The cloud offers simplified application development and delivery by providing infrastructure, platform and software services that are ready to use immediately. However, the major inhibitor for businesses has been concerns around security. IBM has simplified the typical method for approaching this problem. Whether you’re looking to employ infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) or software-as-a-service (SaaS), use the framework below when designing your solution. Each platform comes with certain built-in security qualities and lets you use add-ons on top of the platform to secure each workload.
2. Agenda
• Security for Infrastructure Services (IBM SoftLayer) – IaaS
• Security for Platform Services (IBM Bluemix) – PaaS
3. Cloud is rapidly transforming the enterprise
[Diagram: traditional enterprise IT extending across private cloud, public cloud and external stakeholders, with 100+ IBM offerings at each layer]
• PaaS – development services (app development)
• SaaS – business applications (HR, CRM, SCM)
• IaaS – infrastructure services (data archive, online website)
4. Cloud presents the opportunity to radically transform security practices
• Traditional security: manual, static, and reactive
• Dynamic cloud security: standardized, automated, agile, and elastic
Cloud security is not only achievable, it is an opportunity to drive the business, improve defenses and reduce risk.
5. Clients focus on three imperatives for improving security
• Detect threats with visibility across clouds – “How can I obtain a comprehensive view of cloud and traditional environments?” “I can take advantage of centralized cloud logging and auditing interfaces to hunt for attacks.”
• Govern the usage of cloud – “How can I understand who is accessing the cloud from anywhere, at any time?” “Going to the cloud gives me a single choke point for all user access ‒ it provides much more control.”
• Protect workloads and data in the cloud – “How can I fix vulnerabilities and defend against attacks before they’re exploited?” “Cloud gives me security APIs and preconfigured policies to help protect my data and workloads.”
6. IBM Dynamic Cloud Security
A structured approach to cloud security across SaaS, PaaS and IaaS:
• Assess and Govern
• Manage Access
• Protect Data
• Gain Visibility
• Optimize Security Operations
Focus for this session: Manage Access, Protect Data and Gain Visibility.
7. JKE Overview
JK Enterprises (JKE)
• A multinational financial services company that offers a wide range of financial and insurance products and services
• Operates worldwide, with major offices in AP, EMEA and US
• Employs approximately 5,500 staff
• Financial details include:
  • A combined premium income of over $2.5 billion
  • Investment assets of approximately $16.8 billion
• Customers include:
  • End customers: over 2 million insured customers
  • Brokers: over 200 registered brokers
• Has partnerships with a large number of partners, mainly in the area of brokering and financial advice
• Provides internet customers and brokers with online access to applications.
10. Security comes “in” (inherent in) and “on” (accessible from) the IaaS provider
Accessible “on” an IaaS cloud provider – bring your own security:
• Identity: privileged admin management; access management of web workloads
• Protection: network protection (firewalls, IPS, proxy); host security and vulnerability scanning; encryption and key management
• Insight: monitoring of customer hybrid infrastructure and workloads; log, audit and compliance reporting; vulnerability management
Inherent “in” an IaaS cloud provider – security provided in SoftLayer:
• Identity: admin user management; role and entitlement management; federation of admin users from enterprises
• Protection: isolation of VMs and dedicated instances; network firewalls, VPNs and DoS protection; encryption of data at rest and a secure key store
• Insight: security monitoring of cloud infrastructure; platform intelligence; API access to cloud service logs
11. Security “in” (inherent in) IBM SoftLayer
SoftLayer security features and options:
• Physical DC security
• Logical segregation
• GeoTrust SSL certificates
• Two-factor authentication for portal administrators
• McAfee host protection
• DC site affinity option
IBM MSS – fully managed cloud security services:
• Hosted web defense (DDoS + WAF)
• Hosted application security management services
• Hosted security event and log management
• Hosted vulnerability management
• Managed FW, IDPS and UTM
• Managed email and web security
Value: comprehensive security for IT assets deployed in SoftLayer. IBM SoftLayer and IBM Managed Security Services (MSS) together provide comprehensive cloud security solutions and capabilities for cloud customers (IaaS).
13. Privileged User Management (IaaS)
JK Enterprises (JKE) scenario – Manage Access:
1. JKE Cloud Administrator logs into SoftLayer
2. JKE Cloud Administrator provisions and sets up the required resources on Cloud
3. Weak management of passwords and administrator activities can compromise cloud systems
4. JKE implements Privileged User Management to monitor and audit cloud Admin activities
5. Privileged Identity Manager captures and tracks all actions by the admin
[Diagram: JKE Cloud Administrator → IBM Security Privileged Identity Management → Dev/Test/Prod infrastructure on SoftLayer]
14. Automated Provisioning of ISAM Virtual Appliance (IaaS)
JK Enterprises (JKE) scenario – Manage Access:
1. JKE wants to add web application protection for their application on cloud
2. JKE deploys the ISAM Virtual Appliance on SoftLayer (automated provisioning and configuration of the ISAM appliance on SoftLayer)
3. JKE can manage access and protect applications from attacks.
[Diagram: employees and agents/partners/customers → IBM Security Access Manager Virtual Appliance → enterprise application]
15. Log Management & Security Intelligence (IaaS)
JK Enterprises (JKE) scenario – Gain Visibility:
1. JKE Security Administrator wants visibility into their cloud infrastructure on SoftLayer
2. JKE Security Administrator uses IBM Security QRadar SIEM
3. QRadar collects all the events from security appliances, infrastructure and applications
4. QRadar detects anomalies and security threats and generates reports for audit and compliance.
[Diagram: IBM Security Access Manager Virtual Appliance, IBM Security Privileged Identity Management, the enterprise application and the Dev/Test/Prod infrastructure feed events to IBM Security QRadar SIEM, operated by the JKE Security Administrator; users are employees and agents/partners/customers]
16. IBM Security capabilities (“on”) SoftLayer that enhance security of customer workloads (IaaS)
[Diagram: enterprise cloud administrators and application users reach SoftLayer through the portal and APIs; consolidated logs and events feed enterprise security monitoring and IBM Virtual SOC services]
Manage Access / Protect Data / Gain Visibility
18. Security comes “in” (inherent in) and “on” (accessible from) the PaaS provider
Accessible from a PaaS cloud provider ‒ design your own security:
• Identity: APIs for authentication/SSO of end users and for services/apps; APIs to perform context-aware access
• Protection: security testing of app, service and APIs; key management APIs; APIs for fraud detection; IP reputation/threat intelligence APIs
• Insight: APIs for customer app log and audit; application security and real-time monitoring; application vulnerability management
Inherent “in” a PaaS cloud provider ‒ security is “baked in” to the platform:
• Identity: developer registration and SSO; group management and entitlements to apps and services; federation of developers/platform users
• Protection: data protection and compliance; application container, fabric and services isolation and protection
• Insight: customer-specific log and audit trail APIs; active security monitoring of the provider (not of individual customer services)
21. Single Sign On
Key features:
• Add user authentication to your apps with policy-based configuration
• Zero-coding approach
• Integrate with your existing enterprise directory with SAML
• Option to choose from identity sources like Facebook, LinkedIn, and Google
• Option to create and use your own cloud directory
[Diagram: social identities and enterprise ID as identity sources]
Manage Access
22. AppScan Dynamic Analyzer
Key features:
• Discover vulnerabilities before putting cloud apps into production
• Minimal configuration and developer training / preparation
• Scans authenticated and unauthenticated pages and identifies security issues
• Identifies a large variety of vulnerabilities, from the OWASP Top 10, SANS Top 25 and more
• Produces a detailed security report – actionable information with remediation instructions
Protect Data
23. AppScan Mobile Analyzer
Key features:
• Based on Glass Box principles
• Identifies security issues in Android applications
• Produces a detailed security report
• Includes remediation steps
• Developer-targeted information
Protect Data
24. Secure data warehousing and analytics (dashDB)
Key features – data encryption, data access control, activity monitoring:
• Automatic encryption for data at rest using the Advanced Encryption Standard (AES)
• Encryption for data in transit – SSL is automatically configured when a dashDB database is provisioned
• The dashDB database is continuously monitored through IBM InfoSphere Guardium
• Database access control – define who has access to which objects in the database
Protect Data
25. Security Intelligence for the hybrid cloud
Key features (Loggregator):
• Facility to drain logs over syslog, syslog-tls or https through a user-provided service
• Includes all the events related to the app, including staging and deployment
• Capability to distinguish the logs from different instances of the application
• Device Support Module (DSM) in QRadar for parsing Cloud Foundry and application events
[Diagram: cloud applications → Loggregator → user-provided service (log drain) → QRadar]
Gain Visibility
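The points above (one drain carrying staging, router and application events, and per-instance attribution) are easiest to see on the raw drain output. The following is an added example, not IBM's DSM or any code from the deck: it parses RFC 5424 records as a Cloud Foundry syslog drain delivers them (one record per line is assumed; the PROCID field such as [APP/PROC/WEB/1] or [STG/0] is where the source type and instance index live), then groups events per instance and pulls out staging and error-level messages. The sample lines are constructed, not captured from a real app.

```python
import re
from collections import Counter

# RFC 5424 framing as emitted by a Cloud Foundry syslog drain (assumed: one record per line,
# no octet-count prefix). PROCID = Loggregator source type + instance index, e.g. [APP/PROC/WEB/1].
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"\[(?P<proc>[^\]]+)\] (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$")

def parse_line(line):
    """Fields of one drained log line, or None if it is not a syslog record."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri, parts = int(m.group("pri")), m.group("proc").split("/")
    return {
        "timestamp": m.group("ts"),
        "app_guid": m.group("app"),
        "source_type": parts[0].upper(),                         # APP, STG, RTR, API ...
        "instance": parts[-1] if parts[-1].isdigit() else None,  # tells app instances apart
        "severity": pri & 7,                                     # 3 = error, 6 = info
        "message": m.group("msg"),
    }

def summarize(lines):
    """Events per (source, instance), staging messages, error-level events, unparsed count."""
    events = [parse_line(line) for line in lines]
    per_instance, staging, errors = Counter(), [], []
    for ev in filter(None, events):
        per_instance[(ev["source_type"], ev["instance"])] += 1
        if ev["source_type"] == "STG":
            staging.append(ev["message"])
        if ev["severity"] <= 3:
            errors.append((ev["source_type"], ev["instance"], ev["message"]))
    return {"per_instance": dict(per_instance), "staging": staging,
            "errors": errors, "unparsed": events.count(None)}

# Constructed sample drain output (not captured from a real Bluemix app).
GUID = "3f1e2a90-aaaa-4bbb-8ccc-123456789abc"
SAMPLE_LINES = [
    f"<14>1 2015-02-20T10:00:01.000000+00:00 loggregator {GUID} [STG/0] - - Staging app and tracing logs...",
    f"<14>1 2015-02-20T10:00:09.000000+00:00 loggregator {GUID} [APP/PROC/WEB/0] - - Listening on port 8080",
    f"<14>1 2015-02-20T10:00:09.500000+00:00 loggregator {GUID} [APP/PROC/WEB/1] - - Listening on port 8080",
    f"<11>1 2015-02-20T10:01:15.000000+00:00 loggregator {GUID} [APP/PROC/WEB/1] - - Login failed for user admin from 198.51.100.7",
    f"<14>1 2015-02-20T10:01:16.000000+00:00 loggregator {GUID} [RTR/0] - - app.example.com - [20/02/2015:10:01:16 +0000] \"POST /login HTTP/1.1\" 401 0 44",
    "not a syslog record at all",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Older Loggregator output used the short form [App/1]; the parser upper-cases the first PROCID component so both forms land in the same APP bucket.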
26. SSO Access to Bluemix Application (PaaS)
JK Enterprises (JKE) scenario – Manage Access:
1. JKE employees want to access a business app deployed on Cloud by a JKE partner
2. JKE uses Identity as a SSO Service on Bluemix
3. Employees access the Bluemix application seamlessly using their enterprise/intranet ID (SAML federation using Enterprise Bridge)
[Diagram: employees → Single Sign On (SSO) on IBM Bluemix → partner HealthCare application]
27. Social Access to Cloud Application (PaaS)
Marketing Department scenario – Manage Access:
1. Marketing team wants to develop a new Cloud Systems of Engagement App
2. Uses the IBM SSO Service Offering on Bluemix for SSO
3. Customers can access the Bluemix app using their social IDs
4. IDs of contractors/agents hired for the marketing campaign are managed in the Cloud Directory
[Diagram: app developers build the social application on Bluemix; agents/partners/customers sign in through Single Sign On (SSO) on IBM Bluemix; private and public cloud]
28. Cloud Application Security & Protection (PaaS)
JKE Subsidiary scenario – Protect Data:
1. App Developer wants to ensure the application is secure and there are no vulnerabilities
2. App Developer uses the IBM AppScan Dynamic Analysis Service on Bluemix
3. App Developer gets a report on the app’s vulnerabilities and threats and recommendations on how to fix them
[Diagram: app developers → IBM AppScan Dynamic Analyzer on Bluemix → internet application; private and public cloud]
29. Securing Mobile Application (PaaS)
Scenario – Protect Data:
1. App Developer wants to ensure the mobile application is secure and has no vulnerabilities
2. App Developer uses the IBM AppScan Mobile Analyzer Service on Bluemix
3. App Developer uploads the mobile application file (.apk)
4. App Developer gets a report on the mobile app’s vulnerabilities and threats, with recommendations
[Diagram: app developers → IBM AppScan Mobile Analyzer on Bluemix → mobile application; private and public cloud]
30. Database Service Security & Protection (PaaS)
JK Enterprises (JKE) scenario – Protect Data:
1. JKE uses managed data warehousing and analytics services from the cloud (dashDB)
2. App Developer wants to ensure that access to the data is monitored
3. JKE gets reports on sensitive data access on the cloud
[Diagram: app developers and JKE use dashDB on Bluemix, monitored by InfoSphere Guardium; private and public cloud]
31. Security Intelligence for Bluemix Apps (PaaS)
JK Enterprises (JKE) scenario – Gain Visibility:
1. JKE Security Administrator wants visibility into their application on the cloud
2. JKE Security Administrator uses IBM Security QRadar SIEM
3. QRadar collects all the events related to the Bluemix application
4. QRadar detects anomalies and security threats and generates reports for audit and compliance.
[Diagram: internet application on Bluemix (private and public cloud) → IBM Security QRadar SIEM, operated by the JKE Security Administrator]
33. Cloud Security Standards (indicative list only)
Encryption: Kerberos, RSA, AES, Triple-DES, X.509 certificates, SHA hashing, KMIP (key management)
Standards:
• ISO 27018 – Data Protection for Cloud Services
• ISO 27017 – Information Security Controls for Cloud Services
• ISO 29101 – Privacy Architecture Framework
• ISO 24760 – ID Management Architecture
• ISO 19794 – Biometric Interchange Formats
• ISO 17789 – Cloud Computing Reference Architecture
• ISO 19086 – Cloud SLAs
• PCI-DSS – Controls for Card Data
• CADF – Cloud Audit Data Federation
CSCC (Cloud Standards Customer Council) guides:
o Security for Cloud Computing: 10 Steps to Ensure Success, Version 2.0
o Practical Guide to Cloud SLAs
o Practical Guide to Cloud Computing, Version 2.0
o Cloud Security Standards: What to Expect & Negotiate
Manage Access / Protect Data / Gain Visibility
34. Cloud Computing Reference Architecture (CCRA) – providing prescriptive guidance to secure client cloud adoption patterns
Adoption patterns:
• Cloud Enabled Data Center – integrated service management, automation, provisioning, self service
• Cloud Platform Services – pre-built, pre-integrated IT infrastructures tuned to application-specific needs
• Cloud Service Provider – advanced platform for creating, managing, and monetizing cloud services
• Business Solutions on Cloud – capabilities provided to consumers for using a provider’s applications
Workload patterns: Big Data / Analytics workloads on cloud; Social / Mobile workloads on cloud; Federal/Government workloads on cloud (G Cloud)
35. IBM Dynamic Cloud Security Portfolio (across SaaS, PaaS and IaaS)
• Manage Access – safeguard people, applications, and devices connecting to the cloud
• Protect Data – identify vulnerabilities and help prevent attacks targeting sensitive data
• Gain Visibility – monitor the cloud for security breaches and compliance violations
• Optimize Security Operations – deliver a consolidated view of your security operations at unprecedented speed and agility
New offerings: Cloud Security Intelligence, Cloud Identity Services, Cloud Sign On Service, Cloud Access Manager, Cloud Privileged Identity Manager, Cloud Data Activity Monitoring, Cloud Mobile Application Analyzer, Cloud Web Application Analyzer, Intelligent Threat Protection Cloud, Cloud Security Managed Services, Security Intelligence and Operations Consulting Services
36. Learn more about IBM Security
Visit our website
IBM Security Website
Watch our videos
IBM Security YouTube Channel
Read new blog posts
SecurityIntelligence.com
Follow us on Twitter
@ibmsecurity
IBM Security
Intelligence. Integration. Expertise.
38. Notices and Disclaimers (con’t)
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products in connection with this
publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM
products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to
interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any
IBM patents, copyrights, trademarks or other intellectual property right.
• IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document
Management System™, Global Business Services ®, Global Technology Services ®, Information on Demand,
ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™,
PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®,
pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®,
urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of
International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on
the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
39. Thank You
Your feedback is important! Access the InterConnect 2015 Conference CONNECT Attendee Portal to complete your session surveys from your smartphone, laptop or conference kiosk.