Cloud Risk Management and Audit

Sukumar Nayak, CTO Cloud Services Integration & Automation Leader

Date Created: 01/27/2014
Date last updated: 03/15/2015



Page 2

Scope:
• Cloud Fundamentals
• Cloud Models & Approaches
• Intro to OpenStack
• Reference Architecture & Framework
• Intro to CSA (1) Cloud Control Matrix (CCM)
• 16 Domains & 133 Controls
• Intro to DMTF (2) Cloud Auditing Data Federation (CADF)
• Risk Management Challenges & Opportunities
• 10 Steps to Manage Cloud Security by CSCC (3)
• Q&A

Objective: Provide an overview of Cloud Risk Management and Audit

1. CSA: Cloud Security Alliance
2. DMTF: Distributed Management Task Force
3. CSCC: Cloud Standards Customers Council

Page 3

Acronyms
• ADFS: Active Directory Federated Services
• CADF: Cloud Auditing Data Federation
• CSA: Cloud Security Alliance
• CSCC: Cloud Standards Customers Council
• DMTF: Distributed Management Task Force
• ENISA: European Network and Information Security Agency
• GRC: Global Regulatory Compliance
• LDAP: Lightweight Directory Access Protocol
• NIST: National Institute of Standards and Technology
• NIST CC SRA: Cloud Computing Standard Reference Architecture
• SAML: Security Authorization Markup Language
• SCIM: System for Cross-domain Identity Management
• SLA: Service Level Agreement
• SLO: Service Level Objectives
• SSAE 16: Statement on Standards for Attestation Engagements (SSAE) No. 16
• XACML: eXtensible Access Control Markup Language

Page 4

Cloud… where is the money?

Example recent news: Deutsche Bank signed a 10-year multibillion-dollar IT deal with HP in Feb 2015.
Solution: HP Helion OpenStack based Cloud Services.
HP will provide computing capacity and data storage to host Deutsche's operations.
Deutsche will retain activities such as IT architecture and information security.

Pareto Principle (diagram): where effort goes in a traditional environment versus a cloud environment.
• Traditional Environment: 80% Infrastructure/Platform Management (Data Center, Server Resources, OS, Platforms); 20% Application Management and Business Focus.
• Cloud Environment: 20% Cloud Resources (Infrastructure/Platform Management); 80% Application Management and Business Focus (Innovations, Creativity, Agility).

Page 5

Cloud computing basics

NIST Definition: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.

Ref: NIST Cloud Computing Definition SP 800-145 http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

5 Essential Characteristics
• On-demand self-service
• Resource pooling
• Rapid elasticity
• Measured service
• Broad network access

3 Service Delivery Models
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)

4 Deployment Models
• Public Cloud
• Private Cloud
• Community Cloud
• Hybrid Cloud

Page 6

Essential Characteristics of Cloud Computing

On-Demand Self Service: Authorized agencies must be able to provide and release capabilities, as needed, automatically, without requiring human interaction with each service provider.

Broad Network Access: Once provisioned, the software, platform, or infrastructure maintained by the cloud provider should be available over a network using thin or thick clients.

Resource Pooling: The resources provisioned from the cloud provider should be pooled to serve multiple agencies or programs using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to the agency’s self-service demand.

Rapid Elasticity: Elasticity is defined as the ability to scale resources both up and down as needed. Cloud computing capabilities should be rapidly and elastically provisioned and released.

Measured Service: Cloud resource usage should be monitored, controlled, and reported, providing transparency for both the provider and the consumer of the service.

Ref: NIST Cloud Computing Definition SP 800-145 http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

Page 7

Service Delivery Models (diagram): which layers of the stack are client managed, jointly managed or vendor managed under each model.

Stack layers shown: Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking.

Models compared: Traditional (on premise), Infrastructure (as a Service), Platform (as a Service), Software (as a Service). The diagram marks each layer as client managed, jointly managed or vendor managed; responsibility moves from the client to the vendor as you go from traditional hosting through IaaS and PaaS to SaaS.

Page 8

Private vs. Public: Understanding the Trade-Offs

No Cloud (Enterprise IT)
• Each enterprise division manages its own data center (or a subdivision)
• Exclusive local control of resources
• Internally borne costs and burdens of management
• High-cost overcapacity, low resource utilization

Private Cloud
• Designated enterprise data center (or segment) managed centrally
• Data center resources shared by all divisions, protected by enterprise central controls
• Divisions of the enterprise act as independent tenants
• Some elasticity of resources; good resource utilization; reduced cost of business

Virtual Private Cloud
• Third-party data center providers (public cloud characteristic)
• Data center sharing is restricted to only the divisions of this enterprise (private cloud characteristic)
• Divisions of the enterprise act as independent tenants (private cloud characteristic)
• Some elasticity; good resource utilization; low cost of business

Community Cloud
• Consortium or government scope data center (larger than private, but smaller than public)
• Members of the consortium or government agencies act as independent tenants
• Data center resources are shared by all members; the consortium provides security, privacy and capacity
• Good elasticity of resources; high resource utilization; reduced cost of business

Public Cloud
• Third-party data center providers
• Computing resources shared by independent enterprises (tenants), protected by third parties in the cloud
• Maximum elasticity; maximum resource utilization; low cost of business

(Diagram labels: Enterprise 1, Enterprise 2)

Page 9

Private vs. Public: Understanding the Trade-Offs (the same five models as Page 8, plotted on two axes: Autonomy vs. Cost-Efficiency)

Page 10

Workloads shifting to the Cloud

Diagram: workloads placed along a spectrum from Traditional IT through Private cloud to Public cloud.
• Server capacity on demand
• Business apps (CRM, ERP)
• IT management
• Email
• Personal productivity apps
• Website creation & management
• Storage capacity on demand
• App dev. & test
• Tech. computing apps
• Data analysis and mining
• Custom apps
• Apps with sensitive data
• IT help desk
• Collaborative apps
• Data backup/archive svcs

Cloud computing complements traditional IT

Page 11

Enterprise Architecture and Cloud Architecture

Business Architecture (What, Who, Why)
• Mission
• Vision
• Stakeholders
• Operating Model & Processes
• Value Chain Models
• Metrics & Measures
• Align Business Strategy to IT Strategy

Information Architecture (What, How)
• Data Models
• Data Flows
• Interface, Integration & Interoperability
• Relevance to Business functions

Application Architecture (With what)
• Applications
• Tools
• Functions
• Capabilities
• Workflows

Technology & Infrastructure Architecture (With what)
• Servers
• Software
• Network
• Storage
• GRC, Legal, Security & Privacy
• Data Center Sites

Service Delivery (How & How much)
• Deployment
• Chargeback
• Break fix
• SLAs/SLOs
• Operations & Management

Diagram labels: Enterprise Architecture focus; Cloud Architecture focus (IaaS & PaaS)

Page 12

Promise of Cloud Computing

Cloud will not necessarily help map IT to business but…

Cloud could enable:
• Economies of scale & improved resource utilization
• Reduced capital spending on technology infrastructure
• Lower barriers to entry for small businesses & lower start-up costs
• Usage based billing (pay as you go)
• Globalization of workforce
• Faster Deployment, Onboarding, Provisioning & De-provisioning
• Improved accessibility anytime & anywhere
• Improved transparency for Integration & flexibility
• Implementation of Chargebacks
• Improved Operations support & provision of SLAs / SLOs
• More predictable delivery of projects
• Reduced software licensing costs

Challenges & success factors…
• Legacy migration
• Integration & Interoperability
• Data & Applications Architecture
• Technology compatibility issues
• Security & Privacy risks
• Legal & Regulatory Compliance
• Management of Change

Page 13

Cloud simplifies IT services, but realize there is a lot behind this

Diagram: a cloud platform delivering SaaS, PaaS and IaaS cloud services to access devices (Demand, Delivery, Supply), backed by security management services, identity & access management services, IT management services with security impact, and an IT management framework.

Page 14

And make sure you understand security

Diagram: the same Demand / Delivery / Supply view as Page 13, expanded to show the security functions in each area.

Security management services and access devices
• Malware protection
• Network security
• Client security
• Data protection
• Application security

Cloud services (SaaS, PaaS, IaaS)
• Application security
• Secure SDLC
• Instance security

Identity & access management services
• Account management
• Access control management
• Authentication
• Key management
• Identity provisioning
• Federation
• Auditing

IT management services with security impact
• Change management
• Patch management
• Configuration management
• GRC
• Capacity management
• Availability management
• Incident management
• Virtualization management
• Vulnerability management
• SIEM
• Compliance management
• Security service portal

IT management framework

Cloud platform: application security, data protection and availability
• Malware protection
• Network security
• Server security
• Client security
• Storage security
• Data protection
• Virtualization security
• Platform availability
• Cloud platform security
• Security monitoring
• Physical security

Page 15

Secure Cloud Environment technologies & concepts
• Segmentation and Isolation
• Threat Detection and Mitigation
• Security Information & Event Management (SIEM) / Log Management
• Incident Response and Forensics
• Identity & Access Management
• Data Protection; Data & Information Security
• Secure Software Development
• Vulnerability Scanning and Patch Management
• Physical & Personnel Security
• Security Policy Management
• Endpoint Management

Page 16

Cloud Models & Approaches

Ref: OpenNebula.org http://opennebula.org/eucalyptus-cloudstack-openstack-and-opennebula-a-tale-of-two-cloud-models/

Datacenter Virtualization: Cloud as an extension of virtualization in the datacenter; hence looking for a vCloud-like infrastructure automation tool to orchestrate and simplify the management of the virtualized resources.

Infrastructure Provision: Cloud as an AWS-like cloud on-premise; hence looking for a provisioning tool to supply virtualized resources on-demand.

Page 17

Factors for choosing Cloud Models & Approaches

Applications
• Datacenter Virtualization: Multi-tiered applications defined in a traditional, “enterprise” way
• Infrastructure Provision: “Re-architected” applications to fit into the cloud paradigm

Interfaces
• Datacenter Virtualization: Feature-rich API and administration portal
• Infrastructure Provision: Simple cloud APIs and self-service portal

Management Capabilities
• Datacenter Virtualization: Complete life-cycle management of virtual and physical resources
• Infrastructure Provision: Simplified life-cycle management of virtual resources with abstraction of the underlying infrastructure

Cloud Deployment
• Datacenter Virtualization: Mostly private
• Infrastructure Provision: Mostly public

Internal Design
• Datacenter Virtualization: Bottom-up design dictated by the management of datacenter complexity
• Infrastructure Provision: Top-down design dictated by the efficient implementation of cloud interfaces

Enterprise Capabilities
• Datacenter Virtualization: High availability, fault tolerance, replication, scheduling… provided by the cloud management platform
• Infrastructure Provision: Most of them built into the application, as in “design for failure”

Datacenter Integration
• Datacenter Virtualization: Easy to adapt to fit into any existing infrastructure environment to leverage IT investments
• Infrastructure Provision: Built on new, homogeneous commodity infrastructure

Page 18

OpenStack introduction

Key Components:
• Compute (Nova)
• Image Service (Glance)
• Networking (Neutron)
• Object Storage (Swift)
• Block Storage (Cinder)
• Dashboard (Horizon)
• Identity Service (Keystone)
• Telemetry (Ceilometer)
• Orchestration (Heat)
• Database (Trove)
• Bare Metal Provisioning (Ironic)
• Multiple Tenant Cloud Messaging (Zaqar)
• Elastic Map Reduce (Sahara)

Page 19

OpenStack Basic Deployment

Diagram: a basic deployment built up in stages. Components shown: Portal, Identity, Library / Images, Compute, Network, Block Storage (Files), Object Storage (Blobs), Database Services, Automation, Message Broker (Messages), Metering, Config Database.

Page 20

OpenStack Feature Releases

Diagram: timeline of component releases at Nov 2010, Feb 2011, Apr 2011, Sep 2011, Apr 2012, Sep 2012, Apr 2013, Oct 2013, Apr 2014 and Nov 2014. Components shown, in the order they appear along the timeline: Compute, Object Storage (Blobs), Library / Images, Portal, Identity, Network, Block Storage (Files), Automation, Metering, Database Services, Hadoop Cluster.

Page 21

Cloud Security Alliance TCI Reference Architecture

Legend:
CSA: Cloud Security Alliance
TCI: Trusted Cloud Initiative

Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI_Whitepaper.pdf

Page 22

Cloud Security Alliance TCI Reference Architecture

Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI_Whitepaper.pdf

SRM Services:
• Governance Risk and Compliance
• Information Security Management
• Privilege Management Infrastructure
• Threat and Vulnerability Management
• Infrastructure Protection Services
• Data Protection
• Policies and Standards

ITOS Services:
• IT Operations
• Service Delivery
• Service Support
• Incident Management
• Problem Management
• Knowledge Management
• Change Management
• Release Management

BOSS Services:
• Compliance
• Data Governance
• Operational Risk Management
• Human Resources Security
• Security Monitoring Services
• Legal Services
• Internal Investigation

Presentation Services:
• Presentation Modality
• Presentation Platform

Application Services:
• Development Process
• Security Knowledge Lifecycle
• Programming Interfaces
• Integration Middleware
• Connectivity & Delivery
• Abstraction

Infrastructure Services:
• Facility Services
• Servers
• Storage Services
• Network Services
• Availability Services
• Patch Management
• Equipment Maintenance
• Virtualization (Desktop, Storage, Server, Network)

Information Services:
• User Directory Services
• Security Monitoring Data Management
• Service Delivery Data Management
• Service Support Data Management
• Data Governance Data Management
• Risk Management Data Management
• ITOS Data Management
• BOSS Data Management
• Reporting Services

Page 23

CSA Cloud Control Matrix CCM v3.0.1; 16 Domains

Source: https://cloudsecurityalliance.org/research/ccm/

Legend:
CSA: Cloud Security Alliance
CCM: Cloud Control Matrix
(Number of controls) for each Domain

1. AIS: Application & Interface Security (4)
2. AAC: Audit Assurance & Compliance (3)
3. BCR: Business Continuity Management & Operational Resilience (11)
4. CCC: Change Control & Configuration Management (5)
5. DSI: Data Security & Information Lifecycle Management (7)
6. DCS: Datacenter Security (9)
7. EKM: Encryption & Key Management (4)
8. GRM: Governance and Risk Management (11)
9. HRS: Human Resources (11)
10. IAM: Identity & Access Management (13)
11. IVS: Infrastructure & Virtualization Security (13)
12. IPY: Interoperability & Portability (5)
13. MOS: Mobile Security (20)
14. SEF: Security Incident Management, E-Discovery & Cloud Forensics (5)
15. STA: Supply Chain Management, Transparency and Accountability (9)
16. TVM: Threat and Vulnerability Management (3)

Page 24

CSA Cloud Control Matrix CCM v3.0.1; 133 Controls

Application & Interface Security (AIS)
• AIS-01: Application Security
• AIS-02: Customer Access Requirements
• AIS-03: Data Integrity
• AIS-04: Data Security / Integrity

Audit Assurance & Compliance (AAC)
• AAC-01: Audit Planning
• AAC-02: Independent Audits
• AAC-03: Information System Regulatory Mapping

Business Continuity Management & Operational Resilience (BCR)
• BCR-01: Business Continuity Planning
• BCR-02: Business Continuity Testing
• BCR-03: Datacenter Utilities / Environmental Conditions
• BCR-04: Documentation
• BCR-05: Environmental Risks
• BCR-06: Equipment Location
• BCR-07: Equipment Maintenance
• BCR-08: Equipment Power Failures
• BCR-09: Impact Analysis
• BCR-10: Policy
• BCR-11: Retention Policy

Change Control & Configuration Management (CCC)
• CCC-01: New Development / Acquisition
• CCC-02: Outsourced Development
• CCC-03: Quality Testing
• CCC-04: Unauthorized Software Installations
• CCC-05: Production Changes

Data Security & Information Lifecycle Management (DSI)
• DSI-01: Classification
• DSI-02: Data Inventory / Flows
• DSI-03: eCommerce Transactions
• DSI-04: Handling / Labeling / Security Policy
• DSI-05: Non-Production Data
• DSI-06: Ownership / Stewardship
• DSI-07: Secure Disposal

Source: https://cloudsecurityalliance.org/research/ccm/

Page 25

CSA Cloud Control Matrix CCM v3.0.1; 133 Controls

Datacenter Security (DCS)
• DCS-01: Asset Management
• DCS-02: Controlled Access Points
• DCS-03: Equipment Identification
• DCS-04: Off-Site Authorization
• DCS-05: Off-Site Equipment
• DCS-06: Policy
• DCS-07: Secure Area Authorization
• DCS-08: Unauthorized Persons Entry
• DCS-09: User Access

Encryption & Key Management (EKM)
• EKM-01: Entitlement
• EKM-02: Key Generation
• EKM-03: Sensitive Data Protection
• EKM-04: Storage and Access

Governance and Risk Management (GRM)
• GRM-01: Baseline Requirements
• GRM-02: Data Focus Risk Assessments
• GRM-03: Management Oversight
• GRM-04: Management Program
• GRM-05: Management Support/Involvement
• GRM-06: Policy
• GRM-07: Policy Enforcement
• GRM-08: Policy Impact on Risk Assessments
• GRM-09: Policy Reviews
• GRM-10: Risk Assessments
• GRM-11: Risk Management Framework

Source: https://cloudsecurityalliance.org/research/ccm/

Page 26

CSA Cloud Control Matrix CCM v3.0.1; 133 Controls

Human Resources (HRS)
• HRS-01: Asset Returns
• HRS-02: Background Screening
• HRS-03: Employment Agreements
• HRS-04: Employment Termination
• HRS-05: Mobile Device Management
• HRS-06: Non-Disclosure Agreements
• HRS-07: Roles / Responsibilities
• HRS-08: Technology Acceptable Use
• HRS-09: Training / Awareness
• HRS-10: User Responsibility
• HRS-11: Workspace

Identity & Access Management (IAM)
• IAM-01: Audit Tools Access
• IAM-02: Credential Lifecycle / Provision Management
• IAM-03: Diagnostic / Configuration Ports Access
• IAM-04: Policies and Procedures
• IAM-05: Segregation of Duties
• IAM-06: Source Code Access Restriction
• IAM-07: Third Party Access
• IAM-08: Trusted Sources
• IAM-09: User Access Authorization
• IAM-10: User Access Reviews
• IAM-11: User Access Revocation
• IAM-12: User ID Credentials
• IAM-13: Utility Programs Access

Source: https://cloudsecurityalliance.org/research/ccm/

Page 27

CSA Cloud Control Matrix CCM v3.0.1; 133 Controls

Infrastructure & Virtualization Security (IVS)
• IVS-01: Audit Logging / Intrusion Detection
• IVS-02: Change Detection
• IVS-03: Clock Synchronization
• IVS-04: Information System Documentation
• IVS-05: Management - Vulnerability Management
• IVS-06: Network Security
• IVS-07: OS Hardening and Base Controls
• IVS-08: Production / Non-Production Environments
• IVS-09: Segmentation
• IVS-10: VM Security - vMotion Data Protection
• IVS-11: VMM Security - Hypervisor Hardening
• IVS-12: Wireless Security
• IVS-13: Network Architecture

Interoperability & Portability (IPY)
• IPY-01: APIs
• IPY-02: Data Request
• IPY-03: Policy & Legal
• IPY-04: Standardized Network Protocols
• IPY-05: Virtualization

Mobile Security (MOS)
• MOS-01: Anti-Malware
• MOS-02: Application Stores
• MOS-03: Approved Applications
• MOS-04: Approved Software for BYOD
• MOS-05: Awareness and Training
• MOS-06: Cloud Based Services
• MOS-07: Compatibility
• MOS-08: Device Eligibility
• MOS-09: Device Inventory
• MOS-10: Device Management
• MOS-11: Encryption
• MOS-12: Jailbreaking and Rooting
• MOS-13: Legal
• MOS-14: Lockout Screen
• MOS-15: Operating Systems
• MOS-16: Passwords
• MOS-17: Policy
• MOS-18: Remote Wipe
• MOS-19: Security Patches
• MOS-20: Users

Source: https://cloudsecurityalliance.org/research/ccm/

Page 28

CSA Cloud Control Matrix CCM v3.0.1; 133 Controls

Security Incident Management, E-Discovery & Cloud Forensics (SEF)
• SEF-01: Contact / Authority Maintenance
• SEF-02: Incident Management
• SEF-03: Incident Reporting
• SEF-04: Incident Response Legal Preparation
• SEF-05: Incident Response Metrics

Supply Chain Management, Transparency and Accountability (STA)
• STA-01: Data Quality and Integrity
• STA-02: Incident Reporting
• STA-03: Network / Infrastructure Services
• STA-04: Provider Internal Assessments
• STA-05: Supply Chain Agreements
• STA-06: Supply Chain Governance Reviews
• STA-07: Supply Chain Metrics
• STA-08: Third Party Assessment
• STA-09: Third Party Audits

Threat and Vulnerability Management (TVM)
• TVM-01: Anti-Virus / Malicious Software
• TVM-02: Vulnerability / Patch Management
• TVM-03: Mobile Code

Source: https://cloudsecurityalliance.org/research/ccm/

Page 29

DMTF Cloud Auditing Data Federation (CADF) Standard

Defines a full event model anyone can use to fill in the essential data needed to certify, self-manage and self-audit application security in cloud environments. CADF is part of the DMTF’s Cloud Management Initiative.

Auditing using a standard such as CADF has many benefits:
• Create and request customized views for Audit & Compliance data
• Track regional, industry and corporate policy compliance using standardized APIs / Reports
• Key event data is normalized and categorized to support auditing of hybrid Cloud applications
• CADF assures consistent mappings across cloud components and cloud providers
• Format is agnostic to the underlying provider infrastructure
• Provides transparency for low-level operational processes

Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

Customer Benefits:
• Ability to self manage auditing of their data
• Similar reports from different Cloud service providers
• Aggregate audit data from different Clouds / Partners
• Auditing processes & tools unchanged

Page 30

Cloud Auditing Data aggregated from multiple sources

Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

Diagram: Company A’s hybrid applications run in-house and at Cloud Provider P1 and Cloud Provider P2. Company A’s OSS/BSS processes and Company A’s auditor request audit data through standard APIs; each provider returns standard audit data (logs and reports), which is aggregated across the hybrid applications.

OSS: Operational Support Services
BSS: Business Support Services

Page 31

CADF Taxonomy

Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

Includes:
• Resources, by the role played in the event, ex: Initiator, Target, Observer.
• Actions, used to classify the event by the activity that caused it to be generated.
• Outcomes, used to describe the outcome of the attempted action of the event.

CADF Event Model: Basic and conditional model components

OBSERVER: The RESOURCE that generates the CADF Event Record based on its observation (directly or indirectly) of the Actual Event.

INITIATOR: The RESOURCE that initiated, originated, or instigated the event's ACTION, according to the OBSERVER.

ACTION: The operation or activity the INITIATOR has performed, attempted to perform or has pending against the event's TARGET, according to the OBSERVER.

TARGET: The RESOURCE against which the ACTION of a CADF Event Record was performed, was attempted, or is pending, according to the OBSERVER. NOTE: A TARGET (in the CADF Event Model) can represent a plurality of target resources.

OUTCOME: The result or status of the ACTION against the TARGET, according to the OBSERVER.

Page 32

CADF Event Model and REPORTERCHAIN construction

Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

Diagram: CADF Event Model, basic and conditional model components, with an example of REPORTERCHAIN construction.

Page 33

CADF 7 essential W’s of auditing and monitoring

Source: http://dmtf.org/sites/default/files/standards/documents/DSP2038_1.0.0.pdf

CADF Event Model and its components
• Works for any Activity, Monitoring or Control event
• Provides guidance on how to record Basic, Detailed or Precise information for each component

Legend: italics on the original slide mark optional properties (not reproduced here).

1. What: What activity occurred? What was the result?
   event.action, event.outcome, event.type (activity, monitoring, control), event.reason (ex: security, reason code, policy id)

2. When: When did the action happen? When was it observed? How long did it take? ISO 8601 timestamps.
   event.eventTime, reporter.timestamp, event.duration

3. Who: Who (user/service) initiated the Action?
   initiator.id; initiator.type; initiator (id, name); initiator.credential; initiator.credential.assertions

4. Where: Where was the Action observed, reported or modified? What role does the event serve? How was it recorded?
   observer.id, observer.type, reporterstep.role, reporterstep.reporterTime

5. On What: What resource did the Activity target?
   target.id

6. From Where: From where was the Action initiated? May include logical/physical addresses and ISO-6709-2008 precise geolocations.
   initiator.addresses, initiator.host, initiator.geolocation

7. To Where: To where was the Action targeted? Can be as simple as an IP address or server name.
   target.addresses, target.host, target.geolocation
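The event model on the previous slides (OBSERVER, INITIATOR, ACTION, TARGET, OUTCOME, the REPORTERCHAIN and the seven W's) is easier to reason about once it is written down as a record you can build and check. The following Python is an added example, not code from the deck and not DMTF's own implementation: it assembles a record from the property names the slides use, lets later handlers append REPORTERCHAIN steps, validates the record against the basic components, and answers the seven questions from it. The outcome values, the reporter roles, the event typeURI and the exact JSON layout are assumptions (drawn from the CADF specification rather than from these slides), and the sample event in example_event() is constructed.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Basic model components from the deck's table: every record needs all five.
REQUIRED_COMPONENTS = ("observer", "initiator", "action", "target", "outcome")
# event.type values as listed on the "7 W's" slide.
EVENT_TYPES = {"activity", "monitoring", "control"}
# Assumed from the CADF Outcome taxonomy (the deck only defines OUTCOME in prose).
OUTCOMES = {"success", "failure", "pending", "unknown"}
# Assumed from the CADF ReporterStep definition ("observed, reported or modified").
REPORTER_ROLES = {"observer", "modifier", "relay"}
# typeURI of a CADF 1.0 event record (assumed; not printed on the slides).
CADF_EVENT_TYPEURI = "http://schemas.dmtf.org/cloud/audit/1.0/event"


def make_resource(resource_id, type_uri, **optional):
    """RESOURCE for initiator/target/observer. type_uri is a taxonomy path such as
    "storage/database"; optional keys (name, addresses, host, geolocation) answer
    the deck's "from where / to where" questions and are emitted only when set."""
    resource = {"id": resource_id, "typeURI": type_uri}
    resource.update({k: v for k, v in optional.items() if v is not None})
    return resource


def make_event(action, outcome, initiator, target, observer, event_time,
               event_type="activity", reason=None, duration=None):
    """Assemble the 7 W's into one record; event_time is a tz-aware datetime
    and is stored as ISO 8601, as the deck requires for eventTime."""
    event = {
        "typeURI": CADF_EVENT_TYPEURI,
        "id": str(uuid.uuid4()),
        "eventType": event_type,
        "eventTime": event_time.isoformat(),
        "action": action,
        "outcome": outcome,
        "initiator": initiator,
        "target": target,
        "observer": observer,
        "reporterchain": [],  # filled by add_reporter_step()
    }
    if reason is not None:
        event["reason"] = reason
    if duration is not None:  # ISO 8601 duration, e.g. PT0.012S
        event["duration"] = "PT%.3fS" % duration.total_seconds()
    return event


def add_reporter_step(event, reporter, role, reporter_time):
    """Append one REPORTERCHAIN step: which resource handled the record, in what role, when."""
    if role not in REPORTER_ROLES:
        raise ValueError("unknown reporter role: %s" % role)
    event["reporterchain"].append(
        {"role": role, "reporter": reporter, "reporterTime": reporter_time.isoformat()})
    return event


def validate_event(event):
    """Return the list of problems; an empty list means the record is fit for audit."""
    problems = []
    for component in REQUIRED_COMPONENTS:
        if not event.get(component):
            problems.append("missing %s" % component)
    if event.get("eventType") not in EVENT_TYPES:
        problems.append("eventType must be one of %s" % sorted(EVENT_TYPES))
    if "outcome" in event and event["outcome"] not in OUTCOMES:
        problems.append("outcome %r not in taxonomy" % event["outcome"])
    try:
        datetime.fromisoformat(event["eventTime"])
    except (KeyError, TypeError, ValueError):
        problems.append("eventTime is not an ISO 8601 timestamp")
    for component in ("initiator", "target", "observer"):
        resource = event.get(component) or {}
        if not resource.get("id") or not resource.get("typeURI"):
            problems.append("%s needs id and typeURI" % component)
    for step in event.get("reporterchain", []):
        if step.get("role") not in REPORTER_ROLES:
            problems.append("bad reporterchain role %r" % step.get("role"))
    return problems


def seven_ws(event):
    """Answer the deck's seven questions from one record (None where optional data is absent)."""
    ini, tgt = event["initiator"], event["target"]
    return {"What": (event["action"], event["outcome"]),
            "When": event["eventTime"],
            "Who": ini["id"],
            "Where": event["observer"]["id"],
            "On what": tgt["id"],
            "From where": ini.get("addresses") or ini.get("host"),
            "To where": tgt.get("addresses") or tgt.get("host")}


def example_event():
    """Constructed sample: a backup process is denied read access to a customer database."""
    t0 = datetime(2015, 3, 15, 10, 1, 2, tzinfo=timezone.utc)
    initiator = make_resource("proc-backup-17", "compute/process", name="nightly-backup",
                              host="app3.example.internal", addresses=["10.0.3.17"])
    target = make_resource("db-customer-01", "storage/database",
                           host="db1.example.internal", addresses=["10.0.5.2"])
    observer = make_resource("audit-agent-db1", "compute/node")
    event = make_event("read", "failure", initiator, target, observer, t0,
                       reason={"reasonType": "security", "reasonCode": "403",
                               "policyId": "pol-db-read-restricted"},  # constructed ids
                       duration=timedelta(milliseconds=12))
    add_reporter_step(event, observer, "observer", t0 + timedelta(milliseconds=12))
    # A relay (the provider's log collector) forwards the record without changing it.
    add_reporter_step(event, make_resource("collector-p1", "network/host"),
                      "relay", t0 + timedelta(seconds=2))
    return event
```

The point of validate_event() is the auditor's side of the slide: a record that lacks one of the five basic components, or whose outcome is not a taxonomy value, cannot be compared with records from another provider, so it is rejected before aggregation rather than silently counted. The REPORTERCHAIN keeps the observer's timestamp separate from each relay's, which is what lets the "When was it observed?" question be answered independently of "When did it happen?".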

Page 34

CADF Resource Top-level Taxonomy hierarchy

Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

storage: Logical resources that represent storage containers.

compute: Logical resources that are used to perform logical operations or calculations on data.

network: Logical resources that interconnect computer systems, terminals, and other equipment allowing information to be exchanged.

data: Logical named sets of information (objectified data) that are referenced and managed by services.

service: Logical set of operations, packaged into a single entity, that provides access to and management of cloud resources (for a given domain).

system: Logical resources that are a combination of several other [cloud] resources that operate as a functional whole, this combination being manageable (created, operated, audited, etc.) as a unit, i.e., offering some operations that could activate lower-level operations over each of the subresources.

unknown: This resource indicates that the OBSERVER of the event is not, to the best of its ability, able to classify a resource that contributed to the actual event it is reporting on using any other valid resource taxonomy value.

Page 35

CADF Resource Taxonomy - Storage subtree

Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

node: Logical resource that contains the necessary processing components to store data.

volume: Logical unit of persistent data storage that may or may not be physically removable from the computer or storage system.

memory: Logical unit of data storage that is used for dynamically processing data.

container: Logical unit of storage where data objects are deposited and organized for persistent storage.

directory: Logical storage used to organize records about resources (e.g., files, subscribers, etc.) along with their locations and other metadata. Typically, these records are organized in a hierarchical structure.

database: Logical storage used to organize data to a model (schema) that reflects relevant aspects of a specific real-world application.

queue: Logical storage of a list of data waiting to be processed.

Page 36

CADF Resource Taxonomy - Compute subtree

Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

Name Description

node Logical resource that contains the necessary processing components to execute a workload.

cpu Logical resource that represents a unit of processing power that can consume a workload.

machine Logical resource that encapsulates both CPU and Memory.

process An instance of a granular workload, such as an application or service that is being executed.

thread A separable function of a running process that shares its virtual address space and system resources.

Page 37

CADF Resource Taxonomy - Network subtree

Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

Name Description

node A logical resource that can be networked and can provide services on data from network connections. A node may export zero or more endpoints (zero implies it has not been provisioned).

host A network node that can perform operations or calculations on data.

connection A single network interaction involving two or more endpoints (sources and destinations).

domain Represents a logical grouping of networked resources.

cluster Represents a logical combination of tightly coupled, network resources.

Page 38

CADF Resource Taxonomy - Service subtree

Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

Name Description

bss Business Support Services (BSS): the logical classification grouping for services that are identified to support business activities.

composition The logical classification grouping for services that supports the compositing of independent services into a new service offering.

compute Infrastructure services for managing computing (fabric).

database Database Services (or DB-as-a-Service): database services that permit substitutability to various provider implementations.

image Infrastructure services for managing virtual machine images and associated metadata.

network Infrastructure services for managing networking (fabric).

oss Operational Support Services (OSS): the logical classification grouping for services that are identified to support operations including communication, control, analysis, etc.

security Security Services (or Sec-as-a-Service): the logical classification grouping for security services including Identity Mgmt., Policy Mgmt., Authentication, Authorization, Access Mgmt., etc. (a.k.a. “Security-as-a-Service”).

storage Infrastructure services for managing storage (fabric).

storage block Infrastructure services for managing Block storage.

storage object Infrastructure services for managing Object storage.

Page 39

CADF Resource Taxonomy Composition, OSS & BSS subtree

Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

Name Description

bss\billing Business services to manage different types of charges for cloud-based resources relevant to a given customer.

bss\location Business services to manage the location, physical or virtual, of cloud-based resources as well as clients (e.g., mobile devices).

bss\metering Business Services to manage the measurement of cloud-based resources (e.g., utilization, transactions, performance, etc.), often to determine how to bill for service usage.

composition\orchestration Composition services that automate the management of complex applications, services, platforms and/or infrastructures to align them to fulfill business and service agreements and operational policies.

composition\workflow Composition services that sequence connected steps that support management of a document (e.g., transaction, order, service template, etc.) through a complex system of applications, services, platforms and/or infrastructures.

oss\capacity Operational services that ensure that the resource capacity allocated to an application (including compute, storage and networking resources) matches its current utilization.

oss\configuration Operational services that manage and monitor configuration changes on applications to avoid incompatibilities that can result in reduced performance or compliance failures.

oss\logging Operational services that capture or record information and identifying data about actions that occur in a system. This includes data that could be, or contribute to, auditable event records.

oss\monitoring Operational services that monitor and ensure the availability of services and that they are provided in accordance with the terms of Service Level Agreements (SLAs).

oss\virtualization Operational services that manage virtualization of ‘compute’, ‘storage’, and ‘network’ infrastructure.

bss\crm Customer Relationship Mgmt. (CRM) Services (example extension of the “bss” classification)

bss\erp Enterprise Risk Mgmt. (ERM) Services (example extension of the “bss” classification)

bss\srm Service Request Mgmt. (SRM) Services (example extension of the “bss” classification)

Page 40

CADF Resource Taxonomy - Data subtree (1 of 2)

Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

Name Description

catalog A data resource used to register resources along with information or metadata about them and perhaps provide links to them.

config A data resource that contains information such as settings and parameters that could be used for configuring a resource (or parts of it).

directory The parent classification for all directory related data objects.

file A logical block of data for storing information in a filesystem, which is available to computer programs.

image A readily usable or processable set of data that can be easily transferred between processing domains.

log A data resource used to record events from automated computer programs. Typically used to provide an audit trail that can be used to understand the activity of a system and to diagnose problems.

message A block of information that is transmitted over a connection between networked endpoints.

message/stream A continuous message or series of messages between networked endpoints.

module A portion of a program typically aligned with a specific functional set.

package A wrapped collection of files and data, along with metadata, meaningful to the processing domain that will utilize it.

Page 41

CADF Resource Taxonomy - Data subtree (2 of 2)

Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

Name Description

report A data resource that contains one or more event records that are compiled with other auditing information in response to some step within an auditing process.

template A data resource that serves as a pattern, stencil, or gauge for instantiating a new resource or set of resources. For example, a template that describes the topology and relationships of an application’s services and its network to a cloud provider for deployment and management.

workload A set of data that represents the amount of work that computational nodes can consume at a given time.

Workload/application A workload that performs a wide range of operations, some of which may be exported as services.

Workload/service A workload that performs a single or a few specialized operations. See A.2.10 when specific services are described in events apart from generic management as compute workloads.

database (obj) The parent classification for all database-related data objects. See clause A.2.13 ("Database (data object) subtree classifications"), which shows the full set of database-related classifications.

security (obj) The parent classification for all security-related data objects. See clause A.2.12 ("Security (data objects) subtree classifications"), which shows the full set of security-related classifications.

Page 42

CADF Resource Taxonomy - Security subtree

Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

Name Description

account Represents a business agreement for providing regular services between a provider and consumer.

acc/user Is an account representing a person assigned access to use cloud resources or applications.

acc/admin Is an account representing a person assigned administrative access to resources.

credential Represents security data that is transferred to establish a claimed identity. [SAML Gloss]

group Represents named groups to which users or roles can be assigned and that carry access rights or entitlements that their members inherit.

identity Represents the essence of an entity (e.g., a user or service) and may describe the entity’s characteristics and properties.

key Is a secret token used to protect data, typically through signing or encryption. The key (or its public variant) can be provided to one or more parties to enable access to the protected data.

license Represents an authorization or permission to do something on, or with, somebody else’s resources.

policy Represents security data that contains rules and procedures that regulate resources within a system.

profile Represents security data that defines extended rules, constraints or properties that apply to particular domains.

role Represents named jobs or functions users may be assigned. A role may carry access rights and entitlements that users inherit from being assigned to that role.

node Represents a network node (e.g., router, server, etc.) acting with some (perceived) credential or authority to perform some action against another resource. This would be used if limited information is known to the event's observer (e.g., perhaps only an endpoint address is known).

Page 43

CADF Resource Taxonomy - Database subtree

Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

Name Description

alias An alias is an alternative name for an object such as a table, a view or another alias. It can be used to reference an object wherever that object can be referenced directly.

index A set of pointers that are logically ordered by the values of one or more keys. They are typically used to improve performance and ensure key uniqueness.

instance A logical representation of the structures, memory and storage used to realize a database, its objects and data.

key A property used to identify data stored in a database table. Typically, each table has a primary key that uniquely identifies records.

routine An executable database object that performs operations on other database objects.

schema A collection of named objects that are grouped logically. A schema is also a name qualifier; it provides a way to use the same natural name for several objects, and to prevent ambiguous references to those objects.

sequence A stored object that simply generates a sequence of numbers in a monotonically ascending (or descending) order. Sequences provide a way to have the database manager automatically generate unique keys and to coordinate keys across multiple rows and tables.

table A logical structure made up of columns and rows. At the intersection of every column and row is a specific data item called a value. There is no inherent order of the rows within a table.

view An alternative way of looking at the data in one or more tables.

Page 44

CADF Action Taxonomy hierarchy (1 of 3)

Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

Name Description

create The target resource described in the event was created (or an attempt was made to do so) by the initiator resource.

read Data was read from the target resource by the initiating resource (or an attempt was made to do so).

update One or more of the target resource's properties were modified or changed by the initiator resource.

delete The target resource described in the event was deleted (or an attempt was made to do so) by the initiator resource.

monitor The target resource is the subject of a monitoring action from the initiating resource.

backup The target resource described in the event is being persisted to storage without regard to environment, context, or state at the time of storage.

capture The target resource described in the event is being persisted to storage along with relevant environment and state information (e.g., program settings, network state, memory/cache, etc.). Conceptually, a “snapshot” of the resource is being captured at a moment in time.

configure The target resource described in the event is being set-up to enable it to run on a particular environment or for a particular application or use.

deploy The target resource is being positioned or made available for use by the initiator resource, but is not yet started.

Legend (colour coding on the slide): General Resource Mgmt; Monitoring; Workload & Data Mgmt

Page 45

CADF Action Taxonomy hierarchy (2 of 3)

Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

Name Description

disable The initiator resource is causing the target resource [that has been started] to disallow or block some set of functions.

enable The target resource (that has been started) is being changed by the initiator resource to allow or permit some set of functions.

restore The initiator is requesting the target resource (or some portion of it) be restored from persistent storage.

start The target resource is being made functional by the initiator resource and able to perform or execute operations.

stop The initiator resource is causing the target resource to no longer be functional or able to perform or execute operations.

Undeploy The initiator resource is causing the target resource to no longer be positioned or available for use.

receive The initiator resource is receiving a message or data from the target resource. Note that this is a separate action from any action the receiver performs based upon the content of the message or with the data.

send The initiator resource is transmitting a message or data to the target resource. Note that this is a separate action from that of "creating" the message.

Legend (colour coding on the slide): Messaging; Workload & Data Mgmt

Page 46

CADF Action Taxonomy hierarchy (3 of 3)

Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

Name Description

authenticate The initiator resource is causing the target resource [that has been started] to disallow or block some set of functions.

login An extension of the authenticate action.

renew A security request from the initiator resource to renew a resource’s identity, credentials, or related attributes or privileges sent to the target resource (an authority).

revoke A security request from the initiator resource to remove entitlements or privileges from a resource’s identity and/or credentials sent to the target resource (an authority).

allow Indicates that the initiating resource has allowed access to the target resource.

deny Indicates that the initiating resource has denied access to the target resource.

evaluate Indicates the evaluation or application of a policy, rule, or algorithm to a set of inputs.

notify Indicates that the initiating resource has sent a notification based on some policy or algorithm application – perhaps it has generated an alert to indicate a system problem.

unknown Indicates that the OBSERVER of the event is not, to the best of its ability, able to classify the exact action for the actual event it is reporting using any other valid action taxonomy value.

Legend (colour coding on the slide): Security, Policy, Access Control; Security Identity

Page 47

CADF Outcome Taxonomy hierarchy

Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf

Value Description

success The attempted action completed successfully with the expected results.

failure The attempted action failed due to some form of operational system failure or because the action was denied, blocked or refused in some way.

unknown The outcome of the attempted action is unknown and it is not expected that it will ever be known.

pending The outcome of the attempted action is unknown, but it is expected that it will be known at some point in the future. A future event correlated with the current event may provide additional detail.
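Added example, not code from the deck or from the DMTF specification: a small Python validator that checks constructed CADF-shaped events against the resource, action and outcome taxonomy values listed on the preceding slides, then runs a defender-side check that counts repeated failed authenticate events per initiator. The event shape follows the CADF event model; the ids, typeURIs and sample events are constructed for this example.

```python
from collections import Counter

# Resource taxonomy roots and the second-level names the slides list under them.
RESOURCE_TAXONOMY = {
    "storage": {"node", "volume", "memory", "container", "directory", "database", "queue"},
    "compute": {"node", "cpu", "machine", "process", "thread"},
    "network": {"node", "host", "connection", "domain", "cluster"},
    "service": {"bss", "composition", "compute", "database", "image", "network", "oss",
                "security", "storage"},
    "data": {"catalog", "config", "directory", "file", "image", "log", "message", "module",
             "package", "report", "template", "workload", "database", "security"},
    "system": set(), "unknown": set(),  # no subtree shown on the slides
}
# Action taxonomy; "login" extends "authenticate" and is written "authenticate/login".
ACTIONS = {"create", "read", "update", "delete", "monitor", "backup", "capture", "configure",
           "deploy", "disable", "enable", "restore", "start", "stop", "undeploy", "receive",
           "send", "authenticate", "renew", "revoke", "allow", "deny", "evaluate", "notify",
           "unknown"}
OUTCOMES = {"success", "failure", "unknown", "pending"}

def check_type_uri(uri):
    """Return a problem string when a resource typeURI is off the taxonomy,
    or None when its root (and second segment, if present) are recognised."""
    parts = uri.split("/")
    root = parts[0]
    if root not in RESOURCE_TAXONOMY:
        return f"unknown resource root '{root}' in '{uri}'"
    if len(parts) > 1 and RESOURCE_TAXONOMY[root] and parts[1] not in RESOURCE_TAXONOMY[root]:
        return f"'{parts[1]}' is not under '{root}' in '{uri}'"
    return None

def validate_event(event):
    """Return the list of taxonomy problems for one event (empty list = valid)."""
    required = ("eventTime", "action", "outcome", "initiator", "target", "observer")
    problems = [f"missing required field '{f}'" for f in required if f not in event]
    if problems:
        return problems
    if event["action"].split("/")[0] not in ACTIONS:
        problems.append(f"unknown action '{event['action']}'")
    if event["outcome"] not in OUTCOMES:
        problems.append(f"unknown outcome '{event['outcome']}'")
    for role in ("initiator", "target", "observer"):
        problem = check_type_uri(event[role].get("typeURI", ""))
        if problem:
            problems.append(f"{role}: {problem}")
    return problems

def failed_auth_by_initiator(events, threshold):
    """Defender-side check over valid events only: count failed authenticate
    actions per initiator id and return those at or above the threshold."""
    counts = Counter(e["initiator"]["id"] for e in events
                     if not validate_event(e)
                     and e["action"].split("/")[0] == "authenticate"
                     and e["outcome"] == "failure")
    return {who: n for who, n in counts.items() if n >= threshold}

def _event(action, outcome, initiator, target, ts):
    # Minimal CADF-shaped record (field names from the CADF event model; values constructed).
    return {"typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event", "eventType": "activity",
            "eventTime": ts, "action": action, "outcome": outcome, "initiator": initiator,
            "target": target, "observer": {"typeURI": "service/security", "id": "observer-1"}}

ALICE = {"typeURI": "data/security/account/user", "id": "user-alice"}  # constructed
BOB = {"typeURI": "data/security/account/user", "id": "user-bob"}      # constructed
IDENTITY = {"typeURI": "service/security", "id": "identity-endpoint"}  # constructed
SAMPLE_EVENTS = [  # constructed sample audit trail
    _event("create", "success", ALICE, {"typeURI": "storage/volume", "id": "vol-1"}, "2015-03-15T10:00:00Z"),
    _event("authenticate/login", "failure", BOB, IDENTITY, "2015-03-15T10:01:00Z"),
    _event("authenticate/login", "failure", BOB, IDENTITY, "2015-03-15T10:01:05Z"),
    _event("authenticate", "failure", BOB, IDENTITY, "2015-03-15T10:01:09Z"),
    _event("authenticate/login", "failure", ALICE, IDENTITY, "2015-03-15T10:02:00Z"),
    # Off-taxonomy action, outcome and target: rejected by validate_event, so never counted.
    _event("launch", "ok", BOB, {"typeURI": "compute/server", "id": "vm-1"}, "2015-03-15T10:03:00Z"),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["action"], e["outcome"], validate_event(e) or "ok")
    print(failed_auth_by_initiator(SAMPLE_EVENTS, threshold=3))  # {'user-bob': 3}
```

Rejecting off-taxonomy records before counting matters in practice: an audit consumer that silently accepts unknown action or outcome strings cannot be trusted to report denied or failed actions completely.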

Page 48

10 Steps to Manage Cloud Security (Focus areas / Standards / Certifications)

Step 1: Ensure effective governance, risks & compliance
Standards: ISO 38500 – IT Governance; COBIT; ITIL (ISO 27002); ISO 20000-7 & ISO 20000-11 (in development); SSAE 16; PCI-DSS
Certifications: ISO 27002 (ISO 27017); SSAE 16; HIPAA; PCI-DSS; FedRAMP; FISMA

Step 2: Audit operational and business processes
Standards: DMTF Cloud Auditing Data Federation (CADF)
Certifications: ISO 27002 (ISO 27017); SSAE 16

Step 3: Manage people, roles and identities
Standards: ISO 27002; IAM: Kerberos, LDAP, SAML 2.0, OAuth 2.0, WS-Federation, OpenID Connect; SCIM; Active Directory Federated Services (ADFS); XACML; PKCS, X.509, OpenPGP
Certifications: ISO 27002 (ISO 27017)

Step 4: Ensure proper protection of data & information
Standards: ISO 27002 / 27017 (in development); Data in motion: HTTPS, SFTP, VPC using IPSec or SSL; US FIPS 140-2; OASIS KMIP
Certifications: ISO 27002 (ISO 27017)

Ref: Cloud Standards Customer Council URL: http://www.cloud-council.org/Cloud_Security_Standards_Landscape_Final.pdf

Page 49

10 Steps to Manage Cloud Security (Focus areas / Standards / Certifications), continued

Step 5: Enforce privacy policies
Standards: Personally Identifiable Information (PII); U.S. – EU Safe Harbor framework; ISO 27018 (in development)
Certifications: TRUSTe Safe Harbor certification seal program; ISO 27018 (in development)

Step 6: Assess the security provisions for cloud apps
Standards: NIST Guidelines on Firewalls and Firewall Policy; Open Web Application Security Project (OWASP); OVF 2.0 & OASIS TOSCA
Certifications: ISO 27002 (ISO 27017)

Step 7: Ensure cloud networks and connections are secure
Standards: ISO 27001 & 27002; ISO/IEC 27033-1/2/3; FISMA (FIPS 199 & 200); OpenFlow, TM Forum Frameworx, NIST SP 800-53
Certifications: ISO 27002 (ISO 27017)

Step 8: Evaluate security controls on physical infrastructure & facilities
Standards: ISO 27002; ISO 27017 & 27018 (in development)
Certifications: ISO 27002 (ISO 27017)

Step 9: Manage security terms in the cloud SLA
Standards: CSCC Practical Guide to SLA; ISO 27004, NIST SP 800-55; CIS Consensus Security Metrics; ENISA
Certifications: ISO 27002 (ISO 27017); SSAE 16 (financial)

Step 10: Understand the security requirements of the exit process
Standards: None; ISO SC38 WG3 (future)
Certifications: None

Ref: Cloud Standards Customer Council URL: http://www.cloud-council.org/Cloud_Security_Standards_Landscape_Final.pdf

Page 50

References

• Cloud Standards Customer Council (CSCC) Cloud Security Standards

• Cloud Auditing Data Federation

• NIST Cloud Computing Standards Roadmap

• Detailed CSA TCI Reference Architecture

• Payment Card Industry (PCI) Data Security Standards (DSS) Guidelines

• OpenStack wiki

• OpenStack Main Page

• OpenStack Developers Guides

• Cloud Audit Data Federation - OpenStack Profile

• Cloud Auditing Data Federation (CADF) - 5 Data Format and Interface Definitions Specification (DSP0262_1.0.0)

• CADF Event Model and Taxonomies

• NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations

Page 51

References & Credits

Page 52

Conclusion

• The world is becoming more digital

• Cloud is all about services and service delivery

• The cloud is only worth the services it delivers

• Cloud is all about a hybrid world

Page 53

Thank you

[email protected]

240.506.2305

linkedin.com/in/sukumarnayak/

Page 54

Backup

Page 55

Cloud expected benefits and trade-offs

Expected Benefits:
• Economies of Scale
• Multi-Tenancy
• Capacity Utilization
• “Zero” capex model
• Long term Total Cost of Ownership for IT Services
• Lower barriers to entry for new business models which were constrained by the IT resources in the past
• Allows Businesses to focus more on their core competencies
• Speed and Flexibility of business Changes
• On Demand self service
• Automation
• Standardization
• Elasticity
• Pay per Use Model
• Reduced time to market
• Efficiency in global communication and collaboration

Potential risks & trade-offs:
• Security, Privacy, and Data Confidentiality
• Loss of Control & Governance
• Vendor Lock-in
• Management Interface Compromise
• Incomplete or Insecure Data Deletion, Data Protection
• Malicious Insider & Investigative Support
• Segmentation or Isolation Failure
• Availability, Reliability, Speed, Cost
• Learning Curve
• Quality of support
• Change in organization culture
• Interoperability Standards; Portability for Legacy IT in Clouds
• Shift in Liability
• Regulatory Compliance
• Transparent Infrastructure Scalability
• Application Deployment Mechanisms
• Economic Modeling of new Market

Page 56

OpenStack Feature Releases

Release Date Projects

Austin Nov 2010 Nova and Swift

Bexar Feb 2011 Nova, Swift, and Glance

Cactus Apr 2011 Nova, Swift, and Glance

Diablo Sep 2011 Nova, Swift, and Glance

Essex Apr 2012 Nova, Swift, Glance, Horizon, and Keystone

Folsom Sep 2012 Nova, Swift, Glance, Horizon, and Keystone

Grizzly Apr 2013 Nova, Swift, Glance, Horizon, and Keystone

Havana Oct 2013 Nova, Swift, Glance, Horizon, Keystone, Heat, Ceilometer, Neutron, and Cinder

Icehouse Apr 2014 Nova, Swift, Glance, Horizon, Keystone, Heat, Ceilometer, Neutron, Cinder, and Trove

Juno Nov 2014 Nova, Swift, Glance, Horizon, Keystone, Heat, Ceilometer, Neutron, Cinder, Trove, and Sahara

Kilo Apr 2015 TBD

Page 57

NIST CC Security Reference Architecture (diagram; only its labels survived extraction)

Actors: Cloud Consumer; Cloud Provider; Cloud Carrier; Cloud Auditor; Cloud Broker

Cloud Auditor: Security Audit; Privacy Impact Audit; Performance Audit

Cloud Broker: Service Intermediation; Service Aggregation; Service Arbitrage

Cloud Provider: Service Layer (IaaS, PaaS, SaaS); Resource Abstraction and Control Layer; Physical Resource Layer (Hardware, Facility); Cloud Orchestration

Cloud Service Management: Business Support; Provisioning/Configuration; Portability/Interoperability

Cross Cutting Concerns: Security, Privacy, etc.

Page 58

NIST CC Security Reference Architecture

Page 59

Cloud Security Alliance TCI Reference Architecture

Legend: CSA: Cloud Security Alliance; TCI: Trusted Cloud Initiative

Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI-Reference-Architecture-v1.1.pdf

Page 60

Planning Guide for Infrastructure as a Service (IaaS)

Source: http://blogs.technet.com/b/privatecloud/archive/2012/04/05/planning-guide-for-infrastructure-as-a-service-iaas.aspx

Page 61

Cloud Computing Audit Checklist

Ref Book: Auditing Cloud Computing: A Security and Privacy Guide by Ben Halpert and Jeff Fenton

Source: http://onlinelibrary.wiley.com/doi/10.1002/9781118269091.app1/pdf

• Cloud-Based IT Audit Process (11)
• Cloud-Based IT Governance (4)
• System and Infrastructure Life Cycle Management for the Cloud (3)
• Cloud-Based IT Service Delivery and Support (5)
• Protection and Privacy of Information Assets in the Cloud (5)
• Business Continuity and Disaster Recovery (4)
• Global Regulation and Cloud Computing (5)
• Cloud Morphing: Shaping the Future of Cloud Computing Security and Audit (4)

Page 62

Cloud Security’s Split Responsibilities

Source: http://interconnectgo.com/wp-content/uploads/2015/01/Cloud-Cloud-Security-White-Paper.pdf

Page 63

How the Audit Filter Pushes Audit Events to Ceilometer

Source: https://wiki.openstack.org/w/images/e/e1/Introduction_to_Cloud_Auditing_using_CADF_Event_Model_and_Taxonomy_2013-10-22.pdf

Page 64

CADF API Auditing with Ceilometer - How it works…

Source: https://wiki.openstack.org/w/images/e/e1/Introduction_to_Cloud_Auditing_using_CADF_Event_Model_and_Taxonomy_2013-10-22.pdf

Page 65

Audit approaches

Standardized/automated format: Security Content Automation Protocol (SCAP), CloudTrust, …

Audit and assurance initiatives:

Cloud specific questionnaires: CloudAudit, ENISA AF, ISACA, …

Non-cloud specific: ISO 27001, FISMA, PCI, NIST 800-53, …