HYPER CONVERGED SECURITY - cloud-council.org

Upload: truongkhanh

Post on 24-Aug-2018

EMC CONFIDENTIAL—INTERNAL USE ONLY

HYPER CONVERGED SECURITY

SAID TABET – SENIOR TECHNOLOGIST

DANIEL REICH – CLOUD SECURITY BUSINESS DEVELOPMENT

© Copyright 2015 EMC Corporation. All rights reserved.

INDUSTRY IN THE CROSSHAIRS

• 20 Years ago …

• Media coverage of breaches …


FRAMING THE PROBLEM

1400

1.5 Million


RAISING AN INFOSEC CHILD

Infant

Child

Teenager


SECURITY & COMPLIANCE TRANSFORMATION

9:00AM Annual compliance training


SIMPLE

SECURE AGILE

AUTOMATED

REDEFINE CHECK THE BOX

Easy to understand Easy to deploy Easy to consume


SECURE YOUR CLOUD

Isolated

Segmented


DESIGN CONSIDERATIONS

Designed for purpose

Bolt-on Upgrade


SUPPLY CHAIN MANAGEMENT

Product security response center

Secure development

Security certifications

Industry collaboration on best practices


STANDARDS ACTIVITIES


ISO/IEC JTC 1/SC 38 Information Technology – Distributed Application Platforms & Services

• ISO/IEC 17788 (Cloud computing – Vocabulary and overview)
  – Defines key cloud terminology and provides an overview of cloud computing
  – Intended to be a foundation document for cloud computing

• ISO/IEC 17789 (Reference architecture)
  – Collaborative Team (CT) with ITU-T/SG13 to develop common text
  – Covers general concepts and characteristics of cloud computing, the components/functions and roles and their capabilities and inter-relationships
  – Focused on the requirements of what Cloud services provide, not how to design solutions and implementations


ISO/IEC JTC 1/SC 38 (Cont’d) Information Technology – Distributed Application Platforms & Services

ISO/IEC 19086 (Service Level Agreement Guidance)

• Provides an overview of SLAs for cloud services
• Identifies the relationship between the master service agreement and the SLA
• Addresses SLA concepts and requirements that can be used to build SLAs
• Specifies terms and conditions as well as metrics commonly used in SLAs for cloud services
• Seeks to establish a set of common SLA building blocks (concepts, terms, definitions, contexts) that can then be used to create SLAs that will help avoid confusion and facilitate common understanding between the Cloud Service Providers and the Cloud Service Customers


CLOUD STANDARDS - PUBLISHED

ISO/IEC 27018: Code of practice for data protection controls for public cloud computing services

Applies to organizations providing public cloud computing services that act as PII processors (possibly PII controllers)

Establishes commonly accepted control objectives, controls and guidelines for implementing controls


CLOUD STANDARDS - ACTIVE

ISO/IEC 27017: Code of practice for information security controls for cloud computing services based on ISO/IEC 27002

• Common text standard with ITU-T/SG17
• Additional implementation guidance for relevant information security controls specified in ISO/IEC 27002;
• Additional controls and implementation guidance that specifically relate to cloud computing services.

ISO/IEC 27036-4 (Information security for supplier relationships – Part 4: Guidelines for security of cloud services)

• Provides cloud service providers and customers
  – Managing the information security risks caused by using cloud services
  – Integrating information security processes and practices into the cloud-based product and service lifecycle processes
  – Responding to risks specific to the acquisition or provision of cloud-based services
• Defines guidelines supporting the implementation of information security management for the use of cloud services


CLOUD STANDARDS – ACTIVE

ISO/IEC 19086-4 (Cloud Service Level Agreement (SLA) Framework – Part 4: Security and Privacy)

Specifies the Security and Privacy aspects of Service Level Agreements (SLA) for cloud services including requirements and guidance.

Facilitate common understanding between the Cloud Service Providers and the Cloud Service Customers

Service Level Agreement (SLA) concepts are covered in general in ISO/IEC 19086-1

ISO/IEC 27008 (Guidelines for auditors on information security management systems controls)

Annex C (Informative) Technical compliance checking Practice guide for Cloud Services (IAAS)


Cloud adapted risk management framework

Cloud security use cases and potential standardization gaps

Virtualization security

STUDY PERIODS


DELIVERING RESULTS

We gather requirements

Universities

Business Units

Partners

Peer Industrials

We create a research portfolio

Differentiated products and services

Knowledge Transfer to EMC BUs

Start-ups

2011 2012 2013 FAME

3DCloud

Cloud4Gov

SPARKS

SPECS

SOLAS

Market Forces

Standards

Technology Disruptions

We interpret

• Analysis of Products in Future Use Cases • Inform Product Strategy

Industry Partners

Universities

Government Agencies

Customers

2014 ESCUDO

NEAT

SAFEcrypto


THROUGH RESEARCH AND COLLABORATION


Proposal under Objective ICT-2013.1.5 Trustworthy ICT, Target outcome: a) Security and Privacy in Cloud computing

Details 30 month project – EU FP7 STREP, started Nov. 2013

Developing and implementing an open source framework to offer Security-as-a-Service

Total Funding: €3.5m

Research Themes Security as a service (SECaaS)

Cloud security Service Level Agreements (SLA)

Security parameters in SLAs

Semantic to evaluate Cloud Service Provider offering

Exploitation Presentations at Industry events

Customer engagements in progress

Scientific paper in pipeline

• Proof of Concept demonstrator development with EMC product in progress, prototype ready by end of 2015.

Status


SPECS Secure Provisioning of Cloud Services based on SLA management


SCENARIO: You are a corporate security manager. You want to migrate some applications to the Cloud

Data resides on a remote Cloud Service Provider (CSP)

Data is security sensitive: Assurance that the CSP's personnel will not have access to your data

Guarantee that only authorized people can access your data

Assess a CSP's ability to meet the security requirements, and select a CSP on this basis

Cloud Service Provider

SPECS: PROBLEM STATEMENT

Actors: Storage Admin

Acquiring Storage: Customer has already acquired storage

Available resources for storage change over time (faults, peak of requests, ordinary maintenance)

Admin has to acquire additional resources from a remote site

Limitations: Admin has to verify manually that all the grants offered locally can be respected in the scenario where the storage is hosted on remote site


WITHOUT SPECS


Allow you to select a regional endpoint to make your requests

Reduce data latency

Offers control over data location w.r.t. legislation, regulatory bodies, etc.


GEOLOCATION SERVICES


Region              SPECS Region    AWS Map                 ViPR Map
US East             SP-US-EAST      us-east-1               SP-US-EAST
US West             SP-US-WEST      us-west-2 / us-west-1   SP-US-WEST
California, USA     US-CA           us-west-1               US-CA
Florida, USA        US-FL           -                       US-FL
Dublin, Ireland     IE-D            eu-west-1               IE-D
Italy               IT              -                       IT
Singapore           SG              ap-southeast-1          SG
Tokyo, Japan        JP-13           ap-northeast-1          JP-13
Japan               JP              -                       AUS-SYD
Sao Paulo, Brazil   BR-SP           sa-east-1               BR-SP
EU Central          SP-EU-CENTRAL   eu-central-1            SP-EU-CENTRAL

Leverage ISO 3661-2 standard for country codes

Mapping scheme easy to implement (YAML)


DEFINING THE REGIONS
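An added example (not from the slides or from the SPECS project) of how the region table can back a data-location check: given the SPECS regions a customer's SLA allows, decide whether a placement in a given AWS region complies. The function names are hypothetical, and the table is transcribed from the slide as a Python dict rather than YAML so the block runs with the standard library only.

```python
# Region table transcribed from the slide: SPECS code -> (AWS regions, ViPR label).
# An empty AWS list stands for the slide's "-" (no AWS region mapped).
REGIONS = {
    "SP-US-EAST":    (["us-east-1"], "SP-US-EAST"),
    "SP-US-WEST":    (["us-west-2", "us-west-1"], "SP-US-WEST"),
    "US-CA":         (["us-west-1"], "US-CA"),
    "US-FL":         ([], "US-FL"),
    "IE-D":          (["eu-west-1"], "IE-D"),
    "IT":            ([], "IT"),
    "SG":            (["ap-southeast-1"], "SG"),
    "JP-13":         (["ap-northeast-1"], "JP-13"),
    "JP":            ([], "AUS-SYD"),
    "BR-SP":         (["sa-east-1"], "BR-SP"),
    "SP-EU-CENTRAL": (["eu-central-1"], "SP-EU-CENTRAL"),
}


def placement_allowed(allowed_specs_codes, aws_region):
    """True only if aws_region is mapped from at least one allowed SPECS code.

    Fails closed: codes with no AWS mapping never authorise a placement,
    and an unknown code raises instead of being silently ignored.
    """
    unknown = [c for c in allowed_specs_codes if c not in REGIONS]
    if unknown:
        raise ValueError(f"unknown SPECS region code(s): {unknown}")
    return any(aws_region in REGIONS[c][0] for c in allowed_specs_codes)


def unplaceable_on_aws(allowed_specs_codes):
    """Allowed codes that no AWS region can satisfy (the '-' rows)."""
    return [c for c in allowed_specs_codes if not REGIONS[c][0]]


def vipr_label_mismatches():
    """Rows whose ViPR label differs from the SPECS code, listed for review."""
    return {code: vipr for code, (_, vipr) in REGIONS.items() if code != vipr}


if __name__ == "__main__":
    # A California-only policy accepts us-west-1 but not us-west-2,
    # even though the broader "US West" code maps to both.
    print(placement_allowed(["US-CA"], "us-west-1"))
    print(placement_allowed(["US-CA"], "us-west-2"))
    print(unplaceable_on_aws(["IT", "IE-D"]))
    print(vipr_label_mismatches())
```

Running the mismatch check on the table as transcribed surfaces the one row whose ViPR label is not the SPECS code, which is worth confirming before the mapping is used for enforcement.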


Process

Customer negotiates Security SLAs (capabilities, controls, metrics, SLOs)

SPECS automatically configures the storage and makes it available

Admin does not intervene in the process, but can supervise it

Customer has a dedicated interface to check its own security requirements

Advantages

Admin role simplified

Covers the semantic gap between customer and admin

Customers can verify security levels


CLOUD SLA BENEFITS
