Security Building Blocks of the IBM Cloud Computing Reference Architecture

Description

This is the presentation I have given at the Secure Cloud 2014 conference in Amsterdam with a small update: it contains the link to the website with additional information about security use cases in the different Cloud models (IaaS, PaaS, SaaS).

Page 1: Security Building Blocks of the IBM Cloud Computing Reference Architecture

© 2014 IBM Corporation
IBM Security Systems

Stefaan Van daele
Senior Security Architect – IBM Europe
stefaan_vandaele at be.ibm.com
stefaanvda
http://www.linkedin.com/in/stefaanvdaele

Page 2: Security Requirements in Cloud Solutions

Page 3: Different cloud deployment models also change the way we think about security

Private cloud: on- or off-premises cloud infrastructure operated solely for an organization and managed by the organization or a third party.

Public cloud: available to the general public or a large industry group and owned by an organization selling cloud services.

Hybrid IT: traditional IT and clouds (public and/or private) that remain separate but are bound together by technology that enables data and application portability.

Changes in security and privacy

Private cloud:
− Customer responsibility for infrastructure
− More customization of security controls
− Good visibility into day-to-day operations
− Easy access to logs and policies
− Applications and data remain “inside the firewall”

Public cloud:
− Provider responsibility for infrastructure
− Less customization of security controls
− No visibility into day-to-day operations
− Difficult to access logs and policies
− Applications and data are publicly exposed

Page 4: Minimizing the risks of cloud computing requires a strategic approach

Define a cloud strategy with security in mind
– Identify the different workloads and how they need to interact.
– Which models are appropriate based on their security and trust requirements and the systems they need to interface to?

Identify the security measures needed
– Using a methodology such as the IBM Security Framework allows teams to measure what is needed in areas such as governance, architecture, applications and assurance.

Enabling security for the cloud
– Define the upfront set of assurance measures that must be taken.
– Assess that the applications, infrastructure and other elements meet the security requirements, as well as operational security measures.

Page 5: Our approach to delivering security aligns with each phase of an organization’s cloud project or initiative

Design: Establish a cloud strategy and implementation plan to get there.
Deploy: Build cloud services, in the enterprise and/or as a cloud services provider.
Consume: Manage and optimize consumption of cloud services.

Example security capabilities:
– Cloud security roadmap
– Secure development
– Network threat protection
– Server security
– Database security
– Application security
– Virtualization security
– Endpoint protection
– Configuration and patch management
– Identity and access management
– Secure cloud communications
– Managed security services

IBM Cloud Security Approach:
– Secure by Design: focus on building security into the fabric of the cloud.
– Workload Driven: secure cloud resources with innovative features and products.
– Service Enabled: govern the cloud through ongoing security operations and workflow.

Page 6: Adoption patterns are emerging for successfully beginning and progressing cloud initiatives

IBM Cloud Security – One Size Does Not Fit All

Different security controls are appropriate for different cloud needs; the challenge becomes one of integration, coexistence, and recognizing what solution is best for a given workload.

Page 7: Each pattern has its own set of key security concerns

Cloud Enabled Data Center – Infrastructure as a Service (IaaS): cut IT expense and complexity through cloud data centers
Integrated service management, automation, provisioning, self service
Key security focus: Infrastructure and Identity
– Manage datacenter identities
– Secure virtual machines
– Patch default images
– Monitor logs on all resources
– Network isolation

Cloud Platform Services – Platform as a Service (PaaS): accelerate time to market with cloud platform services
Pre-built, pre-integrated IT infrastructures tuned to application-specific needs
Key security focus: Applications and Data
– Secure shared databases
– Encrypt private information
– Build secure applications
– Keep an audit trail
– Integrate existing security

Cloud Service Provider: innovate business models by becoming a cloud service provider
Advanced platform for creating, managing, and monetizing cloud services
Key security focus: Data and Compliance
– Isolate cloud tenants
– Policy and regulations
– Manage security operations
– Build compliant data centers
– Offer backup and resiliency

Business Solutions on Cloud – Software as a Service (SaaS): gain immediate access with business solutions on cloud
Capabilities provided to consumers for using a provider’s applications
Key security focus: Compliance and Governance
– Harden exposed applications
– Securely federate identity
– Deploy access controls
– Encrypt communications
– Manage application policies

Across all patterns: Security Intelligence – threat intelligence, user activity monitoring, real time insights

Page 8: Cloud Computing Reference Architecture (CCRA)

Page 9: Evolution of the Cloud Computing Reference Architecture (CCRA 3.0)

March 2009 – Initiated CCAB SC CCMP Reference Architecture
March 2010 – Published CC & CCMP Reference Architecture 1.0
October 2010 – Used in Cloud Launch and various customer/analyst sessions
February 2011 – Submitted CCRA to The Open Group
March 2011 – Release CCRA 2.0
April 2011 – Public Cloud RA whitepaper available on ibm.com
July 2011 – Released “CCRA 2.0 for Business Partners”
Early 2012 – Release CCRA 2.5; reach milestone of ~1500 IBMers formally educated on the CCRA
November 2012 – Release CCRA 3.0; Adoption Patterns: prescriptive guidance on IaaS/PaaS/CSP/SaaS
2012/13 – CCRA standardization ongoing

Earlier releases defined the overall architectural foundation; later releases added product- and integration-focused solution architectures.

Page 10: The IBM Cloud Computing Reference Architecture (CCRA)

Represents the aggregate experience from hundreds of cloud client engagements and IBM-hosted cloud implementations
– Based on knowledge of IBM’s services, software & system experiences, including IBM Research

Provides prescriptive guidance on how to build IaaS, PaaS, SaaS and service provider clouds using IBM technologies

Reflected in the design of
– Clouds IBM implements for clients
– IBM-hosted cloud services
– IBM cloud appliances
– IBM cloud products

Public Cloud RA whitepaper available on ibm.com:
http://public.dhe.ibm.com/common/ssi/ecm/en/ciw03078usen/CIW03078USEN.PDF

CCRA OpenGroup submission:
http://www.opengroup.org/cloudcomputing/uploads/40/23840/CCRA.IBMSubmission.02282011.doc

Diagram: CCRA 3.0 – Common Reference Architecture Foundation
– Roles: Cloud Service Consumer, Cloud Service Provider, Cloud Service Creator
– Cloud Service Consumer: Cloud Service Integration Tools; Consumer In-house IT
– Cloud Service Provider: Cloud Services (Infrastructure-as-a-Service, Platform-as-a-Service, Software-as-a-Service, Business-Process-as-a-Service); Common Cloud Management Platform (CCMP) with Operational Support Services (OSS) and Business Support Services (BSS); Infrastructure; Existing & 3rd party services, Partner Ecosystems
– Cloud Service Creator: Service Creation Tools
– Cross-cutting: Governance; Security, Resiliency, Performance & Consumability
– Adoption patterns built on the foundation: Cloud-enabled data center / building IaaS; Platform Services; Cloud Service Provider; Building SaaS

Page 11: CCRA Detailed Overview

Page 12: CCRA Security Component Model

Security Components

Domains: Security Intelligence, Analytics and GRC; People; Data; Applications; Infrastructure*

Components:
– Security Governance, Risk Management & Compliance
– Security Information & Event Management
– Security Intelligence
– Identity & Access Management
– Data & Information Security
– Encryption & Key Management
– Security Policy Management
– Secure Application Development
– Physical & Personnel Security
– Threat & Intrusion Prevention
– Endpoint Management

*Infrastructure includes Server, Network, Storage

Additional information can be found here:
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Wf3cce8ff09b3_49d2_8ee7_4e49c1ef5d22/page/IBM%20Cloud%20Computing%20Reference%20Architecture%203.0

Page 13: Using the IBM Security Framework, we articulate the way we address security in the Cloud in terms of Foundational Controls

IBM Cloud Security Reference Model (applied across the Design, Deploy and Consume phases)

– Cloud Governance: cloud-specific security governance including directory synchronization and geo-locational support
– Security Governance, Risk Management & Compliance: security governance including maintaining security policy and audit and compliance measures
– Problem & Information Security Incident Management: managing and responding to expected and unexpected events
– Identity and Access Management: strong focus on authentication of users and management of identity
– Discover, Categorize, Protect Data & Information Assets: strong focus on protection of data at rest or in transit
– Information Systems Acquisition, Development, and Maintenance: management of application and virtual machine deployment
– Secure Infrastructure Against Threats and Vulnerabilities: management of vulnerabilities and their associated mitigations with strong focus on network and endpoint protection
– Physical and Personnel Security: protection for physical assets and locations including networks and data centers, as well as employee security

Page 14: Solution Approach – Summary

Understand Client (Business Driver): get a thorough understanding of their existing IT environment and identify the client’s Cloud Adoption Pattern.

Define Client Requirements (Actors and use cases; Non-functional requirements; System context): identify actors, workloads and associated use cases and identify security requirements for each scenario.

Design Solution (Architecture decisions; Architecture overview; Component model; Operational model): define the Architecture Overview. Identify the building blocks and controls needed, leveraging the IBM Security Framework and Cloud Foundational Controls. Use the CCRA Security Component Model to identify required components and their interactions for the solution.

Detail Design (Solution integration details): realize the components by mapping to the capabilities in our products / services portfolio. Leverage assets to build the deployment architecture and integration requirements.

Define Roadmap & 1st Project (Cloud roadmap; Project description; Viability assessment): define the project plan with overall timeline, phases and key milestones, and overall delivery.

Page 15: Cloud Enabled Data Center – simple use case

Diagram elements: Self-Service GUI; Cloud Platform; Resource Pool (Available Resource); Image Library (Machine Image); Hypervisor; Configured Machine Image; Virtual Machine; SW Catalog (Config, Binaries)

1. User identity is verified and authenticated
2. Resource chosen from correct security domain
3. VM is configured with appropriate security policy
4. Virtual Machine Image provisioned behind FW / IPS
5. Host security installed and updated
6. Software patches applied and up-to-date

Security components involved: Identity & Access Management; Security Information & Event Management; Endpoint Management; Threat & Intrusion Prevention

Page 16: One component in detail: Security Information and Event Management

Page 17: Security Component Model – Cloud Enabled Data Center

Security Components

Domains: Security Intelligence, Analytics and GRC; People; Data; Applications; Infrastructure*

Components:
– Security Governance, Risk Management & Compliance
– Security Information & Event Management
– Security Intelligence
– Identity & Access Management
– Data & Information Security
– Encryption & Key Management
– Security Policy Management
– Secure Application Development
– Physical & Personnel Security
– Threat & Intrusion Prevention
– Endpoint Management

*Infrastructure includes Server, Network, Storage

Page 18: Generic security service catalog for Security Operations

Risk and Compliance
– Service groups: Supervisory Services; Compliance Management; Evidence Management; Risk Management; Analytics Services
– Services: Compliance Reporting; Risk Reporting; Compliance Controlling; Records Management; Fraud Detection; Risk Identification; Digital Forensics; Security & Compliance Dashboard

Threat and Vulnerability Management
– Service groups: Vulnerability Management; Security Information and Event Management; Threat Management; Security Intelligence
– Services: Vulnerability Discovery; Vulnerability Analysis; Vulnerability Remediation; Security Log Collection & Normalization; Security Event Correlation & Normalization; Security Monitoring and Alerting; Security Problem and Incident Response; Threat Identification; Threat Analysis; Security Threat and Vulnerability Research; Threat Mitigation

IT Service Management
– Service groups: IT Service Management; Asset Management
– Services: Incident and Problem Management; Asset Management; Asset Administration

Page 19: Practical example: SIEM across hybrid cloud deployments

Workloads deployed in private virtual environments:
– OpenStack Audit (CADF): a Core API Layer “Filter” audits all OpenStack API calls
– Ceilometer: usage / performance monitoring + auditing
– “Datastores”

Public Cloud Services:
– AWS CloudTrail
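As an added illustration (not code from the deck or from IBM), the following shows the "Security Log Collection & Normalization" step of such a hybrid SIEM: a CloudTrail record and an OpenStack CADF record are mapped onto one schema, and a small correlation counts failed actions per identity across both clouds. The sample records, field choices and function names are constructed for this example.

```python
"""Normalize AWS CloudTrail and OpenStack CADF audit records into one SIEM schema.
Added illustration, not code from the deck; sample records below are constructed,
with field names following the public CloudTrail and DMTF CADF event formats."""
from collections import Counter
from datetime import datetime, timezone

CLOUDTRAIL_SAMPLE = {
    "eventVersion": "1.05", "eventTime": "2014-06-02T09:15:31Z",
    "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
    "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"type": "IAMUser", "userName": "alice",
                     "arn": "arn:aws:iam::123456789012:user/alice"},
    "errorCode": "AccessDenied",  # only present when the API call failed
}
CADF_SAMPLE = {
    "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
    "eventType": "activity", "id": "openstack:EXAMPLE-EVENT-ID",
    "eventTime": "2014-06-02T09:16:02.114000+0000",
    "action": "create", "outcome": "failure",
    "initiator": {"typeURI": "service/security/account/user", "id": "openstack:user-42",
                  "name": "alice", "host": {"address": "198.51.100.7"}},
    "target": {"typeURI": "service/compute/servers", "id": "openstack:servers"},
}

def to_utc(ts):
    """Both sources use ISO-8601 but differ in precision and zone notation."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%f%z"):
        try:
            dt = datetime.strptime(ts, fmt)
        except ValueError:
            continue
        # the trailing-"Z" form parses as a naive datetime; treat it as UTC
        return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt.astimezone(timezone.utc)
    raise ValueError("unrecognised timestamp: %r" % ts)

def normalize(rec):
    """Map either record type onto the common fields the correlation stage needs."""
    if rec.get("typeURI", "").startswith("http://schemas.dmtf.org/cloud/audit/"):
        init = rec.get("initiator", {})
        return {"source": "openstack-cadf", "time": to_utc(rec["eventTime"]),
                "actor": init.get("name") or init.get("id"),
                "src_ip": init.get("host", {}).get("address"),
                "action": rec["action"], "target": rec.get("target", {}).get("typeURI"),
                "outcome": rec["outcome"]}  # CADF carries success/failure itself
    if "eventVersion" in rec:
        ident = rec.get("userIdentity", {})
        return {"source": "aws-cloudtrail", "time": to_utc(rec["eventTime"]),
                "actor": ident.get("userName") or ident.get("arn"),
                "src_ip": rec.get("sourceIPAddress"),
                "action": rec["eventName"], "target": rec["eventSource"],
                # CloudTrail has no outcome field: a failed call carries errorCode
                "outcome": "failure" if "errorCode" in rec else "success"}
    raise ValueError("unknown audit record format")

def failed_actions_by_actor(records):
    """Correlation step: count failed or denied actions per identity across both clouds."""
    events = [normalize(r) for r in records]
    return Counter(e["actor"] for e in events if e["outcome"] == "failure")
```

Because both records end up with the same actor, time and outcome fields, one threshold rule (for example, repeated failures by one identity within a window) can fire regardless of which cloud produced the event.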

Page 20: www.ibm.com/security

© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.