect 18; Respond 15; Recover 6.
33. ISO/IEC 27002:2015
   Source URL: http://iso27001security.com/html/27002.html
   URL: http://iso27001security.com/html/iso27k_toolkit.html
34. FISMA & FedRAMP
   FedRAMP = FISMA (NIST 800-53) + Additional Controls.
   FISMA:
   • Federal Information Security Management Act (FISMA)
   • United States legislation (not an agency program)
   • A comprehensive framework to protect government information, operations and assets against natural or man-made threats
   • Assigns responsibilities to various agencies to ensure the security of data
   • Managed by individual agencies
   • Requires annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels
   FedRAMP:
   • Federal Risk and Authorization Management Program (FedRAMP)
   • A government-wide program leveraging a “do once, use many times” framework (not legislation)
   • Provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services
   • Purpose: Ensure that cloud based services have adequate information security; eliminate duplication of effort and reduce risk management costs; enable rapid and cost-effective procurement of information systems/services for Federal agencies
   • GSA oversees, and accredited 3PAOs validate proposed offers before GSA approves. Note: 3PAOs are 3rd party assessment organizations.
   Control counts: FedRAMP: 125 Low, 326 Moderate, N/A High. FISMA: 124 Low, 261 Moderate, 343 High.
   URL: http://csrc.nist.gov/groups/SMA/forum/documents/FedRAMP-Goodrich-020912.pdf
   URL: http://1105govinfoevents.com/custom/Face-to-Face/2-15/FISMA-FedRAMP-Controls-and-Authorization-Differences-Whitepaper-Coalfire.pdf
35. Meaningful Use, HITECH & HIPAA
   HIPAA: Health Insurance Portability and Accountability Act (1996). The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs. Rules: Privacy, Security, Enforcement.
   HITECH: The Health Information Technology for Economic and Clinical Health (HITECH) Act (2009), enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.
   Meaningful Use: Meaningful Use guidelines for Electronic Health Records (2010): 15 core measures, 10 menu set objectives; 15 measure groups, 25 criteria & measures for meaningful use. Using certified electronic health record (EHR) technology to: improve quality, safety, efficiency, and reduce health disparities; engage patients and family; improve care coordination, and population and public health; maintain privacy and security of patient health information.
   URL: http://www.hhs.gov/ocr/privacy/hipaa/understanding/
   URL: http://pitchengine.com/pitches/9bbbb1a7-9fd0-4fcf-81ce-a397f82fd99a
   URL: https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/downloads/EP-MU-TOC.pdf
   URL: http://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title45/45cfr164_main_02.tpl
36. COBIT 5
Source URL: http://www.isaca.org/COBIT/Pages/default.aspx
37. COBIT 5
Ref URL: http://www.isaca.org/COBIT/Pages/default.aspx

Governance: Evaluate, Direct and Monitor (EDM), 5 processes
• EDM01 Ensure Governance Framework Setting and Maintenance
• EDM02 Ensure Benefits Delivery
• EDM03 Ensure Risk Optimization
• EDM04 Ensure Resource Optimization
• EDM05 Ensure Stakeholder Transparency

Management: Align, Plan and Organize (APO), 13 processes
• APO01 Manage the IT Management Framework
• APO02 Manage Strategy
• APO03 Manage Enterprise Architecture
• APO04 Manage Innovation
• APO05 Manage Portfolio
• APO06 Manage Budget and Costs
• APO07 Manage Human Resources
• APO08 Manage Relationships
• APO09 Manage Service Agreements
• APO10 Manage Suppliers
• APO11 Manage Quality
• APO12 Manage Risk
• APO13 Manage Security

Management: Build, Acquire and Implement (BAI), 10 processes
• BAI01 Manage Programs and Projects
• BAI02 Manage Requirements Definition
• BAI03 Manage Solutions Identification and Build
• BAI04 Manage Availability and Capacity
• BAI05 Manage Organizational Change Enablement
• BAI06 Manage Changes
• BAI07 Manage Change Acceptance and Transitioning
• BAI08 Manage Knowledge
• BAI09 Manage Assets
• BAI10 Manage Configuration

Management: Deliver, Service and Support (DSS), 6 processes
• DSS01 Manage Operations
• DSS02 Manage Service Requests and Incidents
• DSS03 Manage Problems
• DSS04 Manage Continuity
• DSS05 Manage Security Services
• DSS06 Manage Business Process Controls

Management: Monitor, Evaluate and Assess (MEA), 3 processes
• MEA01 Monitor, Evaluate and Assess Performance and Conformance
• MEA02 Monitor, Evaluate and Assess the System of Internal Control
• MEA03 Monitor, Evaluate and Assess Compliance with External Requirements
38. ITIL 2011

Service Strategy (SS), 5 processes:
• Business relationship management
• Financial management for IT services
• Service portfolio management
• Strategy for IT services
• Demand management

Service Design (SD), 8 processes:
• Design coordination
• Service catalog management
• Service level management
• IT service continuity management
• Supplier management
• Availability management
• Capacity management
• IT security management

Service Transition (ST), 7 processes:
• Transition planning & support
• Change management
• Change evaluation
• Service validation & testing
• Service asset & configuration management
• Release & deployment management
• Knowledge management

Service Operation (SO), 5 processes:
• Event management
• Incident management
• Problem management
• Request management
• Access management
4 functions:
• Service desk
• Technical management
• IT operations management
• Application management

Continual Service Improvement (CSI), 1 process:
• 7-step improvement process
39. ITIL v3 Value Chain (Level 1)

Service Strategy (SS):
• Business Relationship Management
• Management of IT Service Strategy
• Demand Management
• Service Portfolio Management (SPM)
• Financial Management (FM)

Service Design (SD):
• Service Design Coordination
• Service Level Management (SLM)
• Capacity Management
• Availability Management
• Risk Management
• Security Management
• Service Continuity Management
• Supplier Management
• Service Catalog Management

Service Transition (ST):
• Transition Planning and Support
• Change Management
• Change Evaluation
• Release and Deployment Management
• Service Validation and Test
• Service Asset and Configuration Management
• Application Development and Customizing
• End of Life for IT Services
• Knowledge Management

Service Operations (SO):
• Event Management
• Incident Management
• Problem Management
• Access Management
• Service Request Management
• Operations Control

Continual Service Improvements (CSI):
• Service Evaluation
• Process Management
• Improvement Management and Reporting
40. Payment Card Industry Data Security Standard (PCI DSS 3.1)

12 high-level requirements, with the number of detailed requirements under each:

Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data (20)
2. Do not use vendor-supplied defaults for system passwords and other security parameters (10)

Protect Cardholder Data
3. Protect stored cardholder data (18)
4. Encrypt transmission of cardholder data across open, public networks (3)

Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs (5)
6. Develop and maintain secure systems and applications (28)

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know (10)
8. Identify and authenticate access to system components (23)
9. Restrict physical access to cardholder data (27)

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data (32)
11. Regularly test security systems and processes (16)

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel (39)

Totals: 12 requirements; 231+ detailed requirements; 5 requirements for Shared Hosting Providers.
Source: PCI DSS Standards URL: https://www.pcisecuritystandards.org
41. DMTF Cloud Auditing Data Federation (CADF) Standard

Defines a full event model anyone can use to fill in the essential data needed to certify, self-manage and self-audit application security in cloud environments. CADF is part of the DMTF's Cloud Management Initiative.

Auditing using a standard such as CADF has many benefits:
• Create and request customized views for Audit & Compliance data
• Track regional, industry and corporate policy compliance using standardized APIs / reports
• Key event data is normalized and categorized to support auditing of hybrid Cloud applications
• CADF assures consistent mappings across cloud components and cloud providers
• Format is agnostic to the underlying provider infrastructure
• Provides transparency for low-level operational processes

Customer benefits:
• Ability to self-manage auditing of their data
• Similar reports from different Cloud service providers
• Aggregate audit data from different Clouds / partners
• Auditing processes & tools unchanged

Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
42. Cloud Auditing Data aggregated from multiple sources

Diagram: Company A's hybrid applications run on Cloud Provider P1 and Cloud Provider P2. Company A's OSS/BSS processes and Company A's auditor use standard APIs for requesting audit data, and receive standard audit data (logs and reports) aggregated from the hybrid applications across both providers.
OSS: Operational Support Services; BSS: Business Support Services

Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
43. Example: 7 essential W's of auditing and monitoring

Distributed Management Task Force (DMTF) Cloud Auditing Data Federation (CADF): CADF Event Model and its components (basic and conditional model components)
• Work for any Activity, Monitoring or Control event
• Provides guidance on how to record Basic, Detailed or Precise information for each component
Legend: italics are optional properties (shown here in parentheses)

1. What: What activity occurred? What was the result?
   event.action, event.outcome, event.type (activity, monitoring, control), (event.reason, e.g. security, reason code, policy id)
2. When: When did the action happen? When was it observed? How long did it take?
   ISO 8601 transaction timestamp: event.eventTime, reporter.timestamp, (event.duration)
3. Who: Who (user/service) initiated the action?
   initiator.id, initiator.type, initiator.id (id, name), (initiator.credential, initiator.credential.assertions)
4. Where: Where was the action observed, reported or modified? What role does the event serve? How was it recorded?
   observer.id, observer.type, reporterstep.role, reporterstep.reporterTime
5. On What: What resource did the activity target?
   target.id
6. From Where: From where was the action initiated? May include logical/physical addresses and ISO 6709:2008 precise geolocations.
   initiator.addresses, initiator.host, (initiator.geolocation)
7. To Where: To where was the action targeted? Can be as simple as an IP address or server name.
   target.addresses, target.host, (target.geolocation)

Source: http://dmtf.org/sites/default/files/standards/documents/DSP2038_1.0.0.pdf
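The slide maps each of the 7 W's to event properties but does not show what an event looks like or how an auditor would confirm that a record is complete. The example below is added here and is not code from the DMTF specification or from the deck: it builds a CADF-style event from the property names the slide lists (event.action, event.outcome, event.type, event.eventTime, initiator.id, observer.id, reporterstep.role, target.id and so on) and then checks which W's a given record fails to answer. The nested JSON layout, the sample values and the "service/security/audit" observer type are constructed for illustration and are not the normative DSP0262 schema.

```python
"""Build a CADF-style audit event and check it answers the 7 W's.

Added example: not the DMTF CADF reference code. Property names follow the
slide; the nested dict layout is an assumption for illustration, not the
normative DSP0262 JSON schema.
"""
import json
from datetime import datetime, timezone

# Which properties answer each W.  Each inner tuple is a group of
# alternatives: any one member present satisfies that group.  Properties the
# slide marks optional (credential, geolocation, duration, reason) are not
# required, except that From/To Where need at least one locator.
SEVEN_WS = {
    "what": [("action",), ("outcome",), ("type",)],
    "when": [("eventTime",)],
    "who": [("initiator.id",), ("initiator.type",)],
    "where": [("observer.id",), ("observer.type",),
              ("reporterstep.role",), ("reporterstep.reporterTime",)],
    "on_what": [("target.id",)],
    "from_where": [("initiator.addresses", "initiator.host", "initiator.geolocation")],
    "to_where": [("target.addresses", "target.host", "target.geolocation")],
}

EVENT_TYPES = {"activity", "monitoring", "control"}      # event.type values from the slide
OUTCOMES = {"success", "failure", "pending", "unknown"}    # CADF outcome vocabulary


def lookup(event, dotted):
    """Resolve a dotted path such as 'initiator.host' inside a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def missing_ws(event):
    """Return the W's (in slide order) that the event does not answer."""
    missing = []
    for w, groups in SEVEN_WS.items():
        for alternatives in groups:
            if not any(lookup(event, p) not in (None, "", [], {}) for p in alternatives):
                missing.append(w)
                break
    return missing


def parse_time(value):
    """Parse an ISO 8601 timestamp, accepting the 'Z' suffix for UTC."""
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def validate(event):
    """Collect every problem with an event; an empty list means it is complete."""
    problems = [f"missing:{w}" for w in missing_ws(event)]
    if event.get("type") not in EVENT_TYPES:
        problems.append("bad:type")
    if event.get("outcome") not in OUTCOMES:
        problems.append("bad:outcome")
    try:
        observed = parse_time(event["eventTime"])
        reported = parse_time(event["reporterstep"]["reporterTime"])
        # A reporter cannot record an event before it happened: this flags
        # clock skew between observer and reporter, or a tampered timestamp.
        if reported < observed:
            problems.append("bad:reporterTime_before_eventTime")
    except (KeyError, TypeError, ValueError):
        problems.append("bad:timestamp")
    return problems


def build_event(action, outcome, initiator, target, observer_id,
                event_type="activity", event_time=None, reason=None):
    """Assemble an event dict from the pieces an emitting service knows."""
    now = datetime.now(timezone.utc)
    event_time = event_time or now
    event = {
        "type": event_type,
        "action": action,
        "outcome": outcome,
        "eventTime": event_time.isoformat().replace("+00:00", "Z"),
        "initiator": dict(initiator),
        "target": dict(target),
        "observer": {"id": observer_id, "type": "service/security/audit"},  # assumed type
        # The observer is the first step in the reporter chain.
        "reporterstep": {"role": "observer",
                         "reporterTime": now.isoformat().replace("+00:00", "Z")},
    }
    if reason:
        event["reason"] = reason  # optional on the slide: reason code, policy id
    return event


# Constructed sample: a user's failed read of a storage object (values invented).
SAMPLE_EVENT = build_event(
    action="read",
    outcome="failure",
    initiator={"id": "user-42", "type": "user", "host": "10.0.0.7"},
    target={"id": "bucket/finance/q3.xlsx", "host": "storage-01.example"},
    observer_id="audit-collector-1",
    event_time=datetime(2015, 6, 1, 12, 0, 0, tzinfo=timezone.utc),
    reason={"reasonCode": "403", "policyId": "policy/deny-cross-region"},
)

if __name__ == "__main__":
    print(json.dumps(SAMPLE_EVENT, indent=2))
    print("problems:", validate(SAMPLE_EVENT))
```

Run as a script it prints the sample event and an empty problem list. Feeding `validate` records pulled from a provider's audit API is a cheap first-pass completeness check before the data is aggregated across clouds: a record that cannot say who acted, on what, or from where is not usable as audit evidence, whichever provider produced it.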
44. Challenges & Opportunities in Cloud Management
• Transparency is crucial
• Regulations can't keep up
• Need for continuous real-time security audits & monitoring
• Bridge the gaps between the academic world innovations and the business world
• Security requires a big-picture approach
• BYOD brings additional challenges
• Bare-metal security features are not available in the virtual world
• Accidental key sharing in appliances
• Leave security implementations to the experts
• Data partitioning for hybrid clouds
• Do consumers care? i.e. are they willing to pay?
• Products can end up being used in industries they aren't designed for
• Security guarantees are impossible to "prove"
Source: John Wetherill, URL: http://www.activestate.com/blog/2015/02/locking-down-cloud-18-security-issues-faced-enterprise-it
Source URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm
45. Challenges & Opportunities in Cloud Management
• Containers and portable VM snapshots are too portable
• Encryption efforts are vulnerable if physical access to a machine is available
• Controlling physical access to the data center is not enough
• Privacy and security are at odds
• Lack of control over assets and physical security
• Integration and interoperability of systems / API management
• Who controls the encryption/decryption keys for data in store & in transit?
• Lack of standard for data integrity
• Virtual machines / containers transition between private, public and hybrid environments
• Establishing and managing Service Level Agreements (SLA)
• Usage-based costing, invoicing & chargeback
• Data migration in and out of the Cloud Service Provider
• Plan for an exit strategy from the beginning
Source: John Wetherill, URL: http://www.activestate.com/blog/2015/02/locking-down-cloud-18-security-issues-faced-enterprise-it
Source URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm
46. Reference URLs
• Cloud Standards Customer Council (CSCC) Cloud Security Standards
• Cloud Auditing Data Federation
• NIST Cloud Computing Standards Roadmap
• Detailed CSA TCI Reference Architecture
• Payment Card Industry (PCI) Data Security Standards (DSS) Guidelines
• OpenStack wiki
• OpenStack Main Page
• OpenStack Developers Guides
• Cloud Audit Data Federation - OpenStack Profile
• Cloud Auditing Data Federation (CADF) - Data Format and Interface Definitions Specification (DSP0262_1.0.0)
• CADF Event Model and Taxonomies
• NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
• URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm
• CRCnetBASE: http://www.crcnetbase.com/action/showPublications?display=bySubject&category=40001730&collapse=40001730
• FedRAMP: https://www.fedramp.gov/
• FISMA: http://www.dhs.gov/federal-information-security-management-act-fisma
47. References & Credits
48. Conclusion
• Migration to Cloud will continue due to the efficiencies and economics.
• Cloud is all about services and service delivery.
• The Cloud is only worth the services it delivers securely.
• Cloud is all about a hybrid world.
• Security, Risk Management & Audit practices are at the center of Agile, DevOps, and Cloud Management transformation.
49. Contact: sukumar.nayak@hp.com, sukumar.nayak@gmail.com, 240.506.2305, linkedin.com/in/sukumarnayak/
50. Backup
51. Open Security Architecture
URL: http://www.opensecurityarchitecture.org/cms/foundations/osa-taxonomy
52. DevOps & Cloud: Key is Automated Provisioning

Fully automated provisioning: the ability to deploy, update, and repair application infrastructure using only pre-defined automated procedures.

Criteria for achieving fully automated provisioning:
• Be able to automatically provision an entire environment, from "bare metal" to running business services, completely from specification
• No direct management of individual boxes
• Be able to revert to a "previously known good" state at any time
• It's easier to re-provision than it is to repair
• Anyone on your team with minimal domain-specific knowledge can deploy or update an environment
53. Extending the scope and value delivered by GRC & ERM
Ref: 2014 Forrester report by Chris McClean, Stephanie Balaouras & Jennie Duong
Source URL: http://www.metricstream.com/pdf/Extend-compliance-and-risk-Forrester-play-book.pdf
54. DevOps Maturity Model
Source (HP): http://h30499.www3.hp.com/t5/Business-Service-Management-BAC/DevOps-and-OpsDev-How-Maturity-Model-Works/ba-p/6042901#.VWJZ0k3bKM8
55. Sample of DevOps Tools and Technologies

Columns (pipeline stages): Plan | Develop / Build | Continuous Integration (CI) | Test | Continuous Delivery / Deploy (CD)

Rows as laid out on the slide (first rows read left to right across the stages):
• HP Agile Manager | Git | TeamCity | HP Quality Center | HP CODAR
• HP PPM | CVS | TravisCI | Ant | HP OO, SA, DMA, NA, NNMi
• MS Project | MS TFS | Jenkins | Gradle | Docker
• Trello | Vagrant | BuildHive | Maven | CoreOS Rocket
Also listed: Cloud 9 IDE, Packer, Codenvy, Octopus, ThoughtWorks Go, Capistrano, Artifactory
56. Sample of DevOps Tools and Technologies

Columns: Issue Tracking | Monitoring | Configuration Management | Analyze | Collaboration

Rows as laid out on the slide (read left to right across the columns):
• HP SM & SAW | HP SiteScope | HP CMS (UD & CMDB) | HP ArcSight | HP MyRoom
• HP Quality Center | HP vPV, HP OMi, HP BSM | Puppet | HP Fortify | Campfire
• Jira | Performance Manager | Chef | Splunk | Slack
• ZenDesk | Graphite | CFEngine | SonarQube | IRC
• MS Visual Studio Online | Logstash | Ansible | Kibana | SharePoint
Also listed: Cloudyn, SaltStack, logentries, GoToMeeting, New Relic (APM & Server), PowerShell DSC, Ubuntu Juju
57. Lean principles
• Queues and total throughput
• Variability, innovation, and economic consequences
• Batch sizes
• Work in progress
• Fast feedback
• Decentralized control
58. COBIT 5
URL: http://www.isaca.org/COBIT/Pages/default.aspx
59. Service Delivery Models

Diagram: the same stack of layers (User Experience, Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking) is shown four times, for Traditional (on premise), Infrastructure as a Service, Platform as a Service and Software as a Service, with each layer marked as client managed, vendor managed or jointly managed. Moving from Traditional through IaaS and PaaS to SaaS, responsibility for progressively more of the stack shifts from the client to the vendor.
60. Definitions of Key Terms & Acronyms
• ADFS: Active Directory Federated Services
• CADF: Cloud Auditing Data Federation
• CSA: Cloud Security Alliance
• CSCC: Cloud Standards Customers Council
• CI: Continuous Integration
• CD: Continuous Deployment / Continuous Delivery
• DMTF: Distributed Management Task Force
• ENISA: European Network and Information Security Agency
• GRC: Global Regulatory Compliance
• LDAP: Lightweight Directory Access Protocol
• NIST: National Institute of Standards and Technology
• NIST CC SRA: Cloud Computing Standard Reference Architecture
• PCI DSS: Payment Card Industry Data Security Standard
• SAML: Security Authorization Markup Language
• SCIM: System for Cross-domain Identity Management
• SLA: Service Level Agreement
• SLO: Service Level Objectives
• SSAE 16: Statement on Standards for Attestation Engagements (SSAE) No. 16
• XACML: eXtensible Access Control Markup Language
• SAFe: Scaled Agile Framework
