
Slide 1: Cloudy with a chance of security
Information security in virtual environments
Johan Celis, Security Solutions Architect EMEA, IBM
© 2010 IBM Corporation

Slide 2: Virtualization – First Step in the Journey to Cloud Computing
Cloud Computing:
- Integrated service lifecycle management
- Expose resources "as-a-Service"
- Integrated security infrastructure
- Rapid provisioning of IT resources, massive scaling
- Dynamic service management
- Energy saving via automatic workload distribution
- Rapid deployment of infrastructure and applications
- Request-driven service management
- Service catalog
Virtualization:
- Better hardware utilization
- Improved IT agility
- Server consolidation
- Streamlined operations – manage physical and virtual systems
- Lower power consumption

Slide 3: Top Threats to Cloud Computing
- Abuse and nefarious use of cloud computing
- Insecure interfaces and APIs
- Malicious insiders
- Shared technology issues
- Data loss or leakage
- Account or service hijacking
- Unknown risk profile

Slide 4: Layers of a Typical Cloud Service
Cloud Platform (bottom to top):
- Physical System and Environment – System Resources: network, server, storage
- Virtualized Resources: virtual network, server, storage
- Operational Support Services: infrastructure provisioning; instance, image, resource / asset management
- Business Support Services: offering management, customer management, ordering management, billing
Cloud Delivered Services:
- Infrastructure as a Service (IaaS): virtualized servers, storage, networking
- Platform as a Service (PaaS): optimized middleware – application servers, database servers, portal servers
- Application as a Service (SaaS): application software licensed for use as a service, provided to customers on demand

Slide 5: Cloud Security
(Same layered diagram as slide 4: Cloud Platform and Cloud Delivered Services, annotated with the security requirements below.)
- Secure integration with existing enterprise security infrastructure
- Federated identity / identity as a service
- Authorization, entitlements
- Log, audit and compliance reporting
- Intrusion prevention
- Process isolation, data segregation
- Control of privileged user access
- Provisioning with security and location constraints
- Image provenance, image and VM integrity
- Multi-tenant security services (identity, compliance reporting, etc.)
- Multi-tenant intrusion prevention
- Consistency top-to-bottom

Slide 6: Cloud Security = SOA Security + Virtualization Security
(Same layered diagram as slide 4: the Cloud Delivered Services layers are labelled "Service Oriented Architecture (SOA) Security", the Cloud Platform layers "Virtualization Security".)

Slide 7: Hypervisor Security Challenges – New Complexities
Before virtualization:
- 1:1 ratio of OSs and applications per server
After virtualization:
- 1:Many ratio of OSs and applications per server
- Additional layer (the hypervisor) to manage and secure

Slide 8: Hypervisor Security Challenges – New Risks
- Management vulnerabilities; secure storage of VMs and the management data
- Stealth rootkits in hardware now possible; virtual NICs and virtual hardware are targets
- Virtual sprawl; dynamic VM state and relocation; VM stealing
- Resource sharing; single point of failure; reduced visibility and control

Slide 9: Security Challenges – OS and Application Vulnerabilities
- Traditional threats remain as long as VMs communicate with the network, virtual or physical:
  - Worms
  - Rootkits
  - Trojans
  - DoS
  - SQL injection
  - Cross-site scripting
- Virtual machine state changes (online, offline, snapshots) and cloning can obsolete patching processes
OS and application vulnerabilities and exposures do not change in the virtual world!
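The second bullet is the one that catches teams out: a patch system records that a VM was patched, but a later snapshot revert or a clone from an old image silently puts the disk back to a pre-patch state while the record still says "patched". The following check, added here as an illustration and not part of the presentation or any IBM product, runs over a constructed VM inventory and flags VMs whose effective patch state is older than the baseline or whose patch record can no longer be trusted; the field names and dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Hypothetical baseline: every VM should carry patches released up to this date.
PATCH_BASELINE = date(2010, 6, 1)


@dataclass
class VM:
    name: str
    power_state: str                         # "online" or "offline"
    recorded_patch_date: date                # what the patch system last recorded for this VM
    image_origin: str = "installed"          # "installed", "snapshot-revert" or "clone"
    origin_captured: Optional[date] = None   # when the snapshot / clone source image was taken


def assess(vm: VM, baseline: date = PATCH_BASELINE) -> List[str]:
    """Return the reasons this VM's patch state may be stale (empty list = no finding)."""
    findings: List[str] = []
    effective = vm.recorded_patch_date
    # A revert or clone from an image captured before the recorded patch means the disk
    # predates that patch: the record is unreliable and the effective level is the image date.
    if vm.image_origin != "installed" and vm.origin_captured is not None:
        if vm.origin_captured < vm.recorded_patch_date:
            findings.append(f"{vm.image_origin} from image of {vm.origin_captured} predates "
                            f"recorded patch date {vm.recorded_patch_date}; record unreliable")
            effective = vm.origin_captured
    if effective < baseline:
        findings.append(f"effective patch level {effective} is behind baseline {baseline}")
    # Offline VMs are not reachable by agent-based patching and miss the patch window.
    if vm.power_state == "offline":
        findings.append("offline: will not receive patches until powered on; patch before reconnecting")
    return findings


def stale_vms(inventory: List[VM], baseline: date = PATCH_BASELINE) -> Dict[str, List[str]]:
    """Map each flagged VM name to its findings; VMs with no findings are omitted."""
    result = {vm.name: assess(vm, baseline) for vm in inventory}
    return {name: f for name, f in result.items() if f}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    VM("web01", "online", date(2010, 6, 5)),
    VM("web02", "online", date(2010, 6, 5), "snapshot-revert", date(2010, 3, 1)),
    VM("db01", "online", date(2010, 6, 2), "clone", date(2010, 6, 2)),
    VM("app03", "offline", date(2010, 5, 1)),
]

if __name__ == "__main__":
    for name, reasons in stale_vms(SAMPLE_INVENTORY).items():
        print(name, "->", "; ".join(reasons))
```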

Slide 10: Security Challenges – Security and Network Convergence

Slide 11: Security Challenges – Compliance
Best practices for security compliance in a virtualized environment:
- Configuration and change management processes should be extended to encompass the virtual infrastructure
- Maintain separate administrative access control, even though server, network and security infrastructure is now consolidated
- Provide virtual machine and virtual network security segmentation
- Maintain virtual audit logging
*Source: RSA Security Brief: Security Compliance in a Virtual World, http://www.rsa.com/solutions/technology/secure/wp/10393_VIRT_BRF_0809.pdf

Slide 12: Traditional Security Solutions May Add Cost and Complexity
- Network IPS. Seems secure: only blocks threats and attacks at the perimeter. Not secure enough: should protect against threats at the perimeter and between VMs.
- Server protection. Seems secure: secures each physical server with protection and reporting from a single agent. Not secure enough: securing each VM as if it were a physical server adds time and cost.
- System patching. Seems secure: patches critical vulnerabilities on individual servers and networks. Not secure enough: needs to track, patch and control VM sprawl.
- Security policies. Seems secure: policies are specific to critical applications in each network segment and server. Not secure enough: policies must be more encompassing (web, data, OS coverage, databases) and be able to move with the VMs.

Slide 13: IBM Virtualization Security Solutions
Three categories: existing solutions certified for protection of virtual workloads; threat protection delivered in a virtual form factor; integrated virtual-environment-aware threat protection.
- IBM Security Server IPS
- IBM Security Network IPS
- IBM Security Network Mail Security
- IBM Security Network MFS
- IBM Security Virtualized Network Security
- IBM Security Network Mail Security
- IBM Security Virtual Server Protection for VMware

Slide 14: What is the VMsafe API?
A Security VM (SVM) uses the VMsafe API to inspect guest VMs in three areas:
- CPU and memory inspection
- Networking
- Storage

Slide 15: IBM Security Virtual Server Protection for VMware
Integrated threat protection for VMware vSphere 4:
- VMsafe integration
- Firewall and intrusion prevention
- Rootkit detection/prevention
- Inter-VM traffic analysis
- Automated protection for mobile VMs (VMotion)
- Virtual network segment protection
- Virtual network-level protection
- Virtual infrastructure auditing (privileged user)
- Virtual network access control

Slide 16: IBM Security Virtual Server Protection for VMware – Intrusion Prevention System (IPS)
- Vulnerability-centric, protocol-aware analysis and protection
- Abstraction from underlying network configuration
- Automated protection for new VMs
- Network-level workload segmentation
- Privileged-level protection of OS kernel structures

Slide 17: IBM Security Virtual Server Protection for VMware – IPS Protocol Analysis Module (PAM)
- Performs deep packet inspection
- Performs deep protocol and content analysis
- Detects protocol and content anomalies
- Simulates the protocol/content stacks in vulnerable systems
- Normalizes at each protocol and content layer
Provides the ability to add new security functionality within the existing solution.

Slide 18: Protocol Analysis Module – Virtual Patch® Technology
- Shields a vulnerability from exploitation independently of a software patch
- Enables a responsible patch management process that can be adhered to without fear of a breach
- IBM is a MAPP (Microsoft Active Protections Program) partner

Slide 19: Why IBM?
IBM leads the industry in breadth and depth of security expertise with:
- 7,000,000,000+ security events managed daily
- 48,000+ vulnerabilities tracked in the IBM X-Force® research and development database
- 15,000 researchers, developers and subject matter experts on security initiatives
- 4,000+ customers managed in security operations centers around the world
- 3,000+ security and risk management patents
- 40+ years of proven success with security and virtualization on IBM Systems

Slide 20: Thank you!
For more information, please visit:
http://ibm.com/cloud
http://ibm.com/security
Johan Celis – johan.celis@be.ibm.com

