Cloud Security Who do you trust?


Thought Leadership White Paper Cloud Computing Cloud Security Who do you trust? Nick Coleman, IBM Cloud Security Leader Martin Borrett, IBM Lead Security Architect

Cloud Security Who do you trust?

Cloud computing offers to change the way we use computing with the promise of significant economic and efficiency benefits. The speed of adoption depends on how trust in new cloud models can be established. Trust needs to be achieved, especially when data is stored in new ways and in new locations, including for example in different countries. In this paper we explain why trust, reliability and security decisions are central to choosing the right model. Consider for example:

How easy would it be to lose your service if a denial of service attack is launched within your cloud provider?
Will you suffer a data security breach when an administrator can access multiple stores of data within the virtualised environment they are controlling?
Could you lose your service when an investigation into data loss of another customer starts to affect your privacy and data?

This paper is provided to stimulate discussion by looking at three areas:

What is different about cloud?
What are the new security challenges cloud introduces?
What can be done and what should be considered further?

What is different about cloud?

Cloud computing moves us away from the traditional model, where organisations dedicate computing power to a particular business application, to a flexible model where users access business applications and data in shared environments. Cloud is a new consumption and delivery model: resources can be rapidly deployed and easily scaled (up and down), with processes, applications and services provisioned on demand. It can also enable a pay-per-usage model. In these models the risk profile for data and security changes, and that change is an essential factor in deciding which cloud computing models are appropriate for an organisation.

[Figure: Without cloud computing versus with cloud computing. Without cloud, each workload (Workload A) has its own software, hardware, storage, networking and service management. With cloud, Workloads A, B and C share software, hardware, storage and networking under automated service management, with standardised services, location independence, rapid scalability and self-service.]

[Figure: Today's Data Centre versus Tomorrow's Cloud. Today's data centre: we have control; it's located at X; it's stored in servers Y, Z; we have backups in place; our admins control access; our uptime is sufficient; the auditors are happy; our security team is engaged. Tomorrow's cloud (virtual machines over an abstraction layer, virtualisation/hypervisor): who has control? Where is it located? Where is it stored? Who backs it up? Who has access? How resilient is it? How do auditors observe? How does our security team engage?]

What are the security challenges cloud introduces?

There are existing security challenges, experienced in other computing environments, and there are new elements which are necessary to consider. The challenges include:

Governance
Data
Architecture
Applications
Assurance

These five categories are described in the rest of this section in more detail so that the complexity of these issues can be better understood.

2/3 of organisations identify security as their top concern when considering cloud. Source: Driving Profitable Growth Through Cloud Computing, IBM Study (conducted by Oliver Wyman), published November 2008.

Governance

Achieving and maintaining governance and compliance in cloud environments brings new challenges to many organisations. (This paper should not be seen as legal advice or guidance specific to any one organisation.) Things you might need to consider include:

Jurisdiction and regulatory requirements: Can data be accessed and stored at rest within regulatory constraints? Are development, test and operational clouds managing data within the required jurisdictions, including backups?
Complying with export/import controls: When applying encryption software to data in the cloud, are these controls permitted in a particular country/jurisdiction? Can you legally operate with the security mechanisms being applied?
Compliance of the infrastructure: Are you buying into a cloud architecture, infrastructure or service which is not compliant?
Audit and reporting: Can you provide the required evidence and reports to show compliance with regulations such as PCI and SOX? Can you satisfy legal requirements for information when operating in the cloud?

Data

Cloud places data in new and different places, not just the user data but also the application (source) code. Who has access, and what is left behind when you scale down a service? Other key issues include:

Data location and segregation: Where does the data reside? How do you know? What happens when investigations require access to servers and possibly other people's data?
Data footprints: How do you ensure that the data is where you need it when you need it, yet not left behind? How is it deleted? Can the application code be exposed in the cloud?
Backup and recovery: How can you retrieve data when you need it? Can you ensure that the backup is maintained securely, in geographically separated locations?
Administration: How can you control the increased access administrators have when working in a virtualised model? Can privileged access be appropriately controlled in cloud environments?

Architecture

Standardised infrastructure and applications, and increased commoditisation, lead to more opportunity to exploit a single vulnerability many times. Looking at the underlying architecture and infrastructure, some of the considerations include:

Protection: How do you protect against attack when you have a standard infrastructure and the same vulnerability exists in many places across that infrastructure?
Hypervisor vulnerabilities: How can you protect the hypervisor (a key component of cloud infrastructures), which interacts with and manages multiple environments in the cloud? The hypervisor is a potential target for gaining access to more systems and hosted images.
Multi-tenant environments: How do you ensure that systems and applications are appropriately and sufficiently isolated, and protected against malicious server-to-server communication?
Security policies: How do you ensure that security policies are accurately and fully implemented across the cloud architectures you are using and buying into?
Identity management: How do you control passwords and access tokens in the cloud? How do you federate identity in the cloud? How can you prevent user IDs and passwords being passed and exposed in the cloud unnecessarily, increasing risk?

[Figure: the five challenge categories. Governance: achieving compliance and management in the cloud. Data: information shared inside and outside the organisation. Architecture: new web architecture, infrastructure and threats. Applications: applications on the phone, internet and in a virtualised cloud. Assurance: audit and monitoring in a virtualised/cloud environment. These apply when providing Software as a Service (SaaS), Infrastructure and hardware as a Service (IaaS) and Platform as a Service (PaaS), either individually or in different combinations.]

Applications

There has been a significant increase in web application vulnerabilities, so much so that these vulnerabilities make up more than half of the disclosed vulnerabilities over the past 4 years.

67% of all web application vulnerabilities had no patch in 2009. Source: IBM Security Solutions X-Force 2009 Trend and Risk Report, published February 2010.

Software vulnerabilities: How do you check and manage vulnerabilities in applications? How do you secure applications in the cloud that are increasingly targeted due to the large user population?
Patch management: How do you secure applications where patches are not available? How do you ensure images are patched and up to date when deployed in the cloud?

Assurance

Challenges exist for testing and assuring the infrastructure, especially when there is no easy way to arrange data centre visits or penetration (pen) tests.

Operational oversight: When logs no longer just cover your own environment, do you need to retrieve and analyse audit logs from diverse systems potentially containing information about multiple customers?
Audit and assurance: What level of assurance, and how many providers, will you need to deal with? Do you need to have an audit of every cloud service provider?
Investigating an incident: How much experience does your provider have of audit and investigation in a shared environment? How much experience do they have of conducting investigations without impacting service or data confidentiality?
Experience of new cloud providers: What will the security of data be if the cloud provider is no longer in business? Has business continuity been considered for this eventuality?
Application devices: How do you manage the new access devices using their own new application software? How do you ensure they are not introducing a new set of vulnerabilities and ways to exploit your data?

[Figure: Cloud Security Services, showing security from the cloud and security for the cloud. The labelled elements are Application Security, Identity Management, Governance, Risk Management and Compliance, Security Event and Log Management, and End Point Protection.]

How can you start to build to a position of trust and risk management when setting up cloud computing for your organisation?

What can be done and what should be considered further?

Many of the risks identified can be managed through the application of appropriate security and governance measures. Which risks you choose to address will differ depending on your business, your appetite for risk and how costly these measures are. In many cases the complexity of securing cloud comes not just from the individual application but from how it integrates into the rest of the organisation.

Delivering security for the cloud

Working out where and how to apply security is core to delivering security for the cloud. Security itself can be delivered from within the cloud. Elements such as event and log management, identity management, end point protection and application security are increasingly delivered as cloud security services. Security for the cloud will come down to what can be delivered in the cloud and what needs to supplement that delivery framework.

Getting started:

1. Define a cloud strategy with security in mind. Identify the different workloads and how they need to interact. Which models are appropriate based on their security and trust requirements and the systems they need to interface to?
2. Identify the security measures needed. Using a framework such as the one IBM uses, the IBM Security Framework and Blueprint, allows teams to capture the measures that are needed in areas such as governance, architecture, applications and assurance.
3. Enable security for the cloud. This is the upfront set of assurance measures you will want to take: assessing that the applications, infrastructure and other elements meet your security requirements, as well as operational security measures.

Cloud security can be delivered as part of the cloud service and also as specific components added in to enhance security. Depending on your cloud provider, a combination of both of these approaches may be necessary. The fundamental principles of security and risk management still apply. The approach IBM is using is based on IBM's Security Framework and Blueprint, which provides a comprehensive framework to address all aspects of security.

In summary

Cloud computing offers new possibilities and new challenges. These challenges range from governance through to securing applications and infrastructure. Fundamentally, it is important to be able to assure the security of these new models in order to build trust and confidence. The key to establishing trust in these new models is choosing the right cloud computing model for your organisation: place the right workloads in the right model with the right security mechanisms.

For those planning to consume cloud services and looking for trust and assurance from the cloud provider, understanding the service level agreements and the approaches to security is key. Assessing that this can be delivered, including what assurances can be provided, will be important. For those providing or building a cloud infrastructure, using a proven methodology and technologies that can deliver appropriate security is key. This is not just a technical challenge but a challenge of governance and compliance; applications and infrastructure; and assurance. This paper is written to stimulate discussion of the challenges and of ways to start addressing them in securing cloud computing.

The Authors

Nick Coleman, IBM Cloud Security Leader. Email: coleman@uk.ibm.com Twitter: twitter.com/teamsecurity
Martin Borrett, IBM Lead Security Architect. Email: borretm@uk.ibm.com

IBM United Kingdom Limited, PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU, United Kingdom
IBM Ireland Limited, Oldbrook House, 24-32 Pembroke Road, Dublin 4, Ireland
IBM Ireland Limited registered in Ireland under company number 16226.

The IBM home page can be found at ibm.com

IBM, the IBM logo, ibm.com and Information Agenda are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks can be found at: http://www.ibm.com/legal/copytrade.shtml

Other company, product and service names may be trademarks, or service marks of others.

References in this publication to IBM products, programs or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM product, program or service is not intended to imply that only IBM products, programs or services may be used. Any functionally equivalent product, program or service may be used instead.

IBM hardware products are manufactured from new parts, or new and used parts. In some cases, the hardware product may not be new and may have been previously installed. Regardless, IBM warranty terms apply.

This publication is for general guidance only. Information is subject to change without notice. Please contact your local IBM sales office or reseller for latest information on IBM products and services. IBM does not provide legal, accounting or audit advice or represent or warrant that its products or services ensure compliance with laws. Clients are responsible for compliance with applicable securities laws and regulations, including national laws and regulations.

Photographs may show design models.

Copyright IBM Corporation 2010. All Rights Reserved.

Please Recycle. 10-0796 (09/10) TT