5 easy steps to securing workloads on public clouds
Post on 14-Sep-2014
843 Views
Preview:
DESCRIPTION
TRANSCRIPT
© 2012 IBM Corporation
IBM Security Systems
1© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
Jeff HoyCloud Security ArchitectIBM Security Systems, CTO Office
May 21, 2014
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
2
Please Note
IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
3
Share our views about Cloud Security• How cloud is changing security• Impact to your organization
5 Easy Steps to securing workloads• Topology-based options• Detailed examples
Looking forward• Trends in cloud direction• Emerging security capabilities
Goals of This Webinar
1
2
3
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
4
Speaker Background
About Jeff• Cloud Security Architect• IBM Security Systems• CTO Team• 12+ years with IBM• jeffhoy@us.ibm.com
Focus Areas:• Cloud Security Enablement• SaaS Security• Hybrid Cloud• Next Generation Cloud Security
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
5
Topic: Securing the Cloud
Security in the Cloud
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
6
Services Acquired
Organization / Buyers
Security Responsibilities and Objectives
Software as a Service (SaaS)
CxOs (CIO, CMO, CHRO, ...)
Complete visibility to enterprise SaaS usage and risk profiling
Governance of user access to SaaS and identity federation
Platform as a Service (PaaS)
Application teams, LOBs
Enable developers to compose secure cloud applications and APIs, with enhanced user experience
Visibility and protection against fraud and applications threats
Infrastructure as a Service (IaaS)
CIO, IT teams
Protect the cloud infrastructure to securely deploy workloads and meet compliance objectives
Have full operational visibility across hybrid cloud deployments, and govern usage
Security objectives reflect responsibilities when adopting Cloud
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
7
Trusted IntranetOnline Banking
Application
Employee Application
DMZ Untrusted Internet
7
Traditional perimeter based security controls …
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
8
Online Banking Application
InvestmentAPI Services
Employee Application
Build and Deliver Apps, Services (PaaS)
Consume Apps and Services (SaaS)
Leverage Public Clouds (IaaS)
Trusted Intranet DMZ Untrusted Internet
8
Apps, APIsServices
Traditional perimeter based security controls … … are changing to security centered around applications and interactions
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
9
Cloud Security Capabilities
Identity
Protection
Insight
Protect infrastructure, applications, and data from threats
Auditable intelligence on cloud access, activity, cost and compliance
Manage identities and govern user access
IaaS: Securing infrastructure and workloads
SaaS: Secure usage of business applications
PaaS: Secure service composition and apps
Bluemix
We see three sets of capabilities to help adopt cloud with confidence
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
10
How will complex environments evolve for your organization?
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
11
Topic: 5 Easy Steps
5 Easy Stepsto Securing Workloads
on Public Clouds
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
12
Step #1: Basic Security Enablement
Traditional on-premise
IPS
Visibility
DataSecurity
Scanning
TLSFirewalls
SOAAppliance
EndpointMgmt
User
Admin
Public cloud-based
IPS
DataSecurity
Scanning
TLSFirewalls
SOAAppliance
EndpointMgmt
User
Admin
Same principles apply
Visibility
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
13
Monitor & manage security posture
Configure application centric security policies
Provision secure cloud infrastructure
User Access Customer
Application
NetworkProtection
Cloud Admins
Security Team
ApplicationTeam
Enterprise Roles
Service users
Securely Access Cloud services
Security Intelligence
DataSecurity
Example #1: Securing Workloads on Cloud Infrastructure (IaaS)
EXAMPLE
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
14
Step #2: Pattern-Based Security
IPSData
Security
Scanning
TLSFirewalls
SOAApplianceEndpoint
Mgmt
Visibility
System Template
Pattern Engine
Preconfigured Systems
Customize
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
15
Example #2: Secure Image Deployment
Virtual Image
• Apache HTTP Server• WebSphere Liberty• Banking EJB• IBM Access Manager• IBM Identity Manager• Restrictive Firewalls• Endpoint Manager• Disk encryption• Credential Vault
Deploy Images
Update Images
• IP Address• Hostname• Credentials, etc
Production System
EXAMPLE
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
16
Shared Security Services
REST APIs
Identity as a Service Log Management & Audit App and Vulnerability Testing
Security Policy Management for Cloud
Step #3: Automation-Enabled Pattern & Policy-driven Approaches
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
17
Example #3: Pattern-Based Access Management
Security WebGateway
Web Application
1
2 3
4
56
78
9
10
Environment Components
1. QRadar vSys Pattern2. External ISAM Appliance3. ISAM Log Integration4. WebSEAL Reverse Proxy5. Application vSys Pattern6. Application TAI + Junction7. Consolidated Logbackup8. SQL Injection Attack9. Application Response10. QRadar threat console
EXAMPLE
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
18
CeilometerUsage / Performance Monitoring + Auditing
“Datastores”
Core API Layer“Filter” audits all Open Stack API calls
CADF
AWS CloudTrail
OpenStack Audit (CADF)
Workloads deployed in
private virtual Environments
Public Cloud Services
Step #4: Integrated Intelligence across Hybrid Cloud
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
19
Example #4: Security Intelligence for Virtual Infrastructure
Business challenge:
• Improved security and visibility into virtual Infrastructures
• Better visibility into logs coming from their sensors across the environment
• Support ad hoc search across large data
Solution:
• Scales to large volumes
• User friendly reporting
• Quick search and review of logs
• Reasonable cost of ownership
SaaS applications
Infrastructure as a Service
Security Intelligence for Hybrid Cloud
19Virtualized data center
EXAMPLE
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
20
Administrator /app owner
End users
Shared Security Services(Security from the Cloud)
REST APIs
Identity as a Service Log Management & Audit App and Vulnerability Testing
• API enable and standup key products as shared cloud services
• Multi-tenancy
Step #5: Leverage Security SaaS
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
21
Example #5: SaaS Security Usage in Your Environment
EXAMPLE
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
22
Topic: Looking Forward
Cloud Security Trends
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
23IBM SECURITY SYSTEMS :: IBM Confidential :: ©2013 IBM Corporation
DynamicAnalysis
InteractiveAnalysis
Mobile AppAnalysis
StaticAnalysis
Application Security Management
Inventory assets
Assess businessimpact
Measure status & progress
Prioritize vulnerabilities
Determine compliance
DEV OPS
DynamicAnalysis
Databasemonitoring
Security Intelligence
SIEMNetworkActivity
Monitoring
Vulnerability Mgmt
LogMgmt
Network Protection
FraudProtection
AppScan QRadar Guardium SiteProtetor/ IPS Trusteer
Security Across the Cloud DevOps lifecycle
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
24
DMZTrusted Intranet
Online bankingapplication
Online Banking Application
Migrating Online Application to off-premise cloud
Traditional Data Center
End UsersDomain Specialized Developer
Infrastructure Operations
Security & Compliance Manager
Cloud Application Zone Active Protection – Typical Scenario
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
25
Access Application4
Deploy App
Provision workload and security components
2Online Banking App
Workload Box
IBM Access Manager
IBM QRadar SIEM
WebApp
DBWebApp
DB
2
1
Config & Automation3
Secure Application
Demo Available - User Access Management, Web Application Protection, Log Management, Security Intelligence
Cloud Application Zone Active Protection - Solution Overview
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
26
• Data security as a virtual appliance deployed on the Cloud
• Data activity monitoring across hybrid clouds – virtualized and public clouds
• Provides vulnerability assessments of data systems
• Encrypts and masks sensitive data when used by privileged users
Data is…• Leaving the data center• Stored on shared drives
and cloud infrastructure• Hosted by 3rd party• Managed by 3rd party
DataProtection
Business Challenge: Solution:
26
Virtualized data center
IBM InfoSphere Guardium
EncryptionMasking
123 XJEActivity
Monitoring
Activity Monitoring
VulnerabilityAssessment
VulnerabilityAssessment
Structured &Unstructured
Data
Cloud ready data security and privacy on the cloud
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
27
Today Announcements
Delivering security from the cloud:
Solutions to protect cloud workloads:
Identity-as-a-Service beta for the IBM Cloud Platform
Security Optimization & Threat Monitoring
QRadar optimizations for cloud
Enhanced Virtual Threat Protection
IBM leads with enterprise-grade cloud security
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
28
Cloud creates opportunities for enhanced security
5 Easy steps to securing workloads
1. Basic Enablement
2. Pattern-Based Security
3. Automated Integration
4. Hybrid Cloud Security
5. Leveraging SaaS
Going forward• Direction of the cloud• Emerging security capabilities
Summary
1
2
3
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
29
Key Cloud Resources
IBM Best Cloud Computing
Security
IBM Research and Papers Special research concentration in cloud security, including
white Papers, Redbooks, Solution Brief – Cloud Security
IBM X-Force Proactive counter intelligence and public education
http://www-03.ibm.com/security/xforce/
IBM Institute for Advanced Security Cloud Security Zone and Blog (Link)
Customer Case Study EXA Corporation creates a secure and resilient private
cloud (Link)
Collateral Sales Support: NEW IBM Cloud Security Strategy and Community
connections page (Link) NEW Internal IBM SWG Sellers Workplace – Cloud
Security Collateral - (Link) SmartCloud Security Solutions Sales Kit – (Link)
Other Links: IBM Media series – SEI Cloud Security (Link) External IBM.COM : IBM Security Solutions (Link) External IBM.COM : IBM SmartCloud– security (Link) IBM SmartCloud security video (Link)
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
30
Questions?
We Value Your Feedback!
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
31
Backup
X
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
32
Insight Establish intelligence across enterprise and
cloud• QRadar SIEM QRadar Log Manager QRadar Forensics
rotectionProtect data,
applications and infrastructure from threats and risks
Data & Application• IBM InfoSphere Guardium
• IBM Security AppScan
• IBM WebSphere DataPower
Infrastructure• IBM Security Network Protection
• IBM Security Trusteer
• IBM Endpoint Manager
ProtectionProtect data, applications and infrastructure
from threats and risks
Identity Manage users and their access to
cloudand access
Identity• Identity Service - Beta
• IBM Security Access Manager
• IBM Security Privileged Identity Manager
Identity Manage users and their access to cloud
Intelligent Security for the Cloud
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
33
AppScan Mobile Analyzer– Ability to upload Android APKs to the cloud for an IAST
(interactive application security scan)
• Service available through the BlueMix catalog
• Upload an APK and receive a security PDF report
• Public APIs to integrate to 3rd party • Environment deployed on SoftLayer
AppScan DAST on BlueMix– Run a DAST scan on web application deployed on
BlueMix
• Service available through the BlueMix catalog
• Almost zero configuration (User Name/Password)
• Public APIs to integrate to 3rd party • Environment deployed on SoftLayer
AppScan Service & APIs from Bluemix
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
34
Cloud software delivery as virtual appliances
Security Software
Security capabilities as virtual appliances. They should be available as shared services through APIs.
Delivering security capabilities as virtual appliances will enable
- Security enforcement ‘near’ workloads and in software defined environments
- Protection within on-premise virtual environments or hosted clouds
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
35
Administrator /app owner
End users
Shared Security Services(Security from the Cloud)
REST APIs
Identity as a Service Log Management & Audit App and Vulnerability Testing
• API enable and standup key products as shared cloud services
• Multi-tenancy
Applications require easy-to-use, API-based services
© 2014 IBM Corporation
5 Easy Steps to Securing Workloads on Public Clouds
36
DMZTrusted Intranet
Demo Scenario - Visibility to hybrid cloud application
Jane
Andrew Public Cloud Services
Provision infrastructure
Deploy App
Private Cloud Services
FredCustomers
Monitor Usage & Security of the Environments
Access App
Reverse ProxyLoad balance
Gateway
Cloudburst
top related