HPE Cloud Security

These materials are © 2017 John Wiley & Sons, Inc.
Any dissemination, distribution, or unauthorized use is strictly prohibited.

Hybrid Cloud
Security
HPE Special Edition
by Simon Leech CISSP-ISSAP,

CCSK, CISM, CRISC
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Hybrid Cloud Security For Dummies®, HPE Special Edition
Published by
John Wiley & Sons, Inc.
111 River St.
Hoboken, NJ 07030-5774
www.wiley.com
Copyright © 2017 by John Wiley & Sons, Inc., Hoboken, New Jersey
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by
any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted
under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the
Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department,
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at
http://www.wiley.com/go/permissions.
Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com, Making
Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons,
Inc. and/or its affiliates in the United States and other countries, and may not be used without written
permission. HPE and the HPE logo are trademarks or registered trademarks of Hewlett Packard
Enterprise Development LP. The OpenStack Word Mark and OpenStack Logo are either registered
trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United
States and other countries and are used with the OpenStack Foundation’s permission. Neither HPE nor
John Wiley & Sons, Inc. is affiliated with, endorsed or sponsored by the OpenStack Foundation, or the
OpenStack community. Source: http://www.openstack.org/brand/openstack-trademark-policy. All
other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated
with any product or vendor mentioned in this book.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO

REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE
CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT
LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED
OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED
HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING
THAT THE PUBLISHER AND THE AUTHOR ARE NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING,
OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES
OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE
AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR
WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER
INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION
THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER,
READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED
OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.
For general information on our other products and services, or how to create a custom For Dummies book
for your business or organization, please contact our Business Development Department in the U.S. at
877-409-4177, contact info@dummies.biz, or visit www.wiley.com/go/custompub. For information about
licensing the For Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com.
ISBN 978-1-119-37446-6 (pbk); ISBN 978-1-119-37444-2 (ebk)
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
Publisher’s Acknowledgments
Some of the people who helped bring this book to market include the following:
Development Editor: Elizabeth Kuball Production Editor:

Selvakumaran Rajendiran
Copy Editor: Elizabeth Kuball
Special Help: Sylvia McCleary,
Acquisitions Editor: Amy Fandrei
Jan De Clercq
Editorial Manager: Rev Mengle
Business Development Representative:
Karen Hattan
Table of Contents
INTRODUCTION................................................................................................ 1
About This Book.................................................................................... 2
Foolish Assumptions............................................................................. 2
Icons Used in This Book........................................................................ 2
Beyond the Book................................................................................... 3
Where to Go from Here........................................................................ 3
CHAPTER 1: Introducing Hybrid Cloud Security................................. 5

Hybrid Cloud Defined........................................................................... 5
Cloud Models......................................................................................... 6
Different Clouds, Different Security Requirements.......................... 7
Cloud Security Threats.......................................................................... 8
Principles of Hybrid Cloud Security..................................................... 9
Shaping security standards............................................................ 9
Shared responsibility....................................................................... 9
Defense in depth.............................................................................. 9
Due Diligence....................................................................................... 11
CHAPTER 2: Hardening the Cloud Environment.............................. 13

Building Security into the Cloud........................................................ 13
Recognizing the Challenges with Traditional Infrastructure
Security................................................................................................. 15
Providing Security for Compute Instances....................................... 16
Making Sense of Network Multitenancy........................................... 16
Understanding Software Network Overlays.................................... 18
Considering the Value of Containerization...................................... 19
CHAPTER 3: Securing the Application Life Cycle............................. 23

Identifying the Need for Improved Application Security................ 23
Integrating Security into the Software
Development Life Cycle...................................................................... 24
Static source code analysis........................................................... 25
Dynamic application security testing.......................................... 25
Run-time application self-protection........................................... 26
Knowing the Importance of Data-Centric Security.......................... 27
Why traditional encryption doesn’t work in the cloud.............. 28
Data-centric security in the cloud................................................ 28
Table of Contents iii
Shared Access Management.............................................................. 30
Understanding why identity matters........................................... 30
Integrating identity into the cloud............................................... 30
CHAPTER 4: Monitoring the Cloud.............................................................. 33

Monitoring, Detecting, and Responding........................................... 33
Implementing cloud security with big data................................ 34
Integrating cloud security events into the SIEM......................... 34
Collecting, Consolidating, and Correlating....................................... 35
Continuous Regulatory Compliance................................................. 36
Whose job is compliance?............................................................. 36
Why should you care?................................................................... 37
Data Sovereignty................................................................................. 38
Business Continuity and Disaster Recovery Planning.................... 40
CHAPTER 5: Ten Tips for Implementing a

Secure Cloud Platform........................................................... 43
iv Hybrid Cloud Security For Dummies, HPE Special Edition
Introduction
O
ver the past decade, cloud computing has allowed busi-
nesses and data centers to transform from a static, client/
server infrastructure into a virtualized, service-based
model where the business dictates the requirements, and IT is
expected to follow. There is no disputing the fact that the dynamic
nature of cloud computing — whether consumed as a public, pri-
vate, or hybrid cloud model, and whether delivered as
Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or
Software as a Service (SaaS) — has significantly changed the way
in which businesses operate today.
Industry research firm IDC has described this new model of IT

for mobile devices, cloud services, social networks, and big data
analytics as the third platform — with the first platform being
mainframe computer systems, and the second platform being
client/server systems (www.idc.com/prodserv/3rd-platform).
Hewlett Packard Enterprise (HPE) calls this evolution to the third
platform the New Style of Business, because HPE sees IT being
given the ability to drive new business opportunities by quickly
delivering revenue-generating products, services, and experi-
ences. Cloud is one of the aspects of this New Style of Business
that allows IT to directly impact business strategy by energizing
growth and boosting productivity.
However, at the same time, businesses are increasingly becom-

ing victims of cyber attacks, and chief information officers (CIOs)
are becoming more and more aware of the impact that a cyber
incident can have on the profitability of an organization. Indeed,
some recent research carried out by HPE and the Ponemon Insti-
tute (www8.hp.com/us/en/software-solutions/ponemon-cyber-
security-report/) found that the average annualized cost of
cybercrime was $7.7 million in 2015, a net increase of 1.9 percent
over the previous year. So, it shouldn’t come as a surprise that
security is viewed as the number-one barrier to further cloud
adoption, with nine out of ten organizations surveyed in a recent
study commissioned by AlienVault saying they were very or mod-
erately concerned about public cloud security issues.
Introduction 1
About This Book
This book explores the cloud security threat, principles of a hybrid
cloud security architecture, and some of the security aspects of
HPE Helion OpenStack. It also looks at some of the individual
cloud-centric security technologies that HPE offers, and how
these technologies and services can help an organization to
strengthen its cloud defenses.
Foolish Assumptions
Agatha Christie once said that assumptions are dangerous things,
but in writing this book, I’ve assumed the following about you:
»» You work in the IT industry. Perhaps you define IT strategy

for a large enterprise, or maybe you’re a jack of all trades in a
smaller company. Either way, you’re familiar with a broad
range of IT topics, and you have a basic understanding of the
concepts of cloud and security.
»» You’re looking to benefit from “cloud.” Maybe you have a
traditional on-premises infrastructure and are looking to
migrate some of your IT functions into the public cloud. Or
perhaps you’re looking to create your own private cloud to
enable IT to be more flexible in meeting your business
requirements.
»» You’re a business or technical decision maker in your
organization, and you’re interested in learning more
about securing your hybrid cloud infrastructure. If so,
read on — I’ve written this book for you!
Icons Used in This Book

Throughout this book, I use special icons to call attention to
important information. Here’s what you can expect:
This icon points out information that may well be worth com-
mitting to your nonvolatile memory, your gray matter, or your
noggin — along with anniversaries and birthdays!
2 Hybrid Cloud Security For Dummies, HPE Special Edition
You won’t find a map of the human genome in this book, but if
you seek to attain the seventh level of NERD-vana, perk up! This
icon explains the jargon beneath the jargon!
Thank you for reading. Hope you enjoy the book. Please take care
of your writers! Seriously, this icon points out helpful suggestions
and useful nuggets of information.
Proceed at your own risk . . . well, okay — it’s actually nothing

that hazardous. These useful alerts offer practical advice to help
you avoid making potentially costly mistakes.
Beyond the Book

If you’d like to find out more about anything covered in this book,
check out www.hpe.com/cloud or www.hpe.com/cloud/security.
Or subscribe to HPE’s blog at http://community.hpe.com/t5/
Grounded-in-the-Cloud/bg-p/sws-661 to receive regular updates
about all things cloud.
Where to Go from Here

This book is intended as a reference work. You can read it from
beginning to end, like every good book, or you can jump into a
particular chapter that sparks your interest.
The field of security is very dynamic — it changes regularly as

new security threats are identified, and new technologies released.
The information in this book is current at the time of publication,
but I encourage you to use the book as just one of your sources
of information — I haven’t covered everything you need to know
about hybrid cloud security, but this is a good place to start.
Introduction 3
IN THIS CHAPTER
»» Defining hybrid cloud
»» Understanding the cloud security threat
»» Getting clear on the principles of hybrid

cloud security
Chapter 1
Introducing Hybrid
Cloud Security
I
n this chapter, I fill you in on the hybrid cloud and some of
the security threats in a cloud environment. I also discuss the
principles of hybrid cloud security and the importance of due
diligence.
Hybrid Cloud Defined

Cloud is a business catalyst, but there’s no one-size-fits-all solu-
tion. To stay competitive, you need an optimized internal envi-
ronment fused with the right mix of private cloud(s) and public
cloud(s) — in other words, a hybrid cloud.
Most organizations that are considering moving to the cloud

quickly realize that they won’t be able to put everything into the
cloud on day one. Maybe they still have legacy applications run-
ning on mainframes, or maybe some of the information that they
handle is just too sensitive to be stored in a public cloud environ-
ment, regardless of the security controls that are put in place.
This is where a hybrid cloud model can help. Applications that can
be safely and cost-effectively hosted in a public cloud, maybe as
a Software-as-a-Service (SaaS) offering, get hosted with a cloud
CHAPTER 1 Introducing Hybrid Cloud Security 5
provider. One organization might use several different providers
for different applications — for example, Dropbox for file storage,
Microsoft Office 365 for online collaboration tools, and Salesforce
for CRM systems.
Other applications that can benefit from the scalability and flex-
ibility of cloud, but require a bit more customization than a stan-
dard SaaS offering, get moved into Infrastructure-as-a-Service
(IaaS) or enterprise Platform-as-a-Service (PaaS) infrastructure,
as part of either a public cloud or a private cloud. In the case of
a private cloud, the entire infrastructure is run for a single cus-
tomer, whereas with a public cloud the cloud instances are hosted
in a shared environment, such as Microsoft Azure or Amazon Web
Services. IaaS and PaaS can be used for systems hosting home-
grown business intelligence applications or databases, or simply
any applications that are suitable to run in the cloud.
Finally, more traditional or legacy systems, or sensitive business-

critical applications — for example, transaction processing in a
banking environment — remain in the on-premises data center.
For every organization, this “right mix” of private and public

cloud is different. HPE has developed a tool that provides you
with new insight for cloud strategy and helps you to determine
your right mix. You can find it at https://www.hpe.com/us/en/
cloud-apps/right-mix/.
Cloud Models
A number of different cloud delivery models are available for
enterprises today. The main three are
»» Public cloud: In the public cloud, the cloud infrastructure is

typically owned by an organization selling cloud services (known
as a cloud service provider, or CSP), and delivered to the general
public on a subscription basis. Within public clouds, there are a
number of different service or consumption models:
• Infrastructure-as-a-Service (Iaas): In IaaS, the CSP provides

the virtualized computing infrastructure. This generally
includes virtual compute instances, network connectivity,
IP infrastructure, bandwidth, load balancers, and
firewalls. The subscriber is responsible for installing and
maintaining everything above the hypervisor (from the
operating system upward). Well-known examples of IaaS
include Amazon EC2 and Rackspace Cloud Servers.
• Platform-as-a-Service (PaaS): In PaaS, the CSP provides an

additional layer on top of the infrastructure. Services
include operating system, network access, storage,
database management systems, hosting, server-side
scripting, and support. The subscriber can use this
environment and the tools provided to create software
applications. Examples of PaaS include Salesforce Heroku
Enterprise, AWS Elastic Beanstalk, and Microsoft Azure.
• Software-as-a-Service (SaaS): In this model, the subscriber

consumes a software application across the Internet.
The subscriber has no infrastructure or applications to
manage and update, no setup or hardware costs, and
application accessibility from any Internet connection.
Examples of SaaS include Salesforce CRM and Microsoft
Office 365.
»» Private cloud: In the private cloud, the cloud infrastructure
is operated solely for an individual organization. The
infrastructure may be managed by the organization itself or
by a third party, and it may be located either on-premises or
off. Typically, a private cloud provides internal developers a
form of enterprise PaaS, such as HPE Helion Stackato,
Pivotal, or Red Hat OpenShift.
»» Hybrid cloud: In the hybrid cloud, the cloud infrastructure is
a combination of both private and public cloud instances
that remain unique entities, but are bound together by
standardized or proprietary technology that enables data
and application portability (for example, cloud bursting, in
which an application is hosted on a private cloud but shifts
over to the public cloud when the private cloud can’t handle
the demand).
Different Clouds, Different

Security Requirements
Each of the different cloud models has different security require-
ments. For example, with a public cloud SaaS instance, the hosting
CSP is typically responsible for the security of the solution. The
CSP designs the cloud solution to provide adequate control and
authentication capabilities and to protect the infrastructure
against all manner of cyber threats. The CSP also works to see
that due care is taken in protecting the data held within the cloud.
With a public cloud IaaS instance, the CSP offers basic infrastruc-
ture security — for example, firewalls and VPN connectivity —
but the subscriber is responsible for everything else.
Make sure you’re clear what your CSP is responsible for, and what
it’s not.
Cloud Security Threats

For most IT executives considering moving into the cloud, one of
the two biggest stumbling blocks is security (compliancy is the
other). This book focuses on the security controls that you can use
to make the cloud a more secure place, but what are you actually
protecting the cloud from? What are the threats that cloud cus-
tomers experience out there in the big bad world of cyber attacks?
The Top Threats workgroup at the Cloud Security Alliance

regularly publishes a report that highlights the main security
issues for cloud computing. At the time of publication of this
book, the most recent report was entitled “The Treacherous 12:
Cloud Computing Top Threats in 2016” (http://downloads.
cloudsecurityalliance.org/assets/research/top-threats/
Treacherous-12_Cloud-Computing_Top-Threats.pdf). It’s worth
downloading a copy to learn more about the threats.
Many of these threats are also present in the traditional data cen-
ter environment — threats like data breaches, system vulner-
abilities, or malicious insiders will continue to exist regardless of
where the data is stored and processed.
The difference from a cloud perspective, of course, is the increase

in accessibility to the data — and the challenge of the IT security
professional responsible for securing a cloud environment is how
to adapt standard security processes and controls to work well in
this hybrid environment.
Principles of Hybrid Cloud Security
When discussing how to securely transform to a hybrid infra-
structure with clients, HPE focuses on three main security-first
principles. These principles are the same regardless of the CSP,
and they offer a very good foundation for understanding cloud
security.
Shaping security standards

Standards make everything easier, especially interoperability.
So, when you’re choosing a cloud security solution provider, it’s
important to work with a partner that supports the various secu-
rity standards. Top cloud security solution providers also help to
shape security standards — for example, by sitting on the board
of standards committees, leading industry security teams, and
encouraging community collaboration.
By following a standards-based security philosophy, your solu-

tion provider will make itself as visible as possible in every aspect
of hybrid cloud security. It will also be able to continuously work
to protect your hybrid cloud from the constantly changing secu-
rity threat.
Shared responsibility
The responsibility for information security can’t be outsourced,
especially in a cloud environment. Ultimately, the buck stops
firmly within the four walls of your own organization.
Be sure to find the right mix of involvement for end users and
solution providers. The vendor may deliver best-in-class security
solutions, but it’s up to the end user to define the right security
policies to protect his or her business model and manage those
security policies from within the cloud, following industry best
practices.
Defense in depth
There is no silver bullet for security — no single solution that will
solve all your security challenges. Especially in a cloud environ-
ment, it’s important to provide multiple layers of security con-
trols, creating redundancies in the protection offered. For example,
infrastructure controls can exist in tandem with host layer protec-
tion, as can application controls and data security tools.
With an integrated approach to security, you can use some of the

same security tools to protect public cloud, private cloud, and tra-
ditional IT, delivering cost savings and reducing the complexity of
securing the hybrid infrastructure.
HOLISTIC SECURITY CONTROL

COVERAGE: THE HPE P5 MODEL
The HPE P5 Model focuses on the fact that a secure hybrid cloud
architecture requires much more than just security products. It also
requires security-minded people, policy and procedure, process, and
proof “security controls” so that the cloud solution is actually being
operated and managed at a certain security level:
• People (P1): Ensures that the right staff with the right knowledge
is performing the correct roles to oversee cloud computing secu-
rity and that users and consumers are made responsible and
knowledgeable on security aspects.
• Policies and procedures (P2): Ensures that the right set of poli-
cies and procedures are in place to govern the security and busi-
ness continuity of a cloud.
• Processes (P3): Ensures that the proper security and business
continuity process models are in place to safeguard the transfer of
data between the consumers and the provider of the cloud ser-
vices and to ensure to proper and secure operation of the cloud
services.
• Products (P4): Ensures that the appropriate defense-in-depth
technologies and solutions are in place to manage and mitigate
security risks.
• Proof (P5): Determines if the correct validation methods, metrics,
and/or key performance indicators (KPIs) are used to track security
control effectiveness in a hybrid cloud.
The P5 Model is part of the HPE Information Security Service

Management (ISSM) Methodology that HPE consulting uses to define
complete security programs for customers.
Due Diligence
With any model of cloud deployment, it’s possible to outsource
the management of operations and the management of the data,
but it’s never possible to outsource the risk an organization intro-
duces by moving its workloads and data into a cloud environment.
This is true regardless of the cloud deployment model, especially

when it’s put into perspective with directives such as the new EU
data protection and data breach notification regulations (http://
ec.europa.eu/justice/data-protection/reform/files/
regulation_oj_en.pdf), where organizations can be subject to
fines of up to €20 million or 4 percent of annual revenues if a
breach occurs.
With any planned move to the cloud, you need to follow a full
risk-based approach to ensure that all involved parties are con-
sulted and the implications of moving data and workloads to the
cloud are fully assessed. There should be a common understand-
ing that a breach is inevitable, sooner or later. The processes that
are put in place to deal with this, and the way that the incident
is handled post-breach, will ultimately determine whether the
organization can survive in the long run.
Among the many things to consider when performing due dili-

gence, some of the following areas are worth investigating:
»» Confidentiality: Before moving data to the cloud, you need

to understand the classification of the data. What would be
the impact to the business if the data were to inadvertently
end up in the public realm? How would it damage the
company’s reputation? What technical controls can be
deployed to protect the information?
»» Availability: Availability is one of the main advantages of an
elastic cloud, but what about the impact of non-availability?
How long can your business support a traditional application
not having access to a cloud-based back end? Can real-time
applications deal with the additional latency introduced by
the move to the cloud? How quickly can Disaster Recovery as
a Service (DRaaS) get you back online? What happens if your
CSP goes out of business?
»» Provider suitability: Your CSP will be providing an exten-
sion to your own IT infrastructure, so it’s vital to understand
how it handles its security operations. Has your CSP been
assessed by an independent auditor? Does it have a recent
audit report? How do its service-level agreements (SLAs)
relate to your own internal SLAs?
»» Impact of compliancy: What compliancy regulations are
relevant for your business? Are you performing credit card
transactions? Look at the Payment Card Industry Data
Security Standards (PCI DSS). Maintaining U.S. health data?
Consult the Health Insurance Portability and Accountability
Act (HIPAA). Storing personal data from citizens in the EU?
Know the General Data Protection Regulation (GDPR) and
EU-U.S. Privacy Shield.
Given that many regulations enforce sizeable monetary
penalties for noncompliance, and may hold company
directors personally liable, it’s vital to understand compliancy
requirements before embracing the cloud.
IN THIS CHAPTER
»» Understanding the challenges with
traditional security controls in the cloud
»» Securing compute instances
»» Defining micro-segmentation
»» Introducing containerization
Chapter 2
Hardening the Cloud
Environment
I
n this chapter, I fill you in on some of the controls you can
use to secure the cloud environment. I discuss the value of
using micro-segmentation to protect the cloud network, and
introduce some of the security challenges around implementing
containerization.
Building Security into the Cloud

Many of the security controls that are used to protect tradi-
tional data center architectures have equal value in a cloud-based
environment. After all, behind every great cloud there’s a great
data center.
Organizations need to incorporate cloud security into a more gen-

eral organizational security program, and ensure that all require-
ments are covered equally. In fact, security is typically listed
alongside governance, business, and management as one of the
four main functional areas that span both traditional and cloud-
oriented IT functions.
CHAPTER 2 Hardening the Cloud Environment 13
ARCHITECTURAL METHODOLOGY
To structure and streamline its Cloud Protection Reference
Architecture, HPE used the methodology described in the HPE Global
Method for IT Solution Architecture (HPE GM ITSA) and the holistic
security control approach provided by the HPE P5 Model.
HPE’s ITSA provides an architectural methodology for defining and

describing complex IT solution architectures that align top down from
the organization’s risks, goals, and business requirements to ensure
final implementation is a success. The result is a holistic and unified
hybrid cloud solution architecture that incorporates the viewpoints
and interests of all stakeholders involved.
The HPE GM ITSA provides a methodology for defining and describing

IT solution architectures that is the starting point for HPE consulting
engagements with customers. To construct as complete a picture as
possible of an IT solution architecture that incorporates the view-
points and interests of all stakeholders involved, HPE GM ITSA
approaches solution architecture using four viewpoints:
• Business view: The business view answers the question “Why are
we doing this?”
• Functional view: The functional view answers the question “What
should the solution do?”
• Technical view: The technical view answers the question “How
should the solution work?”
• Implementation view: The implementation view answers the
question “With what will the solution be built?”
A number of technology areas within a cloud functional refer-

ence architecture can be complemented by the cloud security pro-
gram. The most important ones are highlighted in Figure 2-1. The
remainder of this book addresses each of these areas, along with
some of the HPE solutions that can be used to help a cloud-based
organization increase its security posture.
FIGURE 2-1: Technical cloud security principles and capabilities.
Recognizing the Challenges with

Traditional Infrastructure Security
In a traditional, pre-virtualization data center, infrastructure
security was about using a hardware firewall, intrusion detection
system (IDS), and intrusion prevention system (IPS) to separate
servers into individual network segments, and apply security
controls to the traffic passing between those segments. Security
within the segments themselves was enforced on individual serv-
ers by keeping security patches up to date, and implementing
host-based IPS and anti-malware solutions.
In the virtualized or cloud data center, you can’t rely on hardware

appliances to provide the network segmentation because, more
often than not, the traffic travels from east to west, from virtual
machine to virtual machine, and it never meets the controls on
the physical network.
Plus, in a dynamic cloud environment, with rapid provisioning
and deprovisioning of compute instances, traditional patch man-
agement approaches don’t scale.
Providing Security for Compute Instances

In a cloud environment, and especially where different custom-
ers may be sharing the same physical infrastructure below the
virtual compute instances, you need to be able to provision virtual
compute instances securely. This includes but is not limited to the
following:
»» Virtual machine (VM) hardening

»» Authentication and authorization
»» Host based anti-malware
»» Secure communications
»» Secure backup and recovery
»» VM security scanning
»» Remediation
»» Compliance monitoring
»» Secure deprovisioning
»» Secure multitenancy
Most of these controls are dealt with by organizational policy.
There isn’t much difference between how some of these issues
are dealt with in a traditional data center and the way they’re
dealt with in a cloud-oriented data center. However, secure multi-
tenancy is tied very closely to the cloud infrastructure, so it’s
worth looking at in a little more detail, which I do in the following
section.
Making Sense of Network Multitenancy

According to the Gartner IT Glossary (www.gartner.com/it-
glossary), multitenancy is
a reference to the mode of operation of software where
multiple independent instances of one or multiple applications
operate in a shared environment. The instances (tenants) are
logically isolated, but physically integrated.
In a cloud-specific networking environment, multitenancy allows

different tenants to share the same physical infrastructure and,
if implemented correctly, even the same private IP ranges as one
another, without running into any resource or communication
issues.
Here’s an example of how this works within HPE Helion Open-

Stack, a cloud operating system (OS): The Neutron networking
module offers a highly customizable networking experience,
where consumers of the cloud can create complex network topol-
ogies through abstracted routers, networks, subnets, and ports.
All of this is customizable on a per-tenant basis and, through the
use of cloud automation tools, by the tenant in near real-time
without having to involve the networking team.
The advantage of this model is that, through the use of ten-

ant routers, complete network architectures can be created, and
they can even support the deployment of multitier applications
by placing each tier on a separate network behind the tenant’s
router. This approach can introduce a degree of complexity, but
it also offers a good level of security through complete network
separation.
Neutron can provide all this functionality natively to Helion Open-

Stack, but it also provides integration through plugins to third-
party network virtualization tools. HPE, through relationships
with VMware and Nokia–Alcatel Lucent, offers both the VMware
NSX platform, and the HPE DCN platform to deliver enterprise
(NSX) and service provider (DCN) class network virtualization.
The products have a different feature set and end customer in
mind, but at a high level, from a security perspective, the func-
tionality is very similar and they’re good examples of software-
defined networking (SDN) overlays, which brings me to the next
section.
Understanding Software
Network Overlays
SDN is starting to become popular in both on-premises and cloud-
based data centers because of the flexibility it can provide over a
traditional data center network (often referred to as a hardware-
defined network).
For years, enterprises have built networks around hardware

switches and routers, and it has been accepted that the network is
defined by the capabilities offered in the network operating sys-
tem. Because Ethernet follows standards, for the most part there
is interoperability between network devices from different ven-
dors, and devices talk happily to one another.
However, some of the advanced features remained specific to

individual hardware vendors. One example of this has to do with
virtualizing individual network devices into a single distributed
device. HPE chose to develop and use the IRF protocol, whereas
Cisco went with VSS. At a high level, both protocols offer simi-
lar functionality, but to implement the technology network-wide
would require standardization on a single hardware vendor.
Alternatively, SDN allows network administrators to manage

the network at a software abstraction layer. SDN-compatible
switches, often supporting the OpenFlow protocol, separate the
control plane from the data plane, allowing an SDN control-
ler to programmatically control the switch using a northbound
API. This effectively removes the barrier of using a single hard-
ware vendor, while still maintaining a network fabric with a high
level of functionality.
The concept of SDN also extends to a virtualized network — for

example, in a cloud — and allows the virtual switches to be pro-
grammed independently from the hardware network underlay by
cloud automation tooling. This provides a lot of flexibility from a
security perspective.
Here are three of the main features of an SDN overlay in a virtual-

ized environment:
»» Micro-segmentation: Traditional networking separates

logical networks through virtual local area networks (VLANs),
Internet Protocol (IP) subnets, and routers. But more and
more traffic in a cloud or virtualized data center is going
east–west rather than north–south. This means that security
devices that have been deployed to offer perimeter protec-
tion are no longer able to see as much of the network traffic
as they previously could. Micro-segmentation deals with this
by deploying distributed routers at the hypervisor level and
enabling access control lists (ACLs) at the closest enforce-
ment point to the VM itself — between the virtual switch and
the virtual network interface controller (NIC).
»» Service chaining: Service chaining (also called service
composer or service insertion) is the ability to integrate other
network security (or network management) devices into
the cloud network environment. It provides particular value
for east–west traffic. For example, both NSX and DCN can
integrate with third-party next-generation firewall solutions
(like the physical and virtual firewall solutions from vendors
such as Fortinet or Palo Alto Networks) to add an additional
layer of control for the traffic that is passed in between VMs.
The service chaining configuration is typically managed at
the distributed router level to provide the needed flexibility.
»» Secure access: Network overlay solutions support the ability
to create VPN tunnels for use to provide either secure access
to clients or secure site-to-site tunnels.
All network virtualization platforms offer integrated management

capabilities, but the best practice would be to use a cloud manage-
ment platform (for example, HPE Cloud Service Automation or
VMware vRealize) to automate the creation of network instances.
Considering the Value of

Containerization
Recently, a new method of provisioning virtualized compute has
started to become popular, driven by emerging vendors such as
Docker and Mesosphere.
Standard virtualization offered by VMware, Microsoft Hyper-v, or
KVM provides a hypervisor upon which multiple instances of an
operating system may be provisioned and used. Containerization
differs from this by offering OS-level virtualization — multiple
isolated user space instances sharing a single kernel.
This approach provides a lightweight virtualization technology

and affords much better use of system resources. A container has
its own process space, network interfaces, root file system, and
set of binaries and libraries (static and dynamic). Containers on
the same OS instance share the same running kernel.
You no longer need to build a dedicated OS instance to support a

single business application. Instead, the application can be con-
tainerized and run in tandem with many other container instances
on top of a single OS instance.
There are a lot of advantages to using container-based virtualiza-

tion, but there are also a lot of security concerns that need to be
addressed in order to have a secure running container environ-
ment. In particular, it’s worth noting that containers running on
top of a single kernel create a single point of failure. If a malicious
or misconfigured container somehow managed to cause a kernel
panic in the host OS, all containers would be impacted.
A full study of the security of containers is beyond the scope of

this book, but here are some tips worth considering:
»» Apply security patches to the host OS regularly. Better still,

use a security hardened host OS.
»» Make sure patches are applied not only to running contain-
ers, but also to container images. Container instances
typically have a short operational life span.
»» Only deploy containers from trusted sources.
»» Run containers with limited privileges.
»» Apply appropriate limits to avoid resource exhaustion.
»» Restrict networking ports to only those needed.
CASE STUDY: HPE HELION
OPENSTACK SECURITY
To understand how a provider may customize a cloud OS to improve
security, it’s worth looking at some of the work that HPE has carried
out to add to the security of the open-source OpenStack OS.
HPE Helion OpenStack was designed with three key targets in mind
from a security perspective:
• HPE started by forking the mainstream OpenStack release in order

to harden the platform and undergo a security review process.
• Security enhancements were introduced to address enterprise
and carrier grade requirements.
• HPE differentiated the involvement with the OpenStack project by
contributing security innovations upstream where possible.
The aim of hardening the distribution is to provide a strong, secure

HPE Helion OpenStack deployment, proactively protecting the OS and
applications from external or internal threats by enforcing good
behavior and preventing unknown exploits. HPE includes the follow-
ing steps in the platform hardening:
• The attack surface is reduced by shipping only the OpenStack

packages that HPE Helion requires.
• Mandatory access control policies for OpenStack compute compo-
nents are enforced by enabling AppArmor profiles at the OS level.
• Access to the external OpenStack endpoints is TLS encrypted, as is
all internal traffic between the services.
• Quotas are enforced on network, storage, and compute resources.
• Security groups are created for Neutron Virtual Network to help
segment and isolate network traffic.
Additionally, a security threat review is carried out. This review is

required for all new HPE Helion products and services, as well as for
significant changes to existing HPE Helion products and services. So
far, more than 200 security reviews have taken place. They’re carried
out by architects with many years of experience in the public cloud
space. HPE Helion also performs source code analysis to try to iden-
tify any vulnerabilities in the HPE Helion source code. A combination
(continued)
(continued)
of the open-source Bandit tool (to which HPE is a major contributor)

and HPE Fortify toolset is used to locate vulnerabilities, and any high
risks identified are mitigated before the code is released. Also, every
HPE Helion release undergoes penetration testing and vulnerability
assessment scans.
In terms of upstream innovations, HPE is actively involved in a

number of work groups, including the OpenStack Security Group
(OSSG) and the Vulnerability Management Team (VMT), which have
merged to create the OpenStack Security Project. Additionally HPE
has played a major role in co-authoring the OpenStack Security Guide
and contributing to OpenStack Security Notes (OSSN).
Here are some of the tools that HPE has co-developed in order to
help differentiate Helion OpenStack as a security-hardened product:
• Anchor: An ephemeral public key infrastructure (PKI) system built

to enable cryptographic trust in OpenStack services in a way that
doesn’t rely on broken provisioning and revocation mechanisms
that undermine most PKI deployments. Anchor issues certificates
for short periods of time (typically 12 to 24 hours), meaning that if
a node is no longer trusted, subsequent certificate signing
requests (CSRs) would be denied instead of having to rely on a cer-
tificate revocation list (CRL).
• Bandit: An automatic source code analysis tool designed to find
common security issues in Python code. Bandit uses an abstract
syntax tree to select and run appropriate tests and is used during
pen testing and code reviews of the HPE Helion OpenStack source
code.
• OpenStack Native Encryption: Encompassing Cinder, Nova-
ephemeral, and Swift object storage, it provides data at rest (DAR)
encryption, an often essential compliance requirement. Key man-
agement is a pivotal part of this work and has become an impor-
tant integration point for HPE Security’s Atalla ESKM product.
• Barbican: A representational state transfer (REST) application
programming interface (API) designed to provide Secrets as a
Service — the secure storage, provisioning, and management
of secrets such as passwords, encryption keys, and X509
certificates — within the OpenStack OS.
IN THIS CHAPTER
»» Identifying the role of security in the
software development life cycle
»» Understanding the need for encryption in

the cloud
»» Highlighting the role of identity in the cloud
Chapter 3
Securing the Application
Life Cycle
I
n this chapter, you learn about improving the quality of appli-
cations by introducing security into the software development
life cycle (SDLC), the value of data-centric encryption, and the
importance of understanding identity when adopting cloud.
Identifying the Need for Improved

Application Security
The cloud platform and compute instances can be configured
very securely, but often the weaknesses that hackers are after
are at the application level. In fact, research by HPE shows that
up to 84 percent of recent breaches were aimed at application
vulnerabilities.
This new reality demonstrates a change in the focus of cyber

criminals. Ten years ago, criminals were focusing on vulnerabili-
ties in infrastructure, operating systems, and off-the-shelf prod-
ucts. Today, organizations are creating more custom software to
CHAPTER 3 Securing the Application Life Cycle 23
fulfill specific business needs, and hackers are also starting to
focus on finding vulnerabilities in these made-to-measure appli-
cations for maximum impact.
Over time, organizations such as Adobe, Apple, HPE, Microsoft,

and SAP have become much better at identifying and correcting
vulnerabilities in their own products, whereas in-house devel-
oped applications often don’t follow the same stringent checks to
reduce vulnerabilities. So, although hackers still exploit operating
systems where they can, they can often more easily find vulner-
abilities elsewhere in the application stack, and use those vulner-
abilities to extract data.
Especially in a cloud environment, where the emphasis is on agile

DevOps and frequent code updates, security is often overlooked.
Without effectively integrating security into the SDLC, vulnerable
applications can be released into production with little concern
for the consequences.
Integrating Security into the Software

Development Life Cycle
In addition to the impact a breach can have, the cost savings that
result from fixing vulnerabilities as early in the SDLC as possible
can be considerable. Research has shown that it can cost up to
30 times less to fix a vulnerability at the early stages of prod-
uct development than it costs after the software has gone into
production.
If an organization is able to introduce security into the mind-

set of software developers, they’ll be able to improve the quality
of the software and reduce the costs involved with out-of-cycle
patch releases. There are products available that developers can
use to scan code before it gets released, but a lot of the success
from a software assurance program comes from changing the
mentality of the organization. Organizations need to
»» Get buy-in from senior management to sponsor security

projects within the development organization.
»» Involve people from the application security team at the
product requirements planning stage.
»» Introduce source code scanning as a gate process, ensuring
that all code intended for release into a production environ-
ment is first scanned using whatever tool the organization
has chosen.
The process of adding security to the SDLC is known as software

security assurance (SSA). There are generally considered to
be three complementary approaches to perform SSA: static
source code analysis, dynamic application security testing, and
run-time application self-protection.
Static source code analysis

Static application security testing (SAST) tools offer developers a
way to integrate security into the SDLC by providing automated
static code analysis. SAST tools scan source code, identify root
causes of software security vulnerabilities, and correlate and pri-
oritize results before the code is compiled and released, provid-
ing line-of-code insight for closing security gaps. This, in turn,
reduces business risk by quickly identifying the vulnerabilities
that pose the biggest threat to the security of the application, and
reduces development costs by identifying vulnerabilities early in
the SDLC process.
A number of open-source and commercially available solutions

are on the market and worth investigating. Within the HPE
security portfolio, the Fortify SCA product is available either as
a consultant-based license or as a Software-as-a-Service (SaaS)
offering, called Fortify on Demand.
Dynamic application security testing

After software (whether in-house developed or third-party
sourced) has been deployed into production or a test environment,
dynamic application security testing (DAST) comes into play.
DAST tools are automated dynamic testing tools that mimic real-
world hacking techniques and attacks, providing comprehensive
dynamic analysis of complex web applications and services. This
approach allows organizations to optimize testing resources by
bringing professional-level testing to novice security testers, and
to go beyond black box testing by integrating dynamic and run-
time analysis to find more vulnerabilities and fix them faster.
DAST tools typically are strong in analyzing web and mobile

applications, and they’re often available either as local installs
or cloud-based solutions. Within the HPE product family, For-
tify WebInspect is available as a consultant-based license, and
dynamic scanning is a feature of the SaaS offering, Fortify on
Demand.
Run-time application self-protection

In a perfect world, if all software vulnerabilities have been
removed during the coding stage and confirmed during dynamic
application testing, then the application security problem should
be sorted out, right? Unfortunately, no. Typically, a scan using
SAST will find many more vulnerabilities than the development
team is able to correct within the necessary time frame, so the
vulnerabilities need to be prioritized; often, only the most criti-
cal security problems will be fixed, with the development team
accepting the risk of releasing the software.
This is where run-time application self-protection (RASP) comes

into play. RASP solutions protect production applications from
the inside out. Such solutions are able to accurately distinguish
between a legitimate request and an actual attack by performing
run-time analysis of application logic and data flows. By using
contextual insight from within the application itself, you can con-
fidently identify and stop attacks that traditional network security
tools, such as intrusion prevention systems (IPSs) and web appli-
cation firewalls (WAFs), can’t see.
RASP solutions are fairly new. There are also other technologies
that can offer similar functionalities in a cloud, but they typically
work from an outside-in approach rather than inside-out. As an
alternative to RASP, cloud applications can be protected using a
WAF, a network IPS (NIPS) or host IPS (HIPS), or more tradi-
tional controls such as antivirus (AV) software. The RASP solution
within the HPE Fortify portfolio is HPE Application Defender.
Knowing the Importance of
Data-Centric Security
In addition to securing the application, you need to secure the
data being used by the application.
One of the major concerns for any organization putting data into
the cloud — whether the data is customer records or intellectual
property — is what happens to that data if the cloud instance
is breached. If you believe that sooner or later every company
will get breached, security becomes even more relevant. A suit-
able solution to the problem is data encryption — after all, if the
information is stored in a format that makes no sense to hackers,
it will have limited value to them if they steal it.
The use of encryption technologies is also a key discussion point

around compliancy and regulations — for example, with Payment
Card Industry Data Security Standard (PCI DSS) compliancy. PCI
DSS requirements apply to organizations where account data
(cardholder data and/or sensitive personally identifiable informa-
tion [PII] data) is stored, processed, or transmitted. The use of
encryption technology here can lower PCI costs by up to 90 percent
by reducing the systems that are in scope for certification.
There are a number of ways that data protection can be provided

in a cloud environment, and they all have to do with the life cycle
of data in a cloud environment.
»» Data in motion: Data that is being moved between two

points — for example, data moving from a corporate
network to a cloud environment, or data being transferred
between two cloud instances. Protecting data in motion
means preventing the data from being intercepted by an
unauthorized third party. The simplest way to achieve this is
by using secure communication protocols, including, but not
limited to, Secure Sockets Layer (SSL), Transport Layer
Security (TLS), or a virtual private network (VPN).
The encryption is point to point, and the data inside these
encrypted channels is typically not encrypted.
»» Data at rest: Data residing in a persistent format inside the
cloud — for example, file storage, or database records. The
key here is to protect the data being held inside the database
or file system so that if a cybercriminal were able to breach
the exterior defenses, the data inside the database or file
system would still be protected and of limited value. In a
cloud environment, especially one being managed by a cloud
service provider (CSP), it’s important to address the manage-
ment of the encryption keys, deciding exactly who should
have access to them.
»» Data in use: Data that has been loaded into an application
for processing, and is being held in the system memory.
Typically, this data is in a plain text format, and would be
readable by anyone able to intercept the information. If your
organization wants to work with true end-to-end encryption
through the life cycle of the data, you need to identify a
solution for data in use encryption.
Why traditional encryption doesn’t

work in the cloud
Traditional encryption methods have typically taken a layered
approach to data obfuscation — for example, starting with hard
drive encryption at the hardware level, database encryption at
the middleware layer, and encrypted network protocols at the
communication layer. The problem with this approach is that,
although the information is encrypted at some point in the data
life cycle, it doesn’t offer a full solution throughout the entire life
cycle.
Take the example of hard drive encryption. Encrypting the hard

drive in your laptop is important so that you can prevent unau-
thorized access to your data in case your laptop is lost or stolen.
But encrypting the hard drive in a cloud-based server won’t be of
any value to you when that server is booted and operating and the
contents of the hard drive are accessible to the operating system.
Data-centric security in the cloud

Given that a lot of the traditional encryption methods don’t
scale to the cloud, you need to find a method that does — and
this is where data-centric security can help. Data-centric security
involves encrypting the individual pieces of data that are being
stored, rather than encrypting the storage or transport medium
itself. The data then remains in this encrypted format through-
out the life cycle of the data, and it’s only decrypted by processes
that have a requirement to process the unencrypted version of
the data.
Traditional encryption methods, such as American Encryption

Standard (AES), work well to encrypt and obfuscate information,
but they completely change the format of the data, so applica-
tions need to be modified and data analytics solutions no longer
work. To approach data-centric security efficiently, a different
approach is needed.
One alternative is to use format-preserving encryption (FPE)

to encrypt structured data, such as Social Security numbers or
credit card numbers. FPE makes it possible to integrate data-level
encryption into legacy business application frameworks that were
previously difficult or impossible to address. It uses a published
encryption method with an existing proven algorithm to encrypt
data in a way that does not alter the data format. With FPE, encrypted
data retains its original format on a character-by-character basis,
so encrypted data can be used in existing data fields, removing the
need for application or database schema changes.
FPE is a mode of AES, recognized by the National Institute of

Standards and Technology (NIST). FPE is a technology used by
HPE in the HPE Security–Data Security family of products.
An additional way to deal with the protection of payment card

data in the cloud is through the use of tokenization. Tokeniza-
tion is the process of replacing sensitive data, such as the primary
account number (PAN), with a nonsensitive equivalent, known as
a token. Using tokenization to protect PANs can result in signifi-
cant PCI DSS audit scope and is considered a best practice.
HPE SecureData uses secure stateless tokenization (SST) to pro-

vide an enhanced approach to tokenization, including random
tokens with no databases, no data synchronization, no collisions,
and high performance.
Shared Access Management
Remembering usernames and passwords is a challenge for every
user, and the more applications that a user has access to, the
harder it is to come up with unique but memorable passwords.
Password management tools can definitely help here, but when
an enterprise is looking to adopt hybrid cloud and SaaS appli-
cations, being able to integrate the use of an enterprise identity
directory across all the cloud applications using identity federa-
tion is very beneficial.
Identity federation is the practice of linking a user’s identity and

attributes across multiple identity management systems.
Understanding why identity matters

Identity and access management (IAM) is the process of authenti-
cating the identity of users and authorizing their activities within
a system. In an enterprise system, IAM ensures that the right
people are using the system to perform only the activities that
they’re supposed to perform.
Authentication is the process of determining that a user is who he

says he is. In simple terms, this can be achieved by logging in using
a valid user ID and a corresponding password — assuming, of
course, that the password hasn’t been disclosed or compromised.
For organizations looking for stronger authentication security,

multifactor authentication (MFA) may be used. This could intro-
duce biometrics (fingerprint or iris scanning), a challenge response
mechanism, or one-time passwords in the form of soft tokens (for
example, SMS or Google Authenticator) and hardware tokens (RSA
SecurID) in addition to the standard user ID and password.
The second part of the IAM function is to provide user access

authorization, or the determination of which resources and
actions are available based upon the user ID, the role of the user,
and the projects that a user is provided access to.
Integrating identity into the cloud

In a cloud environment, the authentication function provides the
initial login to the cloud platform. For example, with OpenStack,
Keystone is the service responsible for authenticating users. It can
support multiple sources of authentication, including a built-in
authentication system and integrations with enterprise directo-
ries such as OpenLDAP or Microsoft Active Directory.
The focus of the authentication mechanism is to enable the local

cloud users to be able to operate cloud services, but the lack of
a number of important enterprise features often means that
cloud authentication is integrated into an external authentication
system. This has the benefit of being able to federate the cloud
authentication function into an enterprise directory, so that a
cloud user only needs to remember one set of credentials in order
to access both cloud and traditional on-premises applications.
Because OpenLDAP or Microsoft Active Directory is often used as

the single source of user authentication and information within
an enterprise, integrating cloud authentication with these ser-
vices makes a lot of sense.
Cloud authentication services also generally provide the capability

to integrate with Security Assertion Markup Language (SAML)–
based identity providers (IdPs) and authentication systems based
upon MFA. There are also a number of products on the market,
from vendors such as Ping Identity and Okta, which have devel-
oped plugins to support cloud-based services.
IN THIS CHAPTER
»» Understanding the value of security
intelligence in the cloud
»» Finding out about compliancy
»» Discovering issues around data

sovereignty
Chapter 4
Monitoring the Cloud
T
his chapter looks at the importance of event monitoring in
the cloud, and addresses some of the challenges around
compliance and regulations.
Monitoring, Detecting, and Responding

Industry regulations, compliance, and privacy are foremost among
the security-related concerns of most chief information officers
(CIOs) when they’re considering a move to the cloud. Organiza-
tions face threats that could disrupt operations and critical IT ser-
vices, and they need to deploy security solutions and implement
security controls that address those threats. Security solutions
that can proactively detect and protect against threats in real-time
are critical to enterprise success.
The traditional approach to monitoring security events is to

implement a security information and event management (SIEM)
platform as part of a 24/7 security operations center (SOC). A well-
implemented SIEM platform will collect, consolidate, and corre-
late security and operational events from multiple devices across
the entire enterprise infrastructure, and implement use cases to
deliver the relevant security information to the SOC analyst and
improve the security posture within the organization.
CHAPTER 4 Monitoring the Cloud 33
Implementing cloud security
with big data
In large enterprises, the number of events that a SIEM platform
can receive can be in the millions or even billions per day. For
example, the HPE SOC receives, on average, 21 billion security
events every single day. SIEM platforms use a variety of analyti-
cal techniques to reduce the huge amount of information that the
analyst receives to the most relevant information. These tech-
niques can include user behavioral analytics or malware analytics
to help detect both known and unknown threat vectors.
Integrating cloud security events

into the SIEM
Many enterprises already use a SIEM to monitor their on-premises
data centers and traditional IT environments. As they move their
infrastructures to the cloud, many of these same products can be
incorporated into the cloud environment to provide a unified real-
time view of the cloud along with the traditional IT environment.
Monitoring information coming from a private cloud can support

the following use cases, plus many others:
»» Getting real-time security alerts for brute-force attacks against

the cloud instances
»» Detecting malicious or unauthorized access to virtual machines,
volumes, or images
»» Quickly investigating accidental or intentional cloud service
outages
»» Compliance reporting for all user activity in the cloud
instance
Some Software-as-a-Service (SaaS) public cloud applications are

also starting to provide interfaces, very often application pro-
gramming interface (API) based, to enable cloud consumers to
receive security alerts from public cloud instances. Even without
this integration, enterprises can use cloud access security brokers
(CASBs) to gain information around public cloud usage. A CASB
is generally an appliance that sits at the perimeter of the enter-
prise, monitoring all public cloud usage, providing visibility and
blocking capabilities around public cloud usage. It integrates with
the SIEM and sends events to be correlated, providing enterprises
with the ability to monitor and detect a wide range of threats in
the cloud infrastructure, as well as with third-party apps.
With this extra visibility, security analysts can start to correlate

public cloud activity with on-premises alerts and build unique
profiles of the user activity. For example, analysts can
»» Identify usage of SaaS applications by unauthorized users

»» Identify potential data leakage as files are uploaded to online
file sharing tools
»» Correlate events on-premises with events in the cloud
Collecting, Consolidating, and Correlating

With the transition to cloud, the ability to see the security infor-
mation generated in the off-premises data center and, more
important, correlate that information with the alerts coming from
the traditional data center, can often be a challenge. However, the
strength of a SIEM can deliver significant value here in bridging
the gap between the two environments.
HPE ArcSight, an industry-leading SIEM, can collect alerts from

various cloud services. You can integrate ArcSight with the HPE
Helion OpenStack platform.
HPE Helion OpenStack uses LogStash, a centralized logging infra-

structure, to gather events and logs from the Helion OpenStack
environment, and LogStash can be configured to send these
events to a HPE ArcSight endpoint, typically an ArcSight connec-
tor. The connector then consolidates the events, converts them
into Common Event Format (CEF), and forwards them to the HPE
ArcSight Data Platform.
For example, consider a use case where a user enters the office
in London with a swipe card, and logs into her workstation using
her enterprise credentials. Every SIEM platform should be able
to correlate these two events as acceptable behavior. However,
five minutes later, the same user is identified as logging into her
Office 365 account from an IP address based in China — on its
own, this is also a normal event. Realistically, though, there is no
way that the user could have traveled from London to China in
such a short period of time, so this suggests that the Office 365
credentials may have been compromised. However, the only way
a security analyst could identify the malicious behavior is if the
cloud events are being correlated in context with the enterprise
events. ArcSight, together with the User Behavior Analytics mod-
ule, can detect anomalous user and entity behavior to help quickly
discover and prioritize the most suspicious and abnormal activi-
ties back to the security analyst in real-time, giving him powerful
analytics tools to be able to identify security incidents across his
entire IT infrastructure.
Continuous Regulatory Compliance

In a recent study carried out by 451 Research on behalf of HPE,
45 percent of respondents identified the ability to ensure compli-
ance with regulatory and policy requirements as one of the key
security challenges in moving to a hybrid cloud architecture. Many
organizations making the move to a cloud environment are strug-
gling with maintaining the compliance policies that have been
created for the traditional data center environment within a new
hybrid environment. They’re looking for solutions that allow for
shared policy compliance across infrastructures.
Whose job is compliance?

Regardless of where the data is stored, or which cloud model has
been chosen, responsibility for organizational risk remains firmly
with the organization. You can easily outsource your complete IT
operations capabilities to a third party, but you can never out-
source your organizational risk.
This means that although your chosen cloud service provider

(CSP) may offer some level of “compliancy” to a particular stan-
dard, it’s up to you to perform the appropriate due diligence to
understand whether the CSP’s idea of compliancy is the same as
your own, and understand the implications should the CSP get
breached or not be able to offer a fully compliant solution.
It’s also important to understand that being compliant is not

the same as being secure. A compliance standard may set a good
baseline for security, but it typically won’t dictate all the security
controls that need to be applied to be fully secure.
Why should you care?

Policy and compliance comes in a number of forms:
»» Security policies that have been defined by the business

for the business: Examples include operating system (OS)
hardening guidelines, or application usage policies. Although
it’s easy to create a template for a virtual machine and use
this every time a new OS is provisioned, it’s important to
remember that compliance in the traditional environment
is typically a point-in-time procedure. In a dynamic cloud
environment, there is a lot more value to be taken from a
continuous approach to compliance. You need to check for
compliance after an image or application is provisioned, but
also continue to check for compliance throughout the
lifetime of the service.
»» Compliancy requirements dictated by the industry
sector that you are operating in: Examples include
Payment Card Industry (PCI) compliance for companies that
are transacting credit card numbers, or Health Insurance
Portability and Accountability Act (HIPAA) for companies
involved in maintaining patient health records, as well as
industry best practices such as Center for Internet Security
(CIS) security guidelines.
Many of the recent regulatory compliance standards will
hold the organization, and in some cases even the individual
employee, responsible for any breach of compliance. The
responsibility may range from monetary fines to jail time for
company directors.
Some of the rules that may apply to your cloud include
the General Data Protection Regulation (GDPR), the
EU-U.S. Privacy Shield, U.S. security breach legislation,
Bundesdatenschutzgesetz (BDSG), and EU Data Protection
Directive 95/46/EC. Some of the industry regulations include
PCI, HIPAA, Sarbanes-Oxley (SOX), the Federal Risk and
Authorization Management Program (FedRAMP), the
International Traffic in Arms Regulations (ITAR), and the
Cloud Security Alliance (CSA) Security, Trust, and Assurance
Registry (STAR).
HPE offers a number of solutions that can help customers to
maintain uniform compliance across hybrid cloud infrastruc-
tures, including HPE IT Operations Compliance, HPE Verity, and
compliance reporting packs for HPE ArcSight.
Data Sovereignty
A main concern that organizations are faced with when consider-
ing the move to the cloud is the issue of data sovereignty (where data
is located in the cloud at any time). In the traditional data center,
it was fairly easy to address this concern: The data was stored on
servers in the data center, and it could easily be tied to a specific
geography. But in a cloud environment, the concept of geographical
boundaries becomes very blurry, especially when you look at large
CSPs offering elasticity, cloud bursting, and geographic redun-
dancy in the case of service outages. In fact, it’s usually impossible
to know with any degree of certainty exactly where your data is at
any particular time when the data is stored in a public cloud.
Safeguarding the privacy of the data is important. But it’s also

important to understand that data created in one geographical
location but stored in another may be subject to a different set
of rules.
Data sovereignty is an increasingly important issue due to the

adoption of cloud computing services. Businesses need to know
where data storage servers are located, and understand that regu-
lations vary by country. Complying with those regulations can be
costly. One such regulation, GDPR, is highlighted in the nearby
sidebar.
CASE STUDY: GDPR

The General Data Protection Regulation (GDPR) is a framework for the
28 member states of the European Union (EU), setting down a com-
prehensive approach for businesses to deal with the handling of sen-
sitive data around EU citizens. Because much of this data is likely to
be held in cloud-based applications, it’s worth understanding the
regulation to see how data stored in your enterprise cloud may be
impacted.
GDPR (Regulation EU 2016/679) was adopted by the EU in April 2016,
and is expected to come fully into force in May 2018, replacing the
older EU data protection directive (95/46/EC). Businesses are being
advised to start preparation for compliance with GDPR sooner rather
than later.
GDPR provides a single set of rules to all 28 member states, and

applies where the data controller/processor and/or the data subject is
located in the EU. This means that the regulation will also apply to
organizations located outside the EU, if they’re processing data related
to EU citizens.
Here’s an overview of the GDPR:
• Every regulated organization needs to employ a data protec-

tion officer. The data protection officer will be responsible for
monitoring IT processes, data security, and incident response
activities when data concerning EU citizens is involved.
• The data protection officer will also be responsible for breach
notifications to the supervisory authorities, as quickly as pos-
sible after a breach has been identified. Failure to disclose the
breach can lead to monetary fines as high as €20 million or 4 per-
cent of the organization’s annual revenue.
• Users must provide consent for the collection of data, as well
as the way the data will be used. The data protection officer will
also be required to prove that consent has been gained, as well as
allow users to withdraw consent at any time, and support the right
to erasure of any stored data on a number of grounds, including
noncompliance.
• The organization must support data portability, providing the
data owner with the possibility to transfer his or her data
from one electronic processing system into another.
• The organization must show responsibility and accountability.
It can do this by supporting privacy by design (for example, sup-
porting data protection when developing services and applica-
tions), providing data protection impact assessments, and giving
citizens the right to question automated decisions that impact
them.
Business Continuity and Disaster
Recovery Planning
Business continuity planning (BCP) and disaster recovery plan-
ning (DRP) is an important part of any IT strategy, because it
helps an organization prepare for the unexpected — whether it’s
a cyber incident, a natural disaster, or an equipment failure —
and return to normal business operations as quickly as possible.
Well-thought-out BCP/DRP should include alternative infra-

structure to support the business in times of emergency. Depend-
ing on the recovery time objective that the business requires, this
may be in the form of a cold, warm, or hot backup site.
A cold backup site is a location, but typically no provisioned

hardware and no backup copies of data. A warm backup site is
a location with hardware and connectivity; it may have back-
ups available, but those backups are not always up to date. A hot
backup site is an exact duplicate of the original site, with a near-
current backup of data.
However, the cost and expense of a full BCP/DRP program, as well

as the pressures of daily IT operations, often means that BCP/DRP
gets overlooked until it’s too late. The cloud can help to make
BCP/DRP realistic and more affordable than traditional methods.
Because the cloud is based around hardware-independent virtu-

alization, it’s a lot easier to back up data, applications, and oper-
ating systems to the cloud, and even configure an exact replica of
the main processing site.
In the event of an emergency requiring IT operations to fail over

from the primary site, automation can enable the new environ-
ment to be brought online quickly, and start to process data in a
short time.
A cloud-based BCP/DRP solution won’t solve all continuity prob-

lems (for example, it won’t do anything to provide alternative
working space for employees after a fire), but it will definitely pro-
vide a cost-effective alternative to traditional methods of backup
sites. Various service providers offer cloud-based BCP/DRP solu-
tions. Be sure to consider this as part of a cloud migration.
A STRUCTURED SERVICE
APPROACH
HPE can provide the following Cloud Protection services to help cus-
tomers build secure and compliant hybrid clouds:
• HPE Cloud Protection Transformation Workshop: The work-

shop provides in-depth discussion, consensus building, and high-
level recommendations on your cloud security strategy. It’s an
opportunity to share cloud security best practices and understand
the cloud security threat landscape, gain organizational stake-
holder alignment and confidence for implementing cloud security,
and identify and prioritize strategic initiatives related to cloud
security.
• HPE Cloud Protection and Compliance Analysis Service: The
service defines cloud security control recommendations for a new
or existing cloud environment, as well as related recommenda-
tions for your overall information security program to mitigate
risks and meet compliance requirements for a hybrid cloud envi-
ronment. The service allows organizations to evaluate changes
needed with existing security policies, procedures, and products;
define business and functional requirements that can drive future
cloud adoption; and guide private and hybrid cloud design activi-
ties in the future.
• HPE Cloud Protection Architecture and Design Service: The
service defines a secure, high-level, and detailed design that is tai-
lored to the organization’s hybrid cloud platform. It builds on the
HPE Cloud Protection Reference Architecture and HPE ITSA solu-
tion architecture methodology. The service leverages the out-
comes of the HPE Cloud Protection Workshop and the HPE Cloud
Protection and Compliance Analysis Service, and helps you archi-
tect the building blocks of your organization’s hybrid cloud.
• HPE Cloud Protection Implementation Service: The service pro-
vides implementation assistance for specific hybrid cloud security
controls based on HPE and HPE partner security solutions to
address specific cloud security requirements.
• HPE Platform Protection and Compliance Service: The service
provides security assessment and lockdown for operating system
and application platforms based on your organization’s specific
policies and compliance requirements.
IN THIS CHAPTER
»» Recognizing what you need to do to
make your cloud platform secure
»» Understanding what to look for when

selecting a cloud platform
Chapter 5
Ten Tips for
Implementing a Secure
Cloud Platform
M
oving an organization to the cloud introduces a lot of
new challenges to think about, not least those related to
security. You need to build a platform that satisfies the
needs of the business, but at the same time ensure that it doesn’t
introduce any unnecessary security risks that could compromise
the organization’s data or intellectual property.
Here are ten items to consider when building a private cloud or

choosing a cloud service provider:
»» Threat awareness: Make sure you understand the cloud

security threats and measures that can be taken to detect,
prevent, and eliminate them.
»» Platform suitability: Get clear on the different cloud service
models (IaaS, PaaS, SaaS), how security capabilities and
compliance needs differ between them, and how these
needs fit into the business model.
»» Due diligence: Perform suitable due diligence to determine
which parts of the business can be migrated to the cloud,
CHAPTER 5 Ten Tips for Implementing a Secure Cloud Platform 43
and use this information to help identify the most appropri-
ate cloud service providers and service partners.
»» Infrastructure security: Choose a secure hybrid cloud
platform, considering platform hardening, virtual machine
life cycle management, and approach to network security
and containerization.
»» Secure application development: Integrate security into
the software development life cycle to reduce the application
vulnerability footprint. This may require a change in the way
developers are educated, but it will lead to higher-quality
software.
»» Data-centric security: Use a data-centric approach to
encrypting confidential data and personally identifiable
information (PII), while ensuring that the data can be
processed and stored without impacting applications or
business processes.
»» Cloud identity management: Use federated identities to
integrate cloud identity and access management into the
corporate identity governance model, identifying roles and
responsibilities.
»» Security event visibility: Support the hybrid cloud with
continuous security monitoring and expand enterprise
security visibility by integrating alerts originating from the
cloud into the enterprise security information and event
management (SIEM) platform.
»» Continuous regulatory compliance: Understand compli-
ancy and regulatory requirements, policies, and procedures,
and identify appropriate controls that enable a business to
securely transform into a cloud-based operating model
without incurring additional business risk.
»» Cloud availability: Integrate the hybrid cloud operating
model into organizational business continuity and disaster
recovery planning to ensure that any cloud downtime is
planned for appropriately.
WILEY END USER LICENSE AGREEMENT
Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.

HPE Cloud Security

Uploaded by

Copyright:

Available Formats

HPE Cloud Security

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

HPE Cloud Security

Uploaded by

Copyright:

Available Formats

These materials are © 2017 John Wiley & Sons, Inc.

Any dissemination, distribution, or unauthorized use is strictly prohibited.

by Simon Leech CISSP-ISSAP,

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO

ISBN 978-1-119-37446-6 (pbk); ISBN 978-1-119-37444-2 (ebk)

Manufactured in the United States of America

Development Editor: Elizabeth Kuball Production Editor:

CHAPTER 1: Introducing Hybrid Cloud Security................................. 5

CHAPTER 2: Hardening the Cloud Environment.............................. 13

CHAPTER 3: Securing the Application Life Cycle............................. 23

Table of Contents iii

CHAPTER 4: Monitoring the Cloud.............................................................. 33

CHAPTER 5: Ten Tips for Implementing a

iv Hybrid Cloud Security For Dummies, HPE Special Edition

Industry research firm IDC has described this new model of IT

However, at the same time, businesses are increasingly becom-

»» You work in the IT industry. Perhaps you define IT strategy

Icons Used in This Book

2 Hybrid Cloud Security For Dummies, HPE Special Edition

Proceed at your own risk . . . well, okay — it’s actually nothing

Beyond the Book

Where to Go from Here

The field of security is very dynamic — it changes regularly as

»» Understanding the cloud security threat

»» Getting clear on the principles of hybrid

Hybrid Cloud Defined

Most organizations that are considering moving to the cloud

CHAPTER 1 Introducing Hybrid Cloud Security 5

Finally, more traditional or legacy systems, or sensitive business-

For every organization, this “right mix” of private and public

»» Public cloud: In the public cloud, the cloud infrastructure is

• Infrastructure-as-a-Service (Iaas): In IaaS, the CSP provides

6 Hybrid Cloud Security For Dummies, HPE Special Edition

• Platform-as-a-Service (PaaS): In PaaS, the CSP provides an

• Software-as-a-Service (SaaS): In this model, the subscriber

Different Clouds, Different

CHAPTER 1 Introducing Hybrid Cloud Security 7

Cloud Security Threats

The Top Threats workgroup at the Cloud Security Alliance

The difference from a cloud perspective, of course, is the increase

8 Hybrid Cloud Security For Dummies, HPE Special Edition

Shaping security standards

By following a standards-based security philosophy, your solu-

CHAPTER 1 Introducing Hybrid Cloud Security 9

With an integrated approach to security, you can use some of the

HOLISTIC SECURITY CONTROL

The P5 Model is part of the HPE Information Security Service

10 Hybrid Cloud Security For Dummies, HPE Special Edition

This is true regardless of the cloud deployment model, especially

Among the many things to consider when performing due dili-

»» Confidentiality: Before moving data to the cloud, you need

CHAPTER 1 Introducing Hybrid Cloud Security 11

12 Hybrid Cloud Security For Dummies, HPE Special Edition

»» Securing compute instances

Building Security into the Cloud

Organizations need to incorporate cloud security into a more gen-

CHAPTER 2 Hardening the Cloud Environment 13

HPE’s ITSA provides an architectural methodology for defining and

The HPE GM ITSA provides a methodology for defining and describing

A number of technology areas within a cloud functional refer-