Está en la página 1de 47

Cloud Security Challenges and Solutions

- Balraj S Boparai, CISSP


Worldwide Tivoli Security SWAT Team

1
Outline
• Introduction to Cloud computing
• Security Challenges in the Cloud
• Cloud security concerns
• IBM’s Point of View on Cloud Security
• IBM solutions for securing cloud
• Assessing the Security Risks of
Cloud Computing
• Security as a Service

2
Introduction to Cloud Computing

3
What is Cloud Computing?

“Cloud” is a new consumption and delivery model for many IT-based services, in which the user sees
only the service, and has no need to know anything about the technology or implementation

Attributes

Flexible
Standardized, pricing Elastic
consumable scaling
Rapid
web-delivered provisioning
services Metering &
Service
Billing Advanced
Catalog
Ordering virtualization

VISIBILITY CONTROL AUTOMATION

....service oriented and service managed

4
Features of Cloud

5
The Layers of IT-as-a-Service

Collaboration CRM/ERP/HR

Business Industry
Processes Applications

Software as a Service

Web 2.0 Application Java


Runtime Runtime

Development
Middleware Database
Tooling

Platform as a Service

Data Center
Servers
Fabric

Networking Storage

Infrastructure as a Service

6
7
Cloud Computing Delivery Models
Flexible Delivery Models

Public … Private …
Cloud
• Service provider owned and • Privately owned and
managed Services managed.
• Access by subscription • Access limited to client
• Delivers select set of
Cloud
and its partner network.
standardized business Computing • Drives efficiency,
process, application and/or Model standardization and best
infrastructure services on a practices while retaining
flexible price per use basis. greater customization
Hybrid … and control
• Access to client, partner
network, and third party
resources
.…Standardization, capital .… Customization, efficiency,
preservation, flexibility and availability, resiliency,
time to deploy security and privacy___

ORGANIZATION CULTURE GOVERNANCE

...service sourcing and service value


8
Security and Cloud Computing

Cloud-onomics…

CLOUD COMPUTING

VIRTUALIZATION
+ ENERGY
EFFICIENCY
+ STANDARDIZATION
+ AUTOMATION
= Reduced
Cost

….leverages virtualization, standardization and service management to


free up operational budget for new investment

AGILITY
+ BUSINESS & IT
ALIGNMENT
+ SERVICE
FLEXIBILITY
+ INDUSTRY
STANDARDS
=
…allowing you to optimize new investments
OPTIMIZED
BUSINESS

for direct business benefits


9
Security Challenges in the Cloud

10
Security and Cloud Computing

What is Cloud Security?


Confidentiality, integrity, availability
of business-critical IT assets
Stored or processed on a cloud Cloud Computing
computing platform
Software as a Service

Utility Computing

Grid Computing

There is nothing new under the sun


but there are lots of old things we don't know.
Ambrose Bierce, The Devil's Dictionary
11
Security and Cloud Computing

Security and the building blocks of Cloud Computing


Service
Strategic Global Grid Web 2.0
Oriented Virtualization
Outsourcing Outsourcing Computing Collaboration
Architecture

Vendor Legislative Distributed Web Data Shared


Trust Boundaries Infrastructure Risks Threats Leakage Infrastructure

SLAs International Availability, Web Data Leakage Segmentation


Standards Resiliency
Security Security Prevention Technologies

Cloud
Computing

Cloud Computing is a natural evolution of the evolving IT paradigms listed above.

A variety of security technologies, processes, procedures, laws, and


trust models are required to secure the cloud. There is no silver bullet!

12
Security and Cloud Computing

Cloud Security: Simple Example


Today’s Data Center Tomorrow’s Public Cloud

? ?
?
? ?
We Have Control ? Who Has Control?
It’s located at X. Where is it located?
It’s stored in server’s Y, Z. Where is it stored?
We have backups in place. Who backs it up?
Our admins control access. Who has access?
Our uptime is sufficient. How resilient is it?
The auditors are happy. How do auditors observe?
Our security team is engaged. How does our security
team engage?

13
13
Security and Cloud Computing

Everybody is Concerned about the Security in


(Public) Clouds New technologies always introduce
new threat vectors and new risks.

“External” aspects of public clouds


exacerbate concerns:
● “Black box” sharing in clouds reduces
visibility and control, increases risk
of unauthorized access and
disclosures.
● Limited compatibility with existing
enterprise security infrastructure
limits adoption for mission-critical
apps.
● Limited experience and low assurance
raise doubts over cloud reliability
(operational availability, long-term
perspective).
● Privacy and accountability
regulations may prevent cloud
adoption for certain data and in certain
geographies.
14
Security and Cloud Computing

Different Clouds, Different Responsibilities


Collaboration CRM/ERP/HR The Cloud
Curtain
Business Industry
Processes Applications

Software as a Service

Web 2.0 Application Java The Cloud


Runtime Runtime Curtain
Development
Middleware Database
Tooling

Platform as a Service

Data Center Curtain


Servers
Fabric

Networking Storage

Infrastructure as a Service

15
Security and Cloud Computing

Recent Analyst Reports Confirm General Concerns –


But also Highlight Security as a Potential Market Differentiator

• “Securing your applications or data • Gartner’s 7/09 “Hype Curve for Cloud
when they live in a cloud provider’s Computing” positions Cloud Security
infrastructure is a complicated issue Concerns into the early phase (technology
because you lack visibility and trigger, will raise), and gives it a time
control over how things are being horizon of 5-10 years
done inside someone else’s network.”
Forrester, 5/09
• “Highly regulated or sensitive
• “Large enterprises should generally proprietary information should not
avoid placing sensitive be stored or processed in an
information in public clouds, but external public cloud-based
concentrate on building internal service without appropriate visibility
cloud and hybrid cloud capabilities into the provider's technology and
in the near term.“ Burton, 7/09 processes and/or the use of
encryption and other security
• “Cloud approaches offer a unique mechanisms to ensure the
opportunity to shift a substantial
burden for keeping up with threats appropriate level of information
to a provider for whom security may protection.” Gartner 7/09
well be part of the value proposition.”
EMA, 2/09

16
Security and Cloud Computing

Security as a Potential Market Differentiator:


Different Workloads have Different Risk Profiles
High
Mission-critical
workloads, personal High value / high risk
information workloads need
● Quality of protection
adapted to risk
Private ● Direct visibility and
control
Need for Analysis & ● Significant level of
Security simulation with assurance
public data
Assurance

Hybrid Today’s clouds are


primarily here:
● Lower risk workloads
Training, testing ● One-size-fits-all
with non-
approach to data
sensitive data
protection
● No significant
Low
Public assurance
● Price is key
Low-risk Mid-risk High-risk

Business Risk
17
Cloud Security Concerns

18
Data exposure and Compromise
• Organizations uncomfortable with idea of data
located on external systems
• Hosted providers cannot ensure absolute
security
• Authentication and access technology becomes
increasingly important
• Data segregation also becomes key in cloud

19
• Reliability of service
• Reliability is core advantage in cloud. It is very scalable
and capable of meeting wide variations in processing
power and users
• High Availability is still a concern. Many cloud based
offerings do not offer SLAs
• Any (cloud) offering that does not replicate the data and
application infrastructure across multiple sites is
vulnerable to a total failure
• Even if offerer refuses to tell you where will it store your
data. It should tell you what would happen to your data
and service if one of its site succumbs to a disaster.

20
Reduced ability to demonstrate compliance
with regulations, standards and SLA’s
• Public clouds are mostly by definition “A black Box”
• Complying with SOX, HIPAA etc. regulations may
prohibit clouds for some applications
• Geographical requirements
• A ‘Private’ and ‘Hybrid’ cloud can be configured to meet
these requirements

21
• Ability to manage the security
environment
• CSPs must supply easy visual controls to
manage and monitor firewall and other security
settings for applications and runtime
environments in the cloud
• No Granularity of access (SaaS). Usually only
roles available are ‘Admin’ and ‘Normal User’

22
IBM’s Point of View on Cloud Security

23
Security and Cloud Computing

Layers of a typical Cloud Service


Application as a service
Application software licensed for use as a
Cloud Delivered

service provided to customers on demand


Services

Platform as a service
Optimized middleware – application servers,
database servers, portal servers

Infrastructure as a service
Virtualized servers, storage,
networking

Business Support Services


Cloud Platform

Offering Mgmt, Customer Mgmt, Ordering


Mgmt, Billing

Operational Support Services


Infrastructure Provisioning
Instance, Image, Resource / Asset Mgmt

Virtualized Resources
Virtual Network, Server, Storage

System Resources
Network, Server, Storage

Physical System and Environment

24
IBM’s Architectural Model for Cloud Computing
Service Request & Operations Service Provider Service Creation

End Users, Service


Operators Cloud Services Planning

Application/Software as a Service

Service
Standards Based Interfaces

Platform as a Service Definition


Tools
Role-based
Access

Infrastructure as a Service

Cloud Management Platform


Service
Publishing
Service
Business Support Systems (BSS) Tools
Catalog

Service Delivery Platform


Operational “Operational Support Systems (OSS)” Service
Console Reporting &
Analytics

25
Security and Cloud Computing

Cloud Security = SOA Security + Secure “New” Runtime


Service Request & Operations
Service Oriented Architecture Service Provider Service Creation

End Users, Service


Operators Cloud Services Planning
Application / Software as a Service

Platform as a Service ƒ Secure integration with existing enterprise


Application/Software as a Service
security infrastructure
Infrastructure as a Service Service
Federated
ƒ Platform identity / identity as a service
Standards Based Interfaces

as a Service Definition
Tools
Identity & Security as a Service
Role-based ƒ Authorization, entitlements
Access
ƒ Log, audit and compliance reporting
Intrusionasprevention
ƒInfrastructure a Service

Secure Runtime for Virtual Images and Virtual


Cloud Management Storage
Platform
Business Support Services ƒ Process isolation, data segregationService
Publishing
Service ƒ Control of privileged user access Tools
Business Support Systems (BSS)
Catalog
Operational Support Services
ƒ Provisioning w/ security and location
Virtualized Resources constraints
Service Delivery Platform
“Operational Support Systems (OSS)” Service
Operational
Console
ƒ Image provenance, image & VM integrity
Reporting &
System Resources
ƒ Multi-tenant security services (identity,
Analytics

Physical System / Environment compliance reporting, etc.)


ƒ Multi-tenant intrusion prevention
26 9/15/2009
ƒ Consistency top-to-bottom 26
IBM Security Framework
• It’s clear to IBM that a variety of
security technologies, processes,
procedures, laws, and trust models
are required to secure the cloud.
There is no silver bullet for securing
the cloud

• World class solutions – software,


hardware and services

• 3rd-party audit (SAS 70(2),


ISO27001, PCI)

27
IBM solutions for securing cloud

28
People and Identity
Businesses need to make sure people across their organization and supply
chain have access to the data and tools that they need, when they need it, while
blocking those who do not need or should not have access

• Tivoli Identity Manager


• Tivoli Federated Identity Manager
– Offers a single access method for users into cloud and traditional
applications
– Cloud computing infrastructures involve enormous pools of external users
constantly logging in to leverage shared IT services and this product’s
authentication management features can help deliver significant business
value
• Tivoli Access Manager for Operating Systems
– It can help protect individual application, network, data, and operating
system resources
– Single security model

29
Information and Data
– Earlier data can be protected with perimeter. Now data needs to be
secured where ever it resides and when it is in motion. Capabilities
for monitoring, access management and encryption
– IBM’s Systems, Storage, and Network Segmentation
Solutions
» offer application isolation, OS containers, encrypted storage,
VLANs and other isolation technologies for a secure multi-
tenant infrastructure
– Tivoli Key Lifecycle Manager
– IBM Data Encryption for IMS and DB2 Databases
– IBM Database Encryption Expert
» Transparently protect any file on the file system
» Transparently encrypt DB2 backup files
» Protects information in Online, offline environments
• Backup and recovery of data stored remotely in the cloud
– IBM Information Protection Services

30
Process and Application
– Enterprises need to preemptively and proactively
protect their business-critical applications
– Focus is more on Web applications
• Rational AppScan
– Provides automated Web application scanning and testing for all common
Web application vulnerabilities, including WASC threat classification - such
as SQL-Injection, Cross-Site Scripting, and Buffer Overflow - and intelligent
fix recommendations to ease remediation

• Rational Policy Tester


– ensure site privacy by scanning web content and producing
actionable reports to identify issues that may impact compliance
• ISS Professional Security Services
• IBM Optim Data Privacy Solutions
– de-identify confidential information to protect privacy and support
compliance initiatives by applying a range of masking and fictionalized
substitution techniques

• IBM Tivoli Security Information and Event


Manager 31
Optim’s data masking techniques

32
• Network, Server and Endpoint
• Proactive threat and vulnerability monitoring
• Security of Virtualization stack
– ISS Virtualization Security
» Proventia Virtualized Network Security Platform
(VNSP)
» IBM Proventia® Server Intrusion Prevention
System (IPS)
» IBM RealSecure® Server Sensor

33
34
• Physical Infrastructure
– Effective physical security requires a centralized management system that
allows the monitoring of property, employees, customers and the general
public

35
Security and Cloud Computing

Physical Infrastructure
BCRS Resilient Cloud Validation Program

Summary: IBM Business Continuity and Resiliency


Services (BCRS) plans to offer a validation program
Disaster Public or Private Cloud
for cloud service providers to ensure the resiliency of
Recovery
their business.

Restoration and
Cloud Use Case: By using proven BCRS resiliency
availability of cloud consulting methodology, combined with traditional
computing resources shared and dedicated asset business and resiliency
managed services, IBM is positioning BCRS as the
premier resiliency provider to Cloud service
providers. Resilient
Cloud

High Performance On Demand Solutions (HiPODS) + IBM ISS Security Operations Centers

Summary: HiPODS is a group of specialists within


IBM's Software Strategy group, with seven cloud
Data Location
computing locations around the world. IBM also has
eight Security Operations Centers (SOCs) with a
global reach to serve clients with international
Ability to process capabilities and a local presence.
data in specific
jurisdictions
according to local Cloud Use Case: The HiPODS team can create a
requirements project team anywhere in the world in minutes and
assign servers / storage for a project in less than an
hour. IBM SOCs monitor more than 17,000 security
devices on behalf of 3,700 customers.

36
36 36
Security and Cloud Computing

IBM Security has all the Capabilities and Credentials to Provide


Enterprise-grade Security for Cloud Computing

Smart Planet
Dynamic Infrastructure

GTS ITS GBS IBM Research

37
37 9/15/2009 37
Security and Cloud Computing

Cloud computing also provides the opportunity to simplify security


controls and defenses
Cloud Enabled Control(s) Benefit

• Defined set of cloud interfaces • Reduced risk of user access to unrelated resources.
People and • Centralized repository of Identity and Access Control policies
Identity

• Computing services running in isolated domains as defined in • Improved accountability, Reduced risk of data leakage /
service catalogs loss
Information • Default encryption of data in motion & at rest • Reduced attack surface and threat window
and Data • Virtualized storage providing better inventory, control, tracking • Less likelihood that an attack would propagate
of master data

• Autonomous security policies and procedures • Improved protection of assets and increased accountability
• Personnel and tools with specialized knowledge of the cloud of business and IT users
Process & ecosystem
Application • SLA-backed availability and confidentiality

• Automated provisioning and reclamation of hardened runtime • Reduced attack surface


images • Improved forensics with ensemble snapshots
Network Server
• Dynamic allocation of pooled resources to mission-oriented
and Endpoint ensembles

Physical • Closer coupling of systems to manage physical and logical • Improved ability to enforce access policy and manage
identity / access. compliance
infrastructure

38 38
38 9/15/2009
Assessing the Security Risks of
Cloud Computing

39
Key Findings
• The most practical way to evaluate the risks associated with
using a service in the cloud is to get a third party to do it.

• Cloud-computing IT risks in areas such as data segregation,


data privacy, privileged user access, service provider viability,
availability and recovery should be assessed like any other
externally provided service

• Location independence and the possibility of service provider


"subcontracting" result in IT risks, legal issues and compliance
issues that are unique to cloud computing

• If your business managers are making unauthorized use of


external computing services, then they are circumventing
corporate security policies and creating unrecognized and
unmanaged information-related risks

40
Recommendations
• Organizations that have IT risk assessment capabilities and
controls for externally sourced services should apply them to the
appropriate aspects of cloud computing

• Legal, regulatory and audit issues associated with location


independence and service subcontracting should be assessed
before cloud-based services are used

• Demand transparency from CSP. Don't contract for IT services


with a vendor that refuses to provide detailed information on its
security and continuity management programs

• Develop a strategy for the controlled and secure use of


alternative delivery mechanisms, so that business managers
know when they are appropriate to use and have a recognized
approval process to follow

41
What to Evaluate
• Privileged User Access
• Ask providers to supply specific information on the hiring and oversight
of privileged administrators, and the controls over their access
• Compliance
• Cloud computing provider should be willing to submit to external audits
and security certifications
• Data Location
• Need to meet National privacy regulations
• Is the provider willing to give a contractual commitment to obey the law
on your behalf?
• Data Segregation
• Ask for evidence that the encryption implementation was designed and
tested by experienced specialists
• Encryption accidents can make data totally unusable, and even normal
encryption can complicate availability.
• Who has access to the decryption keys?

42
What to Evaluate (Cont.)
• Availability
• Does cloud-based offerings provides service level
commitments?
• Recovery
• How cloud offerings will recover from total disaster?
• May not tell where data is stored. But does it have the ability to
do a complete restoration, and how long will it take?
• Investigative Support
• Cloud services are especially difficult to investigate
• Contractual commitment to support specific forms of
investigation , Electronic Discovery
• Viability
• long-term viability of any external service provider
• Support in Reducing Risk
• CSPs to inform how safely and reliably use their product

43
How to Assess

• Evaluate the service provider in person.


• Use a neutral third party to perform a security assessment
• Accept whatever assurances the service provider offers

Ultimately, your ability to assess the risk of using a


particular service provider comes down to its
degree of transparency

trust.salesforce.com

44
Security as a Service

45
Security Offerings
• Email Filtering (backup, archival, e-
Discovery,Encryption)
• Web Content Filtering (Including outbound
sensitive information)
• Identity-as-a-Service (IDaaS)

46
Thank You

47