Sreekanth Iyer, IBM, Addressing Cloud Security
Page 1: Sreekanth Iyer, IBM, Addressing Cloud Security

© 2012 IBM Corporation

IBM Security Systems

Addressing Cloud Security – The Grand Challenge

[email protected]

Senior IT Architect, IBM Security Solutions

Page 2

© Copyright IBM Corp. 2004, 2010. All Rights Reserved.

Cloud Security – Agenda

Risks & Challenges

IBM’s Point of View

Mitigation Strategy

Technologies & Tools

Page 3

There is universal interest in cloud computing across all industries and geographies

Cost Take-out is Key Driver
• #1 reason to move to a public cloud is lower total cost of ownership
• Top reasons for moving to a private cloud include cost/resource efficiencies, as well as enhancing speed and flexibility

Security is Top Concern
• Security concerns are the top barrier to adoption of both public and private clouds
• Experience managing large outsourcing engagements gives IBM the tools to manage customers’ top cloud concerns

Adoption Patterns are Emerging
• Three distinctive end-user cloud buying patterns are emerging: exploratory, solution-focused and transformational
• There are reports that public clouds are being adopted faster than originally forecast

Security is a top concern in cloud adoption

Page 4

Cloud computing tests the limits of security operations and infrastructure

Cloud characteristics: Self-Service, Highly Virtualized, Location Independence, Workload Automation, Rapid Elasticity, Standardization

Security and Privacy Domains, and the issues each faces when moving to cloud:
People and Identity: Multiple Logins, Onboarding Issues
Data and Information: Multi-tenancy, Data Separation
Governance, Risk and Compliance: Audit Silos, Compliance Controls
Physical Infrastructure: Provider Controlled, Lack of Visibility
Network, Server and Endpoint: Virtualization, Network Isolation
Application and Process: External Facing, Quick Provisioning

In a cloud environment, access expands, responsibilities change, control shifts, and the speed of provisioning resources and applications increases - greatly affecting all aspects of IT security.

Page 5

Different cloud deployment models also change the way we think about security

Private cloud: On or off premises cloud infrastructure operated solely for an organization and managed by the organization or a third party.

Public cloud: Available to the general public or a large industry group and owned by an organization selling cloud services.

Hybrid IT: Traditional IT and clouds (public and/or private) that remain separate but are bound together by technology that enables data and application portability.

Changes in Security and Privacy

Private cloud:
− Customer responsibility for infrastructure
− More customization of security controls
− Good visibility into day-to-day operations
− Easy access to logs and policies
− Applications and data remain “inside the firewall”

Public cloud:
− Provider responsibility for infrastructure
− Less customization of security controls
− No visibility into day-to-day operations
− Difficult access to logs and policies
− Applications and data are publicly exposed

Page 6

Summary - Categories of Cloud Computing Risks

Less Control: Many companies and governments are uncomfortable with the idea of their information located on systems they do not control. Providers must offer a high degree of security transparency to help put customers at ease.

Data Security: Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Authentication and access technologies become increasingly important.

Reliability: High availability will be a key concern. IT departments will worry about a loss of service should outages occur. Mission critical applications may not run in the cloud without strong availability guarantees.

Compliance: Complying with SOX, HIPAA and other regulations may prohibit the use of clouds for some applications. Comprehensive auditing capabilities are essential.

Security Management: Providers must supply easy controls to manage firewall and security settings for applications and runtime environments in the cloud.

Page 7

IBM Point of View: Cloud can be made secure for business

Figure: Trust (Traditional IT compared with In the Cloud) plotted against Security and Privacy Expectations

As with most new technology paradigms, security concerns surrounding cloud computing have become the most widely talked about inhibitor of widespread usage.

To gain the trust of organizations, cloud services must deliver security and privacy expectations that meet or exceed what is available in traditional IT environments.

This follows the pattern of transformational technologies of the past, such as PCs, outsourcing and the Internet, which overcame similar concerns.

Page 8

One-size does not fit-all: Different cloud types have different security responsibilities

Figure: The Cloud Curtain

Page 9

Adoption patterns are emerging for successfully beginning and progressing cloud initiatives

Infrastructure as a Service (IaaS): Cut IT expense and complexity through cloud data centers

Platform-as-a-Service (PaaS): Accelerate time to market with cloud platform services

Innovate business models by becoming a cloud service provider

Software as a Service (SaaS): Gain immediate access with business solutions on cloud

Page 10

Each pattern has its own set of key security concerns

Cloud Enabled Data Center (Infrastructure as a Service, IaaS: cut IT expense and complexity through cloud data centers)
Integrated service management, automation, provisioning, self service
Key security focus: Infrastructure and Identity
• Manage datacenter identities
• Secure virtual machines
• Patch default images
• Monitor logs on all resources
• Network isolation

Cloud Platform Services (Platform as a Service, PaaS: accelerate time to market with cloud platform services)
Pre-built, pre-integrated IT infrastructures tuned to application-specific needs
Key security focus: Applications and Data
• Secure shared databases
• Encrypt private information
• Build secure applications
• Keep an audit trail
• Integrate existing security

Cloud Service Provider (innovate business models by becoming a cloud service provider)
Advanced platform for creating, managing, and monetizing cloud services
Key security focus: Data and Compliance
• Isolate cloud tenants
• Policy and regulations
• Manage security operations
• Build compliant data centers
• Offer backup and resiliency

Business Solutions on Cloud (Software as a Service, SaaS: gain immediate access with business solutions on cloud)
Capabilities provided to consumers for using a provider’s applications
Key security focus: Compliance and Governance
• Harden exposed applications
• Securely federate identity
• Deploy access controls
• Encrypt communications
• Manage application policies

Security Intelligence (all patterns) – threat intelligence, user activity monitoring, real time insights
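Two of the concerns listed above recur throughout this deck: securing shared databases and isolating cloud tenants (the same issue appears earlier as "Multi-tenancy, Data Separation" under Data and Information). In code they come down to one discipline: every query against a shared table is scoped by a tenant identifier taken from the authenticated session, never from the request. The following Python example is added here by the editor and is not code from the IBM deck or from any IBM product; the invoices table, the tenant names acme and globex and every row are constructed for illustration. It places the leaky query beside the scoped one and adds an audit helper that flags rows a tenant-scoped request should never have returned.

```python
"""Tenant isolation on a shared database: the leaky query beside the scoped one.

Added example by the editor, not code from the deck or any IBM product. The
invoices table, the tenants acme and globex and every row are constructed.
"""
import sqlite3

# Constructed sample data: two tenants whose rows share one physical table.
SAMPLE_ROWS = [
    ("acme", "inv-1001", 1200.00),
    ("acme", "inv-1002", 350.50),
    ("globex", "inv-2001", 9800.00),
]


def build_shared_db():
    """In-memory multi-tenant table; tenant_id is part of the primary key."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        " tenant_id TEXT NOT NULL, invoice_id TEXT NOT NULL, amount REAL NOT NULL,"
        " PRIMARY KEY (tenant_id, invoice_id))"
    )
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def leaky_lookup(conn, invoice_prefix):
    """Weak pattern: the query trusts the caller and never filters by tenant,
    so a user of one tenant who can influence the prefix reads every tenant."""
    cur = conn.execute(
        "SELECT tenant_id, invoice_id, amount FROM invoices"
        " WHERE invoice_id LIKE ? ORDER BY tenant_id, invoice_id",
        (invoice_prefix + "%",),
    )
    return cur.fetchall()


def scoped_lookup(conn, session_tenant, invoice_prefix):
    """Hardened pattern: tenant_id comes from the authenticated session, never
    from the request, and is bound as a parameter on every query."""
    cur = conn.execute(
        "SELECT tenant_id, invoice_id, amount FROM invoices"
        " WHERE tenant_id = ? AND invoice_id LIKE ? ORDER BY tenant_id, invoice_id",
        (session_tenant, invoice_prefix + "%"),
    )
    return cur.fetchall()


def cross_tenant_rows(rows, session_tenant):
    """Audit check: rows a tenant-scoped request should never have produced."""
    return [row for row in rows if row[0] != session_tenant]


if __name__ == "__main__":
    db = build_shared_db()
    leaked = leaky_lookup(db, "inv-")
    print("leaky:", leaked, "cross-tenant:", cross_tenant_rows(leaked, "acme"))
    print("scoped:", scoped_lookup(db, "acme", "inv-"))
```

Running the module prints both result sets. The value of cross_tenant_rows is that it needs to know nothing about the application's query logic: any row whose tenant_id differs from the session's tenant is a data separation failure, whatever caused it, so the same check can run in tests and as an audit over query results in production.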

Page 11

IBM has a broad portfolio of products and services to help satisfy our customer’s most pressing security requirements

Different security controls are appropriate for different cloud needs - the challenge becomes one of integration, coexistence, and recognizing what solution is best for a given workload.

IBM Cloud Security: One Size Does Not Fit All

Page 12

Our approach to delivering security aligns with each phase of a client’s cloud project or initiative

Design: Establish a cloud strategy and implementation plan to get there.
Deploy: Build cloud services, in the enterprise and/or as a cloud services provider.
Consume: Manage and optimize consumption of cloud services.

Example security capabilities:
• Cloud security roadmap
• Secure development
• Network threat protection
• Server security
• Database security
• Application security
• Virtualization security
• Endpoint protection
• Configuration and patch management
• Identity and access management
• Secure cloud communications
• Managed security services

IBM Cloud Security Approach
Secure by Design: Focus on building security into the fabric of the cloud.
Workload Driven: Secure cloud resources with innovative features and products.
Service Enabled: Govern the cloud through ongoing security operations and workflow.

Page 13

Cloud Enabled Data Center - simple use case

Cloud Enabled Data Center

Flow: Self-Service GUI → Cloud Platform → Resource Pool (Available Resource) → Image Library (Machine Image) → Hypervisor (Configured Machine Image → Virtual Machine) → SW Catalog (Config Binaries)

1. User identity is verified and authenticated (Self-Service GUI)
2. Resource chosen from correct security domain (Resource Pool)
3. VM is configured with appropriate security policy (Image Library)
4. Image provisioned behind FW / IPS (Hypervisor)
5. Host security installed and updated (Virtual Machine)
6. Software patches applied and up-to-date (SW Catalog)
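The six numbered checks above are a procedure, and the natural way to enforce them is a policy gate that runs them in slide order and refuses to provision if any one fails. The following Python example is added here by the editor and is not code from the deck, from Tivoli Service Automation Manager or from any IBM product; the session model, resource pool, image library, software catalogue, the domain names dmz and internal, and identifiers such as r-dmz-1 and rhel6-web are all constructed assumptions.

```python
"""Policy gate for the six-step provisioning flow shown on this slide.

Added example by the editor, not code from the deck or any IBM product.
Sessions, pool, image library, catalogue, domains and identifiers are constructed.
"""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    authenticated: bool   # step 1: identity already verified by the platform
    domains: frozenset    # security domains this identity may provision into


@dataclass
class Resource:
    resource_id: str
    domain: str           # security domain / network segment of this slot
    behind_fw_ips: bool   # step 4: placed behind the firewall / IPS
    in_use: bool = False


@dataclass
class MachineImage:
    name: str
    family: str           # key into SW_CATALOG
    patch_level: int      # step 6: patch level baked into the image
    host_agent: bool      # step 5: host security (AV / HIPS) installed


# Constructed catalogue: latest approved patch level per image family (step 6).
SW_CATALOG = {"rhel6-web": 14, "win2008-app": 9}

# Constructed security policy attached to every VM in a domain (step 3).
DOMAIN_POLICY = {
    "dmz": {"inbound_ports": frozenset({443}), "log_forwarding": True},
    "internal": {"inbound_ports": frozenset({22, 8443}), "log_forwarding": True},
}


class ProvisioningDenied(Exception):
    """Any failed check stops the request; nothing is provisioned."""


def choose_resource(pool, domain):
    """Step 2: a free resource from the requested domain only, with no
    fallback to another domain's pool (a fallback is how isolation breaks)."""
    for res in pool:
        if res.domain == domain and not res.in_use:
            return res
    raise ProvisioningDenied(f"step 2: no free resource in domain {domain!r}")


def provision(session, pool, images, image_name, domain):
    """Run the six checks in slide order; return the VM record on success."""
    if not session.authenticated:                       # 1. identity verified
        raise ProvisioningDenied("step 1: session is not authenticated")
    if domain not in session.domains:                   # 1. and authorised for domain
        raise ProvisioningDenied(f"step 1: {session.user!r} not authorised for {domain!r}")
    resource = choose_resource(pool, domain)            # 2. correct security domain
    policy = DOMAIN_POLICY.get(domain)                  # 3. domain security policy
    if policy is None:
        raise ProvisioningDenied(f"step 3: no security policy for {domain!r}")
    if not resource.behind_fw_ips:                      # 4. behind FW / IPS
        raise ProvisioningDenied(f"step 4: {resource.resource_id} is not behind FW/IPS")
    image = images.get(image_name)                      # 5. host security present
    if image is None or not image.host_agent:
        raise ProvisioningDenied(f"step 5: image {image_name!r} missing or has no host agent")
    required = SW_CATALOG.get(image.family)             # 6. patched to catalogue level
    if required is None or image.patch_level < required:
        raise ProvisioningDenied(f"step 6: {image_name!r} at patch {image.patch_level}, "
                                 f"catalogue requires {required}")
    resource.in_use = True
    return {"resource_id": resource.resource_id, "domain": domain, "image": image.name,
            "patch_level": image.patch_level, "policy": policy}


def try_provision(session, pool, images, image_name, domain):
    """provision() for callers that want {'denied': reason} instead of an exception."""
    try:
        return provision(session, pool, images, image_name, domain)
    except ProvisioningDenied as exc:
        return {"denied": str(exc)}


def sample_environment():
    """Constructed pool and image library; r-int-2 is a misplaced host."""
    pool = [Resource("r-dmz-1", "dmz", True),
            Resource("r-int-1", "internal", True),
            Resource("r-int-2", "internal", False)]
    images = {"rhel6-web": MachineImage("rhel6-web", "rhel6-web", 14, True),
              "rhel6-web-stale": MachineImage("rhel6-web-stale", "rhel6-web", 11, True),
              "win2008-app": MachineImage("win2008-app", "win2008-app", 9, False)}
    return pool, images


if __name__ == "__main__":
    pool, images = sample_environment()
    alice = Session("alice", True, frozenset({"dmz"}))
    bob = Session("bob", True, frozenset({"internal"}))
    for who, img, dom in [(alice, "rhel6-web", "dmz"), (alice, "rhel6-web", "internal"),
                          (bob, "rhel6-web-stale", "internal"), (bob, "win2008-app", "internal"),
                          (bob, "rhel6-web", "internal"), (bob, "rhel6-web", "internal")]:
        print(who.user, dom, img, "->", try_provision(who, pool, images, img, dom))
```

Two design points. Step 2 deliberately has no fallback: if the requested domain's pool is exhausted the request is denied rather than satisfied from another domain, because a helpful fallback is exactly how a DMZ workload ends up on an internal segment. The patch check compares against the catalogue's approved level for the image family rather than a fixed number, so raising the level in the catalogue automatically retires every stale image in the library.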

Page 14

Example - securing the cloud for service agility and assurance

Cloud Enabled Data Center

Business challenge: Deploy applications to the cloud with confidence that they’re secure, compliant, and meet regulatory requirements.

Key security requirements
• Identity and Access Control: securely connect users to the cloud
• Virtualization Security: protection for the virtual infrastructure
• Image and Patch Management: keep cloud resources up-to-date and compliant

Security for IBM Tivoli Service Automation (Tivoli Service Defense for Cloud)
• Tivoli Service Automation Manager
• Virtual Server Protection for VMware
• Tivoli Identity Manager
• Tivoli Endpoint Manager

Helping the client ensure their cloud services are secure and reliable.

Page 15

Our focus is in two areas of cloud security

1. Security from the Cloud: Cloud-based Security Services. Use cloud to deliver security as-a-Service, focusing on services such as vulnerability scanning, web and email security, etc.

2. Security for the Cloud:
• Public cloud (off premise): Secure usage of Public Cloud applications, focusing on Audit, Access and Secure Connectivity
• Private cloud (on premise): Securing the Private Cloud stack, focusing on building security into the cloud infrastructure and its workloads

Page 16

Security Services delivered from the Cloud (area 1: Security from the Cloud)
Delivering high-value services for cloud and traditional compute environments with little or no security device investment or maintenance

Monitoring and management: cloud based, subscription service

Security Event and Log Management: Offsite management of logs and events from intrusion protection services, firewalls and operating systems

Vulnerability Management Service: Helps provide proactive discovery and remediation of vulnerabilities

Managed Web and Email Security: Helps protect against spam, worms, viruses, spyware, adware and offensive content

IBM X-Force® Threat Analysis Service: Customized security intelligence based on threat information from IBM X-Force® research and development

Application Security Management: Supports improved web application security to help reduce data loss, financial loss and website downtime with advanced security testing

Mobile Device Security Management: Helps protect against malware and other threats while enabling mobile access

Page 17

End-to-end IBM security products for securing the cloud

Securing Cloud with IBM Security Systems (area 2: Security for the Cloud): Security Intelligence ● People ● Data ● Apps ● Infrastructure

IBM QRadar Security Intelligence: Total visibility into virtual environments
IBM AppScan Suite: Scan cloud based web and web services apps for vulnerabilities
IBM Endpoint Manager: Patch and configuration management of VMs
IBM Virtual Server Protection for VMware: Protect VMs from advanced threats
IBM InfoSphere Guardium Suite: Protect and monitor access to shared databases
IBM Identity and Access Management Suite: Identity integration, provision users to SaaS applications; desktop single sign on supporting desktop virtualization
IBM Network IPS: Defend cloud users and apps from network attacks

Page 18

IBM Security Standards Participation: Client-focused open standards and interoperability

• Cloud Architecture Standards – Including Security for SOA and Cloud
• Cloud Audit Working Group – Federation and Classification of Audit Data for Compliance Reporting
• Identity in the Cloud TC – Published Cloud Identity Mgmt. Use Cases Whitepaper covering: 15 Identity Management categories; SaaS, PaaS & IaaS service models; Private, Public & Hybrid Cloud
– Drafting Cloud IdM Standards Gap Analysis
• ISO JTC 1/SC 27 – IT Security Techniques – Including cloud security methodologies, procedures, guidelines, documentation and evaluation procedures

IBM & CSCC contributing to cloud security standards development to address barriers in cloud adoption

Page 19

• Provide customer-led guidance to the multiple cloud standards-defining bodies
• Establishing the criteria for open-standards-based cloud computing

280+ companies are participating; 50% operate outside the IT realm

“CSCC Forms New Security Working Group” - Feb. 2012
- Co-chaired by The Kroger Co. & Boeing
• Develop high priority use cases for cloud security that reflect customer issues and pain points
• Identify Regulatory Compliance Capabilities and Options through Security Architecture Standards
• Identify “Best-of-Breed” Security Solutions for Customers of Cloud

Soliciting Membership: http://www.cloud-council.org

Page 20

IBM continues to research, test and document more focused approaches to cloud security

IBM Research: Special research concentration in cloud security
IBM X-Force: Proactive counter intelligence and public education
Customer Councils: Real-world feedback from clients adopting cloud
Standards Participation: Client-focused open standards and interoperability
IBM Institute for Advanced Security: Collaboration between academia, industry, government, and the IBM technical community

Page 21

Thank You


Page 22

Page 23

Acknowledgements, disclaimers and trademarks

© Copyright IBM Corporation 2012. All rights reserved.

The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

References in this publication to IBM products, programs or services do not imply that they will be made available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth, savings or other results. All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

Information concerning non-IBM products and services was obtained from a supplier of those products and services. IBM has not tested these products or services and cannot confirm the accuracy of performance, compatibility, or any other claims related to non-IBM products and services. Questions on the capabilities of non-IBM products and services should be addressed to the supplier of those products and services.

All customer examples cited or described are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer and will vary depending on individual customer configurations and conditions. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.

Prices are suggested U.S. list prices and are subject to change without notice. Starting price may not include a hard drive, operating system or other features. Contact your IBM representative or Business Partner for the most current pricing in your geography.

IBM, the IBM logo, ibm.com, Tivoli, the Tivoli logo, Tivoli Enterprise Console, Tivoli Storage Manager FastBack, and other IBM products and services are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml