AG
Uploaded byArun Gopinath
550 views

Strategies for assessing cloud security

IBM provides strategies for assessing cloud security risks. Key steps include developing a strategic cloud security roadmap, identifying risks specific to public and private cloud models, and conducting assessments of cloud security architectures. IBM security experts evaluate cloud security programs against best practices and provide recommendations to address gaps through additional controls, policies, identity management, or managed security services. Thorough testing also examines network and application vulnerabilities from an attacker's perspective.

Embed presentation

Downloaded 18 times
IBM Global Technology Services November 2010 Thought Leadership White Paper Strategies for assessing cloud security
2 Securing the cloud: from strategy development to ongoing assessment Executive summary compliance. Even if IT workloads are transitioned to the Cloud computing provides flexible, cost-effective delivery of cloud, users are still responsible for compliance and data secu- business or consumer IT services over the Internet. Cloud rity. As a result, subscribers must establish trust relationships resources can be rapidly deployed and easily scaled, with all with their cloud providers and understand the risk posed by processes, applications, and services provisioned on demand, public and/or private cloud computing environments. regardless of the user location or device. As a result, cloud computing helps organizations improve service delivery, Security challenges in the cloud—the streamline IT management and better align IT services with need for a trusted third party evaluation dynamic business requirements. Cloud computing can also One of the most significant differences between cloud simultaneously support core business functions and provide security and traditional IT security stems from the sharing of capacity for new and innovative services. infrastructure on a massive scale. Users spanning different cor- porations and trust levels often interact with the same set of Both public and private cloud models, or a hybrid approach computing resources. And public cloud services are increas- using both models, are now in use. Available to anyone with ingly being offered by a chain of providers—all storing and Internet access, public clouds are acquired as a service and processing data externally in multiple unspecified locations. paid for on a per-usage basis or by subscription. Private clouds are owned and used by a single organization. They offer many Inside the cloud, it is difficult to physically locate where data is of the same benefits as public clouds, but give the owner stored. Security processes that were once visible are now hid- greater flexibility and control. den behind layers of abstraction. This lack of visibility can cause concerns about data exposure and compromise, service Although the benefits of cloud computing are clear, so is the reliability, ability to demonstrate compliance and meet SLAs, need to develop proper security for cloud implementations— and overall security management. whether public or private. Embracing cloud computing with- out adequate security controls can place the entire IT Visibility can be especially critical for compliance. The infrastructure at risk. Cloud computing introduces another Sarbanes-Oxley Act, the Health Insurance Portability and level of risk because essential services are often outsourced to Accountability Act (HIPAA), European privacy laws, and many a third party, making it harder to maintain data integrity and privacy, support data and service availability, and demonstrate
IBM Global Technology Services 3 other regulations require comprehensive auditing capabilities. Developing a strategic cloud security Many public clouds may indeed be a black box to the sub- roadmap with IBM scriber, thus clients may not be able to demonstrate compli- There is no one-size-fits-all model for security in the cloud. ance. (A private or hybrid cloud, on the other hand, can be Organizations have different security requirements that are configured to meet those requirements.) determined by the unique characteristics of the business work- load they intend to migrate to the cloud or the services they In addition, providers are sometimes required to support are providing from their cloud. It is important when evaluat- third-party audits, or support e-Discovery initiatives and ing risk in a cloud computing model, that a cloud security forensic investigations. This adds even more importance to strategy be developed. maintaining proper visibility into the cloud. Legal discovery of a co-tenant’s data may affect the confidentiality of other ten- By partnering with IBM, clients can benefit from proven ants’ data if the data is not properly segmented. This may assessment methodologies and best practices that help mean that some sensitive data may not be appropriate for cer- ensure consistent, reliable results. They can also leverage com- tain cloud environments. prehensive frameworks that address enterprise cloud strategy, implementation and management in a holistic approach that Organizations considering cloud-based services must under- maximizes the business value of cloud investments while mini- stand the associated risks and ensure appropriate visibility. mizing business risk. IBM guidelines for securing cloud implementations focus on the following areas: Defining business and IT strategy The first step to understanding security risks posed by a cloud ● Building a security program computing model is to analyze business and IT strategies. ● Confidential data protection What is the value of the information that will be stored, ● Implementing strong access and identity accessed and transmitted via the cloud? Is it business critical ● Application provisioning and de-provisioning and/or confidential? Is it subject to regulatory compliance? ● Governance audit management Clients must also consider availability requirements. After ● Vulnerability management determining the business and IT strategy and evaluating the ● Testing and validation data, clients can make a more informed, risk-based decision about which cloud computing model to pursue. Because cloud computing is available in several service models (and hybrids of these models), each presents different levels of responsibility for security management. Trusted third parties can help companies apply cloud security best practices to their specific business needs.
4 Securing the cloud: from strategy development to ongoing assessment Identifying the risks The IBM cloud security assessment reviews cloud architecture Each type of cloud—public, private and hybrid—carries a from a security standpoint, including policies and processes for different level of IT security risk. Security experts from data access and storage. IBM security experts assess the cur- IBM can help clients identify the vulnerabilities, threats and rent state of cloud security against best practices, and against other values at risk based on public, private or hybrid cloud providers’ own security objectives. Security requirements and architecture. From there, IBM will work with clients to design best practices criteria is based on unique characteristics of the initial mechanisms and controls to mitigate risk, and outline subject cloud, including workload, trust level of end users, the maintenance and testing procedures that will help ensure data protection requirements and more. For example, clouds ongoing risk mitigation. supporting email will have different security requirements than those supporting electronic Protected Health Documenting the plan Information (ePHI). IBM clients will benefit from a documented roadmap address- ing cloud security strategy. The plan should identify the types A gap assessment against security objectives and best practices of workloads or applications that are candidates for cloud will reveal strengths and weaknesses of the current security computing and should account for the legal, regulatory and architecture and processes. IBM experts will provide recom- security requirements. IBM will work with clients to plan for mendations for improvements and continuous security compensating controls to mitigate perceived risks, including measures to bridge the gaps. These can include the use of how to address identity and access management, and how to additional network security controls, modifications to existing balance security controls between the cloud provider and the security policies and procedures, implementation of new iden- subscriber. tity and access management controls, acquisition of managed security services for offloading critical security management Assessing cloud security with IBM tasks, or any number of other remediation steps. In addition to developing a strategy for cloud security, IBM can perform a cloud security assessment for public or In addition to a thorough review of the cloud security pro- private cloud offerings. This service can provide helpful due gram, IBM advises steady state technical testing of the cloud’s diligence for cloud providers, or help subscribers understand network infrastructure and supporting applications via remote the security posture of their provider’s cloud. penetration and application testing. This provides a “hacker’s eye” view of cloud components and provides insight into how cloud security weaknesses can significantly impact data and information protection.
IBM Global Technology Services 5 Why IBM? security services that enable a business-driven approach to To fully benefit from cloud computing, clients must ensure securing your cloud computing as well as your physical IT that data, applications and systems are properly secured so that environments. cloud infrastructure won’t expose the organization to risk. Cloud computing has the usual requirements of traditional IT IBM’s capabilities empower you to dynamically monitor and security, though it presents an added level of risk because of quantify security risks, enabling you to better: the external aspects of a cloud model. This can make it more difficult to maintain data integrity and privacy, support data ● Understand threats and vulnerabilities in terms of business and service availability, and demonstrate compliance. impact, ● Respond to security events with security controls that opti- Assessing the risks associated with cloud computing, such as mize business results, data integrity, recovery, privacy, and tenant isolation is critical ● Prioritize and balance your security investments. to the adoption of cloud technologies. These risks call for automated end-to-end security with a heavier emphasis on IBM also securely operates its own public clouds, including strong isolation, integrity and resiliency in order to provide IBM LotusLive™. IBM continuously invests in research and visibility, control and automation across the cloud computing development of stronger isolation at all levels of the network, infrastructure. server, hypervisor, process and storage infrastructure to sup- port massive multitenancy while mitigating risk. IBM helps clients put risk management strategies into action by transforming security from a cost of doing business to a Through world-class solutions that address risk across all way to improve the business. IBM draws from a broad portfo- aspects of your business, IBM is able to help you create an lio of consulting services, software and hardware and managed intelligent infrastructure that drives down costs, is secure, and is just as dynamic as today’s business climate. IBM cloud secu- rity solutions and services build on the strong foundation of the IBM security framework to extend benefits from tradi- tional IT environments to cloud computing environments.
For more information To learn more about the IBM Cloud Security Services, please contact your IBM marketing representative or IBM Business Partner, or visit the following website: ibm.com/cloud Additionally, financing solutions from IBM Global Financing © Copyright IBM Corporation 2010 Route 100 can enable effective cash management, protection from tech- Somers, NY 10589 U.S.A. nology obsolescence, improved total cost of ownership and Produced in the United States of America return on investment. Also, our Global Asset Recovery November 2010 Services help address environmental concerns with new, All Rights Reserved more energy-efficient solutions. For more information on IBM, the IBM logo, ibm.com and LotusLive are trademarks or IBM Global Financing, visit: ibm.com/financing registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml Other company, product or service names may be trademarks or service marks of others. Please Recycle SEW03022-USEN-01

More Related Content

PDF
Trust based Mechanism for Secure Cloud Computing Environment: A Survey
byinventionjournals
 
PDF
Cloud implementation security challenges
bybornresearcher
 
PPTX
Enterprise Security in Hybrid Cloud ISACA-SV 2012
bySymosis Security (Previously C-Level Security)
 
PDF
Whitepaper: Security of the Cloud
byCloudSmartz
 
PDF
Security of the Cloud
byEpoch Universal, Inc.
 
PDF
IRJET- Design and Analytical Study of Id Based Pixel Secured Cloud Enablem...
byIRJET Journal
 
PDF
Ijirsm poornima-km-a-survey-on-security-circumstances-for-mobile-cloud-computing
byIJIR JOURNALS IJIRUSA
 
PDF
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
byIRJET Journal
 
Trust based Mechanism for Secure Cloud Computing Environment: A Survey
byinventionjournals
 
Cloud implementation security challenges
bybornresearcher
 
Enterprise Security in Hybrid Cloud ISACA-SV 2012
bySymosis Security (Previously C-Level Security)
 
Whitepaper: Security of the Cloud
byCloudSmartz
 
Security of the Cloud
byEpoch Universal, Inc.
 
IRJET- Design and Analytical Study of Id Based Pixel Secured Cloud Enablem...
byIRJET Journal
 
Ijirsm poornima-km-a-survey-on-security-circumstances-for-mobile-cloud-computing
byIJIR JOURNALS IJIRUSA
 
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
byIRJET Journal
 

What's hot

PDF
International journal of computer science and innovation vol 2015-n2-paper4
bysophiabelthome
 
PDF
IRJET- Model-Driven Platform for Service Security and Framework for Data ...
byIRJET Journal
 
PDF
Cloud computing security issues and challenges
byKresimir Popovic
 
PDF
Data Security Model Enhancement In Cloud Environment
byIOSR Journals
 
PDF
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
byIJIR JOURNALS IJIRUSA
 
DOC
report on Mobile security
byJAYANT RAJURKAR
 
PDF
APPLYING GEO-ENCRYPTION AND ATTRIBUTE BASED ENCRYPTION TO IMPLEMENT SECURE AC...
byIJCNCJournal
 
PDF
Security in Cloud Computing For Service Delivery Models: Challenges and Solut...
byIJERA Editor
 
PDF
Various Security Issues and their Remedies in Cloud Computing
byINFOGAIN PUBLICATION
 
PPTX
Cloud Security for U.S. Military Agencies
byNJVC, LLC
 
PDF
Enterprise Security Architecture: From access to audit
byBob Rhubart
 
PDF
Security in a Virtualised Computing
byIOSR Journals
 
PDF
Trusted computing for infrastructure
byEricsson
 
PDF
CLOUD STEGANOGRAPHY- A REVIEW
byJournal For Research
 
PDF
An study of security issues & challenges in cloud computing
byijsrd.com
 
PPTX
Cloud Audit and Compliance
byQuadrisk
 
PDF
IRJET- Authentication and Access Control for Cloud Computing Comparing Proble...
byIRJET Journal
 
PDF
Mergers and Acquisition Security - Areas of Interest
byMatthew Rosenquist
 
PPTX
CCSK Certificate of Cloud Computing Knowledge - overview
byPeter HJ van Eijk
 
International journal of computer science and innovation vol 2015-n2-paper4
bysophiabelthome
 
IRJET- Model-Driven Platform for Service Security and Framework for Data ...
byIRJET Journal
 
Cloud computing security issues and challenges
byKresimir Popovic
 
Data Security Model Enhancement In Cloud Environment
byIOSR Journals
 
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
byIJIR JOURNALS IJIRUSA
 
report on Mobile security
byJAYANT RAJURKAR
 
APPLYING GEO-ENCRYPTION AND ATTRIBUTE BASED ENCRYPTION TO IMPLEMENT SECURE AC...
byIJCNCJournal
 
Security in Cloud Computing For Service Delivery Models: Challenges and Solut...
byIJERA Editor
 
Various Security Issues and their Remedies in Cloud Computing
byINFOGAIN PUBLICATION
 
Cloud Security for U.S. Military Agencies
byNJVC, LLC
 
Enterprise Security Architecture: From access to audit
byBob Rhubart
 
Security in a Virtualised Computing
byIOSR Journals
 
Trusted computing for infrastructure
byEricsson
 
CLOUD STEGANOGRAPHY- A REVIEW
byJournal For Research
 
An study of security issues & challenges in cloud computing
byijsrd.com
 
Cloud Audit and Compliance
byQuadrisk
 
IRJET- Authentication and Access Control for Cloud Computing Comparing Proble...
byIRJET Journal
 
Mergers and Acquisition Security - Areas of Interest
byMatthew Rosenquist
 
CCSK Certificate of Cloud Computing Knowledge - overview
byPeter HJ van Eijk
 

Viewers also liked

PDF
Securing virtualization in real world environments
byArun Gopinath
 
PDF
Realizing business value with iam
byArun Gopinath
 
PDF
Rewriting the rules of patch management
byArun Gopinath
 
PDF
Ibm xiv storage your ideal cloud building block
byArun Gopinath
 
PDF
Secure by design building id based security
byArun Gopinath
 
PDF
Ibm app security assessment_ds
byArun Gopinath
 
PDF
Centralizing security on the mainframe
byArun Gopinath
 
PDF
Cloud computing white paper who do you trust
byArun Gopinath
 
PDF
Secure by design
byArun Gopinath
 
PPT
2011)
bypineapple8705
 
PPTX
Brandy lee tuhiwai pp
bylesleymccardle
 
PDF
Innovator cx brochure
byFreddy Viera Espinoza
 
PPTX
Link Building With Twitter
byAman Talwar
 
PDF
Ba759 e70 4b70-45e3-896deb1f6574f53e
byCarlos Carvalho
 
PPTX
S6 w2 linear regression
byRachel Chung
 
PDF
2013 Annual Genio Italiano /// Artigiani della creatività!
byTunnel Studios
 
ODP
市政報告会プレゼン- 2015.02.07 長野市議会議員・小泉一真
by長野市議会議員小泉一真
 
PDF
Newsletter digital
byNalacity Shop
 
Securing virtualization in real world environments
byArun Gopinath
 
Realizing business value with iam
byArun Gopinath
 
Rewriting the rules of patch management
byArun Gopinath
 
Ibm xiv storage your ideal cloud building block
byArun Gopinath
 
Secure by design building id based security
byArun Gopinath
 
Ibm app security assessment_ds
byArun Gopinath
 
Centralizing security on the mainframe
byArun Gopinath
 
Cloud computing white paper who do you trust
byArun Gopinath
 
Secure by design
byArun Gopinath
 
2011)
bypineapple8705
 
Brandy lee tuhiwai pp
bylesleymccardle
 
Innovator cx brochure
byFreddy Viera Espinoza
 
Link Building With Twitter
byAman Talwar
 
Ba759 e70 4b70-45e3-896deb1f6574f53e
byCarlos Carvalho
 
S6 w2 linear regression
byRachel Chung
 
2013 Annual Genio Italiano /// Artigiani della creatività!
byTunnel Studios
 
市政報告会プレゼン- 2015.02.07 長野市議会議員・小泉一真
by長野市議会議員小泉一真
 
Newsletter digital
byNalacity Shop
 

Similar to Strategies for assessing cloud security

PPTX
Cloud securityperspectives cmg
byNeha Dhawan
 
PDF
IBM Point of View: Security and Cloud Computing
byIBM India Smarter Computing
 
PDF
IBM Point of view -- Security and Cloud Computing (Tivoli)
byIBM India Smarter Computing
 
PDF
How Secure Is Cloud
byWilliam Lam
 
PDF
Asset 1 security-in-the-cloud
bydrewz lin
 
PDF
Cloud Security: Perception VS Reality
byKVH Co. Ltd.
 
PPT
Legal And Regulatory Issues Cloud Computing...V2.0
byDavid Spinks
 
PDF
Cloudsecurity
bydrewz lin
 
PDF
Cloud Security Guidance: IBM Recommendations For The Implementation Of Cloud ...
byIBM India Smarter Computing
 
PPTX
Cloud Security: A matter of trust?
byMark Williams
 
PPTX
Cloud computing Risk management
byPadma Jella
 
PPTX
Extending security in the cloud network box - v4
byValencell, Inc.
 
PDF
Security in the cloud planning guide
byYury Chemerkin
 
PDF
Migrating to Cloud? 5 motivations and 10 key security architecture considerat...
byYew Weisin
 
PPTX
Cloud Computing Unveiled: Challenges, Security Frameworks, and Best Practices
byBoston Institute of Analytics
 
PDF
It auditing to assure a secure cloud computing
byingenioustech
 
PDF
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
byShah Sheikh
 
PDF
Security Issues for Cloud Applications
byGuillermo Remache
 
PPTX
cloud computer security fundamentals Unit-5.pptx
bySuryaBasnet3
 
DOCX
Issue identification cloud computing
bygirish0984
 
Cloud securityperspectives cmg
byNeha Dhawan
 
IBM Point of View: Security and Cloud Computing
byIBM India Smarter Computing
 
IBM Point of view -- Security and Cloud Computing (Tivoli)
byIBM India Smarter Computing
 
How Secure Is Cloud
byWilliam Lam
 
Asset 1 security-in-the-cloud
bydrewz lin
 
Cloud Security: Perception VS Reality
byKVH Co. Ltd.
 
Legal And Regulatory Issues Cloud Computing...V2.0
byDavid Spinks
 
Cloudsecurity
bydrewz lin
 
Cloud Security Guidance: IBM Recommendations For The Implementation Of Cloud ...
byIBM India Smarter Computing
 
Cloud Security: A matter of trust?
byMark Williams
 
Cloud computing Risk management
byPadma Jella
 
Extending security in the cloud network box - v4
byValencell, Inc.
 
Security in the cloud planning guide
byYury Chemerkin
 
Migrating to Cloud? 5 motivations and 10 key security architecture considerat...
byYew Weisin
 
Cloud Computing Unveiled: Challenges, Security Frameworks, and Best Practices
byBoston Institute of Analytics
 
It auditing to assure a secure cloud computing
byingenioustech
 
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
byShah Sheikh
 
Security Issues for Cloud Applications
byGuillermo Remache
 
cloud computer security fundamentals Unit-5.pptx
bySuryaBasnet3
 
Issue identification cloud computing
bygirish0984
 

Recently uploaded

PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
PDF
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
PDF
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
PDF
AI for Risk Management & Fraud Detection ppt.pdf
byalexmartincaneda
 
PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
PDF
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PDF
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
PDF
How to build hackthon projects from ZERO!
byishantyadav1111
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
PDF
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
PPTX
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
PDF
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
PPTX
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
PPTX
NTG - Data Center Management System Software
byMustafa Kuğu
 
PDF
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
AI for Risk Management & Fraud Detection ppt.pdf
byalexmartincaneda
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
How to build hackthon projects from ZERO!
byishantyadav1111
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
NTG - Data Center Management System Software
byMustafa Kuğu
 
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 

Strategies for assessing cloud security

  • 1.
    IBM Global TechnologyServices November 2010 Thought Leadership White Paper Strategies for assessing cloud security
  • 2.
    2 Securing the cloud: from strategy development to ongoing assessment Executive summary compliance. Even if IT workloads are transitioned to the Cloud computing provides flexible, cost-effective delivery of cloud, users are still responsible for compliance and data secu- business or consumer IT services over the Internet. Cloud rity. As a result, subscribers must establish trust relationships resources can be rapidly deployed and easily scaled, with all with their cloud providers and understand the risk posed by processes, applications, and services provisioned on demand, public and/or private cloud computing environments. regardless of the user location or device. As a result, cloud computing helps organizations improve service delivery, Security challenges in the cloud—the streamline IT management and better align IT services with need for a trusted third party evaluation dynamic business requirements. Cloud computing can also One of the most significant differences between cloud simultaneously support core business functions and provide security and traditional IT security stems from the sharing of capacity for new and innovative services. infrastructure on a massive scale. Users spanning different cor- porations and trust levels often interact with the same set of Both public and private cloud models, or a hybrid approach computing resources. And public cloud services are increas- using both models, are now in use. Available to anyone with ingly being offered by a chain of providers—all storing and Internet access, public clouds are acquired as a service and processing data externally in multiple unspecified locations. paid for on a per-usage basis or by subscription. Private clouds are owned and used by a single organization. They offer many Inside the cloud, it is difficult to physically locate where data is of the same benefits as public clouds, but give the owner stored. Security processes that were once visible are now hid- greater flexibility and control. den behind layers of abstraction. This lack of visibility can cause concerns about data exposure and compromise, service Although the benefits of cloud computing are clear, so is the reliability, ability to demonstrate compliance and meet SLAs, need to develop proper security for cloud implementations— and overall security management. whether public or private. Embracing cloud computing with- out adequate security controls can place the entire IT Visibility can be especially critical for compliance. The infrastructure at risk. Cloud computing introduces another Sarbanes-Oxley Act, the Health Insurance Portability and level of risk because essential services are often outsourced to Accountability Act (HIPAA), European privacy laws, and many a third party, making it harder to maintain data integrity and privacy, support data and service availability, and demonstrate
  • 3.
    IBM Global TechnologyServices 3 other regulations require comprehensive auditing capabilities. Developing a strategic cloud security Many public clouds may indeed be a black box to the sub- roadmap with IBM scriber, thus clients may not be able to demonstrate compli- There is no one-size-fits-all model for security in the cloud. ance. (A private or hybrid cloud, on the other hand, can be Organizations have different security requirements that are configured to meet those requirements.) determined by the unique characteristics of the business work- load they intend to migrate to the cloud or the services they In addition, providers are sometimes required to support are providing from their cloud. It is important when evaluat- third-party audits, or support e-Discovery initiatives and ing risk in a cloud computing model, that a cloud security forensic investigations. This adds even more importance to strategy be developed. maintaining proper visibility into the cloud. Legal discovery of a co-tenant’s data may affect the confidentiality of other ten- By partnering with IBM, clients can benefit from proven ants’ data if the data is not properly segmented. This may assessment methodologies and best practices that help mean that some sensitive data may not be appropriate for cer- ensure consistent, reliable results. They can also leverage com- tain cloud environments. prehensive frameworks that address enterprise cloud strategy, implementation and management in a holistic approach that Organizations considering cloud-based services must under- maximizes the business value of cloud investments while mini- stand the associated risks and ensure appropriate visibility. mizing business risk. IBM guidelines for securing cloud implementations focus on the following areas: Defining business and IT strategy The first step to understanding security risks posed by a cloud ● Building a security program computing model is to analyze business and IT strategies. ● Confidential data protection What is the value of the information that will be stored, ● Implementing strong access and identity accessed and transmitted via the cloud? Is it business critical ● Application provisioning and de-provisioning and/or confidential? Is it subject to regulatory compliance? ● Governance audit management Clients must also consider availability requirements. After ● Vulnerability management determining the business and IT strategy and evaluating the ● Testing and validation data, clients can make a more informed, risk-based decision about which cloud computing model to pursue. Because cloud computing is available in several service models (and hybrids of these models), each presents different levels of responsibility for security management. Trusted third parties can help companies apply cloud security best practices to their specific business needs.
  • 4.
    4 Securing the cloud: from strategy development to ongoing assessment Identifying the risks The IBM cloud security assessment reviews cloud architecture Each type of cloud—public, private and hybrid—carries a from a security standpoint, including policies and processes for different level of IT security risk. Security experts from data access and storage. IBM security experts assess the cur- IBM can help clients identify the vulnerabilities, threats and rent state of cloud security against best practices, and against other values at risk based on public, private or hybrid cloud providers’ own security objectives. Security requirements and architecture. From there, IBM will work with clients to design best practices criteria is based on unique characteristics of the initial mechanisms and controls to mitigate risk, and outline subject cloud, including workload, trust level of end users, the maintenance and testing procedures that will help ensure data protection requirements and more. For example, clouds ongoing risk mitigation. supporting email will have different security requirements than those supporting electronic Protected Health Documenting the plan Information (ePHI). IBM clients will benefit from a documented roadmap address- ing cloud security strategy. The plan should identify the types A gap assessment against security objectives and best practices of workloads or applications that are candidates for cloud will reveal strengths and weaknesses of the current security computing and should account for the legal, regulatory and architecture and processes. IBM experts will provide recom- security requirements. IBM will work with clients to plan for mendations for improvements and continuous security compensating controls to mitigate perceived risks, including measures to bridge the gaps. These can include the use of how to address identity and access management, and how to additional network security controls, modifications to existing balance security controls between the cloud provider and the security policies and procedures, implementation of new iden- subscriber. tity and access management controls, acquisition of managed security services for offloading critical security management Assessing cloud security with IBM tasks, or any number of other remediation steps. In addition to developing a strategy for cloud security, IBM can perform a cloud security assessment for public or In addition to a thorough review of the cloud security pro- private cloud offerings. This service can provide helpful due gram, IBM advises steady state technical testing of the cloud’s diligence for cloud providers, or help subscribers understand network infrastructure and supporting applications via remote the security posture of their provider’s cloud. penetration and application testing. This provides a “hacker’s eye” view of cloud components and provides insight into how cloud security weaknesses can significantly impact data and information protection.
  • 5.
    IBM Global TechnologyServices 5 Why IBM? security services that enable a business-driven approach to To fully benefit from cloud computing, clients must ensure securing your cloud computing as well as your physical IT that data, applications and systems are properly secured so that environments. cloud infrastructure won’t expose the organization to risk. Cloud computing has the usual requirements of traditional IT IBM’s capabilities empower you to dynamically monitor and security, though it presents an added level of risk because of quantify security risks, enabling you to better: the external aspects of a cloud model. This can make it more difficult to maintain data integrity and privacy, support data ● Understand threats and vulnerabilities in terms of business and service availability, and demonstrate compliance. impact, ● Respond to security events with security controls that opti- Assessing the risks associated with cloud computing, such as mize business results, data integrity, recovery, privacy, and tenant isolation is critical ● Prioritize and balance your security investments. to the adoption of cloud technologies. These risks call for automated end-to-end security with a heavier emphasis on IBM also securely operates its own public clouds, including strong isolation, integrity and resiliency in order to provide IBM LotusLive™. IBM continuously invests in research and visibility, control and automation across the cloud computing development of stronger isolation at all levels of the network, infrastructure. server, hypervisor, process and storage infrastructure to sup- port massive multitenancy while mitigating risk. IBM helps clients put risk management strategies into action by transforming security from a cost of doing business to a Through world-class solutions that address risk across all way to improve the business. IBM draws from a broad portfo- aspects of your business, IBM is able to help you create an lio of consulting services, software and hardware and managed intelligent infrastructure that drives down costs, is secure, and is just as dynamic as today’s business climate. IBM cloud secu- rity solutions and services build on the strong foundation of the IBM security framework to extend benefits from tradi- tional IT environments to cloud computing environments.
  • 6.
    For more information Tolearn more about the IBM Cloud Security Services, please contact your IBM marketing representative or IBM Business Partner, or visit the following website: ibm.com/cloud Additionally, financing solutions from IBM Global Financing © Copyright IBM Corporation 2010 Route 100 can enable effective cash management, protection from tech- Somers, NY 10589 U.S.A. nology obsolescence, improved total cost of ownership and Produced in the United States of America return on investment. Also, our Global Asset Recovery November 2010 Services help address environmental concerns with new, All Rights Reserved more energy-efficient solutions. For more information on IBM, the IBM logo, ibm.com and LotusLive are trademarks or IBM Global Financing, visit: ibm.com/financing registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml Other company, product or service names may be trademarks or service marks of others. Please Recycle SEW03022-USEN-01