RSA Europe Podcast: Everything You Wanted to Know About Virtual Compliance

RSA Europe 2011 has released a podcast to introduce my presentation next week:

GRC-303: Everything You Wanted to Know About Virtual Compliance

Oh no! Not another cloud compliance presentation. This session gives an insider's look at how and why clouds fail audits: ask not what you can do for your cloud, learn how to ask what your cloud can do for you. It offers a clear and detailed review of the common flaws in virtual environments that prevent compliance.

I posted earlier the time and place of presentation.

Cloud Enclaves, Multitenancy and FISMA

Los Alamos National Laboratory (LANL) is a national security research institution responsible for American nuclear deterrence. The Lab has invested in security management practices and moved from being a federal regulatory concern to an award-winning (see below) leader in security and compliance.

How did the Lab get to this point? A major effort to measure risk, apply National Institute of Standards and Technology controls, certify the use of those controls, and arrive at standard and supported system configurations for Lab systems consumed much of 2008.

A Solutions Architect now discusses, on a podcast by The Virtualization Practice, how the Lab handled the NIST Certification and Accreditation (C&A) process and received authority to operate at FISMA moderate with VMware vCloud.

At a site like LANL, workloads that cross domains, security enclaves, or classification levels are important to understand from the beginning, not after the cloud is deployed. The reason is that this complicates any configuration of workloads, as cross-domain traffic would need to be ensured to come only from specific locations while all other locations are denied. Into this fall tools like vShield App, which can keep all VMs from talking to each other but also allow cross-talk across domains as necessary by specific VMs.

The details of the architecture also will be presented October 11th in Washington DC when LANL receives a Cloud Initiatives in Government award from SANS.

LANL’s Infrastructure on Demand features an innovative cloud security and automation architecture, leveraging VMware’s vShield and LANL-written active defense on behalf of the workload clients. Key features include:

  1. Automated provisioning of workloads into secure enterprise enclaves.
  2. Mapping physical security into a virtual security model using VMware vShield.
  3. Employing automated remediation features to offline non-compliant workloads.
  4. Extension of a private cloud security framework into a secure hybrid cloud.
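The isolation model described above (every VM denied to every other VM, with explicit per-VM exceptions for cross-domain traffic) and the automated remediation in item 3 are easy to reason about once written down as a policy check. The following is an added example, not LANL's or VMware's code: it models a default-deny enclave policy, evaluates a set of observed flows against it, and marks the source VM of any unpermitted flow for quarantine. Enclave labels, VM names, ports and flows are constructed for illustration.

```python
"""Default-deny enclave policy with explicit cross-domain exceptions.

Added example, not LANL or VMware code. Models the behaviour the post
attributes to vShield App: no VM may talk to any other VM unless a rule
names that exact source VM, destination VM and port. evaluate() replays
observed flows and returns the VMs that violated policy, the input an
automated "offline the workload" remediation step would act on.
All names, enclaves, ports and flows below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VM:
    name: str
    enclave: str  # hypothetical labels such as "dmz", "internal", "restricted"


@dataclass(frozen=True)
class Rule:
    src: str   # exact source VM name; no wildcards, exceptions are per VM
    dst: str   # exact destination VM name
    port: int  # destination port


@dataclass
class EnclavePolicy:
    vms: dict[str, VM]
    rules: set[Rule] = field(default_factory=set)

    def allow(self, src: str, dst: str, port: int) -> None:
        """Add a one-directional exception; the reverse is not implied."""
        self.rules.add(Rule(src, dst, port))

    def permits(self, src: str, dst: str, port: int) -> bool:
        """Default deny: only an explicit rule passes a flow, and a VM
        the policy does not know about never passes."""
        if src not in self.vms or dst not in self.vms:
            return False
        return Rule(src, dst, port) in self.rules

    def is_cross_domain(self, src: str, dst: str) -> bool:
        return self.vms[src].enclave != self.vms[dst].enclave

    def evaluate(self, flows):
        """flows: iterable of (src, dst, port) as observed on the wire.
        Returns (permitted flows, set of source VMs to quarantine)."""
        permitted, quarantine = [], set()
        for src, dst, port in flows:
            if self.permits(src, dst, port):
                permitted.append((src, dst, port))
            else:
                quarantine.add(src)
        return permitted, quarantine


def build_sample_policy() -> EnclavePolicy:
    # Constructed inventory: three enclaves, four VMs.
    vms = {v.name: v for v in (
        VM("web1", "dmz"),
        VM("app1", "internal"),
        VM("db1", "internal"),
        VM("data2", "restricted"),
    )}
    p = EnclavePolicy(vms)
    p.allow("web1", "app1", 443)    # dmz -> internal, one port only
    p.allow("app1", "db1", 5432)    # same enclave still needs a rule
    p.allow("app1", "data2", 8443)  # the single cross-domain exception
    return p


# Constructed flow log: three permitted, two violations.
SAMPLE_FLOWS = [
    ("web1", "app1", 443),
    ("app1", "db1", 5432),
    ("app1", "data2", 8443),
    ("web1", "data2", 8443),  # dmz reaching straight into restricted
    ("db1", "app1", 5432),    # reverse direction of an allowed rule
]

if __name__ == "__main__":
    ok, bad = build_sample_policy().evaluate(SAMPLE_FLOWS)
    print("permitted:", ok)
    print("quarantine:", sorted(bad))
```

The rule set deliberately has no wildcards: the point of the enclave model is that a cross-domain path exists only for a named VM, so adding "any internal VM may reach restricted" is a policy change a reviewer should see, not something the engine infers.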

BART admits failure

No, not the failure to put qualified and experienced security guards on duty when expecting high-risk events. Everyone knows that staffing the late-night shift on New Year's and the 4th of July with fresh rookies carrying live ammunition, and sending them to deal with violent riders, is a recipe for disaster. Oh, except BART, which has made the same mistake again recently.

No, not the failure to keep the trains running. BART blames that on time, as if it is somehow not their fault to have decrepit cars and tracks after 40 years. They're still trying to figure out the cost of upgrades by 2017, even though "they got a lot of cash in the bank," as the woman selling tickets said to me.

No, not the failure to provide Internet service. They have tried to figure it out for a few stations, but they'll shut it down at the first sign of someone saying something they disagree with. They wouldn't call that a failure, and they argue there's no cost to silencing passengers. Perhaps that explains why they also let the tracks squeal at over 100 dB (louder than a jackhammer).

No, BART has finally been forced by auditors to admit a failure, in the form of $200K in customer billing errors:

Over 16,000 BART customers were overcharged for parking in the transit agency's lots over the past two years, and now the vendor responsible for the mistake is set to dole out more than $200,000 in repayments.

Due to a software glitch, motorists using the BART lots were incorrectly nailed with fees during the weekends and some holidays — times when parking is supposed to be free. The overbilling occurred during a 28-month period, and wasn’t detected until a BART customer complained to the agency, according to spokesman Jim Allison.
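The 28 months it took to notice is the part a security engineer should dwell on: the rule that broke (no fee on weekends and listed holidays) is trivial to state, so the missing control was a reconciliation that replays the ledger against that rule. The following is an added example, not BART's or its vendor's code: the fee rule as the glitch behaved beside the corrected one, and an audit that totals per-customer overcharges. The fee amount, holiday list, dates and ledger are constructed.

```python
"""Parking fee rule with the overbilling bug beside the corrected rule,
plus the reconciliation check that would have surfaced it.

Added example, not BART or vendor code. The post says weekends and some
holidays are free: fee_buggy() charges every day (the glitch as described),
fee_fixed() returns zero on free days, and audit() replays a ledger of
what was actually charged against the correct rule and totals the
overcharge per customer. Fee, holidays, dates and ledger are constructed.
"""
from datetime import date, timedelta

DAILY_FEE_CENTS = 100  # constructed; the real fee is not on the page

# Constructed holiday list; a real one would come from the fare tariff.
FREE_HOLIDAYS = {date(2011, 7, 4), date(2011, 9, 5)}


def is_free_day(d: date) -> bool:
    """Saturday (5), Sunday (6) and listed holidays carry no fee."""
    return d.weekday() >= 5 or d in FREE_HOLIDAYS


def fee_buggy(d: date) -> int:
    # The glitch: the calendar is never consulted, so every day is billed.
    return DAILY_FEE_CENTS


def fee_fixed(d: date) -> int:
    return 0 if is_free_day(d) else DAILY_FEE_CENTS


def audit(ledger, fee_rule=fee_fixed) -> dict[str, int]:
    """ledger: iterable of (customer_id, date, cents_charged).
    Returns customer -> total cents overcharged, omitting customers
    with no overcharge. Undercharges are not netted against overcharges,
    since refunds are owed per incident."""
    over: dict[str, int] = {}
    for cust, d, charged in ledger:
        diff = charged - fee_rule(d)
        if diff > 0:
            over[cust] = over.get(cust, 0) + diff
    return over


# Constructed week: Fri 2011-07-01 through Thu 2011-07-07, which contains
# a weekend and the July 4 holiday, so three free days out of seven.
SAMPLE_DAYS = [date(2011, 7, 1) + timedelta(days=i) for i in range(7)]
SAMPLE_CUSTOMERS = ["c1", "c2"]


def sample_ledger():
    """What the buggy system actually billed for the constructed week."""
    return [(c, d, fee_buggy(d)) for c in SAMPLE_CUSTOMERS for d in SAMPLE_DAYS]


if __name__ == "__main__":
    for cust, cents in sorted(audit(sample_ledger()).items()):
        print(f"{cust}: overcharged {cents} cents")
```

Run the audit against the same rule the billing system uses and it finds nothing, which is why the check has to be written independently of the code it is checking; here that means a second implementation of the tariff rule, ideally maintained by whoever owns the tariff rather than the vendor.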

Hybrid Cloud Model Security

A very nice illustration and explanation of hybrid cloud by VMwareDoug:

The following figure depicts an evolving strategy and model for Federal cloud adoption. In this model of a hybrid and optimized Federal cloud, we see that at one end of the spectrum, [A], security requirements and service levels are relatively low. Such an environment is conducive to public facing workloads. Although still substantial, security requirements for public data are considerably less than other data types. Service levels, such as availability, hover at only three 9’s (e.g., 99.9%). At the other end of the spectrum, both security and service level requirements are extremely high [C], demanding the strictest confidentiality, integrity, availability, and service level performance (e.g. 99.999%).