
Security, Risk Management & Audit in the Crossroads of Agile, DevOps and Cloud Management
Sukumar Nayak, Chief Technologist Cloud Services Integration & Automation
Date Created: 04/21/2015
Date last updated: 07/14/2015
Agenda
Objective: Provide an overview of Agile, DevOps and Cloud Management from Security,
Risk Management and Audit Compliance perspectives.
Scope:
• Motivation
• Agile Development
• The IT Industry Paradigm is Shifting
• DevOps
• Cloud Management
• Tools & Technologies in the New Style IT
• Standards & Compliance Controls
• Implementation best practices for Security & Audit in the Cloud
• Challenges and Opportunities for Security, Risk Management & Audit practices
• Q&A
Audience Poll

What is your primary role at your company?
• Audit, CFO
• Business Services, Executive
• Consultant, Entrepreneur
• Finance, CFO
• Government, Nonprofit Org
• IT Operation, CIO
• Security & Compliance, CISO, CCO
• Technologist, CTO

What is your level of experience with Agile Development?
What is your level of experience with DevOps?
What is your level of experience with Cloud environment?
What is your level of experience with Big Data environment?
(Answer options for each: Evaluating, 1-3 years, 3-5 years, 5+ years)
Motivation

“Companies rarely fail because of poor financial controls, but they fail
frequently due to their inability to understand and address disruptive
technologies, market fluctuations, changing customer expectations, and
competitive pressures.”
2014 Forrester report by Chris McClean, Stephanie Balaouras & Jennie Duong

URL: http://www.metricstream.com/pdf/Extend-compliance-and-risk-Forrester-play-book.pdf
7 W’s of Auditing and Investigations

1. What: What activity occurred? What was the result?
   Key Attributes: Action, Outcome, Type, Reason
2. When: When did the action happen? When was it observed? How long did it take?
   Key Attributes: Universal Timestamp, Time Zone, Duration
3. Who: Who (user/service) initiated the Action?
   Key Attributes: User, ID, Type, Name, Role/Credentials, Assertions
4. Where: Where was the Action observed, reported or modified? What role does the event serve? How was it recorded?
   Key Attributes: User/Observer, ID, Type, Name, Role/Credentials, Location
5. On What: On What resource did the Activity Target?
   Key Attributes: Device/Role ID
6. From Where: From Where was the Action initiated?
   Key Attributes:
   • logical/physical addresses ex: host IP address, server name
   • precise geolocations ex: ISO-6709-2008
7. To Where: To Where was the Action Targeted?
   Key Attributes:
   • logical/physical addresses ex: host IP address, server name
   • precise geolocations ex: ISO-6709-2008
Agile SCRUM
Scrum is an iterative and incremental agile software development methodology for managing product development.

Key concepts

Roles:
• Product Owner
• Scrum Master
• Team Member
• Stakeholder

Artifacts, Ceremonies & Processes:
• Product Vision
• Product Backlog
• Release Backlog
• Sprint Backlog
• User Stories
• User Story Estimation
• Release Burndown
• Sprint Burndown
• Story Board
• Story Points
• Daily Standup Meetings
• Sprint Demo
• Sprint Retrospective
• Capacity
• Velocity
The IT Industry Paradigm is Shifting…

Microservices:
A software architecture style, in which complex applications are composed of small, independent processes communicating with each other using language-agnostic APIs. These services are small, highly decoupled and focus on doing a small task.

Virtualization: Vertical abstraction
Each virtualized application includes the application, the required binaries & libraries, and a Guest OS. The application may be in the order of 10s of MB, however the Guest OS may be in the order of 10s of GB.

Containerization: Horizontal segmentation
Docker Container: The Docker Engine container needs just the application and its dependencies. It runs as an isolated process in userspace on the host OS, sharing the kernel with other containers. Thus, it enjoys the resource isolation & allocation benefits of VMs but is much more portable & efficient.

[Diagram: stack comparison]
• Type 1 Hypervisor: App A / App B, each with its own Bins / Libs and Guest OS; Hypervisor; Server
• Type 2 Hypervisor: App A / App B, each with its own Bins / Libs and Guest OS; Hypervisor; Host OS; Server
• Docker: App A / App B, each with its own Bins / Libs; Docker Engine; Host OS; Server

Kubernetes:
Open source orchestration system (container cluster manager) for Docker containers. It handles scheduling onto nodes in a compute cluster and actively manages workloads to ensure that their state matches the users’ declared intentions. Runs on Public Cloud, Private Cloud, and Bare Metal.

Microservices by James Lewis and Martin Fowler URL: http://martinfowler.com/articles/microservices.html
Containers & VMs Michael Daconta URL: http://www.quora.com/How-is-containerization-different-from-virtualization
The IT Industry Paradigm is Shifting…

Continuous Integration (CI):
A development practice that requires developers to integrate code into a shared repository several times a day. Each check-in is then verified by an automated build, allowing teams to detect problems early.

Continuous Delivery (CD):
A software engineering approach in which teams keep producing valuable software in short cycles and ensure that the software can be reliably released at any time. It is used in software development to automate and improve the process of software delivery.

Continuous Deployment (CD):
The deployment or release of code to Production as soon as it is ready. There is no large batching in Staging nor long UAT process that is directly before Production. Testing is done prior to merging to the Mainline branch and is performed on Production-like environments.

API Management:
The process of publishing, promoting and overseeing application programming interfaces (APIs) in a secure, scalable environment. It also includes the creation of end user support resources that define and document the API.
The IT Industry Paradigm is Shifting…

Cloud Foundry:
Open source cloud computing platform as a service (PaaS) originally developed by VMware and now owned by Pivotal Software, a joint venture by EMC, VMware and General Electric. The Cloud Foundry is primarily written in Ruby and Go.
Comes in 3 flavors:
• Cloud Foundry Open Source Software (OSS)
• Pivotal Cloud Foundry (Pivotal CF)
• Pivotal Web Services (PWS)

DataGravity:
Data gravity is an analogy of the nature of data and its ability to attract additional applications and services. The Law of Gravity states that the attraction between objects is directly proportional to their weight (or mass). Dave McCrory coined the term data gravity to describe the phenomenon in which the number or quantity and the speed at which services, applications, and even customers are attracted to data increases as the mass of the data also increases.

Cloud Foundry URL: http://www.cloudfoundry.org/index.html
DataGravity URL: http://datagravity.com/
Development to Operation: Business Challenges

[Diagram: Development wants faster changes; Operation wants a stable environment. A “Wall of Confusion” separates Development from Operation, and Development tools from Operation tools.]

Traditional IT Challenges: ~70-80% of all downtime is due to changes (self-inflicted wounds)

Traditional delivery pipeline:
Requirements → Design → Code → Test → Package → Release → Deploy to Stage → UAT Test → Deploy to Prod

Often results in:

DevOps URL: http://dev2ops.org/2010/02/what-is-devops/
DevOps
What is DevOps?
DevOps is the practice of operations and development engineers participating together in the entire service lifecycle,
from design through the development process to production support.
DevOps is a software development method that stresses communication, collaboration, integration, automation, and
measurement of cooperation between software developers and other IT professionals.

DevOps Composition:
Development (Software Engineering), Quality Assurance (QA) and IT Operations overlap to form DevOps.

DevOps Motivation: Bring Applications to Customers Faster
• Development: “Be more agile - deliver faster”
• IT Operations: “Be predictable – minimize risk”
• DevOps: Quality, Automation, Collaboration
• Features & code changes → Agile Development → Faster Release, Smaller Packages, with a Feedback loop back to Development

URL: http://theagileadmin.com/what-is-devops/
URL: http://en.wikipedia.org/wiki/DevOps
What is different in DevOps…
Configuration Management:

Traditional CMDB (top to bottom):
• Business Service
• Application
• Web site / Database
• Apache HTTP / Tomcat instance / MySQL DB instance
• HP Server / Linux VM Server
• Rack
• Data Ctr

Cloud environment CMDB (top to bottom):
• Business Service
• Application
• Platform (build) instance
• Hosting platform (e.g. AWS, Google, Rackspace, HP, IBM)
• Location (e.g. EMEA, AMS, APJ)
• Zone
• Data Ctr
Further details (e.g. web, app, DB nodes, IPs, software versions) live in the automation/CD toolchain.

Adapted from Torsten Rueter at URL: https://www.linkedin.com/pulse/devops-itil-match-made-heaven-hell-part-1-torsten-rueter
What is different in DevOps…
Release and Change Management:

URL: https://www.chef.io/solutions/continuous-delivery/

Incident Management: DevOps changes primarily who gets involved in Incident Mgmt at which stage and what their stake is in the process. An even bigger impact may be achieved by ensuring there’s the right culture and mindset that puts customers, service, reliability, and quick mean time to repair (MTTR) at the center of the approach.

Event Management, Monitoring & Logging: The key difference is that the complexity, scale, and speed in DevOps make it imperative to focus on Internet Scale vs. Enterprise Scale solutions.

Adapted from Torsten Rueter at URL: https://www.linkedin.com/pulse/devops-itil-match-made-heaven-hell-part-1-torsten-rueter
DevOps Success Factors

Three pillars:
• Technology (Continuous Assessment & Adjust): Continuous Integration, Continuous Testing, Continuous Delivery, Continuous Deployment, Continuous Performance
• Process: Planning, Governance, Lifecycle Management, Release Automation
• Culture: Collaboration, Accountability

DevOps Success factors:
• Culture, Collaboration & Mindset
• Effective Team Collaboration
• Identify & Eliminate Waste
• Improve Automation Efficiencies for Internet Scale
• Unified Processes for Development to Operations
• Unified Tooling (Key Capabilities)
  • Version-control software library
  • Deeply modeled systems
  • Automation
• Key Industry dynamics:
  • Infrastructure as code
  • Model driven automation
  • Continuous integration (CI)
  • Continuous deployment (CD)
DevOps Best Practices
Practice 1: Active Stakeholders Participation
Practice 2: Automated Testing
Practice 3: Integrated Configuration Management
Practice 4: Integrated Change Management
Practice 5: Continuous Integration
Practice 6: Integrated Deployment Planning
Practice 7: Continuous Deployment
Practice 8: Production Support
Practice 9: Application Monitoring
Practice 10: Automated Dashboards

The Road to DevOps (from the bottom step up):
1. Execs Commitment
2. Cloud Platform
3. Standardization
4. Interoperability & Automation
5. Process Optimization
6. Organization Culture

URL: http://www.drdobbs.com/architecture-and-design/top-10-practices-for-effective-devops/240149363
DevOps lifecycle

DevOps domains:
• Planning
• Issue Tracking
• Collaboration
• Source Control
• Development Environment
• Continuous Integration
• Continuous Deployment / Delivery
• Configuration Management
• Operations Management
• Monitoring
Sample of DevOps Tools and Technologies
• Plan: HP Agile Manager, HP PPM, MS Project, Trello
• Develop / Build: Git, CVS, MS TFS, Vagrant, Cloud 9 IDE, Codenvy
• Continuous Integration: TeamCity, TravisCI, Jenkins, BuildHive
• Test: HP Quality Center, Ant, Gradle, Maven, ThoughtWorks Go
• Continuous Delivery/Deploy: HP CODAR, HP OO, SA, NA, DMA, NNMi, Docker, CoreOS, Packer, Octopus, Capistrano
• Issue Tracking: HP SM & SAW, HP Quality Center, MS Visual Studio Online, Jira, ZenDesk, Artifactory
• Monitoring: HP vPV, HP OMi, HP BSM, HP Site Scope, HP Performance Manager, Graphite, Logstash, Cloudyn, New Relic
• Configuration Management: HP CMS, Puppet, Chef, CFEngine, Ansible, SaltStack, PowerShell DSC, Ubuntu Juju
• Analyze: HP Fortify, HP ArcSight, Splunk, SonarCube, Kibana, logentries
• Collaboration: HP MyRoom, Campfire, Slack, IRC, SharePoint, GoToMeeting
Cloud Management Tools, Technologies & Companies
• Cost/Chargeback: HP Cloud Sys Chargeback, Newvem/Datapipe, Cloudability, Cloudyn, Cloud Cruiser
• Automation & Provisioning: HP CSA, SA, NA, DMA, Chef, Puppet, RightScale, enStratius/Dell, GigaSpaces
• Integration: Dell Bhoomi, Azure, IBM / Cast Iron, Amazon SQS, Informatica, TIBCO, MuleSoft
• Management Platform Technologies: HP Helion, IBM, BMC, CA, vRealize/VMWare, ServiceMesh/CSC, Capgemini, AWS, OpenStack
Security Management Tools, Technologies & Companies
• Cyber Security: Palo Alto Networks, Proofpoint, Guidance Software, Fireeye, Check Point Technologies, Lancope, Alienvault
• Compliance: ClearWater, RSA/EMC, Norse, Blue Coat, Akamai, Trend Micro, Qualys, HP ESS, IBM ESS, F5, F-Secure
• Investigation Management: Column Case Management, Perspective, i-Sight, Report Exec, EHSInsight, logikcull, HRAcuity, Investigate
• Computer Security: Intel Security, Symantec, AVG
• Network Security: Beyond Security, AT&T Network Sec, Bradford Networks, Cisco, Bayshore Networks
Service Delivery Models

Who manages each layer, by delivery model:

Layer            Traditional (on premise)  Infrastructure (as a Service)  Platform (as a Service)  Software (as a Service)
User Experience  Client managed            Client managed                 Client managed           Jointly managed
Applications     Client managed            Client managed                 Client managed           Vendor managed
Data             Client managed            Client managed                 Client managed           Vendor managed
Devl Tools       Client managed            Client managed                 Vendor managed           Vendor managed
Runtime          Client managed            Client managed                 Vendor managed           Vendor managed
Middleware       Client managed            Client managed                 Vendor managed           Vendor managed
O/S              Client managed            Client managed                 Vendor managed           Vendor managed
Virtualization   Client managed            Vendor managed                 Vendor managed           Vendor managed
Servers          Client managed            Vendor managed                 Vendor managed           Vendor managed
Storage          Client managed            Vendor managed                 Vendor managed           Vendor managed
Networking       Client managed            Vendor managed                 Vendor managed           Vendor managed
Cloud Actors
• Cloud Consumer: Person or organization that maintains a business relationship with, and uses
service from, Cloud Providers.
• Cloud Provider: Person, organization or entity responsible for making a service available to
Cloud Consumers.
• Cloud Auditor: A party that can conduct independent assessment of cloud services,
information system operations, performance and security of the cloud implementation.
• Cloud Broker: An entity that manages the use, performance and delivery of cloud services, and
negotiates relationships between Cloud Providers and Cloud Consumers.
• Cloud Carrier: The intermediary that provides connectivity and transport of cloud services from
Cloud Providers to Cloud Consumers.
Cloud Services Integration and Management (CSIM/CSIAM)

Business Support:
• Customer Mgmt
• Contract Mgmt
• Inventory Mgmt
• Accounting & Billing
• Reporting & Auditing
• Pricing, Costing & Rating

Operations Support:
• IT Operations
• Service Delivery
• Service Support
• Service Catalog/Request Management
• Service Assets & Configuration Mgmt
• Event Management
• Monitoring
• Incident Management
• Problem Management
• Knowledge Mgmt
• Change Management
• Release Management
• Availability & Capacity Mgmt
• SLA Management
• Security Management

Provisioning/Configuration:
• Rapid Provisioning & Fulfillment
• Resource Change
• Monitoring & Reporting
• Metering

Integration (Portability & Interoperability):
• Data Management: Data Portability, Copy Data, Bulk Data Transfer
• Service Interoperability: Unified Management Interface
• Systems Portability: VM Images Migration, App/SVC Migration, Containers Migration

Governance, Security & Risk Management:
• Governance, Risk Mgmt & Controls

Actors: Cloud Consumers, Cloud Brokers, Cloud Auditors, Service Providers
Services: Facility, Data Ctr, Network, Storage, Workload, Workplace, Security
OpenStack key components
• Dashboard (Horizon)
• Database (Trove)
• Bare Metal Provisioning (Ironic)
• Messaging (Zaqar)
• Elastic Map Reduce (Sahara)
• Telemetry (Ceilometer)
• Orchestration (Heat)
• Identity Management (Keystone)
• Image Management (Glance)
• Object Storage (Swift)
• Block Storage (Cinder)
• Networking (Neutron)
• Compute (Nova)
Sample Standards and Compliance Controls
• Cloud Security Alliance Cloud Control Matrix (CSA CCM 3.0.1)
• NIST SP 800-53 Rev. 4
• NIST Cybersecurity Framework
• ISO/IEC 27002
• FISMA and FedRAMP
• Meaningful Use, HITECH and HIPAA
• CoBIT 5
• ITIL v3 / 2011
• Payment Card Industry Data Security Standard (PCI DSS 3.1)
• Distributed Management Task Force (DMTF)
• Cloud Infrastructure Management Interface (CIMI)
• Cloud Auditing Data Federation (CADF)

Sample Standards and Compliance Controls

• CSA Cloud Controls Matrix 3.0.1
• Distributed Management Task Force (DMTF)
  • Cloud Auditing Data Federation (CADF) Standard
  • Cloud Infrastructure Management Interface (CIMI)
• PCI DSS 3.1
• NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations
• NIST Cybersecurity Framework
• ISO/IEC 27002:2013 Information technology. Security techniques. Code of practice for information security controls
Cloud Security Alliance TCI Reference Architecture

Legend:
CSA: Cloud Security Alliance
TCI: Trusted Cloud Initiative
Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI_Whitepaper.pdf
Cloud Security Alliance TCI Reference Architecture

BOSS Services:
• Compliance
• Data Governance
• Operational Risk Management
• Human Resources Security
• Security Monitoring Services
• Legal Services
• Internal Investigation

SRM Services:
• Governance Risk and Compliance
• Information Security Management
• Privilege Management Infrastructure
• Threat and Vulnerability Management
• Infrastructure Protection Services
• Data Protection
• Policies and Standards

ITOS Services:
• IT Operations
• Service Delivery
• Service Support
• Incident Management
• Problem Management
• Knowledge Management
• Change Management
• Release Management

Presentation Services:
• Presentation Modality
• Presentation Platform

Application Services:
• Development Process
• Security Knowledge Lifecycle
• Programming Interfaces
• Integration Middleware
• Connectivity & Delivery
• Abstraction

Information Services:
• User Directory Services
• Security Monitoring Data Management
• Service Delivery Data Management
• Service Support Data Management
• Data Governance Data Management
• Risk Management Data Management
• ITOS Data Management
• BOSS Data Management
• Reporting Services

Infrastructure Services:
• Facility Services
• Servers
• Storage Services
• Network Services
• Availability Services
• Patch Management
• Equipment Maintenance
• Virtualization (Desktop, Storage, Server, Network)

Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI_Whitepaper.pdf
CSA Cloud Control Matrix CCM v3.0.1 16 Domains 133 Controls
1. AIS: Application & Interface Security (4)
2. AAC: Audit Assurance & Compliance (3)
3. BCR: Business Continuity Management & Operational Resilience (11)
4. CCC: Change Control & Configuration Management (5)
5. DSI: Data Security & Information Lifecycle Management (7)
6. DCS: Datacenter Security (9)
7. EKM: Encryption & Key Management (4)
8. GRM: Governance and Risk Management (11)
9. HRS: Human Resources (11)
10. IAM: Identity & Access Management (13)
11. IVS: Infrastructure & Virtualization Security (13)
12. IPY: Interoperability & Portability (5)
13. MOS: Mobile Security (20)
14. SEF: Security Incident Management, E-Discovery & Cloud Forensics (5)
15. STA: Supply Chain Management, Transparency and Accountability (9)
16. TVM: Threat and Vulnerability Management (3)
(Number of controls) for each Domain

Legend:
CSA: Cloud Security Alliance
CCM: Cloud Control Matrix
Source: https://cloudsecurityalliance.org/research/ccm/
NIST SP 800-53 Rev. 4 Security and Privacy Controls

Risk Management Framework (RMF) Security Life Cycle

Starting Point inputs:
• Architecture Description: Reference Models; Segment and Solution Architectures; Information System Boundaries
• Organizational Inputs: Mission/Business Processes; Laws, Directives, Policy, Guidance; Strategic Goals and Objectives; Information Security Requirements; Priorities and Resource Availability

1. CATEGORIZE Information Systems: Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
2. SELECT Security Controls: Select baseline security controls, apply tailoring guidance and supplement controls as needed based on risk assessment.
3. IMPLEMENT Security Controls: Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
4. ASSESS Security Controls: Determine security control effectiveness (i.e. controls implemented correctly, operating as intended, meeting security requirements for information system).
5. AUTHORIZE Information Systems: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
6. MONITOR Security Controls: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.

Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
NIST SP 800-53 Rev. 4 Security and Privacy Controls

Identifier  Family                                  Class  Ctrls
AC          Access Control                          Tech   25
AT          Awareness and Training                  Ops    5
AU          Audit and Accountability                Tech   16
CA          Security Assessment and Authorization   Mgmt   9
CM          Configuration Management                Ops    11
CP          Contingency Planning                    Ops    13
IA          Identification and Authentication       Tech   11
IR          Incident Response                       Ops    10
MA          Maintenance                             Ops    6
MP          Media Protection                        Ops    8
PE          Physical and Environmental Protection   Ops    20
PL          Planning                                Mgmt   9
PS          Personnel Security                      Ops    8
RA          Risk Assessment                         Mgmt   6
SA          System and Services Acquisition         Mgmt   22
SC          System and Communications Protection    Tech   44
SI          System and Information Integrity        Ops    17
PM          Program Management                      Mgmt   16

Legend:
Tech: Technical  Ops: Operational  Mgmt: Management  Ctrls: Number of Controls
Ref: URL: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
NIST SP 800-53 Rev. 4 Security and Privacy Controls

Technical: (4)
• AC: Access Control
• AU: Audit and Accountability
• IA: Identification and Authentication
• SC: System and Communications Protection

Management: (5)
• CA: Security Assessment and Authorization
• RA: Risk Assessment
• SA: System and Services Acquisition
• PL: Planning
• PM: Program Management

Operational: (9)
• AT: Awareness and Training
• CM: Configuration Management
• CP: Contingency Planning
• IR: Incident Response
• MA: Maintenance
• MP: Media Protection
• PE: Physical and Environmental Protection
• PS: Personnel Security
• SI: System and Information Integrity
NIST Cybersecurity Framework version 1.0

[Figure: number of subcategories per Framework category; the totals shown per function are 24, 35, 18, 15 and 6]

Source: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
ISO/IEC 27002:2015

Source URL: http://iso27001security.com/html/27002.html
URL: http://iso27001security.com/html/iso27k_toolkit.html
FISMA & FedRAMP

Number of NIST 800-53 controls per baseline:
• FedRAMP: 125 Low, 326 Moderate, N/A High (FedRAMP layers Additional Controls on top of NIST 800-53)
• FISMA: 124 Low, 261 Moderate, 343 High

FedRAMP:
• Federal Risk and Authorization Management Program (FedRAMP)
• A government-wide program leveraging a “do once, use many times” framework (not legislation)
• Provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services
• Purpose: Ensure that cloud based services have adequate information security; Eliminate duplication of effort and reduce risk management costs; Enable rapid and cost-effective procurement of information systems/services for Federal agencies
• GSA oversees and Accredited 3PAOs validate proposed offers before GSA approves

FISMA:
• Federal Information Security Management Act (FISMA)
• United States legislation (not an agency program)
• A comprehensive framework to protect government information, operations and assets against natural or man-made threats
• Assigns responsibilities to various agencies to ensure the security of data
• Managed by individual agencies
• Requires annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels

Note: 3rd party assessment organizations (3PAOs)
URL: http://csrc.nist.gov/groups/SMA/forum/documents/FedRAMP-Goodrich-020912.pdf
URL: http://1105govinfoevents.com/custom/Face-to-Face/2-15/FISMA-FedRAMP-Controls-and-Authorization-Differences-Whitepaper-Coalfire.pdf
Meaningful Use, HITECH & HIPAA

Overview:
• HIPAA: Health Insurance Portability and Accountability Act (1996): Privacy, Security, Enforcement
• HITECH: Health Information Technology for Economic and Clinical Health (2009): 15 measure groups; 25 criteria & measures for meaningful use
• Meaningful Use: Meaningful Use guidelines for Electronic Health Records (2010): 15 core measures; 10 menu set objectives

HIPAA:
• Health Insurance Portability and Accountability Act (HIPAA) of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs.

HITECH:
• The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.

Meaningful Use:
• Using certified electronic health record (EHR) technology to: Improve quality, safety, efficiency, and reduce health disparities. Engage patients and family. Improve care coordination, and population and public health. Maintain privacy and security of patient health information.

URL: http://www.hhs.gov/ocr/privacy/hipaa/understanding/
URL: http://pitchengine.com/pitches/9bbbb1a7-9fd0-4fcf-81ce-a397f82fd99a
URL: https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/downloads/EP-MU-TOC.pdf
URL: http://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title45/45cfr164_main_02.tpl
COBIT 5

Source URL: http://www.isaca.org/COBIT/Pages/default.aspx
COBIT 5

Governance: Evaluate, Direct and Monitor (EDM) 5
• EDM01 Ensure Governance Framework Setting and Maintenance
• EDM02 Ensure Benefits Delivery
• EDM03 Ensure Risk Optimization
• EDM04 Ensure Resource Optimization
• EDM05 Ensure Stakeholder Transparency

Management: Align, Plan and Organize (APO) 13
• APO01 Manage the IT Management Framework
• APO02 Manage Strategy
• APO03 Manage Enterprise Architecture
• APO04 Manage Innovation
• APO05 Manage Portfolio
• APO06 Manage Budget and Costs
• APO07 Manage Human Resources
• APO08 Manage Relationships
• APO09 Manage Service Agreements
• APO10 Manage Suppliers
• APO11 Manage Quality
• APO12 Manage Risk
• APO13 Manage Security

Management: Build, Acquire and Implement (BAI) 10
• BAI01 Manage Programs and Projects
• BAI02 Manage Requirements Definition
• BAI03 Manage Solutions Identification and Build
• BAI04 Manage Availability and Capacity
• BAI05 Manage Organizational Change Enablement
• BAI06 Manage Changes
• BAI07 Manage Change Acceptance and Transitioning
• BAI08 Manage Knowledge
• BAI09 Manage Assets
• BAI10 Manage Configuration

Management: Deliver, Service and Support (DSS) 6
• DSS01 Manage Operations
• DSS02 Manage Service Requests and Incidents
• DSS03 Manage Problems
• DSS04 Manage Continuity
• DSS05 Manage Security Services
• DSS06 Manage Business Process Controls

Management: Monitor, Evaluate and Assess (MEA) 3
• MEA01 Monitor, Evaluate and Assess Performance and Conformance
• MEA02 Monitor, Evaluate and Assess the System of Internal Control
• MEA03 Monitor, Evaluate and Assess Compliance with External Requirements

Ref URL: http://www.isaca.org/COBIT/Pages/default.aspx
ITIL 2011

Service Strategy (SS) 5 Processes
• Business relationship management
• Financial management for IT services
• Service portfolio management
• Strategy for IT services
• Demand management

Service Design (SD) 8 Processes
• Design coordination
• Service catalog management
• Service level management
• IT Service continuity management
• Supplier management
• Availability management
• Capacity management
• IT Security management

Service Transition (ST) 7 Processes
• Transition planning & support
• Change management
• Change evaluation
• Service validation & testing
• Service asset & configuration management
• Release & deployment management
• Knowledge management

Service Operation (SO) 5 Processes
• Event management
• Incident management
• Problem management
• Request management
• Access management
4 Functions:
• Service desk
• Technical management
• IT Operations management
• Application management

Continual Service Improvement (CSI) 1 Process
• 7 steps improvement process
ITIL v3 Value Chain (Level 1)

Service Strategy (SS):
• Business Relationship Management
• Management of IT Service Strategy
• Demand Management
• Service Portfolio Management (SPM)
• Financial Management (FM)

Service Design (SD):
• Service Design Coordination
• Service Level Management (SLM)
• Capacity Management
• Availability Management
• Risk Management
• Security Management
• Service Continuity Management
• Supplier Management
• Service Catalog Management

Service Transition (ST):
• Transition Planning and Support
• Change Management
• Change Evaluation
• Release & Deployment Mgmt
• Service Validation and Test
• Service Asset and Configuration Mgmt
• Application Devl & Customizing
• End of Life for IT Services
• Knowledge Management

Service Operations (SO):
• Event Management
• Incident Management
• Problem Management
• Access Management
• Service Request Management
• Operations Control

Continual Service Improvements (CSI):
• Service Evaluation
• Process Management
• Improvement Mgmt & Reporting
Payment Card Industry Data Security Standard PCI DSS 3.1

12 High level requirements (number of detailed requirements in parentheses):

Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data (20)
2. Do not use vendor-supplied defaults for system passwords and other security parameters (10)

Protect Cardholder Data
3. Protect stored cardholder data (18)
4. Encrypt transmission of cardholder data across open, public networks (3)

Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs (5)
6. Develop and maintain secure systems and applications (28)

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know (10)
8. Identify and authenticate access to system components (23)
9. Restrict physical access to cardholder data (27)

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data (32)
11. Regularly test security systems and processes (16)

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel (39)

12 Requirements; 231+ Detailed reqs; 5 reqs for Shared Hosting Providers
Source PCI DSS Standards URL: https://www.pcisecuritystandards.org
DMTF Cloud Auditing Data Federation (CADF) Standard
Defines a full event model anyone can use to fill in the essential data needed to certify, self-manage
and self-audit application security in cloud environments. CADF is part of the DMTF’s Cloud
Management Initiative.

Auditing using a standard such as CADF has many benefits:
• Create and request customized views for Audit & Compliance data
• Track regional, industry and corporate policy compliance using standardized APIs / Reports
• Key event data is normalized and categorized to support auditing of hybrid Cloud applications
• CADF assures consistent mappings across cloud components and cloud providers
• Format is agnostic to the underlying provider infrastructure
• Provides transparency for low-level operational processes
Customer Benefits:
• Ability to self manage auditing of their data
• Similar reports from different Cloud service providers
• Aggregate audit data from different Clouds / Partners
• Auditing processes & tools unchanged
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Cloud Auditing Data aggregated from multiple sources
Figure: Company A’s Auditor and Company A’s OSS/BSS Processes use standard APIs for requesting Audit Data. Standard Audit Data (Logs and Reports) is aggregated from Company A’s Hybrid Applications running at Cloud Provider P1 and at Cloud Provider P2.
OSS: Operational Support Services
BSS: Business Support Services
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Example: 7 essential W’s of auditing and monitoring
Distributed Management Task Force (DMTF) Cloud Auditing Data Federation (CADF)
CADF Event Model and its components
• Works for any Activity, Monitoring or Control event
• Provides guidance on how to record Basic, Detailed or Precise information for each component

1. What: What activity occurred? What was the result?
   event.action, event.outcome, event.type (activity, monitoring, control), event.reason (ex: security, reason code, policy id)
2. When: When did the action happen? When was it observed? How long did it take? ISO 8601 transaction timestamp.
   event.eventTime, reporter.timestamp, event.duration
3. Who: Who (user/service) initiated the Action?
   initiator.id (id, name), initiator.type, initiator.credential, initiator.credential.assertions
4. Where: Where was the Action observed, reported or modified? What role does the event serve? How was it recorded?
   observer.id, observer.type, reporterstep.role, reporterstep.reporterTime
5. On What: On what resource did the Activity target?
   target.id
6. From Where: From where was the Action initiated? May include logical/physical addresses and ISO 6709:2008 precise geolocations.
   initiator.addresses, initiator.host, initiator.geolocation
7. To Where: To where was the Action targeted? Can be as simple as an IP address or server name.
   target.addresses, target.host, target.geolocation

Figure: CADF Event Model: Basic and conditional model components. Legend: properties shown in italics on the original slide are optional.
Source: http://dmtf.org/sites/default/files/standards/documents/DSP2038_1.0.0.pdf
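As an added example (not from the slides or the DMTF specification), the following Python normalizes two constructed audit records from hypothetical providers P1 and P2 onto the 7-W components above, flags any mandatory component that is missing or malformed, and aggregates the result across providers in the way the earlier aggregation diagram describes. Property names use the slide’s dotted notation (event.action, initiator.id, ...) as flat dictionary keys rather than the normative DSP0262 JSON schema.

```python
"""Normalize provider audit records onto the CADF 7 W's and check completeness.

Added example, not from the slides or the DMTF specification: the slide's dotted
notation (event.action, initiator.id, ...) is used directly as flat dictionary keys.
"""
from collections import Counter
from datetime import datetime

# Constructed sample records from two hypothetical providers with different log shapes.
P1_RECORD = {"ts": "2015-07-14T10:02:11Z", "user": "svc-billing", "op": "delete",
             "ok": False, "obj": "volume/vol-0042", "src_ip": "10.1.2.3", "node": "p1-api-01"}
P2_RECORD = {"time": "2015-07-14T10:05:40+00:00", "actor_id": "alice", "verb": "read",
             "status": "success", "resource": "bucket/finance", "client": "192.0.2.7"}

# Components an auditor needs to answer What, When, Who, Where and On What.
REQUIRED = ("event.type", "event.action", "event.outcome", "event.eventTime",
            "initiator.id", "target.id", "observer.id")


def from_p1(rec):
    """Map P1's log shape onto the 7 W's; the API node that logged it is the observer."""
    return {"event.type": "activity", "event.action": rec["op"],
            "event.outcome": "success" if rec["ok"] else "failure",
            "event.eventTime": rec["ts"], "initiator.id": rec["user"],
            "initiator.addresses": rec["src_ip"], "target.id": rec["obj"],
            "observer.id": rec["node"]}


def from_p2(rec):
    """Map P2's log shape; P2 does not log the observing host, so observer.id may be None."""
    return {"event.type": "activity", "event.action": rec["verb"],
            "event.outcome": rec["status"], "event.eventTime": rec["time"],
            "initiator.id": rec["actor_id"], "initiator.addresses": rec["client"],
            "target.id": rec["resource"], "observer.id": rec.get("host")}


def validate(event):
    """Return the sorted list of required components that are missing or malformed."""
    problems = {k for k in REQUIRED if not event.get(k)}
    try:  # the When component must be an ISO 8601 timestamp
        datetime.fromisoformat((event.get("event.eventTime") or "").replace("Z", "+00:00"))
    except ValueError:
        problems.add("event.eventTime")
    return sorted(problems)


def aggregate(events):
    """Count normalized events by (action, outcome) across all providers."""
    return Counter((e["event.action"], e["event.outcome"]) for e in events)
```

Running validate() on the P2 record reports only observer.id, which is exactly the gap an auditor would raise with that provider before its logs can be federated.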
Challenges & Opportunities in Cloud Management
• Transparency is Crucial
• Regulations can’t keep up
• Need for continuous real-time security audits & monitoring
• Bridge the gaps between the academic world innovations and the business world
• Security requires a Big Picture approach
• BYOD brings additional challenges
• Bare-metal security features are not available in virtual world
• Accidental key sharing in appliances
• Leave security implementations to the experts
• Data partitioning for hybrid clouds
• Do consumers care? i.e. willing to pay
• Products can end up being used in industries they aren't designed for
• Security guarantees are impossible to "prove"
Source John Wetherill URL: http://www.activestate.com/blog/2015/02/locking-down-cloud-18-security-issues-faced-enterprise-it
Source URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm
Challenges & Opportunities in Cloud Management
• Containers and portable VM snapshots are too portable
• Encryption efforts are vulnerable if physical access to a machine is available
• Controlling physical access to the data center is not enough
• Privacy and security are at odds
• Lack of control over assets and physical security
• Integration and Interoperability of systems / API Management
• Who controls the encryption/decryption keys for data in store & in transit?
• Lack of standard for data integrity
• Virtual machines / Containers transition between Private to Public to Hybrid environments
• Establishing and Management of Service Level Agreements (SLA)
• Usage based Costing, Invoicing & Chargeback
• Data migration in and out of the Cloud Service Provider
• Plan for an exit strategy from the beginning
Source John Wetherill URL: http://www.activestate.com/blog/2015/02/locking-down-cloud-18-security-issues-faced-enterprise-it
Source URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm
Reference URLs
• Cloud Standards Customer Council (CSCC) Cloud Security Standards
• Cloud Auditing Data Federation
• NIST Cloud Computing Standards Roadmap
• Detailed CSA TCI Reference Architecture
• Payment Card Industry (PCI) Data Security Standards (DSS) Guidelines
• OpenStack wiki
• OpenStack Main Page
• OpenStack Developers Guides
• Cloud Audit Data Federation - OpenStack Profile
• Cloud Auditing Data Federation (CADF) - 5 Data Format and Interface Definitions Specification (DSP0262_1.0.0)
• CADF Event Model and Taxonomies
• NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
• URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm
• CRCnetBASE: http://www.crcnetbase.com/action/showPublications?display=bySubject&category=40001730&collapse=40001730
• FedRAMP: https://www.fedramp.gov/
• FISMA: http://www.dhs.gov/federal-information-security-management-act-fisma
References & Credits
Conclusion
• Migration to Cloud will continue due to the efficiencies and economics.
• Cloud is all about services and service delivery.
• The Cloud is only worth the services it delivers securely.
• Cloud is all about a hybrid world.
• Security, Risk Management & Audit practices are at the center for Agile, DevOps, and Cloud
Management transformation.
sukumar.nayak@hp.com
sukumar.nayak@gmail.com
240.506.2305
linkedin.com/in/sukumarnayak/
Backup
Open Security Architecture
Open Security Architecture URL: http://www.opensecurityarchitecture.org/cms/foundations/osa-taxonomy
DevOps & Cloud: Key is Automated Provisioning
Fully automated provisioning: the ability to deploy, update, and repair application
infrastructure using only pre-defined automated procedures.

Criteria for achieving fully automated provisioning:
• Be able to automatically provision an entire environment — from “bare-metal” to running business services — completely from specification
• No direct management of individual boxes
• Be able to revert to a “previously known good” state at any time
• It’s easier to re-provision than it is to repair
• Anyone on your team with minimal domain-specific knowledge can deploy or update an environment
Extending the scope and value delivered by GRC & ERM
Ref: 2014 Forrester report by Chris McClean, Stephanie Balaouras & Jennie Duong
Source URL: http://www.metricstream.com/pdf/Extend-compliance-and-risk-Forrester-play-book.pdf
DevOps Maturity Model
Source HP: http://h30499.www3.hp.com/t5/Business-Service-Management-BAC/DevOps-and-OpsDev-How-Maturity-Model-Works/ba-p/6042901#.VWJZ0k3bKM8
Sample of DevOps Tools and Technologies (by pipeline stage)
• Plan: HP Agile Manager, HP PPM, MS Project, Trello
• Develop / Build: Git, CVS, MS TFS, Vagrant, Cloud 9 IDE, Codenvy
• Continuous Integration (CI): TeamCity, TravisCI, Jenkins, BuildHive
• Test: HP Quality Center, Ant, Gradle, Maven
• Continuous Delivery / Deploy (CD): HP CODAR; HP OO, SA, DMA, NA, NNMi; Docker; CoreOS Rocket; Packer; Octopus; ThoughtWorks Go; Capistrano; Artifactory
Sample of DevOps Tools and Technologies (by operational function)
• Issue Tracking: HP SM & SAW, HP Quality Center, Jira, ZenDesk, MS Visual Studio Online
• Monitoring: HP SiteScope; HP vPV, HP OMi, HP BSM; Performance Manager; Graphite; Logstash; Cloudyn; New Relic (APM & Server)
• Configuration Management: HP CMS (UD & CMDB), Puppet, Chef, CFEngine, Ansible, SaltStack, PowerShell DSC, Ubuntu Juju
• Analyze: HP ArcSight, HP Fortify, Splunk, SonarQube, Kibana, logentries
• Collaboration: HP MyRoom, Campfire, Slack, IRC, SharePoint, GoToMeeting
Lean principles
• Queues and total throughput
• Variability, innovation, and economic consequences
• Batch sizes
• Work in progress
• Fast feedback
• Decentralized control
COBIT 5
URL: http://www.isaca.org/COBIT/Pages/default.aspx
Service Delivery Models
Stack layers, top to bottom: User Experience, Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking.
• TRADITIONAL (ON PREMISE), the OLD model: every layer is CLIENT MANAGED
• INFRASTRUCTURE (AS A SERVICE): User Experience through O/S are CLIENT MANAGED; Virtualization, Servers, Storage and Networking are VENDOR MANAGED
• PLATFORM (AS A SERVICE): User Experience, Applications and Data are CLIENT MANAGED; Runtime through Networking are VENDOR MANAGED
• SOFTWARE (AS A SERVICE): User Experience is JOINTLY MANAGED; Applications through Networking are VENDOR MANAGED
Definitions of Key Terms & Acronyms
• ADFS: Active Directory Federated Services
• CADF: Cloud Auditing Data Federation
• CSA: Cloud Security Alliance
• CSCC: Cloud Standards Customer Council
• Continuous Integration (CI)
• Continuous Deployment / Continuous Delivery (CD)
• DMTF: Distributed Management Task Force
• ENISA: European Network and Information Security Agency
• GRC: Global Regulatory Compliance
• LDAP: Lightweight Directory Access Protocol
• NIST: National Institute of Standards and Technology
• NIST CC SRA: Cloud Computing Standard Reference Architecture
• Payment Card Industry Data Security Standard (PCI DSS)
• SAML: Security Authorization Markup Language
• SCIM: System for Cross-domain Identity Management
• SLA: Service Level Agreement
• SLO: Service Level Objectives
• SSAE 16: Statement on Standards for Attestation Engagements (SSAE) No. 16
• XACML: eXtensible Access Control Markup Language
• SAFe: Scaled Agile Framework