Security, Risk Management & Audit in the Crossroads of Agile, DevOps and Cloud Management Sukumar Nayak, Chief Technologist Cloud Services Integration & Automation Date Created: 04/21/2015 Date last updated: 07/14/2015

Uploaded by sukumar-nayak, posted 06-Aug-2015


Page 1: Sukumar Nayak-Agile-DevOps-Cloud Management

Security, Risk Management & Audit in the Crossroads of Agile, DevOps and Cloud Management

Sukumar Nayak, Chief Technologist Cloud Services Integration & Automation

Date Created: 04/21/2015. Date last updated: 07/14/2015

Page 2

Agenda

Objective: Provide an overview of Agile, DevOps and Cloud Management from Security, Risk Management and Audit Compliance perspectives.

Scope:
• Motivation
• Agile Development
• The IT Industry Paradigm is Shifting
• DevOps
• Cloud Management
• Tools & Technologies in the New Style IT
• Standards & Compliance Controls
• Implementation best practices for Security & Audit in the Cloud
• Challenges and Opportunities for Security, Risk Management & Audit practices
• Q&A

Page 3

Audience Poll

What is your primary role at your company?
• Technologist, CTO
• Finance, CFO
• Audit, CFO
• Security & Compliance, CISO, CCO
• IT Operation, CIO
• Business Services, Executive
• Consultant, Entrepreneur
• Government, Nonprofit Org

What is your level of experience with Agile Development? With DevOps? With Cloud environment? With Big Data environment?
• Evaluating
• 1-3 years
• 3-5 years
• 5+ years

Page 4

Motivation

"Companies rarely fail because of poor financial controls, but they fail frequently due to their inability to understand and address disruptive technologies, market fluctuations, changing customer expectations, and competitive pressures."

2014 Forrester report by Chris McClean, Stephanie Balaouras & Jennie Duong

URL: http://www.metricstream.com/pdf/Extend-compliance-and-risk-Forrester-play-book.pdf

Page 5

7 W's of Auditing and Investigations

1. What: What activity occurred? What was the result? Key Attributes: Action, Outcome, Type, Reason

2. When: When did the action happen? When was it observed? How long did it take? Key Attributes: Universal Timestamp, Time Zone, Duration

3. Who: Who (user/service) initiated the Action? Key Attributes: User, ID, Type, Name, Role/Credentials, Assertions

4. Where: Where was the Action observed, reported or modified? What role does the event serve? How was it recorded? Key Attributes: User/Observer, ID, Type, Name, Role/Credentials, Location

5. On What: On what resource did the Activity target? Key Attributes: Device/Role ID

6. From Where: From where was the Action initiated? Key Attributes:
• logical/physical addresses, e.g. host IP address, server name
• precise geolocations, e.g. ISO 6709:2008

7. To Where: To where was the Action targeted? Key Attributes:
• logical/physical addresses, e.g. host IP address, server name
• precise geolocations, e.g. ISO 6709:2008
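The seven attribute groups above translate directly into a schema check that an audit pipeline can run on every record before it is accepted as evidence. The following Python is an added example, not code from the deck or its author: it validates a constructed audit event against the 7 W's, insisting on a time-zone-qualified timestamp (the "Universal Timestamp, Time Zone" attributes) and on an ISO 6709 geolocation string for the From Where / To Where endpoints. The field names, the simplified ISO 6709 regex and the two sample events are assumptions of the example.

```python
"""Validate audit events against the '7 W's' attribute checklist (added example)."""
import re
from datetime import datetime

# Field names each of the seven W's must carry. This mapping is an assumption:
# it turns the slide's key attributes into concrete record fields.
REQUIRED_FIELDS = {
    "what": ("action", "outcome"),
    "when": ("timestamp",),
    "who": ("initiator_id", "initiator_type"),
    "where": ("observer_id",),
    "on_what": ("target_id",),
    "from_where": ("source",),
    "to_where": ("destination",),
}

# Simplified check for the ISO 6709 decimal-degree string form,
# e.g. "+40.6894-074.0447/" (latitude, longitude, optional altitude, "/").
ISO6709_RE = re.compile(r"^[+-]\d{2}(\.\d+)?[+-]\d{3}(\.\d+)?([+-]\d+(\.\d+)?)?/$")


def _parse_timestamp(value):
    """Return an aware datetime, or None if value is not ISO 8601 with a time zone."""
    if not isinstance(value, str):
        return None
    # datetime.fromisoformat() before Python 3.11 does not accept a trailing "Z".
    text = value[:-1] + "+00:00" if value.endswith("Z") else value
    try:
        parsed = datetime.fromisoformat(text)
    except ValueError:
        return None
    return parsed if parsed.tzinfo is not None else None


def _check_endpoint(label, endpoint, problems):
    """From Where / To Where: a logical address (IP or name) is mandatory;
    a geolocation, when present, must be an ISO 6709 string."""
    if not isinstance(endpoint, dict):
        problems.append(f"{label}: endpoint must be an object")
        return
    if not (endpoint.get("address") or endpoint.get("name")):
        problems.append(f"{label}: missing logical/physical address")
    geo = endpoint.get("geolocation")
    if geo is not None and not ISO6709_RE.match(geo):
        problems.append(f"{label}: geolocation is not ISO 6709")


def validate_event(event):
    """Return a list of problems; an empty list means all seven W's are answered."""
    problems = []
    for w, fields in REQUIRED_FIELDS.items():
        for field in fields:
            if field not in event or event[field] in ("", None):
                problems.append(f"{w}: missing '{field}'")
    if "timestamp" in event and _parse_timestamp(event["timestamp"]) is None:
        problems.append("when: timestamp must be ISO 8601 with an explicit time zone")
    if "source" in event:
        _check_endpoint("from_where", event["source"], problems)
    if "destination" in event:
        _check_endpoint("to_where", event["destination"], problems)
    return problems


# Constructed sample: a privileged API call recorded with all seven W's answered.
GOOD_EVENT = {
    "action": "compute.instance.delete",
    "outcome": "success",
    "timestamp": "2015-07-14T13:05:22Z",
    "initiator_id": "user-42",
    "initiator_type": "user",
    "observer_id": "api-gateway-01",
    "target_id": "vm-7f3a",
    "source": {"address": "10.1.2.3", "geolocation": "+37.3861-122.0839/"},
    "destination": {"name": "nova-api.example.internal"},
}

# Constructed sample: no target, a local-time stamp without a zone, and a
# free-text geolocation that an investigator could not resolve reliably.
BAD_EVENT = {
    "action": "compute.instance.delete",
    "outcome": "success",
    "timestamp": "2015-07-14 13:05:22",
    "initiator_id": "user-42",
    "initiator_type": "user",
    "observer_id": "api-gateway-01",
    "source": {"address": "10.1.2.3", "geolocation": "37.38, -122.08"},
    "destination": {"name": "nova-api.example.internal"},
}

if __name__ == "__main__":
    for name, event in (("good", GOOD_EVENT), ("bad", BAD_EVENT)):
        print(name, validate_event(event) or "ok")
```

Rejecting a zone-less timestamp rather than silently assuming UTC is deliberate: once records from several regions are correlated, an ambiguous "When" is the attribute most often lost for good.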

Page 6

Agile SCRUM

Scrum is an iterative and incremental agile software development methodology for managing product development.

Key concepts (Roles, Artifacts, Ceremonies & Processes):
• Product Owner
• Scrum Master
• Team Member
• Stakeholder
• Product Vision
• Product Backlog
• Release Backlog
• Sprint Backlog
• User Stories
• User Story Estimation
• Sprint Demo
• Sprint Retrospective
• Daily Standup Meetings
• Release Burndown
• Sprint Burndown
• Story Board
• Capacity
• Velocity
• Story Points

Page 7

The IT Industry Paradigm is Shifting…

Microservices: A software architecture style in which complex applications are composed of small, independent processes communicating with each other using language-agnostic APIs. These services are small, highly decoupled and focus on doing a small task.

Containerization: Horizontal segmentation
Docker Container: The Docker Engine container needs just the application and its dependencies. It runs as an isolated process in userspace on the host OS, sharing the kernel with other containers. Thus, it enjoys the resource isolation & allocation benefits of VMs but is much more portable & efficient.

Kubernetes: Open source orchestration system (container cluster manager) for Docker containers. It handles scheduling onto nodes in a compute cluster and actively manages workloads to ensure that their state matches the users' declared intentions. Runs on Public Cloud, Private Cloud, and Bare Metal.

Virtualization: Vertical abstraction
Each virtualized application includes the application, the required binaries & libraries, and a Guest OS. The application may be in the order of 10s of MB, however the Guest OS may be in the order of 10s of GB.

Diagram (stack layers, bottom to top):
• Docker: Server → Host OS → Docker Engine → App A with Bins/Libs, App B with Bins/Libs
• Type 2 Hypervisor: Server → Host OS → Hypervisor → (Guest OS, Bins/Libs, App A), (Guest OS, Bins/Libs, App B)
• Type 1 Hypervisor: Server → Hypervisor → (Guest OS, Bins/Libs, App A), (Guest OS, Bins/Libs, App B)

Microservices by James Lewis and Martin Fowler, URL: http://martinfowler.com/articles/microservices.html
Containers & VMs by Michael Daconta, URL: http://www.quora.com/How-is-containerization-different-from-virtualization

Page 8

The IT Industry Paradigm is Shifting…

Continuous Delivery (CD): A software engineering approach in which teams keep producing valuable software in short cycles and ensure that the software can be reliably released at any time. It is used in software development to automate and improve the process of software delivery.

API Management: The process of publishing, promoting and overseeing application programming interfaces (APIs) in a secure, scalable environment. It also includes the creation of end user support resources that define and document the API.

Continuous Integration (CI): A development practice that requires developers to integrate code into a shared repository several times a day. Each check-in is then verified by an automated build, allowing teams to detect problems early.

Continuous Deployment (CD): The deployment or release of code to Production as soon as it is ready. There is no large batching in Staging nor a long UAT process directly before Production. Testing is done prior to merging to the Mainline branch and is performed on Production-like environments.

Page 9

The IT Industry Paradigm is Shifting…

Cloud Foundry URL: http://www.cloudfoundry.org/index.html
DataGravity URL: http://datagravity.com/

Cloud Foundry: Open source cloud computing platform as a service (PaaS) originally developed by VMware and now owned by Pivotal Software, a joint venture by EMC, VMware and General Electric. Cloud Foundry is primarily written in Ruby and Go. Comes in 3 flavors:
• Cloud Foundry Open Source Software (OSS)
• Pivotal Cloud Foundry (Pivotal CF)
• Pivotal Web Services (PWS)

DataGravity: Data gravity is an analogy of the nature of data and its ability to attract additional applications and services. The Law of Gravity states that the attraction between objects is directly proportional to their weight (or mass). Dave McCrory coined the term data gravity to describe the phenomenon in which the number or quantity and the speed at which services, applications, and even customers are attracted to data increases as the mass of the data also increases.

Page 10

Development to Operation: Business Challenges

DevOps URL: http://dev2ops.org/2010/02/what-is-devops/

Traditional IT Challenges: ~70-80% of all downtime is due to changes (self-inflicted wounds)

Delivery flow: Requirements → Design → Code → Test → Package → Release → Deploy to Stage → UAT Test → Deploy to Prod

Often results in: a "Wall of Confusion" between Development (faster changes; development tools) and Operation (stable environment; operation tools).

Page 11

DevOps

What is DevOps?
DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support.
DevOps is a software development method that stresses communication, collaboration, integration, automation, and measurement of cooperation between software developers and other IT professionals.

URL: http://theagileadmin.com/what-is-devops/
URL: http://en.wikipedia.org/wiki/DevOps

DevOps Composition: the intersection of Development (Software Engineering), Quality Assurance (QA) and IT Operations.

DevOps Motivation:
• IT Operations: "Be predictable – minimize risk"
• Development: "Be more agile – deliver faster"
• Features & code changes flow from Agile Development through DevOps: Quality, Automation, Collaboration, Feedback loop, Faster Release, Smaller Packages
• Bring Applications to Customers Faster

Page 12

What is different in DevOps… Configuration Management:

Traditional CMDB (configuration items from business service down to physical location):
• Business Service
• Application
• Web site / App code (build) / Database
• Apache HTTP / Tomcat instance / MySQL DB instance
• HP Server / Linux VM / Server
• Rack
• Data Ctr Zone
• Data Ctr

Cloud environment CMDB:
• Business Service
• Application
• Platform instance
• Hosting platform (e.g. AWS, Google, Rackspace, HP, IBM)
• Location (e.g. EMEA, AMS, APJ)

Further details (e.g. web, app, DB nodes, IPs, software versions) are kept in the automation/CD toolchain.

Adapted from Torsten Rueter at URL: https://www.linkedin.com/pulse/devops-itil-match-made-heaven-hell-part-1-torsten-rueter

Page 13

What is different in DevOps… Release and Change Management:

URL: https://www.chef.io/solutions/continuous-delivery/

Incident Management: DevOps primarily changes who gets involved in Incident Management at which stage and what their stake is in the process. An even bigger impact may be achieved by ensuring there is the right culture and mindset that puts customers, service, reliability, and quick mean time to repair (MTTR) at the center of the approach.

Event Management, Monitoring & Logging: The key difference is that the complexity, scale, and speed in DevOps make it imperative to focus on Internet Scale rather than Enterprise Scale solutions.

Adapted from Torsten Rueter at URL: https://www.linkedin.com/pulse/devops-itil-match-made-heaven-hell-part-1-torsten-rueter

Page 14

DevOps Success Factors

DevOps Success factors:
• Culture, Collaboration & Mindset
• Effective Team Collaboration
• Identify & Eliminate Waste
• Improve Automation Efficiencies for Internet Scale
• Unified Processes for Development to Operations
• Unified Tooling (Key Capabilities)
  • Version-control software library
  • Deeply modeled systems
  • Automation
• Key Industry dynamics:
  • Infrastructure as code
  • Model driven automation
  • Continuous integration (CI)
  • Continuous deployment (CD)

Diagram (Culture, Process and Technology, under Continuous Assessment & Adjust): Planning, Governance, Lifecycle Management, Release Automation, Collaboration, Accountability, Continuous Integration, Continuous Testing, Continuous Delivery, Continuous Deployment, Continuous Performance.

Page 15

DevOps Best Practices

URL: http://www.drdobbs.com/architecture-and-design/top-10-practices-for-effective-devops/240149363

Practice 1: Active Stakeholders Participation
Practice 2: Automated Testing
Practice 3: Integrated Configuration Management
Practice 4: Integrated Change Management
Practice 5: Continuous Integration
Practice 6: Integrated Deployment Planning
Practice 7: Continuous Deployment
Practice 8: Production Support
Practice 9: Application Monitoring
Practice 10: Automated Dashboards

The Road to DevOps:
1. Execs Commitment
2. Cloud Platform
3. Standardization
4. Interoperability & Automation
5. Process Optimization
6. Organization Culture

Page 16

DevOps lifecycle

DevOps domains:
• Collaboration
• Continuous Deployment / Delivery
• Continuous Integration
• Source Control
• Development Environment
• Configuration Management
• Monitoring
• Issue Tracking
• Planning
• Operations Management

Page 17

Sample of DevOps Tools and Technologies

Categories: Plan, Develop / Build, Test, Continuous Delivery/Deploy, Issue Tracking, Monitoring, Continuous Integration, Analyze, Collaboration, Configuration Management

Tools shown (the slide's column layout did not survive extraction):
• Campfire, Slack, IRC, SharePoint, GoToMeeting, HP MyRoom
• MS Project, Trello, HP Agile Manager, HP PPM
• Jira, HP Quality Center, ZenDesk, HP SM & SAW, MS Visual Studio Online
• Graphite, Logstash, Kibana, HP SiteScope, HP vPV, HP OMi, HP BSM, Performance Manager
• Puppet, Chef, CFEngine, Ansible, SaltStack, HP CMS, PowerShell DSC
• Git, CVS, MS TFS, Vagrant, Cloud 9 IDE, Codenvy
• TeamCity, TravisCI, Octopus, ThoughtWorks Go, Packer, Ubuntu Juju, Capistrano, Jenkins
• Ant, Gradle, Maven, BuildHive, New Relic, Docker, CoreOS
• HP Fortify, SonarQube, Artifactory
• Splunk, HP ArcSight, HP CODAR, HP OO, SA, NA, DMA, NNMi, Cloudyn, logentries

Page 18

Cloud Management Tools, Technologies & Companies

Cost/Chargeback: Cloudability, Cloudyn, Cloud Cruiser, HP CloudSystem Chargeback

Integration: Dell Boomi, Azure, IBM / Cast Iron, Amazon SQS, Informatica, TIBCO, MuleSoft

Automation & Provisioning and Management Platform: Puppet, Chef, HP CSA, SA, NA, DMA, AWS, OpenStack, Newvem / Datapipe, enStratius / Dell, RightScale, GigaSpaces, BMC, Capgemini, CA Technologies, HP Helion, IBM, ServiceMesh / CSC, vRealize / VMware

Page 19

Security Management Tools, Technologies & Companies

Categories: Cyber Security, Investigation Management, Computer Security, Network Security

Vendors shown (the slide's column layout did not survive extraction): FireEye, Palo Alto Networks, Check Point, Proofpoint, Guidance Software, Perspective, i-Sight, Report Exec, Column Case Investigate, EHS Insight, logikcull, HR Acuity, Lancope, AlienVault, Norse, RSA/EMC, HP ESS, Blue Coat, Akamai, Trend Micro, IBM ESS, Intel Security, Symantec, F5, AVG, ClearWater Compliance, F-Secure, Cisco, Beyond Security, AT&T Network Security, Qualys, Bayshore, Bradford Networks

Page 20

Service Delivery Models

Stack layers shown for each model: Storage, Servers, Networking, O/S, Middleware, Virtualization, Data, Applications, Runtime, plus User Experience and Devl Tools.

Models: Traditional (On Premise), Infrastructure (as a Service), Platform (as a Service), Software (as a Service).

Each layer is marked Client Managed, Vendor Managed or Jointly Managed; moving from Traditional through IaaS and PaaS to SaaS, responsibility for successively more of the stack passes from the client to the vendor.

Page 21

Cloud Actors
• Cloud Consumer: Person or organization that maintains a business relationship with, and uses service from, Cloud Providers.
• Cloud Provider: Person, organization or entity responsible for making a service available to Cloud Consumers.
• Cloud Auditor: A party that can conduct independent assessment of cloud services, information system operations, performance and security of the cloud implementation.
• Cloud Broker: An entity that manages the use, performance and delivery of cloud services, and negotiates relationships between Cloud Providers and Cloud Consumers.
• Cloud Carrier: The intermediary that provides connectivity and transport of cloud services from Cloud Providers to Cloud Consumers.

Page 22

Cloud Services Integration and Management (CSIM/CSIAM)

Actors: Cloud Consumers, Cloud Brokers, Service Providers, Cloud Auditors

IT Operations (Service Delivery, Service Support, Operations Support):
• Incident Management
• Problem Management
• Knowledge Mgmt
• Change Management
• Release Management
• Availability & Capacity Mgmt
• Service Catalog/Request Management
• Service Assets & Configuration Mgmt
• Event Management & Monitoring

Business Support:
• Customer Mgmt
• Contract Mgmt
• Inventory Mgmt
• Accounting & Billing
• Reporting & Auditing
• Pricing, Costing & Rating

Integration (Portability & Interoperability) and Data Management:
• Data Portability
• Service Interoperability
• Systems Portability
• Copy Data
• Bulk Data Transfer
• Unified Management Interface
• VM Images Migration
• App/SVC Migration
• Containers Migration

Rapid Provisioning & Fulfillment:
• Resource Change
• Provisioning/Configuration
• Monitoring & Reporting
• Metering
• SLA Management

Governance, Security & Risk Management:
• Security Management
• Governance, Risk Mgmt & Controls
• Facility, Network, Workplace, Workload, Storage Security, Data Ctr Services

Page 23

OpenStack key components
• Dashboard (Horizon)
• Compute (Nova)
• Object Storage (Swift)
• Block Storage (Cinder)
• Networking (Neutron)
• Image Management (Glance)
• Identity Management (Keystone)
• Telemetry (Ceilometer)
• Orchestration (Heat)
• Database (Trove)
• Bare Metal Provisioning (Ironic)
• Messaging (Zaqar)
• Elastic Map Reduce (Sahara)

Page 24

Sample Standards and Compliance Controls
• Cloud Security Alliance Cloud Control Matrix (CSA CCM 3.0.1)
• NIST SP 800-53 Rev. 4
• NIST Cybersecurity Framework
• ISO/IEC 27002
• FISMA and FedRAMP
• Meaningful Use, HITECH and HIPAA
• CoBIT 5
• ITIL v3 / 2011
• Payment Card Industry Data Security Standard (PCI DSS 3.1)
• Distributed Management Task Force (DMTF)
  • Cloud Infrastructure Management Interface (CIMI)
  • Cloud Auditing Data Federation (CADF)

Page 25

Sample Standards and Compliance Controls

CSA Cloud Controls Matrix 3.0.1

NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations

NIST Cybersecurity Framework

ISO/IEC 27002:2013 Information technology. Security techniques. Code of practice for information security controls

PCI DSS 3.1

Distributed Management Task Force (DMTF)
• Cloud Auditing Data Federation (CADF) Standard
• Cloud Infrastructure Management Interface (CIMI)

Page 26

Cloud Security Alliance TCI Reference Architecture

Legend: CSA: Cloud Security Alliance. TCI: Trusted Cloud Initiative.
Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI_Whitepaper.pdf

Page 27

Cloud Security Alliance TCI Reference Architecture

Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI_Whitepaper.pdf

SRM Services:
• Governance Risk and Compliance
• Information Security Management
• Privilege Management Infrastructure
• Threat and Vulnerability Management
• Infrastructure Protection Services
• Data Protection
• Policies and Standards

ITOS Services:
• IT Operations
• Service Delivery
• Service Support
• Incident Management
• Problem Management
• Knowledge Management
• Change Management
• Release Management

BOSS Services:
• Compliance
• Data Governance
• Operational Risk Management
• Human Resources Security
• Security Monitoring Services
• Legal Services
• Internal Investigation

Presentation Services:
• Presentation Modality
• Presentation Platform

Application Services:
• Development Process
• Security Knowledge Lifecycle
• Programming Interfaces
• Integration Middleware
• Connectivity & Delivery
• Abstraction

Infrastructure Services:
• Facility Services
• Servers
• Storage Services
• Network Services
• Availability Services
• Patch Management
• Equipment Maintenance
• Virtualization (Desktop, Storage, Server, Network)

Information Services:
• User Directory Services
• Security Monitoring Data Management
• Service Delivery Data Management
• Service Support Data Management
• Data Governance Data Management
• Risk Management Data Management
• ITOS Data Management
• BOSS Data Management
• Reporting Services

Page 28

CSA Cloud Control Matrix CCM v3.0.1: 16 Domains, 133 Controls

Source: https://cloudsecurityalliance.org/research/ccm/

Legend: CSA: Cloud Security Alliance. CCM: Cloud Control Matrix. (Number of controls) for each Domain.

1. AIS: Application & Interface Security (4)
2. AAC: Audit Assurance & Compliance (3)
3. BCR: Business Continuity Management & Operational Resilience (11)
4. CCC: Change Control & Configuration Management (5)
5. DSI: Data Security & Information Lifecycle Management (7)
6. DCS: Datacenter Security (9)
7. EKM: Encryption & Key Management (4)
8. GRM: Governance and Risk Management (11)
9. HRS: Human Resources (11)
10. IAM: Identity & Access Management (13)
11. IVS: Infrastructure & Virtualization Security (13)
12. IPY: Interoperability & Portability (5)
13. MOS: Mobile Security (20)
14. SEF: Security Incident Management, E-Discovery & Cloud Forensics (5)
15. STA: Supply Chain Management, Transparency and Accountability (9)
16. TVM: Threat and Vulnerability Management (3)

Page 29

NIST SP 800-53 Rev. 4 Security and Privacy Controls

Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Security Life Cycle: Risk Management Framework (RMF)

1. CATEGORIZE Information Systems (Starting Point): Define criticality/sensitivity of the information system according to the potential worst-case, adverse impact to mission/business.
2. SELECT Security Controls: Select baseline security controls, apply tailoring guidance and supplement controls as needed based on risk assessment.
3. IMPLEMENT Security Controls: Implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
4. ASSESS Security Controls: Determine security control effectiveness (i.e. controls implemented correctly, operating as intended, meeting security requirements for the information system).
5. AUTHORIZE Information Systems: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
6. MONITOR Security Controls: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.

Architecture Description: Mission/Business Processes; Reference Models; Segment and Solution Architectures; Information System Boundaries

Organizational Inputs: Laws, Directives, Policy, Guidance; Strategic Goals and Objectives; Information Security Requirements; Priorities and Resource Availability
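The six RMF steps above form one procedure, and the following added Python example models it end to end (example code, not NIST's and not the deck's): FIPS 199 high-water-mark categorization, baseline selection from a constructed mini-catalog, tailoring that refuses a removal without a written justification, authorization gated on assessment results, and monitoring that revokes the authorization when a change touches a control family. The catalog entries are illustrative only (the authoritative baselines are in SP 800-53 Rev. 4 Appendix D), and the class and function names are assumptions of the example.

```python
"""Model of the RMF select/assess/authorize/monitor loop (added example)."""
from dataclasses import dataclass, field

IMPACT_LEVELS = ("Low", "Moderate", "High")

# Constructed mini-catalog: control -> lowest baseline that includes it.
# Illustrative only; check SP 800-53 Rev. 4 Appendix D for the real baselines.
CATALOG = {
    "AC-2": "Low", "AC-2(1)": "Moderate", "AC-2(4)": "Moderate", "AC-2(12)": "High",
    "AU-2": "Low", "AU-6": "Low", "AU-6(1)": "Moderate", "AU-6(5)": "High",
    "CM-3": "Moderate", "CM-3(1)": "High",
    "IR-4": "Low", "IR-4(4)": "High",
}


def categorize(confidentiality, integrity, availability):
    """Step 1: FIPS 199 high-water mark, the system takes the highest of the three."""
    return max((confidentiality, integrity, availability), key=IMPACT_LEVELS.index)


def select_baseline(impact, catalog=CATALOG):
    """Step 2a: every control whose baseline level is at or below the system's level."""
    rank = IMPACT_LEVELS.index(impact)
    return {cid for cid, level in catalog.items() if IMPACT_LEVELS.index(level) <= rank}


def tailor(baseline, removals=None, supplements=()):
    """Step 2b: a control may leave the baseline only with a written justification
    (e.g. inherited from the provider); supplements from the risk assessment are added."""
    removals = removals or {}
    for cid, why in removals.items():
        if cid not in baseline:
            raise ValueError(f"{cid} is not in the baseline")
        if not why.strip():
            raise ValueError(f"removal of {cid} needs a justification")
    return (baseline - set(removals)) | set(supplements)


@dataclass
class SystemRecord:
    """Steps 3-6 tracked for one information system."""
    impact: str
    controls: set                                  # selected and tailored controls
    effective: set = field(default_factory=set)    # assessed as operating as intended
    authorized: bool = False

    def assess(self, results):
        """Step 4: record assessment results (control -> True if effective)."""
        for cid, ok in results.items():
            if ok:
                self.effective.add(cid)
            else:
                self.effective.discard(cid)

    def authorize(self):
        """Step 5: authorize only when no selected control is unassessed or failing.
        Returns the gaps that block authorization (empty when authorized)."""
        gaps = self.controls - self.effective
        self.authorized = not gaps
        return sorted(gaps)

    def monitor(self, changed_families):
        """Step 6: a change touching a control family (e.g. {"AU"}) sends that family
        back for reassessment and suspends the authorization until it is repeated."""
        affected = {c for c in self.controls if c.split("-")[0] in changed_families}
        if affected:
            self.effective -= affected
            self.authorized = False
        return sorted(affected)


if __name__ == "__main__":
    level = categorize("Low", "Moderate", "Low")
    chosen = tailor(select_baseline(level),
                    removals={"CM-3": "inherited from the hosting platform provider"},
                    supplements=["AU-6(5)"])
    system = SystemRecord(level, chosen)
    system.assess({c: True for c in chosen})
    print(level, "authorized:", system.authorize() == [])
    print("reassess after logging change:", system.monitor({"AU"}))
```

The point of the `monitor` step is the one auditors most often find missing in fast-moving pipelines: a change that alters how audit records are generated or stored invalidates the earlier assessment of the AU family, and the authorization should not silently survive it.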

Page 30

NIST SP 800-53 Rev. 4 Security and Privacy Controls

Identifier  Family                                    Class  Ctrls
AC          Access Control                            Tech   25
AT          Awareness and Training                    Ops    5
AU          Audit and Accountability                  Tech   16
CA          Security Assessment and Authorization     Mgmt   9
CM          Configuration Management                  Ops    11
CP          Contingency Planning                      Ops    13
IA          Identification and Authentication         Tech   11
IR          Incident Response                         Ops    10
MA          Maintenance                               Ops    6
MP          Media Protection                          Ops    8
PE          Physical and Environmental Protection     Ops    20
PL          Planning                                  Mgmt   9
PS          Personnel Security                        Ops    8
RA          Risk Assessment                           Mgmt   6
SA          System and Services Acquisition           Mgmt   22
SC          System and Communications Protection      Tech   44
SI          System and Information Integrity          Ops    17
PM          Program Management                        Mgmt   16

Legend: Tech: Technical. Ops: Operational. Mgmt: Management. Ctrls: Number of Controls.
Ref: URL: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Page 31

NIST SP 800-53 Rev. 4 Security and Privacy Controls

Management: (5)
• CA: Security Assessment and Authorization
• RA: Risk Assessment
• SA: System and Services Acquisition
• PL: Planning
• PM: Program Management

Operational: (9)
• AT: Awareness and Training
• CM: Configuration Management
• CP: Contingency Planning
• IR: Incident Response
• MA: Maintenance
• MP: Media Protection
• PE: Physical and Environmental Protection
• PS: Personnel Security
• SI: System and Information Integrity

Technical: (4)
• AC: Access Control
• AU: Audit and Accountability
• IA: Identification and Authentication
• SC: System and Communications Protection

Page 32

NIST Cybersecurity Framework version 1.0

Source: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

Chart: number of subcategories per Framework function: Identify 24, Protect 35, Detect 18, Respond 15, Recover 6 (the per-category counts shown on the slide did not survive extraction).

Page 33

ISO/IEC 27002:2013

Source URL: http://iso27001security.com/html/27002.html
URL: http://iso27001security.com/html/iso27k_toolkit.html

Page 34

FISMA & FedRAMP

Diagram: FedRAMP = FISMA (NIST 800-53) + Additional Controls

FISMA:
• Federal Information Security Management Act (FISMA)
• United States legislation (not an agency program)
• A comprehensive framework to protect government information, operations and assets against natural or man-made threats
• Assigns responsibilities to various agencies to ensure the security of data
• Managed by individual agencies
• Requires annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels

FedRAMP:
• Federal Risk and Authorization Management Program (FedRAMP)
• A government-wide program leveraging a "do once, use many times" framework (not legislation)
• Provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services
• Purpose: Ensure that cloud based services have adequate information security; eliminate duplication of effort and reduce risk management costs; enable rapid and cost-effective procurement of information systems/services for Federal agencies
• GSA oversees, and accredited 3PAOs validate proposed offers before GSA approves

Note: 3rd party assessment organizations (3PAOs)
URL: http://csrc.nist.gov/groups/SMA/forum/documents/FedRAMP-Goodrich-020912.pdf
URL: http://1105govinfoevents.com/custom/Face-to-Face/2-15/FISMA-FedRAMP-Controls-and-Authorization-Differences-Whitepaper-Coalfire.pdf

Number of controls per baseline:
FedRAMP: 125 Low, 326 Moderate, N/A High
FISMA: 124 Low, 261 Moderate, 343 High

Page 35

Meaningful Use, HITECH & HIPAA

HIPAA: Health Insurance Portability and Accountability Act (1996)
HITECH: Health Information Technology for Economic and Clinical Health (2009)
Meaningful Use: Meaningful Use guidelines for Electronic Health Records (2010)

HIPAA:
• Health Insurance Portability and Accountability Act (HIPAA) of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs.
• Rules: Privacy, Security, Enforcement

HITECH:
• The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.
• 15 measure groups; 25 criteria & measures for meaningful use

Meaningful Use:
• Using certified electronic health record (EHR) technology to: improve quality, safety, efficiency, and reduce health disparities; engage patients and family; improve care coordination, and population and public health; maintain privacy and security of patient health information.
• 15 core measures; 10 menu set objectives

URL: http://www.hhs.gov/ocr/privacy/hipaa/understanding/
URL: http://pitchengine.com/pitches/9bbbb1a7-9fd0-4fcf-81ce-a397f82fd99a
URL: https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/downloads/EP-MU-TOC.pdf
URL: http://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title45/45cfr164_main_02.tpl

Page 36

COBIT 5

Source URL: http://www.isaca.org/COBIT/Pages/default.aspx

Page 37

COBIT 5

Ref URL: http://www.isaca.org/COBIT/Pages/default.aspx

Governance

Evaluate, Direct and Monitor (EDM), 5 processes:
• EDM01 Ensure Governance Framework Setting and Maintenance
• EDM02 Ensure Benefits Delivery
• EDM03 Ensure Risk Optimization
• EDM04 Ensure Resource Optimization
• EDM05 Ensure Stakeholder Transparency

Management

Align, Plan and Organize (APO), 13 processes:
• APO01 Manage the IT Management Framework
• APO02 Manage Strategy
• APO03 Manage Enterprise Architecture
• APO04 Manage Innovation
• APO05 Manage Portfolio
• APO06 Manage Budget and Costs
• APO07 Manage Human Resources
• APO08 Manage Relationships
• APO09 Manage Service Agreements
• APO10 Manage Suppliers
• APO11 Manage Quality
• APO12 Manage Risk
• APO13 Manage Security

Build, Acquire and Implement (BAI), 10 processes:
• BAI01 Manage Programs and Projects
• BAI02 Manage Requirements Definition
• BAI03 Manage Solutions Identification and Build
• BAI04 Manage Availability and Capacity
• BAI05 Manage Organizational Change Enablement
• BAI06 Manage Changes
• BAI07 Manage Change Acceptance and Transitioning
• BAI08 Manage Knowledge
• BAI09 Manage Assets
• BAI10 Manage Configuration

Deliver, Service and Support (DSS), 6 processes:
• DSS01 Manage Operations
• DSS02 Manage Service Requests and Incidents
• DSS03 Manage Problems
• DSS04 Manage Continuity
• DSS05 Manage Security Services
• DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess (MEA), 3 processes:
• MEA01 Monitor, Evaluate and Assess Performance and Conformance
• MEA02 Monitor, Evaluate and Assess the System of Internal Control
• MEA03 Monitor, Evaluate and Assess Compliance with External Requirements

Page 38

ITIL 2011

Service Strategy (SS), 5 Processes:
• Business relationship management
• Financial management for IT services
• Service portfolio management
• Strategy for IT services
• Demand management

Service Design (SD), 8 Processes:
• Design coordination
• Service catalog management
• Service level management
• IT Service continuity management
• Supplier management
• Availability management
• Capacity management
• IT Security management

Service Transition (ST), 7 Processes:
• Transition planning & support
• Change management
• Change evaluation
• Service validation & testing
• Service asset & configuration management
• Release & deployment management
• Knowledge management

Service Operation (SO), 5 Processes:
• Event management
• Incident management
• Problem management
• Request management
• Access management
4 Functions:
• Service desk
• Technical management
• IT Operations management
• Application management

Continual Service Improvement (CSI), 1 Process:
• 7 steps improvement process

Page 39

ITIL v3 Value Chain (Level 1)

Service Strategy (SS):
• Business Relationship Management
• Management of IT Service Strategy
• Demand Management
• Service Portfolio Management (SPM)
• Financial Management (FM)

Service Design (SD):
• Service Design Coordination
• Service Level Management (SLM)
• Capacity Management
• Availability Management
• Risk Management
• Security Management
• Service Continuity Management
• Supplier Management
• Service Catalog Management

Service Transition (ST):
• Transition Planning and Support
• Change Management
• Change Evaluation
• Release and Deployment Management
• Service Validation and Test
• Service Asset and Configuration Management
• Application Development and Customizing
• End of Life for IT Services
• Knowledge Management

Service Operations (SO):
• Event Management
• Incident Management
• Problem Management
• Access Management
• Service Request Management
• Operations Control

Continual Service Improvements (CSI):
• Service Evaluation
• Process Management
• Improvement Management and Reporting

Page 40: Sukumar Nayak-Agile-DevOps-Cloud Management

40

Payment Card Industry Data Security Standard (PCI DSS) 3.1: 12 high-level requirements, with the number of detailed requirements under each in parentheses

Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data (20)
2. Do not use vendor-supplied defaults for system passwords and other security parameters (10)

Protect Cardholder Data
3. Protect stored cardholder data (18)
4. Encrypt transmission of cardholder data across open, public networks (3)

Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs (5)
6. Develop and maintain secure systems and applications (28)

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know (10)
8. Identify and authenticate access to system components (23)
9. Restrict physical access to cardholder data (27)

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data (32)
11. Regularly test security systems and processes (16)

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel (39)

Totals: 12 requirements, 231+ detailed requirements, plus 5 requirements for shared hosting providers.
Source: PCI DSS Standards, URL: https://www.pcisecuritystandards.org

Page 41: Sukumar Nayak-Agile-DevOps-Cloud Management

41

DMTF Cloud Auditing Data Federation (CADF) Standard
Defines a full event model anyone can use to fill in the essential data needed to certify, self-manage and self-audit application security in cloud environments. CADF is part of the DMTF’s Cloud Management Initiative.

Auditing using a standard such as CADF has many benefits:
• Create and request customized views for Audit & Compliance data
• Track regional, industry and corporate policy compliance using standardized APIs / reports
• Key event data is normalized and categorized to support auditing of hybrid Cloud applications
• CADF assures consistent mappings across cloud components and cloud providers
• Format is agnostic to the underlying provider infrastructure
• Provides transparency for low-level operational processes

Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

Customer benefits:
• Ability to self-manage auditing of their data
• Similar reports from different Cloud service providers
• Aggregate audit data from different Clouds / Partners
• Auditing processes & tools unchanged

Page 42: Sukumar Nayak-Agile-DevOps-Cloud Management

42

Cloud Auditing Data aggregated from multiple sources

Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

[Figure: Company A’s OSS/BSS processes and Company A’s auditor request audit data through standard APIs; Cloud Provider P1 and Cloud Provider P2, each running Company A’s hybrid applications, return standard audit data (logs and reports); the audit data from the hybrid applications is aggregated on Company A’s side.]

OSS: Operational Support Services
BSS: Business Support Services

Page 43: Sukumar Nayak-Agile-DevOps-Cloud Management

43

Example: the 7 essential W’s of auditing and monitoring

CADF Event Model: basic and conditional model components

Source: http://dmtf.org/sites/default/files/standards/documents/DSP2038_1.0.0.pdf

Distributed Management Task Force (DMTF) Cloud Auditing Data Federation (CADF): the CADF Event Model and its components
• Work for any Activity, Monitoring or Control event
• Provide guidance on how to record Basic, Detailed or Precise information for each component

1. What: What activity occurred? What was the result? Properties: event.action, event.outcome, event.type (activity, monitoring, control), event.reason (e.g. security reason code, policy id)
2. When: When did the action happen? When was it observed? How long did it take? Properties (ISO 8601 timestamps): event.eventTime, reporter.timestamp, event.duration
3. Who: Who (user/service) initiated the action? Properties: initiator.id; initiator.type; initiator (id, name); initiator.credential; initiator.credential.assertions
4. Where: Where was the action observed, reported or modified? What role does the event serve? How was it recorded? Properties: observer.id, observer.type, reporterstep.role, reporterstep.reporterTime
5. On What: On what resource did the activity target? Property: target.id
6. From Where: From where was the action initiated? May include logical/physical addresses and ISO 6709:2008 precise geolocations. Properties: initiator.addresses, initiator.host, initiator.geolocation
7. To Where: To where was the action targeted? Can be as simple as an IP address or server name. Properties: target.addresses, target.host, target.geolocation

Legend: italics (in the original slide) mark optional properties
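The 7 W’s above as a checkable record, together with the cross-provider aggregation of the previous slide: an added Python example, not the DMTF’s or the presenter’s code. It assumes the DSP0262 JSON field names (typeURI, eventType, action, outcome, eventTime, initiator, target, observer, reason) and uses constructed ids, hosts and providers P1/P2.

```python
from collections import Counter
# Added example, not DMTF or presenter code: records in the CADF JSON shape from DSP0262;
# ids, hosts and provider names are constructed for illustration.
CADF_TYPE_URI = "http://schemas.dmtf.org/cloud/audit/1.0/event"
EVENT_TYPES = {"activity", "monitor", "control"}  # DSP0262 spellings of event.type
OUTCOMES = {"success", "failure", "unknown", "pending"}

def validate_basic_model(event):
    """Missing/malformed 7-W components (empty = auditable). What, When, Who, On What and
    Where are mandatory; From Where / To Where are conditional and not required here."""
    problems = []
    if event.get("typeURI") != CADF_TYPE_URI:
        problems.append("typeURI")
    if event.get("eventType") not in EVENT_TYPES:
        problems.append("eventType")
    if not event.get("action"):
        problems.append("action")
    if event.get("outcome") not in OUTCOMES:
        problems.append("outcome")
    if not event.get("eventTime"):
        problems.append("eventTime")
    for component in ("initiator", "target", "observer"):
        if not isinstance(event.get(component), dict) or not event[component].get("id"):
            problems.append(component)
    return problems

def aggregate(events):
    """Auditor's cross-provider view: failure counts per (observer, initiator, action),
    plus the ids of records that fail the basic model (flagged, never silently dropped)."""
    view, rejected = Counter(), []
    for event in events:
        if validate_basic_model(event):
            rejected.append(event.get("id"))
        elif event["outcome"] == "failure":
            view[(event["observer"]["id"], event["initiator"]["id"], event["action"])] += 1
    return view, rejected

def sample_events():
    """Constructed records as providers P1 and P2 might return them over the standard API."""
    def base(**fields):
        return {"typeURI": CADF_TYPE_URI, "eventType": "activity", **fields}
    return [
        base(id="p1-0001", action="read", outcome="success", eventTime="2015-07-14T10:00:00Z",
             initiator={"id": "user:alice", "host": {"address": "10.0.0.5"}},  # From Where
             target={"id": "storage/object:q2.csv"}, observer={"id": "provider-P1/audit"}),
        base(id="p2-0001", action="read", outcome="failure", eventTime="2015-07-14T10:05:00Z",
             initiator={"id": "user:alice"}, target={"id": "storage/object:q2.csv"},
             observer={"id": "provider-P2/audit"}, reason={"reasonType": "HTTP", "reasonCode": "403"}),
        base(id="p2-0002", action="delete", eventTime="2015-07-14T10:06:00Z",  # no outcome/observer
             initiator={"id": "user:bob"}, target={"id": "compute/machine:vm-17"}),
    ]
```

Because both providers emit the same field names, the same `aggregate` call serves P1 and P2 records without provider-specific parsing, which is the "auditing processes & tools unchanged" benefit of the previous slides.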

Page 44: Sukumar Nayak-Agile-DevOps-Cloud Management

44

Challenges & Opportunities in Cloud Management
• Transparency is crucial
• Regulations can’t keep up
• Need for continuous real-time security audits & monitoring
• Bridge the gaps between academic-world innovations and the business world
• Security requires a big-picture approach
• BYOD brings additional challenges
• Bare-metal security features are not available in the virtual world
• Accidental key sharing in appliances
• Leave security implementations to the experts
• Data partitioning for hybrid clouds
• Do consumers care? i.e. are they willing to pay?
• Products can end up being used in industries they aren’t designed for
• Security guarantees are impossible to "prove"

Source: John Wetherill, URL: http://www.activestate.com/blog/2015/02/locking-down-cloud-18-security-issues-faced-enterprise-it
Source URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm

Page 45: Sukumar Nayak-Agile-DevOps-Cloud Management

45

Challenges & Opportunities in Cloud Management
• Containers and portable VM snapshots are too portable
• Encryption efforts are vulnerable if physical access to a machine is available
• Controlling physical access to the data center is not enough
• Privacy and security are at odds
• Lack of control over assets and physical security
• Integration and interoperability of systems / API management
• Who controls the encryption/decryption keys for data in store & in transit?
• Lack of standards for data integrity
• Virtual machines / containers transition between private, public and hybrid environments
• Establishing and managing Service Level Agreements (SLA)
• Usage-based costing, invoicing & chargeback
• Data migration in and out of the Cloud Service Provider
• Plan for an exit strategy from the beginning

Source: John Wetherill, URL: http://www.activestate.com/blog/2015/02/locking-down-cloud-18-security-issues-faced-enterprise-it
Source URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm

Page 46: Sukumar Nayak-Agile-DevOps-Cloud Management

46

Reference URLs• Cloud Standards Customer Council (CSCC) Cloud Security Standards

• Cloud Auditing Data Federation

• NIST Cloud Computing Standards Roadmap

• Detailed CSA TCI Reference Architecture

• Payment Card Industry (PCI) Data Security Standards (DSS) Guidelines

• OpenStack wiki

• OpenStack Main Page

• OpenStack Developers Guides

• Cloud Audit Data Federation - OpenStack Profile

• Cloud Auditing Data Federation (CADF) - 5 Data Format and Interface Definitions Specification (DSP0262_1.0.0)

• CADF Event Model and Taxonomies

• NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations

• URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm

• CRCnetBASE: http://www.crcnetbase.com/action/showPublications?display=bySubject&category=40001730&collapse=40001730

• FedRAMP: https://www.fedramp.gov/

• FISMA: http://www.dhs.gov/federal-information-security-management-act-fisma

Page 47: Sukumar Nayak-Agile-DevOps-Cloud Management

47

References & Credits

Page 48: Sukumar Nayak-Agile-DevOps-Cloud Management

48

Conclusion• Migration to Cloud will continue due to the efficiencies and economics.

• Cloud is all about services and service delivery.

• The Cloud is only worth the services it delivers securely.

• Cloud is all about a hybrid world.

• Security, Risk Management & Audit practices are at the center for Agile, DevOps, and Cloud Management transformation.

Page 49: Sukumar Nayak-Agile-DevOps-Cloud Management

Contact: [email protected] | 240.506.2305 | linkedin.com/in/sukumarnayak/

Page 50: Sukumar Nayak-Agile-DevOps-Cloud Management

50

Backup

Page 51: Sukumar Nayak-Agile-DevOps-Cloud Management

51

Open Security Architecture

Open Security Architecture URL: http://www.opensecurityarchitecture.org/cms/foundations/osa-taxonomy

Page 52: Sukumar Nayak-Agile-DevOps-Cloud Management

52

DevOps & Cloud: Key is Automated Provisioning
Fully automated provisioning: the ability to deploy, update, and repair application infrastructure using only pre-defined automated procedures.

Criteria for achieving fully automated provisioning:
• Be able to automatically provision an entire environment — from “bare-metal” to running business services — completely from specification
• No direct management of individual boxes
• Be able to revert to a “previously known good” state at any time
• It’s easier to re-provision than it is to repair
• Anyone on your team with minimal domain-specific knowledge can deploy or update an environment

Page 53: Sukumar Nayak-Agile-DevOps-Cloud Management

53

Extending the scope and value delivered by GRC & ERM

Ref: 2014 Forrester report by Chris McClean, Stephanie Balaouras & Jennie Duong
Source URL: http://www.metricstream.com/pdf/Extend-compliance-and-risk-Forrester-play-book.pdf

Page 54: Sukumar Nayak-Agile-DevOps-Cloud Management

54

DevOps Maturity Model

Source HP: http://h30499.www3.hp.com/t5/Business-Service-Management-BAC/DevOps-and-OpsDev-How-Maturity-Model-Works/ba-p/6042901#.VWJZ0k3bKM8

Page 55: Sukumar Nayak-Agile-DevOps-Cloud Management

55

Sample of DevOps Tools and Technologies (by pipeline stage)

Plan: HP Agile Manager, HP PPM, MS Project, Trello
Develop / Build: Git, CVS, MS TFS, Vagrant, Cloud 9 IDE, Codenvy
Continuous Integration (CI): TeamCity, TravisCI, Jenkins, BuildHive
Test: HP Quality Center, Ant, Gradle, Maven
Continuous Delivery / Deploy (CD): HP CODAR; HP OO, SA, DMA, NA, NNMi; Docker; CoreOS Rocket; Packer; Octopus; ThoughtWorks Go; Capistrano; Artifactory

Page 56: Sukumar Nayak-Agile-DevOps-Cloud Management

56

Sample of DevOps Tools and Technologies (by operational function)

Issue Tracking: HP SM & SAW, HP Quality Center, Jira, ZenDesk, MS Visual Studio Online
Monitoring: HP Site Scope; HP vPV, HP OMi, HP BSM; Performance Manager; Graphite; Logstash; Cloudyn; New Relic (APM & Server)
Configuration Management: HP CMS (UD & CMDB), Puppet, Chef, CFEngine, Ansible, SaltStack, PowerShell DSC, Ubuntu Juju
Analyze: HP ArcSight, HP Fortify, Splunk, SonarQube, Kibana, logentries
Collaboration: HP MyRoom, Campfire, Slack, IRC, SharePoint, GoToMeeting

Page 57: Sukumar Nayak-Agile-DevOps-Cloud Management

57

Lean principles

• Queues and total throughput
• Variability, innovation, and economic consequences
• Batch sizes
• Work in progress
• Fast feedback
• Decentralized control

Page 58: Sukumar Nayak-Agile-DevOps-Cloud Management

58

COBIT 5

URL: http://www.isaca.org/COBIT/Pages/default.aspx

Page 59: Sukumar Nayak-Agile-DevOps-Cloud Management

59

Service Delivery Models

[Figure: four columns, Traditional (on premise), Infrastructure (as a Service), Platform (as a Service) and Software (as a Service), each stacking the same nine layers: Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking. Each layer is labelled Client Managed, Vendor Managed or Jointly Managed, with a User Experience row across all four columns.]

Page 60: Sukumar Nayak-Agile-DevOps-Cloud Management

60

Definitions of Key Terms & Acronyms
• ADFS: Active Directory Federated Services
• CADF: Cloud Auditing Data Federation
• CSA: Cloud Security Alliance
• CSCC: Cloud Standards Customer Council
• CI: Continuous Integration
• CD: Continuous Deployment / Continuous Delivery
• DMTF: Distributed Management Task Force
• ENISA: European Network and Information Security Agency
• GRC: Global Regulatory Compliance
• LDAP: Lightweight Directory Access Protocol
• NIST: National Institute of Standards and Technology
• NIST CC SRA: Cloud Computing Standard Reference Architecture
• PCI DSS: Payment Card Industry Data Security Standard
• SAML: Security Authorization Markup Language
• SCIM: System for Cross-domain Identity Management
• SLA: Service Level Agreement
• SLO: Service Level Objectives
• SSAE 16: Statement on Standards for Attestation Engagements (SSAE) No. 16
• XACML: eXtensible Access Control Markup Language
• SAFe: Scaled Agile Framework