NATOA
TRANSCRIPT
Session Four
Heads in the iCloud
Moderated by Sonny Segal, Chief Information Officer, Montgomery County, Maryland
Introductions
• Mr. John W. Lainhart IV, IBM Global Business Services; Partner, Cybersecurity & Privacy; Public Sector Cybersecurity & Privacy Service Area Leader; Bethesda, MD 20817
• Mr. Peter Romness, Cisco Systems, Inc.; Business Development Manager, Public Sector Cybersecurity; Herndon, VA
• Mr. Jeff Stratton, Lockheed Martin Information Systems & Global Solutions (IS&GS) Civil; Manager, Comprehensive Cyber Security Services (CS)2; Gaithersburg, MD
Types of Clouds
• Public cloud: A cloud infrastructure shared by the general public or industry, typically owned and managed by an organization that sells cloud services.
• Community cloud: A cloud infrastructure shared exclusively by certain groups, such as civil agencies or others with like missions, and managed by the group or a third party. It can be hosted on or off premises.
• Private cloud: Cloud resources confined inside a firewall with private control over the cloud infrastructure. Some organizations run their data centers as a private cloud.
• Hybrid cloud: An approach that uses a public cloud for some services, such as general business needs, but uses a private data center for others, such as storage of sensitive data.
• Government cloud: There is no specific certification for this.
Courtesy: Microsoft, Inc.
Potential Benefits
• Citizen services: Drive innovation with data services in the cloud that citizens can reuse. Offer your own data mashups on a portal.
• Infrastructure: Get IT resources when needed. Pay only for what you use. Reduce the need to build, manage, and support data centers. Consolidate budget and facilities.
• Flexibility: Adjust resources up and down to meet real-time needs; offload onsite data to the cloud; access via web browser from anywhere for remote work and continuity of operations.
• Collaboration: Communicate and collaborate more effectively; employees can access work the same way they access personal information.
Courtesy: Microsoft, Inc.
Potential Benefits (2)
• Disaster recovery / Continuity of operations: Centralized data storage, management, backups, and data recovery during disruptions.
• Applications and content: Rather than waiting in the software procurement line, get hosted software, datasets, and services as they are released so you can focus on your mission.
• Policies and regulations: Cloud computing can help meet compliance requirements.
• Creative IT: Centrally managed; frees IT staff from "keep-the-lights-on" work for creative problem-solving.
• Secure-ability: Better secure-ability in the cloud, according to Vivek Kundra, former U.S. CIO.
• Speed of platform delivery: Data-intensive computing in the cloud can be six times faster than in isolated data centers.
Courtesy: Microsoft, Inc.
Security Considerations
• Integration. With security and identity management technologies, e.g., Active Directory, and controls for role-based access and entity-level applications.
• Privacy. Data encryption, effective data anonymization, and mobile location privacy (compliance with the Privacy Act of 1974).
• Identity and access. Means of preventing inadvertent access. Can you federate across different services and from your internal environment to the cloud? How are the databases protected from unauthorized access?
• Compliance. What certifications does your provider possess? How do you handle dispute resolution and liability issues? What industry or government standards must you comply with? Are there clearly defined metrics for cloud service monitoring? How are e-discovery and criminal compliance requests handled? What are the processes for moving into the cloud and back out? Are backups purged? What requirements apply to the physical location of your data?
Courtesy: Microsoft, Inc.
Security Considerations (2)
• Service integrity. How is the software protected from corruption (malicious or accidental)? How does your provider ensure the security of the written code? How do they do threat modeling? What is the hiring process for the personnel doing administrative operations? What levels of access do they have?
• Jurisdiction. The location of a cloud provider's operations can affect the privacy laws that apply to the data it hosts. Does your data need to reside within your legal jurisdiction? Federal records management and disposal laws may limit the ability of agencies to store official records in the cloud.
• Information protection. Who owns your data? Can it be encrypted? Who has access to encryption keys? Where is the backup located, and do you have an on-premise backup? How is
Courtesy: Microsoft, Inc.
Other Considerations
• Compliance: HIPAA, SOX, and FISMA requirements, and FISMA accreditation and certification. Data centers' Statement on Auditing Standards (SAS) 70 and International Standards Organization (ISO) 27001 certification, audited by independent, third-party security organizations.
• Uptime: Guaranteed 99.9 percent uptime at data centers outfitted to operate during power outages and after natural disasters. Data replication between primary and secondary data centers for redundancy, without storing any data off-site.
• Data with or without borders: Is data guaranteed to stay within U.S. borders? Multiple data centers across the U.S. provide reliability and failover for government customers. Is the chain of custody for documents preserved when moving documents between on-premise and cloud? Do documents retain their format/fidelity for investigations and FOIA requests?
• How green is the cloud? Designed to reduce energy consumption (typically 25–40%) compared to traditional facilities.
• Who's who in your cloud? Who else is in the cloud?
Courtesy: Microsoft, Inc.
Contractual Safeguards
• Service Level Agreement. SLAs should include availability of services, permissible failure rate, response time on malfunction, and recovery time on crash.
• Security and privacy protection. SLAs should define security-relevant aspects and privacy protection agreements. The provider should agree to update its security strategy in line with technological developments.
• Penalties for non-compliance. Agree on penalties if the provider fails to deliver on contract terms.
• Sub-contracting. Agree whether and in what form the provider may subcontract certain services. Subcontractors must provide the same level of protection as the provider itself, e.g., HIPAA compliance.
• Monitoring rights. Ensure the customer has the contractual right to monitor the cloud provider's data-processing activities, including its protective measures. Relying on the service provider's own reports is insufficient.
• Contract term and return of data. The contract must include its duration and exactly how data is to be returned or deleted when the contract expires or if the provider's business model changes.
• Exit strategy. Early return of data if the provider and/or subcontractor goes out of business or merges.
Courtesy: Internet Revolution
Secure IBM Clouds: IBM Security Solutions
• Leading portfolio of products and services to help secure cloud environments. Allows customers to address concerns when adopting private, public and hybrid cloud services by adopting security controls to match the requirements of the workload.
• Leveraging IBM's deep security skillset, hosting and strategic outsourcing experience, broad security portfolio, history of security innovation, and commitment to client trust as the foundation for building security into all cloud offerings.
• To address these concerns, IBM is working with clients as both a cloud service provider and trusted advisor.
• IBM Security Framework (Cloud Security On Ramps); IBM Cloud Reference Model (Foundational Security Controls); Capabilities; Knowledge.
• IBM SmartCloud provides a robust platform for the full IBM cloud portfolio, built on the IBM cloud reference model.
IBM Cloud Reference Model
Service layers: Business Process as a Service; Software as a Service; Platform as a Service; Infrastructure as a Service.
Cross-cutting concerns: management, support and deployment; security and isolation; availability and performance; technology platform; payment and billing.
Adoption patterns are emerging and each pattern has its own set of key security concerns:
• Cloud Enabled Data Center (Infrastructure as a Service, IaaS): Cut IT expense and complexity through cloud data centers. Integrated service management, automation, provisioning, self service. Key security focus, infrastructure and identity: manage datacenter identities; secure virtual machines; patch default images; monitor logs on all resources; network isolation.
• Cloud Platform Services (Platform as a Service, PaaS): Accelerate time to market with cloud platform services. Pre-built, pre-integrated IT infrastructures tuned to application-specific needs. Key security focus, applications and data: secure shared databases; encrypt private information; build secure applications; keep an audit trail; integrate existing security.
• Cloud Service Provider: Innovate business models by becoming a cloud service provider. Advanced platform for creating, managing, and monetizing cloud services. Key security focus, data and compliance: isolate cloud tenants; policy and regulations; manage security operations; build compliant data centers; offer backup and resiliency.
• Business Solutions on Cloud (Software as a Service, SaaS): Gain immediate access with business solutions on cloud. Capabilities provided to consumers for using a provider's applications. Key security focus, compliance and governance: harden exposed applications; securely federate identity; deploy access controls; encrypt communications; manage application policies.
For U.S. Federal Government there is also FedRAMP
• FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
• The JAB (Joint Authorization Board) is the primary governance group of the FedRAMP program, consisting of the chief information officers for the:
  – Department of Defense,
  – Department of Homeland Security, and
  – U.S. General Services Administration.
FedRAMP Program Goals
• Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
• Increase confidence in security of cloud solutions
• Achieve consistent security authorizations using a baseline set of agreed upon standards to be used for cloud product approval in or outside of FedRAMP
• Ensure consistent application of existing security practices
• Increase confidence in security assessments
• Increase automation and near real-time data for continuous monitoring
FedRAMP Program Benefits
• Increases re-use of existing security assessments across agencies
• Saves significant cost, time and resources – "do once, use many times"
• Improves real-time security visibility
• Provides a uniform approach to risk-based management
• Enhances transparency between government and cloud service providers (CSPs)
• Improves the trustworthiness, reliability, consistency, and quality of the Federal security authorization process
FedRAMP Security Control Pyramid Summary
• IaaS: Provides on-demand processing, storage, networks, and other fundamental computing resources. 9 FedRAMP IaaS CSPs*
• PaaS: Tools and services designed to make coding and deploying applications (SaaS, web apps, DBs) quick and efficient, e.g. PureApp / System, Big Data. 1 FedRAMP PaaS CSP*
• SaaS: Applications designed for end-users, delivered over the web. 1 FedRAMP SaaS CSP*
*CSP numbers as of 7 Jan 2014, http://www.gsa.gov/portal/category/105279
Security Control Pyramid: The number of controls the client is responsible for reduces as more cloud services are purchased. From the bottom of the pyramid up: IaaS controls, PaaS controls, SaaS controls, client controls.
Security Control Count (total; base, enhancements):
• FISMA (NIST 800-53 r3) MODERATE: 252 (159 base, 93 enhancements)
• FedRAMP (Cloud) MODERATE: 297 (168 base, 129 enhancements)
• The more cloud services a client purchases, the fewer controls they will be responsible for.
• Each service builds on the foundation below it.
• The client will always be responsible for their personnel and facilities.
Peter Romness
Business Development Management
Public Sector Cybersecurity
Cisco Systems Inc.
Cybersecurity In a Cloud Environment
DC | Cloud Transition
• Unifying the network services
• Securing multi-tenancy designs
• Extending security posture
[Slide graphic: the transition from physical to virtual to cloud across workloads, apps/services and infrastructure, with public, private and hybrid tenants; themes of agility, flexibility, automation, efficiency, visibility, consistency, consolidation, cost reduction and elasticity.]
IT Megatrends are creating the "Any to Any" problem
• Endpoint proliferation
• Blending of personal & business use
• Access assets through multiple mediums
• Services reside in many clouds
Market Direction: Integrated Platforms - Threat Centric
Evolution: Firewall, then Content Gateways, then Integrated Platform, then Virtual, then Cloud; spanning device, data center and network.
• Access control: firewall
• Content aware: applications
• Context aware: identity, data, location
• Threat aware: malware, APT
The New Security Model: the Attack Continuum
• BEFORE: Control, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Applies across network, endpoint, mobile, virtual and cloud; shifts from point-in-time to continuous protection.
Increase Telemetry for Analysis
[Slide graphic: Cyber Threat Defense; AI-based threat detection (future); Application Centric Infrastructure; identity; web reputation; global threat intelligence; next-generation firewall (FW); next-generation IPS and AMP (IPS); self-learning and evasion resistance.]
Lockheed Martin Comprehensive Cyber Security Services (CS)2
Lockheed Martin Proprietary Information
March 5th 2014, Jeff Stratton - Manager, (CS)2
High Level Approach
• The primary goal is to provide customers with a comprehensive assessment.
• Avoid surface-level penetration testing (when possible).
• Accurate and relevant reporting of results
  – No false positives
  – No inflated or deflated risks
• Remediation assistance
• Training for long-term security sustainment
  – Developers
  – System administrators
  – Leadership
  – STEM
Penetration Testing
• Simulate real-world threats against production-ready applications
• Determine feasibility of particular attack vectors
• Analyze system resilience to certain attacks
• Identify high-risk vulnerabilities – low hanging fruit
• Identify business logic flaws and access control flaws that scanners cannot easily assess
• The Problem:
  – You can hire 10 penetration testers and get 10 different results.
Types of Penetration Testing
• Blackbox Penetration Testing
  – Does not simulate adversaries
  – Because it's supposed to be stealthy, it only finds limited attack vectors; you just can't find it all and be quiet.
  – Testers always find one way in, but there could be 50 more.
  – Relying on blackbox testing for web apps is a big mistake!
  – Good for scaring the customer into spending more money
  – Unfortunately some organizations need this to get the money they need to do things right.
• Comprehensive Whitebox Testing
  – More effective at finding your most concerning issues
  – Testers have full knowledge of the environment, so they can quickly uncover major problems without wasting precious labor hours searching for them.
APT Simulation Testing
• Great for testing defenses
  – Focuses mainly on the response to the Kill Chain™ methodology
  – Not designed to be a comprehensive penetration test.
Code Review – Mobile and Web Applications
• Thoroughly inspect source code for vulnerabilities and eliminate them at their root level
• Analyze frameworks and software architecture for weaknesses
• Offer guidance at software architecture and code level to strengthen overall software security approach
Application Risk Analysis
• Holistic approach to software risk analysis
• Utilize all system artifacts (design, architecture, code, test environment)
• Utilize all security analysis techniques (architecture review, threat modeling, code review, pen-testing)
• Provides the most thorough understanding of system risks and vulnerabilities
Software Security Touchpoints
Touchpoints applied to each software artifact, with external review across the lifecycle:
• Requirements and use cases: abuse cases; security requirements
• Architecture and design: risk analysis
• Test plans: risk-based security tests
• Code: code review (tools)
• Tests and test results: risk analysis; penetration testing
• Feedback from the field: security operations
Security Training
• Secure Coding and Secure Software Engineering
– Can be Customized specific to customer requirements
– Utilization of Customer Code Examples
– Specific Programming Languages and Frameworks
– Can also be based on vulnerabilities and findings in the Customer’s Environment.
– Help Developers understand how to consistently develop secure applications.
• Customized Network and Systems Security Training
– Network Segmentation
– Monitoring Capabilities
– Network and Application Layer Firewall Configuration
– General Network Security Engineering
– Wireless Security
– Vulnerability Management
Security In the Cloud
• If you are using a cloud, where is your data actually stored physically, from a brick-and-mortar perspective?
  – Is it even in the US?
  – Where are the datacenters?
• Who has access to it? Is it encrypted?
• Are you using shared databases, shared operating systems, shared applications, shared services?
• If another tenant gets compromised, is your data at risk?
  – Has the cloud service provider had "comprehensive" penetration testing performed?
• Is your environment meeting the compliance standards required for your business, set forth by federal, state and local regulations?
Certification, Accreditation and Audit Preparation
• NIST 800-53
• FedRAMP Certification
• FISMA Low, Moderate, High
• ISO 17799/27000 Series
(CS)2 History: A Wealth of Experience with Diversified Backgrounds Fused Together
• Cyber Monitoring & Analysis
• Information Design Assurance Red Team
• Counter Intelligence
• Initial CIRT/SIC Concept & Design
• Next Generation Intrusion Detection System Architect
• DNS Blocking & Intercept Concept
• LM Corporate Information Security SRT Red Team, ASE Team
• CEWL Support
• Reverse Engineering
• Vulnerability Research
• Web Application Security
• Commercial Cyber Security Consulting
• Source Code Analysis
• Software Architectural Review
• Secure Software Development Lifecycle
• Embedded Software Security Concepts
• JSF Software Security Program