
IBM Relay 2015: Securing the Future


Page 1: IBM Relay 2015: Securing the Future

© IBM Corporation 1

Securing the Future

Presented by: David A. Cass, VP & CISO, Cloud & SaaS

Page 2: IBM Relay 2015: Securing the Future

Agenda

– Threat landscape
– Evaluating the risk of cloud services
– Best practices
  • Service Development
    – Secure Engineering Framework
    – Security policies
  • Service Delivery
    – Data Protection
    – 3rd party accreditations, contractual obligations
  • Service Consumption in a shared responsibility environment
– Wrap up

Page 3: IBM Relay 2015: Securing the Future

Please Note:

– IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
– Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
– The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.
– The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

Page 4: IBM Relay 2015: Securing the Future

Threat Landscape: 83% of CISOs say that the challenge posed by external threats has increased in the last three years

Near Daily Leaks of Sensitive Data
40% increase in reported data breaches and incidents

Relentless Use of Multiple Methods
800,000,000+ records were leaked, while the future shows no sign of change

“Insane” Amounts of Records Breached
42% of CISOs claim the risk from external threats increased dramatically from prior years.

Page 5: IBM Relay 2015: Securing the Future

Security leaders are more accountable than ever before

– Loss of market share and reputation
– Legal exposure
– Business continuity
– Audit failure
– Fines and enforcement impact
– Financial loss
– Impact to data and systems (confidentiality, integrity and/or availability)
– Violation of employee privacy
– Loss of customer trust
– Loss of brand reputation

CEO, CFO / COO, CIO, CHRO / CDO, CMO

Your board and CEO demand a strategy

Page 6: IBM Relay 2015: Securing the Future

Threat Landscape - Then

Enterprises
• Captive Workforce
• Desktops & Laptops
• Corporate Network with VPN for remote workers
• Corporate Owned Devices

Attackers
• Rogue Individuals
• Motivated by the challenge
• Little or no financial gain

Attacks
• Noisy
• Server side/infrastructure vulnerabilities
• Noticeable
• Damaging & Costly but not complicated to remediate

Page 7: IBM Relay 2015: Securing the Future

Threat Landscape - Now

Enterprises
• Highly Mobile Workforce
• Smartphones & Tablets
• Use of home Wi-Fi, free Wi-Fi, cellular connections
• Corporate Owned Devices

Attackers
• Organized
• Well funded
• Highly skilled
• Organized Crime
• Financial/Political gain

Attacks
• Stealthy
• Applications, Databases, and Social Engineering
• Hard to detect
• Goal is data exfiltration

Page 8: IBM Relay 2015: Securing the Future

Evaluating the risk of cloud services: Identify Risk & Maturity Level Expectations By Tier - Example

Tiering
– Tier 1: Regulated Data (PHI, SOX, SPII, PCI, etc.)
– Tier 2: Confidential, Attorney Client Privileged Data, Intellectual Property and Personally Identifiable (External)
– Tier 3: Confidential, Attorney Client Privileged Data, Intellectual Property and Personally Identifiable (Internal)
– Tier 4: Public Data (No Distinction between external & Internal)
– Tier 5: Temporary Environment for POC, Lab work or Testing (No Prod or "Real" Data)

Maturity Level Expectation
(Tier # | Application Security | Network & Systems | Data Security | Secure OPS | Security Strat & Org)
1 | 4 | 4 | 5 | 4 | 4
2 | 3 | 4 | 4 | 4 | 4
3 | 3 | 3 | 4 | 4 | 3
4 | 3 | 4 | 3 | 3 | 3
5 | 2 | 2 | 2 | 2 | 2

Page 9: IBM Relay 2015: Securing the Future

Application Security Tiers

Requirement: Source Code Control
  Level 1: Not using source control
  Level 2: Source Code Control is in place
  Level 3: Source Code Control in place with manual scanning
  Level 4: Source Code Control in place with Automated security scanning
  Level 5: Source Code Control in place with Automated Security scanning and remediation results fed back into SDLC and training efforts

Requirement: SDLC
  Level 1: No defined SDLC
  Level 2: Documented, not always followed
  Level 3: Documented and mostly followed; Security integration into SDLC processes
  Level 4: Documented and 100% Followed
  Level 5: Security Remediation feeding back into SDLC

Requirement: Team Security Awareness
  Level 1: Not really Aware, No dedicated security training
  Level 2: Aware of security requirements, not trained
  Level 3: Entire team at Security White Belt
  Level 4: Software Security Champions, Team at Security Green Belt
  Level 5: Entire Team understands security, team at Security Black Belt level

Requirement: Third Parties
  Level 1: No single point of detail for involved 3rd parties
  Level 2: At a minimum have an inventory of all 3rd parties
  Level 3: 50% of third parties have undergone a 3rd party security assessment
  Level 4: 100% of third parties have undergone a 3rd party security assessment, Required to validate (proof) following appropriate security practices
  Level 5: Onsite verification of security practices, External Developers at Black Belt

Requirement: Production Releases
  Level 1: No production release process, releases done whenever and however
  Level 2: Developers deploy manually to Prod
  Level 3: Documented and repeatable deployments, most likely handed off to someone else
  Level 4: Automated Releases
  Level 5: Automated Releases with automated change detection and verification

Requirement: Testing
  Level 1: If it compiles and builds, it's good to go
  Level 2: Manual ad hoc testing performed by Development team
  Level 3: Manual scheduled security scanning
  Level 4: Automated security scanning, QA in place, Documented tests and captured testing results
  Level 5: Automated Testing / Test driven Development
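As an added example that is not part of the deck, the following gap-analysis routine puts the Page 8 expectation table and the 1–5 maturity levels of Page 9 to work: it derives the strictest tier from the kinds of data a service handles and reports each domain whose measured maturity falls short of that tier's expectation. The mapping from data kinds to tiers (DATA_TIER) and the assessed service are constructed assumptions; the expectation numbers are the slide's.

```python
# Added example, not from the IBM deck: gap analysis against the
# "Maturity Level Expectation" by tier table (Page 8). The numbers are the
# slide's; DATA_TIER and any assessed service are constructed assumptions.

DOMAINS = ("Application Security", "Network & Systems", "Data Security",
           "Secure OPS", "Security Strat & Org")

# Expected maturity level (1..5, as on Page 9) per domain, for each data tier.
TIER_EXPECTATIONS = {
    1: (4, 4, 5, 4, 4),  # Regulated data (PHI, SOX, SPII, PCI, ...)
    2: (3, 4, 4, 4, 4),  # Confidential / privileged / IP / PII (external)
    3: (3, 3, 4, 4, 3),  # Confidential / privileged / IP / PII (internal)
    4: (3, 4, 3, 3, 3),  # Public data
    5: (2, 2, 2, 2, 2),  # Temporary POC / lab / test, no real data
}

# Constructed mapping from the kinds of data a service holds to the slide's
# tiers; a real programme derives this from its data classification policy.
DATA_TIER = {
    "PHI": 1, "PCI": 1, "SPII": 1, "SOX": 1,
    "PII_EXTERNAL": 2, "INTELLECTUAL_PROPERTY": 2, "ATTORNEY_CLIENT": 2,
    "PII_INTERNAL": 3, "PUBLIC": 4, "TEST_ONLY": 5,
}


def required_tier(data_types):
    """Strictest (lowest-numbered) tier implied by any data the service handles."""
    if not data_types:
        raise ValueError("a service must declare the data it handles")
    return min(DATA_TIER[d] for d in data_types)


def gap_analysis(data_types, measured):
    """Return (tier, {domain: shortfall}) for every domain whose measured
    maturity (dict domain -> level 1..5) is below the tier's expectation.
    A domain with no evidence is treated as level 1 (nothing in place)."""
    tier = required_tier(data_types)
    gaps = {}
    for domain, expected in zip(DOMAINS, TIER_EXPECTATIONS[tier]):
        level = measured.get(domain, 1)
        if level < expected:
            gaps[domain] = expected - level
    return tier, gaps


def acceptable(data_types, measured):
    """True when the service meets or exceeds every expectation for its tier."""
    return not gap_analysis(data_types, measured)[1]
```

A service that mostly serves public data but also stores card data is pulled to Tier 1 by the PCI data alone, which is why the strictest classification, not the most common one, drives the expectation.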

Page 10: IBM Relay 2015: Securing the Future

Best Practices: We see three sets of security capabilities to help enterprise clients …

Cloud Security Capabilities
– Manage Access: Manage identities and govern user access
– Protect Data: Protect infrastructure, applications, and data from threats
– Gain Visibility: Auditable intelligence on cloud access, activity, cost and compliance

Delivery models
– IaaS: Securing infrastructure and workloads
– SaaS: Secure usage of business applications
– PaaS (Bluemix): Secure service composition and apps

Page 11: IBM Relay 2015: Securing the Future

… delivered via cloud-enabled technologies and managed services

Client Consumption Models
– Security SaaS
– Virtual Appliances
– Managed Security Services
– APIs
– Professional Security Services

Page 12: IBM Relay 2015: Securing the Future

Comprehensive portfolio across platform security capabilities and cloud security products and services

IBM Cloud Security Portfolio (SaaS / PaaS / IaaS)

IBM Cloud Security
– Optimize Security Operations
– Manage Access
– Protect Data
– Gain Visibility

Page 13: IBM Relay 2015: Securing the Future


IBM Secure Engineering Portal

– www.ibm.com/security/secure-engineering

Page 14: IBM Relay 2015: Securing the Future

SaaS - Cloud Security

– 140+ SaaS Offerings.
– Executive (Macro) level chain of support
  • CIO Office
  • Cloud Operations
  • CISO Cloud
– We know:
  • Who has access to data
  • Where the data is accessed from
– Security requirements addressed in deployment checklist before going to market.

Page 15: IBM Relay 2015: Securing the Future

SaaS Security

– Clients hand data and trust to IBM.
  • IBM partners with the client.
– IBM delivers SaaS but assures we take care of individual needs.
  • Pen testing
  • Separation of Duties
  • Shared operating services – Malware / IPS / IDS
  • Encryption
  • Logging and Monitoring
– All offerings going through ISO 27001 certification.
– Leadership on new standards; ISO 20243 (supply chain risk)
– Standardization on SoftLayer platform with more Geos and local data centers than others to support privacy requirements.

Page 16: IBM Relay 2015: Securing the Future

Teams apply the Secure Engineering practices across the Lifecycle as demonstrated by key project milestones.

Development Process and Lifecycle: Development, Supply Chain, Service Deployment (COTS Deployment Lifecycle)

Milestones (labelled A through H on the slide)
– Catalog & Scan Components
– Create Assurance Plan based on Risks & Threats
– Protect & Monitor Source Code
– Complete Assurance Tasks, Security Scans & Remediation
– Security Compliance Review before initial Service Activation
– Security defenses operational with periodic rescan
– Review Completed Projects and gain approval for Release
– Scan Software Images for Viruses and Malware

Page 17: IBM Relay 2015: Securing the Future

Service Delivery – How IBM Protects Client Data

– Governance focused on continuous assessment & enhancement
– Shared services for vulnerability scanning, intrusion detection, penetration testing, log storage, X-Force threat intel, and more …
– Architectural separation of data stores, key storage, logs, etc.
– Encryption
– Over 2000 pages of authoritative internal security policies. Not suitable for external consumption, as it could help attackers!
– External collateral:
  • www.ibm.com/saas/security for the IBM SaaS Trust web site
  • www.ibm.com/privacy for privacy practices
  • Core Security Practices Document (NDA, controlled copy)
  • Offering specific security practices documents (acquisitions)

Physical / Logical / Organizational / Engineering controls

Page 18: IBM Relay 2015: Securing the Future

Compliance regimes

(Chart: Offerings, Regimes, Industries, Clients, Countries)

CJIS, FFIEC, SSAE 16, O-TTPS / ISO 20243, EU Safe Harbor, …

Page 19: IBM Relay 2015: Securing the Future

Service Consumption – How Clients Protect Data

– Classify data correctly
– Configure service correctly
– Train workforce sufficiently
– Leverage controls as intended to restrict data access
– Verify cloud service provider’s audit posture
– Review log analytics and related usage attributes

Page 20: IBM Relay 2015: Securing the Future


IBM Cloud Trust web site - for more information

– www.ibm.com/saas/security

Page 21: IBM Relay 2015: Securing the Future

Wrap Up

– Understand your risk tolerance
– Review what best practices are in use
– Understand steps clients need to take in a shared responsibility environment

– IBM is a cyber-security & data protection thought & practice leader
– IBM is exposing practices only to an extent that won’t aid hackers
– IBM is pursuing accreditations selectively to control your cost

Page 22: IBM Relay 2015: Securing the Future

Questions?

David Cass, CISO, IBM Cloud & SaaS Operations
E-mail: [email protected]
@dcass001
LinkedIn: www.linkedin.com/in/dcass001/

Page 23: IBM Relay 2015: Securing the Future


Accelerating Digital Business