© 2012 IBM Corporation
IBM Security Systems
Addressing Cloud Security – The Grand Challenge
Senior IT Architect, IBM Security Solutions
© Copyright IBM Corp. 2004, 2010. All Rights Reserved.
Cloud Security – Agenda
• Risks & Challenges
• IBM’s Point of View
• Mitigation Strategy
• Technologies & Tools
There is universal interest in cloud computing across all industries and geographies
Cost Take-out is Key Driver
• #1 reason to move to a public cloud is lower total cost of ownership
• Top reasons for moving to a private cloud include cost/resource efficiencies, as well as enhancing speed and flexibility
Security is Top Concern
• Security concerns are the top barrier to adoption of both public and private clouds
• Experience managing large outsourcing engagements gives IBM the tools to manage customers’ top cloud concerns
Adoption Patterns are Emerging
• Three distinctive end-user cloud buying patterns are emerging: exploratory, solution-focused and transformational
• There are reports that public clouds are being adopted faster than originally forecast
Security is a top concern in cloud adoption
Cloud computing tests the limits of security operations and infrastructure
Cloud characteristics: Self-Service, Highly Virtualized, Location Independence, Workload Automation, Rapid Elasticity, Standardization
Security and Privacy Domains:
• People and Identity
• Application and Process
• Network, Server and Endpoint
• Data and Information
• Physical Infrastructure
• Governance, Risk and Compliance
Security concerns raised by the move to cloud:
• Multiple Logins, Onboarding Issues
• Multi-tenancy, Data Separation
• Audit Silos, Compliance Controls
• Provider Controlled, Lack of Visibility
• Virtualization, Network Isolation
• External Facing, Quick Provisioning
In a cloud environment, access expands, responsibilities change, control shifts, and the speed of provisioning resources and applications increases - greatly affecting all aspects of IT security.
Different cloud deployment models also change the way we think about security
Private cloud: on or off premises cloud infrastructure operated solely for an organization and managed by the organization or a third party.
Public cloud: available to the general public or a large industry group and owned by an organization selling cloud services.
Hybrid IT: traditional IT and clouds (public and/or private) that remain separate but are bound together by technology that enables data and application portability.
Changes in Security and Privacy
Private cloud:
− Customer responsibility for infrastructure
− More customization of security controls
− Good visibility into day-to-day operations
− Easy access to logs and policies
− Applications and data remain “inside the firewall”
Public cloud:
− Provider responsibility for infrastructure
− Less customization of security controls
− No visibility into day-to-day operations
− Difficult access to logs and policies
− Applications and data are publicly exposed
Summary - Categories of Cloud Computing Risks
Less Control: Many companies and governments are uncomfortable with the idea of their information located on systems they do not control. Providers must offer a high degree of security transparency to help put customers at ease.
Data Security: Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Authentication and access technologies become increasingly important.
Reliability: High availability will be a key concern. IT departments will worry about a loss of service should outages occur. Mission critical applications may not run in the cloud without strong availability guarantees.
Compliance: Complying with SOX, HIPAA and other regulations may prohibit the use of clouds for some applications. Comprehensive auditing capabilities are essential.
Security Management: Providers must supply easy controls to manage firewall and security settings for applications and runtime environments in the cloud.
IBM Point of View: Cloud can be made secure for business
[Figure: Trust against security and privacy expectations, comparing Traditional IT with the Cloud]
As with most new technology paradigms, security concerns surrounding cloud computing have become the most widely talked about inhibitor of widespread usage.
To gain the trust of organizations, cloud services must deliver security and privacy expectations that meet or exceed what is available in traditional IT environments.
This is the same way transformational technologies of the past, such as PCs, outsourcing and the Internet, overcame their initial concerns.
One-size does not fit-all: Different cloud types have different security responsibilities
[Figure: The Cloud Curtain]
Adoption patterns are emerging for successfully beginning and progressing cloud initiatives
Infrastructure as a Service (IaaS): Cut IT expense and complexity through cloud data centers
Platform-as-a-Service (PaaS): Accelerate time to market with cloud platform services
Innovate business models by becoming a cloud service provider
Software as a Service (SaaS): Gain immediate access with business solutions on cloud
Each pattern has its own set of key security concerns
Cloud Enabled Data Center (Infrastructure as a Service): integrated service management, automation, provisioning, self service
Key security focus: Infrastructure and Identity
• Manage datacenter identities
• Secure virtual machines
• Patch default images
• Monitor logs on all resources
• Network isolation
Cloud Platform Services (Platform-as-a-Service): pre-built, pre-integrated IT infrastructures tuned to application-specific needs
Key security focus: Applications and Data
• Secure shared databases
• Encrypt private information
• Build secure applications
• Keep an audit trail
• Integrate existing security
Cloud Service Provider: advanced platform for creating, managing, and monetizing cloud services
Key security focus: Data and Compliance
• Isolate cloud tenants
• Policy and regulations
• Manage security operations
• Build compliant data centers
• Offer backup and resiliency
Business Solutions on Cloud (Software as a Service): capabilities provided to consumers for using a provider’s applications
Key security focus: Compliance and Governance
• Harden exposed applications
• Securely federate identity
• Deploy access controls
• Encrypt communications
• Manage application policies
Security Intelligence – threat intelligence, user activity monitoring, real time insights
IBM Cloud Security: One Size Does Not Fit All
IBM has a broad portfolio of products and services to help satisfy our customers’ most pressing security requirements.
Different security controls are appropriate for different cloud needs; the challenge becomes one of integration, coexistence, and recognizing what solution is best for a given workload.
Our approach to delivering security aligns with each phase of a client’s cloud project or initiative
IBM Cloud Security Approach
Design: establish a cloud strategy and implementation plan to get there.
Deploy: build cloud services, in the enterprise and/or as a cloud services provider.
Consume: manage and optimize consumption of cloud services.
Example security capabilities:
• Cloud security roadmap
• Secure development
• Network threat protection
• Server security
• Database security
• Application security
• Virtualization security
• Endpoint protection
• Configuration and patch management
• Identity and access management
• Secure cloud communications
• Managed security services
Secure by Design: focus on building security into the fabric of the cloud.
Workload Driven: secure cloud resources with innovative features and products.
Service Enabled: govern the cloud through ongoing security operations and workflow.
Cloud Enabled Data Center - simple use case
Pattern: Cloud Enabled Data Center
Components: Self-Service GUI, Cloud Platform, Resource Pool (Available Resource), Image Library (Machine Image), Hypervisor (Configured Machine Image, Virtual Machine), SW Catalog (Config Binaries)
1. User identity is verified and authenticated (Self-Service GUI, Cloud Platform)
2. Resource chosen from correct security domain (Resource Pool, Available Resource)
3. VM is configured with appropriate security policy (Image Library, Machine Image)
4. Image provisioned behind FW / IPS (Hypervisor, Configured Machine Image, Virtual Machine)
5. Host security installed and updated
6. Software patches applied and up-to-date (SW Catalog, Config Binaries)
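Constructed example, added here and not code from the deck or from IBM: it models the six gates of the use case above as a fail-closed provisioning check, so a request that is not authenticated, lands outside its tenant's security domain, or carries a stale image is refused before a VM is handed over. All resource names, policy names, agent versions and patch levels are invented sample data.

```python
# Constructed model of the six provisioning gates in the use case above; not IBM's
# code. Resource pool, images, catalog and agent versions are made-up sample data.
from dataclasses import dataclass

@dataclass
class Platform:
    pool: dict            # resource name -> security domain it belongs to
    policies: dict        # machine image -> security policy applied at configure time
    behind_fw_ips: set    # resources whose network path is behind the FW / IPS
    agent_versions: dict  # resource -> installed host security agent version
    current_agent: str    # latest host security agent version
    image_patch: dict     # machine image -> patch level baked into the image
    catalog_patch: dict   # machine image -> latest patch level in the SW catalog

def choose_resource(plat, domain):
    """Step 2: pick a free resource only from the tenant's own security domain."""
    return next((r for r, d in plat.pool.items() if d == domain), None)

def provision(plat, user, authenticated, domain, image):
    """Run gates 1-6 in order; fail closed at the first gate that is not met.
    Returns (vm or None, list of gate results)."""
    log = []
    def gate(n, text, ok):
        log.append(f"{n}. {text}: {'PASS' if ok else 'FAIL'}")
        return ok
    if not gate(1, "user identity verified and authenticated", authenticated):
        return None, log
    resource = choose_resource(plat, domain)
    if not gate(2, "resource chosen from correct security domain", resource is not None):
        return None, log
    policy = plat.policies.get(image)
    if not gate(3, "VM configured with security policy", policy is not None):
        return None, log
    if not gate(4, "image provisioned behind FW / IPS", resource in plat.behind_fw_ips):
        return None, log
    if not gate(5, "host security installed and updated",
                plat.agent_versions.get(resource) == plat.current_agent):
        return None, log
    if not gate(6, "software patches up-to-date",
                plat.image_patch.get(image) == plat.catalog_patch.get(image)):
        return None, log
    vm = {"owner": user, "resource": resource, "image": image, "policy": policy}
    return vm, log

# Sample platform state (constructed): two tenant domains, one stale host agent,
# one image whose patch level lags the SW catalog.
SAMPLE = Platform(
    pool={"host-a": "finance", "host-b": "hr"},
    policies={"web-img": "dmz-policy", "db-img": "restricted-policy"},
    behind_fw_ips={"host-a", "host-b"},
    agent_versions={"host-a": "3.2", "host-b": "3.1"},
    current_agent="3.2",
    image_patch={"web-img": "2012-02", "db-img": "2011-11"},
    catalog_patch={"web-img": "2012-02", "db-img": "2012-02"},
)

if __name__ == "__main__":
    vm, log = provision(SAMPLE, "alice", True, "finance", "web-img")
    print("\n".join(log), vm, sep="\n")
```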
Example - securing the cloud for service agility and assurance
Pattern: Cloud Enabled Data Center
Business challenge: deploy applications to the cloud with confidence that they’re secure, compliant, and meet regulatory requirements.
Key security requirements:
• Identity and Access Control: securely connect users to the cloud
• Virtualization Security: protection for the virtual infrastructure
• Image and Patch Management: keep cloud resources up-to-date and compliant
Solution: Tivoli Service Defense for Cloud (Security for IBM Tivoli Service Automation), helping the client ensure their cloud services are secure and reliable.
• Tivoli Service Automation Manager
• Virtual Server Protection for VMware
• Tivoli Identity Manager
• Tivoli Endpoint Manager
Our focus is in two areas of cloud security
1. Security from the Cloud
• Cloud-based Security Services: use cloud to deliver security as-a-Service, focusing on services such as vulnerability scanning, web and email security, etc.
2. Security for the Cloud
• Securing the Private Cloud stack (private cloud, on premise): focusing on building security into the cloud infrastructure and its workloads
• Secure usage of Public Cloud applications (public cloud, off premise): focusing on Audit, Access and Secure Connectivity
Security Services delivered from the Cloud: delivering high-value services for cloud and traditional compute environments with little or no security device investment or maintenance
• Security Event and Log Management: offsite management of logs and events from intrusion protection services, firewalls and operating systems
• Vulnerability Management Service: helps provide proactive discovery and remediation of vulnerabilities
• Managed Web and Email Security: helps protect against spam, worms, viruses, spyware, adware and offensive content
• IBM X-Force® Threat Analysis Service: customized security intelligence based on threat information from IBM X-Force® research and development
• Application Security Management: supports improved web application security to help reduce data loss, financial loss and website downtime with advanced security testing
• Mobile Device Security Management: helps protect against malware and other threats while enabling mobile access
Delivered as a cloud based subscription service with monitoring and management.
End-to-end IBM security products for securing the cloud
Securing Cloud with IBM Security Systems: Security Intelligence ● People ● Data ● Apps ● Infrastructure
• IBM QRadar Security Intelligence: total visibility into virtual environments
• IBM AppScan Suite: scan cloud based web and web services apps for vulnerabilities
• IBM Endpoint Manager: patch and configuration management of VMs
• IBM Virtual Server Protection for VMware: protect VMs from advanced threats
• IBM InfoSphere Guardium Suite: protect and monitor access to shared databases
• IBM Identity and Access Management Suite: identity integration, provision users to SaaS applications; desktop single sign on supporting desktop virtualization
• IBM Network IPS: defend cloud users and apps from network attacks
IBM Security Standards ParticipationClient-focused open standards and interoperability
• Cloud Architecture Standards – including Security for SOA and Cloud
• Cloud Audit Working Group – federation and classification of audit data for compliance reporting
• Identity in the Cloud TC – published Cloud Identity Mgmt. Use Cases Whitepaper covering 15 Identity Management categories; SaaS, PaaS & IaaS service models; Private, Public & Hybrid Cloud
– Drafting Cloud IdM Standards Gap Analysis
• ISO JTC 1/SC 27 – IT Security Techniques – including cloud security methodologies, procedures, guidelines, documentation and evaluation procedures
IBM & CSCC contributing to cloud security standards development to address barriers in cloud adoption
“CSCC Forms New Security Working Group” - Feb. 2012
• 280+ companies are participating
• 50% operate outside the IT realm
• Provide customer-led guidance to the multiple cloud standards-defining bodies
• Establishing the criteria for open-standards-based cloud computing
• Develop high priority use cases for cloud security that reflect customer issues and pain points
• Identify Regulatory Compliance Capabilities and Options through Security Architecture Standards
• Identify “Best-of-Breed” Security Solutions for Customers of Cloud
Soliciting membership: http://www.cloud-council.org
Co-chaired by The Kroger Co. & Boeing
IBM continues to research, test and document more focused approaches to cloud security
IBM Research: special research concentration in cloud security
IBM X-Force: proactive counter intelligence and public education
Customer Councils: real-world feedback from clients adopting cloud
Standards Participation: client-focused open standards and interoperability
IBM Institute for Advanced Security: collaboration between academia, industry, government, and the IBM technical community
Thank You
Acknowledgements, disclaimers and trademarks
© Copyright IBM Corporation 2012. All rights reserved.
The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
References in this publication to IBM products, programs or services do not imply that they will be made available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth, savings or other results. All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
Information concerning non-IBM products and services was obtained from a supplier of those products and services. IBM has not tested these products or services and cannot confirm the accuracy of performance, compatibility, or any other claims related to non-IBM products and services. Questions on the capabilities of non-IBM products and services should be addressed to the supplier of those products and services.
All customer examples cited or described are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer and will vary depending on individual customer configurations and conditions. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
Prices are suggested U.S. list prices and are subject to change without notice. Starting price may not include a hard drive, operating system or other features. Contact your IBM representative or Business Partner for the most current pricing in your geography.
IBM, the IBM logo, ibm.com, Tivoli, the Tivoli logo, Tivoli Enterprise Console, Tivoli Storage Manager FastBack, and other IBM products and services are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml