Security Building Blocks of the IBM Cloud Computing Reference Architecture


Published on

This is the presentation I have given at the Secure Cloud 2014 conference in Amsterdam with a small update: it contains the link to the website with additional information about security use cases in the different Cloud models ( IaaS, PaaS, SaaS )

Published in: Technology

Security Building Blocks of the IBM Cloud Computing Reference Architecture

  1. 1. © 2014 IBM Corporation IBM Security Systems 1© 2014 IBM Corporation Security Building Blocks of the Cloud Computing Reference Architecture Stefaan Van daele Senior Security Architect – IBM Europe stefaan_vandaele at stefaanvda
  2. 2. © 2014 IBM Corporation IBM Security Systems 22 Security Requirements in Cloud Solutions
  3. 3. © 2014 IBM Corporation IBM Security Systems 3 Different cloud deployment models also change the way we think about security Private cloud Public cloud On or off premises cloud infrastructure operated solely for an organization and managed by the organization or a third party Available to the general public or a large industry group and owned by an organization selling cloud services. Hybrid IT Traditional IT and clouds (public and/or private) that remain separate but are bound together by technology that enables data and application portability - Customer responsibility for infrastructure − More customization of security controls − Good visibility into day-to-day operations − Easy to access to logs and policies − Applications and data remain “inside the firewall” − Provider responsibility for infrastructure − Less customization of security controls − No visibility into day-to-day operations − Difficult to access to logs and policies − Applications and data are publically exposed Changes in Security and Privacy
  4. 4. © 2014 IBM Corporation IBM Security Systems 4 Minimizing the risks of cloud computing requires a strategic approach  Define a cloud strategy with security in mind – Identify the different workloads and how they need to interact. – Which models are appropriate based on their security and trust requirements and the systems they need to interface to?  Identify the security measures needed – Using a methodology such as the IBM Security Framework allows teams to measure what is needed in areas such as governance, architecture, applications and assurance. Enabling security for the cloud – Define the upfront set of assurance measures that must be taken. – Assess that the applications, infrastructure and other elements meet the security requirements, as well as operational security measures.
  5. 5. © 2014 IBM Corporation IBM Security Systems 5 Our approach to delivering security aligns with each phase of an organization’s cloud project or initiative Design Deploy Consume Establish a cloud strategy and implementation plan to get there. Build cloud services, in the enterprise and/or as a cloud services provider. Manage and optimize consumption of cloud services. Example security capabilities  Cloud security roadmap  Secure development  Network threat protection  Server security  Database security  Application security  Virtualization security  Endpoint protection  Configuration and patch management  Identity and access management  Secure cloud communications  Managed security services Secure by Design Focus on building security into the fabric of the cloud. Workload Driven Secure cloud resources with innovative features and products. Service Enabled Govern the cloud through ongoing security operations and workflow. IBM Cloud Security Approach
  6. 6. © 2014 IBM Corporation IBM Security Systems 6 Adoption patterns are emerging for successfully beginning and progressing cloud initiatives IBM Cloud Security - One Size Does Not Fit All Different security controls are appropriate for different cloud needs - the challenge becomes one of integration, coexistence, and recognizing what solution is best for a given workload.
  7. 7. © 2014 IBM Corporation IBM Security Systems 7 Capabilities provided to consumers for using a provider’s applications Key security focus: Compliance and Governance Harden exposed applications Securely federate identity Deploy access controls Encrypt communications Manage application policies Integrated service management, automation, provisioning, self service Key security focus: Infrastructure and Identity  Manage datacenter identities  Secure virtual machines  Patch default images  Monitor logs on all resources  Network isolation Pre-built, pre-integrated IT infrastructures tuned to application-specific needs Key security focus: Applications and Data  Secure shared databases  Encrypt private information  Build secure applications  Keep an audit trail  Integrate existing security Advanced platform for creating, managing, and monetizing cloud services Key security focus: Data and Compliance  Isolate cloud tenants  Policy and regulations  Manage security operations  Build compliant data centers  Offer backup and resiliency Each pattern has its own set of key security concerns Cloud Enabled Data Center Cloud Platform Services Cloud Service Provider Business Solutions on Cloud Infrastructure as a Service (IaaS): Cut IT expense and complexity through cloud data centers Platform-as-a-Service (PaaS): Accelerate time to market with cloud platform services Innovate business models by becoming a cloud service provider Software as a Service (SaaS): Gain immediate access with business solutions on cloud Security Intelligence – threat intelligence, user activity monitoring, real time insights
  8. 8. © 2014 IBM Corporation IBM Security Systems 88 Cloud Computing Reference Architecture (CCRA)
  9. 9. © 2014 IBM Corporation IBM Security Systems 9 March 2009 Initiated CCAB SC CCMP Reference Architecture Early 2012 • Release CCRA 2.5 • Reach milestone of ~1500 IBMers formally educated on the CCRA July 2011 Released “CCRA 2.0 for Business Partners” February 2011 Submitted CCRA to The Open Group Evolution of the Cloud Computing Reference Architecture (CCRA 3.0) November 2012 • Release CCRA 3.0 • Adoption Patterns  Prescriptive guidance on IaaS/PaaS/CSP/SaaS March 2011 Release CCRA 2.0March 2010 Published CC & CCMP Reference Architecture 1.0 October 2010 Used in Cloud Launch and various customer/analyst sessions April 2011 Public Cloud RA whitepaper available on 2012/13 CCRA Standardization ongoing Defined overall architectural foundation Added product- and –integration focused solution architectures
  10. 10. © 2014 IBM Corporation IBM Security Systems 10 Represents the aggregate experience from hundreds of cloud client engagements and IBM-hosted cloud implementations –Based on knowledge of IBM’s services, software & system experiences, including IBM Research Provides prescriptive guidance on how to build IaaS, PaaS, SaaS and service provider clouds using IBM technologies Reflected in the design of – Clouds IBM implements for clients – IBM-hosted cloud services – IBM cloud appliances – IBM cloud products Public Cloud RA whitepaper available on CCRA OpenGroup submission: The IBM Cloud Computing Reference Architecture (CCRA) Governance Security, Resiliency, Performance & Consumability Cloud Service Creator Cloud Service Consumer Cloud Service Provider Common Cloud Management Platform (CCMP) Operational Support Services (OSS) Cloud Services Infrastructure-as-a-Service Platform-as-a-Service Software-as-a-Service Business-Process- as-a-Service Business Support Services (BSS) Cloud Service Integration Tools Consumer In-house IT Service Creation Tools Infrastructure Existing & 3rd party services, Partner Ecosystems CCRA 3.0 Common Reference Architecture Foundation Cloud-enabled data center / building IaaS Platform Services Cloud Service Provider Building SaaS
  11. 11. © 2014 IBM Corporation IBM Security Systems 11 CCRA Detailed Overview
  12. 12. © 2014 IBM Corporation IBM Security Systems 12 CCRA Security Component Model *Infrastructure Includes – Server, Network, Storage Security Components Security Intelligence, Analytics and GRC People Data Applications Infrastructure* Security Governance, Risk Management & Compliance Security Information & Event Management Data & Information SecurityIdentity & Access Management Security Intelligence Physical & Personnel Security Threat & Intrusion Prevention Security Policy Management Encryption & Key Management Secure Application Development Endpoint Management!/wiki/Wf3cce8ff09b3_49d2_8ee7_4e49c1ef5d22/p age/IBM%20Cloud%20Computing%20Reference%20Architecture%203.0 Additional information can be found here :
  13. 13. © 2014 IBM Corporation IBM Security Systems 13 Using the IBM Security Framework, we articulate the way we address security in the Cloud in terms of Foundational Controls IBM Cloud Security Reference Model Cloud Governance Cloud specific security governance including directory synchronization and geo locational support Security Governance, Risk Management & Compliance Security governance including maintaining security policy and audit and compliance measures Problem & Information Security Incident Management Management and responding to expected and unexpected events Identity and Access Management Strong focus on authentication of users and management of identity Discover, Categorize, Protect Data & Information Assets Strong focus on protection of data at rest or in transit Information Systems Acquisition, Development, and Maintenance Management of application and virtual Machine deployment Secure Infrastructure Against Threats and Vulnerabilities Management of vulnerabilities and their associated mitigations with strong focus on network and endpoint protection Physical and Personnel Security Protection for physical assets and locations including networks and data centers, as well as employee security DeployDesignConsume
  14. 14. © 2014 IBM Corporation IBM Security Systems 14 Understand Client Define Client Requirements Design Solution Detail Design Define Roadmap & 1st Project Business Driver Actors and use cases Non-functional requirements System context Architecture decisions Architecture overview Component model Operational model Solution integration Details Cloud roadmap Project description Viability Assessment Solution Approach - Summary Get a thorough understanding of their existing IT environment and identify the client’s Cloud Adoption Pattern Identify actors, workloads and associated use cases and identify security requirements for each scenario Define the Architecture Overview Identify the building blocks and controls needed leveraging the IBM Security Framework and Cloud Foundational Controls Define the project plan with overall timeline, phases and key milestones, and overall delivery Use the CCRA Security Component Model to identify required components and their interactions for the solution Realize the component by mapping to the capabilities in our products / services portfolio Leverage assets to build the deployment architecture and integration requirements
  15. 15. © 2014 IBM Corporation IBM Security Systems 15 Cloud Enabled Data Center - simple use case Cloud Enabled Data Center Self-Service GUI Cloud Platform User identity is verified and authenticated 1 Available Resource Resource Pool Resource chosen from correct security domain 2 Image Library Machine Image VM is configured with appropriate security policy 3 Hypervisor Configured Machine Image Virtual Machine Virtual Machine Image provisioned behind FW / IPS 4 Host security installed and updated 5 SW Catalog Config Binaries Software patches applied and up-to-date 6 Identity & Access Management Security Information & Event Management Endpoint Management Threat & Intrusion Prevention
  16. 16. © 2014 IBM Corporation IBM Security Systems 1616 One component in detail: Security Information and Event Management
  17. 17. © 2014 IBM Corporation IBM Security Systems 17 Security Components Security Intelligence Analytics and GRC People Data Applications Infrastructure* Security Governance, Risk Management & Compliance Security Information & Event Management Data & Information SecurityIdentity & Access Management Security Intelligence Physical & Personnel Security Threat & Intrusion Prevention Security Policy Management Encryption & Key Management Secure Application Development Endpoint Management Security Component Model – Cloud Enabled Data Center *Infrastructure Includes – Server, Network, Storage
  18. 18. © 2014 IBM Corporation IBM Security Systems 18 Generic security service catalog for Security Operations Risk and Compliance Compliance Reporting Risk Reporting Compliance Controlling Records Management Fraud Detection Risk Identification Digital Forensics Supervisory ServicesCompliance Management Evidence ManagementRisk Management Analytics Services Security & Compliance Dashboard Threat and Vulnerability Management Vulnerability Remediation Vulnerability Analysis Vulnerability Discovery Security Information and Event ManagementVulnerability Management Security Event Correlation & Normalization Security Log Collection & Normalization Security Monitoring and Alerting Security Problem and Incident Response Threat Analysis Security Threat and Vulnerability Research Threat Identification Security Intelligence Threat Management Threat Mitigation IT Service Management Incident and Problem Management Asset Management Asset Administration IT Service Management Asset Management
  19. 19. © 2014 IBM Corporation IBM Security Systems 19 Ceilometer Usage / Performance Monitoring + Auditing “Datastores” Core API Layer “Filter” audits all Open Stack API calls CADF AWS CloudTrail OpenStack Audit (CADF) Practical example: SIEM across hybrid cloud deployments Workloads deployed in private virtual Environments Public Cloud Services
  20. 20. © 2014 IBM Corporation IBM Security Systems 20 © Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.