How Safe are you in your Cloud?
Security Intelligence and Regulatory Compliance in the Cloud
November 2014
Heather Hinton, Ph.D.
IBM Distinguished Engineer
CTO – Cloud Security and Compliance
GTS Cloud Services Division
Executive Summary
Cloud environments need to satisfy the same compliance requirements as traditional IT, with the same security tools, policies and procedures, adapted for Cloud deployment
Cloud adoption highlights changes to thinking about compliance, including adoption of “transitive compliance”
•Infrastructure: IaaS compliance with SOC2, ISO27001/2 or similar
•Client-side workload: compliance built on Infrastructure + Workload
•Software/service: SaaS compliance built on Infrastructure + Service
Cloud adoption requires security solutions covering Identity, Protection and Insight to be extended to stand-alone and hybrid cloud
•Identity (user identification, access control and governance)
•Protection (infrastructure security, app and data security, risk mgmt)
•Insight (user activity, threat intelligence, compliance, cost)
Deploy Cloud offerings
•On and with extensive regulatory and compliance assertions: address hybrid cloud use cases by leveraging underlying compliance of IaaS, PaaS, SaaS layers
•With integrated security capabilities: address hybrid cloud use cases by leveraging strong enterprise security solutions and services
Cloud computing is rapidly transforming the enterprise
Figure labels: Cloud Adoption (SaaS, PaaS, IaaS); Security concerns; Compliance concerns
IBM Dynamic Cloud Security: Optimize Security Operations (Manage Access, Protect Data, Gain Visibility)
IBM Transitive Cloud Compliance: Optimize Compliance Activities (Manage Workloads, Protect Infrastructure, Leverage Visibility)
Perceived “Biggest Risks”
Software as a Service (SaaS)
SaaS provider doesn’t have adequate (up to “my” standards) practices around data protection, identity management, intrusion protection
Focused on risks of “managed by other” and not enough on security basics for integrating with other providers and solutions
Platform as a Service (PaaS)
PaaS provider won’t have the same types of basic controls (up to “my” standards) that I need for my developers in my environment
Focused on what the developer will do when removed from the training wheels of internal IT controls (developers let loose on the Internet!)
Infrastructure as a Service (IaaS)
IaaS provider doesn’t have adequate (up to “my” standards) practices around physical security
Tends to think in the context of a traditional data center with physical cages
Challenge: adapt our understanding of risk management to allow adoption of secure, compliant, business-friendly cloud
Cloud presents the opportunity to radically transform security practices and adopt new approaches to workload compliance
Traditional Compliance: client dictated and driven control of risks for the end-to-end operational stack
Cloud compliance allows us to rethink risks based on the comprehensive hybrid cloud and transitive compliance
Dynamic Cloud Security: standardized, automated, agile, and elastic
Traditional Security: manual, static, and reactive
Cloud security is not only achievable, it is an opportunity to drive the business, improve defenses and reduce risk
Dynamic Cloud Compliance
Compliance statements provided by each layer build up an end-to-end compliance statement
IBM SoftLayer and Bluemix provide a security-rich environment
•SoftLayer: certified compliance
•SoftLayer’s triple-layer network security
•IBM Marketplace, Bluemix, and Partners
Figure labels: Intel® TXT, AppScan for Mobile Vuln, Single Sign On, IBM Marketplace, IBM Bluemix
Figure labels: FedRAMP Ready System, PCI DSS v3.0 AoC, Ready for HIPAA, Supports Data Privacy, Ready for GxP
IBM Transitive Compliance for the Hybrid Cloud is built on a “layer cake” model
Layers: IaaS, PaaS, SaaS, Hosted MssP
Optimize Compliance Activities: Manage Workloads, Protect Infrastructure, Leverage Visibility
Compliance Assertions; “Ready For” statements
Customer provides Workload Compliance using IaaS Compliance Assertions, “Ready For” statements, and workload-specific audits as needed
Provider demonstrates MssP/SaaS compliance using IaaS Compliance Assertions, “Ready For” statements, and MssP/SaaS-specific audits as needed
IBM Dynamic Cloud Security Portfolio for the Hybrid Cloud supports security solutions tailored for your workload’s needs
Layers: IaaS, PaaS, SaaS, Hosted MssP
Manage Access: Cloud Access Manager, Cloud Privileged Identity Manager, Cloud Sign On Service, Cloud Identity Services (marked New!)
Protect Data: Cloud Web and Mobile Application Analyzers (New!), Cloud Data Activity Monitoring (New!)
Optimize Security Operations
Gain Visibility: Cloud Security Intelligence (New!), Intelligent Threat Protection Cloud (New!), Security Intelligence and Operations Consulting Services
Cloud Security Managed Services
Layers: IaaS, PaaS, SaaS, Hosted MssP (New!)
Manage Access: Cloud Access Manager, Cloud PIM, Cloud Sign On Service, Cloud Identity Services
Protect Data: Cloud Web and Mobile Application Analyzers, Cloud Data Activity Monitoring
Optimize Security Operations, Compliance Activities
Gain Visibility: Unified Threat Monitoring, Intelligent Threat Protection Cloud, Security Intelligence and Operations Consulting Services
Cloud Security Managed Services
International Financial Services Consortium deploys Cloud-hosted document exchange for Customer-provided SaaS on IBM IaaS and IBM Security, builds transitive compliant solution
Solution components (figure labels): Data Encryption, IBM Marketplace, Data Privacy
Layers: IaaS, PaaS, SaaS, Hosted MssP (New!)
Manage Access: Cloud Sign On Service, Cloud Identity Services
Protect Data: Cloud Application Analyzers, Cloud Data Activity Monitoring
Optimize Security Operations, Compliance Activities
Gain Visibility: Cloud Security Intelligence, Intelligent Threat Protection Cloud, Security Intelligence and Operations Consulting Services
Cloud Security Managed Services
National retailer deploys loyalty program extension including mobile accessibility, builds transitive compliant solution
Solution components (figure labels): Data Privacy, Cloud Access Manager, Cloud PIM, Unified Threat Monitoring, IBM Marketplace