© 2010 IBM Corporation
Securing the Cloud
Johan Van Mengsel, CISSP, Open Group Distinguished IT Specialist, IBM Global Technology Services
IBM Cloud Security Strategy
Today's Challenges
• In distributed computing environments, up to 85% of computing capacity sits idle.
• The explosion of information is driving 54% growth (1.5x) in storage shipments every year.
• 70% of IT spend on average (70¢ per $1) goes to maintaining current IT infrastructures versus adding new capabilities.
• 33% of consumers notified of a security breach will terminate their relationship with the company they perceive as responsible.
• Consumer product and retail industries lose about $40 billion annually, or 3.5 percent of their sales, due to supply chain inefficiencies.
It's time to start thinking differently about infrastructure
Requires Smarter IT Services
Cloud computing is a new consumption and delivery model
(Figure: "Yesterday" versus "Today" delivery models)
Cloud Computing provides workload optimized models for delivery and consumption of IT services
Attributes, their characteristics, and the benefits they bring:
• Advanced virtualization: IT resources can be shared between many applications; applications can run anywhere. Benefit: more efficient utilization of IT resources.
• Automated provisioning: IT resources are provisioned or de-provisioned on demand. Benefit: reduced IT cycle time and management cost.
• Elastic scaling: IT environments scale down and up as the need changes. Benefit: increased flexibility.
• Service catalog ordering: defined environments can be ordered from a catalog. Benefit: self-service.
• Metering and billing: services are tracked with usage metrics. Benefit: more flexible pricing schemes.
• Internet access: services are delivered through the Internet. Benefit: access anywhere, anytime.
Enabling foundations: automation, standardization, virtualization.
© 2010 IBM Corporation, 3/15/2012
Sounds great, so what is preventing the adoption of cloud computing everywhere?
• Current cloud computing offerings are best effort
• Cloud computing providers don't currently have the rigour that traditional IT sourcing providers have
• No (or weak) service level agreements (SLAs) regarding quality of service: performance, uptime, throughput, confidentiality, etc.
• No commitment regarding data residency
• Architecturally, these constraints prevent or hamper running mission-critical workloads, or highly regulated data, in current cloud offerings
• As cloud providers mature their offerings, this will change
• For now, corporations will not let their enterprise workloads run in the cloud, as they cannot assert the quality of service
• Multi-tenancy is a key concern
Security Challenges in Cloud Computing
© 2009 IBM Corporation, Security and Cloud Computing, 9/15/2009
Cloud Security: Simple Example
Today's data center (we have control):
• It's located at X.
• It's stored in servers Y, Z.
• We have backups in place.
• Our admins control access.
• Our uptime is sufficient.
• The auditors are happy.
• Our security team is engaged.
Tomorrow's public cloud (who has control?):
• Where is it located?
• Where is it stored?
• Who backs it up?
• Who has access?
• How resilient is it?
• How do auditors observe?
• How does our security team engage?
Security in the Cloud
According to IBM's Institute for Business Value 2010 Global IT Risk Study, cloud computing raised serious concerns among respondents about the use, access and control of data
A recent Appirio survey of 150+ mid to large-sized firms that have already adopted cloud applications:
• 77%: cloud makes protecting privacy more difficult
• 50%: concerned about a data breach or loss
• 23%: concerned about a weakening of the corporate network
Single biggest misconception about the cloud (% of respondents):
• 28%: security is an issue with the cloud
• 15%: cloud solutions are difficult to integrate
• 13%: cloud solutions have a higher chance of lock-in
• 12%: cloud solutions are difficult to customize
• 10%: cloud solutions are not reliable
• 8%: cloud vendors are not yet viable
• 7%: none
• 6%: the cloud model is not proven
(Chart: importance of "ensuring security & compliance", rated from Unimportant / Of Little Importance / Somewhat Important / Important / Very Important)
Source: Appirio, State of the Public Cloud: The Cloud Adopters' Perspective, October 2010
http://thecloud.appirio.com/StateofthePublicCloudWhitepaper1.html
Customer Requirements for Cloud Security
Results of the analysis of existing customer requirements for cloud security, by area:
• Identity and access management: 21
• Intrusion prevention and response: 37
• Patch management: 7
• Data management: 12
• Virtualization security: 12
• Governance, risk & compliance: 25
Data sources: formal RFPs, project architect interviews
World-wide representation: NE IOT, SW IOT, MEA, North America IOT, ANZ
16 cross-industry customers: 6 telcos, 3 CSIs, 1 government, 1 bank, 1 manufacturing, 1 SMB, 2 IBM
Risks introduced by cloud computing
Risks across private, public and hybrid cloud delivery models:
• Less control: where the information is located and stored, who has access rights, how access is monitored & managed, including resiliency
• Data security: challenges with an increase in potential unauthorized exposure when migrating workloads to a shared network and compute infrastructure
• Security management: control needed to manage firewall and security settings for applications and runtime environments in the cloud
• Compliance: restrictions imposed by industry regulations over the use of clouds for some applications
• Reliability: concerns with high availability and loss of service should outages occur
(Figure axis: private clouds to public clouds)
Adoption patterns are emerging for successfully beginningand progressing cloud initiatives
• Infrastructure as a Service (IaaS): cut IT expense and complexity through cloud data centers
• Platform as a Service (PaaS): accelerate time to market with cloud platform services
• Software as a Service (SaaS): gain immediate access with business solutions on cloud
• Innovate business models by becoming a cloud service provider
Each pattern has its own set of key security concerns
Cloud Enabled Data Center (IaaS): integrated service management, automation, provisioning, self service. Key security focus: infrastructure and identity
• Manage datacenter identities
• Secure virtual machines
• Patch default images
• Monitor logs on all resources
• Network isolation
Cloud Platform Services (PaaS): pre-built, pre-integrated IT infrastructures tuned to application-specific needs. Key security focus: applications and data
• Secure shared databases
• Encrypt private information
• Build secure applications
• Keep an audit trail
• Integrate existing security
Cloud Service Provider: advanced platform for creating, managing, and monetizing cloud services. Key security focus: data and compliance
• Isolate cloud tenants
• Policy and regulations
• Manage security operations
• Build compliant data centers
• Offer backup and resiliency
Business Solutions on Cloud (SaaS): capabilities provided to consumers for using a provider's applications. Key security focus: compliance and governance
• Harden exposed applications
• Securely federate identity
• Deploy access controls
• Encrypt communications
• Manage application policies
Cloud Deployment/Delivery and Security
Depending on an organization's readiness to adopt cloud, there is a wide array of deployment and delivery options, ordered here from more embedded security (the provider supplies more of the controls) to less embedded security:
• Business Process as a Service (BPaaS)
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
Cloud computing tests the limits of security operations and infrastructure
Cloud attributes: self-service, highly virtualized, location independence, workload automation, rapid elasticity, standardization
Security and privacy domains, and what changes on the move to cloud:
• People and Identity: multiple logins, onboarding issues
• Application and Process: external facing, quick provisioning
• Network, Server and Endpoint: virtualization, network isolation
• Data and Information: multi-tenancy, data separation
• Physical Infrastructure: provider controlled, lack of visibility
• Governance, Risk and Compliance: audit silos, compliance controls
In a cloud environment, access expands, responsibilities change, control shifts, and the speed of provisioning resources and applications increases, greatly affecting all aspects of IT security.
Different cloud deployment models also change the way we think about security
Private cloud: on- or off-premises cloud infrastructure operated solely for an organization and managed by the organization or a third party
− Customer responsibility for infrastructure
− More customization of security controls
− Good visibility into day-to-day operations
− Easy access to logs and policies
− Applications and data remain "inside the firewall"
Public cloud: available to the general public or a large industry group and owned by an organization selling cloud services
− Provider responsibility for infrastructure
− Less customization of security controls
− No visibility into day-to-day operations
− Difficult access to logs and policies
− Applications and data are publicly exposed
Hybrid IT: traditional IT and clouds (public and/or private) that remain separate but are bound together by technology that enables data and application portability
Changes in security and privacy
Cloud deployment pattern influences the extent of security controls
• Software as a Service: collaboration, business processes, CRM/ERP/HR, industry applications
• Platform as a Service: middleware, database, Web 2.0 application runtime, Java runtime, development tooling
• Infrastructure as a Service: servers, networking, storage, data center fabric
(Figure labels, top to bottom, for how security is delivered at each layer: Security Enabled, Security as a Runtime, Security as a Service)
Coordinating information security is BOTH the responsibility of the provider and the consumer
• Business Process as a Service: employee benefits management, industry-specific processes, procurement, business travel
• Application as a Service: collaboration, financials, CRM/ERP/HR, industry applications
• Platform as a Service: middleware, database, Web 2.0 application runtime, Java runtime, development tooling
• Infrastructure as a Service: servers, networking, storage, data center fabric (shared, virtualized, dynamic provisioning)
Who is responsible for security at each level (datacenter, infrastructure, middleware, application, process)? At every level the responsibility is split between provider and consumer, and where the split falls depends on the service model being consumed.
What is multi-tenancy, and what are the security IMPLICATIONS?
Example: Database Multi-tenancy
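As an added example of the security implication of a shared-schema (row-level) multi-tenant database, not code from this deck or from IBM: a lookup that omits the tenant predicate hands one tenant another tenant's rows, while an access path bound to the authenticated tenant cannot. The table, tenant names and rows are constructed for illustration, and sqlite3 stands in for the shared DBMS.

```python
import sqlite3
from typing import List, Optional, Tuple

Row = Tuple[int, str, float]


def build_db() -> sqlite3.Connection:
    """In-memory shared-schema database holding two tenants' invoices.

    Constructed sample data: tenants 'acme' and 'globex' share one table and
    one schema; every row carries the tenant it belongs to.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        " id INTEGER PRIMARY KEY,"
        " tenant_id TEXT NOT NULL,"
        " customer TEXT NOT NULL,"
        " amount REAL NOT NULL)"
    )
    conn.execute("CREATE INDEX idx_invoices_tenant ON invoices(tenant_id)")
    conn.executemany(
        "INSERT INTO invoices (tenant_id, customer, amount) VALUES (?, ?, ?)",
        [("acme", "Alice", 100.0), ("acme", "Bob", 250.0), ("globex", "Carol", 999.0)],
    )
    conn.commit()
    return conn


def naive_get_invoice(conn: sqlite3.Connection, invoice_id: int) -> Optional[Row]:
    """Vulnerable lookup: the row key comes from the request and the tenant
    predicate is missing, so any tenant can read any other tenant's invoice
    by guessing ids (a cross-tenant direct object reference)."""
    return conn.execute(
        "SELECT id, customer, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


class TenantScope:
    """Hardened access path. The scope is bound once to the tenant taken from
    the authenticated session; request parameters can never widen it, and
    every statement carries the tenant predicate as a bound parameter."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str) -> None:
        self.conn = conn
        self.tenant_id = tenant_id

    def get_invoice(self, invoice_id: int) -> Optional[Row]:
        # Another tenant's invoice is indistinguishable from a non-existent one.
        return self.conn.execute(
            "SELECT id, customer, amount FROM invoices WHERE id = ? AND tenant_id = ?",
            (invoice_id, self.tenant_id),
        ).fetchone()

    def list_invoices(self) -> List[Row]:
        return self.conn.execute(
            "SELECT id, customer, amount FROM invoices WHERE tenant_id = ? ORDER BY id",
            (self.tenant_id,),
        ).fetchall()

    def add_invoice(self, customer: str, amount: float) -> int:
        # tenant_id is stamped server-side; a caller cannot write into another tenant.
        cur = self.conn.execute(
            "INSERT INTO invoices (tenant_id, customer, amount) VALUES (?, ?, ?)",
            (self.tenant_id, customer, amount),
        )
        self.conn.commit()
        return cur.lastrowid

    def delete_invoice(self, invoice_id: int) -> int:
        # Returns rows deleted: 0 when the id belongs to another tenant.
        cur = self.conn.execute(
            "DELETE FROM invoices WHERE id = ? AND tenant_id = ?",
            (invoice_id, self.tenant_id),
        )
        self.conn.commit()
        return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    print("naive lookup on behalf of acme, id 3:", naive_get_invoice(db, 3))  # leaks globex's row
    print("scoped lookup on behalf of acme, id 3:", TenantScope(db, "acme").get_invoice(3))  # None
```

The same property can be pushed into the database itself where the DBMS supports row-level security or per-tenant views, so that a forgotten predicate in application code fails closed rather than open.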
Approaches for Cloud Security
IBM’s approach to Cloud Security
At IBM we understand the cloud and we also understand that
“One Size Does not Fit All”
One size does not fit all: different cloud workloads have different risk profiles
Business risk and the need for security assurance rise together, from low to high:
• Low-risk: training, testing with non-sensitive data
• Mid-risk: analysis & simulation with public data
• High-risk: mission-critical workloads, personal information
Today's clouds are primarily at the low-risk end:
• Lower risk workloads
• One-size-fits-all approach to data protection
• No significant assurance
• Price is key
Tomorrow's high value / high risk workloads need:
• Quality of protection adapted to risk
• Direct visibility and control
• Significant level of assurance
Required controls for cloud security are the same as for IT security in general
1. Identity and Access Management: strong focus on authentication of users and management of user identities
2. Discover, Categorize and Protect Data & Information Assets: strong focus on protection of data at rest or in transit
3. Information Systems Acquisition, Development, and Maintenance: management of application and virtual machine deployment
4. Secure Infrastructure Against Threats and Vulnerabilities: management of vulnerabilities and their associated mitigations, with strong focus on network and endpoint protection
5. Problem & Information Security Incident Management: management of, and response to, expected and unexpected events
6. Physical and Personnel Security: protection for physical assets and locations including networks and data centers; employee security
7. Security Governance, Risk Management & Compliance: security governance including maintaining security policy and audit and compliance measures
8. Cloud Governance: cloud-specific security governance including directory synchronization and geo-locational support
Our approach to delivering security aligns with each phase of a client's cloud project or initiative
• Design: establish a cloud strategy and implementation plan to get there.
• Deploy: build cloud services, in the enterprise and/or as a cloud services provider.
• Consume: manage and optimize consumption of cloud services.
Example security capabilities:
• Cloud security roadmap
• Secure development
• Network threat protection
• Server security
• Database security
• Application security
• Virtualization security
• Endpoint protection
• Configuration and patch management
• Identity and access management
• Secure cloud communications
• Managed security services
IBM Cloud Security Approach:
• Secure by Design: focus on building security into the fabric of the cloud.
• Workload Driven: secure cloud resources with innovative features and products.
• Service Enabled: govern the cloud through ongoing security operations and workflow.
Security solutions to address the unique challenges of cloud computing: helping clients begin their journey to the cloud with relevant security expertise
GRC:
• Compliance ownership
• Cross border constraints
• e-discovery process
• Access to logs and audit trails
• Merging patch, change, and configuration management policies
• Rapid provisioning/de-provisioning of users
• Federated identity management
• Data segregation
• Intellectual property protection
• Data preservation and investigation
• Multi-tenancy and shared images
• Virtualized environments
• Open public access
• Physical data center security and resiliency
How we deliver Cloud Security
• Security by design
• Security by workload
• New security efficiencies
We believe the cloud could be more secure than traditional enterprises
Cloud Enabled Data Center - simple use case
(Figure: self-service GUI, cloud platform, resource pool, image library, hypervisor and SW catalog with config and binaries)
1. User identity is verified and authenticated (self-service GUI, cloud platform)
2. Resource chosen from the correct security domain (available resource in the resource pool)
3. VM is configured with the appropriate security policy (machine image from the image library)
4. Image provisioned behind FW / IPS (configured machine image running as a virtual machine on the hypervisor)
5. Host security installed and updated
6. Software patches applied and up-to-date (config and binaries from the SW catalog)
Workload driven security
Cloud security depends on focusing security controls on specific types of work, for example healthcare, collaboration, development.
Activity/Data Driven Cloud Security
• Organizations need to adopt a strategy for cloud security that considers the unique attributes of the cloud as well as the activities and data for which the cloud is being utilized.
• Only by combining foundational controls with activity/data specific controls can organizations meet their cloud security needs.
Secure By Design: Security must be built into Cloud Fabric
• Failure to build security proactively into the fabric of the cloud (including secure deployment of services) can have negative consequences:
  – Audit failures
  – Increased operating costs long term
  – Poor customer satisfaction
  – Difficulty in expansion
  – Management complexity
  – Failure to achieve the anticipated cloud return due to service failures
Security Challenges with Virtualization:
Using Traditional Security for a Virtual Data Center May Add Cost and Complexity
Legacy security in a virtual environment seems secure, but is not secure enough:
• Network IPS: only blocks threats and attacks at the perimeter. It should protect against threats at the perimeter and between VMs.
• Server protection: secures each physical server with protection and reporting for a single agent. Securing each VM as if it were a physical server adds time and cost.
• System patching: patches critical vulnerabilities on individual servers and networks. It needs to track, patch and control VM sprawl.
• Security policies: policies are specific to critical applications in each network segment and server. Policies must be more encompassing (Web, data, OS coverage, databases) and be able to move with the VMs.
Points of Exposure
(Figure: virtualization stack of hardware, VMM or hypervisor, management, and virtual machines each with its own operating system and applications)
• Existing threats: hardware, operating system, applications
• New threats: VMM or hypervisor, management, virtual machines
More components = more exposure
Security Challenges with Virtualization: New Risks
• Management vulnerabilities: secure storage of VMs and the management data
• Virtual sprawl: dynamic relocation; VM stealing
• Resource sharing: single point of failure
• Stealth rootkits in hardware now possible: virtual NICs & virtual hardware are targets
Control events by policies:
- VM creation
- VM registration
- VM removal
- VM power on
- VM power off
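As an added example covering both the six-step data center use case earlier (identity verified, resource from the correct security domain, image from the library, provisioned behind FW/IPS, host security installed, patches current) and the event-by-policy list above, not code from this deck or from IBM: a small policy evaluator that gates VM creation, registration, power-on and power-off, and treats an unregistered VM as sprawl. The image library, zone mapping and patch baseline are constructed; hashing the image against the library digest is one way to implement "image from the library", which the slides do not specify.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed image library: image name -> bytes, and the SHA-256 the library
# recorded when the image was approved. Real libraries would store the digest only.
APPROVED_IMAGE_BYTES: Dict[str, bytes] = {"rhel6-hardened": b"constructed rhel6 hardened image"}
APPROVED_IMAGES: Dict[str, str] = {
    name: hashlib.sha256(data).hexdigest() for name, data in APPROVED_IMAGE_BYTES.items()
}
# Which security zone (domain) may host which data classification (constructed).
ZONE_FOR_CLASSIFICATION: Dict[str, str] = {"public": "dmz", "internal": "app", "confidential": "restricted"}
# Zones that must sit behind the firewall / IPS pair (constructed).
PROTECTED_ZONES: Set[str] = {"app", "restricted"}
# Minimum patch level (year, month) before a VM may be powered on (constructed).
PATCH_BASELINE: Tuple[int, int] = (2012, 3)


@dataclass
class VMRequest:
    name: str
    requester_authenticated: bool
    image_name: str
    image_bytes: bytes
    classification: str
    zone: str
    behind_fw_ips: bool
    host_agent_installed: bool
    patch_level: Tuple[int, int]


class LifecyclePolicy:
    """Policy checks at each lifecycle event. Each method returns the list of
    violations; an empty list means the event may proceed."""

    def __init__(self) -> None:
        self.registry: Set[str] = set()  # registered VMs; anything else is sprawl

    def on_create(self, req: VMRequest) -> List[str]:
        v: List[str] = []
        if not req.requester_authenticated:                       # step 1
            v.append("requester not authenticated")
        expected = APPROVED_IMAGES.get(req.image_name)            # step 3
        if expected is None:
            v.append(f"image {req.image_name} not in image library")
        elif hashlib.sha256(req.image_bytes).hexdigest() != expected:
            v.append(f"image {req.image_name} digest mismatch (tampered or stale)")
        if ZONE_FOR_CLASSIFICATION.get(req.classification) != req.zone:   # step 2
            v.append(f"zone {req.zone} is not the security domain for {req.classification} data")
        if req.zone in PROTECTED_ZONES and not req.behind_fw_ips:        # step 4
            v.append("VM must be provisioned behind FW / IPS")
        return v

    def on_register(self, name: str) -> None:
        self.registry.add(name)

    def on_remove(self, name: str) -> None:
        self.registry.discard(name)

    def on_power_on(self, req: VMRequest) -> List[str]:
        v: List[str] = []
        if req.name not in self.registry:
            v.append(f"{req.name} is not registered (VM sprawl)")
        if not req.host_agent_installed:                          # step 5
            v.append("host security agent missing")
        if req.patch_level < PATCH_BASELINE:                      # step 6
            v.append(f"patch level {req.patch_level} below baseline {PATCH_BASELINE}")
        return v

    def on_power_off(self, name: str) -> List[str]:
        # A VM that was never registered but is being powered off was running unseen.
        return [] if name in self.registry else [f"{name} powered off but never registered"]
```

The ordering of gates is the point: an image that does not match the library digest is refused at creation, before any network placement, and a VM that skipped registration cannot be powered on even when its image and patch level are fine.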
IBM Virtual Server Protection for VMware: integrated threat protection for VMware vSphere 4
• VMsafe integration
• Firewall and intrusion prevention
• Rootkit detection/prevention
• Inter-VM traffic analysis
• Automated protection for mobile VMs (VMotion)
• Virtual network segment protection
• Virtual network-level protection
• Virtual infrastructure auditing (privileged user)
• Virtual network access control
Helps customers to be more secure, compliant and cost-effective by delivering integrated and optimized security for virtual data centers.
Creating New Security Efficiencies
• IBM Professional Security Services: Security Strategy Roadmap
• IBM Professional Security Services: Cloud Security Assessment
• IBM Professional Security Services: Application Security Services for Cloud
• IBM Information Protection Services: Managed Backup Cloud
• Hosted Vulnerability Management
• Hosted Security Event & Log Management
InfoSphere Guardium
(Figure: customer data center and CSP data center connected over the CSP's WAN)
• Without Guardium: a traditional database is moved into the cloud, and the customer fears the database being accessed by unauthorized people.
• With Guardium: the traditional database is protected by Guardium as it moves into the cloud.
InfoSphere Optim in Cloud Service Provider Platform
(Figure: customer data center and CSP data center connected over the CSP's WAN)
• Without Optim: a traditional database is moved into the cloud without anonymisation.
• With Optim: the traditional database is anonymised by Optim as it moves into the cloud; Optim applies anonymization while the data is moving out of the customer's DC.
Data Policy Management: Anonymizing Data With IBM InfoSphere Optim
Scope:
• Anonymize data moved to the cloud, thereby easing the move to the cloud
Value:
• Establish a process to ease the move of key workloads such as dev & test, and the related data they require for testing, removing the most important risks
Constraints:
• Requires human analysis of the data to anonymize, and is therefore a manual process the first time
Position:
• Should be used as a process within the source datacenter to enable the move to the target (cloud-based) datacenter
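As an added example of the anonymization step performed inside the source data center, not IBM InfoSphere Optim's code or algorithm: keyed pseudonymization with HMAC keeps referential integrity between a customer table and an order table (so the dev/test copy still joins) while the key never leaves the source DC; direct identifiers are replaced and quasi-identifiers generalized. The tables, column names and key are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample tables standing in for a production database that is
# about to be copied to a cloud dev/test environment.
CUSTOMERS: List[Dict[str, str]] = [
    {"customer_id": "C1001", "name": "Alice Martin", "email": "alice.martin@example.com",
     "dob": "1980-04-12", "postcode": "1050"},
    {"customer_id": "C1002", "name": "Bob Peeters", "email": "bob.peeters@example.com",
     "dob": "1975-11-30", "postcode": "2018"},
]
ORDERS: List[Dict[str, object]] = [
    {"order_id": "O1", "customer_id": "C1001", "amount": 120.0},
    {"order_id": "O2", "customer_id": "C1002", "amount": 80.0},
    {"order_id": "O3", "customer_id": "C1001", "amount": 45.5},
]
# Every original identifying value; used afterwards to prove none survived.
PII_VALUES = {v for c in CUSTOMERS for k, v in c.items() if k in ("customer_id", "name", "email", "dob")}


def pseudonym(key: bytes, domain: str, value: str) -> str:
    """Deterministic keyed token for `value` within `domain` (a column family).
    HMAC-SHA256 rather than a plain hash, so the token cannot be brute-forced
    back to a short value such as a customer id without the key. The same
    key and domain give the same token, which is what keeps joins working."""
    mac = hmac.new(key, f"{domain}\x00{value}".encode(), hashlib.sha256).hexdigest()
    return mac[:16]


def anonymize_customers(key: bytes, rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    out = []
    for r in rows:
        tok = pseudonym(key, "customer_id", r["customer_id"])
        out.append({
            "customer_id": tok,                    # pseudonymized, consistent across tables
            "name": f"Customer {tok[:6]}",         # replaced, not derived from the real name
            "email": f"{tok}@example.invalid",     # syntactically valid, never deliverable
            "birth_year": r["dob"][:4],            # generalized: year only
            "postcode": r["postcode"][:2] + "00",  # coarsened to region
        })
    return out


def anonymize_orders(key: bytes, rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    # Only the foreign key is touched; amounts stay usable for testing.
    return [{**r, "customer_id": pseudonym(key, "customer_id", str(r["customer_id"]))} for r in rows]


def joinable_orders(customers: List[Dict[str, str]], orders: List[Dict[str, object]]) -> int:
    """Number of orders that still join to a customer row."""
    ids = {c["customer_id"] for c in customers}
    return sum(1 for o in orders if o["customer_id"] in ids)


def leaked_pii(rows: List[Dict[str, object]], pii=PII_VALUES) -> List[str]:
    """Original identifying values that survived into the output (should be none)."""
    return [v for r in rows for v in r.values() if isinstance(v, str) and v in pii]


if __name__ == "__main__":
    key = b"constructed-key-kept-in-source-dc"   # never copied to the cloud
    customers = anonymize_customers(key, CUSTOMERS)
    orders = anonymize_orders(key, ORDERS)
    print(joinable_orders(customers, orders), "of", len(orders), "orders still join")
    print("leaked:", leaked_pii(customers) + leaked_pii(orders))
```

The slide's constraint still applies: deciding which columns are direct identifiers, which are quasi-identifiers to generalize, and which must stay exact is the human analysis that has to happen before the first run.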
Real-Time Database Monitoring
• Non-invasive architecture
  • Outside the database
  • Minimal performance impact (2-3%)
  • No DBMS or application changes
• Cross-DBMS solution
• 100% visibility including local DBA access
• Enforces separation of duties (SoD)
  • Does not rely on DBMS-resident logs that can easily be erased by attackers or rogue insiders
• Granular, real-time policies & auditing
  • Who, what, when, how
• Automated compliance reporting, sign-offs & escalations (SOX, PCI, NIST, etc.)
(Figure: monitored DBMS, e.g. DB2)
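As an added example of the policy evaluation such a monitor performs on the "who, what, when, how" of each statement, not Guardium's code, rule language or log format: a few constructed audit lines (the line format is assumed) are run through four rules (a privileged user reading sensitive data, access from an application not on the table's allow-list, a privilege or schema change outside the change window, and a bulk read with no WHERE clause), and a line the collector could not parse is reported rather than silently dropped.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed audit lines in the format this example assumes a network-tap
# monitor would emit (one SQL statement per line). Not a real product format.
SAMPLE_LOG = [
    '2012-03-15T09:02:11Z user=billing_svc src=10.1.2.15 app=billing_svc db=CARDS stmt="SELECT pan_last4, name FROM CARDHOLDER WHERE id = 42"',
    '2012-03-15T02:14:07Z user=dba_joe src=10.1.5.7 app=sqlplus db=CARDS stmt="SELECT * FROM CARDHOLDER"',
    '2012-03-15T14:30:00Z user=dba_joe src=10.1.5.7 app=sqlplus db=CARDS stmt="GRANT SELECT ON CARDHOLDER TO intern"',
    '2012-03-15T22:30:00Z user=dba_joe src=10.1.5.7 app=sqlplus db=CARDS stmt="ALTER TABLE CARDHOLDER ADD COLUMN note TEXT"',
    '2012-03-15T10:00:00Z user=app_report src=192.168.9.9 app=excel db=CARDS stmt="SELECT name, pan FROM CARDHOLDER"',
    'corrupted line that the collector could not parse',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) app=(?P<app>\S+) db=(?P<db>\S+) stmt="(?P<stmt>[^"]*)"$'
)
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE|ON)\s+([A-Za-z_][\w.]*)", re.I)

# Constructed policy.
SENSITIVE_TABLES = {"CARDHOLDER", "PATIENT"}
DBA_ACCOUNTS = {"dba_joe"}                         # privileged accounts under separation of duties
APPROVED_APPS = {"CARDHOLDER": {"billing_svc"}}    # applications allowed to touch each sensitive table
DML = {"SELECT", "INSERT", "UPDATE", "DELETE"}
PRIVILEGE_OR_SCHEMA_CHANGE = {"GRANT", "REVOKE", "DROP", "ALTER", "CREATE"}
CHANGE_WINDOW_START_HOUR = 22                      # 22:00 to 24:00 UTC is the approved change window


def parse(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def in_change_window(ts: str) -> bool:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour >= CHANGE_WINDOW_START_HOUR


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Return the ids of the policy rules one parsed event violates."""
    stmt = ev["stmt"].strip()
    verb = stmt.split(None, 1)[0].upper() if stmt else ""
    sensitive = {t.upper() for t in TABLE_RE.findall(stmt)} & SENSITIVE_TABLES
    hits: List[str] = []
    # R1: a DBA reading sensitive rows. DBAs administer the database; under
    # separation of duties they do not get to read cardholder data.
    if verb == "SELECT" and sensitive and ev["user"] in DBA_ACCOUNTS:
        hits.append("R1")
    # R2: DML on a sensitive table from an application not on its allow-list.
    if verb in DML and any(ev["app"] not in APPROVED_APPS.get(t, set()) for t in sensitive):
        hits.append("R2")
    # R3: privilege or schema change outside the change window.
    if verb in PRIVILEGE_OR_SCHEMA_CHANGE and not in_change_window(ev["ts"]):
        hits.append("R3")
    # R4: bulk read of a sensitive table (no WHERE clause), a typical extraction pattern.
    if verb == "SELECT" and sensitive and not re.search(r"\bWHERE\b", stmt, re.I):
        hits.append("R4")
    return hits


def monitor(lines: List[str]) -> List[Tuple[int, Optional[str], List[str]]]:
    """Run every line through the rules; return (line number, user, rule ids)
    for lines that matter. An unparsable line is reported as R0: a gap in
    the audit stream is itself a finding, not something to skip."""
    alerts: List[Tuple[int, Optional[str], List[str]]] = []
    for n, line in enumerate(lines, start=1):
        ev = parse(line)
        if ev is None:
            alerts.append((n, None, ["R0"]))
            continue
        hits = evaluate(ev)
        if hits:
            alerts.append((n, ev["user"], hits))
    return alerts


if __name__ == "__main__":
    for alert in monitor(SAMPLE_LOG):
        print(alert)
```

Because the rules see the statement on the wire rather than a DBMS-side log, the DBA in line 2 is caught even though that account could have cleared the database's own audit table afterwards.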
Scalable Multi-Tier Architecture
Integration with LDAP, IAM, IBM Tivoli, IBM TSM, Remedy, …
Quick intro: IBM Security Framework, a business-oriented framework used across all IBM brands that allows a client's security concerns to be structured and discussed
Built to meet four key requirements:
• Provide assurance
• Enable intelligence
• Automate process
• Improve resilience
Introducing the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security; IBM RedGuide REDP-4528-00, July 2009
Typical Client Security Requirements
• Governance, Risk Management, Compliance
  • 3rd-party audit (SAS 70(2), ISO27001, PCI)
  • Client access to tenant-specific log and audit data
  • Effective incident reporting for tenants
  • Visibility into change, incident, image management, etc.
  • SLAs, option to transfer risk from tenant to provider
  • Support for forensics
  • Support for e-Discovery
• Application and Process
  • Application security requirements for cloud are phrased in terms of image security
  • Compliance with secure development best practices
• Physical
  • Monitoring and control of physical access
• People and Identity
  • Privileged user monitoring, including logging activities, physical monitoring and background checking
  • Federated identity / onboarding: coordinating authentication and authorization with enterprise or third party systems
  • Standards-based SSO
• Data and Information
  • Data segregation
  • Client control over geographic location of data
  • Government: cloud-wide data classification
• Network, Server, Endpoint
  • Isolation between tenant domains
  • Trusted virtual domains: policy-based security zones
  • Built-in intrusion detection and prevention
  • Vulnerability management
  • Protect machine images from corruption and abuse
  • Government: MILS-type separation
Based on interviews with clients and various analyst reports
Security governance, risk management and compliance: customers require visibility into the security posture of their cloud.
• Establish 3rd-party audits (SAS 70, ISO27001, PCI)
• Provide access to tenant-specific log and audit data
• Create effective incident reporting for tenants
• Visibility into change, incident, image management, etc.
• Support for forensics and e-Discovery
Implement a governance and audit management program
Supporting IBM products, services and solutions: IBM Security Framework, IBM Cloud Security Guidance Document, IBM Security Products and Services
People and identity: customers require proper authentication of cloud users.
• Privileged user monitoring, including logging activities, physical monitoring and background checking
• Utilize federated identity to coordinate authentication and authorization with enterprise or third party systems
• A standards-based, single sign-on capability can help simplify user logons for both internally hosted applications and the cloud
Implement strong identity and access management
Supporting IBM products, services and solutions: IBM Security Framework, IBM Cloud Security Guidance Document, IBM Security Products and Services
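As an added example of the checks a cloud service (the relying party) has to make on a federated identity assertion before trusting it for single sign-on, not code from this deck, from IBM Tivoli Federated Identity Manager, or from any SAML/OpenID Connect library: an identity provider issues a compact HS256-signed token and the relying party verifies signature, issuer, audience, expiry and one-time use, in that order. The shared-secret HMAC signature is a simplification of the asymmetric signatures SAML and OpenID Connect use in practice; the issuer name, audience and secret are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Set


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(secret: bytes, claims: Dict) -> str:
    """Identity provider side: sign the claims as a compact HS256 JWT."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


class RelyingParty:
    """Cloud service side: accepts a token only after every check passes.
    The order is deliberate: the algorithm is fixed by the verifier, the
    signature is checked before any claim is trusted, then issuer, audience,
    expiry, and finally a one-time jti so a captured token cannot be replayed."""

    def __init__(self, secret: bytes, issuer: str, audience: str,
                 now: Callable[[], float] = time.time) -> None:
        self.secret = secret
        self.issuer = issuer
        self.audience = audience
        self.now = now
        self.seen_jti: Set[str] = set()   # in production: a store with expiry, shared across nodes

    def verify(self, token: str) -> Dict:
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        h, p, s = parts
        header = json.loads(b64url_decode(h))
        # The verifier decides the algorithm; a token claiming alg=none or another
        # algorithm is rejected outright rather than dispatched on.
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(self.secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(p))
        if claims.get("iss") != self.issuer:
            raise ValueError("wrong issuer")
        aud = claims.get("aud")
        if aud != self.audience and not (isinstance(aud, list) and self.audience in aud):
            raise ValueError("wrong audience")
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= self.now():
            raise ValueError("expired or missing exp")
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise ValueError("missing or replayed jti")
        self.seen_jti.add(jti)
        return claims


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    rp = RelyingParty(secret, "https://idp.example", "cloud-app")
    tok = issue_token(secret, {"iss": "https://idp.example", "aud": "cloud-app", "sub": "alice",
                               "exp": time.time() + 300, "jti": "n-1"})
    print("accepted subject:", rp.verify(tok)["sub"])
```

A token that passes the signature check but names another audience is rejected; that is what stops an assertion minted for one cloud service being presented to a second one that trusts the same identity provider.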
Data and information: customers cite data protection as their most important concern.
• Use a secure network protocol when connecting to a secure information store.
• Implement a firewall to isolate confidential information, and ensure that all confidential information is stored behind the firewall.
• Sensitive information not essential to the business should be securely destroyed.
Ensure confidential data protection
Supporting IBM products, services and solutions: IBM Security Framework, IBM Cloud Security Guidance Document, IBM Security Products and Services
Application and process: customers require secure cloud applications and provider processes.
• Implement a program for application and image provisioning.
• A secure application testing program should be implemented.
• Ensure all changes to virtual images and applications are logged.
• Develop all Web based applications using secure coding guidelines.
Establish application and environment provisioning
Supporting IBM products, services and solutions: IBM Security Framework, IBM Cloud Security Guidance Document, IBM Security Products and Services
Network, server and end point: customers expect a secure cloud operating environment.
• Isolation between tenant domains
• Trusted virtual domains: policy-based security zones
• Built-in intrusion detection and prevention
• Vulnerability management
• Protect machine images from corruption and abuse
Maintain environment testing and vulnerability/intrusion management
Supporting IBM products, services and solutions: IBM Security Framework, IBM Cloud Security Guidance Document, IBM Security Products and Services
Physical security: customers expect cloud data centers to be physically secure.
• Ensure the facility has appropriate controls to monitor access.
• Prevent unauthorized entrance to critical areas within facilities.
• Ensure that all employees with direct access to systems have full background checks.
• Provide adequate protection against natural disasters.
Implement a physical environment security plan
Supporting IBM products, services and solutions: IBM Security Framework, IBM Cloud Security Guidance Document, IBM Security Products and Services
IBM Security offerings for Cloud Computing
Delivered as professional services, managed services, products, and cloud delivered:
• Security Governance, Risk and Compliance
• Security Information and Event Management (SIEM) & Log Management
• Data Security: e-mail security, database monitoring & protection, data loss prevention, messaging security, data masking
• Application Security: application vulnerability scanning, web application firewall, SOA security
• Identity & Access Management: access & entitlement management, access management, data entitlement management, identity management
• Infrastructure Security: mainframe security audit, admin & compliance; security configuration & patch management; virtual system security; security event management; endpoint protection; intrusion prevention system; web/URL filtering; threat analysis; firewall, IDS/IPS, MFS management; encryption & key lifecycle management; vulnerability assessment; physical security
IBM Security Solutions for the Cloud
IBM continues to research, test and document more focused approaches to cloud security
• IBM Research: special research concentration in cloud security
• IBM X-Force: proactive counter intelligence and public education
• Customer Councils: real-world feedback from clients adopting cloud
• Standards Participation: client-focused open standards and interoperability
• IBM Institute for Advanced Security: collaboration between academia, industry, government, and the IBM technical community
IBM Cloud Security Guidance
Based on cross-IBM research and customer interaction on cloud security. Highlights a series of best practice controls that should be implemented, broken into 7 critical infrastructure components:
• Building a Security Program
• Confidential Data Protection
• Implementing Strong Access and Identity
• Application Provisioning and De-provisioning
• Governance Audit Management
• Vulnerability Management
• Testing and Validation
http://www.redbooks.ibm.com/abstracts/redp4614.html?Open
IBM Security Solutions Architecture for Network, Server and Endpoint
Explores threats to and security requirements of IT systems. Business drivers such as managing risk and cost, and compliance with business policies and external regulations, are explored, highlighting how they can be translated into frameworks to enable enterprise security. The idea is to help bridge the communication gap between the business and the technical perspectives of security and to enable simplification of thought and process.
http://www.redbooks.ibm.com/abstracts/sg247581.html?Open
Cloud Security Whitepaper
Trust needs to be achieved, especially when data is stored in new ways and in new locations, including for example different countries. This paper is provided to stimulate discussion by looking at three areas:
• What is different about cloud?
• What are the new security challenges cloud introduces?
• What can be done and what should be considered further?
http://www-03.ibm.com/press/us/en/attachment/32799.wss?fileId=ATTACH_FILE1&fileName=10-0861_US%20Cloud%20Computing%20White%20Paper_Final_LR.pdf
Security & Privacy Leadership: trusted advisor, security company, solution provider, the company
Security for the cloud, and security from the cloud
Thank you!
For more information, please visit:
http://ibm.com/cloud
Cloud Security On Ramps: entry points to get started with IBM security solutions for cloud, mapped to the Design, Deploy and Consume phases of the IBM Security Framework
• GRC: understand the concerns of your unique cloud initiative. IBM Cloud Security Roadmap Service
• Identity: enable single sign on across multiple cloud services. IBM Tivoli Federated Identity Manager Business Gateway
• Data: protect and monitor access to shared databases. IBM InfoSphere Guardium
• Intrusion: defend users and apps from network attacks. IBM Security Network Intrusion Prevention System
• Virtualization: protect VMs and hypervisor from advanced threats. IBM Virtual Server Protection for VMware
• Patch management: provide patch and config management of VMs. IBM Tivoli Endpoint Manager for Security and Compliance
Getting Started with Secure Cloud Computing
• Develop a strategy: based on business requirements ... holistically, in a more dynamic environment, by workloads
• Design and implement: security best practices ... think holistically
• Technology and services: select cloud technology and services ... modularity and standards are key
• Operate and manage: take a risk-based approach to security ... data in motion, data at rest, access to data