Cloud Security Challenges and Solutions

- Balraj S Boparai, CISSP
Worldwide Tivoli Security SWAT Team


• Introduction to Cloud computing
• Security Challenges in the Cloud
• Cloud security concerns
• IBM’s Point of View on Cloud Security
• IBM solutions for securing cloud
• Assessing the Security Risks of Cloud Computing
• Security as a Service


Introduction to Cloud Computing


What is Cloud Computing?
“Cloud” is a new consumption and delivery model for many IT-based services, in which the user sees only the service, and has no need to know anything about the technology or implementation.

Attributes

Standardized, consumable web-delivered services

Flexible pricing

Elastic scaling

Service Catalog Ordering

Metering & Billing

Rapid provisioning

Advanced virtualization




....service oriented and service managed

Features of Cloud


The Layers of IT-as-a-Service
• Software as a Service: Collaboration; Business Processes; Industry Applications; CRM/ERP/HR
• Platform as a Service: Web 2.0 Application Runtime; Middleware; Database; Java Runtime; Development Tooling
• Infrastructure as a Service: Data Center Fabric; Storage


Cloud Computing Delivery Models
Flexible Delivery Models

Public …
• Service provider owned and managed
• Access by subscription
• Delivers select set of standardized business process, application and/or infrastructure services on a flexible price per use basis

Cloud Services Cloud Computing Model

Private …
• Privately owned and managed
• Access limited to client and its partner network
• Drives efficiency, standardization and best practices while retaining greater customization and control

Hybrid …
• Access to client, partner network, and third party resources

.… Standardization, capital preservation, flexibility and time to deploy

.… Customization, efficiency, availability, resiliency, security and privacy



...service sourcing and service value

Security and Cloud Computing





Reduced Cost

….leverages virtualization, standardization and service management to free up operational budget for new investment






…allowing you to optimize new investments for direct business benefits

Security Challenges in the Cloud


What is Cloud Security?
Confidentiality, integrity, availability of business-critical IT assets stored or processed on a cloud computing platform.

Software as a Service; Utility Computing; Grid Computing; Cloud Computing

“There is nothing new under the sun but there are lots of old things we don't know.”
Ambrose Bierce, The Devil's Dictionary

Security and the building blocks of Cloud Computing
• Strategic Outsourcing: Vendor Trust; SLAs
• Global Outsourcing: Legislative Boundaries; International Standards
• Grid Computing: Distributed Infrastructure; Availability, Resiliency
• Service Oriented Architecture
• Web 2.0: Web Threats; Web Security
• Collaboration: Data Leakage; Data Leakage Prevention
• Virtualization: Shared Infrastructure; Segmentation Technologies

Cloud Computing

Cloud Computing is a natural evolution of the evolving IT paradigms listed above.

A variety of security technologies, processes, procedures, laws, and trust models are required to secure the cloud. There is no silver bullet!

Cloud Security: Simple Example

Today’s Data Center: We Have Control
• It’s located at X.
• It’s stored in servers Y, Z.
• We have backups in place.
• Our admins control access.
• Our uptime is sufficient.
• The auditors are happy.
• Our security team is engaged.

Tomorrow’s Public Cloud: Who Has Control?
• Where is it located?
• Where is it stored?
• Who backs it up?
• Who has access?
• How resilient is it?
• How do auditors observe?
• How does our security team engage?



Everybody is Concerned about the Security in (Public) Clouds
New technologies always introduce new threat vectors and new risks. “External” aspects of public clouds exacerbate concerns:

• “Black box” sharing in clouds reduces visibility and control, increases risk of unauthorized access and disclosures.
• Limited compatibility with existing enterprise security infrastructure limits adoption for mission-critical apps.
• Limited experience and low assurance raise doubts over cloud reliability (operational availability, long-term perspective).
• Privacy and accountability regulations may prevent cloud adoption for certain data and in certain geographies.

Different Clouds, Different Responsibilities
• Software as a Service: Collaboration; Business Processes; Industry Applications; CRM/ERP/HR
The Cloud Curtain
• Platform as a Service: Web 2.0 Application Runtime; Middleware; Database; Java Runtime; Development Tooling
The Cloud Curtain
• Infrastructure as a Service: Data Center Fabric; Storage

Recent Analyst Reports Confirm General Concerns – But also Highlight Security as a Potential Market Differentiator
• “Securing your applications or data when they live in a cloud provider’s infrastructure is a complicated issue because you lack visibility and control over how things are being done inside someone else’s network.” Forrester, 5/09
• Gartner’s 7/09 “Hype Curve for Cloud Computing” positions Cloud Security Concerns in the early phase (technology trigger, will rise), and gives it a time horizon of 5-10 years
• “Large enterprises should generally avoid placing sensitive information in public clouds, but concentrate on building internal cloud and hybrid cloud capabilities in the near term.” Burton, 7/09
• “Cloud approaches offer a unique opportunity to shift a substantial burden for keeping up with threats to a provider for whom security may well be part of the value proposition.” EMA, 2/09
• “Highly regulated or sensitive proprietary information should not be stored or processed in an external public cloud-based service without appropriate visibility into the provider's technology and processes and/or the use of encryption and other security mechanisms to ensure the appropriate level of information protection.” Gartner 7/09


Security as a Potential Market Differentiator: Different Workloads have Different Risk Profiles
[Chart: Need for Security Assurance (Low to High) against Business Risk (Low-risk, Mid-risk, High-risk)]

Workloads plotted:
• Training, testing with nonsensitive data
• Analysis & simulation with public data
• Mission-critical workloads, personal information

High value / high risk workloads need
• Quality of protection adapted to risk
• Direct visibility and control
• Significant level of assurance

Today’s clouds are primarily here:
• Lower risk workloads
• One-size-fits-all approach to data protection
• No significant assurance
• Price is key

Cloud Security Concerns


Data exposure and Compromise
• Organizations are uncomfortable with the idea of data located on external systems
• Hosted providers cannot ensure absolute security
• Authentication and access technology becomes increasingly important
• Data segregation also becomes key in the cloud


Reliability of service
• Reliability is a core advantage in the cloud. It is very scalable and capable of meeting wide variations in processing power and users
• High Availability is still a concern. Many cloud-based offerings do not offer SLAs
• Any (cloud) offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure
• Even if the provider refuses to tell you where it will store your data, it should tell you what would happen to your data and service if one of its sites succumbs to a disaster


Reduced ability to demonstrate compliance with regulations, standards and SLAs
• Public clouds are mostly, by definition, “a black box”
• Complying with SOX, HIPAA etc. regulations may prohibit clouds for some applications
• Geographical requirements
• A ‘Private’ or ‘Hybrid’ cloud can be configured to meet these requirements


Ability to manage the security environment
• CSPs must supply easy visual controls to manage and monitor firewall and other security settings for applications and runtime environments in the cloud
• No granularity of access (SaaS). Usually the only roles available are ‘Admin’ and ‘Normal User’


IBM’s Point of View on Cloud Security


Layers of a typical Cloud Service
Cloud Delivered Services

Application as a service
Application software licensed for use as a service provided to customers on demand

Platform as a service
Optimized middleware – application servers, database servers, portal servers

Infrastructure as a service
Virtualized servers, storage, networking

Cloud Platform

Business Support Services
Offering Mgmt, Customer Mgmt, Ordering Mgmt, Billing

Operational Support Services
Infrastructure Provisioning Instance, Image, Resource / Asset Mgmt

Virtualized Resources
Virtual Network, Server, Storage

System Resources
Network, Server, Storage

Physical System and Environment


IBM’s Architectural Model for Cloud Computing
[Diagram labels]
• End Users, Operators: Service Request & Operations
• Service Provider: Service Creation; Service Planning
• Cloud Services: Application/Software as a Service; Platform as a Service; Infrastructure as a Service
• Standards Based Interfaces; Role-based Access
• Cloud Management Platform: Business Support Systems (BSS); Service Delivery Platform “Operational Support Systems (OSS)”
• Service Definition Tools; Service Publishing Tools; Service Catalog; Operational Console; Service Reporting & Analytics


Cloud Security = SOA Security + Secure “New” Runtime
[Diagram labels: Service Oriented Architecture; Cloud Services; Cloud Management Platform; Virtualized Resources; System Resources; Physical System / Environment]

Identity & Security as a Service

Secure integration with existing enterprise security infrastructure
• Federated identity / identity as a service
• Authorization, entitlements
• Log, audit and compliance reporting
• Intrusion prevention

Secure Runtime for Virtual Images and Virtual Storage
• Process isolation, data segregation
• Control of privileged user access
• Provisioning w/ security and location constraints
• Image provenance, image & VM integrity
• Multi-tenant security services (identity, compliance reporting, etc.)
• Multi-tenant intrusion prevention
• Consistency top-to-bottom

IBM Security Framework
• It’s clear to IBM that a variety of security technologies, processes, procedures, laws, and trust models are required to secure the cloud. There is no silver bullet for securing the cloud.

World class solutions – software, hardware and services
3rd-party audit (SAS 70(2), ISO27001, PCI)


IBM solutions for securing cloud


People and Identity
Businesses need to make sure people across their organization and supply chain have access to the data and tools that they need, when they need it, while blocking those who do not need or should not have access.

• Tivoli Identity Manager
• Tivoli Federated Identity Manager
  – Offers a single access method for users into cloud and traditional applications
  – Cloud computing infrastructures involve enormous pools of external users constantly logging in to leverage shared IT services, and this product’s authentication management features can help deliver significant business value
• Tivoli Access Manager for Operating Systems
  – It can help protect individual application, network, data, and operating system resources
  – Single security model


Information and Data
– Earlier, data could be protected at the perimeter. Now data needs to be secured wherever it resides and when it is in motion. Capabilities for monitoring, access management and encryption
– IBM’s Systems, Storage, and Network Segmentation Solutions
  » Offer application isolation, OS containers, encrypted storage, VLANs and other isolation technologies for a secure multitenant infrastructure
– Tivoli Key Lifecycle Manager
– IBM Data Encryption for IMS and DB2 Databases
– IBM Database Encryption Expert
  » Transparently protect any file on the file system
  » Transparently encrypt DB2 backup files
  » Protects information in online and offline environments

• Backup and recovery of data stored remotely in the cloud
  – IBM Information Protection Services

Process and Application
– Enterprises need to preemptively and proactively protect their business-critical applications
– Focus is more on Web applications

• Rational AppScan
  – Provides automated Web application scanning and testing for all common Web application vulnerabilities, including WASC threat classification (such as SQL Injection, Cross-Site Scripting, and Buffer Overflow), and intelligent fix recommendations to ease remediation
• Rational Policy Tester
  – Ensure site privacy by scanning web content and producing actionable reports to identify issues that may impact compliance
• ISS Professional Security Services
• IBM Optim Data Privacy Solutions
  – De-identify confidential information to protect privacy and support compliance initiatives by applying a range of masking and fictionalized substitution techniques
• IBM Tivoli Security Information and Event Manager


Optim’s data masking techniques


Network, Server and Endpoint
• Proactive threat and vulnerability monitoring
• Security of Virtualization stack
  – ISS Virtualization Security
    » Proventia Virtualized Network Security Platform (VNSP)
    » IBM Proventia® Server Intrusion Prevention System (IPS)
    » IBM RealSecure® Server Sensor


Physical Infrastructure
– Effective physical security requires a centralized management system that allows the monitoring of property, employees, customers and the general public


Physical Infrastructure

BCRS Resilient Cloud Validation Program
Summary: IBM Business Continuity and Resiliency Services (BCRS) plans to offer a validation program for cloud service providers to ensure the resiliency of their business.
Cloud Use Case: By using proven BCRS resiliency consulting methodology, combined with traditional shared and dedicated asset business and resiliency managed services, IBM is positioning BCRS as the premier resiliency provider to Cloud service providers.

Disaster Recovery: Restoration and availability of cloud computing resources

Public or Private Cloud

Resilient Cloud

High Performance On Demand Solutions (HiPODS) + IBM ISS Security Operations Centers
Summary: HiPODS is a group of specialists within IBM's Software Strategy group, with seven cloud computing locations around the world. IBM also has eight Security Operations Centers (SOCs) with a global reach to serve clients with international capabilities and a local presence.
Cloud Use Case: The HiPODS team can create a project team anywhere in the world in minutes and assign servers / storage for a project in less than an hour. IBM SOCs monitor more than 17,000 security devices on behalf of 3,700 customers.

Data Location: Ability to process data in specific jurisdictions according to local requirements





IBM Security has all the Capabilities and Credentials to Provide Enterprise-grade Security for Cloud Computing

Smart Planet Dynamic Infrastructure





IBM Research





Cloud computing also provides the opportunity to simplify security controls and defenses

People and Identity
Cloud Enabled Control(s):
• Defined set of cloud interfaces
• Centralized repository of Identity and Access Control policies
Benefit:
• Reduced risk of user access to unrelated resources

Information and Data
Cloud Enabled Control(s):
• Computing services running in isolated domains as defined in service catalogs
• Default encryption of data in motion & at rest
• Virtualized storage providing better inventory, control, tracking of master data
Benefit:
• Improved accountability, reduced risk of data leakage / loss
• Reduced attack surface and threat window
• Less likelihood that an attack would propagate

Process & Application
Cloud Enabled Control(s):
• Autonomous security policies and procedures
• Personnel and tools with specialized knowledge of the cloud ecosystem
• SLA-backed availability and confidentiality
Benefit:
• Improved protection of assets and increased accountability of business and IT users

Network, Server and Endpoint
Cloud Enabled Control(s):
• Automated provisioning and reclamation of hardened runtime images
• Dynamic allocation of pooled resources to mission-oriented ensembles
Benefit:
• Reduced attack surface
• Improved forensics with ensemble snapshots

Physical infrastructure
Cloud Enabled Control(s):
• Closer coupling of systems to manage physical and logical identity / access
Benefit:
• Improved ability to enforce access policy and manage compliance

9/15/2009



Assessing the Security Risks of Cloud Computing


Key Findings
• The most practical way to evaluate the risks associated with using a service in the cloud is to get a third party to do it.
• Cloud-computing IT risks in areas such as data segregation, data privacy, privileged user access, service provider viability, availability and recovery should be assessed like any other externally provided service.
• Location independence and the possibility of service provider "subcontracting" result in IT risks, legal issues and compliance issues that are unique to cloud computing.
• If your business managers are making unauthorized use of external computing services, then they are circumventing corporate security policies and creating unrecognized and unmanaged information-related risks.

• Organizations that have IT risk assessment capabilities and controls for externally sourced services should apply them to the appropriate aspects of cloud computing.
• Legal, regulatory and audit issues associated with location independence and service subcontracting should be assessed before cloud-based services are used.
• Demand transparency from CSP. Don't contract for IT services with a vendor that refuses to provide detailed information on its security and continuity management programs.
• Develop a strategy for the controlled and secure use of alternative delivery mechanisms, so that business managers know when they are appropriate to use and have a recognized approval process to follow.

What to Evaluate
• Privileged User Access
  – Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access

  – Cloud computing provider should be willing to submit to external audits and security certifications

• Data Location
  – Need to meet national privacy regulations
  – Is the provider willing to give a contractual commitment to obey the law on your behalf?

• Data Segregation
  – Ask for evidence that the encryption implementation was designed and tested by experienced specialists
  – Encryption accidents can make data totally unusable, and even normal encryption can complicate availability
  – Who has access to the decryption keys?


What to Evaluate (Cont.)
• Availability
  – Do cloud-based offerings provide service-level commitments?

• Recovery
  – How will cloud offerings recover from a total disaster?
  – The provider may not tell you where data is stored, but does it have the ability to do a complete restoration, and how long will it take?

• Investigative Support
  – Cloud services are especially difficult to investigate
  – Contractual commitment to support specific forms of investigation, Electronic Discovery

• Viability
  – Long-term viability of any external service provider

• Support in Reducing Risk
  – CSPs should inform customers how to use their product safely and reliably

How to Assess
• Evaluate the service provider in person.
• Use a neutral third party to perform a security assessment
• Accept whatever assurances the service provider offers

Ultimately, your ability to assess the risk of using a particular service provider comes down to its degree of transparency

Security as a Service


Security Offerings
• Email Filtering (backup, archival, eDiscovery, Encryption)
• Web Content Filtering (Including outbound sensitive information)
• Identity-as-a-Service (IDaaS)


Thank You

