Thought Leadership White Paper – Cloud Computing




Cloud Security
Who do you trust?
Nick Coleman, IBM Cloud Security Leader
Martin Borrett, IBM Lead Security Architect




Cloud Security – Who do you trust?

Cloud computing promises to change the way we use computing, with significant economic and efficiency benefits. The speed of adoption depends on how trust in the new cloud models can be established.

Trust needs to be achieved, especially when data is stored in new ways and in new locations, including for example different countries.

In this paper we will explain why trust, reliability and security decisions are central to choosing the right model. Consider for example:

•	How easy would it be to lose your service if a denial of service attack is launched within your cloud provider?
•	Will you suffer a data security breach when an administrator can access multiple stores of data within the virtualised environment they are controlling?
•	Could you lose your service when an investigation into data loss of another customer starts to affect your privacy and data?

This paper is provided to stimulate discussion by looking at three areas:

•	What is different about cloud?
•	What are the new security challenges cloud introduces?
•	What can be done and what should be considered further?

What is different about cloud?
Cloud computing moves us away from the traditional model, where organisations dedicate computing power to a particular business application, to a flexible model for computing where users access business applications and data in shared environments.

Cloud is a new consumption and delivery model; resources can be rapidly deployed and easily scaled (up and down), with processes, applications and services provisioned ‘on demand’. It can also enable a pay per usage model.

In these models the risk profile for data and security changes, and that change is an essential factor in deciding which cloud computing models are appropriate for an organisation.




[Figure: without cloud computing vs. with cloud computing. Without cloud, each workload (Workload A) has its own dedicated software, hardware, storage, networking and service management. With cloud, Workloads A, B and C share one pool of software, hardware, storage and networking under a single service management layer, giving automated service management, standardised services, location independence, rapid scalability and self-service.]




[Figure: today’s data centre vs. tomorrow’s cloud. In the cloud, virtual machines run on an abstraction layer (virtualisation/hypervisor), and the statements that hold in your own data centre become questions.]

Today’s Data Centre                  Tomorrow’s Cloud
•	We have control                    •	Who has control?
•	It’s located at X                  •	Where is it located?
•	It’s stored in servers Y, Z        •	Where is it stored?
•	We have backups in place           •	Who backs it up?
•	Our admins control access          •	Who has access?
•	Our uptime is sufficient           •	How resilient is it?
•	The auditors are happy             •	How do auditors observe?
•	Our security team is engaged       •	How does our security team engage?




What are the security challenges cloud introduces?
There are existing security challenges, experienced in other computing environments, and there are new elements which need to be considered. The challenges include:

•	Governance
•	Data
•	Architecture
•	Applications
•	Assurance

These five categories are described in the rest of this section in more detail so that the complexity of these issues can be better understood.

“2/3 of organisations identify security as their top concern when considering cloud.”
Source: Driving Profitable Growth Through Cloud Computing, IBM Study (conducted by Oliver Wyman), published Nov 2008.

Governance
Achieving and maintaining governance and compliance in cloud environments brings new challenges to many organisations. (This paper should not be seen as legal advice or guidance specific to any one organisation.) Things you might need to consider include:

Jurisdiction and regulatory requirements
•	Can data be accessed and stored at rest within regulatory constraints?
•	Are development, test and operational clouds managing data within the required jurisdictions, including backups?

Complying with export/import controls
•	When applying encryption software to data in the cloud, are such controls permitted in the country/jurisdiction concerned?
•	Can you legally operate with the security mechanisms being applied?

Compliance of the infrastructure
•	Are you buying into a cloud architecture, infrastructure or service which is not compliant?

Audit and reporting
•	Can you provide the required evidence and reports to show compliance with regulations such as PCI and SOX?
•	Can you satisfy legal requirements for information when operating in the cloud?




Data
Cloud places data in new and different places, not just the user data but also the application (source) code. Who has access, and what is left behind when you scale down a service? Other key issues include:

Data location and segregation
•	Where does the data reside? How do you know?
•	What happens when investigations require access to servers and possibly other people’s data?

Data footprints
•	How do you ensure that the data is where you need it when you need it, yet not left behind?
•	How is it deleted?
•	Can the application code be exposed in the cloud?

Backup and recovery
•	How can you retrieve data when you need it?
•	Can you ensure that the backup is maintained securely, in geographically separated locations?

Administration
•	How can you control the increased access administrators have when working in a virtualised model?
•	Can privileged access be appropriately controlled in cloud environments?

Architecture
Standardised infrastructure and applications, and increased commoditisation, create more opportunity to exploit a single vulnerability many times. Looking at the underlying architecture and infrastructure, some of the considerations include:

Protection
•	How do you protect against attack when you have a standard infrastructure and the same vulnerability exists in many places across that infrastructure?

Hypervisor vulnerabilities
•	How can you protect the hypervisor (a key component of cloud infrastructures), which interacts with and manages multiple environments in the cloud? The hypervisor is a potential target for gaining access to more systems and to hosted images.

Multi-tenant environments
•	How do you ensure that systems and applications are appropriately and sufficiently isolated, and protected against malicious server-to-server communication?

Security policies
•	How do you ensure that security policies are accurately and fully implemented across the cloud architectures you are using and buying into?

Identity management
•	How do you control passwords and access tokens in the cloud?
•	How do you federate identity in the cloud?
•	How can you prevent userids/passwords being passed around and exposed in the cloud unnecessarily, increasing risk?
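The Data footprints questions above ask how data is deleted and what is left behind when a service scales down. One established answer is crypto-shredding: encrypt each tenant's data under a key the tenant controls, and delete the key rather than trying to find and wipe every copy on provider storage (snapshots, backups, de-provisioned volumes). The Python below is an added example written for this edition, not code from the paper or from IBM. The tenant and file names are constructed, and the HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag is an assumption used so the example runs with the standard library only; a deployment would use an authenticated cipher such as AES-GCM and keep the key store outside the provider's control.

```python
"""Crypto-shredding: one data key per tenant, destroy the key to delete the
data wherever copies were left behind (added example; constructed tenants)."""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode. Assumption for this example only: a real
    # deployment would use an authenticated cipher such as AES-GCM.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class TenantKeyStore:
    """One data-encryption key per tenant. This is the asset that must stay
    under the customer's control, outside the provider's storage."""

    def __init__(self):
        self._keys = {}

    def has_key(self, tenant: str) -> bool:
        return tenant in self._keys

    def key_for(self, tenant: str) -> bytes:
        if tenant not in self._keys:
            self._keys[tenant] = secrets.token_bytes(32)
        return self._keys[tenant]

    def shred(self, tenant: str) -> None:
        # Deleting the key makes every copy of the ciphertext unreadable:
        # snapshots, backups and scaled-down volumes the customer cannot wipe.
        self._keys.pop(tenant, None)


class ProviderStorage:
    """Stands in for provider-side storage that keeps ciphertext around."""

    def __init__(self):
        self.blobs = {}  # (tenant, name) -> ciphertext

    def put(self, keys: TenantKeyStore, tenant: str, name: str, data: bytes) -> None:
        self.blobs[(tenant, name)] = encrypt(keys.key_for(tenant), data)

    def get(self, keys: TenantKeyStore, tenant: str, name: str) -> bytes:
        if not keys.has_key(tenant):  # never mint a fresh key on a read
            raise KeyError(f"no key for tenant {tenant!r}: data is shredded")
        return decrypt(keys.key_for(tenant), self.blobs[(tenant, name)])


def demo():
    """Store two tenants' files, shred one tenant's key, show what is left."""
    keys, store = TenantKeyStore(), ProviderStorage()
    store.put(keys, "acme", "customers.csv", b"alice,GB\nbob,IE\n")
    store.put(keys, "globex", "orders.csv", b"order-1,42.00\n")
    before = store.get(keys, "acme", "customers.csv")
    keys.shred("acme")
    leftover = store.blobs[("acme", "customers.csv")]  # still on provider disk
    try:
        store.get(keys, "acme", "customers.csv")
        readable = True
    except KeyError:
        readable = False
    other = store.get(keys, "globex", "orders.csv")
    return before, leftover, readable, other
```

demo() stores files for two tenants, shreds acme's key and shows that acme's ciphertext is still sitting on the provider's storage but can no longer be read, while globex is unaffected. The caveat a practitioner wants is in the key store: shredding only works if the key is destroyed everywhere it was ever copied, so the key store, not the data store, is what has to be kept out of the provider's hands and out of the provider's backups.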




[Figure: the five challenge areas. Governance: achieving compliance and management in the cloud. Data: information shared inside and outside the organisation. Architecture: new web architecture, infrastructure and threats. Applications: applications on the phone, the internet and in a virtualised cloud. Assurance: audit and monitoring in a virtualised/cloud environment. All five apply whether providing Software as a Service (SaaS), Infrastructure and hardware as a Service (IaaS) or Platform as a Service (PaaS), either individually or in different combinations.]
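The Identity management questions in the Architecture section above (controlling passwords and access tokens, federating identity, and not passing userids/passwords around the cloud) share one answer in practice: the user authenticates once at an identity provider, and every cloud service is handed a short-lived signed token to check instead of the credential. The Python below is an added example for this edition, not the paper's or IBM's code. The issuer name idp.example, the scope string storage:read, the five-minute lifetime and the users, tenants and store contents are constructed for the demonstration, and the HMAC-signed token stands in for the signed assertions a federation product issues.

```python
"""Short-lived signed access tokens instead of passing userid/password
between cloud services (added example; constructed users and keys)."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The one place that sees passwords. Holds salted PBKDF2 hashes and the
    token-signing key; issues tokens carrying tenant, scopes and expiry."""

    def __init__(self, signing_key: bytes, lifetime_s: int = 300):
        self._key = signing_key
        self._lifetime = lifetime_s
        self._users = {}  # userid -> (salt, pbkdf2 hash, tenant, scopes)

    def add_user(self, userid, password, tenant, scopes):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[userid] = (salt, digest, tenant, tuple(scopes))

    def login(self, userid, password, now=None):
        """Returns a signed token, or None if the credentials are wrong."""
        rec = self._users.get(userid)
        if rec is None:
            return None
        salt, digest, tenant, scopes = rec
        check = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(digest, check):
            return None
        now = int(time.time()) if now is None else now
        claims = {"iss": "idp.example", "sub": userid, "tenant": tenant,
                  "scope": list(scopes), "exp": now + self._lifetime}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return body + "." + sig


def verify_token(verify_key, token, required_scope, now=None):
    """Run inside each cloud service: checks signature, expiry and scope.
    The service trusts the issuer's key and never handles the password."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = hmac.new(verify_key, body.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    if required_scope not in claims.get("scope", []):
        return None
    return claims


def read_tenant_data(verify_key, token, store, now=None):
    """A storage service endpoint: the tenant is taken from the signed token,
    not from the request, so a token for one tenant cannot name another."""
    claims = verify_token(verify_key, token, "storage:read", now)
    if claims is None:
        return None
    return store.get(claims["tenant"])
```

Two design points carry the weight. The password is checked in exactly one place and only a token crosses the cloud, so the administrators and logs of every other service never see it. And the tenant and scope are inside the signed token, not request parameters, which is what stops a valid token for one tenant being replayed against another tenant's data; the short expiry limits the damage if a token does leak.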




Applications
There has been a significant increase in web application vulnerabilities, so much so that these vulnerabilities make up more than half of the disclosed vulnerabilities over the past 4 years.

“67% of all web application vulnerabilities had no patch in 2009.”
Source: IBM Security Solutions X-Force 2009 Trend and Risk Report, published Feb 2010.

Software vulnerabilities
•	How do you check and manage vulnerabilities in applications?
•	How do you secure applications in the cloud that are increasingly targeted because of their large user population?

Patch management
•	How do you secure applications where patches are not available?
•	How do you ensure images are patched and up to date when deployed in the cloud?

Application devices
•	How do you manage the new access devices using their own new application software?
•	How do you ensure they are not introducing a new set of vulnerabilities and ways to exploit your data?

Assurance
Challenges exist for testing and assuring the infrastructure, especially when there is no easy way to arrange data centre visits or penetration (pen) tests.

Operational oversight
•	When logs no longer cover just your own environment, do you need to retrieve and analyse audit logs from diverse systems potentially containing information from multiple customers?

Audit and assurance
•	What level of assurance do you need, and how many providers will you need to deal with?
•	Do you need to have an audit of every cloud service provider?

Investigating an incident
•	How much experience does your provider have of audit and investigation in a shared environment?
•	How much experience do they have of conducting investigations without impacting service or data confidentiality?

Experience of new cloud providers
•	What will the security of data be if the cloud provider is no longer in business?
•	Has business continuity been considered for this eventuality?
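The Operational oversight and Investigating an incident questions above come down to one practical problem: a host, hypervisor or shared service writes a single audit log covering many customers, and an investigation for one customer must not hand over the others' records. The Python below is an added example for this edition, not code from the paper or from IBM. It parses a constructed key=value host log (the format, host and tenant names and the ops-admin account are assumptions), keeps one tenant's events plus the host-wide events that affect them (patching, reboot), withholds other tenants' events but counts them, flags privileged administrator actions against the tenant's resources, and fixes a SHA-256 digest over the extract so the evidence handed over can later be shown to be what was extracted.

```python
"""Extracting one tenant's evidence from a shared host audit log
(added example; log format and names constructed)."""
import hashlib
from dataclasses import dataclass, field

# Constructed sample: one hypervisor host's audit log, shared by two tenants.
# The format (timestamp then key=value pairs) and the ops-admin account are
# assumptions for the example; "tenant=-" marks host-wide events.
SAMPLE_LOG = """\
2010-09-01T10:00:01Z host=hv-07 tenant=acme vm=vm-12 user=alice action=volume.attach vol=vol-9a
2010-09-01T10:00:04Z host=hv-07 tenant=globex vm=vm-31 user=bob action=snapshot.create vol=vol-4c
2010-09-01T10:00:09Z host=hv-07 tenant=- vm=- user=ops-admin action=hypervisor.patch pkg=xen-4.0.1
2010-09-01T10:00:12Z host=hv-07 tenant=acme vm=vm-12 user=ops-admin action=console.open target=vm-12
2010-09-01T10:00:20Z host=hv-07 tenant=globex vm=vm-31 user=ops-admin action=volume.export vol=vol-4c
2010-09-01T10:00:25Z host=hv-07 tenant=- vm=- user=ops-admin action=host.reboot reason=maintenance
"""

ADMIN_USERS = {"ops-admin"}  # provider-side privileged accounts (assumption)


def parse_line(line: str) -> dict:
    ts, _, rest = line.partition(" ")
    rec = {"ts": ts}
    rec.update(kv.split("=", 1) for kv in rest.split())
    return rec


def format_record(rec: dict) -> str:
    return " ".join([rec["ts"]] + [f"{k}={v}" for k, v in rec.items() if k != "ts"])


@dataclass
class Extract:
    tenant: str
    records: list = field(default_factory=list)
    withheld: int = 0   # other tenants' events on the same host, not handed over
    digest: str = ""    # SHA-256 over the extract, for chain of custody


def extract_for_tenant(log_text: str, tenant: str) -> Extract:
    """Keep the tenant's own events and host-wide events that affect them;
    withhold (but count) events belonging to other tenants."""
    ex = Extract(tenant)
    h = hashlib.sha256()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        owner = rec.get("tenant", "-")
        if owner not in (tenant, "-"):
            ex.withheld += 1
            continue
        ex.records.append(rec)
        h.update(format_record(rec).encode() + b"\n")
    ex.digest = h.hexdigest()
    return ex


def privileged_actions(ex: Extract) -> list:
    """Provider administrators acting directly on this tenant's resources:
    the events an investigation of 'who accessed my data' starts from."""
    return [r for r in ex.records
            if r.get("user") in ADMIN_USERS and r.get("tenant") == ex.tenant]
```

Only the provider can run something like this, because only the provider sees the whole log; that is why the paper's questions about a provider's investigation experience matter. The count of withheld events is deliberately reported: it tells the investigating customer that other activity happened on the same host during the window without disclosing whose, and the host-wide events (a hypervisor patch, a reboot) are kept because they bear on the tenant's own availability and integrity even though they name no tenant.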



[Figure: security from the cloud and security for the cloud. Cloud security services delivered from the cloud: identity management, application security, end point protection, security event and log management, and governance, risk management and compliance. Security for the cloud: application security and end point protection applied within the cloud environment itself.]

How can you start to build to a position of trust and risk management when setting up cloud computing for your organisation?




What can be done and what should be considered further?
Many of the risks identified can be managed through the application of appropriate security and governance measures.

Which risks you choose to address will differ depending on your business, your appetite for risk and how costly these measures are.

In many cases the complexity of securing cloud comes not just from the individual application but from how it integrates into the rest of the organisation.

Delivering security for the cloud
Working out where and how to apply security is core to delivering security for the cloud.

Security itself can be delivered from within the cloud. Elements such as event and log management, identity management, end point protection and application security are increasingly delivered as cloud security services. Security for the cloud will come down to what can be delivered in the cloud and what needs to supplement that delivery framework.

Getting started:

1. Define a cloud strategy with security in mind
   Identify the different workloads and how they need to interact. Which models are appropriate based on their security and trust requirements and the systems they need to interface to?

2. Identify the security measures needed
   Using a framework such as the one IBM uses, the IBM Security Framework and Blueprint, allows teams to capture the measures that are needed in areas such as governance, architecture, applications and assurance.

3. Enable security for the cloud
   The upfront set of assurance measures you will want to take: assessing that the applications, infrastructure and other elements meet your security requirements, as well as the operational security measures.

Cloud security can be delivered as part of the cloud service and also as specific components added in to enhance security. Depending on your cloud provider it may be that a combination of both of these approaches is necessary.

The fundamental principles of security and risk management still apply. The approach IBM is using is based on IBM’s Security Framework and Blueprint, which provides a comprehensive framework to address all aspects of security.




In summary
Cloud computing offers new possibilities and new challenges. These challenges range from governance through to securing applications and infrastructure. Fundamentally it is important to be able to assure the security of these new models in order to build trust and confidence.

The key to establishing trust in these new models is choosing the right cloud computing model for your organisation. Place the right workloads in the right model with the right security mechanisms.

•	For those planning to consume cloud services and looking for trust and assurance from the cloud provider, understanding the service level agreements and the approaches to security is key. Assessing that this can be delivered, including what assurances can be provided, will be important.

•	For those providing or building a cloud infrastructure, using a proven methodology and technologies that can deliver appropriate security is key.

This is not just a technical challenge but a challenge of governance and compliance; applications and infrastructure; and assurance. This paper is written to stimulate discussion of the challenges and of ways to start addressing them in securing cloud computing.

The Authors

Nick Coleman
IBM Cloud Security Leader
Email: coleman@uk.ibm.com
Twitter: twitter.com/teamsecurity

Martin Borrett
IBM Lead Security Architect
Email: borretm@uk.ibm.com
IBM United Kingdom Limited
PO Box 41
North Harbour
Portsmouth
Hampshire
PO6 3AU
United Kingdom

IBM Ireland Limited
Oldbrook House
24-32 Pembroke Road
Dublin 4
Ireland

IBM Ireland Limited registered in Ireland under company number 16226.



This publication is for general guidance only. Information is subject to
change without notice. Please contact your local IBM sales office or reseller
for latest information on IBM products and services.

IBM does not provide legal, accounting or audit advice or represent or
warrant that its products or services ensure compliance with laws. Clients
are responsible for compliance with applicable securities laws and
regulations, including national laws and regulations.


© Copyright IBM Corporation 2010
All Rights Reserved.




Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 

Empfohlen

Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Applitools
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at WorkGetSmarter
 
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...DevGAMM Conference
 
Barbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationBarbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationErica Santiago
 
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them wellGood Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them wellSaba Software
 
Introduction to C Programming Language
Introduction to C Programming LanguageIntroduction to C Programming Language
Introduction to C Programming LanguageSimplilearn
 
The Pixar Way: 37 Quotes on Developing and Maintaining a Creative Company (fr...
The Pixar Way: 37 Quotes on Developing and Maintaining a Creative Company (fr...The Pixar Way: 37 Quotes on Developing and Maintaining a Creative Company (fr...
The Pixar Way: 37 Quotes on Developing and Maintaining a Creative Company (fr...Palo Alto Software
 
9 Tips for a Work-free Vacation
9 Tips for a Work-free Vacation9 Tips for a Work-free Vacation
9 Tips for a Work-free VacationWeekdone.com
 

Empfohlen (20)

Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work
 
ChatGPT webinar slides
ChatGPT webinar slidesChatGPT webinar slides
ChatGPT webinar slides
 
More than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike RoutesMore than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike Routes
 
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
 
Barbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationBarbie - Brand Strategy Presentation
Barbie - Brand Strategy Presentation
 
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them wellGood Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
 
Introduction to C Programming Language
Introduction to C Programming LanguageIntroduction to C Programming Language
Introduction to C Programming Language
 
The Pixar Way: 37 Quotes on Developing and Maintaining a Creative Company (fr...
The Pixar Way: 37 Quotes on Developing and Maintaining a Creative Company (fr...The Pixar Way: 37 Quotes on Developing and Maintaining a Creative Company (fr...
The Pixar Way: 37 Quotes on Developing and Maintaining a Creative Company (fr...
 
9 Tips for a Work-free Vacation
9 Tips for a Work-free Vacation9 Tips for a Work-free Vacation
9 Tips for a Work-free Vacation
 

Ibm Cloud Security Who Do You Trust Lr

  • 1. Thought Leadership White Paper Cloud Computing Cloud Security Who do you trust? Nick Coleman, IBM Cloud Security Leader Martin Borrett, IBM Lead Security Architect
Cloud computing moves us away from the traditional model, where organisations dedicate computing power to a particular business application, to a flexible model for computing where users access business applications and data in shared environments.

Cloud is a new consumption and delivery model; resources can be rapidly deployed and easily scaled (up and down), with processes, applications and services provisioned ‘on demand’. It can also enable a pay-per-usage model.

In these models the risk profile for data and security changes, and that change is an essential factor in deciding which cloud computing models are appropriate for an organisation.

Further questions to consider:

•	Will you suffer a data security breach when an administrator can access multiple stores of data within the virtualised environment they are controlling?
•	Could you lose your service when an investigation into data loss of another customer starts to affect your privacy and data?
(Figure: Without cloud computing, each workload (A, B, C) has its own dedicated software, hardware, storage, networking and service management. With cloud computing, the workloads share a common pool of software, hardware, storage and networking under one layer of service management, giving automated service management, rapid scalability, standardised services, self-service and location independence.)
Today’s Data Centre                 Tomorrow’s Cloud
•	We have control                   •	Who has control?
•	It’s located at X                 •	Where is it located?
•	It’s stored in servers Y, Z       •	Where is it stored?
•	We have backups in place          •	Who backs it up?
•	Our admins control access         •	Who has access?
•	Our uptime is sufficient          •	How resilient is it?
•	The auditors are happy            •	How do auditors observe?
•	Our security team is engaged      •	How does our security team engage?

(Diagram: several virtual machines running above an abstraction layer (virtualisation/hypervisor).)

What are the security challenges cloud introduces?

There are existing security challenges, experienced in other computing environments, and there are new elements which are necessary to consider. The challenges include:

•	Governance
•	Data
•	Architecture
•	Applications
•	Assurance

These five categories are described in the rest of this section in more detail so that the complexity of these issues can be better understood.

“2/3 of organisations identify security as their top concern when considering cloud.” Source: Driving Profitable Growth Through Cloud Computing, IBM Study (conducted by Oliver Wyman), published Nov 2008.

Governance

Achieving and maintaining governance and compliance in cloud environments brings new challenges to many organisations. (This paper should not be seen as legal advice or guidance specific to any one organisation.) Things you might need to consider include:

Jurisdiction and regulatory requirements
•	Can data be accessed and stored at rest within regulatory constraints?
•	Are development, test and operational clouds managing data within the required jurisdictions, including backups?

Complying with export/import controls
•	If you apply encryption software to data in the cloud, are these controls permitted in the particular country/jurisdiction?
•	Can you legally operate with the security mechanisms being applied?

Compliance of the infrastructure
•	Are you buying into a cloud architecture/infrastructure/service which is not compliant?

Audit and reporting
•	Can you provide the required evidence and reports to show compliance with regulations such as PCI and SOX?
•	Can you satisfy legal requirements for information when operating in the cloud?
Data

Cloud places data in new and different places: not just the user data but also the application (source) code. Who has access, and what is left behind when you scale down a service? Other key issues include:

Data location and segregation
•	Where does the data reside? How do you know?
•	What happens when investigations require access to servers and possibly other people’s data?

Data footprints
•	How do you ensure that the data is where you need it when you need it, yet not left behind?
•	How is it deleted?
•	Can the application code be exposed in the cloud?

Backup and recovery
•	How can you retrieve data when you need it?
•	Can you ensure that the backup is maintained securely, in geographically separated locations?

Administration
•	How can you control the increased access administrators have working in a virtualised model?
•	Can privileged access be appropriately controlled in cloud environments?

Identity Management
•	How do you control passwords and access tokens in the cloud?
•	How do you federate identity in the cloud?
•	How can you prevent user IDs/passwords being passed and exposed in the cloud unnecessarily, increasing risk?

Architecture

Standardised infrastructure and applications, and increased commoditisation, give an attacker more opportunity to exploit a single vulnerability many times. Looking at the underlying architecture and infrastructure, some of the considerations include:

Protection
•	How do you protect against attack when you have a standard infrastructure and the same vulnerability exists in many places across that infrastructure?

Hypervisor vulnerabilities
•	How can you protect the hypervisor (a key component of cloud infrastructures), which interacts with and manages multiple environments in the cloud? The hypervisor is a potential target for gaining access to more systems and to the hosted images.

Multi-tenant environments
•	How do you ensure that systems and applications are appropriately and sufficiently isolated, and protected against malicious server-to-server communication?

Security policies
•	How do you ensure that security policies are accurately and fully implemented across the cloud architectures you are using and buying into?

(Figure: the five challenge areas. Governance: achieving compliance and management in the cloud. Data: information shared inside and outside the organisation. Architecture: new web architecture, infrastructure and threats. Applications: applications on the phone, on the internet and in a virtualised cloud. Assurance: audit and monitoring in a virtualised/cloud environment. Underpinning all five: providing Software as a Service (SaaS), Infrastructure and hardware as a Service (IaaS) and Platform as a Service (PaaS), either individually or in different combinations.)
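As an added illustration of the federation question above (it is not code from this paper or from IBM), the following Python shows the principle behind federated sign-on: the organisation’s identity provider authenticates the user locally and issues a signed, short-lived assertion, and the cloud service accepts that assertion instead of ever receiving a user ID and password. The token layout, the shared HMAC key, the user name and the service name are all constructed for the example; production deployments use SAML or OpenID Connect rather than a hand-rolled format.

```python
"""
Federated sign-on with a signed, short-lived assertion.

Added illustration for the identity management questions in the paper; not code
from the paper or from IBM. Token format, shared key, user and service names are
constructed for the example. Real deployments use SAML or OpenID Connect.
"""
import base64
import hashlib
import hmac
import json

# Key shared between the organisation's identity provider and the cloud service
# (constructed; in practice an asymmetric key pair avoids sharing a secret).
SHARED_KEY = b"example-idp-to-cloud-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_assertion(user_id, groups, audience, now, ttl=300, key=SHARED_KEY):
    """Identity provider side. The user has already been authenticated inside
    the organisation (not shown); only this signed assertion crosses into the
    cloud, never the password."""
    claims = {
        "sub": user_id,
        "groups": list(groups),
        "aud": audience,      # the one cloud service allowed to accept it
        "iat": now,
        "exp": now + ttl,     # short lifetime limits replay
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def cloud_verify_assertion(token, expected_audience, now, key=SHARED_KEY):
    """Cloud service side. Accept the assertion only if signature, audience
    and validity window all check out. Returns the claims, or None."""
    try:
        body, sig_text = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison: do not leak signature bytes via timing.
        if not hmac.compare_digest(expected, _unb64(sig_text)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if claims.get("aud") != expected_audience:
        return None
    if not (claims["iat"] <= now < claims["exp"]):
        return None
    return claims


def tamper(token, new_user):
    """Helper used only to show that a modified assertion is refused."""
    body, sig_text = token.split(".")
    claims = json.loads(_unb64(body))
    claims["sub"] = new_user
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{sig_text}"


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = idp_issue_assertion("alice", ["finance-admins"], "crm.cloud.example", t0)
    print(cloud_verify_assertion(tok, "crm.cloud.example", t0 + 60))   # accepted
    print(cloud_verify_assertion(tok, "hr.cloud.example", t0 + 60))    # wrong audience
    print(cloud_verify_assertion(tok, "crm.cloud.example", t0 + 600))  # expired
    print(cloud_verify_assertion(tamper(tok, "bob"), "crm.cloud.example", t0 + 60))  # tampered
```

The three checks on the receiving side (signature, audience, validity window) are what stop an assertion issued for one cloud service being replayed against another, or long after the user’s session has ended; the cloud service holds no user passwords at all, which is the point of the federation question.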
Applications

There has been a significant increase in web application vulnerabilities, so much so that these vulnerabilities make up more than half of the disclosed vulnerabilities over the past 4 years.

“67% of all web application vulnerabilities had no patch in 2009.” Source: IBM Security Solutions X-Force 2009 Trend and Risk Report, published Feb 2010.

Software vulnerabilities
•	How do you check and manage vulnerabilities in applications?
•	How do you secure applications in the cloud that are increasingly targeted because of the large user population?

Patch management
•	How do you secure applications where patches are not available?
•	How do you ensure images are patched and up to date when deployed in the cloud?

Application devices
•	How do you manage the new access devices, using their own new application software?
•	How do you ensure they are not introducing a new set of vulnerabilities and ways to exploit your data?

Assurance

Challenges exist for testing and assuring the infrastructure, especially when there is no easy way to arrange data centre visits or penetration (pen) tests.

Operational oversight
•	When logs no longer cover just your own environment, do you need to retrieve and analyse audit logs from diverse systems potentially containing information about multiple customers?

Audit and assurance
•	What level of assurance, and how many providers, will you need to deal with?
•	Do you need to have an audit of every cloud service provider?

Investigating an incident
•	How much experience does your provider have of audit and investigation in a shared environment?
•	How much experience do they have of conducting investigations without impacting service or data confidentiality?

Experience of new cloud providers
•	What will the security of data be if the cloud provider is no longer in business?
•	Has business continuity been considered for this eventuality?
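As an added illustration of the operational oversight and investigation questions above, and of the earlier concern about an administrator who can reach many customers’ data stores (not code from this paper or from IBM), the following Python triages a constructed JSON-lines audit log from a shared platform. It produces the extract a single customer may be given, containing only that tenant’s events so other customers’ information is not disclosed; lists provider-administrator actions on that tenant’s data that carry no change ticket; and, from the provider’s side, reports administrators whose access spanned several tenants within the window. The field names, tenants, actors and the notion of a change ticket are assumptions made for the example.

```python
"""
Multi-tenant audit log triage.

Added illustration for the assurance questions in the paper; not code from the
paper or from IBM. Log format, tenants, actors and events are constructed.
"""
import json
from collections import defaultdict

# Constructed audit events from a shared platform. "actor_type" is "customer"
# for a tenant's own users and "provider_admin" for the cloud operator's staff,
# who can reach many tenants' data stores.
SAMPLE_LOG = """
{"ts":"2010-09-01T08:00:12Z","actor":"alice","actor_type":"customer","tenant":"acme","action":"read","resource":"db/orders","ticket":null}
{"ts":"2010-09-01T08:05:40Z","actor":"ops-jsmith","actor_type":"provider_admin","tenant":"acme","action":"snapshot","resource":"db/orders","ticket":"CHG-4411"}
{"ts":"2010-09-01T08:06:02Z","actor":"ops-jsmith","actor_type":"provider_admin","tenant":"globex","action":"read","resource":"db/customers","ticket":null}
{"ts":"2010-09-01T08:07:55Z","actor":"ops-jsmith","actor_type":"provider_admin","tenant":"initech","action":"export","resource":"blob/backups","ticket":null}
{"ts":"2010-09-01T09:15:00Z","actor":"ops-mlee","actor_type":"provider_admin","tenant":"globex","action":"restore","resource":"db/customers","ticket":"CHG-4412"}
{"ts":"2010-09-01T09:20:31Z","actor":"bob","actor_type":"customer","tenant":"globex","action":"write","resource":"db/customers","ticket":null}
not-json garbage line of the kind a real pipeline also meets
"""


def parse_log(text):
    """Parse JSON-lines audit records, skipping malformed lines rather than
    letting one bad record abort the whole analysis."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def tenant_extract(events, tenant):
    """The log a single customer should receive: only events that touched its
    own tenant. Other tenants' events are dropped, not redacted, so nothing
    about them reaches the customer."""
    return [e for e in events if e.get("tenant") == tenant]


def unticketed_admin_access(events, tenant):
    """Provider-admin actions on this tenant's data with no change ticket:
    the evidence a customer needs in order to question its provider."""
    return [e for e in tenant_extract(events, tenant)
            if e.get("actor_type") == "provider_admin" and not e.get("ticket")]


def cross_tenant_admins(events, max_tenants=1):
    """Provider-side control: administrators whose actions reached more
    tenants than the threshold within the log window."""
    seen = defaultdict(set)
    for e in events:
        if e.get("actor_type") == "provider_admin":
            seen[e["actor"]].add(e["tenant"])
    return {actor: sorted(t) for actor, t in seen.items() if len(t) > max_tenants}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(len(tenant_extract(evs, "acme")), "events for acme")
    print(unticketed_admin_access(evs, "globex"))
    print(cross_tenant_admins(evs))
```

The per-tenant extract is what lets a provider hand over audit evidence for one customer’s investigation without disclosing a second customer’s activity; the cross-tenant report is the provider-side check that an administrator’s reach over many tenants is being used as the change tickets say it is.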
What can be done and what should be considered further?

Many of the risks identified can be managed through the application of appropriate security and governance measures. Which risks you choose to address will be different depending on your business, your appetite for risk and how costly these measures are.

In many cases the complexity of securing cloud comes not just from the individual application but from how it integrates into the rest of the organisation.

Delivering security for the cloud

Working out where and how to apply security is core to delivering security for the cloud.

Security itself can be delivered from within the cloud. Elements such as Event and Log Management, Identity Management, End Point Protection and Application Security are increasingly delivered as cloud security services. Security for the cloud will come down to what can be delivered in the cloud and what needs to supplement that delivery framework.

(Figure: “Security from the cloud”: Identity Management, Application Security, End Point Protection, Governance, Risk Management and Compliance, and Security Event and Log Management offered as Cloud Security Services. “Security for the cloud”: Application Security and End Point Protection applied to the cloud environment itself.)

The fundamental principles of security and risk management still apply. The approach IBM is using is based on IBM’s Security Framework and Blueprint, which provides a comprehensive framework to address all aspects of security.

How can you start to build to a position of trust and risk management when setting up cloud computing for your organisation?

Getting started:

1. Define a cloud strategy with security in mind
Identify the different workloads and how they need to interact. Which models are appropriate, based on their security and trust requirements and the systems they need to interface to?

2. Identify the security measures needed
Using a framework such as the one IBM uses, the IBM Security Framework and Blueprint, allows teams to capture the measures that are needed in areas such as governance, architecture, applications and assurance.

3. Enable security for the cloud
Decide the upfront set of assurance measures you will want to take: assessing that the applications, infrastructure and other elements meet your security requirements, as well as the operational security measures.

Cloud security can be delivered as part of the cloud service and also as specific components added in to enhance security. Depending on your cloud provider, it may be that a combination of both of these approaches is necessary.
In summary

Cloud computing offers new possibilities and new challenges. These challenges range from governance through to securing applications and infrastructure. Fundamentally, it is important to be able to assure the security of these new models in order to build trust and confidence.

The key to establishing trust in these new models is choosing the right cloud computing model for your organisation. Place the right workloads in the right model with the right security mechanisms.

•	For those planning to consume cloud services and looking for trust and assurance from the cloud provider, understanding the service level agreements and the approaches to security is key. Assessing that this can be delivered, including what assurances can be provided, will be important.
•	For those providing or building a cloud infrastructure, using a proven methodology and technologies that can deliver appropriate security is key. This is not just a technical challenge but a challenge of governance and compliance; applications and infrastructure; and assurance.

This paper is written to stimulate discussion of the challenges and of ways to start to address these challenges in securing cloud computing.

The Authors

Nick Coleman
IBM Cloud Security Leader
Email: coleman@uk.ibm.com
Twitter: twitter.com/teamsecurity

Martin Borrett
IBM Lead Security Architect
Email: borretm@uk.ibm.com
IBM United Kingdom Limited, PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU, United Kingdom
IBM Ireland Limited, Oldbrook House, 24-32 Pembroke Road, Dublin 4, Ireland

© Copyright IBM Corporation 2010. All Rights Reserved.
10-0796 (09/10) TT