2nd SG 13 Regional Workshop for Africa on
“Future Networks: Cloud Computing, Energy Saving, Security & Virtualization”
(Tunis, Tunisia, 28 April 2014)
Securing the Cloud
Selma Turki
Business Development Executive, European Union Institutions
Selma.turki@be.ibm.com
Security remains the #1 inhibitor to broad-scale cloud adoption
(Source: 2012 Cloud Computing – Key Trends and Future Effects – IDG)
Cloud environments present new challenges
Cloud computing tests the limits of security operations and infrastructure.
Security and Privacy Domains – what the move to cloud brings – resulting security challenges
• People and Identity: Self-Service → Multiple Logins, Onboarding Issues
• Data and Information: Highly Virtualized → Multi-tenancy, Data Separation
• Application and Process: Location Independence → External Facing, Quick Provisioning
• Network, Server and Endpoint: Workload Automation → Virtualization, Network Isolation
• Physical Infrastructure: Rapid Elasticity → Provider Controlled, Lack of Visibility
• Governance, Risk and Compliance: Standardization → Audit Silos, Compliance Controls
In a cloud environment, access expands, responsibilities change, control shifts, and the speed of provisioning resources and applications increases greatly, affecting all aspects of IT security.
Key Cloud security concerns
1. Manage the registration and control the access of thousands or even millions of Cloud users in a cost-effective way
2. Ensure the safety and privacy of critical enterprise data in Cloud environments without disrupting operations
3. Provide secure access to applications in the Cloud
4. Manage patch requirements for virtualized systems
5. Provide protection against network threats and vulnerabilities in the Cloud
6. Protect virtual machines
7. Achieve visibility and transparency in Cloud environments to find advanced threats and meet regulatory and compliance requirements
1 Identity
(Diagram labels: Identity; Vulnerability Mgt.; Log Service; Security Event Mgt.)
Cost-effective user registration and access control of Cloud users
Requirement
• Full life-cycle identity management (“cradle-to-grave”) for cloud-based users
• Access, authorization control, and fraud prevention for applications and data in the cloud
• Ability to track and log user activities, report violations, and prove compliance
Capability
• Federated single sign-on to multiple web-based and cloud applications with a single ID and password for employees, customers, BPs, vendors
• User self-service for identity creation and password reset
• Securely provision, manage, automate and track privileged access to critical enterprise resources
• Automated management and risk-based enforcement of access control policies across every application, data source, operating system and even company boundaries
• Role-based identity and access management aligns users’ roles to their access capabilities, simplifies management and compliance
• Security incident and event management for compliance reporting and auditing of users and their activities—in both cloud and traditional environments
• The ability to monitor, control, and report on privileged identities (e.g., systems and database administrators) for cloud-based administrators
• Addressing compliance requirements, reducing operational costs, enhancing security posture and developing operational efficiencies
1 Identity
IBM Identity and Access Management Vision
Key Themes
• Standardized IAM and Compliance Management: Expand IAM vertically to provide identity and access intelligence to the business; integrate horizontally to enforce user access to data, app, and infrastructure
• Secure Cloud, Mobile, Social Interaction: Enhance context-based access control for cloud, mobile and SaaS access, as well as integration with proofing, validation and authentication solutions
• Insider Threat and IAM Governance: Continue to develop Privileged Identity Management (PIM) capabilities and enhanced Identity and Role management
2 Data
Four steps to data security in the Cloud
1. Understand, define policy
   • Discover where sensitive data resides
   • Classify and define data types
   • Define policies and metrics
2. Secure and protect
   • Encrypt, redact and mask virtualized databases
   • De-identify confidential data in non-production environments
3. Actively monitor and audit
   • Monitor virtualized databases and enforce review of policy exceptions
   • Automate and centralize the controls needed for auditing and compliance (e.g., SOX, PCI)
   • Assess database vulnerabilities
4. Establish compliance and security intelligence
   • Automate reporting customized for different regulations to demonstrate compliance in the Cloud
   • Integrate data activity monitoring with security information and event management (SIEM)
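As an added example (not from the deck or any IBM product), the following Python sketches steps 1 to 3 of this procedure over constructed sample rows: pattern-based classification, policy-driven tokenization, redaction and masking for a non-production copy, and recording of policy exceptions for review. The pattern names, the policy table and the sample rows are all assumptions.

```python
import hashlib
import re
# Constructed classification rules for step 1 (the deck names no concrete patterns).
SENSITIVE_TYPES = {
    "credit_card": re.compile(r"\b\d{4}-\d{4}-\d{4}-\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\+\d[\d -]{7,}\d"),
}
# Step 1 policy (constructed); "phone" is deliberately absent to exercise the exception path.
POLICY = {"credit_card": "tokenize", "ssn": "redact", "email": "mask"}
SAMPLE_ROWS = [  # constructed rows standing in for a production table
    {"name": "Alice", "email": "alice@example.com", "ssn": "123-45-6789",
     "card": "4111-1111-1111-1111"},
    {"name": "Bob", "email": "bob@example.org", "phone": "+1 555-0100"},
]

def classify(row):
    """Step 1: map each column holding a sensitive value to its data type."""
    found = {}
    for column, value in row.items():
        for dtype, rx in SENSITIVE_TYPES.items():
            if isinstance(value, str) and rx.search(value):
                found[column] = dtype
    return found

def deidentify(value, action, salt=b"nonprod-salt"):
    """Step 2: apply one policy action to a single value."""
    if action == "tokenize":  # stable, irreversible surrogate so joins still work
        return "tok_" + hashlib.sha256(salt + value.encode()).hexdigest()[:12]
    if action == "redact":
        return "[REDACTED]"
    if action == "mask":      # keep the shape, hide the identifying part
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    raise ValueError(f"unknown policy action {action!r}")

def export_for_nonprod(rows):
    """Steps 2-3: de-identify classified columns; unknown types fail closed + log."""
    out, exceptions = [], []
    for i, row in enumerate(rows):
        clean = dict(row)
        for column, dtype in classify(row).items():
            action = POLICY.get(dtype)
            if action is None:  # policy gap: redact and record an exception for review
                exceptions.append({"row": i, "column": column, "type": dtype})
                clean[column] = "[REDACTED]"
            else:
                clean[column] = deidentify(row[column], action)
        out.append(clean)
    return out, exceptions
```

The returned exception list is what step 3's "enforce review of policy exceptions" would feed on; the tokenized card value is stable across runs, so test data keeps its referential integrity.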
2 Data
Data Security Vision
Key Themes
• QRadar Integration Across Multiple Deployment Models
• Reduced Total Cost of Ownership: Expanded support for databases and unstructured data, automation, handling and analysis of large volumes of audit records, and new preventive capabilities
• Enhanced Compliance Management: Enhanced Database Vulnerability Assessment (VA) and Database Protection Subscription Service (DPS) with improved update frequency, labels for specific regulations, and product integrations
• Dynamic Data Protection: Data masking capabilities for databases (row level, role level) and for applications (pattern based, form based) to safeguard sensitive and confidential data
3 Applications
Application security challenge: manage risk
• 76% of CEOs feel reducing security flaws within business-critical applications is the most important aspect of their data protection programs
• 79% of compromised records used Web Apps as the attack pathway
• 81% of breached organizations subject to PCI were found to be non-compliant
3 Applications
Application Security Vision
Key Themes
• Coverage for Mobile applications and new threats: Continue to identify and reduce risk by expanding scanning capabilities to new platforms such as mobile, as well as introducing next generation dynamic analysis scanning and glass box testing
• Simplified interface and accelerated ROI: New capabilities to improve customer time to value and consumability with out-of-the-box scanning, static analysis templates and ease of use features
• Security Intelligence Integration: Automatically adjust threat levels based on knowledge of application vulnerabilities by integrating and analyzing scan results with SiteProtector and the QRadar Security Intelligence Platform
4 Patch Management
Optimizing the patch cycle and helping ensure the security of both traditional and Cloud computing assets
(Diagram: Distributed Endpoints + Web App / DB / Physical Servers + Virtual Servers)
Customer Pain Points
• Time required to patch all enterprise physical, virtual, distributed, and cloud assets
• Lack of control over deployed and dormant virtual systems' OS patch levels and related security configurations
Capability
• Automatically manage patches for multiple OSs and applications across physical and virtual servers
• Reduce security and compliance risk by slashing remediation cycles from weeks to hours
• Patch running / offline / dormant VMs
• Continuously monitor and enforce endpoint configuration
6 Protect VMs
Security Challenges with Virtualization: New Complexities
Before Virtualization
• 1:1 ratio of OSs and applications per server
After Virtualization
• 1:Many ratio of OSs and applications per server
• Additional layer to manage and secure
New complexities
• Dynamic relocation of VMs
• Increased infrastructure layers to manage and protect
• Multiple operating systems and applications per server
• Elimination of physical boundaries between systems
• Manually tracking software and configurations of VMs
• Hypervisor is an attack vector
6 Protect VMs
Example for Securing the Virtualized Runtime: IBM Security Virtual Server Protection for VMware vSphere 4
• VMsafe Integration
• Firewall and Intrusion Prevention
• Rootkit Detection / Prevention
• Inter-VM Traffic Analysis
• Automated Protection for Mobile VMs (VMotion)
• Virtual Network Segment Protection
• Virtual Network-Level Protection
• Virtual Infrastructure Auditing (Privileged User)
• Virtual Network Access Control
• There have been 100 vulnerabilities disclosed across all of VMware’s virtualization products since 1999.*
• 57% of the vulnerabilities discovered in VMware products are remotely accessible, while 46% are high risk vulnerabilities.*
7 Security Intelligence
Security Intelligence: Integrating across IT silos
Extensive Data Sources: Security Devices; Servers & Hosts; Network & Virtual Activity; Database Activity; Application Activity; Configuration Info; Vulnerability Info; User Activity
+ Deep Intelligence: Event Correlation; Activity Baselining & Anomaly Detection; Offense Identification
= Exceptionally Accurate and Actionable Insight (High Priority Offenses)
• Detecting threats
• Predicting risks against your business
• Consolidating data silos
• Addressing regulatory mandates
• Detecting insider fraud
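As an added example (not from the deck or QRadar), the following Python shows the correlation idea in the slide on constructed sample feeds: a successful login is scored by correlating it with preceding authentication failures, the user's activity baseline, vulnerability info for the target host and follow-on database activity, and is then surfaced as a prioritized offense. The feed formats, scores and thresholds are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed feeds from three of the silos the slide lists (not taken from the deck):
# authentication events from a server, database activity, and scanner findings per host.
AUTH_EVENTS = [  # (timestamp, user, source ip, host, outcome)
    ("2014-04-28T08:00:00", "alice", "10.0.0.5", "db01", "failure"),
    ("2014-04-28T08:00:20", "alice", "10.0.0.5", "db01", "failure"),
    ("2014-04-28T08:00:40", "alice", "10.0.0.5", "db01", "failure"),
    ("2014-04-28T08:01:00", "alice", "10.0.0.5", "db01", "success"),
    ("2014-04-28T09:00:00", "bob", "10.0.1.7", "web02", "success"),
]
DB_ACTIVITY = [("2014-04-28T08:03:00", "alice", "db01", "SELECT * FROM customers")]
VULN_INFO = {"db01": ["high"], "web02": []}             # host -> open finding severities
BASELINE = {"alice": {"10.0.2.9"}, "bob": {"10.0.1.7"}}  # usual source IPs per user

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def correlate(auth, db_activity, vuln, baseline, window=timedelta(minutes=5), fails=3):
    """Score each successful login by correlating it with the other silos."""
    offenses = []
    for i, (t, user, src, host, outcome) in enumerate(auth):
        if outcome != "success":
            continue
        t0, score, reasons = _ts(t), 0, []
        # Event correlation: repeated failures from the same source just before success.
        prior = [e for e in auth[:i] if e[1] == user and e[2] == src
                 and e[4] == "failure" and t0 - _ts(e[0]) <= window]
        if len(prior) >= fails:
            score += 3
            reasons.append(f"{len(prior)} failures before success")
        # Anomaly detection: source address outside the user's activity baseline.
        if src not in baseline.get(user, set()):
            score += 2
            reasons.append("source not in user baseline")
        # Vulnerability info: raise the level when the target host has open high findings.
        if "high" in vuln.get(host, []):
            score += 2
            reasons.append("host has open high-severity vulnerability")
        # Database activity silo: follow-on data access by the same account on that host.
        if any(u == user and h == host and timedelta(0) <= _ts(dt) - t0 <= window
               for dt, u, h, _ in db_activity):
            score += 1
            reasons.append("database activity after login")
        if score:
            offenses.append({"user": user, "src": src, "host": host, "score": score,
                             "priority": "high" if score >= 5 else "low", "reasons": reasons})
    return sorted(offenses, key=lambda o: -o["score"])
```

Each silo on its own would produce either noise (one failed login) or nothing (a scanner finding with no activity); only the combined score pushes the alice/db01 event into the high-priority bucket.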
IBM Security Framework: Delivering intelligence, integration and expertise across a comprehensive framework
IBM Security Systems
• IBM Security Framework built on the foundation of COBIT and ISO standards
• End-to-end coverage of the security domains
• Managed and Professional Services to help clients secure the enterprise
Security as a Service: IBM Security Services from the Cloud
Security-as-a-Service (SaaS) from IBM Managed Security Services
Security Intelligence ● People ● Data ● Apps ● Infrastructure
• Security Event and Log Management: Offsite management of security logs and events
• Application Security Management: Help reduce data loss, financial loss and website downtime
• Managed Web and Email Security: Help protect against spam, worms, viruses, spyware, adware and offensive content
• Mobile Device Security Management: Help protect against malware and other threats while enabling mobile access
• Vulnerability Management Service: Help provide proactive discovery and remediation of vulnerabilities
• IBM X-Force® Threat Analysis Service: Customized security threat intelligence based on IBM X-Force® research and development
Key Cloud Resources
IBM Research and Papers
• Special research concentration in cloud security, including white papers, Redbooks, Solution Brief – Cloud Security
IBM X-Force
• Proactive counter intelligence and public education: http://www.ibm.com/security/xforce/
IBM Institute for Advanced Security
• Cloud Security Zone and Blog (Link)
Customer Case Study
• EXA Corporation creates a secure and resilient private cloud (Link)
Other Links:
• IBM Media series – SEI Cloud Security (Link)
• External IBM.COM : IBM Security Solutions (Link)
• External IBM.COM : IBM SmartCloud – security (Link)
• IBM SmartCloud security video (Link)
IBM Best Cloud Computing Security
IBM Security Systems
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
www.ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
© 2012 IBM Corporation
IBM Security Systems
Cloud-ready security solutions span the portfolio
QRadar Security Intelligence
• Federating identities for public and hybrid cloud environments: Federated Identity Manager – Business Gateway
• Security Application Scanning for cloud based applications: AppScan Static / Dynamic Analysis
• Virtual IPS for VMware ESX / ESXi hosts and workloads: Virtual Server Protection
• Virtual IPS for virtual network edge protection: Network IPS Virtual Appliance
• Endpoint Manager / SmartCloud Patch
• Guardium database monitoring and protection