Security and Compliance in a Hybrid World Matt Mosley, CISSP, CISM, CISA Senior Solution Strategist

Page 1: Security and Compliance in a Hybrid World

Matt Mosley, CISSP, CISM, CISA
Senior Solution Strategist

Page 2: Cloud is The IT Disrupter

© 2012 NetIQ Corporation. All rights reserved.

[Diagram: the drivers of the Cloud Computing Era]
• Underpenetrated and new IT growth markets emerging (BRIC+ markets, SMB, online media & entertainment, et al.)
• Traditional IT markets maturing/slowing
• Internet-driven models and technologies coming of age
• Traditional IT models inadequate for growth markets (costs, speed, complexity)
• Disruptors (e.g., Google, Amazon, Salesforce.com) forcing the pace
• Resulting pressures: the search for new market growth; the need for, and emergence of, new approaches; competitive pressure

Page 3: What do we mean by “cloud”?

• Cloud is an operational model, not a technology.
• There are many different types of clouds.

Page 4: Who’s using the cloud?

• The Sales Manager (SaaS): she’s got a corporate card, is way too busy to wait for IT, and finds it much easier to use salesforce.com than your legacy CRM.
• The Developer (PaaS): he’s agile, needs to be able to quickly develop and test new code, and wants to collaborate easily with colleagues around the globe.
• The IT Guy (IaaS): he has limited capital budget, is under pressure to deliver quickly, and figures that public cloud can beat his aging infrastructure.

Page 5: How are cloud services deployed?

Public (multiple unrelated enterprises, shared)
• Designed for a market, not a single enterprise
• Open to a largely unrestricted universe of potential users
• Customers buy at a specific level of abstraction (server, application, platform)
• Single-vendor or multi-vendor

Hybrid (virtual and physical (non-cloud) resources and applications)
• Enterprise’s cloud services portfolio includes both private and public cloud services
• Some specific services are delivered in a combination of public and private models (e.g., private cloud “bursting to” a public cloud service)

Private (single enterprise/extended enterprise, dedicated)
• Designed for, and access restricted to, a single enterprise (or extended enterprise)
• An internal shared resource, not a commercial offering
• IT org is the “vendor” of the shared/standard service to its users

Page 6: Why isn’t everything in the cloud?

• Enterprises already have the capital invested in existing data center space
• Public clouds are external – security, protection and auditing are difficult outside the boundaries of the enterprise

Page 7: The hybrid model is here to stay

• Most organizations use a mix of legacy systems, private and public clouds
• Hybrid models have the advantage of additional control where needed
• The primary disadvantage is the need to manage mixed trust levels

* Source: CloudPassage infographic based on 451 Group survey

Page 8: Caution: level of control may vary

Graphic © Gartner, Inc.

Page 9: Who’s accountable?

• According to a Ponemon Institute study, 69% of cloud providers believe that security is the end user’s responsibility.
• Unfortunately for you, they are right!

PCI DSS Cloud Computing Guidelines: while responsibility for security of cardholder data in a cloud environment is shared between the customer and cloud vendor, the customer remains accountable for ensuring that its cardholder data is properly secured.

NIST scientist Tim Grance, co-author of NIST SP 800-144: “Accountability for security and privacy in public cloud deployments cannot be delegated to a cloud provider and remains an obligation for the organization to fulfill.”

Page 10: How does the cloud affect me?

• You’re still responsible for protecting your information assets, regardless of whose network they are on
• You still have to keep your systems available (now from everywhere!)
• You still have to follow rules and regulations on consumer privacy – and figure out the differences between countries if you have global customers!
• You’re still on the hook for security…but you have to balance risk with user compliance

Page 11: Where should you start?

• Integration is the #1 challenge of security in the cloud
• Avoid “bolt-on” security; it is always easier to build it in from the start
• Identify and classify data
• Manage and control access
• Monitor and audit user activity

Page 12: Foundational Technology Start Points

• SIEM/Log Management
• Change Management/File Integrity Monitoring
• Identity & Access Management

Page 13: Identity and Access Management (Foundational Technology Start Point)

Musts:
• Manage user entitlements based on role
• Provision users to appropriate resources
• Control access to systems and data

Page 14: The New Extended Enterprise Reality

Extended Enterprise Presents Challenges In Three Dimensions

Forrester Research, Inc., “Navigate The Future Of Identity And Access Management”, Eve Maler

Page 15: Access management as a process

What is an Identity? Who/what are you?
– Name, location, etc.
– Roles: title, manager, etc.
– Relationships: employee, contractor, etc.

What should an Identity be able to access?
– Applications
– Systems
– Data
– Resources
– Physical facilities

How is the access being utilized?
– Is activity aligned to roles?
– Orphans, dormant access and entitlement creep
– Distinguish attacker from insider activity
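The three questions on this slide (who is the identity, what should it reach, how is the access actually used) reduce to a periodic access review. The following is an added example, not code from the presentation or from any NetIQ product: it takes a constructed HR roster, role baselines, granted entitlements and last-use dates, and flags orphans, dormant access and entitlement creep.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample data (not from the presentation): an HR roster,
# role-to-entitlement baselines, what is actually granted, and last use.
HR_ROSTER = {                      # user -> (role, relationship, active?)
    "amy":   ("sales_rep", "employee",   True),
    "bob":   ("developer", "contractor", True),
    "carol": ("sales_rep", "employee",   False),   # has left the company
}
ROLE_BASELINE = {                  # role -> entitlements the role should have
    "sales_rep": {"crm", "travel_booking", "webex"},
    "developer": {"code_repo_ssh", "webex", "travel_booking"},
}
GRANTED = {                        # user -> entitlements actually provisioned
    "amy":     {"crm", "travel_booking", "webex", "billing_ssn_export"},
    "bob":     {"code_repo_ssh", "webex", "travel_booking"},
    "carol":   {"crm", "travel_booking"},
    "svc_old": {"exchange_admin"},  # no HR record at all
}
LAST_USED = {                      # (user, entitlement) -> date of last use
    ("amy", "crm"): date(2012, 6, 1),
    ("amy", "travel_booking"): date(2012, 5, 28),
    ("amy", "webex"): date(2012, 6, 2),
    ("amy", "billing_ssn_export"): date(2012, 6, 3),
    ("bob", "code_repo_ssh"): date(2012, 6, 3),
    ("bob", "webex"): date(2011, 11, 1),           # untouched for months
}

@dataclass
class Findings:
    orphans: set = field(default_factory=set)   # account with no active identity
    dormant: set = field(default_factory=set)   # (user, entitlement) unused too long
    creep: set = field(default_factory=set)     # (user, entitlement) beyond the role

def review_access(today_iso, dormant_days=90):
    """Check every granted entitlement against identity, role and actual use."""
    f = Findings()
    cutoff = date.fromisoformat(today_iso) - timedelta(days=dormant_days)
    for user, ents in GRANTED.items():
        record = HR_ROSTER.get(user)
        if record is None or not record[2]:
            f.orphans.add(user)        # no identity, or identity no longer active
            continue
        baseline = ROLE_BASELINE.get(record[0], set())
        for ent in ents:
            if ent not in baseline:
                f.creep.add((user, ent))
            last = LAST_USED.get((user, ent))
            if last is None or last < cutoff:
                f.dormant.add((user, ent))
    return f
```

Orphans are the first thing to deprovision; creep and dormant entitlements go back to the role owner for recertification.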

Page 16: Users Demand Seamless Access

[Diagram: a single login (user/password, or fingerprint for strong authentication) passes through Access Management to reach the Travel Booking Tool (web resources), Exchange Server (desktop apps), Code Repository (SSH, FTP) and WebEx (SaaS)]

Page 17: Map IT Process Needs to Business Needs

[Diagram: the user logs in using a mobile device; Access Management evaluates the runtime context and returns Authorized or Not Authorized for each target: Travel Booking Tool (web resources), Exchange Server (desktop apps), Code Repository (SSH, FTP), WebEx (SaaS)]

Page 18: The impact of mobility (BYOD)

• Cloud is as much about the consumption model as the delivery mechanism
• Mobility drives both an expectation for rapid access to services and data even when remote, and an expectation that access will be provided regardless of the physical device in question.
• Businesses must enable access, and access controls, for a growing range of mobile devices, many of which will belong to the user and not the business itself.

Page 19: Change Management/File Integrity Monitoring (Foundational Technology Start Point)

Musts:
• Protect critical data
• Real-time track, trace, report…
– Who is making system changes?
– What changes were made?
– When were changes made?
– Where were changes made?
– Were the changes authorized?

Page 20: What Does It Mean to Monitor User Activity?

• Everything from physical security cameras to how users utilize social media on their computers
• Scope depends on objectives and charter
• Most often, targets active review of ‘administrator’ and end-user activity to identify misuse of privileges
– Misuse, mistake, malicious intent

Objectives: protect information, ensure compliance and system availability

Page 21: What Should a User Activity Monitoring Solution Look Like?

• Clear objectives and charter approved by executive and legal team
• Account for governing law in all jurisdictions
• Supervision of team performing monitoring
• Ability to quickly identify ‘actionable’ information based on:
– Associated risk
– Context, e.g., time of day, user role, location
– Defined policies
• Must support detailed analysis of historical activity

Must answer, “Who did what, when, how and where?”

Page 22: Things To Look For

• Clinician accessing records of ‘celebrity’ patient not in their care
• Sales rep downloading client lists and sales pipeline, or Billing Manager downloading SSNs
• IT Administrator reading email between executive team and board members
• IT Administrator taking shortcuts around change control process to save time

…and deeper in the engine:
– System overrides, file modifications, credential sharing, etc.
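The five change-monitoring questions on page 19 (who, what, when, where, authorized?) and the “administrator taking shortcuts around change control” case above are answered by correlating file integrity events with approved change tickets and ranking the result by risk and time-of-day context, as page 21 asks for. This is an added example, not code from the presentation or from any NetIQ product; the events, tickets, hostnames and hash values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch

@dataclass(frozen=True)
class ChangeEvent:          # one record from a file integrity monitor (constructed)
    who: str                # account that made the change
    what: str               # file path that changed
    when: datetime
    where: str              # host
    old_hash: str           # constructed placeholder digests, not real hashes
    new_hash: str

@dataclass(frozen=True)
class ChangeTicket:         # an approved change-control record (constructed)
    ticket: str
    host: str
    path_glob: str          # files the ticket permits changing
    start: datetime         # approved change window
    end: datetime
    assignee: str

TICKETS = [
    ChangeTicket("CHG-1001", "web01", "/etc/nginx/*", datetime(2012, 6, 4, 22, 0),
                 datetime(2012, 6, 4, 23, 59), "ops_dana"),
]
EVENTS = [
    ChangeEvent("ops_dana", "/etc/nginx/nginx.conf", datetime(2012, 6, 4, 22, 15), "web01", "h1", "h2"),
    ChangeEvent("ops_dana", "/etc/sudoers", datetime(2012, 6, 4, 22, 20), "web01", "h3", "h4"),
    ChangeEvent("dev_bob", "/etc/nginx/nginx.conf", datetime(2012, 6, 5, 14, 5), "web01", "h2", "h5"),
]

def matching_ticket(ev):
    """Correlate an event with a ticket covering its host, path, window and assignee."""
    for t in TICKETS:
        if (t.host == ev.where and fnmatch(ev.what, t.path_glob)
                and t.start <= ev.when <= t.end and t.assignee == ev.who):
            return t
    return None

def triage(events, critical_globs=("/etc/sudoers", "/etc/passwd", "/etc/shadow")):
    """Rank each change by risk so unauthorized changes to critical files surface first."""
    findings = []
    for ev in events:
        t = matching_ticket(ev)
        risk = 0 if t else 2                                  # no ticket: not authorized
        if any(fnmatch(ev.what, g) for g in critical_globs):
            risk += 2                                         # critical data touched
        if ev.when.hour < 7 or ev.when.hour >= 19:
            risk += 1                                         # off-hours context
        findings.append({"who": ev.who, "what": ev.what, "when": ev.when.isoformat(),
                         "where": ev.where, "ticket": t.ticket if t else None, "risk": risk})
    return sorted(findings, key=lambda f: f["risk"], reverse=True)
```

The second event is the “shortcut”: the same administrator, inside an approved window, edits a file the ticket never covered, and it ranks above the plainly unticketed daytime change because of the file and the hour.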

Page 23: SIEM/Log Management (Foundational Technology Start Point)

Musts:
• Protect critical data
– Capture logs
– Review logs
– Store logs
– Prioritize log record collection
– Don’t forget application logs

Page 24: The ‘Historical’ Problem with SIEM

• Too complex
• Not flexible
• Unable to deliver true ‘actionable intelligence’
• Difficult to justify investment

Page 25: Security Information and Event Mgmt.: What to Look For

[Diagram: Event Data and Identity and Activity Context feeding Advanced Data Analytics]

• Ease of deployment
• Simplicity of configuration, tuning, and administration
• Contextual/identity data enrichment for advanced user activity monitoring
• Integration with change and activity monitoring

Page 26: Using Correlation to Detect Threats

Anomaly Detection
• Discrepancy or deviation from an established trend or pattern
• Something I can’t necessarily foresee but I want to monitor

Correlation
• Relationship between two or more sets of data
• Something I can foresee and want to take immediate action on

Page 27: Avoid Blind Spots in the Cloud

• Consider monitoring needs when evaluating workloads for cloud-based services
• Provide requirements to cloud providers
• When evaluating SIEM technologies, pay attention to external data integration capabilities

[Diagram: user activity events from cloud applications, cloud infrastructure and the data center (applications, infrastructure) brought together in a unified view. Graphic © Gartner, Inc.]

Page 28: Security Intelligence will set you free

[Diagram: across physical, virtual and cloud environments, sources (identity, security applications, directory, asset/service, business objectives, hosts, network and security devices, database, applications) feed Security State and Response Intelligence (threat analysis, incident response context, risk state visualization) and Security Risk and Compliance Intelligence (compliance and risk analysis, user activity monitoring, historical activity analysis)]

Page 29: What about compliance?

• The best way to achieve compliance is to get the security basics right.
• Close existing gaps and address findings, then apply the same set of controls to the cloud.
• Make sure you review cloud-specific guidance where available, and when in doubt, ask!

Page 30: Where to go for guidance and research

www.cloudsecurityalliance.org
www.nist.gov

Page 31: In closing… some words of wisdom

“If your security sucks now, you’ll be pleasantly surprised by the lack of change as you move to the cloud.” – Chris Hoff, CSA Summit

• Security in the cloud is the responsibility of the organization, not the cloud provider.
• Cloud does not create new security problems, it just magnifies the ones that already exist.
• Extend your existing technical controls to secure, manage and measure your cloud infrastructure.

Page 32: NetIQ Solutions for Identity, Access, and Security Management

Identity Management
• Identity Manager Family
• Access Governance Suite
• Directory and Resource Administrator
• Group Policy Administrator

Access Management
• Access Manager
• SecureLogin
• Privileged User Manager
• Cloud Access
• Social Access

Security Management
• Sentinel
• Sentinel Log Manager
• Change Guardian
• Secure Configuration Manager

Secure, Manage and Measure Computing Services From, In and To the Cloud

Page 33

+1 713.548.1700 (Worldwide)
888.323.6768 (Toll-free)
[email protected]

Worldwide Headquarters
1233 West Loop South, Suite 810, Houston, TX 77027 USA

http://community.netiq.com