Post on 19-Oct-2020
© 2012 IBM Corporation
Raffaella D’Alessandro
IBM GTS Security and Compliance Consultant
CISA, CRISC, LA ISO 27001, LA BS 25999, ISMS Senior Manager, ITIL v3
Rome, 16 May 2012
IBM SmartCloud: “The Rules for Security in Cloud Computing: IBM's Vision”
Agenda
• IBM's experience with Cloud Computing
• The rules in the “Cloud Factory”: the IBM Cloud Computing Reference Architecture
• Security Services and management aspects in the IBM Cloud Computing Reference Architecture
• The rules for building Security services in the “Cloud Factory”
• The rules for managing Security services in the “Cloud Factory”
• Use Case
Our market experiences have shaped our strategies for driving innovation and value for clients through cloud computing
successful private cloud projects
secure daily cloud transactions
managed SAP users
successful cloud projects
daily client transactions through public cloud
managed virtual machines
3,000 4.5M 1M
Commitment to open standards and a broad ecosystem
Private & Hybrid Cloud Enablement Technologies
Managed Services: Infrastructure & Platform as a Service
Business Solutions: Software and Business Process as a Service
Foundation, Services, Solutions
Cloud Computing is transforming the global IT landscape and is driving both IBM and its clients toward a new era of growth and change
Public Cloud RA whitepaper available on ibm.com: http://public.dhe.ibm.com/common/ssi/ecm/en/ciw03078usen/CIW03078USEN.PDF
CCRA OpenGroup submission: http://www.opengroup.org/cloudcomputing/uploads/40/23840/CCRA.IBMSubmission.02282011.doc
The IBM Cloud Computing Reference Architecture (CCRA): the rules of the “Cloud Factory” for developing and delivering Services
The rules of the “Cloud Factory” are continuously evolving
IBM CCRA – Security Services and management aspects
Security & Risk Manager
Compliance Manager
Continuity Manager
IBM Cloud Security Foundation Controls
The objective of security for Cloud Computing is to set and maintain the level of assurance for systems (hardware and software), services and information that falls within the business and technical risk boundaries set by the provider(s) and the consumers.
Security within IBM Cloud Computing is based on effective Governance, to include:
• Definition of risks
• Definition of security plans and security policies
• Establishment of organizational structures
• Security Principles of Design
• Security Policy for Development, Operation and Admin, Compliance
• Security Foundational Controls
• Security Component Catalog
• Security Subsystems Models
IBM best practices for Security in the “Cloud Factory”
http://www.redbooks.ibm.com/abstracts/redp4614.html
IBM Security Framework: Business Security Reference Model
Architectural Principles
Application and Process
People and Identity
IT Infrastructure: Network, Server, End Point
Physical Infrastructure
Data and Information
Governance, Risk, Compliance (GRC)
Security Services and Infrastructure
Security Policy Infrastructure
Identity, Access and Entitlement Infrastructure
Security Info and Event Infrastructure
Host and End-point Security
Storage Security
Network Security
Application Security
Physical Security
Service Management Infrastructure
Designs Config Info and Registry
Data Repositories and Classification
Code and Images Policies
Identities and Attributes
Operational Context
IT Security Knowledge
Events and Logs
Security Service Levels
Identity, Access and Entitlement Management
Threat and Vulnerability Management
Data and Information Protection Management
Software, System and Service Assurance
Security Policy Management
Risk and Compliance Assessment
Command and Control Management
Physical Asset Management
IT Service Management
Crypto, Key and Certificate Infrastructure
Foundational Security Management
The rules for building Security services in the “Cloud Factory”: IBM Security Framework Architectural Principles
The rules for managing Security services in the “Cloud Factory” must make it possible to answer a single question
“Who will be liable if something goes wrong in the cloud and data is lost or compromised?”
Who is responsible for privacy & security at the … level?
Datacenter, Infrastructure, Middleware, Application, Process
Platform as a Service
Middleware
Database
Web 2.0 Application Runtime
Java Runtime
Development Tooling
Infrastructure as a Service
Servers, Networking, Storage, Data Center Fabric
Shared virtualized, dynamic provisioning
Software as a Service
Collaboration
Financials
CRM/ERP/HR
Industry Applications
Provider Consumer
Provider Consumer
Provider Consumer
Potential Gaps
Collaboration between consumer and provider is the key to properly addressing responsibilities for Privacy and Security in the Cloud
Coordinating privacy and information security is the responsibility of BOTH the provider and the consumer
An example case from IBM SmartCloud for Social Business: Security in e-mail and Social Collaboration services designed for public and private organizations
Files
Meetings Events
Chat
Survey Forms
Communities
Activities
People
Security services for data transfer guarantee the highest levels:
• Sophisticated encryption system for all network communications
• Encryption of all mailboxes and applications
• Optional encryption for individual archived documents
Security services for data management make it possible to implement the same internal Policies adopted by the client:
• Data classification, management, routing & sharing
• Security policy (e.g. consistency of password rules)
• Privacy (for both clients and employees)
• Auditing and compliance
• Archiving and discovery
http://www.ibm.com/cloud-computing/us/en/
http://www-935.ibm.com/services/us/en/it-services/security-services.html?lnk=mhse