Cloud Security
Peter Jopling
joplingp@uk.ibm.com
IBM UK Ltd, Software Group, Hursley Labs
peterjopling
2011 IBM Corporation

Cloud computing impacts the implementation of security in fundamentally new ways

Security and Privacy Domains / To cloud:
- People and Identity: Multiple Logins, Numerous Roles
- Data and Information: Multi-tenancy, Shared Resources
- Application and Process: External Facing, Quick Provisioning
- Network, Server and Endpoint: Virtualization, Reduced Access
- Physical Infrastructure: Provider Controlled, Lack of Visibility
- Governance, Risk and Compliance: Audit Silos, Logging Difficulties

In a cloud environment, access expands, responsibilities change, control shifts, and the speed of provisioning resources and applications increases - greatly affecting all aspects of IT security.

Adoption patterns are emerging for successfully beginning and progressing cloud initiatives

- IaaS: Cut IT expense and complexity through a cloud enabled data center
- PaaS: Accelerate time to market with cloud platform services
- CSP: Innovate business models by becoming a cloud service provider
- SaaS: Gain immediate access with business solutions on cloud

Teams are starting projects to achieve the benefits of these patterns, which is leading to various security considerations

- IaaS: Cut IT expense and complexity through a cloud enabled data center
  Cloud Enabled Data Center: Integrated service management, automation, provisioning, self service
- PaaS: Accelerate time to market with cloud platform services
  Cloud Platform Services: Pre-built, pre-integrated IT infrastructures tuned to application-specific needs
- Innovate business models by becoming a cloud service provider
  Cloud Service Provider: Advanced platform for creating, managing, and monetizing cloud services
- SaaS: Gain immediate access with business solutions on cloud
  Business Solutions on Cloud: Capabilities provided to consumers for using a provider's applications

- Logical and physical isolation
- Secure virtual machines
- Patch of default images
- Encrypt stored data
- Assess self service portals
- Monitor logs on all resources
- Defend network perimeters
- Harden exposed applications
- Use cloud APIs properly
- Protect private information
- Secure shared databases
- Manage platform identities
- Integrate existing security controls with the cloud
- Isolate multiple cloud tenants
- Secure portals and APIs
- Manage security operations
- Build compliant data centers
- Offer backup and resiliency
- Integrate systems management and security
- Federate identity between the cloud and on-premise IT
- Proper user authentication
- Audit and compliance testing
- Encrypt data, both in motion and at rest
- Integrate existing security

Protecting and risk management in the cloud - building on traditional approaches, applied to new models

IBM Cloud Security

One Size Does Not Fit All
Different security controls are appropriate for different cloud needs - the challenge becomes one of integration, coexistence, and recognizing what solution is best for a given workload.

What are the issues we will face going forward?

- Standardisation
- Interoperability
- Big Data
- Governance

Security and Privacy Domains / To cloud:
- People and Identity: Multiple Logins, Numerous Roles
- Data and Information: Multi-tenancy, Shared Resources
- Application and Process: External Facing, Quick Provisioning
- Network, Server and Endpoint: Virtualization, Reduced Access
- Physical Infrastructure: Provider Controlled, Lack of Visibility
- Governance, Risk and Compliance: Audit Silos, Logging Difficulties

Driven by multiple people accessing multiple devices via multiple clouds

In the first six months of 2013, IBM X-Force:
In summary - Top questions to consider when evaluating a cloud provider

The following are suggested common best practice questions to consider when evaluating a cloud provider:
- Is the cloud governance based on industry standards such as ISO 27000 (or FFIEC)?
- What is the risk and compliance management program?
- What are the physical and logical access controls, and the health checking processes?
- What is the problem and incident management process?
- How is protection of the company's high-value / sensitive data implemented? Encryption?
- How is threat and vulnerability identification implemented?
- Is the hypervisor certified?
- What is your personnel security policy?

Public cloud, Hybrid IT, Private cloud