© 2012 IBM Corporation IBM SmartCloud Rethink IT. Reinvent Business. Amy Anderson, Manager, Cloud Partner Programs July, 2013


Page 1: IBM SmartCloudpublic.dhe.ibm.com/software/dw/cloud/techtalks/IBM... · Data-Centric Security Is An Issue BIG DATA, GLOBAL COMPLIANCE, CLOUD ADOPTION, DATA BREACHES 1. Global State

© 2012 IBM Corporation

IBM SmartCloud Rethink IT. Reinvent Business.

Amy Anderson, Manager, Cloud Partner Programs

July, 2013

Page 2:

Common Open Standards Technology and Industry Ecosystem

Deploy Design

Business Process as a Service

Software as a Service

Platform as a Service

Infrastructure as a Service

Consume

Cloud Enablement Technologies: Enables private/hybrid cloud service delivery and management

Managed Cloud Services: Secure and scalable cloud managed services platform

Cloud Business Solutions: Pre-built Cloud SaaS business applications and solutions

Cloud capabilities built upon a common platform, with a commitment to open standards

Page 3:

Common Open Standards Technology and Industry Ecosystem

Deploy Design

Business Process as a Service

Software as a Service

Platform as a Service

Infrastructure as a Service

Consume

Cloud Enablement Technologies: Enables private/hybrid cloud service delivery and management

Managed Cloud Services: SmartCloud Enterprise+

Cloud Business Solutions: Pre-built cloud SaaS business applications and solutions

SoftLayer will further advance the IBM cloud strategy and strengthen IBM’s portfolio of cloud offerings built on open standards

#ibmcloud

Page 4:

Two major application deployment models have emerged in cloud adoption

Scalable Virtualized Automated Lifecycle Heterogeneous Infrastructure

Cloud Enabled

Elastic Multi-tenant Integrated Lifecycle Standardized Infrastructure

Cloud Native

+ Existing Middleware Workloads

Emerging Platform Workloads

Compatibility with existing systems “Systems of Record”

Exploitation of new environments “System of Engagement”

Softlayer

SCE+

Page 5:

Page 6:

Cloud Security

IBM Cloud TechTalk: Keeping your Important Data Safe in the Cloud

July 23, 2013

C.J. Radford, Vice President, Cloud @cjrad @vormetric #CloudSecurity

Saravanan Coimbatore, Director, Cloud Solutions

Page 7:

IBM & Vormetric Partnership

Vormetric recognized as an IBM Business Partner

In 2007, IBM chose Vormetric Data Security to provide data protection to its large enterprise and service provider customers:

Vormetric resold as InfoSphere Guardium Data Encryption

Hundreds of large enterprise and service providers globally

Proven data protection

Vormetric certified as “Ready for SmartCloudServices”

Vormetric listed in IBM Global Solutions Directory

Technical validations include:

SC – Enterprise

SC – Business Applications

SC – Infrastructure Services & Availability

SC – Security, Monitoring and Reporting

Page 8:

How Are We Doing? Perimeter Security is Failing

100% of victims have up-to-date antivirus software

63% of breaches are reported by third parties

243: median number of days advanced attackers are on the network before being detected

100% of breaches involved stolen credentials

Source: mandiant.com/threat-landscape/

Page 9:

Data-Centric Security Is An Issue

BIG DATA, GLOBAL COMPLIANCE, CLOUD ADOPTION, DATA BREACHES

CLOUD ADOPTION: Enterprise Security #1 Inhibitor [1]

APTs DATA BREACHES: 98% Stolen Records From Large Orgs [2]

BIG DATA: Big Data is a Big Target

GLOBAL COMPLIANCE: Aggressive New Regulations

[1] Global State of Information Security® Survey by PwC, CIO magazine, and CSO magazine – October 2012

[2] Verizon Data Breach Investigation Report – March 2012

Page 10:

Who is Responsible for Security?

Security You ~

Security Them ~

ROLE CLARITY

IaaS

PaaS

SaaS

Infrastructure as a Service

Platform as a Service

Software as a Service

APIs

Core Connectivity & Delivery

Abstraction

Hardware

Facilities

APIs

Core Connectivity & Delivery

Abstraction

Hardware

Facilities

Integration Middleware

APIs

Core Connectivity & Delivery

Abstraction

Hardware

Facilities

Integration Middleware

Presentation Modality

Presentation Platform

APIs

Applications

Data Metadata Content

Infrastructure as a Service (IaaS)

Platform as a Service (PaaS)

Infrastructure as a Service (IaaS)

Source: Cloud Security Alliance, 2013.

Page 11:

Cloud Growing, but Security and Data Access Top Concerns for Cloud Adoption

What are Your Top Cloud Services Concerns?

Security defects in the technology itself: 51%

Unauthorized access to or leak of our proprietary information: 45%

Unauthorized access to or leak of our customers’ information: 40%

Application and system performance: 31%

Business continuity and DR readiness of provider: 30%

Business viability of provider; risk company will fail: 30%

Integration of cloud data with our internal systems: 27%

Vendor lock-in: 16%

Features and general maturity of technology: 14%

Security

Data Access

Source: 2013 State of Cloud Computing, InformationWeek, April 2013.

Page 12:

Cloud Computing Security Challenges

01 Multi-tenancy issues

02 Protecting confidential data

03 Data residency resulting in legal issues

04 Lack of standards across service providers

05 Auditing, reporting, and compliance

06 Visibility and intelligence in cloud

07 Does data remain after moving to/from cloud?

08 Service providers access to data

Page 13:

Data Access Framework: [1/3]

Risks to Data Across the IT Stack

Data Breach Risks

User/End Point: Compromised User Account or Device, Malware, Spoofed Sessions, etc.

Application: Privileged Users (Application Admins), Application Vulnerability, SQL Injection, etc.

Database: Privileged Users (Database Admins), Pool Account, SQL Injection, Unpatched DB Vulnerabilities, Misconfigured DB permissions, etc.

Operating System: Privileged Users (root, Sys Admins, Domain Admins), Vulnerable Service, Malware, etc.

Hypervisor: Privileged Users (root, Sys Admins), Hypervisor Administrators, Security Vulnerabilities in the Hypervisor, etc.

Memory, Compute, Storage: Privileged Users (root, Sys Admins), Misconfigured File Permissions, Physical Media Theft, Storage Administrators, etc.

Page 14:

Data Access Framework: [2/3]

Controls Implemented to Address Risks

Controls to Prevent Data Breaches

User/End Point: Identity and Access Management, Endpoint Protection, Malware Detection, etc. – Rules and Signatures

Application: Web Application Firewalls – Rules and Signatures

Database: Database Activity Monitoring and Protection – Monitoring and Controls

Operating System: Data Firewall: Encryption, security intelligence, and access policy controls

Hypervisor: Security provided by hypervisor to segment data in multi-tenant environments

Memory, Compute, Storage: Data Firewall: Encryption, security intelligence and access policy controls

Page 15:

Data Access Framework: [3/3]

Use Best in Class Solutions to Address Risks

Hypervisor

Operating System

Database

Application

User/End Point

Memory Compute Storage

Page 16:

Data-Centric Security Elements for Protecting Data in the Cloud

Strong Access Policies

Block privileged users like root from viewing data and thwart APTs

Provide fine-grained control to determine who can view specific data

Encryption & Key Management

Lock down the data using strong, industry-approved algorithms

Understand who has control and ownership of keys and access policies

Security Intelligence

Log all access to what matters: the protected data

Provide valuable real-time intelligence on who is accessing protected data, where, and when

Automation

Automatic installation, configuration, and dynamic policy enhancements based on real-time threats

Instant protection upon provisioning of new resources

Multi-Tenancy

Secure data in commingled and multi-tenant environments

Enable end users to control policies specific to their own data

Page 17:

Physical

Vormetric Encryption

Vormetric Data Security Manager

Secure Vaulting (Certificates, Keys)

• Automate Deployment

• Key & Encryption Management

Vormetric Toolkit

Vormetric Vault

File and Volume Encryption Agents

Big Data

VM

Virtual

Physical

Virtual

Vormetric Key Management

Virtual Physical

Environment Support

Public Cloud

Private Cloud & Virtualization

Hybrid

Data Centers

Application Agents

• Oracle and SQL Server TDE Keys

• Application Encryption API

Vormetric Data Security Platform

• Policy & Management • Security Intelligence Logs • Users & groups

Page 18:

Secure the Public Cloud

Enterprise Data Center Environment

Internet

Policies & Logs

Policies & Logs

Vormetric Data Security Manager

Keys

Keys

Physical Servers

Private Cloud

Virtual Private Cloud

Virtual Private Cloud

Virtual Private Cloud

Page 19:

Secure your Private Cloud

Secure your private cloud just as you would your physical enterprise

Domains and tenancy features easily support the needs of multiple business units

Vormetric Data Security Manager

Keys

Policies & Logs

Automation

Business Unit 1

Business Unit 2 Business Unit 3

Page 20:

Address the “Insider Threat” by Limiting Access to Data Through Privileged User Access Policies

APT and Malicious Insiders

Business Unit User

Enterprise System Administrator

(Privileged User)

Virtual Machine Layer

Hypervisor Layer

Encrypted Multi-Tenant Storage

Storage Administrator

Storage Administrator

Enterprise

Cloud

• Log & Audit Access

• Integrate with SIEM for Actionable Intelligence

• Keys and policies owned & managed by the enterprise

Page 21:

Securing Data in IBM SCE using Vormetric

Vormetric DSM from IBM Enterprise portal

DSM Management Console

Logged In Site

Domain Management

Host Management

Policy Management on your agent host.

GuardPoint

Apply a policy to a GuardPoint

Page 22:

Launch Vormetric DSM from IBM SmartCloud Enterprise

Page 23:

DSM Management console

Page 24:

Logged In Site

Page 25:

Domain Management

Page 26:

Host Management

Page 27:

Policy Management

Page 28:

Policy Management – Cont’d

Page 29:

Configure Guard Points

Page 30:

Configure Guard Points – Apply Policy

Page 31:

Data-Centric Security Checklist for Cloud

If in the cloud, what are the SLAs? What are my expected responsibilities?

How will my data be encrypted?

Is my data on dedicated hardware? If not, how is data segregated?

Who has access or control over my data? How can I manage control/access?

When are audits conducted? How can I review results of audits?

Where is my data physically? Is the location physically secure?

Page 32:

Data-Centric Security Requirements

Transparent

Transparent to Business Process

Transparent to Apps / Users

Neutral Data Type

Strong

Firewall Your Data

Protect Privileged User Access

Restrict Users and Apps

Easy

Easy to Implement

Easy to Manage

Easy to Understand

Efficient

Minimal Performance Impact

Multiple Environments Perform

Rational SLAs

Page 33:

Data-Centric Security for Protecting Data in the Cloud

Strong Access Policies

Encryption and Key Management

Security Intelligence

Multi-Tenancy

PRIVATE OR PUBLIC

YOUR CLOUDS, YOUR KEYS

FIREWALL DATA: ACCESS, ENCRYPTION, SECURITY INTELLIGENCE

1 2 3

Automation

Page 34:

Cloud Security Download Whitepaper at

Vormetric.com/resources/white-papers

Thank You!

C.J. Radford, Vice President, Cloud @cjrad @vormetric #CloudSecurity

Saravanan Coimbatore, Director, Cloud Solutions