Cloud computing is a new consumption and delivery model. Yesterday Today

Transcription

1 IBM Cloud Security Strategy Securing the Cloud Johan Van Mengsel, CISSP Open Group Distinguished IT Specialist IBM Global Technology Services 2010 IBM Corporation Todays Challenges 85% idle 70 per $1 1.5x In distributed computing environments, up to 85% of computing capacity sits idle. 70% on average is spent on maintaining current IT infrastructures versus adding new capabilities. Explosion of information driving 54% growth in storage shipments every year. $40 billion Consumer product and retail industries lose about $40 billion annually, or 3.5 percent of their sales, due to supply chain inefficiencies. 33% 33% of consumers notified of a security breach will terminate their relationship with the company they perceive as responsible. It s time to start thinking differently about infrastructure IBM Corporation

2 Requires Smarter IT Services Cloud computing is a new consumption and delivery model Yesterday Today IBM Corporation Cloud Computing provides workload optimized models for delivery and consumption of IT services Attributes Characteristics Benefits VIRTUALIZATION AUTOMATION Advanced virtualization Automated provisioning Elastic scaling IT resources can be shared between many applications. Applications can run anywhere. IT resources are provisioned or de-provisioned on demand. IT environments scale down and up as the need changes. Providing more efficient utilization of IT resources. Reducing IT cycle time and management cost Increasing flexibility STANDARDIZATION Service catalog ordering Metering and billing Internet Access Defined environments can be ordered from a catalog. Services are tracked with usage metrics. Services are delivered through the Internet. Enabling self-service Offering more flexible pricing schemes Access anywhere, anytime 4

3 Sound great, what is preventing the adoption of Cloud Computing EVERWHERE? Current Cloud Computing offerings are best effort The Cloud Computing providers don t currently have the rigour which traditional IT sourcing providers have No (or weak) service level agreements (SLAs) regarding quality of service Performance Uptime Throughput Confidentiality etc No commitment regarding data residency Architecturally, these constraints prevent or hamper the running of mission critical, or highly regulated data in current Cloud offerings. As Cloud providers mature their offerings this will change For now, corporations will not let their enterprise workloads run in the Cloud, as they cannot assert the quality of service Multi-tenancy is a key concern? Page: IBM Corporation 3/15/2012 Security Challenges in Cloud Computing 6

4 Security and Cloud Computing Cloud Security: Simple Example Today s Data Center Tomorrow s Public Cloud We Have Control It s located at X. It s stored in server s Y, Z. We have backups in place. Our admins control access. Our uptime is sufficient. The auditors are happy. Our security team is engaged.?????? Who Has Control? Where is it located? Where is it stored? Who backs it up? Who has access? How resilient is it? How do auditors observe? How does our security team engage? 7 9/15/ IBM Corporation 7 Security in the Cloud A recent Appirio survey of 150+ mid to large-sized firms that have already adopted cloud applications: Of Little Importance Unimportant Somewhat Important Important Very Important According to IBM's Institute for Business Value 2010 Global IT Risk Study, cloud computing raised serious concerns among respondents about the use, access and control of data Ensuring security & compliance Single Biggest Misconception about the Cloud % of Respondents Cloud Makes protecting privacy more difficult 77% Security is an issue with the cloud Cloud solutions are difficult to integrate 15% 28% Concerned about a dat a breach or loss 50% Cloud solutions have a higher chance of lock-in 13% Cloud solutions are difficult to customize Cloud solutions are not reliable 10% 12% concerned about a weakening of the corporate network 23% Cloud vendors are not yet viable 8% None 7% The cloud model is not proven 6% 8 Appirio, State of the Public Cloud: The Cloud Adopters Perspective, October IBM Corporation

5 9 Customer Requirements for Cloud Security 16 Cross Industry Customers Analyzed 6 Telcos 3 CSIs 1 Government 1 Bank 1 Manufacturing 1 SMB 2 IBM Results of the analysis of existing customer requirements for Cloud Security World-Wide Representation Data Sources NE IOT SW IOT MEA North America IOT ANZ Formal RFPs Project Architect Interviews Identity and access management 21 Intrusion prevention and response 37 Patch management 7 Data Management 12 Virtualization Security 12 Governance, risk & compliance 25 Risks introduced by cloud computing Restrictions imposed by industry regulations over the use of clouds for some applications Challenges with an increase in potential unauthorized exposure when migrating workloads to a shared network and compute infrastructure Data Security Where the information is located and stored, who has access rights, how access is monitored & managed, including resiliency Less Control Control needed to manage firewall and security settings for applications and runtime environments in the cloud Security Management Concerns with high availability and loss of service should outages occur Compliance Reliability Private Clouds Risks across private, public and hybrid cloud delivery models Public Clouds

6 Adoption patterns are emerging for successfully beginning and progressing cloud initiatives Infrastructure as a Service (IaaS): Cut IT expense and complexity through cloud data centers Platform-as-a-Service (PaaS): Accelerate time to market with cloud platform services Innovate business models by becoming a cloud service provider Software as a Service (SaaS): Gain immediate access with business solutions on cloud 11 Each pattern has its own set of key security concerns Infrastructure as a Service (IaaS): Cut IT expense and complexity through cloud data centers Platform-as-a-Service (PaaS): Accelerate time to market with cloud platform services Innovate business models by becoming a cloud service provider Software as a Service (SaaS): Gain immediate access with business solutions on cloud Cloud Enabled Data Center Cloud Platform Services Cloud Service Provider Business Solutions on Cloud Integrated service management, automation, provisioning, self service Pre-built, pre-integrated IT infrastructures tuned to application-specific needs Advanced platform for creating, managing, and monetizing cloud services Capabilities provided to consumers for using a provider s applications Key security focus: Infrastructure and Identity Key security focus: Applications and Data Key security focus: Data and Compliance Key security focus: Compliance and Governance Manage datacenter identities Secure virtual machines Patch default images Monitor logs on all resources Network isolation Secure shared databases Encrypt private information Build secure applications Keep an audit trail Integrate existing security Isolate cloud tenants Policy and regulations Manage security operations Build compliant data centers Offer backup and resiliency Harden exposed applications Securely federate identity Deploy access controls Encrypt communications Manage application policies 12

7 Cloud Deployment/Delivery and Security Depending on an organization's readiness to adopt cloud, there are a wide array of deployment and delivery options More Embedded Security SaaS Software as a Service BPaaS Business Process as a Service PaaS Platform as a Service IaaS Infrastructure as a Service Less Embedded Security IBM Corporation Cloud computing tests the limits of security operations and infrastructure Security and Privacy Domains People and Identity Data and Information Application and Process Network, Server and Endpoint Physical Infrastructure Governance, Risk and Compliance Self-Service Highly Virtualized Location Independence Workload Automation Rapid Elasticity Standardization To cloud Multiple Logins, Onboarding Issues Multi-tenancy, Data Separation External Facing, Quick Provisioning Virtualization, Network Isolation Provider Controlled, Lack of Visibility Audit Silos, Compliance Controls In a cloud environment, access expands, responsibilities change, control shifts, and the speed of provisioning resources and applications increases - greatly affecting all aspects of IT security. 14

8 Different cloud deployment models also change the way we think about security Private cloud On or off premises cloud infrastructure operated solely for an organization and managed by the organization or a third party Hybrid IT Traditional IT and clouds (public and/or private) that remain separate but are bound together by technology that enables data and application portability Public cloud Available to the general public or a large industry group and owned by an organization selling cloud services. Changes in Security and Privacy Customer responsibility for infrastructure More customization of security controls Good visibility into day-to-day operations Easy to access to logs and policies Applications and data remain inside the firewall Provider responsibility for infrastructure Less customization of security controls No visibility into day-to-day operations Difficult to access to logs and policies Applications and data are publically exposed 15 Cloud deployment pattern influences the extent of security controls Business Processes Collaboration Industry Applications CRM/ERP/HR Security Enabled Software as a Service Middleware Web 2.0 Application Runtime Database Java Runtime Development Tooling Security as a Runtime Platform as a Service Servers Data Center Fabric Security Security as a Service Networking Storage Infrastructure as a Service 16

9 Coordinating information security is BOTH the responsibility of the provider and the consumer Who is responsible for security at the level? Datacenter Infrastructure Middleware Application Process Employee Procurement Benefits Mgmt. Industry-specific Business Travel Processes Business Process-as-a-Service Provider Consumer Collaboration CRM/ERP/HR Industry Financials Applications Application-as-a-Service Provider Consumer Middleware Web 2.0 Application Runtime Java Runtime Development Database Tooling Platform-as-a-Service Provider Consumer Data Center Servers Networking Storage Fabric Shared virtualized, dynamic provisioning Infrastructure-as-a-Service Provider Consumer Page: IBM Corporation 3/15/2012 What is multi-tenancy, and what are the security IMPLICATIONS? Example: Database Multi-tenancy Page: IBM Corporation 3/15/2012

10 Approaches for Cloud Security 19 IBM s approach to Cloud Security At IBM we understand the cloud and we also understand that One Size Does not Fit All IBM Corporation

11 21 One-size does not fit-all: Different cloud workloads have different risk profiles High Need for Security Assurance Analysis & simulation with public data Mission-critical workloads, personal information Tomorrow s high value / high risk workloads need: Quality of protection adapted to risk Direct visibility and control Significant level of assurance Se cur ity an d Clo ud Co Low 3/15/2012 Training, testing with nonsensitive data Low-risk Mid-risk High-risk Business Risk Today s clouds are primarily here: Lower risk workloads One-size-fits-all approach to data protection No significant assurance Price is key 2009 IBM Corporation Required controls for cloud security are the same as for IT security in general 1. Identity and Access Management Strong focus on authentication of users and management of user identities 2. Discover, Categorize and Protect Data & Information Assets Strong focus on protection of data at rest or in transit 3. Information Systems Acquisition, Development, and Maintenance Management of application and virtual machine deployment 5. Problem & Information Security Incident Management Management and responding to expected and unexpected events 6. Physical and Personnel Security Protection for physical assets and locations including networks and data centers. Employee security. 7. Security Governance, Risk Management & Compliance Security governance including maintaining security policy and audit and compliance measures 4. Secure Infrastructure Against Threats and Vulnerabilities Management of vulnerabilities and their associated mitigations with strong focus on network and endpoint protection 8. Cloud Governance Cloud-specific security governance including directory synchronization and geo-locational support

12 Our approach to delivering security aligns with each phase of a client s cloud project or initiative Design Deploy Consume Establish a cloud strategy and implementation plan to get there. Build cloud services, in the enterprise and/or as a cloud services provider. Manage and optimize consumption of cloud services. IBM Cloud Security Approach Secure by Design Focus on building security into the fabric of the cloud. Workload Driven Secure cloud resources with innovative features and products. Service Enabled Govern the cloud through ongoing security operations and workflow. Example security capabilities Cloud security roadmap Secure development Network threat protection Server security Database security Application security Virtualization security Endpoint protection Configuration and patch management Identity and access management Secure cloud communications Managed security services 23 Security solutions to address the unique challenges of cloud computing Helping clients begin their journey to the cloud with relevant security expertise GRC Compliance ownership Cross border constraints e-discovery process Access to logs and audit trails Merging patch, change, and configuration management policies Rapid provisioning/de-provisioning of users Federated identity management Data segregation Intellectual property protection Data preservation and investigation Multi-tenancy and shared images Virtualized environments Open public access Physical data center security and resiliency

13 How we deliver Cloud Security We Believe the Cloud could be more secure than traditional Enterprises Security By Design Security By Workload New Security Efficiencies IBM Corporation Cloud Enabled Data Center - simple use case User identity is verified and authenticated 1 Self-Service GUI Cloud Platform Image 4 provisioned behind FW / IPS Host security installed and updated 5 Configured Machine Image Virtual Machine Cloud Enabled Data Center Resource chosen from correct security domain 2 VM is configured with appropriate security policy 3 Software 6 patches applied and up-to-date Virtual Machine Hypervisor Available Resourc e Image Library Machine Image SW Catalog Config Binaries Resource Pool

14 Workload driven security Cloud Security depends on focusing security controls on specific Types of work Healthcare Collaboration Development IBM Corporation Activity/Data Driven Cloud Security Organizations need to adopt a strategy for cloud security that considers the unique attributes of the cloud as well as the activities and data for which the cloud is being utilized. Only by combining foundational controls with activity/data specific controls can organizations meet their cloud security needs. 28

15 Secure By Design: Security must be built into Cloud Fabric Failure to build security proactively into the fabric of the cloud (including secure deployment of services) can have negative consequences: Audit failures Increased operating costs long term Poor customer satisfaction Difficulty in expansion Management complexity Failure to achieve cloud anticipated return due to service failures Security Challenges with Virtualization: Using Traditional Security for a Virtual Data Center May Add Cost and Complexity Legacy Security in Virtual Environment Seems Secure Not Secure Enough Network IPS Only blocks threats and attacks at the perimeter Should protect against threats at perimeter and between VMs Server Protection Secures each physical server with protection and reporting for a single agent Securing each VM as if it were a physical server adds time and cost System Patching Patches critical vulnerabilities on individual servers and networks Needs to track, patch and control VM sprawl Security Policies Policies are specific to critical applications in each network segment and server Policies must be more encompassing (Web, data, OS coverage, databases) and be able to move with the VMs

16 Points of Exposure Existing Threats New Threats Management Applications Operating System Virtual Machine VMM or Hypervisor New Threats New Threats Hardware New Threats More Components = More Exposure Security Challenges with Virtualization: New Risks Management Vulnerabilities Secure storage of VMs and the management data Virtual sprawl Dynamic relocation VM stealing Resource sharing Single point of failure Stealth rootkits in hardware now possible Virtual NICs & Virtual Hardware are targets Control events by Policies: - VM Creation - VM Registration - VM Removal - VM Power On - VM Power Off

17 IBM Virtual Server Protection for VMware Integrated threat protection for VMware vsphere 4 Helps customers to be more secure, compliant and cost-effective by delivering integrated and optimized security for virtual data centers. VMsafe Integration Firewall and Intrusion Prevention Rootkit Detection/Prevention Inter-VM Traffic Analysis Automated Protection for Mobile VMs (VMotion) Virtual Network Segment Protection Virtual Network-Level Protection Virtual Infrastructure Auditing (Privileged User) Virtual Network Access Control Creating New Security Efficiencies IBM Professional Security Services Security Strategy Roadmap IBM Professional Security Services Cloud Security Assessment IBM Professional Security Services Application Security Services for Cloud IBM Information Protection Services Managed Backup Cloud Hosted Vulnerability Management Hosted Security Event & Log Management IBM Corporation

18 InfoSphere Guardium CSP s Data Center Customer Data Center Traditional database protected by Traditional Guardium database into the Cloudmoved into the Cloud Fear of having database been accessed not authorized people CSP s WAN InfoSphere Optim in Cloud Service Provider Platform CSP s Data Center Customer Data Center Traditional database Anonymised by Optim into the Cloud Traditional database moved into the Cloud without anonymisation CSP s WAN Optim applies Anonymization while moving out of the customer s DC

19 Data Policy Management: Anonymizing Data With IBM InfoSphere Optim Scope : Anonymize data moved to the Cloud, therefore ease the move to the Cloud Value: Establish a process to ease the move of key workloads such as Dev&Tests and the related data it requires for testing, removing the most important risks Constraints: Requires human analysis of the data to anonymize and therefore it is a manual process the first time Position: Should be used as a process within the source datacenter to enable the move in the target (cloud-based) datacenter Real-Time Database Monitoring DB2 Non-invasive architecture Outside database Minimal performance impact (2-3%) No DBMS or application changes Cross-DBMS solution 100% visibility including local DBA access Enforces separation of duties (SoD) Does not rely on DBMS-resident logs that can easily be erased by attackers, rogue insiders Granular, real-time policies & auditing Who, what, when, how Automated compliance reporting, sign-offs & escalations (SOX, PCI, NIST, etc.)

20 Scalable Multi-Tier Architecture Integration with LDAP, IAM, IBM Tivoli, IBM TSM, Remedy, Security and Cloud Computing Quick intro: IBM Security Framework Business-oriented framework used across all IBM brands that allows to structure and discuss a client s security concerns Built to meet four key requirements: Provide Assurance Enable Intelligence Automate Process Improve Resilience Introducing the IBM Security Framework and IBM Security Blueprint to Realize Business- Driven Security; IBM RedGuide REDP , July /15/ IBM Corporation

21 Security and Cloud Computing Typical Client Security Requirements Governance, Risk Management, Compliance 3rd-party audit (SAS 70(2), ISO27001, PCI) Client access to tenant-specific log and audit data Effective incident reporting for tenants Visibility into change, incident, image management, etc. SLAs, option to transfer risk from tenant to provider Support for forensics Support for e-discovery Application and Process Application security requirements for cloud are phrased in terms of image security Compliance with secure development best practices Physical Monitoring and control of physical access People and Identity Privileged user monitoring, including logging activities, physical monitoring and background checking Federated identity / onboarding: Coordinating authentication and authorization with enterprise or third party systems Standards-based SSO Data and Information Data segregation Client control over geographic location of data Government: Cloud-wide data classification Network, Server, Endpoint Isolation between tenant domains Trusted virtual domains: policy-based security zones Built-in intrusion detection and prevention Vulnerability Management Protect machine images from corruption and abuse Government: MILS-type separation Based on interviews with clients and various analyst reports 41 9/15/ IBM Corporation 42 Security governance, risk management and compliance IBM Security Framework Customers require visibility into the security posture of their cloud. Implement a governance and audit management program IBM Cloud Security Guidance Document Establish 3rd-party audits (SAS 70, ISO27001, PCI) Provide access to tenant-specific log and audit data Create effective incident reporting for tenants Visibility into change, incident, image management, etc. Support for forensics and e-discovery Supporting IBM Products, Services and Solutions Se IBM Security cur Products and Services ity an d Clo 3/15/2012 ud Co 2009 IBM Corporation

22 43 People and Identity IBM Security Framework Customers require proper authentication of cloud users. Implement strong identity and access management IBM Cloud Security Guidance Document Privileged user monitoring, including logging activities, physical monitoring and background checking Utilize federated identity to coordinate authentication and authorization with enterprise or third party systems A standards-based, single sign-on capability can help simplify user logons for both internally hosted applications and the cloud. Supporting IBM Products, Services and Solutions Se IBM Security cur Products and Services ity an d Clo 3/15/2012 ud Co 2009 IBM Corporation 44 Data and Information IBM Security Framework Customers cite data protection as their most important concern. Ensure confidential data protection IBM Cloud Security Guidance Document Use a secure network protocol when connecting to a secure information store. Implement a firewall to isolate confidential information, and ensure that all confidential information is stored behind the firewall. Sensitive information not essential to the business should be securely destroyed. Supporting IBM Products, Services and Solutions Se IBM Security cur Products and Services ity an d Clo 3/15/2012 ud Co 2009 IBM Corporation

23 45 Application and Process IBM Security Framework Customers require secure cloud applications and provider processes. Establish application and environment provisioning IBM Cloud Security Guidance Document Implement a program for application and image provisioning. A secure application testing program should be implemented. Ensure all changes to virtual images and applications are logged. Develop all Web based applications using secure coding guidelines. Supporting IBM Products, Services and Solutions Se IBM Security cur Products and Services ity an d Clo 3/15/2012 ud Co 2009 IBM Corporation 46 Network, Server and End Point IBM Security Framework IBM Cloud Security Guidance Document Customers expect a secure cloud operating environment.. Maintain environment testing and vulnerability/intrusion management Isolation between tenant domains Trusted virtual domains: policy-based security zones Built-in intrusion detection and prevention Vulnerability Management Protect machine images from corruption and abuse Supporting IBM Products, Services and Solutions Se IBM Security cur Products and Services ity an d Clo 3/15/2012 ud Co 2009 IBM Corporation

24 47 Physical Security IBM Security Framework Customers expect cloud data centers to be physically secure.. Implement a physical environment security plan Ensure the facility has appropriate controls to monitor access. Prevent unauthorized entrance to critical areas within facilities. Ensure that all employees with direct access to systems have full IBM Cloud Security Guidance Document background checks. Provide adequate protection against natural disasters. Supporting IBM Products, Services and Solutions Se IBM Security cur Products and Services ity an d Clo 3/15/2012 ud Co 2009 IBM Corporation IBM Security offerings for Cloud Computing Professional Services Managed Services Security Governance, Risk and Compliance Security Information and Event Management (SIEM) & Log Management Products Cloud Delivered Identity & Access Management Identity Management Data Loss Prevention Data Entitlement Management Encryption & Key Lifecycle Management Messaging Security Database Monitoring & Protection Data Masking Data Security Security Access Management Application Security Application Vulnerability Scanning Web Application Firewall Web/ URL Filtering Access & Entitlement Management SOA Security Infrastructure Security Threat Analysis Firewall, IDS/ IPS MFS Management Vulnerability Assessment Virtual System Security Security Event Management Mainframe Security Audit, Admin & Compliance Endpoint Protection Intrusion Prevention System Security Configuration & Patch Management Physical Security IBM Corporation

25 IBM Security Solutions for the Cloud 49 IBM continues to research, test and document more focused approaches to cloud security IBM Research Special research concentration in cloud security IBM X-Force Proactive counter intelligence and public education Customer Councils Real-world feedback from clients adopting cloud Standards Participation Client-focused open standards and interoperability IBM Institute for Advanced Security Collaboration between academia, industry, government, and the IBM technical community 50

26 IBM Cloud Security Guidance Based on cross-ibm research and customer interaction on cloud security Highlights a series of best practice controls that should be implemented Broken into 7 critical infrastructure components: Building a Security Program Confidential Data Protection Implementing Strong Access and Identity Application Provisioning and Deprovisioning Governance Audit Management Vulnerability Management Testing and Validation IBM Security Solutions Architecture for Network, Server and Endpoint Explores threats to and security requirements of IT systems. Business drivers such as managing risk and cost and compliance to business policies and external regulations, are explored, highlighting how they can be translated into frameworks to enable enterprise security. The idea is to help bridge the communication gap between the business and the technical perspectives of security and to enable simplification of thought and process.

27 IBM Cloud Security Guidance Based on cross-ibm research and customer interaction on cloud security Highlights a series of best practice controls that should be implemented Broken into 7 critical infrastructure components: Building a Security Program Confidential Data Protection Implementing Strong Access and Identity Application Provisioning and Deprovisioning Governance Audit Management Vulnerability Management Testing and Validation IBM Corporation Cloud Security Whitepaper Trust needs to be achieved, especially when data is stored in new ways and in new locations, including for example different countries. This paper is provided to stimulate discussion by looking at three areas: What is different about cloud? What are the new security challenges cloud introduces? What can be done and what should be considered further? 03.ibm.com/press/us/en/attachment/32799.wss?fileId=ATTACH_FILE1&fil ename= _us%20cloud%20computing%20white%20paper_final_lr.pdf

28 55 Trusted Advisor Solution Provider Security Company The Company Security for the Cloud Security from the Cloud Se cur ity an d Clo ud Co 3/15/2012 Security & Privacy Leadership 2009 IBM Corporation Thank you! For more information, please visit:

29 Entry points to get started with IBM security solutions for cloud Design Deploy Consume GRC Understand the concerns of your unique cloud initiative IBM Cloud Security Roadmap Service X Identity Enable single sign on across multiple cloud services IBM Tivoli Federated Identity Manager Business GW X Data Protect and monitor access to shared databases IBM InfoSphere Guardium X X Intrusion Defend users and apps from network attacks IBM Security Network Intrusion Prevention System X Virtualization Protect VMs and hypervisor from advanced threats IBM Virtual Server Protection for VMware X X Patch Management Provide patch and config management of VMs IBM Tivoli Endpoint Manager for Security and Compliance X X Cloud Security On Ramps IBM Security Framework 57 Getting Started with Secure Cloud Computing Develop a strategy Security Best practices think holistically Design and Implement Take a risk-based approach to security data in motion, data at rest, access to data Operate and Manage Based on Business Requirements holistically in a more dynamic environment, workloads Technology and Services Select Cloud technology and services modularity and standards are key 2009 IBM Corporation