Christopher Ensey, IBM Federal, Principal Security Strategist; Assoc. Director, IBM Institute for Advanced Security

Security and Cloud Computing

Outline

  • Security: Grand Challenge for the Adoption of Cloud Computing
  • IBM Capabilities for Cloud Security

Security – Grand Challenge for the Adoption of Cloud Computing

What is Cloud Security?

Confidentiality, integrity, availability of mission-critical IT assets stored or processed on a cloud computing platform

  • Cloud Computing
  • Software as a Service
  • Utility Computing
  • Grid Computing

"There is nothing new under the sun but there are lots of old things we don't know."
Ambrose Bierce, The Devil's Dictionary

Of respondents are concerned with cloud interfering with their ability to comply with regulations

Of enterprises consider security #1 inhibitor to cloud adoptions

Of enterprises are concerned about the reliability of clouds


Where is the Data? – Moving from Private to Public Leads to a Real or Perceived Loss of Control

We Have Control

  • It’s located at X.
  • We have backups.
  • Our admins control access.
  • Our uptime is sufficient.
  • The auditors are happy.
  • Our security team is engaged.

Who Has Control?

  • Where is it located?
  • Who backs it up?
  • Who has access?
  • How resilient is it?
  • How do auditors observe?
  • How does our security team engage?

Source: Driving Profitable Growth Through Cloud Computing, IBM Study, 2008 (conducted by Oliver Wyman)

Specific Customer Concerns Related to Security









Source: Deloitte Enterprise@Risk: Privacy and Data Protection Survey, 2007


Workloads may be at Different Levels of Cloud Readiness

[Figure: workloads by cloud readiness. Market bias: private cloud, public cloud. Groupings: "New workloads made possible by clouds ..." and "May not yet be ready for migration ...". Workload labels: Collaborative Care; Medical Imaging; Infrastructure Storage; Financial Risk; Industry Applications; Energy Management; Workplace, Desktop & Devices; Business Processes; Disaster Recovery; Not yet virtualized 3rd party SW]

One-size does not fit-all: Different cloud workloads have different risk profiles

[Chart axes: Need for Security Assurance, Mission Risk. Workload labels: Mission-critical workloads, personal information; Analysis & simulation with public data; Training, testing with non-sensitive data]

Tomorrow’s high value / high risk workloads need:

  • Quality of protection adapted to risk
  • Direct visibility and control
  • Significant level of assurance

Today’s clouds are primarily here:

  • Lower risk workloads
  • One-size-fits-all approach to data protection
  • No significant assurance
  • Price is key

IBM and Cloud Security

IBM's Strategy for Cloud Security

IBM Security Framework: Risk management-based approach to security

  • Provider of Security Products for Clouds
  • Provider of Cloud-based Security Services
  • Provider of Secure Clouds

IBM as Provider of Security Products for Clouds, and IBM as Provider of Cloud-based Security Services

Legend: Professional Services; Cloud-based & Managed Services; Products

  • Security Governance, Risk and Compliance
    • SIEM and Log Management
  • Identity and Access Management
    • Identity Management
    • Access Management
  • Data Security
    • Data Loss Prevention
    • Encryption and Key Lifecycle Management
    • Messaging Security
    • E-mail Security
    • Database Monitoring and Protection
    • Data Masking
  • Application Security
    • App Vulnerability Scanning
    • Web Application Firewall
    • App Source Code Scanning
    • Web / URL Filtering
    • SOA Security
    • Access and Entitlement Management
  • Infrastructure Security
    • Vulnerability Assessment
    • Mainframe Security
    • Threat Assessment
    • Web/URL Filtering
    • Intrusion Prevention System
    • Firewall, IDS/IPS, MFS Mgmt.
    • Security Event Management
    • Virtual System Security
  • Physical Security

Cloud Security = SOA Security + Secure Virtualized Runtime

Service-oriented Architecture

  • SOA Security model and protocols apply
  • Technical challenges: multi-tenancy, across trust domain, REST-based, new protocols (e.g., OpenID)
  • Definitional challenges: profiles and security SLAs for cloud

Virtualized Runtime

Top Threats and Risks in Cloud Computing

  • Process/VM Isolation, data segregation, multi-tenancy
  • Malicious insiders (co-tenants, cloud provider)
  • Management (incl. self-service) interface compromise
  • Insecure interfaces and APIs
  • Uncertainty over data location
  • Data protection and security
  • Data recovery, resiliency
  • Insecure or incomplete data deletion
  • Account or service hijacking
  • Abuse of cloud services (extrusion)
  • Compliance risks

Source: CSA (2010), ENISA (2009), Gartner (2008), IBM X-Force (2010)

Example for SOA-style Security applied to Cloud: IBM Tivoli Federated Identity Manager

SAML 1.0 / 1.1 / 2.0


Liberty ID-FF 1.1/ 1.2

Information Card Profile 1.0


Centralized user access management to on- and off-premise apps and services

Tools for user enrollment, WS-Trust based security token services, web access management

TFIM = Tivoli Federated Identity Manager

TFIM BG = TFIM Business Gateway for SMB deployment

TSPM = Tivoli Security Policy Manager for data entitlement management

Example for Securing the Virtualized Runtime: IBM Security Virtual Server Protection for VMware vSphere 4
  • VMsafe Integration
  • Firewall and Intrusion Prevention
  • Rootkit Detection / Prevention
  • Inter-VM Traffic Analysis
  • Automated Protection for Mobile VMs (VMotion)
  • Virtual Network Segment Protection
  • Virtual Network-Level Protection
  • Virtual Infrastructure Auditing (Privileged User)
  • Virtual Network Access Control

This is an example where virtualization enables an approach to security that would not be possible in a non-virtualized infrastructure!

Cloud Security Services: Smart Security Services delivered from the IBM Cloud

Subscription service; Monitoring and management; Cloud based

  • Hosted Security Event and Log Management: Offsite management of logs and events from IPS’s, Firewalls and OSs
  • Hosted Vulnerability Management: Proactive discovery and remediation of vulnerabilities
  • Hosted Email and Web Security: Protection against spam, worms, viruses, spyware, adware, and offensive content
  • Hosted X-Force® Threat Analysis Service: Customized security intelligence based on threat information from X-Force research and development team

To the Customer – Offloading Security Tasks on the Ground

Cloud Service Model Suggests Split of Responsibilities between Provider and Subscriber

Who is responsible for security at the … level?

  • Datacenter
  • Infrastructure
  • Middleware
  • Application
  • Process

Business Process-as-a-Service

Provider/Subscriber service agreement determines actual responsibilities.

IBM's Approach to Providing Secure Clouds

Client Services (Customized by Client)

  • Client's responsibility
  • IBM does not touch client resources
  • IBM provides guidance for customization and management of client services

Base Services (Offered by IBM)

  • IBM's responsibility
  • IBM provides tested base services

IBM Cloud Computing Platform
IBM Global Cloud Data Centers

  • IBM's responsibility
  • Base operated and managed according to IBM's internal technical and organizational security standards
  • Extensive regular internal legal, geo-specific, data privacy, technical reviews
  • Regular ethical hacking/security testing
  • Based on IBM's strategic outsourcing practices and the IBM Common Cloud Reference Architecture
  • Hardened management interfaces and cloud service management
  • State-of-the-art data center service management
  • Cloud subscriber management based on IBM Web Identity
  • State-of-the-art data-center security (physical, organizational, system, network)
  • Strict policies and extensive monitoring to control privileged users

IBM Cloud Security in Action – IBM LotusLive

Security through the entire lifecycle and stack

IBM and US Air Force: MOCA

MOCA Purpose – Address Hard engineering problems for cloud and cyber defense
  • MOCA = Mission Oriented Cloud Architecture
  • A combined effort between IBM and the US Air Force to explore feasibility of cloud architectures in a mission setting.
  • Main Areas of Investigation:
    • Network awareness
    • Situational awareness
    • Application and database vulnerability detection
    • Network defense
    • Cloud management

MOCA Scope
  • The Mission Oriented Cloud Architecture (MOCA) project expands on four areas in cloud computing:
    • Network Awareness
      • Advanced Analytic processing coupled via sensors, monitors and other detection devices
    • Application and database vulnerability detection
      • Innovative technology leveraging IBM research investments in trusted virtual datacenters
    • Network Defense
      • Automated re-provisioning of the cloud to respond to Cyber events: isolation of compromised virtual machines, reconfiguration of security policies, etc.
      • Policy based security compliance reporting and enforcement
    • Cloud Management
      • Real-time situational awareness of the cloud environment, security posture and network
      • Secure collaboration in support of the mission and during threat events

MOCA Investigates Scope through Seven Functional Areas

The MOCA research will explore the scope areas through AF directed research and development in the following functional areas:

  • Foundational Cloud Computing
  • Resilience
  • Compliance
  • Analytics
  • Deep Packet Inspection
  • Multi-tenancy
  • Secure Collaboration

Area #1, Foundational Cloud Computing - Establish the Infrastructure
  • Provides cloud computing foundation system functionality for
    • Federated Identity Management Capability
    • Process governance for approval purposes
    • Automated and Request Driven Provisioning
      • Foundational Service Discovery
      • Operational Service Deployment
      • Service Delivery Monitoring
    • Operational Monitoring
  • IBM Technology
    • Tivoli Service Automation Manager
    • IBM Tivoli Monitoring
    • Tivoli Access Manager and Federated Identity Manager
    • SOA Governance Process

Area #2, Resilience - Keeping core capability militarily relevant
  • Protect: the network, systems, services and data.
  • Rebuild:
    • Reconstruction of damaged cloud resources
    • Rapid restoration from gold copies
  • Relocate:
    • Relocation of virtualized resources
    • Rapid relocation to a new VLAN
  • IBM Technology
    • ISS Site Protector
    • ISS Proventia IPS
    • Guardium

Area #3, Compliance – Adherence to Security Policy
  • Compliance provides distribution, revocation, and integrity services for security policies
  • Security policy resides in the policy engine
  • The policies are distributed by the distribution engine and checked cyclically by the compliance engine
  • Security policies for the network perimeter, DMZ, applications, hosts and network devices are included.
  • IBM Technologies
    • Tivoli End Point Manager
    • Tivoli Compliance Manager

Area #4, Analytics – Know It Now; Respond Now
  • Analytics provide real-time autonomic policy responses based on a network attack detection
  • Sensors across the enterprise provide input to the ingest engine
  • The Ingest engine filters inputs and provides clean sensor data to the analytics engine for classification and correlation
  • The response engine provides the autonomic security policy actions based on the correlated event decision logic
  • IBM Technologies
    • Infosphere Streams
    • Tivoli End Point Manager
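
The ingest, analytics and response stages described in this area, sketched as an added example (not from the presentation and not IBM product code). The record fields, the 60-second window, the two-sensor threshold and the isolate_vm action name are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sensor records (not from the presentation); field names assumed.
RAW_EVENTS = [
    {"ts": 100, "sensor": "ips-1", "vm": "vm-17", "signal": "port_scan"},
    {"ts": 130, "sensor": "fw-2", "vm": "vm-17", "signal": "denied_egress"},
    {"ts": 135, "sensor": "fw-2", "vm": "vm-17", "signal": "denied_egress"},
    {"ts": 140, "sensor": "host-9", "vm": "vm-17", "signal": "new_listener"},
    {"ts": 150, "sensor": "ips-1", "vm": "vm-03", "signal": "port_scan"},
    {"sensor": "fw-2", "vm": "vm-03"},  # malformed: no timestamp or signal
    {"ts": 900, "sensor": "host-4", "vm": "vm-03", "signal": "new_listener"},
]
REQUIRED = ("ts", "sensor", "vm", "signal")

def ingest(raw):
    """Ingest engine: drop malformed records, hand on the rest in time order."""
    clean = [e for e in raw
             if all(k in e for k in REQUIRED) and isinstance(e["ts"], (int, float))]
    return sorted(clean, key=lambda e: e["ts"])

def correlate(events, window=60, min_sensors=2):
    """Analytics engine: flag a VM when several distinct sensors report on it
    within `window` seconds. Expects time-ordered input from ingest()."""
    by_vm = defaultdict(list)
    for e in events:
        by_vm[e["vm"]].append(e)
    incidents = []
    for vm, evs in sorted(by_vm.items()):
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            sensors = {e["sensor"] for e in burst}
            if len(sensors) >= min_sensors:
                incidents.append({"vm": vm, "sensors": sorted(sensors),
                                  "signals": sorted({e["signal"] for e in burst})})
                break  # one incident per VM is enough to trigger a response
    return incidents

def respond(incidents):
    """Response engine: turn each correlated incident into a policy action."""
    return [{"action": "isolate_vm", "vm": i["vm"], "evidence": i["signals"]}
            for i in incidents]
```

A single sensor firing on vm-03 twice, hours apart, produces no action; three sensors agreeing on vm-17 within a minute do.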

Area #5, Deep Packet Inspection – Is It Safe?

Provide behavior-based, near real time detection and response to network level threats
  • All network traffic traversing the cloud is inspected for behavior based attacks
  • IP level inspection detects malformed messages, illegal content, and previously detected classes of attacks in the Network Threat Analyzer
  • Detected threats cause autonomic security policy changes to be implemented
  • IBM Technologies
    • ISS Intrusion Prevention Systems
    • Tivoli Endpoint Manager
    • Tivoli Compliance Manager

Area #6, Multi-Tenancy – Peaceful, Secure Co-existence
  • Validate VM Isolation Management
    • Prove that data confidentiality exists between images
  • Prove ability to detect and correct image provisioning anomalies
    • Test that deployed VM images are correctly configured
    • Show that corrective actions for mis-configured VM images can be applied
  • Prove rapid provisioning capabilities
    • Rapid deployment of new VM images
    • Rapid provisioning of new images
    • Rapid access by new users
  • IBM Technologies
    • ISS Site Protector
    • Tivoli Service Automation Manager
    • Tivoli Endpoint Manager
    • Tivoli Compliance Manager
    • ISS Virtual Service Protection

Area #7, Secure Collaboration – Sharing Information Securely

Prove that documents can be shared securely. Functionality includes:

  • Validate that tagging and protecting portions of an XML document reflect security classification
  • Prove that label based access controls can be applied allowing group or community access
  • Test that check in/check out of document capabilities are present.
  • Provide meta-data based search capabilities across multiple documents
  • IBM Technologies
    • IBM FileNet Content Manager
    • Tivoli Access Manager
    • Tivoli Identity Manager
    • Lotus Live
    • Lotus Symphony
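
Tagging portions of an XML document and applying label-based access control by group or community, as an added example (not from the presentation and not how the listed IBM products implement it). The classification and community attribute names, the three-level ordering and the sample document are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the "classification" and "community" attribute names
# and the three-level ordering are assumptions made for this example.
DOC = """<report classification="UNCLASSIFIED">
  <title>Weekly status</title>
  <section classification="CONFIDENTIAL" community="ops">
    <para>Patch window moved to Friday.</para>
    <para classification="SECRET" community="ir">Host list under review.</para>
  </section>
  <section classification="SECRET" community="ir">
    <para classification="UNCLASSIFIED">Mislabelled child.</para>
  </section>
</report>"""
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}

def effective_level(elem, inherited):
    """Unlabelled portions inherit; a child can never rank below its parent."""
    label = elem.get("classification")
    if label is None:
        return inherited
    if label not in LEVELS:  # unknown label: fail closed
        raise ValueError(f"unknown classification {label!r}")
    return max(LEVELS[label], inherited)

def allowed(elem, level, clearance, communities):
    """Label-based check: clearance dominates the level and, when the portion
    names a community, the reader belongs to it."""
    community = elem.get("community")
    return level <= LEVELS[clearance] and (
        community is None or community in communities)

def prune(elem, inherited, clearance, communities):
    """Remove every child subtree the reader may not see, recursively."""
    for child in list(elem):
        level = effective_level(child, inherited)
        if allowed(child, level, clearance, communities):
            prune(child, level, clearance, communities)
        else:
            elem.remove(child)

def release_view(xml_text, clearance, communities=()):
    """Return the document as this reader may see it, or None if nothing."""
    root = ET.fromstring(xml_text)  # trusted input only; stdlib parser
    level = effective_level(root, 0)
    if not allowed(root, level, clearance, communities):
        return None
    prune(root, level, clearance, communities)
    return ET.tostring(root, encoding="unicode")
```

The paragraph labelled UNCLASSIFIED inside the SECRET section is released only to readers who can see that section, because a portion never ranks below its parent.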

Thank you!

For more information, please visit:

Follow me on Twitter: @IBMFedCyber

Or send me an email: