White Paper
WHAT MAKES A
SECURE CLOUD?
Security Overview of Verizon Cloud
Security is not a reason to avoid moving workloads to the cloud. This was the clear conclusion of a majority of respondents from large and midsize global enterprises to a recent Harvard Business Review study.[1] They said cloud does not negatively impact security (65 percent), and many believe it can actually improve security (36 percent).
It’s true: Enterprise cloud security is no longer a barrier to cloud adoption. But that doesn’t mean enterprises should ignore cloud security solutions when considering infrastructure and service providers. In fact, keeping data secure in the cloud will continue to be a priority. And as threats increase, businesses need to ensure they address security vulnerabilities in a way that is both effective and cost-effective.
Verizon Cloud’s layered-security approach helps protect your sensitive data as you expand globally. And by teaming with a proven partner like Verizon—we monitor more than 500 million security incidents on average each year—you can maintain business growth and keep customer trust intact. From perimeter and logical controls all the way up the security stack, Verizon Cloud provides a secure environment for the most sensitive workloads.
WHAT IS A SECURE CLOUD?
We believe secure clouds have three essential features:
• Strong logical and physical controls that provide a secure base to build on
• Governance and controls that create standardized, repeatable processes that streamline operations, help make the cloud stable and reliable, and maintain strong security for data and apps
• Value-added security services that allow enterprises to expand their security posture
To secure the cloud inside a secure infrastructure, we establish a three-level threat perimeter.
• Threat 1. We protect the web portal and application programming interface (API) perimeter from threats from the outside network, such as stolen access credentials.
• Threat 2. The second threat stems from externally caused service disruption. We protect the perimeter of the network itself at the logical network layer, and the network infrastructure through our network firewalls and intrusion detection system (IDS). We also offer distributed denial-of-service (DDoS) attack services, where, for an additional charge, we can detect and mitigate distributed attacks against your cloud infrastructure and workloads.
Figure: three-level threat perimeter. Threat 1: auth hacker, stolen credentials, cross-site attack against the web portal and web API. Threat 2: perimeter eavesdropper drops in on the Internet or private-line link. Threat 3: rogue operator at the operations layer (applications, database).
• Threat 3. The third threat is internal—where many threats occur. This is when someone on the inside attempts to steal data at the management layer. We make it harder to bypass controls by adhering to a least-privilege model. On a per-needed basis, we escalate privileges that time out, expire, and are revoked for any given system operation.
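The per-operation, time-limited escalation described for Threat 3, as an added illustration that is not Verizon's own code: a broker that issues single-use grants bound to one operator and one operation, refuses them once expired, used or revoked, and keeps an audit trail. The broker API, the operator and operation names, and the injectable clock are assumptions made for the example.

```python
"""Just-in-time (JIT) privilege escalation that expires and is revoked per operation.

Added illustration of the least-privilege model described above, not Verizon's
code. The broker API, operator/operation names and clock injection are assumed.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    operator: str       # who was escalated
    operation: str      # the single system operation the grant covers
    expires_at: float   # clock value after which the grant is dead
    used: bool = False  # set once the operation has been authorized
    revoked: bool = False


class JitPrivilegeBroker:
    """Issues short-lived, single-operation grants and decides on their use."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so tests can move time forward
        self._grants: dict[str, Grant] = {}
        self.audit: list[str] = []   # append-only trail, the kind a SIEM would ingest

    def escalate(self, operator: str, operation: str, ttl_seconds: float) -> str:
        """Grant 'operator' the right to run 'operation' once, for ttl_seconds."""
        token = secrets.token_hex(16)
        self._grants[token] = Grant(operator, operation, self._clock() + ttl_seconds)
        self.audit.append(f"grant {operator} {operation} ttl={ttl_seconds}")
        return token

    def authorize(self, token: str, operator: str, operation: str) -> tuple[bool, str]:
        """Return (allowed, reason). A successful use consumes the grant."""
        g = self._grants.get(token)
        if g is None:
            reason = "unknown-token"
        elif g.revoked:
            reason = "revoked"
        elif g.used:
            reason = "already-used"
        elif self._clock() > g.expires_at:
            reason = "expired"
        elif g.operator != operator:
            reason = "operator-mismatch"
        elif g.operation != operation:
            reason = "operation-mismatch"
        else:
            g.used = True            # revoked after the one operation it was granted for
            self.audit.append(f"allow {operator} {operation}")
            return True, "ok"
        self.audit.append(f"deny {operator} {operation} {reason}")
        return False, reason

    def revoke(self, token: str) -> bool:
        """Administrative early revocation, e.g. when the operator leaves."""
        g = self._grants.get(token)
        if g is None:
            return False
        g.revoked = True
        self.audit.append(f"revoke {g.operator} {g.operation}")
        return True

    def sweep(self) -> int:
        """Purge grants that are expired, used or revoked; return how many remain."""
        now = self._clock()
        self._grants = {t: g for t, g in self._grants.items()
                        if not (g.used or g.revoked or now > g.expires_at)}
        return len(self._grants)
```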
LAYERED SECURITY
We recognize your need for secure products and services, and believe that our security portfolio, combined with enterprise-class cloud computing, offers strong protection for your network, data, and applications—even your most sensitive workloads. Through industry leadership, experience, understanding, and stringent security controls, we can help you manage risk and improve business performance.
BASE SECURITY FEATURES
Resilient cloud security starts at the base level. We deploy our cloud solutions in purpose-built data centers, using redundant power and cooling systems that help preserve operations. Advanced cloud-computing security control systems include interior and exterior video monitoring, access control systems, and 24x7 monitoring by an on-site guard and our Network Operations Center (NOC). We use some of the highest-level physical security features available to deploy the Verizon Cloud. Each data center has the following security controls:
• Support for Statement on Standards for Attestation Engagements (SSAE) 16/Statement on Auditing Standards (SAS) 70 Type II specifications
• Electronic security-access control system and biometric readers
• Multiple alarm points integrated with a closed-circuit television (CCTV) system, pan/tilt/zoom cameras throughout the data center and property perimeter, and digital video recorders that store multiple events and 90 days’ worth of video
• Video images from before, during, and after an event, stored on redundant digital video recorders (and during an alarm event or an attempt at unauthorized access, the system directs the camera to that location)
• 24x7 monitoring of all essential systems, including humidity, temperature, water, fuel sensors, and all related environmental systems
• 24x7 on-site guard services personnel
• Inbound shipment security processes: no packages accepted unless prior notification has been provided
Our base security for Verizon Cloud emphasizes access control, background checks, and continuous training.
• Access control. We define, manage, and document access control policies. We grant only authorized personnel access to critical business applications and systems, based on position and job requirements. They receive the minimum level of access necessary to do their jobs. Policies take into account classification, business requirements, relevant legal considerations, and any contractual obligations. We restrict access to network, system, or application functions in production systems to the operationally feasible number of employees required, and allocation is on a “need to know” or “event by event” basis. We also assign each user a unique ID for accountability. Authorization review and aging processes alert administrators of status changes, so they can immediately revoke access rights when a user no longer requires access or no longer works for Verizon.
Figure: Verizon Cloud layered security. Base security: physical and personnel. Logical security: Verizon Cloud framework and design. Value-added security: enterprise capabilities and services; governance, risk, and compliance; design, implementation, and operations.
• Background checks. We are committed to hiring employees who meet the requirements and qualifications for our open positions. This includes verifying the information from applicants extended a conditional offer of employment. Unless prohibited by law, the investigation covers criminal history, employment history, educational verification, Social Security number trace (U.S. only), international search (where applicable), Prohibited Parties/Office of Foreign Assets Control (OFAC) search, and Sex Offender Registry search. We also check driver’s license status and driving record when candidates will drive a company or personal vehicle in the regular performance of their duties.
• Training. All employees receive initial security-awareness training for both physical and information security. We also regularly reinforce this training. We communicate security policies through new-hire orientations, the employee handbook (which includes an annual security responsibility awareness certification), monthly security awareness articles, and security awareness tips posted to the corporate web. Security policies are available internally from Verizon’s corporate intranet. Finally, managers are responsible for confirming that all employees understand their obligations to protect the information of Verizon and its employees, customers, and third parties.
LOGICAL SECURITY FEATURES
In addition to the physical security at our facilities, we operate a second logical layer of defenses through virtualization tools and a complete suite of security services that our 24x7 NOC and Security Operations Centers (SOCs) deliver, manage, and maintain.
Compute layer. We implement security controls at the compute layer in several ways, including:
• Strong security at the hypervisor layer. Internally, Verizon Cloud infrastructure uses a minimal baseline build for the hypervisor and all components.
• Strong security at the operating system (OS) layer. Externally, customer virtual machines (VMs) use pre-engineered OS templates that follow Center for Internet Security (CIS) Level 1 benchmarks with applicable patches and stripped-down components. We update these templates on a regular basis upon patch release, evaluation, and testing.
• The ability to specify locations for compute and storage. With Verizon Cloud, you can select the location (or locations) where data will reside. Once selected, that is where your data remains.
• Strong administrator authentication. You access the Verizon Cloud Console via a Secure Sockets Layer (SSL) web connection. All information that passes through this portal is encrypted, and access is protected by a password or optional two-factor authentication.
• Strong backend authentication. Our engineers maintain our infrastructure backend using either perimeter-based or host-based two-factor authentication.
• Advanced password policies. We enforce complex passwords and avoid password reuse.
Network layer. We secure the network layer in a variety of areas, including:
• Core virtualization network controls
• Network data segmentation
• Firewall capabilities
• Intrusion detection
• Distributed denial-of-service (DDoS) detection and mitigation
• We implement security controls at the core virtualization network layer by:
– Hardening management networks according to industry best practices and experience
– Closely monitoring network activity
– Expanding network segmentation into the hypervisor
• We segment data on the network using either:
– Software-Defined Networking (SDN)—In our Public Cloud, named endpoints within the compute fabric segregate traffic at the hardware level, and provide virtual isolation that meets security and performance requirements.
– Industry-standard network segmentation techniques at the hypervisor and network layers—In our Virtual Private Cloud, the RAM, processor, and storage area network (SAN) resources are logically separated and don’t have visibility to other client instances. From a network perspective, each client is separated from the next using a private virtual LAN (VLAN).
• We have added firewall capabilities within the platform to help you protect your networks by either one of the following or a hybrid approach:
– Our integrated firewall capabilities
– Firewall solutions from Verizon Cloud Marketplace
• Our IDS at critical management systems of the base platform layer at all Verizon Cloud locations, and DDoS detection and mitigation mechanisms at all Verizon Cloud locations, provide insight into and mitigation for attacks occurring on the core infrastructure.
Always looking to improve our security posture, we have plans to offer these same services throughout 2015 as part of our layered security services vision.
Storage layer. We secure storage at all layers:
• Industry-standard SAN segmentation logically separates SAN resources and prevents visibility into other client instances—Zoning provides access control in a SAN topology. It defines which host bus adapters (HBAs) can connect to which SAN device service processors. Devices inside the zone cannot detect devices outside the zone.
Zoning also isolates SAN traffic. In a complex SAN environment, SAN switches provide zoning, defining and configuring the necessary security and access rights. At the storage processor or server level, logical unit number (LUN) masking often provides permission management. Known as selective storage presentation, access control, or partitioning, depending on the vendor, LUN masking makes a LUN invisible when a target is scanned. The administrator configures the disk array so each server or group of servers can detect only certain LUNs.
• Hypervisor-level segmentation isolates data at the operating system (OS); no two client OSes are shared.
• On our Public Cloud, we unify both networking and storage by using a Layer 2 storage protocol to encapsulate storage flows between virtualized storage devices and the virtualized computing endpoints over our virtualized networks.
Verizon Cloud Storage supports encryption of data at rest and in flight using a symmetric Advanced Encryption Standard (AES) 256-bit cipher. SSL provides the additional security our customers demand. You can encrypt your data before sending it to Verizon Cloud Storage and retain your keys for the added confidence that only you can view the data. Even if data is pre-encrypted, however, Verizon Cloud Storage encrypts all data, and we secure the keys our encryption uses. Verizon Cloud Storage does not encrypt storage automatically; however, to protect or encrypt sensitive information, you can:
– Use OS-level encryption software, including Pretty Good Privacy (PGP), BitLocker, Vormetric, and others.
– Use database encryption at the application layer through Microsoft® SQL Server and Oracle.
– Access encryption solutions through Verizon Cloud Marketplace (future).
We maintain a formal media sanitization and disposal policy that was designed to address DoD 5220.22-M. We also employ additional sanitization mechanisms for classified or sensitive information that apply to all media.
Management layer. For identity and access management, the Verizon Cloud Console uses two-factor authentication for login purposes.
Our Virtual Private Cloud supports role-based access control (RBAC), defined and implemented for business operations at the organization, environment, and security group levels. For future feature releases, Verizon Cloud will support the Security Assertion Markup Language (SAML) 2.0 framework, and we plan to offer these same services throughout 2015 as part of our layered security services vision.
Verizon Cloud’s RBAC capabilities will continue to evolve over time.
In addition, a Security Information and Event Manager (SIEM) captures and correlates all relevant information and events. We take appropriate action—which can include isolation—when an issue is detected. And by moving logs off of the individual host and onto the highly secured, centralized SIEM, we protect them from modification.
In addition to base platform security, you can and should acquire layered security services specific to your solution. You need visibility into security information and events, as well as the ability to isolate attacks to a specific component of the solution.
VALUE-ADDED SECURITY
Because you will require tailored and layered security solutions that address specific needs, in addition to base and logical security controls, we provide access to key security features and services that help protect your workloads.
Verizon Cloud firewall and VPN capabilities allow you to control access to your data and applications at both the VM and application-tier levels.
Create and modify firewall rule sets to manage how VMs connect to the Internet. Firewall rules control the flow of data between networks and devices in a cloud space. You can permit or deny access from an IP address or a network source to an IP address or network destination, a protocol, and source and destination ports. You can also send firewall logs to a syslog server configured within your cloud environment, or externally if required. Depending on the chosen deployment model and compute option, Verizon Cloud lets you use integrated software firewalling; dedicated, highly available hardware firewalls; and Verizon Cloud Marketplace independent software vendor (ISV) firewall solutions.
• In Virtual Private Cloud, software and dedicated hardware firewalls are available. Creating services generates common firewall rules. You can manage your rules through the Verizon Cloud Console. You can also view and change the location to which you send your firewall logs (for example, to a centralized syslog server).
• In Public Cloud, we provide software-based firewalls for each VM connected to a public IP address. You can manage a firewall via the user interface and create up to 15 firewall rules for each VM.
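The permit/deny rule model just described, as an added example that is not Verizon Cloud's own code: a first-match per-VM rule set that checks source, destination, protocol and port ranges, enforces the 15-rule Public Cloud cap, denies anything unmatched, and produces the syslog-style log lines that would be shipped to a collector. The Rule/Packet format, the log line layout and the sample addresses and rules are constructed for the example.

```python
"""First-match firewall rule-set evaluator with syslog-style log lines.

Added example of the rule model described above (permit/deny by source, destination,
protocol and ports, logs shipped to syslog); not Verizon Cloud's own code.
The Rule/Packet format, the log line layout and the sample rules are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MAX_RULES_PER_VM = 15  # the paper states Public Cloud allows up to 15 rules per VM
ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str                           # "permit" or "deny"
    src: str                              # CIDR or "any"
    dst: str                              # CIDR or "any"
    proto: str                            # "tcp", "udp", "icmp" or "any"
    sport: tuple[int, int] = (0, 65535)   # inclusive source-port range
    dport: tuple[int, int] = (0, 65535)   # inclusive destination-port range


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    sport: int = 0
    dport: int = 0


def _net_match(cidr: str, ip: str) -> bool:
    return cidr == ANY or ip_address(ip) in ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_net_match(rule.src, pkt.src_ip)
            and _net_match(rule.dst, pkt.dst_ip)
            and rule.proto in (ANY, pkt.proto)
            and rule.sport[0] <= pkt.sport <= rule.sport[1]
            and rule.dport[0] <= pkt.dport <= rule.dport[1])


class VmFirewall:
    """Per-VM rule set: the first matching rule wins, anything unmatched is denied."""

    def __init__(self, vm_name: str, rules: list[Rule]):
        if len(rules) > MAX_RULES_PER_VM:
            raise ValueError(f"at most {MAX_RULES_PER_VM} rules per VM")
        for r in rules:                       # reject malformed rules up front
            if r.action not in ("permit", "deny"):
                raise ValueError(f"bad action {r.action!r}")
            for cidr in (r.src, r.dst):
                if cidr != ANY:
                    ip_network(cidr, strict=False)   # raises on a bad CIDR
            for lo, hi in (r.sport, r.dport):
                if not 0 <= lo <= hi <= 65535:
                    raise ValueError("bad port range")
        self.vm_name = vm_name
        self.rules = list(rules)
        self.log: list[str] = []              # lines that would go to syslog

    def evaluate(self, pkt: Packet) -> str:
        for idx, rule in enumerate(self.rules):
            if rule_matches(rule, pkt):
                self._log(f"rule{idx}", rule.action, pkt)
                return rule.action
        self._log("default", "deny", pkt)     # implicit default deny
        return "deny"

    def _log(self, rule_id: str, action: str, pkt: Packet) -> None:
        # <134> = syslog facility local0, severity informational; "vmfw" tag is assumed
        self.log.append(f"<134>vmfw {self.vm_name} {action.upper()} {rule_id} "
                        f"{pkt.proto} {pkt.src_ip}:{pkt.sport}->{pkt.dst_ip}:{pkt.dport}")


def build_sample_firewall() -> VmFirewall:
    """Constructed rule set for a web VM at 10.0.1.10 (all addresses are examples)."""
    return VmFirewall("web-01", [
        Rule("permit", ANY, "10.0.1.10/32", "tcp", dport=(443, 443)),
        Rule("deny", "203.0.113.66/32", ANY, "tcp", dport=(22, 22)),   # one blocked host
        Rule("permit", "203.0.113.0/24", "10.0.1.0/24", "tcp", dport=(22, 22)),
    ])
```

Rule order matters: the single-host deny is listed before the subnet-wide permit so it wins on first match, and any packet that reaches the end of the list is logged and dropped by the default deny.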
Multiple options exist for secure connectivity to VMs. Verizon Cloud provides SSL VPN or LAN-to-LAN (L2L) connectivity into the cloud through integrated VPN capabilities. You can also select a third-party solution from the Verizon Cloud Marketplace. Depending on the type of cloud deployment, built-in or Marketplace solutions will be available.
• Virtual Private Cloud:
– Secure Shell (SSH) directly to the server over the Internet
– Remote Desktop Protocol (RDP) directly to the server over the Internet (limited key size)
– Integrated Cloud Console VM options leveraging SSL to connect to the VM console directly
– A pfSense template configured to build an L2L VPN tunnel, with VMs routed to the template
– Utility SSL VPN
– Dedicated and utility VPN L2L
• Public Cloud:
– SSH directly to the server over the Internet
– RDP directly to the server over the Internet (limited key size)
– Integrated Cloud Console VM options leveraging SSL to connect to the VM console directly
– A pfSense template configured to build an L2L VPN tunnel, with VMs routed to the template
– L2L or SSL VPN solutions deployed through Verizon Cloud Marketplace, with VMs routed to the Marketplace appliance
Preconfigured security solutions through Verizon Cloud Marketplace ISVs. In addition to the layered security services we offer, you can leverage Verizon Cloud Marketplace. The Marketplace delivers certified, leading applications in Big Data, software development, and also security—helping you deploy applications quickly with low risk.
• Juniper Networks Firefly is a virtual security appliance that provides security and networking services at the perimeter in virtualized private or public cloud environments. It runs as a virtual machine on a standard x86 server, and delivers features similar to those available on branch SRX Series devices.
• F5 Big-IP is an application-delivery services platform that enables traffic management and service offloading for acceleration, security, agility, and high availability (scheduled for availability in 2015).
• pfSense is an open-source network firewall based on the FreeBSD operating system.
Managed Security Services. Maintaining a strong security posture presents its own set of challenges. Verizon’s Managed Security Services provides comprehensive monitoring and timely expert analysis. We can help you:
• Identify vulnerabilities proactively and prioritize threats in the cloud and on premises.
• Refine information technology security policies and processes so that you can increase visibility, enhance cloud computing security, and manage risk.
The introduction of new technologies and systems continually challenges the ability of even the largest enterprises to maintain the confidentiality, integrity, and availability of applications, devices, and other network resources. Risk can present itself in operational challenges and vulnerabilities, as well as continuously evolving cyber threats. To reduce your risk exposure, you need a methodology and a security platform that allows you to anticipate problems, take corrective action, and show practical results. Addressing security risk management as a business process, rather than just blocking threats and fixing vulnerabilities, creates greater value in terms of technology efficiency, better resource allocation, and security compliance.
Our security management approach goes far beyond first-generation threat and vulnerability strategies to address the underlying risks, including:
• New vulnerabilities and attack methodologies
• Changing business requirements
• Management of multiple platforms
• Increased information-security compliance requirements
• Lack of security expertise and infrastructure
We provide a full portfolio of Managed Security Services, and can work with you to refine security policies and processes to identify vulnerabilities proactively and prioritize threats to your enterprise. Our Managed Security Services helps enterprises:
• Mitigate the impact of security breaches: information and revenue loss and business disruption.
• Implement strong policies and controls, which help address security requirements.
• Maintain customer trust and shareholder confidence.
Our proprietary technology platform, which supports all our Managed Security Service offerings, collects, processes, and monitors billions of events each year. This helps our security analysts provide corrective action recommendations and mitigate threats. Through our Security and Compliance Dashboard, you can view your security posture and the effectiveness of your security devices at various levels—from the big-picture view all the way down to the details of an individual security incident. If you want to measure and quantify security risks, address information-security compliance requirements, or conduct third-party due diligence, our security management and Payment Card Industry (PCI) online compliance programs, along with our Professional Services engagements, are designed to meet these common needs and are delivered by certified and leading experts.
Our managed data and managed application security services, as well as our application scanning service, were designed to help you logically and comprehensively protect your applications, guard against data loss, and control who accesses what information across your enterprise. We also deliver managed network security, vulnerability management, and identity management services to help foster business continuity, monitor and manage security data, and support secure mobile communications.
Finally, Secure Cloud Interconnect is an essential part of our value-added security services. It uses the high-performing connections of our Private IP network to quickly and securely link your workloads to your existing locations, your partners, and even a select and expanding ecosystem of cloud service providers (CSPs)—without additional engineering, equipment, circuits, or complexity.
You can even connect your Private IP networks to Verizon Cloud without installing brand new local loops supporting dedicated Private IP ports into the cloud data center. Simply add a virtual port to your Private IP VPN.
The reliability, speed, and diversity of the network provide a high-availability environment for cloud-based applications. And Secure Cloud Interconnect enables you to manage risk by helping to reduce complexity, keep privileges private and secure, and maintain application availability with reliable connectivity and around-the-clock support.
You can combine Secure Cloud Interconnect with other network services for a complete, integrated solution.
GOVERNANCE, RISK, AND COMPLIANCE
Security requirements are always increasing and are a concern in every area of business. And that’s why we dedicate an entire team of governance, risk, and compliance (GRC) experts to keep Verizon Cloud current with the latest security controls. We also offer GRC assessments through Professional Services engagements.
Virtual Private Cloud meets the following standards (at select data centers):
• SSAE No. 16 Service Organization Control (SOC) 1
• SSAE 16 SOC 2
• Payment Card Industry Data Security Standard (PCI DSS)
• International Organization for Standardization (ISO) 27001:2005
• Health Insurance Portability and Accountability Act (HIPAA) enabled
We also support the public sector with our Federal Risk and Authorization Management Program (FedRAMP) cloud offering. Contact your account representative for more details.
Strong life-cycle and change-management controls allow rapid innovation in conjunction with strong controls that help maintain uptime and reduce risk:
• Life-cycle management. We use agile development techniques to release features, enhancements, and bug fixes for Verizon Cloud. This technique promotes rapid and flexible development cycles that have predefined start and stop dates. We can release new features on a more frequent basis and quickly adapt to any necessary business changes. Each Verizon Cloud development cycle contains the current list of priorities that fit within the release cycle. Because this method allows us to adapt quickly to changes in the business, only near-term sprints (current and next) are “locked in” and committed.
• Change management. In our controlled process, all changes are submitted, reviewed, approved, scheduled, and implemented with little impact on service quality, so that Verizon Cloud maintains a high level of availability. We record all requests for changes, and include information such as risk/severity levels, maintenance verification steps, rollback procedures, and prerequisites.
Figure: Cloud via Verizon Private IP. Enterprise customers and their user devices and networks connect over the Private IP network to infrastructure, platform, and storage providers and to business process cloud providers.
1. Business Agility in the Cloud, Harvard Business Review Analytic Services (sponsored by Verizon), June 2014, www.verizonenterprise.com/resources/reports/rp_hbr-business-agility-in-the-cloud_en_xg.pdf.
Our professional consulting expertise complements Verizon Cloud. Our Professional Services suite includes a leading portfolio of consulting and integration services in key areas, including networking, cloud, security, and the Internet of Things. We don’t just bring theories and “one-size-fits-all” solutions to the table. We get deep into your business. Understanding the nuances of how you run it allows us to better address the big picture. We can help you evaluate your current systems, plan your next steps, design a cost-effective strategy, and implement it. And we don’t just implement the technology and run. We can provide project management for all engagements, helping your new solutions realize their full potential.
Whether it involves a short-term project or long-term outsourcing, we can extend the knowledge of your internal resources and provide the expert help you need. Our credentials include:
• More than 130 specialized consulting services available in more than 20 countries
• Support around the globe with local service
• Recognition as an ideal partner by industry analysts
• Recognition as an industry leader in security, managed, and hosted services
• Ability to leverage a global IP network
• A vendor-neutral approach to get the right solution
• An end-to-end solution led by the same team of professionals
• Planning, design, implementation, and migration expertise
SUMMARY
Very few hosting organizations or cloud providers can demonstrate the physical security and network infrastructure that Verizon provides. The logical security measures we incorporate on top of physical security capabilities help Verizon Cloud meet the unique security requirements of many enterprises.
We have the tools, processes, and capabilities to protect the confidentiality, integrity, and availability of your data. Our services, combined with your prudent and aggressive information-assurance measures and oversight, create a secure cloud environment second to none for hosting and securing enterprise production workloads.