Session Four

Heads in the iCloud

Moderated by Sonny Segal, Chief Information Officer, Montgomery County, Maryland

Academic year: 2021

Introductions

• Mr. John W. Lainhart IV, IBM Global Business Services, Partner, Cybersecurity & Privacy; Public Sector Cybersecurity & Privacy Service Area Leader, Bethesda, MD 20817

• Mr. Peter Romness, Cisco Systems, Inc., Business Development Manager, Public Sector Cybersecurity, Herndon, VA

• Mr. Jeff Stratton, Lockheed Martin Information Systems & Global Solutions (IS&GS) Civil

What is the Cloud?

Types of Clouds

Public cloud

A cloud infrastructure shared by the general public or industry, typically owned and managed by an organization that sells cloud services.

Community cloud

A cloud infrastructure shared exclusively by certain groups, such as civil agencies or others with like missions, and managed by the group or a third party. It can be hosted on or off premises.

Private cloud

Cloud resources confined inside a firewall with private control over the cloud infrastructure. Some organizations run their data centers as a private cloud.

Hybrid cloud

An approach that uses a public cloud for some services, such as general business needs, but uses a private data center for others, such as storage of sensitive data.

Government cloud

There is no specific certification for this.


Potential Benefits

• Citizen services

Drive innovation with data services in the cloud that citizens can reuse. Offer your own data mashups on a portal.

• Infrastructure

Get IT resources when needed. Pay only for what you use. Reduce the need to build, manage, and support data centers. Consolidate budget and facilities.

• Flexibility

Adjust resources up and down to meet real-time needs; offload onsite data to the cloud; access via web browser from anywhere for remote work and continuity of operations.

• Collaboration

Communicate and collaborate more effectively; employees can access work the same way they access personal information.

Potential Benefits (2)

• Disaster recovery / Continuity of Operations

Centralized data storage, management, backups, and data recovery during disruptions.

• Applications and content

Rather than waiting in the software procurement line, get hosted software, datasets, and services as they are released so you can focus on your mission.

• Policies and regulations

Cloud computing can help meet compliance requirements.

• Creative IT

Centrally managed; frees IT from "keep-the-lights-on" work for creative problem-solving.

• Secure-ability

Better secure-ability in the cloud, according to Vivek Kundra, former U.S. CIO.

• Speed of platform delivery

Data-intensive computing in the cloud can be six times faster than in isolated data centers.

Security Considerations

• Integration. With security and identity management technologies, e.g., Active Directory, and controls for role-based access and entity-level applications.

• Privacy. Data encryption, effective data anonymization, and mobile location privacy (compliance with the Privacy Act of 1974).

• Identity and access. Means of preventing inadvertent access. Can you federate across different services and from your internal environment to the cloud? How are the databases protected from unauthorized access?

• Compliance. What certifications does your provider possess? How do you handle dispute resolution and liability issues? What industry or government standards must you comply with? Are there clearly defined metrics for cloud service monitoring? How are e-discovery and criminal compliance requests handled? What are the processes to move into the cloud and back? Are backups purged? What are the requirements regarding the physical location of your data?

Security Considerations (2)

• Service integrity. How is the software protected from corruption (malicious or accidental)? How does your provider ensure the security of the written code? How do they do threat modeling? What is the hiring process for the personnel doing administrative operations? What levels of access do they have?

• Jurisdiction. The location of a cloud provider's operations can affect the privacy laws that apply to the data it hosts. Does your data need to reside within your legal jurisdiction? Federal records management and disposal laws may limit the ability of agencies to store official records in the cloud.

• Information protection. Who owns your data? Can it be encrypted? Who has access to the encryption keys? Where is the backup located, and do you have an on-premise backup? How is

Other Considerations

• Compliance

HIPAA, SOX, and FISMA requirements, and FISMA accreditation and certification. Data centers' Statement on Auditing Standards (SAS) 70 and International Standards Organization (ISO) 27001 certification, audited by independent, third-party security organizations.

• Uptime

Guaranteed 99.9 percent uptime at data centers outfitted to operate during power outages and after natural disasters. Data replication between primary and secondary data centers for redundancy, without storing any data off-site.

• Data with or without borders

Is data guaranteed to stay within U.S. borders? Multiple data centers across the U.S. provide reliability and failover for government customers. Is the chain of custody for documents preserved when moving documents between on-premise and cloud? Do documents retain their format and fidelity for investigations and FOIA requests?

• How green is the cloud?

Designed to reduce energy consumption (typically 25–40%) compared to traditional facilities.

• Who's who in your cloud?

Who else is in the cloud?

Contractual Safeguards

Service Level Agreement. SLAs should include availability of services, permissible failure rate, response time on malfunction, and recovery time on crash.

Security and privacy protection. SLAs should define security-relevant aspects and privacy protection agreements. The provider should agree to update its security strategy in line with technological developments.

Penalties for non-compliance. Agree on penalties if the provider fails to deliver on contract terms.

Sub-contracting. Agree whether and in what form the provider may subcontract out certain services. Ensure that subcontractors provide the same level of protection as the provider itself, e.g., HIPAA compliance.

Monitoring rights. Ensure you have the contractual right to monitor the cloud provider's data-processing activities, including its protective measures. Relying on the service provider's reports is insufficient.

Contract term and return of data. The contract must include its duration and exactly how data is to be returned or deleted when the contract expires or if the provider's business model changes.

Exit strategy. Early return of data if the provider and/or subcontractor goes out of business or merges.

Cloud Security

IBM Cloud Offerings: IBM SmartCloud

Leading portfolio of products and services to help secure cloud environments. Allows customers to address concerns when adopting private, public and hybrid cloud services by adopting security controls that match the requirements of the workload. Leverages IBM's deep security skillset, hosting and strategic outsourcing experience, broad security portfolio, history of security innovation, and commitment to client trust as the foundation for building security into all cloud offerings.

To address these concerns, IBM is working with clients as both a cloud service provider and trusted advisor.

Secure IBM Clouds / IBM Security Solutions (figure): IBM Security Framework (Cloud Security On Ramps); IBM Cloud Reference Model (Foundational Security Controls)

IBM SmartCloud provides a robust platform for the full IBM cloud portfolio, built on the IBM Cloud Reference Model.

IBM Cloud Reference Model (figure): Business Process as a Service; management, support and deployment; security and isolation; availability and performance; technology platform; payment and billing.

Adoption patterns are emerging and each pattern has its own set of key security concerns

Cloud Enabled Data Center (Infrastructure as a Service, IaaS): cut IT expense and complexity through cloud data centers. Integrated service management, automation, provisioning, self service. Key security focus: Infrastructure and Identity

– Manage datacenter identities

– Secure virtual machines

– Patch default images

– Monitor logs on all resources

– Network isolation

Cloud Platform Services (Platform as a Service, PaaS): accelerate time to market with cloud platform services. Pre-built, pre-integrated IT infrastructures tuned to application-specific needs. Key security focus: Applications and Data

– Secure shared databases

– Encrypt private information

– Build secure applications

– Keep an audit trail

– Integrate existing security

Cloud Service Provider: innovate business models by becoming a cloud service provider. Advanced platform for creating, managing, and monetizing cloud services. Key security focus: Data and Compliance

– Isolate cloud tenants

– Policy and regulations

– Manage security operations

– Build compliant data centers

– Offer backup and resiliency

Business Solutions on Cloud (Software as a Service, SaaS): gain immediate access with business. Capabilities provided to consumers for using a provider's applications. Key security focus: Compliance and Governance

– Harden exposed applications

– Securely federate identity

– Deploy access controls

– Encrypt communications

– Manage application policies

For U.S. Federal Government there is also FedRAMP

• FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

• The JAB is the primary governance group of the FedRAMP program, consisting of the chief information officers for the:

– Department of Defense,

– Department of Homeland Security, and

– U.S. General Services Administration.

Program goals

• Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations

• Increase confidence in security of cloud solutions

• Achieve consistent security authorizations using a baseline set of agreed upon standards to be used for cloud product approval in or outside of FedRAMP

• Ensure consistent application of existing security practices

• Increase confidence in security assessments

• Increase automation and near real-time data for continuous monitoring

Program benefits

• Increases re-use of existing security assessments across agencies

• Saves significant cost, time and resources: "do once, use many times"

• Improves real-time security visibility

• Provides a uniform approach to risk-based management

• Enhances transparency between government and cloud service providers (CSPs)

FedRAMP Security Control Pyramid Summary

IaaS: Provides on-demand processing, storage, networks, and other fundamental computing resources. 9 FedRAMP IaaS CSPs*

PaaS: Tools and services designed to make coding and deploying applications (SaaS, web apps, DBs) quick and efficient, e.g. PureApp / System, Big Data. 1 FedRAMP PaaS CSP*

SaaS: Applications designed for end-users, delivered over the web. 1 FedRAMP SaaS CSP*

*CSP counts as of 7 Jan 2014

http://www.gsa.gov/portal/category/105279

Security Control Pyramid

The number of controls the client is responsible for reduces as more cloud services are purchased. Layers of the pyramid, bottom to top: IaaS controls, PaaS controls, SaaS controls, client controls.

Security control count (total, with base controls and enhancements):

FISMA (NIST r3) MODERATE: 252 (159 base, 93 enhancements)

FedRAMP (Cloud) MODERATE: 297 (168 base, 129 enhancements)

• The more cloud services a client purchases, the fewer controls they will be responsible for.

• Each service builds on the foundation below it.

Peter Romness, Business Development Management, Public Sector Cybersecurity, Cisco Systems Inc.

Cybersecurity

• Mobility

• Cloud

• Threat

• Consumer-centric market

DC | Cloud Transition (figure)

Unifying the network services; securing multi-tenancy designs; extending security posture.

Drivers: agility, flexibility, automation, efficiency, visibility, consistency, consolidation, cost reduction, elasticity.

Layers: physical; workloads; apps / services; infrastructure. Tenancy: public, tenants, hybrid, private.

IT Megatrends are creating the "Any to Any" problem

• Endpoint Proliferation

• Blending of Personal & Business Use

• Access Assets through Multiple Media

Market Direction

Integrated Platforms – Threat Centric (figure): Firewall; Content Gateways; Integrated Platform; Virtual; Cloud

The New Security Model: the Attack Continuum

BEFORE the attack: Control, Enforce, Harden

DURING the attack: Detect, Block, Defend

AFTER the attack: Scope, Contain, Remediate

Applied across Network, Endpoint, Mobile, Virtual, and Cloud.

Increase Telemetry for Analysis

Cyber Threat Defense

• Meraki

• Monitored Threat Defense

• Virtual Network Appliances

Lockheed Martin Comprehensive Cyber Security Services (CS)²

Lockheed Martin Proprietary Information

March 5th 2014

High Level Approach

• The primary goal is to provide customers with a comprehensive assessment.

• Avoid surface-level penetration testing (when possible).

• Accurate and relevant reporting of results

– No false positives

– No inflated or deflated risks

• Remediation assistance

• Training for long-term security sustainment

– Developers

– System Administrators

– Leadership

– STEM

Penetration Testing

• Simulate real-world threats against production-ready applications

• Determine the feasibility of particular attack vectors

• Analyze system resilience to certain attacks

• Identify high-risk vulnerabilities (low-hanging fruit)

• Identify business logic flaws and access control flaws that scanners cannot easily assess

• The Problem:

– You can hire 10 penetration testers and get 10 different results.
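As an added illustration of the kind of access control flaw the slide says scanners cannot easily assess (this is constructed example code, not from the slides and not Lockheed Martin's), the handler below returns any document by id without checking who owns it, beside the corrected version with the ownership check. The in-memory document store, the user names and the function names are all hypothetical. The point for a reviewer: every response from the flawed handler is a well-formed success, so a signature-based scanner sees nothing, while a whitebox tester who knows which record belongs to which tenant finds it in one request.

```python
"""Added example (not from the slide deck): why a business-logic / access-control
flaw is invisible to a vulnerability scanner but obvious to a whitebox tester.

Everything here is constructed: the in-memory document store, the two users and
the two service functions are hypothetical illustrations, not any vendor's code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample data: two tenants, one document each.
DOCUMENTS = {
    101: Document(101, "alice", "alice's budget spreadsheet"),
    102: Document(102, "bob", "bob's incident report"),
}


class AccessDenied(Exception):
    """Raised when a caller asks for a document they do not own."""


def get_document_vulnerable(caller: str, doc_id: int) -> Document:
    """Insecure direct object reference: any authenticated caller can read any
    document just by supplying its id. The caller's identity is ignored, and
    every response is a normal success, so a scanner that looks for error
    signatures or injection echoes sees nothing wrong."""
    return DOCUMENTS[doc_id]


def get_document_hardened(caller: str, doc_id: int) -> Document:
    """Same lookup with the ownership check the vulnerable version is missing.
    Authorization is decided server-side from the caller's identity, never
    from anything the client claims about which records are its own."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != caller:
        # Same error for "missing" and "not yours": don't leak which ids exist.
        raise AccessDenied(f"{caller} may not read document {doc_id}")
    return doc


def cross_tenant_read_possible(get_document) -> bool:
    """Whitebox-style check: knowing that document 102 belongs to bob, request
    it as alice. Returns True if the handler hands bob's data to alice. This
    is the test a scanner cannot write, because it needs knowledge of the
    ownership relationship, not just of the URL."""
    try:
        return get_document("alice", 102).owner == "bob"
    except AccessDenied:
        return False


if __name__ == "__main__":
    print("vulnerable handler leaks across tenants:",
          cross_tenant_read_possible(get_document_vulnerable))
    print("hardened handler leaks across tenants:  ",
          cross_tenant_read_possible(get_document_hardened))
```

The same shape of check (request a record you know belongs to another tenant, under your own identity) is exactly the "shared databases, shared applications" question the Lockheed Martin "Security In the Cloud" slide later raises about a cloud provider's tenancy model.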

Type of Penetration Testing

• Blackbox Penetration Testing

– Does not simulate adversaries

– Because it's supposed to be stealthy it only finds limited attack vectors; you just can't find it all and be quiet.

– Testers always find one way in, but there could be 50 more.

– Relying on blackbox testing for web apps is a big mistake!

– Good for scaring the customer into spending more money

– Unfortunately some organizations need this to get the money they need to do things right.

• Comprehensive Whitebox Testing

– More effective at finding your most concerning issues

– Testers have full knowledge of the environment, so they can quickly uncover major problems without wasting precious labor hours searching for them.

APT Simulation Testing

• Great for testing defenses

– Focuses mainly on the response to the Kill Chain™ methodology

– Not designed to be a comprehensive penetration test.

Code Review – Mobile and Web Applications

• Thoroughly inspect source code for vulnerabilities and eliminate them at their root level

• Analyze frameworks and software architecture for weaknesses

• Offer guidance at the software architecture and code level to strengthen the overall software security approach

Application Risk Analysis

• Holistic approach to software risk analysis

• Utilize all system artifacts (design, architecture, code, test environment)

• Utilize all security analysis techniques (architecture review, threat modeling, code review, pen-testing)

• Provides the most thorough understanding of system risks and vulnerabilities

Software Security Touchpoints (figure): Requirements and Use Cases; Architecture and Design; Test Plans; Code

Security Lifecycle Management

Security Training

• Secure Coding and Secure Software Engineering

– Can be customized specific to customer requirements

– Utilization of customer code examples

– Specific programming languages and frameworks

– Can also be based on vulnerabilities and findings in the customer's environment

– Help developers understand how to consistently develop secure applications

• Customized Network and Systems Security Training

– Network Segmentation

– Monitoring Capabilities

– Network and Application Layer Firewall Configuration

– General Network Security Engineering

– Wireless Security

– Vulnerability Management

Security In the Cloud

• If you are using a cloud, where is your data actually stored physically from a brick and mortar perspective?

– Is it even in the US?

– Where are the datacenters?

• Who has access to it? Is it encrypted?

• Are you using shared databases, shared operating systems, shared applications, services?

• If another tenant gets compromised, is your data at risk?

– Has the cloud service provider had “comprehensive” penetration testing performed?

• Is your environment meeting the compliance standards required for your business set forth by federal, state and local regulations?


Certification, Accreditation and Audit Preparation

• NIST 800-53

• FEDRAMP Certification

• FISMA Low, Moderate, High

• ISO-17799/27000 Series

History: A Wealth of Experience with Diversified Backgrounds Fused Together

• Cyber Monitoring & Analysis

• Information Design Assurance Red Team

• Counter Intelligence

• Initial CIRT/SIC Concept & Design

• Next Generation Intrusion Detection System Architect

• DNS Blocking & Intercept Concept

LM Corporate Information Security SRT Red Team, ASE Team

• CEWL Support

• Reverse Engineering

• Vulnerability Research

• Web Application Security

• Commercial Cyber Security Consulting

• Source Code Analysis

• Software Architectural Review

• Secure Software Development Lifecycle

• Embedded Software Security Concepts

JSF Software Security Program
