The cloud offers simplified application development and delivery by providing infrastructure, platform and software services that are ready to use immediately. However, the major inhibitor for businesses has been concerns around security. IBM has simplified the typical method for approaching this problem. Whether you’re looking to employ infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) or software-as-a-service (SaaS), use the framework below when designing your solution. Each platform comes with certain built-in security qualities and lets you use add-ons on top of the platform to secure each workload.

1. © 2015 IBM Corporation
Securing Your Cloud
Applications
Nataraj (Raj) Nagaratnam
CTO for Security Solutions, IBM Security
Sreekanth Iyer
Executive IT Architect, IBM Security
Jeffrey Hoy
Cloud Security Architect, IBM Security

2. Agenda
• Security for Infrastructure Services (IBM SoftLayer)
• Security for Platform Services (IBM Bluemix)
1
IaaS
PaaS

3. Cloud is rapidly transforming the enterprise
External StakeholdersTraditional Enterprise IT
Public CloudPrivate Cloud
PaaS
Development
services
SaaS
Business
applications
IaaS
Infrastructure
services
100+ IBM
Offerings
HR,
CRM, SCM
Data
archive
App
development
100+ IBM
Offerings
Online
website

4. Cloud presents the opportunity to radically transform
security practices
Dynamic Cloud Security
Standardized, automated,
agile, and elastic
Traditional Security
Manual, static,
and reactive
Cloud security is not only achievable, it is an opportunity
to drive the business, improve defenses and reduce risk

5. Clients focus on three imperatives for improving security
Detect threats with
visibility across clouds
Govern the
usage of cloud
Protect workloads
and data in the cloud
How can I understand who
is accessing the cloud
from anywhere, at anytime?
How can I fix vulnerabilities
and defend against attacks
before they’re exploited?
How can I obtain a
comprehensive view of cloud
and traditional environments?
“I can take advantage
of centralized cloud
logging and auditing
interfaces to hunt
for attacks.”
“Going to the cloud
gives me a single
choke point for all user
access ‒ it provides
much more control.”
“Cloud gives me
security APIs and
preconfigured policies
to help protect my data
and workloads”

6. IBM Dynamic Cloud Security
Optimize Security Operations
Manage
Access
Protect
Data
Gain
Visibility
SaaSPaaSIaaS
Structured Approach to Cloud Security
Assess and Govern
Focus for this Session

7. JKE Overview
6
JK Enterprises (JKE)
• A multinational financial services company that offers wide
range of wide range of financial and insurance products
and services
• Operates world-wide, with major offices in AP, EMEA and
US
• Employs approximately 5,500 staff
• Financial details include:
• A combined premium income of over $2.5 billion
• Investment assets of approximately $16.8 billion
• Customers include:
• End customers: over 2 million insured customers
• Brokers: over 200 registered brokers
• Has partnerships with a large number of partners, mainly
in the area of brokering and financial advice
• Provides internet customers and brokers with online
access to applications.

8. Securing Cloud – JKE Scenario
7
Focus for this Session

9. Security for Infrastructure Services
IaaS

10. Security comes “in” (inherent in) and “on” (accessible
from) IaaS provider
Identity Protection Insight
Accessible
“on” a IaaS
Cloud Provider
– Bring your
own security
 Privileged admin
management
 Access management
of web workloads
 Network protection ‒
Firewalls, IPS, proxy
 Host security,
vulnerability scanning
 Encryption and key
management
 Monitoring customer
hybrid infrastructure and
workloads.
 Log, Audit, and
compliance reporting
 Vulnerability management
Inherent “in” a
IaaS Cloud
Provider –
Security
provided in
SoftLayer
 Admin user
management
 Isolation of VMs, and
dedicated instances
 Security monitoring of
cloud infrastructure
 Role and entitlement
management
 Network firewalls,
VPNs; DoS protection
 Platform intelligence
 Federation of admin
users from
enterprises
 Encryption of data at
rest and secure key
store
 API access to cloud
service logs
IaaS

11. Security “in” (inherent in) IBM SoftLayer
SoftLayer Security
Features & Options
 Physical DC Security
 Logical Segregation
 GeoTrust SSL Certificates
 Two-Factor Authentication
for Portal Administrators
 McAfee Host Protection
 DC Site Affinity Option
IBM MSS - Fully Managed
Cloud Security Services
 Hosted Web Defense (DDoS+WAF)
 Hosted Application Security
Management Services
 Hosted Security Event and Log
Management
 Hosted Vulnerability Management
 Managed FW, IDPS and UTM
 Managed Email and Web Security
Comprehensive security for
IT assets deployed in
SoftLayer
VALUE
IBM SoftLayer and IBM Managed Security Services (MSS) provide
comprehensive cloud security solutions and capabilities for cloud customers –
IaaS

12. Scenario Overview
11
Enterprise
Application
Dev/Test/Prod
Infrastructure
Public CloudPrivate Cloud
IaaS
JK Enterprises (JKE)
Description
1 JKE provisions infrastructure resources and moves to Cloud
2 JKE deploys their business application on Cloud

13. Privileged User Management
12
IaaS
JK Enterprises (JKE)
1 JKE Cloud Administrator logs into SoftLayer
2 JKE Cloud Administrator provisions and sets up the required resources on Cloud
3 Weak management of password and administrator activities can compromise cloud systems
4 JKE implements Privileged User Management to monitor and audit cloud Admin activities
5 Privileged Identity Manager captures and tracks all actions by admin
JKE Cloud Administrator
IBM Security Privileged Identity Management
Dev/Test/ Prod
Infrastructure
Manage Access

14. Automated Provisioning of ISAM Virtual Appliance
13
IaaS
JK Enterprises (JKE)
1 JKE likes to add web application protection for their application on cloud
2 JKE deploys ISAM Virtual Appliance on SoftLayer
(Automated Provisioning and Configuration of ISAM Appliance on SoftLayer)
3 JKE can manage access and protect applications from attacks.
Employees
IBM Security Access Manager Virtual Appliance
Enterprise
Application
Agents / Partners/ Customers
Manage Access

15. Log Management & Security Intelligence
14
IaaS
JK Enterprises (JKE)
1 JKE Security Administrator wants visibility into their cloud infrastructure on SoftLayer
2 JKE Security Administrator uses IBM Security QRadar SIEM
3 QRadar collects all the events from security appliances, infrastructure and applications
4 QRadar detects anamolies, security threats and generates reports for audit and compliance.
JKE Security Administrator
IBM Security QRadar SIEM
Enterprise
Application
Dev/Test/Prod
Infrastructure
IBM Security
Access Manager
Virtual Appliance
IBM Security
Privileged Identity
Management
Employees
Agents / Partners/ Customers
Gain Visibility

16. IBM Security capabilities (“On”) SoftLayer that enhances
security of customer workloads
15
IaaS
Enterprise
Cloud
Administrators
Consolidated
logs and events
Portal and APIs
Application
users
Enterprise security monitoring
IBM Virtual SOC
services
Manage Access Protect Data Gain Visibility

17. Security for Platform Services
PaaS

18. Security comes “in” (inherent in) and “on” (accessible from) Provider
Identity Protection Insight
Accessible
from a PaaS
Cloud Provider
‒ Design your
own security
 APIs for
authentication/SSO of end
users, for services/apps
 APIs to perform context
aware access
 Security testing of App,
service and APIs
 Key management APIs
 APIs for fraud detection
 IP reputation/threat
intelligence APIs
 APIs for customer app log and
audit
 Application security and real
time monitoring
 Application vulnerability
management
Inherent “in” a
PaaS Cloud
Provider ‒
Security is
“baked in”
platform
 Developers registration
and SSO
 Group management;
Entitlements to apps,
services
 Federation of
developers/platform users
 Data protection and
compliance
 Application container
 Fabric and services
isolation and protection
 Customer specific log and audit
trail APIs
 Active security monitoring of
provider (not individual
customer services)
Hosted on
PaaS

19. Bluemix Platform Security Overview
18

20. “on” Bluemix Security

21. Single Sign On
• Add user authentication to your apps with policy-based configuration
• Zero coding approach
• Integrate with existing enterprise directory with SAML
• Option to chose from identity sources like Facebook, LinkedIn, and Google
• Option to create and use your own cloud directory
Key Features
Social
Identities
Enterprise
ID
Manage Access

22. AppScan Dynamic Analyzer
• Discover vulnerabilities before putting cloud apps into production
• Minimal configuration and developer training / preparation
• Scans authenticated and unauthenticated pages and identifies security issues
• Identifies a large variety of vulnerabilities, from OWASP Top 10, SANS Top 25 and more
• Produces a detailed security report - actionable information with remediation instructions
Key Features
Protect Data

23. AppScan Mobile Analyzer
• Based on Glass Box principles
• Identifies security issues in Android applications
• Produces a detailed security report
• Includes remediation steps
• Developer targeted information.
Key Features
Protect Data

24. Secure data warehousing and analytics
Data
Encryption
Data Access
Control
Activity
Monitoring
dashDB
• Automatic encryption for data at rest using Advanced Encryption Standard (AES)
• Encryption for data in transit - SSL is automatically configured when dashDB database is
provisioned
• dashDB database is continuously monitored through IBM InfoSphere Guardium
• Database access control – define who has access to what objects in the database
Key Features
Protect Data

25. Security Intelligence for the hybrid cloud
Gain Visibility
Cloud
Applications
Loggregator
• Facility to drain logs over syslog, syslog-tls or https through user provided service
• Includes all the events related to the app including staging and deployment
• Capability to distinguish the logs from different instances of the application
• Device Support Module (DSM) in QRadar for parsing CloudFoundry and application events
Key Features
Cloud
Applications
User Provided
Service

26. SSO Access to Bluemix Application
25
PaaS
JK Enterprises (JKE)
1 JKE Employees want to access business app deployed on Cloud by JKE Partner
2 JKE uses Identity as a SSO Service on Bluemix
3 Employees access the Bluemix application seamlessly using their enterprise/intranet ID
(SAML Federation using Enterprise Bridge)
Employees
HealthCare
Application
Single Sign On (SSO) on IBM Bluemix
Partner
Manage Access

27. Social Access to Cloud Application
26
App
Development
Social
Application
Public CloudPrivate Cloud
PaaS
Agents / Partners/ Customers
App Developers
Single Sign On (SSO) on IBM Bluemix
1 Marketing team wants to develop a new Cloud Systems of Engagement App
2 Uses IBM SSO Service Offering on Bluemix for SSO
3 Customers can access the Bluemix app using their social IDs
4 IDs of Contractors / Agents hired for the Marketing Campaign managed on Cloud Directory
Marketing Department
Manage Access

28. Cloud Application Security & Protection
27
App
Development
Internet
Application
Public CloudPrivate Cloud
PaaS
App Developers
IBM AppScan Dynamic Analyzer on Bluemix
1 App Developer wants to ensure the application is secure and there are no vulnerabilities
2 App Developer uses IBM Appscan Dynamic Analysis Service on Bluemix
3 App Developer gets a report on the App vulnerabilities and threats and recommendations on
how to fix them
(JKE Subsidiary)
Protect Data

29. Securing Mobile Application
28
Mobile
Application
Public CloudPrivate Cloud
PaaS
App Developers
IBM AppScan Mobile Analyzer on Bluemix
1 App Developer wants to ensure the mobile application is secure and has no vulnerabilities
2 App Developer uses IBM Appscan Mobile Analyzer Service on Bluemix
3 App Developer uploads the mobile application file (.apk)
4 App Developer gets a report on the Mobile App vulnerabilities, threats and recommendations
Protect Data

30. Database Service Security & Protection
29
Public CloudPrivate Cloud
PaaS
App Developers
InfoSphere Guardium
1 JKE use managed dataware housing and analytics services from the cloud (DashDB)
1 App Developer wants to ensure the access to the data is monitored
2 JKE gets reports on sensitive data access on the cloud
JK Enterprises (JKE)
Protect Data

31. Security Intelligence for Bluemix Apps
30
App
Development
Internet
Application
Public CloudPrivate Cloud
PaaS
JK Enterprises (JKE)
JKE Security Administrator
IBM Security QRadar SIEM
1 JKE Security Administrator wants visibility into their application on the cloud
2 JKE Security Administrator uses IBM Security QRadar SIEM
3 QRadar collects all the events related to the Bluemix Application
4 QRadar detects anomalies, security threats and generates reports for audit and compliance.
Gain Visibility

32. Open Standards
&
IBM Cloud Security

33. 32
Protect DataManage Access Gain Visibility
Kerberos RSA
AESTriple-DES
X.509
Certificates
SHA
Hashing
KMIP
Key Management
ISO 27018
Data Protection for Cloud Services
PCI-DSS
Controls for Card Data
ISO 24760
ID Management Architecture
ISO 17789
Cloud Computing Reference Architecture
CSCC
o Security for Cloud Computing:
10 Steps to Ensure Success Version 2.0
o Practical guide to Cloud SLAs
o Practical Guide to Cloud Computing
Version 2.0
o Cloud Security Standards: What to
Expect & Negotiate
ISO 29101
Privacy Architecture Framework
ISO 27017
Information Security Controls for Cloud Services
ISO 19794
Biometric Interchange Formats
ISO 19086
Cloud SLAs
CADF
Cloud Audit Data Federation
Cloud Security Standards*
* Indicative list only
Encryption

34. Cloud Computing Reference Architecture (CCRA)
- Providing Prescriptive Guidance to secure Client Cloud Adoption Patterns
Capabilities provided to
consumers for using a
provider’s applications
Integrated service
management, automation,
provisioning, self service
Pre-built, pre-integrated IT
infrastructures tuned to
application-specific needs
Advanced platform for
creating, managing, and
monetizing cloud services
Cloud Enabled Data Center
Cloud Platform Services
Cloud Service Provider
Business Solutions on Cloud
Big Data / Analytics workload
on cloud
Social / Mobile workloads on
Cloud
Federal/Government
Workloads on Cloud
Big Data / Analytics
Mobile
G Cloud

35. IBM Dynamic Cloud Security Portfolio
 Cloud Security Intelligence NEW! Cloud Identity Services NEW!
 Cloud Sign On Service NEW!
 Cloud Access Manager NEW!
 Cloud Privileged Identity Manager NEW!
 Cloud Data Activity Monitoring NEW!
 Cloud Mobile Application Analyzer NEW!
 Cloud Web Application Analyzer NEW!
Optimize Security Operations
Deliver a consolidated view of your security operations – at unprecedented speed and agility
Protect Data
Identify vulnerabilities and help prevent
attacks targeting sensitive data
Gain Visibility
Monitor the cloud for security breaches
and compliance violations
 Intelligent Threat Protection Cloud
NEW!
 Cloud Security Managed Services
NEW!
 Security Intelligence and Operations
Consulting Services NEW!
SaaSPaaSIaaS
Manage Access
Safeguard people, applications,
and devices connecting to the cloud

36. Learn more about IBM Security
Visit our website
IBM Security Website
Watch our videos
IBM Security YouTube Channel
Read new blog posts
SecurityIntelligence.com
Follow us on Twitter
@ibmsecurity
IBM Security
Intelligence. Integration. Expertise.

37. Notices and Disclaimers
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or
transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with
IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been
reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM
shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY,
EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF
THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT
OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the
agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without
notice.
Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are
presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual
performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services does not imply that IBM intends to make such products,
programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not
necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither
intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal
counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s
business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or
represent or warrant that its services or products will ensure that the customer is in compliance with any law.

38. Notices and Disclaimers (con’t)
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products in connection with this
publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM
products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to
interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any
IBM patents, copyrights, trademarks or other intellectual property right.
• IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document
Management System™, Global Business Services ®, Global Technology Services ®, Information on Demand,
ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™,
PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®,
pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®,
urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of
International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on
the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.

39. Thank You
Your Feedback is
Important!
Access the InterConnect 2015
Conference CONNECT Attendee
Portal to complete your session
surveys from your smartphone,
laptop or conference kiosk.