© 2016 IBM Corporation

IBM Security

1 © 2016 IBM Corporation

Securing the Cloud: Making Cloud an Opportunity to Enhance Security

February 2016 Greg Coughlin Director, IBM Security @JGCoughlin

© 2016 IBM Corporation

IBM Security

2

The rise of Shadow IT?

© 2016 IBM Corporation

IBM Security

3

Security reality – we have all been compromised

only 1 out of 100

security compromises are ever detected

General Keith Alexander, Head of U.S. Cyber Command, in a speech to the American

Enterprise Institute

1,764,121 Represents the number of security events the average organization of 15K employees will capture weekly

324 of these events represent actual attacks, per week

2.1 of these attacks will result in an incident, per week, – a 22% annual increase

2014 IBM Cybersecurity Intelligence Index

Security Principles for Leaders

© 2016 IBM Corporation

IBM Security

4

Are you a disruptor or a disruptee? Transformative technologies are disrupting industries

Source: Joint IBV/EIU Cloud-enabled Business Model Survey of 572 business & IT leaders

Mobile revolution Connectivity, access and participation are growing rapidly

Social media explosion Quickly becoming the primary communication & collaboration format

Hyper digitization Digital content is produced and accessed more quickly than ever before

The power of analytics Real time analysis, predictive analytics and micro-segmentation emerging

Transformational cloud – Cloud’s attributes make it a powerful delivery model delivering new business models, cost benefits, flexibility and large on-demand capacity

Gmail, Facebook, Linkedin are pioneer examples of cloud computing with advertisement based revenue and cloud’s low cost delivery model sustaining free services

Ecosystem of connected health and wellness apps that delivers a consolidated view of users’ health. Strong & growing ecosystem with APIs and Apps that cover all aspects of health care 1

The Xerox Mobile Print platform uses cloud to convert and process print requests. This removes complexity from end-users, reduces costs & management of diverse devices and print configurations

© 2016 IBM Corporation

IBM Security

5

Governments are being hit by multiple disruptive global shifts – urbanization, aging populations and structure of the global economy

Source: [1] Swiss Re. 2014. Natural catastrophes and man-made disasters in 2013: large losses from floods and hail; Haiyan hits the Philippines. Sigma Study, No 1/2014.; [2] http://www.imf.org/external/Pubs/ft/weo/2014/01/pdf/text.pdf

Number of Catastrophic Events, 1970 – 20131

2014 GDP Growth decline2

Unstable economic conditions

High competition for residents and businesses

Change in citizen demands

Increase of dependency ratio

Increase in catastrophic events

© 2016 IBM Corporation

IBM Security

6

Government CxOs expect rising cyber risk and the “anywhere” workplace to have the greatest impact

Industry convergence

The “anywhere” workplace

Rising cyber risk The redistribution of consumer purchasing power The sustainability imperative Alternative finance and financing mechanisms The sharing economy

Top trends to impact business (in 3 to 5 years)

66% 49%

50% 65%

46% 67%

43% 18%

32% 39%

25% 17%

24% 26%

Global Government

Source: Redefining Boundaries – Insights from the Global C-Suite Study, IBM Institute for Business Value

© 2016 IBM Corporation

IBM Security

7

Cloudy Security: So What’s the Problem?

1 in 3 Fortune 1000 employees

upload corporate data to cloud apps

50% of millennials use third-party

cloud apps at work

1 in 4 Fortune 1000 employees

use corporate log-in details for cloud apps

60% of employees know using external apps

is a violation of their company’s security policy

On behalf of IBM Security, Ketchum Global Research & Analytics (KGRA) conducted an online survey using the services of Ipsos Public Affairs. The survey interviewed 1,001 full-time employees at Fortune 1000 companies. The survey was fielded from July 27 to 31, 2015.

Source: IBM Internal Research

© 2016 IBM Corporation

IBM Security

8

Use five fundamental security principles to help guide you

(incidents will happen)

Prepare to respond, faster

(train, test, trick)

Increase the security IQ of every employee

(analytics = threat insights)

Leverage security intelligence

Protect your crown jewels

(define, protect, monitor) (the vanishing perimeter)

Safeguard cloud and mobile

Security Principles for Leaders

© 2016 IBM Corporation

IBM Security

9

Deploy a secure foundation to help protect and enable innovation

Safeguard cloud and mobile

1) Harris Interactive, 2012; 2) Global Mobile Enterprise 2011-2017 Forecast, Strategy Analytics, 2) IDC, Five Steps to Successful Integrated Cloud Management, May 2011, 3) 2013 IDC US Cloud Security Survey

Protect the data

Protect the apps

Manage the device

Protect the transaction

Corporate container

Security Principles for Leaders

Make cloud an opportunity to enhance security

Integrated security for public and private clouds

IaaS PaaS SaaS

of employed adults use at least one personally- owned device for business1

of users surveyed had corporate security on their personal devices1

of new apps will be deployed via the cloud2

of firms discovered cloud usage outside of IT or security policies3

© 2016 IBM Corporation

IBM Security

10

Steps to Empowering Employees To Securely Use Cloud Services 5

1. Discover 2. Identify 3. Track 4. Respond 5. Empower

Source: https://securityintelligence.com/five-tips-for-a-safer-cloud/

© 2016 IBM Corporation

IBM Security

11

How? Cloud Access Security Brokers (CASB)

“Since their emergence in 2012, CASBs have grown in importance and today are the primary technical means of giving organizations more control over SaaS security. This technology will become an essential component of SaaS deployments by 2017.”

© 2016 IBM Corporation

IBM Security

12

How can you protect what you can’t see?

Cloud Applications

Mobile Employees

CASBs are an important visibility tool for CISOs

CASBs collect cloud app usage details on traffic going through corporate gateways

Mobile users can go directly to cloud apps – creating the “mobile blind spot”

§  Cellular networks •  Both in and out of the office

§  Home WiFi or mobile hot spots §  Adds risk of malware, risky behavior,

and corporate policy violations

On-Premises and Remote / VPN Employees

Web gateway, Firewall, IPS, etc.

CASBs

“Blind spots” still exist for mobile usage

© 2016 IBM Corporation

IBM Security

13

MOBILE

BYOD

ON PREM

RISKY APPS

APPROVED APPS

Leverage SaaS solutions to help securely deploy Cloud Services

EMPLOYEES

Identity and Access Control

Threat Prevention

Policy Enforcement

Discovery and Visibility

Cloud Event Correlation

DETECT CONNECT PROTECT

Cloud Access Security

Broker

© 2016 IBM Corporation

IBM Security

14

Underneath the Hood

User, App, Device Analytics & Event Correlator

Application Federated SSO

Connectors

App

Application Discovery

App App

App

Delegated Entitlement

Management

End User Launchpad & Application Catalog

Access Policy Enforcement

Cloud Registry

IBM Cloud Security Enforcer

. . . (plus many more)

Enterprise Bridge Appliance Log

Collection ID

Bridge Directory

Sync

World Wide Mobile Cloud Proxy

Client Gateway [VPN] Threat Prevention

Microsoft Active Directory

ENTERPRISE

© 2016 IBM Corporation

IBM Security

15

How to make Cloud an opportunity to enhance security?

Initiate a dialogue with your line of business partners on Shadow IT

Build out your organization’s Security strategy to embrace Cloud, Mobile and SaaS Choose a Cloud Access Security Broker that incorporates Identity, Cognitive and SaaS

©2016 IBM Corporation 15

© 2016 IBM Corporation

IBM Security

16

Resources

White Papers: IDC – CISO’s Guide to Enabling a Cloud Strategic Focus on SAAS (http://idcdocserv.com/259429) Gartner - How to Evaluate and Operate a Cloud Access Security Broker (http://www.gartner.com/technology/reprints.do?id=12U47O25&ct=151215&st=sb) 451 Research - Big Blue goes all ‘startup’ with homegrown SaaS security offering (ask IBM for a copy)

Seminar: SecurityIntelligence.com - The New Cloud Security Hero: Cloud Security Enforcer Thought Leadership and Articles: • Major Misconceptions About Cloud Security in European Financial Sector, New Survey Shows • Treat Technical Debt Like a Bad Relationship • 2015 Was the Year of the Health Care Data Breach, But Cloud Sails Around the Storm • Taking Notice: Security Analysts Weigh In on IBM Cloud Security Enforcer • Is Cloud Security Enforcer on Your Radar?

IBMatReboot @IBMSecurity

17

DropoffyourfeedbackformforaFREEGi:atIBMBooth#16

© 2016 IBM Corporation

IBM Security

18

www.ibm.com/security

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.