
Sukumar Nayak-Detailed-Cloud Risk Management and Audit


1. Cloud Risk Management and Audit
Sukumar Nayak, CTO, Cloud Services Integration & Automation Leader
Date created: 01/27/2014; date last updated: 03/15/2015
2. Scope
• Cloud Fundamentals
• Cloud Models & Approaches
• Intro to OpenStack
• Reference Architecture & Framework
• Intro to CSA (Cloud Security Alliance) Cloud Control Matrix (CCM): 16 Domains & 133 Controls
• Intro to DMTF (Distributed Management Task Force) Cloud Auditing Data Federation (CADF)
• Risk Management Challenges & Opportunities
• 10 Steps to Manage Cloud Security by CSCC (Cloud Standards Customers Council)
• Q&A
Objective: Provide an overview of Cloud Risk Management and Audit
3. Acronyms
• ADFS: Active Directory Federated Services
• CADF: Cloud Auditing Data Federation
• CSA: Cloud Security Alliance
• CSCC: Cloud Standards Customers Council
• DMTF: Distributed Management Task Force
• ENISA: European Network and Information Security Agency
• GRC: Global Regulatory Compliance
• LDAP: Lightweight Directory Access Protocol
• NIST: National Institute of Standards and Technology
• NIST CC SRA: NIST Cloud Computing Standard Reference Architecture
• SAML: Security Authorization Markup Language
• SCIM: System for Cross-domain Identity Management
• SLA: Service Level Agreement
• SLO: Service Level Objectives
• SSAE 16: Statement on Standards for Attestation Engagements (SSAE) No. 16
• XACML: eXtensible Access Control Markup Language
4. Cloud… where is the money?
Example recent news: Deutsche Bank signed a 10-year, multibillion-dollar IT deal with HP in Feb 2015. Solution: HP Helion OpenStack based Cloud Services. HP will provide computing capacity and data storage to host Deutsche's operations; Deutsche will retain activities such as IT architecture and information security.
Pareto Principle figure (Traditional Environment vs. Cloud Environment):
• Traditional Environment: 80% Infrastructure/Platform Management (data center, server resources, OS platforms), 20% Application Management / Business Focus
• Cloud Environment: 20% Infrastructure/Platform Management (cloud resources), 80% Application Management / Business Focus (innovation, creativity, agility)
5. Cloud computing basics
NIST Definition: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.
Ref: NIST Cloud Computing Definition SP 800-145, http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
5 Essential Characteristics:
• On-demand self-service
• Resource pooling
• Rapid elasticity
• Measured service
• Broad network access
3 Service Delivery Models:
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
4 Deployment Models:
• Public Cloud
• Private Cloud
• Community Cloud
• Hybrid Cloud
6. Essential Characteristics of Cloud Computing
• On-Demand Self Service: Authorized agencies must be able to provision and release capabilities as needed, automatically, without requiring human interaction with each service provider.
• Broad Network Access: Once provisioned, the software, platform, or infrastructure maintained by the cloud provider should be available over a network using thin or thick clients.
• Resource Pooling: The resources provisioned from the cloud provider should be pooled to serve multiple agencies or programs using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to the agency's self-service demand.
• Rapid Elasticity: Elasticity is defined as the ability to scale resources both up and down as needed. Cloud computing capabilities should be rapidly and elastically provisioned and released.
• Measured Service: Cloud resource usage should be monitored, controlled, and reported, providing transparency for both the provider and the consumer of the service.
Ref: NIST Cloud Computing Definition SP 800-145, http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
7. Service Delivery Models
Figure: the stack (Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking) shown four times, with each layer marked as client managed, vendor managed or jointly managed, for Traditional (on premise), Infrastructure as a Service, Platform as a Service and Software as a Service.
8. Private vs. Public: Understanding the Trade-Offs
No Cloud (Enterprise IT):
• Each enterprise division manages its own data center (or a subdivision)
• Exclusive local control of resources
• Internally borne costs and burdens of management
• High-cost overcapacity, low resource utilization
Private Cloud:
• Designated enterprise data center (or segment) managed centrally
• Data center resources shared by all divisions, protected by enterprise central controls
• Divisions of the enterprise act as independent tenants
• Some elasticity of resources; good resource utilization; reduced cost of business
Virtual Private Cloud:
• Third-party data center providers (public cloud characteristic)
• Data center sharing is restricted to only the divisions of this enterprise (private cloud characteristic)
• Divisions of the enterprise act as independent tenants (private cloud characteristic)
• Some elasticity; good resource utilization; low cost of business
Community Cloud:
• Consortium or government scope data center (larger than private, but smaller than public)
• Members of the consortium or government agencies act as independent tenants
• Data center resources are shared by all members; the consortium provides security, privacy and capacity
• Good elasticity of resources; high resource utilization; reduced cost of business
Public Cloud:
• Third-party data center providers
• Computing resources shared by independent enterprises (tenants), protected by third parties in the cloud
• Maximum elasticity; maximum resource utilization; low cost of business
9. Private vs. Public: Understanding the Trade-Offs (same content as slide 8, with the models plotted along Autonomy vs. Cost-Efficiency axes)
10. Workloads shifting to the Cloud
Figure: workloads placed across Traditional IT, Private cloud and Public cloud, including server capacity on demand, storage capacity on demand, business apps (CRM, ERP), IT management, email, personal productivity apps, website creation & management, app dev. & test, technical computing apps, data analysis and mining, custom apps, apps with sensitive data, IT help desk, collaborative apps, and data backup/archive services. Cloud computing complements traditional IT.
11. Enterprise Architecture and Cloud Architecture
• Business Architecture (What, Who, Why): Mission; Vision; Stakeholders; Operating Model & Processes; Value Chain Models; Metrics & Measures; Align Business Strategy to IT Strategy
• Information Architecture (What, How): Data Models; Data Flows; Interface, Integration & Interoperability; Relevance to Business functions
• Application Architecture (With what): Applications; Tools; Functions; Capabilities; Workflows
• Technology & Infrastructure Architecture (With what): Servers; Software; Network; Storage; GRC, Legal, Security & Privacy; Data Center Sites
• Service Delivery (How & How much): Deployment; Chargeback; Break fix; SLAs/SLOs; Operations & Management
Figure labels: Enterprise Architecture focus; Cloud Architecture focus (IaaS & PaaS).
12. Promise of Cloud Computing
Cloud will not necessarily help map IT to business, but cloud could enable:
• Economies of scale & improved resource utilization
• Reduced capital spending on technology infrastructure
• Lower barriers to entry for small businesses & lower start-up costs
• Usage based billing (pay as you go)
• Globalization of workforce
• Faster deployment, onboarding, provisioning & de-provisioning
• Improved accessibility anytime & anywhere
• Improved transparency for integration & flexibility
• Implementation of chargebacks
• Improved operations support & provide SLAs / SLOs
• More predictable delivery of projects
• Reduced software licensing costs
Challenges & success factors:
• Legacy migration
• Integration & Interoperability
• Data & Applications Architecture
• Technology compatibility issues
• Security & Privacy risks
• Legal & Regulatory Compliance
• Management of Change
13. Cloud simplifies IT services, but realize there is a lot behind this
Figure: Demand / Delivery / Supply layers: access devices, cloud services (SaaS, PaaS, IaaS), the cloud platform, security management services, identity & access management services, IT management services with security impact, and the IT management framework.
14. And make sure you understand security
Figure: the same Demand / Delivery / Supply layers as slide 13, annotated with the security concerns at each layer:
• Access devices: malware protection, network security, client security, data protection, application security
• Cloud services (SaaS, PaaS, IaaS): application security, secure SDLC, instance security
• Cloud platform security: application security, data protection and availability; malware protection; network security; server security; client security; storage security; data protection; virtualization security; platform availability; security monitoring; physical security
• Identity & access management services: account management, access control management, authentication, key management, identity provisioning, federation, auditing
• IT management services with security impact: change management, patch management, configuration management, GRC, capacity management, availability management, incident management, virtualization management, vulnerability management, SIEM, compliance management, security service portal
• IT management framework
15. Secure Cloud Environment technologies & concepts
• Segmentation and Isolation
• Threat Detection and Mitigation
• Security Information & Event Management (SIEM) / Log Management
• Incident Response and Forensics
• Identity & Access Management
• Data Protection; Data & Information Security
• Secure Software Development
• Vulnerability Scanning and Patch Management
• Physical & Personnel Security
• Security Policy Management
• Endpoint Management
16. Cloud Models & Approaches
Ref: OpenNebula.org, http://opennebula.org/eucalyptus-cloudstack-openstack-and-opennebula-a-tale-of-two-cloud-models/
• Datacenter Virtualization: Cloud as an extension of virtualization in the datacenter; hence looking for a vCloud-like infrastructure automation tool to orchestrate and simplify the management of the virtualized resources.
• Infrastructure Provision: Cloud as an AWS-like cloud on-premise; hence looking for a provisioning tool to supply virtualized resources on-demand.
17. Factors for choosing Cloud Models & Approaches (Datacenter Virtualization vs. Infrastructure Provision)
• Applications: Multi-tiered applications defined in a traditional, "enterprise" way vs. "re-architected" applications that fit into the cloud paradigm
• Interfaces: Feature-rich API and administration portal vs. simple cloud APIs and self-service portal
• Management Capabilities: Complete life-cycle management of virtual and physical resources vs. simplified life-cycle management of virtual resources with abstraction of the underlying infrastructure
• Cloud Deployment: Mostly private vs. mostly public
• Internal Design: Bottom-up design dictated by the management of datacenter complexity vs. top-down design dictated by the efficient implementation of cloud interfaces
• Enterprise Capabilities: High availability, fault tolerance, replication, scheduling, etc. provided by the cloud management platform vs. most of them built into the application, as in "design for failure"
• Datacenter Integration: Easy to adapt to fit into any existing infrastructure environment to leverage IT investments vs. built on new, homogeneous commodity infrastructure
18. OpenStack introduction
Key Components:
• Compute (Nova)
• Image Service (Glance)
• Networking (Neutron)
• Object Storage (Swift)
• Block Storage (Cinder)
• Dashboard (Horizon)
• Identity Service (Keystone)
• Telemetry (Ceilometer)
• Orchestration (Heat)
• Database (Trove)
• Bare Metal Provisioning (Ironic)
• Multiple Tenant Cloud Messaging (Zaqar)
• Elastic Map Reduce (Sahara)
19. OpenStack Basic Deployment
Figure: three deployment layouts of increasing scope, built from the components Identity, Library/Images, Compute, Network, Portal, Metering, Automation, Database Services, Block Storage (Files), Object Storage (Blobs), Message Broker and Config Database.
20. OpenStack Feature Releases
Figure: timeline of OpenStack releases (Nov 2010, Feb 2011, Apr 2011, Sep 2011, Apr 2012, Sep 2012, Apr 2013, Oct 2013, Apr 2014, Nov 2014) showing when each component joined a release: Compute, Object Storage (Blobs), Library/Images, Portal, Identity, Network, Block Storage (Files), Automation, Metering, Database Services, Hadoop Cluster.
21. Cloud Security Alliance TCI Reference Architecture
Legend: CSA: Cloud Security Alliance; TCI: Trusted Cloud Initiative
Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI_Whitepaper.pdf
22. Cloud Security Alliance TCI Reference Architecture
Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI_Whitepaper.pdf
SRM Services:
• Governance Risk and Compliance
• Information Security Management
• Privilege Management Infrastructure
• Threat and Vulnerability Management
• Infrastructure Protection Services
• Data Protection
• Policies and Standards
ITOS Services:
• IT Operations
• Service Delivery
• Service Support
• Incident Management
• Problem Management
• Knowledge Management
• Change Management
• Release Management
BOSS Services:
• Compliance
• Data Governance
• Operational Risk Management
• Human Resources Security
• Security Monitoring Services
• Legal Services
• Internal Investigation
Presentation Services:
• Presentation Modality
• Presentation Platform
Application Services:
• Development Process
• Security Knowledge Lifecycle
• Programming Interfaces
• Integration Middleware
• Connectivity & Delivery
• Abstraction
Infrastructure Services:
• Facility Services
• Servers
• Storage Services
• Network Services
• Availability Services
• Patch Management
• Equipment Maintenance
• Virtualization (Desktop, Storage, Server, Network)
Information Services:
• User Directory Services
• Security Monitoring Data Management
• Service Delivery Data Management
• Service Support Data Management
• Data Governance Data Management
• Risk Management Data Management
• ITOS Data Management
• BOSS Data Management
• Reporting Services
23. CSA Cloud Control Matrix CCM v3.0.1; 16 Domains
Source: https://cloudsecurityalliance.org/research/ccm/
Legend: CSA: Cloud Security Alliance; CCM: Cloud Control Matrix; (number of controls) for each Domain
1. AIS: Application & Interface Security (4)
2. AAC: Audit Assurance & Compliance (3)
3. BCR: Business Continuity Management & Operational Resilience (11)
4. CCC: Change Control & Configuration Management (5)
5. DSI: Data Security & Information Lifecycle Management (7)
6. DCS: Datacenter Security (9)
7. EKM: Encryption & Key Management (4)
8. GRM: Governance and Risk Management (11)
9. HRS: Human Resources (11)
10. IAM: Identity & Access Management (13)
11. IVS: Infrastructure & Virtualization Security (13)
12. IPY: Interoperability & Portability (5)
13. MOS: Mobile Security (20)
14. SEF: Security Incident Management, E-Discovery & Cloud Forensics (5)
15. STA: Supply Chain Management, Transparency and Accountability (9)
16. TVM: Threat and Vulnerability Management (3)
24. CSA Cloud Control Matrix CCM v3.0.1; 133 Controls
Application & Interface Security (AIS):
• AIS-01: Application Security
• AIS-02: Customer Access Requirements
• AIS-03: Data Integrity
• AIS-04: Data Security / Integrity
Audit Assurance & Compliance (AAC):
• AAC-01: Audit Planning
• AAC-02: Independent Audits
• AAC-03: Information System Regulatory Mapping
Business Continuity Management & Operational Resilience (BCR):
• BCR-01: Business Continuity Planning
• BCR-02: Business Continuity Testing
• BCR-03: Datacenter Utilities / Environmental Conditions
• BCR-04: Documentation
• BCR-05: Environmental Risks
• BCR-06: Equipment Location
• BCR-07: Equipment Maintenance
• BCR-08: Equipment Power Failures
• BCR-09: Impact Analysis
• BCR-10: Policy
• BCR-11: Retention Policy
Change Control & Configuration Management (CCC):
• CCC-01: New Development / Acquisition
• CCC-02: Outsourced Development
• CCC-03: Quality Testing
• CCC-04: Unauthorized Software Installations
• CCC-05: Production Changes
Data Security & Information Lifecycle Management (DSI):
• DSI-01: Classification
• DSI-02: Data Inventory / Flows
• DSI-03: eCommerce Transactions
• DSI-04: Handling / Labeling / Security Policy
• DSI-05: Non-Production Data
• DSI-06: Ownership / Stewardship
• DSI-07: Secure Disposal
Source: https://cloudsecurityalliance.org/research/ccm/
25. CSA Cloud Control Matrix CCM v3.0.1; 133 Controls
Datacenter Security (DCS):
• DCS-01: Asset Management
• DCS-02: Controlled Access Points
• DCS-03: Equipment Identification
• DCS-04: Off-Site Authorization
• DCS-05: Off-Site Equipment
• DCS-06: Policy
• DCS-07: Secure Area Authorization
• DCS-08: Unauthorized Persons Entry
• DCS-09: User Access
Encryption & Key Management (EKM):
• EKM-01: Entitlement
• EKM-02: Key Generation
• EKM-03: Sensitive Data Protection
• EKM-04: Storage and Access
Governance and Risk Management (GRM):
• GRM-01: Baseline Requirements
• GRM-02: Data Focus Risk Assessments
• GRM-03: Management Oversight
• GRM-04: Management Program
• GRM-05: Management Support/Involvement
• GRM-06: Policy
• GRM-07: Policy Enforcement
• GRM-08: Policy Impact on Risk Assessments
• GRM-09: Policy Reviews
• GRM-10: Risk Assessments
• GRM-11: Risk Management Framework
Source: https://cloudsecurityalliance.org/research/ccm/
26. CSA Cloud Control Matrix CCM v3.0.1; 133 Controls
Human Resources (HRS):
• HRS-01: Asset Returns
• HRS-02: Background Screening
• HRS-03: Employment Agreements
• HRS-04: Employment Termination
• HRS-05: Mobile Device Management
• HRS-06: Non-Disclosure Agreements
• HRS-07: Roles / Responsibilities
• HRS-08: Technology Acceptable Use
• HRS-09: Training / Awareness
• HRS-10: User Responsibility
• HRS-11: Workspace
Identity & Access Management (IAM):
• IAM-01: Audit Tools Access
• IAM-02: Credential Lifecycle / Provision Management
• IAM-03: Diagnostic / Configuration Ports Access
• IAM-04: Policies and Procedures
• IAM-05: Segregation of Duties
• IAM-06: Source Code Access Restriction
• IAM-07: Third Party Access
• IAM-08: Trusted Sources
• IAM-09: User Access Authorization
• IAM-10: User Access Reviews
• IAM-11: User Access Revocation
• IAM-12: User ID Credentials
• IAM-13: Utility Programs Access
Source: https://cloudsecurityalliance.org/research/ccm/
27. CSA Cloud Control Matrix CCM v3.0.1; 133 Controls
Infrastructure & Virtualization Security (IVS):
• IVS-01: Audit Logging / Intrusion Detection
• IVS-02: Change Detection
• IVS-03: Clock Synchronization
• IVS-04: Information System Documentation
• IVS-05: Management - Vulnerability Management
• IVS-06: Network Security
• IVS-07: OS Hardening and Base Controls
• IVS-08: Production / Non-Production Environments
• IVS-09: Segmentation
• IVS-10: VM Security - vMotion Data Protection
• IVS-11: VMM Security - Hypervisor Hardening
• IVS-12: Wireless Security
• IVS-13: Network Architecture
Interoperability & Portability (IPY):
• IPY-01: APIs
• IPY-02: Data Request
• IPY-03: Policy & Legal
• IPY-04: Standardized Network Protocols
• IPY-05: Virtualization
Mobile Security (MOS):
• MOS-01: Anti-Malware
• MOS-02: Application Stores
• MOS-03: Approved Applications
• MOS-04: Approved Software for BYOD
• MOS-05: Awareness and Training
• MOS-06: Cloud Based Services
• MOS-07: Compatibility
• MOS-08: Device Eligibility
• MOS-09: Device Inventory
• MOS-10: Device Management
• MOS-11: Encryption
• MOS-12: Jailbreaking and Rooting
• MOS-13: Legal
• MOS-14: Lockout Screen
• MOS-15: Operating Systems
• MOS-16: Passwords
• MOS-17: Policy
• MOS-18: Remote Wipe
• MOS-19: Security Patches
• MOS-20: Users
Source: https://cloudsecurityalliance.org/research/ccm/
28. CSA Cloud Control Matrix CCM v3.0.1; 133 Controls
Security Incident Management, E-Discovery & Cloud Forensics (SEF):
• SEF-01: Contact / Authority Maintenance
• SEF-02: Incident Management
• SEF-03: Incident Reporting
• SEF-04: Incident Response Legal Preparation
• SEF-05: Incident Response Metrics
Supply Chain Management, Transparency and Accountability (STA):
• STA-01: Data Quality and Integrity
• STA-02: Incident Reporting
• STA-03: Network / Infrastructure Services
• STA-04: Provider Internal Assessments
• STA-05: Supply Chain Agreements
• STA-06: Supply Chain Governance Reviews
• STA-07: Supply Chain Metrics
• STA-08: Third Party Assessment
• STA-09: Third Party Audits
Threat and Vulnerability Management (TVM):
• TVM-01: Anti-Virus / Malicious Software
• TVM-02: Vulnerability / Patch Management
• TVM-03: Mobile Code
Source: https://cloudsecurityalliance.org/research/ccm/
29. DMTF Cloud Auditing Data Federation (CADF) Standard
Defines a full event model anyone can use to fill in the essential data needed to certify, self-manage and self-audit application security in cloud environments. CADF is part of the DMTF's Cloud Management Initiative.
Auditing using a standard such as CADF has many benefits:
• Create and request customized views for Audit & Compliance data
• Track regional, industry and corporate policy compliance using standardized APIs / reports
• Key event data is normalized and categorized to support auditing of hybrid Cloud applications
• CADF assures consistent mappings across cloud components and cloud providers
• Format is agnostic to the underlying provider infrastructure
• Provides transparency for low-level operational processes
Customer Benefits:
• Ability to self-manage auditing of their data
• Similar reports from different Cloud service providers
• Aggregate audit data from different Clouds / Partners
• Auditing processes & tools unchanged
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
30. Cloud Auditing Data aggregated from multiple sources
Figure: Company A (its OSS/BSS processes, its auditor and its hybrid applications) requests audit data over standard APIs from Cloud Provider P1 and Cloud Provider P2, each hosting Company A's hybrid applications; the providers return standard audit data (logs and reports), which Company A aggregates across its hybrid applications. OSS: Operational Support Services; BSS: Business Support Services.
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
31. CADF Taxonomy
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Includes:
• Resources, by the role played in the event, e.g. Initiator, Target, Observer.
• Actions, used to classify the event by the activity that caused it to be generated.
• Outcomes, used to describe the outcome of the attempted action of the event.
CADF Event Model: basic and conditional model components (CADF definitions)
• OBSERVER: The RESOURCE that generates the CADF Event Record based on its observation (directly or indirectly) of the Actual Event.
• INITIATOR: The RESOURCE that initiated, originated, or instigated the event's ACTION, according to the OBSERVER.
• ACTION: The operation or activity the INITIATOR has performed, attempted to perform or has pending against the event's TARGET, according to the OBSERVER.
• TARGET: The RESOURCE against which the ACTION of a CADF Event Record was performed, was attempted, or is pending, according to the OBSERVER. NOTE: A TARGET (in the CADF Event Model) can represent a plurality of target resources.
• OUTCOME: The result or status of the ACTION against the TARGET, according to the OBSERVER.
32. CADF Event Model and REPORTERCHAIN construction
Figure: the basic and conditional model components of the CADF Event Model, and an example of REPORTERCHAIN construction.
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
33. CADF 7 essential W's of auditing and monitoring
CADF Event Model and its components: works for any Activity, Monitoring or Control event, and provides guidance on how to record Basic, Detailed or Precise information for each component. (Italics on the original slide mark optional properties.)
1. What: What activity occurred? What was the result? Properties: event.action, event.outcome, event.type (activity, monitoring, control), event.reason (e.g. security reason code, policy id)
2. When: When did the action happen? When was it observed? How long did it take? Properties: event.eventTime (ISO 8601 timestamp), reporter.timestamp, event.duration
3. Who: Who (user/service) initiated the Action? Properties: initiator.id, initiator.type, initiator (id, name), initiator.credential, initiator.credential.assertions
4. Where: Where was the Action observed, reported or modified? What role does the event serve? How was it recorded? Properties: observer.id, observer.type, reporterstep.role, reporterstep.reporterTime
5. On What: On what resource did the Activity target? Property: target.id
6. From Where: From where was the Action initiated? May include logical/physical addresses and precise geolocations (ISO 6709:2008). Properties: initiator.addresses, initiator.host, initiator.geolocation
7. To Where: To where was the Action targeted? Can be as simple as an IP address or server name. Properties: target.addresses, target.host, target.geolocation
Source: http://dmtf.org/sites/default/files/standards/documents/DSP2038_1.0.0.pdf
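As an added example (not code from the deck or from DMTF), the following Python builds CADF-style event records from the model components on slides 31 and 33, reports which of the 7 W's each record answers, and aggregates records from two constructed providers the way slide 30 describes. Field names follow the CADF JSON form (typeURI, eventType, eventTime, initiator, target, observer, reporterchain); the provider names, user id and addresses are constructed sample values.

```python
"""CADF (DMTF DSP0262) audit event records: build, check the 7 W's, aggregate.

Added example, not code from the slide deck or from DMTF. Provider names,
user ids and addresses below are constructed for illustration.
"""
import json
import uuid
from datetime import datetime, timezone

CADF_EVENT_TYPEURI = "http://schemas.dmtf.org/cloud/audit/1.0/event"
VALID_EVENT_TYPES = {"activity", "monitor", "control"}
VALID_OUTCOMES = {"success", "failure", "pending", "unknown"}
# Basic model components from the slides: OBSERVER, INITIATOR, ACTION,
# TARGET, OUTCOME, plus the event id, type and ISO 8601 timestamp.
REQUIRED = ("id", "eventType", "eventTime", "action", "outcome",
            "initiator", "target", "observer")


def make_event(initiator_id, initiator_addr, action, target_id,
               target_typeuri, outcome, observer_id, target_addrs=None):
    """Build one CADF event record as a dict (serialize with json.dumps).

    typeURI values use the CADF resource taxonomy from the slides, e.g.
    service/security, compute/machine, storage/volume.
    """
    now = datetime.now(timezone.utc).isoformat()
    target = {"id": target_id, "typeURI": target_typeuri}
    if target_addrs:  # "To Where": optional, so only set when known
        target["addresses"] = [{"url": a} for a in target_addrs]
    return {
        "typeURI": CADF_EVENT_TYPEURI,
        "eventType": "activity",
        "id": str(uuid.uuid4()),
        "eventTime": now,
        "action": action,
        "outcome": outcome,
        "initiator": {"id": initiator_id,
                      "typeURI": "service/security/account/user",
                      "host": {"address": initiator_addr}},  # "From Where"
        "target": target,
        "observer": {"id": observer_id, "typeURI": "service/security"},
        # REPORTERCHAIN: the observer records itself as the first reporter.
        "reporterchain": [{"role": "observer", "reporterId": observer_id,
                           "reporterTime": now}],
    }


def seven_ws(event):
    """Map each of the 7 W's to whether this record answers it."""
    ini = event.get("initiator", {})
    tgt = event.get("target", {})
    obs = event.get("observer", {})
    location_keys = ("addresses", "host", "geolocation")
    return {
        "what": "action" in event and "outcome" in event,
        "when": "eventTime" in event,
        "who": "id" in ini,
        "where": "id" in obs or bool(event.get("reporterchain")),
        "on_what": "id" in tgt,
        "from_where": any(k in ini for k in location_keys),
        "to_where": any(k in tgt for k in location_keys),
    }


def validate(event):
    """Return a list of problems; an empty list means the basic model holds."""
    problems = ["missing " + k for k in REQUIRED if k not in event]
    if event.get("typeURI") != CADF_EVENT_TYPEURI:
        problems.append("wrong typeURI")
    if event.get("eventType") not in VALID_EVENT_TYPES:
        problems.append("bad eventType")
    if event.get("outcome") not in VALID_OUTCOMES:
        problems.append("bad outcome")
    return problems


def summarize(events):
    """Aggregate records from several observers (cloud providers) into
    {(observer_id, action): {outcome: count}} so one report covers
    hybrid applications hosted at different providers."""
    summary = {}
    for ev in events:
        bucket = summary.setdefault((ev["observer"]["id"], ev["action"]), {})
        bucket[ev["outcome"]] = bucket.get(ev["outcome"], 0) + 1
    return summary


def sample_events():
    """Constructed records from two hypothetical providers, P1 and P2."""
    return [
        make_event("user-42", "10.0.0.5", "authenticate", "keystone",
                   "service/security", "failure", "provider-p1/keystone"),
        make_event("user-42", "10.0.0.5", "create", "vm-7",
                   "compute/machine", "success", "provider-p1/nova",
                   target_addrs=["http://192.0.2.10:8774/servers/vm-7"]),
        make_event("user-42", "10.0.0.5", "authenticate", "keystone",
                   "service/security", "failure", "provider-p2/keystone"),
    ]


if __name__ == "__main__":
    events = sample_events()
    for ev in events:
        print(json.dumps(ev, indent=2))
        print("7 W's:", seven_ws(ev), "problems:", validate(ev))
    print(summarize(events))
```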
34. CADF Resource Top-level Taxonomy hierarchy
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
• storage: Logical resources that represent storage containers.
• compute: Logical resources that are used to perform logical operations or calculations on data.
• network: Logical resources that interconnect computer systems, terminals, and other equipment, allowing information to be exchanged.
• data: Logical named sets of information (objectified data) that are referenced and managed by services.
• service: Logical set of operations, packaged into a single entity, that provides access to and management of cloud resources (for a given domain).
• system: Logical resources that are a combination of several other [cloud] resources that operate as a functional whole, this combination being manageable (created, operated, audited, etc.) as a unit, i.e., offering some operations that could activate lower-level operations over each of the subresources.
• unknown: Indicates that the OBSERVER of the event is not, to the best of its ability, able to classify a resource that contributed to the actual event it is reporting on using any other valid resource taxonomy value.
35. CADF Resource Taxonomy - Storage subtree
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
• node: Logical resource that contains the necessary processing components to store data.
• volume: Logical unit of persistent data storage that may or may not be physically removable from the computer or storage system.
• memory: Logical unit of data storage that is used for dynamically processing data.
• container: Logical unit of storage where data objects are deposited and organized for persistent storage.
• directory: Logical storage used to organize records about resources (e.g., files, subscribers, etc.) along with their locations and other metadata. Typically, these records are organized in a hierarchical structure.
• database: Logical storage used to organize data to a model (schema) that reflects relevant aspects of a specific real-world application.
• queue: Logical storage of a list of data waiting to be processed.
36. CADF Resource Taxonomy - Compute subtree
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
• node: Logical resource that contains the necessary processing components to execute a workload.
• cpu: Logical resource that represents a unit of processing power that can consume a workload.
• machine: Logical resource that encapsulates both CPU and memory.
• process: An instance of a granular workload, such as an application or service, that is being executed.
• thread: A separable function of a running process that shares its virtual address space and system resources.
37. CADF Resource Taxonomy - Network subtree
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
• node: A logical resource that can be networked and can provide services on data from network connections. A node may export zero or more endpoints (zero implies it has not been provisioned).
• host: A network node that can perform operations or calculations on data.
• connection: A single network interaction involving two or more endpoints (sources and destinations).
• domain: Represents a logical grouping of networked resources.
• cluster: Represents a logical combination of tightly coupled network resources.
38. CADF Resource Taxonomy - Service subtree
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
• bss: Business Support Services (BSS); the logical classification grouping for services that are identified to support business activities.
• composition: The logical classification grouping for services that support the compositing of independent services into a new service offering.
• compute: Infrastructure services for managing computing (fabric).
• database: Database Services (or DB-as-a-Service); database services that permit substitutability to various provider implementations.
• image: Infrastructure services for managing virtual machine images and associated metadata.
• network: Infrastructure services for managing networking (fabric).
• oss: Operational Support Services (OSS); the logical classification grouping for services that are identified to support operations including communication, control, analysis, etc.
• security: Security Services (or Sec-as-a-Service); the logical classification grouping for security services including Identity Mgmt., Policy Mgmt., Authentication, Authorization, Access Mgmt., etc. (a.k.a. "Security-as-a-Service").
• storage: Infrastructure services for managing storage (fabric).
• storage/block: Infrastructure services for managing block storage.
• storage/object: Infrastructure services for managing object storage.
39. CADF Resource Taxonomy - Composition, OSS & BSS subtree
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

| Name | Description |
|---|---|
| bss/billing | Business services to manage different types of charges for cloud-based resources relevant to a given customer. |
| bss/location | Business services to manage the location, physical or virtual, of cloud-based resources as well as clients (e.g., mobile devices). |
| bss/metering | Business services to manage the measurement of cloud-based resources (e.g., utilization, transactions, performance, etc.), often to determine how to bill for service usage. |
| composition/orchestration | Composition services that automate the management of complex applications, services, platforms and/or infrastructures to align them to fulfill business and service agreements and operational policies. |
| composition/workflow | Composition services that sequence connected steps that support management of a document (e.g., transaction, order, service template, etc.) through a complex system of applications, services, platforms and/or infrastructures. |
| oss/capacity | Operational services that ensure that the resource capacity allocated to an application (including compute, storage and networking resources) matches its current utilization. |
| oss/configuration | Operational services that manage and monitor configuration changes on applications to avoid incompatibilities that can result in reduced performance or compliance failures. |
| oss/logging | Operational services that capture or record information and identifying data about actions that occur in a system. This includes data that could be, or contribute to, auditable event records. |
| oss/monitoring | Operational services that monitor to ensure the availability of services and that they are provided in accordance with the terms of Service Level Agreements (SLAs). |
| oss/virtualization | Operational services that manage virtualization of 'compute', 'storage', and 'network' infrastructure. |
| bss/crm | Customer Relationship Mgmt. (CRM) Services (example extension of the "bss" classification). |
| bss/erp | Enterprise Risk Mgmt. (ERM) Services (example extension of the "bss" classification). |
| bss/srm | Service Request Mgmt. (SRM) Services (example extension of the "bss" classification). |
40. CADF Resource Taxonomy - Data subtree (1 of 2)
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

| Name | Description |
|---|---|
| catalog | A data resource used to register resources along with information or metadata about them and perhaps provide links to them. |
| config | A data resource that contains information such as settings and parameters that could be used for configuring a resource (or parts of it). |
| directory | The parent classification for all directory related data objects. |
| file | A logical block of data for storing information in a filesystem, which is available to computer programs. |
| image | A readily usable or processable set of data that can be easily transferred between processing domains. |
| log | A data resource used to record events from automated computer programs. Typically used to provide an audit trail that can be used to understand the activity of a system and to diagnose problems. |
| message | A block of information that is transmitted over a connection between networked endpoints. |
| message/stream | A continuous message or series of messages between networked endpoints. |
| module | A portion of a program typically aligned with a specific functional set. |
| package | A wrapped collection of files and data, along with metadata, meaningful to the processing domain that will utilize it. |
41. CADF Resource Taxonomy - Data subtree (2 of 2)
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

| Name | Description |
|---|---|
| report | A data resource that contains one or more event records that are compiled with other auditing information in response to some step within an auditing process. |
| template | A data resource that serves as a pattern, stencil, or gauge for instantiating a new resource or set of resources. For example, a template that describes the topology and relationships of an application's services and its network to a cloud provider for deployment and management. |
| workload | A set of data that represents the amount of work that computational nodes can consume at a given time. |
| workload/application | A workload that performs a wide range of operations, some of which may be exported as services. |
| workload/service | A workload that performs a single or a few specialized operations. See A.2.10 when specific services are described in events apart from generic management as compute workloads. |
| database (obj) | The parent classification for all database-related data objects. See clause A.2.13 ("Database (data object) subtree classifications"), which shows the full set of database-related classifications. |
| security (obj) | The parent classification for all security-related data objects. See clause A.2.12 ("Security (data objects) subtree classifications"), which shows the full set of security-related classifications. |
42. CADF Resource Taxonomy - Security subtree
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

| Name | Description |
|---|---|
| account | Represents a business agreement for providing regular services between a provider and consumer. |
| acc/user | An account representing a person assigned access to use cloud resources or applications. |
| acc/admin | An account representing a person assigned administrative access to resources. |
| credential | Represents security data that is transferred to establish a claimed identity. [SAML Gloss] |
| group | Represents named groups to which users or roles can be assigned that carry access rights or entitlements its members inherit. |
| identity | Represents the essence of an entity (e.g., a user or service) and may describe the entity's characteristics and properties. |
| key | A secret token used to protect data, typically through signing or encryption. The key (or its public variant) can be provided to one or more parties to enable access to the protected data. |
| license | Represents an authorization or permission to do something on, or with, somebody else's resources. |
| policy | Represents security data that contains rules and procedures that regulate resources within a system. |
| profile | Represents security data that defines extended rules, constraints or properties that apply to particular domains. |
| role | Represents named jobs or functions users may be assigned. A role may carry access rights and entitlements that users inherit from being assigned to that role. |
| node | Represents a network node (e.g., router, server, etc.) acting with some (perceived) credential or authority to perform some action against another resource. This would be used if limited information is known to the event's observer (e.g., perhaps only an endpoint address is known). |
43. CADF Resource Taxonomy - Database subtree
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

| Name | Description |
|---|---|
| alias | An alias is an alternative name for an object such as a table, a view or another alias. It can be used to reference an object wherever that object can be referenced directly. |
| index | A set of pointers that are logically ordered by the values of one or more keys. They are typically used to improve performance and ensure key uniqueness. |
| instance | A logical representation of the structures, memory and storage used to realize a database, its objects and data. |
| key | A property used to identify data stored in a database table. Typically, each table has a primary key that uniquely identifies records. |
| routine | An executable database object that performs operations on other database objects. |
| schema | A collection of named objects that are grouped logically. A schema is also a name qualifier; it provides a way to use the same natural name for several objects, and to prevent ambiguous references to those objects. |
| sequence | A stored object that simply generates a sequence of numbers in a monotonically ascending (or descending) order. Sequences provide a way to have the database manager automatically generate unique keys and to coordinate keys across multiple rows and tables. |
| table | A logical structure made up of columns and rows. At the intersection of every column and row is a specific data item called a value. There is no inherent order of the rows within a table. |
| view | An alternative way of looking at the data in one or more tables. |
44. CADF Action Taxonomy hierarchy (1 of 3)
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

| Name | Description |
|---|---|
| create | The target resource described in the event was created (or an attempt was made to do so) by the initiator resource. |
| read | Data was read from the target resource by the initiating resource (or an attempt was made to do so). |
| update | One or more of the target resource's properties were modified or changed by the initiator resource. |
| delete | The target resource described in the event was deleted (or an attempt was made to do so) by the initiator resource. |
| monitor | The target resource is the subject of a monitoring action from the initiating resource. |
| backup | The target resource described in the event is being persisted to storage without regard to environment, context, or state at the time of storage. |
| capture | The target resource described in the event is being persisted to storage along with relevant environment and state information (e.g., program settings, network state, memory/cache, etc.). Conceptually, a "snapshot" of the resource is being captured at a moment in time. |
| configure | The target resource described in the event is being set up to enable it to run on a particular environment or for a particular application or use. |
| deploy | The target resource is being positioned or made available for use by the initiator resource, but is not yet started. |

Legend (action groups on this slide): General Resource Mgmt; Monitoring; Workload & Data Mgmt
45. CADF Action Taxonomy hierarchy (2 of 3)
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

| Name | Description |
|---|---|
| disable | The initiator resource is causing the target resource [that has been started] to disallow or block some set of functions. |
| enable | The target resource (that has been started) is being changed by the initiator resource to allow or permit some set of functions. |
| restore | The initiator is requesting that the target resource (or some portion of it) be restored from persistent storage. |
| start | The target resource is being made functional by the initiator resource and able to perform or execute operations. |
| stop | The initiator resource is causing the target resource to no longer be functional or able to perform or execute operations. |
| undeploy | The initiator resource is causing the target resource to no longer be positioned or available for use. |
| receive | The initiator resource is receiving a message or data from the target resource. Note that this is a separate action from any action the receiver performs based upon the content of the message or with the data. |
| send | The initiator resource is transmitting a message or data to the target resource. Note that this is a separate action from that of "creating" the message. |

Legend (action groups on this slide): Messaging; Workload & Data Mgmt
46. CADF Action Taxonomy hierarchy (3 of 3)
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

| Name | Description |
|---|---|
| authenticate | The initiator resource is causing the target resource [that has been started] to disallow or block some set of functions. |
| login | An extension of the authenticate action. |
| renew | A security request from the initiator resource to renew a resource's identity, credentials, or related attributes or privileges, sent to the target resource (an authority). |
| revoke | A security request from the initiator resource to remove entitlements or privileges from a resource's identity and/or credentials, sent to the target resource (an authority). |
| allow | Indicates that the initiating resource has allowed access to the target resource. |
| deny | Indicates that the initiating resource has denied access to the target resource. |
| evaluate | Indicates the evaluation or application of a policy, rule, or algorithm to a set of inputs. |
| notify | Indicates that the initiating resource has sent a notification based on some policy or algorithm application; perhaps it has generated an alert to indicate a system problem. |
| unknown | Indicates that the OBSERVER of the event is not, to the best of its ability, able to classify the exact action for the actual event it is reporting using any other valid action taxonomy value. |

Legend (action groups on this slide): Security Identity; Security, Policy, Access Control
47. CADF Outcome Taxonomy hierarchy
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

| Value | Description |
|---|---|
| success | The attempted action completed successfully with the expected results. |
| failure | The attempted action failed due to some form of operational system failure or because the action was denied, blocked or refused in some way. |
| unknown | The outcome of the attempted action is unknown and it is not expected that it will ever be known. |
| pending | The outcome of the attempted action is unknown, but it is expected that it will be known at some point in the future. A future event correlated with the current event may provide additional detail. |
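As an added example (not code from the slides or from the DMTF specification), the resource, action and outcome taxonomies above are used to check constructed CADF events for conformance and to run a simple detection over the audit trail (failed logins per initiator). The event field names (action, outcome, initiator, target, observer, typeURI, id) are assumed from the DSP0262 event model, the joining of sub-nodes with "/" is an assumption, and all sample events are constructed.

```python
"""Taxonomy checks over constructed CADF audit events (added example).

The resource paths, actions and outcomes below are the values listed on the
slides (a subset of the full DSP0262 taxonomy). The event field names
(action, outcome, initiator, target, observer, typeURI, id) are assumed from
the DSP0262 event model, not taken from the slides.
"""
from collections import Counter

# Resource taxonomy paths from the Network, Service, Data, Security and
# Database subtree slides (assumption: sub-nodes are joined with "/").
RESOURCE_PATHS = {
    "network/node", "network/host", "network/connection", "network/domain",
    "network/cluster",
    "service/bss", "service/bss/billing", "service/bss/metering",
    "service/compute", "service/database", "service/image", "service/network",
    "service/oss", "service/oss/logging", "service/oss/monitoring",
    "service/security", "service/storage", "service/storage/block",
    "data/catalog", "data/config", "data/file", "data/log", "data/message",
    "data/report", "data/template", "data/workload",
    "data/security/account", "data/security/account/user",
    "data/security/account/admin", "data/security/credential",
    "data/security/key", "data/security/policy", "data/security/role",
    "data/database/table", "data/database/schema", "data/database/view",
}
ACTIONS = {
    "create", "read", "update", "delete", "monitor", "backup", "capture",
    "configure", "deploy", "disable", "enable", "restore", "start", "stop",
    "undeploy", "receive", "send", "authenticate", "login", "renew",
    "revoke", "allow", "deny", "evaluate", "notify", "unknown",
}
OUTCOMES = {"success", "failure", "unknown", "pending"}


def validate_event(event):
    """Return the list of taxonomy violations; an empty list means conformant."""
    problems = []
    if event.get("action") not in ACTIONS:
        problems.append("action not in CADF action taxonomy: %r" % event.get("action"))
    if event.get("outcome") not in OUTCOMES:
        problems.append("outcome not in CADF outcome taxonomy: %r" % event.get("outcome"))
    for role in ("initiator", "target", "observer"):
        res = event.get(role) or {}
        if res.get("typeURI") not in RESOURCE_PATHS:
            problems.append("%s typeURI not in CADF resource taxonomy" % role)
    return problems


def failed_logins_by_initiator(events, threshold=3):
    """Initiator ids with at least `threshold` events of action 'login' and
    outcome 'failure' (a simple detection over the audit trail)."""
    counts = Counter(e["initiator"]["id"] for e in events
                     if e.get("action") == "login" and e.get("outcome") == "failure")
    return {who: n for who, n in counts.items() if n >= threshold}


# Constructed sample events (not real audit data): three failed logins and
# one success by the same user account against the identity service, plus
# one event whose action is outside the taxonomy.
SAMPLE_EVENTS = [
    {"action": "login", "outcome": outcome,
     "initiator": {"id": "user-42", "typeURI": "data/security/account/user"},
     "target": {"id": "idp-1", "typeURI": "service/security"},
     "observer": {"id": "audit-1", "typeURI": "service/oss/logging"}}
    for outcome in ("failure", "failure", "failure", "success")
] + [
    {"action": "shutdown", "outcome": "success",
     "initiator": {"id": "admin-7", "typeURI": "data/security/account/admin"},
     "target": {"id": "vm-9", "typeURI": "service/compute"},
     "observer": {"id": "audit-1", "typeURI": "service/oss/logging"}},
]
```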
48. 10 Steps to Manage Cloud Security (1 of 2)

| Focus areas | Standards | Certifications |
|---|---|---|
| Step 1: Ensure effective governance, risks & compliance | ISO 38500 – IT Governance; COBIT; ITIL (ISO 27002); ISO 20000-7 & ISO 20000-11 (in devl); SSAE 16; PCI-DSS | ISO 27002 (ISO 27017); SSAE 16; HIPAA; PCI-DSS; FedRAMP; FISMA |
| Step 2: Audit operational and business processes | DMTF Cloud Auditing Data Federation (CADF) | ISO 27002 (ISO 27017); SSAE 16 |
| Step 3: Manage people, roles and identities | ISO 27002; IAM: Kerberos, LDAP, SAML 2.0, OAuth 2.0, WS-Federation, OpenID Connect; SCIM; Active Directory Federated Services (ADFS2); XACML; PKCS, X.509, OpenPGP | ISO 27002 (ISO 27017) |
| Step 4: Ensure proper protection of data & information | ISO 27002 / 27017 (in devl); Data in motion: HTTPS, SFTP, VPC using IPSec or SSL; US FIPS 140-2; OASIS KMIP | ISO 27002 (ISO 27017) |

Ref: Cloud Standards Customer Council, http://www.cloud-council.org/Cloud_Security_Standards_Landscape_Final.pdf
49. 10 Steps to Manage Cloud Security (2 of 2)

| Focus areas | Standards | Certifications |
|---|---|---|
| Step 5: Enforce privacy policies | Personally Identifiable Information (PII); U.S. – EU Safe Harbor framework; ISO 27018 (in devl) | TRUSTe Safe Harbor certification seal program; ISO 27018 (in devl) |
| Step 6: Assess the security provisions for cloud apps | NIST Guidelines on Firewalls and Firewall Policy; Open Web Application Security Project (OWASP); OVF 2.0 & OASIS TOSCA | ISO 27002 (ISO 27017) |
| Step 7: Ensure cloud networks and connections are secure | ISO 27001 & 27002; ISO/IEC 27033-1/2/3; FISMA (FIPS 199 & 200); OpenFlow, TM Forum Frameworx, NIST SP 800-53 | ISO 27002 (ISO 27017) |
| Step 8: Evaluate security controls on physical infrastructure & facilities | ISO 27002; ISO 27017 & 18 (in devl) | ISO 27002 (ISO 27017) |
| Step 9: Manage security terms in the cloud SLA | CSCC Practical Guide to SLA; ISO 27004, NIST SP 800-55; CIS Consensus Security Metrics; ENISA | ISO 27002 (ISO 27017); SSAE 16 (financial) |
| Step 10: Understand the security requirements of the exit process | None; ISO SC38 WG3 (future) | None |

Ref: Cloud Standards Customer Council, http://www.cloud-council.org/Cloud_Security_Standards_Landscape_Final.pdf
50. References
• Cloud Standards Customer Council (CSCC) Cloud Security Standards
• Cloud Auditing Data Federation
• NIST Cloud Computing Standards Roadmap
• Detailed CSA TCI Reference Architecture
• Payment Card Industry (PCI) Data Security Standards (DSS) Guidelines
• OpenStack wiki
• OpenStack Main Page
• OpenStack Developers Guides
• Cloud Audit Data Federation - OpenStack Profile
• Cloud Auditing Data Federation (CADF) - 5 Data Format and Interface Definitions Specification (DSP0262_1.0.0)
• CADF Event Model and Taxonomies
• NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
51. References & Credits
52. Conclusion
• The world is becoming more digital
• Cloud is all about services and service delivery
• The cloud is only worth the services it delivers
• Cloud is all about a hybrid world
53. Thank you
sukumar.nayak@hp.com
sukumar.nayak@gmail.com
240.506.2305
linkedin.com/in/sukumarnayak/
54. Backup
55. Cloud expected benefits and trade-offs

Expected Benefits:
• Economies of Scale
• Multi-Tenancy
• Capacity Utilization
• "Zero" capex model
• Long term Total Cost of Ownership for IT Services
• Lower barriers to entry for new business models which were constrained by the IT resources in the past
• Allows Businesses to focus more on their core competencies
• Speed and Flexibility of business Changes
• On Demand self service
• Automation
• Standardization
• Elasticity
• Pay per Use Model
• Reduced time to market
• Efficiency in global communication and collaboration

Potential risks & trade-offs:
• Security, Privacy, and Data Confidentiality
• Loss of Control & Governance
• Vendor Lock-in
• Management Interface Compromise
• Incomplete or Insecure Data Deletion, Data Protection
• Malicious Insider & Investigative Support
• Segmentation or Isolation Failure
• Availability, Reliability, Speed, Cost
• Learning Curve
• Quality of support
• Change in organization culture
• Interoperability Standards; Portability for Legacy IT in Clouds
• Shift in Liability
• Regulatory Compliance
• Transparent Infrastructure Scalability
• Application Deployment Mechanisms
• Economic Modeling of new Market
56. OpenStack Feature Releases

| Release | Date | Projects |
|---|---|---|
| Austin | Nov 2010 | Nova and Swift |
| Bexar | Feb 2011 | Nova, Swift, and Glance |
| Cactus | Apr 2011 | Nova, Swift, and Glance |
| Diablo | Sep 2011 | Nova, Swift, and Glance |
| Essex | Apr 2012 | Nova, Swift, Glance, Horizon, and Keystone |
| Folsom | Sep 2012 | Nova, Swift, Glance, Horizon, and Keystone |
| Grizzly | Apr 2013 | Nova, Swift, Glance, Horizon, and Keystone |
| Havana | Oct 2013 | Nova, Swift, Glance, Horizon, Keystone, Heat, Ceilometer, Neutron, and Cinder |
| Icehouse | Apr 2014 | Nova, Swift, Glance, Horizon, Keystone, Heat, Ceilometer, Neutron, Cinder, and Trove |
| Juno | Nov 2014 | Nova, Swift, Glance, Horizon, Keystone, Heat, Ceilometer, Neutron, Cinder, Trove, and Sahara |
| Kilo | Apr 2015 | TBD |
57. NIST CC Security Reference Architecture
[Diagram: actors are Cloud Consumer, Cloud Provider, Cloud Auditor (Security Audit, Privacy Impact Audit, Performance Audit), Cloud Broker (Service Intermediation, Service Aggregation, Service Arbitrage) and Cloud Carrier. The Cloud Provider comprises Cloud Orchestration (Service Layer: SaaS, PaaS, IaaS; Resource Abstraction and Control Layer; Physical Resource Layer: Hardware, Facility), Cloud Service Management (Business Support; Provisioning/Configuration; Portability/Interoperability) and Cross Cutting Concerns: Security, Privacy, etc.]
58. NIST CC Security Reference Architecture
59. Cloud Security Alliance TCI Reference Architecture
Legend: CSA: Cloud Security Alliance; TCI: Trusted Cloud Initiative
Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI-Reference-Architecture-v1.1.pdf
60. Planning Guide for Infrastructure as a Service (IaaS)
Source: http://blogs.technet.com/b/privatecloud/archive/2012/04/05/planning-guide-for-infrastructure-as-a-service-iaas.aspx
61. Cloud Computing Audit Checklist
Ref Book: Auditing Cloud Computing: A Security and Privacy Guide by Ben Halpert and Jeff Fenton
Source: http://onlinelibrary.wiley.com/doi/10.1002/9781118269091.app1/pdf
• Cloud-Based IT Audit Process (11)
• Cloud-Based IT Governance (4)
• System and Infrastructure Life Cycle Management for the Cloud (3)
• Cloud-Based IT Service Delivery and Support (5)
• Protection and Privacy of Information Assets in the Cloud (5)
• Business Continuity and Disaster Recovery (4)
• Global Regulation and Cloud Computing (5)
• Cloud Morphing: Shaping the Future of Cloud Computing Security and Audit (4)
62. Cloud Security's Split Responsibilities
Source: http://interconnectgo.com/wp-content/uploads/2015/01/Cloud-Cloud-Security-White-Paper.pdf
63. How the Audit Filter Pushes Audit Events to Ceilometer
Source: https://wiki.openstack.org/w/images/e/e1/Introduction_to_Cloud_Auditing_using_CADF_Event_Model_and_Taxonomy_2013-10-22.pdf
64. CADF API Auditing with Ceilometer - How it works
Source: https://wiki.openstack.org/w/images/e/e1/Introduction_to_Cloud_Auditing_using_CADF_Event_Model_and_Taxonomy_2013-10-22.pdf
65. Audit approaches
• Standardized/automated format: Security Content Automation Protocol (SCAP), CloudTrust, …
• Audit and assurance initiatives
• Cloud-specific questionnaires: CloudAudit, ENISA AF, ISACA, …
• Non-cloud-specific: ISO 27001, FISMA, PCI, NIST 800-53, …
