PCTY 2012, Cloud security (real life) v. Ulf Feger

Presentation from PCTY 2012 by Ulf Feger
  • Users are the weakest link. What’s wrong with this picture? Did the gate work as designed? Did the gate provide security? Social engineering: 71% of people at Victoria Station (London) gave out passwords for an Easter egg.* If security is too inconvenient … users will find a way to subvert it.
  • To take the previous chart a step further, here we talk about the different types of attackers we see. There are those using off-the-shelf tools and techniques: exploits that are publicly released and can easily be acquired off the Internet to launch their attacks. Or you’ve got more sophisticated attackers who develop their own exploits and discover their own vulnerabilities, then target them before anyone else has even seen them. We also see attacks that are broadly focused; they’re trying to target the entire Internet. Or we have attacks that are highly targeted; they’re specifically interested in breaking into particular organizations. So looking at those two dimensions you get four categories. Off-the-shelf broad attacks are typically financially motivated botnet builders. This accounts for most of the attack activity that we’ve seen and have been fighting for the past ten years. However, today we also see this thing that’s often called the advanced persistent threat (APT), which is sort of the other side of the coin. These are targeted, sophisticated attackers that are going after specific organizations, and they’re using vulnerabilities they have discovered themselves and highly custom malware, so they’re very difficult to protect against. In addition, this year we’ve seen a lot of targeted attacks that used off-the-shelf techniques. These are often activists: people who have a motive to attack a particular organization but are not necessarily as sophisticated in waging those attacks as the advanced persistent threat. And we have one more category, which fortunately we aren’t dealing with much today: if you took the sophistication of the APT and applied it broadly, this is sort of the cyber war nightmare scenario that people have been talking about in policy circles. Fortunately that’s not a reality today on the Internet.
  • This diagram is the top-level view of the blueprint. The top layer is the IBM Security Framework, which provides the business context or business perspective of security. The framework is commonly represented by the graphic you see on the right. The blueprint separates the management of security from the implementation of security, which are represented in the middle and bottom layer respectively. It offers: a product-agnostic and solution-agnostic approach to defining security capabilities; a common vocabulary to use in more detailed discussions; architectural principles that are valid across all domains and deployment environments; a basis in research on many customer-related scenarios; a roadmap to assist in designing and deploying security solutions. The security management layer represents the capabilities needed to translate the business view of security concerns into policies, operational procedures, and technical controls that can be deployed into the IT landscape and the organization. The Services and Infrastructure layer represents the security capabilities needed to enforce policies and their integration points into the IT infrastructure. By separating security management from security implementation, the IT organization can focus on getting the policy and needed controls correctly defined and can better monitor and assess how completely and effectively the policies are being enforced. Architecture principles in the blueprint: 1. Openness; 2. Security by default; 3. Design for accountability; 4. Design for regulations; 5. Design for privacy; 6. Design for extensibility; 7. Design for sharing; 8. Design for consumability; 9. Multiple levels of protection; 10. Separation of management, enforcement and accountability; 11. Security is model-driven; 12. Security-critical resources must be aware of their security context; 13. Consistency in approaches, mechanisms and software components. The IBM Security Blueprint separates security management from infrastructure services.
  • What requirements do our customers – cloud service users and cloud service providers – have for a cloud solution? Take classic data center security and add the aspect of dynamics, one of the properties of the cloud. That yields the above list of challenges with its 11 points – at least 11 points.
  • Note: GS Prz = business processes. Views and remarks of the IT manager or the person in charge; a frequent comment: I have to do cloud, I am supposed to do cloud, but how? Or: I am already doing cloud, namely … virtualization. Most prospects for Cloud & Security are in the virtualization + standardization space, partly automation, but many also openly admit that consolidation is what keeps them busy. A security roadmap has to be drawn up together with the customer that maps business processes + IT processes + security topics, and this for every phase, e.g. here for virtualization; many do not have the risks on their radar.
  • VMware, NOT PowerVM. Here four security scenarios: 1 2 3
  • A collection of recommendations by the BSI for cloud computing providers. I recommend that users read it as well and check their providers against it. Or a service provider is considering offering cloud services: what has to be taken into account? A good start, at an abstract, high level, hardly technical.
  • I extracted the individual topics from the BSI catalogue and captured them as a MindMap. Then I added supplements in arbitrary colours and named further topics. Among other things, it serves as a guide for customer discussions. Further sources of information.
  • This is the complete MindMap in version 1.0; the current version is 1.03 / 16.08.2011. Further versions will follow.
  • Here in the middle, hard to miss: the cloud platform with its three layers – Services, Business Support Systems/Services, Operations Support Systems/Services – following the TMForum CSP eTOM model. -> WHERE does one start with security here: outside – inside?
  • A list of security challenges, actually nothing new if you already dealt with these topics in the „old“ world ..
  • Cloud vs. „virtualization only“. A cycle that also affects security; security must be integrated, and it must already be integrated into the basic architecture. Missing here: exit management. What happens to the data, how do all parties remain auditable, which dependencies on the workload exist?
  • Standard model – layer model. 1+2: abstraction of the hardware through consolidated hardware. 3: catalogue system -> no more management on request. 4: gains through automation from ordering to decommissioning – caution, decommissioning is a tricky topic: what happens to the data, what about auditability? 5: at the end the secure cloud drops out .. OK, it is not quite that simple.
  • Take the lowest layers, hardware + virtualization: these exist not once but x times, unless one has an omnipotent machine – or is only playing with cloud. So x times hardware + x times virtualization AND this managed through 1 platform, not x+1 platforms or management consoles. The result is a distributed cloud infrastructure; yes, it can be entirely local, but it need not be. Examples of distributing a private cloud and what that means follow.

Presentation Transcript

  • Cloud Security. Abstract: Cloud security or security for the cloud is neither a „big bang” nor is it something completely new. It’s a transformation process of taking existing methodologies and technologies and adapting them depending on the cloud business road you are taking. This is not limited to just technology assets but also includes policies, processes, and of course the handling of (business) expectations. What might such a roadmap look like, and is it then limited to security only? Ulf Feger, Security Architect, CISSP, COBIT Practitioner (ISACA), Cloud Security & Security Solutions, IBM Security Systems Division, Member of the Board, Cloud Security Alliance, German Chapter
  • Cloud & Security – Customer Expectations and Experiences. Healing by touching – or cloud is a devil. The Cloud – yes, of course with security – solves all our security challenges, we will have no problems anymore. Open discussions: I know what I know, and to be honest, tell me what I should know. What you tell me is not cloud security, that‘s security. The roadmap to Cloud & Security. Customer expectations towards IBM: understand their environment (on the given information); understand their security concepts & architecture (on the given information); be able to talk to network people, software architects, security architects; provide insight, give feedback. What we do: all of the stuff above; open discussions in a highly political environment; offered more input based on existing material like the BSI MindMap; fed people with new ideas like VSP; cloud security is more than some techie stuff only.
  • Cloud & Security – Transformation of Security, of Security Awareness, of the Need for Security: The Fortress
  • Cloud & Security – Who is attacking our networks?
  • Cloud & Security – Zeus Crimeware Service: „Hosting for costs $50 for 3 months. This includes the following: # Fully set up ZeuS Trojan with configured FUD binary. # Log all information via internet explorer # Log all FTP connections # Steal banking data # Steal credit cards # Phish US, UK and RU banks # Host file override # All other ZeuS Trojan features # Fully set up MalKit with stats viewer inter graded. # 10 IE 4/5/6/7 exploits # 2 Firefox exploits # 1 Opera exploit“ We also host normal ZeuS clients for $10/month. This includes a fully set up zeus panel/configured binary. (FUD = Fully Undetectable)
  • Cloud & Security – Transformation of Security, of Security Awareness, of the Need for Security: The Fortress, The User
  • Cloud & Security
  • Cloud & Security
  • Cloud & Security – Ernst & Young, Daimler, Deutsche Bank, wecon-it consulting, TU Darmstadt, Siemens, Fraunhofer AISEC, Verizon, Suse/Novell, Vodafone, Siemens Communications, NetApp, T-Systems, Detecon, IBM, more coming soon
  • Cloud & Security
  • Cloud Reference Architecture for Enterprise Architects
  • Cloud & Security – Risk versus Potential: „Risk is doing something and risk is doing it not.“ (from CISM© Review Manual 2012)
  • Cloud & Security – IBM Cloud Computing Reference Architecture. The IBM CC RA represents the aggregate experience across hundreds of cloud client engagements and the implementation of IBM-hosted clouds, based on knowledge of IBM’s services, software & system experiences, including IBM Research. The IBM Cloud Computing Reference Architecture (CC RA) is reflected in the design of IBM-hosted cloud services. [Diagram: roles Cloud Service Consumer (Cloud Service Integration Tools; Existing & 3rd party services, Partner Ecosystems; Consumer In-house IT), Cloud Service Provider (Cloud Services: Business-Process-as-a-Service, Software-as-a-Service, Platform-as-a-Service, Infrastructure-as-a-Service; Common Cloud Management Platform (CCMP) with Operational Support Services (OSS) and Business Support Services (BSS); Infrastructure) and Cloud Service Creator (Service Creation Tools), with Security, Resiliency, Performance & Consumability and Governance as cross-cutting layers.] OpenGroup submission: http://www.opengroup.org/cloudcomputing/uploads/40/23840/CCRA.IBMSubmission.02282011.doc CCRA Whitepaper on ibm.com: http://www.ibm.com/common/ssi/cgi-bin/ssialias?infotype=SA&subtype=WH&appname=GTSE_CI_CI_USEN&htmlfid=CIW03078USEN&attachment=CIW03078USEN.PDF
  • Cloud & Security – Cloud Computing Reference Architecture (CC RA): Security, Resiliency, Performance & Consumability drill-down. [Diagram: the CC RA roles and layers as on the previous slide (Cloud Service Consumer, Cloud Service Provider with Cloud Services, Common Cloud Management Platform, BSS/OSS and Infrastructure, Cloud Service Creator), with the cross-cutting layer expanded into three columns. Security: Software, System & Service Assurance; Access & Identity Lifecycle Management; Data and Information Protection; Security Policy Management; Threat & Vulnerability Management; Security Event Management; Compliance Assessment; Security Entitlement Management; Data policy enforcement. Resiliency: Resiliency Data Management; Configuration for Resiliency; Resiliency Monitoring / Analysis; Availability & Continuity Management. Consumability: Ease of Doing Business; Readily Adapts; Positive First Use Experience; Simplified Operations; Rapidly Integrates. Governance underlies all three.] © 2011 IBM Corporation
  • Cloud & Security – Architecture Principles. [Diagram: IBM Security Framework. Business Security Reference Model: Governance, Risk and Compliance (GRC); People and Identity; Data and Information; Application and Process; IT Infrastructure: Network, Server, End Point; Physical Infrastructure. Foundational Security Management: Software, System and Service Assurance; Identity, Access and Entitlement Management; Data and Information Protection Management; Threat and Vulnerability Management; IT Service Management; Command and Control Management; Security Policy Management; Risk and Compliance Assessment; Physical Asset Management. Security Services and Infrastructure: Security Info and Event Infrastructure; Identity, Access and Entitlement Infrastructure; Security Policy Infrastructure; Crypto, Key and Certificate Infrastructure; Service Management Infrastructure; Host and End-point Security; Storage Security; Application Security; Network Security; Physical Security. Security Data Repositories: Code and Images; Identities and Attributes; Events and Logs; Policies; Service Levels and Classification; Config Info; Operational Context; IT Security Knowledge; Designs and Registry.]
  • Cloud Governance – GRC .. hey .. and what else? .. and what’s the meaning of G R C?
  • Cloud & Security – The majority of corporations avoid the use of cloud computing because of security and governance risks and the lack of trust in the service provider.¹ [Chart: Obstacles for cloud projects. Question: „Do you use cloud computing solutions already, or do you plan to use them in the near future?“ – No: 54%, Yes: 46%. Question: „For which reasons did you decide not to use cloud computing solutions (multiple answers possible)?“ – Risk of loss of governance and control; inadequate data security / availability; open compliance or legal issues; doubts regarding the long-term availability of the offering; risk of a vendor lock-in; no commercial benefit; licence issues (bar chart, axis 0% to 60%).] ¹ „Cloud Computing in Germany“ – Survey results from Deloitte and BITKOM, January 2011
  • Cloud & Security – Requirements: Cloud Computing & Security (plus GRC + ..). Security topics, technical & process related: Data Security & Data Privacy; Access Management & Identity Management (IAM); Application and Service Provisioning incl. Removal; Application and Systems test incl. Data Pro- and De-Provisioning; Service Level Agreement (SLA) Management; Vulnerability Management – Detection, Scoring, Removal; Threat Analysis; Service Availability incl. local/national load balancing; Auditability & Governance (GRC – Governance, Risk & Compliance); Cross-border law-abiding, e.g. person-related data & processes. [Diagram: Cloud Services / Cloud Computing Model]
  • Cloud & Security – Cloud from the viewpoint of Export Regulations (ER). An export takes place when .. – Cross-border clouds: the data crosses the border – Distributed service offerings – The server and data stay in the local country – Root access: who gets which kind or type of root access to/for what? [Diagram: Cross Border Cloud Computing]
  • Cloud & Security
  • Cloud & Security – Understand compliance requirements: Data Privacy, Data Security. Expectations: 1 Improvement in Security; 2 Inner Security, Outer Security, Operational Security; 3 „How do I prove?“ – traceability & verifiability & auditability; 4 Reduction in Cost, Load Optimization; 5 Focus: „What do I really need?“ Goal: understand business guidelines, rules, policies, security risks and threats. Security Compliance Management: awareness, monitoring & detection, implementation & automation. Risk – Risk Appetite? Cloud Workload -> Risk Assessment / Analysis / Accreditation / Certification
  • Cloud & Security – Business processes, use cases, assets. C – Confidentiality, I – Integrity, A – Availability. Matrix items to evaluate: authentication (item 1), data transfer (item 2), .. [Risk matrix: Potential Damage on the vertical axis – insignificant (1), low (2), medium (3), high (4); Probability on the horizontal axis – impossible (0), low (2), medium (3), high (4), very high (4). Items plotted as item-dimension labels: i5-c, i2-a, i5-i, i2-c, i5-a in the high row; i3-c, i1-c, i2-c, i1-a, i3-i in the medium row; i4-i, i7-a in the low row.]
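The matrix on this slide rates each asset item per CIA dimension by potential damage and probability and places it in a grid. As an added example (not code from the presentation), the script below implements that rating with the scale values printed on the slide's axes; the item list, the band thresholds and the item meanings beyond "i1 = authentication, i2 = data transfer" are constructed assumptions. Note the edge case the slide's scale creates: probability "impossible" is 0, so any item with that rating drops out of the ranking regardless of damage.

```python
"""Risk matrix in the style of the slide: each asset item is rated per CIA
dimension (c/i/a) with a potential-damage and a probability level; the
product of the two scale values places it in the matrix.  Added example;
the item list is constructed."""
from dataclasses import dataclass

# Scale values as printed on the slide's axes (value in parentheses).
DAMAGE = {"insignificant": 1, "low": 2, "medium": 3, "high": 4}
PROBABILITY = {"impossible": 0, "low": 2, "medium": 3, "high": 4, "very high": 4}


@dataclass(frozen=True)
class Rating:
    item: str         # e.g. "i1" = authentication, "i2" = data transfer (slide examples)
    dimension: str    # "c", "i" or "a"
    damage: str
    probability: str

    @property
    def label(self):
        return f"{self.item}-{self.dimension}"

    def score(self):
        # Probability "impossible" is 0 on the slide, so any damage level
        # multiplied by it drops out of the ranking entirely.
        return DAMAGE[self.damage] * PROBABILITY[self.probability]


def risk_band(score):
    """Map a score to a band. Thresholds are an assumption of this example."""
    if score == 0:
        return "none"
    if score <= 4:
        return "low"
    if score <= 9:
        return "medium"
    return "high"


def evaluate(ratings):
    """Rank all ratings by descending score (label breaks ties)."""
    rows = [(r.label, r.score(), risk_band(r.score())) for r in ratings]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def matrix(ratings):
    """Group labels by (damage, probability) cell, i.e. the slide's grid."""
    grid = {}
    for r in ratings:
        grid.setdefault((r.damage, r.probability), []).append(r.label)
    return grid


# Constructed sample: items i1..i7 reuse the slide's naming, values are invented.
SAMPLE = [
    Rating("i1", "c", "high", "medium"),
    Rating("i1", "a", "medium", "high"),
    Rating("i2", "c", "medium", "low"),
    Rating("i2", "a", "high", "very high"),
    Rating("i3", "i", "low", "medium"),
    Rating("i4", "i", "low", "low"),
    Rating("i5", "c", "high", "impossible"),
    Rating("i7", "a", "insignificant", "high"),
]

if __name__ == "__main__":
    for label, score, band in evaluate(SAMPLE):
        print(f"{label:6} score={score:2} band={band}")
```

Running it lists the constructed items from highest to lowest risk; `matrix()` returns the same data keyed by grid cell, which is the form the slide draws.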
  • Concepts, Processes, Tools – The Roadmap towards Cloud Security: a Transformation Process
  • The Roadmap to where? Cloud & Security – Cloud transformation phases to your own cloud. Where‘s your security? Does it fit your risk appetite? [Diagram: five phases, each with business processes (Bus Pro) and IT processes, joined by transitions: 1 Consolidation – Elimination; 2 Virtualization; 3 Standardization; 4 Automatization; 5 Cloud(ization). Examples per phase: Baseline; VSP; Compliance, Approval; GRC, Target Security; SIEM rules, Reporting, Approval Workflows.]
  • Cloud & Security – 4 (simple) examples of underestimated threats. [Diagram: four virtualization stacks (Power VM, VMware, KVM… over resources), one marked x.]
  • Requirements and Challenges to cover and solve
  • Cloud & Security – https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Minimum_information/SecurityRecommendationsCloudComputingProviders.html
  • Cloud & Security – Eckpunktepapier: Sicherheitsempfehlungen für Cloud Computing Anbieter (Security Recommendations for Cloud Computing Providers). More sources: • IT-Grundschutz • BSI-Standard 100-2/100-4 • ISO 27001/2 • Cloud Security Alliance – German Chapter, cloudsecurityalliance.org • ISF – Information Security Forum, www.securityforum.org • TMForum – TeleManagement Forum, www.tmforum.org • Euro Cloud e.V., en.eurocloud.de/ Source: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Mindestanforderungen/Eckpunktepapier-Sicherheitsempfehlungen-CloudComputing-Anbieter.pdf?__blob=publicationFile
  • Cloud & Security – the result .. To get the MindMap contact ulf.feger@de.ibm.com
  • Cloud & Security – Supporting Security landscape – What is the aim of my security? (dynamic adaptation) [Diagram, repeated on four slides with the cloud platform overlaid step by step: Common Cloud Management Platform, Cloud Services, BSS and OSS. Identity management: Tivoli Identity Manager (TIM) with Identity Repository (Person & Account), HR System, Identity Store, Identity Synchronisation, Provisioning Engine, Reconciliation, Workflow & Lifecycle, User Self-service, Admin User, Reporting and Auditor. Access and policy management: Tivoli Access Manager for e-business (TAMeb), Tivoli Federated Identity Manager (TFIM), Tivoli Security Policy Manager (TSPM), Tivoli Access Manager for Enterprise Single Signon (TAM E-SSO), Tivoli Compliance Insight Manager (TCIM); Security Policy Repository, Entitlement Policy, SSO / WS / Fed / Web Policy Management, Policy Configuration, Policy Enforcement. Enforcement points: Desktop/Client, HTTP Servers with Web Authentication and Authorization and Web Single Signon, Portals, Web Apps, Web Services (HTTP incl. SOAP/HTTP), ESB / Business Gateway (SOA), Windows Apps, Internet/Consumer and Employee/Staff users with Enterprise Single Signon, FedSSO and A&A, Identity Mapping, Enterprise Directory. Audit: Collect Log from each component -> Audit Log Consolidation -> Audit Policy -> Compliance Reporting -> Auditor.]
  • Which challenges have to be solved – a long list, a new list? Cloud & Security. Cloud (Service) User – Duties: Authentication; Authorization; delegated Administration; pay the bill. Expectations: SLA Fulfillment; Compliance; Detailed Reporting. Cloud (Service) Provider – the same list applies to „traditional“ IT and to the dynamic cloud: • Access control incl. rule-based policy management • Service Offering • User and entitlement management incl. process management and process automation • Role-based separation of duties • Security policy management • Security monitoring, auditing, compliance reporting • SoD for multi-tenancy • Reporting (SoD based) – Security Information and Event Management • Compliance audit & reporting across the IT infrastructure and processes • Protection and security for the virtualized environment (network / hosts / VMs) • Protection and compliance tool for server verification • Configuration and change management • Connectivity / linkage with YOUR accounting model (Metering & Rating)
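Several items on this list (rule-based access control, role-based separation of duties, SoD for multi-tenancy, security monitoring and SoD-based compliance reporting) and the root-access question from the export-regulations slide can be shown in one small policy engine. The following is an added example, not code from the presentation or from any IBM product: the roles, the conflicting-role pairs, the permission table and the two tenants are constructed, and treating cross-border root access as a denied export is this example's reading of that slide.

```python
"""Rule-based access control for a multi-tenant cloud platform: tenant
isolation, separation of duties (SoD) enforced on role assignment, a
cross-border root-access rule, and an audit trail that feeds compliance
reporting.  Added example; all tenants, roles and rules are constructed."""
from collections import Counter

# SoD: role pairs one identity must never hold within a tenant (constructed policy)
CONFLICTING_ROLES = {frozenset({"requester", "approver"}),
                     frozenset({"provisioner", "auditor"})}

# Rule-based policy: role -> permitted (resource type, action) pairs
PERMISSIONS = {
    "requester":   {("service", "order")},
    "approver":    {("service", "approve")},
    "provisioner": {("vm", "create"), ("vm", "delete"), ("vm", "root_shell")},
    "auditor":     {("log", "read")},
}

ROOT_ACTIONS = {"root_shell"}   # actions treated as root access for the export rule


class SoDViolation(Exception):
    pass


class Directory:
    """Identity store: (tenant, user) -> set of roles; SoD checked on assignment."""
    def __init__(self):
        self.assignments = {}

    def assign(self, tenant, user, role):
        roles = self.assignments.setdefault((tenant, user), set())
        for held in roles:
            if frozenset({held, role}) in CONFLICTING_ROLES:
                raise SoDViolation(f"{tenant}/{user}: {role} conflicts with {held}")
        roles.add(role)

    def roles_of(self, tenant, user):
        return self.assignments.get((tenant, user), set())


def authorize(directory, audit, tenant, user, user_country,
              res_tenant, res_type, res_country, action):
    """Evaluate one request, append an audit record and return True if allowed."""
    roles = directory.roles_of(tenant, user)
    if tenant != res_tenant:
        reason = "cross-tenant access"          # tenant isolation comes first
    elif not any((res_type, action) in PERMISSIONS.get(r, ()) for r in roles):
        reason = "no role grants this action"
    elif action in ROOT_ACTIONS and user_country != res_country:
        # Root access from another country is treated as an export and blocked
        reason = "cross-border root access"
    else:
        reason = "allowed"
    allowed = reason == "allowed"
    audit.append({"tenant": tenant, "user": user, "resource": f"{res_tenant}:{res_type}",
                  "action": action, "allowed": allowed, "reason": reason})
    return allowed


def compliance_report(audit):
    """Per-tenant allow/deny counts plus the deny reasons, for SoD-based reporting."""
    report = {}
    for rec in audit:
        t = report.setdefault(rec["tenant"], {"allowed": 0, "denied": 0, "reasons": Counter()})
        if rec["allowed"]:
            t["allowed"] += 1
        else:
            t["denied"] += 1
            t["reasons"][rec["reason"]] += 1
    return report


def run_scenario():
    """Constructed scenario: two tenants, one SoD attempt, five requests."""
    d = Directory()
    d.assign("tenantA", "alice", "requester")
    d.assign("tenantA", "bob", "approver")
    d.assign("tenantA", "carol", "provisioner")
    d.assign("tenantB", "dave", "auditor")
    try:
        d.assign("tenantA", "alice", "approver")   # would let alice approve her own orders
        sod_blocked = False
    except SoDViolation:
        sod_blocked = True
    audit = []
    authorize(d, audit, "tenantA", "alice", "DE", "tenantA", "service", "DE", "order")
    authorize(d, audit, "tenantA", "alice", "DE", "tenantA", "service", "DE", "approve")
    authorize(d, audit, "tenantB", "dave", "DE", "tenantA", "log", "DE", "read")
    authorize(d, audit, "tenantA", "carol", "DE", "tenantA", "vm", "FR", "root_shell")
    authorize(d, audit, "tenantA", "carol", "DE", "tenantA", "vm", "DE", "create")
    return sod_blocked, audit, compliance_report(audit)


if __name__ == "__main__":
    blocked, audit, report = run_scenario()
    print("SoD assignment blocked:", blocked)
    for rec in audit:
        print(rec)
    print(report)
```

The audit list is the raw material for the "Reporting (SoD based)" item: every decision, allowed or denied, is recorded with its reason, and `compliance_report()` aggregates it per tenant so a provider can show each customer only its own figures.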
  • Cloud & Security – IBM Cloud Components: more than virtualization only. [Diagram around the Common Cloud Management Platform (Cloud Services, BSS, OSS): 1. Ordering / booking from a service catalogue; 2. Integration with Service Desk and IT Asset Management; 3. Provisioning of the service; 4. Integration with Storage Area Network (SAN) and network (pool); 5. Service Discovery, Change & Configuration Management: Service, Platform; 6. Monitoring: Service Monitoring, Platform Monitoring, Performance, Security Alerts, PUMA, …; 7. Realtime Management Event Consolidation regarding the Business Services; 8. Collect, Analyze, and Report -> Accounting based on usage / costs / licence model; 9. Visualization of the services related to business targets and service agreements; 10. Management of Service Level Agreements (SLAs); 11. Exit-Management. AND the Security Processes. Service = Software, Platform, Infrastructure (i.e. Composite Application, Physical / Virtual OS, Middleware, Network, Storage). Not in all cases will all steps exist in a client engagement.]
  • Cloud & Security – Distributed Cloud Setup
  • Cloud & Security – The Cloud – Layers. [Diagram: 1 Consolidation; 2 Virtualization (Power VM, VMware, KVM… over Resources); 3 Standardization (Service Catalogue / Image Catalogue, Resource Planning, Request Approval Workflow (Request / Quota ..)); 4 Automization (Provisioning / Usage / Removal, Accounting / Billing, Process Automation Engine, Monitoring, High Availability, Dynamic Provisioning, Secure Repository); 5 Secure and highly available private cloud (Security: secure virtualized environment, Identity & Access Mgmt.). „Cloud“ workloads on top: Test/Dev, Training, Applications ...]
  • Cloud & Security – The Cloud – Layers, distributed. [Diagram: the Standardization and Automization layers (Service Catalogue / Image Catalogue, Resource Planning, Request Approval Workflow (Request / Quota ..), Provisioning / Usage / Removal, Accounting / Billing, Process Automation Engine) managing virtualization stacks (Power VM, VMware, KVM… over resources) located in Germany, France, Hungary, China and Brazil.]
  • Cloud & Security – Q&A. Ulf Feger, Security Architect, CISSP, CP, IBM Security Systems, Gustav-Heinemann Ufer 120, 50968 Köln, Deutschland. Mobile: +49-171-22 619 22. E-Mail: ulf.feger@de.ibm.com. http://www.ibm.com/security/cloud-security.html IBM Cloud Computing: ibm.com/cloudcomputing, ibm.com/de/cloud/ Trustworthy Cloud: tclouds-project.eu/ IBM Enterprise Security: ibm.com/security IBM Internet Security Systems: ibm.com/services/security IBM X-Force® Security Alerts and Advisories: xforce.iss.net Cloud Standards Customer Council: cloud-council.org/