© 2011 IBM Corporation
Cloud Security
Glenn Ambler, IBM Security Architect
22nd May, 2012
Glenn.ambler@uk.ibm.com
What is Cloud Computing?
“Cloud computing is a model for enabling ubiquitous,
convenient, on-demand network access to a shared pool
of configurable computing resources (e.g., networks,
servers, storage, applications, and services) that can be
rapidly provisioned and released with minimal
management effort or service provider interaction. This
cloud model is composed of five essential
characteristics, three service models, and four
deployment models…”
- US National Institute of Standards and Technology (NIST), September 2011
Why cloud?
Cloud is a synergistic fusion which accelerates business value across a wide variety of domains.
Capability | From (Legacy environments) | To (Cloud enabled enterprise)
Server/Storage Utilisation | 10-20% | 70-90%
Self service | None | Unlimited
Test Provisioning | Weeks | Minutes
Change Management | Months | Days/Hours
Release Management | Weeks | Minutes
Metering/Billing | Fixed cost model | Granular
Payback period for new services | Years | Months
Cloud Deployment/Delivery and Security
Depending on an organization's readiness to adopt cloud, and appropriateness for a particular application, there is a wide array of deployment and delivery options.
• Private: IT capabilities are provided "as a service" over an intranet, within the enterprise and behind the firewall
• Hybrid: Internal and external service delivery methods are integrated through hybrid cloud gateways
• Public: IT activities/functions are provided "as a service" over the Internet
Deployment options shown: Private Clouds, Managed Private Clouds, Hosted Private Clouds, Shared Cloud Services, Public Cloud Services
[Diagram labels: Enterprise Data Center; Enterprise Users; Enterprise A, B; More Cost; Less Control; Less Cost; More Control]
Security as a barrier to Cloud adoption
Over the past several years, security
concerns surrounding cloud
computing have become the most
common inhibitor of widespread usage.
To gain the trust of organizations, cloud
services must deliver security and privacy
expectations that meet or exceed what is
available in traditional IT environments.
[Figure labels: Trust; Traditional IT; In the Cloud; Security and Privacy Expectations]
What is the threat and where is it evolving…
2010 was a record-setting year, with the largest number of
vulnerability disclosures in history: 8,562.
This is a 27 percent increase over 2009, and this increase
has had a significant operational impact
on anyone managing large IT infrastructures.
The relative mix of vulnerability severities has not
changed substantially for the past three years.
Implications for cloud….
Distribution of Virtualization System Vulnerabilities
Indeterminate: 6.25%
Hypervisor: 1.25%
Mgmt Server: 6.25%
Guest VM: 15%
Mgmt console: 16.25%
Admin VM: 17.5%
Hypervisor escape: 37.5%
Approaches to delivering security need to align with each phase of a
client’s cloud project or initiative
• Design: Establish a cloud strategy and implementation plan to get there.
  Cloud Security Approach: Secure by Design. Focus on building security into the fabric of the cloud.
• Deploy: Build cloud services, in the enterprise and/or as a cloud services provider.
  Cloud Security Approach: Workload Driven. Secure cloud resources with innovative features and products.
• Consume: Manage and optimize consumption of cloud services.
  Cloud Security Approach: Service Enabled. Enable security through services and interfaces.
Cloud computing impacts the implementation of security in
fundamentally new ways
Security and Privacy Domains:
• People and Identity
• Application and Process
• Network, Server and Endpoint
• Data and Information
• Physical Infrastructure
• Governance, Risk and Compliance
To cloud:
• Multiple Logins, Numerous Roles
• Multi-tenancy, Shared Resources
• Audit Silos, Logging Difficulties
• Provider Controlled, Lack of Visibility
• Virtualization, Reduced Access
• External Facing, Quick Provisioning
In a cloud environment, access expands, responsibilities change, control
shifts, and the speed of provisioning resources and applications increases -
greatly affecting all aspects of IT security.
Adoption patterns are emerging for successfully beginning
and progressing cloud initiatives
• IaaS: Cut IT expense and complexity through a cloud enabled data center
• PaaS: Accelerate time to market with cloud platform services
• CSP: Innovate business models by becoming a cloud service provider
• SaaS: Gain immediate access with business solutions on cloud
Each pattern has its own set of key security concerns

Cloud Enabled Data Center (IaaS)
Integrated service management, automation, provisioning, self service
• Logical and physical isolation
• Secure virtual machines
• Patch of default images
• Encrypt stored data
• Assess self service portals
• Monitor logs on all resources
• Defend network perimeters

Cloud Platform Services (PaaS)
Pre-built, pre-integrated IT infrastructures tuned to application-specific needs
• Harden exposed applications
• Use cloud APIs properly
• Protect private information
• Secure shared databases
• Manage platform identities
• Integrate existing security controls with the cloud

Cloud Service Provider (CSP)
Advanced platform for creating, managing, and monetizing cloud services
• Isolate multiple cloud tenants
• Secure portals and APIs
• Manage security operations
• Build compliant data centers
• Offer backup and resiliency
• Integrate systems management and security

Business Solutions on Cloud (SaaS)
Capabilities provided to consumers for using a provider’s applications
• Federate identity between the cloud and on-premise IT
• Proper user authentication
• Audit and compliance testing
• Encrypt data, both in motion and at rest
• Integrate existing security
Understanding cloud security: using Cloud Reference Model with
foundational security controls
IBM Cloud Reference Model
• Cloud Governance: Cloud specific security governance including directory synchronization and geo locational support
• Security Governance, Risk Management & Compliance: Security governance including maintaining security policy and audit and compliance measures
• Problem & Information Security Incident Management: Management and responding to expected and unexpected events
• Identity and Access Management: Strong focus on authentication of users and management of identity
• Discover, Categorize, Protect Data & Information Assets: Strong focus on protection of data at rest or in transit
• Information Systems Acquisition, Development, and Maintenance: Management of application and virtual machine deployment
• Secure Infrastructure Against Threats and Vulnerabilities: Management of vulnerabilities and their associated mitigations with strong focus on network and endpoint protection
• Physical and Personnel Security: Protection for physical assets and locations including networks and data centers, as well as employee security
[Diagram labels: Design, Deploy, Consume]
Protection and risk management in the cloud build on traditional
approaches, applied to new models. Each model has different
aspects to consider.
Different security controls are appropriate for
different cloud needs - the challenge becomes
one of integration, coexistence, and recognizing
what solution is best for a given workload.
IBM Cloud Security
One Size Does Not Fit All
IBM Security Framework
Case study
• Multinational FTSE 100
– Seeking to perform large data analysis project
– CIO instruction - “Use the cloud !”
– Security team - “Here’s our security policy…”
– Infrastructure as a service
• Solution
– De-personalise data
– Evidence of baseline security controls
– Added extra security controls
– Rethink security policy
• Outcome
– Lower costs
– Confidence in security
– Flexible and scalable infrastructure
[Chart: Level of security, compared for Provider 1, Provider 2, Customer Policy and Final Solution]
What are the issues we will face going forward…
Security and Privacy Domains:
• People and Identity
• Application and Process
• Network, Server and Endpoint
• Data and Information
• Physical Infrastructure
• Governance, Risk and Compliance
To cloud:
• Multiple Logins, Numerous Roles
• Multi-tenancy, Shared Resources
• Audit Silos, Logging Difficulties
• Provider Controlled, Lack of Visibility
• Virtualization, Reduced Access
• External Facing, Quick Provisioning
Driven by multiple people accessing multiple devices via multiple clouds
Standardisation Interoperability Big Data Governance
In summary
Over the past several years, security concerns
surrounding cloud computing have become the most
common inhibitor of widespread usage.
This often translates to: where is my data, who will be able
to access it, and how will I maintain oversight and
governance?
Each cloud model has different features, which change the
way security gets delivered and, in turn, the way
we look at security governance and assurance.
Determining your desired security posture and enabling
cloud in such a way that the new risks can be managed in
a rapidly changing landscape....
Private cloud
Public cloud
Hybrid IT
Resources

Cloud Security Essentials

  • 1. © 2011 IBM Corporation Cloud Security Glenn Ambler, IBM Security Architect 22nd May, 2012 Glenn.ambler@uk.ibm.com
  • 2. © 2011 IBM Corporation 2 What is Cloud Computing? “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models…” - US National Institute of Standards and Technology (NIST), September 2011
  • 3. © 2011 IBM Corporation Server/Storage Utilisation 10-20% Self service None Test Provisioning Weeks Change Management Months Release Management Weeks Metering/Billing Fixed cost model Payback period for new services Years 70-90% Unlimited Minutes Days/Hours Minutes Granular Months Legacy environments Cloud enabled enterprise Cloud is a synergistic fusion which accelerates business value across a wide variety of domains. Capability From To Why cloud?
  • 4. © 2011 IBM Corporation Cloud Deployment/Delivery and Security Depending on an organization's readiness to adopt cloud, and appropriateness for a particular application, there are a wide array of deployment and delivery options Hybrid Internal and external service delivery methods are integrated through hybrid cloud gateways IT capabilities are provided "as a service" over an intranet, within the enterprise and behind the firewall IT activities/functions are provided "as a service" over the Internet Private Public Private Clouds Managed Private Clouds Hosted Private Clouds Shared Cloud Services Public Cloud Services Enterprise Data Center Enterprise Data Center Enterprise Users A B Enterprise A BMore Cost Less Control Less Cost More Control
  • 5. Security as a barrier to Cloud adoption. Over the past several years, security concerns surrounding cloud computing have become the most common inhibitor of widespread usage. To gain the trust of organizations, cloud services must deliver security and privacy expectations that meet or exceed what is available in traditional IT environments.
      [Figure: Trust; Security and Privacy Expectations, Traditional IT vs. In the Cloud]
  • 6. What is the threat and where is it evolving… 2010 was a record-setting year, with the largest number of vulnerability disclosures in history: 8,562. This is a 27 percent increase over 2009, and this increase has had a significant operational impact for anyone managing large IT infrastructures. The relative mix of vulnerability severities has not changed substantially for the past three years.
  • 7. Implications for cloud… Distribution of Virtualization System Vulnerabilities:
      – Hypervisor escape: 37.5%
      – Admin VM: 17.5%
      – Mgmt console: 16.25%
      – Guest VM: 15%
      – Mgmt Server: 6.25%
      – Indeterminate: 6.25%
      – Hypervisor: 1.25%
  • 8. Approaches to delivering security need to align with each phase of a client’s cloud project or initiative. Cloud Security Approach:
      – Design: Establish a cloud strategy and implementation plan to get there. Secure by Design: Focus on building security into the fabric of the cloud.
      – Deploy: Build cloud services, in the enterprise and/or as a cloud services provider. Workload Driven: Secure cloud resources with innovative features and products.
      – Consume: Manage and optimize consumption of cloud services. Service Enabled: Enable security through services and interfaces.
  • 9. Cloud computing impacts the implementation of security in fundamentally new ways. In a cloud environment, access expands, responsibilities change, control shifts, and the speed of provisioning resources and applications increases - greatly affecting all aspects of IT security.
      Security and Privacy Domains: People and Identity; Application and Process; Network, Server and Endpoint; Data and Information; Physical Infrastructure; Governance, Risk and Compliance
      To cloud: Multiple Logins, Numerous Roles; Multi-tenancy, Shared Resources; Audit Silos, Logging Difficulties; Provider Controlled, Lack of Visibility; Virtualization, Reduced Access; External Facing, Quick Provisioning
  • 10. Adoption patterns are emerging for successfully beginning and progressing cloud initiatives:
      – IaaS: Cut IT expense and complexity through a cloud enabled data center
      – PaaS: Accelerate time to market with cloud platform services
      – CSP: Innovate business models by becoming a cloud service provider
      – SaaS: Gain immediate access with business solutions on cloud
  • 11. Each pattern has its own set of key security concerns:
      – Cloud Enabled Data Center (IaaS: Cut IT expense and complexity through a cloud enabled data center). Integrated service management, automation, provisioning, self service. Concerns: Logical and physical isolation; Secure virtual machines; Patch of default images; Encrypt stored data; Assess self service portals; Monitor logs on all resources; Defend network perimeters
      – Cloud Platform Services (PaaS: Accelerate time to market with cloud platform services). Pre-built, pre-integrated IT infrastructures tuned to application-specific needs. Concerns: Harden exposed applications; Use cloud APIs properly; Protect private information; Secure shared databases; Manage platform identities; Integrate existing security controls with the cloud
      – Cloud Service Provider (Innovate business models by becoming a cloud service provider). Advanced platform for creating, managing, and monetizing cloud services. Concerns: Isolate multiple cloud tenants; Secure portals and APIs; Manage security operations; Build compliant data centers; Offer backup and resiliency; Integrate systems management and security
      – Business Solutions on Cloud (SaaS: Gain immediate access with business solutions on cloud). Capabilities provided to consumers for using a provider’s applications. Concerns: Federate identity between the cloud and on-premise IT; Proper user authentication; Audit and compliance testing; Encrypt data, both in motion and at rest; Integrate existing security
  • 12. Understanding cloud security: using Cloud Reference Model with foundational security controls (IBM Cloud Reference Model; phases: Design, Deploy, Consume)
      – Cloud Governance: Cloud specific security governance including directory synchronization and geo locational support
      – Security Governance, Risk Management & Compliance: Security governance including maintaining security policy and audit and compliance measures
      – Problem & Information Security Incident Management: Management and responding to expected and unexpected events
      – Identity and Access Management: Strong focus on authentication of users and management of identity
      – Discover, Categorize, Protect Data & Information Assets: Strong focus on protection of data at rest or in transit
      – Information Systems Acquisition, Development, and Maintenance: Management of application and virtual machine deployment
      – Secure Infrastructure Against Threats and Vulnerabilities: Management of vulnerabilities and their associated mitigations with strong focus on network and endpoint protection
      – Physical and Personnel Security: Protection for physical assets and locations including networks and data centers, as well as employee security
  • 13. Protecting and risk management in the cloud building on traditional approaches, applied to new models. Each model has different aspects to consider. Different security controls are appropriate for different cloud needs - the challenge becomes one of integration, coexistence, and recognizing what solution is best for a given workload.
      [Figure: IBM Cloud Security: One Size Does Not Fit All; IBM Security Framework]
  • 14. Case study
      • Multinational FTSE 100
        – Seeking to perform large data analysis project
        – CIO instruction - “Use the cloud!”
        – Security team - “Here’s our security policy…”
        – Infrastructure as a service
      • Solution
        – De-personalise data
        – Evidence of baseline security controls
        – Added extra security controls
        – Rethink security policy
      • Outcome
        – Lower costs
        – Confidence in security
        – Flexible and scalable infrastructure
      [Chart: Level of security for Provider 1, Provider 2, Customer Policy, Final Solution]
  • 15. What are the issues we will face going forward… Driven by multiple people accessing multiple devices via multiple clouds: Standardisation; Interoperability; Big Data; Governance
      Security and Privacy Domains: People and Identity; Application and Process; Network, Server and Endpoint; Data and Information; Physical Infrastructure; Governance, Risk and Compliance
      To cloud: Multiple Logins, Numerous Roles; Multi-tenancy, Shared Resources; Audit Silos, Logging Difficulties; Provider Controlled, Lack of Visibility; Virtualization, Reduced Access; External Facing, Quick Provisioning
  • 16. In summary. Over the past several years, security concerns surrounding cloud computing have become the most common inhibitor of widespread usage. This often translates to: where is my data, who will be able to access it, and how will I maintain oversight and governance? Each cloud model has different features, which changes the way security gets delivered and, in turn, the way we look at security governance and assurance. Determining your desired security posture and enabling cloud in such a way that the new risks can be managed in a rapidly changing landscape...
      [Diagram: Private cloud, Public cloud, Hybrid IT]
  • 17. Resources