White Paper
EMC Security Design Principles for Multi-Tenant As-a-Service Environments
• Information security in multi-tenant cloud environments
• Regulatory compliance in cloud environments
• Considerations for migrating to the cloud
EMC Solutions Group
Abstract
This white paper proposes that virtualized as-a-service environments can be
made as secure as, if not more secure than, physical environments. The paper
describes security challenges inherent in multi-tenant as-a-service
environments. Design considerations of tenants and service providers, and how
design factors are affected by information security or compliance requirements,
are discussed.
August 2012
Table of contents
Executive summary (p. 5)
    Business case (p. 5)
    Solution overview (p. 5)
    Key results/recommendations (p. 5)
Introduction (p. 6)
    Purpose (p. 6)
    Scope (p. 6)
    Audience (p. 6)
Information security versus compliance (p. 7)
    Introduction to information security versus compliance (p. 7)
        Compliance (p. 7)
        Information security (p. 7)
    Information security design principles (p. 7)
Information security in a virtualized environment (p. 8)
    Virtual versus physical environments (p. 8)
    Scale is the challenge (p. 8)
Compliance and risk in a virtualized environment (p. 9)
    Compliance (p. 9)
    Risk management (p. 9)
Moving to the cloud (p. 11)
    Information security goals (p. 11)
    Control in a cloud-based solution (p. 11)
    Multi-tenant access (p. 11)
    Information security in the cloud (p. 11)
    Private versus public cloud-based environments (p. 12)
Visibility and control in the cloud (p. 13)
    Visibility and control in the cloud (p. 13)
    Secure Content Automation Protocol (SCAP) (p. 13)
    Customer-specific visibility (p. 13)
    EMC SCAP-based solution (p. 13)
Conclusion (p. 15)
    Summary (p. 15)
    Findings (p. 15)
EMC Security Design Principles for Multi-Tenant As-a-Service Environments 3
Executive summary
Business case
Every organization is dealing with the challenges and risks inherent in moving its workloads from legacy IT environments to private cloud, and ultimately to public cloud multi-tenant as-a-service environments.
Information security is a significant challenge when moving to the cloud. Tenants and service providers need to understand and address the security implications of virtualization and multi-tenancy to ensure that their solutions comply with all relevant standards.
Solution overview
This white paper discusses the security challenges inherent in multi-tenant as-a-service environments, and focuses on the design considerations for both tenants and service providers:
• The tenant is concerned with the compliance of the as-a-service environment.
• The service provider is concerned with providing appropriate information security capabilities and the corresponding configuration, processes, and procedures.
EMC categorizes the design factors that a service provider must address as follows:
• Secure separation
• Service assurance
• Service provider in control
• Tenant in control
• Security and compliance
• Data protection
Each design factor is affected directly or indirectly by information security or
compliance requirements. Considerations include:
• The impact on separation and assurance of a virtualized environment.
• How the service provider and tenant can maintain control of the environment,
yet not violate governance requirements.
This white paper provides an overview of the security challenges, while focusing on
what information security and governance mean in these contexts.
Key results/recommendations
From an information security and compliance perspective, this white paper proposes that virtualized as-a-service environments can be as secure as, or more secure than, non-virtualized physical environments.
The information security controls required to meet the governance requirements of a
physical environment map directly to the requirements of a virtualized environment.
In addition, virtual environments can provide additional security capabilities and
features not possible or practical in a physical environment.
Introduction
Purpose
The purpose of this white paper is to discuss design considerations that take into account the information security and compliance challenges inherent in multi-tenant service provider environments.
Scope
The scope of this white paper is to provide an overview of the information security and compliance design considerations that must be investigated during an organization’s workload migration from legacy IT to public cloud environments. The white paper does not include detailed configuration recommendations.
Audience
This white paper targets technical architects who are responsible for developing and implementing their organization’s workload migration. The reader is assumed to have proficient knowledge of information security, governance, and cloud terminology.
Information security versus compliance
Introduction to information security versus compliance
One of the first challenges faced by a security professional, during a conversation about information security with a non-security professional, is to clarify the subject of the conversation. Often, security conversations are actually about compliance, or cover only one aspect of information security. Because of the frequent confusion between information security and compliance, it is important to clarify the differences between the two.
Compliance
Compliance is typically defined as “…conforming to a rule, such as a specification,
policy, standard, or law. Regulatory compliance describes the goal that corporations
or public agencies aspire to in their efforts to ensure that personnel are aware of and
take steps to comply with relevant laws and regulations.” [1]
The Payment Card Industry Data Security Standard (PCI DSS) is an example of a
regulatory specification.
Information security
Information security is defined as “…a means of protecting information and
information systems from unauthorized access, use, disclosure, disruption,
modification, perusal, inspection, recording, or destruction...This is frequently
summarized as protecting the confidentiality, integrity, and availability of
information.” [2]
Information security design principles
This white paper focuses on the information security design principles that must be considered in multi-tenant as-a-service environments so that they can be configured to be compliant with specific regulatory requirements. It provides an overview of the security capabilities and controls that you must have in your environment.
[1] Wikipedia, Regulatory compliance, as of August 8, 2012 page update
[2] Wikipedia, Information security, as of August 15, 2012 page update
Information security in a virtualized environment
Virtual versus physical environments
The question of whether or not virtualized environments can be made as secure as physical environments has been debated for years.
Historically speaking, IBM successfully passed an independent security review and
accreditation of its mainframe LPARs implementation in the 1980s. VMware® started
submitting its virtualization products for independent accreditation a decade or two
later. Despite this long history of accredited virtualized environments, there is still a
significant level of distrust and misunderstanding about information security
capabilities and controls in these environments.
This lack of confidence is indicated by the very high level of interest in the topic. A
quick web search on “virtualized environment security” returns over nine million hits
and an abundance of articles.
Scale is the challenge
The challenge of securing virtualized environments is not a new problem. What is different in today’s as-a-service and cloud-based environments is the scale of the environments that are being secured and reviewed for regulatory compliance. It is this challenge that demands new solutions to the information security issues of confidentiality, integrity, and assurance.
Therefore, the question is not whether virtualized environments can be as secure as
physical environments. The real question is how to apply the lessons learned from
securing physical environments to the much larger scale environments that underlie
public, private, and hybrid cloud offerings.
Compliance and risk in a virtualized environment
Compliance
How does an auditor validate compliance in a virtualized environment? This is a question that we hear repeatedly when talking with organizations considering migrating to cloud-based environments.
The controls that an auditor validates in a physical environment also apply to a virtual environment. Having the correct controls in place is as critical in a virtual environment as it is in a physical environment. The common set of controls that most industry and government regulations focus on includes, but is not limited to:
• Anti-virus and anti-malware
• Authentication
• Authorization
• Change control
• Identity management
• Intrusion detection
• Security incident and event monitoring (SIEM)
• Network controls and forensics
• Monitoring and management (GRC)
However, in a virtual environment, there are likely to be additional software components to which these controls must be applied. At a minimum, there will be some type of hypervisor providing abstraction of the CPU and memory of the systems. There is likely to be some network virtualization in addition to physical network devices, and there is almost certainly network and storage virtualization already present in the current legacy IT environment.
Several regulatory bodies have issued virtualization-specific recommendations. For example, PCI’s Virtualization Special Interest Group (SIG) created the information supplement PCI DSS Virtualization Guidelines. This document not only discusses the risks of virtualized environments but also provides recommendations on the impact of virtualization on compliance with PCI DSS. Note, however, that this document was only released in 2011, even though virtualization has been in use for decades.
Risk management
Information security is all about managing risks in the environment. The Certified Information Systems Auditor (CISA) Review Manual 2006 provides the following definition of risk management:
"Risk management is the process of identifying vulnerabilities and threats to the
information resources used by an organization in achieving business objectives, and
deciding what counter measures, if any, to take in reducing risk to an acceptable
level, based on the value of the information resource to the organization."
While determining and managing risk is critical to any organization’s migration to private, public, and hybrid cloud environments, decisions on when and where to move workloads to the cloud are beyond the scope of this white paper. Your organization must consider, in detail, the risks inherent in moving data into the cloud.
Moving to the cloud
Information security goals
There is no substantive difference between the information security and compliance requirements for cloud and non-cloud environments. There are, of course, some additional components in a cloud environment, but these are minor.
The information security goals are the same for cloud and non-cloud environments and for virtualized and non-virtualized environments. It is critical that organizations keep in mind that they must apply the same processes to cloud-based solutions as to other solutions. It is the “how” of information security that has changed, not the “what”.
Control in a cloud-based solution
Cloud computing removes many of the traditional, physical boundaries that help define and protect an organization’s data assets. Physical servers are replaced by virtual ones. Perimeters are established not just by firewalls, but also by the transit of virtual machines. Risk factors become more complex as the cloud introduces ever-expanding, transient chains of custody for sensitive enterprise data and applications.
As organizations migrate their IT workloads to the cloud, they effectively relinquish
some control over their information infrastructure and processes, even while they are
required to bear greater responsibility for data confidentiality and compliance. This
shift has wide-ranging implications for a broad set of corporate stakeholders,
especially leaders who are responsible for information security.
This is particularly true in a public cloud environment. Meanwhile, the trend is for
regulatory oversight and compliance requirements to become stricter and more
demanding. Therefore, it is critical that any cloud-based solution considered by your
organization includes information security and regulatory compliance requirements
from its initial conception.
Multi-tenant access
Building an environment that provides multi-tenant access is critical for any public cloud service provider offering. Multi-tenancy, in this context, means that the service provider can provide a tenant with an environment in which it appears, from the tenant’s perspective, that all resources are dedicated to that tenant. In addition, the infrastructure must ensure that no tenant can influence the behavior of another tenant’s environment in any way. This is one of the biggest differences between private and public cloud environments. However, you must consider that any virtualized environment implies a significant degree of multi-tenancy; how significant depends on the type of environment.
Information security in the cloud
As organizations begin to migrate to the cloud, there is still confusion about how best to handle information security in the cloud. In a report commissioned by RSA, “As Hyper-extended Enterprises Grow, So Do Security Risks”, two-thirds of the respondents who were running applications or business processes in the cloud admitted that they had not developed a security strategy for cloud computing. A majority of respondents were not sure how prospective cloud-computing vendors would safeguard data or how corporate security teams would meet compliance requirements for moving data into the cloud.
Private versus public cloud-based environments
The main differences between private and public cloud-based environments are:
• Automation of provisioning
• Operation
• Self-service
• Large-scale virtualization
This ability to scale out virtualized environments, either in a private or public cloud
environment, is what makes cloud different.
Information security controls must be integrated into these scaled-out architectures.
Otherwise, it is impossible to report, with any accuracy, the security position of such
an environment. Areas that a service provider must address include:
• Authentication
• Configuration and service pack management
• Data loss prevention and forensics
• Dashboard (eGRC)
• Identity and access management
• Multi-tenancy
• Network monitoring and analysis
• Security information and event logging
• Security management (dashboard)
You must place particular emphasis on security management and the eGRC
dashboard, which is used to report on the environment.
Similarly, tenants of cloud-based solutions must apply their normal information
security and risk-management policies and procedures to any cloud-based
deployment. At a minimum, they must:
• Define policies
• Evaluate cloud providers
• Require transparency and visibility into the cloud
• Maintain segregation of administrative privileges
• Manage provisioning policies (virtual machine, storage, and network)
• Encrypt and tokenize sensitive data
• Adopt federated identity management and strong authentication
Visibility and control in the cloud
Visibility and control in the cloud
In the cloud, “visibility plus control equals trust”.
The most important step that a service provider must take towards building a trusted cloud-based as-a-service solution is to provide visibility and control into its information security and compliance processes and procedures. The message that customers and potential customers convey to as-a-service providers is that visibility generates trust, and without trust the service provider will not get their business.
Similarly, the service provider must implement information security controls in its virtualized multi-tenant infrastructure to meet customer requirements. In order to gain a customer’s trust, the service provider must provide details on the how and what of its information security and compliance strategies. This does not mean that the service provider needs to publish copies of its audit monitoring procedures on its website. What it does mean is that the service provider must make available, in as close to real time as possible, the ability for a customer to view the service provider’s entire compliance configuration through a single management GUI (also known as a “single pane of glass”). If that is not possible, then service providers must share the information in other ways.
Secure Content Automation Protocol (SCAP)
The most promising solution to enable visibility into a multi-tenant as-a-service environment is a relatively new protocol called Secure Content Automation Protocol (SCAP) that was developed by the National Institute of Standards and Technology (NIST). “SCAP is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (for example, Federal Information Security Management Act (FISMA) compliance)...It combines several open standards that are used to enumerate software flaws and configuration issues related to security.” [3]
Information security practitioners are enthusiastic about open standards. SCAP uses
Common Vulnerabilities and Exposures (CVE) and Open Vulnerability and
Assessment Language (OVAL), for example.
Today, SCAP-compliant software is already available, for example VMware vCenter® Configuration Management (vCM). For more information on SCAP capabilities, see the National Vulnerability Database.
Customer-specific visibility
One challenge that SCAP does not address is how to provide customer-specific visibility into as-a-service environments. How does a service provider do the correlation (also known as a “mashup”) of all the data collected in these types of environments? Specifically, how will a specific log entry be associated with the tenants that it affects? And how will a tenant receive only the security-related information for the network switches that are used for that tenant’s data? These are important issues and concerns.
EMC SCAP-based solution
The good news is that several of the challenges in providing visibility into as-a-service environments have been solved with SCAP. One of those challenges is how to get the security configuration information to the service provider’s tenants. EMC’s Office of the CTO has been doing demos of a prototype SCAP-based solution. The idea is to use SCAP and its associated protocols to forward vulnerability-related information from the service provider’s environment to an external “air-gapped” repository that will collect the information.
[3] Wikipedia, Secure Content Automation Protocol, as of July 20, 2012 page update
Air gap is “…a security measure often taken for computers and computer networks
that must be extraordinarily secure. It consists of ensuring that a secure network is
completely physically, electrically, and electromagnetically isolated from unsecured
networks, such as the public Internet or an unsecured local area network.” [4]
Tenants subscribe to the repository and receive SCAP information applicable only to
them. The SCAP feed is then displayed in a local dashboard, which is SCAP-aware. In
this model, the customer only subscribes to those data-feeds that are relevant to
them.
In this way, a customer of a cloud-based solution can use an eGRC dashboard for
their as-a-service environment as well as their internal IT systems.
[4] Wikipedia, Air gap (networking), as of July 25, 2012 page update
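The tenant-scoped feed described above, as an added example that is not part of the EMC paper or its prototype: it parses a constructed, minimal XCCDF 1.2 result document (the SCAP results format), routes each finding to the tenants recorded for that asset in a hypothetical inventory, keeps provider-only and unknown assets out of every tenant feed, and checks the isolation property before anything is published. The asset names, tenant names and rule ids are all constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace, used by SCAP results

# Constructed inventory (hypothetical): provider assets and the tenants they serve.
# A shared switch maps to several tenants; a provider-only asset maps to none.
ASSET_TENANTS = {
    "esx-host-01": {"tenant-a"},
    "esx-host-02": {"tenant-b"},
    "core-switch-01": {"tenant-a", "tenant-b"},
    "mgmt-vcenter": set(),
}

# Constructed, minimal XCCDF result document; not output from any real scanner.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_provider">
  <TestResult id="xccdf_example_testresult_host01">
    <target>esx-host-01</target>
    <rule-result idref="xccdf_example_rule_ssh_idle_timeout"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_ntp_configured"><result>pass</result></rule-result>
  </TestResult>
  <TestResult id="xccdf_example_testresult_host02">
    <target>esx-host-02</target>
    <rule-result idref="xccdf_example_rule_ssh_idle_timeout"><result>pass</result></rule-result>
  </TestResult>
  <TestResult id="xccdf_example_testresult_switch01">
    <target>core-switch-01</target>
    <rule-result idref="xccdf_example_rule_snmp_v3_only"><result>fail</result></rule-result>
  </TestResult>
  <TestResult id="xccdf_example_testresult_vcenter">
    <target>mgmt-vcenter</target>
    <rule-result idref="xccdf_example_rule_admin_mfa"><result>fail</result></rule-result>
  </TestResult>
  <TestResult id="xccdf_example_testresult_unknown">
    <target>rogue-host-99</target>
    <rule-result idref="xccdf_example_rule_ntp_configured"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""


def parse_xccdf_results(xml_text):
    """Flatten every XCCDF TestResult into {target, rule, result} records."""
    findings = []
    for test_result in ET.fromstring(xml_text).iter(NS + "TestResult"):
        target = test_result.findtext(NS + "target")
        for rule_result in test_result.iter(NS + "rule-result"):
            findings.append({"target": target, "rule": rule_result.get("idref"),
                             "result": rule_result.findtext(NS + "result")})
    return findings


def build_tenant_feeds(findings, asset_tenants):
    """Split provider-wide findings into per-tenant feeds.

    A shared asset's finding is copied to every tenant it serves, without naming the
    others; assets with no mapping (provider-only or unknown) go to no tenant feed.
    """
    feeds, unrouted = defaultdict(list), []
    for finding in findings:
        tenants = asset_tenants.get(finding["target"], set())
        if not tenants:  # fail closed: an unregistered host must not leak to all tenants
            unrouted.append(finding)
            continue
        for tenant in tenants:
            feeds[tenant].append(dict(finding))
    return dict(feeds), unrouted


def isolation_holds(feeds, asset_tenants):
    """True when no tenant feed holds a finding for an asset that tenant does not use."""
    return all(tenant in asset_tenants.get(f["target"], set())
               for tenant, records in feeds.items() for f in records)


def failing_rules(feed):
    """Rule ids a tenant's SCAP-aware dashboard would flag as non-compliant."""
    return sorted(f["rule"] for f in feed if f["result"] == "fail")


if __name__ == "__main__":
    feeds, unrouted = build_tenant_feeds(parse_xccdf_results(SAMPLE_RESULTS), ASSET_TENANTS)
    print("isolation holds:", isolation_holds(feeds, ASSET_TENANTS))
    for tenant in sorted(feeds):
        print(tenant, failing_rules(feeds[tenant]))
    print("kept on the provider side:", sorted(f["target"] for f in unrouted))
```

The per-tenant lists are what a provider would push to the subscription repository; the provider-side `unrouted` records are exactly the findings that must never cross into a tenant feed.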
Conclusion
Summary
The goal of this paper is to show that the information security and compliance challenges of multi-tenant as-a-service environments are largely the same as those for physical environments and can be successfully addressed. The controls that must be put in place are the same in both environments and include:
• Anti-virus and anti-malware
• Authentication
• Authorization
• Change control
• Identity management
• Intrusion detection
• Security incident and event monitoring (SIEM)
• Network controls and forensics
• Monitoring and management (GRC)
The key element to consider is the equation “visibility plus control equals trust”: how the service provider will provide that and how the tenant will consume it.
Findings
This white paper highlights two solutions that enable visibility into multi-tenant as-a-service environments:
• SCAP solution
The most promising solution is the protocol Secure Content Automation
Protocol (SCAP), which was developed by the National Institute of Standards
and Technology (NIST). However, SCAP by itself does not address the problem
of how to provide customer-specific visibility into as-a-service environments.
• EMC SCAP-based solution
EMC’s prototype solution solves the customer-specific visibility problem. The
solution uses SCAP and its associated protocols to forward vulnerability-related
information from the service provider’s environment to an external air-gapped
repository that collects the information. Tenants subscribe to the repository
and receive SCAP information applicable only to them.
References
White papers
For more information, see the following white papers:
• Design Principles and Considerations for Configuring VMware vShield in Service
Provider Environments
• EMC Compute-as-a-service - Design Principles and Considerations for
Deployment
Other documentation
For more information, see the following documentation:
• Information Supplement: PCI DSS Virtualization Guidelines by the Virtualization
Special Interest Group PCI Security Standards Council, Version 2.0, June 2011
• RSA Security Brief: Identity & Data Protection in the Cloud, November 2009
• On the Security of Cloud Storage Services, Fraunhofer Institute for Secure
Information Technology, Moritz Borgmann, et al, March 2012
• Governance of Enterprise Security - CyLab 2012 Report: How Boards and Senior
Executives are Managing Cyber Risks, Carnegie Mellon University, May 16,
2012
• Design Guide: Vblock Solutions for Trusted Multi-Tenancy, VCE, February 2012