White Paper




EMC SECURITY DESIGN PRINCIPLES FOR
MULTI-TENANT AS-A-SERVICE
ENVIRONMENTS
   • Information security in multi-tenant cloud environments
   • Regulatory compliance in cloud environments
   • Considerations for migrating to the cloud




                  EMC Solutions Group

                  Abstract
                  This white paper proposes that virtualized as-a-service environments can be
                  made as secure as, if not more secure than, physical environments. The paper
                  describes security challenges inherent in multi-tenant as-a-service
                  environments. Design considerations of tenants and service providers, and how
                  design factors are affected by information security or compliance requirements,
                  are discussed.



                  August 2012
Copyright © 2012 EMC Corporation. All Rights Reserved.

EMC believes the information in this publication is accurate as of its
publication date. The information is subject to change without notice.

The information in this publication is provided “as is.” EMC Corporation makes
no representations or warranties of any kind with respect to the information in
this publication, and specifically disclaims implied warranties of
merchantability or fitness for a particular purpose.

Use, copying, and distribution of any EMC software described in this
publication requires an applicable software license.

For the most up-to-date listing of EMC product names, see EMC Corporation
Trademarks on EMC.com.

VMware and VMware vCenter are registered trademarks or trademarks of
VMware, Inc. in the United States and/or other jurisdictions. All other
trademarks used herein are the property of their respective owners.

Part Number: H10814




    EMC Security Design Principles for Multi-Tenant As-a-Service Environments     2
Table of contents
  Executive summary
     Business case
     Solution overview
     Key results/recommendations

  Introduction
     Purpose
     Scope
     Audience

  Information security versus compliance
     Introduction to information security versus compliance
        Compliance
        Information security
     Information security design principles

  Information security in a virtualized environment
     Virtual versus physical environments
     Scale is the challenge

  Compliance and risk in a virtualized environment
     Compliance
     Risk management

  Moving to the cloud
     Information security goals
     Control in a cloud-based solution
     Multi-tenant access
     Information security in the cloud
     Private versus Public cloud-based environments

  Visibility and control in the cloud
     Visibility and control in the cloud
     Secure Content Automation Protocol (SCAP)
     Customer-specific visibility
     EMC SCAP-based solution

  Conclusion
     Summary
     Findings

  References
     White papers
     Other documentation




Executive summary
Business case
                    Every organization is dealing with the challenges and risks inherent in moving their
                    workloads from legacy IT environments to private cloud, and ultimately to public
                    cloud multi-tenant as-a-service environments.

                    Information security is a significant challenge when moving to the cloud. Tenants and
                    service providers need to understand and address the security implications of
                    virtualization and multi-tenancy to ensure that their solutions comply with all relevant
                    standards.

Solution overview
                    This white paper discusses the security challenges inherent in multi-tenant
                    as-a-service environments, and focuses on the design considerations for both tenants and
                    service providers:

                      •   The tenant is concerned with the compliance of the as-a-service environment.
                      •   The service provider is concerned with providing appropriate information
                          security capabilities and the corresponding configuration, processes, and
                          procedures.

                    EMC categorizes the design factors that a service provider must address as follows:

                      •   Secure separation
                      •   Service assurance
                      •   Service provider in control
                      •   Tenant in control
                      •   Security and compliance
                      •   Data protection

                    Each design factor is affected directly or indirectly by information security or
                    compliance requirements. Considerations include:
                      •   The impact on separation and assurance of a virtualized environment.
                      •   How the service provider and tenant can maintain control of the environment,
                          yet not violate governance requirements.

                    This white paper provides an overview of the security challenges, while focusing on
                    what information security and governance mean in these contexts.

Key results/recommendations
                    From an information security and compliance perspective, this white paper proposes
                    that virtualized as-a-service environments can be as secure as, or more secure than,
                    non-virtualized physical environments.

                    The information security controls required to meet the governance requirements of a
                    physical environment map directly to the requirements of a virtualized environment.
                    In addition, virtual environments can provide additional security capabilities and
                    features not possible or practical in a physical environment.



Introduction
Purpose
               The purpose of this white paper is to discuss design considerations that take into
               account the information security and compliance challenges inherent in multi-tenant
               service provider environments.

Scope
               The scope of this white paper is to provide an overview of the information security
               and compliance design considerations that must be investigated during an
               organization’s workload migration from legacy IT to public cloud environments.

               The white paper does not include detailed configuration recommendations.

Audience
               This white paper targets technical architects who are responsible for developing and
               implementing their organization’s workload migration. Readers are assumed to be
               proficient in information security, governance, and cloud terminology.




Information security versus compliance
Introduction to information security versus compliance
                  One of the first challenges faced by a security professional, during a conversation
                  about information security with a non-security professional, is to clarify the subject of
                  the conversation. Often, security conversations are about compliance or cover only
                  one aspect of information security. Due to the frequent misunderstandings about
                  information security and compliance, it is important to clarify the differences between
                  the two.

                  Compliance
                  Compliance is typically defined as “…conforming to a rule, such as a specification,
                  policy, standard, or law. Regulatory compliance describes the goal that corporations
                  or public agencies aspire to in their efforts to ensure that personnel are aware of and
                  take steps to comply with relevant laws and regulations.” 1

                  The Payment Card Industry Data Security Standard (PCI DSS) is an example of a
                  regulatory specification.

                  Information security
                  Information security is defined as “…a means of protecting information and
                  information systems from unauthorized access, use, disclosure, disruption,
                  modification, perusal, inspection, recording, or destruction...This is frequently
                  summarized as protecting the confidentiality, integrity, and availability of
                  information.” 2

Information security design principles
                  This white paper focuses on the information security design principles that must be
                  considered in multi-tenant as-a-service environments so that they can be configured
                  to be compliant with specific regulatory requirements. We provide you with an
                  overview of the security capabilities and controls that you must have in your
                  environment.




                  1 Wikipedia, Regulatory compliance, as of August 8, 2012 page update
                  2 Wikipedia, Information security, as of August 15, 2012 page update


Information security in a virtualized environment
Virtual versus physical environments
                 The question of whether virtualized environments can be made as secure as
                 physical environments has been debated for years.
                 Historically speaking, IBM successfully passed an independent security review and
                 accreditation of its mainframe LPARs implementation in the 1980s. VMware® started
                 submitting its virtualization products for independent accreditation a decade or two
                 later. Despite this long history of accredited virtualized environments, there is still a
                 significant level of distrust and misunderstanding about information security
                 capabilities and controls in these environments.

                 This lack of confidence is indicated by the very high level of interest in the topic. A
                 quick web search on “virtualized environment security” returns over nine million hits
                 and an abundance of articles.

Scale is the challenge
                 The challenge of securing virtualized environments is not a new problem. What is
                 different in today’s as-a-service and cloud-based environments is the scale of the
                 environments that are being secured and reviewed for regulatory compliance. This
                 challenge is the one that demands new solutions to the information security issues of
                 confidentiality, integrity, and assurance.

                 Therefore, the question is not whether virtualized environments can be as secure as
                 physical environments. The real question is how to apply the lessons learned from
                 securing physical environments to the much larger scale environments that underlie
                 public, private, and hybrid cloud offerings.




Compliance and risk in a virtualized environment
Compliance
                  How does an auditor validate compliance in a virtualized environment? This is a
                  question that we hear repeatedly when talking with organizations considering
                  migrating to cloud-based environments.

                  The controls that an auditor validates in a physical environment also apply to a virtual
                  environment. Having the correct controls in place is as critical in a virtual environment
                  as it is in a physical environment. The common set of controls most industry and
                  government regulations focus on includes, but is not limited to:
                    •   Anti-virus and anti-malware
                    •   Authentication
                    •   Authorization
                    •   Change control
                    •   Identity management
                    •   Intrusion detection
                    •   Security incident and event monitoring (SIEM)
                    •   Network controls and forensics
                    •   Monitoring and management (GRC)

                  However, in a virtual environment, there are likely to be additional software
                  components to which these controls must be applied. At a minimum, there will be
                  some type of hypervisor providing abstraction to CPU and memory of the systems.
                  There is likely to be some network virtualization in addition to physical network
                  devices. There is almost certainly network and storage virtualization present in the
                  current legacy IT environment.

                  Several regulatory bodies have issued virtualization-specific recommendations. For
                  example, PCI’s Virtualization Special Interest Group (SIG) created the information
                  supplement: PCI DSS Virtualization Guidelines. This document discusses not only the
                  risks of virtualized environments but also provides recommendations on the impact
                  of virtualization on compliance with PCI DSS. However, this document was released in
                  2011, though virtualization has been in use for decades.

Risk management
                  Information security is all about managing risks in the environment. The Certified
                  Information Systems Auditor (CISA) Review Manual 2006 provides the following
                  definition of risk management:

                  "Risk management is the process of identifying vulnerabilities and threats to the
                  information resources used by an organization in achieving business objectives, and
                  deciding what counter measures, if any, to take in reducing risk to an acceptable
                  level, based on the value of the information resource to the organization."




While determining and managing risk is critical to any organization’s migration to
private, public, and hybrid cloud environments, any decisions on when and where to
move workloads to the cloud are beyond the scope of this white paper. Your
organization must consider, in detail, the risks inherent in moving data into the
cloud.




Moving to the cloud
Information security goals
                      There is no substantive difference between the information security and compliance
                      requirements for cloud and non-cloud environments. There are, of course, some
                      additional components in a cloud environment, but these are minor.

                      The information security goals are the same for cloud and non-cloud environments
                      and for virtualized and non-virtualized environments. It is critical that organizations
                      keep in mind that they must apply the same processes to cloud-based solutions as to
                      other solutions. It is the “how” of information security that has changed and not the
                      “what” that has changed.

Control in a cloud-based solution
                      Cloud computing removes many of the traditional, physical boundaries that help
                      define and protect an organization’s data assets. Physical servers are replaced by
                      virtual ones. Perimeters are established not just by firewalls, but also by the transit of
                      virtual machines. Risk factors become more complex as the cloud introduces ever-
                      expanding, transient chains of custody for sensitive enterprise data and applications.

                      As organizations migrate their IT workloads to the cloud, they effectively relinquish
                      some control over their information infrastructure and processes, even while they are
                      required to bear greater responsibility for data confidentiality and compliance. This
                      shift has wide-ranging implications for a broad set of corporate stakeholders,
                      especially leaders who are responsible for information security.

                      This is particularly true in a public cloud environment. Meanwhile, the trend is for
                      regulatory oversight and compliance requirements to become stricter and more
                      demanding. Therefore, it is critical that any cloud-based solution considered by your
                      organization includes information security and regulatory compliance requirements
                      from its initial conception.

Multi-tenant access
                      Building an environment that provides multi-tenant access is critical for any public
                      cloud service provider offering. Multi-tenancy, in this context, means that the service
                      provider can provide a tenant with an environment in which it appears, from the
                      tenant’s perspective, that all resources are dedicated to that tenant. In addition, the
                      infrastructure must ensure that no tenant can influence the behavior of another
                      tenant’s environment in any way. This is one of the biggest differences between
                      private and public cloud environments. However, you must consider that in any
                      virtualized environment, there is a significant degree of multi-tenancy implied.
                      Depending on the type of environment, multi-tenancy may be significant.

Information security in the cloud
                      As organizations begin to migrate to the cloud, there is still confusion about how best
                      to handle information security in the cloud. In a report commissioned by RSA, As
                      Hyper-extended Enterprises Grow, So Do Security Risks, two-thirds of the
                      respondents, who are running applications or business processes in the cloud,
                      admitted that they had not developed a security strategy for cloud computing. A
                      majority of respondents were not sure how prospective cloud-computing vendors
                      would safeguard data or how corporate security teams would meet compliance
                      requirements for moving data into the cloud.




Private versus Public cloud-based environments
                    The main differences between private and public cloud-based environments are:

                      •   Automation of provisioning
                      •   Operation
                      •   Self-service
                      •   Large-scale virtualization

                    This ability to scale out virtualized environments, either in a private or public cloud
                    environment, is what makes cloud different.

                    Information security controls must be integrated into these scaled-out architectures.
                    Otherwise, it is impossible to report, with any accuracy, the security position of such
                    an environment. Areas that a service provider must address include:

                      •   Authentication
                      •   Configuration and service pack management
                      •   Data loss prevention and forensics
                      •   Dashboard (eGRC)
                      •   Identity and access management
                      •   Multi-tenancy
                      •   Network monitoring and analysis
                      •   Security information and event logging
                      •   Security management (dashboard)

                    You must place particular emphasis on security management and the eGRC
                    dashboard, which is used to report on the environment.

                    Similarly, tenants of cloud-based solutions must apply their normal information
                    security and risk-management policies and procedures to any cloud-based
                    deployment. At a minimum, they must:
                      •   Define policies
                      •   Evaluate cloud providers
                      •   Require transparency and visibility into the cloud
                      •   Maintain segregation of administrative privileges
                      •   Manage provisioning policies (virtual machine, storage, and network)
                      •   Encrypt and tokenize sensitive data
                      •   Adopt federated identity management and strong authentication




Visibility and control in the cloud
Visibility and control in the cloud
                    In the cloud, “visibility plus control equals trust”.

                    The most important step that a service provider must take towards building a trusted
                    cloud-based as-a-service solution is to provide visibility and control into its
                    information security and compliance processes and procedures. The message
                    customers and potential customers convey to as-a-service providers is that visibility
                    generates trust and without trust the service provider will not get their business.

                    Similarly, the service provider must implement information security controls in their
                    virtualized multi-tenant infrastructure to meet customer requirements. In order for the
                    service provider to gain a customer’s trust, the service provider must provide details
                    on the how and what of their information security and compliance strategies. This
                    does not mean that the service provider needs to provide copies of their audit
                    monitoring procedures on their website. What it does mean is that the service
                    provider must make available, in as close to real-time as possible, the ability for a
                    customer to view the service provider’s entire compliance configuration through a
                    single management GUI (also known as a “single-pane-of-glass”). If that is not
                    possible, then service providers must share information in other ways.

Secure Content Automation Protocol (SCAP)
                    The most promising solution to enable visibility into a multi-tenant as-a-service
                    environment is a relatively new protocol called Secure Content Automation Protocol
                    (SCAP) that was developed by the National Institute of Standards and Technology
                    (NIST). “SCAP is a method for using specific standards to enable automated
                    vulnerability management, measurement, and policy compliance evaluation (for
                    example, Federal Information Security Management Act (FISMA) compliance)...It
                    combines several open standards that are used to enumerate software flaws and
                    configuration issues related to security.” 3

                    Information security practitioners are enthusiastic about open standards. SCAP uses
                    Common Vulnerabilities and Exposures (CVE) and Open Vulnerability and
                    Assessment Language (OVAL), for example.

                    Today, SCAP-compliant software is already available, for example, VMware vCenter®
                    Configuration Management (vCM). For more information on SCAP capabilities, see the
                    National Vulnerability Database.

Customer-specific visibility
                    One challenge that SCAP does not address is how to provide customer-specific
                    visibility into as-a-service environments. How does a service provider do the
                    correlation (also known as “mashup”) of all the data collected in these types of
                    environments? Specifically, how will a specific log entry be associated with the
                    tenants that it affects? And how will a tenant receive only the security-related
                    information for the network switches that are used for that tenant’s data? These are
                    important issues and concerns.

EMC SCAP-based solution
                    The good news is that several of the challenges in providing visibility into as-a-service
                    environments have been solved with SCAP. One of those challenges is how to get the
                    security configuration information to the service provider’s tenants. EMC’s Office of
                    the CTO has been doing demos of a prototype SCAP-based solution. The idea is to
                    use SCAP and its associated protocols to forward vulnerability-related information
                    from the service provider’s environment to an external “air-gapped” repository that
                    will collect the information.

                    3 Wikipedia, Secure Content Automation Protocol, as of July 20, 2012 page update

Air gap is “…a security measure often taken for computers and computer networks
that must be extraordinarily secure. It consists of ensuring that a secure network is
completely physically, electrically, and electromagnetically isolated from unsecured
networks, such as the public Internet or an unsecured local area network.” 4

Tenants subscribe to the repository and receive SCAP information applicable only to
them. The SCAP feed is then displayed in a local dashboard, which is SCAP-aware. In
this model, the customer only subscribes to those data-feeds that are relevant to
them.

In this way, a customer of a cloud-based solution can use an eGRC dashboard for
their as-a-service environment as well as their internal IT systems.
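
The tenant-scoped routing described above, as an added example that is not EMC's prototype or code from this paper. The asset names, tenant names, finding identifiers and the subscription model are constructed assumptions; real SCAP content would first be parsed into records like these.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str            # feed category: "compute", "network", "storage"
    tenants: frozenset   # tenants whose workloads or data use this asset


@dataclass(frozen=True)
class Finding:
    finding_id: str      # placeholder identifier, not a real CVE
    asset_id: str
    severity: str
    summary: str


# Constructed sample inventory: two dedicated VMs, one switch shared by
# both tenants, and one provider-only management host.
INVENTORY = {a.asset_id: a for a in (
    Asset("vm-a-01", "compute", frozenset({"tenant-a"})),
    Asset("vm-b-01", "compute", frozenset({"tenant-b"})),
    Asset("switch-07", "network", frozenset({"tenant-a", "tenant-b"})),
    Asset("mgmt-hv-01", "compute", frozenset()),
)}

# Constructed sample findings as the repository might hold them.
FINDINGS = [
    Finding("EXAMPLE-1", "vm-a-01", "high", "guest OS patch missing"),
    Finding("EXAMPLE-2", "vm-b-01", "medium", "weak password policy"),
    Finding("EXAMPLE-3", "switch-07", "high", "firmware out of date"),
    Finding("EXAMPLE-4", "mgmt-hv-01", "low", "banner discloses version"),
    Finding("EXAMPLE-5", "unknown-99", "high", "asset not in inventory"),
]

# Each tenant subscribes only to the feed categories relevant to it.
SUBSCRIPTIONS = {
    "tenant-a": {"compute", "network"},
    "tenant-b": {"compute"},
}


def route_findings(findings, inventory, subscriptions):
    """Split findings into per-tenant feeds plus a provider-held list.

    A finding reaches a tenant only if the affected asset serves that
    tenant and the tenant subscribes to the asset's feed category.
    Findings on unknown or provider-only assets fail closed: they are
    held for the provider and never copied into a tenant feed.
    """
    feeds = {tenant: [] for tenant in subscriptions}
    held = []
    for finding in findings:
        asset = inventory.get(finding.asset_id)
        if asset is None or not asset.tenants:
            held.append(finding)
            continue
        for tenant in sorted(asset.tenants):
            if asset.kind not in subscriptions.get(tenant, ()):
                continue
            feeds[tenant].append({
                "finding_id": finding.finding_id,
                "asset_id": finding.asset_id,
                "kind": asset.kind,
                "severity": finding.severity,
                "summary": finding.summary,
                # Tell the tenant the asset is shared without naming
                # the other tenants that use it.
                "shared": len(asset.tenants) > 1,
            })
    return feeds, held


if __name__ == "__main__":
    tenant_feeds, provider_held = route_findings(
        FINDINGS, INVENTORY, SUBSCRIPTIONS)
    for tenant, entries in tenant_feeds.items():
        print(tenant, [e["finding_id"] for e in entries])
    print("held for provider:", [f.finding_id for f in provider_held])
```
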




4 Wikipedia, Air gap (networking), as of July 25, 2012 page update


Conclusion
Summary
             The goal of this paper is to show that the information security and compliance
             challenges of multi-tenant as-a-service environments are largely the same as those
             for physical environments and can be successfully addressed. The controls that must
             be put in place are the same in both environments and include:

               •   Anti-virus and anti-malware
               •   Authentication
               •   Authorization
               •   Change control
               •   Identity management
               •   Intrusion detection
               •   Security incident and event monitoring (SIEM)
               •   Network controls and forensics
               •   Monitoring and management (GRC)

             The key element to consider is the equation of “visibility plus control equals trust” -
             how the service provider will provide that and how the tenant will consume it.

Findings     This white paper highlights a couple of solutions that enable visibility into multi-
             tenant as-a-service environments:

               •   SCAP solution
                   The most promising solution is the Security Content Automation
                   Protocol (SCAP), which was developed by the National Institute of Standards
                   and Technology (NIST). However, SCAP by itself does not address the problem
                   of how to provide customer-specific visibility into as-a-service environments.
               •   EMC SCAP-based solution
                   EMC’s prototype solution solves the customer-specific visibility problem. The
                   solution uses SCAP and its associated protocols to forward vulnerability-related
                   information from the service provider’s environment to an external air-gapped
                   repository that collects the information. Tenants subscribe to the repository
                   and receive SCAP information applicable only to them.




References
White papers    For more information, see the following white papers:
                  •   Design Principles and Considerations for Configuring VMware vShield in Service
                      Provider Environments
                  •   EMC Compute-as-a-service - Design Principles and Considerations for
                      Deployment

Other           For more information, see the following documentation:
documentation
                  •   Information Supplement: PCI DSS Virtualization Guidelines by the Virtualization
                      Special Interest Group PCI Security Standards Council, Version 2.0, June 2011
                  •   RSA Security Brief: Identity & Data Protection in the Cloud, November 2009
                  •   On the Security of Cloud Storage Services, Fraunhofer Institute for Secure
                      Information Technology, Moritz Borgmann, et al, March 2012
                  •   Governance of Enterprise Security - CyLab 2012 Report: How Boards and Senior
                      Executives are Managing Cyber Risks, Carnegie Mellon University, May 16,
                      2012
                  •   Design Guide: Vblock Solutions for Trusted Multi-Tenancy, VCE, February 2012




White Paper: EMC Security Design Principles for Multi-Tenant As-a-Service Environments

  • 5. Executive summary

    Business case
    Every organization is dealing with the challenges and risks inherent in moving their workloads from legacy IT environments to private cloud, and ultimately to public cloud multi-tenant as-a-service environments. Information security is a significant challenge when moving to the cloud. Tenants and service providers need to understand and address the security implications of virtualization and multi-tenancy to ensure that their solutions comply with all relevant standards.

    Solution overview
    This white paper discusses the security challenges inherent in multi-tenant as-a-service environments, and focuses on the design considerations for both tenants and service providers:
    • The tenant is concerned with the compliance of the as-a-service environment.
    • The service provider is concerned with providing appropriate information security capabilities and the corresponding configuration, processes, and procedures.

    EMC categorizes the design factors that a service provider must address, as follows:
    • Secure separation
    • Service assurance
    • Service provider in control
    • Tenant in control
    • Security and compliance
    • Data protection

    Each design factor is affected directly or indirectly by information security or compliance requirements. Considerations include:
    • The impact on separation and assurance of a virtualized environment.
    • How the service provider and tenant can maintain control of the environment, yet not violate governance requirements.

    This white paper provides an overview of the security challenges, while focusing on what information security and governance mean in these contexts.

    Key results/recommendations
    From an information security and compliance perspective, this white paper proposes that virtualized as-a-service environments can be as secure as, or more secure than, non-virtualized physical environments.

    The information security controls required to meet the governance requirements of a physical environment map directly to the requirements of a virtualized environment. In addition, virtual environments can provide additional security capabilities and features not possible or practical in a physical environment.
  • 6. Introduction

    Purpose
    The purpose of this white paper is to discuss design considerations that take into account the information security and compliance challenges inherent in multi-tenant service provider environments.

    Scope
    The scope of this white paper is to provide an overview of the information security and compliance design considerations that must be investigated during an organization’s workload migration from legacy IT to public cloud environments. The white paper does not include detailed configuration recommendations.

    Audience
    This white paper targets technical architects, who are responsible for developing and implementing their organization’s workload migration. The reader has proficient knowledge of information security, governance, and cloud terminology.
  • 7. Information security versus compliance

    Introduction to information security versus compliance
    One of the first challenges faced by a security professional, during a conversation about information security with a non-security professional, is to clarify the subject of the conversation. Often, security conversations are about compliance or cover only one aspect of information security.

    Due to the frequent misunderstandings about information security and compliance, it is important to clarify the differences between the two.

    Compliance
    Compliance is typically defined as “…conforming to a rule, such as a specification, policy, standard, or law. Regulatory compliance describes the goal that corporations or public agencies aspire to in their efforts to ensure that personnel are aware of and take steps to comply with relevant laws and regulations.” [1]

    The Payment Card Industry Data Security Standard (PCI DSS) is an example of a regulatory specification.

    Information security
    Information security is defined as “…a means of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction...This is frequently summarized as protecting the confidentiality, integrity, and availability of information.” [2]

    Information security design principles
    This white paper focuses on the information security design principles that must be considered in multi-tenant as-a-service environments so that they can be configured to be compliant with specific regulatory requirements. We provide you with an overview of the security capabilities and controls that you must have in your environment.

    [1] Wikipedia, Regulatory compliance, as of August 8, 2012 page update
    [2] Wikipedia, Information security, as of August 15, 2012 page update
  • 8. Information security in a virtualized environment

    Virtual versus physical environments
    The question of whether or not virtualized environments can be made as secure as physical environments has been debated for years.

    Historically speaking, IBM successfully passed an independent security review and accreditation of its mainframe LPARs implementation in the 1980s. VMware® started submitting its virtualization products for independent accreditation a decade or two later.

    Despite this long history of accredited virtualized environments, there is still a significant level of distrust and misunderstanding about information security capabilities and controls in these environments. This lack of confidence is indicated by the very high level of interest in the topic. A quick web search on “virtualized environment security” returns over nine million hits and an abundance of articles.

    Scale is the challenge
    The challenge of securing virtualized environments is not a new problem. What is different in today’s as-a-service and cloud-based environments is the scale of the environments that are being secured and reviewed for regulatory compliance. This challenge is the one that demands new solutions to the information security issues of confidentiality, integrity, and assurance.

    Therefore, the question is not whether virtualized environments can be as secure as physical environments. The real question is how to apply the lessons learned from securing physical environments to the much larger scale environments that underlie public, private, and hybrid cloud offerings.
  • 9. Compliance and risk in a virtualized environment

    Compliance
    How does an auditor validate compliance in a virtualized environment? This is a question that we hear repeatedly when talking with organizations considering migrating to cloud-based environments.

    The controls that an auditor validates in a physical environment also apply to a virtual environment. Having the correct controls in place is as critical in a virtual environment as it is in a physical environment. The common set of controls most industry and government regulations focus on includes, but is not limited to:
    • Anti-virus and anti-malware
    • Authentication
    • Authorization
    • Change control
    • Identity management
    • Intrusion detection
    • Security incident and event monitoring (SIEM)
    • Network controls and forensics
    • Monitoring and management (GRC)

    However, in a virtual environment, there are likely to be additional software components to which these controls must be applied. At a minimum, there will be some type of hypervisor providing abstraction to CPU and memory of the systems. There is likely to be some network virtualization in addition to physical network devices. There is almost certainly network and storage virtualization present in the current legacy IT environment.

    Several regulatory bodies have issued virtualization-specific recommendations. For example, PCI’s Virtualization Special Interest Group (SIG) created the information supplement: PCI DSS Virtualization Guidelines. This document discusses not only the risks of virtualized environments but also provides recommendations on the impact of virtualization on compliance with PCI DSS. However, this document was released in 2011, though virtualization has been in use for decades.

    Risk management
    Information security is all about managing risks in the environment. The Certified Information Systems Auditor (CISA) Review Manual 2006 provides the following definition of risk management:

    "Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what counter measures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization."
  • 10. While determining and managing risk is critical to any organization’s migration to private, public, and hybrid cloud environments, any decisions on when and where to move workloads to the cloud are beyond the scope of this white paper. Your organization must consider, in detail, the risks inherent in moving data into the cloud.
  • 11. Moving to the cloud

    Information security goals
    There is no substantive difference between the information security and compliance requirements for cloud and non-cloud environments. There are, of course, some additional components in a cloud environment, but these are minor.

    The information security goals are the same for cloud and non-cloud environments and for virtualized and non-virtualized environments. It is critical that organizations keep in mind that they must apply the same processes to cloud-based solutions as to other solutions. It is the “how” of information security that has changed and not the “what” that has changed.

    Control in a cloud-based solution
    Cloud computing removes many of the traditional, physical boundaries that help define and protect an organization’s data assets. Physical servers are replaced by virtual ones. Perimeters are established not just by firewalls, but also by the transit of virtual machines. Risk factors become more complex as the cloud introduces ever-expanding, transient chains of custody for sensitive enterprise data and applications.

    As organizations migrate their IT workloads to the cloud, they effectively relinquish some control over their information infrastructure and processes, even while they are required to bear greater responsibility for data confidentiality and compliance. This shift has wide-ranging implications for a broad set of corporate stakeholders, especially leaders who are responsible for information security. This is particularly true in a public cloud environment.

    Meanwhile, the trend is for regulatory oversight and compliance requirements to become stricter and more demanding. Therefore, it is critical that any cloud-based solution considered by your organization includes information security and regulatory compliance requirements from its initial conception.

    Multi-tenant access
    Building an environment that provides multi-tenant access is critical for any public cloud service provider offering. Multi-tenancy, in this context, means that the service provider can provide a tenant with an environment in which it appears, from the tenant’s perspective, that all resources are dedicated to that tenant. In addition, the infrastructure must ensure that no tenant can influence the behavior of another tenant’s environment in any way. This is one of the biggest differences between private and public cloud environments.

    However, you must consider that in any virtualized environment, there is a significant degree of multi-tenancy implied. Depending on the type of environment, multi-tenancy may be significant.

    Information security in the cloud
    As organizations begin to migrate to the cloud, there is still confusion about how best to handle information security in the cloud. In a report commissioned by RSA, As Hyper-extended Enterprises Grow, So Do Security Risks, two-thirds of the respondents, who are running applications or business processes in the cloud, admitted that they had not developed a security strategy for cloud computing. A majority of respondents were not sure how prospective cloud-computing vendors would safeguard data or how corporate security teams would meet compliance requirements for moving data into the cloud.
  • 12. Private versus Public cloud-based environments

    The main differences between private and public cloud-based environments are:
    • Automation of provisioning
    • Operation
    • Self-service
    • Large-scale virtualization

    This ability to scale out virtualized environments, either in a private or public cloud environment, is what makes cloud different. Information security controls must be integrated into these scaled-out architectures. Otherwise, it is impossible to report, with any accuracy, the security position of such an environment.

    Areas that a service provider must address include:
    • Authentication
    • Configuration and service pack management
    • Data loss prevention and forensics
    • Dashboard (eGRC)
    • Identity and access management
    • Multi-tenancy
    • Network monitoring and analysis
    • Security information and event logging
    • Security management (dashboard)

    You must place particular emphasis on security management and the eGRC dashboard, which is used to report on the environment.

    Similarly, tenants of cloud-based solutions must apply their normal information security and risk-management policies and procedures to any cloud-based deployment. At a minimum, they must:
    • Define policies
    • Evaluate cloud providers
    • Require transparency and visibility into the cloud
    • Maintain segregation of administrative privileges
    • Manage provisioning policies (virtual machine, storage, and network)
    • Encrypt and tokenize sensitive data
    • Adopt federated identity management and strong authentication
  • 13. Visibility and control in the cloud

    Visibility and control in the cloud
    In the cloud, “visibility plus control equals trust”.

    The most important step that a service provider must take towards building a trusted cloud-based as-a-service solution is to provide visibility and control into its information security and compliance processes and procedures. The message customers and potential customers convey to as-a-service providers is that visibility generates trust and without trust the service provider will not get their business. Similarly, the service provider must implement information security controls in their virtualized multi-tenant infrastructure to meet customer requirements.

    In order for the service provider to gain a customer’s trust, the service provider must provide details on the how and what of their information security and compliance strategies. This does not mean that the service provider needs to provide copies of their audit monitoring procedures on their website. What it does mean is that the service provider must make available, in as close to real-time as possible, the ability for a customer to view the service provider’s entire compliance configuration through a single management GUI (also known as a “single-pane-of-glass”). If that is not possible, then service providers must share information in other ways.

    Secure Content Automation Protocol (SCAP)
    The most promising solution to enable visibility into a multi-tenant as-a-service environment is a relatively new protocol called Secure Content Automation Protocol (SCAP) that was developed by the National Institute of Standards and Technology (NIST).

    “SCAP is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (for example, Federal Information Security Management Act (FISMA) compliance)...It combines several open standards that are used to enumerate software flaws and configuration issues related to security.” [3]

    Information security practitioners are enthusiastic about open standards. SCAP uses Common Vulnerabilities and Exposures (CVE) and Open Vulnerability and Assessment Language (OVAL), for example. Today, SCAP compliant software is already available, for example, VMware vCenter® Configuration Management (vCM). For more information on SCAP capabilities, see the National Vulnerability Database.

    Customer-specific visibility
    One challenge that SCAP does not address is how to provide customer-specific visibility into as-a-service environments. How does a service provider do the correlation (also known as “mashup”) of all the data collected in these types of environments? Specifically, how will a specific log entry be associated with the tenants that it affects? And how will a tenant receive only the security related information for the network switches that are used for that tenant’s data? These are important issues and concerns.

    EMC SCAP-based solution
    The good news is that several of the challenges in providing visibility into as-a-service environments have been solved with SCAP. One of those challenges is how to get the security configuration information to the service provider’s tenants. EMC’s Office of the CTO has been doing demos of a prototype SCAP-based solution. The idea is to use SCAP and its associated protocols to forward vulnerability-related information from the service provider’s environment to an external “air-gapped” repository that will collect the information.

    Air gap is “…a security measure often taken for computers and computer networks that must be extraordinarily secure. It consists of ensuring that a secure network is completely physically, electrically, and electromagnetically isolated from unsecured networks, such as the public Internet or an unsecured local area network.” [4]

    Tenants subscribe to the repository and receive SCAP information applicable only to them. The SCAP feed is then displayed in a local dashboard, which is SCAP-aware. In this model, the customer only subscribes to those data-feeds that are relevant to them. In this way, a customer of a cloud-based solution can use an eGRC dashboard for their as-a-service environment as well as their internal IT systems.

    [3] Wikipedia, Secure Content Automation Protocol, as of July 20, 2012 page update
    [4] Wikipedia, Air gap (networking), as of July 25, 2012 page update
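The tenant-scoped feed described above, sketched as an added example (it is not EMC's prototype and does not use real SCAP content): findings are routed through an asset-to-tenant inventory, so each tenant receives only results for assets that serve it, including shared switches and hosts. All tenant names, asset names, check identifiers and field names are constructed assumptions.

```python
"""Tenant-scoped routing of provider scan findings (constructed example)."""
from dataclasses import dataclass

# Constructed inventory: which tenants each asset serves. Shared
# infrastructure (hosts, switches) maps to several tenants; an empty
# set marks provider-only equipment that no tenant may see.
ASSET_TENANTS = {
    "vm-acme-web01": {"acme"},
    "vm-globex-db01": {"globex"},
    "esx-host-07": {"acme", "globex"},
    "core-switch-02": {"acme", "globex", "initech"},
    "mgmt-switch-01": set(),
}


@dataclass(frozen=True)
class Finding:
    asset: str      # asset the check ran against
    check_id: str   # constructed identifier, not a real CVE or OVAL id
    result: str     # "pass" or "fail"
    detail: str     # provider-internal text; may name other tenants


# Constructed findings, as a provider-side scanner might forward them.
FINDINGS = [
    Finding("vm-acme-web01", "EXAMPLE-CHECK-001", "fail", "weak TLS settings"),
    Finding("vm-globex-db01", "EXAMPLE-CHECK-002", "fail", "default account"),
    Finding("esx-host-07", "EXAMPLE-CHECK-003", "fail",
            "patch missing; host runs acme and globex guests"),
    Finding("core-switch-02", "EXAMPLE-CHECK-004", "pass", "ACLs as expected"),
    Finding("mgmt-switch-01", "EXAMPLE-CHECK-005", "fail", "telnet enabled"),
    Finding("vm-unknown-99", "EXAMPLE-CHECK-006", "fail", "not in inventory"),
]


def tenant_feed(tenant, findings, asset_tenants):
    """Return the findings a single tenant is entitled to see.

    A finding is included only when the inventory says the asset serves
    this tenant. Records are projected to tenant-safe fields: the free
    text detail and the list of co-tenants are never copied, only a
    boolean saying whether the asset is shared.
    """
    feed = []
    for f in findings:
        owners = asset_tenants.get(f.asset)
        # Fail closed: unknown assets and provider-only assets are skipped.
        if not owners or tenant not in owners:
            continue
        feed.append({
            "asset": f.asset,
            "check_id": f.check_id,
            "result": f.result,
            "shared": len(owners) > 1,
        })
    return feed


def unrouted(findings, asset_tenants):
    """Findings on assets missing from the inventory.

    These reach no tenant at all, so the provider has to triage them and
    repair the inventory; otherwise a tenant's view silently has a hole.
    """
    return [f for f in findings if f.asset not in asset_tenants]


if __name__ == "__main__":
    for name in ("acme", "globex", "initech"):
        print(name, tenant_feed(name, FINDINGS, ASSET_TENANTS))
    print("unrouted:", [f.asset for f in unrouted(FINDINGS, ASSET_TENANTS)])
```

The accuracy of each tenant's view depends entirely on the asset-to-tenant inventory, which is why unmapped assets are reported separately instead of being dropped.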
  • 15. Conclusion

    Summary
    The goal of this paper is to show that the information security and compliance challenges of multi-tenant as-a-service environments are largely the same as those for physical environments and can be successfully addressed. The controls that must be put in place are the same in both environments and include:
    • Anti-virus and anti-malware
    • Authentication
    • Authorization
    • Change control
    • Identity management
    • Intrusion detection
    • Security incident and event monitoring (SIEM)
    • Network controls and forensics
    • Monitoring and management (GRC)

    The key element to consider is the equation of “visibility plus control equals trust” - how the service provider will provide that and how the tenant will consume it.

    Findings
    This white paper highlights a couple of solutions that enable visibility into multi-tenant as-a-service environments:
    • SCAP solution
      The most promising solution is the protocol Secure Content Automation Protocol (SCAP), which was developed by the National Institute of Standards and Technology (NIST). However, SCAP by itself does not address the problem of how to provide customer-specific visibility into as-a-service environments.
    • EMC SCAP-based solution
      EMC’s prototype solution solves the customer-specific visibility problem. The solution uses SCAP and its associated protocols to forward vulnerability-related information from the service provider’s environment to an external air-gapped repository that collects the information. Tenants subscribe to the repository and receive SCAP information applicable only to them.
  • 16. References

    White papers
    For more information, see the following white papers:
    • Design Principles and Considerations for Configuring VMware vShield in Service Provider Environments
    • EMC Compute-as-a-service - Design Principles and Considerations for Deployment

    Other documentation
    For more information, see the following documentation:
    • Information Supplement: PCI DSS Virtualization Guidelines by the Virtualization Special Interest Group PCI Security Standards Council, Version 2.0, June 2011
    • RSA Security Brief: Identity & Data Protection in the Cloud, November 2009
    • On the Security of Cloud Storage Services, Fraunhofer Institute for Secure Information Technology, Moritz Borgmann, et al, March 2012
    • Governance of Enterprise Security - CyLab 2012 Report: How Boards and Senior Executives are Managing Cyber Risks, Carnegie Mellon University, May 16, 2012
    • Design Guide: Vblock Solutions for Trusted Multi-Tenancy, VCE, February 2012