Composite Compliance: Demonstra1ng Suitability of Cloud Layering for Sensi1ve and Regulated Workloads

Transcription

1 Composite Compliance: Demonstra1ng Suitability of Cloud Layering for Sensi1ve and Regulated Workloads Heather Hinton, PhD IBM Dis1nguished Engineer Master Inventor, Member IBM AoT 7 December 2015

2 Agenda 1 Composite Compliance : What is it, why do we need it? 2 Composite Compliance: How does it work? 3 Composite Compliance and Roles and Responsibili1es 4 What s Next?

3 As customers move from tradi0on hos0ng and co- loca0on arrangements to cloud hosted scenarios, they are being forced to change how they sa0sfy their requirements for end- to- end compliance (*) SoVware as a Service Marketplace of high value consumable business applica1ons How do I know you are taking all due and required care of my (sensi0ve) data? PlaWorm as a Service Composable and integrated applica1on development plaworm If I build my applica0on using provided plahorms, are they hardened and patched to my specifica0ons? Infrastructure as a Service Enterprise class, op1mized infrastructure If I host my regulated data here, how do I know it won t be read or exfiltrated by the provider? (*) Note that in this world, compliance with interna0onal and regulatory standards typically is how we provide evidence of security

4 Background: Tradi0onal Data Centers Customer A Auditors Customer B Auditors Customer C Auditors Tradi&onal Data Center Customer A Support Staff Customer B Support Staff Customer C Support Staff Data Center Support Staff Cage: Customer A Cage: Customer B Cage: Customer C Hos0ng Provider manages the data center (physical and environmental) security May or may not publish policies Will describe what and how managed Will perform independent audits Customer (or managed services provider) manages servers, devices, cages To internally published policies Will perform independent audits! These audits will include access to the data center and raised floor to inspect and audit the cages and their contents Small number of customers on dedicated, labelled servers hosted in locked racks and cages Customers have physical and logical access to servers for maintenance, audit, checkup Data Center support staff will maintain raised floor and may have access to customer s racks/ servers based on hos0ng agreement Customer retains right to enter at any 0me, including for purposes of audit

5 Background: Cloud Data Centers Cloud Provider manages the data center (physical and environmental) security XXX May or may not publish policies Customer Cloud Data Center Will describe what and how managed Support Will perform independent audits Staff Not Cloud Provider manages physical servers ALLOWED health and maintenance Customer manages O/S layer and up for servers through logical/remote access Data Center Support Staff Will perform independent audits ONLY! They want these audits to include access Thousands of customers on co- mingled, unlabeled servers to the data center and raised floor to What changes? inspect and audit their servers Small large number of customers on dedicated, labelled shared, unmarked servers hosted in locked racks and cages hosted in open, accessible racks and rows Customers have physical and logical access to servers for maintenance, audit, checkup Data Center support staff will maintain raised floor and may have access to customer s racks/servers based on hos0ng agreement Customer retains right to enter at any 0me, including for purposes of audit Servers instrumented for transparency through extensive logging and repor0ng available through Web portal/api X Customer A Auditors X Customer B Auditors X Customer C Auditors

6 Tradi0onal & Cloud Hosted Servers : A Banking Analogy The model of cash deposit and withdrawal is analogous to server use in a Cloud/IaaS model Bank Client uses bank provided money on demand Cloud Client uses Cloud provided servers on demand 1. Client takes money (bills, coins, checks) to the bank 2. Bank keeps safe in the bank vault. Client trusts bank to safely hold money and is not allowed to see the vault 3. Client accesses money as needed but almost certainly these are not the exact same bills that were deposited The model of safety box deposit / bank vault use is analogous to the tradi0onal hos0ng model Bank Client uses bank s safety deposit to isolate and store client s owned and iden=fiable valuables Tradi=onal Client uses physical cages in Data Center to isolate and protect client s iden=fiable servers 1. Client takes iden0fiable valuables to the bank 2. Bank keeps valuables in customer iden0fied safety deposit box. Client has access to the safety deposit box 3. Client withdraws their iden0fiable valuables the exact same valuables that were deposited. Customer does not get access to other customer s valuables #

7 Composite Compliance allows workloads to leverage compliance asser0ons of their hos0ng plahorms to demonstrate compliance of their workloads without having to do an end- to- end audit SoVware as a Service Marketplace of high value consumable business applica1ons Service Compliance (including as a statement of security) is demonstrated by Service s E2E compliance statements and audit reports PlaWorm as a Service Composable and integrated applica1on development plaworm PlaHorm s Readiness (applicability) for a given workload is demonstrated by PaaS provider s compliance statements and audit reports Customer s E2E security and compliance depends on PlaHorm provider Infrastructure as a Service Enterprise class, op1mized infrastructure Infrastructure s Readiness (applicability) for a given workload is demonstrated by IaaS provider s compliance statements and audit reports Customer s E2E security and compliance depends on IaaS provider

8 Composite compliance : Described using a bigger, beber cake metaphor $ Transi0ve trust is the means by which we do most cryptographic rela0onships Provides guidelines that allow building blocks to work together Secret sauce is in providing evidence that trust is deserved and is based on mathema0cal proofs $ Composite compliance: emerging approach for cloud Provides guidelines for making bigger building blocks out of smaller starter- set building blocks Secret sauce is in how to connect these building blocks into a bigger, seamless building block With compliance, this secret sauce is based on the clear ar0cula0on of the division of labor and communica0ons between A, B and assump0ons governing these Transi1ve Trust Composite Compliance Alice Trusts Bob Bob Trusts Carol Chocolate cake Vanilla Cake Means that because of Transi0ve Trust Alice Trusts Carol Means that with Composite Compliance, Vanilla Cake layered with Chocolate Cake is also a cake as long as combined with icing and not extra spicy salsa (nouvelle cuisine aside)

9 Reprise 1 Composite Compliance : What is it, why do we need it? What is it: A means of demonstra0ng that users can trust the lower levels of an E2E applica0on/infrastructure stack, even when they can t touch it or test it Why do we need it: This allows us to describe security and compliance of lower levels in the stack to a customer s risk management and audit teams. This is necessary as risk management teams have the ability to block or restrict adop0on of Cloud solu0ons.

10 Agenda 1 Composite Compliance : What is it, why do we need it? 2 Composite Compliance: How does it work? 3 Composite Compliance and Roles and Responsibili1es 4 What s Next?

11 Composi0on compliance builds on the founda0on laid by policy frameworks such as NIST and standards such as ISO27001 Using these types of frameworks, it becomes possible for us to frame a discussion based on who does what and build a decision process to guide our assessment NIST ISO / IEC 27001: 2013 AC Access Control A.5 Informa0on Security Policy AT Awareness and Training A.6 Organiza0on of Info Security AU Audit and Accountability A.7 Asset Management CA Security Assessment and Authoriza0on A.8 Human Resources Security CM Configura0on Management A.9 Access Control CP Con0ngency Planning A.10 Cryptography IA Iden0ty and Authen0ca0on A.11 Physical and environmental Security IR Incident Response A.12 Opera0ons Security MA Maintenance A.13 Communica0ons Security MP Media Protec0on A.14 Systems Acquisi0on, Development and Maintenance PE Physical and Envrionmental Protec0on A.15 Supplier Rela0onships PL Planning A.16 Informa0on Security Incident Management PS Personnel Security A.17 Info Security aspects of Business Con0nuity Management RA Risk Assessment A.18 Compliance SA Systems and Services Acquisi0on SC Systems and Communica0ons Protec0on SI Systems and Informa0on Integrity

12 Composite compliance can be assessed with a simple decision process CFP = Cloud Founda0on Provider Start Assert: CFP Manages To Published, Recognised Standards or Frameworks Assert: CFP is Audited/Cer0fied to Interna0onally Accepted Standards 12 Do standards match client requirements? Does audit report demonstrate required controls and maturity? NO NO NO NO % Regulated, Sensi0ve Workloads Roles and responsibili0es very clearly defined? Is Yrequired evidence available for use? Op0onal Asser0on: Supported Workloads Require Addi0onal Workload Specific Evidence from CFP

13 Assert: CFP Manages To Published, Recognised Standards or Frameworks Having internal security policies that align with a published framework means that - Regulators can iden0fy a meets- min set of requirements that founda0on layers must sa0sfy, and - Clients can assess if cloud founda0on providers sa0sfy the requirements of their regulators, and - Clients can asset the types of risks and controls that the cloud founda0on providers manage to in the context of the client s specific workload Provider Manages To Published, Recognised Standards or Frameworks: (*) NIST ISO family NIST and ISO are two well- known, interna0onally recognized standards that are suited to a Composite compliance founda0onal model. TAKEWAY: Cloud Founda0on Provider MUST iden0fy a public standard or published framework to which their security policies and controls align EVIDENCE: Cloud Founda0on Provider SHOULD provide a formal statement that they manage to policies based on a given framework / standard (in addi0on to audit reports) BENEFIT: Client can evaluate maturity of Cloud Founda0on Provider s policy scope and coverage (*) This is not intended to be an exhaus0ve list

14 Assert: CFP is Audited/Cer0fied to Interna0onally Accepted Standards Publishing a detailed audit report assessing effec0veness of controls means that - Regulators can use this as evidence as part of inves0ga0on of client workload compliance - Client can rely on the audit reports/asser0ons of an independent third- party auditor to abest to readiness/suitability of cloud founda0on Provider is Audited/Cer0fied to Interna0onally Accepted Standards: SOC1/SOC2 ISO family TAKEWAY: Cloud Founda0on Provider MUST undergo a detailed unedited assessment such as a SOC2, ISO27001, FISMA EVIDENCE: Cloud Founda0on Provider MUST provide the associated details of the assessment in the form of a SOC2 Type II report or an ISO27001 Statement of Applicability BENEFIT: Client can evaluate maturity and effec0veness of controls implementa0on by Cloud Founda0on Provider Audit to standards that are appropriate/ representa0ve of the controls in place by cloud founda0on provider 14 (*) This is not intended to be an exhaus0ve list

15 Op0onal Asser0on: Supported Workloads Require Addi0onal Workload Specific Evidence from CFP Par0al compliance assessments (assessment of Cloud Founda0on Provider s relevant controls) supports Composite compliance by allowing addi0vity of controls as we move up the stack - Regulators can use this as evidence as part of inves0ga0on of client workload compliance - Client can rely on the audit reports/asser0ons of an independent third- party auditor to abest to readiness/suitability of cloud founda0on IaaS Support for Explicit Workloads: PCI DSS v3.0 AOC for Physical Security TAKEWAY: For those workloads that support explicit par0al assessments, Cloud Founda0on Provider must have appropriate assessments in place EVIDENCE: Cloud Founda0on Provider MUST provide (at least) the public facing cer0fica0on, including scope, of required workload assessment BENEFIT: Client can evaluate maturity controls implementa0on for a specific workload

16 Regulated, Sensi0ve Workloads Clients SHOULD leverage evidence from IaaS Cloud Founda0on Provider - This is how clients make the move from tradi0onal IT I need to do it all myself to cloud- based the founda0on is suited to my needs Supported Workloads Require Addi0onal Workload Specific Evidence from IaaS Provider (*) Full transparency for evidence API based access to evidence Portal based visualiza0on (*) RIN (Really Important Note): This is very difficult to do if roles and responsibili0es are not very clearly defined and delineated (Think of how hard it is to use a func0on or class if its interface is not defined) TAKEWAY: Cloud Founda0on Provider MUST provide full visibility and transparency into both how client uses IaaS tools to manage the environment and how IaaS tools and privileged users interact with client s provisioned environment and hosted workload EVIDENCE: Cloud Founda0on Provider MUST provide evidence of founda0on usage by Cloud Founda0on Provider and client s users in support of client s workload BENEFIT: Client can build a complete picture of what their Cloud Founda0on Provider hosted environment looks like and how it is managed

17 HOWEVER: Composite compliance with appropriate Cloud Founda0on Providers is NOT sufficient to support regulated/sensi0ve workloads WHAT DOES THIS MEAN? Not only must client must have full visibility into their workload as hosted on the cloud founda0on, client must also have opera0onal prac0ces and controls in place for their management of their workload TAKEWAY: Client is s0ll responsible for security and compliance of their workload; Composite compliance allows client to reduce their individual opera0onal requirements but does not remove all opera0onal requirements Supported Workloads May Include EU Data Privacy

18 Composite compliance can be assessed with a simple decision process CFP = Cloud Founda0on Provider Start Assert: CFP Manages To Published, Recognised Standards or Frameworks Assert: CFP is Audited/Cer0fied to Interna0onally Accepted Standards 18 Do standards match client requirements? Does audit report demonstrate required controls and maturity? NO NO NO NO % Regulated, Sensi0ve Workloads Roles and responsibili0es very clearly defined? Is Yrequired evidence available for use? Op0onal Asser0on: Supported Workloads Require Addi0onal Workload Specific Evidence from CFP

19 Reprise 2 Composite Compliance: How does it work? How does it work: Through a structured means of assessing who does what at each layer and how the roles and responsibili0es are split at the boundary between the provider and the customer, we can demonstrate to risk assessment and compliance teams how they can rely on the assessments of others (how to break away from the risk management equivalent of not invented here )

20 Agenda 1 Composite Compliance : What is it, why do we need it, how does it work? 2 Composite Compliance: How does it work? 3 Composite Compliance and Roles and Responsibili1es 4 What s Next?

21 Example: Transi0ve Decision Process with Provider for PCI Workloads Start Desired Workload Support & E2E can be shown to be compliant %. Do standards match client requirements? Is required evidence available for use? %. Ready for HIPAA PCI DSS v3.0 AoC % AOC Available for Customer Does audit report demonstrate required controls and maturity? Roles and responsibili0es Y very clearly defined? Cloudiness ensues. 21

22 IaaS Provider has clearly defined roles and responsibili0es covering E2E workload management Applica1on Stack Workload, Applica0on Manage Opera0ng System Replace / Manage Hardware Monitor Opera0ng System Provision Hardware Provision Automa0on Hardware Manage (hands & feet Upgrade/ Repair) Infrastructure Manage Facili0es Manage Opera1onal Management by Security Governed by Compliance Demonstrated by Client / Authorized Agent Client s security policy Client- driven workload audit Provider s Automa0on N/A (*) N/A (*) Provider Automa0on Provider Server Technicians Provider Automa0on, Infra Mgmt Teams Provider s Data Center Providers Provider s NIST based Security Policy and Opera0onal Controls Provider s NIST based Security Policy and Opera0onal Controls Provider NIST based Security Policy and Opera0onal Controls Use Provider SOC2, ISO27001, FISMA, PCI AOC as needed for infrastructure, facili0es management and compliance Provider Portal/API and Service Tickets as evidence Provider Service Tickets, Audit Logs and Compliance Reports Provider SOC1, SOC2, SOC3, ISO27001, FISMA, PCI AOC (*) Provider cannot ensure opera0ng system is provisioned as compliant with client s policies ; client handles as part of O/S Manage responsibility

23 But, sor0ng through R&R for an IaaS model, there are s0ll areas that both customer and provider have role Scope of Cloud Provider s responsibility Scope of Customer s responsibility Clear roles, but customer wants evidence Clear R&R, unclear evidence Internet Facing Customer User/ Customer, Public Network Switches Routers Devices Customer s provisioned servers (physical or virtual) VPN Out- of- Band Management Network Cloud Data Center Internal, VPN- enabled Customer Server Admin Customer responsibility Public Network Internet Facing Customer Provider Admin Provider provided management tools Direct API access Web Portal access Provider s support teams Provider s scope and access

24 Reprise 2 Composite Compliance and Roles and Responsibili1es How does it work: Through a structured means of assessing who does what at each layer and how the roles and responsibili0es are split at the boundary between the provider and the customer But Heather, you sort of sidestepped a detailed discussion of the roles and responsibili0es angle here

25 Agenda 1 Composite Compliance : What is it, why do we need it, how does it work? 2 Composite Compliance: How does it work? 3 Composite Compliance and Roles and Responsibili1es 4 What s Next?

26 What s next? 1. Pick a framework (my preference is NIST v4) 2. Iden0fy controls that are single- owner, shared/split, EDT (each do this) 1. Single Owner: responsibility is 100% with either Provider XOR Customer 2. Shared/Split: One provides input, the other provides ac0on 3. EDT: each has to maintain informa0on/perform ac0on for their clearly defined responsibility area 3. For each, 1. Look at what evidence is provided, 2. What addi0onal evidence is needed. 3. Are secondary controls required? 4. Look for gaps, fix them NIST AC AT AU CA CM CP IA IR MA MP PE PL PS RA SA SC SI Access Control Awareness and Training Audit and Accountability Security Assessment and Authoriza0on Configura0on Management Con0ngency Planning Iden0ty and Authen0ca0on Incident Response Maintenance Media Protec0on Physical and Envrionmental Protec0on Planning Personnel Security Risk Assessment Systems and Services Acquisi0on Systems and Communica0ons Protec0on Systems and Informa0on Integrity

27 What s next?: A call to arms and research We need to do the work described (or similar of other approaches prove to have more trac0on) We need to get buy in from customers, and their risk assessment teams We need to be able to ar0culate this to regulators so that they get it & Research results that prove or at least demonstrate provability of this (or similar) approaches would really help. Formal proves are great for papers and theses, but industry needs something that they can wrap their heads around so proofs need to have good examples and use cases as part of their demonstra0ons