Martin Borrett, Lead Security Architect, Europe, IBM, 9th December 2010
Outline
- Brief Introduction to Cloud Computing
- Security: Grand Challenge for the Adoption of Cloud Computing
- IBM and Cloud Security
09/02/10
Brief Introduction to Cloud Computing
Security and Cloud Computing
Cloud: Consumption & Delivery Models Optimized by Workload
Cloud is a new consumption and delivery model inspired by consumer Internet services.
Enabled by:
- Ubiquitous network access
- Pooling and virtualization of resources
- Automation of service management
- Standardization of workloads
Cloud enables:
- Self-service
- Location independence
- Sourcing options
- Flexible payment models
- Economies of scale
Cloud represents: the industrialization of delivery for IT-supported services.
Spectrum of Deployment Options for Cloud Computing
- Private: IT capabilities are provided as a service, over an intranet, within the enterprise and behind the firewall.
- Public: IT activities / functions are provided as a service, over the Internet.
- Hybrid: internal and external service delivery methods are integrated through hybrid cloud gateways.
Deployment options, from private to public:
- Private cloud (enterprise data center)
- Managed private cloud (third-party operated)
- Hosted private cloud (third-party hosted and operated)
- Shared cloud services
- Public cloud services
Workloads may be at Different Levels of Cloud Readiness
[Chart: workloads plotted by cloud readiness, with market bias running from private cloud to public cloud. Headings: "Ready for cloud"; "New workloads made possible by clouds..."; "May not yet be ready for migration...".]
Workloads shown on the chart: Collaboration; Preproduction systems; Workplace, Desktop & Devices; Batch processing; Energy Management; Business Processes; Disaster Recovery; Development & Test; Infrastructure Compute; Infrastructure Storage; Collaborative Care; Analytics; Medical Imaging; Financial Risk; Industry Applications.
Workload characteristics noted on the chart: information intensive; sensitive data; isolated workloads; highly customized; mature workloads; not yet virtualized 3rd party SW; complex processes & transactions; regulation sensitive.
Security: Grand Challenge for the Adoption of Cloud Computing
Where is the Data? Moving from Private to Public Leads to a Real or Perceived Loss of Control
We have control:
- It's located at X.
- We have backups.
- Our admins control access.
- Our uptime is sufficient.
- The auditors are happy.
- Our security team is engaged.
Who has control?
- Where is it located?
- Who backs it up?
- Who has access?
- How resilient is it?
- How do auditors observe?
- How does our security team engage?
Survey findings:
- 33% of respondents are concerned with cloud interfering with their ability to comply with regulations
- 80% of enterprises consider security the #1 inhibitor to cloud adoption
- 48% of enterprises are concerned about the reliability of clouds
Source: Driving Profitable Growth Through Cloud Computing, IBM Study, 2008 (conducted by Oliver Wyman)
One size does not fit all: different cloud workloads have different risk profiles
[Chart: need for security assurance (low to high) plotted against business risk (low-risk, mid-risk, high-risk). Example workloads, from low to high risk: training, testing with non-sensitive data; analysis & simulation with public data; mission-critical workloads, personal information.]
Today's clouds are primarily here (lower risk workloads):
- One-size-fits-all approach to data protection
- No significant assurance
- Price is key
Tomorrow's high value / high risk workloads need:
- Quality of protection adapted to risk
- Direct visibility and control
- Significant level of assurance
What is Cloud Security?
Confidentiality, integrity and availability of business-critical IT assets stored or processed on a cloud computing platform.
[Diagram: Cloud Computing, Software as a Service, Utility Computing, Grid Computing]
"There is nothing new under the sun but there are lots of old things we don't know." Ambrose Bierce, The Devil's Dictionary
Cloud Security = SOA Security + Secure Virtualized Runtime
Service-oriented Architecture:
- SOA security model and protocols apply
- Technical challenges: multi-tenancy, across trust domains, REST-based, new protocols (e.g., OpenID)
- Definitional challenges: profiles and security SLAs for cloud
Virtualized Runtime: Top Threats and Risks in Cloud Computing
- Process/VM isolation, data segregation, multi-tenancy
- Malicious insiders (co-tenants, cloud provider)
- Management (incl. self-service) interface compromise
- Insecure interfaces and APIs
- Uncertainty over data location
- Data protection and security
- Data recovery, resiliency
- Insecure or incomplete data deletion
- Account or service hijacking
- Abuse of cloud services (extrusion)
- Compliance risks
Source: CSA (2010), ENISA (2009), Gartner (2008), IBM X-Force (2010)
IBM and Cloud Security
IBM's Strategy for Cloud Security
- IBM Security Framework: risk-management-based approach to security
- Provider of security products for clouds
- Provider of cloud-based security services
- Provider of secure clouds
Example for Securing the Virtualized Runtime: IBM Security Virtual Server Protection for VMware vSphere 4
- VMsafe integration
- Firewall and intrusion prevention
- Rootkit detection / prevention
- Inter-VM traffic analysis
- Automated protection for mobile VMs (VMotion)
- Virtual network segment protection
- Virtual network-level protection
- Virtual infrastructure auditing (privileged user)
- Virtual network access control
This is an example where virtualization enables an approach to security that would not be possible in a non-virtualized infrastructure!
Cloud Security Services: Smart Business Security Services delivered from the IBM Cloud
Subscription service, cloud based, with monitoring and management delivered to the customer, offloading security tasks on the ground:
1. Hosted Security Event and Log Management: offsite management of logs and events from IPSs, firewalls and OSs
2. Hosted Vulnerability Management: proactive discovery and remediation of vulnerabilities
3. Hosted Email and Web Security: protection against spam, worms, viruses, spyware, adware, and offensive content
4. Hosted X-Force Threat Analysis Service: customized security intelligence based on threat information from the X-Force research and development team
IBM's Approach to Providing Secure Clouds
Client Services (customized by client):
- Client's responsibility
- IBM does not touch client resources
- IBM provides guidance for customization and management of client services
Base Services (offered by IBM):
- IBM's responsibility
- IBM provides tested base services
IBM Cloud Computing Platform and IBM Global Cloud Data Centers:
- Hardened management interfaces and cloud service management
- State-of-the-art data center service management
- Cloud subscriber management based on IBM Web Identity
- State-of-the-art data-center security (physical, organizational, system, network)
- Strict policies and extensive monitoring to control privileged users
- IBM's responsibility: base operated and managed according to IBM's internal technical and organizational security standards
- Extensive regular internal legal, geo-specific, data privacy and technical reviews
- Regular ethical hacking/security testing
Based on IBM's strategic outsourcing practices and the IBM Common Cloud Reference Architecture
IBM Cloud Security in Action: IBM LotusLive
Security through the entire lifecycle and stack
Thank you!
ibm.com/cloud
ibm.com/security
Or send me an email: borretm@uk.ibm.com