Security, Risk Management & Audit
in the Crossroads of Agile, DevOps and
Cloud Management
Sukumar Nayak, Chief Technologist Cloud Services Integration & Automation
Date Created: 04/21/2015
Date last updated: 07/14/2015
2
Objective: Provide an overview of Agile, DevOps and Cloud Management from Security,
Risk Management and Audit Compliance perspectives.
Scope:
• Motivation
• Agile Development
• The IT Industry Paradigm is Shifting
• DevOps
• Cloud Management
• Tools & Technologies in the New Style IT
• Standards & Compliance Controls
• Implementation best practices for Security & Audit in the Cloud
• Challenges and Opportunities for Security, Risk Management & Audit practices
• Q&A
Agenda
3
Audience Poll
What is your primary role at your company?
• Technologist, CTO
• Finance, CFO
• Audit, CFO
• Security & Compliance, CISO, CCO
• IT Operation, CIO
• Business Services, Executive
• Consultant, Entrepreneur
• Government, Nonprofit Org
What is your level of experience with Agile Development? With DevOps? With Cloud environment? With Big Data environment?
• Evaluating
• 1-3 years
• 3-5 years
• 5+ years
4
Motivation
“Companies rarely fail because of poor financial controls, but they fail
frequently due to their inability to understand and address disruptive
technologies, market fluctuations, changing customer expectations, and
competitive pressures.”
2014 Forrester report by Chris McClean, Stephanie Balaouras & Jennie Duong
URL: http://www.metricstream.com/pdf/Extend-compliance-and-risk-Forrester-play-book.pdf
5
7 W’s of Auditing and Investigations
1. What: What activity occurred? What was the result?
   Key Attributes: Action, Outcome, Type, Reason
2. When: When did the action happen? When was it observed? How long did it take?
   Key Attributes: Universal Timestamp, Time Zone, Duration
3. Who: Who (user/service) initiated the Action?
   Key Attributes: User, ID, Type, Name, Role/Credentials, Assertions
4. Where: Where was the Action observed, reported or modified? What role does the event serve? How was it recorded?
   Key Attributes: User/Observer, ID, Type, Name, Role/Credentials, Location
5. On What: What resource did the Activity target?
   Key Attributes: Device/Role ID
6. From Where: From where was the Action initiated?
   Key Attributes:
   • logical/physical addresses, e.g. host IP address, server name
   • precise geolocations, e.g. ISO 6709:2008
7. To Where: To where was the Action targeted?
   Key Attributes:
   • logical/physical addresses, e.g. host IP address, server name
   • precise geolocations, e.g. ISO 6709:2008
6
Agile SCRUM
Scrum is an iterative and incremental agile software development methodology for managing product development.
Key concepts
Roles: Product Owner, Scrum Master, Team Member, Stakeholder
Artifacts, Ceremonies & Processes: Product Vision, Product Backlog, Release Backlog, Sprint Backlog, User Stories, User Story Estimation, Sprint Demo, Sprint Retrospective, Daily Standup Meetings, Release Burndown, Sprint Burndown, Story Board, Capacity, Velocity, Story Points
7
The IT Industry Paradigm is Shifting…
Microservices by James Lewis and Martin Fowler URL: http://martinfowler.com/articles/microservices.html
Containers & VMs Michael Daconta URL: http://www.quora.com/How-is-containerization-different-from-virtualization
Microservices: A software architecture style, in which complex applications are composed of small, independent processes communicating with each other using language-agnostic APIs. These services are small, highly decoupled and focus on doing a small task.
Containerization: Horizontal segmentation
Docker Container: The Docker Engine container needs just the application and its dependencies. It runs as an isolated process in userspace on the host OS, sharing the kernel with other containers. Thus, it enjoys the resource isolation & allocation benefits of VMs but is much more portable & efficient.
Container stack (bottom to top): Server → Host OS → Docker Engine → [App A + Bins/Libs] [App B + Bins/Libs]
Kubernetes: Open source orchestration system (container cluster manager) for Docker containers. It handles scheduling onto nodes in a compute cluster and actively manages workloads to ensure that their state matches the users’ declared intentions. Runs on Public Cloud, Private Cloud, and Bare Metal.
Virtualization: Vertical abstraction
Each virtualized application includes the application, the required binaries & libraries, and a Guest OS. The application may be in the order of 10s of MB, however the Guest OS may be in the order of 10s of GB.
Type 2 Hypervisor stack (bottom to top): Server → Host OS → Hypervisor → [App A + Bins/Libs + Guest OS] [App B + Bins/Libs + Guest OS]
Type 1 Hypervisor stack (bottom to top): Server → Hypervisor → [App A + Bins/Libs + Guest OS] [App B + Bins/Libs + Guest OS]
8
The IT Industry Paradigm is Shifting…
Continuous Delivery (CD): A software engineering approach in which teams keep producing valuable software in short cycles and ensure that the software can be reliably released at any time. It is used in software development to automate and improve the process of software delivery.
API Management: The process of publishing, promoting and overseeing application programming interfaces (APIs) in a secure, scalable environment. It also includes the creation of end user support resources that define and document the API.
Continuous Integration (CI): A development practice that requires developers to integrate code into a shared repository several times a day. Each check-in is then verified by an automated build, allowing teams to detect problems early.
Continuous Deployment (CD): The deployment or release of code to Production as soon as it is ready. There is no large batching in Staging nor long UAT process that is directly before Production. Testing is done prior to merging to the Mainline branch and is performed on Production-like environments.
9
The IT Industry Paradigm is Shifting…
Cloud Foundry URL: http://www.cloudfoundry.org/index.html
DataGravity URL: http://datagravity.com/
Cloud Foundry: Open source cloud computing platform as a service (PaaS) originally developed by VMware and now owned by Pivotal Software, a joint venture by EMC, VMware and General Electric. Cloud Foundry is primarily written in Ruby and Go.
Comes in 3 flavors:
• Cloud Foundry Open Source Software (OSS)
• Pivotal Cloud Foundry (Pivotal CF)
• Pivotal Web Services (PWS)
DataGravity: Data gravity is an analogy for the nature of data and its ability to attract additional applications and services. The Law of Gravity states that the attraction between objects is directly proportional to their weight (or mass). Dave McCrory coined the term data gravity to describe the phenomenon in which the number or quantity and the speed at which services, applications, and even customers are attracted to data increases as the mass of the data also increases.
10
Development to Operation: Business Challenges
DevOps URL: http://dev2ops.org/2010/02/what-is-devops/
Traditional IT Challenges: ~70-80% of all downtime is due to changes (self-inflicted wounds)
Often results in a "Wall of Confusion" between Development and Operation along the pipeline: Requirements → Design → Code → Test → Package → Release → Deploy to Stage → UAT Test → Deploy to Prod
Development pushes for faster changes; Operation wants a stable environment; each side works with its own tools (development tools vs. operation tools), with the Wall of Confusion in between.
11
DevOps
What is DevOps?
DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support.
DevOps is a software development method that stresses communication, collaboration, integration, automation, and measurement of cooperation between software developers and other IT professionals.
URL: http://theagileadmin.com/what-is-devops/
URL: http://en.wikipedia.org/wiki/DevOps
DevOps Composition: the intersection of Development (Software Engineering), Quality Assurance (QA) and IT Operations.
DevOps Motivation: Agile Development wants to "be more agile - deliver faster" (features & code changes); IT Operations wants to "be predictable – minimize risk". DevOps bridges the two with Quality, Automation, Collaboration, a Feedback loop, Faster Release and Smaller Packages, to Bring Applications to Customers Faster.
12
What is different in DevOps…
Configuration Management:
Traditional CMDB: Business Service → Application, with each application component tracked down to its physical location:
• Web site → Apache HTTP → HP Server → Rack → Data Ctr Zone → Data Ctr
• App code (build) → Tomcat instance → Linux VM
• Database → MySQL DB instance → Server
Cloud environment CMDB:
• Business Service
• Application
• Platform instance (further details, e.g. web, app, DB nodes, IPs, software versions, live in the automation/CD toolchain)
• Hosting platform (e.g. AWS, Google, Rackspace, HP, IBM)
• Location (e.g. EMEA, AMS, APJ)
Adapted from Torsten Rueter at URL: https://www.linkedin.com/pulse/devops-itil-match-made-heaven-hell-part-1-torsten-rueter
13
What is different in DevOps…
Release and Change Management:
URL: https://www.chef.io/solutions/continuous-delivery/
Incident Management: DevOps primarily changes who gets involved in Incident Mgmt, at which stage, and what their stake is in the process. An even bigger impact can be achieved by ensuring the right culture and mindset, one that puts customers, service, reliability, and a quick mean time to repair (MTTR) at the center of the approach.
Event Management, Monitoring & Logging: The key difference is that the complexity, scale, and speed of DevOps make it imperative to focus on Internet Scale rather than Enterprise Scale solutions.
Adapted from Torsten Rueter at URL: https://www.linkedin.com/pulse/devops-itil-match-made-heaven-hell-part-1-torsten-rueter
14
DevOps Success Factors
DevOps Success factors:
• Culture, Collaboration & Mindset
• Effective Team Collaboration
• Identify & Eliminate Waste
• Improve Automation Efficiencies for Internet Scale
• Unified Processes for Development to Operations
• Unified Tooling (Key Capabilities)
• Version-control software library
• Deeply modeled systems
• Automation
• Key Industry dynamics:
  • Infrastructure as code
  • Model driven automation
  • Continuous integration (CI)
  • Continuous deployment (CD)
Framework shown on the slide (Culture, Process, Technology): Continuous Assessment & Adjust; Planning; Governance; Lifecycle Management; Release Automation; Collaboration; Accountability; Continuous Integration; Continuous Testing; Continuous Delivery; Continuous Deployment; Continuous Performance
15
DevOps Best Practices
URL: http://www.drdobbs.com/architecture-and-design/top-10-practices-for-effective-devops/240149363
Practice 1: Active Stakeholders Participation
Practice 2: Automated Testing
Practice 3: Integrated Configuration Management
Practice 4: Integrated Change Management
Practice 5: Continuous Integration
Practice 6: Integrated Deployment Planning
Practice 7: Continuous Deployment
Practice 8: Production Support
Practice 9: Application Monitoring
Practice 10: Automated Dashboards
The Road to DevOps
1. Execs Commitment
2. Cloud Platform
3. Standardization
4. Interoperability & Automation
5. Process Optimization
6. Organization Culture
16
DevOps lifecycle
DevOps domains: Collaboration; Planning; Issue Tracking; Source Control; Development Environment; Continuous Integration; Continuous Deployment / Delivery; Configuration Management; Operations Management; Monitoring
17
Sample of DevOps Tools and Technologies
Categories: Plan; Develop / Build; Test; Continuous Integration; Continuous Delivery/Deploy; Issue Tracking; Monitoring; Analyze; Collaboration; Configuration Management
Tools shown (the grid layout did not survive extraction, so the groups below are approximate):
• Collaboration: Campfire, Slack, IRC, SharePoint, GoToMeeting, HP MyRoom
• Planning, issue tracking and test management: MS Project, Trello, HP Agile Manager, HP PPM, Jira, HP Quality Center, ZenDesk, HP SM & SAW, MS Visual Studio Online
• Monitoring and analysis: Graphite, Logstash, Kibana, HP SiteScope, HP vPV, HP OMi, HP BSM Performance Manager, New Relic, Splunk, HP ArcSight, logentries, Cloudyn, HP Fortify, SonarQube
• Configuration management: Puppet, Chef, CFEngine, Ansible, SaltStack, HP CMS, PowerShell DSC
• Development, build, CI and delivery: Git, CVS, MS TFS, Vagrant, Cloud 9 IDE, Codenvy, TeamCity, TravisCI, Octopus, ThoughtWorks Go, Packer, Ubuntu Juju, Capistrano, Jenkins, Ant, Gradle, Maven, BuildHive, Docker, CoreOS, Artifactory, HP CODAR, HP OO, SA, NA, DMA, NNMi
18
Cloud Management Tools, Technologies & Companies
• Cost/Chargeback: Cloudability, Cloudyn, Cloud Cruiser, HP Cloud Sys Chargeback
• Automation & Provisioning / Management Platform: Newvem/Datapipe, Puppet, Chef, enStratius/Dell, RightScale, GigaSpaces, BMC, Capgemini, CA Technologies, HP Helion, IBM, ServiceMesh/CSC, vRealize/VMware, HP CSA, SA, NA, DMA, AWS, OpenStack
• Integration: Dell Boomi, Azure, IBM / Cast Iron, Amazon SQS, Informatica, TIBCO, MuleSoft
19
Security Management Tools, Technologies & Companies
• Cyber Security: FireEye, Palo Alto Networks, Check Point, Proofpoint Technologies
• Investigation Management: Guidance Software, Perspective, i-Sight, Report Exec, Column Case Investigate, EHS Insight, logikcull, HR Acuity
• Computer Security / Network Security: Lancope, AlienVault, Norse, RSA/EMC, HP ESS, Blue Coat, Akamai, Trend Micro, IBM ESS, Intel Security, Symantec, F5, AVG, ClearWater Compliance, F-Secure, Cisco, Beyond Security, AT&T Network Sec, Qualys, Bayshore, Bradford Networks
20
Service Delivery Models
Stack layers (top to bottom): User Experience, Devl Tools, Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking. The slide marks each layer as client managed, vendor managed or, for some layers, jointly managed:
• TRADITIONAL (ON PREMISE): every layer is client managed.
• INFRASTRUCTURE (AS A SERVICE): the vendor manages Virtualization, Servers, Storage and Networking; the client manages the layers above them.
• PLATFORM (AS A SERVICE): the vendor also manages Runtime, Middleware and O/S; the client manages Applications and Data.
• SOFTWARE (AS A SERVICE): every layer is vendor managed.
21
Cloud Actors
• Cloud Consumer: Person or organization that maintains a business relationship with, and uses
service from, Cloud Providers.
• Cloud Provider: Person, organization or entity responsible for making a service available to
Cloud Consumers.
• Cloud Auditor: A party that can conduct independent assessment of cloud services,
information system operations, performance and security of the cloud implementation.
• Cloud Broker: An entity that manages the use, performance and delivery of cloud services, and
negotiates relationships between Cloud Providers and Cloud Consumers.
• Cloud Carrier: The intermediary that provides connectivity and transport of cloud services from
Cloud Providers to Cloud Consumers.
22
Cloud Services Integration and Management (CSIM/CSIAM)
Actors: Cloud Consumers, Cloud Brokers, Cloud Auditors, Service Providers (Facility, Network, Workplace, Workload, Storage, Security, Data Ctr, Services)
IT Operations:
• Service Delivery
• Service Support: Incident Management, Problem Management, Knowledge Mgmt, Change Management, Release Management, Availability & Capacity Mgmt, Service Catalog/Request Management, Service Assets & Configuration Mgmt, Event Management & Monitoring
• Operations Support
Business Support: Customer Mgmt, Contract Mgmt, Inventory Mgmt, Accounting & Billing, Reporting & Auditing, Pricing, Costing & Rating
Integration (Portability & Interoperability): Data Portability, Service Interoperability, Systems Portability, Copy Data, Bulk Data Transfer, Unified Management Interface, VM Images Migration, App/SVC Migration, Containers Migration
Data Management; Rapid Provisioning & Fulfillment; Resource Change; Provisioning/Configuration; Monitoring & Reporting; Metering; SLA Management; Security Management
Governance, Security & Risk Management; Governance, Risk Mgmt & Controls
23
OpenStack key components
• Dashboard (Horizon)
• Compute (Nova)
• Object Storage (Swift)
• Block Storage (Cinder)
• Networking (Neutron)
• Image Management (Glance)
• Identity Management (Keystone)
• Telemetry (Ceilometer)
• Orchestration (Heat)
• Database (Trove)
• Bare Metal Provisioning (Ironic)
• Messaging (Zaqar)
• Elastic Map Reduce (Sahara)
24
Sample Standards and Compliance Controls
• Cloud Security Alliance Cloud Control Matrix (CSA CCM 3.0.1)
• NIST SP 800-53 Rev. 4
• NIST Cybersecurity Framework
• ISO/IEC 27002
• FISMA and FedRAMP
• Meaningful Use, HITECH and HIPAA
• CoBIT 5
• ITIL v3 / 2011
• Payment Card Industry Data Security Standard (PCI DSS 3.1)
• Distributed Management Task Force (DMTF)
• Cloud Infrastructure Management Interface (CIMI)
• Cloud Auditing Data Federation (CADF)
25
Sample Standards and Compliance Controls
• CSA Cloud Controls Matrix 3.0.1
• NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations
• NIST Cybersecurity Framework
• ISO/IEC 27002:2013 Information technology. Security techniques. Code of practice for information security controls
• PCI DSS 3.1
• Distributed Management Task Force (DMTF): Cloud Auditing Data Federation (CADF) Standard; Cloud Infrastructure Management Interface (CIMI)
26
Cloud Security Alliance TCI Reference Architecture
Legend:
CSA: Cloud Security Alliance
TCI: Trusted Cloud Initiative
Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI_Whitepaper.pdf
27
Cloud Security Alliance TCI Reference Architecture
Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI_Whitepaper.pdf
SRM Services:
• Governance Risk and Compliance
• Information Security Management
• Privilege Management Infrastructure
• Threat and Vulnerability Management
• Infrastructure Protection Services
• Data Protection
• Policies and Standards
ITOS Services:
• IT Operations
• Service Delivery
• Service Support
• Incident Management
• Problem Management
• Knowledge Management
• Change Management
• Release Management
BOSS Services:
• Compliance
• Data Governance
• Operational Risk Management
• Human Resources Security
• Security Monitoring Services
• Legal Services
• Internal Investigation
Presentation Services:
• Presentation Modality
• Presentation Platform
Application Services:
• Development Process
• Security Knowledge Lifecycle
• Programming Interfaces
• Integration Middleware
• Connectivity & Delivery
• Abstraction
Infrastructure Services:
• Facility Services
• Servers
• Storage Services
• Network Services
• Availability Services
• Patch Management
• Equipment Maintenance
• Virtualization (Desktop, Storage,
Server, Network)
Information Services:
• User Directory Services
• Security Monitoring Data
Management
• Service Delivery Data Management
• Service Support Data Management
• Data Governance Data Management
• Risk Management Data Management
• ITOS Data Management
• BOSS Data Management
• Reporting Services
28
CSA Cloud Control Matrix CCM v3.0.1 16 Domains 133 Controls
Source: https://cloudsecurityalliance.org/research/ccm/
Legend:
CSA: Cloud Security Alliance
CCM: Cloud Control Matrix
(Number of controls) for each Domain
1. AIS: Application & Interface Security (4)
2. AAC: Audit Assurance & Compliance (3)
3. BCR: Business Continuity Management & Operational Resilience (11)
4. CCC: Change Control & Configuration Management (5)
5. DSI: Data Security & Information Lifecycle Management (7)
6. DCS: Datacenter Security (9)
7. EKM: Encryption & Key Management (4)
8. GRM: Governance and Risk Management (11)
9. HRS: Human Resources (11)
10. IAM: Identity & Access Management (13)
11. IVS: Infrastructure & Virtualization Security (13)
12. IPY: Interoperability & Portability (5)
13. MOS: Mobile Security (20)
14. SEF: Security Incident Management, E-Discovery & Cloud Forensics (5)
15. STA: Supply Chain Management, Transparency and Accountability (9)
16. TVM: Threat and Vulnerability Management (3)
29
NIST SP 800-53 Rev. 4 Security and Privacy Controls
Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Security Life Cycle: Risk Management Framework (RMF)
Starting Point
Architecture Description
• Mission/Business Processes
• Reference Models
• Segment and Solution Architectures
• Information System Boundaries
Organizational Inputs
• Laws, Directives, Policy, Guidance
• Strategic Goals and Objectives
• Information Security Requirements
• Priorities and Resource Availability
RMF steps:
1. CATEGORIZE Information Systems: Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
2. SELECT Security Controls: Select baseline security controls, apply tailoring guidance and supplement controls as needed based on risk assessment.
3. IMPLEMENT Security Controls: Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
4. ASSESS Security Controls: Determine security control effectiveness (i.e. controls implemented correctly, operating as intended, meeting security requirements for information system).
5. AUTHORIZE Information Systems: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
6. MONITOR Security Controls: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
30
NIST SP 800-53 Rev. 4 Security and Privacy Controls
Identifier  Family                                  Class  Ctrls
AC          Access Control                          Tech   25
AT          Awareness and Training                  Ops    5
AU          Audit and Accountability                Tech   16
CA          Security Assessment and Authorization   Mgmt   9
CM          Configuration Management                Ops    11
CP          Contingency Planning                    Ops    13
IA          Identification and Authentication       Tech   11
IR          Incident Response                       Ops    10
MA          Maintenance                             Ops    6
MP          Media Protection                        Ops    8
PE          Physical and Environmental Protection   Ops    20
PL          Planning                                Mgmt   9
PS          Personnel Security                      Ops    8
RA          Risk Assessment                         Mgmt   6
SA          System and Services Acquisition         Mgmt   22
SC          System and Communications Protection    Tech   44
SI          System and Information Integrity        Ops    17
PM          Program Management                      Mgmt   16
Legend:
Tech: Technical  Ops: Operational  Mgmt: Management
Ctrls: Number of Controls  Ref: URL: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
31
NIST SP 800-53 Rev. 4 Security and Privacy Controls
Management: (5)
CA: Security Assessment and Authorization
RA: Risk Assessment
SA: System and Services Acquisition
PL: Planning
PM: Program Management
Operational: (9)
AT: Awareness and Training
CM: Configuration Management
CP: Contingency Planning
IR: Incident Response
MA: Maintenance
PE: Physical and Environmental Protection
PL: Planning
PS: Personnel Security
SI: System and Information Integrity
Technical: (4)
AC: Access Control
AU: Audit and Accountability
IA: Identification and Authentication
SC: System and Communications Protection
32
NIST Cybersecurity Framework version 1.0
Source: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
[Figure: NIST Cybersecurity Framework core, listing the number of subcategories in each category; the per-function totals shown are 24, 35, 18, 15 and 6]
33
ISO/IEC 27002:2015
Source URL: http://iso27001security.com/html/27002.html
URL: http://iso27001security.com/html/iso27k_toolkit.html
34
FISMA & FedRAMP
Diagram: FedRAMP builds on FISMA / NIST 800-53 and adds FedRAMP additional controls.
FISMA:
• Federal Information Security Management Act (FISMA)
• United States legislation (not an agency program)
• A comprehensive framework to protect government information, operations and assets against natural or man-made threats
• Assigns responsibilities to various agencies to ensure the security of data
• Managed by individual agencies
• Requires annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels
FedRAMP:
• Federal Risk and Authorization Management Program (FedRAMP)
• A government-wide program leveraging a “do once, use many times” framework (not legislation)
• Provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services
• Managed by individual agencies
• Purpose: Ensure that cloud based services have adequate information security; Eliminate duplication of effort and reduce risk management costs; Enable rapid and cost-effective procurement of information systems/services for Federal agencies
• GSA oversees, and accredited 3PAOs validate proposed offers before GSA approves
Note: 3PAOs are 3rd party assessment organizations
URL: http://csrc.nist.gov/groups/SMA/forum/documents/FedRAMP-Goodrich-020912.pdf
URL: http://1105govinfoevents.com/custom/Face-to-Face/2-15/FISMA-FedRAMP-Controls-and-Authorization-Differences-Whitepaper-Coalfire.pdf
Number of controls per baseline:
Baseline   FedRAMP   FISMA
Low        125       124
Moderate   326       261
High       N/A       343
35
Meaningful Use, HITECH & HIPAA
Timeline: HIPAA, Health Insurance Portability and Accountability Act (1996) → HITECH, Health Information Technology for Economic and Clinical Health (2009) → Meaningful Use guidelines for Electronic Health Records (2010)
HIPAA:
• Health Insurance Portability and Accountability Act (HIPAA) of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs.
• Rules: Privacy, Security, Enforcement
HITECH:
• The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.
Meaningful Use:
• Using certified electronic health record (EHR) technology to: Improve quality, safety, efficiency, and reduce health disparities. Engage patients and family. Improve care coordination, and population and public health. Maintain privacy and security of patient health information.
• 15 core measures and 10 menu set objectives; 15 measure groups with 25 criteria & measures for meaningful use
URL: http://www.hhs.gov/ocr/privacy/hipaa/understanding/
URL: http://pitchengine.com/pitches/9bbbb1a7-9fd0-4fcf-81ce-a397f82fd99a
URL: https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/downloads/EP-MU-TOC.pdf
URL: http://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title45/45cfr164_main_02.tpl
36
COBIT 5
Source URL: http://www.isaca.org/COBIT/Pages/default.aspx
37
COBIT 5
Ref URL: http://www.isaca.org/COBIT/Pages/default.aspx
Governance
Evaluate, Direct and Monitor (EDM), 5 processes:
• EDM01 Ensure Governance Framework Setting and Maintenance
• EDM02 Ensure Benefits Delivery
• EDM03 Ensure Risk Optimization
• EDM04 Ensure Resource Optimization
• EDM05 Ensure Stakeholder Transparency
Management
Align, Plan and Organize (APO), 13 processes:
• APO01 Manage the IT Management Framework
• APO02 Manage Strategy
• APO03 Manage Enterprise Architecture
• APO04 Manage Innovation
• APO05 Manage Portfolio
• APO06 Manage Budget and Costs
• APO07 Manage Human Resources
• APO08 Manage Relationships
• APO09 Manage Service Agreements
• APO10 Manage Suppliers
• APO11 Manage Quality
• APO12 Manage Risk
• APO13 Manage Security
Build, Acquire and Implement (BAI), 10 processes:
• BAI01 Manage Programs and Projects
• BAI02 Manage Requirements Definition
• BAI03 Manage Solutions Identification and Build
• BAI04 Manage Availability and Capacity
• BAI05 Manage Organizational Change Enablement
• BAI06 Manage Changes
• BAI07 Manage Change Acceptance and Transitioning
• BAI08 Manage Knowledge
• BAI09 Manage Assets
• BAI10 Manage Configuration
Deliver, Service and Support (DSS), 6 processes:
• DSS01 Manage Operations
• DSS02 Manage Service Requests and Incidents
• DSS03 Manage Problems
• DSS04 Manage Continuity
• DSS05 Manage Security Services
• DSS06 Manage Business Process Controls
Monitor, Evaluate and Assess (MEA), 3 processes:
• MEA01 Monitor, Evaluate and Assess Performance and Conformance
• MEA02 Monitor, Evaluate and Assess the System of Internal Control
• MEA03 Monitor, Evaluate and Assess Compliance with External Requirements
38
ITIL 2011
Service Strategy (SS) 5 Processes
• Business relationship management
• Financial management for IT services
• Service portfolio management
• Strategy for IT services
• Demand management
Service Design (SD) 8 Processes
• Design coordination
• Service catalog management
• Service level management
• IT Service continuity management
• Supplier management
• Availability management
• Capacity management
• IT Security management
Service Transition (ST) 7 Processes
• Transition planning & support
• Change management
• Change evaluation
• Service validation & testing
• Service asset & configuration management
• Release & deployment management
• Knowledge management
Service Operation (SO) 5 Processes
• Event management
• Incident management
• Problem management
• Request management
• Access management
4 Functions:
• Service desk
• Technical management
• IT Operations management
• Application management
Continual Service Improvement (CSI) 1 Process
• 7 steps improvement process
39
ITIL v3 Value Chain (Level 1)
Service Strategy (SS): Business Relationship Management; Management of IT Service Strategy; Demand Management; Service Portfolio Management (SPM); Financial Management (FM)
Service Design (SD): Service Design Coordination; Service Level Management (SLM); Capacity Management; Availability Management; Risk Management; Security Management; Service Continuity Management; Supplier Management; Service Catalog Management
Service Transition (ST): Transition Planning and Support; Change Management; Change Evaluation; Release and Deployment Management; Service Validation and Test; Service Asset and Configuration Management; Application Development and Customizing; End of Life for IT Services; Knowledge Management
Service Operations (SO): Event Management; Incident Management; Problem Management; Access Management; Service Request Management; Operations Control
Continual Service Improvements (CSI): Service Evaluation; Process Management; Improvement Management and Reporting
40
Payment Card Industry Data Security Standard PCI DSS 3.1
12 High level requirements, with the number of detailed requirements in parentheses
Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data (20)
  2. Do not use vendor-supplied defaults for system passwords and other security parameters (10)
Protect Cardholder Data
  3. Protect stored cardholder data (18)
  4. Encrypt transmission of cardholder data across open, public networks (3)
Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs (5)
  6. Develop and maintain secure systems and applications (28)
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know (10)
  8. Identify and authenticate access to system components (23)
  9. Restrict physical access to cardholder data (27)
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data (32)
  11. Regularly test security systems and processes (16)
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel (39)
12 Requirements; 231+ Detailed reqs; 5 reqs for Shared Hosting Providers
Source PCI DSS Standards URL: https://www.pcisecuritystandards.org
41
DMTF Cloud Auditing Data Federation (CADF) Standard
Defines a full event model anyone can use to fill in the essential data needed to certify, self-manage
and self-audit application security in cloud environments. CADF is part of the DMTF’s Cloud
Management Initiative.
Auditing using a standard such as CADF has many benefits:
• Create and request customized views for Audit & Compliance data
• Track regional, industry and corporate policy compliance using standardized APIs / Reports
• Key event data is normalized and categorized to support auditing of hybrid Cloud applications
• CADF assures consistent mappings across cloud components and cloud providers
• Format is agnostic to the underlying provider infrastructure
• Provides transparency for low-level operational processes
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Customer Benefits:
• Ability to self manage auditing of their data
• Similar reports from different Cloud service providers
• Aggregate audit data from different Clouds / Partners
• Auditing processes & tools unchanged
42
Cloud Auditing Data aggregated from multiple sources
(Diagram; text recovered from the figure.) Company A runs its hybrid applications on Cloud Provider P1 and Cloud Provider P2. Company A's Auditor and Company A's OSS/BSS processes use standard APIs for requesting audit data, and each provider returns standard audit data (logs and reports) for Company A's hybrid applications. The audit data from the hybrid applications on both providers is aggregated into one view.
OSS: Operational Support Services
BSS: Business Support Services
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
43
Example: 7 essential W’s of auditing and monitoring
Distributed Management Task Force (DMTF) Cloud Auditing Data Federation (CADF)
CADF Event Model: Basic and conditional model components
The CADF Event Model and its components:
• Work for any Activity, Monitor or Control event
• Provide guidance on how to record Basic, Detailed or Precise information for each component
1. What: What activity occurred? What was the result?
   event.action, event.outcome, event.type (activity, monitor, control), event.reason (ex: security, reason code, policy id)
2. When: When did the action happen? When was it observed? How long did it take? (ISO 8601 timestamp)
   event.eventTime, reporter.timestamp, event.duration
3. Who: Who (user/service) initiated the action?
   initiator.id, initiator.type, initiator (id, name), initiator.credential, initiator.credential.assertions
4. Where: Where was the action observed, reported or modified? What role does the event serve? How was it recorded?
   observer.id, observer.type, reporterstep.role, reporterstep.reporterTime
5. On What: What resource did the activity target?
   target.id
6. From Where: From where was the action initiated? May include logical/physical addresses and precise geolocations (ISO 6709:2008).
   initiator.addresses, initiator.host, initiator.geolocation
7. To Where: To where was the action targeted? Can be as simple as an IP address or server name.
   target.addresses, target.host, target.geolocation
Legend: properties shown in italics on the original slide are optional
Source: http://dmtf.org/sites/default/files/standards/documents/DSP2038_1.0.0.pdf
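As an added illustration of the CADF event model described on slides 41 to 43 (this is example code written for this page, not the deck's, DMTF's or OpenStack's; production code would normally use a library such as OpenStack's pycadf rather than building the JSON by hand), the Python 3 below constructs CADF-shaped events, validates the properties the spec makes mandatory, projects each event onto the deck's 7 W's and aggregates feeds from two hypothetical providers, P1 and P2, into one time-ordered report. The event typeURI, the eventType and outcome values and the property names follow DSP0262 1.0; the provider names, resource ids, typeURI choices for the sample resources, addresses and timestamps are constructed for the example.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Fixed values from DMTF DSP0262 1.0.0 (CADF Data Format and Interface Definitions).
CADF_EVENT_TYPEURI = "http://schemas.dmtf.org/cloud/audit/1.0/event"
EVENT_TYPES = {"activity", "monitor", "control"}
OUTCOMES = {"success", "failure", "unknown", "pending"}
# Properties every CADF Event must carry (the "basic" components).
REQUIRED = ("typeURI", "id", "eventType", "eventTime", "action", "outcome",
            "initiator", "target", "observer")


def utc_iso(ts):
    """ISO 8601 eventTime normalised to UTC, so records from providers in different
    time zones sort correctly as plain strings; naive timestamps are rejected."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must carry a time zone")
    return ts.astimezone(timezone.utc).isoformat(timespec="milliseconds")


def make_event(action, outcome, initiator, target, observer, when,
               event_type="activity", reason=None, duration=None):
    """Build a CADF Event as a JSON-ready dict. initiator/target/observer are CADF
    Resource dicts: 'id' and 'typeURI' mandatory, name/host/addresses/credential optional."""
    if event_type not in EVENT_TYPES or outcome not in OUTCOMES:
        raise ValueError("eventType/outcome outside the CADF taxonomy")
    ev = {
        "typeURI": CADF_EVENT_TYPEURI, "id": str(uuid.uuid4()),
        "eventType": event_type, "eventTime": utc_iso(when),
        "action": action, "outcome": outcome,
        "initiator": initiator, "target": target, "observer": observer,
        # The observer that created the record is the first reporter step; relays append theirs.
        "reporterchain": [{"role": "observer", "reporterTime": utc_iso(when),
                           "reporterId": observer["id"]}],
    }
    if reason is not None:
        ev["reason"] = reason      # e.g. {"reasonType": "HTTP", "reasonCode": "401"}
    if duration is not None:
        ev["duration"] = duration  # ISO 8601 duration, e.g. "PT0.250S"
    return ev


def validate(event):
    """Return the required CADF properties missing from an event ([] if conformant)."""
    missing = [k for k in REQUIRED if k not in event]
    for role in ("initiator", "target", "observer"):
        res = event.get(role) or {}
        missing += [f"{role}.{k}" for k in ("id", "typeURI") if k not in res]
    return missing


def seven_ws(event):
    """Project a CADF event onto the deck's 7 W's for an auditor's report."""
    ini, tgt, obs = event["initiator"], event["target"], event["observer"]
    step = (event.get("reporterchain") or [{}])[0]
    return {
        "what": {"action": event["action"], "outcome": event["outcome"],
                 "type": event["eventType"], "reason": event.get("reason")},
        "when": {"eventTime": event["eventTime"], "reporterTime": step.get("reporterTime"),
                 "duration": event.get("duration")},
        "who": {"id": ini["id"], "type": ini["typeURI"], "name": ini.get("name"),
                "credential": (ini.get("credential") or {}).get("type")},
        "where": {"observer": obs["id"], "type": obs["typeURI"], "role": step.get("role")},
        "on_what": {"target": tgt["id"], "type": tgt["typeURI"]},
        "from_where": {"host": ini.get("host"), "addresses": ini.get("addresses"),
                       "geolocation": ini.get("geolocation")},
        "to_where": {"host": tgt.get("host"), "addresses": tgt.get("addresses"),
                     "geolocation": tgt.get("geolocation")},
    }


def aggregate(*feeds):
    """Merge (provider, [events]) feeds into one time-ordered 7-W report. Non-conformant
    records are returned separately, not dropped, so the report shows which provider sent them."""
    good, bad = [], []
    for provider, events in feeds:
        for ev in events:
            problems = validate(ev)
            (bad if problems else good).append((provider, ev, problems))
    good.sort(key=lambda t: t[1]["eventTime"])
    return [dict(provider=p, **seven_ws(e)) for p, e, _ in good], bad


def sample_feeds():
    """Constructed sample: one feed each from hypothetical providers P1 and P2 (not real logs)."""
    alice = {"id": "p1:user/8f2c", "typeURI": "service/security/account/user", "name": "alice",
             "host": {"address": "203.0.113.7"}, "credential": {"type": "token"}}
    volume = {"id": "p1:volume/41d0", "typeURI": "storage/volume",
              "addresses": [{"url": "https://p1.example.net:8776/v2/volumes/41d0", "name": "public"}]}
    p1_api = {"id": "p1:cinder-api-1", "typeURI": "service/storage/block"}
    delete = make_event("delete", "success", alice, volume, p1_api,
                        datetime(2015, 7, 14, 9, 59, 58, tzinfo=timezone.utc), duration="PT0.250S")
    mallory = {"id": "p2:user/unknown", "typeURI": "service/security/account/user",
               "host": {"address": "198.51.100.23"}}
    p2_idp = {"id": "p2:keystone-1", "typeURI": "service/security"}
    # 10:00 at UTC+1 is 09:00 UTC: earlier than the delete although its clock reading is later.
    login = make_event("authenticate", "failure", mallory, p2_idp, p2_idp,
                       datetime(2015, 7, 14, 10, 0, 0, tzinfo=timezone(timedelta(hours=1))),
                       reason={"reasonType": "HTTP", "reasonCode": "401"})
    # A record missing target and observer, as a careless exporter might emit it.
    broken = {"typeURI": CADF_EVENT_TYPEURI, "id": "x", "eventType": "activity",
              "eventTime": "2015-07-14T09:30:00.000+00:00", "action": "read",
              "outcome": "success", "initiator": alice}
    return ("P1", [delete]), ("P2", [login, broken])
```

Running aggregate(*sample_feeds()) puts P2's failed authentication first even though its wall-clock reading (10:00) is later than P1's volume deletion (09:59:58), because eventTime is normalised to UTC before sorting; that is the "universal timestamp, time zone" point of the When column made concrete. The record that lacks a target and observer is returned in the rejected list with the names of the missing properties, so an auditor sees which provider's exporter is non-conformant instead of a silently shorter trail.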
44
Challenges & Opportunities in Cloud Management
• Transparency is Crucial
• Regulations can’t keep up
• Need for continuous real-time security audits & monitoring
• Bridge the gaps between the academic world innovations and the business world
• Security requires a Big Picture approach
• BYOD brings additional challenges
• Bare-metal security features are not available in virtual world
• Accidental key sharing in appliances
• Leave security implementations to the experts
• Data partitioning for hybrid clouds
• Do consumers care, i.e. are they willing to pay for security?
• Products can end up being used in industries they aren't designed for
• Security guarantees are impossible to "prove"
Source John Wetherill URL: http://www.activestate.com/blog/2015/02/locking-down-cloud-18-security-issues-faced-enterprise-it
Source URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm
45
Challenges & Opportunities in Cloud Management
• Containers and portable VM snapshots are too portable
• Encryption efforts are vulnerable if physical access to a machine is available
• Controlling physical access to the data center is not enough
• Privacy and security are at odds
• Lack of control over assets and physical security
• Integration and Interoperability of systems / API Management
• Who controls the encryption/decryption keys for data in store & in transit?
• Lack of standard for data integrity
• Virtual machines / containers transitioning between private, public and hybrid environments
• Establishing and managing Service Level Agreements (SLAs)
• Usage based Costing, Invoicing & Chargeback
• Data migration in and out of the Cloud Service Provider
• Plan for an exit strategy from the beginning
Source John Wetherill URL: http://www.activestate.com/blog/2015/02/locking-down-cloud-18-security-issues-faced-enterprise-it
Source URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm
46
Reference URLs
• Cloud Standards Customer Council (CSCC) Cloud Security Standards
• Cloud Auditing Data Federation
• NIST Cloud Computing Standards Roadmap
• Detailed CSA TCI Reference Architecture
• Payment Card Industry (PCI) Data Security Standards (DSS) Guidelines
• OpenStack wiki
• OpenStack Main Page
• OpenStack Developers Guides
• Cloud Auditing Data Federation (CADF) - OpenStack Profile
• Cloud Auditing Data Federation (CADF) - Data Format and Interface Definitions Specification (DSP0262_1.0.0)
• CADF Event Model and Taxonomies
• NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
• URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm
• CRCnetBASE: http://www.crcnetbase.com/action/showPublications?display=bySubject&category=40001730&collapse=40001730
• FedRAMP: https://www.fedramp.gov/
• FISMA: http://www.dhs.gov/federal-information-security-management-act-fisma
47
References & Credits
48
Conclusion
• Migration to Cloud will continue due to the efficiencies and economics.
• Cloud is all about services and service delivery.
• The Cloud is only worth the services it delivers securely.
• Cloud is all about a hybrid world.
• Security, Risk Management & Audit practices are at the center for Agile, DevOps, and Cloud
Management transformation.
sukumar.nayak@hp.com
sukumar.nayak@gmail.com
240.506.2305
linkedin.com/in/sukumarnayak/
50
Backup
51
Open Security Architecture
Open Security Architecture URL: http://www.opensecurityarchitecture.org/cms/foundations/osa-taxonomy
52
DevOps & Cloud: Key is Automated Provisioning
Fully automated provisioning: the ability to deploy, update, and repair application
infrastructure using only pre-defined automated procedures.
Criteria for achieving fully automated provisioning:
• Be able to automatically provision an entire environment — from “bare-metal” to
running business services — completely from specification
• No direct management of individual boxes
• Be able to revert to a “previously known good” state at any time
• It’s easier to re-provision than it is to repair
• Anyone on your team with minimal domain specific knowledge can deploy or update
an environment
53
Extending the scope and value delivered by GRC & ERM
Ref: 2014 Forrester report by Chris McClean, Stephanie Balaouras & Jennie Duong
Source URL: http://www.metricstream.com/pdf/Extend-compliance-and-risk-Forrester-play-book.pdf
54
DevOps Maturity Model
Source HP: http://h30499.www3.hp.com/t5/Business-Service-Management-BAC/DevOps-and-OpsDev-How-Maturity-Model-Works/ba-p/6042901#.VWJZ0k3bKM8
55
Sample of DevOps Tools and Technologies
Plan: HP Agile Manager, HP PPM, MS Project, Trello
Develop / Build: Git, CVS, MS TFS, Vagrant, Cloud 9 IDE, Codenvy
Continuous Integration (CI): TeamCity, TravisCI, Jenkins, BuildHive
Test: HP Quality Center, Ant, Gradle, Maven
Continuous Delivery / Deploy (CD): HP CODAR; HP OO, SA, DMA, NA, NNMi; Docker; CoreOS Rocket; Packer; Octopus; ThoughtWorks Go; Capistrano; Artifactory
56
Sample of DevOps Tools and Technologies
Issue Tracking: HP SM & SAW, HP Quality Center, Jira, ZenDesk, MS Visual Studio Online
Monitoring: HP SiteScope; HP vPV, HP OMi, HP BSM; Performance Manager; Graphite; Logstash; Cloudyn; New Relic (APM & Server)
Configuration Management: HP CMS (UD & CMDB), Puppet, Chef, CFEngine, Ansible, SaltStack, PowerShell DSC, Ubuntu Juju
Analyze: HP ArcSight, HP Fortify, Splunk, SonarQube, Kibana, logentries
Collaboration: HP MyRoom, Campfire, Slack, IRC, SharePoint, GoToMeeting
57
Lean principles
Queues and total throughput
Variability, innovation, and economic consequences
Batch sizes
Work in progress
Fast feedback
Decentralized control
58
COBIT 5
URL: http://www.isaca.org/COBIT/Pages/default.aspx
59
Service Delivery Models
(Diagram; text recovered from the figure.) Four columns: Traditional (on premise), Infrastructure (as a Service), Platform (as a Service) and Software (as a Service). Each column stacks the same layers beneath a User Experience layer: Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking. Every layer is marked Client Managed, Vendor Managed or Jointly Managed: in the Traditional model the client manages the whole stack; moving right through IaaS, PaaS and SaaS, responsibility for the lower layers passes to the vendor first, until in SaaS the vendor manages the whole stack.
60
Definitions of Key Terms & Acronyms
• ADFS: Active Directory Federation Services
• CADF: Cloud Auditing Data Federation
• CSA: Cloud Security Alliance
• CSCC: Cloud Standards Customer Council
• CI: Continuous Integration
• CD: Continuous Deployment / Continuous Delivery
• DMTF: Distributed Management Task Force
• ENISA: European Network and Information Security Agency
• GRC: Governance, Risk and Compliance
• LDAP: Lightweight Directory Access Protocol
• NIST: National Institute of Standards and Technology
• NIST CC SRA: NIST Cloud Computing Security Reference Architecture (SP 500-299)
• PCI DSS: Payment Card Industry Data Security Standard
• SAML: Security Assertion Markup Language
• SCIM: System for Cross-domain Identity Management
• SLA: Service Level Agreement
• SLO: Service Level Objective
• SSAE 16: Statement on Standards for Attestation Engagements (SSAE) No. 16
• XACML: eXtensible Access Control Markup Language
• SAFe: Scaled Agile Framework

More Related Content

What's hot

CRITICAL CHANGES TO SECURITY FOR CLOUD ENVIRONMENTS - Toronto FSI Symposium -...
CRITICAL CHANGES TO SECURITY FOR CLOUD ENVIRONMENTS - Toronto FSI Symposium -...CRITICAL CHANGES TO SECURITY FOR CLOUD ENVIRONMENTS - Toronto FSI Symposium -...
CRITICAL CHANGES TO SECURITY FOR CLOUD ENVIRONMENTS - Toronto FSI Symposium -...Amazon Web Services
 
The Ultimate Guide to Cloud Migration - A Whitepaper by RapidValue
The Ultimate Guide to Cloud Migration - A Whitepaper by RapidValueThe Ultimate Guide to Cloud Migration - A Whitepaper by RapidValue
The Ultimate Guide to Cloud Migration - A Whitepaper by RapidValueRapidValue
 
Open source and standards - unleashing the potential for innovation of cloud ...
Open source and standards - unleashing the potential for innovation of cloud ...Open source and standards - unleashing the potential for innovation of cloud ...
Open source and standards - unleashing the potential for innovation of cloud ...Ignacio M. Llorente
 
Cloud security design considerations
Cloud security design considerationsCloud security design considerations
Cloud security design considerationsMike Kavis
 
How News Corp Secured Their Digital Transformation through Identity and Acces...
How News Corp Secured Their Digital Transformation through Identity and Acces...How News Corp Secured Their Digital Transformation through Identity and Acces...
How News Corp Secured Their Digital Transformation through Identity and Acces...Amazon Web Services
 
Thin Air or Solid Ground? Practical Cloud Security
Thin Air or Solid Ground? Practical Cloud SecurityThin Air or Solid Ground? Practical Cloud Security
Thin Air or Solid Ground? Practical Cloud SecurityDan Fitzgerald, CISSP, CIPM
 
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017Amazon Web Services
 
Cloud Computing Design Considerations
Cloud Computing Design ConsiderationsCloud Computing Design Considerations
Cloud Computing Design ConsiderationsMike Kavis
 
Cloud Migration for Financial Services - Toronto - October 2016
Cloud Migration for Financial Services - Toronto - October 2016Cloud Migration for Financial Services - Toronto - October 2016
Cloud Migration for Financial Services - Toronto - October 2016Amazon Web Services
 
Security for Cloud Computing: 10 Steps to Ensure Success V3.0
Security for Cloud Computing: 10 Steps to Ensure Success V3.0Security for Cloud Computing: 10 Steps to Ensure Success V3.0
Security for Cloud Computing: 10 Steps to Ensure Success V3.0Cloud Standards Customer Council
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyCloud Standards Customer Council
 
HP Cloud System Matrix Overview
HP Cloud System Matrix OverviewHP Cloud System Matrix Overview
HP Cloud System Matrix OverviewRien du Pre
 
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...Chad Lawler
 
Cloud Adoption - Journey of IT Service Management
Cloud Adoption - Journey of IT Service ManagementCloud Adoption - Journey of IT Service Management
Cloud Adoption - Journey of IT Service ManagementCaroline Hsieh
 
Oracle Cloud Computing Strategy
Oracle Cloud Computing StrategyOracle Cloud Computing Strategy
Oracle Cloud Computing StrategyRex Wang
 

What's hot (20)

cloud computing Multi cloud
cloud computing Multi cloudcloud computing Multi cloud
cloud computing Multi cloud
 
CRITICAL CHANGES TO SECURITY FOR CLOUD ENVIRONMENTS - Toronto FSI Symposium -...
CRITICAL CHANGES TO SECURITY FOR CLOUD ENVIRONMENTS - Toronto FSI Symposium -...CRITICAL CHANGES TO SECURITY FOR CLOUD ENVIRONMENTS - Toronto FSI Symposium -...
CRITICAL CHANGES TO SECURITY FOR CLOUD ENVIRONMENTS - Toronto FSI Symposium -...
 
The Ultimate Guide to Cloud Migration - A Whitepaper by RapidValue
The Ultimate Guide to Cloud Migration - A Whitepaper by RapidValueThe Ultimate Guide to Cloud Migration - A Whitepaper by RapidValue
The Ultimate Guide to Cloud Migration - A Whitepaper by RapidValue
 
Introduction to AWS
Introduction to AWSIntroduction to AWS
Introduction to AWS
 
Open source and standards - unleashing the potential for innovation of cloud ...
Open source and standards - unleashing the potential for innovation of cloud ...Open source and standards - unleashing the potential for innovation of cloud ...
Open source and standards - unleashing the potential for innovation of cloud ...
 
Cloud security design considerations
Cloud security design considerationsCloud security design considerations
Cloud security design considerations
 
How News Corp Secured Their Digital Transformation through Identity and Acces...
How News Corp Secured Their Digital Transformation through Identity and Acces...How News Corp Secured Their Digital Transformation through Identity and Acces...
How News Corp Secured Their Digital Transformation through Identity and Acces...
 
Thin Air or Solid Ground? Practical Cloud Security
Thin Air or Solid Ground? Practical Cloud SecurityThin Air or Solid Ground? Practical Cloud Security
Thin Air or Solid Ground? Practical Cloud Security
 
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017
 
Cloud Computing Design Considerations
Cloud Computing Design ConsiderationsCloud Computing Design Considerations
Cloud Computing Design Considerations
 
Cloud Migration for Financial Services - Toronto - October 2016
Cloud Migration for Financial Services - Toronto - October 2016Cloud Migration for Financial Services - Toronto - October 2016
Cloud Migration for Financial Services - Toronto - October 2016
 
Hogan Kusnadi - Cloud Computing Secutity
Hogan Kusnadi - Cloud Computing SecutityHogan Kusnadi - Cloud Computing Secutity
Hogan Kusnadi - Cloud Computing Secutity
 
Security for Cloud Computing: 10 Steps to Ensure Success V3.0
Security for Cloud Computing: 10 Steps to Ensure Success V3.0Security for Cloud Computing: 10 Steps to Ensure Success V3.0
Security for Cloud Computing: 10 Steps to Ensure Success V3.0
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and Privacy
 
Tci reference architecture_v2.0
Tci reference architecture_v2.0Tci reference architecture_v2.0
Tci reference architecture_v2.0
 
HP Cloud System Matrix Overview
HP Cloud System Matrix OverviewHP Cloud System Matrix Overview
HP Cloud System Matrix Overview
 
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...
 
Cloud Adoption - Journey of IT Service Management
Cloud Adoption - Journey of IT Service ManagementCloud Adoption - Journey of IT Service Management
Cloud Adoption - Journey of IT Service Management
 
Cloud Security
Cloud Security Cloud Security
Cloud Security
 
Oracle Cloud Computing Strategy
Oracle Cloud Computing StrategyOracle Cloud Computing Strategy
Oracle Cloud Computing Strategy
 

Similar to Sukumar Nayak-Agile-DevOps-Cloud Management

CSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps sessionCSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps sessionTom Laszewski
 
Business and IT agility through DevOps and microservice architecture powered ...
Business and IT agility through DevOps and microservice architecture powered ...Business and IT agility through DevOps and microservice architecture powered ...
Business and IT agility through DevOps and microservice architecture powered ...Lucas Jellema
 
A DevOps adoption playbook- achieving business value at scale
A DevOps adoption playbook- achieving business value at scaleA DevOps adoption playbook- achieving business value at scale
A DevOps adoption playbook- achieving business value at scaleSanjeev Sharma
 
Agility and Control from AWS [FutureStack16]
Agility and Control from AWS [FutureStack16]Agility and Control from AWS [FutureStack16]
Agility and Control from AWS [FutureStack16]New Relic
 
Agile Tour Pune 2015: Dev-ops- niche or mainstream: Bhaskar Venugopalan
Agile Tour Pune 2015: Dev-ops- niche or mainstream: Bhaskar VenugopalanAgile Tour Pune 2015: Dev-ops- niche or mainstream: Bhaskar Venugopalan
Agile Tour Pune 2015: Dev-ops- niche or mainstream: Bhaskar VenugopalanIndia Scrum Enthusiasts Community
 
Continuous Delivery to the cloud - Innovate 2014
Continuous Delivery to the cloud - Innovate 2014Continuous Delivery to the cloud - Innovate 2014
Continuous Delivery to the cloud - Innovate 2014Sanjeev Sharma
 
Fast, Secure Deployments with Docker on AWS
Fast, Secure Deployments with Docker on AWSFast, Secure Deployments with Docker on AWS
Fast, Secure Deployments with Docker on AWSAmazon Web Services
 
Secrets of Successful Cloud Foundry Adopters
Secrets of Successful Cloud Foundry AdoptersSecrets of Successful Cloud Foundry Adopters
Secrets of Successful Cloud Foundry AdoptersVMware Tanzu
 
Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?Apigee | Google Cloud
 
(ENT210) Accelerating Business Innovation with DevOps on AWS | AWS re:Invent ...
(ENT210) Accelerating Business Innovation with DevOps on AWS | AWS re:Invent ...(ENT210) Accelerating Business Innovation with DevOps on AWS | AWS re:Invent ...
(ENT210) Accelerating Business Innovation with DevOps on AWS | AWS re:Invent ...Amazon Web Services
 
Cloud Computing Architecture Primer
Cloud Computing Architecture PrimerCloud Computing Architecture Primer
Cloud Computing Architecture PrimerIlham Ahmed
 
AWS Partner: Grindr: Aggregate, Analyze, and Act on 900M Daily API Calls
AWS Partner: Grindr: Aggregate, Analyze, and Act on 900M Daily API CallsAWS Partner: Grindr: Aggregate, Analyze, and Act on 900M Daily API Calls
AWS Partner: Grindr: Aggregate, Analyze, and Act on 900M Daily API CallsAmazon Web Services
 
TechField Day presentation
TechField Day presentationTechField Day presentation
TechField Day presentationShashi Kiran
 
Webinar: How and Why to Containerize Your Legacy Applications
Webinar: How and Why to Containerize Your Legacy ApplicationsWebinar: How and Why to Containerize Your Legacy Applications
Webinar: How and Why to Containerize Your Legacy ApplicationsStorage Switzerland
 
7 flavours of devops implementation
7 flavours of devops implementation7 flavours of devops implementation
7 flavours of devops implementationAspire Systems
 
The App Evolution
The App EvolutionThe App Evolution
The App EvolutionDev_Events
 
The App Evolution
The App Evolution The App Evolution
The App Evolution Dev_Events
 
TechEvent 2019: More Agile, More AI, More Cloud! Less Work?!; Oliver Dörr - T...
TechEvent 2019: More Agile, More AI, More Cloud! Less Work?!; Oliver Dörr - T...TechEvent 2019: More Agile, More AI, More Cloud! Less Work?!; Oliver Dörr - T...
TechEvent 2019: More Agile, More AI, More Cloud! Less Work?!; Oliver Dörr - T...Trivadis
 
Microsoft Ignite 2018 BRK3192 Container DevOps on Azure
Microsoft Ignite 2018 BRK3192 Container DevOps on AzureMicrosoft Ignite 2018 BRK3192 Container DevOps on Azure
Microsoft Ignite 2018 BRK3192 Container DevOps on AzureJessica Deen
 

Similar to Sukumar Nayak-Agile-DevOps-Cloud Management (20)

CSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps sessionCSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps session
 
Business and IT agility through DevOps and microservice architecture powered ...
Business and IT agility through DevOps and microservice architecture powered ...Business and IT agility through DevOps and microservice architecture powered ...
Business and IT agility through DevOps and microservice architecture powered ...
 
A DevOps adoption playbook- achieving business value at scale
A DevOps adoption playbook- achieving business value at scaleA DevOps adoption playbook- achieving business value at scale
A DevOps adoption playbook- achieving business value at scale
 
Agility and Control from AWS [FutureStack16]
Agility and Control from AWS [FutureStack16]Agility and Control from AWS [FutureStack16]
Agility and Control from AWS [FutureStack16]
 
Agile Tour Pune 2015: Dev-ops- niche or mainstream: Bhaskar Venugopalan
Agile Tour Pune 2015: Dev-ops- niche or mainstream: Bhaskar VenugopalanAgile Tour Pune 2015: Dev-ops- niche or mainstream: Bhaskar Venugopalan
Agile Tour Pune 2015: Dev-ops- niche or mainstream: Bhaskar Venugopalan
 
Continuous Delivery to the cloud - Innovate 2014
Continuous Delivery to the cloud - Innovate 2014Continuous Delivery to the cloud - Innovate 2014
Continuous Delivery to the cloud - Innovate 2014
 
Fast, Secure Deployments with Docker on AWS
Fast, Secure Deployments with Docker on AWSFast, Secure Deployments with Docker on AWS
Fast, Secure Deployments with Docker on AWS
 
Secrets of Successful Cloud Foundry Adopters
Secrets of Successful Cloud Foundry AdoptersSecrets of Successful Cloud Foundry Adopters
Secrets of Successful Cloud Foundry Adopters
 
Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?
 
(ENT210) Accelerating Business Innovation with DevOps on AWS | AWS re:Invent ...
(ENT210) Accelerating Business Innovation with DevOps on AWS | AWS re:Invent ...(ENT210) Accelerating Business Innovation with DevOps on AWS | AWS re:Invent ...
(ENT210) Accelerating Business Innovation with DevOps on AWS | AWS re:Invent ...
 
Cloud Computing Architecture Primer
Cloud Computing Architecture PrimerCloud Computing Architecture Primer
Cloud Computing Architecture Primer
 
AWS Partner: Grindr: Aggregate, Analyze, and Act on 900M Daily API Calls
AWS Partner: Grindr: Aggregate, Analyze, and Act on 900M Daily API CallsAWS Partner: Grindr: Aggregate, Analyze, and Act on 900M Daily API Calls
AWS Partner: Grindr: Aggregate, Analyze, and Act on 900M Daily API Calls
 
TechField Day presentation
TechField Day presentationTechField Day presentation
TechField Day presentation
 
Webinar: How and Why to Containerize Your Legacy Applications
Webinar: How and Why to Containerize Your Legacy ApplicationsWebinar: How and Why to Containerize Your Legacy Applications
Webinar: How and Why to Containerize Your Legacy Applications
 
7 flavours of devops implementation
7 flavours of devops implementation7 flavours of devops implementation
7 flavours of devops implementation
 
The App Evolution
The App EvolutionThe App Evolution
The App Evolution
 
The App Evolution
The App Evolution The App Evolution
The App Evolution
 
TechEvent 2019: More Agile, More AI, More Cloud! Less Work?!; Oliver Dörr - T...
TechEvent 2019: More Agile, More AI, More Cloud! Less Work?!; Oliver Dörr - T...TechEvent 2019: More Agile, More AI, More Cloud! Less Work?!; Oliver Dörr - T...
TechEvent 2019: More Agile, More AI, More Cloud! Less Work?!; Oliver Dörr - T...
 
Microsoft Ignite 2018 BRK3192 Container DevOps on Azure
Microsoft Ignite 2018 BRK3192 Container DevOps on AzureMicrosoft Ignite 2018 BRK3192 Container DevOps on Azure
Microsoft Ignite 2018 BRK3192 Container DevOps on Azure
 
App Development Evolution: What has changed?
App Development Evolution: What has changed? App Development Evolution: What has changed?
App Development Evolution: What has changed?
 

Sukumar Nayak-Agile-DevOps-Cloud Management

  • 1. Security, Risk Management & Audit in the Crossroads of Agile, DevOps and Cloud Management Sukumar Nayak, Chief Technologist Cloud Services Integration & Automation Date Created: 04/21/2015 Date last updated: 07/14/2015
  • 2. 2 Objective: Provide an overview of Agile, DevOps and Cloud Management from Security, Risk Management and Audit Compliance perspectives. Scope: • Motivation • Agile Development • The IT Industry Paradigm is Shifting • DevOps • Cloud Management • Tools & Technologies in the New Style IT • Standards & Compliance Controls • Implementation best practices for Security & Audit in the Cloud • Challenges and Opportunities for Security, Risk Management & Audit practices • Q&A Agenda
  • 3. 3 Audience Poll Technologist, CTO Finance, CFO Audit, CFO Security & Compliance, CISO, CCO What is your primary role at your company? IT Operation, CIO Business Services, Executive Consultant, Entrepreneur What is your level of experience with Agile Development? What is your level of experience with DevOps? What is your level of experience with Cloud environment? What is your level of experience with Big Data environment? Evaluating 5+ years 1-3 years 3-5 years Government, Nonprofit Org
  • 4. 4 Motivation “Companies rarely fail because of poor financial controls, but they fail frequently due to their inability to understand and address disruptive technologies, market fluctuations, changing customer expectations, and competitive pressures.” 2014 Forrester report by Chris McClean, Stepahnie Balaouras & Jennie Duong URL: http://www.metricstream.com/pdf/Extend-compliance-and-risk-Forrester-play-book.pdf
  • 5. 5 7 W’s of Auditing and Investigations What: What activity occurred? What was the result? Key Attributes: Action, Outcome, Type, Reason 1 When: When did the action happen? When was it observed? How long did it take? Key Attributes: Universal Timestamp, Time Zone, Duration 2 Who: Who (user/service) initiated the Action? Key Attributes: User, ID, Type, Name, Role/Credentials, Assertions 3 Where: Where was the Action observed, reported or, modified? What role does the event serve? How was it recorded? Key Attributes: User/Observer, ID, Type, Name, Role/Credentials, Location 4 On What: On What resource did the Activity Target? Key Attributes: Device/Role ID 5 FromWhere: From Where the Action was initiated? Key Attributes: • logical/physical addresses ex: host IP address, server name • precise geolocations ex: ISO-6709-2008 6 ToWhere: To Where was the Action Targeted? Key Attributes: • logical/physical addresses ex: host IP address, server name • precise geolocations ex: ISO-6709-2008 7
  • 6. 6 Agile SCRUM Product Owner Scrum Master Team Member Stakeholder Product Vision Product Backlog Release Backlog Sprint Backlog User Stories User Story Estimation Sprint Demo Sprint Retrospective Daily Standup Meetings Release Burndown Sprint Burndown Story Board Capacity VelocityStory Points Key concepts Roles Artifacts, Ceremonies & Processes Scrum is an iterative and incremental agile software development methodology for managing product development.
  • 7. 7 App A Bins / Libs App B Bins / Libs Docker Engine Host OS Server The IT Industry Paradigm is Shifting… Microservices by James Lewis and Martin Fowler URL: http://martinfowler.com/articles/microservices.html Containers & VMs Michael Daconta URL: http://www.quora.com/How-is-containerization-different-from-virtualization Microservices: A software architecture style, in which complex applications are composed of small, independent processes communicating with each other using language-agnostic APIs. These services are small, highly decoupled and focus on doing a small task. Containerization: Horizontal segmentation Docker Container: The Docker Engine container needs just the application and it’s dependencies. It runs as an isolated process in userspace on the host OS, sharing the kernel with other containers. Thus, it enjoys the resource isolation & allocation benefits of VMs but is much more portable & efficient. Kubernetes: Open source orchestration system (container cluster manager) for Docker containers. It handles scheduling onto nodes in a compute cluster and actively manages workloads to ensure that their state matches the users declared intentions. Runs on Public Cloud, Private Cloud, and Bare Metal. Virtualization: Vertical abstraction Each virtualized application includes the application, the required binaries & libraries, and a Guest OS. The application may be in the order of 10s of MB, however the Guest OS may be in the order of 10s of GB. App A Bins / Libs Guest OS App B Bins / Libs Guest OS Hypervisor Host OS Server Type 2 Hypervisor App A Bins / Libs Guest OS App B Bins / Libs Guest OS Hypervisor Server Type 1 Hypervisor
  • 8. 8 The IT Industry Paradigm is Shifting… Continuous Delivery (CD): A software engineering approach in which teams keep producing valuable software in short cycles and ensure that the software can be reliably released at any time. It is used in software development to automate and improve the process of software delivery. API Management: The process of publishing, promoting and overseeing application programming interfaces (APIs) in a secure, scalable environment. It also includes the creation of end user support resources that define and document the API. Continuous Integration (CI): A development practice that requires developers to integrate code into a shared repository several times a day. Each check-in is then verified by an automated build, allowing teams to detect problems early. Continuous Deployment (CD): The deployment or release of code to Production as soon as it is ready. There is no large batching in Staging nor long UAT process that is directly before Production. Testing is done prior to merging to the Mainline branch and is performed on Production-like environments.
• 9. The IT Industry Paradigm is Shifting…
  Cloud Foundry. URL: http://www.cloudfoundry.org/index.html
  DataGravity. URL: http://datagravity.com/
  Cloud Foundry: Open source cloud computing platform as a service (PaaS) originally developed by VMware and now owned by Pivotal Software, a joint venture by EMC, VMware and General Electric. Cloud Foundry is primarily written in Ruby and Go. It comes in 3 flavors:
  • Cloud Foundry Open Source Software (OSS)
  • Pivotal Cloud Foundry (Pivotal CF)
  • Pivotal Web Services (PWS)
  DataGravity: Data gravity is an analogy of the nature of data and its ability to attract additional applications and services. The Law of Gravity states that the attraction between objects is directly proportional to their weight (or mass). Dave McCrory coined the term data gravity to describe the phenomenon in which the number or quantity and the speed at which services, applications, and even customers are attracted to data increases as the mass of the data also increases.
• 10. Development to Operation: Business Challenges
  DevOps. URL: http://dev2ops.org/2010/02/what-is-devops/
  Traditional IT challenges: ~70-80% of all downtime is due to changes (self-inflicted wounds).
  This often results in a "Wall of Confusion" between Development and Operation:
  • Development: faster changes, development tools
  • Operation: stable environment, operation tools
  [Figure: delivery pipeline Requirements → Design → Code → Test → Package → Release → Deploy to Stage → UAT Test → Deploy to Prod, with the Wall of Confusion separating the Development stages from the Operation stages.]
• 11. DevOps
  What is DevOps?
  DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support.
  DevOps is a software development method that stresses communication, collaboration, integration, automation, and measurement of cooperation between software developers and other IT professionals.
  URL: http://theagileadmin.com/what-is-devops/
  URL: http://en.wikipedia.org/wiki/DevOps
  DevOps Composition: the overlap of Development (Software Engineering), Quality Assurance (QA) and IT Operations.
  DevOps Motivation:
  • IT Operations: "Be predictable – minimize risk"
  • Development (features & code changes): "Be more agile – deliver faster"
  • Agile Development plus DevOps: Quality, Automation, Collaboration, Feedback loop, Faster Release, Smaller Packages; bring applications to customers faster
• 12. What is different in DevOps…
  Configuration Management:
  Traditional CMDB (example layers, top to bottom):
  • Business Service
  • Application
  • Web site / App code (build) / Database
  • Apache HTTP / Tomcat instance / MySQL DB instance
  • HP Server / Linux VM / Server
  • Rack
  • Data Ctr Zone
  • Data Ctr
  Cloud environment CMDB:
  • Business Service
  • Application
  • Platform instance
  • Hosting platform (e.g. AWS, Google, Rackspace, HP, IBM)
  • Location (e.g. EMEA, AMS, APJ)
  Further details (e.g. web, app, DB nodes, IPs, software versions) are kept in the automation/CD toolchain.
  Adapted from Torsten Rueter at URL: https://www.linkedin.com/pulse/devops-itil-match-made-heaven-hell-part-1-torsten-rueter
• 13. What is different in DevOps…
  Release and Change Management: URL: https://www.chef.io/solutions/continuous-delivery/
  Incident Management: DevOps changes primarily who gets involved in Incident Mgmt at which stage and what their stake is in the process. An even bigger impact may be achieved by ensuring there is the right culture and mindset that puts customers, service, reliability, and quick mean time to repair (MTTR) at the center of the approach.
  Event Management, Monitoring & Logging: The key difference is that the complexity, scale, and speed in DevOps make it imperative to focus on Internet Scale vs. Enterprise Scale solutions.
  Adapted from Torsten Rueter at URL: https://www.linkedin.com/pulse/devops-itil-match-made-heaven-hell-part-1-torsten-rueter
• 14. DevOps Success Factors
  DevOps Success factors:
  • Culture, Collaboration & Mindset
  • Effective Team Collaboration
  • Identify & Eliminate Waste
  • Improve Automation Efficiencies for Internet Scale
  • Unified Processes for Development to Operations
  • Unified Tooling (Key Capabilities)
    • Version-control software library
    • Deeply modeled systems
    • Automation
  • Key Industry dynamics:
    • Infrastructure as code
    • Model driven automation
    • Continuous integration (CI)
    • Continuous deployment (CD)
  [Figure: Culture / Process / Technology wheel with Continuous Assessment & Adjust, Planning, Governance, Lifecycle Management, Release Automation, Collaboration, Accountability, Continuous Integration, Continuous Testing, Continuous Delivery, Continuous Deployment, Continuous Performance.]
• 15. DevOps Best Practices
  URL: http://www.drdobbs.com/architecture-and-design/top-10-practices-for-effective-devops/240149363
  • Practice 1: Active Stakeholder Participation
  • Practice 2: Automated Testing
  • Practice 3: Integrated Configuration Management
  • Practice 4: Integrated Change Management
  • Practice 5: Continuous Integration
  • Practice 6: Integrated Deployment Planning
  • Practice 7: Continuous Deployment
  • Practice 8: Production Support
  • Practice 9: Application Monitoring
  • Practice 10: Automated Dashboards
  The Road to DevOps:
  1. Execs Commitment
  2. Cloud Platform
  3. Standardization
  4. Interoperability & Automation
  5. Process Optimization
  6. Organization Culture
• 16. DevOps lifecycle
  [Figure: DevOps domains arranged around the lifecycle: Collaboration; Continuous Deployment / Delivery; Continuous Integration; Source Control; Devl Environ; Configuration Management; Monitoring; Issue Tracking; Planning; Operations Management.]
• 17. Sample of DevOps Tools and Technologies
  Categories: Plan; Develop / Build; Test; Continuous Delivery/Deploy; Issue Tracking; Monitoring; Continuous Integration; Analyze; Collaboration; Configuration Management
  Tools shown: Campfire, Slack, IRC, SharePoint, GoToMeeting, HP MyRoom, MS Project, Trello, HP Agile Manager, HP PPM, Jira, HP Quality Center, ZenDesk, HP SM & SAW, MS Visual Studio Online, Graphite, Logstash, Kibana, HP Site Scope, HP vPV, HP OMi, HP BSM, Performance Manager, Puppet, Chef, CFEngine, Ansible, SaltStack, HP CMS, PowerShell DSC, Git, CVS, MS TFS, Vagrant, Cloud 9 IDE, Codenvy, TeamCity, TravisCI, Octopus, ThoughtWorks Go, Packer, Ubuntu Juju, Capistrano, Jenkins, Ant, Gradle, Maven, BuildHive, New Relic, Docker, CoreOS, HP Fortify, SonarQube, Artifactory, Splunk, HP ArcSight, HP CODAR, HP OO, SA, NA, DMA, NNMi, Cloudyn, logentries
• 18. Cloud Management Tools, Technologies & Companies
  Categories: Cost/Chargeback; Automation & Provisioning; Management Platform; Integration
  Companies and products shown: Cloudability, Cloudyn, Cloud Cruiser, HP Cloud Sys Chargeback, Newvem/Datapipe, Puppet, Chef, enStratius/Dell, RightScale, GigaSpaces, BMC, Capgemini, CA Technologies, HP Helion, IBM, ServiceMesh/CSC, vRealize/VMware, HP CSA, SA, NA, DMA, Dell Boomi, Azure, IBM/Cast Iron, Amazon SQS, Informatica, TIBCO, MuleSoft, AWS, OpenStack
• 19. Security Management Tools, Technologies & Companies
  Categories: Cyber Security; Investigation Management; Computer Security; Network Security
  Companies and products shown: FireEye, Palo Alto Networks, Check Point, Proofpoint Technologies, Guidance Software, Perspective, i-Sight, Report Exec, Column Case Investigate, EHSInsight, logikcull, HRAcuity, Lancope, AlienVault, Norse, RSA/EMC, HP ESS, Blue Coat, Akamai, Trend Micro, IBM ESS, Intel Security, Symantec, F5, AVG, ClearWater Compliance, F-Secure, Cisco, Beyond Security, AT&T Network Sec, Qualys, Bayshore, Bradford Networks
• 20. Service Delivery Models
  [Figure: the same layer stack (Storage, Servers, Networking, O/S, Middleware, Virtualization, Runtime, Data, Applications, User Experience, Devl Tools) shown four times, for Traditional (On Premise), Infrastructure as a Service, Platform as a Service and Software as a Service, with each layer marked as client managed, vendor managed or jointly managed. The share of vendor-managed layers grows from Traditional (all client managed) to SaaS (all vendor managed).]
• 21. Cloud Actors
  • Cloud Consumer: Person or organization that maintains a business relationship with, and uses services from, Cloud Providers.
  • Cloud Provider: Person, organization or entity responsible for making a service available to Cloud Consumers.
  • Cloud Auditor: A party that can conduct independent assessment of cloud services, information system operations, performance and security of the cloud implementation.
  • Cloud Broker: An entity that manages the use, performance and delivery of cloud services, and negotiates relationships between Cloud Providers and Cloud Consumers.
  • Cloud Carrier: The intermediary that provides connectivity and transport of cloud services from Cloud Providers to Cloud Consumers.
• 22. Cloud Services Integration and Management (CSIM/CSIAM)
  [Figure: reference model. Actors: Cloud Consumers, Cloud Brokers, Service Providers, Cloud Auditors. Provided services: Facility, Network, Workplace, Workload, Storage, Security, Data Ctr.]
  IT Operations:
  • Service Delivery
  • Service Support: Incident Management, Problem Management, Knowledge Mgmt, Change Management, Release Management, Availability & Capacity Mgmt, Service Catalog/Request Management, Service Assets & Configuration Mgmt, Event Management & Monitoring
  • Operations Support
  Business Support: Customer Mgmt, Contract Mgmt, Inventory Mgmt, Accounting & Billing, Reporting & Auditing, Pricing, Costing & Rating
  Integration (Portability & Interoperability): Data Portability, Service Interoperability, Systems Portability, Copy Data, Bulk Data Transfer, Unified Management Interface, VM Images Migration, App/SVC Migration, Containers Migration
  Data Management
  Rapid Provisioning & Fulfillment: Resource Change, Provisioning/Configuration, Monitoring & Reporting, Metering, SLA Management
  Security Management and Governance, Security & Risk Management: Governance, Risk Mgmt & Controls
• 23. OpenStack key components
  • Dashboard (Horizon)
  • Compute (Nova)
  • Object Storage (Swift)
  • Block Storage (Cinder)
  • Networking (Neutron)
  • Image Management (Glance)
  • Identity Management (Keystone)
  • Telemetry (Ceilometer)
  • Orchestration (Heat)
  • Database (Trove)
  • Bare Metal Provisioning (Ironic)
  • Messaging (Zaqar)
  • Elastic Map Reduce (Sahara)
• 24. Sample Standards and Compliance Controls
  • Cloud Security Alliance Cloud Control Matrix (CSA CCM 3.0.1)
  • NIST SP 800-53 Rev. 4
  • NIST Cybersecurity Framework
  • ISO/IEC 27002
  • FISMA and FedRAMP
  • Meaningful Use, HITECH and HIPAA
  • COBIT 5
  • ITIL v3 / 2011
  • Payment Card Industry Data Security Standard (PCI DSS 3.1)
  • Distributed Management Task Force (DMTF)
    • Cloud Infrastructure Management Interface (CIMI)
    • Cloud Auditing Data Federation (CADF)
• 25. Sample Standards and Compliance Controls
  • CSA Cloud Controls Matrix 3.0.1
  • NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations
  • NIST Cybersecurity Framework
  • ISO/IEC 27002:2013 Information technology. Security techniques. Code of practice for information security controls
  • PCI DSS 3.1
  • Distributed Management Task Force (DMTF)
    • Cloud Auditing Data Federation (CADF) Standard
    • Cloud Infrastructure Management Interface (CIMI)
• 26. Cloud Security Alliance TCI Reference Architecture
  Legend: CSA: Cloud Security Alliance; TCI: Trusted Cloud Initiative
  Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI_Whitepaper.pdf
• 27. Cloud Security Alliance TCI Reference Architecture
  Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI_Whitepaper.pdf
  SRM Services:
  • Governance Risk and Compliance
  • Information Security Management
  • Privilege Management Infrastructure
  • Threat and Vulnerability Management
  • Infrastructure Protection Services
  • Data Protection
  • Policies and Standards
  ITOS Services:
  • IT Operations
  • Service Delivery
  • Service Support
  • Incident Management
  • Problem Management
  • Knowledge Management
  • Change Management
  • Release Management
  BOSS Services:
  • Compliance
  • Data Governance
  • Operational Risk Management
  • Human Resources Security
  • Security Monitoring Services
  • Legal Services
  • Internal Investigation
  Presentation Services:
  • Presentation Modality
  • Presentation Platform
  Application Services:
  • Development Process
  • Security Knowledge Lifecycle
  • Programming Interfaces
  • Integration Middleware
  • Connectivity & Delivery
  • Abstraction
  Infrastructure Services:
  • Facility Services
  • Servers
  • Storage Services
  • Network Services
  • Availability Services
  • Patch Management
  • Equipment Maintenance
  • Virtualization (Desktop, Storage, Server, Network)
  Information Services:
  • User Directory Services
  • Security Monitoring Data Management
  • Service Delivery Data Management
  • Service Support Data Management
  • Data Governance Data Management
  • Risk Management Data Management
  • ITOS Data Management
  • BOSS Data Management
  • Reporting Services
• 28. CSA Cloud Control Matrix CCM v3.0.1: 16 Domains, 133 Controls
  Source: https://cloudsecurityalliance.org/research/ccm/
  Legend: CSA: Cloud Security Alliance; CCM: Cloud Control Matrix; number of controls for each domain in parentheses
  1. AIS: Application & Interface Security (4)
  2. AAC: Audit Assurance & Compliance (3)
  3. BCR: Business Continuity Management & Operational Resilience (11)
  4. CCC: Change Control & Configuration Management (5)
  5. DSI: Data Security & Information Lifecycle Management (7)
  6. DCS: Datacenter Security (9)
  7. EKM: Encryption & Key Management (4)
  8. GRM: Governance and Risk Management (11)
  9. HRS: Human Resources (11)
  10. IAM: Identity & Access Management (13)
  11. IVS: Infrastructure & Virtualization Security (13)
  12. IPY: Interoperability & Portability (5)
  13. MOS: Mobile Security (20)
  14. SEF: Security Incident Management, E-Discovery & Cloud Forensics (5)
  15. STA: Supply Chain Management, Transparency and Accountability (9)
  16. TVM: Threat and Vulnerability Management (3)
• 29. NIST SP 800-53 Rev. 4 Security and Privacy Controls: Risk Management Framework (RMF) Security Life Cycle
  Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
  Inputs:
  • Architecture Description: Mission/Business Processes; Reference Models; Segment and Solution Architectures; Information System Boundaries
  • Organizational Inputs: Laws, Directives, Policy, Guidance; Strategic Goals and Objectives; Information Security Requirements; Priorities and Resource Availability
  RMF steps:
  1. CATEGORIZE Information Systems (starting point): Define criticality/sensitivity of the information system according to potential worst-case, adverse impact to mission/business.
  2. SELECT Security Controls: Select baseline security controls, apply tailoring guidance and supplement controls as needed based on risk assessment.
  3. IMPLEMENT Security Controls: Implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
  4. ASSESS Security Controls: Determine security control effectiveness (i.e. controls implemented correctly, operating as intended, meeting security requirements for the information system).
  5. AUTHORIZE Information Systems: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
  6. MONITOR Security Controls: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
• 30. NIST SP 800-53 Rev. 4 Security and Privacy Controls
  Identifier  Family                                      Class  Ctrls
  AC          Access Control                              Tech   25
  AT          Awareness and Training                      Ops    5
  AU          Audit and Accountability                    Tech   16
  CA          Security Assessment and Authorization       Mgmt   9
  CM          Configuration Management                    Ops    11
  CP          Contingency Planning                        Ops    13
  IA          Identification and Authentication           Tech   11
  IR          Incident Response                           Ops    10
  MA          Maintenance                                 Ops    6
  MP          Media Protection                            Ops    8
  PE          Physical and Environmental Protection       Ops    20
  PL          Planning                                    Mgmt   9
  PS          Personnel Security                          Ops    8
  RA          Risk Assessment                             Mgmt   6
  SA          System and Services Acquisition             Mgmt   22
  SC          System and Communications Protection        Tech   44
  SI          System and Information Integrity            Ops    17
  PM          Program Management                          Mgmt   16
  Legend: Tech: Technical; Ops: Operational; Mgmt: Management; Ctrls: Number of Controls
  Ref: URL: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
• 31. NIST SP 800-53 Rev. 4 Security and Privacy Controls
  Management (5 families):
  • CA: Security Assessment and Authorization
  • RA: Risk Assessment
  • SA: System and Services Acquisition
  • PL: Planning
  • PM: Program Management
  Operational (9 families):
  • AT: Awareness and Training
  • CM: Configuration Management
  • CP: Contingency Planning
  • IR: Incident Response
  • MA: Maintenance
  • MP: Media Protection
  • PE: Physical and Environmental Protection
  • PS: Personnel Security
  • SI: System and Information Integrity
  Technical (4 families):
  • AC: Access Control
  • AU: Audit and Accountability
  • IA: Identification and Authentication
  • SC: System and Communications Protection
• 32. NIST Cybersecurity Framework version 1.0
  Source: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
  [Figure: Framework Core with the number of subcategories per category. Per-category counts as shown: 6, 5, 4, 6, 3; 5, 5, 7, 12, 2, 4; 5, 8, 5; 1, 5, 4, 3, 2; 1, 2, 3. Totals per function: Identify 24, Protect 35, Detect 18, Respond 15, Recover 6 (98 subcategories).]
• 33. ISO/IEC 27002:2015
  Source URL: http://iso27001security.com/html/27002.html
  URL: http://iso27001security.com/html/iso27k_toolkit.html
• 34. FISMA & FedRAMP
  [Figure: FedRAMP shown as the FISMA NIST 800-53 control set plus FedRAMP additional controls.]
  FISMA:
  • Federal Information Security Management Act (FISMA)
  • United States legislation (not an agency program)
  • A comprehensive framework to protect government information, operations and assets against natural or man-made threats
  • Assigns responsibilities to various agencies to ensure the security of data
  • Managed by individual agencies
  • Requires annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels
  FedRAMP:
  • Federal Risk and Authorization Management Program (FedRAMP)
  • A government-wide program leveraging a "do once, use many times" framework (not legislation)
  • Provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services
  • Purpose: ensure that cloud based services have adequate information security; eliminate duplication of effort and reduce risk management costs; enable rapid and cost-effective procurement of information systems/services for Federal agencies
  • GSA oversees, and accredited 3PAOs validate proposed offers before GSA approves
  Note: 3PAOs: third party assessment organizations
  Number of controls per baseline:
             Low   Moderate   High
  FISMA      124   261        343
  FedRAMP    125   326        N/A
  URL: http://csrc.nist.gov/groups/SMA/forum/documents/FedRAMP-Goodrich-020912.pdf
  URL: http://1105govinfoevents.com/custom/Face-to-Face/2-15/FISMA-FedRAMP-Controls-and-Authorization-Differences-Whitepaper-Coalfire.pdf
• 35. Meaningful Use, HITECH & HIPAA
  URL: http://www.hhs.gov/ocr/privacy/hipaa/understanding/
  URL: http://pitchengine.com/pitches/9bbbb1a7-9fd0-4fcf-81ce-a397f82fd99a
  URL: https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/downloads/EP-MU-TOC.pdf
  URL: http://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title45/45cfr164_main_02.tpl
  HIPAA: Health Insurance Portability and Accountability Act (HIPAA) of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs.
  HITECH: The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.
  Meaningful Use: Using certified electronic health record (EHR) technology to: improve quality, safety, efficiency, and reduce health disparities; engage patients and family; improve care coordination, and population and public health; maintain privacy and security of patient health information.
  [Figure: timeline HIPAA, Health Insurance Portability and Accountability Act (1996) → HITECH, Health Information Technology for Economic and Clinical Health (2009) → Meaningful Use guidelines for Electronic Health Records (2010), annotated with: Privacy, Security, Enforcement; 15 core measures, 10 menu set objectives; 15 measure groups, 25 criteria & measures for meaningful use.]
• 36. COBIT 5
  Source URL: http://www.isaca.org/COBIT/Pages/default.aspx
• 37. COBIT 5
  Ref URL: http://www.isaca.org/COBIT/Pages/default.aspx
  Governance: Evaluate, Direct and Monitor (EDM), 5 processes
  • EDM01 Ensure Governance Framework Setting and Maintenance
  • EDM02 Ensure Benefits Delivery
  • EDM03 Ensure Risk Optimization
  • EDM04 Ensure Resource Optimization
  • EDM05 Ensure Stakeholder Transparency
  Management: Align, Plan and Organize (APO), 13 processes
  • APO01 Manage the IT Management Framework
  • APO02 Manage Strategy
  • APO03 Manage Enterprise Architecture
  • APO04 Manage Innovation
  • APO05 Manage Portfolio
  • APO06 Manage Budget and Costs
  • APO07 Manage Human Resources
  • APO08 Manage Relationships
  • APO09 Manage Service Agreements
  • APO10 Manage Suppliers
  • APO11 Manage Quality
  • APO12 Manage Risk
  • APO13 Manage Security
  Management: Build, Acquire and Implement (BAI), 10 processes
  • BAI01 Manage Programs and Projects
  • BAI02 Manage Requirements Definition
  • BAI03 Manage Solutions Identification and Build
  • BAI04 Manage Availability and Capacity
  • BAI05 Manage Organizational Change Enablement
  • BAI06 Manage Changes
  • BAI07 Manage Change Acceptance and Transitioning
  • BAI08 Manage Knowledge
  • BAI09 Manage Assets
  • BAI10 Manage Configuration
  Management: Deliver, Service and Support (DSS), 6 processes
  • DSS01 Manage Operations
  • DSS02 Manage Service Requests and Incidents
  • DSS03 Manage Problems
  • DSS04 Manage Continuity
  • DSS05 Manage Security Services
  • DSS06 Manage Business Process Controls
  Management: Monitor, Evaluate and Assess (MEA), 3 processes
  • MEA01 Monitor, Evaluate and Assess Performance and Conformance
  • MEA02 Monitor, Evaluate and Assess the System of Internal Control
  • MEA03 Monitor, Evaluate and Assess Compliance with External Requirements
• 38. ITIL 2011
  Service Strategy (SS), 5 processes:
  • Business relationship management
  • Financial management for IT services
  • Service portfolio management
  • Strategy for IT services
  • Demand management
  Service Design (SD), 8 processes:
  • Design coordination
  • Service catalog management
  • Service level management
  • IT service continuity management
  • Supplier management
  • Availability management
  • Capacity management
  • IT security management
  Service Transition (ST), 7 processes:
  • Transition planning & support
  • Change management
  • Change evaluation
  • Service validation & testing
  • Service asset & configuration management
  • Release & deployment management
  • Knowledge management
  Service Operation (SO), 5 processes:
  • Event management
  • Incident management
  • Problem management
  • Request management
  • Access management
  Service Operation (SO), 4 functions:
  • Service desk
  • Technical management
  • IT operations management
  • Application management
  Continual Service Improvement (CSI), 1 process:
  • 7 step improvement process
• 39. ITIL v3 Value Chain (Level 1)
  Service Strategy (SS):
  • Business Relationship Management
  • Management of IT Service Strategy
  • Demand Management
  • Service Portfolio Management (SPM)
  • Financial Management (FM)
  Service Design (SD):
  • Service Design Coordination
  • Service Level Management (SLM)
  • Capacity Management
  • Availability Management
  • Risk Management
  • Security Management
  • Service Continuity Management
  • Supplier Management
  • Service Catalog Management
  Service Transition (ST):
  • Transition Planning and Support
  • Change Management
  • Change Evaluation
  • Release and Deployment Management
  • Service Validation and Test
  • Service Asset and Configuration Management
  • Application Development and Customizing
  • End of Life for IT Services
  • Knowledge Management
  Service Operations (SO):
  • Event Management
  • Incident Management
  • Problem Management
  • Access Management
  • Service Request Management
  • Operations Control
  Continual Service Improvements (CSI):
  • Service Evaluation
  • Process Management
  • Improvement Management and Reporting
• 40. Payment Card Industry Data Security Standard PCI DSS 3.1
  12 high level requirements (number of detailed requirements in parentheses):
  Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data (20)
  2. Do not use vendor-supplied defaults for system passwords and other security parameters (10)
  Protect Cardholder Data
  3. Protect stored cardholder data (18)
  4. Encrypt transmission of cardholder data across open, public networks (3)
  Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs (5)
  6. Develop and maintain secure systems and applications (28)
  Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know (10)
  8. Identify and authenticate access to system components (23)
  9. Restrict physical access to cardholder data (27)
  Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data (32)
  11. Regularly test security systems and processes (16)
  Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel (39)
  Totals: 12 requirements, 231+ detailed requirements, plus 5 requirements for Shared Hosting Providers
  Source: PCI DSS Standards, URL: https://www.pcisecuritystandards.org
• 41. DMTF Cloud Auditing Data Federation (CADF) Standard
  Defines a full event model anyone can use to fill in the essential data needed to certify, self-manage and self-audit application security in cloud environments. CADF is part of the DMTF's Cloud Management Initiative.
  Auditing using a standard such as CADF has many benefits:
  • Create and request customized views for Audit & Compliance data
  • Track regional, industry and corporate policy compliance using standardized APIs / reports
  • Key event data is normalized and categorized to support auditing of hybrid Cloud applications
  • CADF assures consistent mappings across cloud components and cloud providers
  • Format is agnostic to the underlying provider infrastructure
  • Provides transparency for low-level operational processes
  Customer benefits:
  • Ability to self manage auditing of their data
  • Similar reports from different Cloud service providers
  • Aggregate audit data from different Clouds / Partners
  • Auditing processes & tools unchanged
  Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
• 42. Cloud Auditing Data aggregated from multiple sources
  Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
  [Figure: Company A runs Hybrid Applications on its own OSS/BSS processes and on Cloud Providers P1 and P2. Each environment exposes standard APIs for requesting audit data and returns standard audit data (logs and reports). Company A aggregates the audit data from all hybrid applications and makes it available to Company A's Auditor.]
  Legend: OSS: Operational Support Services; BSS: Business Support Services
• 43. Example: 7 essential W's of auditing and monitoring
  CADF Event Model: basic and conditional model components
  Distributed Management Task Force (DMTF) Cloud Auditing Data Federation (CADF)
  Source: http://dmtf.org/sites/default/files/standards/documents/DSP2038_1.0.0.pdf
  CADF Event Model and its components:
  • Work for any Activity, Monitoring or Control event
  • Provide guidance on how to record Basic, Detailed or Precise information for each component
  Legend: Italics are optional properties
  1. What: What activity occurred? What was the result? Properties: event.action, event.outcome, event.type (activity, monitoring, control), event.reason (ex: security, reason code, policy id)
  2. When: When did the action happen? When was it observed? How long did it take? ISO 8601 transaction timestamp. Properties: event.eventTime, reporter.timestamp, event.duration
  3. Who: Who (user/service) initiated the Action? Properties: initiator.id, initiator.type, initiator.id (id, name), initiator.credential, initiator.credential.assertions
  4. Where: Where was the Action observed, reported or modified? What role does the event serve? How was it recorded? Properties: observer.id, observer.type, reporterstep.role, reporterstep.reporterTime
  5. On What: On what resource did the Activity target? Properties: target.id
  6. From Where: From where was the Action initiated? May include logical/physical addresses and ISO-6709-2008 precise geolocations. Properties: initiator.addresses, initiator.host, initiator.geolocation
  7. To Where: To where was the Action targeted? Can be as simple as an IP address or server name. Properties: target.addresses, target.host, target.geolocation
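As an added example (not code from the slide deck or from the DMTF CADF specification), the following Python builds one audit event record that answers all seven W's listed above and checks a record for the W's it fails to answer, which is the test an auditor applies before trusting a log feed. The property names follow the slide (action, outcome, type, eventTime, duration, initiator.id, observer.id, target.id, initiator.addresses, target.addresses); the nesting, the choice of which properties are mandatory, and the sample event are assumptions made for this example.

```python
"""Construct and check a CADF-style audit event covering the seven W's.

Added example, not the DMTF CADF reference implementation: property names
follow the slide, but the nesting, the list of mandatory properties and the
sample values below are assumptions. All data is constructed; nothing here
contacts a real cloud service.
"""
import json
from datetime import datetime, timedelta, timezone

# Which property answers each W (assumed mandatory set). Properties shown in
# italics on the slide, such as event.reason and initiator.credential, are
# optional and therefore not listed here.
REQUIRED_PATHS = {
    "what": ["action", "outcome", "type"],
    "when": ["eventTime"],
    "who": ["initiator.id", "initiator.type"],
    "where": ["observer.id", "observer.type"],
    "on_what": ["target.id"],
    "from_where": ["initiator.addresses"],
    "to_where": ["target.addresses"],
}


def _lookup(event, dotted):
    """Return the value at a dotted path such as 'initiator.id', or None."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def missing_components(event):
    """Return the W's (in slide order) that the event does not answer."""
    missing = []
    for component, paths in REQUIRED_PATHS.items():
        if any(_lookup(event, path) in (None, "", []) for path in paths):
            missing.append(component)
    return missing


def build_event(action, outcome, initiator, target, observer,
                started, duration, event_type="activity", reason=None):
    """Assemble one event; eventTime is emitted as ISO 8601 in UTC."""
    if started.tzinfo is None:
        # A naive timestamp cannot be placed on a universal timeline, so it
        # would be useless when correlating logs from several providers.
        raise ValueError("eventTime must carry a time zone")
    event = {
        "type": event_type,          # activity, monitoring or control
        "action": action,
        "outcome": outcome,
        "eventTime": started.astimezone(timezone.utc).isoformat(),
        "duration": int(duration.total_seconds() * 1000),  # milliseconds (assumed unit)
        "initiator": initiator,
        "target": target,
        "observer": observer,
    }
    if reason is not None:
        event["reason"] = reason
    return event


def to_log_line(event):
    """Serialize with sorted keys so identical events hash identically."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


# Constructed sample: a user deletes an object in a provider's object store;
# the store's audit middleware observes and reports the event.
SAMPLE_EVENT = build_event(
    action="delete",
    outcome="success",
    initiator={"id": "user-0042", "type": "user", "name": "alice",
               "addresses": ["203.0.113.17"], "host": "laptop-alice.example"},
    target={"id": "objstore/bucket-7/report.pdf", "type": "storage/object",
            "addresses": ["198.51.100.9"], "host": "objstore.example"},
    observer={"id": "audit-mw-01", "type": "service/audit"},
    started=datetime(2015, 7, 14, 9, 30, 0, tzinfo=timezone(timedelta(hours=-7))),
    duration=timedelta(milliseconds=120),
    reason={"type": "policy", "code": "retention-expired"},  # assumed shape
)

if __name__ == "__main__":
    print(to_log_line(SAMPLE_EVENT))
    print("missing:", missing_components(SAMPLE_EVENT))
```

The check deliberately treats an empty string or empty list the same as an absent property, because a provider that emits `"initiator": {"id": ""}` has answered "who" no better than one that omits the field; rejecting both keeps the aggregated audit data from the different clouds on slide 42 comparable.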
• 44. Challenges & Opportunities in Cloud Management
  • Transparency is crucial
  • Regulations can't keep up
  • Need for continuous real-time security audits & monitoring
  • Bridge the gaps between academic world innovations and the business world
  • Security requires a big picture approach
  • BYOD brings additional challenges
  • Bare-metal security features are not available in the virtual world
  • Accidental key sharing in appliances
  • Leave security implementations to the experts
  • Data partitioning for hybrid clouds
  • Do consumers care? i.e. are they willing to pay
  • Products can end up being used in industries they aren't designed for
  • Security guarantees are impossible to "prove"
  Source: John Wetherill, URL: http://www.activestate.com/blog/2015/02/locking-down-cloud-18-security-issues-faced-enterprise-it
  Source URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm
• 45. Challenges & Opportunities in Cloud Management
  • Containers and portable VM snapshots are too portable
  • Encryption efforts are vulnerable if physical access to a machine is available
  • Controlling physical access to the data center is not enough
  • Privacy and security are at odds
  • Lack of control over assets and physical security
  • Integration and interoperability of systems / API management
  • Who controls the encryption/decryption keys for data at rest and in transit?
  • Lack of a standard for data integrity
  • Virtual machines / containers transition between Private, Public and Hybrid environments
  • Establishing and managing Service Level Agreements (SLA)
  • Usage based costing, invoicing & chargeback
  • Data migration in and out of the Cloud Service Provider
  • Plan for an exit strategy from the beginning
  Source: John Wetherill, URL: http://www.activestate.com/blog/2015/02/locking-down-cloud-18-security-issues-faced-enterprise-it
  Source URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm
• 46. Reference URLs
  • Cloud Standards Customer Council (CSCC) Cloud Security Standards
  • Cloud Auditing Data Federation
  • NIST Cloud Computing Standards Roadmap
  • Detailed CSA TCI Reference Architecture
  • Payment Card Industry (PCI) Data Security Standards (DSS) Guidelines
  • OpenStack wiki
  • OpenStack Main Page
  • OpenStack Developers Guides
  • Cloud Audit Data Federation - OpenStack Profile
  • Cloud Auditing Data Federation (CADF) - Data Format and Interface Definitions Specification (DSP0262_1.0.0)
  • CADF Event Model and Taxonomies
  • NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
  • URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm
  • CRCnetBASE: http://www.crcnetbase.com/action/showPublications?display=bySubject&category=40001730&collapse=40001730
  • FedRAMP: https://www.fedramp.gov/
  • FISMA: http://www.dhs.gov/federal-information-security-management-act-fisma
• 48. Conclusion
  • Migration to Cloud will continue due to the efficiencies and economics.
  • Cloud is all about services and service delivery.
  • The Cloud is only worth the services it delivers securely.
  • Cloud is all about a hybrid world.
  • Security, Risk Management & Audit practices are at the center of the Agile, DevOps, and Cloud Management transformation.
51
Open Security Architecture
URL: http://www.opensecurityarchitecture.org/cms/foundations/osa-taxonomy
52
DevOps & Cloud: Key is Automated Provisioning
Fully automated provisioning: the ability to deploy, update, and repair application infrastructure using only pre-defined automated procedures.
Criteria for achieving fully automated provisioning:
• Be able to automatically provision an entire environment, from "bare metal" to running business services, completely from specification
• No direct management of individual boxes
• Be able to revert to a "previously known good" state at any time
• It is easier to re-provision than it is to repair
• Anyone on your team with minimal domain-specific knowledge can deploy or update an environment
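The criteria above, worked through as an added example that is not part of the deck or of any product it lists: an environment is built only from a versioned, hash-identified specification, a drifted host is re-provisioned from that spec rather than repaired by hand, and each step leaves a CADF-style audit record (action, target, initiator, time, outcome). The host names, versions, settings and the "ci-pipeline" initiator are constructed for illustration, and the event record is a minimal sketch of the CADF model, not a full implementation of the specification.

```python
"""Added example (not from the deck): provision only from a versioned spec,
detect drift, re-provision instead of repairing, and write a CADF-style audit
event per step. Host names, versions and settings are constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed "known good" specification: the only source of truth for the environment.
SPEC = {
    "version": "2015.07-r3",  # hypothetical release tag
    "hosts": {
        "web01": {"os": "ubuntu-14.04", "packages": {"nginx": "1.6.2"},
                  "sshd_password_auth": "no"},
        "db01": {"os": "ubuntu-14.04", "packages": {"postgresql": "9.3"},
                 "sshd_password_auth": "no"},
    },
}

def spec_digest(spec):
    """Content hash so an auditor can tie a deployed environment to an exact spec version."""
    return hashlib.sha256(json.dumps(spec, sort_keys=True).encode()).hexdigest()

def cadf_event(action, target, outcome, initiator="ci-pipeline"):
    """Minimal CADF-style record: what happened, to what, by whom, when, with what result."""
    return {"action": action, "target": target, "outcome": outcome,
            "initiator": initiator,
            "eventTime": datetime.now(timezone.utc).isoformat()}

def provision(spec, audit):
    """Build every host from the spec alone; no hand edits on individual boxes."""
    env = {"spec_digest": spec_digest(spec), "hosts": {}}
    for host, desired in spec["hosts"].items():
        env["hosts"][host] = json.loads(json.dumps(desired))  # deep copy of desired state
        audit.append(cadf_event("deploy", host, "success"))
    return env

def drift(env, spec):
    """Hosts whose live state no longer matches the spec (e.g. after a manual change)."""
    return sorted(h for h, d in spec["hosts"].items() if env["hosts"].get(h) != d)

def enforce(env, spec, audit):
    """Re-provision each drifted host from the spec rather than patching it in place."""
    for host in drift(env, spec):
        audit.append(cadf_event("monitor", host, "failure"))  # drift observed and recorded
        env["hosts"][host] = json.loads(json.dumps(spec["hosts"][host]))
        audit.append(cadf_event("deploy", host, "success"))  # rebuilt to the known-good state
    return env
```

The audit list is what an auditor would reconcile against the spec digest: every host state change traces back to a pipeline action and an exact specification version, which is the control the slide's "no direct management of individual boxes" criterion is meant to give.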
53
Extending the scope and value delivered by GRC & ERM
Ref: 2014 Forrester report by Chris McClean, Stephanie Balaouras & Jennie Duong
Source URL: http://www.metricstream.com/pdf/Extend-compliance-and-risk-Forrester-play-book.pdf
54
DevOps Maturity Model
Source HP: http://h30499.www3.hp.com/t5/Business-Service-Management-BAC/DevOps-and-OpsDev-How-Maturity-Model-Works/ba-p/6042901#.VWJZ0k3bKM8
55
Sample of DevOps Tools and Technologies
Categories (table columns on the original slide): Plan | Develop / Build | Continuous Integration (CI) | Test | Continuous Delivery / Deploy (CD)
Tools listed: HP Agile Manager, Git, TeamCity, HP Quality Center, HP CODAR, HP PPM, CVS, TravisCI, Ant, HP OO, SA, DMA, NA, NNMi, MS Project, MS TFS, Jenkins, Gradle, Docker, Trello, Vagrant, BuildHive, Maven, CoreOS Rocket, Cloud 9 IDE, Packer, Codenvy, Octopus, ThoughtWorks Go, Capistrano, Artifactory
56
Sample of DevOps Tools and Technologies
Categories (table columns on the original slide): Issue Tracking | Monitoring | Configuration Management | Analyze | Collaboration
Tools listed: HP SM & SAW, HP SiteScope, HP CMS (UD & CMDB), HP ArcSight, HP MyRoom, HP Quality Center, HP vPV, HP OMi, HP BSM, Puppet, HP Fortify, Campfire, Jira, Performance Manager, Chef, Splunk, Slack, ZenDesk, Graphite, CFEngine, SonarQube, IRC, MS Visual Studio Online, Logstash, Ansible, Kibana, SharePoint, Cloudyn, SaltStack, Logentries, GoToMeeting, New Relic (APM & Server), PowerShell DSC, Ubuntu Juju
57
Lean principles
• Queues and total throughput
• Variability, innovation, and economic consequences
• Batch sizes
• Work in progress
• Fast feedback
• Decentralized control
59
Service Delivery Models
[Figure: stack diagram comparing Traditional (On Premise), Infrastructure (as a Service), Platform (as a Service) and Software (as a Service). Layers shown for each model: Storage, Servers, Networking, O/S, Middleware, Virtualization, Data, Applications, Runtime, User Experience. Each layer is marked as client managed, vendor managed or jointly managed depending on the model.]
60
Definitions of Key Terms & Acronyms
• ADFS: Active Directory Federated Services
• CADF: Cloud Auditing Data Federation
• CSA: Cloud Security Alliance
• CSCC: Cloud Standards Customer Council
• CI: Continuous Integration
• CD: Continuous Deployment / Continuous Delivery
• DMTF: Distributed Management Task Force
• ENISA: European Network and Information Security Agency
• GRC: Global Regulatory Compliance
• LDAP: Lightweight Directory Access Protocol
• NIST: National Institute of Standards and Technology
• NIST CC SRA: Cloud Computing Standard Reference Architecture
• PCI DSS: Payment Card Industry Data Security Standard
• SAML: Security Authorization Markup Language
• SCIM: System for Cross-domain Identity Management
• SLA: Service Level Agreement
• SLO: Service Level Objectives
• SSAE 16: Statement on Standards for Attestation Engagements (SSAE) No. 16
• XACML: eXtensible Access Control Markup Language
• SAFe: Scaled Agile Framework