David Cass discusses the role of security and how best practices can be used to accelerate cloud adoption and success. Learn more by visiting our Bluemix Hybrid page: http://ibm.co/1PKN23h Speaker: David Cass (Vice President, Cloud and SaaS CISO)

1. © IBM Corporation1
Presented by:
Securing the Future
David A. Cass
VP & CISO, Cloud & SaaS

2. © IBM Corporation2
text
Agenda
– Threat landscape
– Evaluating the risk of cloud services
– Best practices
• Service Development
• Secure Engineering Framework
• Security policies
– Service Delivery
• Data Protection
• 3rd party accreditations, contractual obligations
– Service Consumption in a shared responsibility environment
– Wrap up

3. © IBM Corporation3
– IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
– Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a
purchasing decision.
– The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or
functionality. Information about potential future products may not be incorporated into any contract.
– The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a
controlled environment. The actual throughput or performance that any user will experience will vary
depending upon many factors, including considerations such as the amount of multiprogramming in the
user’s job stream, the I/O configuration, the storage configuration, and the workload processed.
Therefore, no assurance can be given that an individual user will achieve results similar to those stated
here.
Please Note:

4. © IBM Corporation4 4
Threat Landscape:
83% of CISOs say that the challenge posed by external threats has
increased in the last three years
Near Daily Leaks
of Sensitive Data
40% increase
in reported data
breaches and incidents
Relentless Use
of Multiple Methods
800,000,000+ records
were leaked, while the future
shows no sign of change
“Insane” Amounts of Records Breached
42% of CISOs
claim the risk from external threats increased
dramatically from prior years.

5. © IBM Corporation5
Security leaders are more accountable than ever before
Loss of market share
and reputation
Legal exposure
Business continuity
Audit failure
Fines and enforcement
impact
Financial loss
Impact to data and
systems,
(confidentiality, integrity
and /
or availability)
Violation of employee
privacy
Loss of
customer trust
Loss of brand reputation
CEO CFO / COO CIO CHRO / CDO CMO
Your board and CEO demand a strategy

6. © IBM Corporation6
Threat Landscape - Then
• Captive Workforce
• Desktops & Laptops
• Corporate Network with VPN for remote workers
• Corporate Owned Devices
Enterprises
• Rouge Individuals
• Motivated by the challenge
• Little or no financial gain
Attackers
• Noisy
• Server side/infrastructure vulnerabilities
• Noticeable
• Damaging & Costly but not complicated to remediate
Attacks

7. © IBM Corporation7
Threat Landscape - Now
• Highly Mobile Workforce
• Smartphones & Tablets
• Use of home Wi-Fi, free Wi-Fi, cellular connections
• Corporate Owned Devices
Enterprises
• Organized
• Well funded
• Highly skilled
• Organized Crime
• Financial/Political gain
Attackers
• Stealthy
• Applications, Databases, and Social Engineering
• Hard to detect
• Goal is data exfiltration
Attacks

8. © IBM Corporation8
Evaluating the risk of cloud services:
Identify Risk & Maturity Level Expectations By Tier - Example
Tiering Tier#
Application
Security
Network & Systems Data Security Secure OPS Security Strat & Org
Tier 1: Regulated Data (PHI, SOX,
SPII, PCI, etc.)
1 4 4 5 4 4
Tier 2: Confidential, Attorney
Client Privileged Data, Intellectual
Property and Personally
Identifiable (External)
2 3 4 4 4 4
Tier 3: Confidential, Attorney
Client Privileged Data, Intellectual
Property and Personally
Identifiable (Internal)
3 3 3 4 4 3
Tier 4: Public Data (No Distinction
between external & Internal)
4 3 4 3 3 3
Tier 5: Temporary Environment for
POC, Lab work or Testing (No Prod
or "Real" Data)
5 2 2 2 2 2
Maturity Level Expectation

9. © IBM Corporation9
Application Security Tiers
Requirement Level 1 Level 2 Level 3 Level 4 Level 5
Source Code Control Not using source control Source Code Control is in
place
Source Code control in
place with manual scanning
Source Code Control in place
with Automated security
scanning
Source Code Control in place
with Automated Security
scanning and remediation
results fed back into SDLC
and training efforts
SDLC No defined SDLC Documented, not always
followed
Documented and mostly
followed; Security
integration into SDLC
processes
Documented and 100%
Followed
Security Remediation feeding
back into SDLC
Team Security Awareness Not really Aware, No
dedicated security training
Aware of security
requirements, not trained
Entire team at Security
White Belt
Software Security Champions,
Team at Security Green Belt
Entire Team understands
security, team at Security
Black Belt level
Third Parties No single point of detail for
involved 3rd parties
At a minimum have an
inventory of all 3rd parties
50% of third parties have
undergone a 3rd party
security assessment
100% of third parties have
undergone a 3rd party security
assessment, Required to
validate (proof) following
appropriate security practices
Onsite verification of security
practices,
External Developers at Black
Belt
Production Releases No production release
process, releases done
whenever and however
Developers deploy
manually to Prod
Documented and
repeatable deployments,
most likely handed off to
someone else
Automated Releases Automated Releases with
automated change detection
and verification
Testing If it compiles and builds, its
good to go
Manual adhoc testing
performed by
Development team
Manual scheduled security
scanning
Automated security scanning,
QA in place, Documented
tests and captured testing
results
Automated Testing / Test
driven Development

10. © IBM Corporation10
Best Practices:
We see three sets of security capabilities to help enterprise clients …
Cloud Security Capabilities
Manage Access
Protect Data
Gain Visibility
Protect infrastructure,
applications, and data from
threats
Auditable intelligence on cloud
access, activity, cost and
compliance
Manage identities
and govern user access
IaaS: Securing infrastructure and workloads
SaaS: Secure usage of business applications
PaaS: Secure service composition and apps
Bluemix

11. © IBM Corporation11
… delivered via cloud-enabled technologies and managed services
IaaS: Securing infrastructure and workloads
SaaS: Secure usage of business applications
PaaS: Secure service composition and apps
Bluemix
Client Consumption
Models
Security SaaS
Virtual Appliances
ManagedSecurityServices
APIs
ProfessionalSecurityServices
Cloud Security Capabilities
Manage Access
Protect Data
Gain Visibility
Protect infrastructure,
applications, and data from
threats
Auditable intelligence on cloud
access, activity, cost and
compliance
Manage identities
and govern user access

12. © IBM Corporation12
Comprehensive portfolio across platform security capabilities and cloud
security products and services
SaaSPaaSIaaS
IBM Cloud Security
Optimize Security Operations
Manage
Access
Protect
Data
Gain
Visibility
IBM Cloud Security Portfolio

13. © IBM Corporation13
IBM Secure Engineering Portal
– www.ibm.com/security/secure-engineering
13

14. © IBM Corporation14
SaaS - Cloud Security
– 140+ SaaS Offerings.
– Executive (Macro) level chain of support
• CIO Office
• Cloud Operations
• CISO Cloud
– We know:
• Who has access to data?
• Where the data is accessed from?
– Security requirements addressed in deployment checklist before going to market.
14

15. © IBM Corporation15
SaaS Security
– Clients hand data and trust to IBM.
• IBM partners with the client.
– IBM delivers SaaS but assures we take care of individuals needs.
• Pen testing
• Separation of Duties
• Shared operating services – Malware / IPS / IDS
• Encryption
• Logging and Monitoring
– All offerings going through ISO 27001 certification.
– Leadership on new standards; ISO 20243 (supply chain risk)
– Standardization on SoftLayer platform with more Geo’s and local data centers than others to
support privacy requirements.
15

16. © IBM Corporation1616
Teams apply the Secure Engineering practices across the Lifecycle as
demonstrated by key project milestones.
Development Process
and Lifecycle
Development
Supply Chain Service Deployment
COTS Deployment
Lifecycle
Catalog & Scan
Components
Create Assurance Plan based
on Risks &Threats
Protect & Monitor
Source Code
Complete Assurance Tasks,
Security Scans & Remediation
Security Compliance Review
before initial Service
Activation
Security defenses
operational with periodic
rescan
Review Completed Projects and
gain approval for Release
Scan Software Images for
Viruses and Malware
A
B
C D
E
F
G
H

17. © IBM Corporation17
Service Delivery – How IBM Protects Client Data
– Governance focused on continuous assessment & enhancement
– Shared services for vulnerability scanning, intrusion detection, penetration testing, log storage, X-
Force threat intel, and more …
– Architectural separation of data stores, key storage, logs, etc
– Encryption
– Over 2000 pages of authoritative internal security policies. Not suitable for external consumption,
as it could help attackers!
– External collateral:
• www.ibm.com/saas/security for the IBM SaaS Trust web site
• www.ibm.com/privacy for privacy practices
• Core Security Practices Document (NDA, controlled copy)
• Offering specific security practices documents (acquisitions)
17
Physical / Logical / Organizational / Engineering controls

18. © IBM Corporation18
Compliance regimes
18
Offerings  Regimes  Industries  Clients  Countries
+
CJIS
FFIEC
SSAE16
O-TTPS /
ISO 20243
EU Safe Harbor
….

19. © IBM Corporation19
Service Consumption – How Clients Protect Data
19
– Classify data correctly
– Configure service correctly
– Train workforce sufficiently
– Leverage controls as intended to restrict data access
– Verify cloud service provider’s audit posture
– Review log analytics and related usage attributes

20. © IBM Corporation20
IBM Cloud Trust web site - for more information
– www.ibm.com/saas/security
20

21. © IBM Corporation21
Wrap Up
21
– Understand your risk tolerance
– Review what best practices are in use
– Understand steps clients need to take in a shared responsibility environment
– IBM is a cyber-security & data protection thought & practice leader
– IBM is exposing practices only to an extent that won’t aid hackers
– IBM is pursuing accreditations selectively to control your cost

22. © IBM Corporation22
Questions?
David Cass
CISO, IBM Cloud & SaaS Operations
E-mail: dcass@us.ibm.com
Twitter: @dcass001
Linkedin: www.linkedin.com/in/dcass001/

23. © IBM Corporation23© IBM Corporation23
Accelerating Digital Business