Securing Your Cloud Applications

  • View
    510

  • Download
    7

Embed Size (px)

Text of Securing Your Cloud Applications

  • 2015 IBM Corporation

    Securing Your Cloud Applications

    Nataraj (Raj) NagaratnamCTO for Security Solutions, IBM Security

    Sreekanth IyerExecutive IT Architect, IBM Security

    Jeffrey HoyCloud Security Architect, IBM Security

  • Agenda

    Security for Infrastructure Services (IBM SoftLayer)

    Security for Platform Services (IBM Bluemix)

    1

    IaaS

    PaaS

  • Cloud is rapidly transforming the enterprise

    External StakeholdersTraditional Enterprise IT

    Public CloudPrivate Cloud

    PaaSDevelopment

    services

    SaaSBusiness

    applications

    IaaSInfrastructure

    services

    100+ IBM Offerings

    HR,CRM, SCM

    Data archive

    App development

    100+ IBM Offerings

    Online website

  • Cloud presents the opportunity to radically transform security practices

    Dynamic Cloud SecurityStandardized, automated,

    agile, and elastic

    Traditional SecurityManual, static,

    and reactive

    Cloud security is not only achievable, it is an opportunity to drive the business, improve defenses and reduce risk

  • Clients focus on three imperatives for improving security

    Detect threats with visibility across clouds

    Govern theusage of cloud

    Protect workloads and data in the cloud

    How can I understand who is accessing the cloud

    from anywhere, at anytime?

    How can I fix vulnerabilities and defend against attacks before theyre exploited?

    How can I obtain a comprehensive view of cloud and traditional environments?

    I can take advantage of centralized cloud logging and auditing

    interfaces to hunt for attacks.

    Going to the cloud gives me a single

    choke point for all user access it provides much more control.

    Cloud gives me security APIs and

    preconfigured policies to help protect my data

    and workloads

  • IBM Dynamic Cloud Security

    Optimize Security Operations

    ManageAccess

    ProtectData

    GainVisibility

    SaaSPaaSIaaS

    Structured Approach to Cloud Security

    Assess and Govern

    Focus for this Session

  • JKE Overview

    6

    JK Enterprises (JKE)

    A multinational financial services company that offers wide range of wide range of financial and insurance products

    and services

    Operates world-wide, with major offices in AP, EMEA and US

    Employs approximately 5,500 staff

    Financial details include:

    A combined premium income of over $2.5 billion

    Investment assets of approximately $16.8 billion

    Customers include:

    End customers: over 2 million insured customers

    Brokers: over 200 registered brokers

    Has partnerships with a large number of partners, mainly in the area of brokering and financial advice

    Provides internet customers and brokers with online access to applications.

  • Securing Cloud JKE Scenario

    7

    Focus for this Session

  • Security for Infrastructure Services

    IaaS

  • Security comes in (inherent in) and on (accessible from) IaaS provider

    Identity Protection Insight

    Accessible on a IaaSCloud Provider Bring your own security

    Privileged admin management

    Access management of web workloads

    Network protection Firewalls, IPS, proxy

    Host security, vulnerability scanning

    Encryption and key management

    Monitoring customer hybrid infrastructure and

    workloads.

    Log, Audit, and compliance reporting

    Vulnerability management

    Inherent in a IaaS Cloud Provider Security provided in SoftLayer

    Admin user management

    Isolation of VMs, and dedicated instances

    Security monitoring of cloud infrastructure

    Role and entitlement management

    Network firewalls, VPNs; DoS protection

    Platform intelligence

    Federation of admin users from

    enterprises

    Encryption of data at rest and secure key

    store

    API access to cloud service logs

    IaaS

  • Security in (inherent in) IBM SoftLayer

    SoftLayer Security

    Features & Options

    Physical DC Security

    Logical Segregation

    GeoTrust SSL Certificates

    Two-Factor Authentication for Portal Administrators

    McAfee Host Protection

    DC Site Affinity Option

    IBM MSS - Fully Managed

    Cloud Security Services

    Hosted Web Defense (DDoS+WAF)

    Hosted Application Security Management Services

    Hosted Security Event and Log Management

    Hosted Vulnerability Management

    Managed FW, IDPS and UTM

    Managed Email and Web Security

    Comprehensive security for

    IT assets deployed in

    SoftLayer

    VALUE

    IBM SoftLayer and IBM Managed Security Services (MSS) provide

    comprehensive cloud security solutions and capabilities for cloud customers

    IaaS

  • Scenario Overview

    11

    Enterprise Application

    Dev/Test/ProdInfrastructure

    Public CloudPrivate Cloud

    IaaS

    JK Enterprises (JKE)

    Description

    1 JKE provisions infrastructure resources and moves to Cloud

    2 JKE deploys their business application on Cloud

  • Privileged User Management

    12

    IaaS

    JK Enterprises (JKE)

    1 JKE Cloud Administrator logs into SoftLayer

    2 JKE Cloud Administrator provisions and sets up the required resources on Cloud

    3 Weak management of password and administrator activities can compromise cloud systems

    4 JKE implements Privileged User Management to monitor and audit cloud Admin activities

    5 Privileged Identity Manager captures and tracks all actions by admin

    JKE Cloud Administrator

    IBM Security Privileged Identity Management

    Dev/Test/ Prod

    Infrastructure

    Manage Access

  • Automated Provisioning of ISAM Virtual Appliance

    13

    IaaS

    JK Enterprises (JKE)

    1 JKE likes to add web application protection for their application on cloud

    2 JKE deploys ISAM Virtual Appliance on SoftLayer (Automated Provisioning and Configuration of ISAM Appliance on SoftLayer)

    3 JKE can manage access and protect applications from attacks.

    Employees

    IBM Security Access Manager Virtual Appliance

    Enterprise Application

    Agents / Partners/ Customers

    Manage Access

  • Log Management & Security Intelligence

    14

    IaaS

    JK Enterprises (JKE)

    1 JKE Security Administrator wants visibility into their cloud infrastructure on SoftLayer

    2 JKE Security Administrator uses IBM Security QRadar SIEM

    3 QRadar collects all the events from security appliances, infrastructure and applications

    4 QRadar detects anamolies, security threats and generates reports for audit and compliance.

    JKE Security Administrator

    IBM Security QRadar SIEM

    Enterprise Application

    Dev/Test/ProdInfrastructure

    IBM Security

    Access Manager

    Virtual Appliance

    IBM Security

    Privileged Identity

    Management

    Employees

    Agents / Partners/ Customers

    Gain Visibility

  • IBM Security capabilities (On) SoftLayer that enhances security of customer workloads

    15

    IaaS

    Enterprise

    Cloud

    Administrators

    Consolidated

    logs and events

    Portal and APIs

    Application

    users

    Enterprise security monitoring

    IBM Virtual SOC

    services

    Manage Access Protect Data Gain Visibility

  • Security for Platform Services

    PaaS

  • Security comes in (inherent in) and on (accessible from) Provider

    Identity Protection Insight

    Accessible from a PaaS Cloud Provider Design your own security

    APIs for authentication/SSO of end

    users, for services/apps

    APIs to perform context aware access

    Security testing of App, service and APIs

    Key management APIs

    APIs for fraud detection

    IP reputation/threat intelligence APIs

    APIs for customer app log and audit

    Application security and real time monitoring

    Application vulnerability management

    Inherent in a PaaS Cloud Provider Security is baked in platform

    Developers registration and SSO

    Group management; Entitlements to apps,

    services

    Federation of developers/platform users

    Data protection and compliance

    Application container

    Fabric and services isolation and protection

    Customer specific log and audit trail APIs

    Active security monitoring of provider (not individual

    customer services)

    Hosted on

    PaaS

  • Bluemix Platform Security Overview

    18

  • on Bluemix Security

  • Single Sign On

    Add user authentication to your apps with policy-based configuration

    Zero coding approach

    Integrate with existing enterprise directory with SAML

    Option to chose from identity sources like Facebook, LinkedIn, and Google

    Option to create and use your own cloud directory

    Key Features

    SocialIdentities

    Enterprise ID

    Manage Access

  • AppScan Dynamic Analyzer

    Discover vulnerabilities before putting cloud apps into production

    Minimal configuration and developer training / preparation

    Scans authenticated and unauthenticated pages and identifies security issues

    Identifies a large variety of vulnerabilities, from OWASP Top 10, SANS Top 25 and more

    Produces a detailed security report - actionable information with remediation instructions

    Key Features

    Protect Data

  • AppScan Mobile Analyzer

    Based on Glass Box principles

    Identifies securit