
Security Implications of Cloud Computing

Doc Shankar IBM Distinguished Engineer Federal CTO Office dshankar@us.ibm.com

Myths or Realities?
- Cloud is not as secure as a traditional IT operation
- Security patching is better in a cloud
- Demonstrating compliance is harder in a cloud
- Data loss is less likely in a cloud
- More control leads to better security
- Cloud providers can handle insecure apps better
- Cloud providers have a better view of threats
- Cloud offers more availability than in-house IT
- Cloud providers are more concerned with protecting themselves than the client
2

Security: It's simple, really
Terms shown on the slide (not a complete collection):
VPN, DAC, HIPAA, SOX, IPSEC, SSL, SaaS, Token, FIPS 140-2, XML Gateways, Thin Clients, Biometrics, PKI, H/W Crypto, Digital Certificate, Kerberos, Guards, Hardening, Trusted OS, Wireless, Secure Blades, Secure Collaboration, Cyber Security, RSBAC, Cloud Compliance
3

Key terms and acronyms*
Trustworthy Computing, Trusted Computing, Trusted OS, Trusted Guards, Trust, Information Security, Information Assurance, Privilege, Portal, Sandbox, Governance, End-to-end security
PKI, XML, SOAP, WSDL, UDDI, SAML, XACML, TTP, PDP, PEP, WS-*
* Not a complete list
4

Agenda
Part I - Cloud Computing (CC) Overview
  A Simple Definition
  A Complete Definition
  Is CC new?
Part II - Cloud Computing Value
  What is the business value of CC?
  CC Obstacles/Opportunities
  CC vs SOA
  CC vs Outsourcing
  CC vs SaaS
Part III - Cloud Computing Security
  Customer Security Concerns
  How do we get attacked?
  Have the security fundamentals changed?
  What are the security issues in CC?
Part IV - Towards building Secure Cloud Solutions
  Business/IT Drivers
  IBM Security Framework
  Typical Security Requirements
  IBM Security Blueprint
5

A Simple Definition of Cloud


Cloud is really about moving complex computing workloads off premise and delivering them as a service.
The hope is that it is more cost effective than traditional IT.
6

A Complete Definition of Cloud*


Cloud Computing is a (pay-per-use) model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
* NIST definition. Still an evolving paradigm; e.g. "pay-per-use" has since been deleted from it.
7

Delivery Models
Software as a Service (SaaS)
- Use the provider's applications
- Access through thick/thin clients, browser, etc.
- E.g. email, Google Docs, Salesforce, desktop apps

Platform as a Service (PaaS)
- Deploy client applications using programming languages and tools supported by the provider
- E.g. Azure .NET server, SQL Server, Google App Engine, Amazon SimpleDB

Infrastructure as a Service (IaaS)
- Rent processing, storage, networks and other fundamental computing resources
- Deploy arbitrary software, including operating systems
- Client could select networking components (firewalls, load balancers)
- E.g. Amazon EC2, S3, Azure storage services

Security Implications of the Delivery Models

| Service | Security by Cloud Provider | Security by Extensibility |
|---------|----------------------------|---------------------------|
| SaaS    | Greatest                   | Least                     |
| IaaS    | Least                      | Greatest                  |
| PaaS    | Middle                     | Middle                    |

The lower down the stack the cloud provider stops, the more security you are tactically responsible for implementing and managing yourself.
9

Deployment Models
Private Cloud
- Owned or leased by a single organization
- No public access

Public Cloud
- Owned by an organization selling cloud services

Managed Cloud
- Owned by a single organization
- No public access

Community Cloud
- Shared by several organizations
- Supports a specific community that has shared concerns

Hybrid Cloud
- Composition of 2 or more clouds
- Enables data & application portability (e.g. cloud bursting)

Is private cloud an oxymoron?
10

Security Implications of the Deployment Models

| Cloud Type | Manager                          | Owner                            | Location                                          | Consumers            |
|------------|----------------------------------|----------------------------------|---------------------------------------------------|----------------------|
| Private    | Client or 3rd party provider     | Client or 3rd party provider     | On-premise or trusted off-premise                 | (missing)            |
| Public     | 3rd party provider               | 3rd party provider               | Off-premise                                       | Untrusted            |
| Managed    | 3rd party provider               | 3rd party provider               | On-premise                                        | (missing)            |
| Community  | All clients & 3rd party provider | All clients & 3rd party provider | On-premise or trusted off-premise (all clients)   | Trusted or untrusted |
| Hybrid     | Both client & 3rd party provider | Both client & 3rd party provider | Both on-premise & off-premise                     | Trusted or untrusted |

(Two "Consumers" cells did not survive extraction and are left marked "(missing)".)
11

Is CC New?
Distributed Systems Evolution:
Computer -> Computer Utility (phrase coined) -> Computer Networking -> LAN -> Client/Server -> Thin Clients -> Internet -> Web Applications -> Grid Computing -> Web Services -> Cross Organizational Web Services -> SaaS -> Cloud Computing
12

Cloud Readiness
Cloud Ready
- When the processes, applications and data are largely independent
- When the points of integration are well defined
- When a lower level of security will work just fine
- When the core internal enterprise architecture is healthy
- When web is the desired platform
- When cost is an issue
- When the applications are new

Not so cloud ready
- When the processes, applications and data are largely coupled
- When the points of integration are not well defined
- When a high level of security is required
- When the core internal enterprise architecture needs work
- When the applications require a native interface
- When cost is not an issue
- When the applications are legacy
13

Part II - Cloud Computing Value
14

Historical Analogy
In 1907, 70 percent of the industrial electrical generation in the United States was in-house, but by the 1920s that same percentage was generated by utility companies. Initially you had to own your own plant, but later it became a disadvantage.
15

Business value of CC
- Illusion of infinite computing resources available on demand
- Pay for use of computing resources (e.g. processors by the hour, storage by the day)
- Elimination of upfront commitment by cloud users (start small & grow)
- Better uptime & availability (e.g. Google)
- Consistent upgrades
- Expedited launch of new IT projects
- Speedy innovation
- Lower TCO
- Collaborative & community computing
- Wider visibility of internet traffic (e.g. DDoS)
16

CC Obstacles/Opportunities*
Adoption
- Availability of Service
- Data Lock-In
- Data Confidentiality

Growth
- Data Transfer Bottlenecks
- Performance Unpredictability
- Scalable Storage
- Bugs in large distributed systems
- Scaling Quickly

Business/Policy
- Reputation Fate Sharing
- Software Licensing
* Above the Clouds: A Berkeley View of Cloud Computing, UC Berkeley
17

CC vs SOA

| Characteristic                | SOA | CC  |
|-------------------------------|-----|-----|
| Dynamic Linking               | Yes |     |
| Standard Protocols for Access | Yes |     |
| Dynamic Discovery             | Yes |     |
| Relative Autonomy             | Yes |     |
| Trust Chain                   | Yes |     |
| Federation                    | Yes |     |
| On-demand self-service        |     | Yes |
| Ubiquitous Network Access     |     | Yes |
| Multi-tenancy                 |     | Yes |
| Rapid Elasticity              |     | Yes |
| Measured Service              |     | Yes |
18

SOA is to cloud computing as HTML is to the internet

CC vs Outsourcing

| Characteristic                 | Outsourcing                          | Cloud Computing                                                 |
|--------------------------------|--------------------------------------|-----------------------------------------------------------------|
| Standalone Computing Workloads | Yes (move your server or hire a SP)  | No                                                              |
| Workload Placement & Migration | Static; known & controlled           | Dynamic (e.g. VMs migrated dynamically); unknown & uncontrolled |
| Dedicated HW/SW for a customer | Yes                                  | No                                                              |
| Data Location                  | Known                                | Unknown                                                         |
| Data replication               | Not allowed                          | Unknown                                                         |
| Multi-tenancy                  | No                                   | Yes                                                             |
| Multi-jurisdiction             | No                                   | Yes                                                             |
19

CC vs SaaS
Roles and the service layers between them, top to bottom:
SaaS User
  | Mashup Applications
SaaS User / SaaS Provider
  | Web Applications
Cloud User / SaaS Provider
  | Utility Computing
Cloud Provider
20

Part III - Cloud Computing Security
21

Cloud Security 101: Simple Example

TODAY
- We have control
- It's located at X
- It's stored in servers Y, Z
- We have backups in place
- Our admins control access
- Our uptime is sufficient
- The auditors are happy
- Our security team is engaged

TOMORROW
- Who has control?
- Where is it located?
- Where is it stored?
- Who backs it up?
- Who has access?
- How resilient is it?
- How do auditors observe?
- How does our security team engage?

Lesson learned: we have responded to these questions before; clouds demand fast, responsive, agile answers.
22

High-level cloud security concerns

Less Control
Many companies and governments are uncomfortable with the idea of their information located on systems they do not control. Providers must offer a high degree of security transparency to help put customers at ease.

Data Security
Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Authentication and access technologies become increasingly important.

Reliability
High availability will be a key concern. IT departments will worry about a loss of service should outages occur. Mission critical applications may not run in the cloud without strong availability guarantees.

Compliance
Complying with SOX, HIPAA and other regulations may prohibit the use of clouds for some applications. Comprehensive auditing capabilities are essential.

Security Management
Providers must supply easy, visual controls to manage firewall and security settings for applications and runtime environments in the cloud.
23

CC Security Customer Concerns
- "I am nervous about someone else controlling my data"
- "My data is on the same disks as data from other users. If another customer's data is raided by the FBI, could mine go with it?"
- "I am not willing to say that the copy of the data in the cloud is the only copy I've got"
- "I am fearful of vendor lock-in"
- "I am still responsible for demonstrating compliance"
- "I don't know where my data is stored; in which country?"
- "I don't understand how my data is kept separate from others"
- "I don't see how I recover my data in case of a disaster"
- "I want to investigate any illegal activity over my data"
- "I want to ensure my data is available when I need it"
Some say, "Cloud security fears are overblown!"
24

Cloud Security Breach Examples
- Google Docs allowed shared permission without user knowledge
  http://www.google.com/support/forum/p/Google+Docs/thread?tid=2ef115be2ce4fd0e&hl=en
- Salesforce.com phishing attack led to leak of a customer list; subsequent attacks
  http://voices.washingtonpost.com/securityfix/2007/11/salesforcecom_acknowledges_dat.html
- Vaserv.com webhost hack wipes out data for 100,000 sites
  http://www.theregister.co.uk/2009/06/08/webhost_attack/
- Twitter company files leaked in cloud computing security failure
  http://www.infosecurity-us.com/view/2554/twitter-company-files-leaked-in-cloud-computing-security-failure
- DDoS attack that downed Twitter also hit Facebook
  http://www.computerworld.com/s/article/9136340/DDoS_attack_that_downed_Twitter_also_hit_Facebook?source=CTWNLE_nlt_security_2009-08-07
25

Attack Categories
Unsafe Programs (misconfigured programs, buggy programs)
- Buffer overflows
- Parsing errors
- Formatting errors
- Bad input to cgi-bin

Malicious Programs
- Trojans
- Viruses
- Worms
- Rootkits
- Botnets

Applications
- Cross site scripting
- Injection flaws
- Malicious file execution

- Eavesdropping
- Spamming
- IP spoofing
- Phishing
- Pharming
- DoS/DDoS

People
- Social engineering
- Weak passwords
- Sloppy admins
- Identity theft
26

Customer Pain Points
P - Privacy (Confidentiality)
A - Authorization (Authentication)
I - Integrity
N - Non-Repudiation
The fundamentals of security haven't changed for a long time. However, in the last few years, due to viruses, worms, intrusions & DDoS attacks, another one has been added, called Assured Information Access.
27

Security Issues
1. Governance & Risk Management
2. Compliance
3. Vulnerability & Patch Management
4. Physical/personnel Security
5. Operational security
6. Availability
7. Incident response
8. Privacy
9. Business Continuity
10. Legal Issues

1. Data Security
2. Identity Management
3. Single Sign On
4. Applications Security
5. Secure Multi-tenancy
6. Logs & Audit Trails (Forensics)
7. Cyber Security (DPI)
8. Encryption & Key Management
9. Virtualization Security
10. Storage security
11. Information Lifecycle Management
12. Portability & interoperability
13. US Federal Specific Issues
28

Data Security Issues
- Data Segregation
- Data Location
- DaR (data at rest) Protection
- DiM (data in motion) Protection
- Data Integrity
- Data Erasure at EoS (end of service)
- Data Encryption (Policy/Keys)
- Data Compliance
- Data Loss Prevention
- Contractual Obligations/SLAs
- Authentication
- Access Control
- Auditing Support
29

Data Security in the Cloud
Data will be
- Stored in multi-tenant environments
- Spanning multiple layers in the cloud stack
- Accessed by various parties of different trust levels (users, tenants, privileged cloud admins)
- Located in various geographies
- Enforced by various contractual obligations/SLAs
- Governed by various regulations and industry best practices
- Secured by multiple technologies and services
A shared, multi-tenant infrastructure increases the potential for unauthorized exposure.
30

Identity Management
Identity issues in a data center
- Single employee has multiple user accounts
- Provisioning & de-provisioning of accounts
- Terminated employees have system access
- SSO, RSO solutions
- Federated identity management capability
- Inappropriate privileges
31

Identity Management (Contd.)
Identity issues in a cloud data center
- Same issues as above
- Segregation of identities across multiple tenants
- User account management (ask the cloud provider about the life cycle)
- Multi-factor authentication
- Cloud provider must leverage your federated identity management infrastructure
  - Insist on support of standards: OpenID, SAML, WS-Federation, Liberty ID-FF
  - With IaaS & PaaS, the client will have to build this integration
- Validate that the cloud provider supports authentication meeting or exceeding your policies
- Investigate delegation of authentication to your identity provider
- Investigate integration of your IdM solution with the cloud provider
  - Integration with client AD or LDAP
- Consider implementing SSO for internal applications and leveraging this for cloud applications
- Investigate identity as a service with a separate cloud provider
The key to managing identities at a cloud provider is to have a robust federated identity management architecture and strategy internal to the organization.
32

SSO Evolution

| SSO type | Trust breadth | Authentication method | Trust basis |
|---|---|---|---|
| No SSO | Within a department | U/P, certificates, etc. | Initial enrollment |
| Enterprise SSO | Other departments within an enterprise | Identity mappings across departments | Formal relationship between departments |
| Web SSO | Other web servers within an enterprise | Identity mappings across web servers | Formal relationship between departments on web servers |
| Federated SSO (SOA environment) | Other enterprises | Trust identity assertions across enterprises | SLA between enterprises; custom negotiated, case by case; less frequent changes |
| Cloud SSO (intra cloud), private | Within a cloud with multiple departments | Identity mappings or trust identity assertions across departments | Formal relationship between departments |
| Cloud SSO (intra cloud), public | Within a cloud with multiple enterprises | Trust identity assertions across enterprises within a cloud | SLA between enterprises; predefined, usually with low assurance IDs, e.g. OpenID |
| Cloud SSO (inter cloud), hybrid | Other cloud environments | Trust identity assertions across clouds | SLA between cloud environments; predefined/simpler; more frequent changes |
33

Application Security
- Is it appropriate to migrate or design an application in the cloud?
- What type of cloud platform is most appropriate?
- What security controls must the application provide over and above the cloud platform?
- How would an enterprise's software development life cycle change to accommodate cloud computing?
All answers must be continually re-evaluated as the application is maintained and enhanced over time.
34

Application Security
Cloud platform implications on the application
- Multi-tenancy
- Lack of direct control over the environment
- Access to data (and application) by the Cloud Provider
Migrate or develop decision
- What type of cloud platform
- Acceptance criteria for outsourced and packaged application code
- Scanning methodology & tools
- Best practices available to harden machines should be applied to virtual machines
Application security measures
- Application level firewalls & proxies
- OWASP development guideline
Security professionals must stay abreast of the latest tools and techniques hackers develop specifically to attack cloud providers.
35

Secure Multi-tenancy
- Tenants are segregated from all other tenants in all ways
  - Tenants are neither aware of others nor affected by them in any way
- Multi-tenancy point
  - Hardware, hypervisor, OS, application platform, application
  - Differing isolation qualities
  - MT above the OS layer requires code changes to MW/applications
- Customer must be able to set policies
- Provider must provably enforce the customer policies
- All operations are fully logged for audit and accountability
- System administrators have no access to customer data unless granted
- Customers' system administrators have no access to their customer data unless granted
36

Logs & Audit Trails (Forensics)
- CPs must make logs available as required by the customer or a law firm (electronic discovery)
- Is multi-tenancy logging used?
  - May need to have dedicated storage of logs and audit trails
- Investigation support provided
- Forensics support
- Are logs tamper proof?
- How long are the logs and audit trails kept?
How does the client do forensics in the event of a cloud attack?
37
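The slide asks whether logs are tamper proof and whether multi-tenant logging is kept separate. As an added example (not from the deck), the Go program below keeps one SHA-256 hash chain of audit entries per tenant, so a single tenant's chain can be exported for e-discovery without exposing other tenants' records and verified end to end by whoever receives it; tenant names, actors and actions are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Entry is one audit record. PrevHash links it to the previous entry of the
// same tenant's chain; Hash covers the entry's own fields plus PrevHash.
type Entry struct {
	Seq      int
	Tenant   string
	Actor    string
	Action   string
	PrevHash string
	Hash     string
}

func hashEntry(e Entry) string {
	// NUL separates fields so two different records never share a preimage.
	h := sha256.Sum256([]byte(strings.Join([]string{
		fmt.Sprint(e.Seq), e.Tenant, e.Actor, e.Action, e.PrevHash,
	}, "\x00")))
	return hex.EncodeToString(h[:])
}

// AuditLog keeps one hash chain per tenant, so a tenant's log can be handed
// over (e-discovery, forensics) without exposing other tenants' records, and
// the recipient can verify it end to end.
type AuditLog struct{ chains map[string][]Entry }

func NewAuditLog() *AuditLog { return &AuditLog{chains: map[string][]Entry{}} }

// Append records an action and links it to the tenant's previous entry.
func (l *AuditLog) Append(tenant, actor, action string) Entry {
	chain := l.chains[tenant]
	prev := "" // genesis entry of this tenant's chain has no predecessor
	if n := len(chain); n > 0 {
		prev = chain[n-1].Hash
	}
	e := Entry{Seq: len(chain), Tenant: tenant, Actor: actor, Action: action, PrevHash: prev}
	e.Hash = hashEntry(e)
	l.chains[tenant] = append(chain, e)
	return e
}

// Export returns a copy of one tenant's chain and nothing else.
func (l *AuditLog) Export(tenant string) []Entry {
	return append([]Entry(nil), l.chains[tenant]...)
}

// Verify recomputes every hash and checks every link, reporting the first
// entry that was altered, removed or re-ordered. Silent truncation of the
// tail is only caught if the caller also compares the last hash against one
// it recorded earlier (e.g. the tenant keeps the latest hash off-cloud).
func Verify(tenant string, chain []Entry) error {
	prev := ""
	for i, e := range chain {
		if e.Tenant != tenant {
			return fmt.Errorf("entry %d belongs to tenant %q, not %q", i, e.Tenant, tenant)
		}
		if e.Seq != i || e.PrevHash != prev {
			return fmt.Errorf("chain broken at entry %d", i)
		}
		if hashEntry(e) != e.Hash {
			return fmt.Errorf("entry %d was modified", i)
		}
		prev = e.Hash
	}
	return nil
}

func main() {
	log := NewAuditLog()
	log.Append("tenant-a", "admin1", "vm.start")
	log.Append("tenant-a", "admin2", "volume.attach")
	log.Append("tenant-b", "admin1", "vm.delete")
	chain := log.Export("tenant-a")
	fmt.Println("tenant-a chain verifies:", Verify("tenant-a", chain))
	chain[1].Action = "volume.detach" // an after-the-fact edit
	fmt.Println("after editing entry 1:", Verify("tenant-a", chain))
}
```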

Cyber Security (DPI)
- DPI refers to the ability to inspect all packet contents; other packet processing models allow partial access (shown below)
- Full Layer 2-7 inspection
- No inherent MAC or IP address: invisible on the network
- Real-time analysis with full packet & flow manipulation
- Create/remove packets
- High speed analysis (10 Gbit/s)

[Figure: a packet drawn as MAC Header | IP Header | TCP/UDP | Payload, repeated for each device; the figure indicates for each device which part of the packet it has access to]
Traditional Network Devices (partial access): Switch, Firewall, Router, Servers
DPI: access to all packet data, including Layer 7 applications such as VoIP, P2P, HTTP, SMTP
38
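An added example, not part of the deck, showing the layered visibility the figure describes: a Go dissector that pulls out the fields a switch (MAC addresses), a router (IP addresses), a port-based firewall (TCP ports) and a DPI engine (payload) each work from, and then classifies the application protocol from payload content rather than from the port number. The frame is constructed inside the code; the MAC and IP addresses are sample values.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

// Frame holds what each layer of an Ethernet/IPv4/TCP packet exposes.
type Frame struct {
	DstMAC, SrcMAC   net.HardwareAddr // Layer 2: all a switch looks at
	SrcIP, DstIP     net.IP           // Layer 3: what a router forwards on
	Protocol         uint8
	SrcPort, DstPort uint16 // Layer 4: what a port-based firewall filters on
	Payload          []byte // Layer 7: only DPI looks in here
}

// ParseFrame dissects a raw frame: IPv4 over Ethernet carrying TCP only; anything else, or a truncated frame, is an error.
func ParseFrame(b []byte) (Frame, error) {
	var f Frame
	if len(b) < 14 {
		return f, errors.New("short Ethernet header")
	}
	f.DstMAC, f.SrcMAC = net.HardwareAddr(b[0:6]), net.HardwareAddr(b[6:12])
	if binary.BigEndian.Uint16(b[12:14]) != 0x0800 {
		return f, errors.New("not IPv4")
	}
	ip := b[14:]
	if len(ip) < 20 || ip[0]>>4 != 4 {
		return f, errors.New("short or non-IPv4 header")
	}
	ihl, totalLen := int(ip[0]&0x0f)*4, int(binary.BigEndian.Uint16(ip[2:4]))
	if ihl < 20 || totalLen < ihl || totalLen > len(ip) {
		return f, errors.New("bad IPv4 length fields")
	}
	f.Protocol = ip[9]
	f.SrcIP, f.DstIP = net.IP(ip[12:16]), net.IP(ip[16:20])
	if f.Protocol != 6 {
		return f, errors.New("not TCP")
	}
	tcp := ip[ihl:totalLen]
	if len(tcp) < 20 {
		return f, errors.New("short TCP header")
	}
	f.SrcPort, f.DstPort = binary.BigEndian.Uint16(tcp[0:2]), binary.BigEndian.Uint16(tcp[2:4])
	dataOff := int(tcp[12]>>4) * 4 // TCP header length in bytes, options included
	if dataOff < 20 || dataOff > len(tcp) {
		return f, errors.New("bad TCP data offset")
	}
	f.Payload = tcp[dataOff:]
	return f, nil
}

// ClassifyL7 identifies the application protocol from the payload itself, not from the port: that is what DPI adds over port-based filtering.
func ClassifyL7(payload []byte) string {
	p := string(payload)
	switch {
	case strings.HasPrefix(p, "GET ") || strings.HasPrefix(p, "POST ") || strings.HasPrefix(p, "HTTP/"):
		return "http"
	case strings.HasPrefix(p, "EHLO ") || strings.HasPrefix(p, "HELO ") || strings.HasPrefix(p, "220 "):
		return "smtp"
	case len(p) >= 3 && p[0] == 0x16 && p[1] == 0x03:
		return "tls" // TLS record header: handshake, version 3.x
	default:
		return "unknown"
	}
}

// BuildFrame constructs a minimal valid Ethernet/IPv4/TCP frame as sample input; checksums stay zero since the dissector does not verify them.
func BuildFrame(srcIP, dstIP net.IP, srcPort, dstPort uint16, payload []byte) []byte {
	eth := []byte{0, 0x1a, 0x2b, 0x3c, 0x4d, 0x5e, 0, 0x1a, 0x2b, 0x3c, 0x4d, 0x5f, 0x08, 0x00}
	ip := make([]byte, 20)
	ip[0] = 0x45 // version 4, IHL 5 words
	binary.BigEndian.PutUint16(ip[2:4], uint16(40+len(payload)))
	ip[8], ip[9] = 64, 6 // TTL, protocol = TCP
	copy(ip[12:16], srcIP.To4())
	copy(ip[16:20], dstIP.To4())
	tcp := make([]byte, 20)
	binary.BigEndian.PutUint16(tcp[0:2], srcPort)
	binary.BigEndian.PutUint16(tcp[2:4], dstPort)
	tcp[12], tcp[13] = 0x50, 0x18 // data offset 5 words, flags PSH|ACK
	return append(append(append(eth, ip...), tcp...), payload...)
}

func main() {
	// Constructed sample: cleartext HTTP on port 8443, where a port rule would assume TLS; only the Layer 7 view notices.
	raw := BuildFrame(net.IPv4(10, 0, 0, 5), net.IPv4(192, 0, 2, 10), 51000, 8443,
		[]byte("GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"))
	f, err := ParseFrame(raw)
	if err != nil {
		panic(err)
	}
	fmt.Printf("L2 %s -> %s | L3 %s -> %s | L4 %d -> %d | L7 %s\n",
		f.SrcMAC, f.DstMAC, f.SrcIP, f.DstIP, f.SrcPort, f.DstPort, ClassifyL7(f.Payload))
}
```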

Encryption and Key Management
- Traditional security is based on container-based protection
  - In the cloud the consumer doesn't know where data is stored; cloud divorces data from location
- Strong encryption & secure key management is needed
  - Sensitive & PII data must be encrypted; preferably all data is
- Who holds the keys?
  - Create a chain of separation for keys & data
- How many keys? One? One per customer? Or multiple keys per customer?
  - Is the key management scalable?
- Encrypt data in motion & data at rest
- Data integrity requirements
- Ensure encryption is adhering to industry & government standards
Safe harbor provisions in some laws and regulations consider lost encrypted data as not lost at all.
39

Virtualization Security
- Virtualization is a key enabler for cloud computing
- Simplicity of creating and moving machine instances creates a risk that insecure images can be created
  - Assure each VM is secure by default (STIG, CIS, PCI DSS etc.)
  - Assure security in VM migration
- Virtualization introduces new attack surfaces with the hypervisor & other management components
  - Admin access should include strong authentication
  - Creating, configuring and cloning VMs
- Virtualization obscures data location, a key regulatory concern
- Secure sharing across partitions
  - Trusted Virtual Domains: grouping VMs across machines
Virtualization is a key enablement technology for cloud computing. However, there is a concern about VMs moving freely from one physical box to another.
40

Storage Security
- Basic tenets of data security still hold (CIA)
- Typically provided as IaaS
- Object reuse requirement
  - Storage retirement process
  - Data destruction is hard to prove
  - Strong encryption renders data unreadable when storage is recycled
- Storage provisioning for multiple customers (multi-tenancy)
  - Can storage be seized by a 3rd party or government?
  - How is encryption done in multi-tenant storage?
  - How long are the keys maintained?
- Support for long term archiving
- Management of off-line & portable storage
How do you know, under your storage provider's plans, that your data is still reliable and available when your business needs it?
41
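For the key questions raised on the Encryption and Key Management slide (who holds the keys, one key per customer or several, a chain of separation between keys and data) and the point above that strong encryption renders recycled storage unreadable, the Go example below (added here, not from the deck) implements per-tenant envelope encryption with AES-256-GCM: each object gets its own data key, that key is wrapped under a tenant key held apart from the data, and deleting the tenant key cryptographically erases everything stored under it. The tenant names and the record are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Sealed is one stored object: data under its own DEK, and that DEK wrapped under the owning tenant's KEK. The provider stores both; it never holds the KEK.
type Sealed struct {
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, data)
}

func newKey() []byte {
	k := make([]byte, 32) // AES-256
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal uses a fresh nonce; aad binds the blob to a tenant id so it cannot be replayed into another tenant's namespace.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad key or blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// KeyStore models the key-holding side (a customer HSM, or a KMS the customer controls): one KEK per tenant, kept apart from the data store.
type KeyStore struct{ keks map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keks: map[string][]byte{}} }

func (ks *KeyStore) Enroll(tenant string) { ks.keks[tenant] = newKey() }

// Shred is end-of-service erasure: with the KEK gone, every object of that tenant is unreadable wherever copies of the ciphertext survive.
func (ks *KeyStore) Shred(tenant string) { delete(ks.keks, tenant) }

// Store encrypts data under a fresh per-object DEK and wraps that DEK for the tenant.
func (ks *KeyStore) Store(tenant string, data []byte) (Sealed, error) {
	kek, ok := ks.keks[tenant]
	if !ok {
		return Sealed{}, errors.New("unknown tenant")
	}
	dek := newKey()
	ct, err1 := seal(dek, data, []byte(tenant))
	wrapped, err2 := seal(kek, dek, []byte(tenant))
	if err1 != nil || err2 != nil {
		return Sealed{}, errors.New("encryption failed")
	}
	return Sealed{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Retrieve unwraps the DEK with the named tenant's KEK, then decrypts the data.
func (ks *KeyStore) Retrieve(tenant string, s Sealed) ([]byte, error) {
	kek, ok := ks.keks[tenant]
	if !ok {
		return nil, errors.New("no key for tenant: data is cryptographically erased")
	}
	dek, err := open(kek, s.WrappedDEK, []byte(tenant))
	if err != nil {
		return nil, errors.New("cannot unwrap DEK with this tenant's key")
	}
	return open(dek, s.Ciphertext, []byte(tenant))
}

func main() {
	ks := NewKeyStore()
	ks.Enroll("tenant-a")
	obj, _ := ks.Store("tenant-a", []byte("PII record (constructed sample)"))
	pt, err := ks.Retrieve("tenant-a", obj)
	fmt.Println(string(pt), err)
	ks.Shred("tenant-a")
	_, err = ks.Retrieve("tenant-a", obj)
	fmt.Println("after shred:", err)
}
```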

Information Lifecycle Management
- Information must be managed throughout the life of the data (creation to destruction)
- Data classification should be put in place
- Data confidentiality
- Data integrity
- Provider access needs to be defined and enforced
- Data retention
- Data destruction (harder to prove by CP)
- Cross-jurisdictional issues
- Negotiate penalties for data breaches
- RBAC required
42

Portability & Interoperability
What if there is a need to switch a CP due to
- Cost increase at renewal time
- Provider out of business
- Degraded service quality

Ability to recover and port depends on type of service
SaaS
- Migrate data to new application
- Keep regular backups of data
- Ensure competitors can help migrate

IaaS
- Ensure applications are deployed on a virtual image
- Keep backups in cloud-independent format

PaaS
- Ensure use of an application development architecture; if not, could involve significant rewrites
- Keep backup copies

Geographic redundancy may be OK
Consider use of multiple providers for redundancy
43

US Federal Specific Issues
- How will the cloud meet my information assurance requirements?
- If multiple Govt. agencies need to share information, do they need to be in the same cloud? How do I build a community cloud?
- How is sharing done across different security domains in the cloud? E.g. Multiple Independent Levels of Security (MILS), Multilevel Security (MLS), cross domain, ..
- Mission criticality is key in certain DoD operations. How is this guaranteed in the cloud?
- What cyber security requirements should I impose on cloud providers?
- In case of a cloud cyber attack, how is the attack contained?
- How do I know/control the other tenants?
- How would my end point encryption change, if I move to cloud?
- How will I meet Certification and Accreditation (C&A) requirements in the cloud?
44

Governance & Enterprise Risk Management
- Beware: many CSPs accept no responsibility for data they store in their infrastructure
- Be clear on who owns the data
- Be clear on what risks are being transferred
- SLAs include availability, service quality, resolution times, critical success factors, key performance indicators, etc.
- CSPs should have regular 3rd party risk assessments (made available to customers)
- Require listings of all 3rd party relationships
- Understand financial viability of CSP
- Understand CSP's key risk & performance indicators from a customer perspective
- For mission critical situations & PII, examine creating a private or hybrid cloud
- What provider is needed? IaaS, PaaS, SaaS
45

Compliance
- Know your legal obligations
- Compliance is NOT a provider responsibility!
- Understand data locations (e.g. EU DPD has restrictions)
- Data copies and how they are controlled
- Perform external risk assessment
- Perform privacy impact assessment
- Provider must make it easier to demonstrate compliance
Compliance Requirements
- SAS 70
- ISO 27001
- FISMA
- EU DPD
- SOX
- GLBA
- HIPAA
- PCI DSS
- Basel II
- California A.B.21
46

Vulnerability Management
- Vulnerability management strategy/plan
- Network scanning policy
- Application scanning policy
- Allow outside scanning?
- Allow external vulnerability assessment?
- Vulnerability remediation process
47

Physical/Personnel Security
Protection against internal attacks
- Ensure internal people can't exploit the information to their gain
- Restricted & monitored access 24x7
- Background checks for all relevant personnel
- Audit privileged users?
- Passed SAS 70 audit? Audit result?
- Security team on client side needed?
- Coordination of admins (hybrid cloud)
48

Operational Security
Look under the hood!
- Understand how the CP has implemented the key architectural characteristics
- What IT products does the CP use?
- Segregation of tenants
- Who are the other clients of your CP? Is your neighbor a high profile target?
- How does resource democratization occur?
- CP's patch management policies
- Logging practices
49

Availability
- Availability #?
- Multiple ISPs
- DDoS protection mechanism
- Is availability history data available?
- Service upgrade plan
- Patch management policy
- Peak load/capacity
50

Incident Response
Multi-tenant applications
- Detection of data breaches
- Response to data breaches
- Notification procedure
  - Each tenant may require a different notification
- Coordination with vendor response procedures
51

Privacy
Private data
- What is collected?
- Where is it stored?
- How is it stored?
- How is it used?
- How long is it stored?
- Tagging of PII data
- Access control of PII data
- Protection of digital identities & credentials
- Access policy for 3rd parties (e.g. Govt. agency)
How will 3rd parties protect my privacy?
52

Business Continuity
Disaster recovery plan
- Is it comparable to the client's data center?
- Can we do a BC audit?
- Location of recovery data centers
- Service level guarantee under DR conditions
- Data portability
53

Legal Issues
Liability
- Contractual responsibility for protecting client data
- Financial compensation
- Consequences of not meeting SLA
- Legal requests for information
- Prohibit data use by provider
- Restrict cross border transfer

Intellectual Property
- All data including copies owned by client
- State data rights in SLA clearly

End of Service support
- Data packaged and delivered to client
- How soon will it be delivered?
- Will the remaining copies be erased completely?
54

Part IV - Towards building Secure Cloud Solutions
55

IBM Security Framework Red Guide
"Introducing the IBM Security Framework and IBM Security Blueprint to Realize Business Driven Security" on the IBM Redbooks site: http://www.redbooks.ibm.com/abstracts/redp4528.html
56

Business and IT Drivers Define Layers of Security


Operational security
A mix of reactive and proactive measures that focus on the correct and reliable operation of the infrastructure and managing service levels.

Information assurance
Measures that are directed at protecting valued information assets.

Business security
A wide range of measures that address business-specific risks and outcomes.
57

IT Security is a Policy-based Process for Reducing Risk


The security policy must reduce the residual risk to, or below, levels acceptable to the organization.
Common industry approaches:
- CobiT
- ISO/IEC 27002:2005

58

The IBM Security Framework
A broad, business view of security:
- Business problem oriented, focused on the what, not the how
- Technology, service delivery, and form-factor neutral
- Translates into coarse-grained business solutions, not into specific IT components or IT services
- Solutions addressing problems from different domains tend to share common elements
59

Typical Security Requirements (1/3)
- 3rd-party audit (SAS 70(2), ISO 27001, PCI)
- SLAs, option to transfer risk from tenant to provider
- Visibility into change, incident, image management, etc.
- Effective incident reporting for tenants
- Client access to tenant-specific log and audit data
- Support for forensics
- Support for e-Discovery
Requirements based on feedback from clients (commercial & government) and analysis of recent reports from Burton, EMA, Gartner, Forrester.
60

Typical Security Requirements (2/3)
- Privileged user monitoring, including logging activities, physical monitoring and background checking
- Coordinating authentication and authorization with enterprise or third party systems
- Standards-based SSO
- Data segregation
- Government: cloud-wide data classification
- Client control over geographic location of data
61

Typical Security Requirements (3/3)
- Application security: none. Application security requirements for cloud are phrased in terms of image security, or they are phrased in terms of compliance with secure development best practices.
- Isolation between tenant domains
  - Policy-based security zones / trusted virtual domains
  - Government: MILS-type separation
- Built-in intrusion detection and prevention
- Protect machine images from corruption and abuse
- Vulnerability management
- Monitoring and control of physical access
62

The IBM Security Blueprint
- A product-agnostic and solution-agnostic approach to defining security capabilities
- A common vocabulary to use in more detailed discussions
- Architectural principles that are valid across all domains and deployment environments
- Based on researching many customer related scenarios
- A roadmap to assist in designing and deploying security solutions
63

IBM Security Blueprint Layers

The IBM Security Blueprint separates security management from infrastructure services.

64

Foundational Security Management

The Foundational Security Management Layer represents a closed-loop, risk management process for identifying, deploying, and assessing controls on risk.
65

Security Services and Infrastructure Layer

The Security Services and Infrastructure Layer represents the components that implement the security control points in the IT environment and the necessary infrastructure to support them.
66

Cloud computing also provides the opportunity to simplify security controls and defenses
Security domains on the slide: People and Identity; Information and Data; Process & Application; Network, Server and Endpoint; Physical infrastructure.
Simplifications listed:
- Centralized identity and access control policies
- Well-defined set of input/output interfaces
- Consistent enrollment, proofing, validation and management of a trusted user
- Computing services running in isolated domains as defined in service catalogs
- Default encryption of data in motion & at rest
- Virtualized storage providing better inventory, control, and tracking of master data
- Autonomous security policies and procedures
- Personnel and tools with specialized knowledge of the cloud ecosystem
- SLA-backed availability and confidentiality
- Automated provisioning and reclamation of hardened runtime images
- Dynamic allocation of pooled resources to mission-oriented resources
- Simplified, built-in security controls
- Closer coupling of systems for management of physical and logical identity/access
- Strong platform of compute resources with integrated workload-balancing and resiliency
- Highly-fortified physical data centers
67

Cloud security requirements and supporting technologies
Stakeholders listed: End User, Enterprise Administrator, IT Auditor, Application Developer, Cloud Provider.
Security domains listed: People and Identity; Data and Information; Application and Process; Network, Server, and Endpoint; Physical Infrastructure.
Requirements (supporting technologies):
- Privileged User Access (centralized access and audit policies, directories)
- Data Segregation (encryption, network segmentation, hardware / OS / app / database isolation)
- Compliance and Auditing (audit policy creation, log generation and management)
- Server Security (trusted computing, auditing, access control)
- Data Location (cloud data centers)
- Federated Identity Management (single sign-on, identity provisioning technologies)
- Data Recovery (centralized backups, remote storage)
- Network Security (firewall, IPS, VLAN)
- Investigative Support (audit retention, search, and correlation)
- Disaster Recovery (highly resilient clouds)
- Privileged Account Management (change control processes for privileged users)
- Data Redaction and Termination (secure removal processes for customer data and metadata)
- Virtualization Security (VM segmentation, virtual appliances, integrated hypervisor security)
- Cloud Availability (multiple cloud centers)
- Policy Management (unified security, governance, and policy enforcement)
- Trusted Identity (protecting their identities as constituents, employees, and consumers)
- Data Leakage Prevention (DLP technologies for data in motion and data at rest)
- Browser Security (SSL, memory protection, multilevel security, anti-malware)
- Secure Provisioning (image management, hardening, cohabitation policies)
- Patch Management (assessment, prioritization, scheduling, and application)
- Application Testing (vulnerability assessment, fuzzing, app scanning, automated code reviews)

IT moves to writing SLAs!
68

Summary
The IBM Security Framework creates a business-oriented view of security. The IBM Security Blueprint is a technology-agnostic view of security capabilities that creates a common vocabulary for designing security controls that are consistently implemented across a variety of IT environments.
69

Conclusions
- Look under the hood
  - Perform onsite inspection of CP facilities whenever possible
- Ensure CP meets all security requirements
  - Convert all/some into CP requirements
  - State integration requirements (hybrid cloud)
  - Understand how CP will meet these
- Be clear about your security requirements & solutions
  - Be specific about your needs in the SLA
- Insider threat is a significant concern
  - Robust compartmentalization of job duties
  - Privileged user access control
  - Limit knowledge of customers
- Ensure discovery & forensics requirements are met
- Understand the handling of transitive trust
  - What suppliers does the cloud provider depend on? (recursive)
- Evolving convergence of physical & IT security introduces new risks
- Shop around for multiple CPs (inter cloud integration)
- Have open and frequent discussion with CP
Cloud computing provides new economies for information technologies as well as new challenges. Properly constructed, it can be more secure than traditional IT infrastructure, but that construction requires the use of strong, integrated and usable security mechanisms.
70
