SlideShare uma empresa Scribd logo
1 de 8
Baixar para ler offline
Thought Leadership White Paper

Cloud Security
Who do you trust?
Nick Coleman, IBM Cloud Security Leader
Martin Borrett, IBM Lead Security Architect

Cloud Computing
2

Cloud Security – Who do you trust?

Cloud Security – Who do you trust?
Cloud computing offers to change the way we use computing
with the promise of significant economic and efficiency
benefits. The speed of adoption depends on how trust in new
cloud models can be established.
Trust needs to be achieved, especially when data is stored
in new ways and in new locations, including for example
different countries.
In this paper we will explain why trust, reliability and
security decisions are central to choosing the right model.
Consider for example:

This paper is provided to stimulate discussion by looking at
three areas:
•	

•	

•	

•	

How easy would it be to lose your
service if a denial of service attack is
launched within your cloud provider?
Will you suffer a data security
breach when an administrator can
access multiple stores of data within
the virtualised environment they
are controlling?
Could you lose your service when an
investigation into data loss of another
customer starts to affect your privacy
and data?

•	
•	

What is different about cloud?
What are the new security challenges cloud introduces?
What can be done and what should be considered further?

What is different about cloud?
Cloud computing moves us away from the traditional model,
where organisations dedicate computing power to a particular
business application, to a flexible model for computing where
users access business applications and data in shared
environments.
Cloud is a new consumption and delivery model; resources can
be rapidly deployed and easily scaled (up and down), with
processes, applications and services provisioned ‘on demand’.
It can also enable a pay per usage model.
In these models the risk profile for data and security changes
and is an essential factor in deciding which cloud computing
models are appropriate for an organisation.

Without cloud computing

With cloud computing

Workload B

Workload A

Workload A

Workload A

Software
Hardware
Storage
Networking

Software
Hardware
Storage
Networking

Software
Hardware

Service
management

Service
management

•	 Automated service management
•	 Standardised services
•	 Location independent

Workload C

Storage
Networking

Service management
•	 Rapid scalability
•	 Self-service
Thought Leadership White Paper

Today’s Data Centre

Tomorrow’s Cloud
•	 Who has control?

•	 We have control
Virtual
Machine

•	 It’s located at X
•	 It’s stored in servers Y, Z

Virtual
Machine

Abstraction Layer
(Virtualisation/Hypervisor)

•	 We have backups in place

•	 Where is it located?
Virtual
Machine

•	 Where is it stored?
•	 Who backs it up?

•	 Our admins control access

•	 Who has access?

•	 Our uptime is sufficient

•	 How resilient is it?

•	 The auditors are happy

•	 How do auditors observe?

•	 Our security team is
engaged

•	 How does our security
team engage?

What are the security challenges
cloud introduces?
There are existing security challenges, experienced in other
computing environments, and there are new elements which
are necessary to consider. The challenges include:
•	
•	
•	
•	
•	

Governance
Data
Architecture
Applications
Assurance

These five categories are described in the rest of this section
in more detail so that the complexity of these issues can be
better understood.

Governance
Achieving and maintaining governance and compliance
in cloud environments brings new challenges to many
organisations. (This paper should not be seen as legal advice
or guidance specific to any one organisation.) Things you
might need to consider include:

Jurisdiction and regulatory requirements
•	

•	

Complying with Export/Import controls
•	

•	

“ 2 3 of organisations identify security as
/
their top concern when considering cloud.”
Driving Profitable Growth Through Cloud Computing,
IBM Study (conducted by Oliver Wyman) published Nov 2008.

Can data be accessed and stored at rest within regulatory
constraints?
Are development, test and operational clouds managing data
within the required jurisdictions including backups?

Applying encryption software to data in the cloud, are these
controls permitted in a particular country/jurisdiction?
Can you legally operate with the security mechanisms
being applied?

Compliance of the infrastructure
•	

Are you buying into a cloud architecture/infrastructure/
service which is not compliant?

Audit and reporting
•	

•	

Can you provide the required evidence and reports to
show compliance to regulations such as PCI and SOX?
Can you satisfy legal requirements for information when
operating in the cloud?

3
4

Cloud Security – Who do you trust?

Data

Architecture

Cloud places data in new and different places, not just the
user data but also the application (source) code. Who has
access, and what is left behind when you scale down a service?
Other key issues include:

Standardised infrastructure and applications; increased
commoditisation leading to more opportunity to exploit
a single vulnerability many times. Looking at the
underlying architecture and infrastructure, some of
the considerations include:

Data location and segregation
•	
•	

Protection

Where does the data reside? How do you know?
What happens when investigations require access
to servers and possibly other people’s data?

•	

Data footprints
•	

•	
•	

How do you ensure that the data is where you need it
when you need it, yet not left behind?
How is it deleted?
Can the application code be exposed in the cloud?

Hypervisor vulnerabilities
•	

Backup and recovery
•	
•	

How can you retrieve data when you need it?
Can you ensure that the backup is maintained securely,
in geographically separated locations?

•	

How can you protect the hypervisor (a key component for
cloud infrastructures) which interacts and manages multiple
environments in the cloud? The hypervisor being a potential
target to gain access to more systems, and hosted images.

Multi-tenant environments
•	

Administration
•	

How do you protect against attack when you have a standard
infrastructure and the same vulnerability exists in many places
across that infrastructure?

How can you control the increased access administrators
have working in a virtualised model?
Can privileged access be appropriately controlled in cloud
environments?

How do you ensure that systems and applications are
appropriately and sufficiently isolated and protecting against
malicious server to server communication?

Security policies
•	

How do you ensure that security policies are accurately and
fully implemented across the cloud architectures you are using
and buying into?

Identity Management
•	
•	
•	

How do you control passwords and access tokens in the cloud?
How do you federate identity in the cloud?
How can you prevent userids/passwords being passed and
exposed in the cloud unnecessarily, increasing risk?

Governance

Data

Architecture

Applications

Assurance

Achieving
compliance and
management in
the cloud

Information shared
inside and outside
the organisation

New web
architecture,
infrastructure and
threats

Applications on
the phone, internet
and in a virtualised
cloud

Audit and monitoring
in a virtualised/cloud
environment

Providing Software as a service (SaaS), Infrastructure and hardware as a service (laaS)
and Platform as a service (PaaS), either individually or in different combinations
Thought Leadership White Paper

Applications
There has been a significant increase in web application
vulnerabilities, so much so that these vulnerabilities make
up more than half of the disclosed vulnerabilities over the
past 4 years.

Assurance
Challenges exist for testing and assuring the infrastructure,
especially when there is no easy way for data centre visits or
penetration (pen) tests.

Operational oversight
•	

“67% of all web application

vulnerabilities had no patch in 2009.”

Source: IBM Security Solutions X-Force 2009 Trend and Risk
Report, published Feb 2010.

When logs no longer just cover your own environment
do you need to retrieve and analyse audit logs from diverse
systems potentially containing information with
multiple customers?

Audit and assurance
•	

•	

What level of assurance and how many providers will you
need to deal with?
Do you need to have an audit of every cloud service provider?

Investigating an incident
•	

Software Vulnerabilities
•	
•	

How do you check and manage vulnerabilities in applications?
How do you secure applications in the cloud that are
increasing targets due to the large user population?

Patch management
•	

•	

How do you secure applications where patches are
not available?
How do you ensure images are patched and up to date when
deployed in the cloud?

Application devices
•	

•	

How do you manage the new access devices using their own
new application software?
How do you ensure they are not introducing a new set of
vulnerabilities and ways to exploit your data?

5

•	

How much experience does your provider have of audit and
investigation in a shared environment?
How much experience do they have of conducting
investigations without impacting service or data
confidentiality?

Experience of new cloud providers
•	

•	

What will the security of data be if the cloud providers are no
longer in business?
Has business continuity been considered for this eventuality?
6

Cloud Security – Who do you trust?

Security from the cloud

Identity
Management

Application
Security

End Point
Protection

Cloud Security Services
Governance, Risk
Management and
Compliance
How can you start
to build to a position
of trust and risk
management when
setting up cloud
computing for your
organisation?

Security Event
and Log
Management

Security for the cloud

Application
Security

What can be done and what should be
considered further?
Many of the risks identified can be managed through the
application of appropriate security and governance measures.
Which risks you choose to address will be different depending
on your business, your appetite for risk and how costly these
measures are.
In many cases the complexity of securing cloud comes not just
from the individual application but how it integrates into the
rest of the organisation.

Delivering security for the cloud
Working out where and how to apply security is core to
delivering security for the cloud.
Security itself can be delivered from within the cloud.
Elements such as Event and Log Management, Identity
Management, End Point Protection and Application Security
are increasingly delivered as cloud security services. Security
for the cloud will be down to what can be delivered in the
cloud and what needs to supplement that delivery framework.

End Point
Protection

Getting started:
1.		Define a cloud strategy with security in mind
Identify the different workloads and how they need to
interact. Which models are appropriate based on their
security and trust requirements and the systems they need
to interface to?

2.		Identify the security measures needed
Using a framework such as the one IBM uses, the IBM
Security Framework and Blueprint, allows teams to capture
the measures that are needed in areas such as governance,
architecture, applications and assurance.

3.	Enabling security for the cloud.
The upfront set of assurance measures you will want to take.
Assessing that the applications, infrastructure and other
elements meet your security requirements, as well as
operational security measures.
Cloud security can be delivered as part of the cloud service and
also as specific components added in to enhance security.
Depending on your cloud provider it may be that a
combination of both of these approaches is necessary.
The fundamental principles of security and risk management
still apply. The approach IBM is using is based on IBM’s
Security Framework and Blueprint which provides a
comprehensive framework to address all aspects of security.
Thought Leadership White Paper

In summary

Cloud computing offers new possibilities and new challenges.
These challenges range from governance, through to
securing application and infrastructure. Fundamentally it is
important to be able to assure the security of these new
models in order to build trust and confidence.
The key to establishing trust in these new models is
choosing the right cloud computing model for your
organisation. Place the right workloads in the right model
with the right security mechanisms.
•	

•	

For those planning to consume cloud services looking for
trust and assurance from the cloud provider; understanding
the service level agreements and the approaches to security
is key. Assessing that this can be delivered, including what
assurances can be provided will be important.
For those providing or building a cloud infrastructure,
using a proven methodology and technologies that can
deliver appropriate security is key.

This is not just a technical challenge but a challenge of
governance and compliance; applications and infrastructure;
and assurance. This paper is written to stimulate discussion
of the challenges and ways to start to address these
challenges in securing cloud computing.

The Authors
Nick Coleman
IBM Cloud Security Leader.
Email: coleman@uk.ibm.com
Twitter: twitter.com/teamsecurity
Martin Borrett
IBM Lead Security Architect
Email: borretm@uk.ibm.com

7
IBM United Kingdom Limited
PO Box 41
North Harbour
Portsmouth
Hampshire
PO6 3AU
United Kingdom
IBM Ireland Limited
Oldbrook House
24-32 Pembroke Road
Dublin 4
Ireland
IBM Ireland Limited registered in Ireland under company number 16226.

The IBM home page can be found at ibm.com
IBM, the IBM logo, ibm.com and Information Agenda are trademarks or
registered trademarks of International Business Machines Corporation in
the United States, other countries, or both. If these and other IBM
trademarked terms are marked on their first occurrence in this information
with a trademark symbol (® or ™), these symbols indicate U.S. registered
or common law trademarks owned by IBM at the time this information was
published. Such trademarks may also be registered or common law
trademarks in other countries.
A current list of IBM trademarks can be found at: http://www.ibm.com/
legal/copytrade.shtml
Other company, product and service names may be trademarks, or service
marks of others.
References in this publication to IBM products, programs or services do
not imply that IBM intends to make these available in all countries in
which IBM operates. Any reference to an IBM product, program or service
is not intended to imply that only IBM products, programs or services may
be used. Any functionally equivalent product, program or service may be
used instead.
IBM hardware products are manufactured from new parts, or new and used
parts. In some cases, the hardware product may not be new and may have
been previously installed. Regardless, IBM warranty terms apply.
This publication is for general guidance only. Information is subject to
change without notice. Please contact your local IBM sales office or reseller
for latest information on IBM products and services.
IBM does not provide legal, accounting or audit advice or represent or
warrant that its products or services ensure compliance with laws. Clients
are responsible for compliance with applicable securities laws and
regulations, including national laws and regulations.
Photographs may show design models.
© Copyright IBM Corporation 2010
All Rights Reserved.

Please Recycle

10-0796 (09/10) TT

Mais conteúdo relacionado

Destaque

Cloud Computing and Security - ISACA Hyderabad Chapter Presentation
Cloud Computing and Security - ISACA Hyderabad Chapter PresentationCloud Computing and Security - ISACA Hyderabad Chapter Presentation
Cloud Computing and Security - ISACA Hyderabad Chapter PresentationVenkateswar Reddy Melachervu
 
Cloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud ComputingCloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud ComputingJim Geovedi
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing SecurityNinh Nguyen
 
(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0Amazon Web Services
 
Top 5 Cloud Security Predictions for 2016
Top 5 Cloud Security Predictions for 2016 Top 5 Cloud Security Predictions for 2016
Top 5 Cloud Security Predictions for 2016 Alert Logic
 
Big Data Security (ChinaNetCloud - Guiyang Conference)
Big Data Security (ChinaNetCloud - Guiyang Conference)Big Data Security (ChinaNetCloud - Guiyang Conference)
Big Data Security (ChinaNetCloud - Guiyang Conference)ChinaNetCloud
 
Security in cloud computing
Security in cloud computingSecurity in cloud computing
Security in cloud computingveena venugopal
 
Staying Secure When Moving to the Cloud - Dave Millier
Staying Secure When Moving to the Cloud - Dave MillierStaying Secure When Moving to the Cloud - Dave Millier
Staying Secure When Moving to the Cloud - Dave MillierTriNimbus
 
Cloud computing security from single to multi clouds
Cloud computing security from single to multi cloudsCloud computing security from single to multi clouds
Cloud computing security from single to multi cloudsCholavaram Sai
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemSweta Sharma
 
Presentation điện toán đám mây
Presentation   điện toán đám mâyPresentation   điện toán đám mây
Presentation điện toán đám mâyxKinAnx
 
Trust and Cloud Computing, removing the need to trust your cloud provider
Trust and Cloud Computing, removing the need to trust your cloud providerTrust and Cloud Computing, removing the need to trust your cloud provider
Trust and Cloud Computing, removing the need to trust your cloud providerDavid Wallom
 
Layer 7 & Burton Group: New Cloud Security Model Requirements
Layer 7 & Burton Group: New Cloud Security Model RequirementsLayer 7 & Burton Group: New Cloud Security Model Requirements
Layer 7 & Burton Group: New Cloud Security Model RequirementsCA API Management
 
Cloud computing security
Cloud computing securityCloud computing security
Cloud computing securityGahya Pandian
 
SBC 2012 - Tổng quan về bảo mật trong Cloud (Lê Vĩnh Đạt)
SBC 2012 - Tổng quan về bảo mật trong Cloud (Lê Vĩnh Đạt)SBC 2012 - Tổng quan về bảo mật trong Cloud (Lê Vĩnh Đạt)
SBC 2012 - Tổng quan về bảo mật trong Cloud (Lê Vĩnh Đạt)Security Bootcamp
 
Cloud computing security and privacy
Cloud computing security and privacyCloud computing security and privacy
Cloud computing security and privacyAdeel Javaid
 

Destaque (19)

Cloud Computing and Security - ISACA Hyderabad Chapter Presentation
Cloud Computing and Security - ISACA Hyderabad Chapter PresentationCloud Computing and Security - ISACA Hyderabad Chapter Presentation
Cloud Computing and Security - ISACA Hyderabad Chapter Presentation
 
Cloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud ComputingCloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud Computing
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0
 
Sop vpn ip-astinet
Sop vpn ip-astinetSop vpn ip-astinet
Sop vpn ip-astinet
 
IP Security over VPN
IP Security over VPNIP Security over VPN
IP Security over VPN
 
Top 5 Cloud Security Predictions for 2016
Top 5 Cloud Security Predictions for 2016 Top 5 Cloud Security Predictions for 2016
Top 5 Cloud Security Predictions for 2016
 
Big Data Security (ChinaNetCloud - Guiyang Conference)
Big Data Security (ChinaNetCloud - Guiyang Conference)Big Data Security (ChinaNetCloud - Guiyang Conference)
Big Data Security (ChinaNetCloud - Guiyang Conference)
 
Security in cloud computing
Security in cloud computingSecurity in cloud computing
Security in cloud computing
 
Staying Secure When Moving to the Cloud - Dave Millier
Staying Secure When Moving to the Cloud - Dave MillierStaying Secure When Moving to the Cloud - Dave Millier
Staying Secure When Moving to the Cloud - Dave Millier
 
Cloud computing security from single to multi clouds
Cloud computing security from single to multi cloudsCloud computing security from single to multi clouds
Cloud computing security from single to multi clouds
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
Presentation điện toán đám mây
Presentation   điện toán đám mâyPresentation   điện toán đám mây
Presentation điện toán đám mây
 
Trust and Cloud Computing, removing the need to trust your cloud provider
Trust and Cloud Computing, removing the need to trust your cloud providerTrust and Cloud Computing, removing the need to trust your cloud provider
Trust and Cloud Computing, removing the need to trust your cloud provider
 
Layer 7 & Burton Group: New Cloud Security Model Requirements
Layer 7 & Burton Group: New Cloud Security Model RequirementsLayer 7 & Burton Group: New Cloud Security Model Requirements
Layer 7 & Burton Group: New Cloud Security Model Requirements
 
Cloud computing security
Cloud computing securityCloud computing security
Cloud computing security
 
SBC 2012 - Tổng quan về bảo mật trong Cloud (Lê Vĩnh Đạt)
SBC 2012 - Tổng quan về bảo mật trong Cloud (Lê Vĩnh Đạt)SBC 2012 - Tổng quan về bảo mật trong Cloud (Lê Vĩnh Đạt)
SBC 2012 - Tổng quan về bảo mật trong Cloud (Lê Vĩnh Đạt)
 
Cloud computing security and privacy
Cloud computing security and privacyCloud computing security and privacy
Cloud computing security and privacy
 
Cloud Security Alliance Guide to Cloud Security
Cloud Security Alliance Guide to Cloud SecurityCloud Security Alliance Guide to Cloud Security
Cloud Security Alliance Guide to Cloud Security
 

Mais de IBM Security

Automation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOpsAutomation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOpsIBM Security
 
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...IBM Security
 
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...IBM Security
 
Integrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM ResilientIntegrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM ResilientIBM Security
 
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...IBM Security
 
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...IBM Security
 
Accelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon BlackAccelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon BlackIBM Security
 
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationHow to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationIBM Security
 
Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?IBM Security
 
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceOrchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceIBM Security
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...IBM Security
 
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...IBM Security
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...IBM Security
 
WannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowWannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowIBM Security
 
How to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security OperationsHow to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security OperationsIBM Security
 
Mobile Vision 2020
Mobile Vision 2020Mobile Vision 2020
Mobile Vision 2020IBM Security
 
Retail Mobility, Productivity and Security
Retail Mobility, Productivity and SecurityRetail Mobility, Productivity and Security
Retail Mobility, Productivity and SecurityIBM Security
 
Close the Loop on Incident Response
Close the Loop on Incident ResponseClose the Loop on Incident Response
Close the Loop on Incident ResponseIBM Security
 
Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats IBM Security
 

Mais de IBM Security (20)

Automation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOpsAutomation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOps
 
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
 
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
 
Integrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM ResilientIntegrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM Resilient
 
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
 
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
 
Accelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon BlackAccelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon Black
 
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationHow to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
 
Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?
 
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceOrchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
 
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
 
WannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowWannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do Now
 
How to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security OperationsHow to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security Operations
 
IBM QRadar UBA
IBM QRadar UBA IBM QRadar UBA
IBM QRadar UBA
 
Mobile Vision 2020
Mobile Vision 2020Mobile Vision 2020
Mobile Vision 2020
 
Retail Mobility, Productivity and Security
Retail Mobility, Productivity and SecurityRetail Mobility, Productivity and Security
Retail Mobility, Productivity and Security
 
Close the Loop on Incident Response
Close the Loop on Incident ResponseClose the Loop on Incident Response
Close the Loop on Incident Response
 
Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats
 

Último

Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataSafe Software
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServiceRenan Moreira de Oliveira
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum ComputingGDSC PJATK
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdfJamie (Taka) Wang
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxYounusS2
 

Último (20)

Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum Computing
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 

Cloud security - Who do you trust?

  • 1. Thought Leadership White Paper Cloud Security Who do you trust? Nick Coleman, IBM Cloud Security Leader Martin Borrett, IBM Lead Security Architect Cloud Computing
  • 2. 2 Cloud Security – Who do you trust? Cloud Security – Who do you trust? Cloud computing offers to change the way we use computing with the promise of significant economic and efficiency benefits. The speed of adoption depends on how trust in new cloud models can be established. Trust needs to be achieved, especially when data is stored in new ways and in new locations, including for example different countries. In this paper we will explain why trust, reliability and security decisions are central to choosing the right model. Consider for example: This paper is provided to stimulate discussion by looking at three areas: • • • • How easy would it be to lose your service if a denial of service attack is launched within your cloud provider? Will you suffer a data security breach when an administrator can access multiple stores of data within the virtualised environment they are controlling? Could you lose your service when an investigation into data loss of another customer starts to affect your privacy and data? • • What is different about cloud? What are the new security challenges cloud introduces? What can be done and what should be considered further? What is different about cloud? Cloud computing moves us away from the traditional model, where organisations dedicate computing power to a particular business application, to a flexible model for computing where users access business applications and data in shared environments. Cloud is a new consumption and delivery model; resources can be rapidly deployed and easily scaled (up and down), with processes, applications and services provisioned ‘on demand’. It can also enable a pay per usage model. In these models the risk profile for data and security changes and is an essential factor in deciding which cloud computing models are appropriate for an organisation. Without cloud computing With cloud computing Workload B Workload A Workload A Workload A Software Hardware Storage Networking Software Hardware Storage Networking Software Hardware Service management Service management • Automated service management • Standardised services • Location independent Workload C Storage Networking Service management • Rapid scalability • Self-service
  • 3. Thought Leadership White Paper Today’s Data Centre Tomorrow’s Cloud • Who has control? • We have control Virtual Machine • It’s located at X • It’s stored in servers Y, Z Virtual Machine Abstraction Layer (Virtualisation/Hypervisor) • We have backups in place • Where is it located? Virtual Machine • Where is it stored? • Who backs it up? • Our admins control access • Who has access? • Our uptime is sufficient • How resilient is it? • The auditors are happy • How do auditors observe? • Our security team is engaged • How does our security team engage? What are the security challenges cloud introduces? There are existing security challenges, experienced in other computing environments, and there are new elements which are necessary to consider. The challenges include: • • • • • Governance Data Architecture Applications Assurance These five categories are described in the rest of this section in more detail so that the complexity of these issues can be better understood. Governance Achieving and maintaining governance and compliance in cloud environments brings new challenges to many organisations. (This paper should not be seen as legal advice or guidance specific to any one organisation.) Things you might need to consider include: Jurisdiction and regulatory requirements • • Complying with Export/Import controls • • “ 2 3 of organisations identify security as / their top concern when considering cloud.” Driving Profitable Growth Through Cloud Computing, IBM Study (conducted by Oliver Wyman) published Nov 2008. Can data be accessed and stored at rest within regulatory constraints? Are development, test and operational clouds managing data within the required jurisdictions including backups? Applying encryption software to data in the cloud, are these controls permitted in a particular country/jurisdiction? Can you legally operate with the security mechanisms being applied? Compliance of the infrastructure • Are you buying into a cloud architecture/infrastructure/ service which is not compliant? Audit and reporting • • Can you provide the required evidence and reports to show compliance to regulations such as PCI and SOX? Can you satisfy legal requirements for information when operating in the cloud? 3
  • 4. 4 Cloud Security – Who do you trust? Data Architecture Cloud places data in new and different places, not just the user data but also the application (source) code. Who has access, and what is left behind when you scale down a service? Other key issues include: Standardised infrastructure and applications; increased commoditisation leading to more opportunity to exploit a single vulnerability many times. Looking at the underlying architecture and infrastructure, some of the considerations include: Data location and segregation • • Protection Where does the data reside? How do you know? What happens when investigations require access to servers and possibly other people’s data? • Data footprints • • • How do you ensure that the data is where you need it when you need it, yet not left behind? How is it deleted? Can the application code be exposed in the cloud? Hypervisor vulnerabilities • Backup and recovery • • How can you retrieve data when you need it? Can you ensure that the backup is maintained securely, in geographically separated locations? • How can you protect the hypervisor (a key component for cloud infrastructures) which interacts and manages multiple environments in the cloud? The hypervisor being a potential target to gain access to more systems, and hosted images. Multi-tenant environments • Administration • How do you protect against attack when you have a standard infrastructure and the same vulnerability exists in many places across that infrastructure? How can you control the increased access administrators have working in a virtualised model? Can privileged access be appropriately controlled in cloud environments? How do you ensure that systems and applications are appropriately and sufficiently isolated and protecting against malicious server to server communication? Security policies • How do you ensure that security policies are accurately and fully implemented across the cloud architectures you are using and buying into? Identity Management • • • How do you control passwords and access tokens in the cloud? How do you federate identity in the cloud? How can you prevent userids/passwords being passed and exposed in the cloud unnecessarily, increasing risk? Governance Data Architecture Applications Assurance Achieving compliance and management in the cloud Information shared inside and outside the organisation New web architecture, infrastructure and threats Applications on the phone, internet and in a virtualised cloud Audit and monitoring in a virtualised/cloud environment Providing Software as a service (SaaS), Infrastructure and hardware as a service (laaS) and Platform as a service (PaaS), either individually or in different combinations
  • 5. Thought Leadership White Paper Applications There has been a significant increase in web application vulnerabilities, so much so that these vulnerabilities make up more than half of the disclosed vulnerabilities over the past 4 years. Assurance Challenges exist for testing and assuring the infrastructure, especially when there is no easy way for data centre visits or penetration (pen) tests. Operational oversight • “67% of all web application vulnerabilities had no patch in 2009.” Source: IBM Security Solutions X-Force 2009 Trend and Risk Report, published Feb 2010. When logs no longer just cover your own environment do you need to retrieve and analyse audit logs from diverse systems potentially containing information with multiple customers? Audit and assurance • • What level of assurance and how many providers will you need to deal with? Do you need to have an audit of every cloud service provider? Investigating an incident • Software Vulnerabilities • • How do you check and manage vulnerabilities in applications? How do you secure applications in the cloud that are increasing targets due to the large user population? Patch management • • How do you secure applications where patches are not available? How do you ensure images are patched and up to date when deployed in the cloud? Application devices • • How do you manage the new access devices using their own new application software? How do you ensure they are not introducing a new set of vulnerabilities and ways to exploit your data? 5 • How much experience does your provider have of audit and investigation in a shared environment? How much experience do they have of conducting investigations without impacting service or data confidentiality? Experience of new cloud providers • • What will the security of data be if the cloud providers are no longer in business? Has business continuity been considered for this eventuality?
  • 6. 6 Cloud Security – Who do you trust? Security from the cloud Identity Management Application Security End Point Protection Cloud Security Services Governance, Risk Management and Compliance How can you start to build to a position of trust and risk management when setting up cloud computing for your organisation? Security Event and Log Management Security for the cloud Application Security What can be done and what should be considered further? Many of the risks identified can be managed through the application of appropriate security and governance measures. Which risks you choose to address will be different depending on your business, your appetite for risk and how costly these measures are. In many cases the complexity of securing cloud comes not just from the individual application but how it integrates into the rest of the organisation. Delivering security for the cloud Working out where and how to apply security is core to delivering security for the cloud. Security itself can be delivered from within the cloud. Elements such as Event and Log Management, Identity Management, End Point Protection and Application Security are increasingly delivered as cloud security services. Security for the cloud will be down to what can be delivered in the cloud and what needs to supplement that delivery framework. End Point Protection Getting started: 1. Define a cloud strategy with security in mind Identify the different workloads and how they need to interact. Which models are appropriate based on their security and trust requirements and the systems they need to interface to? 2. Identify the security measures needed Using a framework such as the one IBM uses, the IBM Security Framework and Blueprint, allows teams to capture the measures that are needed in areas such as governance, architecture, applications and assurance. 3. Enabling security for the cloud. The upfront set of assurance measures you will want to take. Assessing that the applications, infrastructure and other elements meet your security requirements, as well as operational security measures. Cloud security can be delivered as part of the cloud service and also as specific components added in to enhance security. Depending on your cloud provider it may be that a combination of both of these approaches is necessary. The fundamental principles of security and risk management still apply. The approach IBM is using is based on IBM’s Security Framework and Blueprint which provides a comprehensive framework to address all aspects of security.
  • 7. Thought Leadership White Paper In summary Cloud computing offers new possibilities and new challenges. These challenges range from governance, through to securing application and infrastructure. Fundamentally it is important to be able to assure the security of these new models in order to build trust and confidence. The key to establishing trust in these new models is choosing the right cloud computing model for your organisation. Place the right workloads in the right model with the right security mechanisms. • • For those planning to consume cloud services looking for trust and assurance from the cloud provider; understanding the service level agreements and the approaches to security is key. Assessing that this can be delivered, including what assurances can be provided will be important. For those providing or building a cloud infrastructure, using a proven methodology and technologies that can deliver appropriate security is key. This is not just a technical challenge but a challenge of governance and compliance; applications and infrastructure; and assurance. This paper is written to stimulate discussion of the challenges and ways to start to address these challenges in securing cloud computing. The Authors Nick Coleman IBM Cloud Security Leader. Email: coleman@uk.ibm.com Twitter: twitter.com/teamsecurity Martin Borrett IBM Lead Security Architect Email: borretm@uk.ibm.com 7
  • 8. IBM United Kingdom Limited PO Box 41 North Harbour Portsmouth Hampshire PO6 3AU United Kingdom IBM Ireland Limited Oldbrook House 24-32 Pembroke Road Dublin 4 Ireland IBM Ireland Limited registered in Ireland under company number 16226. The IBM home page can be found at ibm.com IBM, the IBM logo, ibm.com and Information Agenda are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks can be found at: http://www.ibm.com/ legal/copytrade.shtml Other company, product and service names may be trademarks, or service marks of others. References in this publication to IBM products, programs or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM product, program or service is not intended to imply that only IBM products, programs or services may be used. Any functionally equivalent product, program or service may be used instead. IBM hardware products are manufactured from new parts, or new and used parts. In some cases, the hardware product may not be new and may have been previously installed. Regardless, IBM warranty terms apply. This publication is for general guidance only. Information is subject to change without notice. Please contact your local IBM sales office or reseller for latest information on IBM products and services. IBM does not provide legal, accounting or audit advice or represent or warrant that its products or services ensure compliance with laws. Clients are responsible for compliance with applicable securities laws and regulations, including national laws and regulations. Photographs may show design models. © Copyright IBM Corporation 2010 All Rights Reserved. Please Recycle 10-0796 (09/10) TT