cloud security challenges and solutions

Upload: irshadh-rasheed

Post on 29-May-2018


  • 8/9/2019 Cloud Security Challenges and Solutions

    Slide 1: Cloud Security Challenges and Solutions

    Balraj S Boparai, CISSP
    Worldwide Tivoli Security SWAT Team

    Slide 2: Outline

    Introduction to Cloud Computing
    Security Challenges in the Cloud
    Cloud Security Concerns
    IBM's Point of View on Cloud Security
    IBM Solutions for Securing Cloud
    Assessing the Security Risks of Cloud Computing
    Security as a Service

    Slide 3: Introduction to Cloud Computing

    Slide 4: What is Cloud Computing?

    ... service oriented and service managed

    Cloud is a new consumption and delivery model for many IT-based services, in which the user sees only the service, and has no need to know anything about the technology or implementation.

    Attributes: VISIBILITY, CONTROL, AUTOMATION

    Figure (service-managed attributes):
      Metering & billing
      Rapid provisioning
      Flexible pricing
      Elastic scaling
      Advanced virtualization
      Standardized, consumable web-delivered services
      Service catalog ordering

    Slide 5: Features of Cloud (figure only)

    Slide 6: The Layers of IT-as-a-Service

    Software as a Service
      Collaboration
      Business Processes
      CRM/ERP/HR
      Industry Applications

    Platform as a Service
      Middleware
      Database
      Web 2.0 Application Runtime
      Java Runtime
      Development Tooling

    Infrastructure as a Service
      Servers
      Networking
      Storage
      Data Center Fabric


    Slide 8: Cloud Computing Delivery Models

    ... service sourcing and service value

    ORGANIZATION, CULTURE, GOVERNANCE

    Flexible Delivery Models

    Public
      Service provider owned and managed.
      Access by subscription.
      Delivers a select set of standardized business process, application and/or infrastructure services on a flexible price-per-use basis.

    Private
      Privately owned and managed.
      Access limited to the client and its partner network.
      Drives efficiency, standardization and best practices while retaining greater customization and control.

    Hybrid
      Access to client, partner network, and third party resources.

    Figure (Cloud Services / Cloud Computing Model): the private end of the scale emphasizes customization, efficiency, availability, resiliency, security and privacy; the public end emphasizes standardization, capital preservation, flexibility and time to deploy.

    Slide 9: Security and Cloud Computing (Cloud-onomics)

    Figure (Cloud-onomics):
      Virtualization + Energy Efficiency + Standardization + Automation = Cloud Computing = Reduced Cost
        (leverages virtualization, standardization and service management to free up operational budget for new investment)
      Cloud Computing + Agility + Business & IT Alignment + Service Flexibility + Industry Standards = Optimized Business
        (allowing you to optimize new investments for direct business benefits)

    Slide 10: Security Challenges in the Cloud

    Slide 11: Security and Cloud Computing: What is Cloud Security?

    "There is nothing new under the sun but there are lots of old things we don't know."
    Ambrose Bierce, The Devil's Dictionary

    Figure (lineage): Utility Computing, Grid Computing, Software as a Service, Cloud Computing

    Cloud security: confidentiality, integrity and availability of business-critical IT assets stored or processed on a cloud computing platform.

    Slide 12: Security and Cloud Computing: Security and the building blocks of Cloud Computing

    Building blocks: Strategic Outsourcing, Global Outsourcing, Grid Computing, Service Oriented Architecture, Web 2.0 Collaboration, Virtualization, leading to Cloud Computing

    Risks: Vendor Trust, Legislative Boundaries, Distributed Infrastructure, Web Threats, Data Leakage, Shared Infrastructure

    Technologies: Security SLAs, International Standards, Availability and Resiliency, Web Security, Data Leakage Prevention, Segmentation

    Cloud Computing is a natural evolution of the evolving IT paradigms listed above.
    A variety of security technologies, processes, procedures, laws, and trust models are required to secure the cloud. There is no silver bullet!

    Slide 13: Security and Cloud Computing: Cloud Security, a Simple Example

    Today's Data Center: We Have Control
      It's located at X.
      It's stored in servers Y, Z.
      We have backups in place.
      Our admins control access.
      Our uptime is sufficient.
      The auditors are happy.
      Our security team is engaged.

    Tomorrow's Public Cloud: Who Has Control?
      Where is it located?
      Where is it stored?
      Who backs it up?
      Who has access?
      How resilient is it?
      How do auditors observe?
      How does our security team engage?

    Slide 14: Security and Cloud Computing: Everybody is Concerned about the Security in (Public) Clouds

    New technologies always introduce new threat vectors and new risks.

    External aspects of public clouds exacerbate concerns:
      Black box sharing in clouds reduces visibility and control, and increases the risk of unauthorized access and disclosures.
      Limited compatibility with existing enterprise security infrastructure limits adoption for mission-critical apps.
      Limited experience and low assurance raise doubts over cloud reliability (operational availability, long-term perspective).
      Privacy and accountability regulations may prevent cloud adoption for certain data and in certain geographies.

    Slide 15: Security and Cloud Computing: The Cloud Curtain

    Different Clouds, Different Responsibilities

    Software as a Service
      Collaboration
      Business Processes
      CRM/ERP/HR
      Industry Applications

    Platform as a Service
      Middleware
      Database
      Web 2.0 Application Runtime
      Java Runtime
      Development Tooling

    Infrastructure as a Service
      Servers
      Networking
      Storage
      Data Center Fabric

    Slide 16: Security and Cloud Computing: Recent Analyst Reports Confirm General Concerns, But also Highlight Security as a Potential Market Differentiator

    "Securing your applications or data when they live in a cloud provider's infrastructure is a complicated issue because you lack visibility and control over how things are being done inside someone else's network." Forrester, 5/09

    "Large enterprises should generally avoid placing sensitive information in public clouds, but concentrate on building internal cloud and hybrid cloud capabilities in the near term." Burton, 7/09

    "Cloud approaches offer a unique opportunity to shift a substantial burden for keeping up with threats to a provider for whom security may well be part of the value proposition." EMA, 2/09

    Gartner's 7/09 Hype Curve for Cloud Computing positions Cloud Security Concerns in the early phase (technology trigger, will rise), and gives it a time horizon of 5-10 years.

    "Highly regulated or sensitive proprietary information should not be stored or processed in an external public cloud-based service without appropriate visibility into the provider's technology and processes and/or the use of encryption and other security mechanisms to ensure the appropriate level of information protection." Gartner, 7/09

    Slide 17: Security and Cloud Computing: Security as a Potential Market Differentiator: Different Workloads have Different Risk Profiles

    Figure: Business Risk (Low-risk, Mid-risk, High-risk) against Need for Security Assurance (Low to High), across Public, Private and Hybrid clouds
      Low-risk: training, testing with non-sensitive data
      Mid-risk: analysis & simulation with public data
      High-risk: mission-critical workloads, personal information

    Today's clouds are primarily here (low risk):
      Lower risk workloads
      One-size-fits-all approach to data protection
      No significant assurance
      Price is key

    High value / high risk workloads need:
      Quality of protection adapted to risk
      Direct visibility and control
      Significant level of assurance

    Slide 18: Cloud Security Concerns

    Slide 19: Data Exposure and Compromise

    Organizations are uncomfortable with the idea of data located on external systems.
    Hosted providers cannot ensure absolute security.
    Authentication and access technology becomes increasingly important.
    Data segregation also becomes key in the cloud.

    Slide 20: Reliability of Service

    Reliability is a core advantage of the cloud. It is very scalable and capable of meeting wide variations in processing power and users.
    High availability is still a concern. Many cloud-based offerings do not offer SLAs.
    Any (cloud) offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure.
    Even if the provider refuses to tell you where it will store your data, it should tell you what would happen to your data and service if one of its sites succumbs to a disaster.

    Slide 21: Reduced Ability to Demonstrate Compliance with Regulations, Standards and SLAs

    Public clouds are, mostly by definition, a black box.
    Complying with SOX, HIPAA and similar regulations may prohibit clouds for some applications.
    Geographical requirements.
    A private or hybrid cloud can be configured to meet these requirements.

    Slide 22: Ability to Manage the Security Environment

    CSPs must supply easy visual controls to manage and monitor firewall and other security settings for applications and runtime environments in the cloud.
    No granularity of access (SaaS): usually the only roles available are Admin and Normal User.
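The two-role problem on this slide is easiest to see as a policy check. The following Go program is an added example, not code from the deck or from any IBM product: it puts a coarse "Admin / Normal User" policy next to a granular one in which each role is scoped to an application or runtime path, and evaluates the same requests against both. The users (alice, bob), role names and resource paths are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission grants one action on a resource pattern. A pattern of "*" matches
// everything; a pattern ending in "/*" matches that subtree; otherwise the
// resource must match exactly. An action of "*" matches any action.
type Permission struct {
	Action   string
	Resource string
}

// Role is a named bundle of permissions.
type Role struct {
	Name        string
	Permissions []Permission
}

// Policy maps users to roles and roles to permissions. Anything not granted is denied.
type Policy struct {
	roles    map[string]Role
	bindings map[string][]string
}

func NewPolicy() *Policy {
	return &Policy{roles: map[string]Role{}, bindings: map[string][]string{}}
}

func (p *Policy) AddRole(r Role) { p.roles[r.Name] = r }

func (p *Policy) Bind(user string, roles ...string) {
	p.bindings[user] = append(p.bindings[user], roles...)
}

func matches(pattern, resource string) bool {
	switch {
	case pattern == "*":
		return true
	case strings.HasSuffix(pattern, "/*"):
		prefix := strings.TrimSuffix(pattern, "/*")
		return resource == prefix || strings.HasPrefix(resource, prefix+"/")
	default:
		return pattern == resource
	}
}

// Allowed is deny-by-default: it returns true only if some role bound to the
// user carries a permission whose action and resource pattern both match.
func (p *Policy) Allowed(user, action, resource string) bool {
	for _, roleName := range p.bindings[user] {
		for _, perm := range p.roles[roleName].Permissions {
			if (perm.Action == "*" || perm.Action == action) && matches(perm.Resource, resource) {
				return true
			}
		}
	}
	return false
}

// CoarsePolicy models the two-role SaaS offering the slide describes
// (hypothetical users and resources): every user can read and write
// everything, and admin can do anything at all.
func CoarsePolicy() *Policy {
	p := NewPolicy()
	p.AddRole(Role{Name: "admin", Permissions: []Permission{{"*", "*"}}})
	p.AddRole(Role{Name: "user", Permissions: []Permission{{"read", "*"}, {"write", "*"}}})
	p.Bind("alice", "admin")
	p.Bind("bob", "user")
	return p
}

// GranularPolicy scopes each role to the application or runtime it needs, so
// an order clerk cannot edit billing data and nobody but the firewall admin
// can touch firewall settings.
func GranularPolicy() *Policy {
	p := NewPolicy()
	p.AddRole(Role{Name: "billing-reader", Permissions: []Permission{{"read", "app/billing/*"}}})
	p.AddRole(Role{Name: "orders-editor", Permissions: []Permission{{"read", "app/orders/*"}, {"write", "app/orders/*"}}})
	p.AddRole(Role{Name: "firewall-admin", Permissions: []Permission{{"read", "infra/firewall/*"}, {"write", "infra/firewall/*"}}})
	p.Bind("bob", "orders-editor", "billing-reader")
	p.Bind("alice", "firewall-admin")
	return p
}

func main() {
	checks := []struct{ user, action, resource string }{
		{"bob", "write", "app/billing/invoices"},
		{"bob", "write", "app/orders/1042"},
		{"alice", "write", "app/orders/1042"},
		{"alice", "write", "infra/firewall/rules"},
	}
	coarse, fine := CoarsePolicy(), GranularPolicy()
	for _, c := range checks {
		fmt.Printf("%-6s %-5s %-24s coarse=%-5t granular=%t\n", c.user, c.action, c.resource,
			coarse.Allowed(c.user, c.action, c.resource), fine.Allowed(c.user, c.action, c.resource))
	}
}
```

The granular policy is what a tenant would ask a CSP for: the evaluator is identical in both cases, the only difference is that roles carry resource scopes instead of a blanket "*", so a compromised or careless Normal User account no longer implies write access to every application in the tenancy.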

    Slide 23: IBM's Point of View on Cloud Security

    Security and Cloud Computing

    Slide 24: Security and Cloud Computing: Layers of a typical Cloud Service

    Cloud Delivered Services
      Infrastructure as a service: virtualized servers, storage, networking
      Platform as a service: optimized middleware (application servers, database servers, portal servers)
      Application as a service: application software licensed for use as a service provided to customers on demand

    Cloud Platform
      Business Support Services: offering mgmt, customer mgmt, ordering mgmt, billing
      Operational Support Services: infrastructure provisioning; instance, image, resource / asset mgmt
      Virtualized Resources: virtual network, server, storage
      System Resources: network, server, storage
      Physical System and Environment

    Slide 25: Security and Cloud Computing: IBM's Architectural Model for Cloud Computing

    Service Request & Operations
      End Users, Operators
      Service Catalog
      Operational Console
      Standards Based Interfaces

    Service Provider
      Cloud Services: Infrastructure as a Service, Platform as a Service, Application/Software as a Service
      Cloud Management Platform: Service Delivery Platform, Operational Support Systems (OSS), Business Support Systems (BSS), Role-based Access

    Service Creation
      Service Definition Tools
      Service Publishing Tools
      Service Reporting & Analytics
      Service Planning

    Slide 26: Security and Cloud Computing: Cloud Security = SOA Security + Secure New Runtime (9/15/2009)

    Figure: the architectural model of slide 25 (Service Request & Operations; Service Provider with Cloud Services and Cloud Management Platform; Service Creation) annotated with two groups of security capabilities.

    Service Oriented Architecture security
      Secure integration with existing enterprise security infrastructure
      Federated identity / identity as a service
      Authorization, entitlements
      Log, audit and compliance reporting
      Intrusion prevention

    Identity & Security as a Service, spanning Application / Software as a Service, Platform as a Service and Infrastructure as a Service

    Secure Runtime for Virtual Images and Virtual Storage (Business Support Services, Operational Support Services, Virtualized Resources, System Resources, Physical System / Environment)
      Process isolation, data segregation
      Control of privileged user access
      Provisioning with security and location constraints
      Image provenance, image & VM integrity
      Multi-tenant security services (identity, compliance reporting, etc.)
      Multi-tenant intrusion prevention
      Consistency top-to-bottom

    Slide 27: IBM Security Framework

    It's clear to IBM that a variety of security technologies, processes, procedures, laws, and trust models are required to secure the cloud. There is no silver bullet for securing the cloud.

    World class solutions: software, hardware and services
    3rd-party audit (SAS 70(2), ISO27001, PCI)

    Slide 28: IBM Solutions for Securing Cloud

    Slide 29: People and Identity

    Businesses need to make sure people across their organization and supply chain have access to the data and tools that they need, when they need it, while blocking those who do not need or should not have access.

    Tivoli Identity Manager

    Tivoli Federated Identity Manager
      Offers a single access method for users into cloud and traditional applications.
      Cloud computing infrastructures involve enormous pools of external users constantly logging in to leverage shared IT services, and this product's authentication management features can help deliver significant business value.

    Tivoli Access Manager for Operating Systems
      It can help protect individual application, network, data, and operating system resources.
      Single security model

    Slide 30: Information and Data

    Earlier, data could be protected with a perimeter. Now data needs to be secured wherever it resides and while it is in motion: capabilities for monitoring, access management and encryption.

    IBM's Systems, Storage, and Network Segmentation Solutions offer application isolation, OS containers, encrypted storage, VLANs and other isolation technologies for a secure multi-tenant infrastructure.

    Tivoli Key Lifecycle Manager
    IBM Data Encryption for IMS and DB2 Databases
    IBM Database Encryption Expert
      Transparently protect any file on the file system
      Transparently encrypt DB2 backup files
      Protects information in online and offline environments
    Backup and recovery of data stored remotely in the cloud
    IBM Information Protection Services

    Slide 31: Process and Application

    Enterprises need to preemptively and proactively protect their business-critical applications. The focus is more on Web applications.

    Rational AppScan
      Provides automated Web application scanning and testing for all common Web application vulnerabilities, including the WASC threat classification (such as SQL injection, cross-site scripting and buffer overflow), and intelligent fix recommendations to ease remediation.

    Rational Policy Tester
      Ensures site privacy by scanning web content and producing actionable reports to identify issues that may impact compliance.

    ISS Professional Security Services

    IBM Optim Data Privacy Solutions
      De-identify confidential information to protect privacy and support compliance initiatives by applying a range of masking and fictionalized substitution techniques.

    IBM Tivoli Security Information and Event Manager

    Slide 32: Optim's data masking techniques (figure only)
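Slides 31 and 32 name masking and fictionalized substitution without showing what they do to a record. The Go program below is an added illustration written for this page, not Optim's code or its algorithm: it de-identifies a customer record with a keyed deterministic pseudonym for names and e-mail addresses (so masked tables still join on the same person) and a non-reversible partial mask for card numbers. The substitution pools, the key and the sample records are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// Masker de-identifies records with a secret key that stays in the production
// environment. Output is deterministic, so the same real value always maps to
// the same fake value and joins between masked tables still line up, while
// nobody holding only the masked copy can reverse the mapping.
type Masker struct{ key []byte }

func NewMasker(key []byte) *Masker { return &Masker{key: key} }

// tag is a keyed digest of (field, value). The field label keeps the name
// pseudonym for a person unrelated to the e-mail pseudonym for the same person,
// and the normalization makes "Alice Smith" and " alice smith " collide on purpose.
func (m *Masker) tag(field, value string) []byte {
	h := hmac.New(sha256.New, m.key)
	h.Write([]byte(field))
	h.Write([]byte{0})
	h.Write([]byte(strings.ToLower(strings.TrimSpace(value))))
	return h.Sum(nil)
}

// Constructed substitution pools for fictionalized substitution.
var firstNames = []string{"Avery", "Blake", "Casey", "Dakota", "Emerson", "Finley", "Harper", "Jordan"}
var lastNames = []string{"Abbott", "Bishop", "Carver", "Dalton", "Ellison", "Fowler", "Garner", "Holden"}

// Name replaces a real name with one drawn from the pools, selected by the keyed digest.
func (m *Masker) Name(real string) string {
	t := m.tag("name", real)
	fi := binary.BigEndian.Uint32(t[0:4]) % uint32(len(firstNames))
	li := binary.BigEndian.Uint32(t[4:8]) % uint32(len(lastNames))
	return firstNames[fi] + " " + lastNames[li]
}

// Email keeps the shape of an address but discards both the real local part
// and the real domain (a domain alone can identify an employer).
func (m *Masker) Email(real string) string {
	return "user-" + hex.EncodeToString(m.tag("email", real))[:10] + "@example.com"
}

// MaskCard keeps only the last four digits, which is usually enough for test
// and support workflows; it needs no key because it is not meant to be reversible.
func MaskCard(pan string) string {
	var digits strings.Builder
	for _, r := range pan {
		if r >= '0' && r <= '9' {
			digits.WriteRune(r)
		}
	}
	d := digits.String()
	if len(d) <= 4 {
		return strings.Repeat("*", len(d))
	}
	return strings.Repeat("*", len(d)-4) + d[len(d)-4:]
}

// Record is a constructed customer row with three kinds of sensitive field.
type Record struct{ Name, Email, Card string }

func (m *Masker) Mask(r Record) Record {
	return Record{Name: m.Name(r.Name), Email: m.Email(r.Email), Card: MaskCard(r.Card)}
}

func main() {
	m := NewMasker([]byte("constructed-demo-key-keep-out-of-the-test-environment"))
	for _, r := range []Record{
		{"Alice Smith", "alice.smith@corp.example", "4111 1111 1111 1234"},
		{"alice smith", "ALICE.SMITH@corp.example", "5555-4444-3333-9876"},
	} {
		fmt.Printf("%+v -> %+v\n", r, m.Mask(r))
	}
}
```

The design choice worth noting is the key: with a plain hash, anyone with a list of real customers could recompute the pseudonyms and re-identify the masked copy, so the mapping is keyed and the key is treated as production secret material, never shipped with the de-identified data set.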

    Slide 33: Network, Server and Endpoint

    Proactive threat and vulnerability monitoring
    Security of the virtualization stack
    ISS Virtualization Security
    Proventia Virtualized Network Security Platform (VNSP)
    IBM Proventia Server Intrusion Prevention System (IPS)
    IBM RealSecure Server Sensor


    Slide 35: Security and Cloud Computing: Physical Infrastructure

    Effective physical security requires a centralized management system that allows the monitoring of property, employees, customers and the general public.

    Slide 36: Security and Cloud Computing: Physical Infrastructure

    BCRS Resilient Cloud Validation Program
      Summary: IBM Business Continuity and Resiliency Services (BCRS) plans to offer a validation program for cloud service providers to ensure the resiliency of their business.
      Cloud Use Case: By using proven BCRS resiliency consulting methodology, combined with traditional shared and dedicated asset business and resiliency managed services, IBM is positioning BCRS as the premier resiliency provider to Cloud service providers.

    High Performance On Demand Solutions (HiPODS) + IBM ISS Security Operations Centers
      Summary: HiPODS is a group of specialists within IBM's Software Strategy group, with seven cloud computing locations around the world. IBM also has eight Security Operations Centers (SOCs) with a global reach to serve clients with international capabilities and a local presence.
      Cloud Use Case: The HiPODS team can create a project team anywhere in the world in minutes and assign servers / storage for a project in less than an hour. IBM SOCs monitor more than 17,000 security devices on behalf of 3,700 customers.

    Figure (Resilient Cloud, public or private):
      Disaster Recovery: restoration and availability of cloud computing resources
      Data Location: ability to process data in specific jurisdictions according to local requirements

    Slide 37: Security and Cloud Computing: IBM Security has all the Capabilities and Credentials to Provide Enterprise-grade Security for Cloud Computing

    Figure: IBM Research, GTS, ITS, GBS; Smart Planet, Dynamic Infrastructure

    Slide 38: Cloud computing also provides the opportunity to simplify security controls and defenses

    People and Identity
      Cloud enabled control(s): defined set of cloud interfaces; centralized repository of Identity and Access Control policies
      Benefit: reduced risk of user access to unrelated resources

    Information and Data
      Cloud enabled control(s): computing services running in isolated domains as defined in service catalogs; default encryption of data in motion & at rest; virtualized storage providing better inventory, control and tracking of master data
      Benefit: improved accountability; reduced risk of data leakage / loss; reduced attack surface and threat window; less likelihood that an attack would propagate

    Process & Application
      Cloud enabled control(s): autonomous security policies and procedures; personnel and tools with specialized knowledge of the cloud ecosystem; SLA-backed availability and confidentiality
      Benefit: improved protection of assets and increased accountability of business and IT users

    Network, Server and Endpoint
      Cloud enabled control(s): automated provisioning and reclamation of hardened runtime images; dynamic allocation of pooled resources to mission-oriented ensembles
      Benefit: reduced attack surface; improved forensics with ensemble snapshots

    Physical Infrastructure
      Cloud enabled control(s): closer coupling of systems to manage physical and logical identity / access
      Benefit: improved ability to enforce access policy and manage compliance

    Slide 39: Assessing the Security Risks of Cloud Computing

    Slide 40: Key Findings

    The most practical way to evaluate the risks associated with using a service in the cloud is to get a third party to do it.
    Cloud-computing IT risks in areas such as data segregation, data privacy, privileged user access, service provider viability, availability and recovery should be assessed like any other externally provided service.
    Location independence and the possibility of service provider "subcontracting" result in IT risks, legal issues and compliance issues that are unique to cloud computing.
    If your business managers are making unauthorized use of external computing services, then they are circumventing corporate security policies and creating unrecognized and unmanaged information-related risks.

    Slide 41: Recommendations

    Organizations that have IT risk assessment capabilities and controls for externally sourced services should apply them to the appropriate aspects of cloud computing.
    Legal, regulatory and audit issues associated with location independence and service subcontracting should be assessed before cloud-based services are used.
    Demand transparency from the CSP. Don't contract for IT services with a vendor that refuses to provide detailed information on its security and continuity management programs.
    Develop a strategy for the controlled and secure use of alternative delivery mechanisms, so that business managers know when they are appropriate to use and have a recognized approval process to follow.

    Slide 42: What to Evaluate

    Privileged User Access
      Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access.

    Compliance
      The cloud computing provider should be willing to submit to external audits and security certifications.

    Data Location
      Need to meet national privacy regulations.
      Is the provider willing to give a contractual commitment to obey the law on your behalf?

    Data Segregation
      Ask for evidence that the encryption implementation was designed and tested by experienced specialists.
      Encryption accidents can make data totally unusable, and even normal encryption can complicate availability.
      Who has access to the decryption keys?
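The last two questions on this slide (who holds the keys, and what an encryption accident looks like) are easiest to reason about with a concrete key arrangement. The Go program below is an added example, not from the deck or any IBM product, of envelope encryption: each stored object is encrypted under its own data key (DEK), and the DEK is stored only wrapped under a key-encryption key (KEK) that stays with the customer. The object name, the key-holder roles and the sample record are constructed for the example; in practice the KEK would live in the customer's key manager or HSM rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredObject is everything the provider keeps. It contains no key material in
// usable form: the per-object data key (DEK) is wrapped under a key-encryption
// key (KEK) that never leaves the customer's side.
type StoredObject struct {
	Name       string // also bound into both ciphertexts as associated data
	WrappedDEK []byte // nonce || AES-GCM under KEK of the DEK
	Ciphertext []byte // nonce || AES-GCM under DEK of the plaintext
}

// NewKey returns 32 random bytes, i.e. an AES-256 key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce and prepends the nonce to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal. A wrong key, a modified ciphertext or a different object
// name all fail authentication and return an error instead of garbage.
func open(key, blob, aad []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// Encrypt generates a DEK for this object, encrypts the data under it, then
// wraps the DEK under the customer's KEK. Only the wrapped form is stored.
func Encrypt(kek []byte, name string, plaintext []byte) (StoredObject, error) {
	dek, err := NewKey()
	if err != nil {
		return StoredObject{}, err
	}
	ct, err := seal(dek, plaintext, []byte(name))
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := seal(kek, dek, []byte(name))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Name: name, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt must unwrap the DEK with the KEK first. Without the KEK the stored
// object is opaque to the provider; if the customer loses the KEK the data is
// unrecoverable, which is the "encryption accident" the slide warns about.
func Decrypt(kek []byte, obj StoredObject) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK, []byte(obj.Name))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %q: %w", obj.Name, err)
	}
	return open(dek, obj.Ciphertext, []byte(obj.Name))
}

func main() {
	kek, _ := NewKey() // customer-held KEK (constructed here; normally from a key manager)
	obj, err := Encrypt(kek, "orders.db", []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, obj)
	fmt.Printf("with KEK:    %q err=%v\n", pt, err)
	providerKey, _ := NewKey() // any key the provider might hold is useless without the KEK
	_, err = Decrypt(providerKey, obj)
	fmt.Printf("without KEK: err=%v\n", err)
}
```

Two properties map directly onto the evaluation questions: the answer to "who has access to the decryption keys" is whoever can unwrap DEKs, which this layout makes the KEK holder alone, and the availability caveat shows up as the fact that a lost or mismatched KEK turns every object into an authentication failure, so KEK backup and rotation procedures belong in the same assessment.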

    Slide 43: What to Evaluate (Cont.)

    Availability
      Do cloud-based offerings provide service level commitments?

    Recovery
      How will the cloud offering recover from a total disaster?
      The provider may not tell you where data is stored, but does it have the ability to do a complete restoration, and how long will it take?

    Investigative Support
      Cloud services are especially difficult to investigate.
      Contractual commitment to support specific forms of investigation, including electronic discovery.

    Viability
      Long-term viability of any external service provider.

    Support in Reducing Risk
      CSPs should inform customers how to use their product safely and reliably.

    Slide 44: How to Assess

    Evaluate the service provider in person.
    Use a neutral third party to perform a security assessment.
    Accept whatever assurances the service provider offers.

    Ultimately, your ability to assess the risk of using a particular service provider comes down to its degree of transparency.

    trust.salesforce.com

    Slide 45: Security as a Service


    Slide 47: Thank You