HP CloudSystem Enterprise

Transcription

1 Technical white paper HP CloudSystem Enterprise Securing CloudSystem Enterprise with HP Enterprise Security Table of contents Executive summary... 2 HP CloudSystem Enterprise overview... 2 HP CloudSystem Enterprise supply layer... 2 HP CloudSystem Enterprise demand and delivery: HP Cloud Service Automation... 2 HP CloudSystem Enterprise components... 3 Cloud Security (CloudSystem Enterprise and Cloud Security Alliance)... 3 Cloud Security and Cloud Security Alliance... 3 Cloud System Enterprise and HP Enterprise Security products... 4 Network security... 5 HP TippingPoint and Cloud Security Alliance: Network security... 5 HP TippingPoint product overview... 5 Security information and event monitoring... 6 HP ArcSight and Cloud Security Alliance: SIEM... 6 HP ArcSight product overview... 7 Secure development, test, and deployment... 8 HP Fortify and Cloud Security Alliance: Secure development... 8 HP Fortify product overview... 9 CloudSystem Enterprise EcoSystem Securing the Cloud with HP TippingPoint Building and maintaining secure applications with HP Fortify and HP WebInspect Correlating the mountains of data with HP ArcSight Cloud Security Alliance Domain 5 Information Management and Data Security Domain 6 Interoperability and Portability Domain 9 Incident Response Domain 10 Application Security Domain Domain 14 Security As A Service Summary For more information... 24

2 Executive summary Organizations are faced with threats that could disrupt operations and critical IT services. HP CloudSystem Enterprise provides automation to rapidly deliver compute resources to cloud consumers. Security must be a key component to ensure availability of the components that deliver and provision cloud based services. Security is a key concern of organizations deploying resources into private and public cloud environments. This document describes how to incorporate HP Enterprise Security products, ArcSight, TippingPoint, and Fortify, into your private cloud deployments to provide enhanced protection for your CloudSystem Enterprise infrastructure and provisioned services. This paper will also explain how CloudSystem Enterprise, when combined with HP Enterprise Security products, address the concerns with cloud security as defined by the Cloud Security Alliance. Target audience: The intended audience of this white paper is system integrators, installers, and administrators of HP CloudSystem Enterprise. The reader should be familiar with CloudSystem Enterprise and HP CloudSystem Matrix. HP CloudSystem Enterprise overview With HP CloudSystem Enterprise, an organization can deliver not only infrastructure as a service (IaaS), but also anything as a service (XaaS) directly to line-of-business teams. That is, in addition to delivering virtual servers and storage as services, CloudSystem Enterprise can manage and provision enterprise-grade applications such as Microsoft Exchange, or even custom developed applications, such as cloud-based services. Figure 1 illustrates the HP CloudSystem Enterprise architecture. HP CloudSystem Enterprise extends the foundation of HP CloudSystem Matrix with the seamless integration of HP Cloud Service Automation (CSA). HP CloudSystem Enterprise manages the entire application-to-infrastructure lifecycle from provisioning, to managing and monitoring, to releasing resources back to the cloud. The diagram shows how Cloud Service Automation, with its cloud management platform for brokering and managing enterprise grade application and infrastructure cloud services, and HP Matrix Operating Environment are engineered to work together, as well as with additional HP CloudSystem extensions and third-party assets. HP CloudSystem Enterprise supply layer Like the HP CloudSystem Matrix offering, the supply layer in HP CloudSystem Enterprise calls on the Matrix Operating Environment for service delivery of infrastructure elements such as compute, network, storage, and other resources, both physical and virtual. HP CloudSystem Enterprise can also leverage VMware vcloud Director for infrastructure services. Supported infrastructure includes HP BladeSystem servers, HP storage, and HP networking, as well as servers, storage, and networking from third parties. Figure 1. CloudSystem Enterprise Functional Architecture 2 HP CloudSystem Enterprise demand and delivery: HP Cloud Service Automation HP Cloud Service Automation software enables and manages the delivery of application services. It includes user interfaces that allow infrastructure design, specifying what assets will be available, and service design, in which a service designer can add to and manage service catalogs. Cloud Service Automation orchestrates the deployment of compute resources and complex multitier application architectures. It integrates and leverages the strengths of several mature HP management and automation products. And it adds workload management, service design, and a customer portal to create a comprehensive service automation solution. Cloud Service Automation (CSA) can leverage CloudSystem Matrix

3 infrastructure services, and adds applications to the supply layer. It also expands the system s infrastructure capabilities: for example, with CSA, HP CloudSystem Enterprise can support multiple hypervisors such as those from VMware, Microsoft, Kernel Virtual Machine (KVM), and Xen within the supply layer. Cloud Service Automation also provides portal services for the demand layer, where consumers or business users can request services. The software delivers IaaS and platform as a service (PaaS) in a heterogeneous environment, as well as virtual desktop infrastructure (VDI or Desktop as a Service ) and XaaS. Cloud Service Automation manages the entire cloud service lifecycle, including provisioning the infrastructure, whether by extension to one or several Matrix Operating Environment resource pools, or from non-matrix infrastructure pools. It also handles provisioning, patching, and ensuring compliance of business and custom applications; managing and monitoring the cloud; and releasing resources back to the cloud. Extensions allow adding further service assurance, enhanced security, storage management, and network management. HP CloudSystem Enterprise users can: Broker and manage on-demand application and infrastructure services Enforce compliance Meet service-level agreements (SLAs) with performance and availability management Secure data with multi-tenancy and role-based access Deliver comprehensive, unified service lifecycle management HP CloudSystem Enterprise components Besides Cloud Service Automation, components of CloudSystem Enterprise that enable its capabilities include: HP Operations Orchestration (OO) OO coordinates communication between integrated products and managed devices. HP Server Automation (SA) SA deploys operating systems and policies to managed devices. It provides lifecycle server management and automated application deployment, and automates tasks such as provisioning, patching, configuration management, and compliance management. This software can also provision operating systems, and can automate the ongoing lifecycle management of a deployed OS or application with policy-based patching and compliance capabilities. HP Database and Middleware Automation (DMA) DMA provides a content library for database and middleware management. It provisions application architectures onto existing infrastructure, and can also manage those applications, providing pre-packaged workflows for application patching, compliance, and code release. DMA eliminates the need for manual customization. HP SiteScope SiteScope provides agentless monitoring of infrastructure platforms and the key performance indicators (KPIs) of applications. KPIs include CPU, disk, and memory usage, etc. HP Universal Configuration Management Database (UCMDB) UCMDB maintains accurate, up-to-date information regarding the relationships between infrastructure, applications, and cloud services. HP Matrix Operating Environment Matrix Operating Environment supplies infrastructure services. Cloud Service Automation is thoroughly integrated with the infrastructure services created by the Matrix Operating Environment and through this layer can burst to public cloud services. Cloud Security (CloudSystem Enterprise and Cloud Security Alliance) Cloud Security and Cloud Security Alliance The Cloud Security Alliance has identified 14 security domains that deal with securing and operating in a cloud computing environment. In this document we have applied HP Enterprise Security products to HP CloudSystem Enterprise in an effort to address the guidelines and recommendations documented by the Cloud Security Alliance. Securing cloud based resources and assets is a collaborative effort between the cloud provider and the cloud consumer. In a private cloud solution the cloud provider would be the organization s IT department, while the cloud consumer would be an organization s departments that consume cloud services provided by the organization. HP CloudSystem Enterprise is a private cloud solution that must be secured at an infrastructure level and a service level. Securing the underlying infrastructure is the 3

4 responsibility of the cloud provider; in a private or hybrid cloud solution the cloud provider could be an organization s IT department. Securing a private cloud solution at a service offering level provides the cloud consumer protection at an IaaS or application level. The solutions described below will demonstrate how to secure CloudSystem Enterprise at both the infrastructure level and the service level. HP Enterprise Security products can be implemented by the cloud provider to secure HP CloudSystem Enterprise at an infrastructure level through traditional IT security best practices. HP Enterprise Security products can also be integrated into CloudSystem Enterprise service offerings to provide cloud consumers with the ability to secure their cloud based resources (IaaS and PaaS). Cloud System Enterprise and HP Enterprise Security products By applying the HP Enterprise Security products to the HP CloudSystem Enterprise functional architecture we can achieve a comprehensive security solution for CloudSystem Enterprise. The illustration below in Figure 2 shows where the HP Enterprise Security products can be applied to the HP CloudSystem Functional Architecture to enhance security for CloudSystem Enterprise deployments. Figure 2. CloudSystem Enterprise Functional Architecture with HP Enterprise Security This comprehensive security solution provides protection for CloudSystem Enterprise infrastructure components by implementing traditional security controls to the private cloud environment and adapting these controls to facilitate the dynamic nature of cloud based services. This solution also provides recommendations for protecting cloud based resources that have been requested by cloud consumers. Securing cloud based subscriptions and offerings is accomplished by: Hardening virtual machine images Remediating application vulnerabilities during development 4

5 Incorporating Security Information and Event Management (SIEM) log and event collection Implementing Intrusion Prevention System / Intrusion Detection System (IPS / IDS) and firewall into virtual machines Network security HP TippingPoint and Cloud Security Alliance: Network security Protecting the network infrastructure is primarily the responsibility of the cloud provider securing the physical network assets. This is can be accomplished with HP TippingPoint NX Platform Next Generation Intrusion Prevention System (NGIPS) inspecting network traffic for known threats. In a cloud environment the hypervisor management plane is a threat that is difficult to protect with traditional IPS / IDS devices. Additionally multitenant environments introduce VM to VM threat. HP TippingPoint CloudArmour can provide intrusion prevention and detection at the virtual machine network interface level by redirecting select virtual machine traffic to HP TippingPoint NGIPS nodes for inspection. TippingPoint CloudArmour can also be used to isolate virtual machine traffic between specific virtual machines. Integrating HP TippingPoint into CloudSystem Enterprise and Cloud Service Automation service designs can provide instant on IPS / IDS and firewall protection of virtual machine traffic. HP TippingPoint CloudArmour addresses concerns identified by the Cloud Security Alliance in Domain 13 Virtualization of the Security Guidance for Critical Areas of Focus in Cloud Computing. Specific areas that are addressed by HP TippingPoint CloudArmour include: VM Guest Hardening Including CloudArmour firewall and IPS protection into cloud based virtual machine deployments Inter-VM Attacks and Blind Spots CloudArmour integrates with the hypervisor security APIs to protect and isolate virtual machine traffic. This isolation can restrict traffic between specific virtual machines that are defined during deployment Instant-On Gaps HP TippingPoint CloudArmour is integrated into the Cloud Service Automation service offerings to enable IPS / IDS and firewall protection of virtual machines at the time of deployment. Domain 14 Security As A Service Network Security HP CloudArmour integration into Cloud Service Automation service offerings provides cloud consumers with a network security Security as a Service (SecaaS) offering by providing IPS / IDS and firewall protection to cloud based virtual machine resources Intrusion Detection SecaaS Requirements TippingPoint CloudArmour and NGIPS, when integrated with CloudSystem Enterprise, meet the requirements of an Intrusion Detection SecaaS by providing identification of intrusions and policy violations, providing automatic remediation, providing integration with the Virtual Machine Management (VMM) plane, and providing deep packet inspection based on behavioral, signature, heuristic, and statistical techniques. Additionally HP TippingPoint can be integrated with HP ArcSight to ensure logging of IPS / IDS activity. HP TippingPoint product overview HP TippingPoint NX Platform Next Generation Intrusion Prevention Systems The HP TippingPoint NX Platform Next Generation Intrusion Prevention System (NGIPS) achieves a new level of in-line, realtime protection, providing proactive network security in a smaller footprint for today s and tomorrow s real-world network traffic and data centers. The NX Platform next-generation architecture adds significant capacity for deep packet traffic inspection, and its modular software and hardware design enables the addition of valuable network protection services as NGIPS continues to evolve from first generation IPS technology. This new improved NGIPS platform redefines the next generation of intrusion prevention as a foundation for comprehensive network security across all critical areas in the enterprise. The HP TippingPoint NX Platform NGIPS can be a critical component in any IT compliance program. It addresses many compliance program objectives, including vulnerability management with the Digital Vaccine Service, and network monitoring objectives with the security management system. In addition, the NGIPS may provide a compensating control, where a requirement is not specifically satisfied with other solutions or processes. Digital Vaccine DVLabs HP TippingPoint Digital Vaccine Labs (DVLabs) is an acknowledged leader in IT security research and intelligence. Our researchers and developers apply cutting-edge reverse engineering and analysis techniques to create comprehensive threat protection for customer networks. HP DVLabs security experts monitor global Internet activity, analyze malware, and discover previously unknown vulnerabilities to deliver a variety of security services that protect customer networks. 5

6 6 HP TippingPoint Security Management System (SMS) The HP TippingPoint Security Management System (SMS) appliance gives you global vision and security policy control for your large-scale deployments of all HP TippingPoint products, including the HP TippingPoint Next Generation Intrusion Prevention Systems (NGIPS), Core Controllers and SSL appliances. It delivers robust management functionality and flexible deployment. Multiple models are available to match your current requirements and provide a growth path. Key features: Enterprise management of HP TippingPoint security products and policies Supports multi-tenant environments Customizable log formats Integration with HP ArcSight Security Intelligence and Event Management Flexible deployment options HP TippingPoint CloudArmour HP TippingPoint CloudArmour extends our leading next-generation intrusion prevention system (NGIPS) platform for data center security from the physical to the virtual data center by enforcing security policies in virtual machines (VMs) and mobile VMs. HP TippingPoint CloudArmour consists of Virtual Controller (vcontroller), Virtual Firewall (vfw), and Virtual Management Center (vmc), which are purpose-built software solutions designed to enable and enforce full data center firewall segmentation and NGIPS inspection between trust zones for physical hosts, VMs, and even mobile VMs. CloudArmour intercepts all packets within the hypervisor and then based on user-defined policies permits traffic, blocks traffic, or tunnels packets to an HP TippingPoint NGIPS for inspection. CloudArmour provides protection for virtual machine network traffic. The protection is provided for VM to VM traffic on an ESXi host as well and VM to VM traffic for virtual machines residing on different ESXi hosts. Key features: Single solution for physical, virtual data center Purpose built for virtualization security Real-time visibility of entire virtual data center VMware certified Security policies follow VMs Security information and event monitoring HP ArcSight and Cloud Security Alliance: SIEM Domain 9 Incident Response in the Cloud Security Alliance Security Guidance for Critical Areas of Focus in Cloud Computing v3.0 discusses the difficulty with coordination of incident reporting between a cloud provider and cloud consumer. The relationship between a cloud provider and a cloud consumer can be a relationship between a public cloud provider and an autonomous company operating on the public cloud provider s infrastructure; or this relationship could be within an organization between a company s IT organization and the company s departments and organizations operating in a private cloud model. In a public cloud relationship, the cloud consumer may not have access to the log data of the underlying infrastructure making forensic investigation and root cause investigation difficult or impossible. The ArcSight SIEM solution collects and correlates logging and event information from systems and applications throughout the enterprise. This data when correlated can provide the organization with valuable data that can be used to monitor the current status or conduct forensic investigation in the event of a security breach or outage. The cloud provider and cloud consumer have shared responsibilities with respect to identifying and reporting security breaches and outages that may affect SLA agreements or customer data security. Using ArcSight Enterprise Security Manager (ESM) and logging applications at the provider level allows the cloud provider to capture log and event information at the infrastructure level. A cloud consumer can also implement ArcSight logging into their applications and operating systems that are running on the cloud provider s infrastructure. This provides the customer with their own set of event information and log data that can be used for forensic and root cause investigation. ArcSight CEF (common event format) can normalize log data from many different sources into a single format that provides the cloud consumer with portable log information that can be used for historical analysis. As previously mentioned both the cloud provider and cloud consumer have a shared responsibility for identifying breaches and outages. If the cloud consumer chooses, they can share the application and operating system log information captured by the ArcSight logger with their cloud provider to aid in forensic investigations. Domain Data Sources Discusses the importance of logging incident response and root cause analysis. The section identifies how logging should be accomplished in a cloud environment and the importance of the relationship between the cloud provider and cloud consumer. Insight into application logging that is captured by the cloud consumer can aid a cloud provider with fault analysis. This section also discusses the importance of filtering large amounts of data that can be

7 generated by logging activity. The ability to capture, store and correlate large amounts of log data is a key benefit of ArcSight ESM and ArcSight Logger. Domain 5 Domain Database and File Activity Monitoring requires that database and file activity, SQL statements and Administrator actions against corporate databases and file repositories should be tracked. This requirement is addressed by ArcSight s ability to track and correlate activity throughout the enterprise. CSA Domain 13 Virtualization VM Guest Hardening log monitoring of cloud based subscriptions is accomplished by integrating the automatic installation and configuration of ArcSight connectors via Cloud Service Automation service offerings. Domain 14 Security as a Service SecaaS SIEM SecaaS Requirements this section outlines the requirements of a SIEM Security as a Service. ArcSight Logger and ESM meet these requirements by providing normalization and correlation of cloud consumer log data. CloudSystem Enterprise and Cloud Service Automation can integrate ArcSight logging and connector deployment into service offerings that enable logging and reporting of cloud based applications allowing cloud consumers to meet these requirements. HP ArcSight product overview HP ArcSight Enterprise Security Manager HP ArcSight Enterprise Security Manager (ESM) is the premiere security event manager that analyzes and correlates every operational event (login, logoff, file access, database query), or other event in order to support your IT team in every aspect of security event monitoring, from compliance and risk management to security intelligence and operations. The ArcSight ESM event log monitor sifts through millions of log records to find the targeted critical events, and presents them in real time via dashboards, notifications, and reports, so you can accurately prioritize security risks and compliance violations. By adding HP Reputation Security Monitor (RepSM), vetted reputation-based threat intelligence can be correlated with security events to identify threats earlier and to detect and avert even the most sophisticated attacks. Key benefits: A cost-effective solution for all your regulatory compliance needs Automated log collection and archiving Fraud and Real-time threat detection Forensic analysis capabilities for cyber security Detect threats early using timely reputation data with HP RepSM HP ArcSight Logger With HP ArcSight Logger you can improve everything from compliance and risk management, security intelligence and IT operations to efforts that prevent insider and advanced persistent threats. This universal log management solution collects machine data from any log-generating source and unifies the data for searching, indexing, reporting, analysis, and retention. And in the age of Bring Your Own Device (BYOD) and mobility, it enables you to comprehensively manage an increasing volume of log data from an increasing number of sources. Key features: Collect logs from any log generating source through 300+ connectors from any device and in any format Unify data across IT through normalization and categorization, into a common event format (CEF registered) Search through millions of events using a text-based search tool with a simple interface Store years' worth of logs and events in a unified format through a high compression ratio at low cost Automate analysis, alerting, reporting, intelligence of logs and events for IT security, IT operations, IT Governance Risk Management and Compliance (GRC), and log analytics 7

8 HP ArcSight Connectors HP ArcSight Connectors solve the problem of managing log records in hundreds of different formats. While the HP ArcSight SIEM Platform can collect log records in native formats, HP ArcSight Connectors provide normalization to a common format, which greatly improves reporting and analysis. By normalizing all events into one common event taxonomy, HP ArcSight Connectors decouple analysis from vendor selection. This approach has four significant advantages: Centrally manage 300+ connectors through HP ArcSight Connector Appliance (ConApp) HP ArcSight Connector appliance manages the ongoing updates, upgrades, configuration changes and administration of a distributed log collection deployment through a simple and centralized web-based interface. ConApp can be deployed both as an appliance and software. Future proofing If a Cisco router is swapped for a Juniper router or if a new SQL database is added to a network that previously only had Oracle, no reporting or rules changes are required and the organization retains continuous visibility into all activity. Ease of analysis The HP ArcSight common event format eliminates the need for end users to be familiar with hundreds of different log syntaxes across products. As a result, non-technical line of business users can easily conduct analysis on their own, reducing the burden on IT. Universal content relevance With the HP ArcSight normalized format, a report that shows authentication failures will cover every system automatically, even though one application may refer to authentication failures with a specific event ID while a database refers to the same as an unsuccessful login. This unique architecture is supported across hundreds of commercial products out-of-the-box as well as legacy systems. HP ArcSight Connectors also offer various audit quality controls including secure, reliable transmission and bandwidth controls. In addition to software-based deployments, HP ArcSight Connectors are available in a range of plug-and-play appliances that can cost-effectively scale from small store or branch office locations to large data centers. Connector appliances enable rapid deployment and eliminate delays associated with hardware selection, procurement and testing. Secure development, test, and deployment HP Fortify and Cloud Security Alliance: Secure development Before applications are deployed into a public or private cloud infrastructure the applications should be subjected to thorough vulnerability testing to identify vulnerabilities that can be exploited. Vulnerability testing should be an integral part of development, QA, and deployment of an application s lifecycle. Minimizing threats and risks from poor coding practices can enhance overall security of the application deployed into a shared environment. HP Fortify has several products that can be used to aid in identifying application vulnerabilities, Fortify Static Code Analyzer (SCA), Software Security Center (SSC), WebInspect, and Runtime. These products when used throughout the Software Development Life Cycle (SDLC) can help reduce application vulnerabilities. The Cloud Security Alliance discusses the importance of application security in Domain 10 Application Security of the Security Guidance For Critical Areas of Focus in Cloud Computing v3.0. In this section the CSA discusses the open and shared nature of cloud computing requires the implementation of a Secure Software Development Life Cycle and the importance of a Software Security Assurance program. The HP Fortify product suite provides the core components of a Software Security Assurance program. CSA Domain provides an outline of an Application Security Assurance Program. CSA Domain Construction CSA Domain Code Review discusses the importance of Static Application Security Testing (SAST) and Dynamic code analysis or Dynamic Application Security Testing (DAST) to understand vulnerabilities of an application. SAST testing can be performed with HP Fortify Static Code Analyzer and HP Fortify CloudScan, while DAST can be accomplished using HP Fortify WebInspect. CSA Domain Security Testing This section discusses penetration testing and attack simulations to test an organizations network and application security. HP WebInspect is an automated and configurable web application security and penetration testing tool that mimics real-world hacking techniques and attacks, enabling you to thoroughly analyze your complex web applications and services for security vulnerabilities. CSA Domain Quantitative Improvement Can be managed by HP Fortify Software Security Center 8

9 CSA Metrics discusses the importance of collecting metrics as part of a Software Security Program. HP Fortify SSC provides a historical view of the vulnerabilities that have been identified and resolved by tracking the test results of security testing performed by HP Fortify products. CSA Use of Automated SDLC Security Technology Tools and Features discusses the use of automated security testing tools to identify vulnerabilities in applications, this would include tools such as HP Fortify SCA, Runtime, and WebInspect that can be integrated into your SDLC. CSA Domain 10. Application Penetration Testing HP Fortify WebInspect provides an organization with powerful penetration testing to identify vulnerabilities in running applications, during development or after deployment. CSA Domain 10.5 Monitoring Applications in the Cloud CSA Domain Application Monitoring in the Cloud: Give and Take This section identifies two key areas that are addressed by HP Fortify Runtime: Monitoring for malicious use and Monitoring for compromise. HP Fortify Runtime monitors running applications allowing the organization to automatically block suspicious activity and report back to the Fortify Software Security Center. Domain 14 Security as a Service WebServices Fortify Runtime integrated into Cloud Service Automation service designs that deploy web applications provide the ability to identify, block, and report unauthorized access and suspicious activity Security Assessment HP Fortify CloudScan allows developers to offload Static Code Analysis software scans to a cloud-based resource. Fortify WebInspect allows cloud consumers to perform penetration testing and dynamic application security testing of cloud-based applications. HP Fortify product overview HP Fortify Software Security Center HP Fortify Software Security Center enables any organization of any size to automate any or all aspects of a successful Software Security Assurance (SSA) program. Part of the family of HP Enterprise Security Products, HP Fortify Software Security Center is comprised of industry-leading products, solutions, and features that address the complete spectrum of your application security needs. HP Fortify Software Security Center can help you: Address immediate security issues in software you ve already deployed. Reduce systemic risk in software you re developing or acquiring from vendors. Meet compliance goals for internal and external security mandates. Key benefits: Reduces time to find and fix vulnerability issues in software. Lowers costs associated with development, remediation, and compliance. Boosts productivity by automating application security procedures. Accelerates time to market HP Fortify CloudScan With HP Fortify CloudScan (CloudScan), users of HP Fortify Static Code Analyzer can better manage their resources by offloading the processor-intensive scanning phase of the analysis from their build machines to a cloud of machines provided for this purpose. The translation phase, which is less processor- and time-intensive, is completed on the build machine. After translation is completed, an HP Fortify Static Code Analyzer (SCA) mobile build session is generated and moved to a distributed cloud of machines for scanning. In addition to freeing up the build machines, this process makes it easy to grow the system by adding more resources to the cloud as needed, without having to interrupt your build process. In addition, users of HP Fortify Software Security Center (SSC) can direct CloudScan output to a Fortify Project Results (security results) output file directly to Software Security Center. 9

10 HP Fortify Static Code Analyzer HP Fortify Static Code Analyzer helps verify that your software is trustworthy, reduce costs, increase productivity and implement secure coding best practices. Static Code Analyzer scans source code, identifies root causes of software security vulnerabilities and correlates and prioritizes results giving you line of code guidance for closing gaps in your security. To verify that the most serious issues are addressed first, it correlates and prioritizes results to deliver an accurate, risk ranked list of issues. Static Analysis, also known as Static Application Security Testing (SAST), can be accomplished using HP Fortify Static Code Analyzer (SCA). HP Fortify Static Code Analyzer provides organizations with the following benefits: Reduce business risk by identifying vulnerabilities that pose the biggest threat Identify and remove exploitable vulnerabilities quickly with a repeatable process Reduce development cost by identifying vulnerabilities early in the Software Development Life Cycle (SDLC) Educate developers in secure coding practices while they work Bring development and security teams together to find and fix security issues Detects more types of potential vulnerabilities than any other detection method Pinpoints the root cause of vulnerabilities with line-of-code detail Helps you identify critical issues during development when they are easiest and least expensive to fix HP Fortify Runtime application protection Protect your company from security attacks against applications in production with HP Fortify Runtime. Fortify Runtime is a software solution for Java- and.net-based applications that works inside an application to actively monitor and protect against directed attacks as well as other potential threats posed against an application and the data behind it. The solution automatically identifies security critical code inside the application and actively monitors these locations. As applications are running, it detects security events, mitigates attacks, and can log monitored events to HP Fortify Software Security Center, HP ArcSight Logger or ESM, and the file system. HP Fortify Runtime application protection provides the following benefits: Out-of-the-box security application monitoring, logging and protection Better protection against cyber-attacks and fraud in deployed applications Streamlined regulatory compliance and application-level security audit controls Enterprise-wide threat visibility and centralized management of security threats Risk prioritization via real-time correlation across networks, systems and applications Integration with HP ArcSight Security Information and Event Management (SIEM) 10

11 CloudSystem Enterprise EcoSystem With the inclusion of HP TippingPoint, ArcSight and Fortify into an HP CloudSystem Enterprise environment, as the cloud administrator you will have greater visibility, control and security of your cloud environment. Figure 3 is a simple example of the Cloud Security EcoSystem with the inclusion of HP Security products. We will dive into each product as it pertains to the ecosystem in this section. Figure 3. HP CloudSystem Enterprise Security Ecosystem Securing the Cloud with HP TippingPoint In traditional networking, products like the HP TippingPoint s IPS would be placed in line between systems and/or different networks to scan traffic for known vulnerabilities as well as identify trends and adapt automatically as new threats emerged. However, this tradition style of network intrusion detection and prevention could not and did not extend into the virtual environment. If two virtual machines are on the same host, traffic between the VMs would go uninspected since it would stay within the host (Figure 4). 11

12 Figure 4. Traditional vs. Virtual networking. Virtual networking not getting traffic inspected. With HP TippingPoint CloudArmour, the protection provided by HP TippingPoint can be extended into your virtualized environment (Figure 5). Figure 5. CloudArmour 12

13 In addition to IPS protection, HP TippingPoint CloudArmour can also provide tenant isolation (called a security zone), regardless of whether a VM is in the same or different layer 2 or 3 network. With HP CloudArmour and its built in firewall capabilities, Administrators can restrict and/or inspect the traffic allowed between VMs in the same zone as well as between zones (Figure 6 and Figure 7). Figure 6. Allowing traffic between zones Figure 7. Blocking traffic between zones 13

14 Administrators can also control the traffic between systems in the same zone with HP TippingPoint CloudArmour vfirewall. This allows even greater control over your virtual environment. You could block SSH between two virtual machines for example to help mitigate risk during an attack from either internal or external sources (Figure 8). Again this happens even if the VMs are on the same layer 2/3 network. Figure 8. Restricting traffic within the zone For more information on using HP TippingPoint CloudArmour in a HP Cloud System Enterprise environment, please refer to the following white paper: HP TippingPoint CloudArmour and HP Cloud Service Automation Now that you can see what HP TippingPoint CloudArmour can do, you can also leverage its capabilities through subscriptions for your private cloud deployments. HP has developed CloudSystem Enterprise service designs that will deploy new subscriptions into separate security zones in order to provide automatic tenant isolation. You can also leverage the firewall capabilities of HP TippingPoint CloudArmour to secure your multi-tiered applications without having to set up separate networks and configure firewalls and routers to allow/restrict the traffic needed to make it work. For more information, please refer to the HP TippingPoint CloudArmour Security Provider Integration Guide available at: (Access to HP Live Networks is required.) 14

15 Building and maintaining secure applications with HP Fortify and HP WebInspect In addition to securing the network and subscription in your CloudSystem Enterprise environment, cloud administrators and users also need to be concerned about the application security of those subscriptions to further protect the systems and the data on them. The HP Fortify application suite can assist in securing cloud applications throughout the entire software development life cycle (Figure 9). Figure 9. Integration of HP Fortify and WebInspect into a virtual environment 15

16 HP Fortify Static Code Analyzer When developing an application, your developers will work in a dev/test type of environment. Using HP CloudArmour, this could be a separate zone in your CloudSystem Enterprise environment, or could be traditionally another network/vlan. When writing code, developers may try to write it to the best of their knowledge/ability to be secure, however it is unrealistic to assume your developers will always write perfect secure code. There are too many vulnerabilities out there for one developer, or group of developers, to fully understand and know how to mitigate them in their code. HP Fortify Static Code Analyzer (SCA) allows developers to scan their code for all known vulnerabilities in their applications. The results of their scan will be sent to HP Fortify Software Security Center, where a report with an issue list will be generated (Figure 10) for the developer to analyze. Figure 10. Sample PHP Project Issue List The reports will tell the developer what vulnerabilities are present in their code, the line of code that is in question, and recommendations how to fix it. By double clicking on the issue, the exact location within a project is displayed; below we can see the location of the issues in our sample project are located in line 3 (Cross-Site Scripting) and line 4 (SQL Injection) of the sink.php script in the project. Figure 11. Sample PHP Project Issue Location 16

17 If we were to view the details we would see the exact lines of code affected and an explanation of the issue along with a recommendation on how to remediate the problem. Figure 12. Issue Details and Recommendations HP Fortify CloudScan Leveraging HP Fortify CloudScan in your private cloud dev/test deployments allows you to offload the static code analysis from the developer s virtual machine to a Hadoop cluster that administrators can flex based on the user workloads. This will enable much faster scan times by the HP Fortify Static Code Analyzer while allowing for less resources needed on the developers VMs since the scanning will be pushed out to CloudScan. The results of the scan will be sent to the SSC where the developer can look at the results, just like if the scan was done on their local system. To assist HP CloudSystem Enterprise Administrators administrating a dev/test environment, HP has developed a CloudSystem Enterprise service designs to create and flex CloudScan and the Hadoop cluster it leverages. For more information, please refer to: Service Design for HP Fortify CloudScan Reference Implementation HP WebInspect During the dev/test cycle of application development, and even in a production environment, developers and administrators will want to run penetration testing on their compiled and running application. To do this, one can leverage HP WebInspect that mimics real-world hacking techniques and attacks, enabling you to thoroughly analyze your complex web applications and services for security vulnerabilities. HP Fortify Runtime In addition to use of HP WebInspect for your production environment, HP Fortify Runtime automatically identifies and monitors security critical code inside applications, detects security events and mitigates attacks. HP Fortify Runtime provides the ability to detect new vulnerabilities that may not have been known at the time of development. Runtime application protection can also block security attacks on a running application. The Runtime application protection is integrated into the application and when a new vulnerability is detected the results are reported to the HP Software Security Center for tracking and analysis. This information can be provided to developers for patching and remediation. HP Fortify Runtime application protection can be integrated into your CloudSystem Enterprise service designs and offerings to provide out of the box runtime application protection for Java- and.net-based applications. For more information on how to integrate HP Fortify runtime into your service design, and for more information on integrating HP Fortify with HP CloudSystem Enterprise, please refer to the following white paper: Correlating the mountains of data with HP ArcSight With HP TippingPoint protecting the network, and HP Fortify and WebInspect protecting and identifying issues with your applications, administrators need something that can help them correlate all the data coming from those products as well as from all of the systems (servers, storage, network, applications, etc.) in their private cloud in order to satisfy auditing, forensics and compliance needs. HP s industry leading ArcSight platform provides this capability and will give administrators 17

18 the visibility and capabilities they need to be in compliance with government regulations as well as identify, react, and implement changes/fixes when issues arise. HP ArcSight Connectors Administrators can install ArcSight Connectors to send log data from applications or send system logs to ArcSight Logger or Enterprise Security Manager (ESM). Installation of the ArcSight Connectors can be incorporated into your CSA service designs to ensure proper installation and configuration so that the proper log data is sent to your HP ArcSight Logger or ESM servers. For more information on how to integrate HP ArcSight Connectors into your service designs, please refer to the following white paper: HP ArcSight Logger HP ArcSight Logger can gather log data from the CloudSystem Enterprise s infrastructure components in order to log, store, and forward events to ESM for correlation and action. The Suggested implementation section has a recommended implementation for CloudSystem Enterprise and other scenarios are discussed in the white paper at HP ArcSight Logger can also be deployed and receive information from your user s subscriptions. HP has developed a CloudSystem Enterprise Service Design to deploy HP ArcSight Logger into user subscriptions. For more information, please refer to the following white paper: It is important to note that it is the shared responsibility of both the consumer and the provider to share data, in the event of a breach or audit for example. Leveraging the HP CloudSystem Enterprise: Service Design for HP ArcSight Logger, consumers can pick and choose what data to provide the provider, and have that data automatically forward to the provider s HP ArcSight Logger and/or ESM. Suggested implementation HP recommends using ArcSight Connectors whenever possible. Most of the components of CloudSystem Enterprise support the use of ArcSight Connectors, and those that do not can send data directly to ArcSight Logger as raw data. (Figure 13) Figure 13. Example Deployment of logging with ArcSight 18

19 In Figure 13 above, the following components are running HP ArcSight Connectors and are sending their log data to HP ArcSight Logger via a Connector Receiver listening on port TCP/443. CloudSystem Enterprise Software stack HP Matrix Operating Environment HP Server Automation HP Cloud Service Automation HP Operations Orchestration HP SiteScope HP ucmdb Hypervisor Management Server (VMware vcenter, Microsoft System Center, etc.) HP TippingPoint SMS HP Fortify Software Security Center In Figure 13 above, the following components send their raw log data to HP ArcSight via port UDP/514. The reason for not using a smart connector is there is not currently one available for those components. By sending the raw log to logger from these components, the data can be searched, normalized, and sent to ESM for correlation. HP Virtual Connect Interconnects HP c-class Onboard Administrators HP Networking Switches HP StoreServ Storage Cloud Security Alliance The Cloud Security Alliance is a not-for-profit-organization that provides guidance, education, and promotes best practices for security in cloud computing. The Cloud Security Alliance s mission statement is: To promote the use of best practices for providing security assurance within cloud computing, and provide education on the uses of cloud computing to help secure all other forms of computing. In accordance with their mission statement, the Cloud Security Alliance publishes security guidance and a cloud controls matrix to address security concerns in cloud computing. The Cloud Security Alliance guidance document, Security Guidance for Critical Areas of Focus in Cloud Computing, defines 14 domains for operating in a cloud environment and provides recommendations on how to securely operate in those domains. Each domain addresses a specific area of concern with respect to security and cloud computing. The HP Enterprise Security products address many of the areas that are outlined in the security guidance document. The HP Enterprise Security products address areas of concern in the Cloud Security Alliance Domains listed below: Domain 5 Information Management and Data Security Locations and Access ArcSight ESM can track and correlate access data access Database and File Activity Monitoring ArcSight ESM and IdentityView can monitor user activity Domain 6 Interoperability and Portability Portability Recommendations (logging) Using ArcSight connectors normalizes log data in CEF (common event format) Recommendations for Different Cloud Models log traces Addressed by the ArcSight CEF log format Domain 9 Incident Response Detection and Analysis ArcSight ESM can be configured to monitor systems and applications for specific events. When an event is triggered an ArcSight Rule can perform a predefined action in response to the triggered event Forensic and Other Investigative Support for Incident Analysis Log data collected by ArcSight Logger and ESM can be used for forensic and incident analysis. 19

20 9.3.5 Containment, Eradication, and Recovery ArcSight ESM can trigger operations when a breach is detected, blocking user access for example; HP TippingPoint will block network based threats, and HP Fortify Runtime can block attempts to exploit application vulnerabilities. Domain 10 Application Security CSA Domain 10. Application Penetration Testing HP Fortify WebInspect provides an organization with powerful penetration testing to identify vulnerabilities in running applications, during development or after deployment. CSA Domain provides an outline of an Application Security Assurance Program. CSA Domain Code Review discusses the importance of Static Application Security Testing (SAST) and Dynamic code analysis or Dynamic Application Security Testing (DAST) to understand vulnerabilities of an application. SAST testing can be performed with HP Fortify Static Code Analyzer and HP Fortify CloudScan, while DAST can be accomplished using HP Fortify WebInspect and HP Fortify Runtime. CSA Domain Security Testing This section discusses penetration testing and attack simulations to test an organizations network and application security. CSA Metrics discusses the importance of collecting metrics as part of a Software Security Program. HP Fortify SSC provides a historical view of the vulnerabilities that have been identified and resolved by tracking the test results of security testing performed by HP Fortify products. CSA Use of Automated SDLC Security Technology Tools and Features discusses the use of automated security testing tools to identify vulnerabilities in applications, this would include tools such as HP Fortify SCA, Runtime, and WebInspect that can be integrated into your SDLC Authentication, Authorization, and Compliance Application Security Architecture in the Cloud CSA Domain 10.5 Monitoring Applications in the Cloud This area is addressed by both Fortify Runtime and the ArcSight SIEM solution CSA Domain Application Monitoring in the Cloud: Give and Take This section identifies two key areas that are addressed by HP Fortify Runtime: Monitoring for malicious use and Monitoring for compromise. HP Fortify Runtime monitors running applications allowing the organization to automatically block suspicious activity and report back to the Fortify Software Security Center. Domain VM Guest Hardening Including CloudArmour firewall and IPS protection into cloud based virtual machine deployments. Hardening of applications deployed in the cloud is also accomplished through an HP Fortify based Software Security Assurance program Inter-VM Attacks and Blind Spots CloudArmour integrates with the hypervisor security APIs to protect and isolate virtual machine traffic. This isolation can restrict traffic between specific virtual machines that are defined during deployment Instant-On Gaps HP TippingPoint CloudArmour is integrated into the Cloud Service Automation service offerings to enable IPS / IDS and firewall protection of virtual machines at the time of deployment. HP Fortify Runtime provides instant on protection at an application level by monitoring running applications for vulnerabilities and detecting attempts to exploit exposed vulnerabilities. Domain 14 Security As A Service Network Security HP CloudArmour integration into Cloud Service Automation service offerings provides cloud consumers with a network security SecaaS offering by providing IPS / IDS and firewall protection to cloud based virtual machine resources Security Information & Event Management (SIEM) Cloud consumers can integrate ArcSight connectors into their cloud service offerings. Organizations can deploy a virtual instance of ArcSight Logger through a service offering. TippingPoint CloudArmour can be integrated into cloud service offerings enabling instant on protection of virtual machine network interfaces. HP Fortify Runtime can be integrated into cloud service offerings to provide post deployment application protection and monitoring SIEM SecaaS Requirements SecaaS Category 7 Security Information and Event Management Implementation Guidance 20