5 Easy Steps to Securing Workloads on Public Clouds

Cloud security remains a major consideration for projects moving to the cloud. While the topic has become less of an inhibitor to cloud adoption, the growing number of options creates complexity challenges and integration limitations. This webinar will focus on best practices for securing cloud workloads, based on common patterns emerging from customer deployments across a variety of cloud environments.

The session will highlight current differences between traditional software security and security in the cloud. It will touch upon emerging capabilities in virtual security products, and it will conclude with a tour of where virtualized security is heading and highlight how it can be stronger and faster than anything we had before.

View the full on-demand webcast: http://securityintelligence.com/events/secure-workloads-public-clouds-5-easy-steps/#.VMvUbPMo6Mo

  1. © 2012 IBM Corporation, IBM Security Systems. © 2014 IBM Corporation. 5 Easy Steps to Securing Workloads on Public Clouds. Jeff Hoy, Cloud Security Architect, IBM Security Systems, CTO Office. May 21, 2014.
  2. Please Note: IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
  3. Goals of This Webinar. 1) Share our views about Cloud Security • How cloud is changing security • Impact to your organization. 2) 5 Easy Steps to securing workloads • Topology-based options • Detailed examples. 3) Looking forward • Trends in cloud direction • Emerging security capabilities.
  4. Speaker Background. About Jeff: • Cloud Security Architect • IBM Security Systems • CTO Team • 12+ years with IBM • jeffhoy@us.ibm.com. Focus Areas: • Cloud Security Enablement • SaaS Security • Hybrid Cloud • Next Generation Cloud Security.
  5. Topic: Securing the Cloud. Security in the Cloud.
  6. Security objectives reflect responsibilities when adopting Cloud. Table columns: Services Acquired; Organization / Buyers; Security Responsibilities and Objectives. Software as a Service (SaaS); CxOs (CIO, CMO, CHRO, ...); • Complete visibility to enterprise SaaS usage and risk profiling • Governance of user access to SaaS and identity federation. Platform as a Service (PaaS); Application teams, LOBs; • Enable developers to compose secure cloud applications and APIs, with enhanced user experience • Visibility and protection against fraud and applications threats. Infrastructure as a Service (IaaS); CIO, IT teams; • Protect the cloud infrastructure to securely deploy workloads and meet compliance objectives • Have full operational visibility across hybrid cloud deployments, and govern usage.
  7. Traditional perimeter based security controls … Diagram labels: Untrusted Internet; DMZ; Trusted Intranet; Online Banking Application; Employee Application.
  8. Traditional perimeter based security controls … are changing to security centered around applications and interactions. Diagram labels: Untrusted Internet; DMZ; Trusted Intranet; Online Banking Application; Investment API Services; Employee Application; Apps, APIs Services; Build and Deliver Apps, Services (PaaS); Consume Apps and Services (SaaS); Leverage Public Clouds (IaaS).
  9. We see three sets of capabilities to help adopt cloud with confidence. Cloud Security Capabilities: • Identity: Manage identities and govern user access • Protection: Protect infrastructure, applications, and data from threats • Insight: Auditable intelligence on cloud access, activity, cost and compliance. IaaS: Securing infrastructure and workloads. SaaS: Secure usage of business applications. PaaS: Secure service composition and apps. Bluemix.
  10. How will complex environments evolve for your organization?
  11. Topic: 5 Easy Steps. 5 Easy Steps to Securing Workloads on Public Clouds.
  12. Step #1: Basic Security Enablement. Same principles apply. Traditional on-premise: IPS; Visibility; Data Security; Scanning; TLS; Firewalls; SOA Appliance; Endpoint Mgmt; User Admin. Public cloud-based: IPS; Visibility; Data Security; Scanning; TLS; Firewalls; SOA Appliance; Endpoint Mgmt; User Admin.
  13. Example #1: Securing Workloads on Cloud Infrastructure (IaaS). Diagram labels: Monitor & manage security posture; Configure application centric security policies; Provision secure cloud infrastructure; User Access; Customer Application; Network Protection; Cloud Admins; Security Team; Application Team; Enterprise Roles; Service users; Securely Access Cloud services; Security Intelligence; Data Security.
  14. Step #2: Pattern-Based Security. Diagram labels: IPS; Data Security; Scanning; TLS; Firewalls; SOA Appliance; Endpoint Mgmt; Visibility; System Template; Pattern Engine; Preconfigured Systems; Customize.
  15. Example #2: Secure Image Deployment. Virtual Image: • Apache HTTP Server • WebSphere Liberty • Banking EJB • IBM Access Manager • IBM Identity Manager • Restrictive Firewalls • Endpoint Manager • Disk encryption • Credential Vault. Deploy Images. Update Images: • IP Address • Hostname • Credentials, etc. Production System.
  16. Step #3: Automation-Enabled Pattern & Policy-driven Approaches. Shared Security Services, REST APIs: • Identity as a Service • Log Management & Audit • App and Vulnerability Testing. Security Policy Management for Cloud.
  17. Example #3: Pattern-Based Access Management. Diagram labels: Security Web Gateway; Web Application. Environment Components: 1. QRadar vSys Pattern 2. External ISAM Appliance 3. ISAM Log Integration 4. WebSEAL Reverse Proxy 5. Application vSys Pattern 6. Application TAI + Junction 7. Consolidated Logbackup 8. SQL Injection Attack 9. Application Response 10. QRadar threat console.
  18. Step #4: Integrated Intelligence across Hybrid Cloud. Diagram labels: Ceilometer; Usage / Performance Monitoring + Auditing; “Datastores”; Core API Layer; “Filter” audits all OpenStack API calls; CADF; AWS CloudTrail; OpenStack Audit (CADF); Workloads deployed in private virtual Environments; Public Cloud Services.
  19. Example #4: Security Intelligence for Virtual Infrastructure. Business challenge: • Improved security and visibility into virtual Infrastructures • Better visibility into logs coming from their sensors across the environment • Support ad hoc search across large data. Solution: • Scales to large volumes • User friendly reporting • Quick search and review of logs • Reasonable cost of ownership. Diagram labels: Security Intelligence for Hybrid Cloud; SaaS applications; Infrastructure as a Service; Virtualized data center.
  20. Step #5: Leverage Security SaaS. Shared Security Services (Security from the Cloud), REST APIs: • Identity as a Service • Log Management & Audit • App and Vulnerability Testing. • API enable and standup key products as shared cloud services • Multi-tenancy. Diagram labels: Administrator / app owner; End users.
  21. Example #5: SaaS Security Usage in Your Environment.
  22. Topic: Looking Forward. Cloud Security Trends.
  23. Security Across the Cloud DevOps lifecycle. IBM SECURITY SYSTEMS :: IBM Confidential :: ©2013 IBM Corporation. Diagram labels: Dynamic Analysis; Interactive Analysis; Mobile App Analysis; Static Analysis; Application Security Management; Inventory assets; Assess business impact; Measure status & progress; Prioritize vulnerabilities; Determine compliance; DEV; OPS; Dynamic Analysis; Database monitoring; Security Intelligence; SIEM; Network Activity Monitoring; Vulnerability Mgmt; Log Mgmt; Network Protection; Fraud Protection; AppScan; QRadar; Guardium; SiteProtector/IPS; Trusteer.
  24. Cloud Application Zone Active Protection – Typical Scenario. Migrating Online Application to off-premise cloud. Diagram labels: Traditional Data Center; DMZ; Trusted Intranet; Online Banking Application; End Users; Domain Specialized Developer; Infrastructure Operations; Security & Compliance Manager.
  25. Cloud Application Zone Active Protection - Solution Overview. Diagram labels: Config & Automation; Provision workload and security components; Deploy App; Secure Application; Access Application; Online Banking App; Workload Box; IBM Access Manager; IBM QRadar SIEM; Web App; DB. Demo Available - User Access Management, Web Application Protection, Log Management, Security Intelligence.
  26. Cloud ready data security and privacy on the cloud. Data Protection. Business Challenge: Data is… • Leaving the data center • Stored on shared drives and cloud infrastructure • Hosted by 3rd party • Managed by 3rd party. Solution: • Data security as a virtual appliance deployed on the Cloud • Data activity monitoring across hybrid clouds – virtualized and public clouds • Provides vulnerability assessments of data systems • Encrypts and masks sensitive data when used by privileged users. Diagram labels: Virtualized data center; IBM InfoSphere Guardium; Encryption; Masking; Activity Monitoring; Vulnerability Assessment; Structured & Unstructured Data.
  27. IBM leads with enterprise-grade cloud security. Today Announcements. Delivering security from the cloud; Solutions to protect cloud workloads: • Identity-as-a-Service beta for the IBM Cloud Platform • Security Optimization & Threat Monitoring • QRadar optimizations for cloud • Enhanced Virtual Threat Protection.
  28. Summary. 1) Cloud creates opportunities for enhanced security. 2) 5 Easy steps to securing workloads: 1. Basic Enablement 2. Pattern-Based Security 3. Automated Integration 4. Hybrid Cloud Security 5. Leveraging SaaS. 3) Going forward • Direction of the cloud • Emerging security capabilities.
  29. Key Cloud Resources. IBM Best Cloud Computing Security. IBM Research and Papers: • Special research concentration in cloud security, including White Papers, Redbooks, Solution Brief – Cloud Security. IBM X-Force: • Proactive counter intelligence and public education http://www-03.ibm.com/security/xforce/. IBM Institute for Advanced Security: • Cloud Security Zone and Blog (Link). Customer Case Study: • EXA Corporation creates a secure and resilient private cloud (Link). Collateral Sales Support: • NEW IBM Cloud Security Strategy and Community connections page (Link) • NEW Internal IBM SWG Sellers Workplace – Cloud Security Collateral - (Link) • SmartCloud Security Solutions Sales Kit – (Link). Other Links: • IBM Media series – SEI Cloud Security (Link) • External IBM.COM : IBM Security Solutions (Link) • External IBM.COM : IBM SmartCloud – security (Link) • IBM SmartCloud security video (Link).
  30. Questions? We Value Your Feedback!
  31. Backup
  32. Intelligent Security for the Cloud. Insight: Establish intelligence across enterprise and cloud • QRadar SIEM • QRadar Log Manager • QRadar Forensics. Protection: Protect data, applications and infrastructure from threats and risks. Data & Application: • IBM InfoSphere Guardium • IBM Security AppScan • IBM WebSphere DataPower. Infrastructure: • IBM Security Network Protection • IBM Security Trusteer • IBM Endpoint Manager. Identity: Manage users and their access to cloud • Identity Service - Beta • IBM Security Access Manager • IBM Security Privileged Identity Manager.
  33. AppScan Service & APIs from Bluemix. AppScan Mobile Analyzer – Ability to upload Android APKs to the cloud for an IAST (interactive application security scan): • Service available through the BlueMix catalog • Upload an APK and receive a security PDF report • Public APIs to integrate to 3rd party • Environment deployed on SoftLayer. AppScan DAST on BlueMix – Run a DAST scan on web application deployed on BlueMix: • Service available through the BlueMix catalog • Almost zero configuration (User Name/Password) • Public APIs to integrate to 3rd party • Environment deployed on SoftLayer.
  34. Cloud software delivery as virtual appliances. Security Software: Security capabilities as virtual appliances. They should be available as shared services through APIs. Delivering security capabilities as virtual appliances will enable: - Security enforcement ‘near’ workloads and in software defined environments - Protection within on-premise virtual environments or hosted clouds.
  35. Applications require easy-to-use, API-based services. Shared Security Services (Security from the Cloud), REST APIs: • Identity as a Service • Log Management & Audit • App and Vulnerability Testing. • API enable and standup key products as shared cloud services • Multi-tenancy. Diagram labels: Administrator / app owner; End users.
  36. Demo Scenario - Visibility to hybrid cloud application. Diagram labels: DMZ; Trusted Intranet; Jane; Andrew; Fred; Customers; Public Cloud Services; Private Cloud Services; Provision infrastructure; Deploy App; Monitor Usage & Security of the Environments; Access App; Reverse Proxy; Load balance; Gateway; Cloudburst.