PCTY 2012, Cloud security (real life) v. Ulf Feger

Presentation from PCTY 2012 by Ulf Feger

Transcript of PCTY 2012, Cloud security (real life) v. Ulf Feger

Page 1: PCTY 2012, Cloud security (real life) v. Ulf Feger

Cloud Security

Ulf Feger, Security Architect, CISSP, COBIT Practitioner (ISACA), Cloud Security & Security Solutions, IBM Security Systems Division

Member of the Board, Cloud Security Alliance, German Chapter

Abstract: Cloud security or security for the cloud is neither a "big bang" nor is it something completely new. It's a transformation process of taking existing methodologies and technologies and adapting them depending on the cloud business road you are taking.

This is not limited to just technology assets but also includes policies, processes, and of course the handling of (business) expectations.

What might such a roadmap look like and is it then limited to security only?

Page 2: PCTY 2012, Cloud security (real life) v. Ulf Feger

2

Cloud & Security

Customer Expectations and Experiences

• Healing by touching – or: Cloud is a devil
• The Cloud – yes, of course with Security – solves all our security challenges, we will have no problems anymore
• Open discussions: I know what I know, and to be honest, tell me what I should know
• What you tell me is not Cloud security, that's security
• The roadmap to Cloud & Security

Customer expectations towards IBM:
– Understand their environment (on given information)
– Understand their security concepts & architecture (on the given information)
– Be able to talk to network people, SW architects, security architects
– Provide insight, give feedback

What we do:
– All of the stuff above
– Open discussions in a highly political environment
– Offered more input based on existing material like the BSI MindMap
– Fed people with new ideas like VSP; Cloud Security is more than some techie stuff only

Page 3: PCTY 2012, Cloud security (real life) v. Ulf Feger


The Fortress

Transformation of Security, of Security Awareness, of the Need for Security

Page 4: PCTY 2012, Cloud security (real life) v. Ulf Feger


Who is attacking our networks?

Page 5: PCTY 2012, Cloud security (real life) v. Ulf Feger


Zeus Crimeware Service

"Hosting costs $50 for 3 months. This includes the following:

# Fully set up ZeuS Trojan with configured FUD binary
# Log all information via Internet Explorer
# Log all FTP connections
# Steal banking data
# Steal credit cards
# Phish US, UK and RU banks
# Host file override
# All other ZeuS Trojan features
# Fully set up MalKit with stats viewer integrated
# 10 IE 4/5/6/7 exploits
# 2 Firefox exploits
# 1 Opera exploit"

"We also host normal ZeuS clients for $10/month. This includes a fully set up ZeuS panel/configured binary."

FUD = Fully Undetectable

Page 6: PCTY 2012, Cloud security (real life) v. Ulf Feger


The Fortress – The User

Transformation of Security, of Security Awareness, of the Need for Security

Page 7: PCTY 2012, Cloud security (real life) v. Ulf Feger


Page 8: PCTY 2012, Cloud security (real life) v. Ulf Feger


Page 9: PCTY 2012, Cloud security (real life) v. Ulf Feger


- Ernst & Young
- Daimler
- Deutsche Bank
- wecon-it consulting
- TU Darmstadt
- Siemens
- Fraunhofer AISEC
- Verizon
- Suse/Novell
- Vodafone
- Siemens Communications
- NetApp
- T-Systems
- Detecon
- IBM
- more coming soon

Page 10: PCTY 2012, Cloud security (real life) v. Ulf Feger


Page 11: PCTY 2012, Cloud security (real life) v. Ulf Feger

Cloud Reference Architecture for Enterprise Architects

Page 12: PCTY 2012, Cloud security (real life) v. Ulf Feger


Risk versus Potential

"Risk is doing something, and risk is not doing it." – from CISM© Review Manual 2012

Page 13: PCTY 2012, Cloud security (real life) v. Ulf Feger


IBM Cloud Computing Reference Architecture

The IBM CC RA represents the aggregate experience across hundreds of cloud client engagements and the implementation of IBM-hosted clouds
– Based on knowledge of IBM's services, software & system experiences, including IBM Research

The IBM Cloud Computing Reference Architecture (CC RA) is reflected in the design of
– IBM-hosted cloud services
– Clouds IBM implements for clients
– IBM cloud appliances
– IBM cloud service management products

The CC RA focuses on cloud specifics such as radical cost reduction while achieving high degrees of security, reliability, scalability and control

The CC RA consists of 21 detailed documents representing best-of-industry knowledge and insight on how to architect, design and implement clouds

[Figure: IBM Cloud Computing Reference Architecture overview – Governance; Security, Resiliency, Performance & Consumability; roles Cloud Service Creator, Cloud Service Consumer, Cloud Service Provider; Common Cloud Management Platform (CCMP) with Operational Support Services (OSS) and Business Support Services (BSS); Cloud Services: Infrastructure-as-a-Service, Platform-as-a-Service, Software-as-a-Service, Business-Process-as-a-Service; Cloud Service Integration Tools; Consumer In-house IT; Service Creation Tools; Infrastructure; Existing & 3rd party services, Partner Ecosystems]

OpenGroup submission: http://www.opengroup.org/cloudcomputing/uploads/40/23840/CCRA.IBMSubmission.02282011.doc
CCRA Whitepaper on ibm.com: http://www.ibm.com/common/ssi/cgi-bin/ssialias?infotype=SA&subtype=WH&appname=GTSE_CI_CI_USEN&htmlfid=CIW03078USEN&attachment=CIW03078USEN.PDF

Page 14: PCTY 2012, Cloud security (real life) v. Ulf Feger


Cloud Computing Reference Architecture (CC RA) – Security, Resiliency, Performance & Consumability drill-down

[Figure: CC RA overview as on page 13 (Governance; Cloud Service Provider, Creator and Consumer; Common Cloud Management Platform with OSS and BSS; Cloud Services IaaS / PaaS / SaaS / BPaaS; Infrastructure; Existing & 3rd party services, Partner Ecosystems), with the Security, Resiliency, Performance & Consumability layer expanded]

Security: Security Policy; Threat & Vulnerability Management; Software, System & Service Assurance; Security Entitlement; Access & Identity Lifecycle Management; Governance; Data policy enforcement; Security Event Management; Data and Information Protection

Resiliency: Data Resiliency; Configuration for Resiliency; Resiliency Monitoring / Analysis; Resiliency Compliance Assessment; Resiliency Policy Management; Availability & Continuity Management

Consumability: Ease of Doing Business; Positive First Use Experience; Rapidly Integrates; Readily Adapts; Simplified Operations

© 2011 IBM Corporation

Page 15: PCTY 2012, Cloud security (real life) v. Ulf Feger


Architecture Principles

IBM Security Framework: Business Security Reference Model

[Figure: IBM Security Framework – Business Security Reference Model]

Security domains: Application and Process; People and Identity; IT Infrastructure: Network, Server, End Point; Physical Infrastructure; Data and Information; Governance, Risk, Compliance (GRC)

Foundational Security Management: Identity, Access and Entitlement Management; Threat and Vulnerability Management; Data and Information Protection Management; Software, System and Service Assurance; Security Policy Management; Risk and Compliance Assessment; Command and Control Management; Physical Asset Management; IT Service Management

Security Services and Infrastructure: Security Policy Infrastructure; Identity, Access and Entitlement Infrastructure; Security Info and Event Infrastructure; Host and End-point Security; Storage Security; Network Security; Application Security; Physical Security; Service Management Infrastructure; Crypto, Key and Certificate Infrastructure

Further elements: Designs; Config Info and Registry; Data Repositories and Classification; Code and Images; Policies; Identities and Attributes; Operational Context; IT Security Knowledge; Events and Logs; Security Service Levels

Page 16: PCTY 2012, Cloud security (real life) v. Ulf Feger

Cloud Governance - GRC

.. hey .. and what else ?

.. and what’s the meaning of G R C ?

Page 17: PCTY 2012, Cloud security (real life) v. Ulf Feger


The majority of corporations avoid the use of Cloud Computing because of Security and Governance risks and the lack of trust in the service provider 1)

1) "Cloud Computing in Germany" – Survey Results from Deloitte and BITKOM, January 2011

Question: "Do you use cloud computing solutions already or do you plan to use them in the near future?"

Question: "Because of which reasons did you decide not to use cloud computing solutions (multiple answers are possible)?"

Yes: 46% / No: 54%

Obstacles for Cloud Projects (chart, share of respondents on a 0%–60% axis):
– Doubts in regard to the long-term availability of the offering
– Risk of loss of Governance and Control
– Inadequate Data Security / Availability
– Open Compliance or Legal issues
– Risk of a Vendor Lock-In
– No commercial benefit
– Licence issues

Page 18: PCTY 2012, Cloud security (real life) v. Ulf Feger


Requirements – Cloud Computing & Security (plus GRC + ..)

Security topics – technical & process related
• Data Security & Data Privacy
• Access Management & Identity Management – IAM
• Application and Service Provisioning incl. Removal
• Application and Systems test incl. Data Pro- and De-Provisioning
• Service Level Agreement – SLA Management
• Vulnerability Management – Detection, Scoring, Removal
• Threat Analysis
• Service Availability incl. local/national load balancing
• Auditability & Governance (GRC – Governance, Risk & Compliance)
• Cross-border law-abiding, e.g. person related data & processes
• Cross-border IC & export laws / export regulations
• Billing and Accounting data – information basis for your business & business relationship
• Exit-Management

[Figure: Cloud Services / Cloud Computing Model]

Page 19: PCTY 2012, Cloud security (real life) v. Ulf Feger


Cloud from the viewpoint of Export Regulations (ER)

An Export takes place when ..

Cross Border Cloud Computing
– Cross border Clouds – the data crosses the border
– Distributed service offerings means the server and data stay in the local country

Root Access
– Who gets which kind or type of root access to/for what?
– What kind of entitlements does this user have or got granted?

Technology and Source Code
– Who is the initiator / exporter? The entity who decides that technology and/or source code is being transmitted?
– It is not the cloud service provider but the cloud user

Page 20: PCTY 2012, Cloud security (real life) v. Ulf Feger


Page 21: PCTY 2012, Cloud security (real life) v. Ulf Feger


Understand Compliance requirements – Data Privacy – Data Security

Expectation / Goal: Improvement in Security, Reduction in Cost, Load Optimization

1 Inner Security – Outer Security – Operational Security
2 "How do I prove?"
3 traceability & verifiability & auditability
4 Focus: "What do I really need?"
5 Security Compliance Management: understand business risks and threats; security guidelines, rules, policies; monitoring & detection; awareness, implementation & automation

Risk – Appetite? Cloud Workload -> Risk Assessment / Analysis / Accreditation / Certification

Page 22: PCTY 2012, Cloud security (real life) v. Ulf Feger


[Figure: risk matrix – Probability (rows) against Potential Damage (columns)]

Probability: impossible (0), insignificant (1), low (2), medium (3), high (4)
Potential Damage: low (2), medium (3), high (4), very high (4)

Matrix items to evaluate: business processes, use cases, assets
- authentication (item1)
- data transfer (item2)
- ..
each rated for:
• C – Confidentiality
• I – Integrity
• A – Availability

Cell entries as placed on the slide (column positions not recoverable): probability low (2): i4-i, i7-a; medium (3): i1-c, i2-c, i3-c, i3-i, i1-a; high (4): i5-c, i5-i, i5-a, i2-a, i2-c
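The matrix above, as an added worked example that is not part of the slides: each item/dimension pair (i1-c = item 1 authentication, confidentiality) is placed in a probability row and a damage column, the product of the two weights gives a score, and the scores are compared against a risk appetite to find the entries that need assessment or accreditation work. The sample ratings, the numeric weight 5 for "very high", and the risk-class thresholds are assumptions made for this example.

```python
"""Risk matrix scoring for cloud workload items (added example, not from the slides)."""
from collections import defaultdict
from dataclasses import dataclass

# Probability scale exactly as printed on the slide.
PROBABILITY = {"impossible": 0, "insignificant": 1, "low": 2, "medium": 3, "high": 4}
# Potential-damage scale: labels are from the slide; the numeric weight 5 for
# "very high" is an assumption (the slide residue prints it as 4).
DAMAGE = {"low": 2, "medium": 3, "high": 4, "very high": 5}
DIMENSIONS = ("c", "i", "a")  # Confidentiality, Integrity, Availability


@dataclass(frozen=True)
class Rating:
    """One cell entry such as i1-c: item 1 (authentication), confidentiality."""
    item_no: int
    item: str
    dimension: str
    probability: str
    damage: str

    def __post_init__(self) -> None:
        if self.dimension not in DIMENSIONS:
            raise ValueError(f"dimension must be one of {DIMENSIONS}: {self.dimension}")
        if self.probability not in PROBABILITY or self.damage not in DAMAGE:
            raise ValueError(f"unknown scale value in {self}")

    def label(self) -> str:
        return f"i{self.item_no}-{self.dimension}"

    def score(self) -> int:
        """Risk score = probability weight x damage weight (0 when impossible)."""
        return PROBABILITY[self.probability] * DAMAGE[self.damage]


def risk_class(score: int) -> str:
    """Thresholds are assumed for this example; they encode the risk appetite."""
    if score == 0:
        return "none"
    if score <= 4:
        return "acceptable"
    if score <= 9:
        return "review"
    return "unacceptable"


def build_matrix(ratings):
    """Map (probability, damage) -> sorted labels, i.e. the cells of the slide's matrix."""
    cells = defaultdict(list)
    for r in ratings:
        cells[(r.probability, r.damage)].append(r.label())
    return {key: sorted(labels) for key, labels in cells.items()}


def above_appetite(ratings, appetite: int):
    """Labels whose score exceeds the appetite: candidates for assessment/accreditation."""
    return sorted(r.label() for r in ratings if r.score() > appetite)


def render_matrix(ratings) -> str:
    """Plain-text grid: probability rows (highest first), damage columns."""
    cells = build_matrix(ratings)
    cols = list(DAMAGE)
    width = 18
    lines = ["probability / damage".ljust(width) + "".join(c.ljust(width) for c in cols)]
    for p in reversed(list(PROBABILITY)):
        row = f"{p}({PROBABILITY[p]})".ljust(width)
        row += "".join(" ".join(cells.get((p, d), [])).ljust(width) for d in cols)
        lines.append(row.rstrip())
    return "\n".join(lines)


# Constructed sample ratings (not the slide's actual assessment).
SAMPLE = [
    Rating(1, "authentication", "c", "medium", "high"),
    Rating(1, "authentication", "a", "medium", "very high"),
    Rating(2, "data transfer", "c", "high", "high"),
    Rating(2, "data transfer", "a", "high", "medium"),
    Rating(4, "backup restore", "i", "low", "low"),
    Rating(7, "reporting", "a", "impossible", "very high"),
]

if __name__ == "__main__":
    print(render_matrix(SAMPLE))
    for r in SAMPLE:
        print(f"{r.label():6} {r.item:16} score={r.score():2} -> {risk_class(r.score())}")
    print("above appetite (9):", above_appetite(SAMPLE, 9))
```

Anything returned by above_appetite is what the slide's last line points at: those entries go into risk assessment, analysis and, where the workload demands it, accreditation or certification; the rest are documented as accepted under the stated appetite.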

Page 23: PCTY 2012, Cloud security (real life) v. Ulf Feger

The Roadmap towards Cloud Security – a Transformation Process

Concepts, Processes, Tools

Page 24: PCTY 2012, Cloud security (real life) v. Ulf Feger


Cloud transformation phases to your own cloud. Where's your Security? Does it fit to your risk appetite?

[Figure: transformation phases 1–5 towards the Target, each transition spanning IT processes and business processes (BusPro)]
1 Consolidation
2 Virtualization
3 Standardization
4 Automatization
5 Cloud(ization)
(Elimination)

Security elements along the way: GRC, Baseline Security, Approval, VSP, SIEM, Compliance rules, Workflows, Approval, Reporting

The Roadmap to where?

Page 25: PCTY 2012, Cloud security (real life) v. Ulf Feger


4 (simple) examples of underestimated threats

[Figure: four virtualized resource pools (Power VM, VMware, KVM… virtualization; resources), one marked with an x]

Page 26: PCTY 2012, Cloud security (real life) v. Ulf Feger

Requirements and Challenges to cover and solve

Page 27: PCTY 2012, Cloud security (real life) v. Ulf Feger


https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Minimum_information/SecurityRecommendationsCloudComputingProviders.html

Page 28: PCTY 2012, Cloud security (real life) v. Ulf Feger


Eckpunktepapier – Sicherheitsempfehlungen für Cloud Computing Anbieter (Security Recommendations for Cloud Computing Providers)
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Mindestanforderungen/Eckpunktepapier-Sicherheitsempfehlungen-CloudComputing-Anbieter.pdf?__blob=publicationFile

More sources:
• IT-Grundschutz
• BSI-Standard 100-2/100-4
• ISO 27001/2
• Cloud Security Alliance – German Chapter, cloudsecurityalliance.org
• ISF – Information Security Forum, www.securityforum.org
• TMForum – TeleManagement Forum, www.tmforum.org
• EuroCloud e.V., en.eurocloud.de/

Page 29: PCTY 2012, Cloud security (real life) v. Ulf Feger


the result ..

To get the MindMap contact [email protected]

Page 30: PCTY 2012, Cloud security (real life) v. Ulf Feger


Supporting Security landscape – What is the aim of my security?

[Figure: identity and access management landscape laid over Cloud Services / BSS / OSS / Common Cloud Management Platform ("dynamic adaption")]

Actors: Consumer, Business, User, Employee/Staff, Admin(s), Auditor
Channels: Internet, Portal / HTTP Server, Desktop/Client Connection, HTTP (incl. SOAP/HTTP) Connection, Web Services Connection, WS Gateway, ESB (SOA)
Applications and data sources: Windows Apps, Web Apps, Other Apps, HR System, Enterprise Dir, Security Policy Repository, Identity Repository (Person & Account), Identity Store
Functions: Web Authentication and Authorization, Enterprise Single Sign-on, User Authentication, Web Single Sign-on, FedSSO A&A, Identity Mapping, Identity Synchronisation, Provisioning, Reconciliation, Workflow & Lifecycle, Entitlement Policy, User Self-service, Reporting, Provisioning Engine, Log Collect, Audit Log Consolidation, Audit Policy Compliance Reporting, Policy Enforce
Management Domain: Web Policy Mgmt, FedSSO Conf., WS Policy Mgmt, SSO Policy Mgmt
Products: Tivoli Identity Manager (TIM), Tivoli Access Manager for e-business (TAMeb), Tivoli Federated Identity Manager (TFIM), Tivoli Access Manager for Enterprise Single Signon (TAM E-SSO), Tivoli Compliance Insight Manager (TCIM), Tivoli Security Policy Manager (TSPM)

Page 31: PCTY 2012, Cloud security (real life) v. Ulf Feger


Supporting Security landscape – What is the aim of my security ?

[Figure: the same security landscape as on page 30, repeated for several cloud platforms, each with its own Cloud Services / BSS / OSS on a Cloud Platform]

Page 32: PCTY 2012, Cloud security (real life) v. Ulf Feger


[Figure: the security landscape from page 30 mapped onto Cloud Services / BSS / OSS / Common Cloud Management Platform, with Policy Enforce points and the Management Domain (Web Policy Mgmt, FedSSO Conf., WS Policy Mgmt, SSO Policy Mgmt)]

Page 33: PCTY 2012, Cloud security (real life) v. Ulf Feger


[Figure: same view as page 32 – the security landscape from page 30 mapped onto Cloud Services / BSS / OSS / Common Cloud Management Platform]

Page 34: PCTY 2012, Cloud security (real life) v. Ulf Feger


Which challenges have to be solved – a long list, a new list?

IT – "traditional"
• Access control incl. rule based policy management
• User and entitlement management incl. process management and process automation
• Role based separation of duties
• Security policy management
• Security monitoring, auditing, compliance reporting
• SoD for multi tenancy
• Reporting (SoD based) – Security Information and Event Management
• Compliance audit & reporting across the IT infrastructure and processes
• Protection and security for the virtualized environment (network / hosts / VMs)
• Protection and compliance tool for server verification
• Configuration and change management
• Connectivity / linkage with YOUR accounting model (Metering & Rating)

Cloud – (Service) Provider
• Access control incl. rule based policy management
• User and entitlement management incl. process management and process automation
• Role based separation of duties
• Security policy management
• Security monitoring, auditing, compliance reporting
• SoD for multi tenancy
• Reporting (SoD based) – Security Information and Event Management
• Compliance audit & reporting across the IT infrastructure and processes
• Protection and security for the virtualized environment (network / hosts / VMs)
• Protection and compliance tool for server verification
• Configuration and change management
• Connectivity / linkage with YOUR accounting model (Metering & Rating)

Cloud – Service User
User: • Service Offering
Duties: – Authentication – Authorization – del. Administration – pay the bill
Expectations: – SLA Fulfillment – Compliance – Detailed Reporting

Cloud Dynamics

Page 35: PCTY 2012, Cloud security (real life) v. Ulf Feger


IBM Cloud Components – more than Virtualization only

1. Ordering / booking from a service catalogue
2. Integration with Service Desk and IT Asset Management + Processes
3. Provisioning of the service
4. Integration with Storage Area Network (SAN) and network (pool) AND the Security Management
5. Service Discovery, Change & Configuration Management: – Service – Platform
6. Monitoring – Service Monitoring – Platform Monitoring – Performance – Security Alerts – PUMA – …
7. Realtime Management: Event Consolidation rgd. the Business Services
8. Collect, Analyze, and Report -> Accounting based on usage / costs / licence model
9. Visualization of the services related to business targets and Service agreements
10. Management of Service Level Agreements (SLAs)
11. Exit-Management

Service = Software, Platform, Infrastructure (i.e. Composite Application, Physical / Virtual OS, Middleware, Network, Storage)

Not in all cases will all steps exist in a client engagement

[Figure: the steps arranged around Cloud Services / BSS / OSS / Common Cloud Management Platform]

Page 36: PCTY 2012, Cloud security (real life) v. Ulf Feger


Distributed Cloud Setup

Page 37: PCTY 2012, Cloud security (real life) v. Ulf Feger


The Cloud – Layers

[Figure: "Cloud" layer stack, bottom to top]
1 Consolidation
2 Virtualization – Power VM, VMware, KVM… Virtualization; Resources
3 Standardization – Standardization / Service Catalogue / Image Catalogue; Resource Planning (Request / Quota ..), Request Approval Workflow; Provisioning / Usage / Accounting / Billing, Removal; Training, Applications, Test/Dev ...; Repository
4 Automatization – Process Automation Engine, Dynamic Provisioning
5 Secure and highly available private cloud – Monitoring, High Availability, Security: Secure virt. env., Identity & Access Mgmt.

Page 38: PCTY 2012, Cloud security (real life) v. Ulf Feger


[Figure: distributed cloud setup – several virtualized resource pools (Power VM, VMware, KVM… virtualization; resources) located in France, Hungary, China, Brazil and Germany, all served by the shared layers]

The Cloud – Layers
Standardization / Service Catalogue / Image Catalogue
Resource Planning (Request / Quota ..), Request Approval Workflow
Provisioning / Usage / Accounting / Billing, Removal
Process Automation Engine

Page 39: PCTY 2012, Cloud security (real life) v. Ulf Feger


http://www.ibm.com/security/cloud-security.html

IBM Cloud Computing: ibm.com/cloudcomputing, ibm.com/de/cloud/
Trustworthy Cloud: tclouds-project.eu/
IBM Enterprise Security: ibm.com/security
IBM Internet Security Systems: ibm.com/services/security
IBM X-Force® Security Alerts and Advisories: xforce.iss.net
Cloud Standards Customer Council: cloud-council.org/

Ulf Feger
Security Architect, CISSP, CP
IBM Security Systems
Gustav-Heinemann Ufer 120
50968 Köln, Deutschland
Mobile: +49-171-22 619 22
E-Mail: [email protected]

Q&A