
© 2010 IBM Corporation

Cloudy with a chance of security

Information security in virtual environments

Johan Celis

Security Solutions Architect EMEA

IBM

Virtualization – First Step in Journey to Cloud Computing

Virtualization

Better hardware utilization

Improved IT agility

Server consolidation

Streamline operations – manage physical and virtual systems

Lower power consumption

Cloud Computing

Integrated service lifecycle management

Expose resources “as-a-Service”

Integrated security infrastructure

Rapid provisioning of IT resources, massive scaling

Dynamic service management; energy saving via automatic workload distribution

Rapid deployment of infrastructure and applications

Request-driven service management

Service catalog

Top Threats To Cloud Computing

Abuse and nefarious use of cloud computing

Insecure interfaces and APIs

Malicious insiders

Shared technology issues

Data loss or leakage

Account or service hijacking

Unknown risk profile

Layers of a typical Cloud Service

Cloud Platform (bottom-up):

Physical System and Environment

System Resources – Network, Server, Storage

Virtualized Resources – Virtual Network, Server, Storage

Operational Support Services – Infrastructure Provisioning; Instance, Image, Resource / Asset Mgmt

Business Support Services – Offering Mgmt, Customer Mgmt, Ordering Mgmt, Billing

Cloud Delivered Services (bottom-up):

Infrastructure as a service – Virtualized servers, storage, networking

Platform as a service – Optimized middleware: application servers, database servers, portal servers

Application as a service – Application software licensed for use as a service, provided to customers on demand

Cloud Security

(Same layer diagram as the previous slide, annotated with the security capabilities the layers need.)

Secure integration with existing enterprise security infrastructure

Federated identity / identity as a service

Authorization, entitlements

Log, audit and compliance reporting

Intrusion prevention

Process isolation, data segregation

Control of privileged user access

Provisioning with security and location constraints

Image provenance, image & VM integrity

Multi-tenant security services (identity, compliance reporting, etc.)

Multi-tenant intrusion prevention

Consistency top-to-bottom

Cloud Security = SOA Security + Virtualization Security

(Same layer diagram again, divided into two security domains.)

Service Oriented Architecture (SOA) Security

Virtualization Security

Hypervisor Security Challenges – New Complexities

Before virtualization: 1:1 ratio of OSs and applications per server

After virtualization: 1:many ratio of OSs and applications per server; an additional layer (the hypervisor) to manage and secure

Hypervisor Security Challenges – New Risks

Management vulnerabilities – secure storage of VMs and the management data

Stealth rootkits in hardware now possible – virtual NICs and virtual hardware are targets

Virtual sprawl – dynamic VM state and relocation – VM stealing

Resource sharing – single point of failure – reduced visibility and control

Security Challenges – OS & Application Vulnerabilities

Traditional threats remain as long as VMs communicate with the network, virtual or physical:

Worms

Rootkits

Trojans

DoS

SQL injection

Cross-site scripting

Virtual machine state changes (online, offline, snapshots) and cloning can obsolete patching processes: a VM reverted to a snapshot, or cloned from an old image, comes back with the patch level it had when the snapshot or image was taken

OS and application vulnerabilities and exposures do not change in the virtual world
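The snapshot and clone point above, worked through as an added example (Python; not code from the deck or from IBM). It assumes a patch inventory keyed by the hypervisor's VM identifier; the record fields, the KB-… patch IDs and both scans are constructed, and the "lost patches" heuristic is this example's own, not something the slides describe.

```python
"""Patch-state drift after VM snapshot reverts, clones and offline periods.

Added example, not from the original deck. It assumes a per-VM patch
inventory keyed by the hypervisor's VM identifier; record fields and the
patch IDs (KB-1001 ...) are hypothetical and both scans are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set


@dataclass(frozen=True)
class PatchRecord:
    vm_id: str                         # hypervisor VM identifier, stable across reverts
    name: str
    patches: FrozenSet[str]            # patch IDs the guest reports as installed
    cloned_from: Optional[str] = None  # source VM or template, if the VM is a clone


# Patches every VM must carry (constructed).
REQUIRED: FrozenSet[str] = frozenset({"KB-1001", "KB-1002", "KB-1003"})

# What each VM reported at the previous scan (constructed).
BASELINE: Dict[str, FrozenSet[str]] = {
    "vm-01": frozenset({"KB-1001", "KB-1002", "KB-1003"}),
    "vm-02": frozenset({"KB-1001", "KB-1002", "KB-1003"}),
    "vm-04": frozenset({"KB-1001", "KB-1002", "KB-1003"}),
}

# Current scan (constructed): vm-01 was reverted to a snapshot taken before
# KB-1003; vm-03 was cloned from vm-02's template before KB-1003 shipped;
# vm-04 is powered off and did not report at all.
CURRENT = [
    PatchRecord("vm-01", "web-01", frozenset({"KB-1001", "KB-1002"})),
    PatchRecord("vm-02", "app-01", frozenset({"KB-1001", "KB-1002", "KB-1003"})),
    PatchRecord("vm-03", "app-02", frozenset({"KB-1001", "KB-1002"}), cloned_from="vm-02"),
]


def classify_drift(baseline: Dict[str, FrozenSet[str]], required: FrozenSet[str],
                   current: Iterable[PatchRecord]) -> Dict[str, dict]:
    """One finding per VM that is not at the required patch level.

    'lost' patches (present at the last scan, absent now) cannot happen on a
    physical server; they are the fingerprint of a snapshot revert or a
    restore from an old image. A clone that starts life behind the baseline
    is an 'inherited gap'. A compliance report that only records 'patched
    once' would show both as green.
    """
    findings: Dict[str, dict] = {}
    for rec in current:
        missing = set(required - rec.patches)
        lost = set(baseline.get(rec.vm_id, frozenset()) - rec.patches)
        if not missing and not lost:
            continue
        if lost:
            reason = "regression"       # snapshot revert / restore from old image
        elif rec.cloned_from:
            reason = "inherited gap"    # cloned from an outdated source
        else:
            reason = "never patched"
        findings[rec.vm_id] = {"name": rec.name, "missing": missing,
                               "lost": lost, "reason": reason}
    return findings


def unscanned_vms(baseline: Dict[str, FrozenSet[str]],
                  current: Iterable[PatchRecord]) -> Set[str]:
    """VMs known from the last scan that did not report this time. Offline or
    suspended VMs keep a stale patch level and re-enter the network unpatched,
    so 'no data' must be treated as a finding, not as compliant."""
    return set(baseline) - {rec.vm_id for rec in current}


if __name__ == "__main__":
    for vm_id, finding in classify_drift(BASELINE, REQUIRED, CURRENT).items():
        print(f"{vm_id} ({finding['name']}): {finding['reason']}, "
              f"missing={sorted(finding['missing'])}, lost={sorted(finding['lost'])}")
    print("did not report:", sorted(unscanned_vms(BASELINE, CURRENT)))
```

Run against a real inventory, the baseline would be the previous scan stored per VM identifier rather than per hostname, because a clone usually keeps the hostname of its source for a while and would otherwise overwrite the source's record.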

Security Challenges – Security & Network Convergence (diagram)

Security Challenges – Compliance

Best Practices for Security Compliance in a Virtualized Environment*

Configuration and change management processes should be extended to encompass the virtual infrastructure

Maintain separate administrative access control for server, network and security administration, even though the infrastructure is now consolidated

Provide virtual machine and virtual network security segmentation

Maintain virtual audit logging

*Source: RSA Security Brief: Security Compliance in a Virtual World, http://www.rsa.com/solutions/technology/secure/wp/10393_VIRT_BRF_0809.pdf
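Three of the four practices above can be checked mechanically against an inventory export. The following is an added example (Python; not from the deck or the RSA brief) that does so for segmentation, separation of administrative duties and audit-log forwarding; the inventory format, the role names and the role-to-plane mapping are assumptions, and the records are constructed. Change management is a process control and is not checked here.

```python
"""Inventory checks for virtualization compliance practices.

Added example, not from the original deck or the RSA brief. The inventory
shape, the role names and PLANE_OF_ROLE are hypothetical; records are
constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class VirtualMachine:
    name: str
    zone: str        # security zone the VM is supposed to live in
    port_group: str  # virtual switch port group (VLAN) its vNIC is attached to
    host: str        # hypervisor host running it


@dataclass(frozen=True)
class RoleAssignment:
    account: str
    role: str


@dataclass(frozen=True)
class Host:
    name: str
    audit_log_forwarded: bool  # audit/syslog shipped to an external collector


# Which administrative plane each role belongs to (hypothetical role names).
PLANE_OF_ROLE: Dict[str, Optional[str]] = {
    "vm-admin": "server", "host-admin": "server",
    "vswitch-admin": "network", "vlan-admin": "network",
    "ips-admin": "security", "vfirewall-admin": "security",
    "read-only": None,  # viewer roles do not count toward a plane
}


def segmentation_violations(vms: Iterable[VirtualMachine]) -> Dict[str, Set[str]]:
    """Port groups carrying VMs from more than one security zone.

    VMs on one port group share a broadcast domain inside the host, so traffic
    between them never reaches the physical firewall that separates the zones.
    """
    zones_by_pg: Dict[str, Set[str]] = defaultdict(set)
    for vm in vms:
        zones_by_pg[vm.port_group].add(vm.zone)
    return {pg: zones for pg, zones in zones_by_pg.items() if len(zones) > 1}


def separation_of_duties_violations(assignments: Iterable[RoleAssignment]) -> Dict[str, Set[str]]:
    """Accounts holding administrative roles in more than one plane (server,
    network, security). Consolidation onto one hypervisor console is not a
    reason to merge the three into one account."""
    planes_by_account: Dict[str, Set[str]] = defaultdict(set)
    for a in assignments:
        plane = PLANE_OF_ROLE.get(a.role)
        if plane:
            planes_by_account[a.account].add(plane)
    return {acct: planes for acct, planes in planes_by_account.items() if len(planes) > 1}


def hosts_without_audit_forwarding(hosts: Iterable[Host]) -> Set[str]:
    """Hosts whose audit trail only exists locally, where a privileged user
    (or a compromised host) can alter it."""
    return {h.name for h in hosts if not h.audit_log_forwarded}


# Constructed inventory.
VMS = [
    VirtualMachine("web-01", "dmz", "pg-dmz", "esx-01"),
    VirtualMachine("web-02", "dmz", "pg-dmz", "esx-02"),
    VirtualMachine("db-01", "internal", "pg-internal", "esx-01"),
    VirtualMachine("db-02", "internal", "pg-dmz", "esx-02"),  # internal VM on the DMZ port group
]
ASSIGNMENTS = [
    RoleAssignment("alice", "vm-admin"),
    RoleAssignment("alice", "read-only"),
    RoleAssignment("bob", "vswitch-admin"),
    RoleAssignment("bob", "ips-admin"),  # network and security in one account
    RoleAssignment("carol", "vfirewall-admin"),
]
HOSTS = [Host("esx-01", True), Host("esx-02", False)]


def run_checks() -> Dict[str, object]:
    return {
        "segmentation": segmentation_violations(VMS),
        "separation_of_duties": separation_of_duties_violations(ASSIGNMENTS),
        "audit_logging": hosts_without_audit_forwarding(HOSTS),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result or 'OK'}")
```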

Traditional Security Solutions May Add Cost And Complexity

Network IPS

Seems secure: only blocks threats and attacks at the perimeter

Not secure enough: should protect against threats at the perimeter and between VMs

Server Protection

Seems secure: secures each physical server with protection and reporting for a single agent

Not secure enough: securing each VM as if it were a physical server adds time and cost

System Patching

Seems secure: patches critical vulnerabilities on individual servers and networks

Not secure enough: needs to track, patch and control VM sprawl

Security Policies

Seems secure: policies are specific to critical applications in each network segment and server

Not secure enough: policies must be more encompassing (Web, data, OS coverage, databases) and be able to move with the VMs

IBM Virtualization Security Solutions

Existing solutions certified for protection of virtual workloads:

IBM Security Server IPS

IBM Security Network IPS

IBM Security Network Mail Security

IBM Security Network MFS

Threat protection delivered in a virtual form-factor:

IBM Security Virtualized Network Security

IBM Security Network Mail Security

Integrated virtual environment-aware threat protection:

IBM Security Virtual Server Protection for VMware

What is VMsafe API?

(Diagram) A Security VM (SVM) uses the VMsafe API to inspect the other VMs on the host from outside the guest:

CPU & memory inspection

Networking

Storage

IBM Security Virtual Server Protection for VMware – Integrated threat protection for VMware vSphere 4

VMsafe integration

Firewall and intrusion prevention

Rootkit detection/prevention

Inter-VM traffic analysis

Automated protection for mobile VMs (VMotion)

Virtual network segment protection

Virtual network-level protection

Virtual infrastructure auditing (privileged user)

Virtual network access control

IBM Security Virtual Server Protection for VMware – Intrusion Prevention System (IPS)

Vulnerability-centric, protocol-aware analysis and protection

Abstraction from underlying network configuration

Automated protection for new VMs

Network-level workload segmentation

Privileged-level protection of OS kernel structures

SiteProtector (central management console)

IBM Security Virtual Server Protection for VMware – IPS Protocol Analysis Module (PAM)

Performs deep packet inspection

Performs deep protocol and content analysis

Detects protocol and content anomalies

Simulates the protocol/content stacks in vulnerable systems

Normalizes at each protocol and content layer

Provides the ability to add new security functionality within the existing solution

Protocol Analysis Module – Virtual Patch® Technology

Shielding a vulnerability from exploitation independent of a software patch

Enables a responsible patch management process that can be adhered to without fear of a breach

IBM is a MAPP (Microsoft Active Protections Program) partner
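The PAM slide (normalize at each layer, decode as the vulnerable system would, then match on the vulnerability rather than on bytes) and the Virtual Patch slide (block the precondition of exploitation until the real patch lands) describe the same mechanism, so one added example serves both. This is illustrative Python, not IBM's PAM code: it parses an HTTP request line, normalizes the URL the way a lenient server would (backslashes, repeated percent-decoding, dot segments), flags protocol anomalies, and evaluates vulnerability-centric rules against the normalized request, next to a raw byte-signature matcher for contrast. The handler /cgi-bin/report.cgi and its 64-byte limit on the id parameter are a hypothetical vulnerability invented for the virtual-patch rule; the request samples are constructed.

```python
"""Protocol-aware analysis and a virtual-patch rule versus raw signatures.

Added example, not IBM's PAM. The vulnerable handler /cgi-bin/report.cgi
(id longer than 64 bytes) is HYPOTHETICAL; all requests below are constructed.
"""
import posixpath
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit


@dataclass
class Request:
    method: str
    path: str                      # percent-decoded, dot-segment-normalized path
    query: Dict[str, List[str]]    # decoded query parameters
    anomalies: List[str] = field(default_factory=list)


def decode_until_stable(s: str, max_rounds: int = 3) -> Tuple[str, int]:
    """Percent-decode repeatedly (bounded), the way a server that decodes more
    than once would see the value. Returns the stable text and the number of
    rounds that changed something; 2 or more means double encoding."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(s)
        if decoded == s:
            break
        s, rounds = decoded, rounds + 1
    return s, rounds


def parse_request(raw: bytes) -> Request:
    """Parse the request line, normalize the target, record protocol anomalies."""
    anomalies: List[str] = []
    request_line = raw.split(b"\r\n", 1)[0]
    try:
        text = request_line.decode("ascii")
    except UnicodeDecodeError:
        anomalies.append("non-ascii request line")
        text = request_line.decode("latin-1")
    parts = text.split(" ")
    if len(parts) == 3 and parts[2].startswith("HTTP/"):
        method, target = parts[0], parts[1]
    else:
        anomalies.append("malformed request line")
        method = parts[0] if parts else ""
        target = parts[1] if len(parts) > 1 else "/"
    # URL layer: treat backslashes as separators, then decode the path.
    split = urlsplit(target.replace("\\", "/"))
    path, rounds = decode_until_stable(split.path)
    if rounds > 1:
        anomalies.append("double-encoded target")
    if "\x00" in path:
        anomalies.append("NUL byte in path")
    # Traversal is judged on the decoded path, before dot segments are collapsed.
    if any(seg == ".." for seg in path.split("/")):
        anomalies.append("path traversal")
    path = posixpath.normpath(path) if path else "/"
    # parse_qs decodes once; decode again so double-encoded values are seen too.
    query = {k: [decode_until_stable(v)[0] for v in vs]
             for k, vs in parse_qs(split.query, keep_blank_values=True).items()}
    return Request(method, path, query, anomalies)


# Vulnerability-centric rules evaluated on the normalized request.
RULES: Dict[str, Callable[[Request], bool]] = {
    "path-traversal": lambda r: "path traversal" in r.anomalies,
    "double-encoding": lambda r: "double-encoded target" in r.anomalies,
    # Virtual patch for the hypothetical handler: block the exploit precondition
    # (oversized id) whatever encoding or dot segments hide the handler name.
    "vpatch-report-cgi-oversized-id": lambda r: (
        r.path == "/cgi-bin/report.cgi"
        and any(len(v) > 64 for v in r.query.get("id", []))
    ),
}


def analyze(raw: bytes) -> List[str]:
    req = parse_request(raw)
    return [name for name, rule in RULES.items() if rule(req)]


# The same two detections written as byte patterns on the wire, for contrast.
NAIVE_SIGNATURES = {"path-traversal": b"../",
                    "vpatch-report-cgi-oversized-id": b"/cgi-bin/report.cgi?id="}


def naive_signature_match(raw: bytes) -> List[str]:
    return [name for name, sig in NAIVE_SIGNATURES.items() if sig in raw]


SAMPLES = {  # constructed
    "plain-traversal": b"GET /static/../../etc/passwd HTTP/1.1\r\nHost: x\r\n\r\n",
    "encoded-traversal": b"GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: x\r\n\r\n",
    "double-encoded-traversal": b"GET /static/%252e%252e/etc/passwd HTTP/1.1\r\nHost: x\r\n\r\n",
    "vpatch-evasion": b"GET /cgi-bin/./report%2Ecgi?id=" + b"A" * 100 + b" HTTP/1.1\r\nHost: x\r\n\r\n",
    "benign": b"GET /index.html?id=42 HTTP/1.1\r\nHost: x\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:26} signature={naive_signature_match(raw)!s:34} pam={analyze(raw)}")
```

The byte matcher catches only the unencoded traversal; the normalized analysis catches the encoded and double-encoded variants and the virtual-patch evasion, and reports double encoding as an anomaly in its own right, since no legitimate client sends it.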

Why IBM?

IBM leads the industry in breadth and depth of security expertise with:

7,000,000,000+ security events managed daily

48,000+ vulnerabilities tracked in the IBM X-Force® research and development database

15,000 researchers, developers and subject matter experts on security initiatives

4,000+ customers managed in security operations centers around the world

3,000+ security & risk management patents

40+ years of proven success with security and virtualization on IBM Systems

Thank you!

For more information, please visit:

http://ibm.com/cloud

http://ibm.com/security

Johan Celis – [email protected]