1. © 2014 IBM Corporation
IBM Security Systems
Security Building Blocks of the Cloud Computing Reference Architecture
Stefaan Van daele
Senior Security Architect – IBM Europe
stefaan_vandaele at be.ibm.com
stefaanvda
http://www.linkedin.com/in/stefaanvdaele
2. Security Requirements in Cloud Solutions
3. Different cloud deployment models also change the way we think about security

Private cloud: on- or off-premises cloud infrastructure operated solely for an organization and managed by the organization or a third party.
Public cloud: available to the general public or a large industry group and owned by an organization selling cloud services.
Hybrid IT: traditional IT and clouds (public and/or private) that remain separate but are bound together by technology that enables data and application portability.

Changes in security and privacy

Private cloud:
− Customer responsibility for infrastructure
− More customization of security controls
− Good visibility into day-to-day operations
− Easy access to logs and policies
− Applications and data remain “inside the firewall”

Public cloud:
− Provider responsibility for infrastructure
− Less customization of security controls
− No visibility into day-to-day operations
− Difficult access to logs and policies
− Applications and data are publicly exposed
4. Minimizing the risks of cloud computing requires a strategic approach
Define a cloud strategy with security in mind
– Identify the different workloads and how they need to interact.
– Which models are appropriate based on their security and trust requirements and
the systems they need to interface to?
Identify the security measures needed
– Using a methodology such as the IBM Security Framework allows teams to
measure what is needed in areas such as governance, architecture, applications
and assurance.
Enable security for the cloud
– Define the upfront set of assurance measures that must be taken.
– Assess that the applications, infrastructure and other elements meet the security
requirements, as well as operational security measures.
5. Our approach to delivering security aligns with each phase of an organization’s cloud project or initiative

Design: establish a cloud strategy and implementation plan to get there.
Deploy: build cloud services, in the enterprise and/or as a cloud services provider.
Consume: manage and optimize consumption of cloud services.

Example security capabilities (across the three phases): cloud security roadmap; secure development; network threat protection; server security; database security; application security; virtualization security; endpoint protection; configuration and patch management; identity and access management; secure cloud communications; managed security services.

IBM Cloud Security Approach
Secure by Design: focus on building security into the fabric of the cloud.
Workload Driven: secure cloud resources with innovative features and products.
Service Enabled: govern the cloud through ongoing security operations and workflow.
6. Adoption patterns are emerging for successfully beginning and progressing cloud initiatives
IBM Cloud Security - One Size Does Not Fit All
Different security controls are appropriate for different cloud needs - the challenge becomes one of
integration, coexistence, and recognizing what solution is best for a given workload.
7. Each pattern has its own set of key security concerns

Cloud Enabled Data Center (Infrastructure as a Service, IaaS: cut IT expense and complexity through cloud data centers): integrated service management, automation, provisioning, self service.
Key security focus: Infrastructure and Identity
− Manage datacenter identities
− Secure virtual machines
− Patch default images
− Monitor logs on all resources
− Network isolation

Cloud Platform Services (Platform as a Service, PaaS: accelerate time to market with cloud platform services): pre-built, pre-integrated IT infrastructures tuned to application-specific needs.
Key security focus: Applications and Data
− Secure shared databases
− Encrypt private information
− Build secure applications
− Keep an audit trail
− Integrate existing security

Cloud Service Provider (innovate business models by becoming a cloud service provider): advanced platform for creating, managing, and monetizing cloud services.
Key security focus: Data and Compliance
− Isolate cloud tenants
− Policy and regulations
− Manage security operations
− Build compliant data centers
− Offer backup and resiliency

Business Solutions on Cloud (Software as a Service, SaaS: gain immediate access with business solutions on cloud): capabilities provided to consumers for using a provider’s applications.
Key security focus: Compliance and Governance
− Harden exposed applications
− Securely federate identity
− Deploy access controls
− Encrypt communications
− Manage application policies

Across all four patterns: Security Intelligence – threat intelligence, user activity monitoring, real time insights
8. Cloud Computing Reference Architecture (CCRA)
9. Evolution of the Cloud Computing Reference Architecture (CCRA 3.0)

Timeline:
March 2009: initiated CCAB SC CCMP Reference Architecture
March 2010: published CC & CCMP Reference Architecture 1.0
October 2010: used in Cloud Launch and various customer/analyst sessions
February 2011: submitted CCRA to The Open Group
March 2011: release CCRA 2.0
April 2011: Public Cloud RA whitepaper available on ibm.com
July 2011: released “CCRA 2.0 for Business Partners”
Early 2012: release CCRA 2.5; reached the milestone of ~1500 IBMers formally educated on the CCRA
November 2012: release CCRA 3.0; Adoption Patterns: prescriptive guidance on IaaS/PaaS/CSP/SaaS
2012/13: CCRA standardization ongoing

Two phases of the evolution: first the overall architectural foundation was defined, then product- and integration-focused solution architectures were added.
10. The IBM Cloud Computing Reference Architecture (CCRA)

Represents the aggregate experience from hundreds of cloud client engagements and IBM-hosted cloud implementations
– Based on knowledge of IBM’s services, software & system experiences, including IBM Research
Provides prescriptive guidance on how to build IaaS, PaaS, SaaS and service provider clouds using IBM technologies
Reflected in the design of
– Clouds IBM implements for clients
– IBM-hosted cloud services
– IBM cloud appliances
– IBM cloud products

Public Cloud RA whitepaper available on ibm.com:
http://public.dhe.ibm.com/common/ssi/ecm/en/ciw03078usen/CIW03078USEN.PDF
CCRA OpenGroup submission:
http://www.opengroup.org/cloudcomputing/uploads/40/23840/CCRA.IBMSubmission.02282011.doc

CCRA 3.0 overview (the slide’s diagram, flattened):
Roles: Cloud Service Consumer (Cloud Service Integration Tools; Consumer In-house IT), Cloud Service Provider, Cloud Service Creator (Service Creation Tools).
Cloud Service Provider: Common Cloud Management Platform (CCMP) with Operational Support Services (OSS) and Business Support Services (BSS); Cloud Services: Infrastructure-as-a-Service, Platform-as-a-Service, Software-as-a-Service, Business-Process-as-a-Service; Infrastructure.
Cross-cutting: Governance; Security, Resiliency, Performance & Consumability.
Also shown: Existing & 3rd party services, Partner Ecosystems.
Common Reference Architecture Foundation with four adoption patterns: Cloud-enabled data center / building IaaS; Platform Services; Cloud Service Provider; Building SaaS.
11. CCRA Detailed Overview
12. CCRA Security Component Model

Security Components: Security Intelligence, Analytics and GRC, applied across People, Data, Applications and Infrastructure*
− Security Governance, Risk Management & Compliance
− Security Information & Event Management
− Identity & Access Management
− Data & Information Security
− Security Intelligence
− Physical & Personnel Security
− Threat & Intrusion Prevention
− Security Policy Management
− Encryption & Key Management
− Secure Application Development
− Endpoint Management
*Infrastructure includes server, network, storage

Additional information can be found here:
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Wf3cce8ff09b3_49d2_8ee7_4e49c1ef5d22/page/IBM%20Cloud%20Computing%20Reference%20Architecture%203.0
13. Using the IBM Security Framework, we articulate the way we address security in the Cloud in terms of Foundational Controls

IBM Cloud Security Reference Model (foundational controls, applied across Design, Deploy and Consume):
Cloud Governance: cloud-specific security governance, including directory synchronization and geo-locational support.
Security Governance, Risk Management & Compliance: security governance, including maintaining security policy and audit and compliance measures.
Problem & Information Security Incident Management: managing and responding to expected and unexpected events.
Identity and Access Management: strong focus on authentication of users and management of identity.
Discover, Categorize, Protect Data & Information Assets: strong focus on protection of data at rest or in transit.
Information Systems Acquisition, Development, and Maintenance: management of application and virtual machine deployment.
Secure Infrastructure Against Threats and Vulnerabilities: management of vulnerabilities and their associated mitigations, with a strong focus on network and endpoint protection.
Physical and Personnel Security: protection for physical assets and locations, including networks and data centers, as well as employee security.
14. Solution Approach - Summary

Understand Client: get a thorough understanding of the client’s existing IT environment and identify the client’s Cloud Adoption Pattern.
Define Client Requirements: identify actors, workloads and associated use cases, and identify the security requirements for each scenario.
Design Solution: define the Architecture Overview; identify the building blocks and controls needed, leveraging the IBM Security Framework and Cloud Foundational Controls.
Detail Design: use the CCRA Security Component Model to identify the required components and their interactions for the solution; realize the components by mapping them to the capabilities in our products / services portfolio; leverage assets to build the deployment architecture and integration requirements.
Define Roadmap & 1st Project: define the project plan with overall timeline, phases and key milestones, and overall delivery.

Work products across the phases: Business Driver; Actors and use cases; Non-functional requirements; System context; Architecture decisions; Architecture overview; Component model; Operational model; Solution integration details; Cloud roadmap; Project description; Viability Assessment.
15. Cloud Enabled Data Center - simple use case

Components on the slide: Self-Service GUI, Cloud Platform, Resource Pool (available resources), Image Library (machine images), Hypervisor (configured machine image, virtual machine), SW Catalog (config, binaries).

Provisioning flow:
1. User identity is verified and authenticated (Self-Service GUI, Cloud Platform).
2. Resource chosen from the correct security domain (Resource Pool).
3. VM is configured with the appropriate security policy (Image Library, Machine Image).
4. Virtual machine image provisioned behind FW / IPS (Hypervisor).
5. Host security installed and updated.
6. Software patches applied and up-to-date (SW Catalog: Config, Binaries).

Security components involved: Identity & Access Management; Security Information & Event Management; Endpoint Management; Threat & Intrusion Prevention.
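As an added example (not part of the deck and not IBM code), the following Python turns steps 1 to 4 and 6 of the flow above into a pre-provisioning policy gate: the platform refuses to hand a request to the hypervisor unless the caller holds the role for the target security domain, the pool belongs to that domain, the image comes from the approved library with the policy the domain requires and a current patch baseline, and the placement zone actually has a firewall and an IPS in front of it. The decision is written as a CADF-shaped audit record for the SIEM. The inventory (pools, zones, images), the role and policy names, the two requests and the 30-day patch threshold are all constructed for illustration.

```python
"""Added example: a policy gate for the Cloud Enabled Data Center use case.

Steps 1 to 4 and 6 of the slide become checks the cloud platform runs before a
self-service request reaches the hypervisor; the decision is also written out as
a CADF-shaped audit record for the SIEM. Step 5 (host security agent) happens
after first boot and is only recorded as a pending action. All pools, images,
zones, roles and thresholds are constructed for illustration.
"""
from datetime import date, datetime, timezone

# Constructed inventory: a pool sits in exactly one security domain and one network zone.
RESOURCE_POOLS = {
    "pool-dmz-01": {"domain": "dmz", "free_vcpu": 16, "zone": "dmz-edge"},
    "pool-int-01": {"domain": "internal", "free_vcpu": 4, "zone": "internal"},
}
NETWORK_ZONES = {  # controls actually deployed in front of each zone
    "dmz-edge": {"firewall": True, "ips": True},
    "internal": {"firewall": True, "ips": False},
}
IMAGE_LIBRARY = {  # hardened images: approval state, policy built to, last patch baseline
    "img-web-2014.04": {"approved": True, "policy": "dmz-web-v3", "patched": date(2014, 4, 28)},
    "img-web-2013.11": {"approved": True, "policy": "dmz-web-v2", "patched": date(2013, 11, 5)},
    "img-scratch": {"approved": False, "policy": None, "patched": None},
}
REQUIRED_POLICY = {"dmz": "dmz-web-v3", "internal": "internal-v2"}  # per security domain
DOMAIN_ROLE = {"dmz": "dmz-operator", "internal": "it-operator"}  # role needed to deploy there
MAX_PATCH_AGE_DAYS = 30  # assumed patch SLA
TODAY = date(2014, 5, 15)  # fixed "now" so the example is reproducible

# Constructed self-service requests: one compliant, one that fails several checks.
REQUEST_OK = {"user": "alice", "roles": ["dmz-operator"], "authenticated": True,
              "security_domain": "dmz", "pool": "pool-dmz-01", "image": "img-web-2014.04", "vcpu": 4}
REQUEST_BAD = {"user": "bob", "roles": ["it-operator"], "authenticated": True,
               "security_domain": "dmz", "pool": "pool-int-01", "image": "img-web-2013.11", "vcpu": 2}


def evaluate(request, today):
    """Return (decision, reasons, audit_record); any failed check denies the request."""
    reasons = []
    domain = request["security_domain"]

    # 1. identity verified and authorised for the target security domain
    if not request.get("authenticated"):
        reasons.append("user not authenticated")
    elif DOMAIN_ROLE.get(domain) not in request.get("roles", []):
        reasons.append("user lacks role %s for domain %s" % (DOMAIN_ROLE.get(domain), domain))

    # 2. resource chosen from the correct security domain, and actually free
    pool = RESOURCE_POOLS.get(request["pool"])
    if pool is None or pool["domain"] != domain:
        reasons.append("resource pool is not in the requested security domain")
    elif pool["free_vcpu"] < request["vcpu"]:
        reasons.append("resource pool has no free capacity")

    # 3. image carries the security policy this domain requires
    image = IMAGE_LIBRARY.get(request["image"])
    if image is None or not image["approved"]:
        reasons.append("image is not in the approved image library")
    else:
        if image["policy"] != REQUIRED_POLICY.get(domain):
            reasons.append("image policy %s does not match required %s"
                           % (image["policy"], REQUIRED_POLICY.get(domain)))
        # 6. patch baseline of the image is current
        if (today - image["patched"]).days > MAX_PATCH_AGE_DAYS:
            reasons.append("image patch baseline is older than %d days" % MAX_PATCH_AGE_DAYS)

    # 4. placement is behind a firewall and an IPS
    zone = NETWORK_ZONES.get(pool["zone"]) if pool else None
    if zone is None or not (zone["firewall"] and zone["ips"]):
        reasons.append("placement is not behind FW / IPS")

    decision = "allow" if not reasons else "deny"
    audit = {  # DMTF CADF event shape; observer and target names are ours
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
        "eventType": "activity",
        "eventTime": datetime.now(timezone.utc).isoformat(),
        "action": "create/compute/server",
        "outcome": "success" if decision == "allow" else "failure",
        "initiator": {"typeURI": "service/security/account/user", "name": request["user"]},
        "target": {"typeURI": "service/compute/server", "name": request["pool"]},
        "observer": {"typeURI": "service/oss/provisioning", "name": "policy-gate"},
        "attachments": [{"name": "policy-result", "contentType": "text/plain",
                         "content": "; ".join(reasons) or "all checks passed"}],
        # 5. host security is installed after boot; non-standard field the SIEM can chase
        "pending": ["install host security agent", "register with endpoint management"]
                   if decision == "allow" else [],
    }
    return decision, reasons, audit


if __name__ == "__main__":
    for req in (REQUEST_OK, REQUEST_BAD):
        decision, reasons, _ = evaluate(req, TODAY)
        print(req["user"], decision, reasons)
```

Every check appends its own reason instead of returning early, so the requester (and the SIEM) sees the full list of what was wrong with a denied request rather than only the first failure; the audit record is emitted for allowed and denied requests alike, which is what makes step 1 and step 2 violations visible in the event stream.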
16. One component in detail: Security Information and Event Management
17. Security Component Model – Cloud Enabled Data Center

The security component model of slide 12 (Security Intelligence, Analytics and GRC across People, Data, Applications and Infrastructure*: Security Governance, Risk Management & Compliance; Security Information & Event Management; Identity & Access Management; Data & Information Security; Security Intelligence; Physical & Personnel Security; Threat & Intrusion Prevention; Security Policy Management; Encryption & Key Management; Secure Application Development; Endpoint Management), shown for the Cloud Enabled Data Center pattern.
*Infrastructure includes server, network, storage
18. Generic security service catalog for Security Operations

Risk and Compliance
− Compliance Management: Compliance Reporting, Compliance Controlling
− Risk Management: Risk Reporting, Risk Identification
− Supervisory Services: Fraud Detection
− Evidence Management: Digital Forensics
− Records Management

Analytics Services
− Security & Compliance Dashboard

Threat and Vulnerability Management
− Vulnerability Management: Vulnerability Discovery, Vulnerability Analysis, Vulnerability Remediation
− Security Information and Event Management: Security Log Collection & Normalization, Security Event Correlation & Normalization, Security Monitoring and Alerting, Security Problem and Incident Response
− Threat Management: Threat Identification, Threat Analysis, Threat Mitigation
− Security Intelligence: Security Threat and Vulnerability Research

IT Service Management
− Incident and Problem Management

Asset Management
− Asset Administration
19. Practical example: SIEM across hybrid cloud deployments

Workloads deployed in private virtual environments (OpenStack): a “filter” in the Core API layer audits all OpenStack API calls and emits OpenStack Audit (CADF) events; Ceilometer provides usage / performance monitoring and auditing, with the events kept in its “datastores”.
Public cloud services: AWS CloudTrail.
Both event feeds are brought into the SIEM.
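As an added example (not from the deck and not an IBM product), the following Python shows the SIEM services of slide 18 (log collection & normalization, event correlation, monitoring and alerting) applied to the hybrid setup of this slide: constructed OpenStack CADF audit events and AWS CloudTrail records are mapped onto one schema, and a single correlation rule then runs across both clouds, so a burst of failed logins against Keystone followed minutes later by a successful console login from the same source address on AWS is raised as one alert, together with the privileged API call that followed. The events, the `AUTH_ACTIONS` set, the failure threshold and the time window are assumptions; the field names follow the public CADF and CloudTrail record formats.

```python
"""Added example: SIEM normalisation and correlation across a hybrid cloud.
OpenStack CADF audit records and AWS CloudTrail records are mapped onto one
schema, then one correlation rule runs over the merged stream. All events are
constructed for illustration; threshold and window are assumed tuning values."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

AUTH_ACTIONS = {"authenticate", "ConsoleLogin"}  # Keystone CADF action / CloudTrail eventName
FAILURE_THRESHOLD = 3                             # assumed
WINDOW = timedelta(minutes=10)                    # assumed

def _cadf(eid, when, user, ip, outcome):
    """Constructed CADF authentication event, shaped like a Keystone audit record."""
    return {"typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
            "eventType": "activity", "id": eid, "eventTime": when,
            "action": "authenticate", "outcome": outcome,
            "initiator": {"typeURI": "service/security/account/user", "name": user,
                          "host": {"address": ip}},
            "target": {"typeURI": "service/security/account/user", "name": user},
            "observer": {"typeURI": "service/security", "name": "keystone"}}

def _trail(when, source, name, ip, user, **extra):
    """Constructed CloudTrail record; extra carries responseElements / requestParameters."""
    rec = {"eventVersion": "1.02", "eventTime": when, "eventSource": source, "eventName": name,
           "sourceIPAddress": ip, "userIdentity": {"type": "IAMUser", "userName": user}}
    rec.update(extra)
    return rec

CADF_EVENTS = [  # private cloud: three failed logins for alice, one for bob
    _cadf("c1", "2014-05-01T10:00:01.000000+0000", "alice", "203.0.113.7", "failure"),
    _cadf("c2", "2014-05-01T10:00:09.000000+0000", "alice", "203.0.113.7", "failure"),
    _cadf("c3", "2014-05-01T10:00:15.000000+0000", "alice", "203.0.113.7", "failure"),
    _cadf("c4", "2014-05-01T10:01:00.000000+0000", "bob", "198.51.100.5", "failure"),
]
CLOUDTRAIL_RECORDS = [  # public cloud: the same source IPs show up minutes later
    _trail("2014-05-01T10:02:00Z", "signin.amazonaws.com", "ConsoleLogin", "198.51.100.5", "bob",
           responseElements={"ConsoleLogin": "Success"}),
    _trail("2014-05-01T10:04:00Z", "signin.amazonaws.com", "ConsoleLogin", "203.0.113.7", "alice",
           responseElements={"ConsoleLogin": "Success"}),
    _trail("2014-05-01T10:05:30Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress",
           "203.0.113.7", "alice", requestParameters={"groupId": "sg-0a1b2c3d"}),
]

def _parse_time(value):
    """CADF timestamps end in '+0000' (or '+00:00'); CloudTrail's end in 'Z'."""
    value = value.replace("Z", "+0000").replace("+00:00", "+0000")
    fmt = "%Y-%m-%dT%H:%M:%S.%f%z" if "." in value else "%Y-%m-%dT%H:%M:%S%z"
    return datetime.strptime(value, fmt).astimezone(timezone.utc)

def normalize_cadf(ev):
    """CADF -> common schema: initiator is the actor, initiator.host is the source IP."""
    init = ev.get("initiator", {})
    return {"ts": _parse_time(ev["eventTime"]), "source": "openstack",
            "actor": init.get("name", "unknown"), "src_ip": init.get("host", {}).get("address"),
            "action": ev["action"], "outcome": ev["outcome"]}

def normalize_cloudtrail(rec):
    """CloudTrail -> common schema; sign-in results live in responseElements, API failures in errorCode."""
    if rec["eventName"] == "ConsoleLogin":
        outcome = rec.get("responseElements", {}).get("ConsoleLogin", "unknown").lower()
    else:
        outcome = "failure" if "errorCode" in rec else "success"
    return {"ts": _parse_time(rec["eventTime"]), "source": "aws",
            "actor": rec.get("userIdentity", {}).get("userName", "unknown"),
            "src_ip": rec.get("sourceIPAddress"), "action": rec["eventName"], "outcome": outcome}

def correlate(events):
    """FAILURE_THRESHOLD or more auth failures from one IP, then an auth success from the
    same IP within WINDOW (in either cloud), raises one alert; non-auth actions that IP
    performs within WINDOW of the success are attached as follow-on activity."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["src_ip"]:
            by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        failures = []
        for i, e in enumerate(evs):
            if e["action"] not in AUTH_ACTIONS:
                continue
            failures = [f for f in failures if e["ts"] - f["ts"] <= WINDOW]  # slide the window
            if e["outcome"] == "failure":
                failures.append(e)
            elif e["outcome"] == "success" and len(failures) >= FAILURE_THRESHOLD:
                follow_on = [x["action"] for x in evs[i + 1:]
                             if x["action"] not in AUTH_ACTIONS and x["ts"] - e["ts"] <= WINDOW]
                alerts.append({"rule": "auth-failures-then-success", "src_ip": ip,
                               "actor": e["actor"], "failures": len(failures),
                               "clouds": sorted({f["source"] for f in failures} | {e["source"]}),
                               "success_at": e["ts"].isoformat(), "follow_on": follow_on})
                failures = []
    return alerts

def run_example():
    """Normalize both feeds and correlate; returns the alert list (one alert for alice's IP)."""
    events = [normalize_cadf(e) for e in CADF_EVENTS] + [normalize_cloudtrail(r) for r in CLOUDTRAIL_RECORDS]
    return correlate(events)
```

The rule keys on the source address rather than the user name because that is the only field the two clouds share reliably: the same person is `alice` in Keystone and an IAM user in AWS, and a credential-stuffing attacker need not use the same account on both sides. Normalizing the timestamps to UTC before sorting is what lets the ten-minute window span both feeds; without it, the CADF `+0000` and CloudTrail `Z` records would not compare.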
20. www.ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.