© 2010 IBM Corporation
Cloudy with a chance of security: Information security in virtual environments
Johan Celis
Security Solutions Architect EMEA
IBM
Virtualization – First Step in Journey to Cloud Computing
Virtualization. Better hardware utilization. Improved IT agility.
Server Consolidation. Streamline Operations – manage physical and virtual systems. Lower power consumption.
Rapid deployment of infrastructure and applications.
Request-driven service management.
Service Catalog.
Cloud Computing. Integrated service lifecycle mgmt. Expose resources “as-a-Service”. Integrated Security infrastructure. Rapid provisioning of IT resources, massive scaling. Dynamic service mgmt. Energy saving via auto workload distribution.
Top Threats To Cloud Computing
Abuse and nefarious use of cloud computing
Insecure interfaces and APIs
Malicious insiders
Shared technology issues
Data loss or leakage
Account or service hijacking
Unknown risk profile
Layers of a typical Cloud Service
Cloud Platform:
System Resources: Network, Server, Storage
Physical System and Environment
Virtualized Resources: Virtual Network, Server, Storage
Operational Support Services: Infrastructure Provisioning; Instance, Image, Resource / Asset Mgmt
Business Support Services: Offering Mgmt, Customer Mgmt, Ordering Mgmt, Billing
Cloud Delivered Services:
Infrastructure as a service: Virtualized servers, storage, networking
Platform as a service: Optimized middleware – application servers, database servers, portal servers
Application as a service: Application software licensed for use as a service provided to customers on demand
Cloud Security
Secure integration with existing enterprise security infrastructure
Federated identity / identity as a service
Authorization, entitlements
Log, audit and compliance reporting
Intrusion prevention
Process isolation, data segregation
Control of privileged user access
Provisioning w/ security and location constraints
Image provenance, image & VM integrity
Multi-tenant security services (identity, compliance reporting, etc.)
Multi-tenant intrusion prevention
Consistency top-to-bottom
Cloud Security = SOA Security + Virtualization Security
Service Oriented Architecture (SOA) Security
Virtualization Security
Hypervisor Security Challenges – New Complexities
Before Virtualization: 1:1 ratio of OSs and applications per server
After Virtualization: 1:Many ratio of OSs and applications per server; an additional layer to manage and secure
Hypervisor Security Challenges – New Risks
Management vulnerabilities
Secure storage of VMs and the management data
Stealth rootkits in hardware now possible
Virtual NICs & virtual hardware are targets
Virtual sprawl
Dynamic VM state & relocation
VM stealing
Resource sharing
Single point of failure
Reduced visibility & control
Security Challenges – OS & Application Vulnerabilities
Traditional threats remain as long as VMs communicate with the network, virtual or physical
Worms
Rootkits
Trojans
DoS
SQL Injection
Cross Site Scripting
Virtual machine state changes (online, offline, snapshots) and cloning can obsolete patching processes
OS and application vulnerabilities and exposures do not change in the virtual world !!!
Security Challenges – Compliance
Best Practices for Security Compliance in a Virtualized Environment
*Source: RSA Security Brief: Security Compliance in a Virtual World http://www.rsa.com/solutions/technology/secure/wp/10393_VIRT_BRF_0809.pdf
Configuration and change management processes should be extended to encompass the virtual infrastructure
Maintain separate administrative access control even though server, network and security infrastructure is now consolidated
Provide virtual machine and virtual network security segmentation
Maintain virtual audit logging
Traditional Security Solutions May Add Cost And Complexity
Network IPS
Seems Secure: Only blocks threats and attacks at the perimeter
Not Secure Enough: Should protect against threats at the perimeter and between VMs
Server Protection
Seems Secure: Secures each physical server with protection and reporting for a single agent
Not Secure Enough: Securing each VM as if it were a physical server adds time and cost
System Patching
Seems Secure: Patches critical vulnerabilities on individual servers and networks
Not Secure Enough: Needs to track, patch and control VM sprawl
Security Policies
Seems Secure: Policies are specific to critical applications in each network segment and server
Not Secure Enough: Policies must be more encompassing (Web, data, OS coverage, databases) and be able to move with the VMs
IBM Virtualization Security Solutions
Existing solutions certified for protection of virtual workloads
Threat protection delivered in a virtual form-factor
Integrated virtual environment-aware threat protection
IBM Security Server IPS
IBM Security Network IPS
IBM Security Network Mail Security
IBM Security Network MFS
IBM Security Virtualized Network Security
IBM Security Network Mail Security
IBM Security Virtual Server Protection for VMware
What is VMsafe API?
Security VM (SVM)
VMsafe API
CPU & Memory Inspection
Networking
Storage
IBM Security Virtual Server Protection for VMware – Integrated threat protection for VMware vSphere 4
VMsafe Integration
Firewall and Intrusion Prevention
Rootkit Detection/Prevention
Inter-VM Traffic Analysis
Automated Protection for Mobile VMs (VMotion)
Virtual Network Segment Protection
Virtual Network-Level Protection
Virtual Infrastructure Auditing (Privileged User)
Virtual Network Access Control
IBM Security Virtual Server Protection for VMware – Intrusion Prevention System (IPS)
Vulnerability-centric, protocol-aware analysis and protection
Abstraction from underlying network configuration
Automated protection for new VMs
Network-level workload segmentation
Privileged-level protection of OS kernel structures
Managed through SiteProtector
IBM Security Virtual Server Protection for VMware – IPS Protocol Analysis Module (PAM)
Performs deep packet inspection
Performs deep protocol and content analysis
Detects protocol and content anomalies
Simulates the protocol/content stacks in vulnerable systems
Normalizes at each protocol and content layer
Provides the ability to add new security functionality within the existing solution
Protocol Analysis Module – Virtual Patch® Technology
Shielding a vulnerability from exploitation independent of a software patch
Enables a responsible patch management process that can be adhered to without fear of a breach
IBM is a MAPP (Microsoft Active Protections Program) partner
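As an added illustration (not IBM's code and not the PAM implementation), the toy inspector below shows what the PAM bullets on the previous slide and the virtual-patch idea here mean in practice: each HTTP request line is decoded the way a lenient server stack would decode it before any rule runs, so normalization at the protocol layer defeats encoding tricks, and a vulnerability-centric rule shields a flaw without a software patch. The /app/login path, the user parameter, its 64-byte limit and the rule id are constructed assumptions, as are the sample request lines.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed virtual-patch rule (an assumption, not a real product rule): shield a
# hypothetical flaw in /app/login that mishandles an over-long 'user' value,
# without changing the application itself.
VIRTUAL_PATCHES = [
    {"id": "VP-EXAMPLE-001", "path": "/app/login", "param": "user", "max_len": 64},
]
VALID_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}


def fully_unquote(text):
    """Percent-decode until nothing changes, as a lenient stack might, so double-encoding cannot hide."""
    prev = None
    while prev != text:
        prev, text = text, unquote(text)
    return text


def normalize(raw_line):
    """Protocol-layer normalization: tokenize, decode path and query values, fold slashes."""
    method, target, version = raw_line.split(" ")  # ValueError unless exactly 3 tokens
    parts = urlsplit(target)
    path = re.sub(r"/+", "/", fully_unquote(parts.path).replace("\\", "/"))
    params = {k: fully_unquote(v)
              for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    return {"method": method, "path": path, "params": params, "version": version}


def inspect(raw_line):
    """Return the findings for one request line; an empty list means clean."""
    try:
        req = normalize(raw_line)
    except ValueError:
        return ["malformed request line"]
    findings = []
    if req["method"] not in VALID_METHODS:
        findings.append("unknown HTTP method")
    if ".." in req["path"].split("/"):
        findings.append("path traversal after normalization")
    for vp in VIRTUAL_PATCHES:  # vulnerability-centric rule, applied after decoding
        value = req["params"].get(vp["param"], "")
        if req["path"] == vp["path"] and len(value) > vp["max_len"]:
            findings.append("virtual patch " + vp["id"] + " triggered")
    return findings


SAMPLE_REQUESTS = [  # constructed sample request lines, not captured traffic
    "GET /index.html HTTP/1.1",
    "GET /images/..%252f..%252fetc/passwd HTTP/1.1",    # double-encoded traversal
    "GET /app//login?user=" + "A" * 100 + " HTTP/1.1",  # trips the virtual patch
    "FOO / HTTP/1.1",
]
```

Running `inspect` over `SAMPLE_REQUESTS` flags the second, third and fourth lines and leaves the first clean; the traversal is only visible because the path was decoded twice and the doubled slash folded before the checks ran.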
Why IBM?
IBM leads the industry in breadth and depth of security expertise with:
7,000,000,000+ security events managed daily
48,000+ vulnerabilities tracked in the IBM X-Force® research and development database
15,000 researchers, developers and subject matter experts on security initiatives
4,000+ customers managed in security operations centers around the world
3,000+ security & risk management patents
40+ years of proven success with security and virtualization on IBM Systems
Thank you!
For more information, please visit:
http://ibm.com/cloud
http://ibm.com/security
Johan Celis – [email protected]