Michael Suby
Stratecast VP of Research
July 2014
The cloud will be a growing part of your IT environment. This is inevitable, particularly in consideration of the
following:
Self-Service Proclivity: Findings from a late-2013 Frost & Sullivan survey show that 70 percent of
end users are ignoring IT approval procedures and subscribing to un-vetted cloud services, for a variety
of reasons: to support business objectives, improve productivity, and foster innovation. Can your
organization mitigate the security risks associated with uncontrolled and invisible use of Software as a
Service (SaaS)?
Opportunities in the Internet of Things: The eve of the Internet of Things is here, as the ability to
send and collect burgeoning streams of data is no longer technologically constrained. Similarly, producing
actionable insights from this data mountain is no longer on the horizon, but aided by the elasticity of
the cloud. Readying your organization to skillfully ride the twin waves of the Internet of Things and Big
Data & Analytics cannot wait, but are you prepared to tackle the information security challenges that
arise when the cloud is part of the equation?
Addressing these questions is feasible through proactive and sensible risk management. While information
technology does move rapidly and with a degree of unpredictability, a comprehensive risk management approach,
designed to flex and adapt, enables organizations to embrace cloud services with security confidence.
In this paper, we present a straightforward approach to cloud security. The structural foundation of this approach
will not only assist in mitigating the risks associated with cloud deployments and usage, but also improve and
standardize your security posture and practices across all your environments (public and private clouds as well
as bare metal server clouds), and allow you to skip future security overhauls brought on by the emergence of new
types of information technologies and security threats.
The cloud, and the technologies that underlie it, offer a rich set of benefits. However, without a clear
understanding of the security risks and the threats that underlie those risks, and how those risks vary by cloud
model, cloud benefits lose their luster, and serious consequences can occur, such as: disrupted operations, data
breaches, intellectual property (IP) theft, compliance violations, and brand damage. Moreover, the direct and
indirect costs of these and other consequences, and the restrictions that follow, will neutralize the benefits
anticipated with cloud adoption.
Compared to on-premises private data centers (i.e., traditional environment),[1] cloud usage introduces
incremental risk. Yet, as we propose, this escalation of risk is controllable such that the benefits and risks of using
the cloud can be balanced. In essence, driving toward the same security objectives as in traditional environments
is the right path when using the cloud.
Insulate from Cyber Threats: Defend against threats coming from the Internet and through trusted
yet compromised devices.
Protect Data: Isolate and protect data of value throughout its entire lifecycle: in use, at rest, in
transit, and in retirement.
Control Operations: Ensure that oversight and visibility over computing and security operations, and
people-based processes, is continuously effective and compliant with industry standards and government
regulations.
[1] On-premises includes data centers as nodes on either the organization's local area network (LAN) or private wide area network
(WAN). In either case, the data center is part of a dedicated private network.
Private Cloud: A cloud environment in which the virtualized server infrastructure is dedicated to a
single enterprise. The dedicated environment (sometimes called a virtual private cloud) may be hosted
in a cloud provider's data center, thus enabling enterprises to have the privacy associated with a
dedicated environment without the full capital investment of a data center. Or, the private cloud could
be hosted in the enterprise's own data center.
Public Cloud: A shared computing environment in which infrastructure is hosted in a cloud service
provider's data center. The cloud service provider offers computing and storage capacity on demand,
through self-service portals, to subscribers paying for the capacity they use.
Hybrid Cloud: An environment that allows enterprises to configure and manage multiple cloud
environments (public or private, on-premises or hosted) as a single resource pool, through a common
management console.
The Public Cloud Model is Built on Multi-Tenancy: Multi-tenancy drives individual tenant costs
downward, a cloud benefit. However, multi-tenancy also increases the potential of cyber-attacks, both
from the outside and the inside. From the outside, a public cloud provider is a large, attractive target,
and is a collective of tenants, which are also potential targets. Once through the shopping mall's doors,
so to speak, each tenant becomes a potential victim. From the inside, malicious actors can also be cloud
subscribers who stage attacks against and eavesdrop on their co-tenants. Ironically, the elasticity benefit
of the cloud is not limited to legitimate users. Malicious actors can also use the cloud's elasticity to
amplify their exploits; for example, building a dynamic botnet army, which may force the cloud
provider to take steps to stop the botnet, thereby also affecting legitimate services to the other tenants.
Security is a Split Responsibility: Contrasting with the fully owned and operated foundation of
traditional environments, in all three of the prevalent public cloud models, Infrastructure as a Service (IaaS),
Platform as a Service (PaaS), and Software as a Service (SaaS), security is a split responsibility between the
cloud provider and its subscribers (tenants), with the level of responsibility in the hands of the cloud
provider growing in moving across the models from IaaS to SaaS (see the table that follows). Similarly,
visibility into the cloud provider's security operations is not as deep or deterministic as in traditional
environments. Consequently, cloud tenants are indirectly asked to trust without full verification. For
example, vulnerability scanning and remediation is part of the cloud provider's security responsibilities (e.g.,
of virtual network interfaces and the hypervisor in IaaS, and up through the application software in SaaS); but
the frequency and depth of vulnerability scanning, and the prioritization of remediation, are determined by the cloud
provider, not individual tenants. Similarly, identifying and mitigating security incidents and configuration
errors attributed to the layers of the cloud infrastructure under the cloud provider's purview are also
outside the line of sight of the tenants. In cloud environments, the strength of security is partially dependent
on the strength of the security operations and administration conducted by the cloud provider.
Table: Security responsibility by cloud layer across Traditional Environments, IaaS, PaaS, and SaaS (layers shown include Data, Hypervisors, and Process and Memory). In traditional environments every layer is fully owned and operated in-house; in the cloud models each layer falls under either the cloud tenant's responsibility or the cloud provider's responsibility, with the provider's share growing from IaaS to SaaS.
Workload Mobility: Also linked to the lower cost value proposition of the public cloud is the
infrastructure-optimizing mobility of virtual workloads among the cloud provider's physical servers and
data centers. Yet, unlike a workload hosted in a dedicated server, in which circles of protection are
nailed up to protect that workload, similar protection is more difficult to sustain when virtual workloads
move. These security protections must be as mobile as the virtual workloads themselves, without loss of
integrity.
All Users are Remote: Another advantage of the public cloud, but also an elevated security risk, is
that all users are remote. While beneficial in supporting anywhere access from any device, versus more
restricted access from only company locations and company-issued devices, the inherent user validations
(e.g., an ID card for building access, a password for LAN access, and a registered device ID) are not always
present. Consequently, the flow of data into the wild is a higher risk with public cloud services.
Additionally, expanding use of SaaS contributes to risk through credential sprawl and users' coping
mechanisms (e.g., repeated use of easy-to-remember passwords), plus account management challenges
(e.g., terminating access to multiple SaaS services following an employee departure).
The combination of continuous evolution in security threats and organizations' adoption of new information
technologies has been met with a history of innovation in security. As either threats or IT changed, security has
also changed, either by adapting or through the development of new security categories and practices. Helpfully
for securing the cloud, security technologies and their foundational concepts that are already practiced in
traditional environments can be fitted to the cloud. This does not mean that securing the cloud is a simple
process of porting security technologies from traditional environments. Rather, the core precepts are present to
be effective in securing cloud environments, but must be implemented with a thorough understanding of the cloud's
incremental risks and uniqueness.
Also, and as will be discussed later, choice is expanding for cloud users, particularly with IaaS. For IaaS, cloud
users have expanded choice in selecting the optimal mix of performance, privacy, and price for each of their
workloads. Their choices include: public cloud (virtual server, public network connection); private cloud (virtual
server, private network connection); and bare metal cloud (dedicated server, private network connection).
The principal security technologies and concepts needed to secure cloud environments include the following:
Segmentation and Isolation: Public clouds' multi-tenancy demands that organizations establish and
maintain virtual walls around each of their workloads and the network traffic that flows to and from
workloads and among workloads. This effort is essential in shielding workloads and data from other
cloud tenants and cloud administrators, and, from a performance perspective, in assuring that the workload
is not crowded out of its necessary compute, storage, and networking resources. Depending on the
workload, best-effort performance is intolerable; verifiable service level agreements (SLAs) are essential.
Threat Detection and Mitigation: Threats designed to disrupt operations, undermine integrity, or
eventually sow the seeds for data exfiltration are omnipresent. Cloud providers recognized this and have
built threat detection and mitigation technologies and procedures into their operations to serve all of
their tenants; and, naturally, to maintain service uptime and integrity. Yet, with the micro-targeting of
advanced threats, the cloud provider's threat detection is not a panacea. Adding a second layer of threat
detection is an advisable practice for all cloud tenants, to defend against the external threats that evaded
the "for everyone" threat detection of the cloud provider.
Security Information & Event Management (SIEM)/Log Management: No defense will ever
be completely impenetrable; there must be a backstop of non-stop collection of data to discover early
warning signals of multi-stage exploits. Continuing on the same path as in traditional environments, next-generation
SIEM and Log Management forms this essential backstop in cloud environments. For
maximum effectiveness, data collection must be broad, from the network layer up through the
application layer; monitoring must be conducted on a real-time basis, and produce outcomes that are
grounded in context. In circumstances where a hybrid approach is used, a mix of private data center
(traditional environment) and public cloud, the SIEM and Log Management capabilities must seamlessly
span both environments. Additionally, security intelligence must be equally comprehensive in spanning
external and internal factors, in order to filter what can be a mountain of daily security issues to a more
manageable, prioritized few.
Incident Response and Forensics: Despite best efforts to protect virtual workloads in cloud
environments, the potential of a major security incident still exists and must be handled with expedience
and prudence. Cool heads prevailing in the heat of the moment is a noble aspiration, and planning and
rehearsal are critical to ensuring that they do. Forensics is also essential, to gauge the exploit's extent and, of
equal importance, to guide defense-tightening adjustments. Comprehensive SIEM and Log Management
capabilities are essential in supporting both incident response and forensics.
Identity & Access Management: As previously stated, the remoteness (i.e., access from any device,
from anywhere) of public cloud services, and the proliferation of SaaS subscriptions, intensify the
necessity of an Identity & Access Management (I&AM) system to control user access privileges across
private and public environments. Automating subscriber management functions (i.e., bulk SaaS
enrollments, self-service password administration, and revocation of access privileges for departed
employees across all environments) is also important. Reporting on user log-in activity, also a
function of I&AM, assists in discovering questionable activities by users and administrators, and in
assigning the costs of cloud services to individuals and departments. Last, single sign-on lessens
credential sprawl and the user time spent resetting forgotten passwords and logging into each SaaS
subscription individually.
Data Protection: Data breach news stories are far too common; and, with certainty, there are
countless more data breaches that are either undetected or not publicly reported. Several coordinated
approaches assist in mitigating the risk of data breaches (e.g., segmentation and isolation, vulnerability
testing, SIEM, and I&AM). Encrypting valuable data in all of its modalities (at rest, in motion, and in
use) should also be used. Of equal importance, the cloud user's encryption keys should be inaccessible
to the cloud provider, to eliminate the potential that the cloud provider can access tenant data, and to
ensure that data erasure in the cloud is complete (i.e., by destroying the encryption keys).
Secure Software Development: Secure software development has long been advocated by security
professionals as essential in systematically reducing the frequency and severity of software vulnerabilities.
Considering the heightened exposure in public cloud environments, the importance of secure software
development is equally heightened.
Vulnerability Scanning and Patch Management: Even with devotion to secure software
development, vulnerable software still exists, if for no other reason than threat actors continuously
advancing their techniques. Also, other layers of software lie below (e.g., the operating system) or to the
side of applications (e.g., browsers, drivers, and readers), and are subject to vulnerabilities. Periodic
vulnerability scanning and regular patch management is a good standard practice, and one that takes on
greater importance considering that vulnerabilities in the configuration of a virtual workload will
remain with each new virtual instance of the workload, until the vulnerabilities are discovered and
effectively removed from the workload's configuration profile.
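The Data Protection item above asks for two things at once: tenant-held keys the provider cannot read, and complete erasure by destroying those keys. The following Go program is an added example, not code from the paper or from IBM, of envelope encryption that does both: a hypothetical TenantKeyStore holds a key-encryption key (KEK) outside the provider, each object gets its own data key (DEK) that travels to the cloud only in wrapped form, and destroying the KEK renders every stored object unrecoverable (crypto-shredding). AES-256-GCM from the Go standard library stands in for whatever cipher a real deployment uses; the key store and object layout are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ErrKeyDestroyed is returned once the tenant has shredded its key-encryption key.
var ErrKeyDestroyed = errors.New("tenant key-encryption key destroyed")
// CloudObject is all the provider ever stores: ciphertext plus a wrapped data key.
type CloudObject struct{ WrappedDEK, Ciphertext []byte }
// TenantKeyStore (hypothetical, for this example) models key material the tenant
// keeps outside the provider's reach, e.g. an on-premises HSM or KMS.
type TenantKeyStore struct{ kek []byte } // 256-bit KEK; nil once destroyed

func NewTenantKeyStore() *TenantKeyStore { return &TenantKeyStore{kek: randomBytes(32)} }

// randomBytes draws n bytes from the OS CSPRNG; failure here is unrecoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-256-GCM for a 32-byte key; every key in this file is that size.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a key that is not 16, 24 or 32 bytes
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES (128-bit block size)
	return gcm
}

// seal encrypts and authenticates plaintext, prefixing the random nonce.
func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open verifies the authentication tag and returns the plaintext, or an error.
func open(key, sealed []byte) ([]byte, error) {
	gcm := aead(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt draws a fresh per-object data key (DEK), encrypts the data under it and
// wraps the DEK under the tenant KEK. The plaintext DEK never leaves this function.
func (s *TenantKeyStore) Encrypt(data []byte) (*CloudObject, error) {
	if s.kek == nil {
		return nil, ErrKeyDestroyed
	}
	dek := randomBytes(32)
	return &CloudObject{WrappedDEK: seal(s.kek, dek), Ciphertext: seal(dek, data)}, nil
}

// Decrypt unwraps the DEK with the tenant KEK, then opens the object with it.
func (s *TenantKeyStore) Decrypt(obj *CloudObject) ([]byte, error) {
	if s.kek == nil {
		return nil, ErrKeyDestroyed
	}
	dek, err := open(s.kek, obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Ciphertext)
}

// Destroy zeroises the KEK. Every DEK wrapped under it, and so every object left in
// the cloud, becomes unrecoverable: complete erasure without the provider's help.
func (s *TenantKeyStore) Destroy() {
	for i := range s.kek { s.kek[i] = 0 }
	s.kek = nil
}
```

Because the provider only ever holds WrappedDEK and Ciphertext, a provider-side copy, snapshot or backup made before Destroy is just as unreadable afterwards as the live object.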
While people and processes are essential in all security endeavors, the third leg of the stool, technology, is
equally critical. Even with top-flight security personnel and vetted processes, when combined with sub-standard
security technologies, security efficacy suffers. With this in mind, we recommend the following subset of
attributes that should be at the top of the list in selecting security technologies for use in cloud environments.
Consistent with our perspective that cloud usage introduces additional security risk, we segmented the security
technology attributes into two categories: (1) enterprise-class, and (2) cloud-class. Although these categories are
not mutually exclusive (i.e., cloud-class attributes are beneficial in traditional environments and vice versa), the
cloud-class attributes reflect a step up in functionality needed in cloud environments, as organizations advance
their use of cloud services from trial and tactical to routine and strategic.
Enterprise-class
Best-of-Breed: Under the reasonable assumption that the short-listed security technologies are
similar in security functionality, best-of-breed entails other comparative characteristics, such as:
performance (i.e., as a bump in the wire), modularity, interoperability, and efficient administration. Vendors'
business stability, commitment to research & development, and customer support are also part of the
best-of-breed attribute.
Compliance Friendly: The reach of regulations, including data sovereignty laws, continues to expand.
Easing the burden of compliance substantiation, and minimizing the length and severity of non-compliance
instances, are also enterprise-class attributes.
Unit- and Role-Based Administration: Lines of business and corporate services (e.g., finance,
human resources, and legal) are examples of distinctive units within the broader organization that either
need or want autonomous administrative control over their security policies. In following the best
practice of least access privilege, role-based administration is also needed in enterprise-class security
technologies.
Cloud-class
Rapidly Deployable and Highly Automated: These are hallmark characteristics of cloud services.
Matching these characteristics in constructing security around each virtual workload and network flow is
essential in retaining, in full, the primary reasons for adopting cloud services.
Single Pane of Glass Extensibility: One administrative interface for traditional environments and
another for cloud environments leads to fragmented security policies, compliance uncertainty, and
inefficient security operations. Furthermore, flexibility to move workloads between traditional and cloud
environments is hampered without single pane of glass extensibility. In expanding into the cloud, a cross-environment
administration interface is highly desirable.
Adaptable: Just as cloud providers' share of security responsibility varies across cloud models,
variation also exists in the security operations and practices among cloud providers in the same cloud
model. Optimally, variation in each cloud provider's security attentiveness, and the means to verify
that attentiveness, is known; so, as a workload is placed in a cloud provider's environment, the tenant's
security responsibility is right-sized. In other words, tenant security is automatically and seamlessly
adaptable to conditions of the environment and the context of the workload (e.g., contains sensitive data
or a business-critical operation versus contains data of little value to would-be hackers; or performance
fluctuations, within reasonable bounds, are tolerable). This adaptability enables organizations to exercise
wider discretion in choosing cloud providers, and in deciding which workloads are cloud candidates.
Cloud security can be accomplished, and accomplished well, but not by chance; planning is paramount. The
relative newness of the cloud and its unique challenges do not lend cloud security to a "learn as we go"
proposition; knowledgeable and tenured expertise is needed from the start.
IBM is thoroughly equipped to help organizations adopt cloud securely. The company is well-known for its
lengthy and deep history in IT security. Even before the cloud became that next turn in IT, the company
developed its evergreen Security Framework. Designed to establish a pragmatic framework to address the
security challenges of complex private data centers, the same framework elements are extensible into cloud
environments. Furthermore, with cloud security requiring a holistic approach rather than a piecemeal one, the history
of IBM is replete with examples of organic growth and best-of-breed acquisitions (see the timeline that follows) in
creating a comprehensive portfolio of security technologies (software and virtual appliance) and professional
and managed security services.
Figure: IBM Security timeline, 1976 to 2013 (Source: IBM). Milestones shown, through organic growth and acquisition, include mainframe and server security; directory integration; identity management; access management; network intrusion prevention; SOA management and security; data management; risk management; enterprise single sign-on; application security; database monitoring and protection; security intelligence; endpoint management; information and analytics management; and the creation of IBM Security in 2012.
Building on experience from client engagements, in-house thought leaders, and one of the world's largest IT test
beds (itself), IBM developed its Cloud Computing Reference Architecture (CCRA) to guide adoption of cloud
services. Naturally, security is foundational to this architecture.
From CCRA to client engagements, IBM drives a best practice, strategic approach built on three steps that
leverage multiple components from IBM's broad security portfolio:
Figure: IBM's three-step approach (Source: IBM). The step labels that survive are "1. Define", "2. Identify the security measurements needed", and "3.", alongside the boxes "IBM Security Model" and "Revised Component Model"; the security components listed are Security Intelligence, People, Data, Applications, Infrastructure*, Secure Application Development, and Endpoint Management.
SoftLayer Private Cloud: On-demand provisioning of single-tenant virtualized servers hosted in
SoftLayer's data centers, with customer connectivity via a private network port.
SoftLayer Public Cloud: A public cloud Infrastructure as a Service hosted in SoftLayer's data
centers.
Combined, these three SoftLayer services provide IBM customers with cloud infrastructure services without
compromise in supporting their varied workloads.
Security in a fast-paced, technology-infused world cries out for an "invest once and deploy everywhere" approach. For
this to be realized, security must be planned in advance and built in, yet still be fluidly adaptable to circumstances,
and singularly controllable. Lacking this type of security approach, the practice of security in the cloud will be on
a path of reactiveness, with expensive and sub-optimized operations.
IBM has the essential assets to make security work in the cloud:
IBM has a proven and comprehensive portfolio of security technologies that are extensible into cloud
environments. All the technologies that we referenced earlier in this paper are present in IBM. The
company also has security solutions designed for unique security challenges present in cloud
environments (e.g., mitigating hypervisor vulnerabilities). Additionally, IBM's adherence to standards
allows the integration of clients' existing standards-supporting assets.
IBM's approach to cloud adoption and security is strategic (advancing business through use of cloud),
holistic (a cloud environment is a dynamic instance of a private data center, and must encompass all of
the same security best practices), and proactive (discover and remediate vulnerabilities ahead of
threats).
And like the private data center, cloud security operations are 24x7. IBM's professional and managed security
services teams bring the expertise, and the proven and reliable practices, that client organizations need.
Michael Suby
VP of Research
Stratecast | Frost & Sullivan
msuby@stratecast.com
Silicon Valley
San Antonio
7550 West Interstate 10, Suite 400
San Antonio, Texas 78229-5616
Tel 210.348.1000
Fax 210.348.1003
London
4, Grosvenor Gardens,
London SW1W 0DH, UK
Tel 44(0)20 7730 3438
Fax 44(0)20 7730 3343
877.GoFrost myfrost@frost.com
http://www.frost.com
ABOUT STRATECAST
Stratecast collaborates with our clients to reach smart business decisions in the rapidly evolving and hyper-competitive Information and Communications Technology markets. Leveraging a mix of action-oriented subscription
research and customized consulting engagements, Stratecast delivers knowledge and perspective that is only
attainable through years of real-world experience in an industry where customers are collaborators; today's
partners are tomorrow's competitors; and agility and innovation are essential elements for success. Contact your
Stratecast Account Executive to engage our experience to assist you in attaining your growth objectives.
Auckland
Dubai
Moscow
Silicon Valley
Bahrain
Frankfurt
Mumbai
Singapore
Bangkok
Oxford
Sophia Antipolis
Beijing
Istanbul
Paris
Sydney
Bengaluru
Jakarta
Rockville Centre
Taipei
Buenos Aires
Kolkata
San Antonio
Tel Aviv
Cape Town
Kuala Lumpur
São Paulo
Tokyo
Chennai
London
Sarasota
Toronto
Colombo
Manhattan
Seoul
Warsaw
Delhi / NCR
Miami
Shanghai
Washington, DC
Detroit
Milan
Shenzhen