cloud security challenges and solutions
TRANSCRIPT
-
8/9/2019 Cloud Security Challenges and Solutions
1/47
1
Cloud Security Challenges and Solutions
- Balraj S Boparai, CISSP
Worldwide Tivoli Security SWAT Team
-
Outline
Introduction to Cloud Computing
Security Challenges in the Cloud
Cloud Security Concerns
IBM's Point of View on Cloud Security
IBM Solutions for Securing Cloud
Assessing the Security Risks of Cloud Computing
Security as a Service
-
Introduction to Cloud Computing
-
What is Cloud Computing?
....service oriented and service managed
Cloud is a new consumption and delivery model for many IT-based services, in which the user sees only the service, and has no need to know anything about the technology or implementation.
Attributes: visibility, control, automation
Metering & billing
Rapid provisioning
Flexible pricing
Elastic scaling
Advanced virtualization
Standardized, consumable web-delivered services
Service catalog ordering
-
Features of Cloud
-
The Layers of IT-as-a-Service
Software as a Service: Collaboration, Business Processes, CRM/ERP/HR, Industry Applications
Platform as a Service: Middleware, Database, Web 2.0 Application Runtime, Java Runtime, Development Tooling
Infrastructure as a Service: Servers, Networking, Storage, Data Center Fabric
-
...service sourcing and service value
Cloud Computing Delivery Models
Organization, culture, governance
Flexible Delivery Models
Public: Service provider owned and managed. Access by subscription. Delivers a select set of standardized business process, application and/or infrastructure services on a flexible price-per-use basis.
Private: Privately owned and managed. Access limited to the client and its partner network. Drives efficiency, standardization and best practices while retaining greater customization and control.
Hybrid: Access to client, partner network, and third party resources.
Cloud computing model (figure): customization, efficiency, availability, resiliency, security and privacy on the private side; standardization, capital preservation, flexibility and time to deploy on the public side.
-
Security and Cloud Computing
Cloud-onomics
Virtualization + energy efficiency + standardization + automation = reduced cost: leverages virtualization, standardization and service management to free up operational budget for new investment.
Cloud computing = agility + business & IT alignment + service flexibility + industry standards = optimized business: allowing you to optimize new investments for direct business benefits.
-
Security Challenges in the Cloud
-
Security and Cloud Computing
What is Cloud Security?
"There is nothing new under the sun, but there are lots of old things we don't know."
Ambrose Bierce, The Devil's Dictionary
Lineage (figure): Software as a Service, Utility Computing, Grid Computing, Cloud Computing
Confidentiality, integrity and availability of business-critical IT assets stored or processed on a cloud computing platform.
-
Security and the Building Blocks of Cloud Computing
Security and Cloud Computing
Building blocks (figure): Strategic Outsourcing, Global Outsourcing, Grid Computing, Service Oriented Architecture, Web 2.0 Collaboration, Virtualization, leading to Cloud Computing
Risks: vendor trust, legislative boundaries, distributed infrastructure, web threats, data leakage, shared infrastructure
Technologies: security SLAs, international standards, availability and resiliency, web security, data leakage prevention, segmentation technologies
Cloud Computing is a natural evolution of the evolving IT paradigms listed above.
A variety of security technologies, processes, procedures, laws, and trust models are required to secure the cloud. There is no silver bullet!
-
Security and Cloud Computing
Cloud Security: Simple Example
Today's Data Center: We Have Control
It's located at X.
It's stored in servers Y, Z.
We have backups in place.
Our admins control access.
Our uptime is sufficient.
The auditors are happy.
Our security team is engaged.
Tomorrow's Public Cloud: Who Has Control?
Where is it located?
Where is it stored?
Who backs it up?
Who has access?
How resilient is it?
How do auditors observe?
How does our security team engage?
-
Security and Cloud Computing
Everybody is Concerned about the Security in (Public) Clouds
New technologies always introduce new threat vectors and new risks.
External aspects of public clouds exacerbate concerns:
Black box sharing in clouds reduces visibility and control, and increases the risk of unauthorized access and disclosures.
Limited compatibility with existing enterprise security infrastructure limits adoption for mission-critical apps.
Limited experience and low assurance raise doubts over cloud reliability (operational availability, long-term perspective).
Privacy and accountability regulations may prevent cloud adoption for certain data and in certain geographies.
-
Security and Cloud Computing
Different Clouds, Different Responsibilities
The Cloud Curtain (figure): the line between provider and customer responsibility is drawn across the layers below, at a different layer for each delivery model.
Software as a Service: Collaboration, Business Processes, CRM/ERP/HR, Industry Applications
Platform as a Service: Middleware, Database, Web 2.0 Application Runtime, Java Runtime, Development Tooling
Infrastructure as a Service: Servers, Networking, Storage, Data Center Fabric
-
Security and Cloud Computing
Recent Analyst Reports Confirm General Concerns, But also Highlight Security as a Potential Market Differentiator
"Securing your applications or data when they live in a cloud provider's infrastructure is a complicated issue because you lack visibility and control over how things are being done inside someone else's network." Forrester, 5/09
"Large enterprises should generally avoid placing sensitive information in public clouds, but concentrate on building internal cloud and hybrid cloud capabilities in the near term." Burton, 7/09
"Cloud approaches offer a unique opportunity to shift a substantial burden for keeping up with threats to a provider for whom security may well be part of the value proposition." EMA, 2/09
Gartner's 7/09 Hype Curve for Cloud Computing positions Cloud Security Concerns in the early phase (technology trigger, will rise), and gives it a time horizon of 5-10 years.
"Highly regulated or sensitive proprietary information should not be stored or processed in an external public cloud-based service without appropriate visibility into the provider's technology and processes and/or the use of encryption and other security mechanisms to ensure the appropriate level of information protection." Gartner, 7/09
-
Security and Cloud Computing
Security as a Potential Market Differentiator: Different Workloads have Different Risk Profiles
Axes (figure): business risk from low to high; need for security assurance from low to high; delivery model from public through hybrid to private
Low-risk: training, testing with non-sensitive data
Mid-risk: analysis & simulation with public data
High-risk: mission-critical workloads, personal information
Today's clouds are primarily here (low risk): lower risk workloads; one-size-fits-all approach to data protection; no significant assurance; price is key
High value / high risk workloads need: quality of protection adapted to risk; direct visibility and control; significant level of assurance
-
Cloud Security Concerns
-
Data Exposure and Compromise
Organizations are uncomfortable with the idea of data located on external systems
Hosted providers cannot ensure absolute security
Authentication and access technology becomes increasingly important
Data segregation also becomes key in the cloud
-
Reliability of Service
Reliability is a core advantage in the cloud. It is very scalable and capable of meeting wide variations in processing power and users.
High availability is still a concern. Many cloud based offerings do not offer SLAs.
Any (cloud) offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure.
Even if a provider refuses to tell you where it will store your data, it should tell you what would happen to your data and service if one of its sites succumbs to a disaster.
-
Reduced Ability to Demonstrate Compliance with Regulations, Standards and SLAs
Public clouds are mostly, by definition, a black box
Complying with SOX, HIPAA etc. regulations may prohibit clouds for some applications
Geographical requirements
A private or hybrid cloud can be configured to meet these requirements
-
Ability to Manage the Security Environment
CSPs must supply easy visual controls to manage and monitor firewall and other security settings for applications and runtime environments in the cloud
No granularity of access (SaaS): usually the only roles available are Admin and Normal User
-
IBM's Point of View on Cloud Security
Security and Cloud Computing
-
Layers of a Typical Cloud Service
Security and Cloud Computing
Cloud Platform:
Physical System and Environment
System Resources: network, server, storage
Virtualized Resources: virtual network, server, storage
Operational Support Services: infrastructure provisioning; instance, image, resource / asset management
Business Support Services: offering management, customer management, ordering management, billing
Cloud Delivered Services:
Infrastructure as a Service: virtualized servers, storage, networking
Platform as a Service: optimized middleware (application servers, database servers, portal servers)
Application as a Service: application software licensed for use as a service provided to customers on demand
-
IBM's Architectural Model for Cloud Computing
Security and Cloud Computing
Figure: Cloud Management Platform spanning three roles
Service Request & Operations (end users, operators): service catalog, operational console, standards-based interfaces
Service Provider: Service Delivery Platform with Operational Support Systems (OSS) and Business Support Systems (BSS); cloud services delivered as Infrastructure as a Service, Platform as a Service and Application/Software as a Service
Service Creation: service definition tools, service publishing tools
Also shown: service reporting & analytics, service planning, role-based access
-
Security and Cloud Computing
9/15/2009
Cloud Security = SOA Security + Secure New Runtime
(Figure: the architectural model of the previous slide, annotated with the security capabilities listed below.)
Service Oriented Architecture security, covering Application / Software as a Service, Platform as a Service, Infrastructure as a Service and Identity & Security as a Service:
Secure integration with existing enterprise security infrastructure
Federated identity / identity as a service
Authorization, entitlements
Log, audit and compliance reporting
Intrusion prevention
Secure Runtime for Virtual Images and Virtual Storage, covering Business Support Services, Operational Support Services, Virtualized Resources, System Resources and the Physical System / Environment:
Process isolation, data segregation
Control of privileged user access
Provisioning with security and location constraints
Image provenance, image & VM integrity
Multi-tenant security services (identity, compliance reporting, etc.)
Multi-tenant intrusion prevention
Consistency top-to-bottom
-
IBM Security Framework
It's clear to IBM that a variety of security technologies, processes, procedures, laws, and trust models are required to secure the cloud. There is no silver bullet for securing the cloud.
World class solutions: software, hardware and services
3rd-party audit (SAS 70(2), ISO27001, PCI)
-
IBM solutions for securing cloud
-
People and Identity
Businesses need to make sure people across their organization and supply chain have access to the data and tools that they need, when they need it, while blocking those who do not need or should not have access.
Tivoli Identity Manager
Tivoli Federated Identity Manager: offers a single access method for users into cloud and traditional applications. Cloud computing infrastructures involve enormous pools of external users constantly logging in to leverage shared IT services, and this product's authentication management features can help deliver significant business value.
Tivoli Access Manager for Operating Systems: can help protect individual application, network, data, and operating system resources under a single security model.
-
Information and Data
Earlier, data could be protected by the perimeter. Now data needs to be secured wherever it resides and while it is in motion, with capabilities for monitoring, access management and encryption.
IBM's Systems, Storage, and Network Segmentation Solutions offer application isolation, OS containers, encrypted storage, VLANs and other isolation technologies for a secure multi-tenant infrastructure.
Tivoli Key Lifecycle Manager
IBM Data Encryption for IMS and DB2 Databases
IBM Database Encryption Expert: transparently protects any file on the file system; transparently encrypts DB2 backup files; protects information in online and offline environments.
IBM Information Protection Services: backup and recovery of data stored remotely in the cloud.
-
Process and Application
Enterprises need to preemptively and proactively protect their business-critical applications. The focus is more on Web applications.
Rational AppScan: provides automated Web application scanning and testing for all common Web application vulnerabilities, including the WASC threat classification (such as SQL injection, cross-site scripting, and buffer overflow), and intelligent fix recommendations to ease remediation.
Rational Policy Tester: ensures site privacy by scanning web content and producing actionable reports to identify issues that may impact compliance.
ISS Professional Security Services
IBM Optim Data Privacy Solutions: de-identify confidential information to protect privacy and support compliance initiatives by applying a range of masking and fictionalized substitution techniques.
IBM Tivoli Security Information and Event Manager
-
Optim's data masking techniques
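The slide above only names the masking techniques (masking and fictionalized substitution) that Optim applies; the slide itself is an image. The following added example, which is not IBM's or Optim's code, shows what those techniques look like in practice on a constructed payroll row: partial masking of an identifier, keyed (HMAC-based) fictional substitution of names, pseudonymisation of e-mail addresses, and generalisation of a salary into a band. The record layout, the name pools and the masking key are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is a constructed sample row, the kind a copy of a production table
// would hold before it is handed to a test or analytics environment.
type Record struct {
	Name   string
	Email  string
	SSN    string
	Salary int
}

// MaskedRecord is the de-identified row that leaves the production boundary.
type MaskedRecord struct {
	Name       string
	Email      string
	SSN        string
	SalaryBand string
}

// Fictional name pools for substitution (constructed for this example).
var firstNames = []string{"Alex", "Blake", "Casey", "Dana", "Evan", "Frankie", "Gray", "Harper"}
var lastNames = []string{"Adler", "Bishop", "Crane", "Dorsey", "Ellis", "Fox", "Grant", "Hale"}

// keyedDigest returns HMAC-SHA256(key, normalised value). The same input always
// maps to the same output, so foreign keys across tables stay consistent, while
// nobody without the key can rebuild the real-to-fake mapping or guess it offline.
func keyedDigest(key []byte, value string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(value))))
	return mac.Sum(nil)
}

// MaskSSN is partial masking: only the last four digits survive, enough for a
// helpdesk to confirm an identity but not enough to reuse the number.
func MaskSSN(ssn string) string {
	digits := strings.ReplaceAll(ssn, "-", "")
	if len(digits) < 4 {
		return strings.Repeat("*", len(digits))
	}
	return "***-**-" + digits[len(digits)-4:]
}

// SubstituteName is fictionalised substitution: a plausible fake name picked
// from the pools by the keyed digest of the real one.
func SubstituteName(key []byte, name string) string {
	d := keyedDigest(key, name)
	return firstNames[int(d[0])%len(firstNames)] + " " + lastNames[int(d[1])%len(lastNames)]
}

// PseudonymiseEmail keeps the domain (so routing and format checks still behave)
// and replaces the local part with a keyed token.
func PseudonymiseEmail(key []byte, email string) string {
	at := strings.LastIndex(email, "@")
	if at < 0 {
		return "invalid@example.invalid"
	}
	token := hex.EncodeToString(keyedDigest(key, email[:at]))[:10]
	return "user-" + token + email[at:]
}

// BucketSalary generalises an exact figure into a 10k band: analysts keep the
// distribution, and an exact salary can no longer single out one employee.
func BucketSalary(salary int) string {
	if salary < 0 {
		salary = 0
	}
	lo := (salary / 10000) * 10000
	return fmt.Sprintf("%d-%d", lo, lo+9999)
}

// MaskRecord applies one technique per column.
func MaskRecord(key []byte, r Record) MaskedRecord {
	return MaskedRecord{
		Name:       SubstituteName(key, r.Name),
		Email:      PseudonymiseEmail(key, r.Email),
		SSN:        MaskSSN(r.SSN),
		SalaryBand: BucketSalary(r.Salary),
	}
}

func main() {
	// Constructed masking key: in practice it lives in a key manager, never in source.
	key := []byte("constructed-masking-key-do-not-reuse")
	rows := []Record{
		{"Jane Doe", "jane.doe@example.com", "123-45-6789", 84500},
		{"JANE DOE", "Jane.Doe@example.com", "123-45-6789", 84500}, // same person, different casing
	}
	for _, r := range rows {
		fmt.Printf("%+v -> %+v\n", r, MaskRecord(key, r))
	}
}
```

Two rows for the same person mask to the same fictional name and e-mail token, which is what keeps joins between masked tables working; the masking key is the only thing that ties the fake values back to the real ones, so it has to be protected like any other secret and must never ship with the masked copy.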
-
Network, Server and Endpoint
Proactive threat and vulnerability monitoring
Security of the virtualization stack
ISS Virtualization Security
Proventia Virtualized Network Security Platform (VNSP)
IBM Proventia Server Intrusion Prevention System (IPS)
IBM RealSecure Server Sensor
-
Security and Cloud Computing
Physical Infrastructure
Effective physical security requires a centralized management system that allows the monitoring of property, employees, customers and the general public.
-
Physical Infrastructure
BCRS Resilient Cloud Validation Program
Summary: IBM Business Continuity and Resiliency Services (BCRS) plans to offer a validation program for cloud service providers to ensure the resiliency of their business.
Cloud Use Case: By using proven BCRS resiliency consulting methodology, combined with traditional shared and dedicated asset business and resiliency managed services, IBM is positioning BCRS as the premier resiliency provider to Cloud service providers.
High Performance On Demand Solutions (HiPODS) + IBM ISS Security Operations Centers
Summary: HiPODS is a group of specialists within IBM's Software Strategy group, with seven cloud computing locations around the world. IBM also has eight Security Operations Centers (SOCs) with a global reach to serve clients with international capabilities and a local presence.
Cloud Use Case: The HiPODS team can create a project team anywhere in the world in minutes and assign servers / storage for a project in less than an hour. IBM SOCs monitor more than 17,000 security devices on behalf of 3,700 customers.
Resilient Cloud, public or private (figure):
Disaster Recovery: restoration and availability of cloud computing resources
Data Location: ability to process data in specific jurisdictions according to local requirements
Security and Cloud Computing
-
IBM Security has all the Capabilities and Credentials to Provide Enterprise-grade Security for Cloud Computing
Figure: IBM Research, GTS, ITS, GBS; Smart Planet, Dynamic Infrastructure
Security and Cloud Computing
-
Cloud Enabled Control(s) and Benefit
People and Identity
Controls: defined set of cloud interfaces; centralized repository of identity and access control policies
Benefit: reduced risk of user access to unrelated resources
Information and Data
Controls: computing services running in isolated domains as defined in service catalogs; default encryption of data in motion & at rest; virtualized storage providing better inventory, control and tracking of master data
Benefits: improved accountability and reduced risk of data leakage / loss; reduced attack surface and threat window; less likelihood that an attack would propagate
Process & Application
Controls: autonomous security policies and procedures; personnel and tools with specialized knowledge of the cloud ecosystem; SLA-backed availability and confidentiality
Benefit: improved protection of assets and increased accountability of business and IT users
Network, Server and Endpoint
Controls: automated provisioning and reclamation of hardened runtime images; dynamic allocation of pooled resources to mission-oriented ensembles
Benefits: reduced attack surface; improved forensics with ensemble snapshots
Physical Infrastructure
Controls: closer coupling of systems to manage physical and logical identity / access
Benefit: improved ability to enforce access policy and manage compliance
Cloud computing also provides the opportunity to simplify security controls and defenses.
-
Assessing the Security Risks of Cloud Computing
-
Key Findings
The most practical way to evaluate the risks associated with using a service in the cloud is to get a third party to do it.
Cloud-computing IT risks in areas such as data segregation, data privacy, privileged user access, service provider viability, availability and recovery should be assessed like any other externally provided service.
Location independence and the possibility of service provider "subcontracting" result in IT risks, legal issues and compliance issues that are unique to cloud computing.
If your business managers are making unauthorized use of external computing services, then they are circumventing corporate security policies and creating unrecognized and unmanaged information-related risks.
-
Recommendations
Organizations that have IT risk assessment capabilities and controls for externally sourced services should apply them to the appropriate aspects of cloud computing.
Legal, regulatory and audit issues associated with location independence and service subcontracting should be assessed before cloud-based services are used.
Demand transparency from the CSP. Don't contract for IT services with a vendor that refuses to provide detailed information on its security and continuity management programs.
Develop a strategy for the controlled and secure use of alternative delivery mechanisms, so that business managers know when they are appropriate to use and have a recognized approval process to follow.
-
What to Evaluate
Privileged User Access: Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access.
Compliance: The cloud computing provider should be willing to submit to external audits and security certifications.
Data Location: Need to meet national privacy regulations. Is the provider willing to give a contractual commitment to obey the law on your behalf?
Data Segregation: Ask for evidence that the encryption implementation was designed and tested by experienced specialists. Encryption accidents can make data totally unusable, and even normal encryption can complicate availability. Who has access to the decryption keys?
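The two questions the Data Segregation item raises (who holds the decryption keys, and how an encryption accident turns into data loss) are easiest to see in a concrete key-custody design. The following is an added example, not IBM's or any named product's code, of envelope encryption: each object is encrypted under its own data encryption key (DEK), and the DEK is wrapped under a key encryption key (KEK) that stays with the customer, so the provider storing the envelope cannot read it; a rewrap step shows how to rotate the KEK without losing access to the data. The key labels and the payload are constructed, and the keys are generated in memory where a real deployment would use a key manager or HSM. The same example also illustrates the "default encryption of data at rest" control from the Cloud Enabled Controls table.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what the provider stores: data encrypted under a per-object DEK,
// plus that DEK wrapped under a customer-held KEK. The envelope alone reveals nothing.
type Envelope struct {
	KEKID      string // label of the KEK the DEK is wrapped under
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK, aad = KEKID)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; the GCM tag makes a wrong key or a tampered blob fail loudly.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// Encrypt draws a fresh DEK for this object, encrypts the data with it and wraps
// the DEK under the customer's KEK; the plaintext DEK is then discarded.
func Encrypt(kek []byte, kekID string, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek, []byte(kekID)) // KEKID as AAD: a relabelled wrap fails
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt needs the KEK: whoever holds only the stored envelope cannot unwrap
// the DEK and therefore cannot read the data.
func Decrypt(kek []byte, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK under %s: %w", env.KEKID, err)
	}
	return open(dek, env.Ciphertext, nil)
}

// Rewrap rotates the KEK without touching the bulk ciphertext. Retiring a KEK
// without this step is the "encryption accident" the evaluation list warns
// about: the DEK becomes unrecoverable, and with it every object it protected.
func Rewrap(oldKEK, newKEK []byte, newID string, env Envelope) (Envelope, error) {
	dek, err := open(oldKEK, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return Envelope{}, fmt.Errorf("unwrap DEK under %s: %w", env.KEKID, err)
	}
	wrapped, err := seal(newKEK, dek, []byte(newID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{KEKID: newID, WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, nil
}

func main() {
	kek := make([]byte, 32) // constructed customer KEK; a real one comes from an HSM or KMS
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	env, err := Encrypt(kek, "customer-kek-v1", []byte("constructed payroll record"))
	if err != nil {
		panic(err)
	}
	if _, err := Decrypt(make([]byte, 32), env); err != nil {
		fmt.Println("provider without the customer's KEK:", err)
	}
	pt, _ := Decrypt(kek, env)
	fmt.Println("customer with the KEK:", string(pt))
}
```

When evaluating a provider's encryption, the questions map directly onto this structure: where the KEK lives and who can call the unwrap operation decides who can read the data, and whether a rewrap path exists decides whether key rotation or a lost KEK becomes an availability incident.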
-
What to Evaluate (Cont.)
Availability: Do cloud-based offerings provide service level commitments?
Recovery: How will cloud offerings recover from a total disaster? The provider may not tell you where data is stored, but does it have the ability to do a complete restoration, and how long will it take?
Investigative Support: Cloud services are especially difficult to investigate. Look for a contractual commitment to support specific forms of investigation, including electronic discovery.
Viability: The long-term viability of any external service provider.
Support in Reducing Risk: CSPs should inform customers how to use their product safely and reliably.
-
How to Assess
Evaluate the service provider in person.
Use a neutral third party to perform a security assessment.
Accept whatever assurances the service provider offers.
Ultimately, your ability to assess the risk of using a particular service provider comes down to its degree of transparency.
trust.salesforce.com
-
Security as a Service
-
Thank You