IBM SmartCloud Enterprise - A Secure Infrastructure for Test and Development
•Télécharger en tant que PPT, PDF•
0 j'aime•1,049 vues
IBM SmartCloud Enterprise presentation which took place in Tallinn, EE on 09/10/2012 during IBM Baltics Forum 2012.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (8)
Similaire à IBM SmartCloud Enterprise - A Secure Infrastructure for Test and Development
Similaire à IBM SmartCloud Enterprise - A Secure Infrastructure for Test and Development (20)
Plus de Piotr Pietrzak
Plus de Piotr Pietrzak (8)
Dernier
Dernier (20)
IBM SmartCloud Enterprise - A Secure Infrastructure for Test and Development
- 1. IBM SmartCloud Enterprise A Secure Infrastructure for Test and Development Piotr Pietrzak IBM Forum 2012 – Estonia Tallinn, October 9, 2012
- 2. IBM SmartCloud Enterprise at a glance Features and functions: Your servers and personal Choice of nine virtual (Intel) server configurations computers (PCs) Choice of operating systems: • Linux®; Red Hat, Novell SUSE or bring your own • Windows Server® 2003 and 2008 Software image choices: Your firewall • Pick a pre-configured IBM or IBM Partner image • Construct a Linux image in the cloud from software bundles using IBM SmartCloud IBM and partner tools • Import or copy an existing Linux image Enterprise Storage choices: • Persistent storage; fixed blocks up to 10TB IBM firewall • Object/File storage; web accessible file storage with nearly Optional VPN unlimited capacity gateway Options to dynamically add/delete multiple blocks of Virtual IBM unique security and authentication model servers isolated in virtual private network environments. Management Premium support services as a supplement to forums, with infrastructure optional add-on operating system support Private and shared VLANs Choice of six sites: US (2), Canada, Germany, Japan & Singapore with massive capacity. Virtual machines Payment options: and virtual storage • Pay-as-you-go IBM global delivery centers • Reserved capacity package options. What’s new? / 3Q2012 More at: ibm.com/cloud/solutions/enterprise • Increased SLA from 99.5% to 99.9% Cloud Portal: ibm.com/cloud/enterprise • Optional Platinum-M2 virtual machine – 32GB of RAM 2 • Cloning of Windows domain controller instances2012 IBM Corporation ©
- 3. Nine server and eight attachable persistent storage options enable you to configure systems to match a wide variety of workloads. 32-bit configurations 64-bit configurations Virtual machine (VM) Options Copper Bronze Silver Gold Copper Bronze Silver Gold Platinum Virtual CPUs 1 1 2 4 2 2 4 8 16 with 1.25 Gigahertz Virtual memory (GB) 2 2 4 4 4 4 8 16 16 Instance storage (GB) 60 60+175 60+350 60+350 60 60+850 60+1024 60+1024 60+2048 • Intel architecture servers can be provisioned with Linux (Red Hat, Novell SUSE or customer provided) or Microsoft Windows Server (2003 or 2008) and your choice of middleware. • Prices start well under 10 cents per hour* for a virtual machine, including operating system. Reserved capacity options provide pools of resources at discounted rates. • Dynamically attach and detach up to three extra blocks of persistent (RAID protected) storage to an instance, preformatted (ext3) or raw in eight sizes from 60 GB to 10 TB. *US prices for 32-bit copper configuration with Windows Server or SUSE Enterprise Linux, current as of December 5, 2011. Prices subject to change. 3 © 2012 IBM Corporation
- 4. The IBM SmartCloud Enterprise software asset catalogs provide a software store for your server configurations. The ‘public’ catalog contains a growing list of operating system images with or without selected software and software bundles from IBM (Lotus®,WebSphere®, DB2®, Informix®, Cognos®, Tivoli®, Rational®), Alphinat, Aviarc, BeyondTrust, CohesiveFT, Corent, Grid Robotics, Kaavo, NetEnrich, OpenCrowd, Pragma Systems, Servoy, SugarCRM or Zeus. The licensing options include: • “Pay-as-you-go” (“PAYG”), with hourly rates: You choose the desired software, accept the license terms online, and receive a monthly usage bill. • “Bring your own license” (“BYOL”): You own or buy a software license and can use the prebuilt image in the catalog. Your ‘private’ and ‘community’ catalogs provide a place for you to store and manage customized copies of public images and images you build in the cloud or import. 4 © 2012 IBM Corporation
- 5. You can have your server environment running in minutes and pay for it only as long as you need it. The self-service portal, designed for ease of use, guides you through setting up what you need and triggers the automated provisioning of your servers. Click and choose Choose the hardware and Application provisioned the software you need usage configuration and ready to run Step 1 Step 2 Step 3 5 © 2012 IBM Corporation
- 6. IBM SmartCloud Enterprise can help you gain savings, quality improvements and speed to market. Cloud computing from IBM can help you: • Reduce IT labor cost by over 50 percent1—reduce the cost and time to provision a software environment with reduced labor for configuration and without installation costs • Virtually eliminate capital expense and realize significant software license savings through more rapid access to elastic server capacity • Reduce provisioning cycle times from weeks to minutes— for faster time to market and more time for innovation • Improve quality—eliminate over 30 percent1 of all defects that come from faulty configurations; standard configurations help reduce risk and deliver higher service quality • Enable more effective development—preconfigured integrated IBM Rational® developer group tools and best practices • Improve governance and reduce risk of large server deployments 1 Based on results from IBM’s Technology Adoption Program. Your results may vary, and client-specific results can only be ascertained after a return on investment analysis. 6 © 2012 IBM Corporation
- 7. When considering a new technology such as cloud, there are always challenges and dependencies that need to be addressed. Today’s data center Tomorrow’s cloud environment We know that: ? ? Who ensures security? It is located at X Where is it located? ? Where is it stored? It is stored in server Y We have backups ? ? Who backs it up? in place Who has access? How resilient is it? Our administrators control ? How do auditors observe? access Our uptime is sufficient How does our security team engage? The auditors are happy Our security team is engaged Technical concerns: Extended network security Isolation failure Insecure or incomplete data deletion Additional software layers 7 © 2012 IBM Corporation
- 8. IBM Security Solutions to address the challenges of cloud computing Helping clients begin their journey to the cloud with relevant security expertise Compliance ownership Cross border constraints GRC e-discovery process Access to logs and audit trails Merging patch, change, and configuration management policies Rapid provisioning/de-provisioning of users Federated identity management Data segregation Intellectual property protection Data preservation and investigation Multi-tenancy and shared images Virtualized environments Open public access Physical data center security and resiliency 8 © 2012 IBM Corporation
- 9. Security governance, risk management and compliance Security governance, risk management and compliance Customers require visibility into the IBM Security Framework security posture of their cloud. Implement a governance and audit management program Establish 3rd-party audits (SAS 70, ISO27001, PCI) Provide access to tenant-specific log and audit data Create effective incident reporting for tenants IBM Cloud Security Guidance Document Visibility into change, incident, image management, etc. Support for forensics and e-Discovery Supporting IBM Products, Services and Solutions IBM Professional Security Services – IBM Managed Security Services - cloud security consulting Services – hosted security event and log cloud security strategy roadmap Enhanced management Assessing security to create a roadmap to reduced risk Cloud-based security services IBM Security A comprehensive evaluation of an A cloud-based security service designed to provide Products and Services organization's existing security policies, security incident and event management (SIEM) procedures, controls and mechanisms. functionality at a lower cost. 9 © 2012 IBM Corporation
- 10. People and Identity People and Identity Customers require proper authentication IBM Security Framework of cloud users. Implement strong identity and access management Privileged user monitoring, including logging activities, physical monitoring and background checking Utilize federated identity to coordinate authentication and authorization with enterprise or third party systems A standards-based, single sign-on capability can help simplify user logons for IBM Cloud Security both internally hosted applications and the cloud. Guidance Document Supporting IBM Products, Services and Solutions IBM Tivoli Federated Identity IBM Tivoli Security Information Manager and Event Manager Securely manage cloud identities Optimize security & compliance Employ user-centric federated identity efforts IBM Security management to increase customer Monitor user activity for accidental or Products and Services satisfaction and collaboration malicious activity that could put information at risk 10 © 2012 IBM Corporation
- 11. Data and Information Data and Information Customers cite data protection as their IBM Security Framework most important concern. Ensure confidential data protection Use a secure network protocol when connecting to a secure information store. Implement a firewall to isolate confidential information, and ensure that IBM Cloud Security all confidential information is stored behind the firewall. Guidance Document Sensitive information not essential to the business should be securely destroyed. Supporting IBM Products, Services and Solutions IBM Data Security Services IBM Information Protection Protect data and enable business Enhanced Services – managed backup innovation cloud Solutions for network data loss Flexible, automated backup and IBM Security prevention, endpoint encryption, recovery managed service Products and Services endpoint data loss prevention, and Located onsite or offsite using public log analysis and/or private cloud technology 11 © 2012 IBM Corporation
- 12. Application and Process Application and Process Customers require secure cloud IBM Security Framework applications and provider processes. Establish application and environment provisioning Implement a program for application and image provisioning. A secure application testing program should be implemented. Ensure all changes to virtual images and applications are logged. IBM Cloud Security Guidance Document Develop all Web based applications using secure coding guidelines. Supporting IBM Products, Services and Solutions IBM WebSphere DataPower Secure IBM Application Security Services Enhanced Hybrid Cloud Connector for Cloud IBM WebSphere DataPower Security assessment services for cloud Cast Iron Appliance XH35 applications Leverages standard protocols to Identify and eliminate security and privacy IBM Security provide multiple layers of connection risks associated with your cloud Products and Services security for private, public or hybrid applications. clouds. 12 © 2012 IBM Corporation
- 13. Network, Server and End Point Network, Server and End Point Customers expect a secure cloud IBM Security Framework operating environment. . Maintain environment testing and vulnerability/intrusion management Isolation between tenant domains Trusted virtual domains: policy-based security zones Built-in intrusion detection and prevention IBM Cloud Security Guidance Document Vulnerability Management Protect machine images from corruption and abuse Supporting IBM Products, Services and Solutions Managed Security Services – hosted IBM Professional Security Services – Enhanced vulnerability management cloud security consulting – cloud Identify vulnerabilities and manage risk security assessment to reduce cost Provide cloud providers with an IBM Security Cloud-based security service to identify assessment of their security controls Products and Services vulnerabilities across network devices, Leverage international standards and best servers, databases and web practices to provide public or private 13 applications cloud providers © 2012 IBM Corporation
- 14. Physical Security Physical Security Customers expect cloud data centers to be IBM Security Framework physically secure. . Implement a physical environment security plan Ensure the facility has appropriate controls to monitor access. Prevent unauthorized entrance to critical areas within facilities. Ensure that all employees with direct access to systems have full IBM Cloud Security background checks. Guidance Document Provide adequate protection against natural disasters. Supporting IBM Products, Services and Solutions IBM Physical Security Services Defend and help secure physical environments A full suite of digital security solutions and site assessments that can be IBM Security integrated with your network and IT systems Products and Services 14 © 2012 IBM Corporation
- 15. IBM SmartCloud Enterprise is designed to address key client concerns of control, reliability, and security Control. Web-based portal allows authorized users to log on at any time and monitor, manage and control their virtual environments. Administrator and user roles offer enterprise-level control of cloud assets and spending, including full usage detail downloads. Built-in APIs allow you to customize and automatically control your cloud server capacity. Reliability. Around-the-clock monitoring and management of the IBM SmartCloud infrastructure with a service level agreement. Features like ‘anti- collocation’ and ‘virtual IP addressing’ help enable you to build resiliency into your cloud server environments. Backup and recovery and monitoring services are available separately. Security. Built into the solution, ranging from tight physical security of the IBM SmartCloud delivery centers to IPS and vulnerability scanning of the IBM SmartCloud infrastructure. Optional security options such as virtual private networking can help you extend your existing security disciplines to the cloud. 15 © 2012 IBM Corporation
- 16. Why choose IBM to realize cloud computing value? • IBM has one of the broadest bases of cloud solutions in the market and is a thought leader in cloud standards, optimization and integration. • Our public cloud services offer flexible, enterprise-oriented delivery models to help enable enterprises to more securely partition their environment, virtual and dedicated. • IBM is world-leading in middleware, development and testing tools • We have expertise and best practices gained from years of experience managing and operating security-rich enterprise data centers around the world. 16 © 2012 IBM Corporation
- 17. Thank you for your time today. Questions?: Next Steps: • Request IBM SmartCloud Enterprise trial from your IBM sales representatives • Identify candidate cloud workloads • Ask your IBM sales representative for a SmartCloud Enterprise workload migration workshop For more information: ibm.com/smartcloud/solutions/enterprise Contact:piotr.pietrzak@pl.ibm.com http://twitter.com/piotrpietrzak 17 © 2012 IBM Corporation
Notes de l'éditeur
- This chart is an attempt to summarize the features of the IBM SmartCloud Enterprise offering. The list on the right summarizes the elements of the offering: There are nine 32- and 64-bit configuration options that allow you to pick the virtual machine (VM) instance sizes that best fit your needs. These can be configured with either a Linux operating system (Redhat or Novell SUSE) or Microsoft Windows Server 2003 or 2008. There are dozens of preconfigured and tested software images that you can use as the basis for building and saving customized private images to suit your needs. Private images can be shared by users within an account. With the persistent storage option, you can order extra blocks of persistent storage to use with a virtual machine instance for longer term storage of content. Small (256 gigabyte [GB]), medium (512 GB) and large (2048 GB) blocks are available. The offering provides a virtual private network option that isolates your instances on a private virtual LAN (VLAN). In addition, servers can be configured with up to four IP addresses, which enables you to build more robust systems but implement fallback strategies while allowing you to segment your system into layers (security zones) with restricted network access.(VPN: Virtual private network; VLAN: Virtual local area network) IBM standard and add-on support services consist of: Standard services: Technical support for all services—available through the web portal and by checking the online Cloud Service forum pages after login Around-the-clock monitoring and management of the IBM cloud infrastructure, including: Security activities for the IBM SmartCloud Enterprise infrastructure to govern access to and use of our services Scheduled maintenance for the IBM SmartCloud delivery centers and base infrastructure to maintain our services Fee-based add-on services: Remote on-boarding support to help account managers and end users learn how to navigate and use the self-service web portal Premium support: around-the-clock telephone support with a web-based service request ticketing system Advanced Premium support: Advanced Premium Support extends Premium Support with customer severity-level driven response times and a service level agreement with credits if response times aren't met. Add-on operating system assistance on top of premium support for Linux as well as Microsoft Windows Server . From a payment perspective, all of the standard features are available on a pay-as-you-go model. Virtual servers, selected software images, persistent storage and static IP addresses are charged for by the hour. Persistent storage charges include charges for storage blocks as well as for storing private images. Virtual private network options are charged for per month. Use of certain software images require a prepaid license. Operating system charges are included in the virtual server per hour charge. IBM provides network bandwidth for inbound and outbound data transfers between the IBM SmartCloud delivery centers and the Internet for you to access and use the services. IBM tracks and measures the amount of data transferred. Data transfer is charged for on a GB-transferred basis. Reserved capacity packages consist of pools of resources from which customers can provision as required. They carry a monthly charge but also offer preferred (discounted) rates on the virtual servers provisioned. Premium support is charged for as a 5 percent uplift on other service charges, charged for monthly, excluding pay-as-you-go software charges. Monthly minimum charge is US$75 in the US (price current as of March 28 2011). Advanced Premium support is charged for as a 10 percent uplift on other service charges, charged for monthly, excluding pay-as-you-go software charges. Monthly minimum charge is US$1,000 (price current as of March 28 2011). Add-on operating support is charged for as a fixed per hour uplift on instance hourly charges. The uplift varies by operating system and instance size.
- **Central processing unit (CPUs) **Redundant array of independent disks (RAID) **Gigabyte (GB) **Terabyte (TB) **ext3 is ‘third extended file system’, a file system that is commonly used by the Linux kernel The table illustrates the virtual machine instance types, storage and other options available with IBM SmartCloud Enterprise. Notes: The storage provided with an instance is divided up into a root segment (with 60 gigabytes) plus additional segments with the amount shown. Users may choose to provision an instance with just the root segment to shorten provisioning time. Virtual machine instance storage is erased when an instance is de-provisioned (deleted). Blocks of persistent storage and object storage should be used for storing data for longer periods. Persistent and object storage are both RAID protected, but instance storage is not. Although images can be built on one virtual machine configuration and migrated to a configuration of a different size, images have a limited set of virtual machines types and sizes they support. While small Linux virtual machines (Copper and Bronze) generally provision in approximately eight minutes or less, larger instances take longer, depending on storage size and operating system chosen.
- The offering includes a set of images that may be used as a starting point for building the server configurations you require. These images consist of operating system images (Linux, either SUSE or RedHat, and Windows Server 2003 and 2008) with or without additional preinstalled IBM and third-party software. IBM software includes software products from IBM Lotus ® , IBM WebSphere ® , IBM Information Management, IBM Tivoli ® and IBM Rational ® . IBM software is available under several licensing options, including bringing your own license for software you already hold a valid license for and paying for use by the hour. It also includes software from a number of IBM Business Partners such as Alphinat, Aviarc, BeyondTrust, CohesiveFT, Corent, Grid Robotics, Kaavo, NetEnrich, OpenCrowd, Pragma Systems, Servoy, SugarCRM and Zeus. A software bundle is software that is installed and/or configured in a running instance of an image. The bundle includes installation files, configuration files, a parameter specification, and a description of prerequisites that the bundle requires. With a library of software bundles and a library of fixed images, you can compose a custom image with multiple software bundles. For image providers, software bundles can also reduce operational costs and the management challenge of providing and maintaining every possible combination of their base images preinstalled with multiple software bundles. You can provide your own software bundles that can be installed on multiple images. IBM offers flexibility regarding software licensing , as follows: Bring your own license: Clients who own a software license for the specified software can use the preinstalled software on the cloud at no additional charge. Charges for running this software amount to the charges for running the selected virtual server configuration with a standalone operating system. Pay by the hour: Clients who do not own a software license can use preinstalled software for a per instance per-hour usage charge. Charges for running this software amount to the charges for running the selected virtual server configuration with a standalone operating system plus a per hour software charge. Bring your own software and license: Clients who own the software and associated license for the required software can use their own software to build and save their own private images in IBM SmartCloud Enterprise. Charges for running this software amount to the charges for running the selected virtual server configuration with a standalone operating system. Clients who may want to test pre-releases of software may do so by choosing one of the available pre-release images. Pre-release images may only be used for test and other nonproductive use. Pre-release images are available at no charge and may be withdrawn without notice. When they have been withdrawn, customers must stop using them and any images derived from them. Charges for running pre-release software amount to the charges for running the selected virtual server configuration with a standalone operating system. Independent software vendor developers can use “development use only” ( DUO ) software in IBM SmartCloud Enterprise for development, test, proof of concept and sales demo , at no charge. DUO images are only available to an independent software vendor (ISV) or system integrator (SI) whose core business is solely the delivery of commercially available, network-delivered applications or software as a service (SaaS) applications for end users in the marketplace. Charges for running this software amount to the charges for running the selected virtual server configuration with a standalone operating system. For a current list of IBM middleware images and the configurations supported, please visit the IBM SmartCloud Enterprise website at: http://www.ibm.com/smartcloud/solutions/enterprise Note, all images have been built to fit a limited range of virtual machine sizes and types, licening options and operating systems. For example, a particular IBM DB2® image may have been built to run on 32-bit configurations with SUSE Linux and is available on ”bring your own license” terms. That DB2 software may not be available under Red Hat Enterprise Linux (RHEL) or on 64-bit configurations.
- This chart shows you how quickly you can set up your virtualized server environment using IBM SmartCloud Enterprise. The normal provisioning flow has three steps once the user has logged into the IBM SmartCloud Enterprise portal and selected the Instances tab on the control panel: The user selects a data center location and an image for the required server from an image catalog, either a ‘public’ catalog of IBM-standard images, a ‘shared’ catalog of images the account manages or a private user catalog. The user selects the virtual machine configuration, network connectivity, security keys and storage required for the server, based on the user’s needs The user accepts the “Terms and Conditions” and thereby orders the provisioning of the server instance. The status of the order can be viewed in the control panel. After a few minutes, typically 6-7 minutes for a small Linux server and two to three times longer for a large Windows server, the server is ready for use. Per hour charges start when the server is ready for use (becomes ‘Active’). Once the server instance has been provided, the user can access, customize and use the server as if it was located in an in-house data center. Once the user has customized the instance as required (for example by having installed an application and configuring it), the user can save the customized version of the instance as a private image for future reuse, if desired. When the server is no longer needed, the user de-provisions the instance, stopping charges for the use of the server. Most of the functions can also be accomplished using the built-in application programming interfaces (APIs). The graphic on the slide shows the three steps required to set up and deploy a service with IBM SmartCloud Enterprise. It consists of three screen shots from the portal, the first one showing where you select an image, the second showing where to configure it and the third indicating that the application is provisioned. Above the third box is a picture of a hand holding a stopwatch, indicating the three steps can be accomplished quickly.
- IBM SmartCloud Enterprise lets you remotely access a scalable, virtualized server environment in a multitenant, self-service mode on a pay-per-use basis, leveraging standardized assets owned and managed by IBM. When you access IBM SmartCloud Enterprise, you can realize several benefits, including: Reduced costs by virtually eliminating capital outlays and significantly reducing operational and labor expenses Faster setup and shorter cycle times, enabling improved time to market Improved quality by helping to reduce development and testing errors from faulty configurations Enhanced teaming and collaboration for greater efficiency of your distributed IT teams Improved governance and enhanced security
- The graphic on the center-left of the slide illustrates ”Today’s data center,” showing a group of servers associated with a building. The servers are enclosed in a box with three figures in each corner—a clock, security guard and a certification badge. The arrow mark points from this graphic to another on the right, which depicts ”Tomorrow’s cloud environment.” This graphic shows a group of servers inside a figure of a cloud and overlaid by numerous question marks. These servers are associated with a map of the world. When you are considering a new technology such as cloud, there are always challenges and dependencies that need to be addressed. This chart summarizes many of the concerns that many enterprises have expressed. On the left, the well-known established environment which, while well understood, stable and security rich, is costly, slow to change and labor intensive. On the right, you see the cloud environment with the value proposition we have discussed, but with a lot of uncertainties. It is not the intention in this session to try to answer all of these questions, only to recognize that these challenges exist and that IBM can provide answers to them. However, it is also fair to say, that not all the answers will satisfy the needs of all enterprise workloads. There are workloads (understood as IT usage scenarios, be that by developers, testers or end users) for which the cloud is not suited, that best reside in the enterprise data center, behind the enterprise firewall. However, there are also workloads that fit well into a cloud context, for example the majority of development and test activities and many production workloads with less sensitive data (for example, web servers with static content). The challenge is therefore to identify the workloads for which the cloud is effective. Clients generally ask: “ Is IBM SmartCloud Enterprise secure?” “Will IBM guarantee the security of my data?” “ Are my applications and data protected against other tenants, IBM cloud administrators and developers, and external attackers?”
- IBM provides expertise around the unique challenges associated with cloud computing. New considerations come into play around traditional security activities when a cloud initiative is being evaluated. For example, when looking at application security an organization must assess the impact to security and privacy related to shared imaging or multi-tenancy. Clients must look at their security policies and procedures to understand what modifications might be necessary to accommodate a cloud strategy. Virtualization brings new challenges to system security, and the open nature of public clouds increases risks from unknown, potentially hostile attackers from a network perspective.
- Key Point: From a governance, risk and compliance perspective… organizations require visibility into the security posture of their cloud. This includes broad-based visibility into change, image, and incident management, as well as incident reporting for tenants and tenant-specific log and audit data. Visibility can be especially critical for compliance. The Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), European privacy laws, and many other regulations require comprehensive auditing capabilities. Since public clouds are by definition a black box to the subscriber, potential cloud subscribers may not be able to demonstrate compliance. (A private or hybrid cloud, on the other hand, can be configured to meet those requirements.) In addition, providers sometimes are required to support third-party audits, and their clients can be directed to support e-Discovery and forensic investigations when a breach is suspected. This adds even more importance to maintaining proper visibility into the cloud. In general, organizations often cite the need for flexible Service Level Agreements (SLAs) that can be adapted to their specific situation, building on their experiences with strategic outsourcing and traditional, managed services.
- Key Point: Organizations need to make sure that authorized users across their enterprise and supply chain have access to the data and tools that they need, when they need it, while blocking unauthorized access. Cloud environments usually support a large and diverse community of users, so these controls are even more critical. In addition, clouds introduce a new tier of privileged users: administrators working for the cloud provider. Privileged-user monitoring, including logging activities, becomes an important requirement. This monitoring should include physical monitoring and background checking. Identity federation and rapid onboarding capabilities must be available to coordinate authentication and authorization with the enterprise back-end or third-party systems. A standards-based, single sign-on capability is required to simplify user logons for both internally hosted applications and the cloud, allowing users to easily and quickly leverage cloud services.
- Key Point: Most organizations cite data protection as their most important security issue . Typical concerns include the way in which data is stored and accessed, compliance and audit requirements, and business issues involving the cost of data breaches, notification requirements, and damage to brand value. All sensitive or regulated data needs to be properly segregated on the cloud storage infrastructure, including archived data. Encrypting and managing encryption keys of data in transit to the cloud or data at rest in the service provider's data center is critical to protecting data privacy and complying with compliance mandates. The encryption of mobile media and the ability to securely share those encryption keys between the cloud service provider and consumer is an important and often overlooked need. Because moving large volumes of data quickly and cheaply over the Internet is still not practical in many situations, many organizations must send mobile media, such as an archive tape, to the cloud provider. It is critical that the data is encrypted and only the cloud provider and consumer have access to the encryption keys. Significant restrictions regarding data co-location can arise with cloud computing, depending on an organization's location, the type of data it handles, and the nature of its business. Several member states of the European Union (EU), for example, expressly forbid the nonpublic personal information of its citizens to leave their borders. Additionally, a cloud deployment can raise export-law violation issues relative to encrypted information, and the deployment can potentially expose intellectual property to serious threats. The organization's legal counsel must perform a thorough review of all these requirements prior to cloud deployment, making sure the organization can maintain control over the geographic location of data in the provider infrastructure. In areas involving users and data with different risk classes that are explicitly identified (such as public and financial services), organizations need to maintain cloud-wide data classification. The classification of the data will govern who has access, how that data is encrypted and archived, and how technologies are used to prevent data loss.
- Key Point: Clients typically consider cloud application security requirements in terms of image security. All of the typical application security requirements still apply to the applications in the cloud, but they also carry over to the images that host those applications. The cloud provider needs to follow and support a secure development process. In addition, cloud users demand support for image provenance and for licensing and usage control. Suspension and destruction of images must be performed carefully, ensuring that sensitive data contained in those images is not exposed. Defining, verifying, and maintaining the security posture of images in regards to client-specific security policies is an important requirement, especially in highly regulated industries. Organizations need to ensure that the Web services they publish into the cloud are secure, compliant, and meet their business policies. Leveraging secure-development best practices is a key requirement.
- Key Point: In the shared cloud environment, clients want to ensure that all tenant domains are properly isolated and that no possibility exists for data or transactions to leak from one tenant domain into the next. To help achieve this, clients need the ability to configure trusted virtual domains or policy-based security zones. As data moves further from the client's control, they expect capabilities like Intrusion Detection and Prevention systems to be built into the environment. The concern is not only intrusions into a client's trusted virtual domain, but also the potential for data leakages and for extrusions, that is, the misuse of a client's domain to mount attacks on third parties. Moving data to external service providers raises additional concerns about internal and Internet-based denial of service (DoS) or distributed denial of service (DDoS) attacks. In a shared environment, all parties must agree on their responsibilities to review data and perform these reviews on a regular basis. The organization must take the lead in terms of contract management for any risk assessments or controls deployment that it does not perform directly. Where image catalogs are provided by the cloud provider, clients want these images to be secure and properly protected from corruption and abuse. Many clients expect these images to be cryptographically certified and protected.
- Key Point: And finally, the cloud's infrastructure, including servers, routers, storage devices, power supplies, and other components that support operations, should be physically secure. Safeguards include the adequate control and monitoring of physical access using biometric access control measures and closed circuit television (CCTV) monitoring. Providers need to clearly explain how physical access is managed to the servers that host client workloads and that support client data.
- * Intrusion protection systems (IPS) *Internet protocol (IP) (address) * Application programming interfaces (APIs) This slide shows three key concerns and how IBM SmartCloud Enterprise can address them. Numerous third-party studies have documented that the key concerns enterprises have with cloud computing revolve around security, reliability and control. These three themes categorize most of the challenges discussed previously. These themes have therefore been key considerations for the way IBM has built the IBM SmartCloud Enterprise offering. The chart lists some of the specific things we do and provide to help address enterprise concerns. ‘ Anti-collocation’ is a feature introduced in April 2011 that enables clients to specify that two virtual machine instances must reside on different physical nodes to safeguard against failure of a physical node in the cloud. ‘ Virtual IP addressing’ is a technique whereby two or more virtual machine instances, set up as a primary server plus one or more secondary backup servers, can serve the same ‘virtual’ IP address, and thereby increase the resiliency of the overall configuration.
- For more information, please visit http://www.ibm.com/smartcloud/solutions/enterprise