Cloud & AI Summit · Successful approaches and experiences securing the hybrid multi-cloud world...

Amsterdam, November 8, 2019 Drive innovation in a multi cloud reality Cloud & AI Summit Securing the journey to Cloud Successful approaches and experiences securing the hybrid multi-cloud world Martin Borrett IBM Distinguished Engineer CTO IBM Security Europe

Transcript of Cloud & AI Summit · Successful approaches and experiences securing the hybrid multi-cloud world...

Page 1: Cloud & AI Summit · Successful approaches and experiences securing the hybrid multi-cloud world Martin Borrett IBM Distinguished Engineer CTO IBM Security Europe. ... Managing Compliance

Amsterdam, November 8, 2019

Drive innovation in a multi cloud reality

Cloud & AI Summit

Securing the journey to Cloud

Successful approaches and experiences securing the hybrid multi-cloud world

Martin Borrett

IBM Distinguished Engineer

CTO IBM Security Europe

Page 2:

Cloud provides organizations access to state-of-the-art IT in a cost-effective and flexible manner, and enables their digital transformation journey, but each phase has security implications

IBM Security / © 2019 IBM Corporation

Traditional Architecture

IT Controlled Security and Resiliency w/ manual controls

Microservices Architecture

Security & Resiliency embedded in business workflow via automation & orchestration

Flexible Consumption

Native Security Complexity

Loss of Visibility & Control

On-Premises

Private Cloud

Public Cloud

Page 3:

Security Responsibilities: Understanding your security responsibilities vs. Cloud Service Provider’s

Cloud-Native Integration: Integrating cloud-native security tools into your overall security operations

Critical Data: Securing your critical data in the cloud

Shadow IT: Visibility of your applications and Shadow IT usage

Cloud-Native Configuration: Ensuring your cloud-native security tools are configured properly

Security at Speed: Applying security controls with speed to support business innovation

Secure Application Development: Developing cloud applications & APIs that are secure by design

Managing Compliance: Keeping up with changing compliance regulations

Dynamic Workloads: Securing dynamic workloads and managing changing risk profiles

Centralized Visibility: Centrally managing policy across on-premise & cloud environments


Increasing shared responsibility. Decreasing control & visibility

IaaS | Infrastructure-as-a-Service

CaaS | Container-as-a-Service

PaaS | Platform-as-a-Service

SaaS | Software-as-a-Service

On-Premise | Traditional IT

Data

Application

Storage

Operating System

Virtualization

Physical Servers

Network & Storage

Data Center

Migration to Cloud brings forth new security obstacles and reduced visibility & control

Client Responsibility Provider Responsibility

Page 4:

A programmatic approach to securing the hybrid enterprise

1. Plan: Build a cloud security strategy and adoption roadmap

2. Build: Harden native cloud security + augment with additional security controls

3. Run: Provide threat management with an integrated resiliency plan

Page 5:

A programmatic approach to securing the hybrid enterprise

Continuous Improvement as cloud continuously evolves

Establish a cloud security baseline

Build industry-specific maturity roadmap

Map to regulatory + privacy requirements

Perform a critical data assessment

Enable / harden native security controls

Build a plan to transition to cloud

Establish zero-trust network + endpt. controls

Enable DLP controls, key mgmt. + encryption

Integrate with cloud IAM and user context

Automate security controls w/ DevOps

App Security and vulnerability testing

Engage offensive penetration testing

Register all assets across hybrid-cloud

Tie all controls to single pane of glass

Establish correlation rules and runbooks

Build a joint resiliency plan w/ cloud provider

Practice response plan with threat hunting

Continuous compliance reporting

Page 6:

A programmatic approach to securing the hybrid enterprise – Phase 1

Page 7:

Firstly, you need to establish a baseline and build your maturity roadmap.

A holistic assessment of current state security maturity:

✓ Governance

✓ Metrics

✓ Cloud Security Optimization

✓ Data Security

✓ Application Security

✓ Network and System Security

✓ Security Operations

✓ Identity + Access Management

A Cloud Security Strategy and Assessment can help you:

1. Assess your current state cloud security maturity

2. Define a future state that secures workloads across your hybrid environment

3. Build a strategy + roadmap for cloud migration that addresses pertinent security + regulatory concerns

Cloud is more than a technology change! It is a cultural change to organizations

It’s critical to establish a Cloud Security Strategy, Governance + Readiness Plan

Strategy + Roadmap

Establish a cloud security baseline

Build industry-specific maturity roadmap

Map to regulatory + privacy requirements

Perform a critical data assessment

Build a plan to transition to cloud

Enable / harden native security controls

Page 8:

Evaluating the Enterprise Tech Stack from a Security Point of View.

Cloud is more than a technology change! It is a cultural change to organizations

Cloud maturity & capabilities are very important

Page 9:

Misconfigured cloud services are one of the top reasons for data breaches

It’s imperative to lock down your cloud environments and harden your native controls.

• Harden security posture of native cloud capabilities

• Align native security with organization’s threat management process

• Streamline enterprise visibility for native security activity

• Enhance an organization’s readiness for cloud innovation

• Enable knowledge transfer for effective native security operations

Page 10:

A programmatic approach to securing the hybrid enterprise – Phase 2

Page 11:

Augment Native Controls

Extend beyond traditional network + endpoint security controls for more comprehensive coverage.

Establish zero-trust network + endpoint controls

Enable DLP controls, key mgmt. + encryption

Integrate with cloud IAM and user context

Automate security controls w/ DevOps

App Security + vulnerability testing

Engage offensive testing

Micro-segmentation

Traditional networks:

• Little visibility into application level traffic flows

• Static policies - harder to upkeep and can lead to application outages due to misconfiguration

Micro-segmentation:

• Application-centric visibility with more granular control

• Adaptive and can support hybrid environments

Containerization

Container security solution across Build, Ship, & Run.

• Scanning of images to check for vulnerabilities

• Protection + visibility into CI/CD dev tools

• Vulnerability analysis on all images

• Certify and track image inventory

• Re-assure valid images are running

• Runtime protection to prevent configuration drifts or rogue containers

• L3 and L7 Firewall capabilities

• Monitor host OS + container system calls + processes

• Compliance and reporting

BUILD

SHIP

RUN

Page 12:

Secure your critical data across your hybrid environment.

Now that you’ve identified your critical data, you must implement controls to protect it.

DLP in the cloud

• Use policy based DLP to protect sensitive assets from being copied to the cloud

• Sensitive data can be blocked from exfiltration, quarantined, or deleted.

Multi-cloud Data Encryption

• Protect your data across dedicated private, hybrid and public clouds

• Encryption agents are deployed across your workloads

• Setting access policies + agent management is all handled through a central console

Page 13:

Assess your cloud IAM strategy + explore IDaaS solutions to optimize your technology investments

Use Case: Can access to your cloud accounts be integrated as part of your privileged access management program?

Use Case: Can your MFA be extended to internet-facing / accessible applications?

Design a solution focused on user outcomes using IBM Design Thinking

Optimize your technology investments by complementing existing IAM program with the cloud-based solution that fits your needs

Enhance your operational efficiency with improved business processes and Robotic Programming Automation (RPA)

The Journey to Cloud-Based IAM solution approaches your IAM transformation in three stages:

1. Find the right cloud strategy

2. Transform the IAM environment

3. Operate and continuously improve

Moving workloads to cloud doesn’t necessarily mean changes to your IAM toolset

Can you extend your existing policies and controls to the new cloud workloads?

But many clients do want to move their IAM workloads to the cloud as well

Page 14:

Emerging DevOps teams lead to conflicting objectives

You need a solution that can satisfy both sets of objectives

CISO: Organization Challenges

Securing compute critical data assets on Cloud

Continuous compliance to changing regulations

Policy enforcement & threat detection across hybrid environments

Policy enforcement at DevOps

DevOps: Business Innovation

Business demands flexibility and speed to market

Capitalize on constantly evolving CSP capabilities

No time to wait on security approvals

Security Solution

Secure by Design integrated into DevOps

Infrastructure provisioning

Automated base security controls provisioning

Enable Managed Services

Page 15:

Implement a secure-by-design application development methodology

Application Security Program Services

Secure Development Training Services

Application Security Testing Services

Secure Development Support Services

Requirements Design Coding Testing Release

Application Security solutions to support clients across their entire SDLC

Secure-by-Design strategy + advisory services

Guidance with CI/CD implementation

Development standards, etc.

Providing support to the development organization across their various tasks + challenges

Non-functional security requirements gathering, remediation and implementation support, etc.

Secure development training & coding language best practices

Full suite of tools and processes to help identify vulnerabilities early

Pre- and post-production penetration testing

Page 16:

A programmatic approach to securing the hybrid enterprise – Phase 3

Page 17:

Operating in a hybrid environment often leads to disparate controls.

You need to centralize security visibility for policy management

You have....

Workloads on premise + on cloud(s)

With....

Disparate security controls across both

Need to bring....

Logs & alerts into a single pane of glass

Providing....

Threat Management

Incident Management

Log Management & Alerting

Ticketing

Cloud Agnostic

Supporting workloads across:

IBM Cloud | AWS | Azure | Private DC + On Premise

Vendor Agnostic

Supporting multiple best-of-breed technologies across multiple cloud environments & on-premise

Threat Management + Resiliency

Register all assets across hybrid-cloud

Tie all controls to single pane of glass

Establish correlation rules and runbooks

Build a joint resiliency plan w/ cloud provider

Practice response plan with threat hunting

Continuous compliance reporting

Page 18:

Compliance doesn’t stop at the cloud

There are hundreds of mandatory laws and regulations, as well as voluntary standards, audit standards, codes of conduct and internal policies that companies have to comply with.

Page 19:

Compliance doesn’t stop at the cloud.

There are hundreds of mandatory laws and regulations, as well as voluntary standards, audit standards, codes of conduct and internal policies that companies have to comply with.

How can you ensure rigorous compliance for cloud workloads?

The financial impacts of non-compliance are large and rising.

The legal and regulatory landscape is always changing.


Strategy Development: Not sure where to start? Let us help you assess your current state cloud controls maturity against relevant regulatory requirements, and define a strategy for improving and managing your compliance posture.

Tool-Based Solution: Not in a highly regulated industry? Some use-cases can be solved with simple tooling. We can help design and implement a tool-based compliance approach with tools such as Dome9.

Fully Managed: Highly regulated or operating across multiple jurisdictions? Our managed Technology Compliance Advisor service can help map your existing controls to relevant regulatory requirements, and then regularly assess for updates & notify you of required actions.

Page 20:

A programmatic approach to securing the hybrid enterprise

1. Plan: Build a cloud security strategy and adoption roadmap

2. Build: Harden native cloud security + augment with additional security controls

3. Run: Provide threat management with an integrated resiliency plan

Page 21:

Thank you for your attention!

Learn more on www.ibm.com/