Securing Cloud Solutions. Neil Warburton, IBM Security Architect. © 2012 IBM Corporation, IBM Security Systems.


1 Securing Cloud Solutions. Neil Warburton, IBM Security Architect, IBM UK

2 The journey toward a Smarter Planet continues
Smart Supply Chains, Smart Countries, Smart Retail, Smart Water Management, Smart Weather, Smart Energy Grids, Smart Oil Field Technologies, Smart Regions, Smart Healthcare, Smart Traffic Systems, Smart Cities, Smart Food Systems
INSTRUMENTED, INTERCONNECTED, INTELLIGENT

3 What is Cloud Computing?
“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models…” - US National Institute of Standards and Technology (NIST), September 2011

4 Cloud Deployment/Delivery and Security
Depending on an organization's readiness to adopt cloud, and the appropriateness of cloud for a particular application, there is a wide array of deployment and delivery options.

5 IBM is helping organizations usher in an era of Security Intelligence
[Maturity chart. Labels: Security Intelligence; Reactive, Proactive; Manual, Automated; Basic, Proficient, Optimized]
Optimized: Organizations use predictive and automated security analytics to drive toward security intelligence
Proficient: Security is layered into the IT fabric and business operations
Basic: Organizations employ perimeter protection, which regulates access and feeds manual reporting

6 Solving a security issue is a complex, four-dimensional puzzle
People: Employees, Consultants, Hackers, Terrorists, Outsourcers, Customers, Suppliers
Data: Structured, Unstructured, At rest, In motion
Applications: Systems applications, Web applications, Web 2.0, Mobile apps
Infrastructure
It is no longer enough to protect the perimeter – siloed point products will not secure the enterprise

7 A Cloud Analogy.... IaaS, PaaS, BPaaS

8 Sometimes your solution won't fit a cloud model...

9 Why cloud?
Capability: From (legacy environments) / To (cloud enabled enterprise)
Server/Storage Utilisation: 10-20% / 70-90%
Self service: None / Unlimited
Test Provisioning: Weeks / Minutes
Change Management: Months / Days/Hours
Release Management: Weeks / Minutes
Metering/Billing: Fixed cost model / Granular
Payback period for new services: Years / Months
Cloud is a synergistic fusion which accelerates business value across a wide variety of domains.

10 Security and Cloud Computing (09/19/12): Simple Example
Today’s Data Center: We Have Control. It’s located at X. It’s stored in servers Y, Z. We have backups in place. Our admins control access. Our uptime is sufficient. The auditors are happy. Our security team is engaged.
Tomorrow’s Public Cloud: Who Has Control? Where is it located? Where is it stored? Who backs it up? Who has access? How resilient is it? How do auditors observe? How does our security team engage?

11 Securing the Cloud is Today’s Challenge
Continued movement of business to new platforms including cloud, virtualization, mobile, social business and more. Everything is everywhere.

12 Cloud Promises Many Benefits: Low Cost Elastic Infrastructure Good Measurable SLA Security

13 Cloud Promises Many Benefits: Low Cost Elastic Infrastructure Good Measurable SLA Security

14 Implications for cloud….
Distribution of Virtualization System Vulnerabilities:
Indeterminate: 6.25%
Hypervisor: 1.25%
Mgmt Server: 6.25%
Guest VM: 15%
Mgmt console: 16.25%
Admin VM: 17.5%
Hypervisor escape: 37.5%

15 Approaches to delivering security need to align with each phase of a client’s cloud project or initiative
Design: Establish a cloud strategy and implementation plan to get there.
Deploy: Build cloud services, in the enterprise and/or as a cloud services provider.
Consume: Manage and optimize consumption of cloud services.
Cloud Security Approach:
Secure by Design: Focus on building security into the fabric of the cloud.
Workload Driven: Secure cloud resources with innovative features and products.
Service Enabled: Enable security through services and interfaces.

16 Cloud computing impacts the implementation of security in fundamentally new ways
Security and Privacy Domains: People and Identity; Application and Process; Network, Server and Endpoint; Data and Information; Physical Infrastructure; Governance, Risk and Compliance
To cloud: Multiple Logins, Numerous Roles; Multi-tenancy, Shared Resources; Audit Silos, Logging Difficulties; Provider Controlled, Lack of Visibility; Virtualization, Reduced Access; External Facing, Quick Provisioning
In a cloud environment, access expands, responsibilities change, control shifts, and the speed of provisioning resources and applications increases - greatly affecting all aspects of IT security.

17 Adoption patterns are emerging for successfully beginning and progressing cloud initiatives
IaaS: Cut IT expense and complexity through a cloud enabled data center
PaaS: Accelerate time to market with cloud platform services
CSP: Innovate business models by becoming a cloud service provider
SaaS: Gain immediate access with business solutions on cloud

18 Each pattern has its own set of key security concerns
Cloud Enabled Data Center (IaaS: Cut IT expense and complexity through a cloud enabled data center). Integrated service management, automation, provisioning, self service. Key security concerns: Logical and physical isolation; Secure virtual machines; Patch of default images; Encrypt stored data; Assess self service portals; Monitor logs on all resources; Defend network perimeters
Cloud Platform Services (PaaS: Accelerate time to market with cloud platform services). Pre-built, pre-integrated IT infrastructures tuned to application-specific needs. Key security concerns: Harden exposed applications; Use cloud APIs properly; Protect private information; Secure shared databases; Manage platform identities; Integrate existing security controls with the cloud
Cloud Service Provider (Innovate business models by becoming a cloud service provider). Advanced platform for creating, managing, and monetizing cloud services. Key security concerns: Isolate multiple cloud tenants; Secure portals and APIs; Manage security operations; Build compliant data centers; Offer backup and resiliency; Integrate systems management and security
Business Solutions on Cloud (SaaS: Gain immediate access with business solutions on cloud). Capabilities provided to consumers for using a provider’s applications. Key security concerns: Federate identity between the cloud and on-premise IT; Proper user authentication; Audit and compliance testing; Encrypt data, both in motion and at rest; Integrate existing security

19 How to Compromise A Company Cloud Security Policy

20 Understanding cloud security: using Cloud Reference Model with foundational security controls
IBM Cloud Reference Model (Design, Deploy, Consume):
Cloud Governance: Cloud specific security governance including directory synchronization and geo locational support
Security Governance, Risk Management & Compliance: Security governance including maintaining security policy and audit and compliance measures
Problem & Information Security Incident Management: Management and responding to expected and unexpected events
Identity and Access Management: Strong focus on authentication of users and management of identity
Discover, Categorize, Protect Data & Information Assets: Strong focus on protection of data at rest or in transit
Information Systems Acquisition, Development, and Maintenance: Management of application and virtual machine deployment
Secure Infrastructure Against Threats and Vulnerabilities: Management of vulnerabilities and their associated mitigations with strong focus on network and endpoint protection
Physical and Personnel Security: Protection for physical assets and locations including networks and data centers, as well as employee security

21 IBM Cloud Security: One Size Does Not Fit All
Protection and risk management in the cloud build on traditional approaches, applied to new models. Each model has different aspects to consider. Different security controls are appropriate for different cloud needs - the challenge becomes one of integration, coexistence, and recognizing what solution is best for a given workload.
IBM Security Framework

22 Security GRC
Solving the Urgent Questions: Am I compliant? What controls are needed? Can I prove it?

23 Identity and Access in a Smarter Planet
Solving the Urgent Questions: What's identity in the cloud? Can I restrict privileged users? Who has access? How does Federation fit in?

24 Protect sensitive data from malicious activity
Solving the Urgent Questions: Where's my sensitive data? How can I keep data secure? What are DBAs doing?

25 Securing applications by design, not after disruption
Solving the Urgent Questions: How do I develop apps securely? How do I stop vulnerability exploitations?

26 A platform for converged endpoint
Solving the Urgent Questions: How do I manage all these devices? How do I secure mobile devices?

27 Keep the bad guys out of the network
Solving the Urgent Questions: Who's attacking my system? What's the latest threat intelligence? How do I manage all the data?

28 Modernize traditional surveillance systems
Solving the Urgent Questions: Can I automate my video surveillance?

29 IBM has extensive real-world experience delivering public and private cloud services
“IBM has one of the most comprehensive cloud portfolios, with the cloud integrated throughout its many lines of business. Moreover, IBM’s consulting arm has put them in touch with numerous early adopters and special use cases— all of which helps the company stay ahead of competitors.” – Jeff Vance, Datamation
managed virtual machines. public cloud users. daily client transactions through public cloud. successful private cloud engagements.

30 What are the issues we will face going forward…
Security and Privacy Domains: People and Identity; Application and Process; Network, Server and Endpoint; Data and Information; Physical Infrastructure; Governance, Risk and Compliance
To cloud: Multiple Logins, Numerous Roles; Multi-tenancy, Shared Resources; Audit Silos, Logging Difficulties; Provider Controlled, Lack of Visibility; Virtualization, Reduced Access; External Facing, Quick Provisioning
Driven by multiple people accessing multiple devices via multiple clouds
Standardisation, Interoperability, Big Data, Governance

31 Our focus is in two areas of cloud security
Security from the Cloud / Security for the Cloud
Public cloud: Off premise. Private cloud: On premise.
Cloud-based Security Services: Use cloud to deliver security as-a-Service - focusing on services such as vulnerability scanning, web and security, etc.
Securing the Private Cloud stack – focusing on building security into the cloud infrastructure and its workloads
Secure usage of Public Cloud applications – focusing on Audit, Access and Secure Connectivity

32 In summary
Over the past several years, security concerns surrounding cloud computing have become the most common inhibitor of widespread usage. This often translates to: where is my data, who will be able to access it, and how will I maintain oversight and governance?
Each cloud model has different features, which changes the way security gets delivered, which in turn changes the way we look at security governance and assurance.
Determining your desired security posture and enabling cloud in such a way that the new risks can be managed in a rapidly changing landscape....
Private cloud, Public cloud, Hybrid IT
