2014-04-28 cloud security frameworks and enforcement
![Page 1: 2014-04-28 cloud security frameworks and enforcement](https://reader031.vdocuments.net/reader031/viewer/2022022419/58a2cfa01a28ab692e8b4c6b/html5/thumbnails/1.jpg)
Cloud Security: Frameworks and Enforcement
SHAWN WELLS Director, Innovation Programs, U.S. Public Sector [email protected] || 443-534-0130
1 UNCLASSIFIED
![Page 2: 2014-04-28 cloud security frameworks and enforcement](https://reader031.vdocuments.net/reader031/viewer/2022022419/58a2cfa01a28ab692e8b4c6b/html5/thumbnails/2.jpg)
![Page 3: 2014-04-28 cloud security frameworks and enforcement](https://reader031.vdocuments.net/reader031/viewer/2022022419/58a2cfa01a28ab692e8b4c6b/html5/thumbnails/3.jpg)
![Page 4: 2014-04-28 cloud security frameworks and enforcement](https://reader031.vdocuments.net/reader031/viewer/2022022419/58a2cfa01a28ab692e8b4c6b/html5/thumbnails/4.jpg)
35 MINUTES, 2 GOALS
1. Cloud Security Lifecycle
   • Government Certification & Accreditation Models
   • Case Study: Westfield’s MADFW/MITE
2. Enabling Security Technologies
   • Security Content Automation Protocol (SCAP)
   • Containers
![Page 5: 2014-04-28 cloud security frameworks and enforcement](https://reader031.vdocuments.net/reader031/viewer/2022022419/58a2cfa01a28ab692e8b4c6b/html5/thumbnails/5.jpg)
![Page 6: 2014-04-28 cloud security frameworks and enforcement](https://reader031.vdocuments.net/reader031/viewer/2022022419/58a2cfa01a28ab692e8b4c6b/html5/thumbnails/6.jpg)
![Page 7: 2014-04-28 cloud security frameworks and enforcement](https://reader031.vdocuments.net/reader031/viewer/2022022419/58a2cfa01a28ab692e8b4c6b/html5/thumbnails/7.jpg)
WHAT IS THE CLOUD?
• Infrastructure as a Service (IaaS): CIA C2S, NSA MACHINESHOP, ARC-P, Westfield’s MITE
• Platform as a Service (PaaS): DLT CODEvolved, Autonomic ARCWRX
• Software as a Service (SaaS): salesforce.com
![Page 8: 2014-04-28 cloud security frameworks and enforcement](https://reader031.vdocuments.net/reader031/viewer/2022022419/58a2cfa01a28ab692e8b4c6b/html5/thumbnails/8.jpg)
![Page 9: 2014-04-28 cloud security frameworks and enforcement](https://reader031.vdocuments.net/reader031/viewer/2022022419/58a2cfa01a28ab692e8b4c6b/html5/thumbnails/9.jpg)
![Page 10: 2014-04-28 cloud security frameworks and enforcement](https://reader031.vdocuments.net/reader031/viewer/2022022419/58a2cfa01a28ab692e8b4c6b/html5/thumbnails/10.jpg)
![Page 11: 2014-04-28 cloud security frameworks and enforcement](https://reader031.vdocuments.net/reader031/viewer/2022022419/58a2cfa01a28ab692e8b4c6b/html5/thumbnails/11.jpg)
![Page 12: 2014-04-28 cloud security frameworks and enforcement](https://reader031.vdocuments.net/reader031/viewer/2022022419/58a2cfa01a28ab692e8b4c6b/html5/thumbnails/12.jpg)
![Page 13: 2014-04-28 cloud security frameworks and enforcement](https://reader031.vdocuments.net/reader031/viewer/2022022419/58a2cfa01a28ab692e8b4c6b/html5/thumbnails/13.jpg)
IaaS Case Study: Westfield’s MADFW
• Also known as MITE; falls under MID
• Development environment for ~117 tenants
• Anything beyond the operating system is the tenant’s responsibility (applications, continuous monitoring, etc.)
• ICD 503, categorized High/Low/Low (confidentiality / integrity / availability)
![Page 14: 2014-04-28 cloud security frameworks and enforcement](https://reader031.vdocuments.net/reader031/viewer/2022022419/58a2cfa01a28ab692e8b4c6b/html5/thumbnails/14.jpg)
Continuous Monitoring
• NIST SP 800-53, SP 800-137, and many other standards and regulations require continuous monitoring
• We’ve been using the SCAP Security Guide
   • Large body of Linux security controls
   • Logically grouped into profiles (e.g. DoD STIG, FISMA Moderate, C2S…)
   https://fedorahosted.org/scap-security-guide/
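Continuous monitoring in practice means ingesting scanner output on a schedule and alerting on drift, not producing a one-off compliance report. The Python below is an added example, not code from this deck or from the SCAP Security Guide project: it parses the XCCDF 1.2 results document that `oscap xccdf eval --results` writes, lists failed rules by severity, and compares two scans of the same host to find rules that regressed. The two result documents are constructed inline for the example (the rule identifiers follow the scap-security-guide naming scheme, but the outcomes are made up), and the severity ranking and the choice of which outcomes count as findings are assumptions.

```python
"""Ingest XCCDF 1.2 scan results (what `oscap xccdf eval --results` writes)
and flag failed rules plus drift between two scans of the same host."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"

# Outcomes that mean "the control is not in place" (assumption: error and
# unknown are treated as findings, notapplicable/notselected are not).
FINDING_RESULTS = {"fail", "error", "unknown"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}


def parse_results(xml_text):
    """Return {rule_id: (result, severity)} from an XCCDF results document."""
    root = ET.fromstring(xml_text)
    test_result = root.find(f".//{XCCDF}TestResult")
    if test_result is None:
        raise ValueError("no TestResult element: not an XCCDF results file")
    rules = {}
    for rr in test_result.findall(f"{XCCDF}rule-result"):
        result = rr.findtext(f"{XCCDF}result", default="unknown").strip()
        rules[rr.get("idref")] = (result, rr.get("severity", "unknown"))
    return rules


def summarize(rules):
    """Count outcomes, e.g. {'pass': 4, 'fail': 2}."""
    return Counter(result for result, _ in rules.values())


def findings(rules):
    """Failed/errored rules, highest severity first, as (rule_id, result, severity)."""
    hits = [(rid, res, sev) for rid, (res, sev) in rules.items() if res in FINDING_RESULTS]
    return sorted(hits, key=lambda h: (SEVERITY_RANK.get(h[2], 4), h[0]))


def regressions(previous, current):
    """Rules that passed last scan and are findings now: the drift a
    continuous-monitoring pipeline should alert on (new rules are not drift)."""
    return sorted(
        rid for rid, (res, _) in current.items()
        if res in FINDING_RESULTS and previous.get(rid, ("unknown", None))[0] == "pass"
    )


def make_results_xml(rule_results):
    """Build a minimal XCCDF 1.2 results document (constructed test data, not
    real scanner output) from [(rule_id, severity, result), ...]."""
    body = "".join(
        f'<rule-result idref="{rid}" severity="{sev}"><result>{res}</result></rule-result>'
        for rid, sev, res in rule_results
    )
    return (
        '<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">'
        '<TestResult id="xccdf_example_testresult"><target>tenant-vm-01.example</target>'
        f"{body}</TestResult></Benchmark>"
    )


# Constructed sample: yesterday's scan and today's, with one rule regressing
# and one newly checked rule erroring. Rule ids are illustrative.
YESTERDAY = make_results_xml([
    ("xccdf_org.ssgproject.content_rule_no_empty_passwords", "high", "pass"),
    ("xccdf_org.ssgproject.content_rule_sshd_disable_root_login", "medium", "pass"),
    ("xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex", "low", "fail"),
    ("xccdf_org.ssgproject.content_rule_partition_for_tmp", "low", "notapplicable"),
])
TODAY = make_results_xml([
    ("xccdf_org.ssgproject.content_rule_no_empty_passwords", "high", "pass"),
    ("xccdf_org.ssgproject.content_rule_sshd_disable_root_login", "medium", "fail"),
    ("xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex", "low", "fail"),
    ("xccdf_org.ssgproject.content_rule_partition_for_tmp", "low", "notapplicable"),
    ("xccdf_org.ssgproject.content_rule_selinux_state", "high", "error"),
])

if __name__ == "__main__":
    prev, cur = parse_results(YESTERDAY), parse_results(TODAY)
    print("today:", dict(summarize(cur)))
    for rid, res, sev in findings(cur):
        print(f"  {sev:6} {res:6} {rid}")
    print("regressed since last scan:", regressions(prev, cur))
```

Feeding real scans in is a matter of reading the `--results` file from each run; the regression list, not the raw pass/fail count, is what should page someone, because a tenant-owned host that failed the same low-severity rule last week is a known exception while a root-login rule flipping from pass to fail is a change.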
![Page 15: 2014-04-28 cloud security frameworks and enforcement](https://reader031.vdocuments.net/reader031/viewer/2022022419/58a2cfa01a28ab692e8b4c6b/html5/thumbnails/15.jpg)
Contributors Include . . .
![Page 16: 2014-04-28 cloud security frameworks and enforcement](https://reader031.vdocuments.net/reader031/viewer/2022022419/58a2cfa01a28ab692e8b4c6b/html5/thumbnails/16.jpg)
Control Tailoring
![Page 17: 2014-04-28 cloud security frameworks and enforcement](https://reader031.vdocuments.net/reader031/viewer/2022022419/58a2cfa01a28ab692e8b4c6b/html5/thumbnails/17.jpg)
Sample Output
![Page 18: 2014-04-28 cloud security frameworks and enforcement](https://reader031.vdocuments.net/reader031/viewer/2022022419/58a2cfa01a28ab692e8b4c6b/html5/thumbnails/18.jpg)
SCAP Content Repositories
NIST maintains the SCAP content repository (the National Checklist Program) for the U.S. Government, with plenty of non-Linux content: http://web.nvd.nist.gov/view/ncp/repository
![Page 19: 2014-04-28 cloud security frameworks and enforcement](https://reader031.vdocuments.net/reader031/viewer/2022022419/58a2cfa01a28ab692e8b4c6b/html5/thumbnails/19.jpg)
MADFW v2: PaaS (via containers)
• Think of the containers as boxes, nodes as the truck
• We don’t care what’s inside the box, it’s just cargo
![Page 20: 2014-04-28 cloud security frameworks and enforcement](https://reader031.vdocuments.net/reader031/viewer/2022022419/58a2cfa01a28ab692e8b4c6b/html5/thumbnails/20.jpg)
![Page 21: 2014-04-28 cloud security frameworks and enforcement](https://reader031.vdocuments.net/reader031/viewer/2022022419/58a2cfa01a28ab692e8b4c6b/html5/thumbnails/21.jpg)
Multi-tenancy
RHEL guests, each confined to the svirt_t type with its own MCS category pair:
system_u:system_r:svirt_t:s0:c379,c680
system_u:system_r:svirt_t:s0:c41,c368
HYPERVISOR (RHEV, OpenStack, KVM, even VMWare…)
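The two labels above differ only in their MCS categories (c379,c680 versus c41,c368): every guest runs under the same svirt_t type, and what keeps tenants apart is that each guest process and its disk image carry a unique category pair that no other guest's process dominates. The Python below is an added model of that check, not code from this deck or from libvirt or the SELinux policy: it parses contexts, applies the MCS dominance rule (the subject's categories must be a superset of the object's), and allocates fresh category pairs the way sVirt does. The image and libvirtd labels are constructed for the example, and the real access decision also depends on type enforcement, which this does not model.

```python
"""Model the MCS part of the sVirt isolation shown on the multi-tenancy slide."""
import random
import re

_CAT_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")
MCS_CATEGORIES = 1024  # c0 .. c1023 in the targeted policy

VM_A = "system_u:system_r:svirt_t:s0:c379,c680"             # label from the slide
VM_B = "system_u:system_r:svirt_t:s0:c41,c368"              # label from the slide
IMAGE_A = "system_u:object_r:svirt_image_t:s0:c379,c680"    # constructed: VM A's disk image
LIBVIRTD = "system_u:system_r:virtd_t:s0-s0:c0.c1023"       # constructed: management daemon


def parse_context(ctx):
    """Split 'user:role:type:level[:categories]' into a dict. The category
    field may mix single items (c41,c368) and ranges (c0.c1023); the level
    is kept verbatim (single level or range such as s0-s0)."""
    parts = ctx.split(":")
    if len(parts) not in (4, 5):
        raise ValueError(f"malformed SELinux context: {ctx!r}")
    user, role, type_, level = parts[:4]
    cats = set()
    if len(parts) == 5 and parts[4]:
        for item in parts[4].split(","):
            m = _CAT_RE.match(item)
            if not m:
                raise ValueError(f"bad MCS category {item!r} in {ctx!r}")
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            cats.update(range(lo, hi + 1))
    return {"user": user, "role": role, "type": type_, "level": level, "categories": cats}


def mcs_allows(subject_ctx, object_ctx):
    """MCS constraint only: the subject's categories must dominate (be a
    superset of) the object's. Two guests with disjoint pairs fail this in
    both directions; a c0.c1023 daemon dominates everything."""
    subject, obj = parse_context(subject_ctx), parse_context(object_ctx)
    return obj["categories"] <= subject["categories"]


def allocate_category_pair(in_use, rng=random):
    """Pick a fresh unordered pair of categories for a new guest, as sVirt does:
    two distinct random categories from c0..c1023, never reused while a running
    guest owns the pair. `in_use` is a set of frozensets and is updated."""
    for _ in range(10_000):
        pair = frozenset(rng.sample(range(MCS_CATEGORIES), 2))
        if pair not in in_use:
            in_use.add(pair)
            return pair
    raise RuntimeError("MCS category space exhausted")


def label(type_, pair, user="system_u", role="system_r"):
    """Render the full context for a process or image that owns `pair`."""
    c1, c2 = sorted(pair)
    return f"{user}:{role}:{type_}:s0:c{c1},c{c2}"


if __name__ == "__main__":
    print("A -> A's image:      ", mcs_allows(VM_A, IMAGE_A))
    print("B -> A's image:      ", mcs_allows(VM_B, IMAGE_A))
    print("libvirtd -> A's image:", mcs_allows(LIBVIRTD, IMAGE_A))
    used = {frozenset((379, 680)), frozenset((41, 368))}
    pair = allocate_category_pair(used)
    print("new guest:", label("svirt_t", pair), "image:", label("svirt_image_t", pair))
```

The practical check on a host is to compare the category pair on each qemu process against its image files; a guest whose image is left at the plain `virt_image_t` label with no categories is readable by every `svirt_t` process, because an empty category set is dominated by all of them.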
![Page 22: 2014-04-28 cloud security frameworks and enforcement](https://reader031.vdocuments.net/reader031/viewer/2022022419/58a2cfa01a28ab692e8b4c6b/html5/thumbnails/22.jpg)
Multi-tenancy
![Page 23: 2014-04-28 cloud security frameworks and enforcement](https://reader031.vdocuments.net/reader031/viewer/2022022419/58a2cfa01a28ab692e8b4c6b/html5/thumbnails/23.jpg)