Leveraging Specific technologies to address Cloud Risk

dizzyeyedfourwayInternet and Web Development

Nov 3, 2013 (3 years and 9 months ago)

91 views

© 2010 IBM Corporation
Leveraging Specific technologies to
address Cloud Risk
11th Annual Privacy and Security Conference
February 9, 2010
Dan Powers
Vice President, IBM Internet Security Systems
© 2010 IBM Corporation
2Security and Cloud Computing2/15/2010
IBM Cloud Services Portfolio:
Enabling New Delivery Models
Smart business
on the IBM cloud
IBM Smart Business
Services
IBM Smart Business
Systems
Standardized services
on the IBM cloud
Preintegrated, workload-
optimized systems
Private cloud services,
behind your firewall,built
and/or managed by IBM
IBM Lotus
Live
IBM Lotus®
iNotes®
IBM
CloudBurst™
family
IBM Smart
Business
Test Cloud
IBM Smart
Business
Desktop
Cloud
IBM
Smart
Business
Storage
Cloud
AnalyticsCollaboration
Development
and test
Desktop and
devices
Infrastructure
storage
IBM Smart
Analytics
System
Smart Business
for Small or
Midsize
Business
(backed by the
IBM Cloud)
Infrastructure
compute
IBM
Computing
on Demand
IBM
Information
Protection
Services
Business
services
BPM
BlueWorks
(design tools)
IBM Smart
Business
Desktop Cloud
IBM Smart
Analytics
Cloud
Smart business
expense
reporting on the
IBM cloud
IBM
Information
Archive
Smart
Business
Development
and Test on
the IBM
Cloud (beta)
Global Technology Services
Smart Business
End User
Support
© 2010 IBM Corporation
3Security and Cloud Computing2/15/2010
3
Coarse grainedFine grained
Guiding the conversation
IBM Capabilities &
Offerings to Help
Catalogues of products,
services and solutions
IBM Cloud
Security Guidance
Describes the
technology landscape
IBM Security
Framework
Describes the business
landscape of security
© 2010 IBM Corporation
4Security and Cloud Computing2/15/2010
IBM Security Framework –Business-oriented framework used across all
IBM brands that allows to structure and discuss a client’s security concerns
Built to meet four
key requirements:
Provide Assurance
Enable Intelligence
Automate Process
ImproveResilience
Introducing the IBM Security
Framework and IBM Security
Blueprint to Realize Business-
Driven Security;
IBM RedGuide REDP-4528-00,
July 2009
© 2010 IBM Corporation
5Security and Cloud Computing2/15/2010
IBM Cloud Security Guidance document
Based on cross-IBM research and customer interaction on cloud security
Highlights a series of best practice controls that should be implemented
Broken into 7 critical infrastructure components:
–Building a Security Program
–Confidential Data Protection
–Implementing Strong Access and Identity
–Application Provisioning and De-provisioning
–Governance Audit Management
–Vulnerability Management
–Testing and Validation
© 2010 IBM Corporation
6
Security and Cloud Computing
2/15/2010
Customers require visibilityinto the
security posture of their cloud.
Establish 3rd-party audits (SAS 70, ISO27001, PCI)
Provide access to tenant-specific log and audit data
Create effective incident reporting for tenants
Visibility into change, incident, image management, etc.
Support for forensics and e-Discovery
Implement a governance and audit management program
Security governance, risk management and compliance
Supporting IBM Products, Services and Solutions
IBM Security Framework
IBM Cloud Security
Guidance Document
IBM Security
Products and Services
IBM Information Security AssessmentAssessing security to create a roadmap to reduced risk
A comprehensive evaluation of an organization's existing security
policies, procedures, controls and mechanisms.
© 2010 IBM Corporation
7
Security and Cloud Computing
2/15/2010
Customers require proper
authenticationof cloud users.
Privileged user monitoring, including logging activities, physical
monitoring and background checking
Utilize federated identity to coordinate authentication and authorization
with enterprise or third party systems A standards-based, single sign-on capability can help simplify user
logons for both internally hosted applications and the cloud.
Implement strong identity and access management
Supporting IBM Products, Services and Solutions
IBM Security Framework
IBM Cloud Security
Guidance Document
IBM Security
Products and Services
IBM Tivoli Federated Identity Manager Securely manage cloud identities
Employ user-centric federated identity management to increase
customer satisfaction and collaboration
People and Identity
© 2010 IBM Corporation
8
Security and Cloud Computing
2/15/2010
Customers cite data protection as their
most important concern.
Use a secure network protocol when connecting to a secure
information store.
Implement a firewall to isolate confidential information, and ensure that
all confidential information is stored behind the firewall.Sensitive information not essential to the business should be securely
destroyed.
Ensure confidential data protection
Supporting IBM Products, Services and Solutions
IBM Security Framework
IBM Cloud Security
Guidance Document
IBM Security
Products and Services
Data and Information
IBM Data Security Services
Protect data and enable business innovation
Solutions fornetwork data loss prevention,endpoint
encryption,endpoint data loss prevention, and log analysis
© 2010 IBM Corporation
9
Security and Cloud Computing
2/15/2010
Customers require secure cloud
applicationsand provider processes.
Implement a program for application and image provisioning.
A secure application testing program should be implemented.
Ensure all changes to virtual images and applications are logged.
Develop all Web based applications using secure coding guidelines.
Establish application and environment provisioning
Supporting IBM Products, Services and Solutions
IBM Security Framework
IBM Cloud Security
Guidance Document
IBM Security
Products and Services
IBM WebSphere CloudBurst ApplianceSecure cloud application deployments
Easily, securely and repeatedly create application environments,
deployed and managed in a cloud
Application and Process
© 2010 IBM Corporation
10
Security and Cloud Computing
2/15/2010
Customers expect a securecloud
operating environment.
.
Isolation between tenant domains
Trusted virtual domains: policy-based security zones
Built-in intrusion detection and prevention
Vulnerability Management
Protect machine images from corruption and abuse
Maintain environment testing and vulnerability/intrusion management
Supporting IBM Products, Services and Solutions
IBM Security Framework
IBM Cloud Security
Guidance Document
IBM Security
Products and Services
IBM Virtual Server Security for VMware Protection of cloud-based infrastructure
Provides market-leading intrusion prevention, firewall and visible
security for virtual environments
Network, Server and End Point
© 2010 IBM Corporation
11
Security and Cloud Computing
2/15/2010
Customers expect cloud data centers to
be physically secure.
.
Ensure the facility has appropriate controls to monitor access.
Prevent unauthorized entrance to critical areas within facilities.
Ensure that all employees with direct access to systems have full
background checks.
Provide adequate protection against natural disasters.
Implement a physical environment security plan
Supporting IBM Products, Services and Solutions
IBM Security Framework
IBM Cloud Security
Guidance Document
IBM Security
Products and Services
IBM Physical Security Services
Defend and help secure physical environments
A full suite of digital security solutions and site assessments that can
be integrated with your network and IT systems
Physical Security
© 2010 IBM Corporation
Professional
Security Services
Managed Security
Services
Cloud Security
Services
We manage it for you
from the cloud
We provide service
from the cloud
We help you assess,
plan and implement
IBM Security Services –Vision
Vision: be the preferred provider of
managed, professional and cloud security
services for customers around the world.
Aligned to deliver comprehensive
security services to enable a …
smarter planet
IBM Security Services
© 2010 IBM Corporation
13
Identity & Access Mgmt
Services
Physical Security Services
Data Security Services
Security Governance and Compliance Services
Application Security Services
Threat
Mitigation
Services
Firewall
IDS/IPS
UTM
Protection Mgt
Web/URL Filtering
Vulnerability Assessment
Security Events
Threat
Assessment
Security
Logs
Security Services portfolio of services –detailed view
Managed Identity and Access
Management
= Professional services
= Managed services
= Cloud services
E-mail Security
GRC
© 2010 IBM Corporation
14
Security and Cloud Computing
2/15/2010
Smart Business Security ServicesSecurity services delivered from the IBM Cloud
Solution: Reducing Security Costs and Complexity
Little up-front investment
Centralized command center to monitor and control
Virtual-SOC services
24x7x365 global coverage
Run queries and reports on-demand
Automated analysisof security events and logs alerts
for remediation
Integrated with X-Force security intelligence
IBM ISS Security Offerings from the Cloud
•Security Event and Log
Management.
•Vulnerability Management
Services.
•Managed Web Security
Services.
•Managed Email Security
Services.
Customer Example:
Financial services organization looking for
ways to build automation in the security policy
associated with managing and filtering
unwanted viruses, spam, and other content
that carried risk, annoyance, or cost to its
employees.
Client benefits:
Reduced of the threat and cost of system
downtime caused by virus-infected emails Reduced business risk and gained
productivity by shielding employees from
Internet scams Helped protect IT investments all at a
reduced management cost to the organization
© 2010 IBM Corporation
15
Security and Cloud Computing
2/15/2010
Customer Benefits:
Helps minimize risk of downtime
Designed to increase operational
efficiencies by eliminating
infrastructure/maintenance costs
Assists in meeting or exceeding
regulatory compliance
requirements
Customers can realize potential
cost savings of up to 55%
IBM Smart Business Security ServicesVulnerability Management Services
Cloud-based offering simplifies global deployment of
proactive discovery, accuracy and remediation
of vulnerabilities
Web-based portal provides tiered access for
scan scheduling, review and reporting
Highly scalablefor organizations of all sizes
Provides customizable views and dynamic
accessto vulnerability data and dynamic visual
lifecycle for each discovered vulnerability
Provides a comprehensive tool-set for
workflow management and remediation
tracking
Includes customizable reporting viewsfor
analysts, auditors and management
© 2010 IBM Corporation
16
Security and Cloud Computing
2/15/2010
Customer Benefits:
Optimizes IT operations, freeing
personnel for strategic initiatives
Improves network security and
system uptime
Substantial bandwidth savings, by
stopping malicious threats before
they reach the organization’s
gateway
IBM Smart Business Security ServicesManaged E-Mail and Web Security Services
24x7x365 Cloud based deliveryprotection against
spam, worms, viruses, spyware, adware, undesirable
or offensive content
24x7 customer access, user-based policy and
control through Web-based, SaaS portal
Quick & easy setup
Highly scalable for organizations of all sizes
Eliminates upfront or ongoing hardware,
software or maintenance costs
Cloud offering eliminates the need to apply
patches or updates and risk infection during
critical windows of vulnerability
© 2010 IBM Corporation
17
IBM’s Cloud Security Strategy and Assessment ServicesEnabling organizations to define a sound strategy for secure cloud computing based
upon business goals, security requirements and best practices for cloud computing
security
Cloud Security Strategy Workshop
–Collaborative session with Customer’s key stakeholders and IBM security experts
–Guidance and education from IBM on considerations and key best practices for security cloud
environments
–Development of high-level cloud computing strategy for the use of private, public or hybrid clouds
–Documentation of discussion, findings and recommendations
Cloud Security Assessment
–Security assessment of a planned or already implemented cloud environment
–Three main areas of focus: Architecture, Governing in the cloud, Secure operations in the cloud
–IBM consultants will evaluate the security controls, mechanisms, policies and processes related
to cloud computing in comparison to cloud security guidance, best practices and applicable
regulatory requirements
–Recommendations will be provided for improving the overall security posture of the cloud
environment
© 2010 IBM Corporation
18
Additional Cloud Security Consulting ServicesTraditional governance and infrastructure security services enhanced to consider cloud
computing security requirements
Enterprise Security Architecture
–The Enterprise Security Architecture service for cloud computing will analyze the business
strategies and IT strategies for your cloud environment. It provides security architecture
principles that you can use to make decisions consistent with your organization's business and
security objectives. The customized security architecture will provide a comprehensive
framework for managing an organization’s security program consistent with its business
objectives.
Security Risk Assessment
–An Enterprise Risk Assessment customized to client’s business and IT strategies that will focus
on Information Security and Information Risks to the business. The analysis would include risk
impact for cloud computing
Security Policy Planning and Development
–Modification of or development of new security policies, standards and guidelines to account for
unique cloud computing requirements
Application Security Assessment
–Assess security aspects of shared cloud application design and the supporting cloud
infrastructure
Penetration Testing Services
–Test current security posture of cloud infrastructure via network attack simulation
© 2010 IBM Corporation
19
Security and Cloud Computing
2/15/2010
IBM Cloud Security in Action -LotusLive
Security through the entire lifecycle and stack
© 2010 IBM Corporation
20
Security and Cloud Computing
2/15/2010
Trusted Advisor
Security Company
Solution Provider
The Company
Security & Privacy Leadership
Security for the Cloud
Security from the Cloud
© 2010 IBM Corporation
21
Security and Cloud Computing
2/15/2010
Thank you!
For more information, please visit:
ibm.com/cloud
Ibm.com/security