5 Easy Steps to Securing Workloads on Public Clouds

Jeff Hoy, Cloud Security Architect, IBM Security Systems, CTO Office
May 21, 2014
© 2014 IBM Corporation


DESCRIPTION

Cloud security remains a major consideration for projects moving to the cloud. While the topic has become less of an inhibitor to cloud adoption, the growing number of options creates complexity challenges and integration limitations. This webinar will focus on best practices for securing cloud workloads, based on common patterns emerging from customer deployments across a variety of cloud environments. The session will highlight current differences between traditional software security and security in the cloud. It will touch upon emerging capabilities in virtual security products, and it will conclude with a tour of where virtualized security is heading and highlight how it can be stronger and faster than anything we had before. View the full on-demand webcast: https://www2.gotomeeting.com/register/799446378



Please Note

IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.

Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.


Goals of This Webinar

1. Share our views about Cloud Security
  • How cloud is changing security
  • Impact to your organization

2. 5 Easy Steps to securing workloads
  • Topology-based options
  • Detailed examples

3. Looking forward
  • Trends in cloud direction
  • Emerging security capabilities


Speaker Background

About Jeff
  • Cloud Security Architect
  • IBM Security Systems
  • CTO Team
  • 12+ years with IBM
  • [email protected]

Focus Areas:
  • Cloud Security Enablement
  • SaaS Security
  • Hybrid Cloud
  • Next Generation Cloud Security


Topic: Securing the Cloud

Security in the Cloud


Security objectives reflect responsibilities when adopting Cloud

Software as a Service (SaaS)
  • Organization / Buyers: CxOs (CIO, CMO, CHRO, ...)
  • Security Responsibilities and Objectives:
    • Complete visibility to enterprise SaaS usage and risk profiling
    • Governance of user access to SaaS and identity federation

Platform as a Service (PaaS)
  • Organization / Buyers: Application teams, LOBs
  • Security Responsibilities and Objectives:
    • Enable developers to compose secure cloud applications and APIs, with enhanced user experience
    • Visibility and protection against fraud and applications threats

Infrastructure as a Service (IaaS)
  • Organization / Buyers: CIO, IT teams
  • Security Responsibilities and Objectives:
    • Protect the cloud infrastructure to securely deploy workloads and meet compliance objectives
    • Have full operational visibility across hybrid cloud deployments, and govern usage


Traditional perimeter based security controls …

[Diagram labels: Trusted Intranet, DMZ, Untrusted Internet; Online Banking Application, Employee Application]


Traditional perimeter based security controls … are changing to security centered around applications and interactions

[Diagram labels: Trusted Intranet, DMZ, Untrusted Internet; Online Banking Application, Investment API Services, Employee Application; Apps, APIs, Services]

  • Build and Deliver Apps, Services (PaaS)
  • Consume Apps and Services (SaaS)
  • Leverage Public Clouds (IaaS)


Cloud Security Capabilities

We see three sets of capabilities to help adopt cloud with confidence

  • Identity: Manage identities and govern user access
  • Protection: Protect infrastructure, applications, and data from threats
  • Insight: Auditable intelligence on cloud access, activity, cost and compliance

  • IaaS: Securing infrastructure and workloads
  • SaaS: Secure usage of business applications
  • PaaS: Secure service composition and apps

[Diagram label: Bluemix]


How will complex environments evolve for your organization?


Topic: 5 Easy Steps

5 Easy Steps to Securing Workloads on Public Clouds


Step #1: Basic Security Enablement

Same principles apply

[Diagram: two environments, "Traditional on-premise" and "Public cloud-based", each labeled with IPS, Visibility, Data Security, Scanning, TLS, Firewalls, SOA Appliance, Endpoint Mgmt, User, Admin]


Example #1: Securing Workloads on Cloud Infrastructure (IaaS)

  • Monitor & manage security posture
  • Configure application centric security policies
  • Provision secure cloud infrastructure
  • Securely Access Cloud services

[Diagram labels: Enterprise Roles (Cloud Admins, Security Team, Application Team), Service users, User Access, Customer Application, Network Protection, Security Intelligence, Data Security]


Step #2: Pattern-Based Security

[Diagram labels: System Template, Pattern Engine, Preconfigured Systems, Customize; components: IPS, Data Security, Scanning, TLS, Firewalls, SOA Appliance, Endpoint Mgmt, Visibility]


Example #2: Secure Image Deployment

Virtual Image
  • Apache HTTP Server
  • WebSphere Liberty
  • Banking EJB
  • IBM Access Manager
  • IBM Identity Manager
  • Restrictive Firewalls
  • Endpoint Manager
  • Disk encryption
  • Credential Vault

Deploy Images

Update Images
  • IP Address
  • Hostname
  • Credentials, etc.

Production System


Step #3: Automation-Enabled Pattern & Policy-driven Approaches

Shared Security Services
  • Identity as a Service
  • Log Management & Audit
  • App and Vulnerability Testing

REST APIs

Security Policy Management for Cloud


Example #3: Pattern-Based Access Management

[Diagram: Security Web Gateway and Web Application, with numbered callouts 1 to 10]

Environment Components
  1. QRadar vSys Pattern
  2. External ISAM Appliance
  3. ISAM Log Integration
  4. WebSEAL Reverse Proxy
  5. Application vSys Pattern
  6. Application TAI + Junction
  7. Consolidated Log backup
  8. SQL Injection Attack
  9. Application Response
  10. QRadar threat console


Step #4: Integrated Intelligence across Hybrid Cloud

[Diagram labels]
  • Ceilometer: Usage / Performance Monitoring + Auditing
  • “Datastores”
  • Core API Layer: “Filter” audits all Open Stack API calls
  • CADF
  • AWS CloudTrail
  • OpenStack Audit (CADF)
  • Workloads deployed in private virtual Environments
  • Public Cloud Services


Example #4: Security Intelligence for Virtual Infrastructure

Business challenge:

• Improved security and visibility into virtual Infrastructures

• Better visibility into logs coming from their sensors across the environment

• Support ad hoc search across large data

Solution:

• Scales to large volumes

• User friendly reporting

• Quick search and review of logs

• Reasonable cost of ownership

[Diagram: Security Intelligence for Hybrid Cloud; labels: SaaS applications, Infrastructure as a Service, Virtualized data center]


Step #5: Leverage Security SaaS

Shared Security Services (Security from the Cloud)
  • Identity as a Service
  • Log Management & Audit
  • App and Vulnerability Testing

REST APIs

  • API enable and standup key products as shared cloud services
  • Multi-tenancy

[Diagram labels: Administrator / app owner, End users]


Example #5: SaaS Security Usage in Your Environment


Topic: Looking Forward

Cloud Security Trends


Security Across the Cloud DevOps lifecycle

[Diagram labels]
  • DEV, OPS
  • Dynamic Analysis, Interactive Analysis, Mobile App Analysis, Static Analysis
  • Application Security Management: Inventory assets, Assess business impact, Measure status & progress, Prioritize vulnerabilities, Determine compliance
  • Dynamic Analysis, Database monitoring
  • Security Intelligence: SIEM, Network Activity Monitoring, Vulnerability Mgmt, Log Mgmt
  • Network Protection, Fraud Protection
  • AppScan, QRadar, Guardium, SiteProtector / IPS, Trusteer


Cloud Application Zone Active Protection – Typical Scenario

Migrating Online Application to off-premise cloud

[Diagram labels: Traditional Data Center, DMZ, Trusted Intranet, Online Banking Application; roles: End Users, Domain Specialized Developer, Infrastructure Operations, Security & Compliance Manager]


Cloud Application Zone Active Protection - Solution Overview

[Diagram with numbered callouts 1 to 4; labels: Deploy App, Provision workload and security components, Config & Automation (3), Access Application (4), Secure Application, Workload Box, Online Banking App, WebApp, DB, IBM Access Manager, IBM QRadar SIEM]

Demo Available - User Access Management, Web Application Protection, Log Management, Security Intelligence


Cloud ready data security and privacy on the cloud

Business Challenge:

Data is…
  • Leaving the data center
  • Stored on shared drives and cloud infrastructure
  • Hosted by 3rd party
  • Managed by 3rd party

Solution:
  • Data security as a virtual appliance deployed on the Cloud
  • Data activity monitoring across hybrid clouds – virtualized and public clouds
  • Provides vulnerability assessments of data systems
  • Encrypts and masks sensitive data when used by privileged users

[Diagram labels: IBM InfoSphere Guardium, Virtualized data center, Data Protection, Encryption, Masking, Activity Monitoring, Vulnerability Assessment, Structured & Unstructured Data]


Today’s Announcements

Delivering security from the cloud:

Solutions to protect cloud workloads:

Identity-as-a-Service beta for the IBM Cloud Platform

Security Optimization & Threat Monitoring

QRadar optimizations for cloud

Enhanced Virtual Threat Protection

IBM leads with enterprise-grade cloud security


Summary

1. Cloud creates opportunities for enhanced security

2. 5 Easy steps to securing workloads
  1. Basic Enablement
  2. Pattern-Based Security
  3. Automated Integration
  4. Hybrid Cloud Security
  5. Leveraging SaaS

3. Going forward
  • Direction of the cloud
  • Emerging security capabilities


Key Cloud Resources

IBM Best Cloud Computing Security

  • IBM Research and Papers: Special research concentration in cloud security, including white Papers, Redbooks, Solution Brief – Cloud Security
  • IBM X-Force: Proactive counter intelligence and public education, http://www-03.ibm.com/security/xforce/
  • IBM Institute for Advanced Security: Cloud Security Zone and Blog (Link)
  • Customer Case Study: EXA Corporation creates a secure and resilient private cloud (Link)
  • Collateral Sales Support:
    • NEW IBM Cloud Security Strategy and Community connections page (Link)
    • NEW Internal IBM SWG Sellers Workplace – Cloud Security Collateral - (Link)
    • SmartCloud Security Solutions Sales Kit – (Link)
  • Other Links:
    • IBM Media series – SEI Cloud Security (Link)
    • External IBM.COM : IBM Security Solutions (Link)
    • External IBM.COM : IBM SmartCloud – security (Link)
    • IBM SmartCloud security video (Link)


Questions?

We Value Your Feedback!


Backup


Intelligent Security for the Cloud

Identity: Manage users and their access to cloud
  • Identity Service - Beta
  • IBM Security Access Manager
  • IBM Security Privileged Identity Manager

Protection: Protect data, applications and infrastructure from threats and risks

Data & Application
  • IBM InfoSphere Guardium
  • IBM Security AppScan
  • IBM WebSphere DataPower

Infrastructure
  • IBM Security Network Protection
  • IBM Security Trusteer
  • IBM Endpoint Manager

Insight: Establish intelligence across enterprise and cloud
  • QRadar SIEM
  • QRadar Log Manager
  • QRadar Forensics


AppScan Service & APIs from Bluemix

AppScan Mobile Analyzer – Ability to upload Android APKs to the cloud for an IAST (interactive application security scan)
  • Service available through the BlueMix catalog
  • Upload an APK and receive a security PDF report
  • Public APIs to integrate to 3rd party
  • Environment deployed on SoftLayer

AppScan DAST on BlueMix – Run a DAST scan on web application deployed on BlueMix
  • Service available through the BlueMix catalog
  • Almost zero configuration (User Name/Password)
  • Public APIs to integrate to 3rd party
  • Environment deployed on SoftLayer


Cloud software delivery as virtual appliances

Security Software

Security capabilities as virtual appliances. They should be available as shared services through APIs.

Delivering security capabilities as virtual appliances will enable

- Security enforcement ‘near’ workloads and in software defined environments

- Protection within on-premise virtual environments or hosted clouds


Applications require easy-to-use, API-based services

Shared Security Services (Security from the Cloud)
  • Identity as a Service
  • Log Management & Audit
  • App and Vulnerability Testing

REST APIs

  • API enable and standup key products as shared cloud services
  • Multi-tenancy

[Diagram labels: Administrator / app owner, End users]


Demo Scenario - Visibility to hybrid cloud application

[Diagram labels: DMZ, Trusted Intranet, Public Cloud Services, Private Cloud Services; people: Jane, Andrew, Fred, Customers; actions: Provision infrastructure, Deploy App, Access App, Monitor Usage & Security of the Environments; components: Reverse Proxy, Load balance, Gateway, Cloudburst]