Securing the Cloud Today: How Do We Get There?
Samson Tai, Chief Technologist, IBM Innovation Network
9/15/2009
What is Cloud Computing?

Cloud is a new consumption and delivery model for many IT-based services, in which the user sees only the service and has no need to know anything about the technology or implementation.

Attributes:
- Standardized, consumable, web-delivered services
- Service catalog ordering
- Flexible pricing, with metering and billing
- Elastic scaling
- Rapid provisioning
- Advanced virtualization

Visibility, control, automation: service oriented and service managed.
Cloud Computing Delivery Models

Flexible delivery models:
- Public: service-provider owned and managed; access by subscription. Delivers a select set of standardized business process, application and/or infrastructure services on a flexible price-per-use basis. Value: standardization, capital preservation, flexibility and time to deploy.
- Hybrid: access to client, partner-network and third-party resources.
- Private: privately owned and managed; access limited to the client and its partner network. Drives efficiency, standardization and best practices while retaining greater customization and control. Value: customization, efficiency, availability, resiliency, security and privacy.

Organization, culture, governance: service sourcing and service value.
End-user Survey: Perceived Concerns

[Bar chart: respondents rated each concern from 1.00 to 5.00 by how significant it would be to their organization.]

Across the region and globally, security of cloud services is consistently rated as the top concern that CIOs have about cloud services. Hong Kong is little different from the rest of the surveyed countries and rates security, performance and ability to integrate as its top three concerns. Other concerns were consistent in rating.

Concerns rated:
- On-demand payment model will cost more
- Hard to integrate with in-house IT systems
- Ability to customize to our organization's needs
- Security: worried about keeping our systems and information protected
- Regulatory requirements
- Availability
- Performance
- Not enough major suppliers yet
- Bringing back in-house may be difficult

Source: IDC, Market Evolution and Trends for Cloud Computing: Asia/Pacific End-User Study, 2009, N = 114
What is Cloud Security?

Confidentiality, integrity and availability of business-critical IT assets stored or processed on a cloud computing platform.

Lineage: Cloud Computing, Software as a Service, Utility Computing, Grid Computing.

"There is nothing new under the sun but there are lots of old things we don't know." (Ambrose Bierce, The Devil's Dictionary)
Cloud Security: Simple Example

Today's data center (we have control):
- It's located at X.
- It's stored in servers Y and Z.
- We have backups in place.
- Our admins control access.
- Our uptime is sufficient.
- The auditors are happy.
- Our security team is engaged.

Tomorrow's public cloud (who has control?):
- Where is it located?
- Where is it stored?
- Who backs it up?
- Who has access?
- How resilient is it?
- How do auditors observe?
- How does our security team engage?
Security Requirements for Different Cloud Computing Models

Cloud stack, top to bottom, with the security requirement at each layer:
- Cloud delivered services (application as a service, platform as a service, infrastructure as a service): multi-tenancy at all levels.
- Cloud platform:
  - Business support services (offering management, customer management, ordering management, billing): multi-tenant security infrastructure.
  - Operational support services (infrastructure provisioning; instance, image and resource/asset management; common operational services): image security.
- Virtualized resources (virtual network, server, storage): virtualization security.
- System resources (network, server, storage): logical data center security and resilience.
- Physical system and environment: physical data center security and resilience.
Gartner summarizes cloud security threats:
1. Privileged user access (federated identity management, authentication, authorization)
2. Regulatory compliance
3. Data location
4. Data segregation
5. Recovery (backup)
6. Investigative support (auditing, logging)
7. Long-term viability (acquisitions)
Security and Cloud Computing: IBM Security Framework

A business-oriented framework used across all IBM brands to structure and discuss a client's security concerns. Cloud-specific requirements by domain:

- Governance, risk management, compliance: third-party audit (SAS 70 Type II, ISO 27001, PCI); client access to tenant-specific log and audit data; effective incident reporting for tenants.
- Application and process: application security requirements for cloud are phrased in terms of the deployed image; compliance with secure development best practice.
- Physical: monitoring and control of physical access.
- People and identity: privileged user monitoring, including logging of activities, physical monitoring and background checking; federated identity and onboarding, coordinating authentication and authorization with enterprise or third-party systems.
- Data and information: data segregation; client control over the geographical location of data.
- Network, server, endpoint: isolation between tenant domains; trusted virtual domains with built-in intrusion detection and prevention.
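Several items in the Gartner list and in the framework above (privileged user access and monitoring, data location, data segregation, tenant-specific audit data) reduce to concrete checks in a multi-tenant control plane. The following Python sketch is an added example, not code from the original deck or from IBM; the class names, tenant names and regions are hypothetical. It enforces tenant isolation on reads and writes, a per-tenant data-residency rule at placement time, and an audit trail in which every event is filed under the tenant whose data it touched, so a tenant can see the provider's privileged accesses to its own data and nothing about other tenants.

```python
"""Hypothetical multi-tenant control plane: isolation, residency, tenant-scoped audit.
Added example; names and sample data are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Principal:
    """Who is asking. tenant is None for provider (cloud operator) staff."""
    user: str
    tenant: Optional[str]
    privileged: bool = False


@dataclass(frozen=True)
class DataObject:
    object_id: str
    owner_tenant: str
    region: str          # where the object is physically stored


@dataclass(frozen=True)
class AuditEvent:
    actor: str
    actor_tenant: Optional[str]
    tenant: str          # tenant whose data the event concerns (not the actor's)
    action: str
    target: str
    allowed: bool
    reason: str


class TenantStore:
    def __init__(self, allowed_regions: Dict[str, FrozenSet[str]]):
        # Per-tenant residency rule: client control over geographic location.
        self.allowed_regions = allowed_regions
        self.objects: Dict[str, DataObject] = {}
        self.audit: List[AuditEvent] = []

    def _log(self, p: Principal, tenant: str, action: str, target: str,
             allowed: bool, reason: str) -> bool:
        self.audit.append(AuditEvent(p.user, p.tenant, tenant, action, target, allowed, reason))
        return allowed

    def place(self, p: Principal, obj: DataObject) -> bool:
        """Store an object only for its own tenant and only in a region that tenant approved."""
        if not p.privileged and p.tenant != obj.owner_tenant:
            return self._log(p, obj.owner_tenant, "place", obj.object_id, False, "cross-tenant write")
        # Unknown tenant has no approved regions, so the get() default denies by construction.
        if obj.region not in self.allowed_regions.get(obj.owner_tenant, frozenset()):
            return self._log(p, obj.owner_tenant, "place", obj.object_id, False,
                             f"region {obj.region} not approved by tenant")
        self.objects[obj.object_id] = obj
        return self._log(p, obj.owner_tenant, "place", obj.object_id, True, "ok")

    def read(self, p: Principal, object_id: str) -> Optional[DataObject]:
        """Data segregation: a tenant only ever sees its own objects."""
        obj = self.objects.get(object_id)
        if obj is None:
            self._log(p, p.tenant or "provider", "read", object_id, False, "not found")
            return None
        if p.privileged:
            # Privileged user monitoring: the provider admin is allowed, but the access is
            # filed in the *owning tenant's* audit trail, not hidden in a provider-only log.
            self._log(p, obj.owner_tenant, "read", object_id, True, "privileged access")
            return obj
        if p.tenant != obj.owner_tenant:
            # Same result as "not found", so a foreign tenant cannot probe for object existence;
            # the attempt is recorded for the victim tenant to see.
            self._log(p, obj.owner_tenant, "read", object_id, False, "cross-tenant read")
            return None
        self._log(p, obj.owner_tenant, "read", object_id, True, "ok")
        return obj

    def audit_view(self, p: Principal) -> List[AuditEvent]:
        """Tenant-specific log and audit data: a tenant sees every event that touched its
        data, including privileged provider access, and nothing about other tenants."""
        if p.privileged:
            return list(self.audit)
        return [e for e in self.audit if e.tenant == p.tenant]


if __name__ == "__main__":
    # Constructed sample: two tenants with different residency rules, one provider admin.
    store = TenantStore({"acme": frozenset({"eu-west"}),
                         "globex": frozenset({"us-east", "eu-west"})})
    alice = Principal("alice", "acme")
    bob = Principal("bob", "globex")
    ops = Principal("ops", None, privileged=True)
    store.place(alice, DataObject("acme-1", "acme", "eu-west"))   # allowed
    store.place(alice, DataObject("acme-2", "acme", "us-east"))   # denied: residency
    store.place(bob, DataObject("acme-3", "acme", "eu-west"))     # denied: cross-tenant
    store.read(bob, "acme-1")                                     # denied, looks like not found
    store.read(ops, "acme-1")                                     # allowed, visible to acme
    for e in store.audit_view(alice):
        print(f"{e.actor:6} {e.action:6} {e.target:8} allowed={e.allowed} ({e.reason})")
```

The point worth noticing is which tenant an event is filed under: it is keyed by the data's owner, not by the actor, which is what makes both the provider's privileged reads and a neighbour's failed cross-tenant attempts appear in the affected tenant's view while the neighbour's own view stays empty.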
There is No One-size-fits-all Security for Cloud Computing

Different workloads have different risk profiles. Plotting business risk (low, mid, high) against the need for security assurance (low to high):
- Public cloud, low risk: training and testing with nonsensitive data; analysis and simulation with public data.
- Hybrid cloud, mid risk.
- Private cloud, high risk: mission-critical workloads, personal information.

High-value, high-risk workloads need:
- Quality of protection adapted to the risk
- Direct visibility and control
- A significant level of assurance

Today's clouds are primarily at the low-risk end:
- Lower-risk workloads
- One-size-fits-all approach to data protection
- No significant assurance
- Price is key
Thank You