Day 3 started off early and I jumped right into any advanced technical topics I could find. Overall the sessions were very good with a single disappointment. My apologies for odd english and incomplete notes… pretty tough recalling all the points that jumped up during each session. The great news is that these presentations will be available online!
Nomrod Vax of CA spoke on “Reversing of the Roles in IT – IAM Aspects of Cloud Computing”:
- Key issue in virtualization is that audit and security requirements must consider virtual “images” as they are files and can be moved, copied, and such very easily. In addition, a balance must be established to ensure that the inherent flexibility of virtual machines of being transportable is not handicapped (as this is a key value point).
- Copying a virtual machine (file / directory) is equal to stealing a server from the server room.
- Virtual machine storage can be mounted while they are operating and data can be modified / accessed during operation
A developer took a virtual machine that ran the check transactions for an organization that was having errors into a QA environment for testing, and placed it onto a clean QA server. He then ran tests against the system.
What happened is that the system didn’t “know” it was in the QA environment, and began process the transactions that were queued in the system. The result was the system completed its open tasks and these were duplicates of the ones being run by the other ‘original’ image running the checks.
Reverting back from snapshots can have the following effects:
- Audit events are LOST
- Security Configurations are reverted
- Security Policies are reverted
- **Snapshots are brilliant, but their use has massive impacts**
Users and privileged users exist, but in virtual environments there is a new level of problems by introducing a new privilege layer. This new layer resides in the hypervisor / underlying system (depending on the virtualization model)
One host running multiple virtual machines = Critical infrastructure
Critical infrastructure = Business impact
Business impact = Compliance requirements
- Cloud can be considered as a new IT service that is commoditized and cheap. Resulting in a lower barrier of entry, lower switching costs, and lower visibility and control.
- How do you know the cloud environment provider is able to satisfy the concerns that exist within the Cloud?
- Less than 20% state they are interested in deploying cloud technology, and the majority state they are going to put it on internally managed systems.
- Primary concern is security and control.
- Assurance related to performance, trust, and reliability are primary drivers away from greater adoption.
- Barriers to Enterprise adoption include – Security & control and Protecting sensitive information.
IT teams are becoming the Auditors of the Cloud providers – a role has tremendous risks to both the enterprise and the Cloud experiment.
Challenges with Auditing:
- Regulatory compliance is the major driver for Identity Management
- Auditors are not virtualization savvy
- virtualization audit issues have not been flagged
- What will drive priorities? – Education; compliance & regulatory pressures; public exposure.
- Will require adjusted controls for separate management, and control
Cloud – Due Diligence:
- Attain assurance from the Cloud provider
- Establish visibility and accountability through performance and service agreements (note this does not transfer the duty)
- Demand full privileged user management
- Restrict privileged access (provide process for allowing elevated and policy based activities)
- Ensure accountability
- Restrict access to logs
- Restrict access to virtual environment (resources)
Central Access Policy Management:
- Enforce the policy across all VMs and Virtualization platform
- Centralization – do not rely on local policies
- Enforce policy change control
- Manage deviations from the policy
- Report on Policy Compliance
Complete and Secure Auditing:
- Monitor administrative activity (including impersonation)
- Monitor all access to virtualization resources
- Centralize audit logs
- Notify on significant events
- Integrate with central SIEM systems (including triggers to provide automation and actions seamlessly)
- Security and Controls are the Number 1 inhibitors for cloud adoption
- Cloud providers need to reassure their enterprise customers
- Automation is imperative
- Security will become a cloud differentiation
- The IT roles are reversing
*Nimrod Vax gave a nice presentation. He started off very basic focusing on definitions, but the middle and end focused nicely on specific risks related Cloud and Virtualization. I felt the session sometimes overlapped the two environments – Cloud vs. Virtualization, and subsequently the risks and controls. Overall very good and well worth it. Well done.
Hemma Prafullchandra of HyTrust lead a great discussion on Assurance Framework for Internal and External clouds
A lively discussion with 8 people was held in the main conference area on Cloud computing. Specifically we were discussing the risks and levels of assurance that can be achieved in the market, as it is today. In addition to myself, there was Becky Bace (renowned technology expert), Tim Minster (Cloud afficionado), Lynn (Executive chewing on this Cloud thing in ‘real life’), and several others who I could not recognize.
Key points that I captured:
- Assumptions must be challenged regarding Cloud systems
- Premises of security
- Premises of what is prudent in the environment
- The intent of using the Cloud – i.e., is this a pet project business case or the payroll systems?
- Clouds today should not house PII, PHI, Regulated, or Confidential information.
- When putting Cloud technology to work the parties must understand what they are receiving from each specific Cloud provider – each one provides different levels of granularity and assurance through service level agreements and access to 3rd party audit reports.
- Consider Cloud as a Utility – such as power. If you want to protect your assets in your home you buy a security strip and UPS. Same should be considered on low cost Cloud-Utilities, in that deployment of end-level encryption, firewalls, IDS, and proper system level security are required. These additions, which would exist regardless of the physical locality (meaning Data Center or Cloud, they are needed regardless for certain levels of assurance), provide degrees of assurance based on the intent of the organization.
- Translating the Cloud architecture to the ‘Old Data Center’ model is key to providing the clean mapping of Common Controls and regulations to these systems.
- These Cloud Systems should be managed with the understanding of the new risks as a result of being multi-tenant and hosted.
- Data management and classification are still required in a Cloud environment, and must be considered for such things as cross border data crossings and long term management.
- Action items – support Cloud initiatives; understand the risks to such operations; place sufficient controls in place, and communicate these to the auditors and management accurately.
Ben Rothke (Sr. Security consultant with BT) spoke on Establishing a SOC,
Great session on SOC – best practices; setting one up; auditing a 3rd parties, and ensuring success in the long term. I didn’t see the entire session as I was in another session and left it early and found Ben’s very helpful. I would recommend downloading his presentation for auditors or 3rd parties vetting a SOC, as he gives tremendous detail on how these facilities should be run; how to measure them; and how to make the business case for setting these up.
Hugely valuable session.
The evening discussions were with 13 unique individuals from Visa Europe, KOBIL, People Security, and several other organizations. The discussions went through an immense amount of topics and was hugely valuable. Thank everyone for joining and sharing their great experiences!
Day 2 was fantastic. Mid-point opinion of RSA Europe = Above Average (RSA SFO being average), but the sessions need to be increased in complexity… Consensus is that sessions that are advanced could be more advanced with less basic definitions and high level concepts. Otherwise brilliant.
James DeLuccia IV