
Risk management for Cloud computing

Vikalp Nagori
IBM Security Services

viknagor@in.ibm.com

2016 IBM Corporation


Introduction to Cloud Computing
Benefits, models, services

Characteristics & Benefits

Cloud computing offers massive scalability, virtual computing power, storage, and application resources
On demand, scalable, elastic
Achieve economies of scale
Reduce CapEx by moving to OpEx
Improve access
Implement agile development at low cost
Leverage a global workforce

Delivery Models
Public Cloud
Hybrid Cloud
Private Cloud

Services
IaaS
PaaS
SaaS



Risk Management in Cloud
Typical risks that should be addressed in the Cloud

Loss of governance
Compliance and legal risk
Responsibility ambiguity
Isolation failure
Data protection
Insecure or incomplete data deletion
Handling of security incidents
Service unavailability
Business failure of the provider



Compliance and legal considerations

It is necessary to classify your data so as to know what rules must apply to protecting it:
Its sensitivity: must it only exist at specific trust levels? If so, which?
What regulatory/compliance restrictions apply? For example, must it stay within your national boundary?

With an understanding of what security you need to apply to your data, decide:
What data and processes to move to the Cloud
What services to operate in the Cloud
Which Cloud formations are best suited to your needs



Loss of governance
How do I hug my servers?

The consumer organization will have its own organizational policies, standards and adopted best practices (e.g. ISO 27001)
Governance is about defining the organizing principles and rules
Examples: authentication strength, event management, vulnerability management

Evaluate the Cloud service provider's governance model and compliance



Responsibility Ambiguity
Who's who in the zoo

Roles and responsibilities of the Cloud provider
Responsibilities of the Consumer
Scope and responsibilities of 3rd parties

Define a RACI (Responsible, Accountable, Consulted, Informed)

Define who is responsible for:
Compliance and governance
Authentication, access management
Data security; key management
Event monitoring
Incident response
Backup, secure disposal etc.



Isolation failure
A cocktail is not always good

Governance
Data co-mingling
Confidentiality and integrity compromise
Legal and regulatory issues
Service management: resources
Data disposal
Return of data

Controls
Separate database instance
Cryptography



Data protection
Protect data with defense in depth

Identity and Access Management
Secure hardened Operating System
Perimeter network security
Network segmentation
Application security
Database security
Data encryption
Security monitoring



Insecure or incomplete data deletion
Managing data on contract termination

Open standards
Data return on contract termination
Secure data disposal



Handling of Security Incidents
Determine the capability to detect and respond to security incidents

Capability to do forensic investigation
Availability of an audit trail
Coordination with CERT
Coordination with law enforcement agencies



Service unavailability
Manage the impact of a service outage

What is the impact of service unavailability?
What are the business continuity plans?
Is the consuming organization's business continuity policy enforced in the cloud?

Agreement and periodic testing of BC/DR capabilities
Test RTO/RPO
Contractual liabilities



Business failure of the provider
Manage the risk from the service provider's business failure

What if the service provider closes shop?

Custody of data?
Service transfer to another provider or on-premise?
Open standards followed by the service provider?



IBM's Point of View on Cloud Security


Security is a joint responsibility between the customer and the Cloud provider

Customer applications & services
Enterprise: Directory, Database

Platform Security Services
1. Identity and Access
2. Network security
3. Data protection
4. Secure DevOps
5. Security monitoring & intelligence

IBM Cloud Security policies, practices and processes

Security Operations & Compliance
1. Security monitoring
2. Network protection
3. Workload isolation
4. Harden VMs & Containers
5. Application threat protection
6. Privileged user management
7. Pen testing
8. Compliance/Certification

Physical & Environmental Security


1. Manage identity & access to the cloud workloads

Application users
Platform users

Cloud Identity and Access Management, and Application Single Sign-On

Solution Approach
Manage identity and access of your platform users (developers and admins)
Consistently add user authentication and single sign-on to on-premise and cloud applications
Integrate using open standards, enabling application integration, enterprise federation and social login

Granular access control
Configure so that security admins can change encryption keys
Consistent model across services, roles, users and apps
Manage identity & access consistently across hybrid cloud

[Diagram: the Security Team & Ops Team manage consistent identity & access policies for Consumer / Employee Applications. Enterprise Identity (Enterprise Directory, on-premise and local deployments) is federated through a Web Access Gateway to Cloud Resources (Applications, Data, Compute, Mobile) in Public/Dedicated Cloud deployments.]

Identity & Access Management for hybrid cloud

Solution Approach
Enterprise identity federation for platform users
Application users & access: employees, customers, partners
Consistent across web & mobile access


2. Network security is being re-defined, enabling defense in depth

Network security from the Cloud
e.g., Customers use Akamai to protect a banking app from DDoS attacks
Cloud hosted proxies
Cloud-scale protection from DDoS
Web application firewalls

Firewalls & IPS are table stakes
e.g., Customer uses firewall and IPS to build a DMZ in SoftLayer
Firewalls, Intrusion Prevention (IPS)
VPN for enterprise connectivity

Micro-segmentation is evolving
e.g., Isolate the data tier from web apps using a Vyatta router in SoftLayer
Network security groups
Network segmentation in SoftLayer (using Vyatta)

[Diagram: a Cloud Security Proxy in front of a cloud DMZ, with Apps & services and Analytics behind it and a separate data zone.]
IBM VPN (VPN as a service)

Key Features

The IBM Virtual Private Network service for Bluemix is available to securely access IBM Containers (Docker containers) inside the IBM Bluemix cloud environment.
You can use the IBM Bluemix cloud environment as an extension of your corporate data center.
You can also connect to SoftLayer servers using the IBM VPN service.
The IBM Virtual Private Network (VPN) service provides secure IP-layer connectivity between your on-premise data center and your IBM Bluemix cloud.
It uses the Internet Protocol Security (IPsec) protocol suite to protect IP communication between endpoints residing on your private subnets.
An IPsec-compatible VPN gateway is required in your on-premise data center to establish secure connectivity with the IBM VPN service. No other client software is necessary.



3. Data protection objectives drive Cloud deployment models

Classification-based decisions
e.g., CISOs decide that confidential data should be deployed in Bluemix Dedicated
Sensitive data stays on-prem
Confidential data considered
Regulatory compliance drives decisions

Policy-driven encryption
e.g., Customer uses a solution to encrypt all files
File-based encryption (ICDES)
Cleversafe object store encryption
Cloudant & dashDB encryption

Key management
e.g., Customer uses IBM KeyProtect to create their encryption keys
Key management service
Hardware security modules
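The classification step from the compliance slide (what trust level does the data need, which residency or regulatory rules apply, which Cloud formation may hold it) and the "Classification-based decisions" column above, expressed as a placement check. This is an added example, not code from the deck or from IBM; the sensitivity tiers, the formation-to-trust mapping, the country codes and the customer-managed-key rule are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List

class Sensitivity(IntEnum):
    """Ordered trust levels; higher data needs a more trusted formation."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SENSITIVE = 3  # e.g. regulated personal or financial data

# Constructed mapping: cloud formation -> highest sensitivity it may hold.
# Mirrors the deck's rule of thumb: sensitive data stays on-prem,
# confidential data goes to a dedicated environment, the rest may be shared.
FORMATION_TRUST = {
    "public": Sensitivity.INTERNAL,
    "dedicated": Sensitivity.CONFIDENTIAL,
    "private_on_prem": Sensitivity.SENSITIVE,
}

@dataclass(frozen=True)
class DataSet:
    name: str
    sensitivity: Sensitivity
    residency: str = ""            # country the data must not leave ("" = none)
    encrypt_at_rest: bool = False  # regulatory requirement, if any

@dataclass(frozen=True)
class Deployment:
    formation: str          # a key of FORMATION_TRUST
    country: str            # where the provider's region is located
    encrypted_at_rest: bool
    customer_managed_keys: bool

def allowed_formations(data: DataSet) -> List[str]:
    """Formations trusted enough to hold this data set."""
    return sorted(f for f, t in FORMATION_TRUST.items() if t >= data.sensitivity)

def check_placement(data: DataSet, target: Deployment) -> List[str]:
    """Return policy violations for moving data to target; [] means allowed."""
    issues = []
    if target.formation not in allowed_formations(data):
        issues.append(f"{data.sensitivity.name} data may not live in {target.formation}")
    if data.residency and target.country != data.residency:
        issues.append(f"must stay in {data.residency}, target region is in {target.country}")
    if data.encrypt_at_rest and not target.encrypted_at_rest:
        issues.append("encryption at rest is required but not enabled")
    if data.sensitivity >= Sensitivity.CONFIDENTIAL and not target.customer_managed_keys:
        issues.append("confidential or higher data requires customer-managed keys")
    return issues
```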

4. Secure DevOps: vulnerability and patch management

Containers enable a new model
e.g., Customer uses Vulnerability Advisor to assess container images
Vulnerability analysis
Remediation in DevOps

VMs are still traditional
e.g., Customer uses BigFix to patch all VMs and fix Linux security vulnerabilities
Configuration and patch management
Enterprise security policies (IEM)
VM-based models for lift & shift apps

Application security
e.g., Customer uses the Application Security service to scan web apps and mobile
Application security scanning
Mobile and web apps
Secure engineering and proactive

Innovating in container security with IBM Research

5. Security monitoring and intelligence are required to gain confidence

Access trails and audit logs
e.g., All administrative access is logged in Bluemix Cloud
Dedicated Bluemix provides all logs
Application logs integration
Continuous monitoring for attacks and threats

Identify Cloud incidents
e.g., Customer uses analytics tools to correlate traffic to identify a malicious app
All platform logs and events can be sent to an on-prem SIEM (Dedicated Bluemix)
Incident management and reporting

Enterprise security intelligence
e.g., CISO wants all logs and events integrated into their on-prem QRadar
Customers use their SIEM
Cloud and on-prem security monitoring

[Diagram: Customer workloads feed Cloud security insight, which feeds the Enterprise SIEM / Enterprise SOC.]
IBM Cloud - Platform Provider Security

IBM Core Security Practices
Security Policies

Functional
Authentication
Authorization
Security Logging
Data Protection
Secure application development practices

Infrastructure
Environment Isolation
Firewalls
Intrusion Prevention
Container Scan
Operating system security hardening

Operational Security
Vulnerability Scanning
Automated Patch Management
Security Intelligence
Secure User Access
Governance
Privileged Identity Management

Services
Authentication (SSO Service, Federated Sign On, Cloud Registry)
Application security
Data security
Cloud Integration Service

Compliance Certifications

Physical & Environmental Security



Security Assurance for Managed Hosting
Compliance without complication.
Our compliance department works with independent auditors and third-party organizations to meet the industry's most stringent guidelines and to provide reports and information for your own compliance needs.
The physical and virtual controls of our facilities, network, and customer portal are an extension of your own, and we make it easy for you to get the information you need for your own audits.

SOC Reports
SoftLayer provides SOC 1, SOC 2 and SOC 3 reports. These reports evaluate SoftLayer's operational controls with respect to criteria set by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. See the SoftLayer SOC 3 report.

ISO 27001
ISO 27001 is a widely adopted global security standard that outlines the requirements for information security management systems and provides a systematic approach to managing company and customer information based on periodic risk assessments. See the SoftLayer ISO 27001:2013 Certificate of Registration.

ISO/IEC 27017:2015
ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provisioning and use of cloud services, as well as implementation guidance for both cloud service providers and cloud service customers. See the SoftLayer ISO 27017:2015 Certificate of Registration.

Cloud Security Alliance STAR Registrant
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing. Read SoftLayer's STAR Consensus Assessment Initiative Questionnaire.

PCI
We help our customers meet their PCI compliance needs by providing an Attestation of Compliance from an independent QSA. The Attestation of Compliance can be used in conjunction with our SOC 2 report and ISO 27001 certification to demonstrate that the infrastructure meets the PCI controls.

HIPAA
The SoftLayer cloud platform meets all of the necessary requirements for HIPAA on the data center/service provider side.

http://www.softlayer.com/compliance



Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks
on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access.
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU
www.ibm.com/security

Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBMs sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries
or both. Other company, product, or service names may be trademarks or service marks of others.
