Cloud Security Essentials
- 1. © 2011 IBM Corporation
Cloud Security
Glenn Ambler, IBM Security Architect
22nd May, 2012
Glenn.ambler@uk.ibm.com
- 2.
What is Cloud Computing?
“Cloud computing is a model for enabling ubiquitous,
convenient, on-demand network access to a shared pool
of configurable computing resources (e.g., networks,
servers, storage, applications, and services) that can be
rapidly provisioned and released with minimal
management effort or service provider interaction. This
cloud model is composed of five essential
characteristics, three service models, and four
deployment models…”
- US National Institute of Standards and Technology (NIST), September 2011
- 3.
Why cloud?

Capability                        | From: Legacy environments | To: Cloud enabled enterprise
Server/Storage Utilisation        | 10-20%                    | 70-90%
Self service                      | None                      | Unlimited
Test Provisioning                 | Weeks                     | Minutes
Change Management                 | Months                    | Days/Hours
Release Management                | Weeks                     | Minutes
Metering/Billing                  | Fixed cost model          | Granular
Payback period for new services   | Years                     | Months

Cloud is a synergistic fusion which accelerates business value across a wide variety of domains.
- 4.
Cloud Deployment/Delivery and Security
Depending on an organization's readiness to adopt cloud, and appropriateness for a particular application, there are a wide array of deployment and delivery options.

• Private: IT capabilities are provided "as a service" over an intranet, within the enterprise and behind the firewall. Options range from Private Clouds and Managed Private Clouds in the Enterprise Data Center to Hosted Private Clouds. More control, more cost.
• Hybrid: internal and external service delivery methods are integrated through hybrid cloud gateways.
• Public: IT activities/functions are provided "as a service" over the Internet, as Shared Cloud Services or Public Cloud Services used by the users of several enterprises (A, B, ...). Less cost, less control.
- 5.
Security as a barrier to Cloud adoption
Over the past several years, security concerns surrounding cloud computing have become the most common inhibitor of widespread usage.
To gain the trust of organizations, cloud services must deliver security and privacy expectations that meet or exceed what is available in traditional IT environments.
(Figure: security and privacy expectations, and the trust they earn, in traditional IT versus in the cloud.)
- 6.
What is the threat and where is it evolving...
2010 was a record-setting year, with the largest number of vulnerability disclosures in history: 8,562.
This is a 27 percent increase over 2009, and the increase has had a significant operational impact for anyone managing large IT infrastructures.
The relative mix of vulnerability severities has not changed substantially over the past three years.
- 7.
Implications for cloud...
Distribution of Virtualization System Vulnerabilities:
• Hypervisor escape: 37.5%
• Admin VM: 17.5%
• Mgmt console: 16.25%
• Guest VM: 15%
• Mgmt Server: 6.25%
• Indeterminate: 6.25%
• Hypervisor: 1.25%
Over a third of the disclosed virtualization vulnerabilities are hypervisor escapes, the class that breaks the tenant isolation a shared cloud depends on; most of the remainder sit in the management and administrative surfaces rather than the hypervisor core itself.
- 8.
Approaches to delivering security need to align with each phase of a client's cloud project or initiative
Cloud Security Approach:
• Design – Establish a cloud strategy and implementation plan to get there. Secure by Design: focus on building security into the fabric of the cloud.
• Deploy – Build cloud services, in the enterprise and/or as a cloud services provider. Workload Driven: secure cloud resources with innovative features and products.
• Consume – Manage and optimize consumption of cloud services. Service Enabled: enable security through services and interfaces.
- 9.
Cloud computing impacts the implementation of security in fundamentally new ways
Security and Privacy Domains: People and Identity; Application and Process; Network, Server and Endpoint; Data and Information; Physical Infrastructure; Governance, Risk and Compliance.
What changes on the move to cloud: Multiple Logins, Numerous Roles; Multi-tenancy, Shared Resources; Audit Silos, Logging Difficulties; Provider Controlled, Lack of Visibility; Virtualization, Reduced Access; External Facing, Quick Provisioning.
In a cloud environment, access expands, responsibilities change, control shifts, and the speed of provisioning resources and applications increases, greatly affecting all aspects of IT security.
- 10.
Adoption patterns are emerging for successfully beginning and progressing cloud initiatives
• IaaS: Cut IT expense and complexity through a cloud enabled data center
• PaaS: Accelerate time to market with cloud platform services
• CSP: Innovate business models by becoming a cloud service provider
• SaaS: Gain immediate access with business solutions on cloud
- 11.
Each pattern has its own set of key security concerns

• Cloud Enabled Data Center (IaaS: cut IT expense and complexity through a cloud enabled data center). Integrated service management, automation, provisioning, self service.
– Logical and physical isolation
– Secure virtual machines
– Patch default images
– Encrypt stored data
– Assess self service portals
– Monitor logs on all resources
– Defend network perimeters
• Cloud Platform Services (PaaS: accelerate time to market with cloud platform services). Pre-built, pre-integrated IT infrastructures tuned to application-specific needs.
– Harden exposed applications
– Use cloud APIs properly
– Protect private information
– Secure shared databases
– Manage platform identities
– Integrate existing security controls with the cloud
• Cloud Service Provider (CSP: innovate business models by becoming a cloud service provider). Advanced platform for creating, managing, and monetizing cloud services.
– Isolate multiple cloud tenants
– Secure portals and APIs
– Manage security operations
– Build compliant data centers
– Offer backup and resiliency
– Integrate systems management and security
• Business Solutions on Cloud (SaaS: gain immediate access with business solutions on cloud). Capabilities provided to consumers for using a provider's applications.
– Federate identity between the cloud and on-premise IT
– Proper user authentication
– Audit and compliance testing
– Encrypt data, both in motion and at rest
– Integrate existing security
- 12.
Understanding cloud security: using Cloud Reference Model with foundational security controls
IBM Cloud Reference Model (the controls apply across Design, Deploy and Consume):
• Cloud Governance – cloud-specific security governance including directory synchronization and geo-locational support
• Security Governance, Risk Management & Compliance – security governance including maintaining security policy and audit and compliance measures
• Problem & Information Security Incident Management – managing and responding to expected and unexpected events
• Identity and Access Management – strong focus on authentication of users and management of identity
• Discover, Categorize, Protect Data & Information Assets – strong focus on protection of data at rest or in transit
• Information Systems Acquisition, Development, and Maintenance – management of application and virtual machine deployment
• Secure Infrastructure Against Threats and Vulnerabilities – management of vulnerabilities and their associated mitigations, with strong focus on network and endpoint protection
• Physical and Personnel Security – protection for physical assets and locations including networks and data centers, as well as employee security
- 13.
Protecting and managing risk in the cloud builds on traditional approaches, applied to new models. Each model has different aspects to consider.
One Size Does Not Fit All: different security controls are appropriate for different cloud needs; the challenge becomes one of integration, coexistence, and recognizing what solution is best for a given workload.
(Figure: IBM Cloud Security mapped onto the IBM Security Framework.)
- 14.
Case study
• Multinational FTSE 100
– Seeking to perform large data analysis project
– CIO instruction - “Use the cloud !”
– Security team - “Here’s our security policy…”
– Infrastructure as a service
• Solution
– De-personalise data
– Evidence of baseline security controls
– Added extra security controls
– Rethink security policy
• Outcome
– Lower costs
– Confidence in security
– Flexible and scalable infrastructure
(Figure: level of security compared across Provider 1, Provider 2, the customer's policy and the final solution.)
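The first step of the case study's solution, de-personalising the data before it is handed to an IaaS provider, as an added Python example that is not part of the original slides or of IBM's tooling. Direct identifiers are replaced by keyed pseudonyms (HMAC-SHA256 under a key that stays on-premise), so the provider sees only tokens yet records can still be joined in the cloud and only the key holder can map them back; quasi-identifiers are generalised (date of birth to an age band, postcode to its outward code); free-text columns are dropped; and a pre-export check refuses a data set that still carries raw identifiers. The field names, sample records, demo key and the "as of" date are all constructed assumptions for illustration.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample records, as they might sit on-premise before export.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com", "dob": "1984-03-12",
     "postcode": "SW1A 1AA", "spend": 412.50, "notes": "called about billing"},
    {"customer_id": "C-1002", "email": "Bob@Example.com", "dob": "1991-11-30",
     "postcode": "M1 2AB", "spend": 98.00, "notes": "VIP"},
    {"customer_id": "C-1001", "email": "alice@example.com", "dob": "1984-03-12",
     "postcode": "SW1A 1AA", "spend": 15.99, "notes": ""},
]

# Constructed demo key (assumption). In practice the key is generated and held
# on-premise (HSM/KMS) and is never shipped alongside the exported data.
DEMO_KEY = b"on-prem-demo-key-not-for-real-use"

DIRECT_IDENTIFIERS = ("customer_id", "email")  # replaced by keyed pseudonyms
QUASI_IDENTIFIERS = ("dob", "postcode")        # generalised and renamed
DROPPED = ("notes",)                           # free text never leaves


def pseudonymise(value: str, key: bytes, field: str) -> str:
    """Keyed, deterministic token for one identifier value.

    Same input gives the same token, so joins still work in the cloud; without
    the key the token cannot be reversed or rebuilt by hashing a dictionary of
    likely values, which an unkeyed hash would allow. The field name is mixed
    in so the same string in two columns yields unrelated tokens.
    """
    msg = f"{field}:{value.strip().lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]  # 96-bit token


def age_band(dob_iso: str, today: date) -> str:
    """Generalise an ISO date of birth to a ten-year band such as '20-29'."""
    y, m, d = map(int, dob_iso.split("-"))
    age = today.year - y - ((today.month, today.day) < (m, d))
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def postcode_area(postcode: str) -> str:
    """Keep only the outward code of a UK postcode ('SW1A 1AA' -> 'SW1A')."""
    return postcode.strip().upper().split()[0]


def depersonalise(records, key: bytes, today: date):
    """Return export-safe copies of the records; the originals are untouched."""
    out = []
    for record in records:
        row = {}
        for name, value in record.items():
            if name in DROPPED:
                continue
            if name in DIRECT_IDENTIFIERS:
                row[name] = pseudonymise(value, key, name)
            elif name == "dob":
                row["age_band"] = age_band(value, today)
            elif name == "postcode":
                row["postcode_area"] = postcode_area(value)
            else:
                row[name] = value  # measures such as spend pass through
        out.append(row)
    return out


def leaks_identifiers(original, exported) -> bool:
    """Pre-export gate: True if any raw identifier value or any quasi/dropped
    column survived into the exported rows."""
    raw_values = {r[k] for r in original for k in DIRECT_IDENTIFIERS}
    for row in exported:
        if any(name in row for name in QUASI_IDENTIFIERS + DROPPED):
            return True
        if any(v in raw_values for v in row.values() if isinstance(v, str)):
            return True
    return False


if __name__ == "__main__":
    rows = depersonalise(SAMPLE_RECORDS, DEMO_KEY, date(2012, 5, 22))
    if leaks_identifiers(SAMPLE_RECORDS, rows):
        raise SystemExit("refusing to export: identifiers still present")
    for row in rows:
        print(row)
```

The pseudonym table (token to customer) is never materialised here; it only exists implicitly in the on-premise key, so re-identification is a deliberate on-premise operation rather than something the provider or a subpoena of the cloud copy can perform. Generalisation of quasi-identifiers matters because a date of birth plus a full postcode is usually enough to single out an individual even when the name is gone.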
- 15.
What are the issues we will face going forward...
(The security and privacy domains and the cloud-driven changes to each are the same as on slide 9.)
Driven by multiple people accessing multiple devices via multiple clouds.
Standardisation, Interoperability, Big Data, Governance
- 16.
In summary
Over the past several years, security concerns surrounding cloud computing have become the most common inhibitor of widespread usage.
This often translates to: where is my data, who will be able to access it, and how will I maintain oversight and governance?
Each cloud model has different features which change the way security gets delivered, which in turn changes the way we look at security governance and assurance.
Determining your desired security posture and enabling cloud in such a way that the new risks can be managed in a rapidly changing landscape....
(Figure: private cloud, public cloud and hybrid IT.)