© 2010 IBM Corporation Christopher Ensey IBM Federal, Principal Security Strategist Assoc. Director, IBM Institute for Advanced Security [email protected] @IBMFedCyber Security and Cloud Computing


Page 1

Security and Cloud Computing

Christopher Ensey
IBM Federal, Principal Security Strategist
Assoc. Director, IBM Institute for Advanced Security
censey@us.ibm.com
@IBMFedCyber

Page 2

Outline

• Security: Grand Challenge for the Adoption of Cloud Computing
• IBM Capabilities for Cloud Security
• IBM USAF MOCA

Page 3

Security – Grand Challenge for the Adoption of Cloud Computing

Page 4

What is Cloud Security?

"There is nothing new under the sun, but there are lots of old things we don't know." (Ambrose Bierce, The Devil's Dictionary)

Software as a Service

Utility Computing

Grid Computing

Cloud Computing

Confidentiality, integrity and availability of mission-critical IT assets stored or processed on a cloud computing platform.

Page 5

Where is the Data? – Moving from Private to Public Leads to a Real or Perceived Loss of Control

We Have Control:
• It’s located at X.
• We have backups.
• Our admins control access.
• Our uptime is sufficient.
• The auditors are happy.
• Our security team is engaged.

Who Has Control?
• Where is it located?
• Who backs it up?
• Who has access?
• How resilient is it?
• How do auditors observe?
• How does our security team engage?

• 80% of enterprises consider security the #1 inhibitor to cloud adoption
• 48% of enterprises are concerned about the reliability of clouds
• 33% of respondents are concerned with cloud interfering with their ability to comply with regulations

Source: Driving Profitable Growth Through Cloud Computing, IBM Study, 2008 (conducted by Oliver Wyman)

Page 6

Specific Customer Concerns Related to Security

• Protection of intellectual property and data: 30%
• Ability to enforce regulatory or contractual obligations: 21%
• Unauthorized use of data: 15%
• Confidentiality of data: 12%
• Availability of data: 9%
• Integrity of data: 8%
• Ability to test or audit a provider’s environment: 6%
• Other: 3%

Source: Deloitte Enterprise@Risk: Privacy and Data Protection Survey, 2007

Page 7

Workloads may be at Different Levels of Cloud Readiness

May not yet be ready for migration:
• Sensitive data
• Highly customized
• Not yet virtualized 3rd party SW
• Complex processes & transactions
• Regulation sensitive

Ready for cloud:
• Information intensive
• Isolated workloads
• Mature workloads
• Pre-production systems
• Batch processing

New workloads made possible by clouds:
• Collaborative Care
• Medical Imaging
• Financial Risk
• Energy Management

(Chart) Workload categories placed along the readiness spectrum: Analytics, Infrastructure Storage, Industry Applications, Collaboration, Workplace/Desktop & Devices, Business Processes, Disaster Recovery, Development & Test, Infrastructure Compute

Market bias: Private cloud to Public cloud

Page 8

One-size does not fit all: Different cloud workloads have different risk profiles

(Chart) Mission Risk (Low-risk, Mid-risk, High-risk) plotted against Need for Security Assurance (Low to High), with example workloads:
• Training, testing with non-sensitive data
• Analysis & simulation with public data
• Mission-critical workloads, personal information

Today’s clouds are primarily here:
• Lower risk workloads
• One-size-fits-all approach to data protection
• No significant assurance
• Price is key

Tomorrow’s high value / high risk workloads need:
• Quality of protection adapted to risk
• Direct visibility and control
• Significant level of assurance

Page 9

IBM and Cloud Security

Page 10

IBM's Strategy for Cloud Security

IBM Security Framework: risk management-based approach to security

• Provider of Cloud-based Security Services
• Provider of Secure Clouds
• Provider of Security Products for Clouds

Page 11

IBM as Provider of Security Products for Clouds, and IBM as Provider of Cloud-based Security Services

Legend: Products; Professional Services; Cloud-based & Managed Services

Security domains: Identity Management, Access Management, Data Security, Application Security, Infrastructure Security, Physical Security, GRC

Capabilities (each marked on the slide with the delivery forms from the legend):
• Identity and Access Management
• Access and Entitlement Management
• Mainframe Security
• Virtual System Security
• Database Monitoring and Protection
• Encryption and Key Lifecycle Management
• Data Loss Prevention
• Data Masking
• App Vulnerability Scanning
• App Source Code Scanning
• Web Application Firewall
• SOA Security
• Messaging Security
• E-mail Security
• Web/URL Filtering
• Intrusion Prevention System
• Vulnerability Assessment
• Firewall, IDS/IPS, MFS Mgmt.
• Security Governance, Risk and Compliance
• SIEM and Log Management
• Security Event Management
• Threat Assessment

Page 12

Cloud Security = SOA Security + Secure Virtualized Runtime

Service-oriented Architecture
• SOA Security model and protocols apply
• Technical challenges: multi-tenancy, across trust domain, REST-based, new protocols (e.g., OpenID)
• Definitional challenges: profiles and security SLAs for cloud

Virtualized Runtime

Top Threats and Risks in Cloud Computing
• Process/VM isolation, data segregation, multi-tenancy
• Malicious insiders (co-tenants, cloud provider)
• Management (incl. self-service) interface compromise
• Insecure interfaces and APIs
• Uncertainty over data location
• Data protection and security
• Data recovery, resiliency
• Insecure or incomplete data deletion
• Account or service hijacking
• Abuse of cloud services (extrusion)
• Compliance risks

Source: CSA (2010), ENISA (2009), Gartner (2008), IBM X-Force (2010)

Page 13

Example for SOA-style Security applied to Cloud: IBM Tivoli Federated Identity Manager

TFIM = Tivoli Federated Identity Manager
TFIM BG = TFIM Business Gateway for SMB deployment
TSPM = Tivoli Security Policy Manager for data entitlement management

• Centralized user access management to on- and off-premise apps and services
• Tools for user enrollment, WS-Trust based security token services, web access management

(Diagram components: TFIM & TSPM; TFIM BG; TFIM)

Supported federation protocols: SAML 1.0 / 1.1 / 2.0, WS-Federation, Liberty ID-FF 1.1 / 1.2, Information Card Profile 1.0, OpenID

Page 14

Example for Securing the Virtualized Runtime: IBM Security Virtual Server Protection for VMware vSphere 4

• VMsafe Integration
• Firewall and Intrusion Prevention
• Rootkit Detection / Prevention
• Inter-VM Traffic Analysis
• Automated Protection for Mobile VMs (VMotion)
• Virtual Network Segment Protection
• Virtual Network-Level Protection
• Virtual Infrastructure Auditing (Privileged User)
• Virtual Network Access Control

This is an example where virtualization enables an approach to security that would not be possible in a non-virtualized infrastructure!

Page 15

Cloud Security Services: Smart Security Services delivered from the IBM Cloud

To the Customer – Offloading Security Tasks on the Ground (subscription service; monitoring and management; cloud based)

1. Hosted Security Event and Log Management: offsite management of logs and events from IPSs, firewalls and OSs
2. Hosted Vulnerability Management: proactive discovery and remediation of vulnerabilities
3. Hosted Email and Web Security: protection against spam, worms, viruses, spyware, adware, and offensive content
4. Hosted X-Force® Threat Analysis Service: customized security intelligence based on threat information from the X-Force research and development team

Page 16

Cloud Service Model Suggests Split of Responsibilities between Provider and Subscriber

Business Process-as-a-Service: Employee Benefits Mgmt., Industry-specific Processes, Procurement, Business Travel
Application-as-a-Service: Collaboration, Financials, CRM/ERP/HR, Industry Applications
Platform-as-a-Service: Middleware, Database, Web 2.0 Application Runtime, Java Runtime, Development Tooling
Infrastructure-as-a-Service: Servers, Networking, Storage, Data Center Fabric (shared virtualized, dynamic provisioning)

Who is responsible for security at the … level? For each layer (Datacenter, Infrastructure, Middleware, Application, Process) the slide shows where the split between Provider and Subscriber falls.

Provider/Subscriber service agreement determines actual responsibilities.

Page 17

IBM's Approach to Providing Secure Clouds

Client Services (Customized by Client)
• Client's responsibility
• IBM does not touch client resources
• IBM provides guidance for customization and management of client services

Base Services (Offered by IBM)
• IBM's responsibility
• IBM provides tested base services

IBM Cloud Computing Platform / IBM Global Cloud Data Centers
• IBM's responsibility
• Base operated and managed according to IBM's internal technical and organizational security standards
• Extensive regular internal legal, geo-specific, data privacy, technical reviews
• Regular ethical hacking/security testing
• Based on IBM's strategic outsourcing practices and the IBM Common Cloud Reference Architecture
• Hardened management interfaces and cloud service management
• State-of-the-art data center service management
• Cloud subscriber management based on IBM Web Identity
• State-of-the-art data-center security (physical, organizational, system, network)
• Strict policies and extensive monitoring to control privileged users

Page 18

IBM Cloud Security in Action – IBM LotusLive: Security through the entire lifecycle and stack

Page 19

IBM Cloud Security in Action – IBM Compute Cloud

Page 20

IBM and US Air Force: MOCA

Page 21

MOCA Purpose – Address Hard engineering problems for cloud and cyber defense

MOCA = Mission Oriented Cloud Architecture

A combined effort between IBM and the US Air Force to explore feasibility of cloud architectures in a mission setting.

Main Areas of Investigation:
• Network awareness
• Situational awareness
• Application and database vulnerability detection
• Network defense
• Cloud management


Page 22

MOCA Scope

The Mission Oriented Cloud Architecture (MOCA) project expands on four areas in cloud computing:

Network Awareness
- Advanced analytic processing coupled via sensors, monitors and other detection devices

Application and database vulnerability detection
- Innovative technology leveraging IBM research investments in trusted virtual datacenters

Network Defense
- Automated re-provisioning of the cloud to respond to cyber events: isolation of compromised virtual machines, reconfiguration of security policies, etc.
- Policy based security compliance reporting and enforcement

Cloud Management
- Real-time situational awareness of the cloud environment, security posture and network
- Secure collaboration in support of the mission and during threat events


Page 23

MOCA Investigates Scope through Seven Functional Areas

The MOCA research will explore the scope areas through AF directed research and development in the following functional areas:

• Foundational Cloud Computing
• Resilience
• Compliance
• Analytics
• Deep Packet Inspection
• Multi-tenancy
• Secure Collaboration


Page 24

Area #1, Foundational Cloud Computing - Establish the Infrastructure

Provides cloud computing foundation system functionality for

• Federated Identity Management Capability

• Process governance for approval purposes

• Automated and Request Driven Provisioning
  - Foundational Service Discovery
  - Operational Service Deployment
  - Service Delivery Monitoring

• Operational Monitoring

IBM Technology

• Tivoli Service Automation Manager

• IBM Tivoli Monitoring

• Tivoli Access Manager and Federated Identity Manager

• SOA Governance Process


Page 25

Area #2, Resilience - Keeping core capability militarily relevant

1. Protect: the network, systems, services and data.

2. Rebuild:
   - Reconstruction of damaged cloud resources
   - Rapid restoration from gold copies

3. Relocate:
   - Relocation of virtualized resources
   - Rapid relocation to a new VLAN

IBM Technology

• ISS Site Protector

• ISS Proventia IPS

• Guardium


Page 26

Area #3, Compliance – Adherence to Security Policy

Compliance provides distribution, revocation, and integrity services for security policies

Security policy resides in the policy engine

The policies are distributed by the distribution engine and checked cyclically by the compliance engine

Security policies for the network perimeter, DMZ, applications, hosts and network devices are included.

IBM Technologies

• Tivoli End Point Manager

• Tivoli Compliance Manager


Page 27

Area #4, Analytics – Know It Now; Respond Now

Analytics provide real-time autonomic policy responses based on network attack detection

Sensors across the enterprise provide input to the ingest engine

The Ingest engine filters inputs and provides clean sensor data to the analytics engine for classification and correlation

The response engine provides the autonomic security policy actions based on the correlated event decision logic

IBM Technologies

• Infosphere Streams

• Tivoli End Point Manager
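The sensor, ingest, analytics and response chain on this slide, together with the automated isolation of compromised virtual machines listed under Network Defense in the MOCA scope, as an added Python sketch that is not part of the presentation or of any IBM product: the event fields, severity scoring, time window, thresholds and quarantine actions are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sensor records (not real telemetry): time in seconds, sensor,
# affected VM, severity 1-5 and the signature that fired.
SAMPLE_EVENTS = [
    {"ts": 100, "sensor": "ips-1", "vm": "vm-17", "sev": 3, "sig": "sqli-probe"},
    {"ts": 100, "sensor": "ips-1", "vm": "vm-17", "sev": 3, "sig": "sqli-probe"},  # duplicate
    {"ts": 130, "sensor": "dpi-2", "vm": "vm-17", "sev": 4, "sig": "malformed-tls"},
    {"ts": 150, "sensor": "hids-9", "vm": "vm-17", "sev": 5, "sig": "rootkit-indicator"},
    {"ts": 200, "sensor": "ips-1", "vm": "vm-03", "sev": 1, "sig": "port-sweep"},
    {"ts": 210, "sensor": "ips-1", "vm": None, "sev": 2, "sig": "truncated-record"},  # malformed
]


@dataclass(frozen=True)
class Action:
    vm: str
    kind: str      # "isolate" or "tighten_policy"
    detail: str


def ingest(events):
    """Ingest engine: reject malformed records, drop duplicates, order by time."""
    seen, clean = set(), []
    for e in events:
        if not e.get("vm") or not e.get("sig") or not isinstance(e.get("sev"), int):
            continue
        key = (e["ts"], e["sensor"], e["vm"], e["sig"])
        if key in seen:
            continue
        seen.add(key)
        clean.append(e)
    return sorted(clean, key=lambda e: e["ts"])


def correlate(clean, window=120, isolate_score=8, policy_score=3):
    """Analytics engine: correlate events per VM inside a sliding time window and
    classify each VM from the highest severity sum any window reaches."""
    by_vm = defaultdict(list)
    for e in clean:
        by_vm[e["vm"]].append(e)
    verdicts = {}
    for vm, evs in by_vm.items():
        best = 0
        for i, first in enumerate(evs):
            score = sum(x["sev"] for x in evs[i:] if x["ts"] - first["ts"] <= window)
            best = max(best, score)
        if best >= isolate_score:
            verdicts[vm] = "compromised"
        elif best >= policy_score:
            verdicts[vm] = "suspicious"
        else:
            verdicts[vm] = "benign"
    return verdicts


def respond(verdicts):
    """Response engine: turn verdicts into autonomic policy actions (the
    'isolation of compromised virtual machines, reconfiguration of security
    policies' step in the MOCA scope)."""
    actions = []
    for vm, verdict in sorted(verdicts.items()):
        if verdict == "compromised":
            actions.append(Action(vm, "isolate", "move VM to quarantine VLAN; block east-west traffic"))
        elif verdict == "suspicious":
            actions.append(Action(vm, "tighten_policy", "switch IPS policy for VM to blocking mode"))
    return actions


def run_pipeline(events=SAMPLE_EVENTS):
    """Whole chain: sensors -> ingest -> analytics -> response."""
    return respond(correlate(ingest(events)))
```

The duplicate and the malformed record are dropped at ingest, the three correlated alerts on vm-17 within the window push it over the isolation threshold, and the single low-severity sweep on vm-03 produces no action.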


Page 28

Area #5, Deep Packet Inspection – Is It Safe? Provide behavior-based, near real-time detection and response to network-level threats

All network traffic traversing the cloud is inspected for behavior based attacks

IP level inspection detects malformed messages, illegal content, and previously detected classes of attacks in the Network Threat Analyzer

Detected threats cause autonomic security policy changes to be implemented

IBM Technologies

• ISS Intrusion Prevention Systems

• Tivoli Endpoint Manager

• Tivoli Compliance Manager


Page 29

Area #6, Multi-Tenancy – Peaceful, Secure Co-existence

Validate VM Isolation Management
• Prove that data confidentiality exists between images
• Prove ability to detect and correct image provisioning anomalies
• Test that deployed VM images are correctly configured
• Show that corrective actions for mis-configured VM images can be applied

Prove rapid provisioning capabilities
• Rapid deployment of new VM images
• Rapid provisioning of new images
• Rapid access by new users

IBM Technologies

• ISS Site Protector
• Tivoli Service Automation Manager
• Tivoli Endpoint Manager
• Tivoli Compliance Manager
• ISS Virtual Service Protection


Page 30

Area #7, Secure Collaboration – Sharing Information Securely

Prove that documents can be shared securely. Functionality includes:

1. Validate that tagging and protecting portions of an XML document reflect security classification
2. Prove that label based access controls can be applied allowing group or community access
3. Test that check in/check out of document capabilities are present.
4. Provide meta-data based search capabilities across multiple documents

IBM Technologies

• IBM FileNet Content Manager

• Tivoli Access Manager

• Tivoli Identity Manager

• Lotus Live

• Lotus Symphony
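Items 1 and 2 on this slide (classification tags on portions of an XML document, and label-based access control that also admits a group or community), as an added Python example that is not part of the presentation or of the FileNet and Tivoli products named: the attribute names classification and community, the three-level label ordering and the sample document are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed label lattice (ordered, lowest first); any label outside it is denied.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}

# Constructed sample document: every portion carries a classification label
# (inherited from the enclosing portion if omitted) and optionally a
# community attribute naming the group whose members may read it.
SAMPLE_DOC = """<report classification="UNCLASSIFIED">
  <summary classification="UNCLASSIFIED">Exercise after-action summary.</summary>
  <finding classification="CONFIDENTIAL">Sensor coverage gap on VLAN 40.</finding>
  <finding classification="SECRET" community="cyber-ops">Attribution notes.</finding>
  <annex classification="CONFIDENTIAL" community="medical">
    <item>Casualty statistics.</item>
  </annex>
</report>"""


def label_of(elem, inherited):
    """Effective label of a portion: its own attribute, else the enclosing one."""
    return elem.get("classification", inherited)


def may_read(elem, inherited, clearance, groups):
    """Label-based check: the reader's clearance must dominate the portion's label
    and, if the portion is restricted to a community, the reader must belong to it."""
    level = label_of(elem, inherited)
    if level not in LEVELS or clearance not in LEVELS:
        return False                      # unknown label or clearance: fail closed
    if LEVELS[level] > LEVELS[clearance]:
        return False
    community = elem.get("community")
    return community is None or community in groups


def _prune(parent, inherited, clearance, groups):
    """Remove every child portion the reader may not see; recurse into the rest."""
    for child in list(parent):
        if may_read(child, inherited, clearance, groups):
            _prune(child, label_of(child, inherited), clearance, groups)
        else:
            parent.remove(child)


def redact(xml_text, clearance, groups=()):
    """Return a fresh tree holding only the portions readable at this clearance
    and group membership, or None if even the root portion is not readable."""
    root = ET.fromstring(xml_text)
    groups = set(groups)
    if not may_read(root, None, clearance, groups):
        return None
    _prune(root, label_of(root, None), clearance, groups)
    return root


def visible_texts(root):
    """Text of the portions that survived redaction, in document order."""
    return [e.text.strip() for e in root.iter() if e.text and e.text.strip()]
```

A reader cleared to SECRET but outside the "cyber-ops" community still loses the attribution finding, and a portion with an unrecognised label is withheld rather than shown.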


Page 31

Situational Awareness – Getting the Big picture


Page 32

Questions?

06/23/10

Page 33

Thank you!

For more information, please visit: ibm.com/federal and ibm.com/federal/security
Follow me on Twitter: @IBMFedCyber
Or send me an email: [email protected]