Cloud Security: What you need to know about IBM SmartCloud Security


Safeguarding the cloud with IBM Security solutions - Maintain visibility and control with proven security solutions for public, private and hybrid clouds.



Transcript

  • 1. © 2012 IBM Corporation. IBM Security Systems. SmartCloud Security Overview. Gretchen Marx, Program Manager, Portfolio Strategy, IBM Security Division
  • 2. © 2013 IBM Corporation. IBM Security Systems. Agenda
    • Cloud security landscape
    • IBM SmartCloud Security offerings
    • SmartCloud Security demo
  • 3. Cloud computing is hot and growing fast
    What organizations like about cloud computing:
    • Elastic capacity: resources can be elastically provisioned to quickly scale out and rapidly released to quickly scale in
    • Fast provisioning: automated provisioning / deprovisioning of resources as needed
    • Self-service requests: users request services via a web portal
    • Low cost, pay-as-you-go: users pay for what they use
    [Chart: WW IT Spend ($B); labels: Cloud, Non-Cloud, Traditional IT, Rest of IT; 3% CAGR, 25% CAGR. Source: IBM Market Insights Cloud Phase 2 assessment, Feb 2011]
  • 4. The Cloud security market is growing
    Cloud Security is estimated to be 10.6% of total security spending in 2013, growing to 13.9% in 2015.
    [Charts: 2013 – 2016 Worldwide Cloud Security Opportunity ($B), Private and Public; Worldwide Public and Private Cloud Security Product Share by Subcategory, 2011; labels: 19%, 24%. Source: IDC, December 2012]
  • 5. Cloud environments present new challenges
  • 6. Security remains #1 inhibitor to broad scale cloud adoption
    Source: 2012 Cloud Computing – Key Trends and Future Effects – IDG
  • 7. Cloud computing tests the limits of security operations and infrastructure
    Cloud characteristics: Self-Service; Highly Virtualized; Location Independence; Workload Automation; Rapid Elasticity; Standardization
    Security and Privacy Domains: People and Identity; Application and Process; Network, Server and Endpoint; Data and Information; Physical Infrastructure; Governance, Risk and Compliance
    To the Cloud: Multiple logins, onboarding issues; Multi-tenancy, data separation; Audit silos, compliance controls; Provider controlled, lack of visibility; Virtualization, network isolation; External facing, quick provisioning
    In a cloud environment, access expands, responsibilities change, control shifts, and the speed of provisioning resources and applications increases, greatly affecting all aspects of IT security.
  • 8. Cloud computing changes the way we think about security.
    Changes in Security and Privacy (Private cloud, Public cloud, Hybrid IT):
    • High multi-tenancy and data separation
    • Image management and compliance
    • Security of the virtual / hypervisor layer
    • Virtual network visibility
    • Need for Service level agreements (SLAs)
    • Provider responsibility for infrastructure
    • Customization of security controls
    • Visibility into day-to-day operations
    • Access to logs and policies
    • Applications and data are publicly exposed
    While security concerns are often shared across the different cloud models, the responsibility changes from consumer to provider, which can present unique challenges.
  • 9. Security is a crucial part of the IBM SmartCloud strategy
    • Build Clouds securely: IBM's industry leading security solutions and professional services enable an integrated set of capabilities to build secure clouds, whether for private clouds or cloud delivery platforms for cloud service providers
    • Deliver Cloud services securely: ensure IBM SmartCloud Services are delivered securely, addressing governance, identity, data, and physical security
    • Use Cloud to deliver Security-as-a-Service: provide immediate access to cloud-delivered security services, including vulnerability scanning, web and email security
    Column labels: Security for Private Clouds; Security for SCE / SCE+; Security-as-a-Service
    • Cloud Enablement Technologies: enables private / hybrid cloud service delivery and management
    • Cloud Computing as a Service: Cloud platform and/or infrastructure as a service
    • Software as a Service Business Solutions: pre-built Cloud SaaS business applications and solutions
    Focus for this conversation
  • 10. Key customer Cloud security concerns
    1. Manage the registration and control the access of thousands or even millions of Cloud users in a cost-effective way
    2. Ensure the safety and privacy of critical enterprise data in Cloud environments without disrupting operations
    3. Provide secure access to applications in the Cloud
    4. Manage patch requirements for virtualized systems
    5. Provide protection against network threat and vulnerabilities in the Cloud
    6. Protect virtual machines
    7. Achieve visibility and transparency in Cloud environments to find advanced threats and meet regulatory and compliance requirements
  • 11. IBM Security: Delivering intelligence, integration and expertise across a comprehensive framework
    • IBM Security Framework built on the foundation of COBIT and ISO standards
    • End-to-end coverage of the security domains
    • Managed and Professional Services to help clients secure the enterprise
  • 12. SmartCloud Security Capabilities
    • Administer, secure, and extend identity and access to and from the cloud
    • Secure enterprise databases
    • Build, test and maintain secure cloud applications
    • Prevent advanced threats with layered protection and analytics
    Offerings listed:
    • IBM Security Identity and Access Management Suite
    • IBM Security Federated Identity Manager - Business Gateway
    • IBM Security Privileged Identity Manager
    • IBM InfoSphere Guardium
    • IBM Security AppScan Suite
    • IBM AppScan OnDemand (hosted)
    • IBM Security Key Life Cycle Manager
    • IBM SmartCloud Patch
    • IBM Security Network IPS and Virtual IPS
    • IBM Security Virtual Server Protection for VMware
    IBM SmartCloud Security Intelligence: IBM Security QRadar SIEM and VFlow Collectors
    Groupings: IBM SmartCloud Security Identity Protection; IBM SmartCloud Security Data and Application Protection; IBM SmartCloud Security Threat Protection
    13-04-02
  • 13. Cost-effective and standards-based registration and access control of Cloud users (1 Identity)
    • External users need identity and access controls
    • Internal users need easy and secure access to Cloud applications
    • Compliance and audit controls need to cover all the users and services
    • When millions of users need access to cloud-based resources, user provisioning (and de-provisioning) must be simple, efficient and scalable
    • Need to protect against threats that can lead to data loss and web fraud
    • Organizations need the ability to tie cloud-based applications together with internal applications and enable users to access them easily with single sign-on
    [Diagram labels: External users; Internal users; Application; Internal Applications; External Applications; Enterprise Single Sign On; Federated Identity Management; Custodians of the Cloud]
  • 14. Cost-effective user registration and access control of Cloud users (1 Identity)
    Addressing compliance requirements, reducing operational costs, enhancing security posture and developing operational efficiencies
    Requirement: Full life-cycle identity management (“cradle-to-grave”) for cloud-based users
    Capability:
    • Federated single sign-on to multiple web-based and cloud applications with a single ID and password for employees, customers, BPs, vendors
    • User self-service for identity creation and password reset
    • Securely provision, manage, automate and track privileged access to critical enterprise resources
    Requirement: Access, authorization control, and fraud prevention for applications and data in the cloud
    Capability:
    • Automated management and risk-based enforcement of access control policies across every application, data source, operating system and even company boundaries
    • Role-based identity and access management aligns users’ roles to their access capabilities, simplifies management and compliance
    Requirement: Ability to track and log user activities, report violations, and prove compliance
    Capability:
    • Security incident and event management for compliance reporting and auditing of users and their activities, in both cloud and traditional environments
    • The ability to monitor, control, and report on privileged identities (e.g., systems and database administrators) for cloud-based administrators
    [Other labels: Security Event and Log Mgt.; Vulnerability Mgt. Service]
  • 15. Getting started on ramp for the Cloud with Federated SSO (1 Identity)
    Federated Access / Identity Management: Know who can access the cloud; single access method for users into workload aware Cloud
    Identity Federation enables web single sign on across applications:
    • Access controls on cloud applications
    • Provide users with the ability to single sign on to multiple Web-based cloud applications with disparate user IDs/passwords
    • Self service identity registration, validation and processing user credentials
    Products: IBM Security Access Manager for Cloud and Mobile; IBM Security Identity Manager
  • 16. Beyond the basics: Next steps in IAM for Cloud security (1 Identity)
    Summary: Improve visibility and securely connect users to the workload aware Cloud; enforce auditable access and enable secure collaboration
    Cloud Use Case: Federated SSO to SaaS / Cloud; self-service identity provisioning, validation and processing user credentials
    Deployment Scenario: Hosted, managed and deployed as a Cloud
    Add Identity and Access Assurance to manage identities, entitlements, access control and auditing
    Add full Identity and Access Assurance solutions:
    • Build on access and authorization control
    • Full life-cycle user / identity management
    • Role-based identity and access management
    • Privileged identity management
    • Security Information & Event Management (SIEM)
    Product: IBM Security Identity and Access Assurance
    [Diagram labels: Computing Infrastructure; Systems; Storage; Network; Service Requestor; 3rd Party Cloud; Service Provider; Service Management; IAA; FIM; Systems & Image Management; Know who can access the cloud; Single access method for users into workload aware Cloud]
  • 17. Use Case: Prevent fraudulent access to Cloud applications and services using risk-based access policy and strong authentication (1 Identity)
    Flow: User attempts high-value transaction; strong authentication challenge; transaction completes
    Product: IBM Security Access Manager for Cloud and Mobile
    • Transactions < $100: Allowed with no additional authentication
    • Attempt to transfer >= $100: Requires strong authentication
  • 18. Privileged Identity Management: Centralized management of privileged and shared identities (1 Identity)
    Addressing insider threat with privileged users access management
    Business challenge: Track and audit activities of privileged users (e.g., root, financial app administrators) for effective governance
    IBM security solution: IBM Security Privileged Identity Management
    Key solution highlights: New Privileged Identity Management (PIM) solution providing complete identity management and enterprise single sign-on capabilities for privileged users
    • Control shared access to sensitive user IDs: check in / check out using secure credential vault
    • Request, approve and re-validate privileged access: reduce risk, enhance compliance
    • Track usage of shared identities: provide increased accountability and audit trail
    • Automated password management: automated checkout of IDs, hide password from requesting employee, automate password reset to eliminate password theft
    [Diagram labels: Databases; ID]
  • 20. Old approaches to data protection are not efficient for Cloud and virtualization (2 Data)
    • Multi-tenancy raises security concerns in Cloud environments
    • Lack of visibility over DB access in Cloud environments
    • Security alerts not real time
    • No separation of duties as required by auditors
    • Inconsistent policies enterprise-wide
    • Native logging causes high performance impact on DBMS
    “A data security strategy should include database auditing and monitoring, patch management, data masking, access control, discovery / classification, and change management.”
    -- Why Enterprise Database Security Strategy Has Become Critical, Forrester Research, Inc, July 13, 2011
  • 21. Four steps to data security in the Cloud
    Steps: 1 Understand and Define; 2 Secure and Protect; 3 Monitor and Audit; 4 Enterprise Security intelligence
    Activities shown on the slide:
    • Discover where sensitive data resides
    • Classify and define data types
    • Define policies and metrics
    • Protect enterprise data from authorized and unauthorized access
    • De-identify confidential data in non-production environments
    • Fully redact unstructured data
    • Assess database vulnerabilities
    • Monitor and enforce review of policy exceptions
    • Audit and report for compliance
    “A data security strategy should include database auditing and monitoring, patch management, data masking, access control, discovery/classification, and change management.”
    -- Why Enterprise Database Security Strategy Has Become Critical, Forrester Research, Inc., July 13, 2011
  • 22. Data security for the Cloud (2 Data)
    Key Themes:
    • Reduced Total Cost of Ownership: expanded support for databases and unstructured data, automation, handling and analysis of large volumes of audit records, and new preventive capabilities
    • Enhanced Compliance Management: enhanced Database Vulnerability Assessment (VA) and Database Protection Subscription Service (DPS) with improved update frequency, labels for specific regulations, and product integrations
    • Dynamic Data Protection: data masking capabilities for databases (row level, role level) and for applications (pattern based, form based) to safeguard sensitive and confidential data
    [Other labels: Across Multiple Deployment Models; QRadar Integration]
  • 23. Application security challenge: manage risk (3 Applications)
    • 76% of CEOs feel reducing security flaws within business-critical applications is the most important aspect of their data protection programs
    • 79% of compromised records used Web Apps as the attack pathway
    • 81% of breached organizations subject to PCI were found to be non-compliant
    Web application vulnerabilities up 14% in 2012
    [Chart: Web Application Vulnerabilities as a Percentage of All Disclosures in 2012; Web Applications: 43 percent; Others: 57 percent. Source: IBM X-Force® 2012 Full-Year Trend and Risk Report]
  • 24. Finding and fixing application vulnerabilities (3 Applications)
    Automate Application Security Testing: Scan applications; Analyze (identify issues); Report (detailed and actionable)
    • During coding
    • During production
    • Web vulnerabilities
    • PII use and security
    • Remediation steps
    • Compliance
  • 25. AppScan security for Cloud environments
    Key Themes:
    • Coverage for Cloud and mobile apps & new threats: identify and reduce risk by expanding scanning capabilities to new platforms such as Cloud and mobile using next generation dynamic analysis scanning and glass box testing
    • Simplified interface and accelerated ROI: improve time to value and consumability with out-of-the-box scanning, static analysis templates and ease of use features
    • Security Intelligence integration: automatically adjust threat levels based on knowledge of application vulnerabilities by integrating and analyzing scan results with SiteProtector and the QRadar Security Intelligence Platform
  • 27. Optimizing the patch cycle and helping ensure the security of both traditional and Cloud computing assets (4 Patch Management)
    Customer Pain Points:
    • Time required to patch all enterprise physical, virtual, distributed, and cloud assets
    • Lack of control over deployed and dormant virtual systems OS patch levels and related security configurations
    Capability:
    • Automatically manage patches for multiple OSs and applications across physical and virtual servers
    • Reduce security and compliance risk by slashing remediation cycles from weeks to hours
    • Patch running / offline / dormant VMs
    • Continuously monitor and enforce endpoint configuration
    [Diagram labels: Distributed Endpoints; Web; App; DB; Virtual Servers; Physical Servers]
  • 28. Enhanced Security and Patch Management with SmartCloud Patch
    Stay in Control and Prove it
    • Patch as fast as you can provision with rapid patching, configuration and policy deployment across thousands of endpoints regardless of location, connection type or status
    • Reduce security risk by slashing remediation cycles from weeks to days or hours
    • Gain greater visibility into patch compliance with flexible, real-time monitoring and reporting from a single management console
    • Efficiently deploy patches, even over low-bandwidth or globally distributed networks, reducing labor requirements by over 75%
    • Patch endpoints on or off the network, including roaming devices using Internet connections, providing over 98.5% first pass patch compliance
    [Diagram labels: Enforce; Evaluate; Publish; Report; SmartCloud Patch]
  • 29. The challenging state of network security (5 Network Protection)
    • SOCIAL NETWORKING: Social media sites present productivity, privacy and security risks including new threat vectors
    • LIMITED NETWORK VISIBILITY: Limited visibility into traffic patterns or types of traffic traversing the network
    • POINT SOLUTIONS: Point solutions are siloed with minimal integration or data sharing (URL Filtering; IDS / IPS; IM / P2P; Web App Protection; Vulnerability Management)
    • SOPHISTICATED ATTACKS: Increasingly sophisticated attacks are using multiple attack vectors and increasing risk exposure (Stealth Bots; Targeted Attacks; Worms; Trojans; Designer Malware)
  • 30. Network intrusion protection is a primary building block in Cloud security (5 Network Protection)
    [Diagram labels: Firewall; Datacenter; Network Intrusion Prevention]
    • Protect both applications and network from being exploited
    • Control protocols and applications
    • Monitor traffic for anomalous traffic patterns
    • Protect users from being attacked (e.g., through malicious documents)
    • Prove compliance with regulation requirements (e.g., PCI)
    • Enforce corporate policy with employees and 3rd parties (e.g., consultants)
    • Monitor network traffic for sensitive information leaving the company
    • Prevent data from being stolen from databases via web applications
  • 31. © 2012 IBM Corporation. IBM Internal and Business Partner Use Only. IBM Security Network Protection XGS 5000
    IBM XGS 5000: Extensible, 0-Day protection powered by X-Force®
    IBM Security Threat Protection: Ability to protect against the threats of today and tomorrow
    Techniques listed:
    • Vulnerability modeling and algorithms
    • Stateful packet inspection
    • Port variability
    • Port assignment
    • Port following
    • Protocol tunneling
    • Shellcode heuristics
    • Application layer pre-processing
    • Context field analysis
    • RFC compliance
    • Statistical analysis
    • TCP reassembly and flow reassembly
    • Host response analysis
    • Port probe detection
    • Pattern matching
    • Custom signatures
    • Injection logic engine
    • IPv6 tunnel analysis
    • SIT tunnel analysis
    Highlights:
    – 15 years+ of vulnerability research and development
    – Trusted by the world’s largest enterprises and government agencies
    – True protocol-aware intrusion prevention, not reliant on signatures
    – Backed by X-Force®
    – Specialized engines: Exploit Payload Detection; Web Application Protection; Content and File Inspection
    Summary points:
    • Next Generation IPS powered by X-Force® Research protects weeks or even months “ahead of the threat”
    • Full protocol, content and application aware protection goes beyond signatures
    • Expandable protection modules defend against emerging threats such as malicious file attachments and Web application attacks
    “When we see these attacks coming in, it will shut them down automatically.” – Melbourne IT
    [The IBM Threat Protection Engine] “defended an attack against a critical government network another protocol aware IPS missed” – Government Agency
  • 32. Why virtualization security? (6 Protect VMs)
  • 33. Summary of virtualization system security challenges (6 Protect VMs)
    1. Increased flexibility can increase security risk
    • Migration of VMs for load balancing can make them more difficult to secure
    • Ease of addition of VMs increases likelihood that insecure systems will go online
    • Malicious insiders can inflict massive damage very quickly
    2. Larger attack surface
    • Virtual endpoints have same security challenges as their physical counterparts
    • Virtualization management systems provide new attack vector
    • Hypervisor itself is an attack vector
    3. New vulnerabilities
    • 259 new virtualization vulnerabilities over the last 5 years
    • New attack types (e.g., Hyperjacking, hypervisor escape, VM attacks)
  • 34. Virtual Server Protection increases ROI of the virtual infrastructure, while reducing risk (6 Protect VMs)
    • Automated protection as each VM comes online
      – Automatic discovery
      – Automated vulnerability assessment
      – Simplified patch management
    • Non-intrusive
      – No reconfiguration of the virtual network
      – No presence in the guest OS
      ✓ Improved stability
      ✓ More CPU / memory available for workloads
      ✓ Reduced attack surface
    • Protection for any guest OS
      – Reduction in security agents for multiple OSs
    [Label: VMware vCloud]
  • 35. SmartCloud Security Capabilities
    • Administer, secure, and extend identity and access to and from the cloud
    • Secure enterprise databases
    • Build, test and maintain secure cloud applications
    • Prevent advanced threats with layered protection and analytics
    Offerings listed:
    • IBM Security Identity and Access Management Suite
    • IBM Security Federated Identity Manager - Business Gateway
    • IBM Security Privileged Identity Manager
    • IBM InfoSphere Guardium
    • IBM Security AppScan Suite
    • IBM AppScan OnDemand (hosted)
    • IBM Security Key Life Cycle Manager
    • IBM SmartCloud Patch
    • IBM Security Network IPS and Virtual IPS
    • IBM Security Virtual Server Protection for VMware
  • 36. Security Intelligence: Integrating across IT silos (7 Security Intelligence)
  • 37. Supplemented with Security-as-a-Service offerings
  • 38. Driving client-focused open standards and interoperability
    • Cloud Auditing Data Federation (CADF) WG
    • ISO JTC 1/SC 27: IT Security Techniques
    • IETF OAuth 2.0
    • Customer security standards guidance
    • Open source cloud computing infrastructure (IaaS focus)
  • 39. Thank you