Accelerating Continuous Security for Apps on Cloud
Vijay R K, Senior Software Engineer, IBM Cloud Security Services
Sudheesh S K, Senior Software Engineer, IBM Cloud Security Services
Legal Notice
Copyright © 2019 by International Business Machines Corporation. All rights reserved.
No part of this document may be reproduced or transmitted in any form without written permission from IBM Corporation.
IBM, the IBM logo, and ibm.com, and (ADDITIONAL TRADEMARKS HERE) are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml.
Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. This document could include technical inaccuracies or typographical errors. IBM may make improvements and/or changes in the product(s) and/or program(s) described herein at any time without notice. Any statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Any reference to an IBM Program Product in this document is not intended to state or imply that only that program product may be used. Any functionally equivalent program that does not infringe IBM's intellectual property rights may be used instead.
THE INFORMATION PROVIDED IN THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IBM EXPRESSLY DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IBM shall have no responsibility to update this information. IBM products are warranted, if at all, according to the terms and conditions of the agreements (e.g., IBM Customer Agreement, Statement of Limited Warranty, International Program License Agreement, etc.) under which they are provided. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. IBM makes no representations or warranties, express or implied, regarding non-IBM products and services.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents or copyrights. Inquiries regarding patent or copyright licenses should be made, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785, U.S.A.
IBM Cloud / © 2019 IBM Corporation
Security Threats Are Lurking!
Internet Facing Application or Website (webpage) on IBM Cloud:
⎻ DDoS Attack: attack traffic impacts availability or performance
⎻ Data Theft Attempt: compromise of sensitive customer data
⎻ Bots: prevent malicious bots from abusing site or application
Achieving continuous security involves an end-to-end solution
Manage Access, Protect Data, Gain Visibility, on a Secure Platform:
⎻ Key Management
⎻ Data-at-rest Encryption
⎻ Data-in-use Protection
⎻ Identity & Access
⎻ Network Threat Protection
⎻ Audit/Activity Logs
⎻ Certificate Management
⎻ Security Posture
App ID
Integrate identity into cloud apps
⎻ Simplified developer experience
⎻ User & Service Authentication
⎻ Open Standards
Diagram: Identity Providers → App ID → Applications / Protected Resources
How CIS, powered by Cloudflare, provides Data Protection & enables Bot Prevention
ATTACKS
⎻ Inject malicious payloads through forms and APIs
⎻ DDoS Attacks are growing!
⎻ Snoop unencrypted sensitive data entered by customers
⎻ Brute-force their way into login pages
IBM Cloud Internet Services
1. Robust DDoS protection for Domains and Hostnames
2. Encryption through TLS blocks snooping
3. Log-in protection through rate limiting
4. Block top OWASP and emerging application-level attacks through the WAF
Hyper data security with Keep Your Own Keys (KYOK)
Encrypt data with BYOK
⎻ Key Protect service
⎻ Integrated with many IBM Cloud data & storage services
KYOK with Hyper Protect Crypto (NEW)*
⎻ Dedicated Cloud HSM with full control
⎻ Key Protect in IBM Cloud Private
*Announced - GA in March
Diagram: Customer 1 and Customer 2 → Key Protect APIs → Hyper Protect Crypto Services
Shield your data-in-use with secure enclaves
Protect data-in-use
⎻ Secure sensitive data with Intel SGX
⎻ Deploy on Kubernetes service & Bare Metal servers
Shield apps. No code change with Data Shield (NEW)*
*Announced - Beta. Pre-canned images. Build new apps – C/C++, Python
Diagram: Custom Apps / Containers → Kubernetes → Server with Intel SGX Enclave
1. Bring your container-based apps
2. Convert to protected container
3. Deploy on Data Shield
Govern Certificate Usage - Visibility
• Where certificates are used
• Who has access
• Who/what obtained TLS private keys
• What certificates need to be replaced
Monitor for SSL/TLS Certificate Expiration
Alerting: drive as much automation as possible
Diagram labels: Callback URL, Cloud Function, Certificate Authority, TLS Termination
AI-infused security insights
Single pane of glass for security posture
⎻ Integrated vulnerability and certificates
⎻ Custom enterprise integrations
⎻ Open APIs and Partner Integrations
Network Insights* with Security Advisor (NEW)
⎻ Network Insights & Activity Insights
⎻ AI and machine learning
*Announced - Beta
Security Advisor - Network Insights
Monitor for Network Threats
- Identify attacks and malware in your cluster
- Kubernetes Aware
Simplified attack kill chain
1. Reconnaissance on the cluster’s public services
2. Exploit vulnerabilities to drop malicious code
3. The malicious payload downloads malware
4. The malware connects to the C&C
5. The malware connects to a data store and retrieves sensitive data
6. The data is exfiltrated through the C&C
Diagram: Attacker, K8s Cluster, Malware bucket, Sensitive data bucket (steps 1–6 shown as arrows)
Think 2019 / 3587 / Feb 14, 2019 / © 2019 IBM Corporation
Example: An external actor plants malware in a K8s Cluster to Exfiltrate Information
⎻ Recon from a suspicious address
⎻ Container connects to suspicious IP
⎻ Container downloads large payload
⎻ Container retrieves a large amount of data
⎻ Container sends out data to a suspicious address
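The network signals listed above map onto the six kill-chain stages, and a defender can correlate them per pod from flow records. The following is an added example written for this page, not Security Advisor code: the flow records, the pod and data-store address ranges, the threat-list entries and the byte thresholds are all constructed, and stage 2 (the exploit itself) is not visible in flow data, so it is not scored.

```python
import ipaddress

# Constructed address ranges and threat-list entries (assumptions for this example).
PODS = ipaddress.ip_network("10.42.0.0/16")        # cluster pod network
DATA_STORE = ipaddress.ip_network("10.50.0.0/16")  # where the sensitive data bucket lives
SUSPICIOUS = {"203.0.113.9", "198.51.100.77"}      # addresses from a threat list
LARGE = 10_000_000                                 # bytes; "large payload / large amount of data"

# Constructed flow records (source, destination, bytes), not real Network Insights output.
FLOWS = [
    ("203.0.113.9", "10.42.1.5", 2_000),           # 1. recon from a suspicious address
    ("10.42.1.5", "198.51.100.77", 4_000),         # 4. container connects to a suspicious IP
    ("198.51.100.77", "10.42.1.5", 30_000_000),    # 3. large payload downloaded
    ("10.50.0.8", "10.42.1.5", 120_000_000),       # 5. large read from the data store
    ("10.42.1.5", "203.0.113.9", 110_000_000),     # 6. data sent out to a suspicious address
    ("10.42.2.9", "10.50.0.8", 3_000),             # benign pod: small data-store query
    ("10.50.0.8", "10.42.2.9", 40_000),
]

def kill_chain_stages(flows, suspicious=SUSPICIOUS, large=LARGE):
    """Map each pod address to the sorted kill-chain stage numbers its flows match."""
    stages = {}
    def mark(pod, stage):
        stages.setdefault(pod, set()).add(stage)
    for src, dst, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if d in PODS and src in suspicious:
            mark(dst, 1)                           # recon from a suspicious address
        if s in PODS and dst in suspicious:
            mark(src, 4)                           # outbound connection to a suspicious IP (C&C)
            if nbytes >= large:
                mark(src, 6)                       # large transfer to that address: exfiltration
        if d in PODS and s not in PODS and s not in DATA_STORE and nbytes >= large:
            mark(dst, 3)                           # large payload downloaded from outside
        if d in PODS and s in DATA_STORE and nbytes >= large:
            mark(dst, 5)                           # large amount of data retrieved from the store
    return {pod: sorted(st) for pod, st in stages.items()}

def suspected_exfiltration(flows, min_stages=4):
    """Pods whose stages include both C&C contact and exfiltration, plus enough
    earlier stages that the sequence looks like the chain rather than one odd flow."""
    return [pod for pod, st in kill_chain_stages(flows).items()
            if {4, 6} <= set(st) and len(st) >= min_stages]

if __name__ == "__main__":
    print(kill_chain_stages(FLOWS))        # {'10.42.1.5': [1, 3, 4, 5, 6]}
    print(suspected_exfiltration(FLOWS))   # ['10.42.1.5']
```

Requiring several stages on the same pod is what keeps a single large download or one connection to a listed address from firing the exfiltration alert on its own.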
Preventing Compromise of your IBM Cloud account
Security Advisor – Activity Insights
Insider Threats:
• Using valid user credentials to leverage resources or obtain data
• Can be either malicious or unintentional
Monitor Activity logs using rules:
• Alert on activities in your IBM Cloud account
• Restrict by time window, list of principals, etc.
• E.g. count failed access attempts in a time window
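The rule named above (count failed access attempts in a time window, restricted to a list of principals) as an added example for this page, not Activity Insights code: the JSON activity records and their field names are constructed, and the records are assumed to arrive in time order.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample activity records (not a real Activity Tracker export): one JSON
# object per line with the timestamp, the principal, the action and its outcome.
SAMPLE_LOG = """\
{"ts": "2019-02-14T10:00:05Z", "principal": "alice@example.com", "action": "iam.login", "outcome": "failure"}
{"ts": "2019-02-14T10:00:40Z", "principal": "alice@example.com", "action": "iam.login", "outcome": "failure"}
{"ts": "2019-02-14T10:01:10Z", "principal": "alice@example.com", "action": "iam.login", "outcome": "failure"}
{"ts": "2019-02-14T10:01:30Z", "principal": "bob@example.com", "action": "iam.login", "outcome": "success"}
{"ts": "2019-02-14T10:02:00Z", "principal": "alice@example.com", "action": "iam.login", "outcome": "success"}
{"ts": "2019-02-14T10:20:00Z", "principal": "bob@example.com", "action": "iam.login", "outcome": "failure"}
{"ts": "2019-02-14T10:21:00Z", "principal": "bob@example.com", "action": "iam.login", "outcome": "failure"}
{"ts": "2019-02-14T10:40:00Z", "principal": "bob@example.com", "action": "iam.login", "outcome": "failure"}
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def failed_access_alerts(log_text, window_seconds, threshold, principals=None):
    """Return (principal, timestamp) for each moment a principal's failed access
    attempts inside a sliding window of window_seconds reach threshold.
    principals: optional list restricting which principals the rule applies to.
    Records are assumed to be in time order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)          # principal -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        if ev["outcome"] != "failure":
            continue
        who = ev["principal"]
        if principals is not None and who not in principals:
            continue
        ts = parse_ts(ev["ts"])
        q = recent[who]
        q.append(ts)
        while ts - q[0] > window:        # drop failures that fell out of the window
            q.popleft()
        if len(q) == threshold:          # fire once as the burst crosses the threshold
            alerts.append((who, ev["ts"]))
    return alerts

if __name__ == "__main__":
    for who, when in failed_access_alerts(SAMPLE_LOG, 300, 3):
        print(f"ALERT {when}: {who} reached 3 failed access attempts within 5 minutes")
```

Bob's three failures span twenty minutes, so they fire only if the window is widened; the principal list lets the same rule be scoped to, say, privileged accounts only.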
The Do’s of Protecting your App
✓ Manage Access to Cloud Resources
✓ Protect the Edge - Use the Security services in CIS (DDoS mitigation, WAF, Rate Limiting, Range)
✓ Secure compute by micro-segmentation on IKS
✓ Manage Web and Mobile App users and service identity and access
✓ Protect Data at rest, in transit and in use
✓ Enable TLS for all communications, external and internal
✓ Monitor network and suspicious activities
Security Built-in the Cloud: IBM Cloud Security Capabilities
Comprehensive IBM Cloud Security Portfolio (Private Cloud, Public Cloud, Multi-Cloud)
Security Visibility & Management
⎻ Certificate Manager
⎻ Activity Tracker
⎻ Security Advisor
Identity & Access
⎻ Platform identity & access
⎻ App ID
Secure Compute & Platforms
⎻ Kubernetes
⎻ Virtual Servers
⎻ VMware
⎻ Functions
⎻ Bare metal
Network Security
⎻ Internet Services
⎻ VPC
⎻ Firewalls, ACLs
⎻ Secure Gateway
Data Security
⎻ Data Shield
⎻ Hyper Protect Crypto
⎻ Key Protect
⎻ Encrypted storage & data services
Security Add-on the Cloud: IBM Security portfolio
⎻ Security Connect
⎻ Guardium
⎻ Hybrid cloud security & compliance services
⎻ Cloud Identity
⎻ QRadar
How to Get Started
Try App ID: https://cloud.ibm.com/catalog/services/app-id
Try IBM Cloud Data Shield: https://www.ibm.com/cloud/data-shield
Try IBM Hyper Protect Services: https://www.ibm.com/cloud/hyper-protect-services
Try IBM Cloud Internet Services: https://cloud.ibm.com/catalog/services/internet-services
Try IBM Certificate Manager: https://cloud.ibm.com/catalog/services/certificate-manager
Try Security Advisor: https://cloud.ibm.com/security-advisor