CAC Model 1.0

This is a compilation of posts that describe the security model and operations processes I often use to help explain tightly integrated and responsive security measures.

Solution Security
Compliance for the Masses - Simplified Models
Mission Operations - PCVMR Cycle
Workflow for Analyzing Security Context
Security and Auditing are Multidimensional. Not On...
Circling Back: Repeatable Processes
VMware vCloud Director Segmentation: PCI and HIPAA...
The Circle of Trust - Cloud Audit Assurance
Cloud Security and GRC: Internal Controls

Here is a snippet from some of the postings that summarize the model. I will build on this and organize it over time. I have much more detailed information to add to this approach. If you skim through this - take a moment to first learn the simplicity of the PCVMR Cycle, and then learn to picture GRC's application to each of the P-C-V-M-R Cycle processes and each of the hardware and software assets.
In a previous post, we discussed The Circle of Trust - Cloud Audit Assurance. Pulling the three cycles discussed in that post together, they overlay each other nicely to show the interrelationships between what you have (Assets), what you want to accomplish (Alignment), and how you are going to do it (Operations). This model is as complex or as simple as you would like. It's a question of detail. Until next time...

Assurance is the grounds for confidence that the set of intended security controls in an information system are effective in their application.
(NIST SP 800-37 and SP 800-53A)

Cloud Audit Assurance. 
What can you do to provide assurance that your cloud infrastructure serves the purpose for which it was designed while protecting the data? Where do you start? Where does trust begin? Let's discuss three cycles that may help frame the discussion and an approach that may work for you. There's truth in the effectiveness of simple models that are easily understood and that can deliver repeatable results.

Start with the Business: Solution Alignment Cycle.
A previous post discussed GRC in the context of the business. We have to understand the objectives of the business and how the infrastructure and workloads align with and support those objectives, in the context of risk, while managing compliance concerns. One of the great values of GRC tools is their ability to continually monitor and measure the effectiveness of your GRC program. A governor, or speed limiter, is a device used to measure and regulate the speed of a machine, such as an engine (Wikipedia). The important part of the analogy is the feedback mechanism, which regulates the engine so that it performs as expected. The illustration below shows a simple cycle that is intended to be self-governing.


Governance (alignment to business objectives) greatly affects how Risk (probability and impact) and Compliance (authorities, contracts, policies) are managed. Frameworks (COBIT, etc.) may be used to help drive the GRC program, whose effectiveness is measured using GRC Tools. The workflow of the GRC Tool helps to continuously regulate the cycle.

Manage the Technology: Solution Delivery Cycle.
The Storage, Network, Compute, and Hypervisor (infrastructure) and Solutions (workloads) deliver a service. The effectiveness of a solution (capacity, performance, alignment/ability to meet needs/applicability) continually drives the selection and amount of technology assets required to deliver the solution. Put differently, the measurement of the effectiveness of the solution drives the hardware and software requirements.

Add Secure Operations Processes.
The PCVMR cycle was discussed in a previous post using the mission of a submarine. Provision the technology assets. Configure in accordance with your authorities, best practices, and policies. Validate against your checklists and using (as risk appropriate) additional tools, scanners, or third party resources. Monitor for deviations from your baseline. Accurately Respond and improve your processes based on what you learned.

Reminiscing About the Past
Assurance.
Leading off the previous post, let's delve deeper into the processes that helped provide mission assurance to the crew taking the boat down to operational depth. We spoke of submarines and the mature operational approach that allowed a crew barely out of high school, most with no formal education, to not only function in these demanding environments, but excel and push themselves and their equipment to the extremes. 

Why were we successful? 
It was more than top-notch training. It was more than engineering and equipment superiority. It included a deep knowledge of operational processes that work in orchestration with the equipment and a firm understanding of the mission objectives and risks. The effectiveness of everything was measured and fed back into the processes and equipment.

Provision | Configure | Validate | Monitor | Respond
The PCVMR process cycle provides insight into how we were able to attest to the assurance of our boat to keep us safe and deliver on her mission. Here's how it works.


Provision: Equip yourself with the right systems for your mission. Submarines are equipped with systems appropriate for accomplishing their mission. Ballistic missile and attack submarines have very different missions and very different equipment... and crew and training. The highly specialized Submarine NR-1 was outfitted with equipment and capabilities not found in other subs because that's what her missions required. 

Configure: We sometimes laughed at a few of the Standard Operating Procedures (SOPs), but we respected them. Some would say, "Rules are written in blood." That's because somebody paid a heavy price for that stupid rule to check that breaker or valve lineup twice. Every system had a checklist for every operational lineup. These lineups are thoroughly tested by smart engineers, and every effort is made to follow the book. It's one thing if you're throwing your leftover litter into a McDonald's wastebasket. It's another to dump or pump it overboard underwater. One is casual. The other is very carefully handled.

Validate: Everything was checked twice before getting underway. Every critical system was reviewed. Every change. Anyone that's spent time underway will recall the repeat-backs required on the phones as you read from a procedure to a senior operator. The senior operators then repeated the same requests to watch officers for final permission. Everyone backed each other up to validate actions. Important actions were verified formally by a second person and signed off by all parties involved. Some critical actions required multiple validations and checks based on the effect of the system on the ship's mission. Once everything is known, you have entered an operational steady state, or a known state of operations.

Monitor: Despite the best intentions to engineer flawless equipment and set everything up correctly, things go wrong. Systems are heavily monitored, automatically and manually, many both, to identify state deviations, or changes in the known state of operations. These may be intentional by the crew and known. These may be intentionally malicious from an external source, or changes could exist because of an inexperienced operator. The monitoring systems (some of which are redundant) help identify the early state of changes to give operators the most time to respond appropriately. Monitoring occurs across many complex related systems, and you need to identify issues as quickly as possible to minimize their impact. 

Respond: It is the operator's experience and well-rehearsed drills that help lead the best response. Realistic drills are part of everyday life underway in preparation for when something bad happens. You expect something bad to happen. And it does. It's the workflow, methodical analysis, and rapid response that make the difference between "that was close!" and a new SOP. Rules are written in blood. Responses to incidents are debriefed for details that could have managed the incident better than what was done. After Action Reviews. Post Incident Reviews. The outcomes of these meetings complete the PCVMR Cycle as they affect the Provisioning, Configuring, Validating, Monitoring, and Responding.
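The Validate, Monitor and Respond steps above, applied to an IT host configuration as an added example (not code from the original posts). The setting names, addresses and the change record are constructed for illustration, and the function names are hypothetical.

```python
import hashlib
import json

# Constructed sample data: a hypothetical host checklist and observed settings.
CHECKLIST = {"ssh_enabled": False, "lockdown_mode": True, "ntp_server": "10.0.0.5"}
PROVISIONED = {"ssh_enabled": False, "lockdown_mode": True, "ntp_server": "10.0.0.5"}
OBSERVED = {"ssh_enabled": True, "lockdown_mode": True, "ntp_server": "10.0.0.9"}
APPROVED_CHANGES = {"ntp_server": "10.0.0.9"}  # signed-off change record


def fingerprint(state):
    """Order-independent SHA-256 of a state, for a cheap 'did anything change' check."""
    return hashlib.sha256(json.dumps(state, sort_keys=True).encode()).hexdigest()


def validate(state, checklist):
    """Validate: return the checklist items the state fails (empty means known state)."""
    return sorted(k for k, want in checklist.items() if state.get(k) != want)


def monitor(baseline, observed, approved):
    """Monitor: report each deviation from the baseline as approved or unexplained."""
    if fingerprint(baseline) == fingerprint(observed):
        return []
    deviations = []
    for key in sorted(set(baseline) | set(observed)):
        was, now = baseline.get(key), observed.get(key)
        if was != now:
            known = key in approved and approved[key] == now
            deviations.append((key, was, now, "approved" if known else "unexplained"))
    return deviations


def respond(baseline, deviations):
    """Respond: fold approved changes into the baseline; return the rest to investigate."""
    new_baseline, incidents = dict(baseline), []
    for key, _was, now, status in deviations:
        if status != "approved":
            incidents.append(key)
        elif now is None:
            new_baseline.pop(key, None)  # approved removal of a setting
        else:
            new_baseline[key] = now
    return new_baseline, incidents


if __name__ == "__main__":
    found = monitor(PROVISIONED, OBSERVED, APPROVED_CHANGES)
    print(found, respond(PROVISIONED, found))
```

After `respond`, the new baseline no longer passes `validate` against the old checklist for `ntp_server`; updating the checklist is the feedback into Configure that closes the cycle.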

Can you see how this translates to cloud security and audit? We'll dig into that next. It's time to walk out of the bubble and back into the cloud :).

One Man's Challenge.

Mapping controls is all the rage (pun) and today's faddish exercise. Come on. You know you want some of that. Can you think of anything more fun than trying to find all of the standards, regulations, vendor guides, best practice documents, and Christmas Cookie recipe books?? How about actually reading them?? And then creating a massive spreadsheet mapping (your best) interpretation of what (you think) might be individual controls across each of them so that you can track your compliance? And... wait for it... just as we're getting started in all of this, don't forget that every good corporate citizen is intimately familiar with the policies you've painstakingly written and tracked back to each authority document.

Is Another Man's Opportunity.

Enter the likes of the IT Unified Compliance Framework (ITUCF) (with their nice snazzy website update over the last year). Their objective early in the game several years ago was to identify and correlate authority sources and documents from government agencies, standards bodies, and vendors. Massive undertaking. Simply massive. This is the classic case of how to put an elephant to sleep. Read one authority document at a time.

Opportunistic entrepreneurs and vendors created software tools to help manage the C in GRC. Many leverage (license) in whole or part the work of the ITUCF. Some target the entire enterprise, and others only IT. Consider the following from the well-respected Michael Rasmussen of Corporate Integrity:
"The GRC software space is vast with numerous vendors. In fact, in my market models there are over 400 GRC software providers that span 28 primary categories (with numerous sub-categories) of GRC related software. Nine of these categories encompass components of an enterprise GRC platform (though no vendor does all nine components), 19 of the categories are focused in specific business functions/processes of GRC. Of the 400 vendors, it is under 50 that market and present themselves in the enterprise GRC domain."

Environmentally Friendly.

Here's the flow of a security presentation I sometimes use to stimulate thought and focus around controls and how they can be orchestrated, coordinated, to deliver contextually rich information security and cloud auditing relevant views of the environment.


Environmentally Relevant. 

The enormous data set produced by monitoring and management tools delivers useless information if the data isn't comprehensive of its environment. Several years ago I worked for a Network Access Control (NAC) company. During Proof of Concept demonstrations we often found more devices on the network than the organization thought was possible. It wasn't uncommon to discover 15-20% more than a company thought they had on the network. One particular example found - not kidding - 20,000+ devices more than the estimated 40,000 devices the company thought they had worldwide. Yes, this is extreme. But it's also those experiences that drive my belief you have to know what you have before you can secure it.

Here is how I summarize action items during discussions around this topic.


We handled complex systems in the subsurface Navy, including Sonar, Navigation, Missile Controls, Reactor, Steam, Hydraulic, Water, Air, Electrical, Propulsion, and many, many others necessary to sustain life in a steel tube for months at a time under water.

There are several parallels to the complex infrastructures I work with in IT. The program for training 18-19 year old kids in less than two years to operate billion dollar reactors is incredibly effective. The success of the program hinges on several important factors, including top-notch training that I haven't experienced in any of the dozens of schools I've attended since leaving the military. They drill, drill, drill the concepts of controls in systems engineering, system integrity, monitoring, and response. You can summarize the operational processes for handling - and providing assurance for - complex systems in the five step cycle of Provision-Configure-Validate-Monitor-Respond. The workflow is shown here in the Illustration below. In the coming days I will dig into this further to explain each of the processes and how they interrelate.

Mastering Fundamentals Takes Time.
Malcolm Gladwell, in his book Outliers: The Story of Success, illustrates the strong correlation between the amount of time invested in a particular skill and the outcome. Mastery, according to his research, typically occurs after 10,000 hours (e.g. ~20 hours/week over 10 years). Examples included the obvious, such as athletes and musicians. Examples also included the not-so-obvious, such as Bill Gates programming for 10,000 hours prior to his break starting Microsoft.

Now - I'm not suggesting that developing an effective IT GRC program is going to take 10 years. However, I am suggesting that developing a strategy aligned with your business purpose, goals, and constraints is difficult to create, audit, and effectively manage. Also, it will take you longer than 10 years if you never start.

The Manager Administers; the Leader Innovates.

Warren Bennis wrote a list of differences between leadership and management in his book On Becoming a Leader. Read through some of them here in the context of the three cycles we discussed in the previous blog postings. Each cycle has to be managed to function, and each cycle requires leadership to innovate and respond to changing conditions.

Here's what happens when a system breaks down from a lack of experience and maturity that develops over time, working through difficult challenges. It's a flashback to the 2004 Olympic Men's Basketball team fielded by the inventors of the sport. Basketball and Apple Pie are about as American as it gets. That, and sweet tea in the South.

The individual parts in this particular system are among the best the world has ever seen. But they failed miserably as a team. They didn't know how to work together, and they hadn't worked together long enough to infuse corrective feedback into their operations. For my friends that love American football... Love or hate the Dallas Cowboys, the insane sync between Tony Romo and Jason Witten emerges when they are under pressure. The same should happen with your own operations.