Security in Cloud Computing

Editor's Notes

• #5: IT has many challenges ahead of it, and behind it. Rephrased sometimes but all challenges just the same. We are going to look at a few trends going on in this environment that you may or may not be aware of.
• #6: The graphic on the center-left of the slide depicts ”Today’s data center”, showing a group of servers associated with a building. The servers are enclosed in a box with three figures in each corner – a clock, security guard, and a certification badge. The arrow mark points from this graphic to another on the right, which depicts ”Tomorrow’s cloud environment”. This graphic shows a group of servers inside a figure of a cloud and overlaid by numerous question marks. These servers are associated with a map of the world. When you are considering a new technology such as cloud, there are always challenges and dependencies that need to be addressed. This chart summarizes many of the concerns that customers have expressed. On the left, the well-known established environment which, while well understood, stable and secure, is costly, slow to change and labor intensive. On the right, the cloud environment with the value proposition we have discussed, but with a lot of uncertainties. It is not the intention in this session to try to answer all of these questions, only to recognize that these challenges exist and that IBM has answers to them. However, it is also fair to say, that not all the answers will satisfy the needs of all enterprise workloads. There are workloads (understood as IT usage scenarios, be that by developers, testers or end users) for which the cloud is not suited, that best reside in the enterprise data center, behind the enterprise firewall. However, there are workloads that fit well into a cloud context, for example the majority of development and test activities and many production workloads with less sensitive data (for example web servers with static content). The challenge is therefore to identify the workloads for which the cloud is “good enough.”
• #7: Infrastructure Leverage Virtualization of Hardware - Drives lower capital requirements Utilization of Infrastructure - Virtualized environments only get benefits of scale if they are highly utilized Labor Leverage Self Service - Clients who can “serve themselves” require less support and get services Automation of Management - Take repeatable tasks and automate Standardization of Workloads - More complexity = less automation possible = people needed
• #10: IBM is unique in offering a range of deployment models based on your workload requirements. Deployment models 1 and 2 fall under Smart Business Development and Test Cloud, which comprises private cloud services, behind your firewall, on premise. Deployment models 3 and 4 fall under Smart Business Development and Test on the IBM Cloud, which leverages standardized services on the IBM Cloud. This slide illustrates the five cloud delivery models – private cloud, managed private cloud, hosted private cloud, shared cloud services and public access to cloud services, and the features of each model. Model 4 is outlined to indicate that it is the deployment model that IBM Smart Business Development and Test on the Cloud leverages.
• #11: We also asked our panel of 1,090 what factors would keep them from using a public cloud service. Respondents could select multiple items and were asked to rank factors of a scale of 1 to 5, where "1" means "Not a Significant Barrier" and "5" means “A Very Significant Barrier." Concerns about security and privacy of company data represent the most significant barrier to public cloud services. Concerns about service quality – both the computing services and responsiveness of delivery over the Internet – also ranked high, as did doubts about the promises of cost savings.
• #13: Security is a basic requirement within any IT environment. Security is like a seat belt, you only appreciate it after it saves you in an accident. Security in a Cloud is really no different from security in any highly distributed environment. Where is becomes different is who provides security capabilities, which varies depending on the type of Cloud. In a Software as a Service environment, more responsibility falls on the provider as they are not only providing data storage and processing, but the actual application which is being used. In Infrastructure as a Service models, the cloud provider is purely a custodian of the data and processing, data, applications and processing is opaque to the provider, they simply provide the resources which one uses. We will focus on Infrastructure as a Service offerings that IBM is building as public clouds. Each stake holder in an IT environment has a different perspective on security, ultimately confidence in a cloud provider is a matter of trust. Just as an outsourcing situation is a matter of trust, though trust is built with contractual obligations that the provider must meet. Clouds introduce a more homogenous environment, which allows for less customization (generally) on a contractual basis.
• #14: Governance means control. Within a traditional IT center, or a private cloud, the customer maintains control over all systems, data, and processing which is done. When one moves to a public cloud (or a hybrid cloud) one is trusting the cloud provider to maintain control over the data and processing in a responsible manner. Trust is built by the provider being open about how they handle a customers data and processing within the provider controlled infrastructure. As with an outsourcing situation, the cloud provider needs to clearly demonstrate that they have security controls and policies which they manage their systems to. The provider also needs to clearly delineate their role, and what the customer is expected to do. Compliance. There is not any one size fits all approach to compliance, as there are a variety of different regulations, rules and policies which affect different environments. A cloud provider must have adequate controls in place that allow one to be compliant with their different regulations. In the case of the IaaS environment, these generally fall into how the provider manages the underlying infrastructure, how they monitor and audit the environment, how they handle privileged access to the infrastructure, how they assure customers that they are separated from other customers. Our current infrastructure-focused service products, customer data is opaque to the provider. Provider is a custodian of the data, and does not touch the customer data. Typically in industry-specific compliance policies, from an infrastructure perspective, deal with: Managing privileged access Auditing of accesses to data by provider staff Policies and practices for dealing with incidents For IBM, these are standard security items, handled in a controlled way in our data center operations Logging Infrastructure systems enable operating system audit capabilities End to end operation flows are logged and auditable Audit log data is retained for 90 days Logs are monitored and incident tickets raised for any actions which are not permitted. Intrusion Infrastructure is monitored by Intrusion Detection & Protection systems (IDS/IPS) Internet points of ingress and egress are monitored with IDS/IPS Future - will provide customer specific IDS/IPS through hypervisor introspection technology Reporting Internal reporting of security incidents through monitoring of audit data Future - customer level reports of actions which affect/alter the security of the infrastructure that directly relates to their resources. Security Management. Fundamental in any cloud environment is the separation of customers from each other, and from the providers infrastructure. Our IaaS offerings provide multi-tenancy through providing multiple instances of operating systems on a single hardware platform. Our cloud offerings provide this through a variety of mechanisms, some of which depend on how the customer wants to interact with our cloud. Through a technology called Trusted Virtual Data Centers (TVDC) customers can specify firewall rules that apply to their guests. TVDC differs from host based Firewalls in the guest operating systems, by instantiating the rules at the hypervisor level, by doing this, the management and enforcement of the firewall rules is moved out of the guest operating system. This means that if a guest were to be compromised, the firewall rules would still be enforced. Customers manage these facilities from the management portal. We also offer VLAN separation for those customers who wish to have effectively a dedicated network. Customers using this model, would connect from their enterprise via an IPSEC VPN, and all their guest operating systems would exist on a dedicated VLAN segment within the infrastructure. In all cases, the customer is responsible for managing the guest operating systems. IBM does not access or touch guest operating systems once they have been instantiated and turned over to the customer (with the exception of terminating instances based on customers utilization of the management portal). Persistent storage is provided through the use of Virtual Disk Drives (VDD). A VDD is simply a file that is attached to a guest operating system as if it were a physical disk drive. The guest sees this as a block device. The infrastructure manages the file services, with each customers VDD's being contained on a separate file system, with file permissions associated to a unique UID for that customer. Guest operating systems will run under this UID, therefore ensuring that the hypervisor controlled files can only be accessed by that particular customer. Mechanisms Hypervisors - enforces separation of operating system instances within a single physical hardware system. Provides a “logical” air-gap between customers Network Separation Firewalls - Customer controlled implemented independent of the operating systems at the hypervisor utilizing Trusted Virtual Domains Virtual LANs Customers can choose to have their guest images on a dedicated virtual LAN VLANs connect back to the customer using Virtual Private Networks Data Security. As stated before, the infrastructure controls access to customer data. There are effectively two types of data storage that we deal with, ephemeral and persistent storage. Ephemeral storage is a resource local to a hypervisor instance. It represents temporary runtime storage that is not persistent across termination and re-start of a virtual machine. Persistent storage was discussed before, and represents storage which persists even when a virtual machine is not running. One key issue is the concept of "object reuse". Since both ephemeral and persistent storage may contain customer data, simply deleting the storage resource when it is no longer needed (in the case of the persistent storage, when the customer specifies to destroy that storage from the management portal) is insufficient, as re-allocation of the blocks may allow for access to old data. Our cloud offerings will make use of secure deletion capabilities which will use a US Department of Defense "scrubbing" algorithm to overwrite files BEFORE they are deleted. Such a "scrubbing" operation overwrites the disk blocks associated with the file with random patterns of data, thereby eliminating all vestiges of the original data. This is applied to both ephemeral and persistent storage. Data Protection Customers provided with the ability to create “virtual disk drives”(VDD) (files which are presented to virtual machines as block devices). Customer can utilize operating system and application level encryption against these as they are accessed as native file systems to the guests. Each customers data is stored in a unique “file set” within the CC storage structure Access Control Lists (ACL’s) are used to ensure separation of customers. Guests run as a specific “customer” user. ACL’s on files are set to that user. Data Destruction Any data on disk is securely erased using a US DoD algorithm when deleted Ephemeral storage - when the storage is no longer used by a virtual machine Customer VDDs - when deleted from the management console. Security for Cloud Management. Customers manage virtual machines (creation, instantiation, deletion) and VDDs through a web portal interface. This portal application authenticates customers using what is known in IBM as "web identity". This is a unique username and password in an IBM controlled LDAP repository, in the future we will support federated identities so that customers do not need to maintain a separate userid and password for access to the management capabilities. This portal application uses its own LDAP to determine the authorizations which a given customer user can perform. Customer administrators control authorizing other users to perform operations against only that customers resources. The portal does not provide any mechanism to interface directly to a customers guest operating systems, it only provides the means to manage instances of guests and persistent storage. The portal is built using various tivoli security capabilities, including IBM Directory Server and Web Seal. The portal interfaces with a set of systems we call the "common cloud management platform". Portal operations drive automation work flows, and all operations are logged such that each action can be traced back to a specific customer user who initiated the operation. Administrative Portal Authenticated via Web Identity Authorized via Portal Access Controls Provides interfaces to initiate automated work flows for discrete tasks Customer manages the privileges of their user base Operations logged - end to end transaction auditing Operating Systems Guests Once provisioned IBM has no direct access to the guest VM;s Customers provided with initial SSH Key pair or Administrative password Customers MUST change these and any middleware administrative passwords upon taking control over the guest Malicious Insider. As discussed in the loss of governance topic, the cloud provider maintains privileged capabilities against the infrastructure. Since the data and processing exist within that infrastructure, there always exists potential mechanisms for access to the individual customer resources. How the cloud provider manages this privileged access, and ensures that provider administrators do not behave inappropriately is key. First, we extensively use automation. Automation allows for very specific work flows to be performed, and as previously mentioned the initiation of these work flows can start from the portal (or may be initiated by monitoring of the infrastructure - for example, detecting that a physical system is failing and moving virtual machines to a different physical machine). All steps in the work flow are logged, so that an audit trail is maintained. While automation will be the means by which the bulk of the management of infrastructure will be performed, there will always be cases where an administrator will have to access aspects of the infrastructure. This may be for trouble shooting problems, or may be needed for unanticipated situations. IBM will manage the infrastructure to the same corporate security policy that we use for our internal data processing systems. This is called ITCS104 (though the name is not really important, what is important is that we have an established policy that governs our management of the infrastructure). Once provisioned, IBM maintains no access to the customers virtual machines (we do provision machines with initial SSH Key pairs, or administrative passwords, and customers should change those immediately upon gaining access). Should an IBM administrator need access to a customer VM, the customer would have to explicitly enable a username and password for that access on the individual virtual machine, and delete that user immediately. As it relates to the infrastructure, each administrator will use a unique user id and password (we do not allow for shared id's, in fact, the automation also authenticates to the infrastructure using a unique user id). The use of root/administrator ID's is explicitly prohibited. Administrative users are granted privileges following the "least privilege" principle. Administrators are only granted those privileges needed to fulfill their role. All operations performed against the infrastructure systems are logged, and monitored. Should an administrative user perform an action such as accessing a customers VDD, this will raise a security alert, identifying that a specific user performed an unauthorized action. IBM will then apply our Business Conduct Guidelines for disciplinary action, as customer data is considered highly confidential, and therefore subject to disciplinary action which may require termination of the employee. The need for an individual to have a privileged identity against infrastructure is reviewed quarterly (per ITCS104) as well as on an annual basis. Identities are removed immediately upon an employee leaving the company. Automation Not a traditional Security construct Automation assures control over specific administrative tasks which are broken down to well defined work flow sequences. Automation is audited end to end to be able to re-construct a given work flow Human Administration All infrastructure components are managed/operated to the same policies as IBM Internal systems (ITCS104). Shared user ID’s are prohibited. Each administrative user uses their own ID to authenticate. User authorizations assigned based on least privilege principles. IBM’s business conduct guidelines provide the framework for disciplinary action should administrative privileges be abused.
• #26: The graphic on the slide consists of a conceptual image representing a hybrid cloud. In the upper left corner is a public cloud, in the upper right corner is a cloud that is trusted or private, and at the bottom are enterprise resources, connected to resources in the two clouds through the Internet. The enterprise resources are the base for providing management and governance of cloud software, applications and workload. The diagram illustrates the path that many enterprises are on to have a hybrid environment, often called a hybrid cloud, consisting of one or more cloud implementations with the characteristics we discussed earlier, combined with a ‘classic’ enterprise data center infrastructure. Some see this as a threat to the enterprise data center; others see it as an opportunity to expand beyond the data center to provide new levels of service, speed and cost efficiency. Irrespective, the disciplines and competencies of most types of IT professionals are evolving to encompass cloud concepts. Some of these disciplines are highlighted here, including IT infrastructure management, security and integration. IBM is uniquely positioned to help enterprises and their IT professionals through this evolution, based on best-of-breed offerings in both the enterprise data center and the cloud.
• #28: This chart depicts the common attributes of cloud computing and the associated business impact of what a cloud-enabled enterprise can accomplish. A cloud environment enables self‑service, resulting in projects being able to get started very quickly, and self provisioning or rapid provisioning. Some of the key functionalities include: Server and storage—IT resources from servers to storage, network and applications are pooled and virtualized to help provide an implementation-independent, efficient infrastructure, with elastic scaling—environments that can scale up and down by large factors as demand changes. Self-service portal—”Point-and-click” access to IT resources. Automated provisioning—Resources are provisioned on demand, helping to reduce IT resource setup and configuration cycle times. Service catalog ordering—Uniform offerings are readily available from a service catalog on a metered basis. Flexible pricing—Simple predefined bundles or pay by consumption with metering and subscription models help make pricing of IT services more flexible. The graphic on the slide consists of a box separated by a diagonal line with a picture of a cloud in between. The upper-left part of the box is white in color and has the words “Cloud accelerates business value across a wide variety of domains.” The lower-right section of the box is shaded in blue. An arrow mark above the box indicates the transition from a legacy development and test environment to one that is cloud-based.
• #29: The image is a screen capture of a portion of IBM Smart Business Development and Test on the IBM Cloud developer Internet site, and highlight showing a “View demo” function. The ‘view demo’ graphic is a link to a demo pop-up. Nine 32- and 64-bit configuration options allow you to pick the virtual machine (VM) instance sizes that best fit your needs. With the persistent storage option, you can order blocks of persistent storage to use with a virtual machine instance for longer term storage of content. Small (256 GB), medium (512 GB) and large (2048 GB) blocks are available. IBM standard and add-on support services can help enhance the availability and security of your development and test environment. Standard services: Technical support for all services—available through the web portal and by checking the online Cloud Service forum pages after log-in. Around-the-clock monitoring and management of the IBM cloud infrastructure, including: Security activities for the IBM Cloud Center base infrastructure to govern access to and use of our services Scheduled maintenance for the IBM Cloud Center base infrastructure to maintain our services Fee-based add-on services: Remote on-boarding support to help account managers and end users learn how to navigate and use the self-service web portal Premium support—around-the-clock telephone support with a web-based service request ticketing system Add-on Linux operating system assistance on top of premium support IBM provides network bandwidth for inbound and outbound data transfers between the IBM Cloud Center and the Internet for you to access and use the services. IBM tracks and measures the amount of data transferred. Data transfer is charged for on a GB-transferred basis. Reserved capacity packages consist of pools of resources from which customers can provision as required. They carry a monthly charge but also offer preferred (discounted) rates on the virtual servers provisioned.
• #30: IPS - Intrusion prevention solution; IDS - Intrusion detection solution; SSH - Secure Shell; API – application programming interface The IBM Cloud was designed with enterprise security as a top priority. With the IBM Cloud, security-rich access is provided through the Internet (IPS/IDS, SSH/HTTPS, web identity) to a management infrastructure, and content is delivered in compliance with IBM's security standards. Access to the infrastructure self-service portal and APIs is restricted to users with an IBM web identity. The infrastructure complies with IBM security policies, including regular security scans and controlled administrative actions and operations. Within the IBM delivery centers, customer data and virtual machines are kept in the data center where provisioned, and the physical security is the same as that for IBM’s own internal data centers. The graphic on the slide provides a high-level overview of the flow of data that takes place between a client environment and IBM’s cloud delivery centers. The top of the graphic contains a picture of a PC monitor and server, with a line leading downwards to an image depicting the client’s firewall and then to a cloud (IBM cloud services). From there, a line flows further downwards through another firewall (IBM’s) and an image depicting IBM’s unique security and authentication model and then leading to IBM’s delivery centers, which contains guest virtual machines and data.
• #32: The graphic on the slide indicates the three steps required to setup and deploy a service on the IBM Cloud. It consists of three boxes, the first one to select an image, the second to configure it and the third indicating that the application is provisioned. Above the third box is a picture of a hand holding a stopwatch, indicating the three steps can be accomplished quickly. Typical workflow steps: User logs into IBM Smart Business Development and Test on the IBM Cloud through a security-rich web portal. User selects the virtual image for the tool required from the image catalog and agrees with the “Terms and Conditions.” User selects the server and storage required for the service, based on the user’s needs. User requests the provisioning of an instance from the selected image on the selected hardware in the IBM Cloud. User’s development and test teams can use the provisioned instance as required. The user can save a customized version of the instance as a private image for future reuse, if desired. When completed, the user de-provisions the instance, releasing the hardware for other users. Most of the provisioning functions can also be accomplished using the built in Application Programming Interfaces (APIs): Command-line interface (CLI) and RESTful APIs Security APIs Compute Cloud APIs
• #37: Development repositories and processes manage information for development and reuse of assets. CCMDB and IT processes manage information needed for service management and process execution. Scenario 1 Development releases a software image. A software package needs to be created and deployed into production. Scenario 2 Incident/problem is found in production; a RFC is opened. Linking the RFC and the fix pack that addresses that RFC. Scenario 3 Existing CI (configuration item from CCMDB) are created as packages in RAM for a potential search/find/linkage to development assets