IBM Global Technology Services November 2010Thought Leadership White PaperStrategies for assessingcloud security
2 Securing the cloud: from strategy development to ongoing assessmentExecutive summary compliance. Even if IT workloads are transitioned to theCloud computing provides ﬂexible, cost-effective delivery of cloud, users are still responsible for compliance and data secu-business or consumer IT services over the Internet. Cloud rity. As a result, subscribers must establish trust relationshipsresources can be rapidly deployed and easily scaled, with all with their cloud providers and understand the risk posed byprocesses, applications, and services provisioned on demand, public and/or private cloud computing environments.regardless of the user location or device. As a result, cloudcomputing helps organizations improve service delivery, Security challenges in the cloud—thestreamline IT management and better align IT services with need for a trusted third party evaluationdynamic business requirements. Cloud computing can also One of the most signiﬁcant differences between cloudsimultaneously support core business functions and provide security and traditional IT security stems from the sharing ofcapacity for new and innovative services. infrastructure on a massive scale. Users spanning different cor- porations and trust levels often interact with the same set ofBoth public and private cloud models, or a hybrid approach computing resources. And public cloud services are increas-using both models, are now in use. Available to anyone with ingly being offered by a chain of providers—all storing andInternet access, public clouds are acquired as a service and processing data externally in multiple unspeciﬁed locations.paid for on a per-usage basis or by subscription. Private cloudsare owned and used by a single organization. They offer many Inside the cloud, it is difficult to physically locate where data isof the same beneﬁts as public clouds, but give the owner stored. Security processes that were once visible are now hid-greater ﬂexibility and control. den behind layers of abstraction. This lack of visibility can cause concerns about data exposure and compromise, serviceAlthough the beneﬁts of cloud computing are clear, so is the reliability, ability to demonstrate compliance and meet SLAs,need to develop proper security for cloud implementations— and overall security management.whether public or private. Embracing cloud computing with-out adequate security controls can place the entire IT Visibility can be especially critical for compliance. Theinfrastructure at risk. Cloud computing introduces another Sarbanes-Oxley Act, the Health Insurance Portability andlevel of risk because essential services are often outsourced to Accountability Act (HIPAA), European privacy laws, and manya third party, making it harder to maintain data integrity andprivacy, support data and service availability, and demonstrate
IBM Global Technology Services 3other regulations require comprehensive auditing capabilities. Developing a strategic cloud securityMany public clouds may indeed be a black box to the sub- roadmap with IBMscriber, thus clients may not be able to demonstrate compli- There is no one-size-ﬁts-all model for security in the cloud.ance. (A private or hybrid cloud, on the other hand, can be Organizations have different security requirements that areconﬁgured to meet those requirements.) determined by the unique characteristics of the business work- load they intend to migrate to the cloud or the services theyIn addition, providers are sometimes required to support are providing from their cloud. It is important when evaluat-third-party audits, or support e-Discovery initiatives and ing risk in a cloud computing model, that a cloud securityforensic investigations. This adds even more importance to strategy be developed.maintaining proper visibility into the cloud. Legal discovery ofa co-tenant’s data may affect the conﬁdentiality of other ten- By partnering with IBM, clients can beneﬁt from provenants’ data if the data is not properly segmented. This may assessment methodologies and best practices that helpmean that some sensitive data may not be appropriate for cer- ensure consistent, reliable results. They can also leverage com-tain cloud environments. prehensive frameworks that address enterprise cloud strategy, implementation and management in a holistic approach thatOrganizations considering cloud-based services must under- maximizes the business value of cloud investments while mini-stand the associated risks and ensure appropriate visibility. mizing business risk.IBM guidelines for securing cloud implementations focus onthe following areas: Deﬁning business and IT strategy The ﬁrst step to understanding security risks posed by a cloud● Building a security program computing model is to analyze business and IT strategies.● Conﬁdential data protection What is the value of the information that will be stored,● Implementing strong access and identity accessed and transmitted via the cloud? Is it business critical● Application provisioning and de-provisioning and/or conﬁdential? Is it subject to regulatory compliance?● Governance audit management Clients must also consider availability requirements. After● Vulnerability management determining the business and IT strategy and evaluating the● Testing and validation data, clients can make a more informed, risk-based decision about which cloud computing model to pursue.Because cloud computing is available in several service models(and hybrids of these models), each presents different levels ofresponsibility for security management. Trusted third partiescan help companies apply cloud security best practices to theirspeciﬁc business needs.
4 Securing the cloud: from strategy development to ongoing assessmentIdentifying the risks The IBM cloud security assessment reviews cloud architectureEach type of cloud—public, private and hybrid—carries a from a security standpoint, including policies and processes fordifferent level of IT security risk. Security experts from data access and storage. IBM security experts assess the cur-IBM can help clients identify the vulnerabilities, threats and rent state of cloud security against best practices, and againstother values at risk based on public, private or hybrid cloud providers’ own security objectives. Security requirements andarchitecture. From there, IBM will work with clients to design best practices criteria is based on unique characteristics of theinitial mechanisms and controls to mitigate risk, and outline subject cloud, including workload, trust level of end users,the maintenance and testing procedures that will help ensure data protection requirements and more. For example, cloudsongoing risk mitigation. supporting email will have different security requirements than those supporting electronic Protected HealthDocumenting the plan Information (ePHI).IBM clients will beneﬁt from a documented roadmap address-ing cloud security strategy. The plan should identify the types A gap assessment against security objectives and best practicesof workloads or applications that are candidates for cloud will reveal strengths and weaknesses of the current securitycomputing and should account for the legal, regulatory and architecture and processes. IBM experts will provide recom-security requirements. IBM will work with clients to plan for mendations for improvements and continuous securitycompensating controls to mitigate perceived risks, including measures to bridge the gaps. These can include the use ofhow to address identity and access management, and how to additional network security controls, modiﬁcations to existingbalance security controls between the cloud provider and the security policies and procedures, implementation of new iden-subscriber. tity and access management controls, acquisition of managed security services for offloading critical security managementAssessing cloud security with IBM tasks, or any number of other remediation steps.In addition to developing a strategy for cloud security,IBM can perform a cloud security assessment for public or In addition to a thorough review of the cloud security pro-private cloud offerings. This service can provide helpful due gram, IBM advises steady state technical testing of the cloud’sdiligence for cloud providers, or help subscribers understand network infrastructure and supporting applications via remotethe security posture of their provider’s cloud. penetration and application testing. This provides a “hacker’s eye” view of cloud components and provides insight into how cloud security weaknesses can signiﬁcantly impact data and information protection.
IBM Global Technology Services 5Why IBM? security services that enable a business-driven approach toTo fully beneﬁt from cloud computing, clients must ensure securing your cloud computing as well as your physical ITthat data, applications and systems are properly secured so that environments.cloud infrastructure won’t expose the organization to risk.Cloud computing has the usual requirements of traditional IT IBM’s capabilities empower you to dynamically monitor andsecurity, though it presents an added level of risk because of quantify security risks, enabling you to better:the external aspects of a cloud model. This can make it moredifficult to maintain data integrity and privacy, support data ● Understand threats and vulnerabilities in terms of businessand service availability, and demonstrate compliance. impact, ● Respond to security events with security controls that opti-Assessing the risks associated with cloud computing, such as mize business results,data integrity, recovery, privacy, and tenant isolation is critical ● Prioritize and balance your security investments.to the adoption of cloud technologies. These risks call forautomated end-to-end security with a heavier emphasis on IBM also securely operates its own public clouds, includingstrong isolation, integrity and resiliency in order to provide IBM LotusLive™. IBM continuously invests in research andvisibility, control and automation across the cloud computing development of stronger isolation at all levels of the network,infrastructure. server, hypervisor, process and storage infrastructure to sup- port massive multitenancy while mitigating risk.IBM helps clients put risk management strategies into actionby transforming security from a cost of doing business to a Through world-class solutions that address risk across allway to improve the business. IBM draws from a broad portfo- aspects of your business, IBM is able to help you create anlio of consulting services, software and hardware and managed intelligent infrastructure that drives down costs, is secure, and is just as dynamic as today’s business climate. IBM cloud secu- rity solutions and services build on the strong foundation of the IBM security framework to extend beneﬁts from tradi- tional IT environments to cloud computing environments.