5 Easy Steps to Securing Workloads on Public Clouds
IBM Security Systems
© 2012 IBM Corporation
© 2014 IBM Corporation
Jeff Hoy
Cloud Security Architect
IBM Security Systems, CTO Office
May 21, 2014
Please Note
IBM’s statements regarding its plans, directions, and intent are subject to change
or withdrawal without notice at IBM’s sole discretion.
Information regarding potential future products is intended to outline our general
product direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a
commitment, promise, or legal obligation to deliver any material, code or
functionality. Information about potential future products may not be incorporated
into any contract. The development, release, and timing of any future features or
functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM
benchmarks in a controlled environment. The actual throughput or performance
that any user will experience will vary depending upon many factors, including
considerations such as the amount of multiprogramming in the user’s job stream,
the I/O configuration, the storage configuration, and the workload processed.
Therefore, no assurance can be given that an individual user will achieve results
similar to those stated here.
Goals of This Webinar
1. Share our views about Cloud Security
• How cloud is changing security
• Impact to your organization
2. 5 Easy Steps to securing workloads
• Topology-based options
• Detailed examples
3. Looking forward
• Trends in cloud direction
• Emerging security capabilities
Speaker Background
About Jeff
• Cloud Security Architect
• IBM Security Systems
• CTO Team
• 12+ years with IBM
• jeffhoy@us.ibm.com
Focus Areas:
• Cloud Security Enablement
• SaaS Security
• Hybrid Cloud
• Next Generation Cloud Security
Topic: Securing the Cloud
Security in the Cloud
Security objectives reflect responsibilities when adopting Cloud
Software as a Service (SaaS)
Organization / Buyers: CxOs (CIO, CMO, CHRO, ...)
Security Responsibilities and Objectives:
• Complete visibility to enterprise SaaS usage and risk profiling
• Governance of user access to SaaS and identity federation
Platform as a Service (PaaS)
Organization / Buyers: Application teams, LOBs
Security Responsibilities and Objectives:
• Enable developers to compose secure cloud applications and APIs, with enhanced user experience
• Visibility and protection against fraud and applications threats
Infrastructure as a Service (IaaS)
Organization / Buyers: CIO, IT teams
Security Responsibilities and Objectives:
• Protect the cloud infrastructure to securely deploy workloads and meet compliance objectives
• Have full operational visibility across hybrid cloud deployments, and govern usage
Traditional perimeter based security controls …
[Diagram labels: Trusted Intranet; DMZ; Untrusted Internet; Online Banking Application; Employee Application]
Traditional perimeter based security controls …
… are changing to security centered around applications and interactions
[Diagram labels: Trusted Intranet; DMZ; Untrusted Internet; Online Banking Application; Investment API Services; Employee Application; Apps, APIs, Services; Build and Deliver Apps, Services (PaaS); Consume Apps and Services (SaaS); Leverage Public Clouds (IaaS)]
Cloud Security Capabilities
We see three sets of capabilities to help adopt cloud with confidence
• Identity: Manage identities and govern user access
• Protection: Protect infrastructure, applications, and data from threats
• Insight: Auditable intelligence on cloud access, activity, cost and compliance
IaaS: Securing infrastructure and workloads
SaaS: Secure usage of business applications
PaaS: Secure service composition and apps
Bluemix
How will complex environments evolve for your organization?
Topic: 5 Easy Steps
5 Easy Steps
to Securing Workloads
on Public Clouds
Step #1: Basic Security Enablement
Traditional on-premise: IPS, Visibility, Data Security, Scanning, TLS, Firewalls, SOA Appliance, Endpoint Mgmt, User Admin
Public cloud-based: IPS, Visibility, Data Security, Scanning, TLS, Firewalls, SOA Appliance, Endpoint Mgmt, User Admin
Same principles apply
Example #1: Securing Workloads on Cloud Infrastructure (IaaS)
[Diagram labels. Enterprise Roles: Cloud Admins, Security Team, Application Team. Activities: Provision secure cloud infrastructure; Configure application centric security policies; Monitor & manage security posture. Service users: Securely Access Cloud services. Components: User Access, Customer Application, Network Protection, Security Intelligence, Data Security]
Step #2: Pattern-Based Security
[Diagram labels: System Template; Pattern Engine; Preconfigured Systems; Customize. Capabilities shown: IPS, Data Security, Scanning, TLS, Firewalls, SOA Appliance, Endpoint Mgmt, Visibility]
Example #2: Secure Image Deployment
Virtual Image
• Apache HTTP Server
• WebSphere Liberty
• Banking EJB
• IBM Access Manager
• IBM Identity Manager
• Restrictive Firewalls
• Endpoint Manager
• Disk encryption
• Credential Vault
Deploy Images
Update Images
• IP Address
• Hostname
• Credentials, etc
Production System
Step #3: Automation-Enabled Pattern & Policy-driven Approaches
Shared Security Services
REST APIs
Identity as a Service
Log Management & Audit
App and Vulnerability Testing
Security Policy Management for Cloud
Example #3: Pattern-Based Access Management
[Diagram: Security Web Gateway and Web Application, with numbered callouts 1-10 matching the components below]
Environment Components
1. QRadar vSys Pattern
2. External ISAM Appliance
3. ISAM Log Integration
4. WebSEAL Reverse Proxy
5. Application vSys Pattern
6. Application TAI + Junction
7. Consolidated Log backup
8. SQL Injection Attack
9. Application Response
10. QRadar threat console
Step #4: Integrated Intelligence across Hybrid Cloud
[Diagram labels: Ceilometer (Usage / Performance Monitoring + Auditing); “Datastores”; Core API Layer; “Filter” audits all OpenStack API calls; CADF; AWS CloudTrail; OpenStack Audit (CADF); Workloads deployed in private virtual Environments; Public Cloud Services]
Example #4: Security Intelligence for Virtual Infrastructure
Business challenge:
• Improved security and visibility into virtual infrastructures
• Better visibility into logs coming from their sensors across the environment
• Support ad hoc search across large data
Solution:
• Scales to large volumes
• User friendly reporting
• Quick search and review of logs
• Reasonable cost of ownership
[Diagram labels: Security Intelligence for Hybrid Cloud; SaaS applications; Infrastructure as a Service; Virtualized data center]
Step #5: Leverage Security SaaS
Administrator / app owner
End users
Shared Security Services (Security from the Cloud)
REST APIs
Identity as a Service
Log Management & Audit
App and Vulnerability Testing
• API enable and standup key products as shared cloud services
• Multi-tenancy
Example #5: SaaS Security Usage in Your Environment
Topic: Looking Forward
Cloud Security Trends
Security Across the Cloud DevOps lifecycle
[Diagram labels. DEV / OPS. Analysis: Dynamic Analysis, Interactive Analysis, Mobile App Analysis, Static Analysis. Application Security Management: Inventory assets, Assess business impact, Measure status & progress, Prioritize vulnerabilities, Determine compliance. Also shown: Dynamic Analysis; Database monitoring; Security Intelligence; SIEM; Network Activity Monitoring; Vulnerability Mgmt; Log Mgmt; Network Protection; Fraud Protection. Products: AppScan, QRadar, Guardium, SiteProtector / IPS, Trusteer]
Cloud Application Zone Active Protection – Typical Scenario
Migrating Online Application to off-premise cloud
[Diagram labels: Traditional Data Center; DMZ; Trusted Intranet; Online banking application; Online Banking Application; End Users; Domain Specialized Developer; Infrastructure Operations; Security & Compliance Manager]
Cloud Application Zone Active Protection - Solution Overview
[Diagram with numbered steps 1-4. Labels: Deploy App; Provision workload and security components; Config & Automation; Secure Application; Access Application. Components: Online Banking App Workload Box (Web, App, DB); IBM Access Manager; IBM QRadar SIEM]
Demo Available - User Access Management, Web Application Protection, Log Management, Security Intelligence
Cloud ready data security and privacy on the cloud
Data Protection
Business Challenge:
Data is…
• Leaving the data center
• Stored on shared drives and cloud infrastructure
• Hosted by 3rd party
• Managed by 3rd party
Solution:
• Data security as a virtual appliance deployed on the Cloud
• Data activity monitoring across hybrid clouds – virtualized and public clouds
• Provides vulnerability assessments of data systems
• Encrypts and masks sensitive data when used by privileged users
[Diagram labels: IBM InfoSphere Guardium; Virtualized data center; Encryption; Masking; Activity Monitoring; Vulnerability Assessment; Structured & Unstructured Data]
IBM leads with enterprise-grade cloud security
Today Announcements
Categories: Delivering security from the cloud; Solutions to protect cloud workloads
• Identity-as-a-Service beta for the IBM Cloud Platform
• Security Optimization & Threat Monitoring
• QRadar optimizations for cloud
• Enhanced Virtual Threat Protection
Summary
1. Cloud creates opportunities for enhanced security
2. 5 Easy steps to securing workloads
   1. Basic Enablement
   2. Pattern-Based Security
   3. Automated Integration
   4. Hybrid Cloud Security
   5. Leveraging SaaS
3. Going forward
• Direction of the cloud
• Emerging security capabilities
Key Cloud Resources
IBM Best Cloud
Computing
Security
IBM Research and Papers
Special research concentration in cloud security, including
white Papers, Redbooks, Solution Brief – Cloud Security
IBM X-Force
Proactive counter intelligence and public education
http://www-03.ibm.com/security/xforce/
IBM Institute for Advanced Security
Cloud Security Zone and Blog (Link)
Customer Case Study
EXA Corporation creates a secure and resilient private
cloud (Link)
Collateral Sales Support:
NEW IBM Cloud Security Strategy and Community
connections page (Link)
NEW Internal IBM SWG Sellers Workplace – Cloud
Security Collateral - (Link)
SmartCloud Security Solutions Sales Kit – (Link)
Other Links:
IBM Media series – SEI Cloud Security (Link)
External IBM.COM : IBM Security Solutions (Link)
External IBM.COM : IBM SmartCloud– security (Link)
IBM SmartCloud security video (Link)
Questions?
We Value Your Feedback!
Backup
Intelligent Security for the Cloud
Identity
Manage users and their access to cloud
• Identity Service - Beta
• IBM Security Access Manager
• IBM Security Privileged Identity Manager
Protection
Protect data, applications and infrastructure from threats and risks
Data & Application
• IBM InfoSphere Guardium
• IBM Security AppScan
• IBM WebSphere DataPower
Infrastructure
• IBM Security Network Protection
• IBM Security Trusteer
• IBM Endpoint Manager
Insight
Establish intelligence across enterprise and cloud
• QRadar SIEM
• QRadar Log Manager
• QRadar Forensics
AppScan Service & APIs from Bluemix
AppScan Mobile Analyzer
– Ability to upload Android APKs to the cloud for an IAST (interactive application security scan)
• Service available through the BlueMix catalog
• Upload an APK and receive a security PDF report
• Public APIs to integrate to 3rd party
• Environment deployed on SoftLayer
AppScan DAST on BlueMix
– Run a DAST scan on web application deployed on BlueMix
• Service available through the BlueMix catalog
• Almost zero configuration (User Name/Password)
• Public APIs to integrate to 3rd party
• Environment deployed on SoftLayer
Cloud software delivery as virtual appliances
Security Software
Security capabilities as virtual appliances. They should be available as shared services through APIs.
Delivering security capabilities as virtual appliances will enable
- Security enforcement ‘near’ workloads and in software defined environments
- Protection within on-premise virtual environments or hosted clouds
Applications require easy-to-use, API-based services
Administrator / app owner
End users
Shared Security Services (Security from the Cloud)
REST APIs
Identity as a Service
Log Management & Audit
App and Vulnerability Testing
• API enable and standup key products as shared cloud services
• Multi-tenancy
Demo Scenario - Visibility to hybrid cloud application
[Diagram labels. Zones: DMZ; Trusted Intranet; Public Cloud Services; Private Cloud Services. People: Jane; Andrew; Fred; Customers. Actions: Provision infrastructure; Deploy App; Access App; Monitor Usage & Security of the Environments. Components: Reverse Proxy; Load balance; Gateway; Cloudburst]