Andrea Carmignani, Raffaella D'Alessandro
Security in Cloud Computing: the new risks and the solutions that support it
Agenda
• Cloud Security Concerns
• IBM approach for building a secure Cloud Computing
• Security FOR the Cloud
• Security FROM the Cloud
Security remains a top concern of customers migrating to the cloud…
According to IBM's Institute for Business Value 2010 Global IT Risk Study, cloud computing raised serious concerns among respondents about the use, access and control of data
Concerns raised by respondents (share of respondents):
• Protection of intellectual property of data: 30 %
• Ability to enforce regulatory or contractual obligations: 21 %
• Unauthorized use of data: 15 %
• Confidentiality, integrity and availability of data: 12 %
A recent survey of 150 executives of large firms found that security remains the number one concern.
Where do these concerns come from?
• Clients feel uncomfortable with the idea of their information on systems they do not own in-house (it feels like they are losing control)
• Client doesn’t know how to deal with this change of paradigm (shifting their focus from cross enterprise security to workload security)
• Client wants to apply the same approach (and security controls) they used to in their traditional IT.
• There’s a lack of information about how to deal with a shared, multi-tenant infrastructure. Does Cloud really increase potential for unauthorized exposure?
• Clients are worried about service disruptions affecting the business. Is it really something specific to Cloud Computing? Which are the differences with a traditional Outsourcing?
• Regulations may prohibit the use of clouds for certain workloads and data. How much do we know about regulations to understand when this is really an obstacle for the intended workloads?
Do we share the same perspective?
How many of them are really specific to Cloud Computing?
Benefits and risks of the delivery models (different delivery models present different risks)
[Chart: Traditional IT, Public Cloud, Community Cloud, Private Cloud and Hybrid Cloud plotted by cost benefits (low / medium / high) against security-related risk (low / medium / high). Service-quality benefits: speed, scalability, flexibility, cost transparency.]
One size does not fit all: different cloud workloads have unique risk profiles
[Chart: need for security assurance (low to high) plotted against business risk (low-risk, mid-risk, high-risk).]
Lower-risk workloads: one-size-fits-all approach to data protection; no significant assurance; price is key.
Tomorrow's high-value and high-risk workloads need: quality of protection adapted to risk; direct visibility and control; a significant level of assurance.
Today's clouds are primarily here: training and testing with non-sensitive data; analysis and simulation with public data.
At the high-risk end: mission-critical workloads, personal information.
An Example of Security Challenge: Virtual Images Mobility
Virtualization is a building block of the cloud computing paradigm. Inside the cloud it is crucial to move running applications from one physical server to another, for systems management flexibility and better availability.
• …but some security issues could lie in wait along the journey from one host to another: today data are transferred without being encrypted, which means possible threats against the VM while it is in transit between hypervisors.
• …as well as on the target physical host: does the destination "fulfil" the origin's security policy and regulation? What about the security of the target system?
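As an added example (not from the original slides), a pre-migration policy gate that encodes the two questions above before a running VM is moved: does the destination host satisfy the origin's regulation and security policy, and is the migration channel itself encrypted? Host names, control names and jurisdictions are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    jurisdiction: str          # where the physical host sits (constructed sample value)
    controls: frozenset        # security controls present on the host
    migration_encrypted: bool  # is live-migration traffic to this host encrypted?

@dataclass(frozen=True)
class WorkloadPolicy:
    vm: str
    allowed_jurisdictions: frozenset  # regulation may pin the data to a region
    required_controls: frozenset      # controls the origin policy mandates
    require_encrypted_transit: bool   # VM memory and disk state must be protected in flight

def migration_findings(policy: WorkloadPolicy, dst: Host) -> list:
    """Return the policy violations for moving policy.vm to dst; empty means the move may proceed."""
    findings = []
    if dst.jurisdiction not in policy.allowed_jurisdictions:
        findings.append(f"{dst.name}: jurisdiction {dst.jurisdiction} not permitted for {policy.vm}")
    missing = policy.required_controls - dst.controls
    if missing:
        findings.append(f"{dst.name}: missing controls {sorted(missing)}")
    if policy.require_encrypted_transit and not dst.migration_encrypted:
        findings.append(f"{dst.name}: migration channel is not encrypted")
    return findings

def choose_destination(policy: WorkloadPolicy, candidates: list):
    """Name of the first candidate host with no findings, or None if every host fails."""
    for host in candidates:
        if not migration_findings(policy, host):
            return host.name
    return None

# Constructed sample data: a VM holding personal data that regulation pins to the EU.
FULL = frozenset({"disk-encryption", "hids", "audit-logging"})
PII_VM = WorkloadPolicy("hr-db-01", frozenset({"EU"}), FULL, True)
HOSTS = [
    Host("esx-us-01", "US", FULL, True),                      # wrong jurisdiction
    Host("esx-eu-01", "EU", FULL - {"audit-logging"}, True),  # missing a required control
    Host("esx-eu-02", "EU", FULL, False),                     # unencrypted migration channel
    Host("esx-eu-03", "EU", FULL, True),                      # satisfies everything
]

if __name__ == "__main__":
    for h in HOSTS:
        print(h.name, migration_findings(PII_VM, h) or "OK")
    print("selected:", choose_destination(PII_VM, HOSTS))
```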
Who is responsible for security at each level? (Datacenter, Infrastructure, Middleware, Application, Process)
• Infrastructure as a Service: servers, networking, storage, data center fabric; shared, virtualized, dynamic provisioning
• Platform as a Service: middleware, database, Web 2.0 application runtime, Java runtime, development tooling
• Software as a Service: collaboration, financials, CRM/ERP/HR, industry applications
For each model the stack is split between provider and consumer, and the boundary between the two is where potential security gaps appear.
Challenge: ensuring the tight integration of provider and subscriber security controls and governance.
Coordinating information security is the responsibility of BOTH the provider and the consumer.
Collaboration is the key to the approach to Cloud Security
• The critical point for correct and integrated governance of the respective competences is the possible discontinuity located at the boundaries between client-side and provider-side responsibilities.
• Therefore, since Security is determined by the combined result of the elements that make up the chain across all levels of the computing infrastructure, it is important that client and provider address the topic by sitting down together at the table and agreeing, with maximum transparency, all the elements needed to adequately address Information Security Governance.
• In particular, it is important that all the organizational and technological aspects requiring close interrelation between the client-side organizational structures in charge of Security and the corresponding provider-side structures are clearly delineated.
Cloud security requires a change of the usual security mindset; we need an interdisciplinary approach based on the following steps:
• Develop a strategy, based on business requirements: take a risk-based approach to security… prioritize workloads
• Design and implement, with technology and services: security best practices… think holistically; select technologies and services… modularity and standards are key
• Monitor & audit: proactively inspect the infrastructure… address new threats
How IBM delivers Cloud Security
• Security by Design
• Security by Workload
• New Security Efficiencies
We believe the Cloud could be more secure than traditional enterprises.
Security By Design
Security has to be Built into the Fabric of the Cloud
“Almost 60 percent of all the applications brought to security testing and risk-analysis company Veracode during the past 18 months couldn't meet the minimum standards for acceptable security, even when the criteria were dialed down to accommodate applications that don't pose a great security risk”
Source: Kevin Fogarty, "Many Apps Flunk Security Check Before Move to Cloud"
[Chart: 60 % failed to meet requirements; 40 % met requirements]
Workload driven security
Cloud Security depends on focusing security controls on specific types of work
Sample foundations we deploy in our clouds
• Access & Identity: IBM leverages a combination of extensive internal policies along with various IBM tools to address access and identity in the Cloud
• Data & Information: IBM will apply data protections to information when possible. In addition we
• Release Management: IBM implements strong policies for management of release of virtual images and software within its environment
• SIEM: IBM leverages its own tools and expertise to provide the functions for Security Event and Information Management
• Physical Security: in order to address our customers' needs, IBM applies industry-leading approaches to the security of our data centers, such as CCTV, 24/7 physical security, biometrics, etc.
• Problem & Incident Management: leveraging IBM tools and services, IBM provides high-quality problem and incident management, including the use of social networking technologies
• Threat and Vulnerability Management: leveraging IBM's own managed services and tooling, IBM applies its best-of-breed solutions to its own clouds
• Change & Configuration Management: IBM manages its environment leveraging best-case change and configuration management processes via its own tooling, for example Rational Asset Manager
Create new Security Efficiency
• IBM Security Foundations
• Cloud Security
• Administrative Security
• User Control
Trusted Advisor, Security Services, Solution Provider, Research: Security & Privacy Leadership
Security for the Cloud / Security from the Cloud
IBM Strategy: support customers with an unmatched synergy among solutions, products and services for both private and public cloud
IBM built security services and solutions aligned with the IBM Security Framework to address clients' concerns from any security perspective.
1. Professional Cloud security services: we help you assess, plan and implement security solutions. Examples: security assessment services; architecture, design and implementation services
2. Cloud Hosted Security services: we provide services from the cloud. Examples: Web Uniform Resource Locator (URL) filtering; security event log management
3. Cloud Security Products: we provide products to protect the cloud. Examples: Virtual Security Server for VMware; Proventia IPS and Virtual IPS appliance
Vision: be the trusted partner for professional, managed, and cloud security services for customers around the world
IBM Security Solutions for the Cloud
IBM Professional Cloud Security Services
• Cloud Security Strategy Roadmap: guides customers through their unique security and privacy concerns related to cloud computing and helps them build a security roadmap for risk mitigation while still pursuing a cloud initiative. Key features: education and guidance from knowledgeable IBM consultants on cloud security and privacy concerns during an interactive onsite working session; development of a cloud security strategy for risk mitigation including security measures and compensating controls; recommendations for cloud provider evaluation
• Cloud Security Assessment: assists clients in evaluating the strength of the security architecture, policies and practices associated with their cloud solution against best practices for secure cloud computing, in consideration of their security objectives. Key features: evaluates the client's existing or proposed cloud security infrastructure against industry best practices; develops a maturity ranking of the existing security posture in consideration of cloud security goals and a gap assessment; provides specific recommendations on action items or considerations for addressing identified issues
IBM Cloud Security Products
IBM Virtualization Security Solutions deliver products and services optimized for virtualization:
• IBM Virtual Server Security for VMware®: an integrated security partition able to protect all the VMs inside a physical host
• Existing solutions certified for protection of virtual workloads
• Threat protection delivered in a virtual form factor
• Integrated virtual-environment-aware threat protection
These solutions will enable customers to realize the benefits of virtualization while maintaining their security posture.
IBM Cloud Hosted Managed Security Services
Cloud-based security services that help reduce costs and complexity, improve security posture, and meet regulatory compliance. Subscription service; monitoring and management; cloud based. From the Cloud: IBM Security Operations Centers. To the Customer: offloading security tasks on the ground.
• Security Event and Log Management: offsite management of logs and events from IPSs, firewalls and OSs. Customers can access secure log/event archival of all aggregated security events for up to 7 years.
• Vulnerability Management Service (PCI Approved Scanning Vendor): proactive discovery and remediation of vulnerabilities, including temporal risk reporting for PCI DSS compliance
• Managed Web and Email Security Service: clean-pipe information, i.e. protection against spam, worms, viruses, spyware, adware and offensive content
• X-Force Threat Analysis Service: customized security intelligence based on threat information from the X-Force research and development team
IBM Security Operations Centers
IBM has an unmatched global network of Security Operations Centers (SOC) and research facilities to extensively monitor real-time threats:
• 9 security operations centers
• 9 security research centers
• 133 monitored countries
• 30,000+ devices under contract
• 3,800+ MSS clients worldwide
• 9 billion+ events per day
• 16 acquisitions in the security space • 3,700+ MSS clients worldwide • 13 billion+ events managed daily • world-class security research
Cloud Hosted Security services
Professional services: Cloud Security Strategy Roadmap; Cloud Security Assessment; Penetration Testing; Application Security Assessment; Identity and Access Management
Cloud hosted services: Security Event and Log Management; Vulnerability Management Services; Managed Email / Web Security Services; X-Force Threat Analysis Service
Security & Compliance Leadership: helping clients begin their journey to the cloud with relevant security expertise; cloud-based security services that help clients reduce costs and complexity, improve security posture, and meet regulatory compliance.
Security remains a top customer concern in shifting to Cloud infrastructures, thus presenting IBM an opportunity to demonstrate thought leadership.
Security for the Cloud
IBM Security Services are already providing support and delivery services to several of IBM's strategic cloud offering initiatives:
• Dev/Test Cloud: intrusion prevention device under management; internal and external VMS (Vulnerability Management Service) deployed; penetration testing
• Compute Cloud: intrusion prevention devices under management
• Storage Cloud: deployment ongoing
Security from the Cloud
IBM Redpaper: Cloud Security Guidance
• Based on cross-IBM research and customer interaction on cloud security
• Highlights a series of best-practice controls that should be implemented
• Broken into 7 critical infrastructure components: building a security program; confidential data protection; implementing strong access and identity; application provisioning and de-provisioning; governance audit management; vulnerability management; testing and validation
www.ibm.com/redbooks
Real-world Pilots on Next Generation Security & Privacy
Trustworthy Clouds: Privacy and Resilience for Internet-scale Critical Infrastructure
TClouds is co-financed by the European Commission under EU Framework Programme 7
http://www.tclouds-project.eu/
Thank you!
"All the problems of the world could be settled easily if men were only willing to think…"
Thomas J. Watson