Security POC
June 12, 2012

Matt Lowth, Principal Security Architect
Jeffrey Deacon, Chief Cloud Strategist
Albert Caballero, Chief Technology Officer
NAB and the ODCA

About Us
National Australia Bank Group (the Group) is a financial services organisation with over 12,000,000 customers and 50,000 people, operating more than 1,750 stores and Service Centres globally.

Currently developing our internal Private Cloud capability.

NAB and the ODCA
• Part of the ODCA as a Steering Committee Member since 2010.
• Chair of the Security Workgroup; helped develop the Security Usage Models.
Challenges and Role of Usage Models

Challenges
• A common understanding of security standards is a big hurdle to enterprise cloud adoption
• Very difficult to determine “what is secure”

Usage Models
• Usage models were developed to overcome these issues
• Provider assurance
• Security monitoring
• Bronze/Silver/Gold/Platinum assurance levels
ODCA Proof of Concept Process

Pre-engagement Match Making
• SP checklist submitted
• Members select SP
• Initiate kick-off meeting
• WG, steering committee notified

Project Planning
• Generate/agree on statement of work
• Determine PM method
• Generate test plan
• WG approval of test plan

Project Execution
• Acquire equipment, SW, and licensing
• Configure test bed
• Execute test plan/document

Project Closure
• Reports
• WG feedback
• Demos
• Other

REAL WORLD SOLUTIONS built on industry driven guidelines

PM = Project Management, SP = Solution Provider, SW = Software, WG = Work Group
ODCA Security POC Usage Model

Security Provider Assurance
• 26 security requirements
• 8 test cases

Security Monitoring
• Requires proof of achieving the requirements
• 2 success scenarios
Enterprise Cloud
Services




Terremark Vision for Enterprise Cloud

Core Capabilities
• Purpose-Built Data Centers
• Secure and Isolate Customer Data
• Automated and Efficient
• Programmable with Application Services

Attributes
• Global
• Extensible Hybrid Capability
• Service Levels
• Simplicity of Use
• Predictability and Control

Investment
• Expansion
• Expertise and People
• New Solutions and Markets

Globally Delivered from World-Class Facilities
Virtual Farm with Intelligent Networking
The Building Block of Your Environment

The virtual farm creates the individual customer network construct and delivers a secure and resilient configuration to access and protect customer data.

• Directly provisioned from the portal
• Carves out secure access to resources and creates the customer VLAN

Every virtual farm contains:
• Virtual Firewall
• Virtual Load Balancer

Two-tiered networking space:
• Trusted network, accessible only to other CaaS servers
• DMZ network (public IP-facing), which can be configured for public IP-facing applications

[Figure: Virtual Farm N. A Virtual Load Balancer and Virtual Firewall front a DMZ Network (Public IP-Facing) and a Trusted Network; Server Resources sit in each network, with Storage behind the Trusted Network.]

The Virtual Farm is a key part of the security story
ODCA Gold Provider Assurance
Terremark Verizon Managed Cloud
Cloud Subscriber Security Infrastructure

[Figure: network diagram. Elements shown: Internet, CP Firewall 01, ODCA Gold Firewall 01, CP Load Balancer, Remote Connections to Remote Sites, CP Firewall 02, ODCA Gold Firewall 02; a zone labelled DMZ and, behind ODCA Gold Firewall 02, a zone labelled Internal Network.]

Remote access hosts
• CP Bastion 01: Server OS Windows 2003, Role Remote Access
• CP Bastion 02: Server OS RH Linux, Role Remote Access

DMZ hosts
• SecApp01: Server OS Windows 2008, Role Security Management
• SecApp02: Server OS Windows 2003, Role ODCA Gold Demos
• WebApp01: Server OS RH Linux, Role Application Server
• WebApp02: Server OS RH Linux, Role Application Server

Internal Network hosts
• SecMgmt01: Server OS Windows 2003, Role Directory Services
• SecScanner01: Server OS Windows 2003, Role Vulnerability Scanner
• SecSIEM01: Server OS Windows 2008, Role Log Management
• SecPol01: Server OS Windows 2008, Role Policy Management
• SecDB01: Server OS Linux Red Hat 5.6, Role Database Server
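The two-tier segmentation from the Virtual Farm slide (trusted network reachable only from other CaaS servers, DMZ for public-facing applications) and the subscriber infrastructure drawn above can be expressed as a policy that a test case checks rather than a diagram that a reviewer eyeballs. The following Python is an added example, not code from the PoC, Terremark, Trapezoid or the ODCA. It uses the host names and roles on the diagram and places hosts in the DMZ and Internal (here "Trusted") zones according to the diagram's labels; placing the two bastions in the DMZ is an assumption, since the diagram does not label their zone, and the allow rules and port numbers are assumptions made for illustration, because the slides do not publish the firewall rule base.

```python
"""Zone-segmentation model for the two-tier virtual farm (added example).

Host names and roles come from the PoC diagram; zone placement follows
the diagram's DMZ / Internal Network labels, except the two bastions,
which are ASSUMED to sit in the DMZ. The allow rules and port numbers are
ASSUMPTIONS for illustration: the slides do not publish a rule base.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Trust ranking, least to most trusted. "Trusted" is the slide's trusted
# network that only other CaaS servers may reach.
ZONE_RANK: Dict[str, int] = {"Internet": 0, "DMZ": 1, "Trusted": 2}

# Host inventory from the diagram: name -> (zone, role).
HOSTS: Dict[str, Tuple[str, str]] = {
    "CP Bastion 01": ("DMZ", "Remote Access"),      # Windows 2003 (zone assumed)
    "CP Bastion 02": ("DMZ", "Remote Access"),      # RH Linux (zone assumed)
    "SecApp01":      ("DMZ", "Security Management"),
    "SecApp02":      ("DMZ", "ODCA Gold Demos"),
    "WebApp01":      ("DMZ", "Application Server"),
    "WebApp02":      ("DMZ", "Application Server"),
    "SecMgmt01":     ("Trusted", "Directory Services"),
    "SecScanner01":  ("Trusted", "Vulnerability Scanner"),
    "SecSIEM01":     ("Trusted", "Log Management"),
    "SecPol01":      ("Trusted", "Policy Management"),
    "SecDB01":       ("Trusted", "Database Server"),
}


@dataclass(frozen=True)
class Flow:
    src: str   # host name, or "Internet" for traffic from outside the farm
    dst: str   # host name
    port: int  # TCP destination port


# ASSUMED allow rules as (source zone, destination role, port). Anything
# crossing into a more trusted zone that matches none of these is denied:
# default-deny is the property the two-tier design is meant to give.
ALLOW: List[Tuple[str, str, int]] = [
    ("Internet", "Application Server", 443),  # public web tier
    ("Internet", "Remote Access", 22),        # bastion SSH (Linux bastion)
    ("Internet", "Remote Access", 3389),      # bastion RDP (Windows bastion)
    ("DMZ", "Database Server", 5432),         # app tier to database
    ("DMZ", "Log Management", 514),           # syslog forwarding to SIEM
    ("DMZ", "Directory Services", 389),       # LDAP lookups
]


def zone_of(name: str) -> str:
    return "Internet" if name == "Internet" else HOSTS[name][0]


def is_allowed(flow: Flow) -> Tuple[bool, str]:
    """Decide one flow against the model and say why."""
    src_zone = zone_of(flow.src)
    dst_zone, dst_role = HOSTS[flow.dst]
    # Traffic toward an equally or less trusted zone is not filtered here
    # (e.g. the scanner in the trusted zone probing the DMZ).
    if ZONE_RANK[src_zone] >= ZONE_RANK[dst_zone]:
        return True, f"{src_zone}->{dst_zone}: same or lower trust"
    # Two tiers means every inbound path terminates in the DMZ first; the
    # Internet never reaches the trusted network directly, whatever the port.
    if src_zone == "Internet" and dst_zone == "Trusted":
        return False, "Internet->Trusted: no direct path in a two-tier farm"
    for rule_src, rule_role, rule_port in ALLOW:
        if (rule_src, rule_role, rule_port) == (src_zone, dst_role, flow.port):
            return True, f"allowed by rule {rule_src}->{rule_role} tcp/{rule_port}"
    return False, (f"{src_zone}->{dst_zone} tcp/{flow.port} to {dst_role}: "
                   "no matching rule (default deny)")


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return the flows the model rejects, each with its reason."""
    rejected = []
    for flow in flows:
        ok, why = is_allowed(flow)
        if not ok:
            rejected.append((flow, why))
    return rejected


# Constructed sample flows, as a test plan or firewall log might list them.
SAMPLE_FLOWS: List[Flow] = [
    Flow("Internet", "WebApp01", 443),        # public web: allowed
    Flow("Internet", "WebApp01", 22),         # SSH to web tier from outside: denied
    Flow("Internet", "SecDB01", 5432),        # Internet straight to DB: denied
    Flow("WebApp01", "SecDB01", 5432),        # app tier to DB: allowed
    Flow("WebApp01", "SecMgmt01", 3389),      # RDP from DMZ to directory: denied
    Flow("SecScanner01", "WebApp02", 80),     # scanner probing DMZ: allowed
    Flow("CP Bastion 02", "SecSIEM01", 514),  # bastion syslog to SIEM: allowed
]

if __name__ == "__main__":
    for flow, why in audit(SAMPLE_FLOWS):
        print(f"REJECT {flow.src} -> {flow.dst} tcp/{flow.port}: {why}")
```

Running the module lists the three rejected sample flows. The check worth keeping from this is the unconditional Internet-to-Trusted deny: it holds no matter what is later added to the allow list, which is the property a provider assurance test case for the two-tier design should assert directly rather than infer by reading the rule base line by line.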
Testing Methodology

1. Assess Provider Assurance Requirements

2. Identify Security Technologies and Provider Policies Needed to Support the Solution

3. Implement ODCA Solution:
  • Trapezoid Interoperability Lab
  • Terremark Managed VMware Cloud
  • Applied Innovations HyperV Cloud

4. Security Monitoring
ODCA Gold Assurance: Challenges

Challenges
• Providers don’t yet implement many of the security requirements
• Surfacing per-subscriber data from tools that aren’t truly multi-tenant
• All security requirements need to be in place before the security monitoring reports can be produced

Proof of Concept Steps
1. Multiple service providers
2. 8 test cases covering the provider assurance requirements
3. Subscriber validation of requirements
4. Also designing a portal that provides a web interface to the tools, with multiple views and reports, for Platinum ODCA
ODCA Gold Assurance: Results

• Currently no service providers are meeting all of the requirements
• Service providers must work more closely with the cloud subscriber
• Third-party security providers can help facilitate the process by adding the layers of security required by each assurance level
Impact of PoC

• The usage model was developed with the best of intentions: its elements are well defined, however some controls are difficult to assess and/or implement
• The purpose of the PoC was to determine whether the standards we’d created were implementable: further refinement of the usage model is to come, to allow broader adoption of these tiered offerings, including a distinction between managed and unmanaged service
RFP / Adoption

• Additional refresh of the usage model to take into account the results of the PoC
• RFP requirements also refined as part of this process

Your Opportunity:
Learn from this POC to form your organizational strategy.
Demand secure and standard solutions based on ODCA requirements.
Thank You




Resources

PRIORITIZE
• Learn the latest about ODCA requirements at www.opendatacenteralliance.org
• Use the ODCA PEAT Tool for upcoming RFPs

DELIVER
• Explore the latest solutions at ODCA's Cloud Expo Showcase, Booth #411

SHARE
• Actively participate in today's sessions: #Forecast12
• Scale your knowledge with ODCA MEET
Forecast 2012 Panel: Security POC NAB, Terremark, Trapezoid

  • 1.
    Security POC June 12, 2012 Matt Lowth Jeffrey Deacon Albert Caballero Principal Security Architect Chief Cloud Strategist Chief Technology Officer 1
  • 2.
  • 3.
    NAB and theODCA About Us NAB and the ODCA National Australia Bank Group (the Group) is a financial services Part of the ODCA as a Steering organisation with over Committee Member since 2010. 12,000,000 customers and Chair of Security Workgroup and 50,000 people, operating more helped develop Security Usage than 1,750 stores and Service Models. Centres globally. Currently developing our Internal Private Cloud Capability. 3
  • 4.
    Challenges and Roleof Usage Models Challenges Usage Models • Common understanding • Usage models developed of security standards to overcome these issues is a big hurdle to enterprise cloud adoption • Provider assurance • Very difficult to determine • Security monitoring “what is secure” • Bronze/Silver/Gold/Platinum 4
  • 5.
    ODCA Proof ofConcept Process Pre-engagement Project Project Project Match Making Planning Execution Closure • SP checklist • Generate/Agree on • Acquire equipment, • Reports submitted statement of work SW, and licensing • WG feedback • Members select SP • Determine PM • Configure Test bed method • Demos • Initiate kick-off • Execute test meeting • Generate test plan plan/document • Other • WG, steering comm. • WG approval notified of test plan REAL WORLD SOLUTIONS built on industry driven guidelines PM = Project Management, SP= Solution Provider, SW = Software, WG = Work Group, 5
  • 6.
    ODCA Security POCUsage Model Security Provider Security Assurance Monitoring • 26 security requirements • Requires proof of achieving requirements • 8 test cases • 2 success scenarios 6
  • 7.
  • 8.
    Terremark Vision forEnterprise Cloud Core Capabilities Purpose-Built Data Centers Secure and Isolate Customer Data Automated and Efficient Programmable with Application Services Attributes Global Extensible Hybrid Capability Service Levels Simplicity of Use Predictability and Control Investment Expansion Expertise and People Globally Delivered New Solutions and Markets from World-Class Facilities 8
  • 9.
    Virtual Farm withIntelligent Networking The Building Block of Your Environment The virtual farm creates the individual customer network construct and delivers a secure and resilient configuration to access and protect customer data. Directly provisioned from the portal Virtual Farm N Virtual Carves out secure access to resources Load Balancer and creates customer VLAN Virtual Firewall Every virtual farm contains: • Virtual Firewall DMZ Network • Virtual Load Balancer Trusted (Public IP-Facing) Network Two-tiered networking space: Server Server • Trusted network accessible only to other CaaS servers Resources Resources • DMZ network can be configured for Public IP-facing applications Virtual Farm is key part of security story Storage 9
  • 10.
    ODCA Gold ProviderAssurance Terremark Verizon Managed Cloud Cloud Subscriber Security Infrastructure Internet CP Firewall 01 ODCA Gold Remote Connections Name: CP Bastion 02 Name: CP Bastion 01 Firewall 01 CP Load Server OS: RH Linux Server OS: Windows 2003 Balancer Remote Sites Role: Remote Access Role: Remote Access DMZ CP Firewall 02 SecApp02 SecApp01 WebApp02 WebApp01 Server OS: Windows 2003 Server OS: Windows 2008 Server OS: RH Linux Server OS: RH Linux Role: ODCA Gold Demos Role: Security Management Role: Application Server Role: Application Server ODCA Gold Firewall 02 Internal Network SecMgmt01 SecScanner01 SecSIEM01 SecPol01 SecDB01 Server OS: Windows 2003 Server OS: Windows 2003 Server OS: Windows 2008 Server OS: Windows 2008 Server OS: Linux Red Hat 5.6 Role: Directory Services Role: Vulnerability Scanner Role: Log Management Role: Policy Management Role: Database Server 10
  • 11.
  • 12.
    Testing Methodology 1. AssessProvider Assurance Requirements 2. Identify Security Technologies and Provider Policies Needed to Support the Solution 3. Implement ODCA Solution: • Trapezoid Interoperability Lab • Terremark Managed VMware Cloud • Applied Innovations HyperV Cloud 4. Security Monitoring 12
  • 13.
    ODCA Gold Assurance:Challenges Providers don’t perform Proof of Concepts Steps many of the security requirements yet 1. Multiple service providers 2. 8 test cases covering provider assurance requirements Surfacing data from tools that aren’t truly multi- 3. Subscriber validation of tenant requirements 4. Also designing a portal that All security requirements provides a web interface to needs to be in place prior to tools that have multiple views the security monitoring and reports for Platinum ODCA reports 13
  • 14.
    ODCA Gold Assurance:Results Currently no service providers are meeting all of the requirements Service Providers must work more closely with cloud subscriber Third party security providers can help facilitate the process by adding layers of security required by each assurance level 14
  • 15.
    Impact of PoC Elements of usage model Usage model developed well defined, however some with best intention controls difficult to assess and/or implement Further refinement of the Purpose of the PoC was usage model to come to allow to determine whether the the more broad adoption standards we’d created of these tiered offerings, were implementable including distinction between managed/unmanaged service 15
  • 16.
    RFP / Adoption Additionalrefresh of usage model to take into account results of the PoC RFP requirements also refined as part of this process Your Opportunity: Learn from this POC to form your organizational strategy. Demand secure and standard solutions based on ODCA requirements 16
  • 17.
  • 18.
    Resources Learn the latest about ODCA requirements PRIORITIZE at www.opendatacenteralliance.org Use ODCA PEAT Tool for Upcoming RFPs DELIVER Explore the Latest Solutions at ODCA's Cloud Expo Showcase Booth #411 Actively Participate in Today's Sessions #Forecast12 SHARE Scale your Knowledge with ODCA MEET