2013 Beijing Regional Technical Exchange

Securing the Cloud

Jeff Crume, CISSP-ISSAP
IBM Distinguished Engineer
crume@us.ibm.com
Blog: InsideInternetSecurity.com

Driving the Innovation Agenda andIBMDelivering

the Distinctive Client Experience
Confidential
2012 IBM Corporation

IBM Security Systems

Security remains #1 inhibitor to broad scale cloud adoption

2012 Cloud Computing Key Trends and Future Effects IDG

2013 IBM Corporation

IBM Security Systems

Cloud environments present new challenges

2013 IBM Corporation

IBM Security Systems

Cloud computing tests the limits of security operations

and infrastructure

Security and Privacy Domains

People and Identity
Data and Information
Application and Process
Network, Server and Endpoint
Physical Infrastructure
Governance, Risk and Compliance

To cloud
Self-Service
Highly Virtualized
Location Independence
Workload Automation
Rapid Elasticity
Standardization

Multiple Logins, Onboarding Issues

Multi-tenancy, Data Separation
External Facing, Quick Provisioning
Virtualization, Network Isolation
Provider Controlled, Lack of
Visibility
Audit Silos, Compliance Controls

In a cloud environment, access expands, responsibilities change, control

shifts, and the speed of provisioning resources and applications increases greatly affecting all aspects of IT security.

2013 IBM Corporation

IBM Security Systems

Key Cloud security concerns

1.

Manage the registration and control the access of

thousands or even millions of Cloud users in a costeffective way

2.

Ensure the safety and privacy of critical enterprise

data in Cloud environments without disrupting
operations

3.

Provide secure access to applications in the Cloud

4.

Manage patch requirements for virtualized systems

5.

Provide protection against network threat and

vulnerabilities in the Cloud

6.

Protect virtual machines

7.

Achieve visibility and transparency in Cloud

environments to find advanced threats and meet
regulatory and compliance requirements
2013 IBM Corporation

IBM Security Systems

IBM Security: Delivering intelligence, integration and expertise

across a comprehensive framework

IBM Security Systems

IBM Security Framework
built on the foundation of
COBIT and ISO standards
End-to-end coverage of the
security domains
Managed and Professional
Services to help clients
secure the enterprise

2013 IBM Corporation

IBM Security Systems

SmartCloud Security Capabilities

SmartCloud Security

SmartCloud Security

SmartCloud Security

Identity Protection

Data and Application Protection

Threat Protection

Administer, secure, and extend

identity and access to and from
the cloud

Secure enterprise databases

Build, test and maintain secure
cloud applications

Prevent advanced threats with

layered protection and analytics

IBM Security Identity Manager

IBM Security Access Manager
IBM Security Federated
Identity Manager - Business
Gateway
IBM Security Privileged
Identity Manager
2013 IBM Corporation

1 Identity

IBM Security Systems

Cost-effective user registration and access control of Cloud users

Vulnerability
Mgt.Log
Service
Security
Event and
Mgt.

Requirement
Full life-cycle identity
management (cradle-tograve) for cloud-based
users
Access, authorization
control, and fraud
prevention for
applications and data in
the cloud
Ability to track and log
user activities, report
violations, and prove
compliance

Capability
Federated single sign-on to multiple web-based and cloud applications
with a single ID and password for employees, customers, BPs, vendors
User self-service for identity creation and password reset
Securely provision, manage, automate and track privileged access to
critical enterprise resources
Automated management and risk-based enforcement of access control
policies across every application, data source, operating system and
even company boundaries
Role-based identity and access management aligns users roles to
their access capabilities, simplifies management and compliance
Security incident and event management for compliance reporting and
auditing of users and their activitiesin both cloud and traditional
environments
The ability to monitor, control, and report on privileged identities (e.g.,
systems and database administrators) for cloud-based administrators

Addressing compliance requirements, reducing operational costs,

enhancing security posture and developing operational efficiencies
2013 IBM Corporation

IBM Security Systems

1 Identity

IBM Security Federated Identity Manager Made for clouds

Centralized user access management to
on and off-premise applications and
services
Provides secure authentication to business
partners and supports cloud scenarios
(B2B, B2C) reducing user administration and
operational overhead
Integrates with LotusLive, Google Apps,
Salesforce.com,

Enables Federated Single Sign-on and

Identity Mediation across different service
providers
Supports wide range of Federated Single Sign
On protocols

Out of the box integration with ISAM for

Web and WebSphere
Provides end-to-end identity propagation across
WebSphere Portal, DataPower and Federated
ESBs

2013 IBM Corporation

1 Identity

IBM Security Systems

Solving the Privileged Identity Management problem: Beyond

traditional approaches
Each administrator has a UserID
on every system

Administrators share
privileged UserIDs

Exponential increase in privileged

UserIDs

Risk of losing individual

accountability

Increased risk of mismanagement

of privileged UserIDs

Issues with password management

and security

Increased UserID administration

costs

Out of step with regulatory thinking

IBMs Privileged Identity Management solution combines the best

features of both approaches, without the disadvantages
2013 IBM Corporation

IBM Security Systems

1 Identity

Privileged Identity Management: Centralized management of

privileged and shared identities
Addressing insider threat with privileged users access management
Business challenge
Track and audit activities of privileged users (e.g. root,
financial app administrators) for effective governance

IBM Security
Privileged Identity Management

Key solution highlights

Control shared access to sensitive userids
Checkin / checkout using secure credential vault
Request, approve and re-validate privileged access
Reduce risk, enhance compliance

ID

Databases

Track usage of shared identities

Provide accountability
Automated password management
Automated checkout of IDs, hide password from requesting
employee, automate password reset to eliminate password
theft
IBM security solution
New Privileged Identity Management (PIM) solution
providing complete identity management and enterprise
single sign-on capabilities for privileged users
2013 IBM Corporation

1 Identity

IBM Security Systems

IBM Identity and Access Management Vision

Key Themes

Standardized IAM
and Compliance
Management
Expand IAM vertically to provide identity
and access intelligence to the business;
Integrate horizontally to enforce user
access to data, app, and infrastructure

Secure Cloud, Mobile,

Social Interaction

Insider Threat
and IAM Governance

Enhance context-based access control

for cloud, mobile and SaaS access, as
well as integration with proofing,
validation and authentication solutions

Continue to develop Privileged Identity

Management (PIM) capabilities and
enhanced Identity and Role management

2013 IBM Corporation

IBM Security Systems

SmartCloud Security Capabilities

SmartCloud Security

SmartCloud Security

SmartCloud Security

Identity Protection

Data and Application Protection

Threat Protection

Administer, secure, and extend

identity and access to and from
the cloud
IBM Security Identity Manager
IBM Security Access Manager
IBM Security Federated Identity
Manager - Business Gateway
IBM Security Privileged Identity
Manager

Secure enterprise databases

Build, test and maintain secure
cloud applications

Prevent advanced threats with

layered protection and analytics

IBM Endpoint Manager

(SmartCloud Patch)
IBM Security Network IPS
and Virtual IPS
IBM Virtual Server Protection
(VMware)
IBM QRadar SIEM

2013 IBM Corporation

6 Protect VMs

IBM Security Systems

Security Challenges with Virtualization: New Complexities

New complexities

Before Virtualization

After Virtualization

Dynamic relocation of VMs

Increased infrastructure
layers to manage and protect
Multiple operating systems
and applications per server
Elimination of physical
boundaries between systems
Manually tracking software
and configurations of VMs
Hyperviser is attack vector

1:1 ratio of OSs

and applications
per server

1:Many ratio of OSs and

applications per server
Additional layer to manage and
secure

2013 IBM Corporation

6 Protect VMs

IBM Security Systems

Example for Securing the Virtualized Runtime:

IBM Security Virtual Server Protection for VMware vSphere 4
VMsafe Integration

Firewall and Intrusion

Prevention

Rootkit Detection /
Prevention

Inter-VM Traffic Analysis

Automated Protection for

Mobile VMs (VMotion)

Virtual Network Segment

Protection

Virtual Network-Level
Protection

Virtual Infrastructure
Auditing (Privileged User)

Virtual Network Access

Control

There
Therehave
havebeen
been100
100vulnerabilities
vulnerabilitiesdisclosed
disclosedacross
acrossall
allof
of
VMwares
virtualization
products
since
1999.*
VMwares virtualization products since 1999.*
57%
57%of
ofthe
thevulnerabilities
vulnerabilitiesdiscovered
discoveredin
inVMware
VMwareproducts
productsare
are
remotely
accessible,
while
46%
are
high
risk
vulnerabilities.*
remotely accessible, while 46% are high risk vulnerabilities.*
2013 IBM Corporation

4 Patch Management

IBM Security Systems

Optimizing the patch cycle and help ensure the security of both
traditional and Cloud computing assets

+
Distributed Endpoints

Web
App
DB

Physical Servers

+
Virtual Servers

Customer Pain Points

Capability

Time required to patch all

enterprise physical , virtual,
distributed, and cloud assets
Lack of control over deployed and
dormant virtual systems OS patch
levels and related security
configurations

Automatically manage patches for multiple OSs and

applications across physical and virtual servers
Reduce security and compliance risk by slashing
remediation cycles from weeks to hours
Patch running / offline / dormant VMs
Continuously monitor and enforce endpoint
configuration
2013 IBM Corporation

7 Security Intelligence

IBM Security Systems

Security Intelligence: Integrating across IT silos

Security Devices
Servers & Hosts
Network & Virtual Activity

Event Correlation

Database Activity

Offense
Activity Baselining & Identification

Application Activity
Configuration Info
Vulnerability Info

Anomaly Detection

User Activity

Detecting threats
Consolidating data silos

Deep
Intelligence

Exceptionally Accurate and

Actionable Insight

Predicting risks against your business

Addressing regulatory mandates

Detecting insider fraud

2013 IBM Corporation

JK 2012-04-26

Extensive Data
Sources

High Priority Offenses

IBM Security Systems

SmartCloud Security Capabilities

SmartCloud Security

SmartCloud Security

SmartCloud Security

Identity Protection

Data and Application Protection

Threat Protection

Administer, secure, and extend

identity and access to and from
the cloud

Secure enterprise databases

IBM Security Identity Manager

IBM InfoSphere Guardium

IBM Security Access Manager

IBM Security AppScan

IBM Security Federated Identity

Manager - Business Gateway

IBM AppScan OnDemand

(hosted)

IBM Security Privileged Identity

Manager

Build, test and maintain secure

cloud applications

Prevent advanced threats with

layered protection and analytics

IBM Endpoint Manager

(SmartCloud Patch)
IBM Security Network IPS and
Virtual IPS
IBM Virtual Server Protection
(VMware)
IBM QRadar SIEM
2013 IBM Corporation

2 Data

IBM Security Systems

Four steps to data security in the Cloud

Understand, define
policy

Discover where sensitive data resides

Classify and define data types
Define policies and metrics

Secure and protect

Encrypt, redact and mask virtualized databases

De-identify confidential data in non-production
environments

Actively monitor and

audit

Monitor virtualized databases and enforce review of

policy exceptions
Automate and centralize the controls needed for
auditing and compliance (e.g., SOX, PCI)
Assess database vulnerabilities

Establish
compliance and
security intelligence

Automate reporting customized for different

regulations to demonstrate compliance in the Cloud
Integrate data activity monitoring with security
information and event management (SIEM)

2013 IBM Corporation

2 Data

IBM Security Systems

Data Security Vision

QRadar
Integration

Across Multiple
Deployment
Models

Key Themes

Reduced Total Cost

of Ownership

Enhanced Compliance
Management

Dynamic
Data Protection

Expanded support for databases and

unstructured data, automation, handling
and analysis of large volumes of audit
records, and new preventive
capabilities

Enhanced Database Vulnerability

Assessment (VA) and Database
Protection Subscription Service (DPS)
with improved update frequency, labels
for specific regulations, and product
integrations

Data masking capabilities for databases

(row level, role level) and for
applications (pattern based, form
based) to safeguard sensitive and
confidential data
2013 IBM Corporation

IBM Security Systems

3 Applications

Application security challenge: manage risk

76% of CEOs feel reducing security

flaws within business-critical
applications is the most important
aspect of their data protection
programs
79% of compromised records used
Web Apps as the attack pathway
81% of breached organizations
subject to PCI were found to be noncompliant

2013 IBM Corporation

3 Applications

IBM Security Systems

Application Security Vision

Key Themes

Coverage for Mobile

applications and new
threats
Continue to identify and reduce risk by
expanding scanning capabilities to new
platforms such as mobile, as well as
introducing next generation dynamic
analysis scanning and glass box testing

Simplified interface and

accelerated ROI

Security Intelligence
Integration

New capabilities to improve customer

time to value and consumability with
out-of-the-box scanning, static analysis
templates and ease of use features

Automatically adjust threat levels

based on knowledge of application
vulnerabilities by integrating and
analyzing scan results with
SiteProtector and the QRadar Security
Intelligence Platform
2013 IBM Corporation

IBM Security Systems

IBM Security Systems Cloud-ready security solutions span the

portfolio
QRadar Security Intelligence

Federating
identities for public
and hybrid cloud
environments

Security
Application
Scanning for
cloud based
applications

Virtual IPS for

VMware ESX /
ESXi hosts and
workloads

Virtual IPS for

virtual network
edge protection

Virtual IPS for

virtual network
edge protection

Virtual IPS for

virtual network
edge protection

Federated Identity
Manager
Business Gateway

AppScan Static /
Dynamic Analysis

Virtual Server
Protection

Network IPS
Virtual Applicance

Endpoint Manager /
SmartCloud Patch

Guardium database
monitoring and
protection
2013 IBM Corporation

IBM Security Systems

Key Cloud Resources

IBM Research and Papers

Special research concentration in cloud security, including

white Papers, Redbooks, Solution Brief Cloud Security

IBM X-Force

Proactive counter intelligence and public education

http://www.ibm.com/security/xforce/

IBM Institute for Advanced Security

Cloud Security Zone and Blog (Link)

Customer Case Study

EXA Corporation creates a secure and resilient private cloud

(Link)

Other Links:

IBM Media series SEI Cloud Security (Link)

External IBM.COM : IBM Security Solutions (Link)
External IBM.COM : IBM SmartCloud security (Link)
IBM SmartCloud security video (Link)

IBM Best Cloud

Computing
Security

2013 IBM Corporation

IBM Security Systems

Intelligent solutions provide the DNA to secure a Smarter Planet

Security
Intelligence,
Analytics &
GRC

People

Data

Applications

Infrastructure

2013 IBM Corporation

IBM Security Systems

Analysts recognize IBMs superior products and performance

Domain

Segment / Report

Analyst Recognition

Security Security Information & Event Management (SIEM)

Intelligence,
Analytics and
GRC Enterprise Governance Risk & Compliance Platforms

2012
2011

Identity & Access Governance

2012

User Provisioning / Administration

2012

People Role Management & Access Recertification

2010
2011

2012***
2011

Enterprise Single Sign-on (ESSO)

2011*

Web Access Management (WAM)

2012**

Database Auditing & Real-Time Protection

2010

2011

Data

Applications

Infrastructure

Data Masking

2013

Static Application Security Testing (SAST)

2010

Dynamic Application Security Testing (DAST)

2011

Network Intrusion Prevention Systems (NIPS)

2012

EndPoint Protection Platforms (EPP)

2013

2010

Leader
Leader

Visionary

Niche Player

Strong Performer

Leader (#1, 2, or 3 in segment)

Challenger
Contender

* Gartner MarketScope (discontinued in 2012)

** Gartner MarketScope
*** 2012 IDC MarketScape ranked IBM #1 in IAM

2010

V13-05

2013 IBM Corporation

IBM Security Systems

2012 Fall announcements for SmartCloud security

Besides the cost reduction, one major advantage is that we will be able to
offer cloud-based services for our customers with confidence.
Mr. Masaru Ito, Sales and Business Planning Leader
Cloud Services Division EXA Corporation
Optimize patch management for dynamic cloud
environments IBM SmartCloud for Patch
Management

Identity mediation across cloud service providers

IBM Security Access Manager for Cloud and Mobile*

Enable federated SSO and identity mediation across

different cloud service providers

Enable visibility and monitoring of mainframe-based

private clouds IBM Security zSecure

Integrate mainframe event data into QRadar for enhanced

monitoring

Extend security monitoring throughout the cloud

QRadar Security Intelligence Platform

Utilize cloud infrastructures to monitor activity across

geographically distributed locations, such as bank
branches and retail stores, for greater threat detection

Protect cloud platform from insider threats

IBM Security Privileged Identity Manager

Help prevent misuse of privileged identities to servers,

applications and databases
Control and track shared access to sensitive user IDs and
demonstrate compliance

Integrate Identity and Access Management with

cloud IBM Security Identity Manager

Reduce threat of attack and compliance risk by slashing

remediation cycles from weeks to hours
Help secure traditional and cloud environments and gain
complete visibility of all endpoints

Rapid IAM integration with cloud, SaaS and on-premise

services across heterogeneous environment
* Bundle in response to clients use and needs

2013 IBM Corporation

IBM Security Systems

Security as a Service: IBM Security Services from the Cloud

Security Event
and Log
Management

Offsite management
of security logs
and events

Application
Security
Management

Help reduce data

loss, financial loss
and website
downtime

Managed
Web and Email
Security

Help protect against

spam, worms, viruses,
spyware, adware and
offensive content

Security-as-a-Service (SaaS)
from IBM Managed Security Services
Security Intelligence People Data Apps Infrastructure
IBM X-Force
Threat Analysis
Service

Mobile Device
Security
Management

Help protect against

malware and other
threats while enabling
mobile access

Vulnerability
Management
Service

Help provide
proactive discovery
and remediation of
vulnerabilities

Customized security threat

intelligence based on
IBM X-Force
research and development

2013 IBM Corporation