Nov 4-5, 2014, Monarch Beach, CA
How Safe are you in your Cloud? Security Intelligence and Regulatory Compliance in the Cloud
November 2014
Heather Hinton, Ph.D., IBM Distinguished Engineer, CTO Cloud Security and Compliance, GTS Cloud Services Division
Executive Summary
Cloud Adoption: Cloud environments need to satisfy the same compliance requirements as traditional IT, with the same security tools, policies and procedures, adapted for cloud deployment.
Compliance concerns: Cloud adoption highlights changes to thinking about compliance, including adoption of transitive compliance: infrastructure compliance with SOC 2, ISO 27001/2 or similar; client-side workload compliance built on Infrastructure + Workload; software/service compliance built on Infrastructure + Service.
Security concerns: Cloud adoption requires security solutions covering Identity, Protection and Insight to be extended to stand-alone and hybrid cloud: Identity (user identification, access control and governance); Protection (infrastructure security, application and data security, risk management); Insight (user activity, threat intelligence, compliance, cost).
IBM Focus: Deploy cloud offerings with extensive regulatory and compliance assertions; address hybrid cloud use cases by leveraging the underlying compliance of each layer; deploy integrated security capabilities; address hybrid cloud use cases by leveraging strong enterprise security solutions and services.
Cloud computing is rapidly transforming the enterprise
IBM Dynamic Cloud Security: Manage Access, Protect Data, Gain Visibility, Optimize Security Operations
IBM Transitive Cloud Compliance: Workloads, Infrastructure, Leverage, Optimize Compliance Activities
Challenge: Adapt our understanding of risk management to allow adoption of secure, compliant, business-friendly cloud
Perceived Biggest Risks
Software as a Service (SaaS): the provider doesn't have adequate (up to my standards) practices around data protection, identity management and intrusion protection. Focused on the risks of services managed by others, and not enough on the security basics of integrating with other providers and solutions.
Platform as a Service (PaaS): the provider won't have the same types of basic controls (up to my standards) that I need for my developers in my environment. Focused on what the developer will do when removed from the training wheels of internal IT controls (developers let loose on the Internet!).
Infrastructure as a Service (IaaS): the provider doesn't have adequate (up to my standards) practices around physical security. Tends to think in the context of a traditional data center with physical cages.
Cloud presents the opportunity to radically transform security practices and adopt new approaches to workload compliance
Cloud compliance allows us to rethink risks based on the comprehensive hybrid cloud and transitive compliance.
Traditional Compliance: client-dictated and client-driven control of risks for the end-to-end operational stack. Dynamic Cloud Compliance: compliance statements provided by each layer build up an end-to-end compliance statement.
Traditional Security: manual, static, and reactive. Dynamic Cloud Security: standardized, automated, agile, and elastic.
Cloud security is not only achievable, it is an opportunity to drive the business, improve defenses and reduce risk.
IBM SoftLayer and Bluemix provide a security-rich environment
IBM Marketplace, Bluemix, and Partners: AppScan for Mobile Vulnerability analysis, Single Sign On, Intel TXT, SoftLayer's triple-layer network security.
SoftLayer certified compliance: supports Data Privacy, PCI DSS v3.0 AoC, Ready for HIPAA, Ready for GxP, FedRAMP Ready System.
IBM Transitive Compliance for the Hybrid Cloud is built on a layer-cake model
Infrastructure layer (hosted / MSSP): the provider demonstrates infrastructure and MSSP compliance using Compliance Assertions, Ready For statements, and provider-specific audits as needed.
Workload layer: the customer provides workload compliance using Compliance Assertions, Ready For statements, and workload-specific audits as needed.
Ready For statements, Compliance Assertions and Data Privacy support combine to optimize compliance activities.
IBM Dynamic Cloud Security Portfolio for the Hybrid Cloud supports security solutions tailored for your workload's needs (hosted / MSSP delivery)
Manage Access: Cloud Identity Services, Cloud Sign On Service, Cloud Access Manager, Cloud Privileged Identity Manager.
Protect Data: Cloud Web and Mobile Application Analyzers, Cloud Data Activity Monitoring.
Gain Visibility: Cloud Security Intelligence, Intelligent Threat Protection Cloud.
Optimize Security Operations: Security Intelligence and Operations Consulting Services, Cloud Security Managed Services.
International Financial Services Consortium deploys a cloud-hosted document exchange for customers, provided on IBM Marketplace (hosted / MSSP) and IBM Security, and builds a transitive compliant solution
Manage Access: Cloud Identity Services, Cloud Sign On Service, Cloud Access Manager, Cloud PIM.
Protect Data: Cloud Web and Mobile Application Analyzers, Cloud Data Activity Monitoring, Data Encryption, Data Privacy.
Gain Visibility: Intelligent Threat Protection Cloud, Unified Threat Monitoring.
Optimize Security Operations and Compliance Activities: Security Intelligence and Operations Consulting Services, Cloud Security Managed Services.
National retailer deploys a loyalty program extension including mobile accessibility, provided on IBM Marketplace (hosted / MSSP), and builds a transitive compliant solution
Manage Access: Cloud Identity Services, Cloud Sign On Service, Cloud Access Manager, Cloud PIM.
Protect Data: Cloud Application Analyzers, Cloud Data Activity Monitoring, Data Privacy.
Gain Visibility: Cloud Security Intelligence, Intelligent Threat Protection Cloud, Unified Threat Monitoring.
Optimize Security Operations and Compliance Activities: Security Intelligence and Operations Consulting Services, Cloud Security Managed Services.