Accelerating Continuous Security for Apps on Cloud · References in this document to IBM products,...


Accelerating Continuous Security for Apps on Cloud

Vijay R K, Senior Software Engineer, IBM Cloud Security Services

Sudheesh S K, Senior Software Engineer, IBM Cloud Security Services


Legal Notice

Copyright © 2019 by International Business Machines Corporation. All rights reserved.

No part of this document may be reproduced or transmitted in any form without written permission from IBM Corporation.

IBM, the IBM logo, and ibm.com, and (ADDITIONAL TRADEMARKS HERE) are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml.

Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. This document could include technical inaccuracies or typographical errors. IBM may make improvements and/or changes in the product(s) and/or program(s) described herein at any time without notice. Any statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Any reference to an IBM Program Product in this document is not intended to state or imply that only that program product may be used. Any functionally equivalent program, that does not infringe IBM's intellectual property rights, may be used instead.

THE INFORMATION PROVIDED IN THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IBM EXPRESSLY DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IBM shall have no responsibility to update this information. IBM products are warranted, if at all, according to the terms and conditions of the agreements (e.g., IBM Customer Agreement, Statement of Limited Warranty, International Program License Agreement, etc.) under which they are provided. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. IBM makes no representations or warranties, express or implied, regarding non-IBM products and services.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents or copyrights. Inquiries regarding patent or copyright licenses should be made, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

IBM Cloud / © 2019 IBM Corporation


Security Threats Are Lurking!

Internet Facing Application or Website (Webpage) on IBM Cloud

DDoS Attack: Attack traffic impacts availability or performance

Data Theft Attempt: Compromise of sensitive customer data

Bots: Prevent malicious bots from abusing site or application


Achieving continuous security involves an end-to-end solution

Manage Access | Protect Data | Gain Visibility

Secure Platform

Key Management

Data-at-rest Encryption

Data-in-use Protection

Identity & Access

Network Threat Protection

Audit/Activity Logs

Certificate Management

Security Posture


App ID

Integrate identity into cloud apps

⎻ Simplified developer experience

⎻ User & Service Authentication

⎻ Open Standards

App ID

Identity Providers

Applications

Protected Resources


How CIS, powered by Cloudflare, provides Data Protection & enables Bot Prevention

IBM Cloud Internet Services

ATTACKS

1. DDoS Attacks are growing! → Robust DDoS protection for Domains and Hostnames

2. Snoop unencrypted sensitive data entered by customers → Encryption through TLS blocks snooping

3. Brute-force their way into login pages → Log-in protection through rate limiting

4. Inject malicious payloads through forms and APIs → Block top OWASP and emerging application-level attacks through the WAF


Hyper data security with Keep Your Own Keys (KYOK)

Encrypt data with BYOK

⎻ Key Protect service

⎻ Integrated with many IBM Cloud data & storage services

KYOK with Hyper Protect Crypto* (NEW!)

*Announced - GA in March

⎻ Dedicated Cloud HSM with full control

⎻ Key Protect in IBM Cloud Private

Key Protect APIs

Customer 1

Customer 2

Hyper Protect Crypto Services


Shield your data-in-use with secure enclaves

Protect data-in-use

⎻ Secure sensitive data with Intel SGX

⎻ Deploy on Kubernetes service & Bare Metal servers

Shield apps. No code change with Data Shield* (NEW!)

*Announced - Beta

Pre-canned images. Build new apps – C/C++, Python

Kubernetes

Server

Intel SGX Enclave

Custom Apps

Containers

1. Bring your container-based apps

2. Convert to protected container

3. Deploy on Data Shield


Govern Certificate Usage - Visibility

• Where certificates are used

• Who has access

• Who/what obtained TLS private keys

• What certificates need to be replaced


Monitor for SSL/TLS Certificate Expiration

Alerting

Drive as much automation as possible

Callback URL

Cloud Function

Certificate Authority

TLS Termination


AI-infused security insights

Single pane of glass for security posture

⎻ Integrated vulnerability and certificates

⎻ Custom enterprise integrations

⎻ Open APIs and Partner Integrations

Network Insights* with Security Advisor (NEW)

*Announced - Beta

⎻ Network Insights & Activity Insights

⎻ AI and machine learning


Monitor for Network Threats

- Identify attacks and malware in your cluster

- Kubernetes Aware

Security Advisor - Network Insights


Simplified attack kill chain

1. Reconnaissance on the cluster’s public services

2. Exploit vulnerabilities to drop malicious code

3. The malicious payload downloads malware

4. The malware connects to the C&C

5. The malware connects to a data store and retrieves sensitive data

6. The data is exfiltrated through the C&C

Diagram: Attacker, K8s Cluster, Malware bucket, Sensitive data bucket (arrows numbered 1 to 6)

Think 2019 / 3587 / Feb 14, 2019 / © 2019 IBM Corporation

Example:

An external actor plants malware in a K8s Cluster to Exfiltrate Information

• Recon from a suspicious address

• Container connects to suspicious IP

• Container downloads large payload

• Container retrieves a large amount of data

• Container sends out data to a suspicious address
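
The five signals on this slide only become a strong finding when they are correlated per container. The sketch below is an added example, not Security Advisor code: the flow-record layout, the suspicious-address list, the data-store address and the "large" threshold are all assumptions, and the records are constructed.

```python
# Constructed flow records: (seq, container, direction, remote_ip, bytes_in, bytes_out)
FLOWS = [
    (1, "web-7f9c", "in",  "203.0.113.7",   4_000,      2_000),
    (2, "web-7f9c", "out", "198.51.100.23", 9_000_000,  1_200),
    (3, "web-7f9c", "out", "203.0.113.7",   500,        800),
    (4, "web-7f9c", "out", "10.0.5.20",     60_000_000, 3_000),
    (5, "web-7f9c", "out", "203.0.113.7",   2_000,      58_000_000),
    (6, "api-51ab", "out", "10.0.5.20",     70_000_000, 1_000),  # routine bulk read
    (7, "api-51ab", "in",  "192.0.2.44",    1_000,      1_000),
]
SUSPICIOUS = {"203.0.113.7", "198.51.100.23"}  # assumed threat-intel list
DATA_STORES = {"10.0.5.20"}                    # assumed sensitive-bucket endpoint
LARGE = 5_000_000                              # assumed "large" threshold, bytes


def classify(flow):
    """Map one flow record to the slide's signals it matches (possibly none)."""
    _, _, direction, remote, b_in, b_out = flow
    bad = remote in SUSPICIOUS
    outbound = direction == "out"
    signals = set()
    if direction == "in" and bad:
        signals.add("recon")                 # recon from a suspicious address
    if outbound and bad:
        signals.add("suspicious_connect")    # container connects to suspicious IP
    if outbound and b_in >= LARGE and remote not in DATA_STORES:
        signals.add("large_download")        # container downloads large payload
    if outbound and b_in >= LARGE and remote in DATA_STORES:
        signals.add("bulk_data_read")        # container retrieves a lot of data
    if outbound and bad and b_out >= LARGE:
        signals.add("exfil")                 # data sent to a suspicious address
    return signals


def score_containers(flows, min_signals=3):
    """Return {container: sorted signals} for containers with enough distinct signals."""
    seen = {}
    for flow in sorted(flows):
        seen.setdefault(flow[1], set()).update(classify(flow))
    return {c: sorted(s) for c, s in seen.items() if len(s) >= min_signals}


if __name__ == "__main__":
    print(score_containers(FLOWS))
```

A single bulk read (`api-51ab`) stays below the threshold, while `web-7f9c` accumulates all five signals and is reported.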


Preventing Compromise of your IBM Cloud account

Security Advisor – Activity Insights

Insider Threats:

• Using valid user credentials to leverage resources or obtain data

• Can be either malicious or unintentional

Monitor Activity logs using rules:

• Alert on activities in your IBM Cloud account

• Restrict by time window, list of principals, etc.

• E.g. count failed access attempts in a time window
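
The rule shape described above (count failed access attempts in a time window, optionally restricted to a list of principals or a time-of-day window) can be sketched as follows. This is an added example, not Activity Insights code: the event tuple layout, action names, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, principal, action, outcome).
# The layout and action names are assumptions, not an IBM Cloud log schema.
EVENTS = [
    ("2019-02-14T02:00:00", "bob@example.com", "iam.login", "failure"),
    ("2019-02-14T02:00:05", "alice@example.com", "iam.login", "failure"),
    ("2019-02-14T02:01:10", "alice@example.com", "iam.login", "failure"),
    ("2019-02-14T02:02:00", "alice@example.com", "iam.login", "success"),
    ("2019-02-14T02:03:40", "alice@example.com", "kms.key.read", "failure"),
    ("2019-02-14T02:04:00", "bob@example.com", "iam.login", "failure"),
    ("2019-02-14T02:10:30", "bob@example.com", "iam.login", "failure"),
    ("2019-02-14T14:00:00", "svc-deploy", "cos.object.read", "failure"),
    ("2019-02-14T14:00:20", "svc-deploy", "cos.object.read", "failure"),
    ("2019-02-14T14:00:40", "svc-deploy", "cos.object.read", "failure"),
]


def failed_access_alerts(events, threshold=3, window=timedelta(minutes=5),
                         principals=None, hours=None):
    """Alert when a principal reaches `threshold` failures inside a sliding window.

    principals: optional set limiting the rule to those identities.
    hours: optional (start, end) hour-of-day range, end exclusive.
    """
    recent = defaultdict(deque)   # principal -> failure times still in the window
    alerts = []
    for ts, who, _action, outcome in sorted(events):
        when = datetime.fromisoformat(ts)
        if outcome != "failure":
            continue
        if principals is not None and who not in principals:
            continue
        if hours is not None and not (hours[0] <= when.hour < hours[1]):
            continue
        q = recent[who]
        q.append(when)
        while when - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"principal": who, "count": len(q),
                           "first": q[0].isoformat(), "last": when.isoformat()})
            q.clear()                 # re-arm so one burst raises one alert
    return alerts


if __name__ == "__main__":
    for alert in failed_access_alerts(EVENTS):
        print(alert)
```

Bob's three failures are spread over more than five minutes, so he only trips the rule if the threshold is lowered.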


The Do’s of Protecting your App

✓ Manage Access to Cloud Resources

✓ Protect the Edge - Use the Security services in CIS (DDoS mitigation, WAF, Rate Limiting, Range)

✓ Secure compute by Micro segmentation on IKS

✓ Manage Web and Mobile App users and service identity and access

✓ Protect Data at rest, in transit and in Use

✓ Enable TLS for all communications, external and internal

✓ Monitor network and suspicious activities


Comprehensive IBM Cloud Security Portfolio

Private Cloud | Public Cloud | Multi-Cloud

Security Built-in the Cloud: IBM Cloud Security Capabilities

Security Visibility & Management
⎻ Certificate Manager
⎻ Activity Tracker
⎻ Security Advisor

Identity & Access
⎻ Platform identity & access
⎻ App ID

Secure Compute & Platforms
⎻ Kubernetes
⎻ Virtual Servers
⎻ VMWare
⎻ Functions
⎻ Bare metal

Network Security
⎻ Internet Services
⎻ VPC
⎻ Firewalls, ACLs
⎻ Secure Gateway

Data Security
⎻ Data Shield
⎻ Hyper Protect Crypto
⎻ Key Protect
⎻ Encrypted storage & data services

Security Add-on the Cloud: IBM Security portfolio
⎻ Security Connect
⎻ Guardium
⎻ Hybrid cloud security & compliance services
⎻ Cloud Identity
⎻ QRadar


How to Get Started

Try App ID: https://cloud.ibm.com/catalog/services/app-id

Try IBM Cloud Data Shield: https://www.ibm.com/cloud/data-shield

Try IBM Hyper Protect Services: https://www.ibm.com/cloud/hyper-protect-services

Try IBM Cloud Internet Services: https://cloud.ibm.com/catalog/services/internet-services

Try IBM Certificate Manager: https://cloud.ibm.com/catalog/services/certificate-manager

Try Security Advisor: https://cloud.ibm.com/security-advisor
