© 2015 IBM Corporation
Securing Your Cloud Applications
Nataraj (Raj) Nagaratnam, CTO for Security Solutions, IBM Security
Sreekanth Iyer, Executive IT Architect, IBM Security
Jeffrey Hoy, Cloud Security Architect, IBM Security
Agenda
• Security for Infrastructure Services (IBM SoftLayer)
• Security for Platform Services (IBM Bluemix)
Cloud is rapidly transforming the enterprise
[Figure: traditional enterprise IT and external stakeholders consuming private and public cloud across three layers: PaaS (development services), SaaS (business applications) and IaaS (infrastructure services), each with 100+ IBM offerings; example workloads shown: HR, CRM, SCM, data archive, app development, online website.]
Cloud presents the opportunity to radically transform security practices
Dynamic Cloud Security: standardized, automated, agile, and elastic
Traditional Security: manual, static, and reactive
Cloud security is not only achievable, it is an opportunity to drive the business, improve defenses and reduce risk
Clients focus on three imperatives for improving security
• Govern the usage of cloud: "How can I understand who is accessing the cloud from anywhere, at any time?" – "Going to the cloud gives me a single choke point for all user access ‒ it provides much more control."
• Protect workloads and data in the cloud: "How can I fix vulnerabilities and defend against attacks before they're exploited?" – "Cloud gives me security APIs and preconfigured policies to help protect my data and workloads."
• Detect threats with visibility across clouds: "How can I obtain a comprehensive view of cloud and traditional environments?" – "I can take advantage of centralized cloud logging and auditing interfaces to hunt for attacks."
IBM Dynamic Cloud Security
Optimize Security Operations: Manage Access, Protect Data, Gain Visibility (across SaaS, PaaS and IaaS)
Structured Approach to Cloud Security: Assess and Govern
Focus for this Session
JKE Overview
JK Enterprises (JKE)
• A multinational financial services company that offers a wide range of financial and insurance products and services
• Operates worldwide, with major offices in AP, EMEA and the US
• Employs approximately 5,500 staff
• Financial details include:
  • A combined premium income of over $2.5 billion
  • Investment assets of approximately $16.8 billion
• Customers include:
  • End customers: over 2 million insured customers
  • Brokers: over 200 registered brokers
• Has partnerships with a large number of partners, mainly in the area of brokering and financial advice
• Provides internet customers and brokers with online access to applications.
Security comes "in" (inherent in) and "on" (accessible from) the IaaS provider
Columns: Identity | Protection | Insight

Accessible "on" an IaaS cloud provider – bring your own security
• Identity: privileged admin management; access management of web workloads
• Protection: network protection ‒ firewalls, IPS, proxy; host security, vulnerability scanning; encryption and key management
• Insight: monitoring of the customer's hybrid infrastructure and workloads; log, audit, and compliance reporting; vulnerability management

Inherent "in" an IaaS cloud provider – security provided in SoftLayer
• Identity: admin user management; role and entitlement management; federation of admin users from enterprises
• Protection: isolation of VMs and dedicated instances; network firewalls, VPNs, DoS protection; encryption of data at rest and secure key store
• Insight: security monitoring of cloud infrastructure; platform intelligence; API access to cloud service logs
Security "in" (inherent in) IBM SoftLayer (IaaS)
SoftLayer security features and options:
• Physical DC security
• Logical segregation
• GeoTrust SSL certificates
• Two-factor authentication for portal administrators
• McAfee host protection
• DC site affinity option
IBM MSS - fully managed cloud security services:
• Hosted Web Defense (DDoS + WAF)
• Hosted Application Security Management Services
• Hosted Security Event and Log Management
• Hosted Vulnerability Management
• Managed FW, IDPS and UTM
• Managed Email and Web Security
Value: comprehensive security for IT assets deployed in SoftLayer. IBM SoftLayer and IBM Managed Security Services (MSS) provide comprehensive cloud security solutions and capabilities for cloud customers.
Scenario Overview (IaaS)
[Figure: JK Enterprises (JKE) moving an enterprise application and its dev/test/prod infrastructure from private cloud to public cloud.]
Description
1 JKE provisions infrastructure resources and moves to Cloud
2 JKE deploys their business application on Cloud
Privileged User Management (IaaS)
[Figure: the JKE Cloud Administrator reaches the dev/test/prod infrastructure through IBM Security Privileged Identity Management.]
1 JKE Cloud Administrator logs into SoftLayer
2 JKE Cloud Administrator provisions and sets up the required resources on Cloud
3 Weak management of passwords and administrator activities can compromise cloud systems
4 JKE implements Privileged User Management to monitor and audit cloud admin activities
5 Privileged Identity Manager captures and tracks all actions by the admin
Manage Access
Automated Provisioning of ISAM Virtual Appliance (IaaS)
[Figure: employees and agents / partners / customers reach the enterprise application through the IBM Security Access Manager Virtual Appliance.]
1 JKE wants to add web application protection for their application on cloud
2 JKE deploys the ISAM Virtual Appliance on SoftLayer (automated provisioning and configuration of the ISAM appliance on SoftLayer)
3 JKE can manage access and protect applications from attacks.
Manage Access
Log Management & Security Intelligence (IaaS)
[Figure: the JKE Security Administrator uses IBM Security QRadar SIEM to collect events from the enterprise application, the dev/test/prod infrastructure, the IBM Security Access Manager Virtual Appliance and IBM Security Privileged Identity Management; employees and agents / partners / customers are the application users.]
1 JKE Security Administrator wants visibility into their cloud infrastructure on SoftLayer
2 JKE Security Administrator uses IBM Security QRadar SIEM
3 QRadar collects all the events from security appliances, infrastructure and applications
4 QRadar detects anomalies and security threats and generates reports for audit and compliance.
Gain Visibility
IBM Security capabilities "on" SoftLayer that enhance the security of customer workloads (IaaS)
[Figure: enterprise cloud administrators and application users reach SoftLayer through the portal and APIs; consolidated logs and events feed enterprise security monitoring and IBM Virtual SOC services.]
Manage Access | Protect Data | Gain Visibility
Security comes "in" (inherent in) and "on" (accessible from) the PaaS provider
Columns: Identity | Protection | Insight

Accessible from a PaaS cloud provider ‒ design your own security
• Identity: APIs for authentication/SSO of end users, for services/apps; APIs to perform context-aware access
• Protection: security testing of app, service and APIs; key management APIs; APIs for fraud detection; IP reputation/threat intelligence APIs
• Insight: APIs for customer app log and audit; application security and real-time monitoring; application vulnerability management

Inherent "in" a PaaS cloud provider ‒ security is "baked in" to the platform
• Identity: developer registration and SSO; group management, entitlements to apps and services; federation of developers/platform users
• Protection: data protection and compliance; application container, fabric and services isolation and protection
• Insight: customer-specific log and audit trail APIs; active security monitoring of the provider (not of individual customer services)
Single Sign On (Manage Access)
Key Features
• Add user authentication to your apps with policy-based configuration
• Zero coding approach
• Integrate with existing enterprise directory with SAML
• Option to choose from identity sources like Facebook, LinkedIn, and Google
• Option to create and use your own cloud directory
[Figure: social identities and enterprise ID as identity sources for the SSO service.]
AppScan Dynamic Analyzer (Protect Data)
Key Features
• Discover vulnerabilities before putting cloud apps into production
• Minimal configuration and developer training / preparation
• Scans authenticated and unauthenticated pages and identifies security issues
• Identifies a large variety of vulnerabilities, from OWASP Top 10, SANS Top 25 and more
• Produces a detailed security report - actionable information with remediation instructions
AppScan Mobile Analyzer (Protect Data)
Key Features
• Based on Glass Box principles
• Identifies security issues in Android applications
• Produces a detailed security report
• Includes remediation steps
• Developer-targeted information.
Secure data warehousing and analytics (Protect Data)
dashDB: data encryption, data access control, activity monitoring
Key Features
• Automatic encryption for data at rest using the Advanced Encryption Standard (AES)
• Encryption for data in transit - SSL is automatically configured when a dashDB database is provisioned
• The dashDB database is continuously monitored through IBM InfoSphere Guardium
• Database access control – define who has access to what objects in the database
Security Intelligence for the hybrid cloud (Gain Visibility)
Loggregator
Key Features
• Facility to drain logs over syslog, syslog-tls or https through a user-provided service
• Includes all the events related to the app, including staging and deployment
• Capability to distinguish the logs from different instances of the application
• Device Support Module (DSM) in QRadar for parsing Cloud Foundry and application events
[Figure: cloud applications drain their logs through a user-provided service to the SIEM.]
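As an added example (not part of the original deck and not IBM's QRadar DSM), the following Python shows what a drain-side parser has to do with Loggregator output: split RFC 5424 drain lines per source and application instance, pull out staging (deployment) events, and count router status codes, while counting rather than dropping lines it cannot place. The "[SOURCE/INDEX]" PROCID layout is an assumption about the drain format, and the app GUID, hostnames and messages are constructed.

```python
import re
from collections import Counter

# RFC 5424 header plus Cloud Foundry's "[SOURCE/INDEX]" PROCID field (layout assumed, not from the deck).
DRAIN_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"\[(?P<source>[A-Za-z]+)/(?P<instance>\d+)\] (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$"
)
# Router (RTR) access messages carry the HTTP status right after the quoted request line.
RTR_STATUS_RE = re.compile(r'" (?P<status>\d{3}) ')

# Constructed sample drain output for one app; the GUID, hostnames and messages are made up.
APP = "1b2c3d4e-0000-4000-8000-000000000001"
SAMPLE_DRAIN = [
    f"<14>1 2015-06-02T20:02:31+00:00 loggregator {APP} [STG/0] - - Staging complete",
    f"<14>1 2015-06-02T20:02:35+00:00 loggregator {APP} [App/0] - - Server started on port 61000",
    f"<14>1 2015-06-02T20:02:36+00:00 loggregator {APP} [App/1] - - Server started on port 61001",
    f'<14>1 2015-06-02T20:03:10+00:00 loggregator {APP} [RTR/0] - - app.example.com - '
    f'[02/06/2015:20:03:10 +0000] "GET /login HTTP/1.1" 401 0 12 "-" "curl/7.43.0"',
    f'<14>1 2015-06-02T20:03:11+00:00 loggregator {APP} [RTR/0] - - app.example.com - '
    f'[02/06/2015:20:03:11 +0000] "GET / HTTP/1.1" 200 0 512 "-" "Mozilla/5.0"',
    f"<14>1 2015-06-02T20:03:12+00:00 loggregator {APP} [App/0] - - Login failed for user alice",
    "a line that is not in drain format and that a parser must reject, not guess at",
]

def parse_drain_line(line):
    """Return the fields of one drain line as a dict, or None if the line is not CF-shaped."""
    m = DRAIN_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["instance"] = int(rec["instance"])
    pri = int(rec["pri"])
    rec["facility"], rec["severity"] = pri >> 3, pri & 0x07  # RFC 5424 PRI = facility*8 + severity
    return rec

def summarize(lines):
    """Group events per source/instance, collect staging (deployment) events and router statuses."""
    per_instance, statuses, staging, unparsed = Counter(), Counter(), [], 0
    for line in lines:
        rec = parse_drain_line(line)
        if rec is None:
            unparsed += 1  # count, never silently drop, lines the parser cannot place
            continue
        per_instance[f"{rec['source']}/{rec['instance']}"] += 1
        if rec["source"].upper() == "STG":
            staging.append(rec["msg"])  # staging/deploy events are change records worth auditing
        elif rec["source"].upper() == "RTR":
            s = RTR_STATUS_RE.search(rec["msg"])
            if s:
                statuses[int(s.group("status"))] += 1
    return {"per_instance": dict(per_instance), "staging": staging, "statuses": dict(statuses), "unparsed": unparsed}
```

On the constructed sample, `summarize(SAMPLE_DRAIN)` attributes two events to App/0 and one to App/1, records the single staging event, counts one 401 and one 200 from the router, and reports one unparsed line.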
SSO Access to Bluemix Application (PaaS)
[Figure: JKE employees reach a partner-hosted HealthCare application through Single Sign On (SSO) on IBM Bluemix.]
1 JKE employees want to access a business app deployed on Cloud by a JKE partner
2 JKE uses Identity as an SSO Service on Bluemix
3 Employees access the Bluemix application seamlessly using their enterprise/intranet ID (SAML federation using Enterprise Bridge)
Manage Access
Social Access to Cloud Application (PaaS)
[Figure: the marketing department's app developers build a social application on public cloud; agents / partners / customers sign in through Single Sign On (SSO) on IBM Bluemix.]
1 Marketing team wants to develop a new Cloud Systems of Engagement app
2 Uses the IBM SSO Service offering on Bluemix for SSO
3 Customers can access the Bluemix app using their social IDs
4 IDs of contractors / agents hired for the marketing campaign are managed in the Cloud Directory
Manage Access
Cloud Application Security & Protection (PaaS)
[Figure: app developers (JKE subsidiary) scan an Internet application with IBM AppScan Dynamic Analyzer on Bluemix.]
1 App developer wants to ensure the application is secure and there are no vulnerabilities
2 App developer uses the IBM AppScan Dynamic Analysis Service on Bluemix
3 App developer gets a report on the app's vulnerabilities and threats, with recommendations on how to fix them
Protect Data
Securing Mobile Application (PaaS)
[Figure: app developers upload a mobile application to IBM AppScan Mobile Analyzer on Bluemix.]
1 App developer wants to ensure the mobile application is secure and has no vulnerabilities
2 App developer uses the IBM AppScan Mobile Analyzer Service on Bluemix
3 App developer uploads the mobile application file (.apk)
4 App developer gets a report on the mobile app's vulnerabilities and threats, with recommendations
Protect Data
Database Service Security & Protection (PaaS)
[Figure: JKE app developers use dashDB on public cloud; InfoSphere Guardium monitors access to the data.]
1 JKE uses managed data warehousing and analytics services from the cloud (dashDB)
2 App developer wants to ensure that access to the data is monitored
3 JKE gets reports on sensitive data access on the cloud
Protect Data
Security Intelligence for Bluemix Apps (PaaS)
[Figure: the JKE Security Administrator uses IBM Security QRadar SIEM to monitor an Internet application built by JKE app development on public cloud.]
1 JKE Security Administrator wants visibility into their application on the cloud
2 JKE Security Administrator uses IBM Security QRadar SIEM
3 QRadar collects all the events related to the Bluemix application
4 QRadar detects anomalies and security threats and generates reports for audit and compliance.
Gain Visibility
Cloud Security Standards* (Manage Access | Protect Data | Gain Visibility)
Encryption: Kerberos, RSA, AES, Triple-DES; X.509 certificates; SHA hashing; KMIP key management
• ISO 27018 Data Protection for Cloud Services
• PCI-DSS Controls for Card Data
• ISO 24760 ID Management Architecture
• ISO 17789 Cloud Computing Reference Architecture
• ISO 29101 Privacy Architecture Framework
• ISO 27017 Information Security Controls for Cloud Services
• ISO 19794 Biometric Interchange Formats
• ISO 19086 Cloud SLAs
• CADF Cloud Audit Data Federation
• CSCC publications:
  o Security for Cloud Computing: 10 Steps to Ensure Success Version 2.0
  o Practical Guide to Cloud SLAs
  o Practical Guide to Cloud Computing Version 2.0
  o Cloud Security Standards: What to Expect & Negotiate
* Indicative list only
Cloud Computing Reference Architecture (CCRA): providing prescriptive guidance to secure client cloud adoption patterns
• Cloud Enabled Data Center: integrated service management, automation, provisioning, self service
• Cloud Platform Services: pre-built, pre-integrated IT infrastructures tuned to application-specific needs
• Cloud Service Provider: advanced platform for creating, managing, and monetizing cloud services
• Business Solutions on Cloud: capabilities provided to consumers for using a provider's applications
Workload patterns: Big Data / Analytics workload on cloud; Social / Mobile workloads on cloud; Federal/Government workloads on cloud (G Cloud)
IBM Dynamic Cloud Security Portfolio (across SaaS, PaaS and IaaS)
• Manage Access: safeguard people, applications, and devices connecting to the cloud
• Protect Data: identify vulnerabilities and help prevent attacks targeting sensitive data
• Gain Visibility: monitor the cloud for security breaches and compliance violations
• Optimize Security Operations: deliver a consolidated view of your security operations – at unprecedented speed and agility
New offerings: Cloud Security Intelligence, Cloud Identity Services, Cloud Sign On Service, Cloud Access Manager, Cloud Privileged Identity Manager, Cloud Data Activity Monitoring, Cloud Mobile Application Analyzer, Cloud Web Application Analyzer, Intelligent Threat Protection Cloud, Cloud Security Managed Services, Security Intelligence and Operations Consulting Services
Learn more about IBM Security
• Visit our website: IBM Security Website
• Watch our videos: IBM Security YouTube Channel
• Read new blog posts: SecurityIntelligence.com
• Follow us on Twitter: @ibmsecurity
IBM Security: Intelligence. Integration. Expertise.
Notices and Disclaimers
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or
transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with
IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been
reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM
shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY,
EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF
THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT
OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the
agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without
notice.
Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are
presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual
performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services do not imply that IBM intends to make such products,
programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not
necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither
intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer's responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal
counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's
business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or
represent or warrant that its services or products will ensure that the customer is in compliance with any law.
Notices and Disclaimers (cont'd)
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products in connection with this
publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM
products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to
interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any
IBM patents, copyrights, trademarks or other intellectual property right.
• IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document
Management System™, Global Business Services ®, Global Technology Services ®, Information on Demand,
ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™,
PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®,
pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®,
urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of
International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on
the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.