Ian Graham (PDF)

Security in the Cloud: Embracing the Technology While Minimizing Risk

                           For Conference Purposes Only
Today’s Discussion

  Virtualization and Cloud Technology

  Security and Compliance

  Panelist Q&A

Benefits of Virtualization and Cloud Technology

Better…
  Resource Utilization: Physical, Environmental, Space
  Host Consistency: Application, Operating System
  Load Distribution: Dynamic Resources, Long Distance

Rapid…
  Host creation
  Environment creation: Development/Test, Prototyping/Sandbox
  Backup/Restoration

Other…
  Standardize system maintenance
  Can lower licensing costs
  Additional security

Adoption Challenges

 Systems Management
   Tools and techniques
 Business Management
   Project or program focused
   Internal or customer based
 Financial Management
   Project or program focused
   Liability driven
 Technical Management
   Support focused
   Internal IT organization
   Customer service driven

 Security and Compliance

Security and Compliance – The Problem/Challenge

 Traditional security technology, process, and training will not secure this environment
 Data security in a multitenant environment
 Making security measurable
 Assuring compliance

  “The key element to managing an information security program is information – about agencies’ security postures, activities and threats. Agencies need to be able to continuously monitor security-related information from across the enterprise in a manageable and actionable way.”
   - Vivek Kundra, Federal Chief Information Officer (CIO)

Security and Compliance –
Areas of Concern

 Inventory Management
 Access Control
 Vulnerability Management
 Change Management
 Configuration Management
 Incident Response

Governance and Policy

Technology
  VLAN and other Layer 1-4 management issues
  JBOD, SAN, NAS
  Identity Management
  Host resource distribution
  Host connectivity: Database, Middleware, Application Server,
  PKI, DSS, SSL, Session state, etc.

Compliance
  FISMA / FIPS
  DIACAP
  DISA STIGs
  CobIT / ITIL
  HIPAA, PCI, etc.
  ISO/IEC 17799 / 27002
  Special Publications (800 Series)
  OMB A-130
  HSPD-7 and 12
  Data Retention Policies

Virtualization exponentially increases the complexity and demands on all traditional IT services, thereby complicating the C&A process.

About Our Panelists

 Herb Goodfellow Jr.
   Guident Security Practice Manager
   More than 20 years of experience designing secure enterprise systems for Federal and large corporate clients
   Delivered large scale real time biometric, user and operational management
   Recently authored DHS Virtualization Security Best Practices Guide

 Michael Berman
   Catbird Chief Technology Officer (CTO)
   More than 20 years’ experience in system engineering, architecture, design and implementation of secure computing
   Performed hundreds of computer forensic investigations, designed enterprise security solutions, led security assessments, and provided expert support in the prosecution of high profile computer crimes such as “United States v. Robert S.

With all of the evolving NIST and Federal information assurance standards/regulations, how can EPA be compliant in a virtual/cloud

What can EPA do TODAY to ensure compliance in the future?

How can the EPA take advantage of private and public cloud offerings safely and

What kind of techniques and best practices are available to assist EPA in achieving its information assurance objectives in the

When properly managed, what does a secure cloud and virtualized environment get you?
Minimizing the Risks

 Virtualization and Cloud Computing are Complex
   Have a plan!
   Focus on a Holistic
   Avoid Inflated Expectations
   Evaluate Technology Fairly
   Gather Metrics
   Address the Gaps
   Implement Continuous
Supplemental Information

Technical Management Concerns

 Licensing – Hypervisor selection and software on VM images
 Skills Matrix – Does my staff have the proper skills to support virtualization?
 Management Plan – How do I plan to support and implement this new technology & what do I do with after it is here?
 Security – Does this virtualization expose the organization to new security risk and what will it take to put compensating controls in place?
Technical Management Concerns

 Hypervisor Selection – VMWare, Xen, Hyper-V,
 Cultural Impact – Like OS and language zealots, there are virtualization fans.
 COOP & DR – How does virtualization impact my organization’s COOP and DR plans?
 Performance – How can virtualization be implemented without impacting the performance SLE / SLA the customers currently have?
Business Management Concerns

 Change To The Status Quo – Risk inherent with change
 Time To Market – How long before we can leverage the new technology?
 Who’s Paying For It?
   Project costs vs. deferred costs
   Customer costs vs. deferred costs
 Compliance Issues
   Remediation alters the solution architecture
   Increased research and development time
   Potentially jeopardize go-live dates
Business Management Concerns

 Entrenched Interests – How do I introduce virtualization without threatening the existing political environment?
 Implementation Risks – Reliance on an internal IT staff with competing priorities.
 Security – Does this virtualization create security risks that could jeopardize both my project’s success and my business
 Process Risks
   Purchase/Acquisition of VMs
Financial Management Concerns

 Who Pays For Virtualization?
   Deferred costs
 Chargeback Models
   Standard per host
   Usage driven fees
Financial Management Concerns

 True Costs vs. Real Costs
 Return On Investment
 Changes & Impacts:
   Procurement Process
   Depreciation Process
   Budgeting Process
Systems Management Impact

 Enterprise Architecture
   Application to server matrix
   Virtual server to physical server reconciliation
   Application to controlling organization matrix
   Technical reference model
 Provisioning – To automate or not automate?
Systems Management Impact

 Resource utilization and planning policies are impacted
 All end-point management solutions must be virtualization
   Antivirus and malware detection systems
   Asset management solutions
   IPS and IDS software
 SEM and other log aggregation solutions are impacted.
 SAN management solutions are stressed by virtualization
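The virtual-server-to-physical-server reconciliation and the application-to-server and application-to-controlling-organization matrices on the first Systems Management Impact slide, together with the point above that asset management solutions must account for virtualization, come down to comparing two inventories: what the hypervisor reports as running and what the asset-management system (CMDB) has on record. The Python below is an added example written for this page, not code from the presentation or its panelists. The hypervisor host names, VM names, applications and owning organizations are constructed sample data, and the two input lists stand in for whatever a hypervisor API and a CMDB export would return.

```python
# Added example (not from the presentation): reconcile the hypervisor's view
# of running virtual machines against the asset-management (CMDB) view.
# Every host, VM, application and organization name below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class VmRecord:
    """One VM as reported by the hypervisor management layer."""
    name: str
    physical_host: str   # hypervisor host the VM is running on right now


@dataclass(frozen=True)
class AssetRecord:
    """One server as recorded in the asset-management system (CMDB)."""
    name: str
    physical_host: str   # host the CMDB believes the VM lives on
    application: str
    owner_org: str       # controlling organization


# Constructed sample: what the hypervisor reports.
HYPERVISOR_INVENTORY = [
    VmRecord("web-01", "esx-a"),
    VmRecord("web-02", "esx-a"),
    VmRecord("db-01", "esx-b"),
    VmRecord("test-47", "esx-b"),   # created ad hoc, never registered
]

# Constructed sample: what the CMDB has on record.
CMDB_INVENTORY = [
    AssetRecord("web-01", "esx-a", "Portal", "Web Ops"),
    AssetRecord("web-02", "esx-a", "Portal", "Web Ops"),
    AssetRecord("db-01", "esx-a", "Portal", "DBA"),    # stale: VM has since moved to esx-b
    AssetRecord("old-01", "esx-c", "Legacy", "Ops"),   # decommissioned, record never removed
]


def reconcile(hypervisor, cmdb):
    """Return the inventory gaps between the two views.

    unregistered: VMs running with no CMDB record (unmanaged sprawl; nothing
                  will patch, scan or monitor them)
    stale:        CMDB records with no running VM (ghost assets that still
                  count against licensing and chargeback)
    moved:        VMs whose recorded physical host differs from where the
                  hypervisor actually runs them (placement drift)
    """
    live = {vm.name: vm for vm in hypervisor}
    known = {asset.name: asset for asset in cmdb}
    both = set(live) & set(known)
    return {
        "unregistered": sorted(set(live) - set(known)),
        "stale": sorted(set(known) - set(live)),
        "moved": sorted(n for n in both
                        if live[n].physical_host != known[n].physical_host),
    }


def virtual_to_physical(hypervisor):
    """Physical host -> sorted list of VMs, from the hypervisor's live view."""
    matrix = {}
    for vm in hypervisor:
        matrix.setdefault(vm.physical_host, []).append(vm.name)
    return {host: sorted(vms) for host, vms in matrix.items()}


def application_to_server(cmdb, hypervisor):
    """Application -> sorted (vm, physical host, owner org) tuples.

    Placement comes from the hypervisor, application and ownership from the
    CMDB, so only VMs present in both views appear.
    """
    live = {vm.name: vm.physical_host for vm in hypervisor}
    matrix = {}
    for asset in cmdb:
        if asset.name in live:
            matrix.setdefault(asset.application, []).append(
                (asset.name, live[asset.name], asset.owner_org))
    return {app: sorted(rows) for app, rows in matrix.items()}


if __name__ == "__main__":
    gaps = reconcile(HYPERVISOR_INVENTORY, CMDB_INVENTORY)
    for kind, names in gaps.items():
        print(f"{kind:12s} {', '.join(names) or '-'}")
    print(virtual_to_physical(HYPERVISOR_INVENTORY))
    print(application_to_server(CMDB_INVENTORY, HYPERVISOR_INVENTORY))
```

On the sample data the script reports test-47 as unregistered, old-01 as stale and db-01 as moved. The unregistered list is the one that matters most for the Inventory Management and Vulnerability Management concerns listed earlier, because a VM that exists only in the hypervisor falls outside every agent-based endpoint control; the stale list feeds the licensing and chargeback discussion on the Financial Management slides.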
Additional Resources

