NET+ SECURITY AND IDENTITY PORTFOLIO DEVELOPMENT WORKSHOP

Transcription

1 NET+ SECURITY AND IDENTITY PORTFOLIO DEVELOPMENT WORKSHOP Nick Lewis Internet2 NET+ Program Manager, Security and Identity 2015 Internet2

2 Welcome Goals, logistics, etc Want your feedback, so please comment and be interactive! We will have several small group discussions and each table will need a facilitator We will have a working lunch and a break after the lunch exercise Goal is to get out by 3pm if not earlier Boxnote for the agenda and notes: Could I get a couple volunteers to take notes?

3 Schedule for the day 8:00am Start of the day 8:05 Introductions 8:20 NET+ Program 9:00 How information security is currently integrated into NET+ 10:00 Break 10:30 Continue How information security is currently integrated into NET+ 12:00 Working lunch 12:30 Break 1:00 Future information security improvement to NET+ program 3:00 Wrap-up and next steps

4 Introductions Introductions and what are you expecting to get out of today? Anything you want to add to the agenda? What Cloud Services are your campus using? Who has adopted Cloud Security Assessments? What standard? Roll your own? What are your top concerns they have on security services in the cloud?

5 Campus Experience with NET+ Any campuses using NET+ services? What do you think? Any campuses not NET+ campuses? Why? Any examples where something worked better (or worse) than you expected?

6 Outline for this portion What is NET+ How information security is currently integrated into NET+ How it currently works Security assessments and requirements Identity Management and InCommon Ongoing oversight of service provider Service Provider perspective on NET+ program and information security aspects Integration into broader information security community

7 ADVANCING HIGHER EDUCATION in the AND BEYOND

8 The Genesis of NET NACUBO / EDUCAUSE Cloud Summit

9 Major Recommendations from 2010 Thirteen overall recommendations (Pg 21-22), which include: Create a cloud computing roadmap. Develop a risk-assessment framework and guide. Develop audit guidelines for cloud-based offerings. Identify needed skills and training for cloud-based services. Develop and publish model service level agreements. Encourage identity management. Create a higher education demand aggregator.

10 NET+ Three Year Review 2015 All of the areas of improvement include the security aspects Catalog Configuration monitoring performance and enhancing standards Time To Market more visibility into service validation Streamlined Agreements simpler and easier to use Procurement Improvements further streamline procurement First Service Adoption Barriers lower adoption barriers Reduce Complexity of Business Models

11 Core Objectives of NET+ Services A partnership to provide a portfolio of solutions for Internet2 member organizations that are cost-effective, easy to access, simple to administer, and tailored to the unique, shared needs of the community: Define a new generation of value-added services Leverage Internet2 R&E Network and other services such as InCommon Drive down the costs of provisioning/consuming services Provide a strategic partnership with service providers (new service offerings) Leverage community scale for better pricing and terms Develop solutions that meet performance, usability, and security requirements Provide a single point of contracting and provisioning

12 My vision for NET+ When a campus has a problem, audit finding, incident, etc, they can look in the NET+ portfolio to find a solution they can quickly adopt at a price they can afford Pre-vetted, standard terms, community oversight Meets the unique needs of higher education Mobile, highly decentralized, locally managed, etc Facilitate campuses improving how they do information security Assist campuses adopt cloud services Advances NET+ program

13 What is Internet2 NET+ Cloud? Tailored Cloud service portfolios to: Enhance academic & research user mobility in the Cloud Accelerate trusted Cloud application deployment for the enterprise Ensure standards-based Cloud security, accessibility, reliability and performance with enterprise scalability Security & Identity Software as a Service Infrastructure and Platform Video, Voice & Collaboration Digital Content for Research & Education Enables trusted and responsive user mobility in the cloud, while delivering efficiencies to the enterprise. 13

14 What NET+ Is NOT What NET+ Is A Vendor A Buying Club A Channel Partner A Reseller Exclusive (or picking winners) Community driven and a way for the community to act on its own behalf A benefit of membership (benefits that accrue to par<cipants) A means of influencing the direc<on of IT services development A (growing) porbolio of IT assets that campuses can chose from with consistent terms, best pricing and highest value.

15 370 Par(cipa(ng Campuses In Days the Community Has Built Available Services 600+ Ac(ve Subscrip(ons $250,000,000+ in Community Benefit 89 Valida(on Campuses 15 Service Valida(ons 9 New Evalua(ons WOW! 2015 Internet2

16 Internet2 NET+ Services: Engagements 16 16

17 Examples of Cloud Services Deployed at Scale Leveraging community developed offerings, preferred pricing and business terms 105+ universi<es cloud storage and collabora<on campus- wide (38 months GA) 69+ universi<es leveraging the NET+ Splunk offering (18 months from EA) 35+ universi<es moved their LMS to Instructure s Canvas (18 months from GA) universi<es leveraging Amazon Web Service offering (9 months from EA) 21+ universi<es leveraging Code42 s CrashPlan offering (23 months from EA) Up to July

18 Campus Expectations for the Cloud Any workloads not going to the cloud? Why? Any data types / security requirements not going to the cloud? Why?

19 GET INVOLVED IN THE NET+ SERVICE LIFECYCLE Sponsored by Community Members Designed by par<cipa<ng campuses, providers and Internet2 Subscrip)on by Community Members, Regional and Global partners All delivered at global scale, tailored to R&E needs, and benefi<ng all par)cipa)ng ins)tu)ons

20 The Internet2 NET+ Phases Explore Research Incubator? Inquiry Less than 50% reach Service Valida(on Service Validation Develop Evaluation Timeline variable days

21 The Internet2 NET+ Phases Develop Service Validation Apply community standards Greater than 90% reach General Availability Deploy Timeline variable days

22 Inquiry and Evaluation Inquiry Phase Discovery Understanding the opportunity (what are the possibili<es? Market scope?) Alignment Are the provider and community goals strategically aligned (are we headed in the same direc<on?) Feasibility Are the investments and mutual accommoda<ons required likely to materialize? Community engagement Membership and strategic engagement with the community Evalua(on Phase Iden(fying a Sponsor A CIO or execu<ve from a member ins<tu<on Developing a Proposal With support of the Sponsor Iden(fying addi(onal SV par(cipants Review of Requirements Networking, Iden<ty, Security, Business model and terms Membership in Internet2

23 Requirements of SPs Identified Sponsor: CIO or other senior exec from a member institution Membership in Internet2 and InCommon Federation Adoption of InCommon -Shibboleth/SAML2.0 and Connection of services to the R&E Network Completion of the Internet2 NET+ Cloud Control Matrix Commitment to: A formal Service Validation with 5-7 member institutions Enterprise wide offerings and best pricing at community scale Establishing a service advisory board for each service offering Community business terms (NET+ Business / Customer agreements) support the community s security, privacy, compliance and accessibility obligations Willingness to work with the Internet2 community to customize services to meet the unique needs of education and research

24 How NET+ Providers are Selected: ALWAYS Sponsored by Internet2 Member Campus Can the services scales at least nationally? Can it be delivered over global R&E networks? Develop a business model that scales globally and serves significant portion of community? Will provider work with community to meet unique R&E needs today and into the future? Adopts R&E federated identity standards? Commit to community s Security, Privacy, Compliance, and Accessibility needs? Supportive of common, community contracting terms and conditions (negotiate once, use many times)

25 Quick-Start Program: Requirements Identified Sponsoring CIO ( or other senior executive from a member) Membership in Internet2 and InCommon Federation Adoption of InCommon -Shibboleth/SAML2.0 (within 6 months) Connection to the R&E Network (within 6 months) Completion of the NET+ Cloud Control Matrix Commitment to enterprise wide offerings and best pricing Commitment to establish of a service advisory group within the first 6 months and to a formal Service Validation (within 24 months or after 10 campus enrollments) Acceptance of the Internet2 NET+ template business and customer agreement terms and the community BAA (for HIPAA compliance) with minimal negotiation. Offerings will be limited to a 2 year renewable term and customer agreements will be between the service provider and consuming institution.

26 Quick-Start Program: Additional Considerations Program is for services where the standard requirements and business terms are immediately acceptable Modifications to the template made only to ensure appropriate representation of specific types of services The advantages of the program: Provide fast-track onboarding services to community requirements Minimizing the cost/effort required for on-boarding Benefit to Providers: faster time to revenue generation within the portfolio rubric and to community specifications Benefit to Members: faster time to value, minimum investment until scale economies and persistent interest is established, consistent adoption of community requirements

27 Internet2 NET+ Service Validation Assessment of the service for inclusion in the catalog Applying a consistent process / standard Available at scale to the entire higher education community SV Group is led by the sponsoring institution and 5-7 campus participants Facilitated by Internet2 Program Manager SV participants represent o Themselves AND the Community o Assess the service for inclusion in the catalogue o Negotiate terms, business model and pricing for the entire R&E community

28 Service Validation Func(onal Assessment Review features and func<onality Tune service for research and educa<on community Technical Integra(on Network: determine op<mal connec<on and op<mize service to use the Internet2 R&E network Iden<ty: InCommon integra<on Security and Compliance Security assessment: Cloud Controls Matrix FERPA, HIPAA, privacy, data handling Accessibility Business o Legal: customized agreement using NET+ community contract templates o Business model o Define pricing and value proposi<on Deployment o Documenta<on o Use cases o Support model

29 NET+ Service Validation: Functional Assessment Review current features and func(onality Discuss exis<ng Service Provider product roadmap (under NDA) Determine ways in which service needs to be tuned for research and educa(on community Priori(ze feature requests among the par<cipa<ng universi<es in the Service Valida<on group and discuss priori<za<on with Service Provider s product team Process and Deliverables: customized roadmap for higher educa2on from the Service Provider; feature, func2onality, and bug report priori2za2on from the universi2es

30 NET+ Service Validation: Technical Integration Network: Integrate service with the Internet2 R&E network and op<mize for enhanced delivery Test the network connec<on to create benchmarks Iden(ty: Review Service Provider s iden<ty strategy and determine InCommon integra<on NET+ Iden<ty Guidance for Services Process and Deliverables: Service Provider and par2cipa2ng universi2es assign technical team members on networking and iden2ty; develop and review tes2ng plans; and produce reference documents for service subscribers

31 Identity Management and InCommon NET+ Identity Service Validation Process Collect use cases. Assess current implementation and roadmap. Compare implementation, roadmap, and use cases. Prioritize implementation and refine roadmap. Implement and document. Schools sign off. Iterate. NET Plus Identity Guidance for Services +Services

32 IDM and InCommon Discussion Any feedback from campuses?

33 SV: Business & Legal Legal: customized agreement using NET+ community contract templates MOU between Internet2 and Service Provider is signed in order to begin the Service Valida<on phase Business Agreement between Internet2 and Service Provider is nego<ated during the Service Valida<on phase and reviewed and approved by university counsel Business Model: customized approach to pricing that leverages community assets and captures aggrega<on to reduce costs to the Service Provider and provide savings and addi<onal value to universi<es Process and Deliverables: Par2es nego2ate business agreements, enterprise customer agreements and any associated terms of use

34 NET+ Agreements: Mitigating Risk Reduces business risk by vehng service providers for performance, security and compliance Reduces contrac(ng risk via standard (and beneficial) contract terms Reduces pricing risk by leveraging purchasing power of the community (including waterfall pricing) Ensures fair treatment in the market (no hidden clauses) Providing op(ons as the number of providers in each porbolio services category increases

35 NET+ Agreements: An Emerging Standard Many universi<es may find it valuable to consider service valida<on via NET+ to be a standard specifica<on and pre- qualifying evalua<on/review process that might allow: Formal procurement processes to be simplified or waived Not requiring formal bidding from Internet2 or NET+ validated service providers Elimina<ng the need for sole- source jus<fica<on for NET+ validated service providers when only one source is available for a par<cular category of service Allowing simplified proposals from NET+ validated service providers when mul<ple sources are available for a par<cular category of service

36 NET+ Template Contract One of the templates is in the Box folder Developed working with campus legal counsels to identify community terms Definition of confidential information, accounts, data, etc Indemnification and Liability (Sec 5) Availability / Zero impact maintenance Termination and data transfer

37 NET+ Template Contract Security improvements to be included back into the NET+ offering. (Sec 3.2 Modifications and 8.9 Features) Data ownership is the participant (Sec 8.1(a)) Data Privacy, Security, and Integrity Sec Response to Legal orders Sec 8.5 Incident Response Sec 8.6 Data Retention and Disposal Sec 8.7

38 How NET+ Contrac<ng Supports Procurement Community based due diligence Improves risk management by vehng service providers, standard and beneficial contract terms Ensures fair treatment in the market (no hidden clauses for other universi<es) Reduces costs of administra<on Leverages purchasing power of the en<re community Provides compe<<ve op<ons as the number of providers in each porbolio services category increases

39 Procurement Analysis Worksheets Completed for services once they complete early adopter General: Service Provider; Service; Service Type (IaaS, PaaS, SaaS, other (specify)); Admitted to Service Validation; Completed Service Validation; Schools leading the service validation were; Schools involved in legal discussions; Schools involved in business terms negotiation; Business Agreement signed Categories General details on service. Service level commitments, compliance, technical, data, use and legal concerns, and termination

40 How information security is currently integrated into NET+

41 Background Working group pulled together develop how NET+ should incorporate security Developed this guidance: Recommended Process for the Use of the Cloud Controls Matrix (CCM) in the NET + Program /04/22/ brammer-netsecurity-2.pdf Security aspects began in June 2012, delivered initial version of security controls in December 2012, now in use by NET+ Program Service validation security aspects have evolved over time.

42 Pre-Service Validation Program Manager to work with service provider Help them understand NET+ security and what campuses will expect from them Start gathering security documentation Cursory review of their security documentation to give SP feedback to help have a successful service validation Determine if NDAs are necessary and if so, start getting them from campuses in service validation

43 SV: Security & Compliance Security assessment: Customized version of the Cloud Controls Matrix (CCM) developed by the Cloud Security Alliance and SOC 2 Type 2 Report hmps://cloudsecurityalliance.org/research/collaborate/#_internet2 Accessibility review and Roadmap commitment. WCAG 3C Data handling: FERPA, HIPAA, privacy, data handling Process and Deliverables: Service Provider completes Cloud Controls Matrix and/or SOC2 Type 2 Report for review by universi<es; campus accessibility engineers review service and communicate needs to Service Provider

44 Service Validation Security Aspects NDAs if requested by SP Review of security docs from SP by campuses Call with campuses and SP security staff Whole picture from a campus perspective. What security controls does a campus need because of the SP or does the SP expect of the campus? Example - LastPass security review

45 Security Assessments / Frameworks All of the security assessments in the world will not stop all attackers. CSA CCM - The CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. SOC 2 - focuses on a business s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system, as opposed to SOC 1/SSAE 16 which is focused on the financial reporting controls. ISO Developed to provide a model for establishing, implementing, operating, monitoring, and maintaining an information security management system, it is widely recognized as the highest security standard in the industry for examining the efficacy of an organization s overall security posture.

46 Security Requirements Use cases to flesh out security requirements Depending on the use cases will determine the security requirements FERPA is addressed by defauly If there is a healthcare use case covered with HIPAA requirements, then HIPAA is included A HIPAA BAA is included in default template Export control

47 Small group discussion on service validation What do you think of service validation? What are your experiences with service validation? How security assessments should work? How can we raise the bar to improve security? How to streamline information security aspects of SV? How to do this faster to bring tools to campuses??

48 Ongoing oversight of service providers What is currently done Internet2 NET+ Service Advisory Board (SAB) Review feedback from the community and SAB schools Performed during service validation Follow-up on security items from service validation Requirement in contract for annual updates from service providers on SOC2 or CCM Integrates with what is done on a campus for their oversight

49 Ongoing oversight of service providers What should we do? Should it be a requirement for the SAB to annually review the updated security documentation from the service provider? When there are major updates, to update the security documentation on the provider? Do current campus subscribers get notified? Follow-up on future security controls Example: Service provider promised CCM What to do if there are issues a service provider needs to address? Violation of security requirement from contract? Other contract violations Handled via the breach sections with service provider potential remedy Example: Service provider lapses in performing SOC2

50 How should ongoing oversight be handled? What can we do? What is Internet2 s role and what is the SAB s role? (20 min)

51 Service provider perspective What all of this means to them? More than a buying vehicle Potential to help them engage the HE market Help them identify features and functionality HE needs How does this help them? Streamlined legal and procurement (along with security, etc) NET+ legal work with their final approval if necessary Additional insight into what works for their customers Potential costs for the service provider Our security requirements require significant resources to meet Potential development costs to add functionality

52 How this is or should be integrated into information security community?

53 Relationship within Internet2 InCommon Require NET+ Service Providers to participate in InCommon Work with InCommon on Identity Management TIER Community Created and Curated Services could become a NET+ service Internet2 Network Services Working with Paul Howell, Chief Cyberinfrastructure Security Officer Collaborating on DDoS discussions for potential NET+ DDoS Response service CINO Working Groups CINO Working Groups Home End-to-End Trust and Security Identifying any potential service providers or areas NET+ service providers might be interested in engaging with the community

54 Higher Education Relationships Educause/HEISC Supporting HEISC mission major activity - Providing effective practices and guidance and fostering communication within the community Supporting out of scope activities for Developing or brokering information security fee based services or tool needed by the HE information security community Suggestions for potential service providers, broad direction setting and priorities REN-ISAC Support information sharing by REN-ISAC Work with the community on threat intelligence or information sharing service providers Coordination with both on HE-wide issues

55 Relationships Outside of Edu Cloud Security Alliance Updates on Cloud Control Matrix Certified Cloud Security Professional with ISC2 Training on cloud security for HE information security staff CSA Security, Trust & Assurance Registry (STAR) International Information System Security Certification Consortium, Inc., (ISC)² Certified Cloud Security Professional Training on cloud security for HE information security staff SANS, International Association of Privacy Professionals, others? Should the relationships with external organizations be lead by a campus person or Internet2?

56 Group Discussion: How this is or should be integrated into information security community? (20min)

57 NET+ SECURITY AND IDENTITY PORTFOLIO DEVELOPMENT WORKSHOP Nick Lewis Internet2 NET+ Program Manager, Security and Identity 2015 Internet2