Securing the Cloud - GSE Young IBM Security for Cloud... · Securing the Cloud Johan Van Mengsel


  • 2010 IBM Corporation

    Securing the Cloud

    Johan Van Mengsel, CISSP
    Open Group Distinguished IT Specialist
    IBM Global Technology Services

    IBM Cloud Security Strategy


    Today's Challenges

    85% idle: In distributed computing environments, up to 85% of computing capacity sits idle.

    1.5x: Explosion of information driving 54% growth in storage shipments every year.

    70¢ per $1: 70% on average is spent on maintaining current IT infrastructures versus adding new capabilities.

    33%: 33% of consumers notified of a security breach will terminate their relationship with the company they perceive as responsible.

    $40 billion: Consumer product and retail industries lose about $40 billion annually, or 3.5 percent of their sales, due to supply chain inefficiencies.

    It's time to start thinking differently about infrastructure

  • 2010 IBM Corporation

    Requires Smarter IT Services


    Cloud computing is a new consumption and delivery model

    Yesterday

    Today


    Cloud Computing provides workload optimized models for delivery and consumption of IT services


    Attributes | Characteristics | Benefits
    Advanced virtualization | IT resources can be shared between many applications. Applications can run anywhere. | Providing more efficient utilization of IT resources.
    Automated provisioning | IT resources are provisioned or de-provisioned on demand. | Reducing IT cycle time and management cost
    Elastic scaling | IT environments scale down and up as the need changes. | Increasing flexibility
    Service catalog ordering | Defined environments can be ordered from a catalog. | Enabling self-service
    Metering and billing | Services are tracked with usage metrics. | Offering more flexible pricing schemes
    Internet Access | Services are delivered through the Internet. | Access anywhere, anytime

    AUTOMATION, STANDARDIZATION, VIRTUALIZATION

  • 2010 IBM Corporation, 3/15/2012

    Sounds great, what is preventing the adoption of Cloud Computing EVERYWHERE?

    Current Cloud Computing offerings are best effort

    The Cloud Computing providers don't currently have the rigour which traditional IT sourcing providers have

    No (or weak) service level agreements (SLAs) regarding quality of service: performance, uptime, throughput, confidentiality, etc.

    No commitment regarding data residency

    Architecturally, these constraints prevent or hamper the running of mission-critical, or highly regulated data in current Cloud offerings.

    As Cloud providers mature their offerings this will change

    For now, corporations will not let their enterprise workloads run in the Cloud, as they cannot assert the quality of service

    Multi-tenancy is a key concern


    Security Challenges in Cloud Computing


  • 2009 IBM Corporation

    Security and Cloud Computing

    9/15/2009

    Cloud Security: Simple Example


    Today's Data Center: We Have Control

    It's located at X.
    It's stored in servers Y, Z.
    We have backups in place.
    Our admins control access.
    Our uptime is sufficient.
    The auditors are happy.
    Our security team is engaged.

    Tomorrow's Public Cloud: Who Has Control?

    Where is it located?
    Where is it stored?
    Who backs it up?
    Who has access?
    How resilient is it?
    How do auditors observe?
    How does our security team engage?


    Security in the Cloud

    According to IBM's Institute for Business Value 2010 Global IT Risk Study, cloud computing raised serious concerns among respondents about the use, access and control of data:

    77%: Cloud makes protecting privacy more difficult
    50%: Concerned about a data breach or loss
    23%: Concerned about a weakening of the corporate network

    A recent Appirio survey of 150+ mid to large-sized firms that have already adopted cloud applications:

    Single Biggest Misconception about the Cloud | % of Respondents
    Security is an issue with the cloud | 28%
    Cloud solutions are difficult to integrate | 15%
    Cloud solutions have a higher chance of lock-in | 13%
    Cloud solutions are difficult to customize | 12%
    Cloud solutions are not reliable | 10%
    Cloud vendors are not yet viable | 8%
    None | 7%
    The cloud model is not proven | 6%

    [Chart: Ensuring security & compliance, rated on a scale of Unimportant, Of Little Importance, Somewhat Important, Important, Very Important]

    Appirio, State of the Public Cloud: The Cloud Adopters Perspective, October 2010

    http://thecloud.appirio.com/StateofthePublicCloudWhitepaper1.html

  • 2011 IBM Corporation


    Customer Requirements for Cloud Security

    Identity and access management 21

    Intrusion prevention and response 37

    Patch management 7

    Data Management 12

    Virtualization Security 12

    Governance, risk & compliance 25

    Data Sources: Formal RFPs, Project Architect Interviews

    World-Wide Representation: NE IOT, SW IOT, MEA, North America IOT, ANZ

    16 Cross Industry Customers: 6 Telcos, 3 CSIs, 1 Government, 1 Bank, 1 Manufacturing, 1 SMB, 2 IBM

    Analyzed Results of the analysis of existing customer requirements for Cloud Security


    Risks introduced by cloud computing

    Less Control: Where the information is located and stored, who has access rights, how access is monitored & managed, including resiliency

    Data Security: Challenges with an increase in potential unauthorized exposure when migrating workloads to a shared network and compute infrastructure

    Security Management: Control needed to manage firewall and security settings for applications and runtime environments in the cloud

    Compliance: Restrictions imposed by industry regulations over the use of clouds for some applications

    Reliability: Concerns with high availability and loss of service should outages occur

    Risks across private, public and hybrid cloud delivery models (Private Clouds, Public Clouds)

  • 2011 IBM Corporation

    Adoption patterns are emerging for successfully beginning and progressing cloud initiatives


    Infrastructure as a Service (IaaS): Cut IT expense and complexity through cloud data centers

    Platform-as-a-Service (PaaS): Accelerate time to market with cloud platform services

    Innovate business models by becoming a cloud service provider

    Software as a Service (SaaS): Gain immediate access with business solutions on cloud


    Each pattern has its own set of key security concerns

    Cloud Enabled Data Center
    Integrated service management, automation, provisioning, self service
    Key security focus (Infrastructure and Identity): Manage datacenter identities; Secure virtual machines; Patch default images; Monitor logs on all resources; Network isolation

    Cloud Platform Services
    Pre-built, pre-integrated IT infrastructures tuned to application-specific needs
    Key security focus (Applications and Data): Secure shared databases; Encrypt private information; Build secure applications; Keep an audit trail; Integrate existing security

    Cloud Service Provider
    Advanced platform for creating, managing, and monetizing cloud services
    Key security focus (Data and Compliance): Isolate cloud tenants; Policy and regulations; Manage security operations; Build compliant data centers; Offer backup and resiliency

    Business Solutions on Cloud
    Capabilities provided to consumers for using a provider's applications
    Key security focus (Compliance and Governance): Harden exposed applications; Securely federate identity; Deploy access controls; Encrypt communications; Manage application policies


  • 2010 IBM Corporation

    Cloud Deployment/Delivery and Security


    Depending on an organization's readiness to adopt cloud, there is a wide array of deployment and delivery options

    Software as a Service (SaaS)
    Business Process as a Service (BPaaS)
    Platform as a Service (PaaS)
    Infrastructure as a Service (IaaS)

    Scale: More Embedded Security to Less Embedded Security


    Self-Service

    Highly Virtualized

    Location Independence

    Workload Automation

    Rapid Elasticity

    Standardization

    Cloud computing tests the limits of security operations and infrastructure


    People and Identity

    App