CRTC Cloud Security- Jeff Crume

Presentation from Chesapeake Regional Tech Council's TechFocus Seminar on Cloud Security; Presented by Jeff Crume, IBM Distinguished Engineer, IT Security Architect, CISSP-ISSAP on Thursday, October 27, 2011.

Text of CRTC Cloud Security- Jeff Crume

  • 1. Security Considerations in the Cloud. Jeff Crume, Distinguished Engineer. 2011 IBM Corporation
  • 2. Security and Cloud Computing: Security Remains the Top Concern for Cloud Adoption
      • 80% of enterprises consider security the #1 inhibitor to cloud adoptions.
      • 48% of enterprises are concerned about the reliability of clouds.
      • 33% of respondents are concerned with cloud interfering with their ability to comply with regulations.
      • "How can we be assured that our data will not be leaked and that the vendors have the technology and the governance to control its employees from stealing data?"
      • "Security is the biggest concern. I don't worry much about the other '-ities': reliability, availability, etc."
      • "I prefer internal cloud to IaaS. When the service is kept internally, I am more comfortable with the security that it offers."
      • Source: Driving Profitable Growth Through Cloud Computing, IBM Study (conducted by Oliver Wyman)
  • 3. One-size does not fit-all: Different cloud workloads have different risk profiles
      • [Chart: Need for Security Assurance (Low to High) plotted against Business Risk (Low-risk, Mid-risk, High-risk)]
      • Today's clouds are primarily here: Lower risk workloads; One-size-fits-all approach to data protection; No significant assurance; Price is key
      • Training, testing with non-sensitive data
      • Analysis & simulation with public data
      • Mission-critical workloads, personal information
      • Tomorrow's high value / high risk workloads need: Quality of protection adapted to risk; Direct visibility and control; Significant level of assurance
  • 4. Simple Example: Today's Data Center vs. Tomorrow's Public Cloud
      • We have control. / Who has control?
      • It's located at X. / Where is it located?
      • It's stored in servers Y, Z. / Where is it stored?
      • We have backups in place. / Who backs it up?
      • Our admins control access. / Who has access?
      • Our uptime is sufficient. / How resilient is it?
      • The auditors are happy. / How do auditors observe?
      • Our security team is engaged. / How does our security team engage?
  • 5. Categories of Cloud Computing Risks
      • Control: Many companies and governments are uncomfortable with the idea of their information located on systems they do not control. Providers must offer a high degree of security transparency to help put customers at ease.
      • Data: Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Authentication and access technologies become increasingly important.
      • Reliability: High availability will be a key concern. IT departments will worry about a loss of service should outages occur. Mission critical applications may not run in the cloud without strong availability guarantees.
      • Compliance: Complying with SOX, HIPAA and other regulations may prohibit the use of clouds for some applications. Comprehensive auditing capabilities are essential.
      • Security Management: Even the simplest of tasks may be behind layers of abstraction or performed by someone else. Providers must supply easy controls to manage security settings for application and runtime environments.
  • 6. Cloud Security = Traditional Security + SOA Security + Virtualization Security
      • Hypervisor Security: Rogue VMs, VM Isolation, Data Leakage, Rootkits, etc.
      • Federated Identity Mgmt: Fed Prov/De-prov, Fed SSO
      • Privileged Identity Mgmt
      • Regulatory Compliance: Audit, Data Residency
      • Patch Mgmt: Across multiple VMs
      • Data Protection: Encryption, Data Segregation, DLP
  • 7. Additional Information
  • 8. Example for Securing the Virtualized Runtime: IBM Security Virtual Server Protection for VMware vSphere 4
      • VMsafe Integration
      • Firewall and Intrusion Prevention
      • Rootkit Detection / Prevention
      • Inter-VM Traffic Analysis
      • Automated Protection for Mobile VMs (VMotion)
      • Virtual Network Segment Protection
      • Virtual Network-Level Protection
      • Virtual Infrastructure Auditing (Privileged User)
      • Virtual Network Access Control
      • There have been 100 vulnerabilities disclosed across all of VMware's virtualization products since 1999.*
      • 57% of the vulnerabilities discovered in VMware products are remotely accessible, while 46% are high risk vulnerabilities.*
  • 9. IBM Cloud Security Guidance document
      • Based on cross-IBM research and customer interaction on cloud security
      • Highlights a series of best practice controls that should be implemented
      • Broken into 7 critical infrastructure components: Building a Security Program; Confidential Data Protection; Implementing Strong Access and Identity; Application Provisioning and De-provisioning; Governance Audit Management; Vulnerability Management; Testing and Validation
  • 10. Cloud Security Whitepaper
      • Trust needs to be achieved, especially when data is stored in new ways and in new locations, including for example different countries.
      • This paper is provided to stimulate discussion by looking at three areas: What is different about cloud? What are the new security challenges cloud introduces? What can be done and what should be considered further?
  • 11. Security and Cloud Computing
  • 12. Thank you! For more information, please visit: