More Related Content
Similar to Presentation cloud security the grand challenge (20)
Presentation cloud security the grand challenge
- 1. © 2010 IBM Corporation
CLOUD SECURITY: THE GRAND CHALLENGE
Glen Gooding
Asia Pacific Security Leader
IBM Corporation
ggooding@au1.ibm.com
Government Ware: GovWare Singapore September 29, 2010
- 2. © 2010 IBM Corporation
Rest safe: Google saves the day
- 3. © 2010 IBM Corporation
Agenda
Components of Cloud Market
Basic Security Concepts – Today and tomorrow
IBM’s vision of a Security Framework
IBM Cloud Security Guidance
Conceptual findings from Security Framework
Government Authentication Cloud Example
3
- 4. © 2010 IBM Corporation4
Workloads Most Considered for Cloud Delivery
Top private workloads
Database, application and
infrastructure workloads
emerge as most appropriate
Data mining, text mining, or other analytics
Security
Data warehouses or data marts
Business continuity and disaster recovery
Test environment infrastructure
Long-term data archiving/preservation
Transactional databases
Industry-specific applications
ERP applications
Top public workloads
Infrastructure and
collaboration workloads
emerge as most appropriate
Audio/video/Web conferencing
Service help desk
Infrastructure for training and demonstration
WAN capacity and VoIP infrastructure
Desktop
Test environment infrastructure
Storage
Data center network capacity
Server
Source: IBM Market Insights, Cloud Computing Research, July 2009. n=1,090
- 5. © 2010 IBM Corporation5
The Cloud
Curtain
The Cloud
Curtain
Curtain
CLOUD MODEL APPLIES AT ALL LEVELS OF THE IT STACK –
5
Resulting in Different Security Requirements, Different Responsibilities
- 6. © 2010 IBM Corporation
WHAT IS CLOUD SECURITY?
There is nothing new under the sun
but there are lots of old things we don't know.
Ambrose Bierce, The Devil's Dictionary
Software as a Service
Utility Computing
Grid Computing
Cloud Computing
Confidentiality, Integrity, Availability
of business-critical IT assets
Stored or processed on a cloud
computing platform
6
- 7. © 2010 IBM Corporation
CLOUD SECURITY: SIMPLE
EXAMPLE
?
We Have Control
It’s located at X.
It’s stored in server’s Y, Z.
We have backups in place.
Our admins control access.
Our uptime is sufficient.
The auditors are happy.
Our security team is engaged.
Who Has Control?
Where is it located?
Where is it stored?
Who backs it up?
Who has access?
How resilient is it?
How do auditors observe?
How does our security
team engage?
?
?
?
?
?
Today’s Data Center Tomorrow’s Public Cloud
CLOUD SECURITY: SIMPLE EXAMPLE
7
- 8. © 2010 IBM Corporation
Compliance
Complying with
regulations may prohibit the
use of clouds for some
applications.
Reliability
High availability will be a key concern.
IT departments will worry about a loss
of service should outages occur.
Control
Many companies and governments
are uncomfortable with the idea of
their information located on
systems they do not control.
Security Management
Even the simplest of tasks may be
behind layers of abstraction or
performed by someone else.
Data
Migrating workloads to a shared
network and compute infrastructure
increases the potential for
unauthorized exposure.
Providers must offer a high degree
of security transparency to help
put customers at ease.
Authentication and access
technologies become
increasingly important.
Mission critical applications
may not run in the cloud
without strong availability
guarantees.
Comprehensive auditing
capabilities are essential.
Providers must supply easy controls to
manage security settings for
application and runtime environments.
CATEGORIES OF CLOUD COMPUTING RISKS
8
- 9. © 2010 IBM Corporation
IBM SECURITY FRAMEWORK
Built to meet four key requirements:
Provide Assurance
Enable Intelligence
Automate Process
Improve Resilience
Introducing the IBM
Security Framework
and IBM Security
Blueprint to Realize
Business-Driven
Security;
IBM RedGuide
REDP-4528-00, July
2009
9
- 10. © 2010 IBM Corporation
IBM approach to security on a Smart Planet…
Secure by Design
Intelligence
Standards
Assurance
Governance
Enable trust and confidence in IT through
software and system assurance
Stay ahead of the threat by monitoring
the attack landscape and anticipating
new threats
Enable security and privacy with an
open, standards-based architectural
approach
Provide visibility, control and automation
through CoBIT and ITIL-based service
management
Open standards leadership in DMTF,
IETF, OASIS, TCG, W3C, …
SOA & Web Services Security
IBM Security Blueprint
IBM Trusted Identity
Fine-grained Security
Trusted Virtual Data Center
UK/US ITA, IBM OCR, EU FP7 open research
IBM Service Management Platform –
asset management, problem &
incident management, change &
release management, etc.
IBM Process Reference Model for IT
(PRM-IT)
IBM Rational Unified Process
Patch management for virtual images
IBM Integrated Product Development Process
System z Integrity Statement
Trusted Foundry
IBM High Assurance Platform
Continuous Software Quality
IBM Secure Blue
IBM X-Force
IBM Managed Security Services
System S Event & Streaming System
High Performance Computing
Information Risk & Compliance
Smart Surveillance
Foundational
Controls
PoweredbyIBMResearch
10
- 11. © 2010 IBM Corporation
TYPICAL CLIENT SECURITY REQUIREMENTS
•Governance, Risk Management,
•Compliance
•3rd-party audit
(SAS 70(2), ISO27001/2, PCI)
•Client access to tenant-specific log
and audit data
•Effective incident reporting for tenants
•Visibility into change, incident, image
management, etc.
•SLAs, option to transfer risk from tenant
to provider
•Support for forensics
•Support for e-Discovery
•Application and Process
•Application security requirements for
cloud are phrased in terms of image
security
•Compliance with secure development
best practices
•Physical
•Monitoring and control of physical
access
• People and Identity
• Privileged user monitoring, including
logging activities, physical monitoring and
background checking
• Federated identity / onboarding:
Coordinating authentication and
authorization with enterprise or third party
systems
• Standards-based SSO
• Data and Information
• Data segregation
• Client control over geographic location
of data
• Government: Cloud-wide data classification
• Network, Server, Endpoint
• Isolation between tenant domains
• Trusted virtual domains: policy-based
security zones
• Built-in intrusion detection and
prevention
• Vulnerability Management
• Protect machine images from
corruption and abuse
• Government: MILS-type separation
Based on interviews with clients and various analyst reports
11
- 12. © 2010 IBM Corporation
Based on cross-IBM research on cloud security
Highlights a series of best practice controls that should be implemented
Broken into 7 critical infrastructure components:
– Building a Security Program
– Confidential Data Protection
– Implementing Strong Access and Identity
– Application Provisioning and De-provisioning
– Governance Audit Management
– Vulnerability Management
– Testing and Validation
IBM CLOUD SECURITY GUIDANCE DOCUMENT
12
- 13. © 2010 IBM Corporation
Customers require visibility into the
security posture of their cloud.
Establish 3rd-party audits (ISO27001, PCI)
Provide access to tenant-specific log and audit data
Create effective incident reporting for tenants
Visibility into change, incident, image management, etc.
Understand applicable regional, national and international
laws
Support for forensics and e-Discovery
Implement a governance and audit management program
Security governance, risk management and complianceSecurity governance, risk management and compliance
IBM Security Framework
IBM Cloud Security
Guidance Document
13
- 14. © 2010 IBM Corporation
Customers require proper authentication
of cloud users.
Privileged user monitoring, including logging activities,
physical monitoring and background checking
Utilize federated identity to coordinate authentication and
authorization with enterprise or third party systems
A standards-based, single sign-on capability
Implement strong identity and access management
IBM Security Framework
IBM Cloud Security
Guidance Document
People and IdentityPeople and Identity
14
- 15. © 2010 IBM Corporation
Customers cite data protection as their
most important concern within the cloud.
Use a secure network protocol when connecting to a
secure information store.
Implement a firewall to isolate confidential information,
and ensure that all confidential information is stored
behind the firewall.
Sensitive information not essential to the business
should be securely destroyed.
Ensure confidential data protection
IBM Security Framework
IBM Cloud Security
Guidance Document
Data and InformationData and Information
15
- 16. © 2010 IBM Corporation
Customers require secure cloud
applications and provider processes.
Implement a program for application and image
provisioning.
Develop all Web based applications using secure
coding guidelines.
Ensure external facing Web applications are black box
tested
A secure application testing program should be
implemented.
Ensure all changes to virtual images and applications
are logged.
Establish application and environment provisioning
IBM Security Framework
IBM Cloud Security
Guidance Document
Application and ProcessApplication and Process
16
- 17. © 2010 IBM Corporation
Customers expect a secure cloud
operating environment.
.
Implement vulnerability scanning, anti-virus, intrusion
detection and prevention on all appropriate images
Ensure isolation exists between tenant domains
Trusted virtual domains: policy-based security zones
Ensure provisioning management is strictly controlled
Protect machine images from corruption and abuse
Ensure provisioned images apply appropriate access
rights
Ensure destruction of outdated images
Maintain environment testing and vulnerability/intrusion management
IBM Security Framework
IBM Cloud Security
Guidance Document
Network, Server and End PointNetwork, Server and End Point
17
- 18. © 2010 IBM Corporation
Customers expect cloud data centers to
be physically secure.
.
Ensure the facility has appropriate controls to monitor
access.
Prevent unauthorized entrance to critical areas within
facilities e.g. servers, routers, storage, power supplies
Biometric access of employees
Ensure that all employees with direct access to
systems have full background checks.
Provide adequate protection against natural disasters.
Implement a physical environment security plan
IBM Security Framework
IBM Cloud Security
Guidance Document
Physical SecurityPhysical Security
18
- 19. © 2010 IBM Corporation
Customers want to hear how IBM can deliver
secure Government cloud solutions.
.
Enterprise wide Government security and compliance
Database security compliance
Virtualization and security implication
IBM’s involvement in Government Cloud Solutions
A Real Use Case
Areas of expertise IBM can deliver on
IBM Security Framework
IBM Cloud Security
Guidance Document
My thoughts on critical componentsMy thoughts on critical components
19
- 20. © 2010 IBM Corporation
Integrated service
lifecycle mgmt.
Expose resources “as-
a-Service”.
Integrated Security
infrastructure.
Rapid provisioning of IT
resources, massive
scaling.
Dynamic service mgmt.
Energy saving via auto
workload distribution.
Rapid deployment of
infrastructure and
applications.
Request-driven service
management.
Service Catalog.
Virtualization.
Better hardware
utilization.
Improved IT agility.
Server Consolidation.
Streamline Operations – manage
physical and virtual systems.
Lower power consumption.
Cloud
Computing
Virtualization – First Step in Journey to Cloud Computing
20
- 21. © 2010 IBM Corporation
Resource sharing
——————————
Single point of failure
——————————
Loss of visibility
MORE COMPONENTS = MORE EXPOSURE
Traditional Threats
Virtual server sprawl
——————————
Dynamic state
——————————
Dynamic relocation
Stealth rootkits
Management
Vulnerabilities
——————————
Secure storage of VMs
and the management
data
——————————
Requires new
skill sets
——————————
Insider threat
New threats to VM
environments
Traditional threats can attack
VMs just like real systems
Security Challenges with Virtualization: New Risks
21
- 22. © 2010 IBM Corporation
Server and Network Convergence
22
- 23. © 2010 IBM Corporation
Cloud compliance: Security Information and Event Management
Single, integrated product
Log Management Reporting
Unique ability to monitor user behavior
Enterprise compliance dashboard
Compliance management modules and
regulation-specific reports
Broadest, most complete log and audit trail
capture capability
W7 log normalization translates your logs into
business terms
Easy ability to compare behavior to regulatory
and company policies
Multi-tennancy support through scoping
Key Features
How to provide a single, integrated product
that delivers insider threat, audit and
compliance.
24
- 24. © 2010 IBM Corporation
Real-Time Database Security & Monitoring
• Non-invasive
• No DBMS changes
• Minimal impact
• Does not rely on traditional DBMS-resident
logs that can easily be disabled by DBAs
• Granular policies & monitoring
• Who, what, when, how
• Real-time alerting
• Monitors all activities including local access
by privileged users
DB2DB2
SQL
Server
SQL
Server
25
- 25. © 2010 IBM Corporation
Cloud based Authentication Hub
Australian Federal Government
26
- 26. © 2010 IBM CorporationIBM Insight Forum 09 ®
In a browser, hit
http://www.australia.gov.au
27
- 27. © 2010 IBM CorporationIBM Insight Forum 09 ®
Click
Login to myaccount
28
- 28. © 2010 IBM Corporation
IBM Insight Forum 09 ®
Provide your
logon details
29
- 29. © 2010 IBM CorporationIBM Insight Forum 09 ®
30
- 30. © 2010 IBM CorporationIBM Insight Forum 09 ®
Provide the correct answer to
your previously registered secret
question
31
- 31. © 2010 IBM CorporationIBM Insight Forum 09 ®
And have access to
Centrelink and Medicare
I am now
authenticated
32
- 32. © 2010 IBM CorporationIBM Insight Forum 09 ®
Clicking on the Medicare link,
takes me to Medicare’s site
33
- 33. © 2010 IBM CorporationIBM Insight Forum 09 ®
Return to myaccount page
34
- 34. © 2010 IBM CorporationIBM Insight Forum 09 ®
I have access to Centrelink
and Medicare
35
- 35. © 2010 IBM CorporationIBM Insight Forum 09 ®
Clicking on the Centrelink link,
takes me to Centrelink’s site
Return to myaccount page
36
- 36. © 2010 IBM CorporationIBM Insight Forum 09 ®
37
- 37. © 2010 IBM Corporation
SUMMARY
• “Cloud” is a new consumption and delivery model inspired by consumer
Internet services.
• Security Remains the Top Concern for Cloud Adoption
• One sized security doesn’t fit all
• Take a structured approach to securing your cloud environment
• Documented guidance is available for download to assist you in securing your
cloud environment
• IBM has a view from End to End when it addresses your security needs
38
- 38. © 2010 IBM Corporation
ONE voice for
security.
IBM SECURITYIBM SECURITY
SOLUTIONSSOLUTIONS
INNOVATIVE
products and services.
IBM SECURITYIBM SECURITY
FRAMEWORKFRAMEWORK
COMMITTED to the vision
of a Secure Smarter Planet.
SECURE BYSECURE BY
DESIGNDESIGN
Thank You.
39