Tuesday, November 29, 2011

Security and Auditing are Multidimensional. Not One. Not Two.

"Chris. Are you sure you want to move to IT Audit?"
I wasn't sure what to expect during the shift from corporate security to corporate audit. The IT Audit Manager, Mike Schiller, and IT Security Manager, Brian Wrozek, had done a phenomenal job aligning objectives and approaches. The commonality in our mission objectives and mutual respect between the two teams is part of the reason I felt so comfortable making the move.

"Mike!! Look at all the stuff I found on this one box!"
Mike wasn't impressed. "Chris. What's the objective of this system? Where is it located? What data is stored on this system? How long has it been in operation? What projects are in place that will be completed in the next couple of months that affect the controls on this system?"

My introduction to multiple dimensions... 
Mike patiently walked through every "finding" and discussed each one. When we were done, there were still issues with the system, but they were now correctly framed in the context of the business as an organic function, not "just" a polarized point-in-time evaluation. His careful mentoring of the team built the understanding that our audits have to encompass a review of the systems, the operational processes, and their alignment to the business.

In a previous post, we discussed The Circle of Trust - Cloud Audit Assurance. Pulling the three cycles from that post together, they overlay each other to show the interrelationships between what you have (Assets), what you want to accomplish (Alignment), and how you are going to do it (Operations). The model is as complex or as simple as you would like; it's a question of detail. Until next time.... Here's the model again:


Monday, November 21, 2011

Circling Back: Repeatable Processes

Do you have any doubt - whatsoever - that a well-coached sports team with good talent can beat a loose gathering of the world's best talent? It takes more than talent to have repeatable success. Effective leadership and management provide purpose, methods and metrics for performing consistently at the top of your game. In sports, the fundamentals are taught early and revisited often. Coaches want their players to master and lean into the basics under the stress of physical and mental exhaustion. That is what produces the extra effort in the last seconds: driving towards the goal, squaring up your shot, and following through.


Mastering Fundamentals Takes Time. 
Malcolm Gladwell, in his book Outliers: The Story of Success, illustrates the strong correlation between the amount of time invested in a particular skill and the outcome. Mastery, according to his research, typically arrives after about 10,000 hours (e.g. ~20 hours/week over 10 years). His examples include the obvious, such as athletes and musicians, and the not-so-obvious, such as Bill Gates programming for 10,000 hours before founding Microsoft.

Now - I'm not suggesting that developing an effective IT GRC program is going to take 10 years. I am suggesting that a strategy aligned with your business purpose, goals, and constraints is difficult to create, audit, and manage effectively. And it will take longer than 10 years if you never start.


The Manager Administers; the Leader Innovates.

Warren Bennis wrote a list of differences between leadership and management in his book On Becoming a Leader. Read through some of them here in the context of the three cycles we discussed in the previous blog postings. Each cycle has to be managed to function, and each cycle requires leadership to innovate and respond to changing conditions.

Here's what happens when a system breaks down for lack of the experience and maturity that only develop over time, by working through difficult challenges. It's a flashback to the 2004 Olympic Men's Basketball team fielded by the inventors of the sport. Basketball and apple pie are about as American as it gets. That, and sweet tea in the South.

The individual parts in this particular system are among the best the world has ever seen. But they failed miserably as a team. They didn't know how to work together, and they hadn't worked together long enough to feed corrective feedback back into their operations. For my friends that love American football... Love or hate the Dallas Cowboys, the uncanny sync between Tony Romo and Jason Witten emerges when they are under pressure. The same should happen with your own operations.

The 2004 Men's Olympic Basketball Team. [From Wikipedia]

The revamped 2004 team consisted of some young NBA [super]stars early in their careers, such as Carmelo Anthony and LeBron James, and also included recent Most Valuable Players Tim Duncan and Allen Iverson. The team was coached by Larry Brown.

After struggles in several exhibition matches, the vulnerability of the 2004 team was confirmed when Puerto Rico defeated them 92–73 in the first game of the Olympic tournament in Athens. The 19-point defeat was the most lopsided loss for the USA in the history of international competition.

After winning close games against Greece and Australia, the USA fell to Lithuania, dropping to 2–2 in the Olympic tournament. Even after an 89–53 win over Angola, the Americans entered the knockout rounds in fourth place due to goal average, the lowest seed of their group. The Americans faced undefeated Spain in their quarterfinal game, winning 102–94.

The semi-final match saw the team defeated by Argentina, 89–81, ending the United States' hold on the gold medal. ... Before 2004, American teams had only lost two games in all previous Olympic tournaments, whereas in this one the American team lost three.

Thursday, November 17, 2011

VMware vCloud Director Segmentation: PCI and HIPAA Firewall Controls

This came up last week and I thought I would post here to keep the information easily accessible.

Yes. You can use vCD to segment environments that are required to comply with HIPAA and/or PCI.

The firewall functions in vCD in no way preclude you from using vCD to host production Primary Account Number (PAN) data or electronic Protected Health Information (ePHI), as long as you comply with all of the other controls required to host that information. Here are the details from the requirements, along with specific comments.

PCI DSS has an entire section devoted to firewall controls (Requirement 1: Install and maintain a firewall configuration to protect cardholder data), of which the most restrictive requirements are [1] the ability to implement ACLs, and [2] stateful packet inspection (SPI), also called dynamic packet filtering.

Requirement 1.3.6 
Verify that the firewall performs stateful inspection (dynamic packet filtering). (Only established connections should be allowed in, and only if they are associated with a previously established session.) 

HIPAA has specific segmentation requirements for health care clearinghouse functions, found here. Although they are called out as Administrative Safeguards, the rule defines that term broadly:

Sec. 164.304  Definitions 
Administrative safeguards are administrative actions, and policies  and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected  health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information. 

Note the deliberate lack of detailed requirements, which leaves room for a broad range of solutions to satisfy them.

164.308(a)(4)(ii)(A)
(ii) Implementation specifications:
    (A) Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.

The Circle of Trust - Cloud Audit Assurance

Assurance is the grounds for confidence that the set of intended security controls in an information system are effective in their application. 
(NIST SP 800-37 and SP 800-53A)  

Cloud Audit Assurance. 
What can you do to provide assurance that your cloud infrastructure serves the purpose for which it was designed while protecting the data? Where do you start? Where does trust begin? Let's discuss three cycles that may help frame the discussion and an approach that may work for you. There's truth in the effectiveness of simple models that are easily understood and that can deliver repeatable results.

Start with the Business: Solution Alignment Cycle.
A previous post discussed GRC in the context of the business. We have to understand the objectives of the business and how the infrastructure and workloads align with and support those objectives, in the context of risk, while managing compliance concerns. One of the great values of GRC tools is their ability to continually monitor and measure the effectiveness of your GRC program. A governor, or speed limiter, is a device used to measure and regulate the speed of a machine, such as an engine (Wikipedia). The important part of the analogy is the feedback mechanism that regulates the engine so that it performs as expected. The illustration below shows a simple cycle that is intended to be self-governing.


Governance (alignment to business objectives) greatly affects how Risk (probability and impact) and Compliance (authorities, contracts, policies) are managed. Frameworks (COBIT, etc) may be used to help drive the GRC program, whose effectiveness is measured using GRC Tools. The workflow of the GRC Tool helps to continuously regulate the cycle.

Manage the Technology: Solution Delivery Cycle.
The Storage, Network, Compute, and Hypervisor (infrastructure) and Solutions (workloads) deliver a service. The effectiveness of a solution (capacity, performance, alignment/ability to meet needs/applicability) continually drives the selection and amount of technology assets required to deliver it. Put differently, measuring the effectiveness of the solution drives the hardware and software requirements.

Add Secure Operations Processes.
The PCVMR cycle was discussed in the previous post using the mission of a submarine. Provision the technology assets. Configure in accordance with your authorities, best practices, and policies. Validate against your checklists and using (as risk appropriate) additional tools, scanners, or third party resources. Monitor for deviations from your baseline. Accurately Respond and improve your processes based on what you learned.