best practice security in a cloud enabled world

An Executive Brief Sponsored by IBM Michael Suby Stratecast VP of Research July 2014


  • Best Practice Security in a Cloud-Enabled World

    2014 Stratecast. All Rights Reserved.

    The cloud will be a growing part of your IT environment. This is inevitable, particularly in consideration of the following:

    Economic Attractiveness: The economic attractiveness of cloud infrastructure services (e.g., Infrastructure as a Service, or IaaS) is rising with each round of price wars. Lured by this attractiveness, will your organization be faced with escalating data protection, operational risk, management complexity, and compliance uncertainty?

    Self-Service Proclivity: Findings from a late-2013 Frost & Sullivan survey show that 70 percent of end users are ignoring IT approval procedures and subscribing to un-vetted cloud services, for a variety of reasons: support business objectives, improve productivity, and foster innovation. Can your organization mitigate the security risks associated with uncontrolled and invisible use of Software as a Service (SaaS)?

    Opportunities in the Internet of Things: The eve of the Internet of Things is here, as the ability to send and collect burgeoning streams of data is no longer technologically constrained. Similarly, producing actionable insights from this data mountain is no longer on the horizon, but aided by the elasticity of the cloud. Readying your organization to skillfully ride the twin waves of the Internet of Things and Big Data & Analytics cannot wait, but are you prepared to tackle the information security challenges that arise when the cloud is part of the equation?

    Addressing these questions is feasible through proactive and sensible risk management. While information technology does move rapidly and with a degree of unpredictability, a comprehensive risk management approach, designed to flex and adapt, enables organizations to embrace cloud services with security confidence.

    In this paper, we present a straightforward approach to cloud security. The structural foundation of this approach will not only assist in mitigating the risks associated with cloud deployments and usage, but also improve and standardize your security posture and practices across all your environments (public and private clouds as well as bare metal server clouds), and allow you to skip future security overhauls brought on by the emergence of new types of information technologies and security threats.

  • Stratecast | Frost & Sullivan


    The cloud, and the technologies that underlie it, offer a rich set of benefits. However, without a clear understanding of the security risks and the threats that underlie those risks, and how those risks vary by cloud model, cloud benefits lose their luster, and serious consequences can occur, such as: disrupted operations, data breaches, intellectual property (IP) theft, compliance violations, and brand damage. Moreover, the direct and indirect costs of these and other consequences, and the restrictions that follow, will neutralize the benefits anticipated with cloud adoption.

    Compared to on-premises private data centers (i.e., traditional environment),¹ cloud usage introduces incremental risk. Yet, as we propose, this escalation of risk is controllable such that the benefits and risks of using the cloud can be balanced. In essence, driving toward the same security objectives as in traditional environments is the right path when using the cloud.

    Security Objectives in Traditional Environments

    Insulate from Cyber Threats: Defend against threats coming from the Internet and through trusted yet compromised devices.

    Minimize Vulnerabilities: Shrink the attack surface by reducing exploitable vulnerabilities throughout the entire software stack and among data flows.

    Protect Data: Isolate and protect data of value throughout its entire lifecycle: in use, at rest, in transit, and in retirement.

    Control Operations: Ensure that oversight and visibility over computing and security operations, and people-based processes, is continuously effective and compliant with industry standards and government regulations.

    Three Cloud Types

    Instrumental in gauging the incremental risk associated with the cloud is the understanding that risk varies by cloud type. Universally, the cloud model, which encompasses several cloud types, is an approach to configuring, provisioning, and managing data center infrastructure and applications. Clouds rely on automation, standardization, and virtualization to allocate IT resources efficiently and optimally. Beyond these commonalities, differences exist across the three cloud types:


    ¹ On-premises includes data centers as nodes on either the organization's local area network (LAN) or private wide area network (WAN). In either, the data center is part of a dedicated private network.


    Private Cloud: A cloud environment in which the virtualized server infrastructure is dedicated to a single enterprise. The dedicated environment (sometimes called a virtual private cloud) may be hosted in a cloud provider's data center, thus enabling enterprises to have the privacy associated with a dedicated environment without the full capital investment of a data center. Or, the private cloud could be hosted in the enterprise's own data center.

    Public Cloud: A shared computing environment in which infrastructure is hosted in a cloud service provider's data center. The cloud service provider offers computing and storage capacity on demand, through self-service portals, to subscribers paying for the capacity they use.

    Hybrid Cloud: An environment that allows enterprises to configure and manage multiple cloud environments (public or private, on-premises or hosted) as a single resource pool, through a common management console.

    Incremental Risk of Clouds

    The Public Cloud Model is Built on Multi-Tenancy: Multi-tenancy drives individual tenant costs downward; a cloud benefit. However, multi-tenancy also increases the potential of cyber-attacks, both from the outside and the inside. From the outside, a public cloud provider is a large, attractive target, and is a collective of tenants, which are also potential targets. Once through the shopping mall's doors, per se, each tenant becomes a potential victim. From the inside, malicious actors can also be cloud subscribers who stage attacks against and eavesdrop on their co-tenants. Ironically, the elasticity benefit of the cloud is not limited to legitimate users. Malicious actors can also use the cloud's elasticity in accentuating their exploits; for example, building a dynamic botnet army, which may force the cloud provider to take steps to stop the botnet, thereby also affecting legitimate services to the other tenants.

    Security is a Split Responsibility: Contrasting with the fully owned and operated foundation of traditional environments, in all three of the prevalent public cloud models (Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS)), security is a split responsibility between the cloud provider and its subscribers (tenants), with the level of responsibility in the hands of the cloud provider growing in moving across the models from IaaS to SaaS (see the table below). Similarly, visibility into the cloud provider's security operations is not as deep or deterministic as in traditional environments. Consequently, cloud tenants are indirectly asked to trust without full verification. For example, vulnerability scanning and remediation is part of the cloud provider's security responsibilities (e.g., of virtual network interfaces and hypervisor in IaaS, and up through the application software in SaaS); but frequency and depth of vulnerability scanning, and prioritizing remediation, is determined by the cloud provider, not individual tenants. Similarly, identifying and mitigating security incidents and configuration errors attributed to the layers of the cloud infrastructure under the cloud provider's purview are also outside the line-of-sight of the tenants. In cloud environments, the strength of security is partially dependent on the strength of the security operations and administration conducted by the cloud provider.


    Workload Mobility: Also linked to the lower cost value proposition of the public cloud is the infrastructure-optimizing mobility of virtual workloads among the cloud provider's physical servers and data centers. Yet, unlike a workload hosted in a dedicated server, in which circles of protections are nailed up to protect that workload, similar protection is more difficult to sustain when virtual workloads move. These security protections must be as mobile as the virtual workloads themselves, without loss of integrity.

    All Users are Remote: Another advantage of the public cloud, but also an elevated security risk, is that all users are remote. While beneficial in supporting anywhere access from any device versus more restricted access from only company locations and company-issued devices, the inherent user validations (e.g., an ID card for building access, password for LAN access, and a registered device ID) are not always present. Consequently, the flow of data into the wild is a higher risk with public cloud services. Additionally, expanding use of SaaS contributes to risk through credential sprawl and users' coping mechanisms (e.g., repeatable use of easy-to-remember passwords), plus account management challenges (e.g., terminating access to multiple SaaS services following an employee departure).

    Cloud Security's Split Responsibilities

    [Table: columns are Cloud Layer, Traditional Environments, and the Cloud Models IaaS, PaaS and SaaS. Rows (cloud layers): Data; Interfaces (APIs, GUIs); Applications; Solution Stack (Programming languages); Operating System (OS); Virtual Machines; Virtual Network Interfaces; Hypervisors; Process and Memory; Data Storage (hard drives, removable disks, backups, etc.); Network (interfaces and devices, communications infrastructure); Physical Facilities / Data Centers. Legend: Cloud Tenant's Responsibility; Cloud Provider's Responsibility; Fully Owned and Operated In-House.]

    Source: PCI Security Standards Council, Information Supplement: PCI DSS Cloud Computing Guidelines (February 2013), and Stratecast

    The combination of continuous evolution in security threats and organizations' adoption of new information technologies has been met with a history of innovation in security. As either threats or IT changed, security has also changed, either by adapting or through the development of new security categories and practices. Beneficially in securing the cloud, security technologies and their foundational concepts that are already practiced in traditional environments can be fitted to the cloud. This does not mean that securing the cloud is a simple process of porting security technologies from traditional environments. Rather, the core precepts are present to be effective in securing cloud environments, but must be implemented with a thorough understanding of the cloud's incremental risks and uniqueness.

    Also, and as will be discussed later, choice is expanding for cloud users, particularly with IaaS. For IaaS, cloud users have expanded choice in selecting the optimal mix of performance, privacy, and price for each of their workloads. Their choices include: public cloud (virtual server, public network connection); private cloud (virtual server, private network connection); and bare metal cloud (dedicated server, private network connection).

    The principal security technologies and concepts needed to secure cloud environments include the following:

    Segmentation and Isolation: Public cloud's multi-tenancy demands that organizations establish and maintain virtual walls around each of their workloads and the network traffic that flows to and from workloads and among workloads. This effort is essential in shielding workloads and data from other cloud tenants and cloud administrators, and, from a performance perspective, assuring that the workload is not crowded out of its necessary compute, storage, and networking resources. Depending on the workload, best effort performance is intolerable; verifiable service level agreements (SLAs) are essential.

    Threat Detection and Mitigation: Threats designed to disrupt operations, undermine integrity, or eventually sow the seeds for data exfiltration are omnipresent. Cloud providers recognized this and have built threat detection and mitigation technologies and procedures into their operations to serve all of their tenants; and, naturally, to maintain service uptime and integrity. Yet, with the micro-targeting of advanced threats, the cloud provider's threat detection is not a panacea. Adding a second layer of threat detection is an advisable practice for all cloud tenants to defend against the external threats that evaded the "for everyone" threat detection of the cloud provider.

    Security Information & Event Management (SIEM)/Log Management: No defense will ever be completely impenetrable; there must be a backstop of non-stop collection of data to discover early warning signals of multi-stage exploits. Continuing on the same path as in traditional environments, next-generation SIEM and Log Management forms this essential backstop in cloud environments. For maximum effectiveness, data collection must be broad, from the network layer up through the application layer; monitoring must be conducted on a real-time basis, and produce outcomes that are grounded in context. In circumstances where a hybrid approach is used (a mix of private data center, i.e., traditional environment, and public cloud), the SIEM and Log Management capabilities must seamlessly span both environments. Additionally, security intelligence must be equally comprehensive in spanning external and internal factors, in order to filter what can be a mountain of daily security issues to a more manageable, prioritized few.

    Incident Response and Forensics: Despite best efforts to protect virtual workloads in cloud environments, the potential of a major security incident still exists and must be handled with expedience and prudence. While a noble aspiration, planning and rehearsal is critical to ensure that cool heads prevail during the heat of the moment. Forensics is also essential, to gauge the exploit's extent and, of equal importance, to guide defense-tightening adjustments. Comprehensive SIEM and Log Management capabilities are essential in supporting both incident response and forensics.

    Identity & Access Management: As previously stated, the remoteness (i.e., access from any device, from anywhere) of public cloud services, and the proliferation of SaaS subscriptions intensify the necessity of an Identity & Access Management (I&AM) system to control user access privileges across private and public environments. Automating subscriber management functions (i.e., bulk SaaS enrollments, self-service password administration, and revocation of access privileges for departed employees across all environments) is also important. Reporting on user log-in activity, also a function of I&AM, assists in discovering questionable activities by users and administrators, and in assigning the costs of cloud services to individuals and departments. Last, single sign-on lessens credential sprawl and user time spent in resetting forgotten passwords, and logging into each SaaS subscription individually.
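An added example (not part of the brief, and not IBM or Stratecast code) of two I&AM checks described above: finding accounts that are still active for departed employees across several SaaS services, and reporting log-ins recorded after a departure date. The roster, service names, account exports and log-in events are constructed, and their record layouts are assumptions.

```python
"""Deprovisioning audit across SaaS services (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR roster: employee id -> (corporate e-mail, departure date or None).
HR_ROSTER = {
    "e100": ("alice@example.com", None),
    "e101": ("bob@example.com", date(2014, 5, 30)),
    "e102": ("carol@example.com", date(2014, 6, 13)),
}

# Constructed per-service account exports: service -> [(login, account active?)].
SAAS_ACCOUNTS = {
    "crm": [("alice@example.com", True), ("bob@example.com", True)],
    "file-share": [
        ("Bob@Example.com", False),          # already revoked here
        ("carol@example.com", True),
        ("dave@contractor.example", True),   # never enrolled through HR
    ],
}

# Constructed log-in events: (ISO timestamp, service, login).
LOGIN_EVENTS = [
    ("2014-05-29T09:12:00", "crm", "bob@example.com"),
    ("2014-06-02T23:41:00", "crm", "bob@example.com"),
    ("2014-06-10T08:05:00", "file-share", "carol@example.com"),
    ("2014-06-20T14:30:00", "file-share", "dave@contractor.example"),
]


@dataclass(frozen=True)
class Finding:
    kind: str      # orphaned-account | unmanaged-account | post-departure-login
    service: str
    login: str
    detail: str


def _normalize(login):
    # SaaS exports differ in case and padding; compare on a canonical form.
    return login.strip().lower()


def _departures(roster):
    """Map normalized login -> departure date (None while still employed)."""
    return {_normalize(email): left for email, left in roster.values()}


def audit_accounts(roster, accounts, as_of):
    """Flag active accounts of departed staff and accounts with no HR identity."""
    departures = _departures(roster)
    findings = []
    for service, rows in sorted(accounts.items()):
        for login, active in rows:
            if not active:
                continue  # access already revoked in this service
            key = _normalize(login)
            if key not in departures:
                findings.append(Finding("unmanaged-account", service, key,
                                        "no matching HR identity"))
            elif departures[key] is not None and departures[key] <= as_of:
                findings.append(Finding("orphaned-account", service, key,
                                        f"employee left {departures[key].isoformat()}"))
    return findings


def audit_logins(roster, events):
    """Flag log-ins dated after the account owner's departure day."""
    departures = _departures(roster)
    findings = []
    for stamp, service, login in events:
        key = _normalize(login)
        left = departures.get(key)
        if left is not None and datetime.fromisoformat(stamp).date() > left:
            findings.append(Finding("post-departure-login", service, key,
                                    f"log-in at {stamp}, employee left {left.isoformat()}"))
    return findings


def run_audit(as_of=date(2014, 7, 1)):
    """Account findings first (by service), then log-in findings in event order."""
    return (audit_accounts(HR_ROSTER, SAAS_ACCOUNTS, as_of)
            + audit_logins(HR_ROSTER, LOGIN_EVENTS))


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.kind:22} {f.service:11} {f.login:26} {f.detail}")
```
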

    Data Protection: Data breach news stories are far too common; and, with certainty, there are countless more data breaches that are either undetected or not publicly reported. Several coordinated approaches assist in mitigating the risk of data breaches (e.g., segmentation and isolation, vulnerability testing, SIEM, and I&AM). Encrypting valuable data in all of its modalities (at rest, in motion, and in use) should also be used. Of equal importance, the cloud user's encryption keys should be inaccessible by the cloud provider, to eliminate the potential that the cloud provider can access tenant data, and to ensure that data erasure in the cloud is complete (i.e., by destroying the encryption keys).

    Secure Software Development: Secure software development has long been advocated by security professionals as essential in systematically reducing the frequency and severity of software vulnerabilities. Considering the heightened exposure in public cloud environments, the importance of secure software development is equally heightened.


    Vulnerability Scanning and Patch Management: Even with devotion to secure software development, vulnerable software still exists, if for no other reason than the threat actors continuously advancing their techniques. Also, other layers of software lie below (e.g., operating system) or to the side of applications (e.g., browsers, drivers, and readers), and are subject to vulnerabilities. Periodic vulnerability scanning and regular patch management is a good standard practice, and one that takes on greater importance in the consideration that vulnerabilities in the configuration of a virtual workload will remain with each new virtual instance of the workload, until the vulnerabilities are discovered and effectively removed from the workload's configuration profile.

    While people and processes are essential in all security endeavors, the third leg of the stool, technology, is equally critical. Even with top-flight security personnel and vetted processes, when combined with sub-standard security technologies, security efficacy suffers. With this in mind, we recommend the following subset of attributes that should be at the top of the list in selecting security technologies for use in cloud environments.

    In parallel with our perspective that cloud security introduces additional risk, we segmented the security technology attributes into two categories: (1) enterprise-class, and (2) cloud-class. Although these categories are not mutually exclusive (i.e., cloud-class attributes are beneficial in traditional environments and vice versa), the cloud-class attributes reflect a step up in functionality needed in cloud environments, as organizations advance their use of cloud services from trial and tactical to routine and strategic.

    Enterprise-class

    Best-of-Breed: Under the reasonable assumption that the short list of security technologies are similar in security functionality, best-of-breed entails other comparative characteristics, such as: performance (i.e., bump in the wire), modularity, interoperability, and efficient administration. Vendors' business stability, commitment to research & development, and customer support are also part of the best-of-breed attribute.

    Compliance Friendly: The reach of regulations, including data sovereignty laws, continues to expand. Easing the burden of compliance substantiation, and minimizing the length and severity of non-compliance instances are also enterprise-class attributes.

    Unit- and Role-Based Administration: Lines of business and corporate services (e.g., finance, human resources, and legal) are examples of distinctive units within the broader organization that either need or want autonomous administrative control over their security policies. In following the best practice of least access privilege, role-based administration is also needed in enterprise-class security technologies.

    Cloud-Class

    Rapidly Deployable and Highly Automated: These are hallmark characteristics of cloud services. Matching these characteristics in constructing security around each virtual workload and network flow is essential in retaining, in full, the primary reasons for adopting cloud services.

    Single Pane of Glass Extensibility: One administrative interface for traditional environments and another for cloud environments leads to fragmented security policies, compliance uncertainty, and inefficient security operations. Furthermore, flexibility to move workloads between traditional and cloud environments is hampered without single pane of glass extensibility. In expanding into the cloud, a cross-environment administration interface is highly desirable.

    Adaptable: Just as cloud providers' share of security responsibility varies across cloud models, variation also exists in the security operations and practices among cloud providers in the same cloud model. Optimally, variation in each cloud provider's security attentiveness, and the means to verify that attentiveness, is known; so, as a workload is placed in a cloud provider's environment, the tenant's security responsibility is right-sized. In other words, tenant security is automatically and seamlessly adaptable to conditions of the environment and the context of the workload (e.g., contains sensitive data or a business-critical operation versus contains data of little value to would-be hackers; or performance fluctuations, within reasonable bounds, are tolerable). This adaptability enables organizations to exercise wider discretion in choosing cloud providers, and in deciding which workloads are cloud candidates.


    Cloud security can be accomplished and accomplished well, but not by chance; planning is paramount. The relative newness of the cloud and its unique challenges do not lend cloud security to a "learn as we go" proposition; knowledgeable and tenured expertise is needed from the start.

    IBM is thoroughly equipped to help organizations adopt cloud securely. The company is well-known for its lengthy and deep history in IT security. Even before the cloud became that next turn in IT, the company developed its evergreen Security Framework. Designed to establish a pragmatic framework to address the security challenges of complex private data centers, the same framework elements are extensible into cloud environments. Furthermore, with cloud security requiring a holistic approach rather than piecemeal, the history of IBM is replete with examples of organic growth and best-of-breed acquisitions (see timeline below) in creating a comprehensive portfolio of security technologies (software and virtual appliance) and professional and managed security services.

    [Figure: IBM Security Framework]

    IBM History of Security Portfolio Expansion

    Building on experience from client engagements, in-house thought leaders, and one of the world's largest IT test beds (itself), IBM developed its Cloud Computing Reference Architecture (CCRA) to guide adoption of cloud services. Naturally, security is foundational to this architecture.

    From CCRA to client engagements, IBM drives a best practice, strategic approach built on three steps that leverage multiple components from IBM's broad security portfolio:

    1. Define a cloud strategy with security in mind

    2. Identify the security measurements needed

    3. Enable security for the cloud

    [Figure: History of IBM Security Portfolio Expansion. Timeline from 1976 to 2013 of additions to the portfolio: mainframe and server security; identity management; directory integration; SOA management and security; network intrusion prevention; access management; application security; risk management; data management; enterprise single-sign-on; database monitoring and protection; endpoint management and security; information and analytics management; security intelligence; secure mobile management; advanced fraud protection; and the creation of IBM Security. Callouts: 6,000+ IBM Security experts worldwide; 3,000+ IBM security patents; 4,000+ IBM managed security services clients worldwide; 25 IBM Security labs worldwide.]

    Source: IBM

    [Figure: Revised Security Component Model (CCRA 3.0 Security Preview). Security component groups: Security Intelligence, Analytics and GRC; People; Data; Applications; Infrastructure (includes server, network, storage). Components shown: Security Governance, Risk Management & Compliance; Security Information & Event Management; Data & Information Security; Identity & Access Management; Security Intelligence; Physical & Personnel Security; Threat & Intrusion Prevention; Security Policy Management; Encryption & Key Management; Secure Application Development; Endpoint Management.]

    Source: IBM

    IBM as a Secure Cloud Provider and Private Cloud Services

    Earlier in this paper we spoke of the shared security responsibility between the cloud provider and its cloud tenants. And, as the totality of security is only as good as the parts, the foundational layers of cloud security and the protection of the cloud provider's data center facilities (i.e., cloud provider's responsibility) are crucial. As expected, IBM's cloud-supporting data centers and its cloud security practices adhere to IBM's CCRA.

    We also highlighted that multi-tenancy and Internet access are structural elements of public cloud services, and these elements elevate security risk. While security technologies and practices can be established to mitigate this additional risk, adherence to certain regulations (e.g., Health Insurance Portability and Accountability Act (HIPAA), and Payment Card Industry Data Security Standards (PCI-DSS)) and data privacy directives (e.g., US Department of Commerce's Safe Harbor directive) can still be hard to assure. Driven by this reality, organizations' tendency is to use on-premises data centers for the hosting of applications and workloads that are subject to these regulations and directives; and, in doing so, forfeit the scalability, agility, and economic advantages (e.g., no capital investments and usage-based pricing) delivered by the cloud services model.

    IBM bridged this gap between cloud benefits and the security of private data centers with the 2013 acquisition of SoftLayer, a cloud computing infrastructure company. Steeped in automation in physical and virtual server provisioning and management, and grounded in security management (e.g., National Institute of Standards and Technology (NIST) 800-53 framework and Cloud Security Alliance's Security, Trust and Assurance Registry (STAR) Self-Assessment), IBM offers the following SoftLayer services.

    SoftLayer Bare Metal Cloud: On-demand provisioning of customer-dedicated physical servers in SoftLayer's data centers, with customer connectivity via a private network port.

    SoftLayer Private Cloud: On-demand provisioning of single tenant virtualized servers hosted in SoftLayer's data centers, with customer connectivity via a private network port.

    SoftLayer Public Cloud: A public cloud Infrastructure as a Service hosted in SoftLayer's data centers.

    Combined, these three SoftLayer services provide IBM customers with cloud infrastructure services without compromise in supporting their varied workloads.


    Security in a fast-paced technology-infused world cries for an "invest once and deploy everywhere" approach. For this to be realized, security must be planned in advance and built-in, yet still be fluidly adaptable to circumstances, and singularly controllable. Lacking this type of security approach, the practice of security in the cloud will be on a path of reactiveness, with expensive and sub-optimized operations.

    IBM has the essential assets to make security work in the cloud:

    IBM has a proven and comprehensive portfolio of security technologies that are extensible into cloud environments. All the technologies that we referenced earlier in this paper are present in IBM. The company also has security solutions designed for unique security challenges present in cloud environments (e.g., mitigating hypervisor vulnerabilities). Additionally, IBM's adherence to standards allows the integration of clients' existing standards-supporting assets.

    IBM's approach to cloud adoption and security is strategic (advancing business through use of cloud), holistic (a cloud environment is a dynamic instance of a private data center, and must encompass all of the same security best practices), and proactive (discover and remediate vulnerabilities ahead of threats).

    And like the private data center, cloud security operations are 24 x 7. IBM's professional and managed security services teams bring the expertise, and proven and reliable practices that client organizations need.

    Michael Suby

    VP of Research

    Stratecast | Frost & Sullivan


    http://www.frost.com

    ABOUT FROST & SULLIVAN

    Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that addresses the global challenges and related growth opportunities that will make or break today's market participants. For more than 50 years, we have been developing growth strategies for the Global 1000, emerging businesses, the public sector and the investment community. Is your organization prepared for the next profound wave of industry convergence, disruptive technologies, increasing competitive intensity, Mega Trends, breakthrough best practices, changing customer dynamics and emerging economies?

    For information regarding permission, write:

    Frost & Sullivan

    331 E. Evelyn Ave. Suite 100

    Mountain View, CA 94041

    ABOUT STRATECAST

    Stratecast collaborates with our clients to reach smart business decisions in the rapidly evolving and hyper-competitive Information and Communications Technology markets. Leveraging a mix of action-oriented subscription research and customized consulting engagements, Stratecast delivers knowledge and perspective that is only attainable through years of real-world experience in an industry where customers are collaborators; today's partners are tomorrow's competitors; and agility and innovation are essential elements for success. Contact your Stratecast Account Executive to engage our experience to assist you in attaining your growth objectives.
