Securing the Cloud
IBM Cloud Security Strategy

Johan Van Mengsel, CISSP
Open Group Distinguished IT Specialist
IBM Global Technology Services

© 2010 IBM Corporation

Today's Challenges

In distributed computing environments, up to 85% of computing capacity sits idle.

Explosion of information driving 54% growth in storage shipments every year.

70% on average is spent on maintaining current IT infrastructures versus adding new capabilities.

33% of consumers notified of a security breach will terminate their relationship with the company they perceive as responsible.

Consumer product and retail industries lose about $40 billion annually, or 3.5 percent of their sales, due to supply chain inefficiencies.

(Callouts: 85% idle; 1.5x; 70¢ per $1; 33%; $40 billion)

It's time to start thinking differently about infrastructure. This requires smarter IT services.

Cloud computing is a new consumption and delivery model

Yesterday / Today

Cloud Computing provides workload optimized models for delivery and consumption of IT services

Attributes / Characteristics / Benefits:

Advanced virtualization: IT resources can be shared between many applications. Applications can run anywhere. Benefit: more efficient utilization of IT resources.
Automated provisioning: IT resources are provisioned or de-provisioned on demand. Benefit: reduced IT cycle time and management cost.
Elastic scaling: IT environments scale down and up as the need changes. Benefit: increased flexibility.
Service catalog ordering: Defined environments can be ordered from a catalog. Benefit: self-service.
Metering and billing: Services are tracked with usage metrics. Benefit: more flexible pricing schemes.
Internet access: Services are delivered through the Internet. Benefit: access anywhere, anytime.

Underlying themes: Automation, Standardization, Virtualization

Sounds great, so what is preventing the adoption of Cloud Computing EVERYWHERE?

• Current Cloud Computing offerings are best effort
• The Cloud Computing providers don't currently have the rigour which traditional IT sourcing providers have
• No (or weak) service level agreements (SLAs) regarding quality of service:
  – Performance
  – Uptime
  – Throughput
  – Confidentiality
  – etc.
• No commitment regarding data residency
• Architecturally, these constraints prevent or hamper the running of mission critical or highly regulated data in current Cloud offerings.
• As Cloud providers mature their offerings, this will change
• For now, corporations will not let their enterprise workloads run in the Cloud, as they cannot assert the quality of service
• Multi-tenancy is a key concern

Security Challenges in Cloud Computing

© 2009 IBM Corporation, Security and Cloud Computing, 9/15/2009

Cloud Security: Simple Example

Today's Data Center: We Have Control
  It's located at X.
  It's stored in servers Y, Z.
  We have backups in place.
  Our admins control access.
  Our uptime is sufficient.
  The auditors are happy.
  Our security team is engaged.

Tomorrow's Public Cloud: Who Has Control?
  Where is it located?
  Where is it stored?
  Who backs it up?
  Who has access?
  How resilient is it?
  How do auditors observe?
  How does our security team engage?

Security in the Cloud

According to IBM's Institute for Business Value 2010 Global IT Risk Study, cloud computing raised serious concerns among respondents about the use, access and control of data.

A recent Appirio survey of 150+ mid to large-sized firms that have already adopted cloud applications:

  77%  Cloud makes protecting privacy more difficult
  50%  Concerned about a data breach or loss
  23%  Concerned about a weakening of the corporate network

Single Biggest Misconception about the Cloud (% of respondents):

  28%  Security is an issue with the cloud
  15%  Cloud solutions are difficult to integrate
  13%  Cloud solutions have a higher chance of lock-in
  12%  Cloud solutions are difficult to customize
  10%  Cloud solutions are not reliable
   8%  Cloud vendors are not yet viable
   7%  None
   6%  The cloud model is not proven

(Chart: importance of "Ensuring security & compliance", rated on the scale Unimportant / Of Little Importance / Somewhat Important / Important / Very Important)

Source: Appirio, State of the Public Cloud: The Cloud Adopters' Perspective, October 2010
http://thecloud.appirio.com/StateofthePublicCloudWhitepaper1.html

Customer Requirements for Cloud Security

Analyzed results of the analysis of existing customer requirements for Cloud Security

Requirement categories (chart values):
  Identity and access management: 21
  Intrusion prevention and response: 37
  Patch management: 7
  Data Management: 12
  Virtualization Security: 12
  Governance, risk & compliance: 25

Data Sources: Formal RFPs, Project Architect Interviews

World-Wide Representation: NE IOT, SW IOT, MEA, North America IOT, ANZ

16 Cross Industry Customers: 6 Telcos, 3 CSIs, 1 Government, 1 Bank, 1 Manufacturing, 1 SMB, 2 IBM

Risks introduced by cloud computing

Risks across private, public and hybrid cloud delivery models (from Private Clouds to Public Clouds):

Less Control: Where the information is located and stored, who has access rights, how access is monitored & managed, including resiliency
Data Security: Challenges with an increase in potential unauthorized exposure when migrating workloads to a shared network and compute infrastructure
Security Management: Control needed to manage firewall and security settings for applications and runtime environments in the cloud
Compliance: Restrictions imposed by industry regulations over the use of clouds for some applications
Reliability: Concerns with high availability and loss of service should outages occur

Adoption patterns are emerging for successfully beginning and progressing cloud initiatives

• Infrastructure as a Service (IaaS): Cut IT expense and complexity through cloud data centers
• Platform as a Service (PaaS): Accelerate time to market with cloud platform services
• Innovate business models by becoming a cloud service provider
• Software as a Service (SaaS): Gain immediate access with business solutions on cloud

Each pattern has its own set of key security concerns

Cloud Enabled Data Center (IaaS: cut IT expense and complexity through cloud data centers)
Integrated service management, automation, provisioning, self service
Key security focus: Infrastructure and Identity
  • Manage datacenter identities
  • Secure virtual machines
  • Patch default images
  • Monitor logs on all resources
  • Network isolation

Cloud Platform Services (PaaS: accelerate time to market with cloud platform services)
Pre-built, pre-integrated IT infrastructures tuned to application-specific needs
Key security focus: Applications and Data
  • Secure shared databases
  • Encrypt private information
  • Build secure applications
  • Keep an audit trail
  • Integrate existing security

Cloud Service Provider (innovate business models by becoming a cloud service provider)
Advanced platform for creating, managing, and monetizing cloud services
Key security focus: Data and Compliance
  • Isolate cloud tenants
  • Policy and regulations
  • Manage security operations
  • Build compliant data centers
  • Offer backup and resiliency

Business Solutions on Cloud (SaaS: gain immediate access with business solutions on cloud)
Capabilities provided to consumers for using a provider's applications
Key security focus: Compliance and Governance
  • Harden exposed applications
  • Securely federate identity
  • Deploy access controls
  • Encrypt communications
  • Manage application policies

Cloud Deployment/Delivery and Security

Depending on an organization's readiness to adopt cloud, there is a wide array of deployment and delivery options:

  Software as a Service (SaaS)
  Business Process as a Service (BPaaS)
  Platform as a Service (PaaS)
  Infrastructure as a Service (IaaS)

(Diagram axis: More Embedded Security ... Less Embedded Security)

Cloud computing tests the limits of security operations and infrastructure

Cloud attributes: Self-Service, Highly Virtualized, Location Independence, Workload Automation, Rapid Elasticity, Standardization

Security and Privacy Domains, and what changes when moving to cloud:
  People and Identity: Multiple Logins, Onboarding Issues
  Application and Process: External Facing, Quick Provisioning
  Network, Server and Endpoint: Virtualization, Network Isolation
  Data and Information: Multi-tenancy, Data Separation
  Physical Infrastructure: Provider Controlled, Lack of Visibility
  Governance, Risk and Compliance: Audit Silos, Compliance Controls

In a cloud environment, access expands, responsibilities change, control shifts, and the speed of provisioning resources and applications increases, greatly affecting all aspects of IT security.

Different cloud deployment models also change the way we think about security

Private cloud: On or off premises cloud infrastructure operated solely for an organization and managed by the organization or a third party
Changes in Security and Privacy:
  − Customer responsibility for infrastructure
  − More customization of security controls
  − Good visibility into day-to-day operations
  − Easy access to logs and policies
  − Applications and data remain "inside the firewall"

Public cloud: Available to the general public or a large industry group and owned by an organization selling cloud services.
Changes in Security and Privacy:
  − Provider responsibility for infrastructure
  − Less customization of security controls
  − No visibility into day-to-day operations
  − Difficult to access logs and policies
  − Applications and data are publicly exposed

Hybrid IT: Traditional IT and clouds (public and/or private) that remain separate but are bound together by technology that enables data and application portability

Cloud deployment pattern influences the extent of security controls

(Diagram: Security Enabled / Security as a Runtime / Security as a Service, with Security spanning the whole stack)

Software as a Service: Collaboration, Business Processes, CRM/ERP/HR, Industry Applications
Platform as a Service: Middleware, Database, Web 2.0 Application Runtime, Java Runtime, Development Tooling
Infrastructure as a Service: Servers, Networking, Storage, Data Center Fabric

Coordinating information security is BOTH the responsibility of the provider and the consumer

Business Process-as-a-Service: Employee Benefits Mgmt., Industry-specific Processes, Procurement, Business Travel
Application-as-a-Service: Collaboration, Financials, CRM/ERP/HR, Industry Applications
Platform-as-a-Service: Middleware, Database, Web 2.0 Application Runtime, Java Runtime, Development Tooling
Infrastructure-as-a-Service: Servers, Networking, Storage, Data Center Fabric (shared, virtualized, dynamic provisioning)

Who is responsible for security at the … level? (Chart: for each delivery model, whether the Provider or the Consumer is responsible at the Datacenter, Infrastructure, Middleware, Application and Process levels)

What is multi-tenancy, and what are the security IMPLICATIONS?

Example: Database Multi-tenancy

Approaches for Cloud Security

IBM's approach to Cloud Security

At IBM we understand the cloud and we also understand that "One Size Does not Fit All"

One size does not fit all: Different cloud workloads have different risk profiles

(Chart: Business Risk and Need for Security Assurance, each from Low to High)
  Low-risk: Training, testing with non-sensitive data
  Mid-risk: Analysis & simulation with public data
  High-risk: Mission-critical workloads, personal information

Today's clouds are primarily here (the lower-risk end):
  ● Lower risk workloads
  ● One-size-fits-all approach to data protection
  ● No significant assurance
  ● Price is key

Tomorrow's high value / high risk workloads need:
  ● Quality of protection adapted to risk
  ● Direct visibility and control
  ● Significant level of assurance

Required controls for cloud security are the same as for IT security in general

1. Identity and Access Management: Strong focus on authentication of users and management of user identities
2. Discover, Categorize and Protect Data & Information Assets: Strong focus on protection of data at rest or in transit
3. Information Systems Acquisition, Development, and Maintenance: Management of application and virtual machine deployment
4. Secure Infrastructure Against Threats and Vulnerabilities: Management of vulnerabilities and their associated mitigations with strong focus on network and endpoint protection
5. Problem & Information Security Incident Management: Management of and responding to expected and unexpected events
6. Physical and Personnel Security: Protection for physical assets and locations including networks and data centers. Employee security.
7. Security Governance, Risk Management & Compliance: Security governance including maintaining security policy and audit and compliance measures
8. Cloud Governance: Cloud-specific security governance including directory synchronization and geo-locational support

Our approach to delivering security aligns with each phase of a client's cloud project or initiative

Design: Establish a cloud strategy and implementation plan to get there.
Deploy: Build cloud services, in the enterprise and/or as a cloud services provider.
Consume: Manage and optimize consumption of cloud services.

Example security capabilities:
  • Cloud security roadmap
  • Secure development
  • Network threat protection
  • Server security
  • Database security
  • Application security
  • Virtualization security
  • Endpoint protection
  • Configuration and patch management
  • Identity and access management
  • Secure cloud communications
  • Managed security services

IBM Cloud Security Approach:
  Secure by Design: Focus on building security into the fabric of the cloud.
  Workload Driven: Secure cloud resources with innovative features and products.
  Service Enabled: Govern the cloud through ongoing security operations and workflow.

Security solutions to address the unique challenges of cloud computing: Helping clients begin their journey to the cloud with relevant security expertise

GRC:
  • Compliance ownership
  • Cross border constraints
  • e-discovery process
  • Access to logs and audit trails
  • Merging patch, change, and configuration management policies

  • Rapid provisioning/de-provisioning of users
  • Federated identity management
  • Data segregation
  • Intellectual property protection
  • Data preservation and investigation
  • Multi-tenancy and shared images
  • Virtualized environments
  • Open public access
  • Physical data center security and resiliency

How we deliver Cloud Security

  Security By Design
  Security By Workload
  New Security Efficiencies

We believe the Cloud could be more secure than traditional Enterprises

Cloud Enabled Data Center - simple use case

(Diagram components: Self-Service GUI, Cloud Platform, Resource Pool (Available Resource), Image Library (Machine Image), Hypervisor (Configured Machine Image, Virtual Machines), SW Catalog (Config, Binaries))

1. User identity is verified and authenticated
2. Resource chosen from correct security domain
3. VM is configured with appropriate security policy
4. Image provisioned behind FW / IPS
5. Host security installed and updated
6. Software patches applied and up-to-date

Workload driven security

Cloud Security depends on focusing security controls on specific types of work: Healthcare, Collaboration, Development

Activity/Data Driven Cloud Security

• Organizations need to adopt a strategy for cloud security that considers the unique attributes of the cloud as well as the activities and data for which the cloud is being utilized.
• Only by combining foundational controls with activity/data specific controls can organizations meet their cloud security needs.

Secure By Design: Security must be built into the Cloud Fabric

• Failure to build security proactively into the fabric of the cloud (including secure deployment of services) can have negative consequences:
  – Audit failures
  – Increased operating costs long term
  – Poor customer satisfaction
  – Difficulty in expansion
  – Management complexity
  – Failure to achieve the anticipated return on cloud due to service failures

Security Challenges with Virtualization: Using Traditional Security for a Virtual Data Center May Add Cost and Complexity

Legacy Security in a Virtual Environment ("Seems Secure …") versus what is needed ("… Not Secure Enough"):

Network IPS
  Legacy: Only blocks threats and attacks at the perimeter
  Virtual: Should protect against threats at the perimeter and between VMs
Server Protection
  Legacy: Secures each physical server with protection and reporting for a single agent
  Virtual: Securing each VM as if it were a physical server adds time and cost
System Patching
  Legacy: Patches critical vulnerabilities on individual servers and networks
  Virtual: Needs to track, patch and control VM sprawl
Security Policies
  Legacy: Policies are specific to critical applications in each network segment and server
  Virtual: Policies must be more encompassing (Web, data, OS coverage, databases) and be able to move with the VMs

Points of Exposure

More Components = More Exposure

(Diagram of the virtual data center stack: Hardware; VMM or Hypervisor; Virtual Machines, each with an Operating System and Applications; Management. New Threats appear at the hypervisor, virtual machine and management layers; Existing Threats remain at the operating system and application layers.)

Security Challenges with Virtualization: New Risks

Management Vulnerabilities: Secure storage of VMs and the management data
Virtual sprawl: Dynamic relocation; VM stealing
Resource sharing: Single point of failure
Stealth rootkits in hardware now possible: Virtual NICs & Virtual Hardware are targets

Control events by Policies:
  - VM Creation
  - VM Registration
  - VM Removal
  - VM Power On
  - VM Power Off

IBM Virtual Server Protection for VMware: Integrated threat protection for VMware vSphere 4

• VMsafe Integration
• Firewall and Intrusion Prevention
• Rootkit Detection/Prevention
• Inter-VM Traffic Analysis
• Automated Protection for Mobile VMs (VMotion)
• Virtual Network Segment Protection
• Virtual Network-Level Protection
• Virtual Infrastructure Auditing (Privileged User)
• Virtual Network Access Control

Helps customers to be more secure, compliant and cost-effective by delivering integrated and optimized security for virtual data centers.

Creating New Security Efficiencies

IBM Professional Security Services: Security Strategy Roadmap
IBM Professional Security Services: Cloud Security Assessment
IBM Professional Security Services: Application Security Services for Cloud
IBM Information Protection Services: Managed Backup Cloud
Hosted Vulnerability Management
Hosted Security Event & Log Management

InfoSphere Guardium

(Diagram: Customer Data Center, CSP's WAN, CSP's Data Center)
  Traditional database moved into the Cloud: fear of having the database accessed by unauthorized people
  Traditional database protected by Guardium into the Cloud

InfoSphere Optim in Cloud Service Provider Platform

(Diagram: Customer Data Center, CSP's WAN, CSP's Data Center)
  Traditional database moved into the Cloud without anonymisation
  Traditional database anonymised by Optim into the Cloud: Optim applies anonymization while moving out of the customer's DC

Data Policy Management: Anonymizing Data With IBM InfoSphere Optim

Scope:
  • Anonymize data moved to the Cloud, and therefore ease the move to the Cloud

Value:
  • Establish a process to ease the move of key workloads such as Dev & Test and the related data they require for testing, removing the most important risks

Constraints:
  • Requires human analysis of the data to anonymize, and therefore it is a manual process the first time

Position:
  • Should be used as a process within the source datacenter to enable the move to the target (cloud-based) datacenter
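The anonymize-before-moving step described on this slide, as an added example that is not Optim's or IBM's code: a keyed pseudonymization run inside the source data center so that only masked tables leave it, with a pre-move leak check. The tables, column names and masking key are constructed for the illustration.

```python
"""Anonymize a dev/test extract before it leaves the source data center.
Added illustration, not IBM Optim: a keyed pseudonymization scheme whose
secret key stays in the source data center, so only masked tables travel."""
import hashlib
import hmac
import re

# Constructed sample extract: two tables joined on customer_id.
CUSTOMERS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.org",
     "dob": "1984-03-17", "postcode": "B-1000", "balance": 2500.0},
    {"customer_id": 1002, "name": "Bob Sample", "email": "bob.sample@example.net",
     "dob": "1979-11-02", "postcode": "B-9000", "balance": -120.5},
]
ORDERS = [
    {"order_id": 1, "customer_id": 1001, "amount": 49.9, "note": "call alice@example.org"},
    {"order_id": 2, "customer_id": 1002, "amount": 15.0, "note": "gift for Bob Sample"},
    {"order_id": 3, "customer_id": 1001, "amount": 99.0, "note": ""},
]

# Assumption: in practice loaded from a vault; it never leaves the source DC.
MASKING_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonym(value, key=MASKING_KEY, length=12):
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated). The same input
    always maps to the same token, so foreign keys still join across tables,
    but without the key the token cannot be reversed or re-linked."""
    mac = hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()
    return mac[:length]


def mask_email(email, key=MASKING_KEY):
    """Keep the shape of an e-mail address but drop the real identity."""
    return f"user-{pseudonym(email, key, 8)}@masked.invalid"


def scrub_free_text(text, identifiers):
    """Free-text columns leak PII too: replace any known identifier that
    appears verbatim (case-insensitively) with a [REDACTED] marker."""
    for ident in sorted(identifiers, key=len, reverse=True):
        text = re.sub(re.escape(ident), "[REDACTED]", text, flags=re.IGNORECASE)
    return text


def anonymize(customers, orders, key=MASKING_KEY):
    """Return (customers, orders) with direct identifiers pseudonymized or
    replaced and quasi-identifiers generalized. Business values (amounts,
    balances) are kept because the dev/test workload needs realistic data."""
    identifiers = {c["name"] for c in customers} | {c["email"] for c in customers}
    masked_customers = [{
        "customer_id": pseudonym(c["customer_id"], key),
        "name": f"Customer {pseudonym(c['name'], key, 6)}",
        "email": mask_email(c["email"], key),
        "birth_year": c["dob"][:4],        # generalize full DOB to year
        "postcode": c["postcode"][:3],     # truncate to region
        "balance": c["balance"],
    } for c in customers]
    masked_orders = [{
        "order_id": o["order_id"],
        "customer_id": pseudonym(o["customer_id"], key),   # same key, so joins hold
        "amount": o["amount"],
        "note": scrub_free_text(o["note"], identifiers),
    } for o in orders]
    return masked_customers, masked_orders


def joins_preserved(masked_customers, masked_orders):
    """Every masked order must still resolve to a masked customer."""
    ids = {c["customer_id"] for c in masked_customers}
    return all(o["customer_id"] in ids for o in masked_orders)


def leaked_values(masked_customers, masked_orders, customers):
    """Pre-move check: list any original name, e-mail or full date of birth
    that survives anywhere in the masked output (should be empty)."""
    blob = (repr(masked_customers) + repr(masked_orders)).lower()
    return [v for c in customers for v in (c["name"], c["email"], c["dob"])
            if v.lower() in blob]


if __name__ == "__main__":
    mc, mo = anonymize(CUSTOMERS, ORDERS)
    print("joins preserved:", joins_preserved(mc, mo))
    print("leaked values:", leaked_values(mc, mo, CUSTOMERS))
```

The manual first pass the slide mentions corresponds to deciding which columns are identifiers, quasi-identifiers or free text; the script only automates the rules once that analysis has been done.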

Real-Time Database Monitoring

• Non-invasive architecture
  • Outside database
  • Minimal performance impact (2-3%)
  • No DBMS or application changes
• Cross-DBMS solution
• 100% visibility including local DBA access
• Enforces separation of duties (SoD)
  • Does not rely on DBMS-resident logs that can easily be erased by attackers, rogue insiders
• Granular, real-time policies & auditing
  • Who, what, when, how
• Automated compliance reporting, sign-offs & escalations (SOX, PCI, NIST, etc.)

(Diagram: DB2)
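Policy evaluation over database access events captured outside the DBMS, as an added example of the "who, what, when, how" monitoring this slide describes; it is not Guardium's rule language or event format. The event fields, the sensitive-table list, the application account, the change window and the sample events are all constructed.

```python
"""Policy-based database activity monitoring over access events captured
outside the DBMS (network tap or host agent), so the policies do not depend on
DBMS-resident logs. Added example; event schema and policies are constructed."""
from dataclasses import dataclass
from datetime import datetime

# Constructed site configuration (assumptions for the example).
SENSITIVE_TABLES = {"customers", "card_data", "salaries"}
APP_ACCOUNTS = {"crm_app"}           # accounts expected to reach sensitive data
CHANGE_WINDOW = (2, 5)               # approved maintenance window, 02:00-05:00
BULK_ROWS = 1000                     # rows returned that count as a bulk read


@dataclass(frozen=True)
class DbEvent:
    ts: str        # ISO-8601 timestamp (when)
    user: str      # database login (who)
    source: str    # "net" = over the network, "local" = local console (how)
    client: str    # client host (how)
    verb: str      # SELECT / UPDATE / GRANT / ALTER / DROP ... (what)
    table: str     # object touched (what)
    rows: int      # rows affected or returned


def in_change_window(ts):
    hour = datetime.fromisoformat(ts).hour
    return CHANGE_WINDOW[0] <= hour < CHANGE_WINDOW[1]


def policy_local_access_to_sensitive(e):
    """Local console access to a sensitive table bypasses the application path
    and is invisible to application-level logging."""
    if e.source == "local" and e.table in SENSITIVE_TABLES:
        return "local access to sensitive table"


def policy_non_app_bulk_read(e):
    """Bulk read of a sensitive table by anything other than the application."""
    if (e.verb == "SELECT" and e.table in SENSITIVE_TABLES
            and e.user not in APP_ACCOUNTS and e.rows >= BULK_ROWS):
        return "bulk read of sensitive data by non-application account"


def policy_change_outside_window(e):
    """Privilege and schema changes must happen inside the change window."""
    if e.verb in {"GRANT", "ALTER", "DROP"} and not in_change_window(e.ts):
        return "privilege/schema change outside change window"


def policy_app_account_from_unexpected_host(e):
    """Application credentials should only be used from the application tier."""
    if e.user in APP_ACCOUNTS and not e.client.startswith("app-"):
        return "application credentials used from non-application host"


POLICIES = [policy_local_access_to_sensitive, policy_non_app_bulk_read,
            policy_change_outside_window, policy_app_account_from_unexpected_host]


def evaluate(events):
    """Run every policy over every event; return alerts as
    (who, what, when, how, reason) tuples."""
    alerts = []
    for e in events:
        for policy in POLICIES:
            reason = policy(e)
            if reason:
                alerts.append((e.user, f"{e.verb} {e.table}", e.ts,
                               f"{e.source} from {e.client}", reason))
    return alerts


# Constructed sample events: one benign application read, one local DBA read of
# card data, an analyst bulk read, a GRANT at 14:30, an ALTER inside the window,
# and the application account used from a workstation.
SAMPLE_EVENTS = [
    DbEvent("2011-05-10T10:02:11", "crm_app", "net", "app-01", "SELECT", "customers", 25),
    DbEvent("2011-05-10T10:05:40", "dba_jane", "local", "db-01", "SELECT", "card_data", 5000),
    DbEvent("2011-05-10T11:15:03", "analyst_bob", "net", "ws-17", "SELECT", "salaries", 12000),
    DbEvent("2011-05-10T14:30:00", "dba_jane", "net", "db-01", "GRANT", "customers", 0),
    DbEvent("2011-05-10T03:10:00", "dba_jane", "net", "db-01", "ALTER", "orders", 0),
    DbEvent("2011-05-10T16:45:12", "crm_app", "net", "ws-17", "SELECT", "orders", 3),
]

if __name__ == "__main__":
    for who, what, when, how, why in evaluate(SAMPLE_EVENTS):
        print(f"{when} {who} {what} ({how}): {why}")
```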

Scalable Multi-Tier Architecture

Integration with LDAP, IAM, IBM Tivoli, IBM TSM, Remedy, …

Quick intro: IBM Security Framework, a business-oriented framework used across all IBM brands that allows a client's security concerns to be structured and discussed

Built to meet four key requirements:
  • Provide Assurance
  • Enable Intelligence
  • Automate Process
  • Improve Resilience

Introducing the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security; IBM RedGuide REDP-4528-00, July 2009

Typical Client Security Requirements

• Governance, Risk Management, Compliance
  • 3rd-party audit (SAS 70(2), ISO27001, PCI)
  • Client access to tenant-specific log and audit data
  • Effective incident reporting for tenants
  • Visibility into change, incident, image management, etc.
  • SLAs, option to transfer risk from tenant to provider
  • Support for forensics
  • Support for e-Discovery
• Application and Process
  • Application security requirements for cloud are phrased in terms of image security
  • Compliance with secure development best practices
• Physical
  • Monitoring and control of physical access
• People and Identity
  • Privileged user monitoring, including logging activities, physical monitoring and background checking
  • Federated identity / onboarding: Coordinating authentication and authorization with enterprise or third party systems
  • Standards-based SSO
• Data and Information
  • Data segregation
  • Client control over geographic location of data
  • Government: Cloud-wide data classification
• Network, Server, Endpoint
  • Isolation between tenant domains
  • Trusted virtual domains: policy-based security zones
  • Built-in intrusion detection and prevention
  • Vulnerability Management
  • Protect machine images from corruption and abuse
  • Government: MILS-type separation

Based on interviews with clients and various analyst reports

Security governance, risk management and compliance

Customers require visibility into the security posture of their cloud.

• Establish 3rd-party audits (SAS 70, ISO27001, PCI)
• Provide access to tenant-specific log and audit data
• Create effective incident reporting for tenants
• Visibility into change, incident, image management, etc.
• Support for forensics and e-Discovery

Implement a governance and audit management program

Supporting IBM Products, Services and Solutions: IBM Security Framework, IBM Cloud Security Guidance Document, IBM Security Products and Services

People and Identity

Customers require proper authentication of cloud users.

• Privileged user monitoring, including logging activities, physical monitoring and background checking
• Utilize federated identity to coordinate authentication and authorization with enterprise or third party systems
• A standards-based, single sign-on capability can help simplify user logons for both internally hosted applications and the cloud.

Implement strong identity and access management

Supporting IBM Products, Services and Solutions: IBM Security Framework, IBM Cloud Security Guidance Document, IBM Security Products and Services

Data and Information

Customers cite data protection as their most important concern.

• Use a secure network protocol when connecting to a secure information store.
• Implement a firewall to isolate confidential information, and ensure that all confidential information is stored behind the firewall.
• Sensitive information not essential to the business should be securely destroyed.

Ensure confidential data protection

Supporting IBM Products, Services and Solutions: IBM Security Framework, IBM Cloud Security Guidance Document, IBM Security Products and Services

Application and Process

Customers require secure cloud applications and provider processes.

• Implement a program for application and image provisioning.
• A secure application testing program should be implemented.
• Ensure all changes to virtual images and applications are logged.
• Develop all Web based applications using secure coding guidelines.

Establish application and environment provisioning

Supporting IBM Products, Services and Solutions: IBM Security Framework, IBM Cloud Security Guidance Document, IBM Security Products and Services

Network, Server and End Point

Customers expect a secure cloud operating environment.

• Isolation between tenant domains
• Trusted virtual domains: policy-based security zones
• Built-in intrusion detection and prevention
• Vulnerability Management
• Protect machine images from corruption and abuse

Maintain environment testing and vulnerability/intrusion management

Supporting IBM Products, Services and Solutions: IBM Security Framework, IBM Cloud Security Guidance Document, IBM Security Products and Services

Physical Security

Customers expect cloud data centers to be physically secure.

• Ensure the facility has appropriate controls to monitor access.
• Prevent unauthorized entrance to critical areas within facilities.
• Ensure that all employees with direct access to systems have full background checks.
• Provide adequate protection against natural disasters.

Implement a physical environment security plan

Supporting IBM Products, Services and Solutions: IBM Security Framework, IBM Cloud Security Guidance Document, IBM Security Products and Services

IBM Security offerings for Cloud Computing

Delivery forms: Professional Services, Managed Services, Products, Cloud Delivered

Security Governance, Risk and Compliance
Security Information and Event Management (SIEM) & Log Management

Data Security: E-Mail Security; Database Monitoring & Protection; Data Loss Prevention; Messaging Security; Data Masking
Application Security: Application Vulnerability Scanning; Access & Entitlement Management; Web Application Firewall; SOA Security
Identity & Access Management: Access Management; Data Entitlement Management; Identity Management
Infrastructure Security: Mainframe Security Audit, Admin & Compliance; Security Configuration & Patch Management; Virtual System Security; Security Event Management; Endpoint Protection; Intrusion Prevention System; Web/URL Filtering; Threat Analysis; Firewall, IDS/IPS, MFS Management; Encryption & Key Lifecycle Management; Vulnerability Assessment
Physical Security

IBM Security Solutions for the Cloud

IBM continues to research, test and document more focused approaches to cloud security

IBM Research: Special research concentration in cloud security
IBM X-Force: Proactive counter intelligence and public education
Customer Councils: Real-world feedback from clients adopting cloud
Standards Participation: Client-focused open standards and interoperability
IBM Institute for Advanced Security: Collaboration between academia, industry, government, and the IBM technical community

IBM Cloud Security Guidance

Based on cross-IBM research and customer interaction on cloud security. Highlights a series of best practice controls that should be implemented. Broken into 7 critical infrastructure components:
  • Building a Security Program
  • Confidential Data Protection
  • Implementing Strong Access and Identity
  • Application Provisioning and De-provisioning
  • Governance Audit Management
  • Vulnerability Management
  • Testing and Validation

http://www.redbooks.ibm.com/abstracts/redp4614.html?Open

IBM Security Solutions Architecture for Network, Server and Endpoint

Explores threats to and security requirements of IT systems. Business drivers such as managing risk and cost and compliance to business policies and external regulations are explored, highlighting how they can be translated into frameworks to enable enterprise security. The idea is to help bridge the communication gap between the business and the technical perspectives of security and to enable simplification of thought and process.

http://www.redbooks.ibm.com/abstracts/sg247581.html?Open


Cloud Security Whitepaper

Trust needs to be achieved, especially when data is stored in new ways and in new locations, including for example different countries.

This paper is provided to stimulate discussion by looking at three areas:
  • What is different about cloud?
  • What are the new security challenges cloud introduces?
  • What can be done and what should be considered further?

http://www-03.ibm.com/press/us/en/attachment/32799.wss?fileId=ATTACH_FILE1&fileName=10-0861_US%20Cloud%20Computing%20White%20Paper_Final_LR.pdf

Security & Privacy Leadership: Trusted Advisor, Security Company, Solution Provider, The Company

Security for the Cloud / Security from the Cloud

Thank you!

For more information, please visit:

http://ibm.com/cloud


Cloud Security On Ramps: Entry points to get started with IBM security solutions for cloud

(Chart maps each offering to the Design, Deploy and Consume phases of the IBM Security Framework.)

GRC: Understand the concerns of your unique cloud initiative. IBM Cloud Security Roadmap Service
Identity: Enable single sign on across multiple cloud services. IBM Tivoli Federated Identity Manager Business GW
Data: Protect and monitor access to shared databases. IBM InfoSphere Guardium
Intrusion: Defend users and apps from network attacks. IBM Security Network Intrusion Prevention System
Virtualization: Protect VMs and hypervisor from advanced threats. IBM Virtual Server Protection for VMware
Patch Management: Provide patch and config management of VMs. IBM Tivoli Endpoint Manager for Security and Compliance

Getting Started with Secure Cloud Computing

Phases: Develop a strategy; Design and Implement; Technology and Services; Operate and Manage

  Security best practices … think holistically
  Based on business requirements … holistically in a more dynamic environment, workloads
  Select Cloud technology and services … modularity and standards are key
  Take a risk-based approach to security … data in motion, data at rest, access to data