Security and Cloud Computing
Christopher Ensey
IBM Federal, Principal Security Strategist
Assoc. Director, IBM Institute for Advanced Security
censey@us.ibm.com
@IBMFedCyber

Outline
• Security: Grand Challenge for the Adoption of Cloud Computing
• IBM Capabilities for Cloud Security
• IBM USAF MOCA
Security – Grand Challenge for the Adoption of Cloud Computing

What is Cloud Security?
Confidentiality, integrity and availability of mission-critical IT assets stored or processed on a cloud computing platform (cloud computing, Software as a Service, utility computing, grid computing).
"There is nothing new under the sun but there are lots of old things we don't know."
Ambrose Bierce, The Devil's Dictionary
Where is the Data? Moving from Private to Public Leads to a Real or Perceived Loss of Control
• 33% of respondents are concerned with cloud interfering with their ability to comply with regulations
• 80% of enterprises consider security the #1 inhibitor to cloud adoption
• 48% of enterprises are concerned about the reliability of clouds
We Have Control (private):
• It's located at X.
• We have backups.
• Our admins control access.
• Our uptime is sufficient.
• The auditors are happy.
• Our security team is engaged.
Who Has Control? (public):
• Where is it located?
• Who backs it up?
• Who has access?
• How resilient is it?
• How do auditors observe?
• How does our security team engage?
Source: Driving Profitable Growth Through Cloud Computing, IBM Study, 2008 (conducted by Oliver Wyman)

Specific Customer Concerns Related to Security (bar chart; values 30%, 21%, 15%, 12%, 9%, 8%, 6%, 3%)
Source: Deloitte Enterprise@Risk: Privacy and Data Protection Survey, 2007
Workloads May Be at Different Levels of Cloud Readiness (market bias: private cloud vs. public cloud)
Ready for cloud:
• New workloads made possible by clouds
• Isolated workloads
• Mature workloads
• Pre-production systems
May not yet be ready for migration:
• Sensitive data
• Highly customized business processes
• Not yet virtualized
• 3rd-party software
• Complex processes and transactions
• Regulation-sensitive workloads
Workload examples on the chart: Collaborative Care, Medical Imaging, Analytics, Infrastructure Storage, Financial Risk, Industry Applications, Information-intensive, Energy Management, Collaboration, Workplace / Desktop & Devices, Disaster Recovery, Development & Test, Batch Processing, Infrastructure Compute.

One Size Does Not Fit All: Different Cloud Workloads Have Different Risk Profiles (need for security assurance plotted against mission risk: low-risk, mid-risk, high-risk)
Today's clouds are primarily at the low-risk end (training and testing with non-sensitive data; analysis and simulation with public data):
• Lower-risk workloads
• One-size-fits-all approach to data protection
• No significant assurance
• Price is key
Tomorrow's high-value / high-risk workloads (mission-critical workloads, personal information) need:
• Quality of protection adapted to risk
• Direct visibility and control
• Significant level of assurance
IBM and Cloud Security

IBM's Strategy for Cloud Security
IBM Security Framework: risk management-based approach to security
• Provider of Security Products for Clouds
• Provider of Cloud-based Security Services
• Provider of Secure Clouds

IBM as Provider of Security Products for Clouds, and IBM as Provider of Cloud-based Security Services
Offerings are delivered as products, as professional services (GRC), or as cloud-based and managed services.
• Security Governance, Risk and Compliance: SIEM and Log Management; GRC
• Identity and Access Management: Identity Management; Access Management
• Data Security: Data Loss Prevention; Encryption and Key Lifecycle Management; Messaging Security; E-mail Security; Database Monitoring and Protection; Data Masking
• Application Security: App Vulnerability Scanning; Web Application Firewall; App Source Code Scanning; Web / URL Filtering; SOA Security; Access and Entitlement Management
• Infrastructure Security: Vulnerability Assessment; Mainframe Security; Threat Assessment; Web / URL Filtering; Intrusion Prevention System; Firewall, IDS/IPS, MFS Mgmt.; Security Event Management; Virtual System Security
• Physical Security
Cloud Security = SOA Security + Secure Virtualized Runtime
Service-oriented architecture:
• SOA security model and protocols apply
• Technical challenges: multi-tenancy, crossing trust domains, REST-based services, new protocols (e.g., OpenID)
• Definitional challenges: profiles and security SLAs for cloud
Virtualized runtime, top threats and risks in cloud computing:
• Process/VM isolation, data segregation, multi-tenancy
• Malicious insiders (co-tenants, cloud provider)
• Management (incl. self-service) interface compromise
• Insecure interfaces and APIs
• Uncertainty over data location
• Data protection and security
• Data recovery, resiliency
• Insecure or incomplete data deletion
• Account or service hijacking
• Abuse of cloud services (extrusion)
• Compliance risks
Source: CSA (2010), ENISA (2009), Gartner (2008), IBM X-Force (2010)

Example of SOA-style Security Applied to Cloud: IBM Tivoli Federated Identity Manager
• Centralized user access management to on- and off-premise apps and services
• Tools for user enrollment, WS-Trust based security token services, web access management
• Supported federation protocols: SAML 1.0 / 1.1 / 2.0, WS-Federation, Liberty ID-FF 1.1 / 1.2, Information Card Profile 1.0, OpenID
TFIM = Tivoli Federated Identity Manager
TFIM BG = TFIM Business Gateway for SMB deployment
TSPM = Tivoli Security Policy Manager for data entitlement management
Example of Securing the Virtualized Runtime: IBM Security Virtual Server Protection for VMware vSphere 4
• VMsafe integration
• Firewall and intrusion prevention
• Rootkit detection / prevention
• Inter-VM traffic analysis
• Automated protection for mobile VMs (VMotion)
• Virtual network segment protection
• Virtual network-level protection
• Virtual infrastructure auditing (privileged user)
• Virtual network access control
This is an example where virtualization enables an approach to security that would not be possible in a non-virtualized infrastructure: the hypervisor sees every guest and all inter-VM traffic, so protection does not depend on an agent inside each VM.

Cloud Security Services: Smart Security Services Delivered from the IBM Cloud
Subscription service, monitoring and management, cloud based; offloads security tasks on the ground from the customer.
1. Hosted Security Event and Log Management: offsite management of logs and events from IPSs, firewalls and OSs
2. Hosted Vulnerability Management: proactive discovery and remediation of vulnerabilities
3. Hosted Email and Web Security: protection against spam, worms, viruses, spyware, adware and offensive content
4. Hosted X-Force® Threat Analysis Service: customized security intelligence based on threat information from the X-Force research and development team
Cloud Service Model Suggests Split of Responsibilities between Provider and Subscriber
Who is responsible for security at each level?

  Level            Infrastructure-   Platform-     Application-   Business Process-
                   as-a-Service      as-a-Service  as-a-Service   as-a-Service
  Datacenter       Provider          Provider      Provider       Provider
  Infrastructure   Provider          Provider      Provider       Provider
  Middleware       Subscriber        Provider      Provider       Provider
  Application      Subscriber        Subscriber    Provider       Provider
  Process          Subscriber        Subscriber    Subscriber     Provider

The provider/subscriber service agreement determines the actual responsibilities.

IBM's Approach to Providing Secure Clouds
Client Services (customized by client):
• Client's responsibility
• IBM does not touch client resources
• IBM provides guidance for customization and management of client services
Base Services (offered by IBM):
• IBM's responsibility
• IBM provides tested base services
IBM Cloud Computing Platform and IBM Global Cloud Data Centers:
• IBM's responsibility
• Base operated and managed according to IBM's internal technical and organizational security standards
• Extensive regular internal legal, geo-specific, data privacy and technical reviews
• Regular ethical hacking / security testing
• Based on IBM's strategic outsourcing practices and the IBM Common Cloud Reference Architecture
• Hardened management interfaces and cloud service management
• State-of-the-art data center service management
• Cloud subscriber management based on IBM Web Identity
• State-of-the-art data-center security (physical, organizational, system, network)
• Strict policies and extensive monitoring to control privileged users
IBM Cloud Security in Action – IBM LotusLive: security through the entire lifecycle and stack

IBM Cloud Security in Action – IBM Compute Cloud

IBM and US Air Force: MOCA

MOCA Purpose – Address Hard Engineering Problems for Cloud and Cyber Defense
• MOCA = Mission Oriented Cloud Architecture
• A combined effort between IBM and the US Air Force to explore the feasibility of cloud architectures in a mission setting.
• Main areas of investigation: network awareness; situational awareness; application and database vulnerability detection; network defense; cloud management
MOCA Scope
The Mission Oriented Cloud Architecture (MOCA) project expands on four areas in cloud computing:
• Network Awareness
  • Advanced analytic processing coupled via sensors, monitors and other detection devices
  • Application and database vulnerability detection
  • Innovative technology leveraging IBM research investments in trusted virtual datacenters
• Network Defense
  • Automated re-provisioning of the cloud to respond to cyber events: isolation of compromised virtual machines, reconfiguration of security policies, etc.
  • Policy-based security compliance reporting and enforcement
• Cloud Management
  • Real-time situational awareness of the cloud environment, security posture and network
  • Secure collaboration in support of the mission and during threat events

MOCA Investigates Scope through Seven Functional Areas
The MOCA research will explore the scope areas through AF-directed research and development in the following functional areas:
• Foundational Cloud Computing
• Resilience
• Compliance
• Analytics
• Deep Packet Inspection
• Multi-tenancy
• Secure Collaboration
Area #1, Foundational Cloud Computing – Establish the Infrastructure
Provides cloud computing foundation system functionality for:
• Federated identity management capability
• Process governance for approval purposes
• Automated and request-driven provisioning
• Foundational service discovery
• Operational service deployment
• Service delivery monitoring
• Operational monitoring
IBM Technology:
• Tivoli Service Automation Manager
• IBM Tivoli Monitoring
• Tivoli Access Manager and Federated Identity Manager
• SOA Governance Process

Area #2, Resilience – Keeping Core Capability Militarily Relevant
• Protect: the network, systems, services and data.
• Rebuild: reconstruction of damaged cloud resources; rapid restoration from gold copies
• Relocate: relocation of virtualized resources; rapid relocation to a new VLAN
IBM Technology:
• ISS Site Protector
• ISS Proventia IPS
• Guardium
Area #3, Compliance – Adherence to Security Policy
• Compliance provides distribution, revocation and integrity services for security policies
• Security policy resides in the policy engine
• Policies are distributed by the distribution engine and checked cyclically by the compliance engine; a host that reports against a revoked policy version is out of compliance even if its settings match, because it is enforcing withdrawn rules
• Security policies for the network perimeter, DMZ, applications, hosts and network devices are included
IBM Technologies:
• Tivoli Endpoint Manager
• Tivoli Compliance Manager
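The three services the slide names (distribution, revocation, integrity) and the cyclic check can be shown end to end in a few functions. The following is an added example written for this page, not IBM Tivoli code: the policy format, the HMAC-SHA256 key standing in for the distribution engine's signature, and the host inventory are all constructed.

```python
"""Policy compliance cycle (added example): sign a policy, verify its integrity on
delivery, evaluate hosts against it, and flag hosts still on a revoked version.
Hypothetical policy format and constructed hosts; not IBM Tivoli Compliance Manager code."""
import hashlib
import hmac
import json

# Assumption: a shared HMAC-SHA256 key stands in for the policy engine's signing key.
POLICY_KEY = b"example-policy-signing-key"


def sign_policy(policy: dict) -> dict:
    """Policy/distribution engine side: attach an integrity tag to a policy document."""
    body = json.dumps(policy, sort_keys=True).encode()
    return {"body": policy, "mac": hmac.new(POLICY_KEY, body, hashlib.sha256).hexdigest()}


def verify_policy(signed: dict) -> bool:
    """Enforcement side: accept a distributed policy only if the tag verifies."""
    body = json.dumps(signed["body"], sort_keys=True).encode()
    expected = hmac.new(POLICY_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["mac"])


def _violates(op: str, actual, want) -> bool:
    """Rule operators: exact match, numeric floor, or a list that must not contain a value."""
    if op == "eq":
        return actual != want
    if op == "min":
        return actual is None or actual < want
    if op == "excludes":
        return want in (actual or [])
    raise ValueError(f"unknown operator {op!r}")


def evaluate(policy: dict, host: dict) -> list:
    """Return (rule_id, setting, actual_value) for every rule the host fails."""
    findings = []
    for rule in policy["rules"]:
        actual = host["config"].get(rule["setting"])
        if _violates(rule["op"], actual, rule["value"]):
            findings.append((rule["id"], rule["setting"], actual))
    return findings


def run_cycle(signed_policy: dict, hosts: list, revoked_versions: set) -> dict:
    """One pass of the cyclic compliance check over the host inventory."""
    if not verify_policy(signed_policy):
        raise RuntimeError("policy integrity check failed; refusing to enforce")
    policy = signed_policy["body"]
    report = {}
    for host in hosts:
        if host["policy_version"] in revoked_versions:
            # Revocation: the host is still enforcing a withdrawn policy, so its
            # self-reported state is not evaluated; it needs redistribution first.
            report[host["name"]] = {"status": "stale-policy", "findings": []}
            continue
        findings = evaluate(policy, host)
        report[host["name"]] = {"status": "non-compliant" if findings else "compliant",
                                "findings": findings}
    return report


# Constructed sample policy (perimeter/host rules) and host inventory.
PERIMETER_POLICY = {
    "version": "2011-03-v2",
    "rules": [
        {"id": "SSH-1", "setting": "ssh.permit_root_login", "op": "eq", "value": False},
        {"id": "FW-1", "setting": "firewall.enabled", "op": "eq", "value": True},
        {"id": "TLS-1", "setting": "tls.min_version", "op": "min", "value": 1.2},
        {"id": "SVC-1", "setting": "services.listening", "op": "excludes", "value": "telnet"},
    ],
}
HOSTS = [
    {"name": "dmz-web01", "policy_version": "2011-03-v2",
     "config": {"ssh.permit_root_login": False, "firewall.enabled": True,
                "tls.min_version": 1.2, "services.listening": ["https", "ssh"]}},
    {"name": "app-vm17", "policy_version": "2011-03-v2",
     "config": {"ssh.permit_root_login": True, "firewall.enabled": True,
                "tls.min_version": 1.0, "services.listening": ["http", "telnet"]}},
    {"name": "legacy-db02", "policy_version": "2011-03-v1",
     "config": {"ssh.permit_root_login": False, "firewall.enabled": False}},
]

if __name__ == "__main__":
    signed = sign_policy(PERIMETER_POLICY)
    for name, result in run_cycle(signed, HOSTS, revoked_versions={"2011-03-v1"}).items():
        print(name, result["status"], result["findings"])
```

Two points the code makes explicit: an enforcement point must refuse a policy whose integrity tag fails rather than fall back to the previous one silently, and a host on a revoked version is reported as a distribution problem, not as compliant, even when its settings happen to match.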
Area #4, Analytics – Know It Now; Respond Now
• Analytics provide real-time autonomic policy responses based on network attack detection
• Sensors across the enterprise provide input to the ingest engine
• The ingest engine filters inputs and provides clean sensor data to the analytics engine for classification and correlation
• The response engine provides the autonomic security policy actions based on the correlated event decision logic
IBM Technologies:
• InfoSphere Streams
• Tivoli Endpoint Manager

Area #5, Deep Packet Inspection – Is It Safe? Provide behavior-based, near-real-time detection and response to network-level threats
• All network traffic traversing the cloud is inspected for behavior-based attacks
• IP-level inspection in the Network Threat Analyzer detects malformed messages, illegal content and previously detected classes of attacks
• Detected threats cause autonomic security policy changes to be implemented
IBM Technologies:
• ISS Intrusion Prevention Systems
• Tivoli Endpoint Manager
• Tivoli Compliance Manager
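Areas #4 and #5 describe one pipeline: a packet-inspecting sensor emits events, the ingest engine cleans them, the analytics engine correlates them into a verdict, and the response engine turns the verdict into policy actions such as isolating a VM (the network-defense goal stated in the MOCA scope). The example below is added for this page and is not InfoSphere Streams or ISS code; the traffic, the detection rules, the correlation window and the action names are all constructed.

```python
"""Analytics and response pipeline (added example): a DPI sensor feeds an ingest
engine, a correlation engine turns event sequences into verdicts, and a response
engine maps verdicts to autonomic policy actions. Constructed traffic, illustrative
signatures and hypothetical action names; not IBM InfoSphere Streams or ISS code."""
from collections import defaultdict

WINDOW = 600  # seconds: how far apart two events may be and still be correlated
REQUIRED = {"ts", "sensor", "src", "dst", "type"}


def inspect_http(ts: int, src: str, dst: str, payload: bytes) -> list:
    """DPI sensor: behaviour-based checks on one HTTP request (rules are illustrative)."""
    request_line = payload.split(b"\r\n", 1)[0]
    base = {"ts": ts, "sensor": "dpi", "src": src, "dst": dst}
    events = []
    # Malformed message: oversized request line or non-printable bytes in it.
    if len(request_line) > 2048 or any(b < 0x20 or b > 0x7E for b in request_line):
        events.append(dict(base, type="malformed-request", confidence=0.9))
    # Previously seen attack class: directory traversal in the request target.
    if b"../" in request_line or b"%2e%2e" in request_line.lower():
        events.append(dict(base, type="exploit-attempt", confidence=0.8))
    return events


def ingest(raw: list) -> list:
    """Ingest engine: drop malformed, low-confidence and duplicate sensor records."""
    clean, seen = [], set()
    for ev in raw:
        if not REQUIRED.issubset(ev) or ev.get("confidence", 1.0) < 0.5:
            continue
        key = (ev["ts"], ev["sensor"], ev["src"], ev["dst"], ev["type"])
        if key not in seen:
            seen.add(key)
            clean.append(ev)
    return sorted(clean, key=lambda e: e["ts"])


def correlate(events: list) -> list:
    """Analytics engine: sequence rules that classify exploit attempts by context."""
    by_dst = defaultdict(list)
    for ev in events:
        by_dst[ev["dst"]].append(ev)
    verdicts = []
    for dst, evs in by_dst.items():
        for e in (x for x in evs if x["type"] == "exploit-attempt"):
            # Rule 1: reconnaissance from the same source shortly before the exploit.
            if any(s["type"] == "port-scan" and s["src"] == e["src"]
                   and 0 <= e["ts"] - s["ts"] <= WINDOW for s in evs):
                verdicts.append({"verdict": "targeted-attack", "host": dst, "attacker": e["src"]})
            # Rule 2: the victim begins beaconing out after the exploit.
            if any(b["type"] == "outbound-c2" and b["src"] == dst
                   and 0 <= b["ts"] - e["ts"] <= WINDOW for b in events):
                verdicts.append({"verdict": "host-compromised", "host": dst, "attacker": e["src"]})
    return verdicts


# Hypothetical action names; a real response engine would call the firewall,
# hypervisor and identity systems to apply them.
PLAYBOOK = {
    "targeted-attack": [("block-src", "attacker"), ("snapshot-vm", "host")],
    "host-compromised": [("isolate-vm", "host"), ("revoke-host-credentials", "host"),
                         ("block-src", "attacker")],
}


def respond(verdicts: list) -> list:
    """Response engine: expand verdicts into de-duplicated policy actions."""
    actions = []
    for v in verdicts:
        for action, target in PLAYBOOK[v["verdict"]]:
            a = {"action": action, "target": v[target]}
            if a not in actions:
                actions.append(a)
    return actions


def run_pipeline(raw_events: list) -> tuple:
    events = ingest(raw_events)
    verdicts = correlate(events)
    return events, verdicts, respond(verdicts)


# Constructed sample: a port scan, a traversal attempt caught by the DPI sensor,
# then the victim beaconing to an outside host; plus three records ingest must drop.
ATTACKER, VICTIM = "203.0.113.7", "10.0.5.21"
RAW_EVENTS = [
    {"ts": 100, "sensor": "netflow", "src": ATTACKER, "dst": VICTIM, "type": "port-scan"},
    {"ts": 100, "sensor": "netflow", "src": ATTACKER, "dst": VICTIM, "type": "port-scan"},  # duplicate
    {"ts": 120, "sensor": "netflow", "src": ATTACKER, "type": "port-scan"},  # malformed: no dst
    {"ts": 130, "sensor": "ids", "src": "198.51.100.9", "dst": VICTIM,
     "type": "exploit-attempt", "confidence": 0.2},  # below confidence threshold
    *inspect_http(160, ATTACKER, VICTIM, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\nHost: x\r\n\r\n"),
    {"ts": 400, "sensor": "netflow", "src": VICTIM, "dst": "192.0.2.50", "type": "outbound-c2"},
]

if __name__ == "__main__":
    for a in run_pipeline(RAW_EVENTS)[2]:
        print(a["action"], a["target"])
```

The design point is the separation of stages: the sensor only reports what it saw, the ingest stage is where untrusted or duplicated records are discarded before they can skew correlation, and the playbook is data, so the autonomic actions can be reviewed and changed without touching the detection logic.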
Area #6, Multi-Tenancy – Peaceful, Secure Co-existence
• Validate VM isolation management
  • Prove that data confidentiality exists between images
  • Prove the ability to detect and correct image provisioning anomalies
  • Test that deployed VM images are correctly configured
  • Show that corrective actions for mis-configured VM images can be applied
• Prove rapid provisioning capabilities
  • Rapid deployment of new VM images
  • Rapid provisioning of new images
  • Rapid access by new users
IBM Technologies:
• ISS Site Protector
• Tivoli Service Automation Manager
• Tivoli Endpoint Manager
• Tivoli Compliance Manager
• ISS Virtual Server Protection

Area #7, Secure Collaboration – Sharing Information Securely
Prove that documents can be shared securely. Functionality includes:
• Validate that tagging and protecting portions of an XML document reflect security classification
• Prove that label-based access controls can be applied, allowing group or community access
• Test that document check-in / check-out capabilities are present
• Provide metadata-based search capabilities across multiple documents
IBM Technologies:
• IBM FileNet Content Manager
• Tivoli Access Manager
• Tivoli Identity Manager
• LotusLive
• Lotus Symphony
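The first two items in Area #7, portion marking of an XML document and label-based access control over those portions, can be demonstrated with the standard library alone. The following is an added example written for this page, not IBM FileNet or Tivoli Access Manager code: the `classification` and `compartments` attribute names, the level ordering, the inheritance rule for unmarked portions and the sample report are all assumptions made here.

```python
"""Label-based access control over XML portions (added example): each element may
carry a classification mark; a reader's view keeps only the portions the reader's
clearance dominates, and the document's overall mark is checked to cover every
portion. Constructed document and hypothetical attribute names; not IBM FileNet or
Tivoli Access Manager code."""
import copy
import xml.etree.ElementTree as ET

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}
NAMES = {v: k for k, v in LEVELS.items()}
LABEL_ATTR, COMPART_ATTR = "classification", "compartments"  # hypothetical attribute names


def label_of(el, inherited):
    """A portion with its own mark is labelled exactly by that mark (level plus any
    listed compartments); an unmarked portion inherits the enclosing label."""
    mark = el.get(LABEL_ATTR)
    if mark is None:
        return inherited
    return LEVELS[mark], frozenset(el.get(COMPART_ATTR, "").split())


def dominates(clearance, label):
    """(level, compartments) dominance: at least as high, and holding every compartment."""
    return clearance[0] >= label[0] and label[1] <= clearance[1]


def highest_mark(el, inherited=(0, frozenset())):
    """Least upper bound of all portion labels inside el."""
    label = label_of(el, inherited)
    level, comps = label
    for child in el:
        c_level, c_comps = highest_mark(child, label)
        level, comps = max(level, c_level), comps | c_comps
    return level, comps


def validate_marking(root) -> bool:
    """The document's overall mark must dominate every portion it contains."""
    if not dominates(label_of(root, (0, frozenset())), highest_mark(root)):
        raise ValueError("document mark is lower than one of its portion marks")
    return True


def redact(root, clearance):
    """Copy of root in which every portion not dominated by clearance is replaced by
    an empty <redacted/> element recording only the withheld level, so a reader
    learns that something was withheld but not its content or compartments."""
    validate_marking(root)
    doc = copy.deepcopy(root)
    _prune(doc, clearance, label_of(doc, (0, frozenset())))
    return doc


def _prune(el, clearance, label):
    for idx, child in enumerate(list(el)):
        child_label = label_of(child, label)
        if dominates(clearance, child_label):
            _prune(child, clearance, child_label)
        else:
            marker = ET.Element("redacted", {LABEL_ATTR: NAMES[child_label[0]]})
            marker.tail = child.tail
            el.remove(child)
            el.insert(idx, marker)


def outline(doc) -> list:
    """Top-level portions of a view, as (tag, text) pairs."""
    return [(child.tag, (child.text or "").strip()) for child in doc]


def load(xml_text: str):
    return ET.fromstring(xml_text)


# Constructed sample: a SECRET//ALPHA report with individually marked portions.
REPORT_XML = """<report classification="SECRET" compartments="ALPHA">
  <title>Mission summary</title>
  <summary classification="UNCLASSIFIED">Exercise completed on schedule.</summary>
  <section classification="CONFIDENTIAL">Logistics notes.</section>
  <section classification="SECRET">Fuel state and timeline.</section>
  <section classification="SECRET" compartments="ALPHA">Sensor placement details.</section>
</report>"""

if __name__ == "__main__":
    report = load(REPORT_XML)
    for who, clearance in [("analyst", (LEVELS["CONFIDENTIAL"], frozenset())),
                           ("planner", (LEVELS["SECRET"], frozenset())),
                           ("alpha-cell", (LEVELS["SECRET"], frozenset({"ALPHA"})))]:
        print(who, outline(redact(report, clearance)))
```

Note the failure modes the code handles: the unmarked `<title>` takes the document's overall label, so it is withheld from anyone not cleared for the whole report rather than leaking by default, and a document whose banner is lower than one of its portions is rejected before any view is produced, which is the "tagging reflects classification" check the slide calls for.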
Situational Awareness – Getting the Big Picture

Thank you!
For more information, please visit:
ibm.com/federal
ibm.com/federal/security
Follow me on Twitter: @IBMFedCyber
Or send me an email: censey@us.ibm.com