Security Building Blocks of the IBM Cloud Computing Reference Architecture
© 2014 IBM Corporation
IBM Security Systems
Security Building Blocks of the Cloud
Computing Reference Architecture
Stefaan Van daele
Senior Security Architect – IBM Europe
stefaan_vandaele at be.ibm.com
stefaanvda
http://www.linkedin.com/in/stefaanvdaele
Security Requirements in Cloud
Solutions
Different cloud deployment models also change the way we think about security

Private cloud: On or off premises cloud infrastructure operated solely for an organization and managed by the organization or a third party
− Customer responsibility for infrastructure
− More customization of security controls
− Good visibility into day-to-day operations
− Easy access to logs and policies
− Applications and data remain “inside the firewall”

Public cloud: Available to the general public or a large industry group and owned by an organization selling cloud services.
− Provider responsibility for infrastructure
− Less customization of security controls
− No visibility into day-to-day operations
− Difficult access to logs and policies
− Applications and data are publicly exposed

Hybrid IT: Traditional IT and clouds (public and/or private) that remain separate but are bound together by technology that enables data and application portability

Changes in Security and Privacy
Minimizing the risks of cloud computing requires a strategic approach
Define a cloud strategy with security in mind
– Identify the different workloads and how they need to interact.
– Which models are appropriate based on their security and trust requirements and
the systems they need to interface to?
Identify the security measures needed
– Using a methodology such as the IBM Security Framework allows teams to
measure what is needed in areas such as governance, architecture, applications
and assurance.
Enabling security for the cloud
– Define the upfront set of assurance measures that must be taken.
– Assess that the applications, infrastructure and other elements meet the security
requirements, as well as operational security measures.
Our approach to delivering security aligns with each phase of an organization’s cloud project or initiative
Design: Establish a cloud strategy and implementation plan to get there.
Deploy: Build cloud services, in the enterprise and/or as a cloud services provider.
Consume: Manage and optimize consumption of cloud services.
Example security capabilities:
Cloud security roadmap
Secure development
Network threat protection
Server security
Database security
Application security
Virtualization security
Endpoint protection
Configuration and patch management
Identity and access management
Secure cloud communications
Managed security services
IBM Cloud Security Approach:
Secure by Design: Focus on building security into the fabric of the cloud.
Workload Driven: Secure cloud resources with innovative features and products.
Service Enabled: Govern the cloud through ongoing security operations and workflow.
Adoption patterns are emerging for successfully beginning and progressing cloud initiatives
IBM Cloud Security - One Size Does Not Fit All
Different security controls are appropriate for different cloud needs - the challenge becomes one of
integration, coexistence, and recognizing what solution is best for a given workload.
Each pattern has its own set of key security concerns

Cloud Enabled Data Center
Infrastructure as a Service (IaaS): Cut IT expense and complexity through cloud data centers
Integrated service management, automation, provisioning, self service
Key security focus: Infrastructure and Identity
– Manage datacenter identities
– Secure virtual machines
– Patch default images
– Monitor logs on all resources
– Network isolation

Cloud Platform Services
Platform-as-a-Service (PaaS): Accelerate time to market with cloud platform services
Pre-built, pre-integrated IT infrastructures tuned to application-specific needs
Key security focus: Applications and Data
– Secure shared databases
– Encrypt private information
– Build secure applications
– Keep an audit trail
– Integrate existing security

Cloud Service Provider
Innovate business models by becoming a cloud service provider
Advanced platform for creating, managing, and monetizing cloud services
Key security focus: Data and Compliance
– Isolate cloud tenants
– Policy and regulations
– Manage security operations
– Build compliant data centers
– Offer backup and resiliency

Business Solutions on Cloud
Software as a Service (SaaS): Gain immediate access with business solutions on cloud
Capabilities provided to consumers for using a provider’s applications
Key security focus: Compliance and Governance
– Harden exposed applications
– Securely federate identity
– Deploy access controls
– Encrypt communications
– Manage application policies

Security Intelligence – threat intelligence, user activity monitoring, real time insights
Cloud Computing Reference
Architecture (CCRA)
Evolution of the Cloud Computing Reference Architecture (CCRA 3.0)

March 2009: Initiated CCAB SC CCMP Reference Architecture
March 2010: Published CC & CCMP Reference Architecture 1.0
October 2010: Used in Cloud Launch and various customer/analyst sessions
February 2011: Submitted CCRA to The Open Group
March 2011: Release CCRA 2.0
April 2011: Public Cloud RA whitepaper available on ibm.com
July 2011: Released “CCRA 2.0 for Business Partners”
Early 2012:
• Release CCRA 2.5
• Reach milestone of ~1500 IBMers formally educated on the CCRA
November 2012:
• Release CCRA 3.0
• Adoption Patterns
  Prescriptive guidance on IaaS/PaaS/CSP/SaaS
2012/13: CCRA Standardization ongoing

Defined overall architectural foundation
Added product- and integration-focused solution architectures
The IBM Cloud Computing Reference Architecture (CCRA)

Represents the aggregate experience from hundreds of cloud client engagements and IBM-hosted cloud implementations
– Based on knowledge of IBM’s services, software & system experiences, including IBM Research
Provides prescriptive guidance on how to build IaaS, PaaS, SaaS and service provider clouds using IBM technologies
Reflected in the design of
– Clouds IBM implements for clients
– IBM-hosted cloud services
– IBM cloud appliances
– IBM cloud products
Public Cloud RA whitepaper available on ibm.com:
http://public.dhe.ibm.com/common/ssi/ecm/en/ciw03078usen/CIW03078USEN.PDF
CCRA OpenGroup submission:
http://www.opengroup.org/cloudcomputing/uploads/40/23840/CCRA.IBMSubmission.02282011.doc

[Diagram: CCRA overview]
Roles: Cloud Service Consumer, Cloud Service Provider, Cloud Service Creator
Cloud Service Consumer: Cloud Service Integration Tools, Consumer In-house IT
Cloud Service Provider:
– Cloud Services: Infrastructure-as-a-Service, Platform-as-a-Service, Software-as-a-Service, Business-Process-as-a-Service; Existing & 3rd party services, Partner Ecosystems
– Common Cloud Management Platform (CCMP): Operational Support Services (OSS), Business Support Services (BSS)
– Infrastructure
Cloud Service Creator: Service Creation Tools
Spanning all roles: Governance; Security, Resiliency, Performance & Consumability

[Diagram: CCRA 3.0]
Common Reference Architecture Foundation
Adoption patterns: Cloud-enabled data center / building IaaS; Platform Services; Cloud Service Provider; Building SaaS
CCRA Detailed Overview
CCRA Security Component Model

Security Intelligence, Analytics and GRC
People | Data | Applications | Infrastructure*
*Infrastructure Includes – Server, Network, Storage

Security Components:
– Security Governance, Risk Management & Compliance
– Security Information & Event Management
– Data & Information Security
– Identity & Access Management
– Security Intelligence
– Physical & Personnel Security
– Threat & Intrusion Prevention
– Security Policy Management
– Encryption & Key Management
– Secure Application Development
– Endpoint Management

Additional information can be found here:
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Wf3cce8ff09b3_49d2_8ee7_4e49c1ef5d22/page/IBM%20Cloud%20Computing%20Reference%20Architecture%203.0
Using the IBM Security Framework, we articulate the way we address security in the Cloud in terms of Foundational Controls
IBM Cloud Security Reference Model

Cloud Governance: Cloud specific security governance including directory synchronization and geo locational support
Security Governance, Risk Management & Compliance: Security governance including maintaining security policy and audit and compliance measures
Problem & Information Security Incident Management: Management and responding to expected and unexpected events
Identity and Access Management: Strong focus on authentication of users and management of identity
Discover, Categorize, Protect Data & Information Assets: Strong focus on protection of data at rest or in transit
Information Systems Acquisition, Development, and Maintenance: Management of application and virtual machine deployment
Secure Infrastructure Against Threats and Vulnerabilities: Management of vulnerabilities and their associated mitigations with strong focus on network and endpoint protection
Physical and Personnel Security: Protection for physical assets and locations including networks and data centers, as well as employee security

Phases: Design, Deploy, Consume
Solution Approach - Summary

Phases:
– Understand Client
– Define Client Requirements
– Design Solution
– Detail Design
– Define Roadmap & 1st Project

Work products:
– Business Driver
– Actors and use cases
– Non-functional requirements
– System context
– Architecture decisions
– Architecture overview
– Component model
– Operational model
– Solution integration details
– Cloud roadmap
– Project description
– Viability Assessment

Activities:
– Get a thorough understanding of their existing IT environment and identify the client’s Cloud Adoption Pattern
– Identify actors, workloads and associated use cases and identify security requirements for each scenario
– Define the Architecture Overview
– Identify the building blocks and controls needed leveraging the IBM Security Framework and Cloud Foundational Controls
– Use the CCRA Security Component Model to identify required components and their interactions for the solution
– Realize the component by mapping to the capabilities in our products / services portfolio
– Leverage assets to build the deployment architecture and integration requirements
– Define the project plan with overall timeline, phases and key milestones, and overall delivery
Cloud Enabled Data Center - simple use case

1. User identity is verified and authenticated
2. Resource chosen from correct security domain
3. VM is configured with appropriate security policy
4. Image provisioned behind FW / IPS
5. Host security installed and updated
6. Software patches applied and up-to-date

[Diagram elements: Self-Service GUI; Cloud Platform; Resource Pool (Available Resource); Image Library (Machine Image); Hypervisor; Configured Machine Image; Virtual Machine; SW Catalog (Config, Binaries)]

Security components involved:
– Identity & Access Management
– Security Information & Event Management
– Endpoint Management
– Threat & Intrusion Prevention
One component in detail:
Security Information and Event
Management
Security Component Model – Cloud Enabled Data Center

Security Intelligence, Analytics and GRC
People | Data | Applications | Infrastructure*
*Infrastructure Includes – Server, Network, Storage

Security Components:
– Security Governance, Risk Management & Compliance
– Security Information & Event Management
– Data & Information Security
– Identity & Access Management
– Security Intelligence
– Physical & Personnel Security
– Threat & Intrusion Prevention
– Security Policy Management
– Encryption & Key Management
– Secure Application Development
– Endpoint Management
Generic security service catalog for Security Operations

Risk and Compliance
Service groups: Compliance Management, Risk Management, Evidence Management, Supervisory Services, Analytics Services
Services:
– Compliance Reporting
– Risk Reporting
– Compliance Controlling
– Records Management
– Fraud Detection
– Risk Identification
– Digital Forensics
– Security & Compliance Dashboard

Threat and Vulnerability Management
Service groups: Vulnerability Management, Security Information and Event Management, Security Intelligence, Threat Management
Services:
– Vulnerability Remediation
– Vulnerability Analysis
– Vulnerability Discovery
– Security Event Correlation & Normalization
– Security Log Collection & Normalization
– Security Monitoring and Alerting
– Security Problem and Incident Response
– Threat Analysis
– Security Threat and Vulnerability Research
– Threat Identification
– Threat Mitigation

IT Service Management
Service groups: IT Service Management, Asset Management
Services:
– Incident and Problem Management
– Asset Management
– Asset Administration
Practical example: SIEM across hybrid cloud deployments

Workloads deployed in private virtual environments: OpenStack Audit (CADF)
– Core API Layer: “Filter” audits all OpenStack API calls
– Ceilometer: Usage / Performance Monitoring + Auditing
– “Datastores”
– CADF

Public Cloud Services: AWS CloudTrail
www.ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.