Whitepaper

Canopy Security
Simplicity, Agility, Transparency
Summary

Introduction

While business is turning to the cloud to save costs and improve agility, for many enterprises security is still a big barrier to the adoption of cloud services. Canopy's founders, Atos, EMC and VMware, have addressed security from the outset with their Enterprise Application Store, Canopy's SaaS implementation.

Canopy has strengthened its information security management and has committed to the principles of simplicity, agility and transparency in order to meet the security challenges of large-scale cloud environments. These principles are adhered to through all Canopy's processes, right down to technical implementation. This means that Canopy can offer flexible cloud solutions and also support extensive security management, so that security can be managed even at account and server level.

The Canopy Cloud

Canopy implements all of the essential characteristics of the well-known NIST model:
- Resource pooling
- Broad network access
- Rapid elasticity
- Measured service
- On-demand self-service

Universally, information security concerns override all others when businesses consider moving data to the cloud, as demonstrated by a study from the CSA and ISACA.

Canopy's formation

Atos, EMC and VMware formed Canopy last year specifically to address the current barriers to cloud adoption. RSA, part of EMC, is a leading brand in IT security, addressing security actively by design. VMware is the market-leading provider of virtualisation technologies, offering best-of-breed security already built in. Atos is Europe's largest provider of IT services and a leader in secure and efficient enterprise computing. Last year, Atos managed the IT system security at the Olympic Games.
Cloud security challenges

Outsourcing and cloud computing relationships may feature similar sorts of contracts, but they are very different in both business perspective and technical implementation. The advantages of cloud computing (economies of scale, agility and time to market) are themselves challenges to the implementation of security, which is designed to be static and to ring-fence data. This contradiction needs to be resolved so that customers can realise the benefits of cloud computing and know that their data is secure.

We can liken the ascendance of cloud computing to the industrial revolution of the 19th century, when mass production took over from artisans and small workshops. In the same way, the IT industry is moving away from special application environments maintained by dedicated teams to large standardised cloud environments. Canopy's response to different risk environments is to strengthen the management of information security accordingly, and to align security with the movement and consumption of client data. The next section explains how Canopy's security management principles reduce the risk for the customer.
Table 4: Positive and negative influences on Cloud Adoption and Innovation

Positive influence on Cloud Adoption/Innovation | Mean Score | Rank | Negative influence on Cloud Adoption/Innovation | Mean Score | Rank
--- | --- | --- | --- | --- | ---
Cost management | 3.77 | 01 | Information security | 4.22 | 01
Agility | 3.75 | 02 | Data ownership/custodian responsibilities | 4.12 | 02
Time to market | 3.73 | 03 | Legal and contractual issues | 4.04 | 03
Efficiency | 3.65 | 04 | Regulatory compliance | 4.01 | 04
Productivity | 3.61 | 05 | Information assurance | 3.77 | 05
Business unit demand | 3.55 | 06 | Longevity of suppliers | 3.44 | 06
Resilience | 3.52 | 07 | Contract lock-in | 3.42 | 07
New technology | 3.46 | 08 | Performance standards | 3.30 | 08
Customer demand | 3.42 | 09 | Disaster recovery/business continuity | 3.25 | 09
Technical resources | 3.37 | 10 | Performance monitoring | 3.21 | 10
New markets | 3.33 | 11 | Technology stability | 3.10 | 11
Summary mean | 3.56 | | Summary mean | 3.62 |

Figure 1: Information Security is top barrier to market adoption of cloud (from 2012 Cloud Computing Market Maturity Study Results, published by CSA and ISACA)
Canopy Security principles

As mentioned above, traditional security management, with its reliance on static methods, does not deliver adequate protection for the information assets of many enterprises. The shortcomings in traditional security management are often successfully hidden until a security incident becomes publicly known and causes a crisis of confidence in the provider. To bridge the gaps in the traditional ways of maintaining security, Canopy adheres to three abiding principles:

- Simplicity
- Agility
- Transparency

By adhering to these principles, Canopy allows its customers to perform meaningful risk management with their contracted services. Canopy acknowledges that the customer is probably bearing the greatest risk and has a legitimate interest in minimising that risk.

Simplicity

Canopy's commitment to keeping security simple manifests itself in the systematic re-use of successful standards wherever possible. Canopy aims to pass on the benefits of this approach to its customer base via its Enterprise Application Store (EAS). By ordering from a catalogue of standard applications from ISVs, the customer can simplify software acquisition.

Through all layers of service, from hardware to application management, Canopy uses standard components with well-understood behaviour. Canopy uses Vblock as its hardware platform. Vblock integrates processor, network and storage so that Canopy operations can manage many pieces of uniform hardware with standardised processes. All management is performed from one console; regular tasks can be performed without co-ordination between different departments.

Canopy uses VMware products for virtual resource management. Canopy uses templates to standardise deployment. Templates include simultaneous configuration for processor, network and storage. This significantly speeds up deployment across all layers of the virtual infrastructure and reduces the error rate in deployments.
As a result, the following processes in security management are simplified, delivering a number of security benefits:

- Vulnerability management has to consider only a small number of target types with few variations, which helps in maintaining a small attack surface.
- Canopy performs patch management on the images via deployment templates under centralised management. Because all images and templates are managed centrally, Canopy can easily investigate patch state and enforce patch policy through direct control, if needed. VCE, which patches the Vblock, covers patch management on the infrastructure.

At the customer-facing layer, Canopy offers standardised components:

- The customer can simplify acquisition of standard software through the Enterprise Application Store.
- Canopy's Enterprise Application Store sets a common standard for application use. It contains mandatory security checks in the form of penetration tests, and additional source code scans if the application source code is available.
- Lifecycle management can be further simplified by standardised release and patch management cycles, which keep software up-to-date.
- The management of information security for both customer and Canopy is simplified by using a general ISMS (Information Security Management System) as a baseline for security. Specific controls are tailored to the requirements of the application.

Agility

Businesses have to be increasingly agile to deal with ever-changing environments, and information security needs to support this. The evolving landscape, with constantly changing threats, itself demands more agile security models. With the help of partner RSA, Canopy's security architecture includes the following components:

Security dashboard
Security dashboards give customers a quick overview of the current state of compliance, with the underlying KPIs (Key Performance Indicators) collected automatically.
Active risk management
The changing landscape on the internet shows again and again that preventive security measures are no longer enough. To limit the damage, the threat window from break-in to detection must be reduced to the minimum.

Security Operations Centre
Canopy is part of the Atos SOC (Security Operations Centre), which operates 24x7 with dedicated staff independent of application management teams. Duty officers are authorised to execute pre-agreed plans based on defined conditions. Staff also perform regular duties, including log monitoring, which are often neglected.

Security incident management
Canopy implements a staggered response to security incidents. At the first level, the virtual infrastructure responds automatically when a break-in is detected by automatic compliance checks. At the next level, the incident is treated according to the asset register and acceptable risk levels. Security incidents are raised by the SOC and are treated separately from regular incidents. The alerts are forwarded to the customer only, via previously agreed communication channels.

Transparency

In most cloud scenarios, the customer bears most of the risk because cloud applications support the customer's business. Canopy realises this is a major barrier for many businesses and is adopting a transparent approach to enable joint risk management between provider and customer. This approach is supported by the following implementations:

Shared knowledge
Canopy has a shared repository with each of its customers, where all relevant information is collected. Everyone authorised by the customer has access to it. This practice aligns with Atos' zero-email strategy.

Security control set
The control objectives and implementation required for ISO 27001 are shared with all customers. For controls where Canopy relies on other providers, particularly Atos for building and network infrastructure, Canopy may only be allowed to disclose certain information.
Security KPIs
Canopy delivers an indication of the relative performance of each individual control. The information is kept current, appropriate to the execution frequency of the control. Where possible, it is supported by automatic compliance monitoring.

Independent audits
Canopy provides the assurance of independent audits. Atos auditors, who are independent of Canopy, perform internal audits. ISO 27001 audits are performed annually by accredited certification organisations. Third-party auditors (in 2012 this was Ernst & Young) perform ISAE 3402 audits annually for physical and infrastructure security; these can be extended to application security at the customer's request.
Canopy Security implementation

Hardware
Canopy's hardware consists of Vblock systems from VCE, which integrate compute, network and storage technologies. Vblock systems can be managed as a single entity with a common interface. VCE is partially owned by VMware and addresses security in its product design, an advantage over cloud systems assembled from standard, off-the-shelf components. Canopy has implemented VCE's guidance on multi-tenant implementations.

Virtualisation software
Canopy uses virtualisation software from VMware, a Gartner Magic Quadrant leader for x86 server virtualisation infrastructure. The security of VMware products is arguably the best on the market. Canopy implements many of VMware's leading technologies, including:
- vSphere for virtualisation (version 5.1 as of February 2013).
- vCloud Networking and Security for network separation.
- vCloud Director for administrative separation, by assigning each customer its own virtual data centre.

Canopy's robust isolation mechanisms help to safeguard the data of those customers with high security requirements from threats introduced by fellow tenants with different risk profiles.

Enterprise Application Store
Canopy's Enterprise Application Store (EAS) provides a large number of applications as a service, following the SaaS delivery model. To counteract rogue application use within organisations, Canopy implements the following safeguards:
1. Before listing the application in the EAS, Canopy performs a due-diligence process on the application, including mandatory security tests.
2. The customer selects which applications should be used for its organisation, evaluates fulfilment of the organisation's security requirements and orders the service from Canopy.
3. The customer then assigns authorisation to individual users, who are the only ones with access to the application. This process is repeated for additional users.
Security management functionality
Canopy's security management builds on the functionality of its Enterprise Application Store platform. The Enterprise Application Store enables Canopy, together with its customers, to manage security at an account and application level.

Established security management processes from Atos
While Canopy manages all cloud-specific processes, other processes are linked back to its parent Atos. Atos has all the extensive resources and experience necessary for enterprise computing support. It can, for example, react to business continuity management and disaster recovery emergencies, including crisis management.

Infrastructure and networking
Atos provides Canopy with all data centre infrastructure and external network connectivity. As a world-class provider, Atos guarantees the highest standards, suitable for the largest enterprises. The internal networking of the cloud systems is fully contained in the Vblock, and Canopy has full insight into all networking elements.
Canopy compliance

Regulatory compliance is a time-consuming issue for organisations, occupying ever-increasing amounts of management resource. Regulations can frequently overlap in scope, so that the same issue may need to be dealt with several times in different contexts. Canopy can help customers when it comes to IT compliance. Firstly, Canopy implements best practice for all its services, assuring a common basis for compliance. Additionally, the usual compliance requirements from the application's domain (e.g. payment, healthcare) are evaluated and mapped to the application, creating a vertically compliant application. The implementation is performed as part of application management. Customers can inform Canopy of any specific requirements so that they can be mapped to the implementation and Canopy can alert the customer to any possible gaps.

Compliance standards

ISO 27001: This is the generally accepted standard for information security. Our parent company Atos, from whom Canopy buys the majority of its services, has been ISO 27001 certified for over 10 years. Canopy acquires its own ISO 27001 certification in 2013.

ISAE 3402/SSAE 16: Companies, or their financial auditors, may decide that an application managed by Canopy requires internal control over financial reporting under the terms of the Sarbanes-Oxley Act (SOX), or similar laws in Europe or Japan. In this case, the customer should inform Canopy of the SOX relevance of the application and the required reporting period. Canopy can then organise the necessary audits specific to the application and deliver the corresponding ISAE 3402 report (SOC-1). Services contracted from Atos are audited annually.

CSA CCM: An increasingly popular standard is the Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA), which Canopy has also adopted. There is no formal CCM certification; Canopy can supply implementation details on request.
Compliance monitoring
Canopy maintains all policies in the RSA Archer central database. Monitoring is performed automatically wherever possible. In all other cases, workflows are defined in Archer to organise manual checks and ensure timely feedback.

Compliance dashboard
Canopy provides its customers with a security dashboard, which gives a quick overview of the current state of compliance for their applications. This means any blind spot on the compliance map, for example arising from new installations or organisational changes, is quickly detected and corrected. The security dashboard empowers the customer to perform active risk management, as the information about each control can be traced back via its control objective to the risk it is meant to reduce.
Abbreviations

CCM: Cloud Controls Matrix, a control set from CSA
COSO: Committee of Sponsoring Organisations of the Treadway Commission
CSA: Cloud Security Alliance, https://cloudsecurityalliance.org/
EAS: Enterprise Application Store, Canopy's SaaS offering
IaaS: Infrastructure as a Service, one of the three cloud delivery models
ICFR: Internal Control over Financial Reporting
ISACA: formerly Information Systems Audit and Control Association, http://www.isaca.org
ISAE 3402: International Standard on Assurance Engagements No. 3402, new auditing standard, which replaced the SAS-70 standard
ISMS: Information Security Management System, standardised in ISO 27001
KPI: Key Performance Indicator
PaaS: Platform as a Service, one of the three cloud delivery models
SaaS: Software as a Service, one of the three cloud delivery models
SOC: Security Operations Centre
SOC-1 report: Report on Service Organisation Controls over ICFR (as ISAE 3402); there are also SOC-2 (privacy) and SOC-3 (Trust Services) reports
SOX: Sarbanes-Oxley Act
SSAE 16: Statement on Standards for Attestation Engagements No. 16, largely synonymous with ISAE 3402 but with a focus on the USA
TAI: Trusted Agile Infrastructure, the Atos cloud platform

Notes

1. Peter Mell and Timothy Grance, The NIST Definition of Cloud Computing, NIST Special Publication 800-145, as retrieved from http://csrc.nist.gov/publications/nistpubs/800-145/sp800-145.pdf
2. CSA and ISACA: 2012 Cloud Computing Market Maturity Study Results, http://www.isaca.org/Knowledge-Centre/Research/ResearchDeliverables/Pages/2012-Cloud-Computing-Market-Maturity-Study-Results.aspx
3. VCE website: http://www.vce.com
4. VCE website, Vblock systems security and compliance: http://www.vce.com/products/auxiliaryproducts/security
5. VCE website, Vblock solution for trusted multitenancy: Design Guide, http://www.vce.com/asset/documents/tmt-designguide.pdf
6. Gartner Magic Quadrant for x86 Server Virtualisation Infrastructure, by Thomas J. Bittman, George J. Weiss, Mark A. Margevicius, Philip Dawson, June 11, 2012, as cited in VMware Named a Leader in Magic Quadrant for x86 Server Virtualisation Infrastructure
7. VMware website, vCloud Networking and Security: http://www.vmware.com/products/datacentervirtualisation/vcloud-network-security/overview.html
8. VMware website, VMware vCloud Director: http://www.vmware.com/products/vcloud-director/overview.html
9. Cloud Security Alliance, Cloud Controls Matrix, with download of v1.3 available at https://cloudsecurityalliance.org/research/ccm/

Contact

www.canopy-cloud.com
Mail: info@canopy-cloud.com
Canopy Ltd, +44 (0)20 8555 1637
4 Triton Square, Regents Place, London NW 3HG