Cloud Security - Risiken und Chancen Dr. Matthias Schunter, MBA IBM Research Zürich, schunter@acm.org

Transcription

1 Dr. Matthias Schunter, MBA IBM Research Zürich,

2 Simple Questions Today s Data Center Tomorrow s Public Cloud??? We Have Control It s located at X. It s stored in server s Y, Z. We have backups in place. Our admins control access. Our uptime is sufficient. The auditors are happy. Our security team is engaged.??? Who Has Control? Where is it located? Where is it stored? Who backs it up? Who has access? How resilient is it? How do auditors observe? How does our security team engage? 2

3 Table of Contents 1. Cloud Computing and IT Security Risks 2. An IBM Perspective on Securing the Cloud 3. The Telco Industry in the Clouds 3

4 1. Cloud Computing and IT Security Risks 4

5 What is IT Security? IT Security Goal: Ensure that the IT-related risk of each stakeholder is lowered to an acceptable level Risk Management Processes: Understand your risks Monitor for new emerging risks! Mitigate a subset of the risks Accept the remaining risks Security Controls to reduce identified risks by Prevention or Detection & Compensation 5

6 Recent Attack Trends Attacks are increasingly economically or politically motivated Focus on cyber security / protecting cyberspace & critical infrastructures The weakest link determines overall risk Insecure out-of-the-box configurations, standard passwords Attack sophistication is increasing Focus is constantly moving up, from network/os to application threats Bot-nets (for DDoS, Spam, etc.) Slow Attacks (prepared over years, combining many elements) Advanced Persistent Threat (ATP; focused, ongoing, resourceful intelligence) Insiders are major source of insecurity Mostly accidental ( I need to work around security, trivial password, lost laptop, ) Privileged insiders, e.g., administrators, assistants, management 6 IBM XForce Threat Reports:

7 Categories of Cloud Computing Risks: Control Many companies and governments are uncomfortable with the idea of their information located on systems they do not control. Data Migrating workloads to a public network and compute infrastructure increases the potential for unauthorized exposure. Providers must offer a high degree of security transparency to help put customers at ease. Reliability High availability will be a key concern. IT departments will worry about a loss of service should outages occur. Hardening, authentication and access technologies become increasingly important. Compliance Complying with SOX, HIPAA and other regulations may prohibit the use of clouds for some applications. Comprehensive auditing capabilities are essential. Mission critical applications may not run in the cloud without strong availability guarantees. Security Management Even the simplest of tasks may be behind layers of abstraction or performed by someone else. Providers must supply easy controls to manage security settings for application and runtime environments. 7

8 2. An IBM Perspective on Securing the Cloud 8

9 Coordinating information security is the responsibility of BOTH the provider and the consumer Who is responsible for security at the level? Datacenter Infrastructure Middleware Application Process Collaboration CRM/ERP/HR Financials Industry Applications Software as a Service Provider Consumer Middleware Web 2.0 Application Runtime Java Runtime Database Development Tooling Platform as a Service Provider Consumer Data Center Servers Networking Storage Fabric Shared virtualized, dynamic provisioning Infrastructure as a Service Provider Potential Security Gaps Consumer Challenge: Ensuring the tight integration of provider and subscriber security controls and governance 9

10 One-size does not fit-all: Different cloud workloads have different risk profiles High Need for Security Assurance Analysis & simulation with public data IBM Enterprise+ Cloud Mission-critical workloads, personal information Tomorrow s high value / high risk workloads need: Quality of protection adapted to risk Direct visibility and control Significant level of assurance Low IBM Development and Test Cloud Training, testing with nonsensitive data Low-risk Mid-risk High-risk Business Risk Today s clouds are primarily here: Lower risk workloads One-size-fits-all approach to data protection No significant assurance Price is key 10

11 Example IBM Technology: Privileged Identity Management Security Risk from the Inside Administrator Mistakes and Fraud SME: 4 admins x 6 server = 24 accounts Global Cloud Delivery: 500 admins, Servers = accounts! Privileged Identity Management by IBM: Minimizes number of accounts Traceability and accountability for all actions 1 Pool of Privileged Accounts How Priviledged Identity Management works: Once authorized, admin obtains a (temporary) account from the pool Admin uses account to administer the system Admin returns the account into the pool (+ Logging of all actions) Admin 2 3 Server 11

12 Conclusion: The Swiss Telco Industry and the Clouds Strengths Wide 3G/HSDPA coverage and trong growth in 3G and smartphone usage Growing coverage of higher-speed networks (fiber, cable) Customer conmetering, and billing infrastructure Weaknesses Very high labour costs require overseas administration Small market size limited economies of scale Highly regulated market Opportunities: Demand for Cloud Services will rise Fast networks (fiber, 3G) will facilitate value-added services Clouds provide economies of scale for providers of value-added services and SMEs Cost-pressure in financial industry drives demand for cost-efficiency 12 Threats Fixed-line revenues and mobile ARPU are falling Network-based delivery of cloud services globalizes competition Source: BMI Switzerland Telecommunications Report 2010

13 Thank you! Visit me at the IBM booth for Questions and Answers! For more information, please visit: ibm.com/cloud Ibm.com/security 13