Thursday, November 24, 2011

Cloud And Security and Enterprise

As the story goes, first there was the mainframe, then the server, and then came the public cloud. The major concerns about the public cloud are multi-tenancy of the hardware, sensitive data sitting in an external environment beyond corporate reach, and so on. Then came the private cloud, but it is too costly, and the data might still reside in some foreign environment.
So companies have been trying very hard to focus on the security aspects of cloud deployment, and security is being worked on at several different layers.
Security is being considered at the hypervisor level, the VM level, the inter-VM level, the network level and so on. One thing that always lingers and does not go away is data protection. Most service providers, and most enterprises, do not do storage encryption because of the performance overhead. Some have suggested using OS-level file encryption instead, but that is still exposed to attacks on the OS and to administrator access. So what does that leave us with? We need a solution that prevents the encryption mechanism from breaking down at the OS and file level.
For that there is a new kind of solution that acts as an intermediate layer between the VM and the underlying hardware. It encapsulates the VM, if I may put it that way, so that the service provider does not see the details of the VM and cannot make anything useful out of the hosted data. For this to work, the proposed solution and the service provider's cloud must work hand in hand, via an API for example.
So now everything seems fine, since we are able to protect all data in every way we can. However, one factor to consider is the additional 'power' this gives the customer to 'encapsulate' all data and VMs away from the provider. With this reduction in the provider's 'power', the service provider may have limited visibility and capability to monitor and manage the customer environment. Not a show stopper, just a matter of what a customer wants and needs at the end of the day.

Network and Appliance Audit for PCI DSS

Probably more than half of the PCI DSS controls are applicable to network devices and appliances.
What traditionally applies to systems also applies to network devices and appliances.
Key network components that need to be audited include the network perimeter protections, e.g. firewalls, ACLs, VLANs, routing and IDS.
The challenges faced while doing such an audit are as follows:
- Diverse hardware platforms make it difficult for a single person to understand or grasp the different commands and syntax.
- All network devices perform and behave differently depending on their function, e.g. routing, switching, firewalling, IDS monitoring, etc.
- Management of network devices typically goes through one or more intermediate management consoles, which makes it difficult to track the communication between the end user and the end device. For example, Check Point firewalls have an agent on the end user's desktop that connects to a management console; the management console then connects to the firewall. In between there are several protocols in use and also a couple of different authentication mechanisms, e.g. local and/or RADIUS.
- Because of the variety of devices, a single standard hardening guideline is not possible, or at least there is no widely accepted one. Some guidelines are too brief, while others are so comprehensive that they cover every possible scenario, relevant to the environment or not. However, the guidelines from NIST and the NSA provide a good starting point for routers and switches.

TOGAF Summary Cheatsheet for Exam

TOGAF is a framework (not an architecture) for creating an Enterprise Architecture.

TOGAF consists of the ADM, Guidelines and Techniques, Reference Models, the Enterprise Continuum, the Architecture Capability Framework and the Architecture Content Framework.

The ADM has eight phases:
- Preliminary (IT/technology/architecture governance, e.g. COBIT for IT)
The Architecture Content Framework defines the building blocks (ABBs, Architecture Building Blocks, and SBBs, Solution Building Blocks).

Guidelines refer to the ways of applying iteration to the ADM; techniques include architecture principles, stakeholder management, business scenarios, gap analysis, migration planning, risk management, capability-based planning and business transformation readiness assessment.


Components: the Enterprise Continuum and the Architecture Repository.
The Enterprise Continuum in turn contains the Architecture Continuum and the Solutions Continuum (Foundation, Common Systems, Industry, Organization-specific), ordered from generic to specific.

The Architecture Repository contains the Architecture Metamodel, the Architecture Landscape, the Reference Library, the Standards Information Base (SIB), the Governance Log and the Architecture Capability.


The Architecture Continuum in turn contains FS and CS.


There are two reference models: the TRM and the III-RM.

The document from the sponsoring committee that initiates the ADM is the Request for Architecture Work.

PCI and Remediation tools

As we all know, PCI DSS has easily more than 200 controls, which is more than enough requirements for any CISO or security manager to handle. There are plenty of documents on the internet talking about the controls, but what I would like to discuss is the remediation portion. The reason is that this has been the focus of my professional work, and there does not seem to be much comprehensive or detailed information on the factors to consider when choosing a tool, or on which tools are available.

As there is really a lot to cover, as mentioned earlier, I will try to come up with something and progressively update it when time permits, based on what I gather in my work.

Now, first, let's look at the key requirements, challenges and tools.

Focus area: Network security and segmentation
What is required: Ensure firewall rules restrict traffic between the different zones, e.g. Internet to DMZ only.
Challenges: There are hundreds of lines of rules, and also different types of hardware such as Check Point, Cisco and Juniper.
What to consider in a tool: A tool that can analyze the rules for the different hardware and, most importantly, generate reports against PCI DSS. One such tool is FireMon.
What you need on top of the tools: The tools on the market help to a certain extent by showing the rules in a more readable format and highlighting the critical subnets in the CDE. But every network is different, so you still need human intervention and knowledge to analyze the rules. Of course, the tool will still save hours of work.
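The kind of analysis a rule-review tool automates, as an added example (this is not FireMon output or any vendor's rule format). It also addresses the multi-vendor syntax problem from the network audit post above: rules exported from Check Point, Cisco or Juniper are first normalised into vendor-neutral tuples, and the review then runs on those. The zones, addresses, rules and the segmentation policy (Internet may only reach the DMZ; only the internal network may reach the CDE) are all constructed for this demonstration.

```python
"""Zone-based firewall rule review.

Added example, not FireMon output or any vendor's format. Rules exported
from different firewalls are first normalised into the vendor-neutral
tuples below; zones, addresses and rules are constructed for the demo.
"""
import ipaddress

# Constructed zone map (hypothetical address ranges).
ZONES = {
    "DMZ": [ipaddress.ip_network("192.0.2.0/24")],
    "CDE": [ipaddress.ip_network("10.10.0.0/16")],
    "INTERNAL": [ipaddress.ip_network("10.20.0.0/16")],
}

# Constructed rule set as (rule_id, action, source, destination, service).
RULES = [
    ("1", "permit", "any", "192.0.2.10/32", "tcp/443"),        # Internet -> DMZ web server: fine
    ("2", "permit", "any", "10.10.5.20/32", "tcp/1433"),       # Internet -> CDE database
    ("3", "permit", "10.20.0.0/16", "10.10.0.0/16", "tcp/22"),  # internal admins -> CDE: fine
    ("4", "permit", "any", "any", "any"),                      # catch-all permit
    ("5", "deny", "any", "any", "any"),                        # cleanup rule
]


def zones_matched(addr_spec):
    """Return the set of zones an address specification can cover.

    'any' (or 0.0.0.0/0) covers every zone plus the Internet; an address that
    overlaps no defined zone is treated as Internet, i.e. untrusted.
    """
    if addr_spec in ("any", "0.0.0.0/0"):
        return set(ZONES) | {"INTERNET"}
    net = ipaddress.ip_network(addr_spec, strict=False)
    matched = {zone for zone, nets in ZONES.items() if any(net.overlaps(n) for n in nets)}
    return matched or {"INTERNET"}


def review_rules(rules):
    """Return findings (rule_id, check, offending_zones) for permit rules that
    break the assumed policy: Internet may only reach the DMZ, and only
    INTERNAL (or the CDE itself) may reach the CDE."""
    findings = []
    for rule_id, action, src, dst, service in rules:
        if action != "permit":
            continue
        src_zones, dst_zones = zones_matched(src), zones_matched(dst)
        beyond_dmz = dst_zones - {"DMZ", "INTERNET"}
        if "INTERNET" in src_zones and beyond_dmz:
            findings.append((rule_id, "internet-to-non-dmz", sorted(beyond_dmz)))
        untrusted_src = src_zones - {"INTERNAL", "CDE"}
        if "CDE" in dst_zones and untrusted_src:
            findings.append((rule_id, "untrusted-to-cde", sorted(untrusted_src)))
        if (src, dst, service) == ("any", "any", "any"):
            findings.append((rule_id, "permit-any-any", []))
    return findings


if __name__ == "__main__":
    for rule_id, check, zones in review_rules(RULES):
        print(f"rule {rule_id}: {check} {', '.join(zones)}")
```

Rule 1 passes because its destination lies entirely in the DMZ, rule 3 passes because its source is the internal network, and rules 2 and 4 are the ones the auditor needs to look at. The human judgement the post mentions still comes in when deciding the zone map and the allowed pairs; the script only makes a large rule base reviewable.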



Focus area: Encryption of data at rest
What is required: Any data that contains credit card information (the 16-digit card number) has to be encrypted when stored.
Challenges:
1) Encryption typically means overhead and loss of data format (important in a database).
2) Many enterprises still use legacy systems, e.g. mainframe, AS/400 and HP NonStop.
3) Hiding data can be done in different ways, e.g. encryption, tokenization, masking, etc.
What to consider in a tool: What type of protection mechanism is used, e.g. encryption (with an HSM, for example) or tokenization.
What is needed on top of tools:
The technology is there, but professional help is needed to determine what data should be encrypted (this should be done by looking at the process and the transaction, not by looking at files first) and
which method should be used (which encryption method is better).
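Why tokenization is attractive for the "loss of data format" and legacy-system challenges above, as an added example (not any tokenization product's implementation): the token keeps the 16-digit shape, passes the Luhn check and preserves the last four digits, so an existing database column or AS/400 program keeps working, while the real PAN exists only in the vault. The masking function covers the third option listed. The `DETOKENIZE_ROLES` allowlist is a hypothetical access rule, and the sample PAN is the public test number 4111111111111111, not real cardholder data.

```python
"""Format-preserving tokenization with a vault.

Added example, not a product's implementation. Tokens keep the 16-digit shape
and the last four digits; the vault (token -> PAN) is the only place the real
number lives and belongs inside the CDE. Sample PAN is a public test number.
"""
import secrets


def luhn_checksum(digits):
    """Luhn sum of a digit string, modulo 10 (0 means valid)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(digits):
    return digits.isdigit() and luhn_checksum(digits) == 0


def mask_pan(pan):
    """Masking: show only the last four digits, e.g. on receipts and screens."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Maps PANs to random, Luhn-valid, format-preserving tokens."""

    # Hypothetical roles allowed to recover the real PAN from a token.
    DETOKENIZE_ROLES = {"settlement-batch", "chargeback-desk"}

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    @staticmethod
    def _random_token(last4):
        # 11 random digits, one digit chosen so the whole 16-digit token passes
        # the Luhn check, then the preserved last four digits.
        body = "".join(str(secrets.randbelow(10)) for _ in range(11))
        # Position 11 (0-based from the left) is 4 from the right, so it is not
        # doubled and contributes its value directly to the Luhn sum.
        fix = (10 - luhn_checksum(body + "0" + last4)) % 10
        return body + str(fix) + last4

    def tokenize(self, pan):
        if len(pan) != 16 or not luhn_valid(pan):
            raise ValueError("expected a 16-digit Luhn-valid PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]          # same PAN -> same token
        while True:
            token = self._random_token(pan[-4:])
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token, role):
        """Only allow-listed roles may turn a token back into the PAN."""
        if role not in self.DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._token_to_pan[token]


def demo(pan="4111111111111111"):
    """Tokenize the public test PAN and report the properties of the token."""
    vault = TokenVault()
    token = vault.tokenize(pan)
    return {
        "token": token,
        "same_token_again": vault.tokenize(pan) == token,
        "format_preserved": (len(token) == 16 and token.isdigit()
                             and luhn_valid(token) and token[-4:] == pan[-4:]
                             and token != pan),
        "masked": mask_pan(pan),
        "recovered": vault.detokenize(token, "settlement-batch"),
    }


if __name__ == "__main__":
    print(demo())
```

Contrast this with plain encryption: an AES ciphertext of the same number is 16 or more bytes of binary, so the column type, length checks and any report that looks at the last four digits all have to change. That is the format problem the post describes, and it is the reason tokenization is often chosen for legacy environments. The trade-off is that the vault becomes the crown jewel and needs the strongest controls in the environment.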

Focus area: Activity monitoring and audit trail
What is required: User activities in the OS, applications and databases have to be monitored.
Challenges: Too much monitoring results in data overload and CPU overhead.
What to consider in a tool: Ensure the overhead introduced by the monitoring solution does not impact performance (especially for databases). Different tools have different ways of dealing (or not dealing) with it. Some of the tools include OSSEC and Tripwire.
What is needed on top of tools: Professional help is needed to ensure that only the correct and necessary information is logged, to avoid an overwhelming amount of data while still gathering sufficient information for audit trail purposes.

Focus area: Access control
What is required: Ensure that access to systems and network devices is secured and restricted in terms of privilege.
Challenges: OS access control is nothing new to most of us (provided it is an open system), but what is new and unfamiliar is access control in applications, network devices and, of course, the fearful threesome of AS/400, IBM mainframe and HP NonStop.
What to look for in a tool: There is probably no single solution for this; in general the idea is to combine solutions from different vendors. For network devices you might consider RAT (the CIS Router Audit Tool) and refer to the NIST guideline. For applications you will probably need to work with the developers. For the legacy systems, which solution to deploy will depend on the environment.
What is needed on top of tools: The key factor here is knowledge and understanding of the tools available, their capabilities and their supported platforms.


Focus area: Log consolidation
What is required: A centralized log that captures the information from the different end devices and systems for audit trail purposes.
Challenges: Overwhelming data (see the previous point) and lack of review. Changes to the logs must be prevented, since they would cause a data integrity issue.
What to look for in a tool: The solution should scale in terms of storage and have the capability to do automated review and alerting. It must also be tamper-proof. One such tool is Splunk.
What is needed on top of tools: Similar to the previous item above.
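What "tamper-proof" means for a central log, and how the "log only what is necessary" point from the activity monitoring section can be enforced at ingestion, as one added example covering both focus areas (this is not Splunk, OSSEC or Tripwire code). Each stored entry carries its sequence number, the MAC of the previous entry and an HMAC over all of that under a key only the log server holds, so editing, reordering or deleting an entry breaks the chain; cutting entries off the tail is caught by comparing the newest MAC with an anchor stored outside the log server's reach. The `AUDIT_RELEVANT` allowlist, the key and the OS/application/database events are all constructed for the demo.

```python
"""Tamper-evident central audit log with an ingestion filter.

Added example, not Splunk/OSSEC/Tripwire code. Entries are HMAC-chained with a
key only the log server holds; the allowlist, key and events are constructed.
"""
import copy
import hashlib
import hmac
import json

# Actions worth keeping for the audit trail (hypothetical list); everything
# else is dropped at ingestion to avoid data overload.
AUDIT_RELEVANT = {"login", "login_failed", "privilege_change", "table_read", "config_change"}
GENESIS = "0" * 64

# Constructed events from the OS, the database and an application.
SAMPLE_EVENTS = [
    {"src": "os", "host": "db01", "user": "alice", "action": "login"},
    {"src": "os", "host": "db01", "user": "alice", "action": "cd"},          # noise: dropped
    {"src": "db", "host": "db01", "user": "app_svc", "action": "table_read", "object": "cardholder"},
    {"src": "app", "host": "web01", "user": "bob", "action": "login_failed"},
    {"src": "os", "host": "db01", "user": "alice", "action": "privilege_change", "detail": "added to group dba"},
]


class AuditLog:
    def __init__(self, key):
        self._key = key
        self.entries = []

    def _mac(self, body):
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, event):
        """Store an event if it is audit-relevant; return True if it was stored."""
        if event.get("action") not in AUDIT_RELEVANT:
            return False
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, "event": event}
        self.entries.append({**body, "mac": self._mac(body)})
        return True

    def head(self):
        """MAC of the newest entry; keep it somewhere the log server cannot write."""
        return self.entries[-1]["mac"] if self.entries else GENESIS

    def verify(self, anchor=None):
        """Return None if intact, else the index of the first bad entry
        (len(entries) when the tail was cut off relative to the anchor)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {"seq": entry["seq"], "prev": entry["prev"], "event": entry["event"]}
            if (entry["seq"] != i or entry["prev"] != prev
                    or not hmac.compare_digest(self._mac(body), entry["mac"])):
                return i
            prev = entry["mac"]
        if anchor is not None and not hmac.compare_digest(prev, anchor):
            return len(self.entries)
        return None


def demo(key=b"constructed-demo-key"):
    """Ingest the sample events and show which kinds of tampering the chain catches."""
    log = AuditLog(key)
    stored = [log.append(e) for e in SAMPLE_EVENTS]
    anchor = log.head()
    edited = copy.deepcopy(log)
    edited.entries[2]["event"]["user"] = "mallory"     # rewrite who failed to log in
    removed = copy.deepcopy(log)
    del removed.entries[1]                             # drop the cardholder table read
    truncated = copy.deepcopy(log)
    truncated.entries.pop()                            # cut the privilege change off the end
    return {
        "stored": stored,
        "intact": log.verify(anchor),
        "edited": edited.verify(anchor),
        "removed": removed.verify(anchor),
        "truncated_without_anchor": truncated.verify(),
        "truncated_with_anchor": truncated.verify(anchor),
    }


if __name__ == "__main__":
    print(demo())
```

The last two results are the point worth remembering when evaluating a product: a hash chain on its own cannot tell that the newest entries were deleted, so the tool (or the operations procedure around it) must periodically export the chain head to write-once storage or a separate system, which is what the anchor stands in for here.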