WHAT MAKES A SECURE CLOUD? Security Overview of Verizon Cloud

Transcription

1 White Paper WHAT MAKES A SECURE CLOUD? Security Overview of Verizon Cloud Designed with security in mind, Verizon Cloud uses a layered security approach that helps protect your sensitive data as you expand globally. Security is not a reason to avoid moving workloads to the cloud. This was the clear conclusion of a majority of respondents from large and midsize global enterprises to a recent Harvard Business Review study. 1 They said cloud does not negatively impact security (65 percent), and many believe it can actually improve security (36 percent). It s true: Enterprise cloud security is no longer a barrier to cloud adoption. But that doesn t mean enterprises should ignore cloud security solutions when considering infrastructure and service providers. In fact, keeping data secure in the cloud will continue to be a priority. And as threats increase, businesses need to ensure they address security vulnerabilities in a way that is both effective and cost-effective. Verizon Cloud s layered-security approach helps protect your sensitive data as you expand globally. And by teaming with a proven partner like Verizon we monitor more than 500 million security incidents on average each year you can maintain business growth and keep customer trust intact. From perimeter and logical controls all the way up the security stack, Verizon Cloud provides a secure environment for the most sensitive workloads. WHAT IS A SECURE CLOUD? We believe secure clouds have three essential features: Strong logical and physical controls that provide a secure base to build on Governance and controls that create standardized, repeatable processes that streamline operations, help make the cloud stable and reliable, and maintain strong security for data and apps Value-added security services that allow enterprises to expand their security posture To secure the cloud inside a secure infrastructure, we establish a three-level threat perimeter. THREAT 2 Perimeter Eavesdropper Drops In Web Web Portal THREAT 1 Auth-Hacker, Stolen Credentials Cross-Site Attack INTERNET PRIVATE LINE Database Applications API THREAT 3 Operations Rouge Operator VERIZON CLOUD INFRASTRUCTURE Threat 1. We protect the web portal and application programming interface (API) perimeter from threats from the outside network, such as stolen access credentials. Threat 2. The second threat stems from externally caused service disruption. We protect the perimeter of the network itself at the logical network layer, and the network infrastructure through our network firewalls and intrusion detection system (IDS). We also offer distributed denial-of-service (DDoS) attack services, where, for an additional charge, we can detect and mitigate distributed attacks against your cloud infrastructure and workloads.

2 To secure the cloud inside a secure infrastructure, we establish a three-level threat perimeter. Threat 3. The third threat is internal where many threats occur. This is when someone on the inside attempts to steal data at the management layer. We make it harder to bypass controls by adhering to a least-privilege model. On a per-needed basis, we escalate privileges that time out, expire, and are revoked for any given system operation. LAYERED SECURITY We recognize your need for secure products and services, and believe that our security portfolio, combined with enterprise-class cloud computing, offers strong protection for your network, data, and applications even your most sensitive workloads. Through industry leadership, experience, understanding, and stringent security controls, we can help you manage risk and improve business performance. Our cloud-enabled facilities are built to support SSAE 16/SAS 70 Type II specifications. BASE SECURITY Physical and Personnel LOGICAL SECURITY Verizon Cloud Framework and Design VALUE-ADDED SECURITY Enterprise, Capabilities, and Services Governance, Risk, and Compliance Design, Implantation, and Operations BASE SECURITY FEATURES Resilient cloud security starts at the base level. We deploy our cloud solutions in purpose-built data centers, using redundant power and cooling systems that help preserve operations. Advanced cloudcomputing security control systems include interior and exterior video monitoring, access control systems, and 24x7 monitoring by an on-site guard and our Network Operations Center (NOC). We use some of the highest-level physical security features available to deploy the Verizon Cloud. Each data center has the following security controls: Support for Statement on Standards for Attestation Engagements (SSAE) 16/State of Auditing Standards (SAS) 70 Type II specifications Electronic security-access control system and biometric readers Multiple alarm points integrated with a closed-circuit television (CCTV) system, pan/tilt/zoom cameras throughout the data center and property perimeter, and digital video recorders that store multiple events and 90 days worth of video Video images from before, during, and after an event, stored on redundant digital video recorders (and during an alarm event or an attempt at unauthorized access, the system directs the camera to that location) 24x7 monitoring of all essential systems, including humidity, temperature, water, fuel sensors, and all related environmental systems 24x7 on-site guard services personnel Inbound shipment security processes: no packages accepted unless prior notification has been provided Our base security for Verizon Cloud emphasizes access control, background checks, and continuous training. Access control. We define, manage, and document access control policies. We grant only authorized personnel access to critical business applications and systems, based on position and job requirements. They receive the minimum level of access necessary to do their jobs. Policies take into account classification, business requirements, relevant legal considerations, and any contractual obligations. We restrict access to network, system, or application functions in production systems to the operationally feasible number of employees required, and allocation is on a need to know or event by event basis. We also assign each user a unique ID for 2 VERIZON ENTERPRISE SOLUTIONS

3 We implement security controls at the compute layer through strong security at the hypervisor, operating system, and administrator authentication levels. In addition, you can specify locations where data will reside for compute and storage. accountability. Authorization review and aging processes alert administrators of status changes, so they can immediately revoke access rights when a user no longer requires access or no longer works for Verizon. Background checks. We are committed to hiring employees who meet the requirements and qualifications for our open positions. This includes verifying the information from applicants extended a conditional offer of employment. Unless prohibited by law, the investigation covers criminal history, employment history, educational verification, Social Security number trace (U.S. only), international search (where applicable), Prohibited Parties/Office of Foreign Assets Control (OFAC) search, and Sex Offender Registry search. We also check driver s license status and driving record when candidates will drive a company or personal vehicle in the regular performance of their duties. Training. All employees receive initial security-awareness training for both physical and information security. We also regularly reinforce this training. We communicate security policies through new-hire orientations, the employee handbook (which includes an annual security responsibility awareness certification), monthly security awareness articles, and security awareness tips posted to the corporate web. Security policies are available internally from Verizon s corporate intranet. Finally, managers are responsible for confirming that all employees understand their obligations to protect the information of Verizon and its employees, customers, and third parties. LOGICAL SECURITY FEATURES In addition to the physical security at our facilities, we operate a second logical layer of defenses through virtualization tools and a complete suite of security services that our 24x7 NOC and Security Operations Centers (SOCs) deliver, manage, and maintain. Compute layer. We implement security controls at the compute layer in several ways, including: Strong security at the hypervisor layer. Internally, Verizon Cloud infrastructure uses a minimal baseline build for the hypervisor and all components. Strong security at the operating system (OS) layer. Externally, customer virtual machines (VMs) use pre-engineered OS templates that follow Center for Internet Security (CIS) Level 1 benchmarks with applicable patches and stripped-down components. We update these templates on a regular basis upon patch release, evaluation, and testing. The ability to specify locations for compute and storage. With Verizon Cloud, you can select the location (or locations) where data will reside. Once selected, that is where your data remains. Strong administrator authentication. You access the Verizon Cloud Console via a Secure Sockets Layer (SSL) web connection. We encrypt all information that passes through this portal with a password or optional two-factor authentication. Strong backend authentication. Our engineers maintain our infrastructure backend using either perimeter-based or host-based two-factor authentication. Advanced password policies. We enforce complex passwords and avoid password reuse. Network layer. We secure the network layer in a variety of areas, including: Core virtualization network controls Network data segmentation Firewall capabilities Intrusion detection Distributed denial-of-service (DDoS) detection and mitigation We implement security controls at the core virtualization network layer by: Hardening management networks according to industry best practices and experience Cautiously monitoring network activities Expanding network segmentation into the hypervisor We segment data on the network using either: Software-Defined Networking (SDN) In our Public Cloud, named endpoints within the compute fabric segregate traffic at the hardware level, and provide virtual isolation that meets security and performance requirements. 3 VERIZON ENTERPRISE SOLUTIONS

4 We secure the network layer in a variety of areas, including core virtualization network controls, network data segmentation, firewall capabilities, intrusion detection, and DDoS detection and mitigation. Industry-standard network segmentation techniques at the hypervisor and network layers In our Virtual Private Cloud, the RAM, processor, and storage area network (SAN) resources are logically separated and don t have visibility to other client instances. From a network perspective, each client is separated from the next using a private virtual LAN (VLAN). We have added firewall capabilities within the platform to help you protect your networks by either one of the following or a hybrid approach: Our integrated firewall capabilities Firewall solutions from Verizon Cloud Marketplace Our IDS at critical management systems of the base platform layer at all Verizon Cloud locations, and DDoS detection and mitigation mechanisms at all Verizon Cloud locations, which provide insight into and mitigation for attacks occurring on the core infrastructure Always looking to improve our security posture, we have plans to offer these same services throughout 2015 as part of our layered security services vision. Storage layer. We secure storage at all layers: Industry-standard SAN segmentation logically separates SAN resources and prevents visibility into other client instances Zoning provides access control in a SAN topology. It defines which host bus adapters (HBAs) can connect to which SAN device service processors. Devices inside the zone cannot detect devices outside the zone. Zoning also isolates SAN traffic. In a complex SAN environment, SAN switches provide zoning, defining and configuring the necessary security and access rights. At the storage processor or server level, logical unit number (LUN) masking often provides permission management. Known as selective storage presentation, access control, or partitioning, depending on the vendor, LUN masking makes a LUN invisible when a target is scanned. The administrator configures the disk array so each server or group of servers can detect only certain LUNs. Hypervisor-level segmentation isolates data at the operating system (OS); no two client OSes are shared. On our Public Cloud, we unify both networking and storage by using a Layer 2 storage protocol to encapsulate storage flows between virtualized storage devices and the virtualized computing endpoints over our virtualized networks. Verizon Cloud Storage supports encryption of data at rest and in flight using a symmetric Advanced Encryption Standard (AES) 256-bit cipher. SSL provides the additional security our customers demand. You can encrypt your data before sending it to Verizon Cloud Storage and retain your keys for the added confidence that only you can view the data. Even if data is pre-encrypted, however, Verizon Cloud Storage encrypts all data, and we secure the keys our encryption uses. Verizon Cloud Storage does not encrypt storage automatically; however, to protect or encrypt sensitive information, you can: Use OS-level encryption software, including Pretty Good Privacy (PGP), BitLocker, Vormetric, and others. Use database encryption at the application layer through Microsoft SQL Server and Oracle. Access encryption solutions through Verizon Cloud Marketplace (future). We maintain a formal media sanitation and disposal policy that was designed to address DoD M. We also employ additional sanitization mechanisms for classified or sensitive information that apply to all media. Management layer. For identity and access management, the Verizon Cloud Console uses two-factor authentication for login purposes. Our Virtual Private Cloud supports role-based access control (RBAC), defined and implemented for business operations at the organization, environment, and security group levels. For future feature releases, Verizon Cloud will support the Security Assertion Markup Language (SAML) 2.0 framework, and we plan to offer these same services throughout 2015 as part of our layered security services vision. Verizon Cloud s RBAC capabilities will continue to evolve over time. 4 VERIZON ENTERPRISE SOLUTIONS

5 Because you will require tailored and layered security solutions that address specific needs, we provide access to key security features and services. In addition, a Security Information and Event Manager (SIEM) captures and correlates all relevant information and events. We take appropriate action which can include isolation when an issue is detected. And by moving logs off of the individual host and onto the highly secured, centralized SIEM, we protect them from modification. In addition to base platform security, you can and should acquire layered security services specific to your solution. You need visibility into security information and events, as well as the ability to isolate attacks to a specific component of the solution. VALUE-ADDED SECURITY Because you will require tailored and layered security solutions that address specific needs, in addition to base and logical security controls, we provide access to key security features and services that help protect your workloads. Verizon Cloud firewall and VPN capabilities allow you to control access to your data and applications at both the VM and application-tier levels. Verizon Cloud Marketplace delivers certified, leading applications in Big Data, software development, and security helping you deploy applications quickly with low risk. Create and modify firewall rule sets to manage how VMs connect to the Internet. Firewall rules control the flow of data between networks and devices in a cloud space. You can permit or deny access from an IP address or a network source to an IP address or network destination, a protocol, and source and destination ports. You can also send firewall logs to a syslog server configured within your cloud environment, or externally if required. Depending on the chosen deployment model and compute option, Verizon Cloud lets you use integrated software firewalling; dedicated, highly available hardware firewalls; and Verizon Cloud Marketplace independent software vendor (ISV) firewall solutions. In Virtual Private Cloud, software and dedicated hardware firewalls are available. Creating services generates common firewall rules. You can manage your rules though the Verizon Cloud Console. You can also view and change the location to which you send your firewall logs (for example, to a centralized syslog server). In Public Cloud, we provide software-based firewalls for each VM connected to a public IP address. You can manage a firewall via the user interface and create up to 15 firewall rules for each VM. Multiple options exist for secure connectivity to VMs. Verizon Cloud provides SSL VPN or LAN-to-LAN (L2L) connectivity into the cloud through integrated VPN capabilities. You can also select a third-party solution from the Verizon Cloud Marketplace. Depending on the type of cloud deployment, built-in or Marketplace solutions will be available. Virtual Private Cloud: Secure Shell (SSH) directly to the server over the Internet Remote Desktop Protocol (RDP) directly to the server over the Internet (limited key size) Integrated Cloud Console VM options leveraging SSL to connect to the VM console directly A pfsense template configured to build an L2L VPN tunnel, with VMs routed to the template Utility SSL VPN Dedicated and utility VPN L2L Public Cloud: SSH directly to the server over the Internet RDP directly to the server over the Internet (limited key size) Integrated Cloud Console VM options leveraging SSL to connect to the VM console directly A pfsense template configured to build an L2L VPN tunnel, with VMs routed to the template L2L or SSL VPN solutions deployed through Verizon Cloud Marketplace, with VMs routed to the Marketplace appliance Preconfigured security solutions through Verizon Cloud Marketplace ISVs. In addition to the layered security services we offer, you can leverage Verizon Cloud Marketplace. The Marketplace delivers certified, leading applications in Big Data, software development, and also security helping you deploy applications quickly with low risk. Juniper Networks Firefly is a virtual security appliance that provides security and networking services at the perimeter in virtualized private or public cloud environments. It runs as a virtual machine on a standard x86 server, and delivers features similar to those available on branch SRX Series devices. 5 VERIZON ENTERPRISE SOLUTIONS

6 Our Managed Security Services help you proactively identify vulnerabilities and prioritize threats in the cloud and on-premises. Our proprietary technology platform, which supports all our Managed Security Service offerings, collects, processes, and monitors billions of events each year. F5 Big-IP is an application-delivery services platform that enables traffic management and service offloading for acceleration, security, agility, and high availability (scheduled for availability in 2015). pfsense is an open-source network firewall based on the FreeBSD operating system. Managed Security Services. Maintaining a strong security posture presents its own set of challenges. Verizon s Managed Security Services provides comprehensive monitoring and timely expert analysis. We can help you: Identify vulnerabilities proactively and prioritize threats in the cloud and on premises. Refine information technology security policies and processes so that you can increase visibility, enhance cloud computing security, and manage risk. The introduction of new technologies and systems continually challenges the ability of even the largest enterprises to maintain the confidentiality, integrity, and availability of applications, devices, and other network resources. Risk can present itself in operational challenges and vulnerabilities, as well as continuously evolving cyber threats. To reduce your risk exposure, you need a methodology and a security platform that allows you to anticipate problems, take corrective action, and show practical results. Addressing security risk management as a business process, rather than just blocking threats and fixing vulnerabilities, creates greater value in terms of technology efficiency, better resource allocation, and security compliance. Our security management approach goes far beyond first-generation threat and vulnerability strategies to address the underlying risks, including: New vulnerabilities and attack methodologies Changing business requirements Management of multiple platforms Increased information-security compliance requirements Lack of security expertise and infrastructure We provide a full portfolio of Managed Security Services, and can work with you to refine security policies and processes to identify vulnerabilities proactively and prioritize threats to your enterprise. Our Managed Security Services helps enterprises: Mitigate the impact of security breaches: information and revenue loss and business disruption. Implement strong policies and controls, which help address security requirements. Maintain customer trust and shareholder confidence. Our proprietary technology platform, which supports all our Managed Security Service offerings, collects, processes, and monitors billions of events each year. This helps our security analysts provide corrective action recommendations and mitigate threats. Through our Security and Compliance Dashboard, you can view your security posture and the effectiveness of your security devices at various levels from the big-picture view all the way down to the details of an individual security incident. And if you want to measure and quantify security risks, address information-security compliance requirements, or conduct third-party due diligence? Our security management and Payment Card Industry (PCI) online compliance programs, along with our Professional Services engagements, are designed to meet these common needs, and are delivered by certified and leading experts. Our managed data and managed application security services, as well as our application scanning service, were designed to help you logically and comprehensively protect your applications, guard against data loss, and control who accesses what information across your enterprise. We also deliver managed network security, vulnerability management, and identity management services to help foster business continuity, monitor and manage security data, and support secure mobile communications. Finally, Secure Cloud Interconnect is an essential part of our value-added security services. It uses the high-performing connections of our Private IP network to quickly and securely link your workloads to your existing locations, your partners, and even a select and expanding ecosystem of cloud service providers (CSPs) without additional engineering, equipment, circuits, or complexity. 6 VERIZON ENTERPRISE SOLUTIONS

7 Secure Cloud Interconnect uses the high-performing connections of our Private IP network to quickly and securely link your workloads to your existing locations, your partners, and a select ecosystem of cloud service providers. INFRASTRUCTURE, PLATFORM, STORAGE PROVIDERS CLOUD VIA VERIZON PRIVATE IP Enterprise Customers User Devices and Networks PRIVATE IP NETWORK BUSINESS PROCESS CLOUD PROVIDERS You can even connect your Private IP networks to Verizon Cloud without installing brand new local loops supporting dedicated Private IP ports into the cloud data center. Simply add a virtual port to your Private IP VPN. The reliability, speed, and diversity of the network provides a high-availability environment for cloud-based applications. And Secure Cloud Interconnect enables you manage risk by helping to reduce complexity, keep privileges private and secure, and maintain application availability with reliable connectivity and around-the-clock support. You can combine Secure Cloud Interconnect with other network services for a complete, integrated solution. GOVERNANCE, RISK, AND COMPLIANCE Security requirements are always increasing and are a concern in every area of business. And that s why we dedicate an entire team of governance, risk, and compliance (GRC) experts to keep Verizon Cloud current with the latest security controls. We also offer GRC assessments through Professional Services engagements. Virtual Private Cloud meets the following standards (at select data centers): SSAE No. 16 Service Organization Control 1 (SOC) 1 SSAE 16 SOC 2 Payment Card Industry Data Security Standard (PCI DSS) International Organization for Standardization (ISO) :2005 Health Insurance Portability and Accountability Act (HIPAA) enabled We also support the public sector with our Federal Risk and Authorization Management Program (FedRAMP) cloud offering. Contact your account representative for more details. Strong life-cycle and change-management controls allow rapid innovation in conjunction with strong controls that help maintain uptime and reduce risk: Life-cycle management. We use agile development techniques to release features, enhancements, and bug fixes for Verizon Cloud. This technique promotes rapid and flexible development cycles that have predefined start and stop dates. We can release new features on a more frequent basis and quickly adapt to any necessary business changes. Each Verizon Cloud development cycle contains the current list of priorities that fit within the release cycle. Because this method allows us to adapt quickly to changes in the business, only near-term sprints (current and next) are locked in and committed. 7 VERIZON ENTERPRISE SOLUTIONS

8 Change management. In our controlled process, all changes are submitted, reviewed, approved, scheduled, and implemented with little impact on service quality, so that Verizon Cloud maintains a high level of availability. We record all requests for changes, and include information such as risk/severity levels, maintenance verification steps, rollback procedures, and prerequisites. Our professional consulting expertise complements Verizon Cloud. Our Professional Services suite includes a leading portfolio of consulting and integration services in key areas, including networking, cloud, security, and the Internet of Things. We don t just bring theories and one-size-fits-all solutions to the table. We get deep into your business. Understanding the nuances of how you run it allows us to better address the big picture. We can help you evaluate your current systems, plan your next steps, design a cost-effective strategy, and implement it. And we don t just implement the technology and run. We can provide project management for all engagements, helping your new solutions realize their full potential. Whether it involves a short-term project or long-term outsourcing, we can extend the knowledge of your internal resources and provide the expert help you need. Our credentials include: More than 130 specialized consulting services available in more than 20 countries Support around the globe with local service Recognition as an ideal partner by industry analysts Recognition as an industry leader in security, managed, and hosted services Ability to leverage a global IP network A vendor-neutral approach to get the right solution An end-to-end solution led by the same team of professionals Planning, design, implementation, and migration expertise SUMMARY Very few hosting organizations or cloud providers can demonstrate the physical security and network infrastructure that Verizon provides. The logical security measures we incorporate on top of physical security capabilities help Verizon Cloud meet the unique security requirements of many enterprises. We have the tools, processes, and capabilities to protect the confidentiality, integrity, and availability of your data. Our services, combined with your prudent and aggressive informationassurance measures and oversight, create a secure cloud environment second to none for hosting and securing enterprise production workloads. verizonenterprise.com 1. Business Agility in the Cloud, Harvard Business Review Analytic Services (sponsored by Verizon), June 2014, Verizon. All Rights Reserved. The Verizon name and logo and all other names, logos, and slogans identifying Verizon s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners. WP /15