© 2010 IBM Corporation
CLOUD SECURITY: THE GRAND CHALLENGE
Glen Gooding
Asia Pacific Security Leader
IBM Corporation
ggooding@au1.ibm.com
Government Ware: GovWare Singapore September 29, 2010
Rest safe: Google saves the day
Agenda
Components of Cloud Market
Basic Security Concepts – Today and tomorrow
IBM’s vision of a Security Framework
IBM Cloud Security Guidance
Conceptual findings from Security Framework
Government Authentication Cloud Example
Workloads Most Considered for Cloud Delivery
Top private workloads
Database, application and infrastructure workloads emerge as most appropriate
• Data mining, text mining, or other analytics
• Security
• Data warehouses or data marts
• Business continuity and disaster recovery
• Test environment infrastructure
• Long-term data archiving/preservation
• Transactional databases
• Industry-specific applications
• ERP applications
Top public workloads
Infrastructure and collaboration workloads emerge as most appropriate
• Audio/video/Web conferencing
• Service help desk
• Infrastructure for training and demonstration
• WAN capacity and VoIP infrastructure
• Desktop
• Test environment infrastructure
• Storage
• Data center network capacity
• Server
Source: IBM Market Insights, Cloud Computing Research, July 2009. n=1,090
CLOUD MODEL APPLIES AT ALL LEVELS OF THE IT STACK – Resulting in Different Security Requirements, Different Responsibilities
[Figure labels: The Cloud Curtain]
WHAT IS CLOUD SECURITY?
There is nothing new under the sun but there are lots of old things we don't know.
Ambrose Bierce, The Devil's Dictionary
Software as a Service
Utility Computing
Grid Computing
Cloud Computing
Confidentiality, Integrity, Availability of business-critical IT assets
Stored or processed on a cloud computing platform
CLOUD SECURITY: SIMPLE EXAMPLE
Today’s Data Center: We Have Control
• It’s located at X.
• It’s stored in servers Y, Z.
• We have backups in place.
• Our admins control access.
• Our uptime is sufficient.
• The auditors are happy.
• Our security team is engaged.
Tomorrow’s Public Cloud: Who Has Control?
• Where is it located?
• Where is it stored?
• Who backs it up?
• Who has access?
• How resilient is it?
• How do auditors observe?
• How does our security team engage?
CATEGORIES OF CLOUD COMPUTING RISKS
Compliance: Complying with regulations may prohibit the use of clouds for some applications.
Reliability: High availability will be a key concern. IT departments will worry about a loss of service should outages occur.
Control: Many companies and governments are uncomfortable with the idea of their information located on systems they do not control.
Security Management: Even the simplest of tasks may be behind layers of abstraction or performed by someone else.
Data: Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure.
Providers must offer a high degree of security transparency to help put customers at ease.
Authentication and access technologies become increasingly important.
Mission critical applications may not run in the cloud without strong availability guarantees.
Comprehensive auditing capabilities are essential.
Providers must supply easy controls to manage security settings for application and runtime environments.
IBM SECURITY FRAMEWORK
Built to meet four key requirements:
• Provide Assurance
• Enable Intelligence
• Automate Process
• Improve Resilience
Introducing the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security; IBM RedGuide REDP-4528-00, July 2009
IBM approach to security on a Smart Planet…
Secure by Design
Intelligence
Standards
Assurance
Governance
Enable trust and confidence in IT through software and system assurance
Stay ahead of the threat by monitoring the attack landscape and anticipating new threats
Enable security and privacy with an open, standards-based architectural approach
Provide visibility, control and automation through CoBIT and ITIL-based service management
• Open standards leadership in DMTF, IETF, OASIS, TCG, W3C, …
• SOA & Web Services Security
• IBM Security Blueprint
• IBM Trusted Identity
• Fine-grained Security
• Trusted Virtual Data Center
• UK/US ITA, IBM OCR, EU FP7 open research
• IBM Service Management Platform – asset management, problem & incident management, change & release management, etc.
• IBM Process Reference Model for IT (PRM-IT)
• IBM Rational Unified Process
• Patch management for virtual images
• IBM Integrated Product Development Process
• System z Integrity Statement
• Trusted Foundry
• IBM High Assurance Platform
• Continuous Software Quality
• IBM Secure Blue
• IBM X-Force
• IBM Managed Security Services
• System S Event & Streaming System
• High Performance Computing
• Information Risk & Compliance
• Smart Surveillance
Foundational Controls
Powered by IBM Research
TYPICAL CLIENT SECURITY REQUIREMENTS
• Governance, Risk Management, Compliance
  – 3rd-party audit (SAS 70(2), ISO27001/2, PCI)
  – Client access to tenant-specific log and audit data
  – Effective incident reporting for tenants
  – Visibility into change, incident, image management, etc.
  – SLAs, option to transfer risk from tenant to provider
  – Support for forensics
  – Support for e-Discovery
• Application and Process
  – Application security requirements for cloud are phrased in terms of image security
  – Compliance with secure development best practices
• Physical
  – Monitoring and control of physical access
• People and Identity
  – Privileged user monitoring, including logging activities, physical monitoring and background checking
  – Federated identity / onboarding: Coordinating authentication and authorization with enterprise or third party systems
  – Standards-based SSO
• Data and Information
  – Data segregation
  – Client control over geographic location of data
  – Government: Cloud-wide data classification
• Network, Server, Endpoint
  – Isolation between tenant domains
  – Trusted virtual domains: policy-based security zones
  – Built-in intrusion detection and prevention
  – Vulnerability Management
  – Protect machine images from corruption and abuse
  – Government: MILS-type separation
Based on interviews with clients and various analyst reports
IBM CLOUD SECURITY GUIDANCE DOCUMENT
• Based on cross-IBM research on cloud security
• Highlights a series of best practice controls that should be implemented
• Broken into 7 critical infrastructure components:
  – Building a Security Program
  – Confidential Data Protection
  – Implementing Strong Access and Identity
  – Application Provisioning and De-provisioning
  – Governance Audit Management
  – Vulnerability Management
  – Testing and Validation
Security governance, risk management and compliance
Customers require visibility into the security posture of their cloud.
Implement a governance and audit management program
• Establish 3rd-party audits (ISO27001, PCI)
• Provide access to tenant-specific log and audit data
• Create effective incident reporting for tenants
• Visibility into change, incident, image management, etc.
• Understand applicable regional, national and international laws
• Support for forensics and e-Discovery
IBM Security Framework
IBM Cloud Security Guidance Document
People and Identity
Customers require proper authentication of cloud users.
Implement strong identity and access management
• Privileged user monitoring, including logging activities, physical monitoring and background checking
• Utilize federated identity to coordinate authentication and authorization with enterprise or third party systems
• A standards-based, single sign-on capability
Data and Information
Customers cite data protection as their most important concern within the cloud.
Ensure confidential data protection
• Use a secure network protocol when connecting to a secure information store.
• Implement a firewall to isolate confidential information, and ensure that all confidential information is stored behind the firewall.
• Sensitive information not essential to the business should be securely destroyed.
Application and Process
Customers require secure cloud applications and provider processes.
Establish application and environment provisioning
• Implement a program for application and image provisioning.
• Develop all Web based applications using secure coding guidelines.
• Ensure external facing Web applications are black box tested
• A secure application testing program should be implemented.
• Ensure all changes to virtual images and applications are logged.
Network, Server and End Point
Customers expect a secure cloud operating environment.
Maintain environment testing and vulnerability/intrusion management
• Implement vulnerability scanning, anti-virus, intrusion detection and prevention on all appropriate images
• Ensure isolation exists between tenant domains
• Trusted virtual domains: policy-based security zones
• Ensure provisioning management is strictly controlled
• Protect machine images from corruption and abuse
• Ensure provisioned images apply appropriate access rights
• Ensure destruction of outdated images
Physical Security
Customers expect cloud data centers to be physically secure.
Implement a physical environment security plan
• Ensure the facility has appropriate controls to monitor access.
• Prevent unauthorized entrance to critical areas within facilities e.g. servers, routers, storage, power supplies
• Biometric access of employees
• Ensure that all employees with direct access to systems have full background checks.
• Provide adequate protection against natural disasters.
My thoughts on critical components
Customers want to hear how IBM can deliver secure Government cloud solutions.
Areas of expertise IBM can deliver on
• Enterprise wide Government security and compliance
• Database security compliance
• Virtualization and security implication
• IBM’s involvement in Government Cloud Solutions
  – A Real Use Case
Virtualization – First Step in Journey to Cloud Computing
• Integrated service lifecycle mgmt.
• Expose resources “as-a-Service”.
• Integrated Security infrastructure.
• Rapid provisioning of IT resources, massive scaling.
• Dynamic service mgmt.
• Energy saving via auto workload distribution.
• Rapid deployment of infrastructure and applications.
• Request-driven service management.
• Service Catalog.
• Virtualization.
• Better hardware utilization.
• Improved IT agility.
• Server Consolidation.
• Streamline Operations – manage physical and virtual systems.
• Lower power consumption.
Cloud Computing
Security Challenges with Virtualization: New Risks
• Resource sharing
• Single point of failure
• Loss of visibility
MORE COMPONENTS = MORE EXPOSURE
Traditional Threats
• Virtual server sprawl
• Dynamic state
• Dynamic relocation
Stealth rootkits
Management Vulnerabilities
• Secure storage of VMs and the management data
• Requires new skill sets
• Insider threat
New threats to VM environments
Traditional threats can attack VMs just like real systems
Server and Network Convergence
Cloud compliance: Security Information and Event Management
How to provide a single, integrated product that delivers insider threat, audit and compliance.
Key Features
• Single, integrated product
• Log Management Reporting
• Unique ability to monitor user behavior
• Enterprise compliance dashboard
• Compliance management modules and regulation-specific reports
• Broadest, most complete log and audit trail capture capability
• W7 log normalization translates your logs into business terms
• Easy ability to compare behavior to regulatory and company policies
• Multi-tenancy support through scoping
Real-Time Database Security & Monitoring
• Non-invasive
• No DBMS changes
• Minimal impact
• Does not rely on traditional DBMS-resident logs that can easily be disabled by DBAs
• Granular policies & monitoring
• Who, what, when, how
• Real-time alerting
• Monitors all activities including local access by privileged users
[Figure labels: DB2, SQL Server]
Cloud based Authentication Hub
Australian Federal Government
IBM Insight Forum 09 ®
In a browser, hit http://www.australia.gov.au
Click Login to myaccount
Provide your logon details
Provide the correct answer to your previously registered secret question
I am now authenticated and have access to Centrelink and Medicare
Clicking on the Medicare link takes me to Medicare’s site
Return to myaccount page
I have access to Centrelink and Medicare
Clicking on the Centrelink link takes me to Centrelink’s site
Return to myaccount page
SUMMARY
• “Cloud” is a new consumption and delivery model inspired by consumer Internet services.
• Security Remains the Top Concern for Cloud Adoption
• One sized security doesn’t fit all
• Take a structured approach to securing your cloud environment
• Documented guidance is available for download to assist you in securing your cloud environment
• IBM has a view from End to End when it addresses your security needs
ONE voice for security.
IBM SECURITY SOLUTIONS
INNOVATIVE products and services.
IBM SECURITY FRAMEWORK
COMMITTED to the vision of a Secure Smarter Planet.
SECURE BY DESIGN
Thank You.

More Related Content

PDF
IBM MaaS360 with watson
PPT
MDM is not Enough - Parmelee
PDF
IT Security Bedrohungen optimal abwehren_Tom Turner und Andreas Wespi
PPTX
Are We There Yet? The Path Towards Securing the Mobile Enterprise
PPT
Security solutions for a smarter planet
PDF
The Business Case for Enterprise Endpoint Protection: Can You Afford Not To?
PDF
Guardium Data Activiy Monitor For C- Level Executives
PDF
Defense Foundation Product Brief
IBM MaaS360 with watson
MDM is not Enough - Parmelee
IT Security Bedrohungen optimal abwehren_Tom Turner und Andreas Wespi
Are We There Yet? The Path Towards Securing the Mobile Enterprise
Security solutions for a smarter planet
The Business Case for Enterprise Endpoint Protection: Can You Afford Not To?
Guardium Data Activiy Monitor For C- Level Executives
Defense Foundation Product Brief

What's hot (16)

PPTX
MaaS360 with Watson
PDF
The Year the Internet Fell Apart
PDF
Beyond the PC: Combating Unmanaged Threats Security
PPT
IBM Security Strategy Intelligence,
PPTX
From reactive to automated reducing costs through mature security processes i...
PDF
Ibm ofa ottawa_ how_secure_is_your_data_eric_offenberg
PDF
Compliance is a pit stop – your destination lies ahead
PDF
How Does IBM Deliver Cloud Security Paper
 
DOCX
April2016 PM GregWithamResume
PPTX
Presentation ibm info sphere guardium enterprise-wide database protection a...
PPTX
Security models for security architecture
PDF
IBM Infosphere Guardium - Database Security
PPTX
QRadar & XGS: Stopping Attacks with a Click of the Mouse
PDF
IBM InfoSphere Guardium overview
PPTX
Zero Trust Networks
PDF
CyberoamBrochure
MaaS360 with Watson
The Year the Internet Fell Apart
Beyond the PC: Combating Unmanaged Threats Security
IBM Security Strategy Intelligence,
From reactive to automated reducing costs through mature security processes i...
Ibm ofa ottawa_ how_secure_is_your_data_eric_offenberg
Compliance is a pit stop – your destination lies ahead
How Does IBM Deliver Cloud Security Paper
 
April2016 PM GregWithamResume
Presentation ibm info sphere guardium enterprise-wide database protection a...
Security models for security architecture
IBM Infosphere Guardium - Database Security
QRadar & XGS: Stopping Attacks with a Click of the Mouse
IBM InfoSphere Guardium overview
Zero Trust Networks
CyberoamBrochure
Ad

Viewers also liked (18)

PDF
SOME SECURITY CHALLENGES IN CLOUD COMPUTING
PPTX
Cloud computing security issues and challenges
PDF
Cloud Security: challenges and perspectives.
PDF
Challenges with Cloud Security by Ken Y Chan
PPTX
CipherCloud for Salesforce - Solution Overview
PDF
Cloud computing security issues and challenges
PDF
GIEP - Be Well - Poster for Indo-Global Health Conference
PDF
Finding the Right Balance: Security vs. Performance with Network Storage Systems
PPTX
BSides London - Scapy Workshop
PPT
Cloud Computing Security Challenges
PDF
Cloud Computing 101 Workshop Sample
PPTX
Security challenges of cloud computing
PPTX
Data management services outsourcing – data mining, data entry and data proce...
PDF
Why Outsource Data Entry Services?
PPT
Security Issues of Cloud Computing
PPTX
Mobile Cloud Computing Challenges and Security
PPT
Cloud Computing Security Issues
SOME SECURITY CHALLENGES IN CLOUD COMPUTING
Cloud computing security issues and challenges
Cloud Security: challenges and perspectives.
Challenges with Cloud Security by Ken Y Chan
CipherCloud for Salesforce - Solution Overview
Cloud computing security issues and challenges
GIEP - Be Well - Poster for Indo-Global Health Conference
Finding the Right Balance: Security vs. Performance with Network Storage Systems
BSides London - Scapy Workshop
Cloud Computing Security Challenges
Cloud Computing 101 Workshop Sample
Security challenges of cloud computing
Data management services outsourcing – data mining, data entry and data proce...
Why Outsource Data Entry Services?
Security Issues of Cloud Computing
Mobile Cloud Computing Challenges and Security
Cloud Computing Security Issues
Ad

Similar to Presentation cloud security the grand challenge (20)

PDF
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
PDF
Security Building Blocks of the IBM Cloud Computing Reference Architecture
PDF
Cloud Security: What you need to know about IBM SmartCloud Security
PPTX
IBM Relay 2015: Securing the Future
 
PPT
Security in Cloud Computing
PDF
Lecture27 cc-security2
PPTX
Cloud Security By Dr. Anton Ravindran
PPTX
Chmura nieuchronnym elementem Twojego IT w (nie)dalekiej przyszłości. Śmierte...
PPTX
Cloud Security
PPTX
Cloud Security
PPTX
18CSE442 Cloud Security Introduction SRM.pptx
PDF
Strategies for assessing cloud security
PDF
Strategies for assessing cloud security
PDF
Ast 0064255 strategies-for_assessing_cloud_security
PPTX
Transforming cloud security into an advantage
PPT
Security cloud forum_2011
PPTX
talk6securingcloudamarprusty-191030091632.pptx
PPTX
Securing your Cloud Deployment
PDF
Securing your telco cloud
PPTX
I am sharing 'Unit-2' with youuuuuu.PPTX
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
Security Building Blocks of the IBM Cloud Computing Reference Architecture
Cloud Security: What you need to know about IBM SmartCloud Security
IBM Relay 2015: Securing the Future
 
Security in Cloud Computing
Lecture27 cc-security2
Cloud Security By Dr. Anton Ravindran
Chmura nieuchronnym elementem Twojego IT w (nie)dalekiej przyszłości. Śmierte...
Cloud Security
Cloud Security
18CSE442 Cloud Security Introduction SRM.pptx
Strategies for assessing cloud security
Strategies for assessing cloud security
Ast 0064255 strategies-for_assessing_cloud_security
Transforming cloud security into an advantage
Security cloud forum_2011
talk6securingcloudamarprusty-191030091632.pptx
Securing your Cloud Deployment
Securing your telco cloud
I am sharing 'Unit-2' with youuuuuu.PPTX

More from xKinAnx (20)

PPTX
Engage for success ibm spectrum accelerate 2
PPTX
Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive
PDF
Software defined storage provisioning using ibm smart cloud
PDF
Ibm spectrum virtualize 101
PDF
Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive dee...
PDF
04 empalis -ibm_spectrum_protect_-_strategy_and_directions
PPTX
Ibm spectrum scale fundamentals workshop for americas part 1 components archi...
PPTX
Ibm spectrum scale fundamentals workshop for americas part 2 IBM Spectrum Sca...
PPTX
Ibm spectrum scale fundamentals workshop for americas part 3 Information Life...
PPTX
Ibm spectrum scale fundamentals workshop for americas part 4 Replication, Str...
PPTX
Ibm spectrum scale fundamentals workshop for americas part 4 spectrum scale_r...
PPTX
Ibm spectrum scale fundamentals workshop for americas part 5 spectrum scale_c...
PPTX
Ibm spectrum scale fundamentals workshop for americas part 6 spectrumscale el...
PPTX
Ibm spectrum scale fundamentals workshop for americas part 7 spectrumscale el...
PPT
Ibm spectrum scale fundamentals workshop for americas part 8 spectrumscale ba...
PPTX
Ibm spectrum scale fundamentals workshop for americas part 5 ess gnr-usecases...
PDF
Presentation disaster recovery in virtualization and cloud
PDF
Presentation disaster recovery for oracle fusion middleware with the zfs st...
PDF
Presentation differentiated virtualization for enterprise clouds, large and...
PDF
Presentation desktops for the cloud the view rollout
Engage for success ibm spectrum accelerate 2
Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive
Software defined storage provisioning using ibm smart cloud
Ibm spectrum virtualize 101
Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive dee...
04 empalis -ibm_spectrum_protect_-_strategy_and_directions
Ibm spectrum scale fundamentals workshop for americas part 1 components archi...
Ibm spectrum scale fundamentals workshop for americas part 2 IBM Spectrum Sca...
Ibm spectrum scale fundamentals workshop for americas part 3 Information Life...
Ibm spectrum scale fundamentals workshop for americas part 4 Replication, Str...
Ibm spectrum scale fundamentals workshop for americas part 4 spectrum scale_r...
Ibm spectrum scale fundamentals workshop for americas part 5 spectrum scale_c...
Ibm spectrum scale fundamentals workshop for americas part 6 spectrumscale el...
Ibm spectrum scale fundamentals workshop for americas part 7 spectrumscale el...
Ibm spectrum scale fundamentals workshop for americas part 8 spectrumscale ba...
Ibm spectrum scale fundamentals workshop for americas part 5 ess gnr-usecases...
Presentation disaster recovery in virtualization and cloud
Presentation disaster recovery for oracle fusion middleware with the zfs st...
Presentation differentiated virtualization for enterprise clouds, large and...
Presentation desktops for the cloud the view rollout

Recently uploaded (20)

PDF
sbt 2.0: go big (Scala Days 2025 edition)
PDF
NewMind AI Weekly Chronicles – August ’25 Week IV
PDF
Convolutional neural network based encoder-decoder for efficient real-time ob...
PDF
AI.gov: A Trojan Horse in the Age of Artificial Intelligence
PPT
Galois Field Theory of Risk: A Perspective, Protocol, and Mathematical Backgr...
PDF
Enhancing plagiarism detection using data pre-processing and machine learning...
PDF
Lung cancer patients survival prediction using outlier detection and optimize...
PDF
Taming the Chaos: How to Turn Unstructured Data into Decisions
PDF
Transform-Your-Factory-with-AI-Driven-Quality-Engineering.pdf
DOCX
search engine optimization ppt fir known well about this
PDF
Comparative analysis of machine learning models for fake news detection in so...
PPTX
AI IN MARKETING- PRESENTED BY ANWAR KABIR 1st June 2025.pptx
PDF
Transform-Quality-Engineering-with-AI-A-60-Day-Blueprint-for-Digital-Success.pdf
PPTX
Training Program for knowledge in solar cell and solar industry
PDF
“A New Era of 3D Sensing: Transforming Industries and Creating Opportunities,...
PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
PDF
The-Future-of-Automotive-Quality-is-Here-AI-Driven-Engineering.pdf
PPTX
Configure Apache Mutual Authentication
PPTX
MuleSoft-Compete-Deck for midddleware integrations
PDF
5-Ways-AI-is-Revolutionizing-Telecom-Quality-Engineering.pdf
sbt 2.0: go big (Scala Days 2025 edition)
NewMind AI Weekly Chronicles – August ’25 Week IV
Convolutional neural network based encoder-decoder for efficient real-time ob...
AI.gov: A Trojan Horse in the Age of Artificial Intelligence
Galois Field Theory of Risk: A Perspective, Protocol, and Mathematical Backgr...
Enhancing plagiarism detection using data pre-processing and machine learning...
Lung cancer patients survival prediction using outlier detection and optimize...
Taming the Chaos: How to Turn Unstructured Data into Decisions
Transform-Your-Factory-with-AI-Driven-Quality-Engineering.pdf
search engine optimization ppt fir known well about this
Comparative analysis of machine learning models for fake news detection in so...
AI IN MARKETING- PRESENTED BY ANWAR KABIR 1st June 2025.pptx
Transform-Quality-Engineering-with-AI-A-60-Day-Blueprint-for-Digital-Success.pdf
Training Program for knowledge in solar cell and solar industry
“A New Era of 3D Sensing: Transforming Industries and Creating Opportunities,...
Data Virtualization in Action: Scaling APIs and Apps with FME
The-Future-of-Automotive-Quality-is-Here-AI-Driven-Engineering.pdf
Configure Apache Mutual Authentication
MuleSoft-Compete-Deck for midddleware integrations
5-Ways-AI-is-Revolutionizing-Telecom-Quality-Engineering.pdf

Presentation cloud security the grand challenge

  • 1. © 2010 IBM Corporation CLOUD SECURITY: THE GRAND CHALLENGE Glen Gooding Asia Pacific Security Leader IBM Corporation [email protected] Government Ware: GovWare Singapore September 29, 2010
  • 2. © 2010 IBM Corporation Rest safe: Google saves the day
  • 3. © 2010 IBM Corporation Agenda Components of Cloud Market Basic Security Concepts – Today and tomorrow IBM’s vision of a Security Framework IBM Cloud Security Guidance Conceptual findings from Security Framework Government Authentication Cloud Example 3
  • 4. © 2010 IBM Corporation4 Workloads Most Considered for Cloud Delivery Top private workloads Database, application and infrastructure workloads emerge as most appropriate  Data mining, text mining, or other analytics  Security  Data warehouses or data marts  Business continuity and disaster recovery  Test environment infrastructure  Long-term data archiving/preservation  Transactional databases  Industry-specific applications  ERP applications Top public workloads Infrastructure and collaboration workloads emerge as most appropriate  Audio/video/Web conferencing  Service help desk  Infrastructure for training and demonstration  WAN capacity and VoIP infrastructure  Desktop  Test environment infrastructure  Storage  Data center network capacity  Server Source: IBM Market Insights, Cloud Computing Research, July 2009. n=1,090
  • 5. © 2010 IBM Corporation5 The Cloud Curtain The Cloud Curtain Curtain CLOUD MODEL APPLIES AT ALL LEVELS OF THE IT STACK – 5 Resulting in Different Security Requirements, Different Responsibilities
  • 6. © 2010 IBM Corporation WHAT IS CLOUD SECURITY? There is nothing new under the sun but there are lots of old things we don't know. Ambrose Bierce, The Devil's Dictionary Software as a Service Utility Computing Grid Computing Cloud Computing Confidentiality, Integrity, Availability of business-critical IT assets Stored or processed on a cloud computing platform 6
  • 7. © 2010 IBM Corporation CLOUD SECURITY: SIMPLE EXAMPLE ? We Have Control It’s located at X. It’s stored in server’s Y, Z. We have backups in place. Our admins control access. Our uptime is sufficient. The auditors are happy. Our security team is engaged. Who Has Control? Where is it located? Where is it stored? Who backs it up? Who has access? How resilient is it? How do auditors observe? How does our security team engage? ? ? ? ? ? Today’s Data Center Tomorrow’s Public Cloud CLOUD SECURITY: SIMPLE EXAMPLE 7
  • 8. © 2010 IBM Corporation Compliance Complying with regulations may prohibit the use of clouds for some applications. Reliability High availability will be a key concern. IT departments will worry about a loss of service should outages occur. Control Many companies and governments are uncomfortable with the idea of their information located on systems they do not control. Security Management Even the simplest of tasks may be behind layers of abstraction or performed by someone else. Data Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Providers must offer a high degree of security transparency to help put customers at ease. Authentication and access technologies become increasingly important. Mission critical applications may not run in the cloud without strong availability guarantees. Comprehensive auditing capabilities are essential. Providers must supply easy controls to manage security settings for application and runtime environments. CATEGORIES OF CLOUD COMPUTING RISKS 8
  • 9. © 2010 IBM Corporation IBM SECURITY FRAMEWORK Built to meet four key requirements:  Provide Assurance  Enable Intelligence  Automate Process  Improve Resilience Introducing the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security; IBM RedGuide REDP-4528-00, July 2009 9
  • 10. © 2010 IBM Corporation IBM approach to security on a Smart Planet… Secure by Design Intelligence Standards Assurance Governance Enable trust and confidence in IT through software and system assurance Stay ahead of the threat by monitoring the attack landscape and anticipating new threats Enable security and privacy with an open, standards-based architectural approach Provide visibility, control and automation through CoBIT and ITIL-based service management  Open standards leadership in DMTF, IETF, OASIS, TCG, W3C, …  SOA & Web Services Security  IBM Security Blueprint  IBM Trusted Identity  Fine-grained Security  Trusted Virtual Data Center  UK/US ITA, IBM OCR, EU FP7 open research  IBM Service Management Platform – asset management, problem & incident management, change & release management, etc.  IBM Process Reference Model for IT (PRM-IT)  IBM Rational Unified Process  Patch management for virtual images  IBM Integrated Product Development Process  System z Integrity Statement  Trusted Foundry  IBM High Assurance Platform  Continuous Software Quality  IBM Secure Blue  IBM X-Force  IBM Managed Security Services  System S Event & Streaming System  High Performance Computing  Information Risk & Compliance  Smart Surveillance Foundational Controls PoweredbyIBMResearch 10
  • 11. © 2010 IBM Corporation TYPICAL CLIENT SECURITY REQUIREMENTS •Governance, Risk Management, •Compliance •3rd-party audit (SAS 70(2), ISO27001/2, PCI) •Client access to tenant-specific log and audit data •Effective incident reporting for tenants •Visibility into change, incident, image management, etc. •SLAs, option to transfer risk from tenant to provider •Support for forensics •Support for e-Discovery •Application and Process •Application security requirements for cloud are phrased in terms of image security •Compliance with secure development best practices •Physical •Monitoring and control of physical access • People and Identity • Privileged user monitoring, including logging activities, physical monitoring and background checking • Federated identity / onboarding: Coordinating authentication and authorization with enterprise or third party systems • Standards-based SSO • Data and Information • Data segregation • Client control over geographic location of data • Government: Cloud-wide data classification • Network, Server, Endpoint • Isolation between tenant domains • Trusted virtual domains: policy-based security zones • Built-in intrusion detection and prevention • Vulnerability Management • Protect machine images from corruption and abuse • Government: MILS-type separation Based on interviews with clients and various analyst reports 11
  • 12. IBM CLOUD SECURITY GUIDANCE DOCUMENT
      – Based on cross-IBM research on cloud security
      – Highlights a series of best practice controls that should be implemented
      – Broken into 7 critical infrastructure components: Building a Security Program; Confidential Data Protection; Implementing Strong Access and Identity; Application Provisioning and De-provisioning; Governance Audit Management; Vulnerability Management; Testing and Validation
  • 13. Security governance, risk management and compliance
      – Customers require visibility into the security posture of their cloud.
      – Implement a governance and audit management program
      – Establish 3rd-party audits (ISO27001, PCI)
      – Provide access to tenant-specific log and audit data
      – Create effective incident reporting for tenants
      – Visibility into change, incident, image management, etc.
      – Understand applicable regional, national and international laws
      – Support for forensics and e-Discovery
      – IBM Security Framework; IBM Cloud Security Guidance Document
  • 14. People and Identity
      – Customers require proper authentication of cloud users.
      – Implement strong identity and access management
      – Privileged user monitoring, including logging activities, physical monitoring and background checking
      – Utilize federated identity to coordinate authentication and authorization with enterprise or third party systems
      – A standards-based, single sign-on capability
      – IBM Security Framework; IBM Cloud Security Guidance Document
  • 15. Data and Information
      – Customers cite data protection as their most important concern within the cloud.
      – Ensure confidential data protection
      – Use a secure network protocol when connecting to a secure information store.
      – Implement a firewall to isolate confidential information, and ensure that all confidential information is stored behind the firewall.
      – Sensitive information not essential to the business should be securely destroyed.
      – IBM Security Framework; IBM Cloud Security Guidance Document
  • 16. Application and Process
      – Customers require secure cloud applications and provider processes.
      – Establish application and environment provisioning
      – Implement a program for application and image provisioning.
      – Develop all Web based applications using secure coding guidelines.
      – Ensure external facing Web applications are black box tested.
      – A secure application testing program should be implemented.
      – Ensure all changes to virtual images and applications are logged.
      – IBM Security Framework; IBM Cloud Security Guidance Document
  • 17. Network, Server and End Point
      – Customers expect a secure cloud operating environment.
      – Maintain environment testing and vulnerability/intrusion management
      – Implement vulnerability scanning, anti-virus, intrusion detection and prevention on all appropriate images
      – Ensure isolation exists between tenant domains
      – Trusted virtual domains: policy-based security zones
      – Ensure provisioning management is strictly controlled
      – Protect machine images from corruption and abuse
      – Ensure provisioned images apply appropriate access rights
      – Ensure destruction of outdated images
      – IBM Security Framework; IBM Cloud Security Guidance Document
  • 18. Physical Security
      – Customers expect cloud data centers to be physically secure.
      – Implement a physical environment security plan
      – Ensure the facility has appropriate controls to monitor access.
      – Prevent unauthorized entrance to critical areas within facilities, e.g. servers, routers, storage, power supplies
      – Biometric access of employees
      – Ensure that all employees with direct access to systems have full background checks.
      – Provide adequate protection against natural disasters.
      – IBM Security Framework; IBM Cloud Security Guidance Document
  • 19. My thoughts on critical components
      – Customers want to hear how IBM can deliver secure Government cloud solutions.
      – Areas of expertise IBM can deliver on
      – Enterprise wide Government security and compliance
      – Database security compliance
      – Virtualization and security implication
      – IBM’s involvement in Government Cloud Solutions – A Real Use Case
      – IBM Security Framework; IBM Cloud Security Guidance Document
  • 20. Virtualization – First Step in Journey to Cloud Computing
      – Integrated service lifecycle mgmt.
      – Expose resources “as-a-Service”.
      – Integrated Security infrastructure.
      – Rapid provisioning of IT resources, massive scaling.
      – Dynamic service mgmt.
      – Energy saving via auto workload distribution.
      – Rapid deployment of infrastructure and applications.
      – Request-driven service management.
      – Service Catalog.
      – Virtualization.
      – Better hardware utilization.
      – Improved IT agility.
      – Server Consolidation.
      – Streamline Operations – manage physical and virtual systems.
      – Lower power consumption.
      – Cloud Computing
  • 21. Security Challenges with Virtualization: New Risks
      – MORE COMPONENTS = MORE EXPOSURE
      – Traditional Threats: Traditional threats can attack VMs just like real systems
      – New threats to VM environments: Resource sharing; Single point of failure; Loss of visibility; Virtual server sprawl; Dynamic state; Dynamic relocation; Stealth rootkits; Management Vulnerabilities; Secure storage of VMs and the management data; Requires new skill sets; Insider threat
  • 22. Server and Network Convergence
  • 23. Cloud compliance: Security Information and Event Management
      – How to provide a single, integrated product that delivers insider threat, audit and compliance.
      – Key Features:
      – Single, integrated product
      – Log Management Reporting
      – Unique ability to monitor user behavior
      – Enterprise compliance dashboard
      – Compliance management modules and regulation-specific reports
      – Broadest, most complete log and audit trail capture capability
      – W7 log normalization translates your logs into business terms
      – Easy ability to compare behavior to regulatory and company policies
      – Multi-tenancy support through scoping
  • 24. Real-Time Database Security & Monitoring
      – Non-invasive
      – No DBMS changes
      – Minimal impact
      – Does not rely on traditional DBMS-resident logs that can easily be disabled by DBAs
      – Granular policies & monitoring
      – Who, what, when, how
      – Real-time alerting
      – Monitors all activities including local access by privileged users
      – DB2; SQL Server
  • 25. Cloud based Authentication Hub: Australian Federal Government
  • 26. In a browser, hit http://www.australia.gov.au (IBM Insight Forum 09 ®)
  • 27. Click Login to myaccount
  • 28. Provide your logon details
  • 30. Provide the correct answer to your previously registered secret question
  • 31. I am now authenticated and have access to Centrelink and Medicare
  • 32. Clicking on the Medicare link takes me to Medicare’s site
  • 33. Return to myaccount page
  • 34. I have access to Centrelink and Medicare
  • 35. Clicking on the Centrelink link takes me to Centrelink’s site. Return to myaccount page
  • 37. SUMMARY
      – “Cloud” is a new consumption and delivery model inspired by consumer Internet services.
      – Security remains the top concern for cloud adoption
      – One-size security doesn’t fit all
      – Take a structured approach to securing your cloud environment
      – Documented guidance is available for download to assist you in securing your cloud environment
      – IBM has a view from end to end when it addresses your security needs
  • 38. Thank You.
      – IBM SECURITY SOLUTIONS: ONE voice for security.
      – IBM SECURITY FRAMEWORK: INNOVATIVE products and services.
      – SECURE BY DESIGN: COMMITTED to the vision of a Secure Smarter Planet.