NET+ SECURITY AND IDENTITY PORTFOLIO DEVELOPMENT WORKSHOP
Nick Lewis Internet2 NET+ Program Manager, Security and Identity
© 2015 Internet2
Welcome
• Goals, logistics, etc
• Want your feedback, so please comment and be interactive!
• We will have several small group discussions and each table will need a facilitator
• We will have a working lunch and a break after the lunch exercise
• Goal is to get out by 3pm if not earlier
• Boxnote for the agenda and notes:
– https://internet2.app.box.com/notes/39717796893
– Could I get a couple volunteers to take notes?
Schedule for the day
8:00am Start of the day
8:05 Introductions
8:20 NET+ Program
9:00 How information security is currently integrated into NET+
10:00 Break
10:30 Continue How information security is currently integrated into NET+
12:00 Working lunch
12:30 Break
1:00 Future information security improvement to NET+ program
3:00 Wrap-up and next steps
Introductions
• Introductions and what are you expecting to get out of today? Anything you want to add to the agenda?
• What Cloud Services is your campus using?
• Who has adopted Cloud Security Assessments?
– What standard? Roll your own?
• What are your top concerns about security services in the cloud?
Campus Experience with NET+
• Any campuses using NET+ services?
• What do you think?
• Any campuses not NET+ campuses?
• Why?
• Any examples where something worked better (or worse) than you expected?
Outline for this portion
• What is NET+
• How information security is currently integrated into NET+
– How it currently works
– Security assessments and requirements
– Identity Management and InCommon
– Ongoing oversight of service providers
• Service Provider perspective on NET+ program and information security aspects
• Integration into broader information security community
The Genesis of NET+ 2010 NACUBO / EDUCAUSE Cloud Summit
http://www.nacubo.org/Documents/BusinessPolicyAreas/ShapingTheHECloudWhitePaper.pdf
Major Recommendations from 2010
Thirteen overall recommendations (Pg 21-22), which include:
• Create a cloud computing roadmap.
• Develop a risk-assessment framework and guide.
• Develop audit guidelines for cloud-based offerings.
• Identify needed skills and training for cloud-based services.
• Develop and publish model service level agreements.
• Encourage identity management.
• Create a higher education demand aggregator.
NET+ Three Year Review 2015
All of the areas of improvement include the security aspects:
– Catalog Configuration – monitoring performance and enhancing standards
– Time To Market – more visibility into service validation
– Streamlined Agreements – simpler and easier to use
– Procurement Improvements – further streamline procurement
– First Service Adoption Barriers – lower adoption barriers
– Reduce Complexity of Business Models
Core Objectives of NET+ Services
A partnership to provide a portfolio of solutions for Internet2 member organizations that are cost-effective, easy to access, simple to administer, and tailored to the unique, shared needs of the community:
• Define a new generation of value-added services
• Leverage Internet2 R&E Network and other services such as InCommon
• Drive down the costs of provisioning/consuming services
• Provide a strategic partnership with service providers (new service offerings)
• Leverage community scale for better pricing and terms
• Develop solutions that meet performance, usability, and security requirements
• Provide a single point of contracting and provisioning
My vision for NET+
• When a campus has a problem, audit finding, incident, etc, they can look in the NET+ portfolio to find a solution they can quickly adopt at a price they can afford
• Pre-vetted, standard terms, community oversight
• Meets the unique needs of higher education
– Mobile, highly decentralized, locally managed, etc
• Facilitate campuses improving how they do information security
• Assist campuses adopt cloud services
• Advances NET+ program
What is Internet2 NET+ Cloud?
Enables trusted and responsive user mobility in the cloud, while delivering efficiencies to the enterprise.
Portfolio categories:
• Security & Identity
• Software as a Service
• Infrastructure and Platform
• Video, Voice & Collaboration
• Digital Content for Research & Education
Tailored Cloud service portfolios to:
• Enhance academic & research user mobility in the Cloud
• Accelerate trusted Cloud application deployment for the enterprise
• Ensure standards-based Cloud security, accessibility, reliability and performance with enterprise scalability
What NET+ Is
• Community driven and a way for the community to act on its own behalf
• A benefit of membership (benefits that accrue to participants)
• A means of influencing the direction of IT services development
• A (growing) portfolio of IT assets that campuses can choose from with consistent terms, best pricing and highest value.
What NET+ Is NOT
• A Vendor
• A Buying Club
• A Channel Partner
• A Reseller
• Exclusive (or picking winners)
In 1124+ Days the Community Has Built...
• 370 Participating Campuses
• 600+ Active Subscriptions
• 15 Service Validations
• 32 Available Services
• 89 Validation Campuses
• 9 New Evaluations
• $250,000,000+ in Community Benefit
WOW!
Internet2 NET+ Services: Engagements
Examples of Cloud Services Deployed at Scale
Leveraging community developed offerings, preferred pricing and business terms (up to July 2015):
• 35+ universities moved their LMS to Instructure’s Canvas (18 months from GA)
• 105+ universities cloud storage and collaboration campus-wide (38 months GA)
• 21+ universities leveraging Code42’s CrashPlan offering (23 months from EA)
• 69+ universities leveraging the NET+ Splunk offering (18 months from EA)
• 26+ universities leveraging Amazon Web Service offering (9 months from EA)
Campus Expectations for the Cloud
• Any workloads not going to the cloud? Why?
• Any data types / security requirements not going to the cloud? Why?
GET INVOLVED IN THE NET+ SERVICE LIFECYCLE
• Sponsored by Community Members
• Designed by participating campuses, providers and Internet2
• Subscription by Community Members, Regional and Global partners
• All delivered at global scale, tailored to R&E needs, and benefiting all participating institutions
The Internet2 NET+ Phases
Inquiry → Evaluation → Service Validation (Research, Incubator, Explore, Develop)
– Timeline variable 30–360+ days
– Less than 50% reach Service Validation
Service Validation → General Availability (Develop, Deploy)
– Timeline variable 45–180 days
– Greater than 90% reach General Availability
– Apply community standards
Inquiry and Evaluation
Inquiry Phase
• Discovery – Understanding the opportunity (what are the possibilities? Market scope?)
• Alignment – Are the provider and community goals strategically aligned (are we headed in the same direction?)
• Feasibility – Are the investments and mutual accommodations required likely to materialize?
• Community engagement – Membership and strategic engagement with the community
Evaluation Phase
• Identifying a Sponsor – A CIO or executive from a member institution
• Developing a Proposal – With support of the Sponsor
• Identifying additional SV participants
• Review of Requirements – Networking, Identity, Security, Business model and terms
Requirements of SPs
• Identified Sponsor: CIO or other senior exec from a member institution
• Membership in Internet2 and InCommon Federation
• Adoption of InCommon - Shibboleth/SAML2.0 and Connection of services to the R&E Network
• Completion of the Internet2 NET+ Cloud Control Matrix
• Commitment to:
– A formal Service Validation with 5-7 member institutions
– Enterprise wide offerings and best pricing at community scale
– Establishing a service advisory board for each service offering
– Community business terms (NET+ Business / Customer agreements)
– Support the community’s security, privacy, compliance and accessibility obligations
• Willingness to work with the Internet2 community to customize services to meet the unique needs of education and research
How NET+ Providers are Selected: ALWAYS Sponsored by an Internet2 Member Campus
• Can the service scale at least nationally?
• Can it be delivered over global R&E networks?
• Develop a business model that scales globally and serves a significant portion of the community?
• Will the provider work with the community to meet unique R&E needs today and into the future?
• Adopts R&E federated identity standards?
• Commit to the community’s Security, Privacy, Compliance, and Accessibility needs?
• Supportive of common, community contracting terms and conditions (negotiate once, use many times)
Quick-Start Program: Requirements
• Identified Sponsoring CIO (or other senior executive from a member)
• Membership in Internet2 and InCommon Federation
• Adoption of InCommon - Shibboleth/SAML2.0 (within 6 months)
• Connection to the R&E Network (within 6 months)
• Completion of the NET+ Cloud Control Matrix
• Commitment to enterprise wide offerings and best pricing
• Commitment to establish a service advisory group within the first 6 months and to a formal Service Validation (within 24 months or after 10 campus enrollments)
• Acceptance of the Internet2 NET+ template business and customer agreement terms and the community BAA (for HIPAA compliance) – with minimal negotiation.
• Offerings will be limited to a 2 year renewable term and customer agreements will be between the service provider and consuming institution.
Quick-Start Program: Additional Considerations
• Program is for services where the standard requirements and business terms are immediately acceptable
• Modifications to the template made only to ensure appropriate representation of specific types of services
• The advantages of the program:
– Provide fast-track onboarding services to community requirements
– Minimizing the cost/effort required for on-boarding
– Benefit to Providers: faster time to revenue generation within the portfolio rubric and to community specifications
– Benefit to Members: faster time to value, minimum investment until scale economies and persistent interest is established, consistent adoption of community requirements
Internet2 NET+ Service Validation
• Assessment of the service for inclusion in the catalog
• Applying a consistent process / standard
• Available at scale to the entire higher education community
• SV Group is led by the sponsoring institution and 5-7 campus participants
• Facilitated by Internet2 Program Manager
• SV participants represent
o Themselves AND the Community
o Assess the service for inclusion in the catalogue
o Negotiate terms, business model and pricing for the entire R&E community
Service Validation
• Functional Assessment
– Review features and functionality
– Tune service for research and education community
• Technical Integration
– Network: determine optimal connection and optimize service to use the Internet2 R&E network
– Identity: InCommon integration
• Security and Compliance
– Security assessment: Cloud Controls Matrix
– FERPA, HIPAA, privacy, data handling
– Accessibility
• Business
– Legal: customized agreement using NET+ community contract templates
– Business model
– Define pricing and value proposition
• Deployment
– Documentation
– Use cases
– Support model
NET+ Service Validation: Functional Assessment
• Review current features and functionality
• Discuss existing Service Provider product roadmap (under NDA)
• Determine ways in which service needs to be tuned for research and education community
• Prioritize feature requests among the participating universities in the Service Validation group and discuss prioritization with Service Provider’s product team
Process and Deliverables: customized roadmap for higher education from the Service Provider; feature, functionality, and bug report prioritization from the universities
NET+ Service Validation: Technical Integration
• Network: Integrate service with the Internet2 R&E network and optimize for enhanced delivery
– Test the network connection to create benchmarks
• Identity: Review Service Provider’s identity strategy and determine InCommon integration
– NET+ Identity Guidance for Services
Process and Deliverables: Service Provider and participating universities assign technical team members on networking and identity; develop and review testing plans; and produce reference documents for service subscribers
Identity Management and InCommon
• NET+ Identity Service Validation Process – https://spaces.internet2.edu/display/NetPlusIDG/Home
– Collect use cases.
– Assess current implementation and roadmap.
– Compare implementation, roadmap, and use cases.
– Prioritize implementation and refine roadmap.
– Implement and document.
– Schools sign off.
– Iterate.
• NET Plus Identity Guidance for Services – https://spaces.internet2.edu/display/NetPlusIDG/NET+Plus+Identity+Guidance+for+Services
IDM and InCommon Discussion
Any feedback from campuses?
SV: Business & Legal
• Legal: customized agreement using NET+ community contract templates
– MOU between Internet2 and Service Provider is signed in order to begin the Service Validation phase
– Business Agreement between Internet2 and Service Provider is negotiated during the Service Validation phase and reviewed and approved by university counsel
• Business Model: customized approach to pricing that leverages community assets and captures aggregation to reduce costs to the Service Provider and provide savings and additional value to universities
Process and Deliverables: Parties negotiate business agreements, enterprise customer agreements and any associated terms of use
NET+ Agreements: Mitigating Risk
• Reduces business risk by vetting service providers for performance, security and compliance
• Reduces contracting risk via standard (and beneficial) contract terms
• Reduces pricing risk by leveraging purchasing power of the community (including waterfall pricing)
• Ensures fair treatment in the market (no hidden clauses)
• Providing options as the number of providers in each portfolio services category increases
NET+ Agreements: An Emerging Standard
Many universi<es may find it valuable to consider service valida<on via
NET+ to be “a standard specifica<on” and pre-‐qualifying evalua<on/review process that might allow:
• Formal procurement processes to be simplified or waived
• Not requiring formal bidding from Internet2 or NET+ validated service providers
• Elimina<ng the need for sole-‐source jus<fica<on for NET+ validated service providers when only one source is available for a par<cular category of service
• Allowing simplified proposals from NET+ validated service providers when mul<ple sources are available for a par<cular category of service
NET+ Template Contract
• One of the templates is in the Box folder
• Developed working with campus legal counsels to identify community terms
• Definition of confidential information, accounts, data, etc
• Indemnification and Liability (Sec 5)
• Availability / Zero impact maintenance
• Termination and data transfer
• Security improvements to be included back into the NET+ offering. (Sec 3.2 Modifications and 8.9 Features)
• Data ownership is the participant (Sec 8.1(a))
• Data Privacy, Security, and Integrity – Sec 8.2-8.4
• Response to Legal orders – Sec 8.5
• Incident Response – Sec 8.6
• Data Retention and Disposal – Sec 8.7
How NET+ Contrac<ng Supports Procurement
• Community based due diligence
• Improves risk management by vehng service providers, standard and beneficial contract terms
• Ensures fair treatment in the market (no hidden clauses for “other” universi<es)
• Reduces costs of administra<on
• Leverages purchasing power of the en<re community
• Provides compe<<ve op<ons as the number of providers in each porBolio services category increases
Procurement Analysis Worksheets
• Completed for services once they complete early adopter
• General:
– Service Provider; Service; Service Type (IaaS, PaaS, SaaS, other (specify)); Admitted to Service Validation; Completed Service Validation; Schools leading the service validation were; Schools involved in legal discussions; Schools involved in business terms negotiation; Business Agreement signed
• Categories:
– General details on service. Service level commitments, compliance, technical, data, use and legal concerns, and termination
How information security is currently integrated into NET+
Background
• A working group was pulled together to develop how NET+ should incorporate security
– Developed this guidance: Recommended Process for the Use of the Cloud Controls Matrix (CCM) in the NET+ Program
– http://meetings.internet2.edu/media/medialibrary/2014/04/22/20140408-brammer-netsecurity-2.pdf
• Security aspects began in June 2012; the initial version of the security controls was delivered in December 2012 and is now in use by the NET+ Program
• Service validation security aspects have evolved over time.
Pre-Service Validation
• Program Manager to work with service provider
– Help them understand NET+ security and what campuses will expect from them
– Start gathering security documentation
– Cursory review of their security documentation to give SP feedback to help have a successful service validation
– Determine if NDAs are necessary and if so, start getting them from campuses in service validation
SV: Security & Compliance
Security assessment: Customized version of the Cloud Controls Matrix (CCM) developed by the Cloud Security Alliance and SOC 2 Type 2 Report
https://cloudsecurityalliance.org/research/collaborate/#_internet2
Accessibility review and Roadmap commitment. WCAG 3C
Data handling: FERPA, HIPAA, privacy, data handling
Process and Deliverables: Service Provider completes Cloud Controls Matrix and/or SOC2 Type 2 Report for review by universities; campus accessibility engineers review service and communicate needs to Service Provider
Service Validation – Security Aspects
• NDAs if requested by SP
• Review of security docs from SP by campuses
• Call with campuses and SP security staff
• Whole picture from a campus perspective. What security controls does a campus need because of the SP, or does the SP expect of the campus?
• Example - LastPass security review
Security Assessments / Frameworks
• All of the security assessments in the world will not stop all attackers.
• CSA CCM - The CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains.
• SOC 2 - focuses on a business’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system, as opposed to SOC 1/SSAE 16 which is focused on the financial reporting controls.
• ISO27001 - Developed to provide a model for establishing, implementing, operating, monitoring, and maintaining an information security management system, it is widely recognized as the highest security standard in the industry for examining the efficacy of an organization’s overall security posture.
Security Requirements
• Use cases to flesh out security requirements
– The use cases determine the security requirements
– FERPA is addressed by default
– If there is a healthcare use case covered by HIPAA requirements, then HIPAA is included
– A HIPAA BAA is included in the default template
– Export control
Small group discussion on service validation
What do you think of service validation?
What are your experiences with service validation? How should security assessments work?
How can we raise the bar to improve security? How can we streamline the information security aspects of SV?
How can we do this faster to bring tools to campuses?
Ongoing oversight of service providers
• What is currently done
– Internet2 NET+ Service Advisory Board (SAB)
– Review feedback from the community and SAB schools
– Performed during service validation
– Follow-up on security items from service validation
– Requirement in contract for annual updates from service providers on SOC2 or CCM
• Integrates with what is done on a campus for their oversight
Ongoing oversight of service providers
• What should we do?
– Should it be a requirement for the SAB to annually review the updated security documentation from the service provider?
– When there are major updates, to update the security documentation on the provider?
– Do current campus subscribers get notified?
– Follow-up on future security controls
– Example: Service provider promised CCM
• What to do if there are issues a service provider needs to address?
– Violation of security requirement from contract?
– Other contract violations
– Handled via the breach sections with service provider potential remedy
– Example: Service provider lapses in performing SOC2
How should ongoing oversight be handled? What can we do?
What is Internet2’s role and what is the SAB’s role? (20 min)
Service provider perspective
• What all of this means to them
– More than a buying vehicle
– Potential to help them engage the HE market
– Help them identify features and functionality HE needs
• How does this help them?
– Streamlined legal and procurement (along with security, etc)
– NET+ legal work with their final approval if necessary
– Additional insight into what works for their customers
• Potential costs for the service provider
– Our security requirements require significant resources to meet
– Potential development costs to add functionality
How is this, or how should it be, integrated into the information security community?
Relationship within Internet2
• InCommon
– Require NET+ Service Providers to participate in InCommon
– Work with InCommon on Identity Management
• TIER
– Community Created and Curated Services could become a NET+ service
• Internet2 Network Services
– Working with Paul Howell, Chief Cyberinfrastructure Security Officer
– Collaborating on DDoS discussions for potential NET+ DDoS Response service
• CINO Working Groups (End-to-End Trust and Security)
– Identifying any potential service providers or areas NET+ service providers might be interested in engaging with the community
Higher Education Relationships
• Educause/HEISC
– Supporting HEISC mission major activity - Providing effective practices and guidance and fostering communication within the community
– Supporting out of scope activities for “Developing or brokering information security fee-based services or tool” needed by the HE information security community
– Suggestions for potential service providers, broad direction setting and priorities
• REN-ISAC
– Support information sharing by REN-ISAC
– Work with the community on threat intelligence or information sharing service providers
• Coordination with both on HE-wide issues
Relationships Outside of Edu
• Cloud Security Alliance
– Updates on Cloud Control Matrix
– Certified Cloud Security Professional with ISC2
– Training on cloud security for HE information security staff
– CSA Security, Trust & Assurance Registry (STAR)
• International Information System Security Certification Consortium, Inc., (ISC)²
– Certified Cloud Security Professional
– Training on cloud security for HE information security staff
• SANS, International Association of Privacy Professionals, others?
• Should the relationships with external organizations be led by a campus person or Internet2?
Group Discussion: How is this, or how should it be, integrated into the information security community? (20min)