© IBM Corporation 1
Securing the Future
Presented by: David A. Cass, VP & CISO, Cloud & SaaS

Agenda
– Threat landscape
– Evaluating the risk of cloud services
– Best practices
  • Service Development
  • Secure Engineering Framework
  • Security policies
– Service Delivery
  • Data Protection
  • 3rd party accreditations, contractual obligations
– Service Consumption in a shared responsibility environment
– Wrap up
Please Note:
– IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
– Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
– The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.
– The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
Threat Landscape: 83% of CISOs say that the challenge posed by external threats has increased in the last three years
– Near Daily Leaks of Sensitive Data
– 40% increase in reported data breaches and incidents
– Relentless Use of Multiple Methods
– 800,000,000+ records were leaked, while the future shows no sign of change
– “Insane” Amounts of Records Breached
– 42% of CISOs claim the risk from external threats increased dramatically from prior years.
Security leaders are more accountable than ever before
Impacts felt across the C-suite (CEO, CFO / COO, CIO, CHRO / CDO, CMO):
– Loss of market share and reputation
– Legal exposure
– Business continuity
– Audit failure
– Fines and enforcement impact
– Financial loss
– Impact to data and systems (confidentiality, integrity and / or availability)
– Violation of employee privacy
– Loss of customer trust
– Loss of brand reputation
Your board and CEO demand a strategy
Threat Landscape - Then
Enterprises
• Captive workforce
• Desktops & laptops
• Corporate network with VPN for remote workers
• Corporate owned devices
Attackers
• Rogue individuals
• Motivated by the challenge
• Little or no financial gain
Attacks
• Noisy
• Server side / infrastructure vulnerabilities
• Noticeable
• Damaging & costly, but not complicated to remediate
Threat Landscape - Now
Enterprises
• Highly mobile workforce
• Smartphones & tablets
• Use of home Wi-Fi, free Wi-Fi, cellular connections
• Corporate owned devices
Attackers
• Organized
• Well funded
• Highly skilled
• Organized crime
• Financial / political gain
Attacks
• Stealthy
• Applications, databases, and social engineering
• Hard to detect
• Goal is data exfiltration
Evaluating the risk of cloud services: Identify Risk & Maturity Level Expectations By Tier - Example

Maturity level expectation per security domain, by data tier:

Tier | Data classification | Application Security | Network & Systems | Data Security | Secure OPS | Security Strat & Org
1 | Regulated Data (PHI, SOX, SPII, PCI, etc.) | 4 | 4 | 5 | 4 | 4
2 | Confidential, Attorney Client Privileged Data, Intellectual Property and Personally Identifiable (External) | 3 | 4 | 4 | 4 | 4
3 | Confidential, Attorney Client Privileged Data, Intellectual Property and Personally Identifiable (Internal) | 3 | 3 | 4 | 4 | 3
4 | Public Data (No distinction between external & internal) | 3 | 4 | 3 | 3 | 3
5 | Temporary Environment for POC, Lab work or Testing (No Prod or "Real" Data) | 2 | 2 | 2 | 2 | 2
Application Security Tiers (maturity Levels 1 to 5 for each requirement)

Source Code Control
– Level 1: Not using source control
– Level 2: Source code control is in place
– Level 3: Source code control in place with manual scanning
– Level 4: Source code control in place with automated security scanning
– Level 5: Source code control in place with automated security scanning and remediation results fed back into SDLC and training efforts

SDLC
– Level 1: No defined SDLC
– Level 2: Documented, not always followed
– Level 3: Documented and mostly followed; security integration into SDLC processes
– Level 4: Documented and 100% followed
– Level 5: Security remediation feeding back into SDLC

Team Security Awareness
– Level 1: Not really aware, no dedicated security training
– Level 2: Aware of security requirements, not trained
– Level 3: Entire team at Security White Belt
– Level 4: Software Security Champions, team at Security Green Belt
– Level 5: Entire team understands security, team at Security Black Belt level

Third Parties
– Level 1: No single point of detail for involved 3rd parties
– Level 2: At a minimum have an inventory of all 3rd parties
– Level 3: 50% of third parties have undergone a 3rd party security assessment
– Level 4: 100% of third parties have undergone a 3rd party security assessment; required to validate (proof) that they follow appropriate security practices
– Level 5: Onsite verification of security practices, external developers at Black Belt

Production Releases
– Level 1: No production release process, releases done whenever and however
– Level 2: Developers deploy manually to Prod
– Level 3: Documented and repeatable deployments, most likely handed off to someone else
– Level 4: Automated releases
– Level 5: Automated releases with automated change detection and verification

Testing
– Level 1: If it compiles and builds, it's good to go
– Level 2: Manual ad hoc testing performed by the development team
– Level 3: Manual scheduled security scanning
– Level 4: Automated security scanning, QA in place, documented tests and captured testing results
– Level 5: Automated testing / test driven development
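The Level 5 "Production Releases" expectation, automated change detection and verification, is the one row in the table that is concrete enough to show in code. The following is an added example written for this page, not IBM's release tooling: it assumes a release is a directory tree, records a SHA-256 manifest of that tree at release time, authenticates the manifest with an HMAC whose key lives in the release pipeline rather than on the host, and later reports any file that was added, removed or modified after release. The file names and the tampering scenario in `demo()` are constructed for illustration.

```python
"""Release integrity check: manifest at release time, drift report afterwards.

Added example, not IBM's code. Assumes a release is a directory tree; the
sample files and the post-release tampering below are constructed in a
temporary directory so the whole thing runs offline.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's relative POSIX path under root to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON form of the manifest.

    The key is held by the release pipeline, never by the production host, so
    someone who can edit files on the host cannot also re-sign the manifest.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict, key: bytes, tag: str) -> bool:
    """Constant-time check that the stored manifest still carries a valid tag."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_deployment(root: Path, manifest: dict) -> dict:
    """Compare the live tree under root to the release manifest.

    Returns {"added": [...], "removed": [...], "modified": [...]}; all three
    lists empty means the deployment still matches what was released.
    """
    live = build_manifest(root)
    return {
        "added": sorted(set(live) - set(manifest)),
        "removed": sorted(set(manifest) - set(live)),
        "modified": sorted(p for p in manifest if p in live and live[p] != manifest[p]),
    }


def demo() -> dict:
    """Constructed scenario: release two files, then tamper with the deployment."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "server.py").write_text("print('hello')\n")
        (root / "config.yaml").write_text("debug: false\n")
        manifest = build_manifest(root)  # captured by the release pipeline

        # Simulated unauthorised changes on the host after the release
        (root / "config.yaml").write_text("debug: true\n")   # modified
        (root / "app" / "backdoor.py").write_text("pass\n")  # added
        (root / "app" / "server.py").unlink()                # removed

        return verify_deployment(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule or on every deployment, a non-empty report from `verify_deployment` is the "change detection" signal; the HMAC (or a real signature) over the manifest is what makes the "verification" trustworthy, because a manifest stored next to the files it describes can be rewritten by the same attacker who rewrote the files.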
Best Practices: We see three sets of security capabilities to help enterprise clients …

Cloud Security Capabilities
– Manage Access: manage identities and govern user access
– Protect Data: protect infrastructure, applications, and data from threats
– Gain Visibility: auditable intelligence on cloud access, activity, cost and compliance

Applied across the cloud delivery models:
– IaaS: Securing infrastructure and workloads
– PaaS: Secure service composition and apps (Bluemix)
– SaaS: Secure usage of business applications
… delivered via cloud-enabled technologies and managed services

Client Consumption Models
– Security SaaS
– Virtual Appliances
– Managed Security Services
– APIs
– Professional Security Services
IBM Cloud Security Portfolio
Comprehensive portfolio across platform security capabilities (SaaS, PaaS, IaaS) and cloud security products and services:
– Optimize Security Operations
– Manage Access
– Protect Data
– Gain Visibility
IBM Secure Engineering Portal
– www.ibm.com/security/secure-engineering

SaaS - Cloud Security
– 140+ SaaS offerings.
– Executive (macro) level chain of support:
  • CIO Office
  • Cloud Operations
  • CISO Cloud
– We know:
  • Who has access to data?
  • Where is the data accessed from?
– Security requirements addressed in a deployment checklist before going to market.
SaaS Security
– Clients hand data and trust to IBM.
  • IBM partners with the client.
– IBM delivers SaaS but ensures that individual client needs are taken care of:
  • Pen testing
  • Separation of duties
  • Shared operating services – malware / IPS / IDS
  • Encryption
  • Logging and monitoring
– All offerings going through ISO 27001 certification.
– Leadership on new standards; ISO 20243 (supply chain risk).
– Standardization on the SoftLayer platform, with more geographies and local data centers than others, to support privacy requirements.
Teams apply the Secure Engineering practices across the lifecycle, as demonstrated by key project milestones.

Development Process and Lifecycle: Development / Supply Chain / Service Deployment (plus the COTS Deployment Lifecycle)
Key milestones:
– Catalog & scan components
– Create assurance plan based on risks & threats
– Protect & monitor source code
– Complete assurance tasks, security scans & remediation
– Security compliance review before initial service activation
– Security defenses operational with periodic rescan
– Review completed projects and gain approval for release
– Scan software images for viruses and malware
Service Delivery – How IBM Protects Client Data
– Governance focused on continuous assessment & enhancement
– Shared services for vulnerability scanning, intrusion detection, penetration testing, log storage, X-Force threat intel, and more …
– Architectural separation of data stores, key storage, logs, etc.
– Encryption
– Over 2000 pages of authoritative internal security policies. Not suitable for external consumption, as it could help attackers!
– External collateral:
  • www.ibm.com/saas/security for the IBM SaaS Trust web site
  • www.ibm.com/privacy for privacy practices
  • Core Security Practices Document (NDA, controlled copy)
  • Offering specific security practices documents (acquisitions)
Physical / Logical / Organizational / Engineering controls
Compliance regimes
(coverage shown by offerings, regimes, industries, clients and countries)
Regimes include: CJIS, FFIEC, SSAE 16, O-TTPS / ISO 20243, EU Safe Harbor, …
Service Consumption – How Clients Protect Data
– Classify data correctly
– Configure service correctly
– Train workforce sufficiently
– Leverage controls as intended to restrict data access
– Verify cloud service provider’s audit posture
– Review log analytics and related usage attributes
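The last two client-side steps above, restricting access through the service's own controls and reviewing the provider's log analytics, come together in the following added example. It is written for this page and is not IBM's code, and it does not use any real IBM SaaS log format: the audit log lines, the entitlement list for the classified data set and the expected-country list are all constructed here, standing in for what a client would pull from its access governance records and the provider's audit export. The review flags three things a client can actually act on: access by a principal who is not entitled to the data set, access from a location the user is not expected to work from, and a volume of rows in one hour that looks like bulk extraction.

```python
"""Client-side review of a SaaS provider's access log.

Added example, not IBM's code or any IBM log format. The log lines,
entitlements and expected locations are constructed so the review runs
offline; thresholds are illustrative assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Who may access each classified data set (from the client's access governance).
ENTITLED = {"customer_records": {"alice", "bob"}}
# Countries each user is expected to work from.
EXPECTED_COUNTRIES = {"alice": {"US"}, "bob": {"US", "CA"}, "carol": {"US"}}
# Rows per user, per data set, per hour before we call it bulk extraction (assumed).
BULK_ROWS_PER_HOUR = 1000

# Constructed audit export, one JSON event per line.
SAMPLE_LOG = """\
{"ts": "2015-06-01T09:00:00Z", "user": "alice", "action": "read",   "dataset": "customer_records", "rows": 12,  "country": "US"}
{"ts": "2015-06-01T09:05:00Z", "user": "bob",   "action": "read",   "dataset": "customer_records", "rows": 4,   "country": "CA"}
{"ts": "2015-06-01T09:07:00Z", "user": "carol", "action": "read",   "dataset": "customer_records", "rows": 3,   "country": "US"}
{"ts": "2015-06-01T22:30:00Z", "user": "alice", "action": "export", "dataset": "customer_records", "rows": 800, "country": "RO"}
{"ts": "2015-06-01T22:45:00Z", "user": "alice", "action": "export", "dataset": "customer_records", "rows": 600, "country": "RO"}
"""


def parse_log(text: str) -> list:
    """Parse JSON-lines audit events; timestamps become aware UTC datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(event)
    return events


def review(events: list) -> list:
    """Return a list of findings, each a dict with a 'type' and the evidence."""
    findings = []
    rows_per_hour = defaultdict(int)  # (user, dataset, hour bucket) -> rows touched
    for e in events:
        # 1. Entitlement: is this principal allowed to touch this data set at all?
        if e["user"] not in ENTITLED.get(e["dataset"], set()):
            findings.append({"type": "unentitled_access", "user": e["user"],
                             "dataset": e["dataset"], "when": e["ts"].isoformat()})
        # 2. Location: does the source country match where the user is expected to be?
        if e["country"] not in EXPECTED_COUNTRIES.get(e["user"], set()):
            findings.append({"type": "unexpected_location", "user": e["user"],
                             "country": e["country"], "when": e["ts"].isoformat()})
        # 3. Volume: accumulate rows per user, data set and clock hour.
        bucket = e["ts"].replace(minute=0, second=0, microsecond=0)
        rows_per_hour[(e["user"], e["dataset"], bucket)] += e["rows"]

    for (user, dataset, bucket), rows in rows_per_hour.items():
        if rows >= BULK_ROWS_PER_HOUR:
            findings.append({"type": "bulk_access", "user": user, "dataset": dataset,
                             "hour": bucket.isoformat(), "rows": rows})
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log this reports carol's read (entitled to nothing in `customer_records`), alice's two exports from RO, and alice's 1400 rows in the 22:00 hour; bob's access from CA is expected and produces nothing. The value of the exercise is that each rule is driven by information only the client holds (who should have access, from where, and how much is normal), which is exactly the part of a shared responsibility model the provider cannot fill in.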
IBM Cloud Trust web site - for more information
– www.ibm.com/saas/security
Wrap Up
– Understand your risk tolerance
– Review what best practices are in use
– Understand the steps clients need to take in a shared responsibility environment
– IBM is a cyber-security & data protection thought & practice leader
– IBM is exposing practices only to an extent that won’t aid hackers
– IBM is pursuing accreditations selectively to control your cost
Questions?
David Cass, CISO, IBM Cloud & SaaS Operations
E-mail: [email protected]
@dcass001
LinkedIn: www.linkedin.com/in/dcass001/
Accelerating Digital Business