“Companies rarely fail because of poor financial controls, but they fail
frequently due to their inability to understand and address disruptive
technologies, market fluctuations, changing customer expectations, and
competitive pressures.”
2014 Forrester report by Chris McClean, Stephanie Balaouras & Jennie Duong
URL: http://www.metricstream.com/pdf/Extend-compliance-and-risk-Forrester-play-book.pdf
7 W’s of Auditing and Investigations
1. What: What activity occurred? What was the result?
   Key Attributes: Action, Outcome, Type, Reason
2. When: When did the action happen? When was it observed? How long did it take?
   Key Attributes: Universal Timestamp, Time Zone, Duration
3. Who: Who (user/service) initiated the Action?
   Key Attributes: User, ID, Type, Name, Role/Credentials, Assertions
4. Where: Where was the Action observed, reported or modified? What role does the event serve? How was it recorded?
   Key Attributes: User/Observer, ID, Type, Name, Role/Credentials, Location
5. On What: On What resource did the Activity Target?
   Key Attributes: Device/Role ID
6. From Where: From Where was the Action initiated?
   Key Attributes:
   • logical/physical addresses ex: host IP address, server name
   • precise geolocations ex: ISO-6709-2008
7. To Where: To Where was the Action Targeted?
   Key Attributes:
   • logical/physical addresses ex: host IP address, server name
   • precise geolocations ex: ISO-6709-2008
Agile SCRUM
Scrum is an iterative and incremental agile software development methodology for managing product development.
Key concepts
Roles:
• Product Owner
• Scrum Master
• Team Member
• Stakeholder
Artifacts, Ceremonies & Processes:
• Product Vision
• Product Backlog
• Release Backlog
• Sprint Backlog
• User Story Estimation
• Release Burndown
• Sprint Burndown
• Story Board
• Daily Standup Meetings
• Sprint Demo
• Sprint Retrospective
• Capacity
The IT Industry Paradigm is Shifting…
Microservices: A software architecture style, in which complex applications are composed of small, independent processes communicating with each other using language-agnostic APIs. These services are small, highly decoupled and focus on doing a small task.
Virtualization (vertical abstraction): Each virtualized application includes the application, the required binaries & libraries, and a Guest OS. The application may be in the order of 10s of MB, however the Guest OS may be in the order of 10s of GB.
Containerization (horizontal segmentation): Docker Container: The Docker Engine container needs just the application and its dependencies. It runs as an isolated process in userspace on the host OS, sharing the kernel with other containers. Thus, it enjoys the resource isolation & allocation benefits of VMs but is much more portable & efficient.
[Figure: stack comparison. Type 1 Hypervisor Server: App A / App B, Bins / Libs, Guest OS, Hypervisor, Server. Type 2 Hypervisor Server: App A / App B, Bins / Libs, Guest OS, Hypervisor, Host OS, Server. Docker: App A / App B, Bins / Libs, Docker Engine, Host OS, Server.]
Kubernetes: Open source orchestration system (container cluster manager) for Docker containers. It handles scheduling onto nodes in a compute cluster and actively manages workloads to ensure that their state matches the user’s declared intentions. Runs on Public Cloud, Private Cloud, and Bare Metal.
Sources: Microservices by James Lewis and Martin Fowler, URL: http://martinfowler.com/articles/microservices.html; Containers & VMs by Michael Daconta, URL: http://www.quora.com/How-is-containerization-different-from-virtualization
The IT Industry Paradigm is Shifting…
Continuous Integration (CI): A development practice that requires developers to integrate code into a shared repository several times a day. Each check-in is then verified by an automated build, allowing teams to detect problems early.
Continuous Delivery (CD): A software engineering approach in which teams keep producing valuable software in short cycles and ensure that the software can be reliably released at any time. It is used in software development to automate and improve the process of software delivery.
API Management: The process of publishing, promoting and overseeing application programming interfaces (APIs) in a secure, scalable environment. It also includes the creation of end user support resources that define and document the API.
[Figure: the “Wall of Confusion” between Development and Operation, and between Development tools and Operation tools]
URL: http://theagileadmin.com/what-is-devops/
URL: http://en.wikipedia.org/wiki/DevOps
What is different in DevOps…
Configuration Management:
[Figure: Traditional CMDB vs. Cloud environment CMDB]
Traditional CMDB: Application → Web site, Database → Apache HTTP, Tomcat instance, MySQL DB instance → HP Server, Linux VM → Data Ctr
Cloud environment CMDB: Application (build) → Platform instance → Hosting platform (e.g. AWS, Google, Rackspace, HP, IBM) → Zone → Data Ctr; further details (app code, e.g. web, app, DB nodes, IPs, software versions) are kept in the automation/CD toolchain
Adapted from Torsten Rueten at URL: https://www.linkedin.com/pulse/devops-itil-match-made-heaven-hell-part-1-torsten-rueter
What is different in DevOps…
Release and Change Management: URL: https://www.chef.io/solutions/continuous-delivery/
Incident Management: DevOps changes primarily who gets involved in Incident Mgmt at which stage and what their stake is in the process. An even bigger impact may be achieved by ensuring there’s the right culture and mindset that puts customers, service, reliability, and quick mean time to repair (MTTR) at the center of the approach.
Event Management, Monitoring & Logging: The key difference is that the complexity, scale, and speed of DevOps make it imperative to focus on Internet Scale vs. Enterprise Scale solutions.
Adapted from Torsten Rueten at URL: https://www.linkedin.com/pulse/devops-itil-match-made-heaven-hell-part-1-torsten-rueter
DevOps Success Factors
[Figure: Technology (Continuous Assessment & Adjust, Continuous Integration, Continuous Testing, Continuous Delivery, Continuous Deployment, Continuous Performance), Process (Planning, Governance, Lifecycle management, Release Automation, Lifecycle Management) and Culture (Collaboration, Accountability)]
DevOps Success factors:
• Culture, Collaboration & Mindset
• Effective Team Collaboration
• Identify & Eliminate Waste
• Improve Automation Efficiencies for Internet Scale
• Unified Processes for Development to Operations
• Unified Tooling (Key Capabilities)
  • Version-control software library
  • Deeply modeled systems
  • Automation
• Key Industry dynamics:
  • Infrastructure as code
  • Model driven automation
  • Continuous integration (CI)
  • Continuous deployment (CD)
DevOps Best Practices
Practice 1: Active Stakeholders Participation
Practice 2: Automated Testing
Practice 3: Integrated Configuration Management
Practice 4: Integrated Change Management
Practice 5: Continuous Integration
Practice 6: Integrated Deployment Planning
Practice 7: Continuous Deployment
Practice 8: Production Support
Practice 9: Application Monitoring
Practice 10: Automated Dashboards
The Road to DevOps:
1. Execs Commitment
2. Cloud Platform
3. Standardization
4. Interoperability & Automation
5. Process Optimization
6. Organization Culture
URL: http://www.drdobbs.com/architecture-and-design/top-10-practices-for-effective-devops/240149363
DevOps lifecycle
[Figure: DevOps domains: Planning, Issue Tracking, Source Control, Development Environment, Collaboration, Continuous Integration, Continuous Deployment / Delivery, Configuration Management, Operations Management, Monitoring]
Sample of DevOps Tools and Technologies
Plan: HP Agile Manager, HP PPM, MS Project, Trello
Continuous Integration: TeamCity, TravisCI, Jenkins, BuildHive
Test: HP Quality Center, Ant, Gradle, Maven, ThoughtWorks Go
Continuous Delivery/Deploy: HP CODAR, HP OO, SA, NA, DMA, NNMi, Docker, CoreOS, Packer, Octopus, Capistrano, artifactory
Issue Tracking: HP SM & SAW, HP Quality Center, Jira, ZenDesk, MS Visual Studio Online
Monitoring: HP Site Scope, HP vPV, HP OMi, HP BSM, HP Performance Manager, Graphite, Logstash, Cloudyn, New Relic
Configuration Management: HP CMS, Puppet, Chef, CFEngine, Ansible, SaltStack, PowerShell DSC, Ubuntu Juju
Analyze: HP Fortify, HP ArcSight, Splunk, SonarCube, Kibana, logentries
Collaboration: HP MyRoom, Campfire, Slack, IRC, SharePoint, GoToMeeting
Cloud Management Tools, Technologies & Companies
Cost/Chargeback: HP Cloud Sys Chargeback, Cloudability, Cloudyn, Cloud Cruiser, Newvem/Datapipe
Integration: IBM / Cast Iron, Dell Bhoomi, Azure, Amazon SQS, Informatica, TIBCO, MuleSoft
Also shown: AWS, OpenStack
Security Management Tools, Technologies & Companies
Cyber Security: Palo Alto Networks, Proofpoint, Guidance Software, Fireeye, Check Point Technologies, Lancope, Alienvault, ClearWater Compliance, RSA/EMC, Norse, Blue Coat, Akamai, Trend Micro, Qualys
Computer Security: Intel Security, Symantec, AVG, Beyond Security
Network Security: AT&T Network Sec, Bradford Networks, Cisco, Bayshore Networks
Service Delivery Models
Layer             Traditional (on premise)   Infrastructure (as a service)   Platform (as a service)   Software (as a service)
User Experience   Client managed             Client managed                  Client managed            Jointly managed
Applications      Client managed             Client managed                  Client managed            Vendor managed
Data              Client managed             Client managed                  Client managed            Vendor managed
O/S               Client managed             Client managed                  Vendor managed            Vendor managed
Virtualization    Client managed             Vendor managed                  Vendor managed            Vendor managed
Cloud Services Integration and Management (CSIM/CSIAM)
[Figure: CSIM/CSIAM functional areas, actors and OpenStack components]
Business Support: Customer Mgmt, Contract Mgmt, Inventory Mgmt, Accounting & Billing, Reporting & Auditing, Pricing, Costing & Rating
Operations Support: IT Operations, Service Delivery, Service Support, Service Catalog/Request Management, Service Assets & Configuration Mgmt, Event Management, Monitoring & Controls, Incident Management, Problem Management, Knowledge Mgmt, Change Management, Release Management, Availability & Capacity Mgmt
Provisioning/Configuration: Rapid Provisioning & Fulfillment, Resource Change, Monitoring & Reporting, Metering, SLA Management
Integration (Portability & Interoperability): Data Management (Data Portability, Copy Data, Bulk Data Transfer), Service Interoperability (Unified Management Interface), Systems Portability (VM Images Migration, App/SVC Migration, Containers Migration)
Also shown: Governance, Security & Risk Management; Governance, Risk Mgmt; Security Management
Actors: Cloud Consumers, Cloud Brokers, Cloud Auditors, Service Providers
OpenStack components: Compute (Nova), Networking (Neutron), Object Storage (Swift), Image Management (Glance), Identity Management (Keystone), Orchestration (Heat), Telemetry (Ceilometer), Elastic Map Reduce (Sahara), Messaging (Zaqar), Bare Metal Provisioning (Ironic), Database (Trove)
Sample Standards and Compliance Controls
• Cloud Security Alliance Cloud Control Matrix (CSA CCM 3.0.1)
• NIST SP 800-53 Rev. 4
• NIST Cybersecurity Framework
• ISO/IEC 27002
• FISMA and FedRAMP
• Meaningful Use, HITECH and HIPAA
• CoBIT 5
• ITIL v3 / 2011
• Payment Card Industry Data Security Standard (PCI DSS 3.1)
• Distributed Management Task Force (DMTF)
• Cloud Infrastructure Management Interface (CIMI)
• Cloud Auditing Data Federation (CADF)
Sample Standards and Compliance Controls
Legend: CSA: Cloud Security Alliance; TCI: Trusted Cloud Initiative
Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI_Whitepaper.pdf
Cloud Security Alliance TCI Reference Architecture
BOSS Services:
• Compliance
• Data Governance
• Operational Risk Management
• Human Resources Security
• Security Monitoring Services
• Legal Services
• Internal Investigation
SRM Services:
• Governance Risk and Compliance
• Information Security Management
• Privilege Management Infrastructure
• Threat and Vulnerability Management
• Infrastructure Protection Services
• Data Protection
• Policies and Standards
Security Controls
Determine security control effectiveness (i.e.
controls implemented correctly, operating as
intended, meeting security requirements for
information system).
Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
NIST SP 800-53 Rev. 4 Security and Privacy Controls
NIST Cybersecurity Framework version 1.0
[Figure: Framework Core with the number of subcategories per category]
# of Subcategories by Function (per category, with the Function total in parentheses):
Identify: 6, 5, 4, 6, 3 (24)
Protect: 5, 5, 7, 12, 2, 4 (35)
Detect: 5, 8, 5 (18)
Respond: 1, 5, 4, 3, 2 (15)
Recover: 1, 2, 3 (6)
Source: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
ISO/IEC 27002:2015
Source URL: http://www.isaca.org/COBIT/Pages/default.aspx
COBIT 5
Governance: Evaluate, Direct and Monitor (EDM), 5 processes:
• EDM01 Ensure Governance Framework Setting and Maintenance
• EDM02 Ensure Benefits Delivery
• EDM03 Ensure Risk Optimization
• EDM04 Ensure Resource Optimization
• EDM05 Ensure Stakeholder Transparency
Management: Align, Plan and Organize (APO), 13 processes (those shown on the slide):
• APO01 Manage the IT Management Framework
• APO02 Manage Strategy
• APO03 Manage Enterprise Architecture
• APO04 Manage Innovation
• APO05 Manage Portfolio
• APO08 Manage Relationships
• APO09 Manage Service Agreements
• APO10 Manage Suppliers
• APO11 Manage Quality
• APO12 Manage Risk
Management: Build, Acquire and Implement (BAI), 10 processes (those shown on the slide):
• BAI01 Manage Programs and Projects
• BAI02 Manage Requirements Definition
• BAI03 Manage Solutions Identification and Build
• BAI04 Manage Availability and Capacity
• BAI05 Manage Organizational Change Enablement
• BAI08 Manage Knowledge
• BAI09 Manage Assets
• BAI10 Manage Configuration
Management: Deliver, Service and Support (DSS), 6 processes (those shown on the slide):
• DSS01 Manage Operations
• DSS02 Manage Service Requests and Incidents
• DSS03 Manage Problems
• DSS04 Manage Continuity
• DSS05 Manage Security Services
Management: Monitor, Evaluate and Assess (MEA), 3 processes:
• MEA01 Monitor, Evaluate and Assess Performance and Conformance
• MEA02 Monitor, Evaluate and Assess the System of Internal Control
• MEA03 Monitor, Evaluate and Assess Compliance with External Requirements
URL: http://www.isaca.org/COBIT/Pages/default.aspx
ITIL 2011
Service Strategy (SS) 5 Processes:
• Business relationship management
• Financial management for IT services
• Service portfolio management
• Strategy for IT services
• Demand management
Service Design (SD) 8 Processes:
• Design coordination
• Service catalog management
• Service level management
• IT Service continuity management
• Supplier management
• Availability management
• Capacity management
• IT Security management
Service Transition (ST) 7 Processes:
• Transition planning & support
• Change management
• Change evaluation
• Service validation & testing
• Service asset & configuration management
• Release & deployment management
• Knowledge management
Service Operation (SO) 5 Processes:
• Event management
• Incident management
• Problem management
• Request management
• Access management
4 Functions:
• Service desk
• Technical management
• IT Operations management
• Application management
PCI DSS: 12 Requirements, 231+ Detailed reqs, 5 reqs for Shared Hosting Providers
Source: PCI DSS Standards URL: https://www.pcisecuritystandards.org
DMTF Cloud Auditing Data Federation (CADF) Standard
Defines a full event model anyone can use to fill in the essential data needed to certify, self-manage and self-audit application security in cloud environments. CADF is part of the DMTF’s Cloud Management Initiative.
[Figure: Company A’s OSS/BSS Processes and Company A’s Hybrid Applications spanning Cloud Provider P2. OSS: Operational Support Services; BSS: Business Support Services]
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Example: 7 essential W’s auditing and monitoring
Distributed Management Task Force (DMTF) Cloud Auditing Data Federation (CADF)
CADF Event Model and its components
• Works for any Activity, Monitoring or Control event
• Provides guidance on how to record Basic, Detailed or Precise information for each component
1. What: What activity occurred? What was the result?
   event.action
   event.outcome
   event.type (activity, monitoring, control)
   event.reason (ex: security, reason code, policy id)
2. When: When did the action happen? When was it observed? How long did it take?
   ISO 8601 transactions Timestamp
   event.eventTime
   reporter.timestamp, event.duration
3. Who: Who (user/service) initiated the Action?
   initiator.id; initiator.type
   initiator.id (id, name)
   initiator.credential
   initiator.credential.assertions
4. Where: Where was the Action observed, reported or modified? What role does the event serve? How was it recorded?
   observer.id, observer.type
   reporterstep.role, reporterstep.reporterTime
5. On What: On What resource did the Activity Target?
   target.id
6. From Where: From Where was the Action initiated?
   May include logical/physical addresses and ISO-6709-2008 precise geolocations
   initiator.addresses, initiator.host, initiator.geolocation
7. To Where: To Where was the Action Targeted? Can be as simple as an IP address or server name.
   target.addresses, target.host, target.geolocation
[Figure: CADF Event Model: Basic and conditional model components]
Source: http://dmtf.org/sites/default/files/standards/documents/DSP2038_1.0.0.pdf Legend: Italics are optional properties
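The 7 W’s mapping above (and the auditing slide earlier in the deck) as an added worked example, not code from the slides or from the DMTF specification: a constructed access-log record is mapped onto CADF event properties, then checked for enumerated values, an ISO 8601 timestamp with a time zone, and whether every W can be answered. The id scheme, the sample values and the property set chosen for each W are assumptions.

```python
"""Map a constructed access-log record to a CADF-style event and check that it
answers the 7 W's. Added illustration, not code from the slides or the DMTF spec;
property names follow the slide, sample values and the id scheme are assumed."""
import uuid
from datetime import datetime

CADF_TYPE_URI = "http://schemas.dmtf.org/cloud/audit/1.0/event"
EVENT_TYPES = {"activity", "monitoring", "control"}
OUTCOMES = {"success", "failure", "unknown", "pending"}

# Event properties (dotted paths) that answer each W of the slide (assumed set).
SEVEN_WS = {
    "What": ["action", "outcome", "eventType"],
    "When": ["eventTime"],
    "Who": ["initiator.id", "initiator.typeURI"],
    "Where": ["observer.id", "observer.typeURI"],
    "OnWhat": ["target.id"],
    "FromWhere": ["initiator.host.address"],  # or addresses / geolocation
    "ToWhere": ["target.host.address"],       # or addresses / geolocation
}

def build_event(rec):
    """Build a CADF event dict from a flat access record (constructed format)."""
    return {
        "typeURI": CADF_TYPE_URI,
        "id": "urn:uuid:" + str(uuid.uuid4()),   # assumed id scheme
        "eventType": "activity",
        "eventTime": rec["time"],                # ISO 8601 with time zone
        "action": rec["action"],
        "outcome": rec["outcome"],
        "initiator": {"id": rec["user_id"], "typeURI": "service/security/account/user",
                      "credential": {"type": "token", "assertions": rec["assertions"]},
                      "host": {"address": rec["src_ip"]}},
        "target": {"id": rec["resource_id"], "typeURI": rec["resource_type"],
                   "host": {"address": rec["dst_host"]}},
        "observer": {"id": rec["observer_id"], "typeURI": "service/security"},
    }

def _get(event, dotted):
    """Follow a dotted path into nested dicts; None if any segment is absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def missing_ws(event):
    """Return the W's this event cannot answer (empty list means complete)."""
    return [w for w, props in SEVEN_WS.items()
            if any(_get(event, p) in (None, "", []) for p in props)]

def validate(event):
    """Check enumerated values and the timestamp; return a list of problems."""
    problems = [k for k, ok in (("typeURI", event.get("typeURI") == CADF_TYPE_URI),
                                ("eventType", event.get("eventType") in EVENT_TYPES),
                                ("outcome", event.get("outcome") in OUTCOMES)) if not ok]
    try:
        ts = datetime.fromisoformat(str(event.get("eventTime")).replace("Z", "+00:00"))
        if ts.tzinfo is None:
            problems.append("eventTime has no time zone")
    except ValueError:
        problems.append("eventTime is not ISO 8601")
    return problems + ["missing " + w for w in missing_ws(event)]

# Constructed sample: a denied attempt to delete a storage object.
SAMPLE = {"time": "2015-06-01T14:03:12Z", "action": "delete", "outcome": "failure",
          "status": 403, "user_id": "user-1234", "assertions": ["role:member"],
          "src_ip": "203.0.113.7", "resource_id": "obj-98765",
          "resource_type": "service/storage/object",
          "dst_host": "swift.example.net", "observer_id": "audit-proxy-1"}
```

Running `validate(build_event(SAMPLE))` returns an empty list; dropping the initiator host or using a timestamp without a zone surfaces the W that can no longer be answered.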
Challenges & Opportunities in Cloud Management
• Transparency is Crucial
• Regulations can’t keep up
• Need for continuous real-time security audits & monitoring
• Bridge the gaps between the academic world innovations and the business world
• Security requires a Big Picture approach
• BYOD brings additional challenges
• Bare-metal security features are not available in virtual world
• Accidental key sharing in appliances
• Leave security implementations to the experts
• Data partitioning for hybrid clouds
• Do consumers care? i.e. willing to pay
• Products can end up being used in industries they aren't designed for
• Security guarantees are impossible to "prove"
Source: John Wetherill, URL: http://www.activestate.com/blog/2015/02/locking-down-cloud-18-security-issues-faced-enterprise-it
Source URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm
Challenges & Opportunities in Cloud Management
• Containers and portable VM snapshots are too portable
• Encryption efforts are vulnerable if physical access to a machine is available
• Controlling physical access to the data center is not enough
• Privacy and security are at odds
• Lack of control over assets and physical security
• Integration and Interoperability of systems / API Management
• Who controls the encryption/decryption keys for data in store & in transit?
• Lack of standard for data integrity
• Virtual machines / Containers transition between Private to Public to Hybrid environments
• Establishing and Management of Service Level Agreements (SLA)
• Usage based Costing, Invoicing & Chargeback
• Data migration in and out of the Cloud Service Provider
• Plan for an exit strategy from the beginning
Source: John Wetherill, URL: http://www.activestate.com/blog/2015/02/locking-down-cloud-18-security-issues-faced-enterprise-it
Source URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm
Reference URLs
• Cloud Standards Customer Council (CSCC) Cloud Security Standards
• Cloud Auditing Data Federation
• NIST Cloud Computing Standards Roadmap
• Detailed CSA TCI Reference Architecture
• Payment Card Industry (PCI) Data Security Standards (DSS) Guidelines
• OpenStack wiki
• OpenStack Main Page
• OpenStack Developers Guides
• Cloud Audit Data Federation - OpenStack Profile
• Cloud Auditing Data Federation (CADF) - 5 Data Format and Interface Definitions Specification (DSP0262_1.0.0)
• CADF Event Model and Taxonomies
• NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
• URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm
• CRCnetBASE: http://www.crcnetbase.com/action/showPublications?display=bySubject&category=40001730&collapse=40001730
• FedRAMP: https://www.fedramp.gov/
• FISMA: http://www.dhs.gov/federal-information-security-management-act-fisma
References & Credits
Conclusion
• Migration to Cloud will continue due to the efficiencies and economics.
• Cloud is all about services and service delivery.
• The Cloud is only worth the services it delivers securely.
• Cloud is all about a hybrid world.
• Security, Risk Management & Audit practices are at the center for Agile, DevOps, and Cloud
Management transformation.
sukumar.nayak@hp.com
sukumar.nayak@gmail.com
240.506.2305
linkedin.com/in/sukumarnayak/
Backup
Open Security Architecture
Open Security Architecture URL: http://www.opensecurityarchitecture.org/cms/foundations/osa-taxonomy
DevOps & Cloud: Key is Automated Provisioning
Fully automated provisioning: the ability to deploy, update, and repair application
infrastructure using only pre-defined automated procedures.
Extending the scope and value delivered by GRC & ERM
Ref: 2014 Forrester report by Chris McClean, Stephanie Balaouras & Jennie Duong
Source URL: http://www.metricstream.com/pdf/Extend-compliance-and-risk-Forrester-play-book.pdf
DevOps Maturity Model
Source HP: http://h30499.www3.hp.com/t5/Business-Service-Management-BAC/DevOps-and-OpsDev-How-Maturity-Model-Works/ba-p/6042901#.VWJZ0k3bKM8
Sample of DevOps Tools and Technologies
Plan: HP Agile Manager, HP PPM, MS Project, Trello
Develop / Build: Git, CVS, MS TFS, Vagrant, Cloud 9 IDE, Codenvy
Continuous Integration (CI): TeamCity, TravisCI, Jenkins, BuildHive
Test: HP Quality Center, Ant, Gradle, Maven
Continuous Delivery / Deploy (CD): HP CODAR, HP OO, SA, DMA, NA, NNMi, Docker, CoreOS Rocket, Packer, Octopus, ThoughtWorksGo, Capistrano, artifactory
Sample of DevOps Tools and Technologies
Issue Tracking: HP SM & SAW, HP Quality Center, Jira, ZenDesk, MS Visual Studio Online
Monitoring: HP Site Scope, HP vPV, HP OMi, HP BSM, HP Performance Manager, Graphite, Logstash, Cloudyn, New Relic (APM & Server)
Configuration Management: HP CMS (UD & CMDB), Puppet, Chef, CFEngine, Ansible, SaltStack, PowerShell DSC, Ubuntu Juju
Analyze: HP ArcSight, HP Fortify, Splunk, SonarCube, Kibana, logentries
Collaboration: HP MyRoom, Campfire, Slack, IRC, SharePoint, GoToMeeting
Lean principles
Queues and total throughput
Variability, innovation, and economic consequences
Batch sizes
Work in progress
Fast feedback
Decentralized control
COBIT 5
URL: http://www.isaca.org/COBIT/Pages/default.aspx
OLD
Service Delivery Models
[Figure: earlier version of the Service Delivery Models table, with rows Applications, Data, O/S and Virtualization across Traditional (on premise), Infrastructure (as a service), Platform (as a service) and Software (as a service), each layer marked Client managed, Jointly managed or Vendor managed]