© 2010 IBM Corporation
Securing the Cloud
Johan Van Mengsel, CISSP
Open Group Distinguished IT Specialist
IBM Global Technology Services
IBM Cloud Security Strategy
Today’s Challenges
In distributed computing environments, up to 85% of computing capacity sits idle.
Explosion of information driving 54% growth in storage shipments every year.
70% on average is spent on maintaining current IT infrastructures versus adding new capabilities.
85% idle
70¢ per $1
1.5x
33% of consumers notified of a security breach will terminate their relationship with the company they
perceive as responsible.
33%
Consumer product and retail industries lose about $40 billion annually, or 3.5 percent of their sales, due to supply chain inefficiencies.
$40 billion
Requires Smarter IT Services
Cloud computing is a
new consumption and delivery model
Yesterday
Today
© 2011 IBM Corporation
Cloud Computing provides workload optimized models for
delivery and consumption of IT services
Attributes | Characteristics | Benefits
Advanced virtualization | IT resources can be shared between many applications. Applications can run anywhere. | Providing more efficient utilization of IT resources.
Automated provisioning | IT resources are provisioned or de-provisioned on demand. | Reducing IT cycle time and management cost
Elastic scaling | IT environments scale down and up as the need changes. | Increasing flexibility
Service catalog ordering | Defined environments can be ordered from a catalog. | Enabling self-service
Metering and billing | Services are tracked with usage metrics. | Offering more flexible pricing schemes
Internet Access | Services are delivered through the Internet. | Access anywhere, anytime
Page:
-5-3/15/2012
Sounds great, what is preventing the adoption of Cloud Computing EVERYWHERE?
Current Cloud Computing offerings are best effort
The Cloud Computing providers don’t currently have the rigour which traditional IT sourcing providers have
No (or weak) service level agreements (SLAs) regarding quality of service
– Performance
– Uptime
– Throughput
– Confidentiality etc
No commitment regarding data residency
Architecturally, these constraints prevent or hamper the running of mission critical, or highly regulated data in current Cloud offerings.
As Cloud providers mature their offerings, this will change
For now, corporations will not let their enterprise workloads run in the Cloud, as they cannot assert the quality of service
Multi-tenancy is a key concern
Security Challenges in
Cloud Computing
© 2009 IBM Corporation 7
Security and Cloud Computing
9/15/2009
Cloud Security: Simple Example
Today’s Data Center: We Have Control
It’s located at X. It’s stored in servers Y, Z. We have backups in place. Our admins control access. Our uptime is sufficient. The auditors are happy. Our security team is engaged.
Tomorrow’s Public Cloud: Who Has Control?
Where is it located? Where is it stored? Who backs it up? Who has access? How resilient is it? How do auditors observe? How does our security team engage?
Security in the Cloud
According to IBM's Institute for Business Value 2010 Global IT Risk Study, cloud computing raised serious concerns among respondents about the use, access and control of data:
77% Cloud makes protecting privacy more difficult
50% Concerned about a data breach or loss
23% Concerned about a weakening of the corporate network
A recent Appirio survey of 150+ mid to large-sized firms that have already adopted cloud applications:
Single Biggest Misconception about the Cloud (% of Respondents)
28% Security is an issue with the cloud
15% Cloud solutions are difficult to integrate
13% Cloud solutions have a higher chance of lock-in
12% Cloud solutions are difficult to customize
10% Cloud solutions are not reliable
8% Cloud vendors are not yet viable
7% None
6% The cloud model is not proven
[Chart: importance of ensuring security & compliance, rated Unimportant, Of Little Importance, Somewhat Important, Important, Very Important]
Appirio, State of the Public Cloud: The Cloud Adopters’ Perspective, October 2010
Customer Requirements for Cloud Security
Results of the analysis of existing customer requirements for Cloud Security
Identity and access management: 21
Intrusion prevention and response: 37
Patch management: 7
Data Management: 12
Virtualization Security: 12
Governance, risk & compliance: 25
Data Sources: Formal RFPs, Project Architect Interviews
World-Wide Representation: NE IOT, SW IOT, MEA, North America IOT, ANZ
16 Cross Industry Customers Analyzed: 6 Telcos, 3 CSIs, 1 Government, 1 Bank, 1 Manufacturing, 1 SMB, 2 IBM
Risks introduced by cloud computing
Less Control, Data Security, Security Management, Compliance, Reliability
Where the information is located and stored, who has access rights, how access is monitored & managed, including resiliency
Control needed to manage firewall and security settings for applications and runtime environments in the cloud
Concerns with high availability and loss of service should outages occur
Challenges with an increase in potential unauthorized exposure when migrating workloads to a shared network and compute infrastructure
Restrictions imposed by industry regulations over the use of clouds for some applications
Risks across private, public and hybrid cloud delivery
Private Clouds, Public Clouds
Adoption patterns are emerging for successfully beginning
and progressing cloud initiatives
Infrastructure as a Service (IaaS): Cut IT expense and complexity through cloud data centers
Platform-as-a-Service (PaaS): Accelerate time to market with cloud platform services
Innovate business models by becoming a cloud service provider
Software as a Service (SaaS): Gain immediate access with business solutions on cloud
Each pattern has its own set of key security concerns
Cloud Enabled Data Center
Integrated service management, automation, provisioning, self service
Key security focus: Infrastructure and Identity
– Manage datacenter identities
– Secure virtual machines
– Patch default images
– Monitor logs on all resources
– Network isolation
Cloud Platform Services
Pre-built, pre-integrated IT infrastructures tuned to application-specific needs
Key security focus: Applications and Data
– Secure shared databases
– Encrypt private information
– Build secure applications
– Keep an audit trail
– Integrate existing security
Cloud Service Provider
Advanced platform for creating, managing, and monetizing cloud services
Key security focus: Data and Compliance
– Isolate cloud tenants
– Policy and regulations
– Manage security operations
– Build compliant data centers
– Offer backup and resiliency
Business Solutions on Cloud
Capabilities provided to consumers for using a provider’s applications
Key security focus: Compliance and Governance
– Harden exposed applications
– Securely federate identity
– Deploy access controls
– Encrypt communications
– Manage application policies
Cloud Deployment/Delivery and Security
Depending on an organization's readiness to adopt cloud, there are a wide array of deployment and delivery options
Software as a Service (SaaS)
Business Process as a Service (BPaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
[Axis: More Embedded Security to Less Embedded Security]
Cloud computing tests the limits of security operations and infrastructure
Cloud attributes: Self-Service, Highly Virtualized, Location Independence, Workload Automation, Rapid Elasticity, Standardization
Security and Privacy Domains:
– People and Identity
– Application and Process
– Network, Server and Endpoint
– Data and Information
– Physical Infrastructure
– Governance, Risk and Compliance
To cloud:
– Multiple Logins, Onboarding Issues
– Multi-tenancy, Data Separation
– Audit Silos, Compliance Controls
– Provider Controlled, Lack of Visibility
– Virtualization, Network Isolation
– External Facing, Quick Provisioning
Different cloud deployment models also change the way we think
about security
Private cloud: On or off premises cloud infrastructure operated solely for an organization and managed by the organization or a third party
Public cloud: Available to the general public or a large industry group and owned by an organization selling cloud services.
Hybrid IT: Traditional IT and clouds (public and/or private) that remain separate but are bound together by technology that enables data and application portability
Changes in Security and Privacy
Private cloud:
− Customer responsibility for infrastructure
− More customization of security controls
− Good visibility into day-to-day operations
− Easy access to logs and policies
− Applications and data remain “inside the firewall”
Public cloud:
− Provider responsibility for infrastructure
− Less customization of security controls
− No visibility into day-to-day operations
− Difficult access to logs and policies
− Applications and data are publicly exposed
Coordinating information security is BOTH the responsibility of the provider and the consumer
Business Process-as-a-Service: Employee Benefits Mgmt. Industry-specific Processes Procurement Business Travel
Application-as-a-Service: Collaboration Financials CRM/ERP/HR Industry Applications
Platform-as-a-Service: Middleware Database Web 2.0 Application Runtime Java Runtime Development Tooling
Infrastructure-as-a-Service: Servers Networking Data Center Storage Fabric; Shared virtualized, dynamic provisioning
Who is responsible for security at the … level?
Datacenter, Infrastructure, Middleware, Application, Process
[Diagram: the Provider / Consumer split of responsibility, shown once for each of the four service models]
What is multi-tenancy, and what are the security IMPLICATIONS?
Approaches for Cloud Security
IBM’s approach to Cloud Security
At IBM we understand
the cloud and we also understand that
One-size does not fit-all: Different cloud workloads have different risk profiles
[Chart: Need for Security Assurance (Low to High) against Business Risk (Low-risk, Mid-risk, High-risk)]
Example workloads: Training, testing with non-sensitive data; Analysis & simulation with public data; Mission-critical workloads, personal information
Today’s clouds are primarily here:
● Lower risk workloads
● One-size-fits-all approach to data protection
● No significant assurance
● Price is key
Tomorrow’s high value / high risk workloads need:
● Quality of protection adapted to risk
● Direct visibility and control
● Significant level of assurance
Required controls for cloud security are the same as for IT
security in general
1. Identity and Access Management: Strong focus on authentication of users and management of user identities
2. Discover, Categorize and Protect Data & Information Assets: Strong focus on protection of data at rest or in transit
3. Information Systems Acquisition, Development, and Maintenance: Management of application and virtual machine deployment
4. Secure Infrastructure Against Threats and Vulnerabilities: Management of vulnerabilities and their associated mitigations with strong focus on network and endpoint protection
5. Problem & Information Security Incident Management: Management and responding to expected and unexpected events
6. Physical and Personnel Security: Protection for physical assets and locations including networks and data centers. Employee security.
7. Security Governance, Risk Management & Compliance: Security governance including maintaining security policy and audit and compliance measures
8. Cloud Governance
Our approach to delivering security aligns with each phase of a
client’s cloud project or initiative
Design: Establish a cloud strategy and implementation plan to get there.
Deploy: Build cloud services, in the enterprise and/or as a cloud services provider.
Consume: Manage and optimize consumption of cloud services.
Example security capabilities
Cloud security roadmap
Secure development
Network threat protection
Server security
Database security
Application security
Virtualization security
Endpoint protection
Configuration and patch management
Identity and access management
Secure cloud communications
Managed security services
IBM Cloud Security Approach
Secure by Design: Focus on building security into the fabric of the cloud.
Workload Driven: Secure cloud resources with innovative features and products.
Service Enabled: Govern the cloud through ongoing security operations and workflow.
Security solutions to address the unique challenges of cloud
computing
Helping clients begin their journey to the cloud with relevant security expertise
GRC
Compliance ownership
Cross border constraints
e-discovery process
Access to logs and audit trails
Merging patch, change, and configuration management policies
Rapid provisioning/de-provisioning of users
Federated identity management
Data segregation
Intellectual property protection
Data preservation and investigation
Multi-tenancy and shared images
Virtualized environments
Open public access
How we deliver Cloud Security
Security By Design
Security By Workload
New Security Efficiencies
We Believe the Cloud could be more secure than traditional Enterprises
Cloud Enabled Data Center - simple use case
Workload driven security
Cloud Security depends on focusing security controls on specific types of work:
Healthcare
Collaboration
Development
Activity/Data Driven Cloud Security
• Organizations need to adopt a strategy for cloud security that considers the unique attributes of the cloud as well as the activities and data for which the cloud is being utilized.
Secure By Design: Security must be built into Cloud Fabric
Failure to build security proactively into the fabric of the cloud (including secure deployment of services) can have negative consequences:
– Audit failures
– Increased operating costs long term
– Poor customer satisfaction
– Difficulty in expansion
– Management complexity
– Failure to achieve cloud anticipated return due to service failures
Security Challenges with Virtualization:
Using Traditional Security for a Virtual Data Center May Add
Cost and Complexity
Legacy Security in Virtual Environment
Control | Seems Secure … | … Not Secure Enough
Network IPS | Only blocks threats and attacks at the perimeter | Should protect against threats at perimeter and between VMs
Server Protection | Secures each physical server with protection and reporting for a single agent | Securing each VM as if it were a physical server adds time and cost
System Patching | Patches critical vulnerabilities on individual servers and networks | Needs to track, patch and control VM sprawl
Security Policies | Policies are specific to critical applications in each network segment and server | Policies must be more encompassing (Web, data, OS coverage, databases)
Security Challenges with Virtualization: New Risks
Points of Exposure: Hardware, VMM or Hypervisor, Virtual Machine, Operating System, Applications, Management
More Components = More Exposure
[Diagram labels: Existing Threats, New Threats]
Management Vulnerabilities; Secure storage of VMs and the management data
Virtual sprawl; Dynamic relocation; VM stealing
Resource sharing; Single point of failure
Stealth rootkits in hardware now possible; Virtual NICs & Virtual Hardware are targets
IBM Virtual Server Protection for VMware
Integrated threat protection for VMware vSphere 4
VMsafe Integration
Firewall and Intrusion Prevention
Rootkit Detection/Prevention
Inter-VM Traffic Analysis
Automated Protection for Mobile VMs (VMotion)
Virtual Network Segment Protection
Virtual Network-Level Protection
Virtual Infrastructure Auditing (Privileged User)
Virtual Network Access Control
Helps customers to be more secure, compliant and cost-effective by delivering integrated and optimized security for virtual data centers.
Creating New Security Efficiencies
IBM Professional Security Services: Security Strategy Roadmap
IBM Professional Security Services: Cloud Security Assessment
IBM Professional Security Services: Application Security Services for Cloud
IBM Information Protection Services: Managed Backup Cloud
Hosted Vulnerability Management
InfoSphere Guardium
CSP’s WAN
CSP’s Data Center
Customer Data Center
Traditional database moved into the Cloud
Traditional database protected by Guardium into the Cloud
Fear of the database being accessed by unauthorized people
InfoSphere Optim in Cloud Service Provider Platform
CSP’s WAN
CSP’s Data Center
Customer Data Center
Traditional database moved into the Cloud without anonymisation
Traditional database anonymised by Optim into the Cloud
Data Policy Management: Anonymizing Data With IBM InfoSphere Optim
Scope:
• Anonymize data moved to the Cloud, thereby easing the move to the Cloud
Value:
• Establish a process to ease the move of key workloads such as Dev & Test and the related data they require for testing, removing the most important risks
Constraints:
• Requires human analysis of the data to anonymize, so it is a manual process the first time
Position:
• Should be used as a process within the source datacenter to enable the move to the target (cloud-based) datacenter
Real-Time Database Monitoring
• Non-invasive architecture
• Outside database
• Minimal performance impact (2-3%)
• No DBMS or application changes
• Cross-DBMS solution
• 100% visibility including local DBA access
• Enforces separation of duties (SoD)
• Does not rely on DBMS-resident logs that can easily be erased by attackers, rogue insiders
• Granular, real-time policies & auditing
• Who, what, when, how
• Automated compliance reporting, sign-offs & escalations (SOX, PCI, NIST, etc.)
Scalable Multi-Tier Architecture
Integration with LDAP, IAM, IBM Tivoli, IBM TSM, Remedy, …
Quick intro: IBM Security Framework – Business-oriented framework used across all IBM brands that helps structure and discuss a client’s security concerns
Built to meet four key requirements:
Provide Assurance
Enable Intelligence
Automate Process
Improve Resilience
Introducing the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security
Typical Client Security Requirements
• Governance, Risk Management, Compliance
– 3rd-party audit (SAS 70(2), ISO27001, PCI)
– Client access to tenant-specific log and audit data
– Effective incident reporting for tenants
– Visibility into change, incident, image management, etc.
– SLAs, option to transfer risk from tenant to provider
– Support for forensics
– Support for e-Discovery
• Application and Process
– Application security requirements for cloud are phrased in terms of image security
– Compliance with secure development best practices
• Physical
– Monitoring and control of physical access
• People and Identity
– Privileged user monitoring, including logging activities, physical monitoring and background checking
– Federated identity / onboarding: Coordinating authentication and authorization with enterprise or third party systems
– Standards-based SSO
• Data and Information
– Data segregation
– Client control over geographic location of data
– Government: Cloud-wide data classification
• Network, Server, Endpoint
– Isolation between tenant domains
– Trusted virtual domains: policy-based security zones
– Built-in intrusion detection and prevention
– Vulnerability Management
– Protect machine images from corruption and abuse
– Government: MILS-type separation
Based on interviews with clients and various analyst reports
Security governance, risk management and compliance
Customers require visibility into the security posture of their cloud.
Implement a governance and audit management program
Establish 3rd-party audits (SAS 70, ISO27001, PCI)
Provide access to tenant-specific log and audit data
Create effective incident reporting for tenants
Visibility into change, incident, image management, etc.
Support for forensics and e-Discovery
Supporting IBM Products, Services and Solutions
IBM Security Framework
IBM Cloud Security Guidance Document
People and Identity
Customers require proper authentication of cloud users.
Implement strong identity and access management
Privileged user monitoring, including logging activities, physical monitoring and background checking
Utilize federated identity to coordinate authentication and authorization with enterprise or third party systems
A standards-based, single sign-on capability can help simplify user logons for both internally hosted applications and the cloud.
Supporting IBM Products, Services and Solutions
IBM Security Framework
IBM Cloud Security Guidance Document
IBM Security Products and Services
Data and Information
Customers cite data protection as their most important concern.
Ensure confidential data protection
Use a secure network protocol when connecting to a secure information store.
Implement a firewall to isolate confidential information, and ensure that all confidential information is stored behind the firewall.
Sensitive information not essential to the business should be securely destroyed.
Supporting IBM Products, Services and Solutions
IBM Security Framework
IBM Cloud Security Guidance Document
IBM Security Products and Services
Application and Process
Customers require secure cloud applications and provider processes.
Establish application and environment provisioning
Implement a program for application and image provisioning.
A secure application testing program should be implemented.
Ensure all changes to virtual images and applications are logged.
Develop all Web based applications using secure coding guidelines.
Supporting IBM Products, Services and Solutions
IBM Security Framework
IBM Cloud Security Guidance Document
IBM Security Products and Services
Network, Server and End Point
Customers expect a secure cloud operating environment.
Maintain environment testing and vulnerability/intrusion management
Isolation between tenant domains
Trusted virtual domains: policy-based security zones
Built-in intrusion detection and prevention
Vulnerability Management
Protect machine images from corruption and abuse
Supporting IBM Products, Services and Solutions
IBM Security Framework
IBM Cloud Security Guidance Document
IBM Security Products and Services
Physical Security
Customers expect cloud data centers to be physically secure.
Implement a physical environment security plan
Ensure the facility has appropriate controls to monitor access.
Prevent unauthorized entrance to critical areas within facilities.
Ensure that all employees with direct access to systems have full background checks.
Provide adequate protection against natural disasters.
Supporting IBM Products, Services and Solutions
IBM Security Framework
IBM Cloud Security Guidance Document
IBM Security Products and Services
IBM Security offerings for Cloud Computing
Professional Services Managed Services Products Cloud Delivered
Security Governance, Risk and Compliance
Security Information and Event Management (SIEM) & Log Management
Data Security
Security Database Monitoring & Protection Data Loss Prevention Messaging Security Data Masking Application Security Application Vulnerability Scanning Access & Entitlement
Management Web Application Firewall SOA Security Access Management Data Entitlement Management Identity Management Identity & Access
Management
Mainframe Security Audit, Admin & Compliance
Security Configuration & Patch Management Virtual System Security Security Event Management Endpoint Protection Intrusion Prevention System Web/ URL Filtering Threat Analysis Firewall, IDS/ IPS MFS Management
IBM Security Solutions for the Cloud
IBM continues to research, test and document more focused approaches to cloud security
IBM Research
Special research concentration in cloud security
IBM X-Force
Proactive counter intelligence and public education
Customer Councils
Real-world feedback from clients adopting cloud
Standards Participation
Client-focused open standards and interoperability
IBM Institute for Advanced Security
IBM Cloud Security Guidance
Based on cross-IBM research and customer interaction on cloud security
Highlights a series of best practice controls that should be implemented
Broken into 7 critical infrastructure components:
• Building a Security Program
• Confidential Data Protection
• Implementing Strong Access and Identity
• Application Provisioning and De-provisioning
• Governance Audit Management
• Vulnerability Management
• Testing and Validation
http://www.redbooks.ibm.com/abstracts/redp4614.html?Open
IBM Security Solutions Architecture for Network, Server and
Endpoint
Explores threats to and security
requirements of IT systems.
Business drivers such as managing
risk and cost and compliance to
business policies and external
regulations, are explored,
highlighting how they can be
translated into frameworks to
enable enterprise security.
The idea is to help bridge the
communication gap between the
business and the technical
perspectives of security and to
enable simplification of thought and
process.
Cloud Security Whitepaper
Trust needs to be achieved, especially when data is stored in new ways and in new locations, including for example different countries.
This paper is provided to stimulate discussion by looking at three areas:
• What is different about cloud?
• What are the new security challenges cloud introduces?
Trusted Advisor
Solution Provider
Security Company
The Company
Security & Privacy Leadership
Security for the Cloud
Security from the Cloud
Thank you!
For more information, please visit:
Cloud Security On Ramps: Entry points to get started with IBM security solutions for cloud
Area | Goal | IBM solution | Design Deploy Consume
GRC | Understand the concerns of your unique cloud initiative | IBM Cloud Security Roadmap Service | X
Identity | Enable single sign on across multiple cloud services | IBM Tivoli Federated Identity Manager Business GW | X
Data | Protect and monitor access to shared databases | IBM InfoSphere Guardium | X X
Intrusion | Defend users and apps from network attacks | IBM Security Network Intrusion Prevention System | X
Virtualization | Protect VMs and hypervisor from advanced threats | IBM Virtual Server Protection for VMware | X X
Patch Management | Provide patch and config management of VMs | IBM Tivoli Endpoint Manager for Security and Compliance | X X
IBM Security Framework