‘Provably Secure’ Data Protection in the Cloud
Agenda
• Cloud Security and Intro to ICDES – Manish Aggarwal, IBM, Offering Manager Cloud
• Client Case Study: Crohn’s & Colitis Foundation of America – Angela Dobes, CCFA, Program Director
• Use-cases for ICDES – Russ Fulford, Security First, VP Cloud Solutions
Hacks & Data Breaches Keep Growing
• Over 2 million: the number of records compromised in cyber attacks daily [1]
• More than 3.8 million USD: the cost to recover from a cyber breach [2]
• 49: the percentage of data breaches that occur due to criminal attacks [3]
• 205: the number of days before a breach is detected [4]
• 429: the number of cyber breaches that happen every week [5]
[1] 2014 Data Breach Trends, Risk Based Security / Open Security Foundation, February 2015
[2], [3] 2015 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May 2015
[4] M-Trends 2015: A View from the Front Lines, Mandiant, 2015
[5] 2014 Global Report on the Cost of Cyber Crime, Ponemon Institute, October 2014
Data Security is Evolving & Requires Layers
• Traditional Model: network and perimeter centric
• Newer Model: add data-centric security, access controls & security intelligence
IBM is the undisputed leader in Enterprise Security and invests in best of breed technologies
Advanced Cryptographic Splitting Technology
• If you can’t get the data you can’t hack it.
Pipeline shown on the slide:
– AES Encryption: the data is encrypted under a file key
– Information Dispersal Algorithm (IDA): the encrypted data is split into shares
– File keys encrypted & split by Workgroup Key
– Workgroup Key encrypted and split by Perfect Secret Sharing
– Cryptographically split shares and keys are sent to Storage
ICDES Delivers Robust Data Protection
• Confidentiality
– Ground-breaking data-centric security
– FIPS 140-2 certified AES-256 encryption [1]
– FIPS 140-2 certified cryptographic splitting [1]
– FIPS 140-2 certified built-in simplified key management [1]
– Privacy – zero-knowledge environments (zero-knowledge here means that no single storage location holds a complete file or a complete key, only shares; it is not a zero-knowledge proof in the cryptographic sense)
• Integrity
– Tampered data is not used
– Built-in data health check
– Repair corrupt shares while still encrypted
– Always get what you started with
• Availability
– Data resiliency added at the server edge
– Data is always on: no recovery time for a share failure
– Simplified data availability architecture
– Never lose file encryption keys
– Supports a reduced-cost HA and DR architecture
• Easier management of regulatory requirements [2]
– HIPAA
– HITECH
– FISMA
– Sarbanes-Oxley
– PCI DSS
– FedRAMP
[2] Health Insurance Portability and Accountability Act of 1996 (HIPAA); Health Information Technology for Economic and Clinical Health Act (HITECH); Federal Information Security Management Act of 2002 (FISMA); Payment Card Industry Data Security Standard (PCI DSS)
ICDES Makes Data Security Easy
• Step 1: Purchase ICDES Advanced Secure from the IBM Cloud Marketplace
• Step 2: Download
• Step 3: Start protecting data: the protected directory is written as a “2 of 4” split to /share1, /share2, /share3 and /share4 (Share 1 through Share 4)
Lowering Total Cost of Ownership
Current Environment (Customer Data Center)   | Cost Saving Options With ICDES
External Bulk Keystore                       | Key Manager Built-In
High Availability & Disaster Recovery        | “M of N” Built-In
Flexible Implementation Methods
• Virtual
– ICDES Plug-in for vCenter: the vCenter Management Server manages the virtual machines (OS / APP)
– ICDES for Secure Datastore Target: a CentOS-based ICDES server sits in front of the datastore, with the OS / APP virtual machines above it
• Physical
– OS installation; select files & directories
Use ICDES In Any Environment
• IBM SoftLayer
• IBM Bluebox
• Private Clouds
• Hybrid Clouds
• Public Clouds
• Customer data centers
ICDES Editions – Beyond Standard Encryption
Users and applications write to the ICDES Server, which applies keyed encryption and keyed splitting; the editions differ in how many shares are produced and where they go.
• Secure – “1 of 1”: data protection for compliance and critical business data
• Advanced Secure – “4 of 4”, local site: adds fault tolerance, data resiliency and authentication
• Advanced Multi-site – remote site: adds disaster recovery and multi-site capability
Agenda
• Cloud Security and Intro to ICDES
• Client Case Study: Crohn’s & Colitis Foundation of America
• Use-cases for ICDES
• Q&A
What are Inflammatory Bowel Diseases?
• Crohn’s Disease is a chronic inflammatory condition of the gastrointestinal tract that can affect any part of the body from the mouth to the anus
• Ulcerative Colitis is a chronic inflammatory condition limited to the colon
• 1.6M: number of Americans living with IBD
• 70K: number of new cases of IBD diagnosed in the US each year
Challenges in IBD
Current therapy for IBD is inadequate and inconsistently delivered.
Pathway to improved outcomes:
• New resources to drive discovery
• Increased collaboration and sharing of data
• Improved patient selection
• Improved quality of care
IBD Plexus Vision & Goals
• Unite clinicians, patients, academia and industry
• Optimize use of data and biosamples across the research community
• Identify new drug targets
• Identify new biomarkers and diagnostics
• Improve the quality of care for patients with IBD
Build a research and information exchange platform to accelerate research and transform the care of IBD patients. IBD Plexus will link data (clinical, biosample, ’omics / expression, patient reported / generated) across study cohorts, break silos, and bring stakeholders together.
IBD Plexus Landscape
Approach
• Study Programs
– Adult prospective research study
– Internet-based patient-powered registry
– Pediatric risk stratification study
– Real world evidence registry
– Quality of care
• Components
– Adult & Pediatric Registries
– Biobank & LIMS
– Data & Analytic Platforms
– Centralized Analytical Lab
– High Performance Computing
– Researcher Portal
IBD Plexus Hosting / Security
• IBM SoftLayer has been selected to host the IBD Plexus solution
Architecture shown on the slide: a dedicated virtualized CCFA environment on bare metal with the CCFA stack, made up of a Data Platform and an Analytic Platform that hold Protected Health Information (PHI), de-identified data sets and limited data sets, all protected by IBM Cloud Data Encryption Services (ICDES).
Transforming Research
Figure on the slide: disease activity (Severe, Moderate, Mild, Remission) over time, current state versus future state.
Research the platform is meant to support:
• Hypothesis Generation
• Basic Science
• Translational Research
• Clinical Trials
• Comp Effectiveness
• Quality Improvement
Agenda
• Cloud Security and Intro to ICDES
• Client Case Study – CCFA
• Use-cases for ICDES
• Q&A
Cryptographic Splitting Core
The ICDES Server sits between the enterprise’s users & applications and addressable storage. Processing stages shown on the slide:
– Ingest digital data
– Integrate with your access controls
– Generate keys
– Encryption & authorization
– Bit randomization (IDA)
– Key wrapping
– Journal cache
– Disperse shares to storage (fault tolerance: M of N)
CCFA – Securing Structured and Unstructured Data
Various patient, academic & research data from the research, academic and medical communities enters IBD Plexus through the Data Platform Application and the Analytic Platform Application, both protected by ICDES, which writes through a cache and an Object Storage Gateway to Object Storage.
Use Case: Compliance or Highly Valuable Data
Payment card data, structured and unstructured, from the user community is written by the application / data server to a protected directory; the ICDES Server splits it and sends the shares to storage.
• Secure edition, “1 of 1”: the data is protected as a single share
• Advanced Secure edition, “2 of 4”: adds resiliency for highly available data; shares 1 to 4 go to storage and any 2 of them are enough to read the data
• Advanced Multi-site edition, “2 of 6”: adds geographic separation of data; shares 5 and 6 go to a remote location with a standby database server and a standby ICDES server
Use Case: IBM Cloud Analytics Secure Hadoop
Massive data to be analyzed flows from the user community and the application / data server through the Storage Gateway (ISHOC) into Object Storage, where it is stored securely as a “2 of 2” split; the Hadoop cluster (HDFS) at Location 1 reads it from there.
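The splitting pipeline on the “Advanced Cryptographic Splitting Technology” and “Cryptographic Splitting Core” slides and the “1 of 1”, “2 of 4”, “2 of 6” and “2 of 2” layouts in the use cases above all rest on one threshold idea. The block below is an added example written for this page; it is not ICDES, IBM or Security First code, and its field (the Mersenne prime 2^521 - 1), chunk size, HMAC-SHA256 share tags and share layout are this example’s own assumptions, since the slides do not document the product’s formats. It uses Shamir secret sharing for the file key (the slide’s “Perfect Secret Sharing”), a systematic Reed-Solomon style information dispersal for the data, and a per-share health check that rejects a tampered share and regenerates it from healthy ones. It also makes one caveat visible: the first M data shares are the input verbatim, so dispersal alone is an erasure code, not encryption; the AES step the slides place before the IDA is what keeps any single share unreadable.

```python
# Added example for this page, not ICDES, IBM or Security First code. Standard library only.
# Threshold "M of N" sharing of a file key (Shamir) plus a systematic information dispersal
# algorithm (IDA) for the data; per-share HMAC tags give the health check and allow repair.
# Field, chunk size, tag construction and share layout are assumptions of this example.
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

P = 2**521 - 1   # Mersenne prime: a 256-bit key or a 64-byte data chunk is one field element
CHUNK = 64       # IDA chunk size in bytes (512 bits < 521)
Share = Tuple[int, int, bytes]   # (x, y, HMAC tag)


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of sum(coeffs[i] * x**i) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def _interpolate(points: List[Tuple[int, int]], x0: int) -> int:
    """Lagrange: value at x0 of the unique polynomial of degree < len(points) through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def _tag(auth_key: bytes, x: int, y: int) -> bytes:
    """HMAC-SHA256 over (x, y); a share whose tag fails is excluded before any reconstruction."""
    return hmac.new(auth_key, x.to_bytes(4, "big") + y.to_bytes(66, "big"), hashlib.sha256).digest()


def split_key(key: bytes, m: int, n: int, auth_key: bytes) -> List[Share]:
    """Shamir: key is the constant term, m-1 coefficients are random; fewer than m shares reveal nothing."""
    secret = int.from_bytes(key, "big")
    if not (1 <= m <= n and secret < P):
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    ys = {x: _eval_poly(coeffs, x) for x in range(1, n + 1)}
    return [(x, y, _tag(auth_key, x, y)) for x, y in ys.items()]


def health_check(shares: List[Share], auth_key: bytes) -> Tuple[List[Share], List[Share]]:
    """Partition shares into (healthy, corrupt) by constant-time tag verification."""
    healthy, corrupt = [], []
    for s in shares:
        (healthy if hmac.compare_digest(s[2], _tag(auth_key, s[0], s[1])) else corrupt).append(s)
    return healthy, corrupt


def recover_key(shares: List[Share], m: int, auth_key: bytes, key_len: int = 32) -> Optional[bytes]:
    """Rebuild the key from any m healthy shares; None if fewer than m pass the health check."""
    healthy, _ = health_check(shares, auth_key)
    if len(healthy) < m:
        return None
    return _interpolate([(x, y) for x, y, _ in healthy[:m]], 0).to_bytes(key_len, "big")


def repair_shares(shares: List[Share], m: int, auth_key: bytes) -> List[Share]:
    """Regenerate each corrupt share at its own x from m healthy ones; the key (value at x=0) is never formed."""
    healthy, corrupt = health_check(shares, auth_key)
    if len(healthy) < m:
        raise RuntimeError("fewer than m healthy shares: unrecoverable")
    pts = [(x, y) for x, y, _ in healthy[:m]]
    fixed = {}
    for x, _, _ in corrupt:
        y = _interpolate(pts, x)
        fixed[x] = (x, y, _tag(auth_key, x, y))
    return [fixed.get(s[0], s) for s in shares]


def ida_split(data: bytes, m: int, n: int) -> Dict[int, List[int]]:
    """Systematic IDA: per m*CHUNK-byte block, chunks are the polynomial's values at x=1..m and
    shares m+1..n hold extra evaluations. Any m shares rebuild the block; shares 1..m are plaintext."""
    blob = len(data).to_bytes(8, "big") + data
    blob += b"\x00" * (-len(blob) % (m * CHUNK))
    shares: Dict[int, List[int]] = {x: [] for x in range(1, n + 1)}
    for b in range(0, len(blob), m * CHUNK):
        pts = [(i + 1, int.from_bytes(blob[b + i * CHUNK:b + (i + 1) * CHUNK], "big")) for i in range(m)]
        for x in range(1, n + 1):
            shares[x].append(pts[x - 1][1] if x <= m else _interpolate(pts, x))
    return shares


def ida_join(shares: Dict[int, List[int]], m: int) -> bytes:
    """Rebuild the data from any m shares (x -> per-block values); the length prefix strips padding."""
    xs = sorted(shares)[:m]
    out = bytearray()
    for blk in range(len(shares[xs[0]])):
        pts = [(x, shares[x][blk]) for x in xs]
        for i in range(1, m + 1):
            out += _interpolate(pts, i).to_bytes(CHUNK, "big")
    return bytes(out[8:8 + int.from_bytes(out[:8], "big")])


def demo() -> Dict[str, bool]:
    """2-of-4, the slides' Advanced Secure layout, with key share 2 corrupted in storage."""
    key, auth_key = secrets.token_bytes(32), secrets.token_bytes(32)  # file key; assumed share-auth key
    key_shares = split_key(key, 2, 4, auth_key)
    x, y, t = key_shares[1]
    key_shares[1] = (x, (y + 1) % P, t)
    data = b"ciphertext bytes would normally go here" * 8              # constructed sample input
    data_shares = ida_split(data, 2, 4)
    return {"key_ok": recover_key(key_shares, 2, auth_key) == key,
            "repaired": repair_shares(key_shares, 2, auth_key)[1][1] == y,
            "data_ok": ida_join({1: data_shares[1], 4: data_shares[4]}, 2) == data}
```

demo() runs the 2-of-4 case; changing the (m, n) arguments gives the “1 of 1”, “4 of 4”, “2 of 6” and “2 of 2” layouts from the slides. An AES-256 layer (for example AES-GCM from a FIPS-validated module) would sit between the file key and ida_split; it is left out here so the block runs on the standard library alone, which is also why the data passed to ida_split is labelled as ciphertext rather than being encrypted by the block.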
Notices and Disclaimers
Copyright © 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS
DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
Notices and Disclaimers Cont.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®, FileNet®, Global Business Services ®, Global Technology Services ®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®,
PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®, StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.