An Executive Brief Sponsored by IBM. Michael Suby Vice President of Research

Transcription

1 An Executive Brief Sponsored by IBM Michael Suby Vice President of Research September 2015

2 Cloud Computing without Security Compromises Cloud computing is a new page in how information technology (IT) is accomplished. But cloud computing is more than just a page when security is the focus; it is a chapter. General-purpose clouds, page one, are designed to secure workloads up to a point. That point is: you, the user, are reliant on the cloud provider to secure the underlying cloud environment the servers, its operating system, and the virtualization layer. This is the shared security model of the cloud; a portion of security responsibility resides with the cloud provider, and the rest resides with the users. In response to this shared security model, IBM has taken innovative measures to secure its SoftLayer cloud platform. The inclusion of Intel TXT-based servers in its SoftLayer Infrastructure as a Service (IaaS) service options, and the development of IBM Cloud Data Encryption Services (ICDES) based on Security First Corp. s SPx data-centric cyber defense technology is a one-two punch in widening the gates to cloud computing for sensitive workloads. Furthermore, IBM s cloud advanced data security approach is flexible, transparent to end users, affordable, and administratively lightweight attributes that should not go unnoticed for enterprises as they evaluate their cloud options. For many workloads, having a shared security model is sufficient, as cloud providers have designed their environments to be secure. It is like your home: in compliance with building codes, doors and windows have locks, a smoke detector on each floor, and there is a streetlight and a fire hydrant nearby standard security, suitable for most homeowners. But what about in business, when your workloads are more sensitive in nature and have less risk tolerance and higher security standards? What can be done to support them in the cloud? What extra security components do you need to be confident that your cloud-hosted workloads have top-shelf, affordable security, when that level of security is a necessity? Cloud computing also shines a spotlight on data protection. While this may seem slightly odd, as securing and protecting data resides predominately on the user side of the shared security model, the distributed, fluid, and ephemeral attributes of cloud computing raises the stakes on data protection. Essentially, how can cloud users ensure that their sensitive data is adequately protected while in the cloud and outside of their enterprise environment? Just as cloud computing is a new page in IT, security can also turn to a new page or two. This new security page in a world of clouds, gratefully, can be one of administrative ease and end user transparency, even while a higher tier of security is delivered. Better security without additional burden or restrictions is this really possible? In this article we describe how it is possible; how IBM has merged Intel Trusted Execution Technology (Intel TXT) into its SoftLayer IaaS offerings and its IBM Cloud Data Encryption Services to deliver on the promise of cloud computing without compromises in security. Cloud Layers Data Interfaces (APIs, GUIs) Applications Solution Stack Guest OS Virtual Machines Virtual Network Interfaces Hypervisor Process and Memory (including BIOS and host OS) Data Storage Network Data Centers IaaS Cloud Users Responsibility Cloud Provider s Responsibility

3 Stratecast Frost & Sullivan There are many constituents involved in an organization s adoption and use of cloud services. Some are deeply engaged; such as, business leaders, IT, and finance; while others are concerned citizens and, at times, very vocal: such as end users. The information security (InfoSec) team is also part of the deeply engaged segment. Their interest and role, as expected, is in managing a wide range of security risks, such as cyber threats aimed at compromising systems; as well as preventing and mitigating unauthorized and fraudulent access to sensitive data all in a timely and reliably effective manner. Like the other constituents, InfoSec professionals are tuned into the wave of cloud adoption. Data from surveys 1 of InfoSec professionals by (ISC) 2 highlight InfoSec professionals dramatically changed perspectives on cloud adoption from a generalized we ll see perspective to one of it is real and will grow significantly. The chart below illustrates this perspective change over the last two biannual surveys. Even though cloud usage is expected to increase, InfoSec professionals are concerned about security threats. Asked about their greatest cloud security threats, the threats of a data breach or data loss were rated as either a top or high concern by approximately three-quarters of the survey respondents. As further demonstration of the intensity of this concern, these two cloud security threats ranked a minimum of 10 percentage points higher in concern than any other cloud security threat. The next two highest rated threats were: Account Hijacking (61% rating this threat as a top or high concern), followed by Malicious Insiders (59%). Very pertinent to InfoSec professionals is whether they can advise their organizations on using cloud services to a fuller extent, such as for workloads containing sensitive data, with the confidence that security risks are appropriately addressed. This is a challenge, as the InfoSec workforce is chronically understaffed. To place a finer point on the understaffing challenge is the high level of concern InfoSec professionals voiced regarding security technology sprawl; that is, the growing number of security technology products, vendors, and management consoles that weigh heavily on their security operations. This operational challenge further intensifies as enterprises add cloud environments to their IT footprints. As shown in the following chart, two-thirds of InfoSec professionals are either somewhat or very concerned about security technology sprawl. 1 Frost & Sullivan analysis on the survey data is contained in The 2015 (ISC) 2 Global Information Security Workforce Study.

4 Cloud Computing without Security Compromises Considering these perspectives of InfoSec professionals, what is an organization to do? The cloud will have a growing IT presence. Yet, security concerns could have a restraining impact; and expanding into cloud environments could materially add to an existing overload in security operations, resulting in less than optimal security oversight. In other words, how can an organization leverage the cloud to a fuller extent while balancing risk and operational effort? Furthermore, how can an organization maintain control over its data at all times when that data is stored outside of its premises? The answer is to choose cloud environments at a workload level, based on each workload s risk tolerance. And, as part of this evaluation, check under the hood the actual infrastructure of the highly secure cloud environments, to learn how risk is mitigated without increasing the operational effort of the organization s InfoSec staff. IBM SoftLayer, a provider of IaaS offerings, recognizes that a one size fits all approach is inconsistent with organizations varying security and performance requirements. To that end, the company offers choice: IaaS provisioned on bare metal servers and virtual servers. Additionally, for organizations that require the highest standards of security without compromising performance, IBM SoftLayer offers IaaS provisioned on bare metal servers equipped with Intel TXT. With Intel TXT, IBM SoftLayer customers gain an extra level of assurance on the integrity of the servers in their IaaS environments. What this means is that these customers can reach through the cloud provider-user demarcation in the shared security model, and pick up validating attestation that the servers in IBM s data centers that host their workloads are in a known good state and, of equal importance, whether not in a known good state. The practical aspects of this attestation are straightforward. At each server launch, Intel TXT conducts a processor-based (i.e., baked into silicon) evaluation of the platform software: firmware, BIOS, operating system, and hypervisor. Compared to a version of a known-good system

5 Stratecast Frost & Sullivan configuration, Intel TXT determines if compromises or abnormalities are present in any layer of the platform s software at launch time. If there are none, a root of trust has been established; that is, trusted integrity of the software is built and carried forward from a high integrity foundation the server hardware (i.e., the root). With this software integrity attestation, IBM SoftLayer customers can create and apply policies for their workload applications involving sensitive workloads and data. Again simplistically, if attestation is positive, they can spin up the workload s application. If negative, they suspend launch; or launch, but note that positive attestation is not present. As this attestation information can be automatically fed into standard VM management tools and Security Information & Event Management (SIEM) and Governance, Risk, and Compliance (GRC) systems, the incremental operational overhead to the InfoSec staff is inconsequential; that is, no need to learn and use an additional security console. What is not inconsequential is that IBM SoftLayer customers now have an auditable means to demonstrate integrity of the infrastructure hosting their sensitive workloads in a cloud environment; something they did not have before. Another noteworthy example of the benefits of attestation of the platform s software integrity pertains to vmotion. As workloads move among servers, policies can be established to only permit movement to servers that have received a positive attestation. vmotion is a beneficial performance and reliability feature. With Intel TXT in IBM SoftLayer bare metal servers, high security standards are not undermined in the use of vmotion. Similar Intel TXT-based policies can be applied in corralling workloads to specific physical locations (i.e., data centers) running Intel TXT-equipped servers. This is a clear benefit for organizations that operate in regions that have strict data locality or sovereignty regulations. Geo-defined policies, the records on servers that contain regulated data, and the security integrity of those servers can also be automatically fed into a SIEM or GRC system. This systematized control and recordkeeping eases the burden of proof for the organization s compliance personnel. IBM Cloud Data Encryption Services (ICDES) is another new page in the cloud security chapter. This page is dedicated to advanced data-centric protection to help safeguard data, even when network protection fails. This highly efficient, kernel-level software combines data protection, data fault tolerance and simplified key management. These combined capabilities yield the economics and flexibility of virtualization expected from cloud environments. Of high significance, ICDES goes beyond conventional file encryption, and is not reliant on an administrativeheavy key management system. Here s how ICDES accomplishes this: The ICDES software is installed on a server or a secure data-store for a virtual environment. Specific directories and/or files can then be designated for protection. Files containing sensitive data are then stored in these designated directories, and protected using a patented cryptographic splitting process. The first step in the data protection process encrypts the file using AES-256 encryption (i.e., conventional file encryption). Each file uses a unique encryption key, and those keys are handled internally within ICDES.

6 Cloud Computing without Security Compromises Going beyond traditional encryption, the encrypted files are then randomly split into multiple shares using a unique splitting key. This unique splitting key is also handled internally by ICDES. The file s crypto keys are then cryptographically wrapped and split into data shares. A master key and a set of workgroup keys are used to put the keys back together, collect the encrypted file shares, and then reassemble the shares, in order for the file to be unlocked (decrypted). Because each share contains only a subset of electronic bits that constitute the file s sensitive content, a stolen share cannot be subjected to a brute force attack, and cannot be decrypted. Even if a data breach were to occur, sensitive data is not exposed. This is similar to a physically shredded hard drive; a fragment by itself is worthless. The data shares are then potentially dispersed to as many unique storage locations as there are shares. Locations can be multiple physical or virtual servers in a single data center, servers in geographically separated data centers, multiple cloud storage environments, or any combination of these. By dispersing the shares over multiple locations, the difficulty for would-be data thieves is compounded, as multiple locations would need to be found, compromised, and their stored share or shares exfiltrated analogous to a scavenger hunt without any clues. Then, of course, each share would need the unique splitting key to be reassembled; and the encrypted data would have to be subjected to a brute force attack before the sensitive content could be accessed (i.e., the fragments of the shredded hard drive correctly arranged and glued together). Also, since the storage locations are not bound by data protection standards (advanced data-centric protection is accomplished as a software overlay through bit-level encryption, a keyed information dispersal algorithm, share dispersion and share keyed authentication, along with an easy to use key management system of which is FIPS140-2 certified), the organization can choose low-cost public cloud storage. Additionally, high availability of data and disaster recovery architectures can be implemented on the fly using ICDES with a built-in M of N data resiliency feature. When the data is separated into N shares, data resiliency can be implemented in real-time, and only M (M<N) shares are needed to restore the data. This allows for the loss of any one share without losing access to data. If at least M pieces of the N data shares are sent to storage in remote data centers, a disaster recovery architecture can be achieved. In the event of a data center outage, M shares of data can still be retrieved from the other remote storage sites, and that data remains secure at all times. Lastly, with ICDES, customers can retain ultimate key control. The main server key can be exported to a central key manager, on premises, by the customer. This Key Management Interoperability Protocol (KMIP)-compliant transfer puts the customer in direct control of the security key; and thus ensures singular control over who can access encrypted data to the customer. This removes any possible access control from the cloud infrastructure provider. On its own, ICDES is a powerful, easy to administer, and low cost cloud-leveraging approach to data-centric protection, which goes beyond encryption with its unbreakable data protection and data resiliency capabilities. ICDES is rising in importance, given the frequency of corporate data breaches. The reality of today s cyber threats is that even the most well-managed network perimeter defenses and regulatory-compliant environments are exploitable. Therefore, data-at-rest must be protected from the looming prospects of a data breach. The brute force-intolerant and

7 Stratecast Frost & Sullivan inclusive key management design of ICDES represents a winning proposition for data-at-rest protection in a cloud environment. One last point is the incremental data protection that is possible with Intel TXT. Combined with SoftLayer Intel TXT-based bare metal servers, data protection advances in multiples steps. Through policy, the workload location where the bit-level shares are decrypted and the file reassembled can be restricted to servers that have attained a positive assertion that is, the platform s software configuration is of a known-good state. Similarly, the storage of ICDES key material, master and workgroup keys can also be constrained to servers with positive assertions. In this fashion, sensitive data, and the means to secure this data, are protected at rest, in transit, and in use, transparently to end users, and with low levels of administrative oversight. The adoption of cloud computing is galloping forward. Even so, this gallop is uneven, as organizations question whether cloud computing is up to the task of meeting the most stringent security standards for their datasensitive workloads. But can is only part of the story; the how matters too. Organizations have protected their sensitive applications and data in their own data centers by applying layers of security technologies and procedures. They know how to accomplish their perimeter security and data protection objectives. While seemingly adequate, as data breaches remain a looming risk, there are, nevertheless, material direct and indirect costs in this heavy-handed fortressing approach. Furthermore, porting this same approach into the cloud would undermine the very flexibility and scalability that organizations seek to gain in moving to the cloud. Therefore, a new approach is required; one that honors the benefits of the cloud, leverages its technological advantages, and does so while establishing and maintaining stringent security standards. IBM is leading the way in cloud security. The inclusion of Intel TXT-based servers in its SoftLayer IaaS service options, and the development of ICDES are providing an advanced level of cloud security. IBM SoftLayer is doing its part in offering a secure cloud computing environment for sensitive workloads. Combined with the flexibility, end-user transparency, and lightweight administrative attributes of IBM s cloud security offering, IBM should definitely be on your short list of cloud solution providers to evaluate. Michael P. Suby VP of Research Stratecast Frost & Sullivan msuby@stratecast.com

8 Silicon Valley 331 E. Evelyn Ave., Suite 100 Mountain View, CA Tel Fax San Antonio 7550 West Interstate 10, Suite 400 San Antonio, Texas Tel Fax London 4, Grosvenor Gardens, London SWIW ODH,UK Tel 44(0) Fax 44(0) GoFrost ABOUT STRATECAST Stratecast collaborates with our clients to reach smart business decisions in the rapidly evolving and hyper - competitive Information and Communications Technology markets. Leveraging a mix of action -oriented subscription research and customized consulting engagements, Stratecast delivers knowledge and perspective that is only attainable through years of real-world experience in an industry where customers are collaborators; today s partners are tomorrow s competitors; and agility and innovation are essential elements for success. Contact your Stratecast Account Executive to engage our experience to assist you in attaining your growth objectives. ABOUT FROST & SULLIVAN Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that addresses the global challenges and related growth opportunities that will make or break today s market participants. For more than 50 years, we have been developing growth strategies for the Global 1000, emerging businesses, the public sector and the investment community. Is your organization prepared for the next profound wave of industry convergence, disruptive technologies, increasing competitive intensity, Mega Trends, breakthrough best practices, changing customer dynamics and emerging economies? Contact Us: Start the Discussion For information regarding permission, write: Frost & Sullivan 331 E. Evelyn Ave. Suite 100 Mountain View, CA Auckland Dubai Moscow Silicon Valley Bahrain Frankfurt Mumbai Singapore Bangkok Iskander Malaysia/Johor Bahru Oxford Sophia Antipolis Beijing Istanbul Paris Sydney Bengaluru Jakarta Rockville Centre Taipei Buenos Aires Kolkata San Antonio Tel Aviv Cape Town Kuala Lumpur São Paulo Tokyo Chennai London Sarasota Toronto Colombo Manhattan Seoul Warsaw Delhi / NCR Miami Shanghai Washington, DC Detroit Milan Shenzhen