Finding the Secure Path to the Cloud

June 7, 2012

Pierre Gourdon, Global Strategist and Portfolio Manager, IBM Security Services

© 2012 IBM Corporation


There is universal interest in cloud computing across all industries and geographies

What the Market is Telling Us

Cost Take-out is Key Driver

• #1 reason to move to a public cloud is lower total cost of ownership

• Top reasons for moving to a private cloud include cost/resource efficiencies, as well as enhancing speed and flexibility

Security is Top Concern

• Security concerns are the top barrier to adoption of both public and private clouds

• Experience managing large outsourcing engagements gives IBM the tools to manage customers’ top cloud concerns

Adoption Patterns are Emerging

• Three distinctive end-user cloud buying patterns are emerging: exploratory, solution-focused and transformational

• There are reports that public clouds are being adopted faster than originally forecast


Cloud Adoption Patterns and Risk

[Figure: Risk plotted against Workload Type (Dev/Test, Core Business, Business Confidential, Regulated) for Legacy Non/Cloud, Virtualized Infrastructure, Private Cloud, Public Cloud and SaaS. Annotation: Transparency/Governance: necessary capability in moving workloads towards public cloud]


Why is cloud security important to organizations?

Cloud computing raises questions about maintaining the security and privacy of information assets

• How do you keep user identity and access rights in sync with corporate systems?

• How can I find out where data is located?

• How can I make sure data isn't lost? Is data portable?

• How does the cloud deal with encryption?

• How do we ensure that only the right people see the right information?

• How do auditors observe what is going on?

• How does the network admin interact with the cloud admin?

• Who is responsible for compliance audits?

• What happens if authentication requirements are stronger than the cloud?

• What if corporate security settings (FW, AV, IDS, etc.) are different than the cloud?

• How do you integrate legacy content in the cloud?


Security is a top concern with cloud computing…

What, if anything, do you perceive as actual or potential barriers to acquiring public cloud services?

• Security/privacy of company data: 69%

• Service quality: 54%

• Doubts about true cost savings: 53%

• Performance / Insufficient responsiveness over network: 52%

• Difficulty integrating with in-house IT: 47%

Percent rating the factor as a significant barrier (4 or 5). Respondents could select multiple items.

Source: IBM Market Insights, Cloud Computing Research, July 2009. n=1,090

Studies show that Security is the number one inhibitor to organizations adopting cloud technologies

Source: Oliver Wyman Interviews


IBM Point of View: Cloud can be made secure for business

As with most new technology paradigms, security concerns surrounding cloud computing have become the most widely talked about inhibitor of widespread usage.

To gain the trust of organizations, cloud services must deliver security and privacy expectations that meet or exceed what is available in traditional IT environments.

The same way transformational technologies of the past overcame concerns – PCs, outsourcing, the Internet.

[Figure: Security and Privacy Expectations, Traditional IT compared with In the Cloud; label: Trust]


Risks introduced by cloud computing

• Less Control: Over where the information is located and stored, who has access and backups, how is it monitored & managed including resiliency

• Data Security: Challenges with an increase in potential unauthorized exposure when migrating workloads to a shared network and compute infrastructure

• Security Management: Control needed to manage firewall and security settings for applications and runtime environments in the cloud

• Compliance: Restrictions imposed by industry regulations over the use of clouds for some application

• Reliability: Concerns with high availability and loss of service should outages occur


Cloud computing tests the limits of security operations and infrastructure

In a cloud environment, access expands, responsibilities change, control shifts, and the speed of provisioning resources and applications increases - greatly affecting all aspects of IT security.

• Self-Service

• Highly Virtualized

• Location Independence

• Workload Automation

• Rapid Elasticity

• Standardization

Security and Privacy Domains

• People and Identity

• Application and Process

• Network, Server and Endpoint

• Data and Information

• Physical Infrastructure

• Governance, Risk and Compliance

To cloud

• Multiple Logins, Onboarding Issues

• Multi-tenancy, Data Separation

• Audit Silos, Compliance Controls

• Provider Controlled, Lack of Visibility

• Virtualization, Network Isolation

• External Facing, Quick Provisioning


Different cloud deployment models also change the way we think about security

Hybrid IT: Traditional IT and clouds (public and/or private) that remain separate but are bound together by technology that enables data and application portability

Changes in Security and Privacy

Private cloud: On or off premises cloud infrastructure operated solely for an organization and managed by the organization or a third party

− Customer responsibility for infrastructure

− More customization of security controls

− Good visibility into day-to-day operations

− Easy access to logs and policies

− Applications and data remain “inside the firewall”

Public cloud: Available to the general public or a large industry group and owned by an organization selling cloud services.

− Provider responsibility for infrastructure

− Less customization of security controls

− No visibility into day-to-day operations

− Difficult to access logs and policies

− Applications and data are publicly exposed


Our view of security requirements is formed around the foundational security controls within the IBM cloud reference model

IBM Cloud Reference Model

• Cloud Governance: Cloud specific security governance including directory synchronization and geo locational support

• Security Governance, Risk Management & Compliance: Security governance including maintaining security policy and audit and compliance measures

• Problem & Information Security Incident Management: Managing and responding to expected and unexpected events

• Identity and Access Management: Strong focus on authentication of users and management of identity

• Discover, Categorize, Protect Data & Information Assets: Strong focus on protection of data at rest or in transit

• Information Systems Acquisition, Development, and Maintenance: Management of application and virtual machine deployment

• Secure Infrastructure Against Threats and Vulnerabilities: Management of vulnerabilities and their associated mitigations with strong focus on network and endpoint protection

• Physical and Personnel Security: Protection for physical assets and locations including networks and data centers, as well as employee security


Our focus is in two areas of cloud security

Security from the Cloud

• Cloud-based Security Services: Use cloud to deliver security as-a-Service - focusing on services such as vulnerability scanning, web and email security, etc.

Security for the Cloud

• Securing the Private Cloud stack – focusing on building security into the cloud infrastructure and its workloads

• Secure usage of Public Cloud applications – focusing on Audit, Access and Secure Connectivity

[Diagram labels: Public cloud (Off premise); Private cloud (On premise)]


The IBM Security Framework provides a structure to address cloud security concerns

• Compliance ownership

• Cross border constraints

• e-discovery process

• Access to logs and audit trails

• Merging patch, change, and configuration management policies

• Rapid provisioning/de-provisioning of users

• Federated identity management

• Data segregation

• Intellectual property protection

• Data preservation and investigation

• Multi-tenancy and shared images

• Virtualized environments

• Open public access

• Physical data center security and resiliency


Adoption patterns are emerging for successfully defining and progressing cloud initiatives

• Infrastructure as a Service (IaaS): Cut IT expense and complexity through cloud data centers

• Platform-as-a-Service (PaaS): Accelerate time to market with cloud platform services

• Innovate business models by becoming a cloud service provider

• Software as a Service (SaaS): Gain immediate access with business solutions on cloud


Each pattern has its own set of key security concerns

• Cloud Enabled Data Center: Infrastructure as a Service (IaaS): Cut IT expense and complexity through cloud data centers

• Cloud Platform Services: Platform-as-a-Service (PaaS): Accelerate time to market with cloud platform services

• Cloud Service Provider: Innovate business models by becoming a cloud service provider

• Business Solutions on Cloud: Software as a Service (SaaS): Gain immediate access with business solutions on cloud

Capabilities provided to consumers for using a provider’s applications

Key security focus: Compliance and Governance

• Harden exposed applications

• Securely federate identity

• Deploy access controls

• Encrypt communications

• Manage application policies

Integrated service management, automation, provisioning, self service

Key security focus: Infrastructure and Identity

• Manage datacenter identities

• Secure virtual machines

• Patch default images

• Monitor logs on all resources

• Network isolation

Pre-built, pre-integrated IT infrastructures tuned to application-specific needs

Key security focus: Applications and Data

• Secure shared databases

• Encrypt private information

• Build secure applications

• Keep an audit trail

• Integrate existing security

Advanced platform for creating, managing, and monetizing cloud services

Key security focus: Data and Compliance

• Isolate cloud tenants

• Policy and regulations

• Manage security operations

• Build compliant data centers

• Offer backup and resiliency


What are Cloud-based Security Services?

Advantages relative to On Premise security software:

– Lower up-front capital investment and deployment costs

– Lower on-going operational management costs

– Quicker time-to-deploy and time-to-benefit

– Ability to protect remote users and combine global analytics

Additional benefits of Cloud-based Security:

– Ability to standardize security on a single platform

– Ability to centralize data in a mature environment

– Ability to quickly consume software improvements

– Frees up resources to work on core business goals

Cloud-based Security Services (aka Hosted Security or Security SaaS) are the delivery of security software functionality via a subscription model over the Internet. An organization does not take ownership of the application but rather ‘subscribes’ to a total solution that is delivered remotely.


‘Cloud security service’ value differs based on approach:

The value proposition for cloud security has become widely understood, creating interest and opportunity within even the largest of enterprises.

Cloud security is the enabler of broader cloud adoption!

Services FOR the Cloud:

• Help organizations identify appropriate workloads for migration to the cloud based on risk profile and governance requirements

• Assist organizations with measuring and implementing the most appropriate security controls based on business needs

• Validate the effectiveness of security controls and demonstrate specific gaps / areas of opportunity

• Provide design, deployment, and ongoing management capabilities for a multitude of security technologies ranging from infrastructure security, to IAM, to GRC

Services FROM the cloud:

• Provides online access to key security tools that enable clients to efficiently perform key security functions

• Reduced up-front capital investment and deployment

• Lower overall security management costs

• Quicker time to deploy and time to value vs. on-premise

• Reduced on-premise skill requirements

• Ability to standardize capabilities on one platform

• Ability to rapidly consume software improvements


In summary

• Security in the cloud will only be trusted when adequate controls are demonstrated

• There is no one-size-fits-all security model for the cloud

• Required is an understanding of the strengths and vulnerabilities of your cloud architecture, programs, policies and practices from a security perspective

• Communication with key stakeholders will ensure that security capabilities align with the business expectations – and reduce misperceptions

• Cloud computing can be secure, and cloud-based security services can provide a cost-effective method of leveraging leading security functionality while reducing complexity


Thank you!