Ian Graham (PDF)

Security in the Cloud:
Embracing the Technology
While Minimizing Risk




                           For Conference Purposes Only
Today’s Discussion




  Virtualization and Cloud Technology

  Security and Compliance

  Panelist Q&A




Benefits of Virtualization
and Cloud Technology

Better…
  Resource Utilization
    Physical
    Environmental
    Space
  Host Consistency
    Application
    Hardware
    Operating System
  Load Distribution
    Dynamic Resources
    Long Distance Migration

Rapid…
  Host creation
  Environment creation
    Development/Test
    Prototyping/Sandbox
  Backup/Restoration

Other…
  Standardize system maintenance
  Can lower licensing costs
  Additional security benefits



Adoption Challenges

Systems Management
  Tools and techniques

Business Management
  Project or program focused
  Internal or customer based

Financial Management
  Project or program focused
  Liability driven

Technical Management
  Support focused
  Internal IT organization
  Customer service driven

Security and Compliance


Security and Compliance –
The Problem/Challenge


 Traditional security technology, process,
 and training will not secure this environment
 Data security in a multitenant environment
 Making security measurable
 Assuring compliance
  “The key element to managing an information security
  program is information – about agencies’ security postures,
  activities and threats. Agencies need to be able to
  continuously monitor security-related information from
  across the enterprise in a manageable and actionable way.”
   - Vivek Kundra, Federal Chief Information Officer (CIO)





Security and Compliance –
Areas of Concern


 Auditing
 Inventory Management
 Access Control
 Vulnerability Management
 Change Management
 Configuration Management
 Incident Response






Governance and Policy

Technology
  VLAN and other Layer 1-4 management issues
  JBOD, SAN, NAS
  Identity Management
  Host resource distribution
  Host connectivity: Database, Middleware, Application Server, etc.
  PKI, DSS, SSL, Session state, etc.

Compliance
  FISMA / FIPS
  DIACAP
  DISA STIGs
  COBIT / ITIL
  HIPAA, PCI, etc.
  ISO/IEC 17799 / 27002
  NIST Special Publications (800 Series)
  OMB A-130
  HSPD-7 and 12
  Data Retention Policies

Virtualization greatly increases the complexity of, and the demands on, all
traditional IT services, thereby complicating the certification and
accreditation (C&A) process.

About Our Panelists

 Herb Goodfellow Jr.
   Guident Security Practice Manager
   More than 20 years of experience designing secure enterprise systems for Federal
   and large corporate clients
   Delivered large-scale real-time biometric, user and operational management
   solutions
   Recently authored the DHS Virtualization Security Best Practices Guide

 Michael Berman
   Catbird Chief Technology Officer (CTO)
   More than 20 years of experience in system engineering, architecture, design and
   implementation of secure computing
   Performed hundreds of computer forensic investigations, designed enterprise
   security solutions, led security assessments, and provided expert support in the
   prosecution of high-profile computer crimes such as “United States v. Robert S.
   Gordon”




Question 1

With all of the evolving NIST and Federal information assurance
standards/regulations, how can EPA be compliant in a virtual/cloud
environment?




Question 2

What can EPA do TODAY to ensure compliance in the future?




Question 3

How can the EPA take advantage of private and public cloud offerings safely
and securely?




Question 4

What kind of techniques and best practices are available to assist EPA in
achieving its information assurance objectives in the cloud?




Question 5

When properly managed, what does a secure cloud and virtualized environment
get you?




Minimizing the Risks


 Virtualization and Cloud Computing are Complex Technologies
  Have a plan!
  Focus on a Holistic Solution
  Avoid Inflated Expectations
  Evaluate Technology Fairly
  Gather Metrics
  Address the Gaps
  Implement Continuous Compliance

Supplemental Information




Technical Management Concerns

 Licensing – Hypervisor selection and software on VM images
 Skills Matrix – Does my staff have the proper skills to support virtualization?
 Management Plan – How do I plan to support and implement this new technology, and
 what do I do with it after it is here?
 Security – Does this virtualization expose the organization to new security risk, and
 what will it take to put compensating controls in place?

Technical Management Concerns

 Hypervisor Selection – VMware, Xen, Hyper-V, KVM
 Cultural Impact – Like OS and language zealots, there are virtualization fans.
 COOP & DR – How does virtualization impact my organization’s COOP and DR plans?
 Performance – How can virtualization be implemented without impacting the
 performance SLE / SLA the customers currently have?

Business Management Concerns

 Change To The Status Quo – Risk inherent with change
 Time To Market – How long before we can leverage the new technology?
 Who’s Paying For It?
  Project costs vs. deferred costs
  Customer costs vs. deferred costs
 Compliance Issues
  Remediation alters the solution architecture
  Increased research and development time
  Potentially jeopardize go-live dates




Business Management Concerns

 Entrenched Interests – How do I introduce virtualization without threatening the
 existing political environment?
 Implementation Risks – Reliance on an internal IT staff with competing priorities.
 Security – Does this virtualization create security risks that could jeopardize both
 my project’s success and my business reputation?
 Process Risks
   Purchase/Acquisition of VMs
   Installation/Provisioning
   Support

Financial Management Concerns

 Who Pays For Virtualization?
  Licensing
  Labor
  Training
  Deferred costs
 Chargeback Models
  Standard per host
  Usage driven fees






Financial Management Concerns

 True Costs vs. Real Costs
 Return On Investment
 Changes & Impacts:
  Procurement Process
  Depreciation Process
  Budgeting Process








Systems Management Impact

 Enterprise Architecture
  Application to server matrix modification
  Virtual server to physical server reconciliation
  Application to controlling organization matrix
  Technical reference model changes
 Provisioning – To automate or not automate?



Systems Management Impact

 Resource utilization and planning policies are impacted
 All end-point management solutions must be virtualization-aware:
  Antivirus and malware detection systems
  Asset management solutions
  IPS and IDS software
 SEM and other log aggregation solutions are impacted.
 SAN management solutions are stressed by virtualization.

Additional Resources

 http://tinyurl.com/vcompliance
 http://cloudbook.net/michael-berman
 http://www.vmware.com/security/
 http://tinyurl.com/54wret
 http://broadcast.oreilly.com/2008/11/20-rules-for-amazon-cloud-security.html
 http://cloudsecurityalliance.org/
 http://cloudcomputing.sys-con.com/node/1056876
 http://www.scribd.com/doc/18031511/US-Federal-Cloud-Computing-Initiative-Overview-Presentation-GSA


