Cloud Computing Reference Architecture (CCRA 4.0) Security Update
© 2014 IBM Corporation
Table of Contents
• Cloud Security – IBM Point of View
• Cloud Security Solution Details
  – Cloud Enabled Data Center (IaaS)
  – Platform as a Service (PaaS)
  – IBM Bluemix (PaaS)
  – Software as a Service (SaaS)
• Other Key Updates – CCRA 4.0
• References
Cloud Security – IBM Point of View
Four key messages:
1. Customers are faced with the challenge of balancing innovation and risk
2. Cloud creates opportunities for enhanced security
3. Cloud security is a shared responsibility between customers and Cloud providers
4. IBM Cloud platforms and the IBM Security portfolio help enterprise customers adopt Cloud with confidence
Clients’ security objectives reflect their responsibilities when adopting Cloud
Services Acquired | Organization / Buyers | Security Responsibilities and Objectives
Software as a Service (SaaS) | CxOs (CIO, CMO, CHRO, ...) | Complete visibility to enterprise SaaS usage and risk profiling; Governance of user access to SaaS and identity federation
Platform as a Service (PaaS) | Application teams, LOBs | Enable developers to compose secure cloud applications and APIs, with enhanced user experience; Visibility and protection against fraud and application threats
Infrastructure as a Service (IaaS) | CIO, IT teams | Protect the cloud infrastructure to securely deploy workloads and meet compliance objectives; Have full operational visibility across hybrid cloud deployments, and govern usage
Traditional perimeter-based security controls …
Diagram: Trusted Intranet (Employee Application) / DMZ (Online Banking Application) / Untrusted Internet
… are changing to security centered around applications and data
Diagram: Trusted Intranet (Employee Application) / DMZ (Online Banking Application, Investment API Services) / Untrusted Internet, where the enterprise now:
• Consumes Apps and Services (SaaS)
• Builds and Delivers Apps, APIs and Services (PaaS)
• Leverages Public Clouds (IaaS)
We see three sets of security capabilities to help enterprise clients…
Cloud Security Capabilities:
• Identity – Manage identities and govern user access
• Protection – Protect infrastructure, applications, and data from threats
• Insight – Auditable intelligence on cloud access, activity, cost and compliance
Applied across the cloud platforms:
• SaaS: Secure usage of business applications
• PaaS (Bluemix): Secure service composition and apps
• IaaS: Securing infrastructure and workloads
… delivered via cloud-enabled technologies and managed services
Client Consumption Models (Design, Deploy, Consume):
• Security SaaS
• APIs
• Virtual Appliances
• Managed Security Services
• Professional Security Services
Consume
Deploy
Design
Using the IBM Security Framework, we articulate the way we address security in the Cloud in terms of Foundational Controls
IBM Cloud Security Reference Model:
• Cloud Governance – Cloud-specific security governance including directory synchronization and geo-locational support
• Security Governance, Risk Management & Compliance – Security governance including maintaining security policy and audit and compliance measures
• Problem & Information Security Incident Management – Management of and response to expected and unexpected events
• Identity and Access Management – Strong focus on authentication of users and management of identity
• Discover, Categorize, Protect Data & Information Assets – Strong focus on protection of data at rest or in transit
• Information Systems Acquisition, Development, and Maintenance – Management of application and virtual machine deployment
• Secure Infrastructure Against Threats and Vulnerabilities – Management of vulnerabilities and their associated mitigations, with a strong focus on network and endpoint protection
• Physical and Personnel Security – Protection for physical assets and locations including networks and data centers, as well as employee security
Each Cloud Adoption Pattern has its own set of security requirements; CCRA provides prescriptive guidance for each pattern
• Cloud Enabled Data Center – Integrated service management, automation, provisioning, self service
• Big Data / Analytics – Big Data / Analytics workload on cloud
• Cloud Platform Services – Pre-built, pre-integrated IT infrastructures tuned to application-specific needs
• Mobile – Social / Mobile workloads on Cloud
• Cloud Service Provider – Advanced platform for creating, managing, and monetizing cloud services
• G Cloud – Federal/Government Workloads on Cloud
• Business Solutions on Cloud – Capabilities provided to consumers for using a provider’s applications
Cloud Security Solutions – Cloud Enabled Data Center (IaaS)
CeDC Use cases by macro-patterns
(see appendix for UML use-case model)
1. Simple IaaS Services
  • Cloud resources Management
  • Authentication, Roles, Tenant Management
  • VMs provisioning & On-boarding
  • VMs patterns provisioning
  • VM Images construction and management
  • Usage metering, accounting & chargeback
2. Managed IaaS
  • Cloud infrastructure & services Monitoring
  • Capacity Mgmt & Planning
  • Events Mgmt
  • Patch Management
3. Advanced IaaS Services
  • Storage Provisioning & Configuration Management
  • Network Provisioning & Configuration Management
  • Services Orchestration
  • Hybrid Clouds Integration
  • Advanced Security (Threat & vulnerability, identity & access, Security info and events mgmt)
  • Backup & Restore
  • Endpoint Compliance & Security Management
4. ITIL Process integrated IaaS
  • Problem & Incident Management
  • IT Asset Management
  • License Management
  • Change & Configuration Management
  • SLA Mgmt
  • Service Desk
  • Release Management
Different CeDC implementation models (CCRA 4.0)
A CeDC can be implemented by using one of the following three models:
• On-premise-hybrid
• Off-premise-hybrid
• Full off-premise
Model Type | Manage-from | Manage-to
On-premise-hybrid | On-premise | On-premise and/or on SoftLayer/CMS
Off-premise-hybrid | SoftLayer/CMS | SoftLayer/CMS and/or On-premise
Full off-premise | SoftLayer/CMS | SoftLayer/CMS
Each model above is represented by a slightly different Architecture Overview Diagram (AOD) in this CeDC architecture.
Security “in” (inherent in) and “on” (accessible from) IaaS provider
Accessible “on” an IaaS Cloud Provider – Bring your own security:
• Identity: Privileged admin management; Access management of web workloads
• Protection: Network protection ‒ Firewalls, IPS, proxy; Host security, vulnerability scanning; Encryption and key management
• Insight: Monitoring customer hybrid infrastructure and workloads; Log, audit, and compliance reporting; Vulnerability management
Inherent “in” an IaaS Cloud Provider – Security provided in SoftLayer:
• Identity: Admin user management; Role and entitlement management; Federation of admin users from enterprises
• Protection: Isolation of VMs, and dedicated instances; Network firewalls, VPNs; DoS protection; Encryption of data at rest and secure key store
• Insight: Security monitoring of cloud infrastructure; Platform intelligence; API access to cloud service logs
SoftLayer provides a security-rich environment for deploying and running customer workloads
Achieved through a combination of:
• Certified physical and logical security of the SoftLayer data centers
• Architecture and operational responsibilities in the SoftLayer offerings
• Additional security capabilities delivered via partners
Ease of use when enabling SoftLayer security features makes applying security simple.
SoftLayer’s approach to delivering cloud services adds security regardless of the offering chosen
• SoftLayer’s data center operations reduce the risk of a targeted attack from a malicious insider
• Highly automated provisioning for physical and logical resources reduces the risk of security issues via human error
  – Consistency ensured for instances across all SoftLayer data centers
• Value-add security features can be added via the standard, stable SoftLayer API
  – Includes vulnerability scanning, anti-virus, firewall, VLAN and VPN
  – Ease of use of these capabilities increases the likelihood of them being used
• Fine-grained control of user entitlements is managed through the Portal
Granular identity and access management allows a customer a high degree of control
• SoftLayer enforces a strict password policy for authenticating users
  – Also supports multi-factor authentication
  – Authentication logs are available
• Login policy can be configured to align with an enterprise’s on-premise policy
• User entitlements can be individually set for each user
  – Examples: Create/view tickets; Create/manage/cancel bare metal and virtual servers; Configure network security
Add-on security services that can be used by the customer as part of securing their environment
• Vulnerability scanning *
• Anti-virus and anti-spyware protection
• Host based intrusion protection *
• Firewall and network based threat protection (IPS, DDoS)
• Virtual private networking (IPsec, SSL, PPTP) *
• Two factor authentication to the Customer Portal
For more information on SoftLayer specific services, see: http://www.softlayer.com/services/security
* Available on SoftLayer or CMS
Hosting Sensitive workloads in Cloud environments
The definition of workload sensitivity will be determined by a customer’s:
• Risk management framework
• Compliance obligations
Typical examples of sensitive workloads include:
• Sensitive personal information of employees, partners and clients
• Company confidential intellectual property, business plans and financial information
• Data regulated by industry (e.g. PCI-DSS) or government (e.g. HIPAA-HITECH)
When data or processing is moved to a cloud, the consumer retains the ultimate responsibility for compliance with data-related laws and regulations.
Nonconformance with regulations can result in legal ramifications for both the customer and the provider, depending on the regulation.
Cloud compliance is a shared responsibility
The key to regulatory compliance in a cloud environment is in defining how control is shared between the cloud consumer and the CSP.
• It is the degree to which virtual components, applications and software are managed by the different roles that defines how responsibility for regulatory compliance is divided between the cloud consumer and the CSP.
It is imperative that consumers and CSPs clearly understand where the boundaries are in their particular relationship rather than assuming that any particular responsibility model applies to them. Collaboration between providers and consumers can help ensure that clouds meet specific security conformance and regulatory requirements.
• Clear policies and procedures should be agreed upon between consumers and CSPs for all security requirements, and clear responsibilities for operation, management and reporting need to be defined for each regulatory requirement.
The allocation of responsibility between consumers and the CSP for managing security controls does not exempt a consumer from the responsibility of ensuring their data is properly secured in support of any regulation.
Hosting Sensitive workloads in IBM Cloud environments
• Sensitive workloads can be hosted on SoftLayer’s bare metal or private dedicated cloud offerings
• CMS will soon support PCI and HIPAA workloads in the shared cloud environment
  – Provided via bundled managed services which provide compliance up through the O/S on managed VMs
Authenticating users and managing their access “on” SoftLayer using IBM Security Access Manager
• Customers move workloads from the datacenter to SoftLayer. They want to:
  – Authenticate users & provide SSO
  – Control access to web apps
• Customers adopt SoftLayer and want to manage administrative access to SoftLayer:
  – Demonstrate compliance of administrative access
  – Privileged user management
Diagram: Enterprise App Users → User Access → Customer Application (Servers, VMs, Networks, ..); Enterprise Cloud Admins manage the SoftLayer resources
Providing full visibility to hybrid cloud environments using IBM Security QRadar
• Visibility across hybrid cloud deployments using QRadar
• Out of the box integration with logs and event collection
• Compliance and vulnerability management
• Unified visibility across cloud and CPE
• IBM Virtual SOC & Managed SIEM Services
Diagram: IBM Virtual SOC – Monitoring, Intelligence
Cloud Security Solutions – IBM BlueMix (PaaS)
IBM Cloud Capabilities – PaaS Adoption pattern
Tiers: Simple Platform as a Service → Managed Platform as a Service → Advanced Platform as a Service → Process Optimized Platform as a Service
Capabilities across the tiers:
• Provisioning & automation services
• Middleware pattern deployment
• Application metering
• Identity management & security
• Application monitoring
• Mobile Management
• Data caching services
• Auto scaling
• Application on-boarding
• Continuous delivery
• License Management
• Application performance monitoring
• Workload automation & scheduling
• Cloud bursting
• Application development
• Application testing
• Application lifecycle Management
• Application governance
Security “in” (inherent in) and “on” (accessible from) PaaS provider
Accessible from a PaaS Cloud Provider ‒ Design your own security:
• Identity: APIs for authentication/SSO of end users, for services/apps; APIs to perform context aware access
• Protection: Security testing of App, service and APIs; Key management APIs; Application security and real time monitoring; Application vulnerability management; Data protection and compliance; APIs for fraud detection; IP reputation/threat intelligence APIs
• Insight: APIs for customer app log and audit; Customer specific log and audit trail APIs
Inherent “in” a PaaS Cloud Provider ‒ Security is “baked in” platform:
• Identity: Developers registration and SSO; Group management; Entitlements to apps, services; Federation of developers/platform users
• Protection: Application container; Fabric and services isolation and protection
• Insight: Active security monitoring of provider (not individual customer services)
Identity Service (IDaaS) on Bluemix: Simplified Security for App Developers – Safeguarding Mobile, Cloud, and Social interactions
• Easy-to-use service allows developers to add access security for web and mobile applications
• Policy-based authentication service (Cloud SSO Service) provides easy-to-use SSO capability
• Lightweight identity proofing adds identity assurance for IBM ID
• Flexible SSO options based on industry standards such as OpenID and OAuth
• Identity sources: IBM ID (ibm.com), Social Logins (Google, Facebook, LinkedIn, ..), Enterprise LDAP (future)
IBM Security Systems – AppScan services soon available through Bluemix
AppScan Mobile Analyzer – Ability to upload Android APKs to the cloud for an IAST (interactive application security scan)
• Service available through Bluemix catalog
• Upload an APK and receive a security PDF report
• Public APIs to integrate with 3rd party
• Environment deployed on SoftLayer
AppScan DAST on Bluemix – Run a DAST scan on a web application deployed on Bluemix
• Service available through Bluemix catalog
• Almost zero configuration (User Name/Password)
• Public APIs to integrate with 3rd party
• Environment deployed on SoftLayer
Cloud Security Solutions – Software as a Service (SaaS)
Business Solutions on Cloud - Security Management System Context
Secure user access to Cloud services
Use case: Enterprise expansion, securing public cloud access
Business Challenge: Extend on-premise IAM infrastructure to cloud apps
• Secure employee access to SaaS applications (IBM, Google Apps, SalesForce)
• Manage identity and federated SSO for internal / traditional applications and new external SaaS ones
• Provision / de-provision users in SaaS partner’s registry
Solution: Common identity management solution for user provisioning and password management
– Role-based provisioning and de-provisioning
– User- and manager-initiated entitlement requests
– BU administrators manage their users’ rights
Federate access in context, based on web launch points; federated SSO access based on role
Diagram: IBM Security Federated Identity Manager provides Identity Federation and Access for Employees, External users and Privileged cloud users to Enterprise Apps and Services and to SaaS and Cloud Providers
Available Today – Security capabilities delivered as Cloud service
• Fraud Prevention – Delivered as a cloud service protecting millions of endpoints for the world’s top financial institutions
• Mobile Security – Delivered as a cloud service managing millions of mobile devices for thousands of global customers
• Web Protection – Delivered as a service in the cloud, providing Distributed Denial of Service (DDoS) protection for enterprise customers
IBM Cloud Security CCRA 4.0 – Other Updates
Other Key Updates – Cloud Security Solution Details:
• Cloud Service Provider (CSP)
• SmartCloud Enterprise+ (SCE+) Security
• SAP on SmartCloud Enterprise+
• Oracle Applications on SmartCloud Enterprise+
• Approaches and Solution for Encryption of Data on Cloud
• Adoption of Cloud for IBM Workloads
• Cloud Regulatory Compliance Programs
• Cloud Security Standards
• OpenStack Security
Please refer to the specific pattern documentation / detailed version for prescriptive guidance.
IBM Cloud Security Software & Services Portfolio
IBM Security
IBM Security offers a comprehensive product portfolio
• Security Intelligence and Analytics: QRadar Log Manager, QRadar SIEM, QRadar Risk Manager, QRadar Vulnerability Manager, QRadar Incident Forensics
• Advanced Fraud Protection: Trusteer Rapport, Trusteer Pinpoint Malware Detection, Trusteer Pinpoint ATO Detection, Trusteer Mobile Risk Engine
• People: Identity Manager, Access Manager Family, Privileged Identity Manager, Federated Identity Management, Directory Integrator / Directory Server
• Data: Guardium Database Activity Monitoring, Guardium Encryption Expert, Key Lifecycle Manager, Guardium / Optim Data Masking
• Applications: AppScan Source, AppScan Enterprise / Standard, DataPower Web Security Gateway, Security Policy Manager
• Network: Network Intrusion Prevention (GX), Next Generation Network Protection (XGS), SiteProtector Threat Management, QRadar Network Anomaly Detection
• Infrastructure / Endpoint: Trusteer Apex, FiberLink MaaS360, Endpoint Manager, Host Protection zSecure
• IBM X-Force Research
Smart Business Security Services delivered FOR the Cloud:
Professional Services (consultative services)
• Cloud Security Strategy Roadmap – Understand how to leverage cloud capabilities while considering business needs and governance requirements
• Cloud Security Assessment – Helps cloud providers (public / private / hybrid) assess the security of a cloud against best practices and mandates. Assess or secure the cloud
• Penetration Testing – Validates the security of components of the cloud through active exploitation and system penetration
• Identity and Access Management – Assesses the authentication strategy of a cloud environment and provides a plan for optimizing the approach against established business goals
• Application Security Assessment – Assesses web-based cloud applications via automated scanning and manual source code review
Managed Services
• Managed Host, Network, SIEM Services – Helps provide protection from a broad selection of threats by actively mitigating cloud attacks. For cloud providers or enterprises
Smart Business Security Services delivered FROM the Cloud:
Managed Services (subscription service, cloud based)
• Security Event and Log Management – Offsite management of logs and events from intrusion protection services, firewalls and operating systems
• Vulnerability Management Service – Helps provide proactive discovery and remediation of vulnerabilities
• IBM X-Force® Threat Analysis Service – Customized security intelligence based on threat information from IBM X-Force® research and development
• Managed Web and Email Security – Helps protect against spam, worms, viruses, spyware, adware and offensive content
• Application Security Management – Supports improved web application security to help reduce data loss, financial loss and website downtime with advanced security testing, monitoring and management
• Mobile Device Security Management – Helps protect against malware and other threats while enabling mobile access
CCRA 4.0 Security – Prescriptive Guidance
• Cloud Enabled Data Center (IaaS) / SoftLayer Security (IaaS)
• Platform as a Service (PaaS)
• IBM Bluemix (PaaS)
• Software as a Service (SaaS)
• Cloud Service Provider (CSP)
• BigData on Cloud
• Mobile on Cloud
• G-Cloud
• SmartCloud Enterprise+ (SCE+) Security
• SmartCloud Application Services (SCAS) Security
• Encryption of Data at Rest
• Adoption of Cloud for IBM Workloads
• Cloud Regulatory Compliance Programs
Key Cloud Resources
IBM Research and Papers
• Special research concentration in cloud security, including white papers, Redbooks, Solution Brief – Cloud Security
IBM X-Force
• Proactive counter intelligence and public education: http://www-03.ibm.com/security/xforce/
IBM Institute for Advanced Security
• Cloud Security Zone and Blog (Link)
Customer Case Study
• EXA Corporation creates a secure and resilient private cloud (Link)
Collateral Sales Support:
• NEW IBM Cloud Security Strategy and Community connections page (Link)
• NEW Internal IBM SWG Sellers Workplace – Cloud Security Collateral (Link)
• SmartCloud Security Solutions Sales Kit (Link)
Other Links:
• IBM Media series – SEI Cloud Security (Link)
• External IBM.COM: IBM Security Solutions (Link)
• External IBM.COM: IBM SmartCloud – security (Link)
• IBM SmartCloud security video (Link)
• IBM Best Cloud Computing Security
IBM Security Systems Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.