Sukumar Nayak-Detailed-Cloud Risk Management and Audit
Cloud Risk Management and Audit
Sukumar Nayak, CTO Cloud Services Integration & Automation Leader
Date Created: 01/27/2014; Date last updated: 03/15/2015
Scope:
• Cloud Fundamentals
• Cloud Models & Approaches
• Intro to OpenStack
• Reference Architecture & Framework
• Intro to CSA (1) Cloud Control Matrix (CCM)
  • 16 Domains & 133 Controls
• Intro to DMTF (2) Cloud Auditing Data Federation (CADF)
• Risk Management Challenges & Opportunities
• 10 Steps to Manage Cloud Security by CSCC (3)
• Q&A
Objective: Provide an overview of Cloud Risk Management and Audit
1. CSA: Cloud Security Alliance
2. DMTF: Distributed Management Task Force
3. CSCC: Cloud Standards Customers Council
Acronyms
• ADFS: Active Directory Federated Services
• CADF: Cloud Auditing Data Federation
• CSA: Cloud Security Alliance
• CSCC: Cloud Standards Customers Council
• DMTF: Distributed Management Task Force
• ENISA: European Network and Information Security Agency
• GRC: Global Regulatory Compliance
• LDAP: Lightweight Directory Access Protocol
• NIST: National Institute of Standards and Technology
• NIST CC SRA: Cloud Computing Standard Reference Architecture
• SAML: Security Authorization Markup Language
• SCIM: System for Cross-domain Identity Management
• SLA: Service Level Agreement
• SLO: Service Level Objectives
• SSAE 16: Statement on Standards for Attestation Engagements (SSAE) No. 16
• XACML: eXtensible Access Control Markup Language
Cloud… where is the money?
Example recent news: Deutsche Bank signs 10-year multibillion-dollar IT deal with HP in Feb 2015.
Solution: HP Helion OpenStack based Cloud Services.
HP will provide computing capacity and data storage to host Deutsche's operations.
Deutsche will retain activities such as IT architecture and information security.
[Figure: Pareto Principle. Traditional Environment: 80% Infrastructure/Platform Management (Data Center, Server Resources, OS, Platforms), 20% Application Management / Business Focus. Cloud Environment: 20% Infrastructure/Platform Management (Cloud Resources), 80% Application Management / Business Focus (Innovations, Creativity, Agility).]
Cloud computing basics
NIST Definition: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.
Ref: NIST Cloud Computing Definition SP 800-145 http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
5 Essential Characteristics
• On-demand self-service
• Resource pooling
• Rapid elasticity
• Measured service
• Broad network access
3 Service Delivery Models
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
4 Deployment Models
• Public Cloud
• Private Cloud
• Community Cloud
• Hybrid Cloud
Essential Characteristics of Cloud Computing
On-Demand Self-Service: Authorized agencies must be able to provide and release capabilities, as needed, automatically, without requiring human interaction with each service provider.
Broad Network Access: Once provisioned, the software, platform, or infrastructure maintained by the cloud provider should be available over a network using thin or thick clients.
Resource Pooling: The resources provisioned from the cloud provider should be pooled to serve multiple agencies or programs using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to the agency's self-service demand.
Rapid Elasticity: Elasticity is defined as the ability to scale resources both up and down as needed. Cloud Computing capabilities should be rapidly and elastically provisioned and released.
Measured Service: Cloud resource usage should be monitored, controlled, and reported, providing transparency for both the provider and consumer of the service.
Ref: NIST Cloud Computing Definition SP 800-145 http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
Service Delivery Models
[Figure: the same stack (Storage, Servers, Networking, O/S, Middleware, Virtualization, Runtime, Data, Applications) shown four times, for Traditional (On Premise), Infrastructure (as a Service), Platform (as a Service) and Software (as a Service); each layer is marked Client Managed, Vendor Managed or Jointly Managed, with the client-managed share shrinking from Traditional to SaaS.]
Private vs. Public: Understanding the Trade-Offs
[Figure: Enterprise 1 and Enterprise 2 placed along two axes, Autonomy vs. Cost-Efficiency, across the five models below.]
No Cloud (Enterprise IT):
• Each enterprise division manages its own data center (or a subdivision)
• Exclusive local control of resources
• Internally borne costs and burdens of management
• High-cost overcapacity, low resource utilization
Private Cloud:
• Designated enterprise data center (or segment) managed centrally
• Data center resources shared by all divisions, protected by enterprise central controls
• Divisions of enterprise act as independent tenants
• Some elasticity of resources; good resource utilization; reduced cost of business
Virtual Private Cloud:
• Third-party data center providers (public cloud characteristic)
• Data center sharing is restricted to only the divisions of this enterprise (private cloud characteristic)
• Divisions of enterprise act as independent tenants (private cloud characteristic)
• Some elasticity; good resource utilization; low cost of business
Community Cloud:
• Consortium or a government scope data center (larger than private, but smaller than public)
• Members of the consortium or government agencies act as independent tenants
• Data center resources are shared by all members; consortium provides security, privacy and capacity
• Good elasticity of resources; high resource utilization; reduced cost of business
Public Cloud:
• Third-party data center providers
• Computing resources shared by independent enterprises (tenants), protected by third parties in cloud
• Maximum elasticity; maximum resource utilization; low cost of business
Workloads shifting to the Cloud
[Figure: workloads placed across Traditional IT, Private cloud and Public cloud.]
• Server capacity on demand
• Business apps (CRM, ERP)
• IT management
• Email
• Personal productivity apps
• Website creation & management
• Storage capacity on demand
• App dev. & test
• Tech. computing apps
• Data analysis and mining
• Custom apps
• Apps with sensitive data
• IT help desk
• Collaborative apps
• Data backup/archive svcs
Cloud computing complements traditional IT
Enterprise Architecture and Cloud Architecture
Business Architecture (What, Who, Why): Mission; Vision; Stakeholders; Operating Model & Processes; Value Chain Models; Metrics & Measures; Align Business Strategy to IT Strategy
Information Architecture (What, How): Data Models; Data Flows; Interface, Integration & Interoperability; Relevance to Business functions
Application Architecture (With what): Applications; Tools; Functions; Capabilities; Workflows
Technology & Infrastructure Architecture (With what): Servers; Software; Network; Storage; GRC, Legal, Security & Privacy; Data Center Sites
Service Delivery (How & How much): Deployment; Chargeback; Break fix; SLAs/SLOs; Operations & Management
Legend: Enterprise Architecture focus; Cloud Architecture focus (IaaS & PaaS)
Promise of Cloud Computing
Cloud will not necessarily help map IT to business but…
Cloud could enable:
• Economies of scale & improved resource utilization
• Reduced capital spending on technology infrastructure
• Lower barriers to entry for small businesses & lower start-up costs
• Usage based billing (pay as you go)
• Globalization of workforce
• Faster Deployment, Onboarding, Provisioning & De-provisioning
• Improved accessibility anytime & anywhere
• Improved transparency for Integration & flexibility
• Implementation of Chargebacks
• Improved Operations support & provision of SLAs / SLOs
• More predictable delivery of projects
• Reduced software licensing costs
Challenges & success factors…
• Legacy migration
• Integration & Interoperability
• Data & Applications Architecture
• Technology compatibility issues
• Security & Privacy risks
• Legal & Regulatory Compliance
• Management of Change
Cloud simplifies IT services, but realize there is a lot behind this
[Figure: Demand (Access devices), Delivery (Cloud services: SaaS, PaaS, IaaS, on a Cloud platform) and Supply, surrounded by Security management services, Identity & access management services, IT management services with security impact and an IT management framework.]
And make sure you understand security
[Figure: the Demand / Delivery / Supply view of the previous slide, with the security components of each block as listed below.]
Access devices: Malware protection; Network security; Client security; Data protection; Application security
Cloud services (SaaS, PaaS, IaaS): Application security; Secure SDLC; Instance security
Identity & access management services: Account management; Access control management; Authentication; Key management; Identity provisioning; Federation; Auditing
IT management services with security impact: Change management; Patch management; Configuration management; GRC; Capacity management; Availability management; Incident management; Virtualization management; Vulnerability management
Security management services: SIEM; Compliance management; Security service portal
IT management framework
Cloud platform security (application security, data protection and availability): Malware protection; Network security; Server security; Client security; Storage security; Data protection; Virtualization security; Platform availability; Security monitoring; Physical security
Secure Cloud Environment technologies & concepts
• Segmentation and Isolation
• Threat Detection and Mitigation
• Security Information & Event Management (SIEM) / Log Management
• Incident Response and Forensics
• Identity & Access Management
• Data Protection; Data & Information Security
• Secure Software Development
• Vulnerability Scanning and Patch Management
• Physical & Personnel Security
• Security Policy Management
• Endpoint Management
Cloud Models & Approaches
Ref: OpenNebula.org http://opennebula.org/eucalyptus-cloudstack-openstack-and-opennebula-a-tale-of-two-cloud-models/
Datacenter Virtualization: Cloud as an extension of virtualization in the datacenter; hence looking for a vCloud-like infrastructure automation tool to orchestrate and simplify the management of the virtualized resources.
Infrastructure Provision: Cloud as an AWS-like cloud on-premise; hence looking for a provisioning tool to supply virtualized resources on-demand.
Factors for choosing Cloud Models & Approaches (Datacenter Virtualization vs. Infrastructure Provision)
Applications
  Datacenter Virtualization: Multi-tiered applications defined in a traditional, "enterprise" way
  Infrastructure Provision: "Re-architected" applications to fit into the cloud paradigm
Interfaces
  Datacenter Virtualization: Feature-rich API and administration portal
  Infrastructure Provision: Simple cloud APIs and self-service portal
Management Capabilities
  Datacenter Virtualization: Complete life-cycle management of virtual and physical resources
  Infrastructure Provision: Simplified life-cycle management of virtual resources with abstraction of underlying infrastructure
Cloud Deployment
  Datacenter Virtualization: Mostly private
  Infrastructure Provision: Mostly public
Internal Design
  Datacenter Virtualization: Bottom-up design dictated by the management of datacenter complexity
  Infrastructure Provision: Top-down design dictated by the efficient implementation of cloud interfaces
Enterprise Capabilities
  Datacenter Virtualization: High availability, fault tolerance, replication, scheduling… provided by the cloud management platform
  Infrastructure Provision: Most of them built into the application, as in "design for failure"
Datacenter Integration
  Datacenter Virtualization: Easy to adapt to fit into any existing infrastructure environment to leverage IT investments
  Infrastructure Provision: Built on new, homogeneous commodity infrastructure
OpenStack introduction
Key Components:
• Compute (Nova)
• Image Service (Glance)
• Networking (Neutron)
• Object Storage (Swift)
• Block Storage (Cinder)
• Dashboard (Horizon)
• Identity Service (Keystone)
• Telemetry (Ceilometer)
• Orchestration (Heat)
• Database (Trove)
• Bare Metal Provisioning (Ironic)
• Multiple Tenant Cloud Messaging (Zaqar)
• Elastic Map Reduce (Sahara)
OpenStack Basic Deployment
[Figure: three deployment stages, growing from a minimal set of services (Identity, Library / Images, Compute, Network, Portal) to a fuller deployment that adds Block Storage, Object Storage, Database Services, Automation, a Message Broker, Metering and a Config Database.]
OpenStack Feature Releases
[Figure: release timeline (Nov 2010, Feb 2011, Apr 2011, Sep 2011, Apr 2012, Sep 2012, Apr 2013, Oct 2013, Apr 2014, Nov 2014) showing when Compute, Object Storage, Library / Images, Portal, Identity, Network, Block Storage, Automation, Metering, Database Services and Hadoop Cluster were added.]
Cloud Security Alliance TCI Reference Architecture
Legend: CSA: Cloud Security Alliance; TCI: Trusted Cloud Initiative
Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI_Whitepaper.pdf
Cloud Security Alliance TCI Reference Architecture
Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI_Whitepaper.pdf
SRM Services:
• Governance Risk and Compliance
• Information Security Management
• Privilege Management Infrastructure
• Threat and Vulnerability Management
• Infrastructure Protection Services
• Data Protection
• Policies and Standards
ITOS Services:
• IT Operations
• Service Delivery
• Service Support
• Incident Management
• Problem Management
• Knowledge Management
• Change Management
• Release Management
BOSS Services:
• Compliance
• Data Governance
• Operational Risk Management
• Human Resources Security
• Security Monitoring Services
• Legal Services
• Internal Investigation
Presentation Services:
• Presentation Modality
• Presentation Platform
Application Services:
• Development Process
• Security Knowledge Lifecycle
• Programming Interfaces
• Integration Middleware
• Connectivity & Delivery
• Abstraction
Infrastructure Services:
• Facility Services
• Servers
• Storage Services
• Network Services
• Availability Services
• Patch Management
• Equipment Maintenance
• Virtualization (Desktop, Storage, Server, Network)
Information Services:
• User Directory Services
• Security Monitoring Data Management
• Service Delivery Data Management
• Service Support Data Management
• Data Governance Data Management
• Risk Management Data Management
• ITOS Data Management
• BOSS Data Management
• Reporting Services
CSA Cloud Control Matrix CCM v3.0.1; 16 Domains
Source: https://cloudsecurityalliance.org/research/ccm/
Legend: CSA: Cloud Security Alliance; CCM: Cloud Control Matrix; (number of controls) for each Domain
1. AIS: Application & Interface Security (4)
2. AAC: Audit Assurance & Compliance (3)
3. BCR: Business Continuity Management & Operational Resilience (11)
4. CCC: Change Control & Configuration Management (5)
5. DSI: Data Security & Information Lifecycle Management (7)
6. DCS: Datacenter Security (9)
7. EKM: Encryption & Key Management (4)
8. GRM: Governance and Risk Management (11)
9. HRS: Human Resources (11)
10. IAM: Identity & Access Management (13)
11. IVS: Infrastructure & Virtualization Security (13)
12. IPY: Interoperability & Portability (5)
13. MOS: Mobile Security (20)
14. SEF: Security Incident Management, E-Discovery & Cloud Forensics (5)
15. STA: Supply Chain Management, Transparency and Accountability (9)
16. TVM: Threat and Vulnerability Management (3)
CSA Cloud Control Matrix CCM v3.0.1; 133 Controls
Application & Interface Security (AIS)
• AIS-01: Application Security
• AIS-02: Customer Access Requirements
• AIS-03: Data Integrity
• AIS-04: Data Security / Integrity
Audit Assurance & Compliance (AAC)
• AAC-01: Audit Planning
• AAC-02: Independent Audits
• AAC-03: Information System Regulatory Mapping
Business Continuity Management & Operational Resilience (BCR)
• BCR-01: Business Continuity Planning
• BCR-02: Business Continuity Testing
• BCR-03: Datacenter Utilities / Environmental Conditions
• BCR-04: Documentation
• BCR-05: Environmental Risks
• BCR-06: Equipment Location
• BCR-07: Equipment Maintenance
• BCR-08: Equipment Power Failures
• BCR-09: Impact Analysis
• BCR-10: Policy
• BCR-11: Retention Policy
Change Control & Configuration Management (CCC)
• CCC-01: New Development / Acquisition
• CCC-02: Outsourced Development
• CCC-03: Quality Testing
• CCC-04: Unauthorized Software Installations
• CCC-05: Production Changes
Data Security & Information Lifecycle Management (DSI)
• DSI-01: Classification
• DSI-02: Data Inventory / Flows
• DSI-03: eCommerce Transactions
• DSI-04: Handling / Labeling / Security Policy
• DSI-05: Non-Production Data
• DSI-06: Ownership / Stewardship
• DSI-07: Secure Disposal
Source: https://cloudsecurityalliance.org/research/ccm/
CSA Cloud Control Matrix CCM v3.0.1; 133 Controls
Datacenter Security (DCS)
• DCS-01: Asset Management
• DCS-02: Controlled Access Points
• DCS-03: Equipment Identification
• DCS-04: Off-Site Authorization
• DCS-05: Off-Site Equipment
• DCS-06: Policy
• DCS-07: Secure Area Authorization
• DCS-08: Unauthorized Persons Entry
• DCS-09: User Access
Encryption & Key Management (EKM)
• EKM-01: Entitlement
• EKM-02: Key Generation
• EKM-03: Sensitive Data Protection
• EKM-04: Storage and Access
Governance and Risk Management (GRM)
• GRM-01: Baseline Requirements
• GRM-02: Data Focus Risk Assessments
• GRM-03: Management Oversight
• GRM-04: Management Program
• GRM-05: Management Support/Involvement
• GRM-06: Policy
• GRM-07: Policy Enforcement
• GRM-08: Policy Impact on Risk Assessments
• GRM-09: Policy Reviews
• GRM-10: Risk Assessments
• GRM-11: Risk Management Framework
Source: https://cloudsecurityalliance.org/research/ccm/
CSA Cloud Control Matrix CCM v3.0.1; 133 Controls
Human Resources (HRS)
• HRS-01: Asset Returns
• HRS-02: Background Screening
• HRS-03: Employment Agreements
• HRS-04: Employment Termination
• HRS-05: Mobile Device Management
• HRS-06: Non-Disclosure Agreements
• HRS-07: Roles / Responsibilities
• HRS-08: Technology Acceptable Use
• HRS-09: Training / Awareness
• HRS-10: User Responsibility
• HRS-11: Workspace
Identity & Access Management (IAM)
• IAM-01: Audit Tools Access
• IAM-02: Credential Lifecycle / Provision Management
• IAM-03: Diagnostic / Configuration Ports Access
• IAM-04: Policies and Procedures
• IAM-05: Segregation of Duties
• IAM-06: Source Code Access Restriction
• IAM-07: Third Party Access
• IAM-08: Trusted Sources
• IAM-09: User Access Authorization
• IAM-10: User Access Reviews
• IAM-11: User Access Revocation
• IAM-12: User ID Credentials
• IAM-13: Utility Programs Access
Source: https://cloudsecurityalliance.org/research/ccm/
CSA Cloud Control Matrix CCM v3.0.1; 133 Controls
Infrastructure & Virtualization Security (IVS)
• IVS-01: Audit Logging / Intrusion Detection
• IVS-02: Change Detection
• IVS-03: Clock Synchronization
• IVS-04: Information System Documentation
• IVS-05: Management - Vulnerability Management
• IVS-06: Network Security
• IVS-07: OS Hardening and Base Controls
• IVS-08: Production / Non-Production Environments
• IVS-09: Segmentation
• IVS-10: VM Security - vMotion Data Protection
• IVS-11: VMM Security - Hypervisor Hardening
• IVS-12: Wireless Security
• IVS-13: Network Architecture
Interoperability & Portability (IPY)
• IPY-01: APIs
• IPY-02: Data Request
• IPY-03: Policy & Legal
• IPY-04: Standardized Network Protocols
• IPY-05: Virtualization
Mobility Security (MOS)
• MOS-01: Anti-Malware
• MOS-02: Application Stores
• MOS-03: Approved Applications
• MOS-04: Approved Software for BYOD
• MOS-05: Awareness and Training
• MOS-06: Cloud Based Services
• MOS-07: Compatibility
• MOS-08: Device Eligibility
• MOS-09: Device Inventory
• MOS-10: Device Management
• MOS-11: Encryption
• MOS-12: Jailbreaking and Rooting
• MOS-13: Legal
• MOS-14: Lockout Screen
• MOS-15: Operating Systems
• MOS-16: Passwords
• MOS-17: Policy
• MOS-18: Remote Wipe
• MOS-19: Security Patches
• MOS-20: Users
Source: https://cloudsecurityalliance.org/research/ccm/
CSA Cloud Control Matrix CCM v3.0.1; 133 Controls
Security Incident Management, E-Discovery & Cloud Forensics (SEF)
• SEF-01: Contact / Authority Maintenance
• SEF-02: Incident Management
• SEF-03: Incident Reporting
• SEF-04: Incident Response Legal Preparation
• SEF-05: Incident Response Metrics
Supply Chain Management, Transparency and Accountability (STA)
• STA-01: Data Quality and Integrity
• STA-02: Incident Reporting
• STA-03: Network / Infrastructure Services
• STA-04: Provider Internal Assessments
• STA-05: Supply Chain Agreements
• STA-06: Supply Chain Governance Reviews
• STA-07: Supply Chain Metrics
• STA-08: Third Party Assessment
• STA-09: Third Party Audits
Threat and Vulnerability Management (TVM)
• TVM-01: Anti-Virus / Malicious Software
• TVM-02: Vulnerability / Patch Management
• TVM-03: Mobile Code
Source: https://cloudsecurityalliance.org/research/ccm/
DMTF Cloud Auditing Data Federation (CADF) Standard
Defines a full event model anyone can use to fill in the essential data needed to certify, self-manage and self-audit application security in cloud environments. CADF is part of the DMTF's Cloud Management Initiative.
Auditing using a standard such as CADF has many benefits:
• Create and request customized views for Audit & Compliance data
• Track regional, industry and corporate policy compliance using standardized APIs / Reports
• Key event data is normalized and categorized to support auditing of hybrid Cloud applications
• CADF assures consistent mappings across cloud components and cloud providers
• Format is agnostic to the underlying provider infrastructure
• Provides transparency for low-level operational processes
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Customer Benefits:
• Ability to self-manage auditing of their data
• Similar reports from different Cloud service providers
• Aggregate audit data from different Clouds / Partners
• Auditing processes & tools unchanged
Cloud Auditing Data aggregated from multiple sources
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
[Figure: Company A's Hybrid Applications run on Cloud Provider P1 and Cloud Provider P2. Standard APIs for requesting Audit Data return Standard Audit Data (Logs and Reports); Company A aggregates the audit data from its Hybrid Applications into its OSS/BSS Processes and makes it available to Company A's Auditor.]
OSS: Operational Support Services
BSS: Business Support Services
CADF Taxonomy
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Includes:
• Resources, by the role played in the event, ex: Initiator, Target, Observer.
• Actions, used to classify the event by the activity that caused it to be generated.
• Outcomes, used to describe the outcome of the attempted action of the event.
CADF Event Model: Basic and conditional model components
Model Component: CADF Definition
OBSERVER: The RESOURCE that generates the CADF Event Record based on its observation (directly or indirectly) of the Actual Event.
INITIATOR: The RESOURCE that initiated, originated, or instigated the event's ACTION, according to the OBSERVER.
ACTION: The operation or activity the INITIATOR has performed, attempted to perform or has pending against the event's TARGET, according to the OBSERVER.
TARGET: The RESOURCE against which the ACTION of a CADF Event Record was performed, was attempted, or is pending, according to the OBSERVER. NOTE: A TARGET (in the CADF Event Model) can represent a plurality of target resources.
OUTCOME: The result or status of the ACTION against the TARGET, according to the OBSERVER.
CADF Event Model and REPORTERCHAIN construction
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
[Figure: CADF Event Model, basic and conditional model components; example of REPORTERCHAIN construction.]
CADF 7 essential W's of auditing and monitoring
Source: http://dmtf.org/sites/default/files/standards/documents/DSP2038_1.0.0.pdf
CADF Event Model: Basic and conditional model components
CADF Event Model and its components:
• Work for any Activity, Monitoring or Control event
• Provide guidance on how to record Basic, Detailed or Precise information for each component
1. What: What activity occurred? What was the result? event.action, event.outcome, event.type (activity, monitoring, control), event.reason (ex: security, reason code, policy id)
2. When: When did the action happen? When was it observed? How long did it take? ISO 8601 transaction timestamps: event.eventTime, reporter.timestamp, event.duration
3. Who: Who (user/service) initiated the Action? initiator.id; initiator.type; initiator.id (id, name); initiator.credential; initiator.credential.assertions
4. Where: Where was the Action observed, reported or modified? What role does the event serve? How was it recorded? observer.id, observer.type, reporterstep.role, reporterstep.reporterTime
5. On What: On what resource did the Activity target? target.id
6. From Where: From where was the Action initiated? May include logical/physical addresses and ISO 6709:2008 precise geolocations. initiator.addresses, initiator.host, initiator.geolocation
7. To Where: To where was the Action targeted? Can be as simple as an IP address or server name. target.addresses, target.host, target.geolocation
Legend: Italics are optional properties
CADF Resource Top-level Taxonomy hierarchy
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name: Description
storage: Logical resources that represent storage containers.
compute: Logical resources that are used to perform logical operations or calculations on data.
network: Logical resources that interconnect computer systems, terminals, and other equipment allowing information to be exchanged.
data: Logical named sets of information (objectified data) that are referenced and managed by services.
service: Logical set of operations, packaged into a single entity, that provides access to and management of cloud resources (for a given domain).
system: Logical resources that are a combination of several other [cloud] resources that operate as a functional whole, this combination being manageable (created, operated, audited, etc.) as a unit, i.e., offering some operations that could activate lower-level operations over each of the subresources.
unknown: This resource indicates that the OBSERVER of the event is not, to the best of its ability, able to classify a resource that contributed to the actual event it is reporting on using any other valid resource taxonomy value.
CADF Resource Taxonomy - Storage subtree
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name: Description
node: Logical resource that contains the necessary processing components to store data.
volume: Logical unit of persistent data storage that may or may not be physically removable from the computer or storage system.
memory: Logical unit of data storage that is used for dynamically processing data.
container: Logical unit of storage where data objects are deposited and organized for persistent storage.
directory: Logical storage used to organize records about resources (e.g., files, subscribers, etc.) along with their locations and other metadata. Typically, these records are organized in a hierarchical structure.
database: Logical storage used to organize data to a model (schema) that reflects relevant aspects of a specific real-world application.
queue: Logical storage of a list of data waiting to be processed.
CADF Resource Taxonomy - Compute subtree
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name: Description
node: Logical resource that contains the necessary processing components to execute a workload.
cpu: Logical resource that represents a unit of processing power that can consume a workload.
machine: Logical resource that encapsulates both CPU and Memory.
process: An instance of a granular workload, such as an application or service, that is being executed.
thread: A separable function of a running process that shares its virtual address space and system resources.
CADF Resource Taxonomy - Network subtree
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name: Description
node: A logical resource that can be networked and can provide services on data from network connections. A node may export zero or more endpoints (zero implies it has not been provisioned).
host: A network node that can perform operations or calculations on data.
connection: A single network interaction involving two or more endpoints (sources and destinations).
domain: Represents a logical grouping of networked resources.
cluster: Represents a logical combination of tightly coupled network resources.
CADF Resource Taxonomy - Service subtree
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name: Description
bss: Business Support Services (BSS). The logical classification grouping for services that are identified to support business activities.
composition: The logical classification grouping for services that supports the compositing of independent services into a new service offering.
compute: Infrastructure services for managing computing (fabric).
database: Database Services (or DB-as-a-Service). Database services that permit substitutability to various provider implementations.
image: Infrastructure services for managing virtual machine images and associated metadata.
network: Infrastructure services for managing networking (fabric).
oss: Operational Support Services (OSS). The logical classification grouping for services that are identified to support operations including communication, control, analysis, etc.
security: Security Services (or Sec-as-a-Service). The logical classification grouping for security services including Identity Mgmt., Policy Mgmt., Authentication, Authorization, Access Mgmt., etc. (a.k.a. "Security-as-a-Service")
storage: Infrastructure services for managing storage (fabric).
storage/block: Infrastructure services for managing Block storage.
storage/object: Infrastructure services for managing Object storage.
CADF Resource Taxonomy Composition, OSS & BSS subtree
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name Description
bss\billing Business services to manage different types of charges for cloud-based resources relevant to a given customer.
bss\location Business services to manage the location, physical or virtual, of cloud-based resources as well as clients (e.g., mobile devices).
bss\metering Business Services to manage the measurement of cloud-based resources (e.g., utilization, transactions, performance, etc.), often to determine how to bill for service usage.
composition\orchestration Composition services that automate the management of complex applications, services, platforms and/or infrastructures to align them to fulfill business and service agreements and operational policies.
composition\workflow Composition services that sequence connected steps that support management of a document (e.g., transaction, order, service template, etc.) through a complex system of applications, services, platforms and/or infrastructures.
oss\capacity Operational services that ensure that the resource capacity allocated to an application (including compute, storage and networking resources) matches its current utilization.
oss\configuration Operational services that manage and monitor configuration changes on applications to avoid incompatibilities that can result in reduced performance or compliance failures.
oss\logging Operational services that capture or record information and identifying data about actions that occur in a system. This includes data that could be, or contribute to, auditable event records.
oss\monitoring Operational services that monitor to ensure the availability of services and that they are provided in accordance with the terms of Service Level Agreements (SLAs).
oss\virtualization Operational services that manage virtualization of ‘compute’, ‘storage’, and ‘network’ infrastructure.
bss\crm Customer Relationship Mgmt. (CRM) Services (example extension of the “bss” classification)
bss\erp Enterprise Risk Mgmt. (ERM) Services (example extension of the “bss” classification)
bss\srm Service Request Mgmt. (SRM) Services (example extension of the “bss” classification)
40
CADF Resource Taxonomy - Data subtree (1 of 2)
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name Description
catalog A data resource used to register resources along with information or metadata about them and perhaps provide links to them.
config A data resource that contains information such as settings and parameters that could be used for configuring a resource (or parts of it).
directory The parent classification for all directory related data objects.
file A logical block of data for storing information in a filesystem, which is available to computer programs
image A readily usable or processable set of data that can be easily transferred between processing domains.
log A data resource used to record events from automated computer programs. Typically used to provide an audit trail that can be used to understand the activity of a system and to diagnose problems.
message A block of information that is transmitted over a connection between networked endpoints.
message/stream A continuous message or series of messages between networked endpoints.
module A portion of a program typically aligned with a specific functional set.
package A wrapped collection of files and data, along with metadata, meaningful to the processing domain that will utilize it.
41
CADF Resource Taxonomy - Data subtree (2 of 2)
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name Description
report A data resource that contains one or more event records that are compiled with other auditing information in response to some step within an auditing process.
template A data resource that serves as a pattern, stencil, or gauge for instantiating a new resource or set of resources. For example, a template that describes the topology and relationships of an application’s services and its network to a cloud provider for deployment and management.
workload A set of data that represents the amount of work that computational nodes can consume at a given time.
workload/application A workload that performs a wide range of operations, some of which may be exported as services.
workload/service A workload that performs a single or a few specialized operations. See A.2.10 when specific services are described in events apart from generic management as compute workloads.
database (obj) The parent classification for all database-related data objects. See clause A.2.13 ("Database (data object) subtree classifications"), which shows the full set of database-related classifications.
security (obj) The parent classification for all security-related data objects. See clause A.2.12 ("Security (data objects) subtree classifications"), which shows the full set of security-related classifications.
42
CADF Resource Taxonomy - Security subtree
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name Description
account Represents a business agreement for providing regular services between a provider and consumer.
acc/user An account representing a person assigned access to use cloud resources or applications.
acc/admin An account representing a person assigned administrative access to resources.
credential Represents security data that is transferred to establish a claimed identity. [SAML Gloss]
group Represents named groups to which users or roles can be assigned that carries access rights or entitlements its members inherit.
identity Represents the essence of an entity (e.g., a user or service) and may describe the entity’s characteristics and properties.
key A secret token used to protect data, typically through signing or encryption. The key (or its public variant) can be provided to one or more parties to enable access to the protected data.
license Represents an authorization or permission to do something on, or with, somebody else’s resources.
policy Represents security data that contains rules and procedures that regulate resources within a system.
profile Represents security data that defines extended rules, constraints or properties that apply to particular domains.
role Represents named jobs or functions users may be assigned. A role may carry access rights and entitlements that users inherit from being assigned to that role.
node Represents a network node (e.g., router, server, etc.) acting with some (perceived) credential or authority to perform some action against another resource. This would be used if limited information is known to the event's observer (e.g., perhaps only an endpoint address is known).
43
CADF Resource Taxonomy - Database subtree
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name Description
alias An alias is an alternative name for an object such as a table, a view or another alias. It can be used to reference an object wherever that object can be referenced directly.
index A set of pointers that are logically ordered by the values of one or more keys. They are typically used to improve performance and ensure key uniqueness.
instance A logical representation of the structures, memory and storage used to realize a database, its objects and data.
key A property used to identify data stored in a database table. Typically, each table has a primary key that uniquely identifies records.
routine An executable database object that performs operations on other database objects.
schema A collection of named objects that are grouped logically. A schema is also a name qualifier; it provides a way to use the same natural name for several objects, and to prevent ambiguous references to those objects.
sequence A stored object that simply generates a sequence of numbers in a monotonically ascending (or descending) order. Sequences provide a way to have the database manager automatically generate unique keys and to coordinate keys across multiple rows and tables.
table A logical structure made up of columns and rows. At the intersection of every column and row is a specific data item called a value. There is no inherent order of the rows within a table.
view An alternative way of looking at the data in one or more tables.
44
CADF Action Taxonomy hierarchy (1 of 3)
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name Description
create The target resource described in the event was created (or an attempt was made to do so) by the initiator resource.
read Data was read from the target resource by the initiating resource (or an attempt was made to do so).
update One or more of the target resource's properties were modified or changed by the initiator resource.
delete The target resource described in the event was deleted (or an attempt was made to do so) by the initiator resource.
monitor The target resource is the subject of a monitoring action from the initiating resource.
backup The target resource described in the event is being persisted to storage without regard to environment, context, or state at the time of storage.
capture The target resource described in the event is being persisted to storage along with relevant environment and state information (e.g., program settings, network state, memory/cache, etc.). Conceptually, a “snapshot” of the resource is being captured at a moment in time.
configure The target resource described in the event is being set-up to enable it to run on a particular environment or for a particular application or use.
deploy The target resource is being positioned or made available for use by the initiator resource, but is not yet started.
Legend (row grouping on the slide): General Resource Mgmt; Monitoring; Workload & Data Mgmt
45
CADF Action Taxonomy hierarchy (2 of 3)
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name Description
disable The initiator resource is causing the target resource [that has been started] to disallow or block some set of functions.
enable The target resource (that has been started) is being changed by the initiator resource to allow or permit some set of functions.
restore The initiator is requesting the target resource (or some portion of it) be restored from persistent storage.
start The target resource is being made functional by the initiator resource and able to perform or execute operations.
stop The initiator resource is causing the target resource to no longer be functional or able to perform or execute operations.
undeploy The initiator resource is causing the target resource to no longer be positioned or available for use.
receive The initiator resource is receiving a message or data from the target resource. Note that this is a separate action from any action the receiver performs based upon the content of the message or with the data.
send The initiator resource is transmitting a message or data to the target resource. Note that this is a separate action from that of "creating" the message.
Legend (row grouping on the slide): Messaging; Workload & Data Mgmt
46
CADF Action Taxonomy hierarchy (3 of 3)
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name Description
authenticate The initiator resource is causing the target resource [that has been started] to disallow or block some set of functions.
login An extension of the authenticate action.
renew A security request from the initiator resource to renew a resource’s identity, credentials, or related attributes or privileges sent to the target resource (an authority).
revoke A security request from the initiator resource to remove entitlements or privileges from a resource’s identity and/or credentials sent to the target resource (an authority).
allow Indicates that the initiating resource has allowed access to the target resource.
deny Indicates that the initiating resource has denied access to the target resource.
evaluate Indicates the evaluation or application of a policy, rule, or algorithm to a set of inputs.
notify Indicates that the initiating resource has sent a notification based on some policy or algorithm application – perhaps it has generated an alert to indicate a system problem.
unknown Indicates that the OBSERVER of the event is not, to the best of its ability, able to classify the exact action for the actual event it is reporting using any other valid action taxonomy value.
Legend (row grouping on the slide): Security, Policy, Access Control; Security Identity
47
CADF Outcome Taxonomy hierarchy
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Value Description
success The attempted action completed successfully with the expected results.
failure The attempted action failed due to some form of operational system failure or because the action was denied, blocked or refused in some way.
unknown The outcome of the attempted action is unknown and it is not expected that it will ever be known.
pending The outcome of the attempted action is unknown, but it is expected that it will be known at some point in the future. A future event correlated with the current event may provide additional detail.
48
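The resource, action and outcome taxonomies above are the vocabulary every CADF event record is built from. The Python below is an added example (not code from this deck or from DMTF) that assembles one activity event, checks it against those vocabularies, and counts failed authentications per initiator, which is the kind of check an audit consumer such as the Ceilometer pipeline would run; the event property names, the event typeURI, the "/" path separator in resource typeURIs and all sample ids are assumptions, taken from DSP0262 1.0.0 or constructed here.

```python
import re
import uuid
from collections import Counter
from datetime import datetime, timezone

# Property names and the event typeURI are assumed from DSP0262 1.0.0; the
# taxonomy values below are the ones the slides list.
EVENT_TYPEURI = "http://schemas.dmtf.org/cloud/audit/1.0/event"
ACTIONS = {
    "create", "read", "update", "delete", "monitor", "backup", "capture",
    "configure", "deploy", "disable", "enable", "restore", "start", "stop",
    "undeploy", "receive", "send", "authenticate", "authenticate/login",
    "renew", "revoke", "allow", "deny", "evaluate", "notify", "unknown",
}
OUTCOMES = {"success", "failure", "unknown", "pending"}
# Resource typeURIs in root/path form; "/" separator assumed (slides print bss\billing). Subset only.
RESOURCES = {
    "network/node", "network/host", "network/connection", "service/compute",
    "service/bss/billing", "service/oss/logging", "service/security",
    "service/storage/block", "service/storage/object", "data/config",
    "data/log", "data/report", "data/security/account/user",
    "data/security/account/admin", "data/security/credential", "data/security/key",
}
REQUIRED = ("typeURI", "eventType", "id", "eventTime", "action", "outcome",
            "initiator", "target", "observer")
TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")


def make_event(action, outcome, initiator, target, observer, when=None):
    """Assemble one activity event; resources are dicts with id and typeURI."""
    when = when or datetime.now(timezone.utc)
    return {
        "typeURI": EVENT_TYPEURI,
        "eventType": "activity",
        "id": f"urn:uuid:{uuid.uuid4()}",  # assumed id scheme (spec wants a URI)
        "eventTime": when.isoformat().replace("+00:00", "Z"),
        "action": action,
        "outcome": outcome,
        "initiator": initiator,
        "target": target,
        "observer": observer,
    }


def validate_event(event):
    """Return a list of problems; an empty list means the record is well formed."""
    problems = [f"missing {key}" for key in REQUIRED if key not in event]
    if problems:
        return problems
    if event["typeURI"] != EVENT_TYPEURI:
        problems.append("typeURI is not the CADF event typeURI")
    if event["action"] not in ACTIONS:
        problems.append(f"action {event['action']!r} not in taxonomy")
    if event["outcome"] not in OUTCOMES:
        problems.append(f"outcome {event['outcome']!r} not in taxonomy")
    if not TIME_RE.match(event["eventTime"]):
        problems.append("eventTime is not ISO 8601 with a time zone")
    for role in ("initiator", "target", "observer"):
        res = event[role]
        if not isinstance(res, dict) or not {"id", "typeURI"}.issubset(res):
            problems.append(f"{role} needs id and typeURI")
        elif res["typeURI"] not in RESOURCES:
            problems.append(f"{role} typeURI {res['typeURI']!r} not in taxonomy")
    return problems


def failed_auth_by_initiator(events):
    """Count failed authenticate/login events per initiator id (a SOC-side check)."""
    hits = Counter()
    for ev in events:
        if ev["action"].startswith("authenticate") and ev["outcome"] == "failure":
            hits[ev["initiator"]["id"]] += 1
    return hits
```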
10 Steps to Manage Cloud Security (focus areas, standards, certifications)
Step 1: Ensure effective governance, risks & compliance
Standards:
• ISO 38500 (IT Governance)
• COBIT
• ITIL (ISO 27002)
• ISO 20000-7 & ISO 20000-11 (in devl)
• SSAE 16
• PCI-DSS
Certifications:
• ISO 27002 (ISO 27017)
• SSAE 16
• HIPAA
• PCI-DSS
• FedRAMP
• FISMA
Step 2: Audit operational and business processes
Standards:
• DMTF Cloud Auditing Data Federation (CADF)
Certifications:
• ISO 27002 (ISO 27017)
• SSAE 16
Step 3: Manage people, roles and identities
Standards:
• ISO 27002
• IAM: Kerberos, LDAP, SAML 2.0, OAuth 2.0, WS-Federation, OpenID Connect
• SCIM
• Active Directory Federated Services (ADFS)
• XACML
• PKCS, X.509, OpenPGP
Certifications:
• ISO 27002 (ISO 27017)
Step 4: Ensure proper protection of data & information
Standards:
• ISO 27002 / 27017 (in devl)
• Data in motion: HTTPS, SFTP, VPC using IPSec or SSL
• US FIPS 140-2
• OASIS KMIP
Certifications:
• ISO 27002 (ISO 27017)
Ref: Cloud Standards Customer Council URL: http://www.cloud-council.org/Cloud_Security_Standards_Landscape_Final.pdf
49
10 Steps to Manage Cloud Security (continued)
Step 5: Enforce privacy policies
Standards:
• Personally Identifiable Information (PII)
• U.S.-EU Safe Harbor framework
• ISO 27018 (in devl)
Certifications:
• TRUSTe Safe Harbor certification seal program
• ISO 27018 (in devl)
Step 6: Assess the security provisions for cloud apps
Standards:
• NIST Guidelines on Firewalls and Firewall Policy
• Open Web Application Security Project (OWASP)
• OVF 2.0 & OASIS TOSCA
Certifications:
• ISO 27002 (ISO 27017)
Step 7: Ensure cloud networks and connections are secure
Standards:
• ISO 27001 & 27002
• ISO/IEC 27033-1/2/3
• FISMA (FIPS 199 & 200)
• OpenFlow, TM Forum Frameworx, NIST SP 800-53
Certifications:
• ISO 27002 (ISO 27017)
Step 8: Evaluate security controls on physical infrastructure & facilities
Standards:
• ISO 27002
• ISO 27017 & 18 (in devl)
Certifications:
• ISO 27002 (ISO 27017)
Step 9: Manage security terms in the cloud SLA
Standards:
• CSCC Practical Guide to SLA
• ISO 27004, NIST SP 800-55
• CIS Consensus Security Metrics
• ENISA
Certifications:
• ISO 27002 (ISO 27017)
• SSAE 16 (financial)
Step 10: Understand the security requirements of exit process
Standards:
• None; ISO SC38 WG3 (future)
Certifications:
• None
Ref: Cloud Standards Customer Council URL: http://www.cloud-council.org/Cloud_Security_Standards_Landscape_Final.pdf
50
References
• Cloud Standards Customer Council (CSCC) Cloud Security Standards
• Cloud Auditing Data Federation
• NIST Cloud Computing Standards Roadmap
• Detailed CSA TCI Reference Architecture
• Payment Card Industry (PCI) Data Security Standards (DSS) Guidelines
• OpenStack wiki
• OpenStack Main Page
• OpenStack Developers Guides
• Cloud Audit Data Federation - OpenStack Profile
• Cloud Auditing Data Federation (CADF) - 5 Data Format and Interface Definitions Specification (DSP0262_1.0.0)
• CADF Event Model and Taxonomies
• NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
51
References & Credits
52
Conclusion
• The world is becoming more digital
• Cloud is all about services and service delivery
• The cloud is only worth the services it delivers
• Cloud is all about a hybrid world
Thank you
[email protected]@gmail.com
240.506.2305
linkedin.com/in/sukumarnayak/
54
Backup
55
Cloud expected benefits and trade-offs
Expected Benefits:
• Economies of Scale
• Multi-Tenancy
• Capacity Utilization
• “Zero” capex model
• Long term Total Cost of Ownership for IT Services
• Lower barriers to entry for new business models which were constrained by the IT resources in the past
• Allows Businesses to focus more on their core competencies
• Speed and Flexibility of business Changes
• On Demand self service
• Automation
• Standardization
• Elasticity
• Pay per Use Model
• Reduced time to market
• Efficiency in global communication and collaboration
Potential risks & trade-offs:
• Security, Privacy, and Data Confidentiality
• Loss of Control & Governance
• Vendor Lock-in
• Management Interface Compromise
• Incomplete or Insecure Data Deletion, Data Protection
• Malicious Insider & Investigative Support
• Segmentation or Isolation Failure
• Availability, Reliability, Speed, Cost
• Learning Curve
• Quality of support
• Change in organization culture
• Interoperability Standards; Portability for Legacy IT in Clouds
• Shift in Liability
• Regulatory Compliance
• Transparent Infrastructure Scalability
• Application Deployment Mechanisms
• Economic Modeling of new Market
56
OpenStack Feature Releases
Release Date Projects
Austin Nov 2010 Nova and Swift
Bexar Feb 2011 Nova, Swift, and Glance
Cactus Apr 2011 Nova, Swift, and Glance
Diablo Sep 2011 Nova, Swift, and Glance
Essex Apr 2012 Nova, Swift, Glance, Horizon, and Keystone
Folsom Sep 2012 Nova, Swift, Glance, Horizon, and Keystone
Grizzly Apr 2013 Nova, Swift, Glance, Horizon, and Keystone
Havana Oct 2013 Nova, Swift, Glance, Horizon, Keystone, Heat, Ceilometer, Neutron, and Cinder
Icehouse Apr 2014 Nova, Swift, Glance, Horizon, Keystone, Heat, Ceilometer, Neutron, Cinder, and Trove
Juno Nov 2014 Nova, Swift, Glance, Horizon, Keystone, Heat, Ceilometer, Neutron, Cinder, Trove, and Sahara
Kilo Apr 2015 TBD
57
NIST CC Security Reference Architecture
(Diagram; labels only.) Actors: Cloud Consumer, Cloud Provider, Cloud Carrier, Cloud Auditor, Cloud Broker
Cloud Provider: Service Layer (SaaS, PaaS, IaaS); Resource Abstraction and Control Layer; Physical Resource Layer (Hardware, Facility); Cloud Orchestration; Cloud Service Management (Business Support, Provisioning/Configuration, Portability/Interoperability); Cross Cutting Concerns: Security, Privacy, etc.
Cloud Auditor: Security Audit, Privacy Impact Audit, Performance Audit
Cloud Broker: Service Intermediation, Service Aggregation, Service Arbitrage
58
NIST CC Security Reference Architecture
59
Cloud Security Alliance TCI Reference Architecture
Legend: CSA: Cloud Security Alliance; TCI: Trusted Cloud Initiative
Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI-Reference-Architecture-v1.1.pdf
60
Planning Guide for Infrastructure as a Service (IaaS)
Source: http://blogs.technet.com/b/privatecloud/archive/2012/04/05/planning-guide-for-infrastructure-as-a-service-iaas.aspx
61
Cloud Computing Audit Checklist
Ref Book: Auditing Cloud Computing: A Security and Privacy Guide by Ben Halpert and Jeff Fenton
Source: http://onlinelibrary.wiley.com/doi/10.1002/9781118269091.app1/pdf
• Cloud-Based IT Audit Process (11)
• Cloud-Based IT Governance (4)
• System and Infrastructure Life Cycle Management for the Cloud (3)
• Cloud-Based IT Service Delivery and Support (5)
• Protection and Privacy of Information Assets in the Cloud (5)
• Business Continuity and Disaster Recovery (4)
• Global Regulation and Cloud Computing (5)
• Cloud Morphing: Shaping the Future of Cloud Computing Security and Audit (4)
62
Cloud Security’s Split Responsibilities
Source: http://interconnectgo.com/wp-content/uploads/2015/01/Cloud-Cloud-Security-White-Paper.pdf
63
How the Audit Filter Pushes Audit Events to Ceilometer
Source: https://wiki.openstack.org/w/images/e/e1/Introduction_to_Cloud_Auditing_using_CADF_Event_Model_and_Taxonomy_2013-10-22.pdf
64
CADF API Auditing with Ceilometer - How it works…
Source: https://wiki.openstack.org/w/images/e/e1/Introduction_to_Cloud_Auditing_using_CADF_Event_Model_and_Taxonomy_2013-10-22.pdf
65
Audit approaches
• Standardized/automated format: Security Content Automation Protocol (SCAP), CloudTrust, …
• Audit and assurance initiatives
• Questionnaire (cloud specific): CloudAudit, ENISA AF, ISACA, …
• Non-cloud specific: ISO 27001, FISMA, PCI, NIST 800-53, …