Security and Privacy Aspects in Cloud Computing




Frank Hebestreit, CISA, CIPP/IT
IBM Security Services, IBM Global Technology Services
frank.hebestreit@de.ibm.com
Security and Privacy Aspects in Cloud Computing
17.11.2010

Outline
- Cloud Computing and Outsourcing
- Security and privacy risks of cloud computing
- Mitigating cloud computing risks

Cloud Computing is Delivering Measurable Results

How is security different in the Cloud Model?

Today's data center: We have control
- It's located at X.
- It's stored in servers Y and Z.
- We have backup plans.
- Our administrators control access.
- Our uptime meets our service level agreements.
- The auditors are happy.
- Our security team is engaged.

Tomorrow's cloud: Who has control?
- Where is it located?
- Where is it stored?
- Who backs it up?
- Who has access?
- How resilient is it?
- How do auditors observe it?
- How is our security team engaged?

Spectrum of Deployment Options for Cloud Computing
- Private: IT capabilities are provided as a service, over an intranet, within the enterprise and behind the firewall
- Public: IT activities / functions are provided as a service, over the Internet
- Hybrid: Internal and external service delivery methods are integrated through hybrid cloud gateways
Figure labels: Enterprise data center; Enterprise A; Enterprise B; Users; Private cloud; Managed private cloud; Hosted private cloud; Shared cloud services; Public cloud services; Third-party operated; Third-party hosted and operated

Workloads may be at Different Levels of Cloud Readiness
Panels: Ready for Cloud; May not yet be ready for migration...; New workloads made possible by clouds...
Market bias: Private cloud; Public cloud
Workloads shown: Analytics; Information intensive; Sensitive Data; Isolated workloads; Highly Customized; Not yet virtualized; 3rd party SW; Collaborative Care; Medical Imaging; Infrastructure Storage; Financial Risk; Industry Applications; Mature workloads; Complex processes & transactions; Regulation sensitive; Collaboration; Preproduction systems; Workplace, Desktop & Devices; Batch processing; Energy Management; Business Processes; Disaster Recovery; Development & Test; Infrastructure Compute

Outline
- Cloud Computing and Outsourcing
- Security and privacy risks of cloud computing
- Mitigating cloud computing risks

Different cloud workloads have different risk profiles
Axes: Need for Security Assurance (Low to High); Business Risk (Low-risk, Mid-risk, High-risk)
Workload examples: Training, testing with non-sensitive data; Analysis & simulation with public data; Mission-critical workloads, personal information

Today's clouds are primarily here:
- Lower risk workloads
- One-size-fits-all approach to data protection
- No significant assurance
- Price is key

Tomorrow's high value / high risk workloads need:
- Quality of protection adapted to risk
- Direct visibility and control
- Significant level of assurance

What is information security risk?

Information Security Risks are potential damages to information assets. Risk can be quantified by the expected (average) damage:
- Value of asset: What are your valuable information assets?
- Vulnerabilities: What vulnerabilities exist in your systems that may be exploited and lead to damage to your assets?
- Threats: The level of threats that aim at exploiting vulnerabilities

Security controls are safeguards or countermeasures to avoid or minimize information security risks:
- Must be effective: Mitigate the given risk
- Should be adaptive: Adapt to changing risks

Three main types of controls:
- Preventive: Prevent security incidents (e.g., patching a vulnerability)
- Detective: Detect a security incident (e.g., monitoring)
- Corrective: Repair damages (e.g., virus removal)

Risk Based Approach
Successful organizations take a risk-based approach to information security.
- Nothing can be 100% secure, but by knowing your current state, you can take a risk-based approach
- You can focus on implementing mitigating controls to address your most significant risks
- The remaining minimized risk is accepted because the likelihood of exploit and severity of exploit vs. cost of mitigation does not have a positive cost/benefit
- Successful organizations recognize risks, implement the appropriate mitigating controls, and innovate / grow their business
Figure labels: Mitigating controls; Accepted risk; Current state; Acceptable state; Utopian state

Categories of Cloud Computing Risks
- Control: Many companies and governments are uncomfortable with the idea of their information being located on systems they do not control. Providers must offer a high degree of security transparency to help put customers at ease.
- Data: Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Authentication and access as well as protection along the data life-cycle become increasingly important.
- Reliability: High availability will be a key concern. IT departments will worry about a loss of service should outages occur. Mission-critical applications may not run in the cloud without strong availability guarantees.
- Compliance: Complying with SOX, HIPAA and other regulations may prohibit the use of clouds for some applications. Comprehensive auditing capabilities are essential.
- Security Management: Even the simplest of tasks may be behind layers of abstraction or performed by someone else. Providers must supply easy controls to manage security settings for application and runtime environments.

European Network and Information Security Agency (ENISA) Cloud Computing Top Security Risks

Top Risk | Probability | Impact | Risk
LOSS OF GOVERNANCE | VERY HIGH | VERY HIGH | HIGH
LOCK-IN | HIGH | MEDIUM | HIGH
ISOLATION FAILURE | LOW (Private Cloud), MEDIUM (Public Cloud) | VERY HIGH | HIGH
COMPLIANCE RISKS | VERY HIGH (depends on PCI, SOX) | HIGH | HIGH
MANAGEMENT INTERFACE COMPROMISE | MEDIUM | VERY HIGH | MEDIUM
DATA PROTECTION | HIGH | HIGH | HIGH
INSECURE OR INCOMPLETE DATA DELETION | MEDIUM | VERY HIGH | MEDIUM
MALICIOUS INSIDER | MEDIUM (Lower than traditional) | VERY HIGH (Higher than traditional) | HIGH

Cloud Computing and Privacy Issues

Location matters
- Information must physically exist somewhere, sometimes in multiple places simultaneously
- Privacy laws assume data resides in one place
- Different laws may apply depending on where information exists

Putting data in the cloud may impact privacy rights, obligations and status
- May make it impossible to comply with some laws (Health records privacy, Privacy Act)
- May impact attorney-client privilege
- May impact trade secrets
- May reduce protections for personal information
- Information has strongest protections when it remains in possession of its owner

Much legal uncertainty about privacy rights in the cloud
- Law is way behind technology
- Hard to predict what will happen when old laws are applied

Data Security & Privacy Is a Global Matter
Legend: Existing Private Sector Privacy Laws; Emerging Private Sector Privacy Laws
- European Union: European Data Protection Directive (1995)
- Russia: Federal law on Personal Data (January 2007)
- USA: Children's Privacy, COPPA (1999); Financial Sector, GLB (2001); Health Sector, HIPAA (2002); California Privacy (2005); HIPAA/HITECH (2009); FISMA/FISCAM Update (2009)
- Canada: PIPEDA (2001-2004)
- Dubai: Data Protection Law
- Chile: Protection of Private Life Law (1999)
- Argentina: Protection of Personal Data Law (2000)
- Taiwan: Computer Processed Personal Data Protection Law (1995)
- APEC Guidelines (2004)
- Australia: Privacy Amendment Act (2001)
- New Zealand: Privacy Act (1993)
- South Korea: Information and Communication Network Utility and Information Protection Law (2000)
- Japan: Personal Data Protection Act (2005)

Outline
- Cloud Computing and Outsourcing
- Security and privacy risks of cloud computing
- Mitigating cloud computing risks

Coordinating information security is the responsibility of BOTH the provider and the consumer
Who is responsible for security at the level?
Levels: Datacenter; Infrastructure; Middleware; Application; Process
- Software as a Service (Provider / Consumer): Collaboration; CRM/ERP/HR; Financials; Industry Applications
- Platform as a Service (Provider / Consumer): Middleware; Web 2.0 Application Runtime; Java Runtime; Database; Development Tooling
- Infrastructure as a Service (Provider / Consumer): Data Center; Servers; Networking; Storage; Fabric; Shared virtualized, dynamic provisioning
Figure label: Potential Security Gaps
Challenge: Ensuring the tight integration of provider and subscriber security controls and governance

IBM's Approach to Providing Secure Clouds

Client Services (Customized by Client): Client's responsibility
- IBM does not touch client resources
- IBM provides guidance for customization and management of client services

Base Services (Offered by IBM): IBM's responsibility
- IBM provides tested base services

IBM Cloud Computing Platform, IBM Global Cloud Data Centers
- Hardened management interfaces and cloud service management
- State-of-the-art data center service management
- Cloud subscriber management based on IBM Web Identity
- State-of-the-art data-center security (physical, organizational, system, network)
- Strict policies and extensive monitoring to control privileged users

IBM's responsibility
- Base operated and managed according to IBM's internal technical and organizational security standards
- Extensive regular internal legal, geo-specific, data privacy, technical reviews
- Regular ethical hacking/security testing
- Based on IBM's strategic outsourcing practices and the IBM Common Cloud Reference Architecture

Sources for cloud computing security best practices
IBM Cloud Security Strategy Roadmap draws on references from a number of sources including:
- The IBM Cloud Security Guidance Redpaper
- ISO 2700x
- IBM Cloud Computing Management Platform Reference Architecture
- IBM Security Framework
- Cloud Security Alliance
- The Open Group

Gartner's security risks of cloud computing map directly to the IBM Security Framework
- Privileged User Access
- Data Segregation
- Data Recovery
- Investigative Support
- Regulatory Compliance
- Data Location
- Disaster Recovery
Gartner: Assessing the Security Risks of Cloud Computing

IBM as Provider of Security Products for Clouds, and IBM as Provider of Cloud-based Security Services
Legend: Professional Services; Cloud-based & Managed Services; Products
- GRC: Security Governance, Risk and Compliance; SIEM and Log Management
- Identity and Access Management: Identity Management; Access Management
- Data Security: Data Loss Prevention; Encryption and Key Lifecycle Management; Messaging Security; E-mail Security; Database Monitoring and Protection; Data Masking
- Application Security: App Vulnerability Scanning; Web Application Firewall; App Source Code Scanning; Web / URL Filtering; Access and Entitlement Management; SOA Security
- Infrastructure Security: Vulnerability Assessment; Mainframe Security; Threat Assessment; Web/URL Filtering; Intrusion Prevention System; Firewall, IDS/IPS, MFS Mgmt.; Security Event Management; Virtual System Security
- Physical Security

Cloud Foundational Controls
- Identity and Access Management: Strong focus on authentication of users and management of user identity.
- Data and Information Protection: Strong focus on protection of data at rest or in transit
- Release Management: Management of Application and Virtual Machine deployment
- Problem and Incident Management / Governance and Compliance: Management of cloud related events
- Threat and Vulnerability Management: Management of Vulnerabilities and their associated mitigations with strong focus on network and endpoint protection
- Change and Configuration Management: Management of Virtual Images, Licensing, etc.
- Security Event Information Management: Management of Security related Events and actionable mitigation management of security related events
These controls represent capabilities and characteristics of operational clouds; they don't tell the whole security story.

Building secure software (and solutions) is difficult but not impossible.

Questions posed in the figure:
- What is the design point for assurance?
- What are the security characteristics?
- Are vulnerabilities present?
- Where is the product / solution deployed?

Figure labels: Security Modeling & Architectural Analysis; Secure Coding Practices; Design; Model Requirements, Use cases, Anomalies and Faults; Coding; Security in Build Testing; Build; Security in System Testing; Binary Analysis; Testing; Source Code Control; Assurance testing; Secure Packaging; Configuration & Change Mgmt; Monitoring & Scanning; Lifecycle Support; Incident Process

The IBM Redguide on Improving Web Application SDLC Security includes the following list of security considerations for design and coding:
- Protecting Credentials and Secrets
- Session management
- Input validation and output encoding
- Exception management
- Cryptography
- Data at rest
- Data in motion
- Configuration management
- Auditing and logging

The 2009 X-Force Report cites the following list of vulnerabilities resulting from tests over the past three years:
- Cross-Site Request Forgery
- Cross-Site Scripting
- Error Message Information Leak
- Improper Access Control
- Improper Application Deployment
- Improper Use of SSL
- Inadequate / Poor Input Control
- Information Disclosure
- Insufficient Web Server Configuration
- Non Standard Encryption
- SQL Injection

How Privacy Rights are Protected

By policy
- Protection through laws and organizational privacy policies
- Must be enforced
- Often requires mechanisms to obtain and record consent
- Transparency facilitates choice and accountability
- Violations still possible due to bad actors, mistakes, government mandates

By architecture
- Protection through technology
- Reduces the need to rely on trust and external enforcement
- Violations only possible if technology fails or the availability of new data or technology defeats protections
- Technology reduces or eliminates any form of manual processing or intervention by humans
- Limits the amount of data available for data mining, R&D, targeting, other business purposes
- May require more complicated system architecture, expensive cryptographic operations

Common Privacy Principles
- Rights of the Individual: Notice; Choice and Consent; Data Subject Access
- Controls on the Information: Information Security; Quality
- Information Lifecycle: Collection; Use and Retention; Disclosure
- Management: Management and Administration; Monitoring and Enforcement

Cloud computing also provides the opportunity to SIMPLIFY security controls and defences

Security domains: People and Identity; Information and Data; Process & Application; Network, Server and Endpoint; Physical Infrastructure

Cloud Enabled Control(s)/Defense(s)
- Defined set of cloud interfaces
- Centralized repository of Identity and Access Control policies
- Computing services running in isolated domains as defined in service catalogs
- Default encryption of data in motion & at rest
- Virtualized storage providing better inventory, control, tracking of master data
- Service Oriented Enterprise Architecture
- Autonomous security policies and procedures
- Personnel and tools with specialized knowledge of the cloud ecosystem
- SLA-backed availability and confidentiality
- Automated provisioning and reclamation of hardened runtime images
- Dynamic allocation of pooled resources to mission-oriented ensembles
- Closer coupling of systems to manage physical and logical identity / access

Benefit
- Reduced risk of user access to unrelated resources
- Improved accountability, reduced risk of data leakage / loss
- Reduced attack surface and threat window
- Less likelihood that an attack would propagate
- Improved protection of assets and increased accountability of business and IT users
- Reduced attack surface
- Improved forensics with ensemble snapshots
- Improved ability to enforce access policy and manage compliance

Trusted Advisor Solution Provider Security Company The Company Security for the Cloud Security from the Cloud Security & Privacy Leadership

Thank you!
For more information, please visit: ibm.com/cloud, ibm.com/security
Or send me an email: frank.hebestreit@de.ibm.com


Security Governance, Risk Management and Compliance
IBM Security Framework
Customers require insight into the security posture of their cloud.
Implement a governance and audit management program
IBM Cloud Security Guidance Document
- Establish third-party audits (SAS 70, ISO27001, PCI)
- Provide access to tenant-specific log and audit data
- Create effective incident reporting for tenants
- Insight into change, incident, image management, etc.
- Support for forensics and e-discovery
Supporting IBM products, services and solutions
IBM Security Products and Services
IBM Cloud Security Assessment: Assessing security to create a roadmap to reduced risk
- A comprehensive evaluation of an organization's existing security policies, procedures, controls and mechanisms.

People and Identity
IBM Security Framework
Customers require proper authentication of cloud users.
Implement strong identity and access management
- Privileged user monitoring, including logging activities, physical monitoring and background checking
- Utilize federated identity to coordinate authentication and authorization with enterprise or third-party systems
IBM Cloud Security Guidance Document
- A standards-based, single-sign-on capability can help simplify user logons for both internally hosted applications and the cloud.
- Role Based Access Control (RBAC) reduces the risk associated with persons being assigned inappropriate access and retaining access.
Supporting IBM products, services and solutions
IBM Security Products and Services
IBM Tivoli Federated Identity Manager: Securely manage cloud identities
- Employ user-centric federated identity management to increase customer satisfaction and collaboration

Data and Information
IBM Security Framework
Customers cite data protection as their most important concern.
Ensure confidential data protection
IBM Cloud Security Guidance Document
- Use a secure network protocol when connecting to a secure information store.
- Implement a firewall to isolate confidential information, and ensure that all confidential information is stored behind the firewall.
- Sensitive information not essential to the business should be securely destroyed.
Supporting IBM products, services and solutions
IBM Security Products and Services
IBM Data Security Services: Protect data and enable business innovation
- Solutions for network data loss prevention, endpoint encryption, endpoint data loss prevention, and log analysis

Application and Process
IBM Security Framework
Customers require secure cloud applications and provider processes.
Establish application and environment provisioning
IBM Cloud Security Guidance Document
- Implement a program for application and image provisioning.
- A secure application testing program should be implemented.
- Ensure all changes to virtual images and applications are logged.
- Develop all web-based applications using secure coding guidelines.
Supporting IBM products, services and solutions
IBM Security Products and Services
IBM WebSphere CloudBurst Appliance: Secure cloud application deployments
- Easily, securely and repeatedly create application environments deployed and managed in a cloud

Network, Server and End Point
IBM Security Framework
IBM Cloud Security Guidance Document
Customers expect a secure cloud operating environment.
Maintain environment testing and vulnerability/intrusion management
- Isolation between tenant domains
- Trusted virtual domains: policy-based security zones
- Built-in intrusion detection and prevention
- Vulnerability management
- Protect machine images from corruption and abuse
Supporting IBM products, services and solutions
IBM Security Products and Services
IBM Virtual Server Security for VMware: Protection of cloud-based infrastructure
- Provides market-leading intrusion prevention, firewall and visible security for virtual environments

Physical Security
IBM Security Framework
IBM Cloud Security Guidance Document
Customers expect cloud data centers to be physically secure.
Implement a physical environment security plan
- Ensure the facility has appropriate controls to monitor access.
- Prevent unauthorized entrance to critical areas within facilities.
- Ensure that all employees with direct access to systems have full background checks.
- Provide adequate protection against natural disasters.
Supporting IBM products, services and solutions
IBM Security Products and Services
IBM Physical Security Services: Defend and help secure physical environments
- A full suite of digital security solutions and site assessments that can be integrated with your network and IT systems