How does IBM deliver cloud security?
An IBM paper covering SmartCloud Services [1]
Contents
Introduction
Cloud governance
Security governance, risk management and compliance
Problem and information security incident management
Identity and access management
Discover, categorise, and protect data and information assets
System acquisitions, development and maintenance
Secure infrastructure against threats and vulnerabilities
Physical and personnel security
Summary
Author

Introduction
Cloud computing is changing the way we use computing and has the potential for significant economic and efficiency benefits. But the speed of adoption depends on how quickly trust in new cloud models can be established. Some of the growing cloud security concerns include: security of highly virtualised environments from targeted threats and attacks, enabling secure collaboration, protection of the data (isolation, sharing) in a rapid provisioning and de-provisioning environment while experiencing the loss of direct control of security compliance, and privacy parameters.

In order to build this trust, IBM has written this paper to enable discussion around the new security challenges cloud introduces and how these are addressed by IBM’s cloud offerings. We highlight the approach IBM takes to secure cloud services delivered from IBM delivery centres.

In delivering security for its cloud offerings, IBM looks to and relies upon its strong security heritage and expertise. IBM has more than 6,000 security engineers and consultants around the world, designing, building and running security solutions for its customers and helping them address their challenges in this space. It has a portfolio of more than 3,000 security patents, with 100 new patents in 2011 alone. IBM also has the largest vulnerability database in the industry and manages over 13 billion security related events every day for existing customers.

IBM’s security strategy is based on the IBM Security Framework [2]. IBM provides security solutions that span this framework and works with organisations to take a holistic and risk-based approach to security. IBM has extensive experience of delivering in an outsourced and managed services environment and of having those services internally and externally audited to recognised industry standards.

The approach IBM takes to delivering cloud services to its customers is anchored in the IBM Security Framework and the associated IBM Security Blueprint. By using this proven framework and blueprint approach, we have created a set of foundational controls specific to cloud. These Cloud Security Foundation Controls have been developed from the foundational security management layer of the blueprint and are used to communicate with customers, partners and other stakeholders about how we approach security in our cloud models.

In this paper we present some of the measures that we take in relation to these foundational controls. This paper is not intended to be exhaustive and does not describe every procedure and technical detail for each cloud offering.

1. Cloud governance
Governance, risk and compliance are common issues raised by stakeholders. IBM has many managed services operations in countries around the globe. IBM’s cloud governance builds on that extensive IBM governance structure. We recognise that taking advantage of cloud requires new considerations for governance and that there are important questions about how data will be managed in the cloud. In order to assist transparency, IBM aligns its approach to recognised industry standards.

• IBM has internal security policies, standards and processes consistent with the ISO 27001 framework and control areas. In our delivery organisation we also regularly submit these policies, standards and processes to both internal audits and external certifications.
• IBM also maintains many industry related certifications such as ISO 9001, ISO 20000 and CMMI across many data centres. For example a customer using SmartCloud Services from IBM’s data centre in Ehningen, Germany can expect that it has both ISO 27001 and ISAE3402 covering the physical controls.

IBM has a comprehensive Service Organisation Controls (SOC) reporting programme and is undergoing several SSAE16 or equivalent audits covering many IT services and associated controls, from managed services delivery through to managed security services. We continue to develop this external auditing approach to cover our cloud services as they evolve and to stay in line with the standards’ requirements.

2. Security governance, risk management and compliance
As a large enterprise and a service provider, our cloud solutions reflect our understanding of organisational needs. We have a robust security compliance programme that has governance over IBM internal security policies, standards and processes.

• IBM has an Information Technology (IT) Security Compliance management system which entails adherence to predefined requirements. These include physical access controls, logical access controls (including user ID administration) and security health checking. Our internal and external audit partners regularly review these controls.
• Our processes and controls have evolved through thousands of engagements around outsourcing, hosting and other services. They have been further developed with the aim of meeting the needs of cloud environments.

We have incorporated governance and risk management best practices and lessons learned through implementing our own cloud solutions and building solutions for other large enterprise customers – and applied them to our cloud offerings.

IBM has extensive experience designing and delivering in multi-tenant environments. Security governance has also been enabled through the way we design, build and deliver solutions guided by an approach called, ‘Secure by Design’.

3. Problem and information security incident management
In the event of a problem or incident occurring in the cloud, formal response processes, aligned to the overall IBM Corporate Incident Management Processes, are executed and records retained. IBM has extensive experience of environments with shared users and incident management is handled to best efforts to ensure that customers and their data are protected.

• IBM has documented policies and procedures relating to the management and monitoring of security events within its offerings and infrastructure, including policies on escalation and resolution of incidents.
• In order to maintain the integrity of these security policies and procedures, and thereby protect our customers, these policies are not divulged outside IBM. Procedures are, however, subjected to internal and external audits on a regular basis.

In the case of a security event, IBM will evaluate the situation, and where an issue has a material impact on a customer, will notify them of such incidents. IBM also protects its infrastructure by shutting down instances that violate acceptable use policy. In addition, IBM has put in place log-management of its infrastructure, including network traffic and administrative functions, to ensure issues can be investigated. IBM customers can be assured that the cloud infrastructure monitoring does not capture or retain logs of customer data, other than metadata.

4. Identity and access management
To ensure that only those who need to access cloud environments do so, IBM has developed processes to ensure that access is tightly controlled. IBM maintains robust access control and privileged user monitoring to ensure enforcement and compliance regarding access to customer content and information.

• Access to any system managed by IBM begins with a formal access request and management approval process. Once approved, access is revalidated on a periodic basis, at least annually, to ensure users still require the level of access they have been granted. Systems are also in place to ensure that those who leave IBM have their access rights removed.
• IBM Administrators of the cloud have to authenticate to the management environment and to the management tools in order to gain access to functionality. These activities are monitored and logged to prevent unauthorized access to customer virtual environments.
• All customer content managed by IBM is strictly controlled and actively monitored. Only those personnel with appropriate authorisation from IBM Corporation have access to host management systems.

5. Discover, categorise, and protect data and information assets
One often cited concern about cloud is that it places data in new and different places. This applies not just to the user data, but also to the application (source) code.

IBM has invested in cloud data centres in geographic regions across the globe with customers able to specify the cloud data centre location they wish to use. Mechanisms for protecting data, such as encryption, may also be possible.

• We have enabled customers to configure encryption – for example, of persistent storage – within their guest workloads. Customers retain key management responsibility to support the security of these processes.
• Encryption can also be built into some applications deployed on our cloud services, for example IBM DB2® can encrypt local databases and support the encryption of customer information. For some solutions this can also be achieved at the file system level.
• At the infrastructure level there are additional controls such as encrypting backup media, protection of data on portable media, as well as during the disposal of storage devices.

Processes are also in place to ensure any media removed from the data centre is encrypted for transport, and securely deleted at the end of its use. In addition, in our standard operating procedures, customer data is not removed from the data centre without a customer’s permission.

IBM, as an international company with global customers, has substantial experience collecting, storing and working with personally identifiable information – and it has applied these rules within its managed infrastructure.

Governments have long had the authority to request access to data for law enforcement and national security reasons and such a request can extend to any company doing business within that country, regardless of where the company is based or where the data is stored.

IBM will thoroughly evaluate its obligations in order to provide the minimum data necessary to comply with legal requests from governmental authorities for access to data. IBM recommends that customers review the legal and business requirements relative to their data and works with them to architect solutions that meet their privacy and security needs.

6. System acquisitions, development and maintenance
Ensuring that the systems are built with security controls in mind, and that these controls are maintained throughout the operation of the system, is not a new concept to IBM.

• Our extensive experience in managing infrastructure means that cloud operational processes have been built to enable security to be applied to the environment throughout its lifecycle.
• Hypervisors are Common Criteria certified, for example, VMware ESX, PowerVM® and KVM are EAL 4+ certified. KVM is deployed on hardened SELinux servers, which provides additional isolation capabilities over KVM itself.
• Procedures are in place to maintain the security of the infrastructure, such as standard infrastructure patch management for cloud infrastructure.

7. Secure infrastructure against threats and vulnerabilities
Securing any infrastructure requires a defence in depth approach and IBM uses a number of different processes and procedures to protect cloud infrastructures. These are underpinned with people and technology to secure the infrastructure against threats and vulnerabilities.

• The solutions have been designed with isolation built in at different levels – at the network, hypervisor and storage layers. Management and infrastructure components are compartmentalised into security zones based on function, data types and access requirements, and storage networks and guest networks are physically separated. The zone design, as well as network flows, requires formal review and approval through architecture governance processes.
• Management infrastructure is regularly scanned for vulnerabilities using industry standard tools and master images are regularly updated to the latest security fix/patch level.
• Intrusion detection and prevention systems (IDPS) are utilised at boundaries to the Internet. IBM employs an approach that does not rely on signature-based vulnerability detection alone. This capability allows protection against previously unseen threats based on behaviour and not just signatures.
• All management systems and underlying infrastructure periodically undergo security configuration checking to ensure system security settings continue to be configured in line with security standards and policy. Host-based firewalls within the customer Virtual Machines (VMs) can, and should, also be configured to achieve defence in depth.

8. Physical and personnel security
One concern often raised is where the data is located and how it will be controlled in the data centre. IBM cloud delivery centres are located within established IBM data centres and the company has extensive experience in managing data centres.

• IBM has data centres with strong physical controls including, but not limited to, CCTV, biometric authentication mechanisms, resiliency tools and door alarms. All IBM personnel undergo background checks prior to being hired.
• IBM does allow accompanied visitation of its site facilities by its customers, however no persons, other than IBM personnel and agents working on behalf of IBM, are allowed access to the data centre facilities beyond those areas specified for visitors. Access to the IBM data centre floor is strictly restricted to authorised IBM personnel only and those permitted to carry out work on behalf of the company.
• IBM requires employees to go through training in the handling of customer data and to demonstrate understanding of those policies. The IBM business conduct guidelines oversee expectations and requirements of employees including the handling of customer data. All IBM employees are required to re-certify understanding in these areas on a yearly basis.

Summary
Cloud computing offers new possibilities and new security challenges. These challenges range from governance, through to securing application and infrastructure. Fundamentally it is to be able to assure the security of these new models in order to build trust and confidence.

IBM has extensive experience of delivering in shared environments, a common characteristic of cloud. This experience ranges from managed services, through to infrastructure as a service and platform as a service.

This paper introduces IBM’s approach to delivering cloud security for infrastructure services. However it is not intended to be exhaustive and does not describe every procedure and technical detail for each cloud offering.

The key to establishing trust in these new models is choosing the right cloud computing model for your organisation, and being able to deploy workloads using a delivery model with the appropriate security controls.

We understand this is not just a technical challenge but a challenge of governance and compliance, applications and infrastructure, and assurance.

Author
Nick Coleman
IBM Global Cloud Security Leader
Email: firstname.lastname@example.org
twitter.com/teamsecurity

Acknowledgments
Neil Readshaw
IBM Senior Technical Staff Member

Martin Borrett
Director of the IBM Institute for Advanced Security Europe

References
[1] IBM SmartCloud Enterprise and Enterprise Plus, ibm.com/services/uk/en/cloud-enterprise
[2] IBM Security Framework, www.redbooks.ibm.com/abstracts/redp4528.html