Hyper Converged Security - cloud-council.org
TRANSCRIPT
EMC CONFIDENTIAL—INTERNAL USE ONLY
HYPER CONVERGED SECURITY
SAID TABET – SENIOR TECHNOLOGIST
DANIEL REICH – CLOUD SECURITY BUSINESS DEVELOPMENT
© Copyright 2015 EMC Corporation. All rights reserved.
INDUSTRY IN THE CROSSHAIRS
• 20 Years ago …
• Media coverage of breaches …
FRAMING THE PROBLEM
1400
1.5 Million
RAISING AN INFOSEC CHILD
Infant
Child
Teenager
SECURITY & COMPLIANCE TRANSFORMATION
9:00AM Annual compliance training
SIMPLE · SECURE · AGILE · AUTOMATED
REDEFINE "CHECK THE BOX"
Easy to understand · Easy to deploy · Easy to consume
SECURE YOUR CLOUD
Isolated
Segmented
DESIGN CONSIDERATIONS
Designed for purpose
Bolt-on Upgrade
SUPPLY CHAIN MANAGEMENT
Product security response center
Secure development
Security certifications
Industry collaboration on best practices
STANDARDS ACTIVITIES
ISO/IEC JTC 1/SC 38 Information Technology – Distributed Application Platforms & Services
• ISO/IEC 17788 (Cloud computing – Vocabulary and overview)
  – Defines key cloud terminology and provides an overview of cloud computing
  – Intended to be a foundation document for cloud computing
• ISO/IEC 17789 (Reference architecture)
  – Collaborative Team (CT) with ITU-T/SG13 to develop common text
  – Covers general concepts and characteristics of cloud computing, the components/functions and roles and their capabilities and inter-relationships
  – Focused on the requirements of what cloud services provide, not how to design solutions and implementations
ISO/IEC JTC 1/SC 38 (Cont’d) Information Technology – Distributed Application Platforms & Services
ISO/IEC 19086 (Service Level Agreement Guidance)
• Provides an overview of SLAs for cloud services
• Identifies the relationship between the master service agreement and the SLA
• Addresses SLA concepts and requirements that can be used to build SLAs
• Specifies terms and conditions as well as metrics commonly used in SLAs for cloud services
• Seeks to establish a set of common SLA building blocks (concepts, terms, definitions, contexts) that can then be used to create SLAs that will help avoid confusion and facilitate common understanding between the Cloud Service Providers and the Cloud Service Customers
CLOUD STANDARDS - PUBLISHED
ISO/IEC 27018: Code of practice for data protection controls for public cloud computing services
• Applies to organizations providing public cloud computing services that act as PII processors (possibly PII controllers)
• Establishes commonly accepted control objectives, controls and guidelines for implementing controls
CLOUD STANDARDS – ACTIVE
ISO/IEC 27017: Code of practice for information security controls for cloud computing services based on ISO/IEC 27002
• Common text standard with ITU-T/SG17
• Additional implementation guidance for relevant information security controls specified in ISO/IEC 27002
• Additional controls and implementation guidance that specifically relate to cloud computing services
ISO/IEC 27036-4 (Information security for supplier relationships – Part 4: Guidelines for security of cloud services)
• Provides cloud service providers and customers with guidance on:
  – Managing the information security risks caused by using cloud services
  – Integrating information security processes and practices into the cloud-based product and service lifecycle processes
  – Responding to risks specific to the acquisition or provision of cloud-based services
• Defines guidelines supporting the implementation of information security management for the use of cloud services
CLOUD STANDARDS – ACTIVE
ISO/IEC 19086-4 (Cloud Service Level Agreement (SLA) Framework – Part 4: Security and Privacy)
• Specifies the security and privacy aspects of Service Level Agreements (SLA) for cloud services, including requirements and guidance
• Facilitates common understanding between the Cloud Service Providers and the Cloud Service Customers
• Service Level Agreement (SLA) concepts are covered in general in ISO/IEC 19086-1
ISO/IEC 27008 (Guidelines for auditors on information security management systems controls)
• Annex C (Informative): Technical compliance checking practice guide for cloud services (IaaS)
STUDY PERIODS
• Cloud adapted risk management framework
• Cloud security use cases and potential standardization gaps
• Virtualization security
DELIVERING RESULTS THROUGH RESEARCH AND COLLABORATION
[Figure: research pipeline; only the diagram labels are recoverable]
We gather requirements from: Universities, Business Units, Partners, Peer Industrials
We interpret: Market Forces, Standards, Technology Disruptions
• Analysis of Products in Future Use Cases
• Inform Product Strategy
We create a research portfolio (timeline 2011–2014): FAME, 3DCloud, Cloud4Gov, SPARKS, SPECS, SOLAS, ESCUDO, NEAT, SAFEcrypto
Collaborators: Industry Partners, Universities, Government Agencies, Customers
Outputs: Differentiated products and services; Knowledge Transfer to EMC BUs; Start-ups
SPECS – Secure Provisioning of Cloud Services based on SLA management
Proposal under Objective ICT-2013.1.5 Trustworthy ICT, Target outcome: a) Security and Privacy in Cloud computing
Details
• 30 month project – EU FP7 STREP, started Nov. 2013
• Developing and implementing an open source framework to offer Security-as-a-Service
• Total Funding: €3.5m
Research Themes
• Security as a service (SECaaS)
• Cloud security Service Level Agreements (SLA)
• Security parameters in SLAs
• Semantics to evaluate Cloud Service Provider offerings
Exploitation
• Presentations at Industry events
• Customer engagements in progress
• Scientific paper in pipeline
Status
• Proof of Concept demonstrator development with EMC product in progress, prototype ready by end of 2015.
SPECS: PROBLEM STATEMENT
SCENARIO: You are a corporate security manager. You want to migrate some applications to the Cloud.
• Data resides on a remote Cloud Service Provider (CSP)
• Data is security sensitive: assurance that the CSP's personnel will not have access to your data
• Guarantee that only authorized people can access your data
• Assess a CSP's ability to meet the security requirements, and select a CSP on this basis
WITHOUT SPECS
Actors: Storage Admin
Acquiring Storage: Customer has already acquired storage
• Available resources for storage change over time (faults, peak of requests, ordinary maintenance)
• Admin has to acquire additional resources from a remote site
Limitations: Admin has to verify manually that all the grants offered locally can be respected in the scenario where the storage is hosted on a remote site
GEOLOCATION SERVICES
• Allow you to select a regional endpoint to make your requests
• Reduce data latency
• Offer control over data location w.r.t. legislation, regulatory bodies, etc.
DEFINING THE REGIONS
Region              SPECS Region    AWS Map                  ViPR Map
US East             SP-US-EAST      us-east-1                SP-US-EAST
US West             SP-US-WEST      us-west-2 / us-west-1    SP-US-WEST
California, USA     US-CA           us-west-1                US-CA
Florida, USA        US-FL           -                        US-FL
Dublin, Ireland     IE-D            eu-west-1                IE-D
Italy               IT              -                        IT
Singapore           SG              ap-southeast-1           SG
Tokyo, Japan        JP-13           ap-northeast-1           JP-13
Japan               JP              -                        AUS-SYD
Sao Paulo, Brazil   BR-SP           sa-east-1                BR-SP
EU Central          SP-EU-CENTRAL   eu-central-1             SP-EU-CENTRAL
Leverages the ISO 3166-2 standard for country and subdivision codes
Mapping scheme easy to implement (YAML)
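The region mapping above, as an added example (not code from the slides or from the SPECS project): a constructed YAML mapping of a few rows from the table, a minimal parser for it, and a resolver that enforces a data-location constraint before choosing an endpoint, failing closed for aggregate SP-* regions whose country cannot be established. The parser, the ISO 3166 patterns, the AWS-first preference and the fail-closed rule are assumptions of this example.

```python
import re

# Constructed sample in the YAML style the deck mentions; rows from the slide table.
# "null" marks a SPECS region with no AWS equivalent (ViPR-only).
REGION_MAP_YAML = """\
SP-US-EAST:
  aws: us-east-1
  vipr: SP-US-EAST
US-CA:
  aws: us-west-1
  vipr: US-CA
IE-D:
  aws: eu-west-1
  vipr: IE-D
IT:
  aws: null
  vipr: IT
"""
ISO_3166_2 = re.compile(r"^[A-Z]{2}-[A-Z0-9]{1,3}$")  # subdivision code, e.g. US-CA
ISO_3166_1 = re.compile(r"^[A-Z]{2}$")                # country code, e.g. IT

def parse_region_map(text):
    """Minimal parser for the two-level mapping above (no PyYAML dependency)."""
    regions, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):          # top-level key: a SPECS region
            current = line.rstrip().rstrip(":")
            regions[current] = {}
        else:                                 # indented "key: value" pair
            key, value = (s.strip() for s in line.split(":", 1))
            regions[current][key] = None if value == "null" else value
    return regions

def country_of(specs_region):
    """ISO 3166-1 country behind a SPECS region; None for aggregate SP-* regions."""
    if ISO_3166_2.match(specs_region) or ISO_3166_1.match(specs_region):
        return specs_region[:2]
    return None

def resolve_endpoint(specs_region, allowed_countries, regions):
    """Choose a backend for the region while enforcing a data-location SLO.
    Returns (backend, endpoint), or None when the SLO cannot be shown to hold:
    unknown region, country outside allowed_countries, or an aggregate region
    whose country is not established (fail closed rather than guess)."""
    entry, country = regions.get(specs_region), country_of(specs_region)
    if entry is None or country is None or country not in allowed_countries:
        return None
    if entry.get("aws"):                      # prefer the public-cloud mapping
        return ("aws", entry["aws"])
    return ("vipr", entry["vipr"])            # otherwise the ViPR-managed pool
```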
CLOUD SLA BENEFITS
Process
• Customer negotiates Security SLAs (capabilities, controls, metrics, SLOs)
• SPECS automatically configures the storage and makes it available
• Admin does not intervene in the process, but can supervise it
• Customer has a dedicated interface to check its own security requirements
Advantages
• Admin role simplified
• Covers the semantic gap between customer and admin
• Customers can verify security levels