 All right. Can you guys, can you hear this? All right. It's always great to be the last session before the party though You know, so so let me personally compliment you for taking the time to come here. Okay. It's going to be an interesting session today It's actually going to be a panel, you know, so I have the pleasure of being the moderator my name is Raghu Yeluri and I am part of Intel's data center group and I work on security and one of the things that Intel we've been trying for the last four or five years is to actually create a new manageability control for security called trust Okay, and trust could be you know could have very many facets to it and One of the challenges is once you know trust once you have that trust How do you measure it? How do you monitor it and how do you do any remediation based on it? Okay, so today we have three pretty Accomplished panelists with me. We have Fred Lima here. He's the chief security architect at Visa and You know, he's been driving a lot of the security initiatives at Visa. We have Joy Duryaraj. She's the senior security product manager at HP Enterprise for the HP helium product line and we have Prasanna Who is the CEO of a very interesting startup called cloud Raksha? Okay We the way the panel is going to work each of the panelists I'm going to spend five minutes With Fred starting on hey, what are the objectives or requirements for? advancing trust in the clouds and what the Visa perspective is a little bit then We're going to transition to Joy who's going to talk about How HP helium is building what are called? compliance building blocks to take advantage of any hardware root of trust capabilities in the in the x86 platforms so that they can make those building blocks available for monitoring and compliance tools and Prasanna is going to spend five minutes on how they use these building blocks to bring it all together and We'll actually show a demonstration of how You can take some of the security controls that are relevant for PCI DSS and how do you monitor them? And how do you do compliance on top of it? Okay With that I just want to start with one slide before I hand it off to Fred Okay, cloud security means so many different things to different people. Okay, if you are a consumer or a developer of cloud you just care about apps and data that run on top of the cloud Okay, if you are a private cloud or a cloud provider You care about the middle two things, you know, how do I secure the platform the cloud platform? And how do I secure the infrastructure which is the security under the cloud? Okay, if you deal with multiple clouds private clouds and hybrid clouds then you have to deal about deal with security across clouds and finally there is a category of products that are emerging which are beginning to offer security as a service Okay, so they run in the cloud interestingly, but they provide monitoring of security controls Evaluation against compliance requirements and remediation from the cloud Okay In you you're gonna hear from the three panelists in The four bottom categories Okay, the one that the panel the three panelists won't cover is the the secure applications and data That's what you know IT shops and enterprises are going to do But I think the panelists are going to cover the bottom three bottom four. Okay with that I want to hand it to V Fred to kind of give us, you know What are the requirements for the the security requirements for the financial industry and you know, what are there? What are the objectives that they drive towards for advancing trust in the club? Thanks, we're good. Hi everybody I'm trying not to stay in a way of the party. That's for sure. So So We're here. We're here pretty much talking about what is that we want to look at when we think of advancing Trust in the cloud When we think about visa Leading company in the payment technology industry. We are definitely looking Very closely what's going on in cloud technologies given the all the beans advantages that We are looking at in terms of scalability agility And so on and so forth. That's definitely something we need to keep an eye with open stack, it's no different and given the commitment that we put in building our environment towards a cloud enablement of course secure becomes a topic of Concern in terms of how we want to make sure that things are properly secure how we want to make sure that things are addressing the needs of Compliance reporting and compliance measurement So to that I wanted to first talk a little bit about The word trust just expanding a little more what Raghu alluded to And If we just we could as he as he well pointed out trust could mean Different things for different people in different standard bodies have is likely different definitions of what that means But if I could just leverage what the trusted computing group Defines and alludes to when when talking about trust Think about trust as something that can be anchored to a hardware based at the station Root of trust so establishing a route of trust based on hardware Why is that important from from our perspective when looking at? Advanced trust in clouds It is important given the fact of what in use this new paradigm we're living with so yes It is about agility. It is about flexibility and scalability But what are the things that are taking place in order to make that happen from a cloud infrastructure perspective today? We look at these different use cases where you have a hypervisor based infrastructure or Container based environments run your top of bare metal OS we deal with VNF based network services we deal with security functions. They are also based on NFV type of deployments storage volumes And at the end of the day given what the cloud is pushing us towards we also need to consider The fact that this flexibility also means that our workloads Need to be properly Identified from a location perspective or tagged from a location perspective So some of the challenges and things that come to mind when you think about establishing a part this paradigm from secure paradigm in terms of advancing Trusts in clouds are those questions that you're seeing in a in the slide So how can we really make sure that we maintain that we establish some level of measurement and we maintain the integrity of the cloud infrastructure? how do we Also can establish integrity and maintain it for the workloads running on top of the of that infrastructure in addition to the location Knowing the location of the workloads and from a geo perspective and be able to To apply policies based on that location the ability to again Establish and and leverage the root of trust to establish At the station of integrity of that software that's running on top of of the cloud Now of course what it comes to mind is Compliance a lot of times for a lot of folks here in the room at the end of the day One of the things that we need to establish sometimes I like to think that way in terms of reducing complexity or compliance is what sources of truth Do we need to rely on establishing some level compliance monitoring and reporting? And to that effect a Single hardware base route of trust seems to help us towards those Those objectives and at the end of the day what is that we want that we can enable from a remote attestation? Perspective so I don't need to be there to know that it is really Tied to where supposed to be from a hardware perspective moving along then we come to this Higher level security objectives not really fine grained Detail security requirements per se, but security objectives that we feel can enable us to work towards advancing trust in clouds So a little bit of what we've talked before but just to reinforce the the ability of us to provide assurance In workload integrity of the of the cloud infrastructure in the workload The ability to enforce Residence residency of the workload and data From a location perspective the ability to protect the confidentiality of the workload That's running on top of the cloud and then of course as we mentioned having ongoing compliance verification We have this high-level conceptual view of an architecture in which we would leverage that the hardware base route of trust We would leverage some of the plugins into that route of trust in an API fashion To establish a security in compliance control plane towards that yet in alignment With the cloud control plane in our case here with the opening stack control plane So with that I'll pass the mic to Joy who is going to talk about HP's approach Sharon. Thank you Fred So at HP and we talked to customers like visa who are in the payment technology industry and have You know requirements about compliance it resonates very well because we have not only heard from customers in Indie financial space, but also customers from other vertical industries such as in a healthcare or or whether it's service providers or whether it's And then government agencies and so on so we recently did a survey of over 250 c-level execs and director level and above and using 451 research and this was a qualitative and quantitative research sponsored by a Hewlett-Packard enterprise so the results were not surprising at all I mean what it is is it's basically says that you know ensuring compliance with regulatory and policy requirements is still the number one concern from a security standpoint in a when customers deploy hybrid cloud and having the visibility and The capability to monitor what goes on in that environment given the nature of the Rapidly changing a cloud environment they the problem is that drifts happen very very quickly and being able to monitor for those Drifts compliance drifts is very very critical for a lot for customers across all spectrum of industries and The next thing is that you know They also want to make sure that there is consistent policy controls enforced throughout their infrastructure So whether it's you know starting all the way from hardware route of trust to you know The networking layer or whether it's a hypervisor layer or if you're going to the open stack and then on to the application layer They want to be able to have a very consistent way to Very consistent way to enforce policies across their environment so that's critical for our customers now when it comes to compliance That the key questions that our customers are asking is how do I remain? in a compliant in an open stack environment and How do I automate automation of compliance as a critic is a as a huge headache for many customers? and the problem of that is you know you have You have different you know systems you have different layers of the stack All giving out you know different formats of audit logs and whatnot How do you standardize across and how do you make sure that you know you're you're automatically checking for drifts? And that's an important aspect so quite the common example will be you know when you're running say VMs on your guest node for the guest operating system could not have been patched for several months And how do you make sure that your patching policies are staying up to date? The other aspect is tenant isolation So how do you ensure that your tenants are properly isolated? You've got the appropriate security controls and plays and so on and and most importantly the end-to-end compliance is critical And so what we have an ad HP is we have the basic building blocks So we have our pro-line to in a hardware servers They come equipped with TXT and TPM modules and so for us that they're being able to take advantage of that is very very critical and beneficial for our customers and being able to Integrate with vendors like Intel to bring together and also you know integrating with the cloud rock shark To bring together an entire solution that will do not only you know hard end-to-end compliance but starting with the hardware root of trust is critical and So we talked about you know, I already had talked about the different layers and being able to ensure that you're compliant across the entire stack and so when you look at the entire stack starting with the hardware root of trust is very very important and so with the without the Modules that we ship with every pro-line server. We are able to take advantage of it and provide the basic building blocks and So here is a great example that shows it's a diagrammatic representation that shows how the the hardware root of trust actually works in an open stack environment and They essentially what it is is the you know the plugins that Intel has developed an open source And allows a nova scheduler allows the Nova to intercept the requests and make sure that the hardware root of trust the certification or the attestation The integrity that Intel returns and use that integrity to basically you know run and for security policies So security policies are things like you know, don't allow my users to run You know spin up VMs if the server is not attested by Intel or not certified by Intel likewise You know if they're not belonging to a particular location And this is this is important from a data sovereignty perspective because you've got compliance needs where you know your example would be you know European compliance laws where you know companies operating on a France. They don't want you know users To run via the workloads if they are not based out of France So things like that we are able to take advantage of be using the basic building blocks from HP Intel and cloud rock shock. So with that I'd like to turn it over to Prasanna for his for cloud rock shock Thank you Fred. Thank you joy So clearly as Fred pointed out There's a bunch of requirements for compliance and security management that come along with the field of trying to do regulatory Workloads joy talked about all of the various components that are available that from which you assemble an overall solution So what I'm going to talk about is a little bit about how these things come together in order to create From the root of trust a long-term story starting from the time at which you Start the process all the way through the end of life of any assets that you're creating on top of OpenStack and Making sure that the compliance with your desired state is not only present But is provable from an audit perspective to auditors who are interested in the state over the entire life cycle As we all know Earning trust is hard enough but once it has earned it has to be maintained and it has to be maintained and Proven so that over the entire life cycle of the assets that you're building and using you have a consistent story Story right now the interesting thing is if you go out and these customers the joy was talking about if you actually Query what it takes to do this in today's environment about? 40% of the cost of managing cloud applications is worrying about all of these issues Around security and security compliance time and time again We've gone out and talked to multiple customers where that is the benchmark number that we're hearing it's a very significant piece of the operational cost and so bringing that down through a process of making security compliance simple and Making it automated so that there are no escapes from the process is what brings you to the point of being able to prove to auditors That you are doing everything in order to maintain a consistent security posture, right? There are multiple key things that you have to worry about when you're talking about security compliance First of all, what are the rule sets that you are applying? How is it that you are convincing somebody that the entire set of things that you're doing fits into the industry? Best practices to be able to satisfy requirements like Fred was talking about so one of the things we do is we start with standard Well-accepted security postures such as diss us mission critical stigs for those of you who are in the security community You know that that is a very rigid set of compliance mechanisms that you can bring to bear the second is you integrate it into the overall process of Setting up your clouds and then setting up the the Assets compute assets in the cloud like spinning up VMs and making sure that these postures are applied Immediately upon the creation of the assets and then checked by automation Continuously throughout the life cycle of the process and to do it in a way that is a one-touch Provisioning process so that even the most novice of users of the infrastructure Will be in a position to do it and will be in a position to do it without error And I'm going to show you in the demo how all of that stuff comes together Now this is obviously built on top of the variety of things that Joy was talking about his building blocks We start with a hardware root of trust and with the stuff that the Intel CIT technology particular They're 3.0 version that it brings to the table that is available on the HP hardware in the Proliant gen 9s and beyond we start with that to validate that at the time of creation of an asset The actual posture of that asset is actually measured by the hardware Which is irrefutable in a way that you can then build on and then extend that those Measurements over the life cycle of the asset to repeatedly check it and in a consistent and standard Reporting structure think of it as audit-ready logs that you can then take and show to your auditors that from the time of creation Automatically with no escapes all the way through the life cycle of the of the assets There has been a consistent policy applied now Why is that important even though you may start with a root of trust and start at the time of asset creation With the posture that you understand drift happens as you all well know in the development or in the DevOps Kind of environment changes are being made to the system as you experiment with it as you do the development and changes do happen so detecting those changes and Automatically remediating the posture as you go is very important Right the overall architecture that we bring to the table Involves that block in the middle which talks about the variety of things such as the actual rules that we apply Which is in our case what we're demonstrating today is the Nissa. I'm sorry the diss a nist rule set a A mechanism by which the service that we offer comes in from the outside reaches into the assets Reaches into the control nodes and the compute nodes of the open-stack environment to ensure that the configuration of those nodes themselves has not changed and then reaches into as I showed in the previous chart the Assets that are being spun up the VMs that are being spun up an open stack that register back with the service and get checked I will show you a quick demonstration of this How are we doing and time? Okay, good So the first piece of the puzzle is setting up the hardware correctly So looking at what Intel CIT technology brings to the table is a way to use the TXT and the TPM Which are the hardware components that are available in the Gen 9 servers that Joy mentioned Allows you to tag assets in a way that is guaranteed by the hardware as being immutable Let's say with interesting things like the geolocation of where those compute assets are or other properties including acceptable kernels or acceptable bios and then all the way up to the To the VMs that you're going to spin up in open-stack to make sure that the signatures of those VMs belong to a white list that is forced and checked by a hardware root of Trust chain that starts from the hardware and works all the way to the launching of the assets, right? So what this screen shows is how in the Intel cloud integrity technology? Console you are able to tag the various machines that you are spinning up as Compute nodes and assign them properties that are then used Oops, where's the rest of them? Okay. That was a short demo Now this tells you why continuous compliance is important. This is drift Everybody's wondering when the party starts Okay Yes, that was supposed to be the next slide so Once you have done the tagging that I showed in the previous screen What happens is that in your standard open-stack? Environment the various for example in this case compute nodes that are available have now been tagged and that tag has been measured and validated by the hardware, right? So let's see what happens when you now spin up an asset On this platform in which the various compute compute nodes have been tagged with let's say geo tags as the joy was showing the entire Perimeter control of the border control Use case right so you would launch an instance exactly as you would launch it normally, right? You would go you'd pull down the right set of things and as part of this entire process The CIT technology would then look at the tags that are associated with the VM that you're spinning up and say these Tags say that this VM has these following requirements It should be placed only on hardware that has the following geo tags, right? The second thing is that as this asset spins up as this asset gets created What we're showing over here is that you can actually tag it with the kind of compliance checks that you want to run on that asset Not only at the time of creation but over the life cycle which in this particular case We are specifying as a post provisioning script what that post provisioning script does is as the asset comes up First of all, it's been checked that it is legal to run on certain set of platforms And that's what it's gonna run on but then it also goes ahead and auto registers with the compliance service and says I'm alive. This is the compliance properties I want you to run and the example that we are showing is of running a PCI DSS compliance check And so that's what this use case is Run me and run me periodically Throughout my life cycle, right? So now we're going into the cloud rucksack our services dashboard where the system has already come in and registered itself and If you look down into the machines that are being managed You will see that highlighted light green bar over there is the machine that was just spun up on the in open stack it's registered with the system it said hello and Now you we automatically run the security posture that we were expecting or that the machine asked for when it got created in this particular case It was the PCI DSS compliance Rule set it's about a hundred and nine rules that we apply and you can see up in the top right in the console It says we've got a hundred and nine rules that were run off with 63 were successful This is for demonstration purposes. We're showing you a use case where the actual CentOS machine that was spun up was a brand-new build of CentOS just downloaded from the open stack CentOS web page It itself says that about 50% of the rules out of the box are not set correctly This is why paying attention to compliance is a big deal because out of the box Your machines are not necessarily configured the way you would like them to be right So you can go into the rules You can take a look at what the severity of the rule is you can get take a route and as I said These all trace back to the dis astiggs, which is what we are applying We can with although we're not demonstrating it here Auto remediate any changes that are found and go back and fix the configuration setting Not only at the time of creation, but throughout the lifecycle if anybody made any changes to it, right? And so we can manually remediate we can go click on the particular rule and say go fix it for this machine And eventually at the end of the day we generate reports and as I said right at the beginning We can produce a compliance ready report that can go as become part of your audit package And so this once you do that now what this leaves you with is a complete Check all the way from hardware So this is actually a hardware check that reaches back into the Intel CIT technology pulls out the attestation and the quotes of the machine that your workload is running on and The quote of the actual structure of the compliance that we ran on the machine puts it together into a single consumable Audit report that then spans the life cycle of the overall system, right? So I think what we're showing is that by putting all of these building blocks together and taking the requirements like Fred laid out You can actually build an end-to-end system that gets you audit ready compliance Not just of your open stack assets, but of the assets that you're creating running on top of open stack That's the story So let me open it up a question So let me kind of start with with with a couple of questions so that in a seed see the discussion a little bit here So Fred, I know you can't talk a whole lot about what you guys do at visa Okay, but can you give us a flavor of where you are in this whole trusted private cloud journey at visa? What can you share? sure so what what what we've seen is an evolution And we've been working on with this paradigm for several years in before Cloud came to play as far as how we Enable a hardware based root of trust. It's a paradigm. We live with in several areas of security specifically to virtualization platforms before Those are quote-unquote cloud arise. That's something we've been we've been doing some work for quite a while enabling Intel TXT now with opening stack coming to play and Commitment for us to secure that the platform We we're trying to establish up the baseline from which we want to enable all the good things that come with cloud as we mentioned before the flexibility the scalability and so on and so forth Going forward the I think what what we would like to see and anticipate is As the developers get more and more interest into putting different types of workloads on top of the cloud in in runtime environment How can I enable enforcement? At the runtime level in addition to us being able to evolve to Plugging is to secure a solution from a control plane prospect. What I mean by that is developers have their own Preferences in terms of Container control planes or containerized control planes or whatnot with the amount of control planes coming to play What does that mean where you have maybe the opening stack control plane and maybe some other control planes at the container level? From a security perspective, how can I minimize the complexity? in terms of us Building this journey and still advancing the trust but again Trying to minimize the complexity caused by these Quick advance that developers are marching towards So I've seen I've been paying attention to a little bit to what's going on in opening stack Magnum container container as a service And how this is how this is evolving to which is a good thing what And we this is a development conference the developers here in the room Open stack developers when I said developers early on as referring to the business application developers who work in the enterprise So they are not if they may not be infrastructure savvy, and they don't care and they don't want to be right and when they want to deal with a Control plane that enables them to do what they want to do How can we make that happen and yet in the background We from a security perspective can keep and can keep an eye on what's going on at the end of the day The hands may be moving from a centralized infrastructure team to the tenants themselves So that they can do what they need to do So my ass could be Try my ass could be to pay attention to this paradigm in which the application of the business application developer community Is asking to leverage similar or the same tools as the infrastructure team is asking for so that's that's that'll be my ask Thank you. So joy. I know, you know, you had a pretty good walkthrough of HP helium and the building blocks. Can you comment on What time frame the these building blocks for security, you know, the whole Hardware assured compliance as you called it. When are they going to be available for folks to access, right? So we recently launched healing open stack 3.0. Literally went out this week That's the that's one of the building blocks for this particular solution. We absolutely have Want to you know, make this broadly available. We're right now. We're working on POC demo and then obviously Solution for visa, but we will we definitely have plans to brought broadly product eyes this and I would say, you know We want to target end of this year Okay, thank you and Prasanna for you the tough question. Okay. Okay. I know at the end of the day The compliance controls and the whole remediation and enforcement happens through a product like yours Okay, there are efforts in the industry, especially in the open-stack world through Congress Okay, what's your ass? What would be your ass as a compliance? Security compliance vendor. What would you like the community to do more so that it makes Your life a lot easier More than our life easier. I think what can we do to make the community's life easier, right? So it's what what two things if the community can do that would be very valuable One is we need to share broadly The kinds of experiences we have the kind of profile sets that get past regulators Industry by industry So if there is a collective belief or collective knowledge that gets created saying that for certain use cases Here's the set of profiles or here's a set of security postures that regulators find acceptable We should share that knowledge because collectively we are better off as a community with well-accepted best practices Where those practices are accepted not only by the practitioners, but by the regulators who are overseeing the practitioners That's the first ask make sure we do that broadly The second is no matter what we as Vendors do in this space. There is a certain set of underlying code that open stack itself brings to the table as Much effort has to be paid to making that code security conscious and following best security practices as Anything that we can overlay on top of it to offer other security capabilities, right? So the building blocks that Joy mentioned starting from the hardware on up Including the kind of efforts that HP is doing with helium are In hardening helium and making sure that it is a reliable and security conscious set of Building blocks is very important And so recognizing that at the end of the day no matter how user-friendly The overall open stack system is if it is not something that we can prove to our auditors That it is following best practices and is reliable and trustworthy People in regulated industries cannot use it for production And you got to start from there and work our way backwards as opposed to building something that's usable and then worrying about how do we make it Right, thank you. Yeah, we've got about five minutes. I believe so let me see if there are any questions from you from the audience to any of the panelists Once you start talking we know that somebody's Presentation as well HP helium 3.0. Yeah is PCI complaint correct So is that a convert solution or is it just a software aspect of it? Because I would imagine because the hardware is the root of trust for example, so there's a hardware dependency Yeah, does that make sense or you know, what if I took it on commodity hardware and install it? Do I still can I? Can I can I make the claim that it is still Actually, it's an excellent question. First of all, I wanted to thank you for that So the first thing that I did want to you know clarify is With 3.0 a healing open stack will be PCI ready and there's a difference between you know PCI ready and PCI compliant Because when you when we say PCI compliant then you know We have to go through the physical and procedural and administrative controls Work with an auditor and get it certified so that responsibility will still lie with you as a customer and so when we say it's PCI ready what we mean is that first of all, we had worked with an external audit firm who did the Validation lab assessment and the readiness for us and they went literally went through you know 250 plus controls with the helium open stack and said yes, we do satisfy the Controls that we are responsible for and so that's the key difference that I wanted to highlight this You know, obviously the software distribution Will not be able to satisfy physical controls like data center, you know closed circuit TV or you know Security guards or biometrics those are still you know valid requirements from a compliance standpoint now Back to your question. So if you were to take say, you know, 3.0 put it in a converged Architecture put it in a converged hardware and then run through the controls So you can use our guide to guide you through those requirements that we satisfy But then keep in mind that there are requirements that you will need to satisfy as well You will need to configure it in a PCI compliant manner. That is very key And you will also need to obviously work with the auditor that will You know say yes good checkbox and tick mark and say yeah, yeah, you've met all these things a small example of that would be You know, let's say you're supposed to implement firewalls, but so we give you all the you know the neutron Capabilities that come out of the box with open stack, but it's important for the customer to be able to configure it in a Compliant manner. So that's subtlety there, but yeah, very good question. Hope I've answered your address your question Right. We got a minute or two left. So maybe one more question Yeah, so Phipps 140 dash to this is Generally, this is required for federal agencies. It's very very, you know involved set of Requirements going all the way across the stack We do want to address that sometime So we are definitely, you know wanting to target it, but we are not Phipps ready yet Right, I think maybe okay one more question before we wrap it up here My question is for Prasanna. I agree with what you said earlier about it should be like a community effort to come together to basically standardize our way to Satisfy the criteria from all these standards. I personally went through so I I work for Microsoft I know here. I'm the bad guy, but I Actually did it went through the same validation with FedRAMP exactly like HP Did it for PCI? So and we also have an External TPL doing the process. So my what I learned is basically there is a lot of gray area on how you can address the Very same criteria. So you can and then sometimes also a dance between oh, it's a technical responsibility versus It's a code like a responsibility on the customers with responsibility on the process and so on. So how would you go after? Creating these common knowledge because I mean I agree with the intent I don't know though how we could come together and do this because Then when you start going to the details of the implementation There are a lot of forces going in different directions, right? Yeah, sure And I think exactly it's a good question exactly as what Joy was saying earlier Is that a lot of these standards leave a lot of things in the physical realm and the administrative realm in the process control realm? That are simply not addressable from a technical perspective But at a minimum the things that you need to do from a technical perspective are probably common, right? And even there I think So for example, if you go and look at the the SCAP stuff or if you look at the DISA stuff Those are all building blocks from which one starts, right? Creating a better way to share that is the question that Ragu asked me is what what is the ask the ask is that? We as a community need to set up set up to it, right? Any trials that we do any You know proof cases that we build out. Let's find ways to publicize that Because that's the only way we're gonna learn from each other and if there is a community wide We've done ten of these trials with this exact same set of Constraints and that has gone through ten different auditors. That's a very good thing to know Without which, you know, everybody is an individual trying to drive what they are doing through their particular audit set and trying to get past it That doesn't scale quite frankly Right was exactly what you're experienced that you were talking about Hey, yeah, I think we have no more time for questions So if you want we can be available for a little bit to talk So I want to personally thank the three panelists Fred joy and Prasanna. Thanks for taking the time Joining and speaking here today. Okay, and thanks everybody for joining. Enjoy the party