International Journal of Services Computing (ISSN 2330-4472) Vol. 2, No. 2, April - June 2014
58 http://hipore.com/ijsc

A COMPLIANCE AWARE INFRASTRUCTURE AS A SERVICE

Shakil M. Khan, Lorraine M. Herger, Mathew A. McCarthy
IBM Corporation

Abstract

With cloud eclipsing the $100B mark, it is clear that the main driver is no longer strictly cost savings. The focus now is to exploit the cloud for innovation, utilizing the agility to expand resources to quickly build out new designs, products, simulations and analysis. Companies will use this agility and speed as a competitive advantage. An example of this agility is the adoption by enterprises of the software-defined datacenter (SDDC) model, required to support the changing workloads and dynamic patterns of the enterprise. Often, security and compliance become an 'afterthought', bolted on later when problems arise. In this paper, we discuss our experience in developing and deploying a centralized management system for public cloud, as well as an OpenStack based cloud platform in SoftLayer, with an innovative, analytics-driven 'security compliance as a service' that constantly adjusts to varying compliance requirements based on workload, security and compliance requirements.

Keywords: SDDC, GRC, Ontology, IaaS, Compliance, OWL, SWRL, Cloud

1. INTRODUCTION

Companies are increasingly going "cloudwards", using both public providers and private datacenters, because of the business agility that Infrastructure as a Service (IaaS) enables. Full IT automation, self-service provisioning, and metered usage billing help companies accelerate the development of their products and services and improve organizational efficiency.
Unfortunately, many companies are struggling to accelerate the most important parts of their business due to the challenges of securing these highly dynamic environments. Use of a cloud service does not automatically guarantee strong security or required compliance. Although some providers offer optional security capabilities that can be used to help reach the required security and compliance posture, it is the user's obligation to ensure that workloads running on the cloud are secure and compliant. This fact is often forgotten in the haste to bring an application or service online.

IBM Research has collaborative research projects with clients, ranging from internal business units to external clients such as government and almost all vertical market segments. Researchers need to run their experiments with innovative architectures and algorithms in a datacenter environment modeled around the 'living lab' concept in order to pilot solutions for highly dynamic and volatile markets in a timely fashion. This introduces tremendous challenges in supporting heterogeneity in workloads as well as in security and compliance requirements. In most cases the researchers who need to move fast and implement change run into very legitimate barriers and concerns from their IT and "governance" teams when they bring their ideas to the table. The groups responsible for creating and supporting applications and solutions are chartered with ensuring that data and intellectual property are secure, that privacy laws and other regulations are complied with, and that the solutions are "future proof" and smart investments. The stewardship of one group to protect the company and of the other to accelerate the response to change creates tension, frustration, and conflict.

2. BRIDGING THE CHASM BETWEEN AGILITY AND SECURITY

With the acquisition of SoftLayer, IBM Research is being encouraged to use it to power its research workloads.
Unfortunately, SoftLayer does not automatically guarantee strong security or required compliance. In order to stay relevant and competitive, research needs to respond to market forces almost immediately. Capabilities such as a service catalog with standardized offerings and tiered SLAs, automated workload-aware provisioning in private, public and hybrid clouds, proactive incident and problem management, and IT cost transparency and chargeback have helped unlock the efficiency, agility and benefits of cloud. Yet reliability, security and compliance remain formidable barriers to turning these benefits into innovation at the speed of the business.

Manual security and compliance as an "afterthought" pose the following challenges to the researchers:

- Need-specific, piecemeal solutions bolted on to existing infrastructures create silos, drive up cost, and impede innovation.
- Users lack expertise in security and compliance. Often changes in regulations are not communicated outside the security and compliance functions, leading to contextually invalid security implementations by users.
- Data theft and intellectual property theft due to lack of security and compliance expertise.
- 'Home grown' research solutions that meet business requirements but fall short of security and compliance audit requirements.
Security configuration, optimized IT functional model, discrepancy between optimized IT functional model and realized IT model as a report to a user. Figure 3 shows a flow diagram for iterative computation of the state of compliance using the enterprise ontology, contracts, IT functional model etc.
[Figure 3 residue: flow diagram; recovered box labels follow.
Contract analytics side: IT professional contract modification via visualization assistant; Enterprise profile and rule based contract content analysis; Analysis based visualization of IT relevant parameters; Create revised version of contract with known, accepted IT parameters; Additional revision from other parties; Generate deal specific artifacts (IT implementation details, project specific policies, IT security and compliance requirements).
Policy generation loop: Start; Read Enterprise Ontology; Read Contract Model; Map portion of contracts to appropriate business semantics (process, activities, roles, goals, technologies etc.); Derive IT functional model; Generate and manage high level operational policies; Disambiguate contextual references, map policy to security controls; Annotate security controls with security requirements, generate low level policies; Create IT instance from IT functional, security requirement and implementation model; Deploy and collect evidence; Compute; Drift? (No: Stop).
Enterprise Ontology inputs: Org Profile, Rules, Services, Costs, processes, Activities, Roles, Goals, Technology.
The diagram carries step numbers 100 to 160 and 200 to 280, which the text below refers to.]
Fig 3: Enterprise Ontology and policy generation
In Figure 3, contract analytics, with the help of domain experts, takes the Enterprise Ontology (enterprise profile, services, rules) and parameterized operational criteria (sustainability, performance, profitability, e.g. costs, tolerance for security, budget for security) as input, and decomposes the portions of contracts that will require IT commitments into high level policies and requirements (100, 101, 120, 130, 140, 150, 160).
An IT functional model is dynamically derived with the help of the Enterprise Ontology and the artifacts generated from contract analytics. The IT functional model is dynamically bound to security requirements and security implementations, and deployable policies are generated. The policies are deployed and evidence is collected. The evidence is computed and compared against parameterized enterprise operational goals and requirement thresholds. If drift is detected, modifications to the contractual item(s) and the Enterprise Ontology are suggested. The process iterates until the measures fall within a defined tolerance of the threshold (200, 210, 220, 230, 240, 250, 260, 270, 280).
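The deploy, collect evidence, compute, drift cycle described above, as an added example that is not the paper's code: a Python sketch of the loop in which collected evidence is compared against parameterized thresholds, drifted controls are reported, and the cycle repeats until every measure is within its tolerance. The paper does not specify how evidence is compared with thresholds, so the tolerance-band rule here is an assumption; the control names, thresholds and the simulated tenant are constructed for illustration.

```python
"""Iterative computation of the state of compliance (the Figure 3 loop).

Added example, not the paper's code. Deployed policies yield evidence, the
evidence is compared with parameterized enterprise thresholds, drift is
reported, and the cycle repeats until every measure is within its tolerance.
Control names, thresholds and the simulated tenant are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threshold:
    """Parameterized operational goal for one measured control (assumed form).

    With higher_is_worse, values above target + tolerance are drift;
    otherwise values below target - tolerance are drift.
    """
    control: str
    target: float
    tolerance: float
    higher_is_worse: bool = True


@dataclass(frozen=True)
class Drift:
    control: str
    measured: float   # NaN when no evidence was collected
    target: float
    deviation: float  # distance outside the tolerance band, in the control's units


def compute_drift(evidence: dict[str, float], thresholds: list[Threshold]) -> list[Drift]:
    """Compare collected evidence against the thresholds and list drifted controls.

    A control with no evidence is reported as drift: absence of evidence
    cannot demonstrate compliance to an auditor.
    """
    drifts = []
    for t in thresholds:
        measured = evidence.get(t.control)
        if measured is None:
            drifts.append(Drift(t.control, float("nan"), t.target, float("inf")))
            continue
        if t.higher_is_worse:
            excess = measured - (t.target + t.tolerance)
        else:
            excess = (t.target - t.tolerance) - measured
        if excess > 0:
            drifts.append(Drift(t.control, measured, t.target, excess))
    return drifts


def run_compliance_loop(thresholds, collect_evidence, remediate, max_iterations=10):
    """Collect evidence, compute drift, remediate and repeat.

    Returns one drift list per iteration; an empty final list means the
    measures reached the defined tolerance. The loop is bounded so a control
    that remediation cannot move does not spin forever.
    """
    history = []
    for _ in range(max_iterations):
        drifts = compute_drift(collect_evidence(), thresholds)
        history.append(drifts)
        if not drifts:
            break
        remediate(drifts)
    return history


class SimulatedTenant:
    """Constructed stand-in for a deployed IaaS tenant. Each remediation round
    moves a drifted control part of the way toward its target, so the loop
    needs more than one iteration to converge."""

    def __init__(self):
        self.state = {"patch_age_days": 45.0,
                      "encrypted_volumes_pct": 80.0,
                      "mfa_enabled_pct": 100.0}

    def evidence(self) -> dict[str, float]:
        return dict(self.state)

    def remediate(self, drifts: list[Drift]) -> None:
        for d in drifts:
            if d.control == "patch_age_days":
                self.state[d.control] = max(0.0, self.state[d.control] - 30.0)
            elif d.control == "encrypted_volumes_pct":
                self.state[d.control] = min(100.0, self.state[d.control] + 10.0)


# Constructed thresholds: patch within 14 days with 7 days of grace, every
# volume encrypted, MFA on every account.
THRESHOLDS = [
    Threshold("patch_age_days", target=14.0, tolerance=7.0),
    Threshold("encrypted_volumes_pct", target=100.0, tolerance=0.0, higher_is_worse=False),
    Threshold("mfa_enabled_pct", target=100.0, tolerance=0.0, higher_is_worse=False),
]


def demo() -> list[list[Drift]]:
    """Run the loop against the simulated tenant and return the drift history."""
    tenant = SimulatedTenant()
    return run_compliance_loop(THRESHOLDS, tenant.evidence, tenant.remediate)


if __name__ == "__main__":
    for i, drifts in enumerate(demo(), 1):
        print(f"iteration {i}: {[(d.control, d.deviation) for d in drifts]}")
```

Against the constructed tenant the loop needs three iterations: two controls drift in the first round, one in the second, none in the third. Reporting a control with no evidence as drift, rather than skipping it, is the choice an auditor would expect.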
5. ONTOLOGY BASED COMPLIANCE VALIDATION EXAMPLE

Security incidents with data breach present a wide array of legal problems for victim companies. The data breach notification laws pertaining to the definition of personal information, identification of notification triggers, method of notification, content of notification, determination of time and acceptable delays etc. vary widely across states.
A meta model for compliance validation and evaluation, i.e. the Compliance-Ontology, is proposed, based on which regulation constraints can be modeled into OWL axioms and SWRL rules. An activity (Data-Sensitivity-Assessment-Activity) from the Data Breach Notification Process Flow has been used to show how regulatory constraints provisioned by state statute are applied to validate the compliance of activity results. This meta model is influenced by "Ontology-based semantic modeling of regulation constraint for automated construction quality compliance checking" (Zhong, Ding, et al. 2012). The Compliance Checking Ontology serves as a meta model, defining the concepts and relations related to IT Security regulatory compliance checking. The Analysis-Task class is the central concept in this Ontology. An Analysis-Task is set according to the specific regulation constraint. An Analysis-Task can be related to the Analysis-Object through the "hasAnalysisObject" property, which indicates that the Analysis-Object will be inspected, through the execution of the Analysis-Task, to make sure it complies with the relevant regulation constraints. The Analysis-Object refers to any concept governed by regulations and indicates what is to be inspected; in the domain of IT Security compliance to regulatory requirements, the entities include identification, evaluation and remediation processes (activities and procedures), the data security products, and the resources used in analysis. An Analysis-Object may include a set of violation analysis items. These analysis items can be identified from the regulation provisions. For example, the NYS Information Security Breach and Notification Act is comprised of section 208 of the State Technology Law and section 899-aa of the General Business Law. Section 899-aa states that:

"(c) "Breach of the security of the system" shall mean unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business. Good faith acquisition of personal information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.

In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization, such business may consider the following factors, among others:

(1) Indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information …

(d) "Consumer reporting agency" shall mean any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.

2. Any person or business which conducts business in New York state, and which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization."

From this provision, the analysis items include determination of personal information, identification of notification triggers, method of notification, content of notification, determination of time and acceptable delays, and so on, all of which vary widely across states.
Furthermore, an Analysis-Task needs a set of Analysis-Item-Checking-Actions to test and collect the conformance information/data for the analysis items. Each Analysis-Item-Checking-Action has a Checking-Result, which represents the actual violation/conformance/compliance information collected. Similarly, an Analysis-Task needs a set of Evaluation-Tasks to evaluate the provenance of those analysis items in accordance with the Evaluation-Criteria. The Evaluation-Criteria are imposed by the regulation provisions or set by the domain experts. Based on the Checking-Result and the Evaluation-Criteria, the Evaluation-Task can be done to judge whether the analysis items are compliant with the regulation constraints. Each Evaluation-Task has an Evaluation-Result, and together these constitute the Analysis-Report. The Analysis-Report of a particular Analysis-Task for the corresponding Analysis-Object can be documented, based on the Evaluation-Results of all the inspection items. In the Compliance Ontology, the Regulation-Constraint constitutes the main analysis knowledge, since the focus is regulation-based compliance analysis. Each constraint comes from the corresponding provision text in regulations. The relation "hasRegulation" associates the constraint with the provision text from which the constraint is extracted. Meanwhile, an Analysis-Task must be assigned to a Position as its responsibility; the Position performs the Analysis-Item-Checking-Action and the Evaluation-Task to accomplish the Analysis-Task. In addition, many parameters, such as business process parameters, IT functional and realization parameters, user behavioral parameters and so on, are used to depict the compliance features/state in the IT security regulatory compliance domain.
As shown in Fig. 3, the Analysis-Object can be the IT functional model, IT Security model, IT configuration model, IT Security products, business processes, user activities and so on. Here, each main concept indicates one facet of the analysis objects, and can be modeled as the IT Security process ontology. In the Compliance Ontology, the Analysis-Object concepts (enclosed by the dashed line, as shown in Fig. 3) are also concepts of the IT Security process model. Through the Analysis-Object concept, the Compliance Ontology for compliance checking can interact with the IT Security process model. The meta model provides general terms and relations common to the domain of IT Security compliance checking against regulatory requirements. Based on the meta model, the specific domain model for security compliance checking can be obtained by specializing and instantiating the generic concepts and relations in the meta model. Since the meta model is not limited to any specific IT Security domain, it can be reused independently of any specific security implementation. Based on the meta model and the ontology, the constraint knowledge imposed by the regulations can be clearly and unambiguously defined such that it may potentially be interpreted by a machine.
[Figure 4 residue: class diagram; recovered labels follow.
Classes: Analysis-Task, Regulation-Constraint, Regulation, Deontic-Constraint, Analysis-Object, Checking-Result, Parameter, Role, Evaluation-Criteria, Evaluation-Task, Evaluation-Result, Compliance-Report, Analysis-Item-Checking-Action. The Analysis-Object includes resource, product and activity, drawn from the Process Model.
Relations: hasAnalysisTask, hasAnalysisCriteria, isRegulatedBy, hasReference, hasEvaluationCriteria, hasEvaluationResult, isComposedOf, hasAnalysisItemComplianceCheckingAction, isResponsibilityOf, performAnalysis, performEvaluation, Analysis2Evaluation, hasEvaluationTask, hasAnalysisReport, hasCheckingResult.]
Fig 4: Compliance checking Ontology
Here, compliance analysis of the sensitive data breach notification process is presented as an example. Based on the Compliance-Ontology, regulation constraints can be modeled into OWL axioms and SWRL rules. An activity (Data-Sensitivity-Assessment-Activity) from the Data Breach Notification Process Flow has been used to show how regulatory constraints provisioned by state statute are applied to validate the compliance of activity results.
[Figure residue (caption not present on the page): Data Breach Notification Analysis Process, with hasActivity links to Data-Sensitivity-Assessment-Activity, Restore-System-Security-Activity, Notification-Activity and further activities elided; an isDirectlyBefore relation involving Incident-Investigation-Activity; an incident isUsedIn the process. Parameters shown:
State – to determine state statutes pertaining to definition of personal information, determination of notification triggers, content of notification etc.
Incident-timestamp – to determine acceptable delay]
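To make the meta model concrete, the following is an added Python example, not the paper's OWL axioms or SWRL rules, that applies the Analysis-Task, Analysis-Item-Checking-Action, Checking-Result, Evaluation-Task and Analysis-Report structure of Fig. 4 to the New York provision quoted above, selecting the statute by the State parameter as the process diagram indicates. The Incident fields, the analysis-item names, the statute registry and the sample incidents are constructed here; the two evaluation results follow the logical structure of the quoted text (a breach of the security of the system, and whether disclosure to affected residents is required).

```python
"""Compliance-Ontology meta model (Fig. 4) as executable Python.

Added example, not the paper's OWL axioms or SWRL rules. An Analysis-Task
inspects an Analysis-Object through Analysis-Item-Checking-Actions, each
giving a Checking-Result; an Evaluation-Task judges the results against
Evaluation-Criteria and the Evaluation-Results form the Analysis-Report.
The Regulation-Constraints encode the quoted NY General Business Law
section 899-aa text. Incident fields, analysis-item names and sample
incidents are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Incident:
    """Analysis-Object: the result of the Data-Sensitivity-Assessment-Activity.
    `state` is the State parameter that selects the statute (constructed fields)."""
    state: str
    computerized_data: bool
    acquisition_authorized: bool
    personal_information_compromised: bool
    acquired_by_employee_or_agent_for_business: bool
    data_used_or_disclosed: bool
    conducts_business_in_state: bool
    owns_or_licenses_data: bool
    affected_residents: int


@dataclass(frozen=True)
class RegulationConstraint:
    """One analysis item, its checking action, and the provision text it is
    extracted from (the hasRegulation relation)."""
    analysis_item: str
    reference: str
    checking_action: Callable[[Incident], bool]


@dataclass(frozen=True)
class CheckingResult:
    analysis_item: str
    holds: bool
    reference: str


@dataclass(frozen=True)
class AnalysisReport:
    analysis_object: str
    checking_results: tuple[CheckingResult, ...]
    evaluation_results: dict[str, bool]

    def requires_notification(self) -> bool:
        return self.evaluation_results["notification_required"]


NY_899AA_1C = "NY General Business Law s.899-aa(1)(c)"
NY_899AA_2 = "NY General Business Law s.899-aa(2)"

# Analysis items identified from the quoted provision, each with its
# Analysis-Item-Checking-Action over the Analysis-Object.
NY_CONSTRAINTS = (
    RegulationConstraint("unauthorized acquisition of computerized data", NY_899AA_1C,
                         lambda i: i.computerized_data and not i.acquisition_authorized),
    RegulationConstraint("personal information compromised", NY_899AA_1C,
                         lambda i: i.personal_information_compromised),
    RegulationConstraint("good-faith employee/agent exception applies", NY_899AA_1C,
                         lambda i: i.acquired_by_employee_or_agent_for_business
                         and not i.data_used_or_disclosed),
    RegulationConstraint("conducts business in the state", NY_899AA_2,
                         lambda i: i.conducts_business_in_state),
    RegulationConstraint("owns or licenses computerized data with private information",
                         NY_899AA_2, lambda i: i.owns_or_licenses_data),
    RegulationConstraint("residents of the state affected", NY_899AA_2,
                         lambda i: i.affected_residents > 0),
)


def evaluate_ny(r: dict[str, bool]) -> dict[str, bool]:
    """Evaluation-Task for NY. The Evaluation-Criteria follow the provision: a
    breach of the security of the system is an unauthorized acquisition that
    compromises personal information, unless the good-faith exception applies;
    disclosure is then required when the business has the statutory nexus."""
    breach = (r["unauthorized acquisition of computerized data"]
              and r["personal information compromised"]
              and not r["good-faith employee/agent exception applies"])
    notify = (breach and r["conducts business in the state"]
              and r["owns or licenses computerized data with private information"]
              and r["residents of the state affected"])
    return {"breach_of_security_of_system": breach, "notification_required": notify}


# Statute registry keyed by the State parameter; only NY is modeled here.
STATUTES = {"NY": (NY_CONSTRAINTS, evaluate_ny)}


def analysis_task(incident: Incident, object_id: str) -> AnalysisReport:
    """Analysis-Task: run the checking actions for the incident's state and
    evaluate them. A state without modeled constraints raises, so the gap is
    surfaced to the responsible Position instead of passing silently."""
    if incident.state not in STATUTES:
        raise LookupError(f"no regulation constraints modeled for {incident.state!r}")
    constraints, evaluate = STATUTES[incident.state]
    checks = tuple(CheckingResult(c.analysis_item, c.checking_action(incident), c.reference)
                   for c in constraints)
    return AnalysisReport(object_id, checks, evaluate({c.analysis_item: c.holds for c in checks}))


# Constructed sample incidents: a lost device holding resident data, and an
# employee's good-faith lookup that was never used or disclosed.
STOLEN_LAPTOP = Incident("NY", True, False, True, False, False, True, True, 1200)
GOOD_FAITH_LOOKUP = Incident("NY", True, False, True, True, False, True, True, 1)
```

Every Checking-Result carries the provision reference it was derived from, which is what the hasRegulation relation exists for: an auditor reading the Analysis-Report can trace each judgement back to the statute text. Keeping the statute registry keyed by State, and failing loudly for a state that has not been modeled, mirrors the role of the State parameter in the process diagram.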