Presentation from Chesapeake Regional Tech Council\'s TechFocus Seminar on Cloud Security; Presented by Jeff Crume, IBM Distinguished Engineer, IT Security Architect, CISSP-ISSAP on Thursday, October 27, 2011. http://www.chesapeaketech.org

1. Security Considerations in the Cloud
Jeff Crume
Distinguished Engineer
crume@us.ibm.com
http://extranet.lotus.com/crume
© 2011 IBM Corporation

2. Security and Cloud Computing
Security Remains the Top Concern for Cloud Adoption
80%
Of enterprises consider security
“How can we be assured that our data will
not be leaked and that the vendors have the
the #1 inhibitor to cloud adoptions technology and the governance to control its
employees from stealing data?”
48%
Of enterprises are concerned
“Security is the biggest concern. I don’t
worry much about the other “-ities” – reliability,
about the reliability of clouds availability, etc.”
33% “I prefer internal cloud to IaaS. When the
service is kept internally, I am more
Of respondents are concerned with comfortable with the security that it offers.”
cloud interfering with their ability
to comply with regulations
Source: Driving Profitable Growth Through Cloud Computing, IBM Study (conducted by Oliver Wyman)
2 © 2011 IBM Corporation

3. Security and Cloud Computing
One-size does not fit-all:
Different cloud workloads have different risk profiles
High
Mission-critical
workloads, personal Tomorrow’s high value /
information high risk workloads need:
● Quality of protection
adapted to risk
● Direct visibility and
control
Need for Analysis & ● Significant level of
Security simulation with assurance
public data
Assurance
Today’s clouds are
primarily here:
● Lower risk workloads
Training, testing ● One-size-fits-all
with non-
approach to data
sensitive data
protection
● No significant
Low
assurance
● Price is key
Low-risk Mid-risk High-risk
Business Risk
3 © 2011 IBM Corporation

4. Security and Cloud Computing
Simple Example
Today’s Data Center Tomorrow’s Public Cloud
? ?
?
? ?
We Have Control ? Who Has Control?
It’s located at X. Where is it located?
It’s stored in server’s Y, Z. Where is it stored?
We have backups in place. Who backs it up?
Our admins control access. Who has access?
Our uptime is sufficient. How resilient is it?
The auditors are happy. How do auditors observe?
Our security team is engaged. How does our security
team engage?
4 © 2011 IBM Corporation

5. Security and Cloud Computing
Categories of Cloud Computing Risks
Control Data
Many companies and governments Migrating workloads to a shared
are uncomfortable with the idea of network and compute infrastructure
their information located on increases the potential for
systems they do not control. unauthorized exposure.
Providers must offer a high degree Authentication and access
of security transparency to help technologies become
put customers at ease. Reliability increasingly important.
High availability will be a key concern.
IT departments will worry about a loss
of service should outages occur.
Mission critical applications
may not run in the cloud
Compliance without strong availability
Complying with SOX, HIPAA guarantees.
Security Management
and other regulations may Even the simplest of tasks may be
prohibit the use of clouds for behind layers of abstraction or
some applications. performed by someone else.
Comprehensive auditing Providers must supply easy controls to
capabilities are essential. manage security settings for
application and runtime environments.
5 © 2011 IBM Corporation

6. Security and Cloud Computing
Cloud Security = Traditional Security + SOA Security +
Virtualization Security
• Hypervisor Security
• Rogue VMs, VM Isolation, Data Leakage,
Rootkits, etc.
• Federated Identity Mgmt
• Fed Prov/De-prov, Fed SSO
• Privileged Identity Mgmt
• Regulatory Compliance
• Audit, Data Residency
• Patch Mgmt
• Across multiple VMs
• Data Protection
• Encryption, Data Segregation, DLP
6 © 2011 IBM Corporation

7. Security and Cloud Computing
Additional Information
7 © 2011 IBM Corporation

8. Security and Cloud Computing
Example for Securing the Virtualized Runtime:
IBM Security Virtual Server Protection for VMware vSphere 4
VMsafe Integration
Firewall and Intrusion
Prevention
Rootkit Detection /
Prevention
Inter-VM Traffic Analysis
Automated Protection for
Mobile VMs (VMotion)
Virtual Network Segment
Protection
Virtual Network-Level
Protection
Virtual Infrastructure
Auditing (Privileged User)
Virtual Network Access
Control
••There have been 100 vulnerabilities disclosed across all of
There have been 100 vulnerabilities disclosed across all of
VMware’s virtualization products since 1999.*
VMware’s virtualization products since 1999.*
••57% of the vulnerabilities discovered in VMware products are
57% of the vulnerabilities discovered in VMware products are
remotely accessible, while 46% are high risk vulnerabilities.*
remotely accessible, while 46% are high risk vulnerabilities.*
8 © 2011 IBM Corporation

9. Security and Cloud Computing
IBM Cloud Security Guidance document
Based on cross-IBM research and customer interaction on cloud security
Highlights a series of best practice controls that should be implemented
Broken into 7 critical infrastructure components:
– Building a Security Program
– Confidential Data Protection
– Implementing Strong Access and Identity
– Application Provisioning and De-provisioning
– Governance Audit Management
– Vulnerability Management
– Testing and Validation
9 © 2011 IBM Corporation

10. Security and Cloud Computing
Cloud Security Whitepaper
Trust needs to be achieved, especially when
data is stored in new ways and in new
locations, including for example different
countries.
This paper is provided to stimulate
discussion by looking at three areas:
• What is different about cloud?
• What are the new security challenges cloud
introduces?
• What can be done and what should be
considered further?
10 © 2011 IBM Corporation

11. Security and Cloud Computing
11 © 2011 IBM Corporation

12. Security and Cloud Computing
Thank you!
For more information, please visit:
ibm.com/cloud
Ibm.com/security
12 © 2011 IBM Corporation