Provably Secure Data Protection in the Cloud ICDES (IBM Cloud Data Encryption Services)
Agenda: Cloud Security and Intro to ICDES (Manish Aggarwal, IBM, Offering Manager Cloud); Client Case Study: Crohn's & Colitis Foundation of America (Angela Dobes, CCFA, Program Director); Use-cases for ICDES (Russ Fulford, Security First, VP Cloud Solutions); Q&A
Hacks & Data Breaches Keep Growing
Over 2 million: the number of records compromised in cyber attacks daily [1]
More than 3.8 million USD: the cost to recover from a cyber breach [2]
49: the percentage of data breaches that occur due to criminal attacks [3]
205: the number of days before a breach is detected [4]
429: the number of cyber breaches that happen every week [5]
Sources: [1] 2014 Data Breach Trends, Risk Based Security Open Security Foundation, February 2015; [2, 3] 2015 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May 2015; [4] M-Trends 2015: A View from the Front Lines, Mandiant 2015; [5] 2014 Global Report on the Cost of Cyber Crime, Ponemon Institute, October 2014
Data Security is Evolving & Requires Layers. Traditional Model: Network and perimeter centric. Newer Model: Add data centric security, access controls & security intelligence. IBM is the undisputed leader in Enterprise Security and invests in best of breed technologies.
Advanced Cryptographic Splitting Technology. If you can't get the data, you can't hack it. [Diagram: DATA passes through AES Encryption, then the Information Dispersal Algorithm (IDA).] File keys encrypted & split by Workgroup Key. Cryptographically split shares and keys are sent to Storage. Workgroup Key encrypted and split by Perfect Secret Sharing.
ICDES Delivers Robust Data Protection: Confidentiality. Ground-breaking data-centric security; FIPS-140-2 certified AES-256 Encryption [1]; FIPS-140-2 certified Cryptographic splitting [1]; FIPS-140-2 certified built-in simplified key management [1]; Privacy; Zero knowledge environments. [Figure: InfoSec Triad for Data Protection.] [1] Federal Information Processing Standard (FIPS)
ICDES Delivers Robust Data Protection: Confidentiality, Integrity. Tampered data is not used; Built in data health check; Repair corrupt shares while still encrypted; Always get what you started with. [Figure: InfoSec Triad for Data Protection.]
ICDES Delivers Robust Data Protection: Confidentiality, Integrity, Availability. Data resiliency added at server edge; Data is Always ON - no recovery time for share failure; Simplified data availability architecture; Never lose file encryption keys; Supports a reduced-cost HA and DR architecture. [Figure: InfoSec Triad for Data Protection.]
ICDES Delivers Robust Data Protection: Confidentiality, Integrity, Availability. Easier management of regulatory requirements [1]: HIPAA; HITECH; FISMA; Sarbanes-Oxley; PCI DSS; FedRAMP. [Figure: InfoSec Triad for Data Protection.] [1] Health Insurance Portability and Accountability Act of 1996 (HIPAA); Health Information Technology for Economic and Clinical Health Act (HITECH); Federal Information Security Management Act of 2002 (FISMA); Payment Card Industry Data Security Standard (PCI DSS)
ICDES Makes Data Security Easy. [Diagram, Step 1 to Step 3. Labels: PURCHASE ICDES Advanced Secure (IBM Cloud Marketplace); DOWNLOAD; CONFIGURE (2 of 4; /share1, /share2, /share3, /share4); START PROTECTING DATA; DATA; PROTECTED DIRECTORY; Share 1, Share 2, Share 3, Share 4.]
Lowering Total Cost of Ownership. [Diagram: Current Environment (Customer Data Center) beside With ICDES Cost Saving Options. Labels: External Bulk Keystore; Secure Private, Hybrid and Public Cloud; Key Manager: Built-In; High Availability & Disaster Recovery (M of N): Built-In.]
Flexible Implementation Methods. [Diagram: Virtual and Physical deployments. Labels: OS Installation; Select Files & Directories; Secure Datastore Target; ICDES Plug-in for vCenter; ICDES for vCenter Management Server; Manage Virtual Machines; CentOS; ICDES; APP; OS.]
Use ICDES In Any Environment: IBM SoftLayer; IBM Bluebox; Private Clouds; Hybrid Clouds; Public Clouds; Customer data centers. [Figure labels: Public, Private, Hybrid.]
ICDES Editions Beyond Standard Encryption. Secure: Data protection, Keyed encryption, Keyed splitting (1 of 1). [Diagram labels: Users and Applications; Compliance and Critical Business Data; ICDES Server; Local Site.]
ICDES Editions Beyond Standard Encryption. Secure: Data protection, Keyed encryption, Keyed splitting (1 of 1). Advanced Secure: + Fault tolerance, Data resiliency and authentication (4 of 4). [Diagram labels: Users and Applications; Compliance and Critical Business Data; ICDES Server; Local Site.]
ICDES Editions Beyond Standard Encryption. Secure: Data protection, Keyed encryption, Keyed splitting (1 of 1). Advanced Secure: + Fault tolerance, Data resiliency and authentication (4 of 4). Advanced Multi-site: + Disaster recovery, Multi-site capability. [Diagram labels: Users and Applications; Compliance and Critical Business Data; ICDES Server; Local Site; Remote Site.]
Agenda: Cloud Security and Intro to ICDES; Client Case Study: Crohn's & Colitis Foundation of America; Use-cases for ICDES; Q&A
What are Inflammatory Bowel Diseases? Crohn's Disease is a chronic inflammatory condition of the gastrointestinal tract that can affect any part of the body from the mouth to the anus. Ulcerative Colitis is a chronic inflammatory condition limited to the colon. 1.6M: # of Americans living with IBD. 70K: # of new cases of IBD diagnosed in the US each year. The CCFA is a non-profit organization dedicated to finding cures for IBD.
Challenges in IBD: Current therapy for IBD is inadequate and inconsistently delivered. Pathway to improved outcomes: New resources to drive discovery; Increased collaboration and sharing of data; Improved patient selection; Improved quality of care.
IBD Plexus Vision & Goals. Build a research and information exchange platform to accelerate research and transform the care of IBD patients. Goals of IBD Plexus are: Unite clinicians, patients, academia and industry; Optimize use of data and biosamples across the research community; Identify new drug targets; Identify new biomarkers and diagnostics; Improve the quality of care for patients with IBD.
Approach: IBD Plexus will link data across study cohorts. Break silos, bringing together stakeholders. [Diagram labels: Clinical; Omics / Expression; Biosample; Patient Reported / Generated.]
IBD Plexus Landscape. Study Programs: Pediatric risk stratification study; Adult prospective research study; Internet-based patient-powered registry; Quality of care program; Real world evidence registry. Components: Adult & Pediatric Registries; Biobank & LIMS; Centralized Analytical Lab; Data & Analytic Platforms; High Performance Computing; Researcher Portal.
IBD Plexus Hosting / Security. IBM SoftLayer has been selected to host the IBD Plexus solution. DATA PLATFORM: Protected Health Information (PHI). ANALYTIC PLATFORM: De-identified data sets; Limited data sets. [Diagram labels: Bare metal with CCFA stack; Dedicated virtualized CCFA environment; IBM Cloud Data Encryption Services (ICDES).]
Transforming Research. [Figure: two charts, Current State and Future State, each plotting Disease Activity (Severe, Moderate, Mild, Remission) against Time. Labels: Hypothesis Generation; Basic Science; Translational Research; Clinical Trials; Comp Effectiveness; Quality Improvement.]
Agenda: Cloud Security and Intro to ICDES; Client Case Study CCFA; Use-cases for ICDES; Q&A
Cryptographic Splitting Core. ENTERPRISE: Ingest Digital Data; Addressable Storage; Users & Applications; Integrate with your Access Controls. ICDES Server: Generate keys; Encryption & Authorization; Bit Randomization (IDA); Fault Tolerance (M of N); Key Wrapping; Journal Cache; Disperse Shares to Storage (2 of 4 Example).
CCFA Securing Structured and Unstructured Data. [Diagram labels: Research, Academic and Medical Communities; Various Patient, Academic & Research Data; Cache; Object Storage Gateway; Data Platform Application protected by ICDES; Object Storage; IBD Plexus Data; Analytic Platform Application protected by ICDES.]
Use Case: Compliance or Highly Valuable Data. [Diagram labels: User Community; Application Data Server; Payment Card Data; Protected Directory; ICDES Server; Secure 1 of 1; Unstructured; Structured; Storage.]
Use Case: Compliance or Highly Valuable Data, With Resiliency for Highly Available Data. [Diagram labels: User Community; Application Data Server; Payment Card Data; Protected Directory; ICDES Server; Advanced Secure 2 of 4; Unstructured; Structured; Share 1, Share 2, Share 3, Share 4; Storage.]
Use Case: Compliance or Highly Valuable Data. Add Geographic Separation of Data for Disaster Recovery. [Diagram labels: User Community; Application Data Server; Payment Card Data; Protected Directory; ICDES Server; Remote Location; Standby Database Server; Standby ICDES Server; Advanced Multi-Site 2 of 6; Share 1, Share 2, Share 3, Share 4, Share 5, Share 6; Storage.]
Use Case: IBM Cloud Analytics. Secure Hadoop Data Stored Securely in Object Storage. [Diagram labels: User Community; Application Data Server; Hadoop Cluster; Massive Data to be Analyzed; Storage Gateway; ISHOC 2 of 2; HDFS; Location 1; Location 2; Object Storage.]
Agenda: Cloud Security and Intro to ICDES; Client Case Study CCFA; Use-cases for ICDES; Q&A
Notices and Disclaimers Copyright 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. 
All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer's responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
Notices and Disclaimers Cont. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM's products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. IBM, the IBM logo, ibm.com, Aspera, Bluemix, Blueworks Live, CICS, Clearcase, Cognos, DOORS, Emptoris, Enterprise Document Management System, FASP, FileNet, Global Business Services, Global Technology Services, IBM ExperienceOne, IBM SmartCloud, IBM Social Business, Information on Demand, ILOG, Maximo, MQIntegrator, MQSeries, Netcool, OMEGAMON, OpenPower, PureAnalytics, PureApplication, purecluster, PureCoverage, PureData, PureExperience, PureFlex, purequery, purescale, PureSystems, QRadar, Rational, Rhapsody, Smarter Commerce, SoDA, SPSS, Sterling Commerce, StoredIQ, Tealeaf, Tivoli, Trusteer, Unica, urban{code}, Watson, WebSphere, Worklight, X-Force and System z Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
Thank You. Your Feedback is Important! Access the InterConnect 2016 Conference Attendee Portal to complete your session surveys from your smartphone, laptop or conference kiosk.