Professional Documents
Culture Documents
1
Outline
• Introduction to Cloud computing
• Security Challenges in the Cloud
• Cloud security concerns
• IBM’s Point of View on Cloud Security
• IBM solutions for securing cloud
• Assessing the Security Risks of
Cloud Computing
• Security as a Service
2
Introduction to Cloud Computing
3
What is Cloud Computing?
“Cloud” is a new consumption and delivery model for many IT-based services, in which the user sees
only the service, and has no need to know anything about the technology or implementation
Attributes
Flexible
Standardized, pricing Elastic
consumable scaling
Rapid
web-delivered provisioning
services Metering &
Service
Billing Advanced
Catalog
Ordering virtualization
4
Features of Cloud
5
The Layers of IT-as-a-Service
Collaboration CRM/ERP/HR
Business Industry
Processes Applications
Software as a Service
Development
Middleware Database
Tooling
Platform as a Service
Data Center
Servers
Fabric
Networking Storage
Infrastructure as a Service
6
7
Cloud Computing Delivery Models
Flexible Delivery Models
Public … Private …
Cloud
• Service provider owned and • Privately owned and
managed Services managed.
• Access by subscription • Access limited to client
• Delivers select set of
Cloud
and its partner network.
standardized business Computing • Drives efficiency,
process, application and/or Model standardization and best
infrastructure services on a practices while retaining
flexible price per use basis. greater customization
Hybrid … and control
• Access to client, partner
network, and third party
resources
.…Standardization, capital .… Customization, efficiency,
preservation, flexibility and availability, resiliency,
time to deploy security and privacy___
Cloud-onomics…
CLOUD COMPUTING
VIRTUALIZATION
+ ENERGY
EFFICIENCY
+ STANDARDIZATION
+ AUTOMATION
= Reduced
Cost
AGILITY
+ BUSINESS & IT
ALIGNMENT
+ SERVICE
FLEXIBILITY
+ INDUSTRY
STANDARDS
=
…allowing you to optimize new investments
OPTIMIZED
BUSINESS
10
Security and Cloud Computing
Utility Computing
Grid Computing
Cloud
Computing
12
Security and Cloud Computing
? ?
?
? ?
We Have Control ? Who Has Control?
It’s located at X. Where is it located?
It’s stored in server’s Y, Z. Where is it stored?
We have backups in place. Who backs it up?
Our admins control access. Who has access?
Our uptime is sufficient. How resilient is it?
The auditors are happy. How do auditors observe?
Our security team is engaged. How does our security
team engage?
13
13
Security and Cloud Computing
Software as a Service
Platform as a Service
Networking Storage
Infrastructure as a Service
15
Security and Cloud Computing
• “Securing your applications or data • Gartner’s 7/09 “Hype Curve for Cloud
when they live in a cloud provider’s Computing” positions Cloud Security
infrastructure is a complicated issue Concerns into the early phase (technology
because you lack visibility and trigger, will raise), and gives it a time
control over how things are being horizon of 5-10 years
done inside someone else’s network.”
Forrester, 5/09
• “Highly regulated or sensitive
• “Large enterprises should generally proprietary information should not
avoid placing sensitive be stored or processed in an
information in public clouds, but external public cloud-based
concentrate on building internal service without appropriate visibility
cloud and hybrid cloud capabilities into the provider's technology and
in the near term.“ Burton, 7/09 processes and/or the use of
encryption and other security
• “Cloud approaches offer a unique mechanisms to ensure the
opportunity to shift a substantial
burden for keeping up with threats appropriate level of information
to a provider for whom security may protection.” Gartner 7/09
well be part of the value proposition.”
EMA, 2/09
16
Security and Cloud Computing
Business Risk
17
Cloud Security Concerns
18
Data exposure and Compromise
• Organizations uncomfortable with idea of data
located on external systems
• Hosted providers cannot ensure absolute
security
• Authentication and access technology becomes
increasingly important
• Data segregation also becomes key in cloud
19
• Reliability of service
• Reliability is core advantage in cloud. It is very scalable
and capable of meeting wide variations in processing
power and users
• High Availability is still a concern. Many cloud based
offerings do not offer SLAs
• Any (cloud) offering that does not replicate the data and
application infrastructure across multiple sites is
vulnerable to a total failure
• Even if offerer refuses to tell you where will it store your
data. It should tell you what would happen to your data
and service if one of its site succumbs to a disaster.
20
Reduced ability to demonstrate compliance
with regulations, standards and SLA’s
• Public clouds are mostly by definition “A black Box”
• Complying with SOX, HIPAA etc. regulations may
prohibit clouds for some applications
• Geographical requirements
• A ‘Private’ and ‘Hybrid’ cloud can be configured to meet
these requirements
21
• Ability to manage the security
environment
• CSPs must supply easy visual controls to
manage and monitor firewall and other security
settings for applications and runtime
environments in the cloud
• No Granularity of access (SaaS). Usually only
roles available are ‘Admin’ and ‘Normal User’
22
IBM’s Point of View on Cloud Security
23
Security and Cloud Computing
Platform as a service
Optimized middleware – application servers,
database servers, portal servers
Infrastructure as a service
Virtualized servers, storage,
networking
Virtualized Resources
Virtual Network, Server, Storage
System Resources
Network, Server, Storage
24
IBM’s Architectural Model for Cloud Computing
Service Request & Operations Service Provider Service Creation
Application/Software as a Service
Service
Standards Based Interfaces
Infrastructure as a Service
25
Security and Cloud Computing
as a Service Definition
Tools
Identity & Security as a Service
Role-based Authorization, entitlements
Access
Log, audit and compliance reporting
Intrusionasprevention
Infrastructure a Service
27
IBM solutions for securing cloud
28
People and Identity
Businesses need to make sure people across their organization and supply
chain have access to the data and tools that they need, when they need it, while
blocking those who do not need or should not have access
29
Information and Data
– Earlier data can be protected with perimeter. Now data needs to be
secured where ever it resides and when it is in motion. Capabilities
for monitoring, access management and encryption
– IBM’s Systems, Storage, and Network Segmentation
Solutions
» offer application isolation, OS containers, encrypted storage,
VLANs and other isolation technologies for a secure multi-
tenant infrastructure
– Tivoli Key Lifecycle Manager
– IBM Data Encryption for IMS and DB2 Databases
– IBM Database Encryption Expert
» Transparently protect any file on the file system
» Transparently encrypt DB2 backup files
» Protects information in Online, offline environments
• Backup and recovery of data stored remotely in the cloud
– IBM Information Protection Services
30
Process and Application
– Enterprises need to preemptively and proactively
protect their business-critical applications
– Focus is more on Web applications
• Rational AppScan
– Provides automated Web application scanning and testing for all common
Web application vulnerabilities, including WASC threat classification - such
as SQL-Injection, Cross-Site Scripting, and Buffer Overflow - and intelligent
fix recommendations to ease remediation
32
• Network, Server and Endpoint
• Proactive threat and vulnerability monitoring
• Security of Virtualization stack
– ISS Virtualization Security
» Proventia Virtualized Network Security Platform
(VNSP)
» IBM Proventia® Server Intrusion Prevention
System (IPS)
» IBM RealSecure® Server Sensor
33
34
• Physical Infrastructure
– Effective physical security requires a centralized management system that
allows the monitoring of property, employees, customers and the general
public
35
Security and Cloud Computing
Physical Infrastructure
BCRS Resilient Cloud Validation Program
Restoration and
Cloud Use Case: By using proven BCRS resiliency
availability of cloud consulting methodology, combined with traditional
computing resources shared and dedicated asset business and resiliency
managed services, IBM is positioning BCRS as the
premier resiliency provider to Cloud service
providers. Resilient
Cloud
High Performance On Demand Solutions (HiPODS) + IBM ISS Security Operations Centers
36
36 36
Security and Cloud Computing
Smart Planet
Dynamic Infrastructure
37
37 9/15/2009 37
Security and Cloud Computing
• Defined set of cloud interfaces • Reduced risk of user access to unrelated resources.
People and • Centralized repository of Identity and Access Control policies
Identity
• Computing services running in isolated domains as defined in • Improved accountability, Reduced risk of data leakage /
service catalogs loss
Information • Default encryption of data in motion & at rest • Reduced attack surface and threat window
and Data • Virtualized storage providing better inventory, control, tracking • Less likelihood that an attack would propagate
of master data
• Autonomous security policies and procedures • Improved protection of assets and increased accountability
• Personnel and tools with specialized knowledge of the cloud of business and IT users
Process & ecosystem
Application • SLA-backed availability and confidentiality
Physical • Closer coupling of systems to manage physical and logical • Improved ability to enforce access policy and manage
identity / access. compliance
infrastructure
38 38
38 9/15/2009
Assessing the Security Risks of
Cloud Computing
39
Key Findings
• The most practical way to evaluate the risks associated with
using a service in the cloud is to get a third party to do it.
40
Recommendations
• Organizations that have IT risk assessment capabilities and
controls for externally sourced services should apply them to the
appropriate aspects of cloud computing
41
What to Evaluate
• Privileged User Access
• Ask providers to supply specific information on the hiring and oversight
of privileged administrators, and the controls over their access
• Compliance
• Cloud computing provider should be willing to submit to external audits
and security certifications
• Data Location
• Need to meet National privacy regulations
• Is the provider willing to give a contractual commitment to obey the law
on your behalf?
• Data Segregation
• Ask for evidence that the encryption implementation was designed and
tested by experienced specialists
• Encryption accidents can make data totally unusable, and even normal
encryption can complicate availability.
• Who has access to the decryption keys?
42
What to Evaluate (Cont.)
• Availability
• Does cloud-based offerings provides service level
commitments?
• Recovery
• How cloud offerings will recover from total disaster?
• May not tell where data is stored. But does it have the ability to
do a complete restoration, and how long will it take?
• Investigative Support
• Cloud services are especially difficult to investigate
• Contractual commitment to support specific forms of
investigation , Electronic Discovery
• Viability
• long-term viability of any external service provider
• Support in Reducing Risk
• CSPs to inform how safely and reliably use their product
43
How to Assess
trust.salesforce.com
44
Security as a Service
45
Security Offerings
• Email Filtering (backup, archival, e-
Discovery,Encryption)
• Web Content Filtering (Including outbound
sensitive information)
• Identity-as-a-Service (IDaaS)
46
Thank You
47