net+ security and identity portfolio development … · 10/19/2015  · tailored cloud service...

NET+ SECURITY AND IDENTITY PORTFOLIO DEVELOPMENT WORKSHOP Nick Lewis Internet2 NET+ Program Manager, Security and Identity © 2015 Internet2

Post on 29-Jul-2020


TRANSCRIPT

Page 1: NET+ SECURITY AND IDENTITY PORTFOLIO DEVELOPMENT … · 10/19/2015  · Tailored Cloud service portfolios to: • Enhance academic & research user ... terms and the community BAA

NET+ SECURITY AND IDENTITY PORTFOLIO DEVELOPMENT WORKSHOP

Nick Lewis Internet2 NET+ Program Manager, Security and Identity

© 2015 Internet2

Page 2:

Welcome

• Goals, logistics, etc
• Want your feedback, so please comment and be interactive!
• We will have several small group discussions and each table will need a facilitator
• We will have a working lunch and a break after the lunch exercise
• Goal is to get out by 3pm if not earlier
• Boxnote for the agenda and notes:
  – https://internet2.app.box.com/notes/39717796893
  – Could I get a couple volunteers to take notes?

Page 3:

Schedule for the day

8:00am Start of the day
8:05 Introductions
8:20 NET+ Program
9:00 How information security is currently integrated into NET+
10:00 Break
10:30 Continue How information security is currently integrated into NET+
12:00 Working lunch
12:30 Break
1:00 Future information security improvement to NET+ program
3:00 Wrap-up and next steps

Page 4:

Introductions

• Introductions and what are you expecting to get out of today? Anything you want to add to the agenda?
• What Cloud Services is your campus using?
• Who has adopted Cloud Security Assessments?
  – What standard? Roll your own?
• What are your top concerns on security services in the cloud?

Page 5:

Campus Experience with NET+

•  Any campuses using NET+ services?

•  What do you think?

•  Any campuses not NET+ campuses?

•  Why?

•  Any examples where something worked better (or worse) than you expected?

Page 6:

Outline for this portion

• What is NET+
• How information security is currently integrated into NET+
  – How it currently works
  – Security assessments and requirements
  – Identity Management and InCommon
  – Ongoing oversight of service provider
• Service Provider perspective on NET+ program and information security aspects
• Integration into broader information security community

Page 7:

ADVANCING HIGHER EDUCATION

in the

AND BEYOND

Page 8:

The Genesis of NET+

2010 NACUBO / EDUCAUSE Cloud Summit

http://www.nacubo.org/Documents/BusinessPolicyAreas/ShapingTheHECloudWhitePaper.pdf

Page 9:

Major Recommendations from 2010

Thirteen overall recommendations (Pg 21-22), which include:

•  Create a cloud computing roadmap.

•  Develop a risk-assessment framework and guide.

•  Develop audit guidelines for cloud-based offerings.

•  Identify needed skills and training for cloud-based services.

•  Develop and publish model service level agreements.

•  Encourage identity management.

•  Create a higher education demand aggregator.

Page 10:

NET+ Three Year Review 2015

All of the areas of improvement include the security aspects:

– Catalog Configuration – monitoring performance and enhancing standards
– Time To Market – more visibility into service validation
– Streamlined Agreements – simpler and easier to use
– Procurement Improvements – further streamline procurement
– First Service Adoption Barriers – lower adoption barriers
– Reduce Complexity of Business Models

Page 11:

Core Objectives of NET+ Services

A partnership to provide a portfolio of solutions for Internet2 member organizations that are cost-effective, easy to access, simple to administer, and tailored to the unique, shared needs of the community:

•  Define a new generation of value-added services

•  Leverage Internet2 R&E Network and other services such as InCommon

•  Drive down the costs of provisioning/consuming services

•  Provide a strategic partnership with service providers (new service offerings)

•  Leverage community scale for better pricing and terms

•  Develop solutions that meet performance, usability, and security requirements

•  Provide a single point of contracting and provisioning

Page 12:

My vision for NET+

• When a campus has a problem, audit finding, incident, etc, they can look in the NET+ portfolio to find a solution they can quickly adopt at a price they can afford
• Pre-vetted, standard terms, community oversight
• Meets the unique needs of higher education
  – Mobile, highly decentralized, locally managed, etc
• Facilitate campuses improving how they do information security
• Assist campuses in adopting cloud services
• Advances NET+ program

Page 13:

What is Internet2 NET+ Cloud?

Portfolio categories: Security & Identity; Software as a Service; Infrastructure and Platform; Video, Voice & Collaboration; Digital Content for Research & Education

Tailored Cloud service portfolios to:
• Enhance academic & research user mobility in the Cloud
• Accelerate trusted Cloud application deployment for the enterprise
• Ensure standards-based Cloud security, accessibility, reliability and performance with enterprise scalability

Enables trusted and responsive user mobility in the cloud, while delivering efficiencies to the enterprise.

Page 14:

What NET+ Is

• Community driven and a way for the community to act on its own behalf
• A benefit of membership (benefits that accrue to participants)
• A means of influencing the direction of IT services development
• A (growing) portfolio of IT assets that campuses can choose from with consistent terms, best pricing and highest value.

What NET+ Is NOT

• A Vendor
• A Buying Club
• A Channel Partner
• A Reseller
• Exclusive (or picking winners)

Page 15:

In 1124+ Days the Community Has Built...

• 370 Participating Campuses
• 600+ Active Subscriptions
• 15 Service Validations
• 32 Available Services
• 89 Validation Campuses
• 9 New Evaluations
• $250,000,000+ in Community Benefit

WOW!

Page 16:

Internet2 NET+ Services: Engagements

Page 17:

Examples of Cloud Services Deployed at Scale (up to July 2015)

Leveraging community developed offerings, preferred pricing and business terms:

• 35+ universities moved their LMS to Instructure's Canvas (18 months from GA)
• 105+ universities cloud storage and collaboration campus-wide (38 months GA)
• 21+ universities leveraging Code42's CrashPlan offering (23 months from EA)
• 69+ universities leveraging the NET+ Splunk offering (18 months from EA)
• 26+ universities leveraging Amazon Web Service offering (9 months from EA)

Page 18:

Campus Expectations for the Cloud

•  Any workloads not going to the cloud? Why?

•  Any data types / security requirements not going to the cloud? Why?

Page 19:

GET INVOLVED IN THE NET+ SERVICE LIFECYCLE

• Designed by participating campuses, providers and Internet2
• Sponsored by Community Members
• Subscription by Community Members, Regional and Global partners

All delivered at global scale, tailored to R&E needs, and benefiting all participating institutions

Page 20:

The Internet2 NET+ Phases

Timeline variable 30–360+ days

[Diagram: Inquiry → Evaluation → Service Validation; stage labels: Research, Incubator, Explore, Develop]

Less than 50% reach Service Validation

Page 21:

The Internet2 NET+ Phases

Timeline variable 45-180 days

[Diagram: Service Validation → Deploy; stage label: Develop]

Greater than 90% reach General Availability

Apply community standards

Page 22:

Inquiry and Evaluation

Inquiry Phase

• Discovery: Understanding the opportunity (what are the possibilities? Market scope?)
• Alignment: Are the provider and community goals strategically aligned (are we headed in the same direction?)
• Feasibility: Are the investments and mutual accommodations required likely to materialize?
• Community engagement: Membership and strategic engagement with the community

Evaluation Phase

• Identifying a Sponsor: A CIO or executive from a member institution
• Developing a Proposal: With support of the Sponsor
• Identifying additional SV participants
• Review of Requirements: Networking, Identity, Security, Business model and terms
• Membership in Internet2

Page 23:

Requirements of SPs

• Identified Sponsor: CIO or other senior exec from a member institution
• Membership in Internet2 and InCommon Federation
• Adoption of InCommon - Shibboleth/SAML2.0 and Connection of services to the R&E Network
• Completion of the Internet2 NET+ Cloud Control Matrix
• Commitment to:
  – A formal Service Validation with 5-7 member institutions
  – Enterprise wide offerings and best pricing at community scale
  – Establishing a service advisory board for each service offering
  – Community business terms (NET+ Business / Customer agreements)
  – Support the community's security, privacy, compliance and accessibility obligations
• Willingness to work with the Internet2 community to customize services to meet the unique needs of education and research

Page 24:

How NET+ Providers are Selected: ALWAYS Sponsored by Internet2 Member Campus

• Can the service scale at least nationally?
• Can it be delivered over global R&E networks?
• Develop a business model that scales globally and serves a significant portion of the community?
• Will the provider work with the community to meet unique R&E needs today and into the future?
• Adopts R&E federated identity standards?
• Commits to the community's Security, Privacy, Compliance, and Accessibility needs?
• Supportive of common, community contracting terms and conditions (negotiate once, use many times)

Page 25:

Quick-Start Program: Requirements

• Identified Sponsoring CIO (or other senior executive from a member)
• Membership in Internet2 and InCommon Federation
• Adoption of InCommon - Shibboleth/SAML2.0 (within 6 months)
• Connection to the R&E Network (within 6 months)
• Completion of the NET+ Cloud Control Matrix
• Commitment to enterprise wide offerings and best pricing
• Commitment to establishment of a service advisory group within the first 6 months and to a formal Service Validation (within 24 months or after 10 campus enrollments)
• Acceptance of the Internet2 NET+ template business and customer agreement terms and the community BAA (for HIPAA compliance) – with minimal negotiation.
• Offerings will be limited to a 2 year renewable term and customer agreements will be between the service provider and consuming institution.

Page 26:

Quick-Start Program: Additional Considerations

•  Program is for services where the standard requirements and business terms are immediately acceptable

•  Modifications to the template made only to ensure appropriate representation of specific types of services

•  The advantages of the program:

–  Provide fast-track onboarding services to community requirements

–  Minimizing the cost/effort required for on-boarding

–  Benefit to Providers: faster time to revenue generation within the portfolio rubric and to community specifications

–  Benefit to Members: faster time to value, minimum investment until scale economies and persistent interest is established, consistent adoption of community requirements

Page 27:

Internet2 NET+ Service Validation

• Assessment of the service for inclusion in the catalog
• Applying a consistent process / standard
• Available at scale to the entire higher education community
• SV Group is led by the sponsoring institution and 5-7 campus participants
• Facilitated by Internet2 Program Manager
• SV participants represent
  o Themselves AND the Community
  o Assess the service for inclusion in the catalogue
  o Negotiate terms, business model and pricing for the entire R&E community

Page 28:

Service Validation

• Functional Assessment
  – Review features and functionality
  – Tune service for research and education community
• Technical Integration
  – Network: determine optimal connection and optimize service to use the Internet2 R&E network
  – Identity: InCommon integration
• Security and Compliance
  – Security assessment: Cloud Controls Matrix
  – FERPA, HIPAA, privacy, data handling
  – Accessibility
• Business
  o Legal: customized agreement using NET+ community contract templates
  o Business model
  o Define pricing and value proposition
• Deployment
  o Documentation
  o Use cases
  o Support model

Page 29:

NET+ Service Validation: Functional Assessment

• Review current features and functionality
• Discuss existing Service Provider product roadmap (under NDA)
• Determine ways in which service needs to be tuned for research and education community
• Prioritize feature requests among the participating universities in the Service Validation group and discuss prioritization with Service Provider's product team

Process and Deliverables: customized roadmap for higher education from the Service Provider; feature, functionality, and bug report prioritization from the universities

Page 30:

NET+ Service Validation: Technical Integration

• Network: Integrate service with the Internet2 R&E network and optimize for enhanced delivery
  – Test the network connection to create benchmarks
• Identity: Review Service Provider's identity strategy and determine InCommon integration
  – NET+ Identity Guidance for Services

Process and Deliverables: Service Provider and participating universities assign technical team members on networking and identity; develop and review testing plans; and produce reference documents for service subscribers

Page 31:

Identity Management and InCommon

• NET+ Identity Service Validation Process
  – https://spaces.internet2.edu/display/NetPlusIDG/Home
  – Collect use cases.
  – Assess current implementation and roadmap.
  – Compare implementation, roadmap, and use cases.
  – Prioritize implementation and refine roadmap.
  – Implement and document.
  – Schools sign off.
  – Iterate.
• NET Plus Identity Guidance for Services
  – https://spaces.internet2.edu/display/NetPlusIDG/NET+Plus+Identity+Guidance+for+Services

Page 32:

IDM and InCommon Discussion

Any feedback from campuses?

Page 33:

SV: Business & Legal

• Legal: customized agreement using NET+ community contract templates
  – MOU between Internet2 and Service Provider is signed in order to begin the Service Validation phase
  – Business Agreement between Internet2 and Service Provider is negotiated during the Service Validation phase and reviewed and approved by university counsel
• Business Model: customized approach to pricing that leverages community assets and captures aggregation to reduce costs to the Service Provider and provide savings and additional value to universities

Process and Deliverables: Parties negotiate business agreements, enterprise customer agreements and any associated terms of use

Page 34:

NET+ Agreements: Mitigating Risk

• Reduces business risk by vetting service providers for performance, security and compliance
• Reduces contracting risk via standard (and beneficial) contract terms
• Reduces pricing risk by leveraging purchasing power of the community (including waterfall pricing)
• Ensures fair treatment in the market (no hidden clauses)
• Providing options as the number of providers in each portfolio services category increases

Page 35:

NET+ Agreements: An Emerging Standard

Many universities may find it valuable to consider service validation via NET+ to be "a standard specification" and pre-qualifying evaluation/review process that might allow:

• Formal procurement processes to be simplified or waived
• Not requiring formal bidding from Internet2 or NET+ validated service providers
• Eliminating the need for sole-source justification for NET+ validated service providers when only one source is available for a particular category of service
• Allowing simplified proposals from NET+ validated service providers when multiple sources are available for a particular category of service

Page 36:

NET+ Template Contract

• One of the templates is in the Box folder
• Developed working with campus legal counsels to identify community terms
• Definition of confidential information, accounts, data, etc
• Indemnification and Liability (Sec 5)
• Availability / Zero impact maintenance
• Termination and data transfer

Page 37:

NET+ Template Contract

• Security improvements to be included back into the NET+ offering (Sec 3.2 Modifications and 8.9 Features)
• Data ownership is the participant (Sec 8.1(a))
• Data Privacy, Security, and Integrity – Sec 8.2-8.4
• Response to Legal orders – Sec 8.5
• Incident Response – Sec 8.6
• Data Retention and Disposal – Sec 8.7

Page 38:

How NET+ Contracting Supports Procurement

• Community based due diligence
• Improves risk management by vetting service providers, standard and beneficial contract terms
• Ensures fair treatment in the market (no hidden clauses for "other" universities)
• Reduces costs of administration
• Leverages purchasing power of the entire community
• Provides competitive options as the number of providers in each portfolio services category increases

Page 39:

Procurement Analysis Worksheets

• Completed for services once they complete early adopter
• General:
  – Service Provider; Service; Service Type (IaaS, PaaS, SaaS, other (specify)); Admitted to Service Validation; Completed Service Validation; Schools leading the service validation were; Schools involved in legal discussions; Schools involved in business terms negotiation; Business Agreement signed
• Categories
  – General details on service. Service level commitments, compliance, technical, data, use and legal concerns, and termination

Page 40:

How information security is currently integrated into NET+

Page 41:

Background

• Working group pulled together to develop how NET+ should incorporate security
  – Developed this guidance: Recommended Process for the Use of the Cloud Controls Matrix (CCM) in the NET+ Program
  – http://meetings.internet2.edu/media/medialibrary/2014/04/22/20140408-brammer-netsecurity-2.pdf
• Security aspects began in June 2012, delivered initial version of security controls in December 2012, now in use by NET+ Program

•  Service validation security aspects have evolved over time.

Page 42:

Pre-Service Validation

• Program Manager to work with service provider
  – Help them understand NET+ security and what campuses will expect from them
  – Start gathering security documentation
  – Cursory review of their security documentation to give SP feedback to help have a successful service validation
  – Determine if NDAs are necessary and if so, start getting them from campuses in service validation

Page 43:

SV: Security & Compliance

• Security assessment: Customized version of the Cloud Controls Matrix (CCM) developed by the Cloud Security Alliance and SOC 2 Type 2 Report
  – https://cloudsecurityalliance.org/research/collaborate/#_internet2
• Accessibility review and Roadmap commitment. WCAG 3C
• Data handling: FERPA, HIPAA, privacy, data handling

Process and Deliverables: Service Provider completes Cloud Controls Matrix and/or SOC2 Type 2 Report for review by universities; campus accessibility engineers review service and communicate needs to Service Provider

Page 44:

Service Validation – Security Aspects

• NDAs if requested by SP
• Review of security docs from SP by campuses
• Call with campuses and SP security staff
• Whole picture from a campus perspective. What security controls does a campus need because of the SP, or does the SP expect of the campus?
• Example - LastPass security review

Page 45:

Security Assessments / Frameworks

•  All of the security assessments in the world will not stop all attackers.

•  CSA CCM - The CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains.

•  SOC 2 - focuses on a business’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system, as opposed to SOC 1/SSAE 16 which is focused on the financial reporting controls.

•  ISO27001 - Developed to provide a model for establishing, implementing, operating, monitoring, and maintaining an information security management system, it is widely recognized as the highest security standard in the industry for examining the efficacy of an organization’s overall security posture.

Page 46:

Security Requirements

• Use cases to flesh out security requirements
  – The use cases determine the security requirements
  – FERPA is addressed by default
  – If there is a healthcare use case covered by HIPAA requirements, then HIPAA is included
  – A HIPAA BAA is included in default template
  – Export control

Page 47:

Small group discussion on service validation

What do you think of service validation?

What are your experiences with service validation? How should security assessments work?

How can we raise the bar to improve security? How can we streamline the information security aspects of SV?

How can we do this faster to bring tools to campuses?

Page 48:

Ongoing oversight of service providers

• What is currently done
  – Internet2 NET+ Service Advisory Board (SAB)
  – Review feedback from the community and SAB schools
  – Performed during service validation
  – Follow-up on security items from service validation
  – Requirement in contract for annual updates from service providers on SOC2 or CCM
• Integrates with what is done on a campus for their oversight

Page 49:

Ongoing oversight of service providers

• What should we do?
  – Should it be a requirement for the SAB to annually review the updated security documentation from the service provider?
  – When there are major updates, to update the security documentation on the provider?
  – Do current campus subscribers get notified?
  – Follow-up on future security controls
  – Example: Service provider promised CCM
• What to do if there are issues a service provider needs to address?
  – Violation of security requirement from contract?
  – Other contract violations
  – Handled via the breach sections with service provider potential remedy
  – Example: Service provider lapses in performing SOC2

Page 50:

How should ongoing oversight be handled? What can we do?

What is Internet2’s role and what is the SAB’s role? (20 min)

Page 51:

Service provider perspective

• What does all of this mean to them?
  – More than a buying vehicle
  – Potential to help them engage the HE market
  – Help them identify features and functionality HE needs
• How does this help them?
  – Streamlined legal and procurement (along with security, etc)
  – NET+ legal work with their final approval if necessary
  – Additional insight into what works for their customers
• Potential costs for the service provider
  – Our security requirements require significant resources to meet
  – Potential development costs to add functionality

Page 52:

How is this, or how should this be, integrated into the information security community?

Page 53:

Relationship within Internet2

• InCommon
  – Require NET+ Service Providers to participate in InCommon
  – Work with InCommon on Identity Management
• TIER
  – Community Created and Curated Services could become a NET+ service
• Internet2 Network Services
  – Working with Paul Howell, Chief Cyberinfrastructure Security Officer
  – Collaborating on DDoS discussions for potential NET+ DDoS Response service
• CINO Working Groups (End-to-End Trust and Security)
  – Identifying any potential service providers or areas NET+ service providers might be interested in engaging with the community

Page 54:

Higher Education Relationships

• Educause/HEISC
  – Supporting HEISC mission major activity - Providing effective practices and guidance and fostering communication within the community
  – Supporting out of scope activities for "Developing or brokering information security fee-based services or tool" needed by the HE information security community
  – Suggestions for potential service providers, broad direction setting and priorities
• REN-ISAC
  – Support information sharing by REN-ISAC
  – Work with the community on threat intelligence or information sharing service providers
• Coordination with both on HE-wide issues

Page 55:

Relationships Outside of Edu

• Cloud Security Alliance
  – Updates on Cloud Control Matrix
  – Certified Cloud Security Professional with ISC2
  – Training on cloud security for HE information security staff
  – CSA Security, Trust & Assurance Registry (STAR)
• International Information System Security Certification Consortium, Inc., (ISC)²
  – Certified Cloud Security Professional
  – Training on cloud security for HE information security staff
• SANS, International Association of Privacy Professionals, others?
• Should the relationships with external organizations be led by a campus person or Internet2?

Page 56:

Group Discussion: How is this, or how should this be, integrated into the information security community? (20 min)

Page 57:

NET+ SECURITY AND IDENTITY PORTFOLIO DEVELOPMENT WORKSHOP

Nick Lewis Internet2 NET+ Program Manager, Security and Identity

© 2015 Internet2