
IBM Security Systems

Addressing Cloud Security: The Grand Challenge

sreekanth.iyer@in.ibm.com Senior IT Architect, IBM Security Solutions

2012 IBM Corporation

Cloud Security Agenda


- Risks & Challenges
- IBM's Point of View
- Mitigation Strategy
- Technologies & Tools

Copyright IBM Corp. 2004, 2010. All Rights Reserved.

Security is a top concern in cloud adoption


- There is universal interest in cloud computing across all industries and geographies
- #1 reason to move to a public cloud is lower total cost of ownership
- Top reasons for moving to a private cloud include cost/resource efficiencies, as well as enhancing speed and flexibility
- Security concerns are the top barrier to adoption of both public and private clouds
- Experience managing large outsourcing engagements gives IBM the tools to manage customers' top cloud concerns
- Three distinctive end-user cloud buying patterns are emerging: exploratory, solution-focused and transformational
- There are reports that public clouds are being adopted faster than originally forecast

Cost Take-out is Key Driver

Security is Top Concern

Adoption Patterns are Emerging


Cloud computing tests the limits of security operations and infrastructure

To cloud: Self-Service, Highly Virtualized, Location Independence, Workload Automation, Rapid Elasticity, Standardization

Security and Privacy Domains
- People and Identity: Multiple Logins, Onboarding Issues
- Data and Information: Multi-tenancy, Data Separation
- Application and Process: External Facing, Quick Provisioning
- Network, Server and Endpoint: Virtualization, Network Isolation
- Physical Infrastructure: Provider Controlled, Lack of Visibility
- Governance, Risk and Compliance: Audit Silos, Compliance Controls

In a cloud environment, access expands, responsibilities change, control shifts, and the speed of provisioning resources and applications increases - greatly affecting all aspects of IT security.

Different cloud deployment models also change the way we think about security

Private cloud
On or off premises cloud infrastructure operated solely for an organization and managed by the organization or a third party

Hybrid IT
Traditional IT and clouds (public and/or private) that remain separate but are bound together by technology that enables data and application portability

Public cloud
Available to the general public or a large industry group and owned by an organization selling cloud services.

Changes in Security and Privacy

Private cloud
- Customer responsibility for infrastructure
- More customization of security controls
- Good visibility into day-to-day operations
- Easy to access logs and policies
- Applications and data remain inside the firewall

Public cloud
- Provider responsibility for infrastructure
- Less customization of security controls
- No visibility into day-to-day operations
- Difficult to access logs and policies
- Applications and data are publicly exposed


Summary - Categories of Cloud Computing Risks

Less Control
Many companies and governments are uncomfortable with the idea of their information located on systems they do not control. Providers must offer a high degree of security transparency to help put customers at ease.

Reliability
High availability will be a key concern. IT departments will worry about a loss of service should outages occur. Mission critical applications may not run in the cloud without strong availability guarantees.

Data Security
Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Authentication and access technologies become increasingly important.

Compliance
Complying with SOX, HIPAA and other regulations may prohibit the use of clouds for some applications. Comprehensive auditing capabilities are essential.

Security Management
Providers must supply easy controls to manage firewall and security settings for applications and runtime environments in the cloud.

IBM Point of View: Cloud can be made secure for business


As with most new technology paradigms, security concerns surrounding cloud computing have become the most widely talked about inhibitor of widespread usage. To gain the trust of organizations, cloud services must deliver security and privacy that meet or exceed what is available in traditional IT environments. This is the same way transformational technologies of the past (PCs, outsourcing, the Internet) overcame concerns.

[Figure: Security and Privacy Expectations, Traditional IT vs. In the Cloud; label: Trust]


One size does not fit all: Different cloud types have different security responsibilities

[Figure: The Cloud Curtain]


Adoption patterns are emerging for successfully beginning and progressing cloud initiatives
- Infrastructure as a Service (IaaS): Cut IT expense and complexity through cloud data centers
- Platform-as-a-Service (PaaS): Accelerate time to market with cloud platform services
- Innovate business models by becoming a cloud service provider
- Software as a Service (SaaS): Gain immediate access with business solutions on cloud


Each pattern has its own set of key security concerns


Cloud Enabled Data Center
Infrastructure as a Service (IaaS): Cut IT expense and complexity through cloud data centers
Integrated service management, automation, provisioning, self service
Key security focus: Infrastructure and Identity
- Manage datacenter identities
- Secure virtual machines
- Patch default images
- Monitor logs on all resources
- Network isolation

Cloud Platform Services
Platform-as-a-Service (PaaS): Accelerate time to market with cloud platform services
Pre-built, pre-integrated IT infrastructures tuned to application-specific needs
Key security focus: Applications and Data
- Secure shared databases
- Encrypt private information
- Build secure applications
- Keep an audit trail
- Integrate existing security

Cloud Service Provider
Innovate business models by becoming a cloud service provider
Advanced platform for creating, managing, and monetizing cloud services
Key security focus: Data and Compliance
- Isolate cloud tenants
- Policy and regulations
- Manage security operations
- Build compliant data centers
- Offer backup and resiliency

Business Solutions on Cloud
Software as a Service (SaaS): Gain immediate access with business solutions on cloud
Capabilities provided to consumers for using a provider's applications
Key security focus: Compliance and Governance
- Harden exposed applications
- Securely federate identity
- Deploy access controls
- Encrypt communications
- Manage application policies

Security Intelligence: threat intelligence, user activity monitoring, real-time insights


IBM has a broad portfolio of products and services to help satisfy our customers' most pressing security requirements

IBM Cloud Security

One Size Does Not Fit All

Different security controls are appropriate for different cloud needs - the challenge becomes one of integration, coexistence, and recognizing what solution is best for a given workload.


Our approach to delivering security aligns with each phase of a client's cloud project or initiative

Design
Establish a cloud strategy and implementation plan to get there.

Deploy
Build cloud services, in the enterprise and/or as a cloud services provider.

Consume
Manage and optimize consumption of cloud services.

IBM Cloud Security Approach

Secure by Design
Focus on building security into the fabric of the cloud.
Example security capabilities:
- Cloud security roadmap
- Secure development
- Network threat protection
- Server security
- Database security

Workload Driven
Secure cloud resources with innovative features and products.
Example security capabilities:
- Application security
- Virtualization security
- Endpoint protection
- Configuration and patch management

Service Enabled
Govern the cloud through ongoing security operations and workflow.
Example security capabilities:
- Identity and access management
- Secure cloud communications
- Managed security services


Cloud Enabled Data Center - simple use case


[Diagram: Self-Service GUI, Cloud Platform, Hypervisor, Virtual Machines, Configured Machine Image, Image Library (Machine Image), SW Catalog (Config, Binaries), Resource Pool (Available Resource)]

Diagram annotations:
- User identity is verified and authenticated
- Resource chosen from correct security domain
- VM is configured with appropriate security policy
- Image provisioned behind FW / IPS
- Host security installed and updated
- Software patches applied and up-to-date


Example - securing the cloud for service agility and assurance


Cloud Enabled Data Center

Helping the client ensure their cloud services are secure and reliable.
Business challenge
Deploy applications to the cloud with confidence that they're secure, compliant, and meet regulatory requirements.

Key security requirements
- Identity and Access Control: securely connect users to the cloud
- Virtualization Security: protection for the virtual infrastructure
- Image and Patch Management: keep cloud resources up-to-date and compliant

Tivoli Service Defense for Cloud
Security for IBM Tivoli Service Automation
- Tivoli Service Automation Manager
- Virtual Server Protection for VMware
- Tivoli Identity Manager
- Tivoli Endpoint Manager

Our focus is in two areas of cloud security


1. Security from the Cloud
Cloud-based Security Services
Use cloud to deliver security as-a-Service - focusing on services such as vulnerability scanning, web and email security, etc.

2. Security for the Cloud
Public cloud (off premise): Secure usage of Public Cloud applications focusing on Audit, Access and Secure Connectivity
Private cloud (on premise): Securing the Private Cloud stack focusing on building security into the cloud infrastructure and its workloads



1. Security Services delivered from the Cloud

Delivering high-value services for cloud and traditional compute environments with little or no security device investment or maintenance

Security Event and Log Management


Offsite management of logs and events from intrusion protection services, firewalls and operating systems Subscription service

Vulnerability Management Service


Helps provide proactive discovery and remediation of vulnerabilities

Managed Web and Email Security


Helps protect against spam, worms, viruses, spyware, adware and offensive content

Cloud based

Monitoring and management

IBM X-Force Threat Analysis Service


Customized security intelligence based on threat information from IBM X-Force research and development

Application Security Management


Supports improved web application security to help reduce data loss, financial loss and website downtime with advanced security testing

Mobile Device Security Management


Helps protect against malware and other threats while enabling mobile access


2. End-to-end IBM security products for securing the cloud

Securing Cloud with IBM Security Systems: Security Intelligence, People, Data, Apps, Infrastructure

IBM QRadar Security Intelligence
Total visibility into virtual environments

IBM Identity and Access Management Suite
Identity integration, provision users to SaaS applications
Desktop single sign on supporting desktop virtualization

IBM AppScan Suite
Scan cloud based web and web services apps for vulnerabilities

IBM InfoSphere Guardium Suite
Protect and monitor access to shared databases

IBM Endpoint Manager
Patch and configuration management of VMs

IBM Network IPS
Defend cloud users and apps from network attacks

IBM Virtual Server Protection for VMware
Protect VMs from advanced threats

IBM & CSCC contributing to cloud security standards development to address barriers in cloud adoption

IBM Security Standards Participation


Client-focused open standards and interoperability

Cloud Architecture Standards Including Security for SOA and Cloud

Identity in the Cloud TC


Published Cloud Identity Mgmt. Use Cases Whitepaper covering:
- 15 Identity Management categories
- SaaS, PaaS & IaaS service models
- Private, Public & Hybrid Cloud
Drafting Cloud IdM Standards Gap Analysis

ISO JTC 1/SC 27 IT Security Techniques


Including cloud security methodologies, procedures, guidelines, documentation and evaluation procedures

Cloud Audit Working Group


Federation and Classification of Audit Data for Compliance Reporting
- Provide customer-led guidance to the multiple cloud standards-defining bodies
- Establishing the criteria for open standards-based cloud computing

280+ companies are participating
50% operate outside the IT realm

CSCC Forms New Security Working Group - Feb. 2012
- Co-chaired by The Kroger Co. & Boeing
- Develop high priority use cases for cloud security that reflect customer issues and pain points
- Identify Regulatory Compliance Capabilities and Options through Security Architecture Standards
- Identify Best-of-Breed Security Solutions for Customers of Cloud

Soliciting Membership: http://www.cloud-council.org


IBM continues to research, test and document more focused approaches to cloud security

IBM Research
Special research concentration in cloud security

IBM X-Force
Proactive counter intelligence and public education

Customer Councils
Real-world feedback from clients adopting cloud

Standards Participation
Client-focused open standards and interoperability

IBM Institute for Advanced Security


Collaboration between academia, industry, government, and the IBM technical community


Thank You

Best Cloud Computing Security


Acknowledgements, disclaimers and trademarks


Copyright IBM Corporation 2012. All rights reserved. The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM's current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this publication to IBM products, programs or services do not imply that they will be made available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth, savings or other results. All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Information concerning non-IBM products and services was obtained from a supplier of those products and services. IBM has not tested these products or services and cannot confirm the accuracy of performance, compatibility, or any other claims related to non-IBM products and services.
Questions on the capabilities of non-IBM products and services should be addressed to the supplier of those products and services. All customer examples cited or described are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer and will vary depending on individual customer configurations and conditions. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. Prices are suggested U.S. list prices and are subject to change without notice. Starting price may not include a hard drive, operating system or other features. Contact your IBM representative or Business Partner for the most current pricing in your geography. IBM, the IBM logo, ibm.com, Tivoli, the Tivoli logo, Tivoli Enterprise Console, Tivoli Storage Manager FastBack, and other IBM products and services are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml
