Cloud Security: Frameworks and Enforcement

A presentation at Intelligence Community Cloud Day in April 2014 in Chantilly, VA, USA by Shawn Wells

Slide 1

Cloud Security: Frameworks and Enforcement

SHAWN WELLS
Director, Innovation Programs, U.S. Public Sector
shawn@redhat.com || 443-534-0130

UNCLASSIFIED

Slide 2

35 MINUTES, 2 GOALS

Slide 3

35 MINUTES, 2 GOALS

1. Cloud Security Lifecycle
   • Government Certification & Accreditation Models
   • Case Study: Westfield’s MADFW/MITE

Slide 4

35 MINUTES, 2 GOALS

1. Cloud Security Lifecycle
   • Government Certification & Accreditation Models
   • Case Study: Westfield’s MADFW/MITE
2. Enabling Security Technologies
   • Security Content Automation Protocol (SCAP)
   • Containers

Slide 5

WHAT IS THE CLOUD?

• Infrastructure as a Service (IaaS)
  • CIA C2S, NSA MACHINESHOP, ARC-P, Westfield’s MITE

Slide 6

WHAT IS THE CLOUD?

• Infrastructure as a Service (IaaS)
  • CIA C2S, NSA MACHINESHOP, ARC-P, Westfield’s MITE
• Platform as a Service (PaaS)
  • DLT CODEvolved, Autonomic ARCWRX

Slide 7

WHAT IS THE CLOUD?

• Infrastructure as a Service (IaaS)
  • CIA C2S, NSA MACHINESHOP, ARC-P, Westfield’s MITE
• Platform as a Service (PaaS)
  • DLT CODEvolved, Autonomic ARCWRX
• Software as a Service (SaaS)
  • salesforce.com

Slide 8

Slide 9

Slide 10

Slide 11

Slide 12

Slide 13

IaaS Case Study: Westfield’s MADFW

• Also known as MITE, falls under MID
• Development environment for ~117 tenants
• Anything beyond the operating system is the responsibility of the tenant (applications, continuous monitoring, etc.)
• ICD 503, High/Low/Low

Slide 14

Continuous Monitoring

• NIST 800-53, 800-137, and many other regulations require continuous monitoring
• We’ve been using the SCAP Security Guide
  • Large body of Linux security controls
  • Logically grouped into profiles (e.g. DoD STIG, FISMA Moderate, C2S…)

https://fedorahosted.org/scap-security-guide/
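The continuous-monitoring loop the slide describes ends with a scanner producing XCCDF results for the chosen profile, and something has to read those results and decide what needs attention. The following is an added example, not code from the talk or from the SCAP Security Guide project. It assumes the XCCDF 1.2 results layout that OpenSCAP-style scanners emit (a `TestResult` holding `rule-result` elements with an `idref` and a `result`); the benchmark, profile and rule identifiers in the embedded sample are constructed for the example and are not real SCAP Security Guide IDs.

```python
"""Summarise an XCCDF results document from an SCAP scan.

Added example for the continuous-monitoring slide; not code from the
presentation or from the SCAP Security Guide. Assumes the XCCDF 1.2
result layout (TestResult > rule-result > result). All identifiers in
SAMPLE_RESULTS are constructed, not real rule IDs.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample of what a small TestResult block looks like after a scan.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <TestResult id="xccdf_example_testresult_demo"
              start-time="2014-04-01T10:00:00" end-time="2014-04-01T10:01:00">
    <profile idref="xccdf_example_profile_moderate"/>
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_enabled" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_aide_installed" severity="medium">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_fips_mode" severity="high">
      <result>fail</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

# Outcomes that say nothing about compliance and are left out of the ratio.
NOT_EVALUATED = ("notapplicable", "notselected", "notchecked")


def parse_rule_results(xml_text):
    """Return (rule_id, severity, result) tuples from an XCCDF results document."""
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF_NS}
    rows = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", ns):
        result_el = rr.find("x:result", ns)
        has_text = result_el is not None and result_el.text
        result = result_el.text.strip() if has_text else "unknown"
        rows.append((rr.get("idref"), rr.get("severity", "unknown"), result))
    return rows


def summarize(rows):
    """Count outcomes and list failing rules, highest severity first."""
    counts = Counter(result for _, _, result in rows)
    sev_rank = {"high": 0, "medium": 1, "low": 2}
    failed = sorted(
        [(rule_id, sev) for rule_id, sev, result in rows if result == "fail"],
        key=lambda t: sev_rank.get(t[1], 3),
    )
    return dict(counts), failed


def compliance_ratio(rows):
    """Fraction of evaluated rules that passed (0.0 when nothing was evaluated)."""
    evaluated = [r for r in rows if r[2] not in NOT_EVALUATED]
    if not evaluated:
        return 0.0
    passed = sum(1 for r in evaluated if r[2] == "pass")
    return passed / len(evaluated)


if __name__ == "__main__":
    rows = parse_rule_results(SAMPLE_RESULTS)
    counts, failed = summarize(rows)
    print("result counts:", counts)
    for rule_id, sev in failed:
        print(f"FAIL [{sev}] {rule_id}")
    print(f"compliance: {compliance_ratio(rows):.0%}")
```

In a tenant's monitoring pipeline the same functions would be fed the results file a scheduled scan writes out, and the failed list (not the overall ratio) is what should page someone: a single high-severity failure matters more than a high pass percentage.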

Slide 15

Contributors Include …

Slide 16

Control Tailoring

Slide 17

Sample Output

Slide 18

SCAP Content Repositories

NIST maintains the SCAP content repository for the U.S. Government. Plenty of non-Linux content!
http://web.nvd.nist.gov/view/ncp/repository

Slide 19

MADFW v2: PaaS (via containers)

• Think of the containers as boxes, nodes as the truck
• We don’t care what’s inside the box, it’s just cargo

Slide 20

Multi-tenancy

RHEL HYPERVISOR (RHEV, OpenStack, KVM, even VMWare…)

Slide 21

Multi-tenancy

system_u:system_r:svirt_t:s0:c379,c680
system_u:system_r:svirt_t:s0:c41,c368

RHEL HYPERVISOR (RHEV, OpenStack, KVM, even VMWare…)
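The two labels on the slide are sVirt contexts: each guest runs as `svirt_t` with its own pair of MCS categories, and its disk image carries the same pair, so the kernel's MCS rule (a subject may touch an object only if its category set contains every category on the object) keeps one tenant's guest away from another tenant's image. The following is an added example, not code from the talk or from libvirt; it parses such labels, applies that rule, and flags tenant labels that would not be mutually isolated. The `svirt_image_t` object label and the catch-all `c0.c1023` context used in the comments and tests are constructed for the example.

```python
"""Check sVirt-style MCS isolation between tenant labels.

Added example for the multi-tenancy slide; not code from the talk or from
libvirt/sVirt. Models the MCS access rule: a subject may access an object
when its sensitivity is at least the object's and its category set is a
superset of the object's. Sample labels below other than the two from the
slide are constructed.
"""
from dataclasses import dataclass
import re

_CAT_RE = re.compile(r"^c(\d+)$")


@dataclass(frozen=True)
class SELinuxContext:
    user: str
    role: str
    type_: str
    sensitivity: str
    categories: frozenset


def _cat_num(token):
    m = _CAT_RE.match(token)
    if not m:
        raise ValueError(f"bad MCS category: {token!r}")
    return int(m.group(1))


def parse_context(label):
    """Parse 'user:role:type:sN[:cA,cB,cX.cY]' ; ranges like c0.c1023 are expanded."""
    parts = label.split(":")
    if len(parts) < 4:
        raise ValueError(f"not a full SELinux context: {label!r}")
    user, role, type_, sens = parts[:4]
    cats = set()
    if len(parts) >= 5 and parts[4]:
        for item in parts[4].split(","):
            if "." in item:
                lo, hi = item.split(".", 1)
                cats.update(range(_cat_num(lo), _cat_num(hi) + 1))
            else:
                cats.add(_cat_num(item))
    return SELinuxContext(user, role, type_, sens, frozenset(cats))


def _level(sensitivity):
    return int(sensitivity.lstrip("s"))


def dominates(subject, obj):
    """MCS/MLS dominance: sensitivity at least as high and every object category held."""
    return (_level(subject.sensitivity) >= _level(obj.sensitivity)
            and subject.categories >= obj.categories)


def isolated(a, b):
    """True when neither label can reach a resource carrying the other's categories."""
    return not (dominates(a, b) or dominates(b, a))


def check_tenants(labels):
    """Return label pairs that are not mutually isolated (e.g. a reused category pair)."""
    ctxs = [parse_context(l) for l in labels]
    problems = []
    for i in range(len(ctxs)):
        for j in range(i + 1, len(ctxs)):
            if not isolated(ctxs[i], ctxs[j]):
                problems.append((labels[i], labels[j]))
    return problems


if __name__ == "__main__":
    tenants = [
        "system_u:system_r:svirt_t:s0:c379,c680",   # from the slide
        "system_u:system_r:svirt_t:s0:c41,c368",    # from the slide
        "system_u:system_r:svirt_t:s0:c41,c368",    # constructed: reused pair
    ]
    for a, b in check_tenants(tenants):
        print("NOT ISOLATED:", a, "<->", b)
```

On a RHEL host the inputs to such a check are visible with `ps -eZ` (the qemu processes) and `ls -Z` on the image files; the point of the check is that isolation holds only because every guest receives a category pair no other guest can dominate, so a reused pair is a real finding rather than a cosmetic one.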

Slide 22

Multi-tenancy

Slide 23
