CRTC Cloud Security- Jeff Crume


Presentation from Chesapeake Regional Tech Council's TechFocus Seminar on Cloud Security; Presented by Jeff Crume, IBM Distinguished Engineer, IT Security Architect, CISSP-ISSAP on Thursday, October 27, 2011.


  1. Security Considerations in the Cloud. Jeff Crume, Distinguished Engineer. © 2011 IBM Corporation
  2. Security and Cloud Computing: Security Remains the Top Concern for Cloud Adoption
     • 80% of enterprises consider security the #1 inhibitor to cloud adoptions
     • 48% of enterprises are concerned about the reliability of clouds
     • 33% of respondents are concerned with cloud interfering with their ability to comply with regulations
     • “How can we be assured that our data will not be leaked and that the vendors have the technology and the governance to control its employees from stealing data?”
     • “Security is the biggest concern. I don’t worry much about the other “-ities” – reliability, availability, etc.”
     • “I prefer internal cloud to IaaS. When the service is kept internally, I am more comfortable with the security that it offers.”
     Source: Driving Profitable Growth Through Cloud Computing, IBM Study (conducted by Oliver Wyman)
  3. Security and Cloud Computing: One size does not fit all. Different cloud workloads have different risk profiles
     [Chart: Need for Security Assurance (Low to High) against Business Risk (Low-risk, Mid-risk, High-risk)]
     • Workloads plotted, from low to high: Training, testing with non-sensitive data; Analysis & simulation with public data; Mission-critical workloads, personal information
     • Today’s clouds are primarily here:
       ● Lower risk workloads
       ● One-size-fits-all approach to data protection
       ● No significant assurance
       ● Price is key
     • Tomorrow’s high value / high risk workloads need:
       ● Quality of protection adapted to risk
       ● Direct visibility and control
       ● Significant level of assurance
  4. Security and Cloud Computing: Simple Example
     Today’s Data Center / Tomorrow’s Public Cloud
     • We Have Control / Who Has Control?
     • It’s located at X. / Where is it located?
     • It’s stored in servers Y, Z. / Where is it stored?
     • We have backups in place. / Who backs it up?
     • Our admins control access. / Who has access?
     • Our uptime is sufficient. / How resilient is it?
     • The auditors are happy. / How do auditors observe?
     • Our security team is engaged. / How does our security team engage?
  5. Security and Cloud Computing: Categories of Cloud Computing Risks
     • Control: Many companies and governments are uncomfortable with the idea of their information located on systems they do not control. Providers must offer a high degree of security transparency to help put customers at ease.
     • Data: Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Authentication and access technologies become increasingly important.
     • Reliability: High availability will be a key concern. IT departments will worry about a loss of service should outages occur. Mission critical applications may not run in the cloud without strong availability guarantees.
     • Compliance: Complying with SOX, HIPAA and other regulations may prohibit the use of clouds for some applications. Comprehensive auditing capabilities are essential.
     • Security Management: Even the simplest of tasks may be behind layers of abstraction or performed by someone else. Providers must supply easy controls to manage security settings for application and runtime environments.
  6. Security and Cloud Computing: Cloud Security = Traditional Security + SOA Security + Virtualization Security
     • Hypervisor Security
     • Rogue VMs, VM Isolation, Data Leakage, Rootkits, etc.
     • Federated Identity Mgmt
     • Fed Prov/De-prov, Fed SSO
     • Privileged Identity Mgmt
     • Regulatory Compliance
     • Audit, Data Residency
     • Patch Mgmt
     • Across multiple VMs
     • Data Protection
     • Encryption, Data Segregation, DLP
  7. Security and Cloud Computing: Additional Information
  8. Security and Cloud Computing: Example for Securing the Virtualized Runtime: IBM Security Virtual Server Protection for VMware vSphere 4
     • VMsafe Integration
     • Firewall and Intrusion Prevention
     • Rootkit Detection / Prevention
     • Inter-VM Traffic Analysis
     • Automated Protection for Mobile VMs (VMotion)
     • Virtual Network Segment Protection
     • Virtual Network-Level Protection
     • Virtual Infrastructure Auditing (Privileged User)
     • Virtual Network Access Control
     • There have been 100 vulnerabilities disclosed across all of VMware’s virtualization products since 1999.*
     • 57% of the vulnerabilities discovered in VMware products are remotely accessible, while 46% are high risk vulnerabilities.*
  9. Security and Cloud Computing: IBM Cloud Security Guidance document
     • Based on cross-IBM research and customer interaction on cloud security
     • Highlights a series of best practice controls that should be implemented
     • Broken into 7 critical infrastructure components:
       – Building a Security Program
       – Confidential Data Protection
       – Implementing Strong Access and Identity
       – Application Provisioning and De-provisioning
       – Governance Audit Management
       – Vulnerability Management
       – Testing and Validation
  10. Security and Cloud Computing: Cloud Security Whitepaper
     Trust needs to be achieved, especially when data is stored in new ways and in new locations, including for example different countries. This paper is provided to stimulate discussion by looking at three areas:
     • What is different about cloud?
     • What are the new security challenges cloud introduces?
     • What can be done and what should be considered further?
  11. Security and Cloud Computing
  12. Security and Cloud Computing: Thank you! For more information, please visit: