Cloud Security: Frameworks and Enforcement
SHAWN WELLS
Director, Innovation Programs, U.S. Public Sector
shawn@redhat.com || 443-534-0130
UNCLASSIFIED


35 MINUTES, 2 GOALS
1. Cloud Security Lifecycle
  • Government Certification & Accreditation Models
  • Case Study: Westfield’s MADFW/MITE
2. Enabling Security Technologies
  • Security Content Automation Protocol (SCAP)
  • Containers


WHAT IS THE CLOUD?
• Infrastructure as a Service (IaaS)
  • CIA C2S, NSA MACHINESHOP, ARC-P, Westfield’s MITE
• Platform as a Service (PaaS)
  • DLT CODEvolved, Autonomic ARCWRX
• Software as a Service (SaaS)
  • salesforce.com

IaaS Case Study: Westfield’s MADFW
• Also known as MITE, falls under MID
• Development environment for ~117 tenants
• Anything beyond the operating system is the responsibility of the tenant (applications, continuous monitoring, etc.)
• ICD 503, High/Low/Low

Continuous Monitoring
• NIST 800-53, 800-137, and many other regulations require continuous monitoring
• We’ve been using the SCAP Security Guide
  • Large body of Linux security controls
  • Logically grouped into profiles (e.g. DoD STIG, FISMA Moderate, C2S…)
https://fedorahosted.org/scap-security-guide/

Contributors Include …

Control Tailoring

Sample Output

SCAP Content Repositories
NIST maintains the SCAP content repository for the U.S. Government. Plenty of non-Linux content!
http://web.nvd.nist.gov/view/ncp/repository

MADFW v2: PaaS (via containers)
• Think of the containers as boxes, nodes as the truck
• We don’t care what’s inside the box, it’s just cargo


Multi-tenancy
system_u:system_r:svirt_t:s0:c379,c680
system_u:system_r:svirt_t:s0:c41,c368
RHEL HYPERVISOR (RHEV, OpenStack, KVM, even VMWare…)
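The two labels on the slide are sVirt MCS contexts: each guest gets its own pair of categories, and SELinux lets a guest reach a resource only when the resource's categories are a subset of the guest's. The check below is an added example, not part of the slides; it parses such labels and flags guest pairs that are not isolated. The guest names and the two extra labels (one with a single category, one with none) are constructed to show the failure modes.

```python
import re

# Constructed sample: the two sVirt guest labels from the slide plus two
# hypothetical labels that show the misconfigurations the check should catch.
SAMPLE_LABELS = {
    "guest-a": "system_u:system_r:svirt_t:s0:c379,c680",  # from the slide
    "guest-b": "system_u:system_r:svirt_t:s0:c41,c368",   # from the slide
    "guest-c": "system_u:system_r:svirt_t:s0:c41",        # constructed: subset of guest-b
    "guest-d": "system_u:system_r:svirt_t:s0",            # constructed: no categories at all
}

# user:role:type:sensitivity[:categories]; single-level contexts only (no "s0-s0" ranges).
CONTEXT_RE = re.compile(r"^([^:]+):([^:]+):([^:]+):(s\d+)(?::(c[\d,.c]*))?$")


def parse_categories(label):
    """Return the frozenset of MCS category numbers in an SELinux context.
    Accepts comma lists ('c41,c368') and dotted ranges ('c0.c1023')."""
    m = CONTEXT_RE.match(label)
    if not m:
        raise ValueError(f"not an SELinux context: {label!r}")
    cats = set()
    for part in (m.group(5) or "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition(".")
        start = int(lo[1:])
        end = int(hi[1:]) if hi else start
        cats.update(range(start, end + 1))
    return frozenset(cats)


def mcs_dominates(subject_cats, object_cats):
    """MCS access rule: a subject may touch an object only when the object's
    categories are a subset of its own. A bare 's0' is dominated by every guest."""
    return object_cats <= subject_cats


def check_tenant_isolation(labels):
    """Return sorted (reader, victim) pairs where the reader's label dominates the
    victim's, i.e. SELinux would not stop the reader from reaching resources
    (disk images, sockets) carrying the victim's categories."""
    cats = {name: parse_categories(lbl) for name, lbl in labels.items()}
    leaks = []
    for reader, rc in cats.items():
        for victim, vc in cats.items():
            if reader != victim and mcs_dominates(rc, vc):
                leaks.append((reader, victim))
    return sorted(leaks)


if __name__ == "__main__":
    for reader, victim in check_tenant_isolation(SAMPLE_LABELS):
        print(f"{reader} can reach resources labelled for {victim}")
```

The two slide labels alone produce no findings; the constructed single-category and category-less labels are each reachable from other guests.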
