Andrea Carmignani, Raffaella D’Alessandro. Security in Cloud Computing: new risks and supporting solutions


Post on 16-Oct-2020


Page 1: Andrea Carmignani Raffaella D’Alessandro · Management Leveraging IBM’s own managed services and tooling IBM applies its best of breed solutions to it’s own clouds Change &

Andrea Carmignani, Raffaella D’Alessandro

Security in Cloud Computing: new risks and supporting solutions


Agenda

• Cloud Security Concerns

• IBM approach for building a secure Cloud Computing

• Security FOR the Cloud

• Security FROM the Cloud


Security remains a top concern of customers migrating to the cloud…

According to IBM's Institute for Business Value 2010 Global IT Risk Study, cloud computing raised serious concerns among respondents about the use, access and control of data

• Protection of intellectual property of data: 30 %

• Ability to enforce regulatory or contractual obligations: 21 %

• Unauthorized use of data: 15 %

• Confidentiality, integrity and availability of data: 12 %

A recent survey of 150 executives of large firms found that security remains the number one concern


Where do these concerns come from?

• Client feels uncomfortable with the idea of their information on systems they do not own in-house (feels like they're losing control)

• Client doesn’t know how to deal with this change of paradigm (shifting their focus from cross enterprise security to workload security)

• Client wants to apply the same approach (and security controls) they are used to in their traditional IT.

• There’s a lack of information about how to deal with a shared, multi-tenant infrastructure. Does Cloud really increase potential for unauthorized exposure?

• Clients are worried about service disruptions affecting the business. Is it really something specific to Cloud Computing? What are the differences from traditional outsourcing?

• Regulations may prohibit the use of clouds for certain workloads and data. How much do we know about regulations to understand when this is really an obstacle for the intended workloads?

Do we share the same perspective?

How many of them are really specific to Cloud Computing?


Benefits and risks of delivery models (different delivery models present different risks)

[Chart: the delivery models Traditional IT, Public Cloud, Community Cloud, Private Cloud and Hybrid Cloud plotted by cost benefits (low, medium, high) against service-quality benefits (speed, scalability, flexibility, cost transparency; low, medium, high), with security-related risk rated high, medium or low]


One-size does not fit-all: Different cloud workloads have unique risk profiles

[Chart: need for security assurance (low to high) plotted against business risk (low-risk, mid-risk, high-risk)]

Tomorrow’s high-value and high-risk workloads need:

• Quality of protection adapted to risk

• Direct visibility and control

• Significant level of assurance

Lower-risk workloads:

• One-size-fits-all approach to data protection

• No significant assurance

• Price is key

Chart annotation: Today’s clouds are primarily here

Workloads shown on the chart:

• Training and testing with non-sensitive data

• Analysis and simulation with public data

• Mission-critical workloads, personal information


An Example of Security Challenge: Virtual Images Mobility

Virtualization is a building block inside the cloud computing paradigm. Inside the cloud it is crucial to move running applications from one physical server to another to have systems management flexibility and better availability

…as well as on the target physical host

Does the destination “fulfill” origin security policy and regulation?

What about the security of the target system?

…but some security issues could be waiting along the journey from one host to another…

Today data are transferred without being encrypted;

This means possible threats against the VM

[Diagram: two hypervisors, origin host and target host]


Who is responsible for security at the … level? (Datacenter, Infrastructure, Middleware, Application, Process)

• Software as a Service: Collaboration, Financials, CRM/ERP/HR, Industry Applications

• Platform as a Service: Middleware, Database, Web 2.0 Application Runtime, Java Runtime, Development Tooling

• Infrastructure as a Service: Servers, Networking, Storage, Data Center Fabric; shared virtualized, dynamic provisioning

[Diagram: for each service model, the split of responsibility between Provider and Consumer, with Potential Security Gaps marked]

Challenge: Ensuring the tight integration of provider and subscriber security controls and governance

Coordinating information security is the responsibility of BOTH the provider and the consumer


Collaboration is the key to the approach to Security in the Cloud

• The critical issue for correct and integrated governance of the respective areas of competence is the possible discontinuity located at the boundary points between customer-side and provider-side responsibilities.

• Therefore, since Security is the resultant of the elements that make up its chain across all levels of the processing infrastructure, it is important that the customer and the provider address the topic by sitting down together around a table and agreeing, with maximum transparency, on all the elements needed to properly direct Information Security Governance.

• In particular, it is important that all the organizational and technological aspects requiring close interaction between the customer-side organizational structures responsible for Security and their provider-side counterparts are clearly outlined.


Cloud security requires a change of the usual security mindset: we need an interdisciplinary approach based on the following steps

• Develop a strategy

• Technology and Services

• Design and Implement

• Monitor & Audit

Based on Business Requirements

• Take a risk-based approach to security … prioritize workloads

• Select technologies and services … modularity and standards are key

• Security best practices … think holistically

• Proactively inspecting the infrastructure … address new threats


How IBM delivers Cloud Security

• Security By Design

• Security By Workload

• New Security Efficiencies

We Believe the Cloud could be more secure than traditional Enterprises


Security By Design


Security has to be Built into the Fabric of the Cloud

“Almost 60 percent of all the applications brought to security testing and risk-analysis company Veracode during the past 18 months couldn't meet the minimum standards for acceptable security, even when the criteria were dialed down to accommodate applications that don't pose a great security risk”

Many Apps Flunk Security Check Before Move to Cloud, Kevin Fogarty,

• Failed to meet requirements: 60 %

• Met requirements: 40 %


Workload driven security

Cloud Security depends on focusing security controls on specific types of work


Sample Foundations we deploy in our clouds

• Access & Identity: IBM leverages a combination of extensive internal policies along with various IBM tools to address Access and Identity in the Cloud

• Data & Information: IBM will apply data protections to information when possible. In addition we

• Release Management: IBM implements strong policies for management of release of virtual images and software within its environment

• SIEM: IBM leverages its own tools and expertise to provide the functions for Security Event and Information Management

• Physical Security: In order to address our customers' needs IBM applies industry-leading approaches to security of our data centers such as CCTV, 24/7 physical security, biometrics, etc.

• Problem & Incident Management: Leveraging IBM tools and services, IBM provides a high quality of problem and incident management, including utilization of social networking technologies

• Threat and Vulnerability Management: Leveraging IBM’s own managed services and tooling, IBM applies its best-of-breed solutions to its own clouds

• Change & Configuration Mgmt: IBM manages its environment leveraging best case change and configuration management process via its own tooling, for example Rational Asset Manager


Create new Security Efficiency

• IBM Security Foundations

• Cloud Security

• Administrative Security

• User Control


Trusted Advisor Security Services Solution Provider Research

Security & Privacy Leadership

Security for the Cloud

Security from the Cloud

IBM Strategy: support customers with an unmatched synergy among solutions, products and services for both private and public cloud


IBM built security services and solutions aligned with IBM Security Framework to address Client’s concerns from any security perspective

1. Professional Cloud security services: we help you assess, plan and implement security solutions. Examples:

• Security assessment services

• Architecture, design and implementation services

2. Cloud Hosted Security services: we provide service from the cloud. Examples:

• Web Uniform Resource Locator (URL) filtering

• Security event log management

3. Cloud Security Products: we provide products to protect the cloud. Examples:

• Virtual Security Server for VMWare

• Proventia IPS and Virtual IPS appliance

Vision: Be the trusted partner for professional, managed, and cloud security services for customers around the world


IBM Security Solutions for the Cloud


Cloud Security Strategy Roadmap

Guides customers through their unique security and privacy concerns related to cloud computing and helps them to build a security roadmap for risk mitigation while still pursuing a cloud initiative

Key Features

• Education and guidance from knowledgeable IBM consultants on cloud security and privacy concerns during an interactive onsite working session

• Development of a cloud security strategy for risk mitigation including security measures and compensating controls

• Provides recommendations for cloud provider evaluation

IBM Professional Cloud Security Services

Professional Cloud security services



Key Features

• Evaluates client’s existing or proposed cloud security infrastructure against industry best practices

• Develops maturity ranking of existing security posture in consideration of cloud security goals and gap assessment

• Provides specific recommendations on action items or considerations for addressing identified issues

IBM Professional Cloud Security Services

Professional Cloud security services

Cloud Security Assessment

Assist clients in evaluating the strength of the security architecture, policies and practices associated with their cloud solution against best practices for secure cloud computing in consideration of their security objectives


IBM Virtualization Security Solutions deliver products and services, optimized for virtualization

IBM Virtual Server Security for VMware®

• An integrated security partition able to protect all the VMs inside physical hosts

These solutions will enable customers to realize the benefits of virtualization while maintaining their security posture

Existing solutions certified for protection of virtual workloads

Threat protection delivered in a virtual form-factor

Integrated virtual environment-aware threat protection

IBM Cloud Security Products

Cloud Security Products


Cloud-based Security Services that help reduce costs and complexity, improve security posture, and meet regulatory compliance

IBM Cloud Hosted Managed Security Services

From the Cloup placeholder


IBM has an unmatched global network of Security Operations Centers (SOC) and Research facilities to extensively monitor real-time threats

• 9 security operations centers

• 9 security research centers

• 133 monitored countries

• 30,000+ devices under contract

• 3,800+ MSS clients worldwide

• 9 billion+ events per day

• 16 Acquisitions in security space

• 3,700+ MSS clients worldwide

• 13 Billion+ events managed daily

• World class security research

IBM Security Operations Centers

Cloud Hosted Security services


Cloud Security Strategy Roadmap

Cloud Security Assessment

Penetration Testing

Application Security Assessment

Identity and Access Management

Security Event and Log Management

Vulnerability Management Services

Managed Email / Web Security Services

X-Force Threat Analysis Service

Security & Compliance Leadership

Helping clients begin their journey to the cloud with relevant security expertise

Cloud-based Security Services that help clients reduce costs and complexity, improve security posture, and meet regulatory compliance

Security remains a top customer concern in shifting to Cloud infrastructures, thus presenting IBM an opportunity to demonstrate thought leadership

Security for the Cloud

Dev/Test Cloud:

• Intrusion Prevention device under management

• Internal and External VMS (Vulnerability Mgmt Service) deployed

• Penetration testing

Compute Cloud:

• Intrusion Prevention devices under management

Storage Cloud:

• Ongoing deployment

IBM Security Services are already providing support and delivery services to several of IBM’s strategic cloud offering initiatives. . .

Security from the Cloud


IBM Redpaper: Cloud Security Guidance

• Based on cross-IBM research and customer interaction on cloud security

• Highlights a series of best practice controls that should be implemented

• Broken into 7 critical infrastructure components:

– Building a Security Program

– Confidential Data Protection

– Implementing Strong Access and Identity

– Application Provisioning and De-provisioning

– Governance Audit Management

– Vulnerability Management

– Testing and Validation

www.ibm.com/redbooks


Real-world Pilots on Next Generation Security & Privacy

Trustworthy Clouds: Privacy and Resilience for Internet-scale Critical Infrastructure

TClouds is co-financed by the European Commission under EU Framework Programme 7

http://www.tclouds-project.eu/


Thank you!

All the problems of the world could be settled easily if men were only willing to think…

Thomas J. Watson
