Whitepaper. Canopy Security. Simplicity, Agility, Transparency. An Atos company. Powered by EMC² and VMware




Summary

Introduction

While business is turning to the cloud to save costs and improve agility, for many enterprises security is still a major barrier to the adoption of cloud services. Canopy's founders, Atos, EMC and VMware, have addressed security from the outset with the Enterprise Application Store, Canopy's SaaS implementation. Canopy has strengthened its information security management and has committed to the principles of simplicity, agility and transparency in order to meet the security challenges of large-scale cloud environments. These principles are adhered to throughout Canopy's processes, right down to technical implementation. This means that Canopy can offer flexible cloud solutions and also support extensive security management, so that security can be managed even at account and server level.

The Canopy Cloud

Canopy implements all of the essential characteristics of the well-known NIST model [1]:

- Resource pooling
- Broad network access
- Rapid elasticity
- Measured service
- On-demand self-service

Universally, information security concerns override all others when businesses consider moving data to the cloud, as demonstrated by a study from the CSA and ISACA [2].

Canopy's formation

Atos, EMC and VMware formed Canopy last year specifically to address the current barriers to cloud adoption. RSA, part of EMC, is a leading brand in IT security and addresses security actively by design. VMware is the market-leading provider of virtualisation technologies, with best-of-breed security already built in. Atos is Europe's largest provider of IT services and a leader in secure and efficient enterprise computing; last year Atos managed IT system security at the Olympic Games.

Cloud security challenges

Outsourcing and cloud computing relationships may feature similar sorts of contracts, but they are very different in both business perspective and technical implementation. The advantages of cloud computing (economies of scale, agility and time to market) are themselves challenges to the implementation of security, which has traditionally been designed to be static and to ring-fence data. This contradiction needs to be resolved so that customers can realise the benefits of cloud computing and know that their data is secure.

We can liken the ascendance of cloud computing to the industrial revolution of the 19th century, when mass production took over from artisans and small workshops. In the same way, the IT industry is moving away from special application environments maintained by dedicated teams to large, standardised cloud environments. Canopy's response to these different risk environments is to strengthen the management of information security accordingly, and to align security with the movement and consumption of client data. The next section explains how Canopy's security management principles reduce the risk for the customer.
Figure 1: Information security is the top barrier to market adoption of cloud. Table 4, "Positive and negative influences on cloud adoption and innovation", from the 2012 Cloud Computing Market Maturity Study Results, published by CSA and ISACA [2].

Positive influence on cloud adoption/innovation    Mean score   Rank
Cost management                                    3.77         1
Agility                                            3.75         2
Time to market                                     3.73         3
Efficiency                                         3.65         4
Productivity                                       3.61         5
Business unit demand                               3.55         6
Resilience                                         3.52         7
New technology                                     3.46         8
Customer demand                                    3.42         9
Technical resources                                3.37         10
New markets                                        3.33         11
Summary mean                                       3.56

Negative influence on cloud adoption/innovation    Mean score   Rank
Information security                               4.22         1
Data ownership/custodian responsibilities          4.12         2
Legal and contractual issues                       4.04         3
Regulatory compliance                              4.01         4
Information assurance                              3.77         5
Longevity of suppliers                             3.44         6
Contract lock-in                                   3.42         7
Performance standards                              3.30         8
Disaster recovery/business continuity              3.25         9
Performance monitoring                             3.21         10
Technology stability                               3.10         11
Summary mean                                       3.62

Canopy security principles

As mentioned above, traditional security management, with its reliance on static methods, does not deliver adequate protection for the information assets of many enterprises. The shortcomings in traditional security management are often successfully hidden until a security incident becomes publicly known and causes a crisis of confidence in the provider. To bridge the gaps in the traditional ways of maintaining security, Canopy adheres to three abiding principles: simplicity, agility and transparency. By adhering to these principles, Canopy allows its customers to perform meaningful risk management of their contracted services. Canopy acknowledges that the customer probably bears the greatest risk and has a legitimate interest in minimising it.

Simplicity

Canopy's commitment to keeping security simple manifests itself in the systematic re-use of successful standards wherever possible. Canopy aims to pass on the benefits of this approach to its customer base via its Enterprise Application Store (EAS): by ordering from a catalogue of standard applications from ISVs, the customer can simplify software acquisition. Through all layers of service, from hardware to application management, Canopy uses standard components with well-understood behaviour.

Canopy uses Vblock as its hardware platform. Vblock integrates processor, network and storage so that Canopy operations can manage many pieces of uniform hardware with standardised processes. All management is performed from one console, and regular tasks can be performed without co-ordination between different departments.

Canopy uses VMware products for virtual resource management, and uses templates to standardise deployment. A template configures processor, network and storage together. This significantly speeds up deployment across all layers of the virtual infrastructure and reduces the error rate in deployments.

As a result, the following processes in security management are simplified, delivering a number of security benefits:

Vulnerability management has to consider only a small number of target types with few variations, which helps in maintaining a small attack surface.

Patch management is performed on the images via deployment templates under centralised management. Because all images and templates are managed centrally, Canopy can easily investigate patch state and enforce patch policy through direct control if needed. VCE, which patches the Vblock, covers patch management on the infrastructure.

At the customer-facing layer, Canopy offers standardised components. The customer can simplify the acquisition of standard software through the Enterprise Application Store, which sets a common standard for application use. Listing in the store requires mandatory security checks in the form of penetration tests, with additional source code scans if the application source code is available. Lifecycle management can be further simplified by standardised release and patch management cycles, which keep software up to date.

The management of information security for both customer and Canopy is simplified by using a general ISMS (Information Security Management System) as the security baseline. Specific controls are tailored to the requirements of the application.

Agility

Businesses have to be increasingly agile to deal with ever-changing environments, and information security needs to support this. The evolving landscape, with constantly changing threats, itself demands more agile security models. With help from partner RSA, Canopy's security architecture includes the following components:

Security dashboard: Security dashboards give customers a quick overview of the current state of compliance, with the underlying KPIs (Key Performance Indicators) collected automatically.
Active risk management: The changing landscape on the internet shows again and again that preventive security measures are no longer enough. To limit the damage, the window from break-in to detection must be reduced to the minimum.

Security Operations Centre: Canopy is part of the Atos SOC (Security Operations Centre), which operates 24x7 with dedicated staff independent of the application management teams. Duty officers are authorised to execute pre-agreed plans when defined conditions are met. Staff also perform the regular duties, including log monitoring, that are often neglected.

Security incident management: Canopy implements a staggered response to security incidents. At the first level, the virtual infrastructure responds automatically when a break-in is detected by automatic compliance checks. At the next level, the incident is handled according to the asset register and the acceptable risk levels. Security incidents are raised by the SOC and are handled separately from regular incidents. Alerts are forwarded to the customer only, via previously agreed communication channels.

Transparency

In most cloud scenarios, the customer bears most of the risk, because cloud applications support the customer's business. Canopy realises this is a major barrier for many businesses and is adopting a transparent approach to enable joint risk management between provider and customer. This approach is supported by the following implementations:

Shared knowledge: Canopy has a shared repository with each of its customers, where all relevant information is collected. Everyone authorised by the customer has access to it. This practice aligns with the Atos zero-email strategy.

Security control set: The control objectives and the implementations required for ISO 27001 are shared with all customers. For controls where Canopy relies on other providers, particularly Atos for building and network infrastructure, Canopy may only be allowed to disclose certain information.
Security KPIs: Canopy delivers an indication of the relative performance of each individual control. The information is refreshed at a rate appropriate to the execution frequency of the control and, where possible, is supported by automatic compliance monitoring.

Independent audits: Canopy provides the assurance of independent audits. Atos auditors, who are independent of Canopy, perform internal audits. ISO 27001 audits are performed annually by accredited certification bodies. Third-party auditors (in 2012, Ernst & Young) perform ISAE 3402 audits annually for physical and infrastructure security; these can be extended to application security at the customer's request.

Canopy security implementation

Hardware

Canopy's hardware consists of Vblock systems from VCE [3], which integrate compute, network and storage technologies. Vblock systems can be managed as a single entity with a common interface. VCE is partially owned by VMware and addresses security in its product design [4], an advantage over cloud systems assembled from standard, off-the-shelf components. Canopy has implemented VCE's guidance on multi-tenant implementations [5].

Virtualisation software

Canopy uses virtualisation software from VMware, a Gartner Magic Quadrant leader for x86 server virtualisation infrastructure [6]. The security of VMware products is arguably the best on the market. Canopy implements many of VMware's leading technologies, including:

- vSphere for virtualisation (version 5.1 as of February 2013)
- vCloud Networking and Security for network separation [7]
- vCloud Director for administrative separation, assigning each customer its own virtual data centre [8]

Canopy's isolation mechanisms help to safeguard the data of customers with high security requirements from threats introduced by fellow tenants with different risk profiles.

Enterprise Application Store

Canopy's Enterprise Application Store (EAS) provides a large number of applications as a service, following the SaaS delivery model. To counteract rogue application use within organisations, Canopy implements the following safeguards:

1. Before listing an application in the EAS, Canopy performs a due-diligence process on the application, including mandatory security tests.
2. The customer selects which applications should be used in its organisation, evaluates whether they fulfil the organisation's security requirements, and orders the service from Canopy.
3. The customer then assigns authorisation to individual users, who are the only ones with access to the application. This step is repeated for each additional user.
Security management functionality

Canopy's security management builds on the functionality of its Enterprise Application Store platform. The Enterprise Application Store enables Canopy, together with its customers, to manage security at account and application level.

Established security management processes from Atos

While Canopy manages all cloud-specific processes, other processes are linked back to its parent, Atos. Atos has the extensive resources and experience necessary for enterprise computing support; it can, for example, react to business continuity management and disaster recovery emergencies, including crisis management.

Infrastructure and networking

Atos provides Canopy with all data centre infrastructure and external network connectivity. As a world-class provider, Atos guarantees the highest standards, suitable for the largest enterprises. The internal networking of the cloud systems is fully contained within the Vblock, and Canopy has full insight into all networking elements.

Canopy compliance

Regulatory compliance is a time-consuming issue for organisations, occupying ever-increasing amounts of management resource. Regulations frequently overlap in scope, so that the same issue may need to be dealt with several times in different contexts. Canopy can help customers when it comes to IT compliance. Firstly, Canopy implements best practice for all its services, assuring a common basis for compliance. Additionally, the usual compliance requirements from the application's domain (e.g. payment, healthcare) are evaluated and mapped to the application, producing an application that is compliant for that vertical. The implementation is performed as part of application management. Customers can inform Canopy of any specific requirements so that they can be mapped to the implementation, and Canopy can alert the customer to any possible gaps.

Compliance standards

ISO 27001: This is the generally accepted standard for information security management. Our parent company Atos, from whom Canopy buys the majority of its services, has been ISO 27001 certified for over 10 years. Canopy is obtaining its own ISO 27001 certification in 2013.

ISAE 3402/SSAE 16: Companies, or their financial auditors, may decide that an application managed by Canopy falls under internal control over financial reporting under the terms of the Sarbanes-Oxley Act (SOX) or similar laws in Europe or Japan. In this case, the customer should inform Canopy of the SOX relevance of the application and the required reporting period. Canopy can then organise the necessary audits specific to the application and deliver the corresponding ISAE 3402 report (SOC-1). Services contracted from Atos are audited annually.

CSA CCM: An increasingly popular standard is the Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA) [9], which Canopy has also adopted. There is no formal CCM certification; Canopy can supply implementation details on request.
Compliance monitoring

Canopy maintains all policies in the RSA Archer central database. Monitoring is performed automatically wherever possible. In all other cases, workflows are defined in Archer to organise manual checks and ensure timely feedback.

Compliance dashboard

Canopy provides its customers with a security dashboard, which gives a quick overview of the current state of compliance for their applications. This means any blind spot on the compliance map, for example arising from new installations or organisational changes, is quickly detected and corrected. The security dashboard empowers the customer to perform active risk management, as the information about each control can be traced back, via its control objective, to the risk it is meant to reduce.

Abbreviations

CCM: Cloud Controls Matrix, a control set from CSA
COSO: Committee of Sponsoring Organisations of the Treadway Commission
CSA: Cloud Security Alliance, https://cloudsecurityalliance.org/
EAS: Enterprise Application Store, Canopy's SaaS offering
IaaS: Infrastructure as a Service, one of the three cloud delivery models
ICFR: Internal Control over Financial Reporting
ISACA: formerly the Information Systems Audit and Control Association, http://www.isaca.org
ISAE 3402: International Standard on Assurance Engagements No. 3402, the auditing standard which replaced SAS 70
ISMS: Information Security Management System, standardised in ISO 27001
KPI: Key Performance Indicator
PaaS: Platform as a Service, one of the three cloud delivery models
SaaS: Software as a Service, one of the three cloud delivery models
SOC: Security Operations Centre
SOC-1 report: Report on Service Organisation Controls over ICFR (as ISAE 3402). There are also SOC-2 and SOC-3 reports, which cover the Trust Services principles (security, availability, processing integrity, confidentiality and privacy); a SOC-3 is the general-use summary of a SOC-2.
SOX: Sarbanes-Oxley Act
SSAE 16: Statement on Standards for Attestation Engagements No. 16, largely synonymous with ISAE 3402, with a focus on the USA
TAI: Trusted Agile Infrastructure, the Atos cloud platform

References

[1] Peter Mell and Timothy Grance, The NIST Definition of Cloud Computing, NIST Special Publication 800-145, http://csrc.nist.gov/publications/nistpubs/800-145/sp800-145.pdf
[2] CSA and ISACA, 2012 Cloud Computing Market Maturity Study Results, http://www.isaca.org/Knowledge-Centre/Research/ResearchDeliverables/Pages/2012-Cloud-Computing-Market-Maturity-Study-Results.aspx
[3] VCE website, http://www.vce.com
[4] VCE website, Vblock systems security and compliance, http://www.vce.com/products/auxiliaryproducts/security
[5] VCE website, Vblock solution for trusted multitenancy: Design Guide, http://www.vce.com/asset/documents/tmt-designguide.pdf
[6] Gartner Magic Quadrant for x86 Server Virtualisation Infrastructure, by Thomas J. Bittman, George J. Weiss, Mark A. Margevicius and Philip Dawson, June 11, 2012, as cited in "VMware Named a Leader in Magic Quadrant for x86 Server Virtualisation Infrastructure"
[7] VMware website, vCloud Networking and Security, http://www.vmware.com/products/datacentervirtualisation/vcloud-network-security/overview.html
[8] VMware website, VMware vCloud Director, http://www.vmware.com/products/vcloud-director/overview.html
[9] Cloud Security Alliance, Cloud Controls Matrix, v1.3 available at https://cloudsecurityalliance.org/research/ccm/

Contact

www.canopy-cloud.com
Canopy Ltd, info@canopy-cloud.com, +44 (0)20 8555 1637
4 Triton Square, Regents Place, London NW 3HG