Vikalp Nagori
IBM Security Services
viknagor@in.ibm.com
Loss of governance
Compliance and legal risk
Responsibility ambiguity
Isolation failure
Data protection
Insecure or incomplete data deletion
Handling of security incidents
Service unavailability
Business failure of the provider
It is necessary to classify your data so as to know what rules must apply to protecting it:
Its sensitivity: must it only exist at specific trust levels? If so, which?
What regulatory/compliance restrictions apply? E.g. must it stay within your national boundary?
The consumer organization will have its own organizational policies, standards and adopted best practices (e.g. ISO 27001).
Governance is about defining the organizing principles and rules
Example: Authentication strength, event management, vulnerability management
Governance
Data co-mingling
Confidentiality and integrity compromise
Legal and regulatory issues
Service management- resources
Data disposal
Return of data
Open standards
Data return on contract termination
Secure data disposal
Custody of data?
Service transfer to another provider or in-premise?
Open standards followed by the service provider?
[Diagram: managing consistent identity and access policies across customer applications and services, the enterprise directory, databases, application users, platform users, and the security and operations teams, for consumer and employee applications]
Cloud hosted proxies
Cloud-scale protection from DDoS
Web application firewalls
Firewalls, Intrusion Prevention (IPS)
VPN for enterprise connectivity
Network security groups
Network segmentation in SL (using Vyatta)
2016 IBM Corporation
IBM VPN (VPN as a service)
Key Features
The IBM Virtual Private Network service for Bluemix is available to securely access IBM Containers (Docker containers) inside the IBM Bluemix cloud environment.
You can use the IBM Bluemix cloud environment as an extension of your corporate data center.
You can also connect to SoftLayer servers using the IBM VPN service.
The IBM Virtual Private Network (VPN) service provides secure IP-layer connectivity between your on-premise data center and your IBM Bluemix cloud.
It leverages the Internet Protocol Security (IPsec) protocol suite to protect IP communication between endpoints residing on your private subnets.
An IPsec-compatible VPN gateway is required in your on-premise data center to establish secure connectivity with the IBM VPN service. No other client software is necessary.
Sensitive data stays on-prem
Confidential data considered
Regulatory compliance drives decisions
File based encryption (ICDES)
Cleversafe - Objectstore encryption
Cloudant & dashDB - encryption
Key management service
Hardware security modules
4 Secure DevOps: vulnerability and patch management
Containers enable a new model, e.g., the customer uses Vulnerability Advisor to assess container images and fix Linux security vulnerabilities
VMs are still traditional, e.g., the customer uses BigFix to patch all VMs
Application security, e.g., the customer uses the Application Security service to scan web apps and mobile apps
5 Security monitoring and intelligence are required to gain confidence
Access trails and audit logs, e.g., all administrative access in Bluemix is logged; Dedicated Bluemix provides all logs; application logs integration; continuous monitoring for attacks and threats
Identify Cloud incidents, e.g., the customer uses analytics tools to correlate Cloud traffic to identify a malicious app; all platform logs and events can be sent to the on-prem SIEM (Dedicated Bluemix); incident management and reporting
Enterprise security intelligence, e.g., the CISO wants all logs and events integrated into their on-prem QRadar; customers use their own SIEM; Cloud and on-prem security monitoring
[Diagram: customer workloads and cloud security insight feeding the enterprise SIEM and enterprise SOC]
IBM Cloud - Platform Provider Security
Security Policies
SOC Reports
SoftLayer provides SOC 1, SOC 2 and SOC 3 reports. These reports evaluate SoftLayer's operational controls with respect to criteria set by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles.
SoftLayer SOC 3
ISO 27001 is a widely-adopted global security standard that outlines the requirements for information security management systems and provides a systematic approach to managing company and customer information based on periodic risk assessments.
SoftLayer ISO 27001:2013 Certificate of Registration
ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provisioning and use of cloud
services as well as implementation guidance for both cloud service providers and cloud service customers.
SoftLayer ISO 27017:2015 Certificate of Registration
Cloud Security Alliance STAR Registrant
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing
security assurance within cloud computing. Read SoftLayer's STAR Consensus Assessment Initiative Questionnaire
We help our customers meet their PCI compliance needs by providing an Attestation of Compliance from an independent QSA. The Attestation of Compliance can be used in conjunction with our SOC 2 report and ISO 27001 certification to demonstrate that the infrastructure meets the PCI controls.
The SoftLayer cloud platform meets all of the necessary requirements for HIPAA on the data center/service provider side.
http://www.softlayer.com/compliance
THANK YOU
www.ibm.com/security
Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBMs sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries
or both. Other company, product, or service names may be trademarks or service marks of others.