sukumar nayak-agile-devops-cloud management
TRANSCRIPT
Security, Risk Management & Audit in the Crossroads of Agile, DevOps and Cloud Management
Sukumar Nayak, Chief Technologist Cloud Services Integration & Automation
Date Created: 04/21/2015
Date last updated: 07/14/2015
Agenda

Objective: Provide an overview of Agile, DevOps and Cloud Management from Security, Risk Management and Audit Compliance perspectives.

Scope:
• Motivation
• Agile Development
• The IT Industry Paradigm is Shifting
• DevOps
• Cloud Management
• Tools & Technologies in the New Style IT
• Standards & Compliance Controls
• Implementation best practices for Security & Audit in the Cloud
• Challenges and Opportunities for Security, Risk Management & Audit practices
• Q&A
Audience Poll

What is your primary role at your company?
• Technologist, CTO
• Finance, CFO
• Audit, CFO
• Security & Compliance, CISO, CCO
• IT Operation, CIO
• Business Services, Executive
• Consultant, Entrepreneur
• Government, Nonprofit Org

What is your level of experience with Agile Development?
What is your level of experience with DevOps?
What is your level of experience with Cloud environment?
What is your level of experience with Big Data environment?
• Evaluating
• 1-3 years
• 3-5 years
• 5+ years
Motivation
“Companies rarely fail because of poor financial controls, but they fail frequently due to their inability to understand and address disruptive technologies, market fluctuations, changing customer expectations, and competitive pressures.”
2014 Forrester report by Chris McClean, Stephanie Balaouras & Jennie Duong
URL: http://www.metricstream.com/pdf/Extend-compliance-and-risk-Forrester-play-book.pdf
7 W’s of Auditing and Investigations

1. What: What activity occurred? What was the result?
   Key Attributes: Action, Outcome, Type, Reason
2. When: When did the action happen? When was it observed? How long did it take?
   Key Attributes: Universal Timestamp, Time Zone, Duration
3. Who: Who (user/service) initiated the Action?
   Key Attributes: User, ID, Type, Name, Role/Credentials, Assertions
4. Where: Where was the Action observed, reported or modified? What role does the event serve? How was it recorded?
   Key Attributes: User/Observer, ID, Type, Name, Role/Credentials, Location
5. On What: On what resource did the Activity target?
   Key Attributes: Device/Role ID
6. From Where: From where was the Action initiated?
   Key Attributes:
   • logical/physical addresses, ex: host IP address, server name
   • precise geolocations, ex: ISO 6709:2008
7. To Where: To where was the Action targeted?
   Key Attributes:
   • logical/physical addresses, ex: host IP address, server name
   • precise geolocations, ex: ISO 6709:2008
Agile SCRUM

Scrum is an iterative and incremental agile software development methodology for managing product development.

Key concepts: Roles, Artifacts, Ceremonies & Processes
• Roles: Product Owner, Scrum Master, Team Member, Stakeholder
• Artifacts, Ceremonies & Processes: Product Vision, Product Backlog, Release Backlog, Sprint Backlog, User Stories, User Story Estimation, Sprint Demo, Sprint Retrospective, Daily Standup Meetings, Release Burndown, Sprint Burndown, Story Board, Capacity, Velocity, Story Points
The IT Industry Paradigm is Shifting…

Microservices: A software architecture style in which complex applications are composed of small, independent processes communicating with each other using language-agnostic APIs. These services are small, highly decoupled and focus on doing a small task.

Containerization: Horizontal segmentation
Docker Container: A Docker Engine container needs just the application and its dependencies. It runs as an isolated process in userspace on the host OS, sharing the kernel with other containers. Thus it enjoys the resource isolation and allocation benefits of VMs but is much more portable and efficient. The shared kernel is also the shared attack surface: a container that breaks out of its namespaces or exploits a kernel bug lands on the host next to every other container, which is a weaker boundary than a hypervisor gives a VM.

Kubernetes: Open source orchestration system (container cluster manager) for Docker containers. It handles scheduling onto nodes in a compute cluster and actively manages workloads to ensure that their state matches the users' declared intentions. Runs on Public Cloud, Private Cloud, and Bare Metal.

Virtualization: Vertical abstraction
Each virtualized application includes the application, the required binaries & libraries, and a Guest OS. The application may be on the order of tens of MB, but the Guest OS may be on the order of tens of GB.

[Diagram: three stacks, bottom to top]
• Docker: Server > Host OS > Docker Engine > App A + Bins/Libs, App B + Bins/Libs
• Type 2 Hypervisor: Server > Host OS > Hypervisor > (Guest OS > Bins/Libs > App A), (Guest OS > Bins/Libs > App B)
• Type 1 Hypervisor: Server > Hypervisor > (Guest OS > Bins/Libs > App A), (Guest OS > Bins/Libs > App B)

Microservices by James Lewis and Martin Fowler URL: http://martinfowler.com/articles/microservices.html
Containers & VMs by Michael Daconta URL: http://www.quora.com/How-is-containerization-different-from-virtualization
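Because the kernel is shared, the controls that keep a container inside its own process boundary are set per workload, and the orchestrator is where an auditor can check them. The script below is an added example written for this page, not code from the slides or from the Docker or Kubernetes projects: it audits a Kubernetes Pod manifest (held as a Python dict with the same shape as the YAML) for host namespaces, privileged mode, root execution, writable root filesystem, retained capabilities and hostPath mounts, and it produces a hardened copy of a constructed weak manifest. The Pod spec field names are real; the sample manifests, the audit_pod and harden helpers, the UID 10001 and the DANGEROUS_CAPS list are this example's own assumptions.

```python
"""Audit a Kubernetes Pod spec for the controls that keep a shared-kernel container
inside its own process boundary (added example, not slide or project code)."""
import copy

# Capabilities that hand a container a path back to the host kernel or to its
# neighbours; the list is this example's own choice, not an official one.
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}


def _containers(pod):
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def audit_pod(pod):
    """Return a list of findings; an empty list means every checked control is set."""
    findings = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Host namespaces collapse the isolation the shared kernel still offers.
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            findings.append(f"{name}: spec.{flag} is true")

    for c in _containers(pod):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        # Kubernetes defaults allowPrivilegeEscalation to true unless it is set.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation is not false")
        # Container-level settings override pod-level ones.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and uid in (None, 0):
            findings.append(f"{name}/{cname}: may run as root")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}/{cname}: root filesystem is writable")
        caps = sc.get("capabilities", {})
        if "ALL" not in {d.upper() for d in caps.get("drop", [])}:
            findings.append(f"{name}/{cname}: capabilities.drop does not include ALL")
        for cap in caps.get("add", []):
            if cap.upper() in DANGEROUS_CAPS:
                findings.append(f"{name}/{cname}: adds capability {cap}")

    # A hostPath mount is a direct view of the node, whatever UID the container runs as.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: volume {vol.get('name')} mounts hostPath {vol['hostPath'].get('path')}")
    return findings


def harden(pod):
    """Return a copy with the checked controls applied. hostPath volumes and their
    mounts are dropped; the owner must re-home that data (emptyDir, PVC, ...)."""
    hardened = copy.deepcopy(pod)
    spec = hardened.setdefault("spec", {})
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        spec[flag] = False
    spec.setdefault("securityContext", {}).update({"runAsNonRoot": True, "runAsUser": 10001})
    removed = {v.get("name") for v in spec.get("volumes", []) if "hostPath" in v}
    spec["volumes"] = [v for v in spec.get("volumes", []) if "hostPath" not in v]
    for c in _containers(hardened):
        c["securityContext"] = {
            "privileged": False,
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        }
        c["volumeMounts"] = [m for m in c.get("volumeMounts", []) if m.get("name") not in removed]
    return hardened


# Constructed sample manifest (not from any real deployment): host network,
# privileged container and the Docker socket mounted from the node.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-weak"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "app", "image": "example/app:1.0",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "docker-sock", "mountPath": "/var/run/docker.sock"}],
        }],
        "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}}],
    },
}
HARDENED_POD = harden(WEAK_POD)

if __name__ == "__main__":
    for finding in audit_pod(WEAK_POD):
        print("weak:", finding)
    print("hardened:", audit_pod(HARDENED_POD) or "no findings")
```

The same checks map onto an admission policy (Pod Security Standards "restricted" profile or an admission webhook) so that a manifest like WEAK_POD never reaches a node; the script is the offline form an auditor can run over exported manifests.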
The IT Industry Paradigm is Shifting…

Continuous Delivery (CD): A software engineering approach in which teams keep producing valuable software in short cycles and ensure that the software can be reliably released at any time. It is used in software development to automate and improve the process of software delivery.

API Management: The process of publishing, promoting and overseeing application programming interfaces (APIs) in a secure, scalable environment. It also includes the creation of end user support resources that define and document the API.

Continuous Integration (CI): A development practice that requires developers to integrate code into a shared repository several times a day. Each check-in is then verified by an automated build, allowing teams to detect problems early.

Continuous Deployment (CD): The deployment or release of code to Production as soon as it is ready. There is no large batching in Staging nor a long UAT process directly before Production. Testing is done prior to merging to the Mainline branch and is performed on Production-like environments.
The IT Industry Paradigm is Shifting…

Cloud Foundry: Open source cloud computing platform as a service (PaaS) originally developed by VMware and now owned by Pivotal Software, a joint venture of EMC, VMware and General Electric. Cloud Foundry is primarily written in Ruby and Go. Comes in 3 flavors:
• Cloud Foundry Open Source Software (OSS)
• Pivotal Cloud Foundry (Pivotal CF)
• Pivotal Web Services (PWS)

DataGravity: Data gravity is an analogy for the nature of data and its ability to attract additional applications and services. The law of gravity states that the attraction between objects is proportional to their masses. Dave McCrory coined the term data gravity to describe the phenomenon in which the number or quantity of services, applications and even customers attracted to data, and the speed at which they are attracted, increase as the mass of the data increases.

Cloud Foundry URL: http://www.cloudfoundry.org/index.html
DataGravity URL: http://datagravity.com/
Development to Operation: Business Challenges
DevOps URL: http://dev2ops.org/2010/02/what-is-devops/

Traditional IT Challenges: ~70-80% of all downtime is due to changes (self-inflicted wounds).

Often results in a "Wall of Confusion" between Development and Operation:
• Development wants faster changes; Operation wants a stable environment.
• Development tools and Operation tools are separate.

[Diagram: Development (Requirements > Design > Code > Test > Package > Release) | Wall of Confusion | Operation (Deploy to Stage > UAT Test > Deploy to Prod)]
DevOps

What is DevOps?
DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support.
DevOps is a software development method that stresses communication, collaboration, integration, automation, and measurement of cooperation between software developers and other IT professionals.

URL: http://theagileadmin.com/what-is-devops/
URL: http://en.wikipedia.org/wiki/DevOps

DevOps Composition: [Diagram: DevOps at the intersection of Development (Software Engineering), Quality Assurance (QA) and IT Operations]

DevOps Motivation:
• IT Operations: "Be predictable - minimize risk"
• Development: "Be more agile - deliver faster" (features & code changes)
• Agile Development + DevOps: Quality, Automation, Collaboration, Feedback loop, Faster Release, Smaller Packages; bring applications to customers faster
What is different in DevOps… Configuration Management:

Traditional CMDB (example hierarchy):
• Business Service
  • Application
    • Web site > Apache HTTP > HP Server > Rack > Data Ctr Zone > Data Ctr
    • App code (build) > Tomcat instance > Linux VM > Server
    • Database > MySQL DB instance > Server

Cloud environment CMDB:
• Business Service
  • Application
    • Platform instance
      • Hosting platform (e.g. AWS, Google, Rackspace, HP, IBM)
      • Location (e.g. EMEA, AMS, APJ)
Further details (e.g. web, app, DB nodes, IPs, software versions) live in the automation/CD toolchain rather than in the CMDB.

Adapted from Torsten Rueten at URL: https://www.linkedin.com/pulse/devops-itil-match-made-heaven-hell-part-1-torsten-rueter
What is different in DevOps… Release and Change Management:
URL: https://www.chef.io/solutions/continuous-delivery/

Incident Management: DevOps changes primarily who gets involved in Incident Management at which stage and what their stake is in the process. An even bigger impact may be achieved by ensuring there is the right culture and mindset, one that puts customers, service, reliability, and a quick mean time to repair (MTTR) at the center of the approach.

Event Management, Monitoring & Logging: The key difference is that the complexity, scale, and speed of DevOps make it imperative to focus on Internet-scale rather than Enterprise-scale solutions.

Adapted from Torsten Rueten at URL: https://www.linkedin.com/pulse/devops-itil-match-made-heaven-hell-part-1-torsten-rueter
DevOps Success Factors

DevOps Success factors:
• Culture, Collaboration & Mindset
• Effective Team Collaboration
• Identify & Eliminate Waste
• Improve Automation Efficiencies for Internet Scale
• Unified Processes for Development to Operations
• Unified Tooling (Key Capabilities)
  • Version-control software library
  • Deeply modeled systems
  • Automation
• Key Industry dynamics:
  • Infrastructure as code
  • Model driven automation
  • Continuous integration (CI)
  • Continuous deployment (CD)

[Diagram: Continuous Assessment & Adjust cycle across three areas]
• Culture: Collaboration, Accountability
• Process: Planning, Governance, Lifecycle management, Release Automation
• Technology: Continuous Integration, Continuous Testing, Continuous Delivery, Continuous Deployment, Continuous Performance
DevOps Best Practices
URL: http://www.drdobbs.com/architecture-and-design/top-10-practices-for-effective-devops/240149363

Practice 1: Active Stakeholder Participation
Practice 2: Automated Testing
Practice 3: Integrated Configuration Management
Practice 4: Integrated Change Management
Practice 5: Continuous Integration
Practice 6: Integrated Deployment Planning
Practice 7: Continuous Deployment
Practice 8: Production Support
Practice 9: Application Monitoring
Practice 10: Automated Dashboards

The Road to DevOps
1. Execs Commitment
2. Cloud Platform
3. Standardization
4. Interoperability & Automation
5. Process Optimization
6. Organization Culture
DevOps lifecycle

DevOps domains:
• Collaboration
• Continuous Deployment / Delivery
• Continuous Integration
• Source Control
• Development Environment
• Configuration Management
• Monitoring
• Issue Tracking
• Planning
• Operations Management
Sample of DevOps Tools and Technologies

• Collaboration: Campfire, Slack, IRC, SharePoint, GoToMeeting, HP MyRoom
• Plan: MS Project, Trello, HP Agile Manager, HP PPM
• Issue Tracking: Jira, HP Quality Center, ZenDesk, HP SM & SAW, MS Visual Studio Online
• Develop / Build: Git, CVS, MS TFS, Vagrant, Cloud9 IDE, Codenvy, Ant, Gradle, Maven, Docker, CoreOS, Artifactory
• Test: HP Quality Center, HP Fortify, SonarQube
• Continuous Integration: TeamCity, TravisCI, Jenkins, BuildHive, ThoughtWorks Go
• Continuous Delivery/Deploy: Octopus, Packer, Ubuntu Juju, Capistrano, HP CODAR, HP OO, SA, NA, DMA, NNMi
• Configuration Management: Puppet, Chef, CFEngine, Ansible, SaltStack, HP CMS, PowerShell DSC
• Monitoring: Graphite, Logstash, Kibana, HP SiteScope, HP vPV, HP OMi, HP BSM, Performance Manager, New Relic, Splunk, HP ArcSight, logentries
• Analyze: Cloudyn
Cloud Management Tools, Technologies & Companies

• Cost/Chargeback: Cloudability, Cloudyn, Cloud Cruiser, Newvem/Datapipe, HP Cloud Sys Chargeback
• Automation & Provisioning: Puppet, Chef, Enstratius/Dell, RightScale, GigaSpaces, HP CSA, SA, NA, DMA
• Management Platform: BMC, Capgemini, CA Technologies, HP Helion, IBM, ServiceMesh/CSC, vRealize/VMware, AWS, OpenStack
• Integration: Dell Boomi, Azure, IBM/Cast Iron, Amazon SQS, Informatica, TIBCO, MuleSoft
Security Management Tools, Technologies & Companies

• Cyber Security: FireEye, Palo Alto Networks, Check Point, Proofpoint, Guidance Software
• Investigation Management: Perspective, i-Sight, Report Exec, Column Case Investigate, EHS Insight, logikcull, HR Acuity
• Computer & Network Security: Lancope, AlienVault, Norse, RSA/EMC, HP ESS, Blue Coat, Akamai, Trend Micro, IBM ESS, Intel Security, Symantec, F5, AVG, ClearWater Compliance, F-Secure, Cisco, Beyond Security, AT&T Network Security, Qualys, Bayshore, Bradford Networks
Service Delivery Models

Who manages each layer, by delivery model:

Layer            Traditional (on premise)   Infrastructure (IaaS)   Platform (PaaS)   Software (SaaS)
User Experience  Client                     Client                  Client            Vendor
Devl Tools       Client                     Client                  Client            Vendor
Applications     Client                     Client                  Client            Vendor
Data             Client                     Client                  Client            Vendor
Runtime          Client                     Client                  Vendor            Vendor
Middleware       Client                     Client                  Vendor            Vendor
O/S              Client                     Client                  Vendor            Vendor
Virtualization   Client                     Vendor                  Vendor            Vendor
Servers          Client                     Vendor                  Vendor            Vendor
Networking       Client                     Vendor                  Vendor            Vendor
Storage          Client                     Vendor                  Vendor            Vendor

The layer at the boundary between the client-managed and vendor-managed stacks is shown as jointly managed.
Cloud Actors
• Cloud Consumer: Person or organization that maintains a business relationship with, and uses service from, Cloud Providers.
• Cloud Provider: Person, organization or entity responsible for making a service available to Cloud Consumers.
• Cloud Auditor: A party that can conduct independent assessment of cloud services, information system operations, performance and security of the cloud implementation.
• Cloud Broker: An entity that manages the use, performance and delivery of cloud services, and negotiates relationships between Cloud Providers and Cloud Consumers.
• Cloud Carrier: The intermediary that provides connectivity and transport of cloud services from Cloud Providers to Cloud Consumers.
Cloud Services Integration and Management (CSIM/CSIAM)

[Diagram: Cloud Consumers and Cloud Brokers on one side, Service Providers and Cloud Auditors on the other, with the CSIM functions below in between]

IT Operations
• Service Delivery
• Service Support: Incident Management; Problem Management; Knowledge Mgmt; Change Management; Release Management; Availability & Capacity Mgmt; Service Catalog/Request Management; Service Assets & Configuration Mgmt; Event Management & Monitoring; Operations Support

Business Support
• Customer Mgmt; Contract Mgmt; Inventory Mgmt; Accounting & Billing; Reporting & Auditing; Pricing, Costing & Rating

Integration (Portability & Interoperability)
• Data Portability; Service Interoperability; Systems Portability
• Data Management: Copy Data; Bulk Data Transfer
• Unified Management Interface; VM Images Migration; App/SVC Migration; Containers Migration

Provisioning/Configuration
• Rapid Provisioning & Fulfillment; Resource Change; Monitoring & Reporting; Metering; SLA Management

Governance, Security & Risk Management
• Governance, Risk Mgmt & Controls
• Security Management: Facility; Network; Workplace; Workload; Storage; Data Ctr; Services
OpenStack key components
Dashboard (Horizon)
Compute (Nova)
Object Storage (Swift)
Block Storage (Cinder)
Networking (Neutron)
Image Management(Glance)
Identity Management(Keystone)
Telemetry (Ceilometer)
Orchestration (Heat)
Database (Trove)
Bare Metal Provisioning(Ironic)
Messaging (Zaqar)
Elastic Map Reduce(Sahara)
Sample Standards and Compliance Controls
• Cloud Security Alliance Cloud Control Matrix (CSA CCM 3.0.1)
• NIST SP 800-53 Rev. 4
• NIST Cybersecurity Framework
• ISO/IEC 27002
• FISMA and FedRAMP
• Meaningful Use, HITECH and HIPAA
• COBIT 5
• ITIL v3 / 2011
• Payment Card Industry Data Security Standard (PCI DSS 3.1)
• Distributed Management Task Force (DMTF)
  • Cloud Infrastructure Management Interface (CIMI)
  • Cloud Auditing Data Federation (CADF)
Sample Standards and Compliance Controls
• CSA Cloud Controls Matrix 3.0.1
• NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
• NIST Cybersecurity Framework
• ISO/IEC 27002:2013, Information technology. Security techniques. Code of practice for information security controls
• PCI DSS 3.1
• Distributed Management Task Force (DMTF)
  • Cloud Auditing Data Federation (CADF) Standard
  • Cloud Infrastructure Management Interface (CIMI)
Cloud Security Alliance TCI Reference Architecture
Legend: CSA: Cloud Security Alliance; TCI: Trusted Cloud Initiative; SRM: Security and Risk Management; ITOS: IT Operation & Support; BOSS: Business Operation Support Services
Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI_Whitepaper.pdf

SRM Services:
• Governance Risk and Compliance
• Information Security Management
• Privilege Management Infrastructure
• Threat and Vulnerability Management
• Infrastructure Protection Services
• Data Protection
• Policies and Standards

ITOS Services:
• IT Operations
• Service Delivery
• Service Support
• Incident Management
• Problem Management
• Knowledge Management
• Change Management
• Release Management

BOSS Services:
• Compliance
• Data Governance
• Operational Risk Management
• Human Resources Security
• Security Monitoring Services
• Legal Services
• Internal Investigation

Presentation Services:
• Presentation Modality
• Presentation Platform

Application Services:
• Development Process
• Security Knowledge Lifecycle
• Programming Interfaces
• Integration Middleware
• Connectivity & Delivery
• Abstraction

Infrastructure Services:
• Facility Services
• Servers
• Storage Services
• Network Services
• Availability Services
• Patch Management
• Equipment Maintenance
• Virtualization (Desktop, Storage, Server, Network)

Information Services:
• User Directory Services
• Security Monitoring Data Management
• Service Delivery Data Management
• Service Support Data Management
• Data Governance Data Management
• Risk Management Data Management
• ITOS Data Management
• BOSS Data Management
• Reporting Services
CSA Cloud Controls Matrix CCM v3.0.1: 16 Domains, 133 Controls
Source: https://cloudsecurityalliance.org/research/ccm/
Legend: CSA: Cloud Security Alliance; CCM: Cloud Controls Matrix; (number of controls) for each Domain

1. AIS: Application & Interface Security (4)
2. AAC: Audit Assurance & Compliance (3)
3. BCR: Business Continuity Management & Operational Resilience (11)
4. CCC: Change Control & Configuration Management (5)
5. DSI: Data Security & Information Lifecycle Management (7)
6. DCS: Datacenter Security (9)
7. EKM: Encryption & Key Management (4)
8. GRM: Governance and Risk Management (11)
9. HRS: Human Resources (11)
10. IAM: Identity & Access Management (13)
11. IVS: Infrastructure & Virtualization Security (13)
12. IPY: Interoperability & Portability (5)
13. MOS: Mobile Security (20)
14. SEF: Security Incident Management, E-Discovery & Cloud Forensics (5)
15. STA: Supply Chain Management, Transparency and Accountability (9)
16. TVM: Threat and Vulnerability Management (3)
NIST SP 800-53 Rev. 4 Security and Privacy Controls
Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Security Life Cycle: Risk Management Framework (RMF)

Inputs:
• Architecture Description: Mission/Business Processes; Reference Models; Segment and Solution Architectures; Information System Boundaries
• Organizational Inputs: Laws, Directives, Policy, Guidance; Strategic Goals and Objectives; Information Security Requirements; Priorities and Resource Availability

Steps (Starting Point is step 1; the cycle repeats from step 6):
1. CATEGORIZE Information Systems: Define criticality/sensitivity of the information system according to potential worst-case, adverse impact to mission/business.
2. SELECT Security Controls: Select baseline security controls, apply tailoring guidance and supplement controls as needed based on risk assessment.
3. IMPLEMENT Security Controls: Implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
4. ASSESS Security Controls: Determine security control effectiveness (i.e. controls implemented correctly, operating as intended, meeting security requirements for the information system).
5. AUTHORIZE Information Systems: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
6. MONITOR Security Controls: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
NIST SP 800-53 Rev. 4 Security and Privacy Controls

Identifier  Family                                     Class  Ctrls
AC          Access Control                             Tech   25
AT          Awareness and Training                     Ops    5
AU          Audit and Accountability                   Tech   16
CA          Security Assessment and Authorization      Mgmt   9
CM          Configuration Management                   Ops    11
CP          Contingency Planning                       Ops    13
IA          Identification and Authentication          Tech   11
IR          Incident Response                          Ops    10
MA          Maintenance                                Ops    6
MP          Media Protection                           Ops    8
PE          Physical and Environmental Protection      Ops    20
PL          Planning                                   Mgmt   9
PS          Personnel Security                         Ops    8
RA          Risk Assessment                            Mgmt   6
SA          System and Services Acquisition            Mgmt   22
SC          System and Communications Protection       Tech   44
SI          System and Information Integrity           Ops    17
PM          Program Management                         Mgmt   16

Legend: Tech: Technical; Ops: Operational; Mgmt: Management; Ctrls: Number of Controls
Ref: URL: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
NIST SP 800-53 Rev. 4 Security and Privacy Controls

Control families by class (the Management/Operational/Technical class designations come from Rev. 3; Rev. 4 lists the families without classes):

Management: (5)
CA: Security Assessment and Authorization
RA: Risk Assessment
SA: System and Services Acquisition
PL: Planning
PM: Program Management

Operational: (9)
AT: Awareness and Training
CM: Configuration Management
CP: Contingency Planning
IR: Incident Response
MA: Maintenance
PE: Physical and Environmental Protection
MP: Media Protection
PS: Personnel Security
SI: System and Information Integrity

Technical: (4)
AC: Access Control
AU: Audit and Accountability
IA: Identification and Authentication
SC: System and Communications Protection
NIST Cybersecurity Framework version 1.0
Source: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

Function   Categories  Subcategories per category                              Subcategories
Identify   5           ID.AM 6, ID.BE 5, ID.GV 4, ID.RA 6, ID.RM 3             24
Protect    6           PR.AC 5, PR.AT 5, PR.DS 7, PR.IP 12, PR.MA 2, PR.PT 4   35
Detect     3           DE.AE 5, DE.CM 8, DE.DP 5                               18
Respond    5           RS.RP 1, RS.CO 5, RS.AN 4, RS.MI 3, RS.IM 2             15
Recover    3           RC.RP 1, RC.IM 2, RC.CO 3                               6
Total      22                                                                  98
ISO/IEC 27002:2013
Source URL: http://iso27001security.com/html/27002.html
URL: http://iso27001security.com/html/iso27k_toolkit.html
FISMA & FedRAMP

[Diagram: FedRAMP = FISMA (NIST 800-53 baseline) + FedRAMP additional controls]

FISMA:
• Federal Information Security Management Act (FISMA)
• United States legislation (not an agency program)
• A comprehensive framework to protect government information, operations and assets against natural or man-made threats
• Assigns responsibilities to various agencies to ensure the security of data
• Managed by individual agencies
• Requires annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels

FedRAMP:
• Federal Risk and Authorization Management Program (FedRAMP)
• A government-wide program leveraging a "do once, use many times" framework (not legislation)
• Provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services
• Managed centrally by GSA rather than by individual agencies; agencies reuse the resulting authorizations
• Purpose: Ensure that cloud based services have adequate information security; eliminate duplication of effort and reduce risk management costs; enable rapid and cost-effective procurement of information systems/services for Federal agencies
• GSA oversees; accredited 3PAOs validate proposed offerings before GSA approves

Baseline control counts:
           Low   Moderate   High
FedRAMP    125   326        N/A (no High baseline as of this deck)
FISMA      124   261        343

Note: 3PAO: third-party assessment organization
URL: http://csrc.nist.gov/groups/SMA/forum/documents/FedRAMP-Goodrich-020912.pdf
URL: http://1105govinfoevents.com/custom/Face-to-Face/2-15/FISMA-FedRAMP-Controls-and-Authorization-Differences-Whitepaper-Coalfire.pdf
Meaningful Use, HITECH & HIPAA

HIPAA:
• Health Insurance Portability and Accountability Act (HIPAA) of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs.
• Rules: Privacy, Security, Enforcement

HITECH:
• The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.

Meaningful Use:
• Using certified electronic health record (EHR) technology to: improve quality, safety, efficiency, and reduce health disparities; engage patients and family; improve care coordination, and population and public health; maintain privacy and security of patient health information.
• 15 core measures, 10 menu set objectives; 15 measure groups, 25 criteria & measures for meaningful use

[Diagram: HIPAA, Health Insurance Portability and Accountability Act (1996) > HITECH, Health Information Technology for Economic and Clinical Health (2009) > Meaningful Use guidelines for Electronic Health Records (2010)]

URL: http://www.hhs.gov/ocr/privacy/hipaa/understanding/
URL: http://pitchengine.com/pitches/9bbbb1a7-9fd0-4fcf-81ce-a397f82fd99a
URL: https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/downloads/EP-MU-TOC.pdf
URL: http://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title45/45cfr164_main_02.tpl
COBIT 5
Source URL: http://www.isaca.org/COBIT/Pages/default.aspx

Governance

Evaluate, Direct and Monitor (EDM), 5 processes:
EDM01 Ensure Governance Framework Setting and Maintenance
EDM02 Ensure Benefits Delivery
EDM03 Ensure Risk Optimization
EDM04 Ensure Resource Optimization
EDM05 Ensure Stakeholder Transparency

Management

Align, Plan and Organize (APO), 13 processes:
APO01 Manage the IT Management Framework
APO02 Manage Strategy
APO03 Manage Enterprise Architecture
APO04 Manage Innovation
APO05 Manage Portfolio
APO06 Manage Budget and Costs
APO07 Manage Human Resources
APO08 Manage Relationships
APO09 Manage Service Agreements
APO10 Manage Suppliers
APO11 Manage Quality
APO12 Manage Risk
APO13 Manage Security

Build, Acquire and Implement (BAI), 10 processes:
BAI01 Manage Programs and Projects
BAI02 Manage Requirements Definition
BAI03 Manage Solutions Identification and Build
BAI04 Manage Availability and Capacity
BAI05 Manage Organizational Change Enablement
BAI06 Manage Changes
BAI07 Manage Change Acceptance and Transitioning
BAI08 Manage Knowledge
BAI09 Manage Assets
BAI10 Manage Configuration

Deliver, Service and Support (DSS), 6 processes:
DSS01 Manage Operations
DSS02 Manage Service Requests and Incidents
DSS03 Manage Problems
DSS04 Manage Continuity
DSS05 Manage Security Services
DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess (MEA), 3 processes:
MEA01 Monitor, Evaluate and Assess Performance and Conformance
MEA02 Monitor, Evaluate and Assess the System of Internal Control
MEA03 Monitor, Evaluate and Assess Compliance with External Requirements
ITIL 2011

Service Strategy (SS), 5 Processes:
• Business relationship management
• Financial management for IT services
• Service portfolio management
• Strategy for IT services
• Demand management

Service Design (SD), 8 Processes:
• Design coordination
• Service catalog management
• Service level management
• IT Service continuity management
• Supplier management
• Availability management
• Capacity management
• IT Security management

Service Transition (ST), 7 Processes:
• Transition planning & support
• Change management
• Change evaluation
• Service validation & testing
• Service asset & configuration management
• Release & deployment management
• Knowledge management

Service Operation (SO), 5 Processes:
• Event management
• Incident management
• Problem management
• Request management
• Access management
4 Functions:
• Service desk
• Technical management
• IT Operations management
• Application management

Continual Service Improvement (CSI), 1 Process:
• 7 steps improvement process
ITIL v3 Value Chain (Level 1)

Service Strategy (SS): Business Relationship Management; Management of IT Service Strategy; Demand Management; Service Portfolio Management (SPM); Financial Management (FM)
Service Design (SD): Service Design Coordination; Service Level Management (SLM); Capacity Management; Availability Management; Risk Management; Security Management; Service Continuity Management; Supplier Management; Service Catalog Management
Service Transition (ST): Transition Planning and Support; Change Management; Change Evaluation; Release and Deployment Management; Service Validation and Test; Service Asset and Configuration Management; Application Development and Customizing; End of Life for IT Services; Knowledge Management
Service Operations (SO): Event Management; Incident Management; Problem Management; Access Management; Service Request Management; Operations Control
Continual Service Improvements (CSI): Service Evaluation; Process Management; Improvement Management and Reporting
Payment Card Industry Data Security Standard PCI DSS 3.1

12 High level requirements                                                                     Detailed
Build and Maintain a Secure Network and Systems
 1. Install and maintain a firewall configuration to protect cardholder data                       20
 2. Do not use vendor-supplied defaults for system passwords and other security parameters         10
Protect Cardholder Data
 3. Protect stored cardholder data                                                                 18
 4. Encrypt transmission of cardholder data across open, public networks                            3
Maintain a Vulnerability Management Program
 5. Protect all systems against malware and regularly update anti-virus software or programs        5
 6. Develop and maintain secure systems and applications                                           28
Implement Strong Access Control Measures
 7. Restrict access to cardholder data by business need to know                                    10
 8. Identify and authenticate access to system components                                          23
 9. Restrict physical access to cardholder data                                                    27
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data                          32
11. Regularly test security systems and processes                                                  16
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel                        39

12 Requirements; 231+ detailed requirements; 5 additional requirements for Shared Hosting Providers
Source: PCI DSS Standards URL: https://www.pcisecuritystandards.org
DMTF Cloud Auditing Data Federation (CADF) Standard
Defines a full event model anyone can use to fill in the essential data needed to certify, self-manage and self-audit application security in cloud environments. CADF is part of the DMTF's Cloud Management Initiative.
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

Auditing using a standard such as CADF has many benefits:
• Create and request customized views for Audit & Compliance data
• Track regional, industry and corporate policy compliance using standardized APIs / Reports
• Key event data is normalized and categorized to support auditing of hybrid Cloud applications
• CADF assures consistent mappings across cloud components and cloud providers
• Format is agnostic to the underlying provider infrastructure
• Provides transparency for low-level operational processes

Customer Benefits:
• Ability to self-manage auditing of their data
• Similar reports from different Cloud service providers
• Aggregate audit data from different Clouds / Partners
• Auditing processes & tools unchanged
Cloud Auditing Data aggregated from multiple sources
[Diagram: Company A’s OSS/BSS processes and Company A’s auditor request audit data through standard APIs; Company A’s hybrid applications running on Cloud Provider P1 and Cloud Provider P2 return standard audit data (logs and reports), which is aggregated across the hybrid applications.]
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
OSS: Operational Support Services
BSS: Business Support Services
43
Example: 7 essential W’s of auditing and monitoring
CADF Event Model: basic and conditional model components
Source: http://dmtf.org/sites/default/files/standards/documents/DSP2038_1.0.0.pdf
Distributed Management Task Force (DMTF) Cloud Auditing Data Federation (CADF) Event Model and its components
• Works for any Activity, Monitoring or Control event
• Provides guidance on how to record Basic, Detailed or Precise information for each component
1. What: What activity occurred? What was the result? event.action; event.outcome; event.type (activity, monitoring, control); event.reason (e.g. security, reason code, policy id)
2. When: When did the action happen? When was it observed? How long did it take? ISO 8601 timestamps: event.eventTime; reporter.timestamp; event.duration
3. Who: Who (user/service) initiated the action? initiator.id; initiator.type; initiator.id (id, name); initiator.credential; initiator.credential.assertions
4. Where: Where was the action observed, reported or modified? What role does the event serve? How was it recorded? observer.id; observer.type; reporterstep.role; reporterstep.reporterTime
5. On What: What resource did the activity target? target.id
6. From Where: From where was the action initiated? May include logical/physical addresses and ISO 6709:2008 precise geolocations. initiator.addresses; initiator.host; initiator.geolocation
7. To Where: To where was the action targeted? Can be as simple as an IP address or server name. target.addresses; target.host; target.geolocation
Legend: Italics are optional properties
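As an added example (not code from the slides or from the DMTF specification), the following Python assembles a CADF-style event from the 7 W’s above and checks that the mandatory components are present before the event is accepted into an audit feed. Key spellings such as typeURI, eventType and reporterchain follow the CADF specification as I recall it and should be verified against DSP0262; all sample values are constructed.

```python
import uuid
from datetime import datetime, timezone

# Added example, not from the slides or DSP0262; spellings such as typeURI
# and eventType follow the CADF spec as I recall it, so verify against it.
CADF_EVENT = "http://schemas.dmtf.org/cloud/audit/1.0/event"
EVENT_TYPES = {"activity", "monitor", "control"}
OUTCOMES = {"success", "failure", "pending", "unknown"}
# What (1), When (2), Who (3), Where (4) and On What (5) are mandatory.
REQUIRED = ("eventType", "eventTime", "action", "outcome",
            "initiator", "target", "observer")

def make_event(action, outcome, initiator, target, observer,
               event_type="activity", reason=None, when=None):
    """initiator/target/observer are dicts carrying at least an 'id'."""
    stamp = (when or datetime.now(timezone.utc)).isoformat()
    event = {
        "typeURI": CADF_EVENT,
        "id": str(uuid.uuid4()),    # constructed per event
        "eventType": event_type,    # activity, monitor or control (1)
        "eventTime": stamp,         # ISO 8601 with time zone (2)
        "action": action,           # what happened (1)
        "outcome": outcome,         # what the result was (1)
        "initiator": initiator,     # who, and from where (3, 6)
        "target": target,           # on what, and to where (5, 7)
        "observer": observer,       # where it was observed (4)
        "reporterchain": [{"role": "observer", "reporterTime": stamp,
                           "reporterId": observer.get("id")}],
    }
    if reason:
        event["reason"] = reason    # e.g. reasonCode, policyId
    return event

def validate(event):
    """Return the list of audit gaps; empty means all mandatory W's are present."""
    gaps = [f"missing {key}" for key in REQUIRED if key not in event]
    if event.get("eventType") not in EVENT_TYPES:
        gaps.append("eventType must be activity, monitor or control")
    if event.get("outcome") not in OUTCOMES:
        gaps.append("outcome must be success, failure, pending or unknown")
    for part in ("initiator", "target", "observer"):
        if part in event and not event[part].get("id"):
            gaps.append(f"{part}.id is required")
    return gaps

# Constructed sample: a service account reads a cardholder-data store.
SAMPLE = make_event("read", "success", {"id": "svc-billing"},
                    {"id": "store-chd-01"}, {"id": "audit-agent-p1"},
                    reason={"reasonCode": "200", "policyId": "pci-req-10"})
```

Running validate() at the point where a provider's events enter the aggregate feed lets an auditor reject records that cannot answer the mandatory W's instead of discovering the gap during review.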
44
Challenges & Opportunities in Cloud Management
• Transparency is crucial
• Regulations can’t keep up
• Need for continuous real-time security audits & monitoring
• Bridge the gaps between academic-world innovations and the business world
• Security requires a big-picture approach
• BYOD brings additional challenges
• Bare-metal security features are not available in the virtual world
• Accidental key sharing in appliances
• Leave security implementations to the experts
• Data partitioning for hybrid clouds
• Do consumers care, i.e. are they willing to pay?
• Products can end up being used in industries they aren't designed for
• Security guarantees are impossible to "prove"
Source: John Wetherill URL: http://www.activestate.com/blog/2015/02/locking-down-cloud-18-security-issues-faced-enterprise-it
Source URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm
45
Challenges & Opportunities in Cloud Management
• Containers and portable VM snapshots are too portable
• Encryption efforts are vulnerable if physical access to a machine is available
• Controlling physical access to the data center is not enough
• Privacy and security are at odds
• Lack of control over assets and physical security
• Integration and interoperability of systems / API management
• Who controls the encryption/decryption keys for data at rest & in transit?
• Lack of a standard for data integrity
• Virtual machines / containers transitioning between private, public and hybrid environments
• Establishing and managing Service Level Agreements (SLAs)
• Usage-based costing, invoicing & chargeback
• Data migration in and out of the Cloud Service Provider
• Plan for an exit strategy from the beginning
Source: John Wetherill URL: http://www.activestate.com/blog/2015/02/locking-down-cloud-18-security-issues-faced-enterprise-it
Source URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm
46
Reference URLs
• Cloud Standards Customer Council (CSCC) Cloud Security Standards
• Cloud Auditing Data Federation
• NIST Cloud Computing Standards Roadmap
• Detailed CSA TCI Reference Architecture
• Payment Card Industry (PCI) Data Security Standards (DSS) Guidelines
• OpenStack wiki
• OpenStack Main Page
• OpenStack Developers Guides
• Cloud Audit Data Federation - OpenStack Profile
• Cloud Auditing Data Federation (CADF) - 5 Data Format and Interface Definitions Specification (DSP0262_1.0.0)
• CADF Event Model and Taxonomies
• NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
• URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm
• CRCnetBASE: http://www.crcnetbase.com/action/showPublications?display=bySubject&category=40001730&collapse=40001730
• FedRAMP: https://www.fedramp.gov/
• FISMA: http://www.dhs.gov/federal-information-security-management-act-fisma
47
References & Credits
48
Conclusion
• Migration to Cloud will continue due to the efficiencies and economics.
• Cloud is all about services and service delivery.
• The Cloud is only worth the services it delivers securely.
• Cloud is all about a hybrid world.
• Security, Risk Management & Audit practices are at the center of Agile, DevOps, and Cloud Management transformation.
Contact: [email protected]@gmail.com | 240.506.2305 | linkedin.com/in/sukumarnayak/
50
Backup
51
Open Security Architecture
Open Security Architecture URL: http://www.opensecurityarchitecture.org/cms/foundations/osa-taxonomy
52
DevOps & Cloud: Key is Automated Provisioning
Fully automated provisioning: the ability to deploy, update, and repair application infrastructure using only pre-defined automated procedures.
Criteria for achieving fully automated provisioning:
• Be able to automatically provision an entire environment — from “bare-metal” to running business services — completely from specification
• No direct management of individual boxes
• Be able to revert to a “previously known good” state at any time
• It’s easier to re-provision than it is to repair
• Anyone on your team with minimal domain-specific knowledge can deploy or update an environment
53
Extending the scope and value delivered by GRC & ERM
Ref: 2014 Forrester report by Chris McClean, Stephanie Balaouras & Jennie Duong
Source URL: http://www.metricstream.com/pdf/Extend-compliance-and-risk-Forrester-play-book.pdf
54
DevOps Maturity Model
Source HP: http://h30499.www3.hp.com/t5/Business-Service-Management-BAC/DevOps-and-OpsDev-How-Maturity-Model-Works/ba-p/6042901#.VWJZ0k3bKM8
55
Sample of DevOps Tools and Technologies
Plan: HP Agile Manager, HP PPM, MS Project, Trello
Develop / Build: Git, CVS, MS TFS, Vagrant, Cloud 9 IDE, Codenvy
Continuous Integration (CI): TeamCity, TravisCI, Jenkins, BuildHive
Test: HP Quality Center, Ant, Gradle, Maven
Continuous Delivery / Deploy (CD): HP CODAR; HP OO, SA, DMA, NA, NNMi; Docker; CoreOS Rocket; Packer; Octopus; ThoughtWorks Go; Capistrano; Artifactory
56
Sample of DevOps Tools and Technologies
Issue Tracking: HP SM & SAW, HP Quality Center, Jira, ZenDesk, MS Visual Studio Online
Monitoring: HP SiteScope; HP vPV, HP OMi, HP BSM; Performance Manager; Graphite; Logstash; Cloudyn; New Relic (APM & Server)
Configuration Management: HP CMS (UD & CMDB), Puppet, Chef, CFEngine, Ansible, SaltStack, PowerShell DSC, Ubuntu Juju
Analyze: HP ArcSight, HP Fortify, Splunk, SonarQube, Kibana, logentries
Collaboration: HP MyRoom, Campfire, Slack, IRC, SharePoint, GoToMeeting
57
Lean principles
• Queues and total throughput
• Variability, innovation, and economic consequences
• Batch sizes
• Work in progress
• Fast feedback
• Decentralized control
58
COBIT 5
URL: http://www.isaca.org/COBIT/Pages/default.aspx
59
Service Delivery Models
[Diagram: the nine layers Storage, Servers, Networking, O/S, Middleware, Virtualization, Data, Applications and Runtime shown for Traditional (on premise), Infrastructure (as a Service), Platform (as a Service) and Software (as a Service); in each model every layer is marked client managed, vendor managed or jointly managed, with User Experience on top of each stack.]
60
Definitions of Key Terms & Acronyms
• ADFS: Active Directory Federated Services
• CADF: Cloud Auditing Data Federation
• CSA: Cloud Security Alliance
• CSCC: Cloud Standards Customers Council
• CI: Continuous Integration
• CD: Continuous Deployment / Continuous Delivery
• DMTF: Distributed Management Task Force
• ENISA: European Network and Information Security Agency
• GRC: Global Regulatory Compliance
• LDAP: Lightweight Directory Access Protocol
• NIST: National Institute of Standards and Technology
• NIST CC SRA: Cloud Computing Standard Reference Architecture
• PCI DSS: Payment Card Industry Data Security Standard
• SAML: Security Authorization Markup Language
• SCIM: System for Cross-domain Identity Management
• SLA: Service Level Agreement
• SLO: Service Level Objectives
• SSAE 16: Statement on Standards for Attestation Engagements (SSAE) No. 16
• XACML: eXtensible Access Control Markup Language
• SAFe: Scaled Agile Framework