Gain a better understanding of the issues surrounding cloud and mobile security. Today's businesses want to leverage the benefits and lower costs of cloud computing while embracing the flexibility and exponential growth of mobile devices. Executives cite security as the biggest concern about embracing cloud and mobile technology. In this podcast Caleb Barlow talks with Dr. David Druker about how to reduce the security risks and reap the rewards of adopting cloud and mobile.
Links mentioned in this podcast:
Safeguarding the cloud: https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov2190
Redbook on the IBM Security Framework https://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg248100.html?Open
Shane Weeden's Blog https://www-304.ibm.com/connections/blogs/sweeden/?lang=en_us
Hi, this is Caleb Barlow and today we are going to be talking about securing cloud and mobile and yes it is possible. Before we get into that, I want to welcome you to the show and also thank our syndication partners, techpodcast.com, Blog Talk Radio, Security Cast Radio, Podcaster and iTunes among several others. If you're listening on any of those channels, please make sure you comment on the show, let us know what you think about it and if you are an iTunes subscriber it really helps us out if you rate the show no matter what you think of it and certainly provide us a comment there. Alright, so today we're going to be talking with David Druker who is a Security Solutions Architect here at IBM. Hi David! How are you?
Hello Caleb! How are you today?
I'm doing great. It's actually a nice sunny afternoon for a change here in Massachusetts. So, Securing Cloud and Mobile. I love the title: it is possible. You know, cloud and mobile have lots of benefits that everyone from enterprises to consumers has looked at. We can improve our IT infrastructure, we can be more responsive, we can reduce cost, but all of these things, you know, bring some challenges in terms of setting these environments up, and I think many people, C-level executives, were a little bit reluctant to move ahead and embrace these. What do you think is causing the issue, and what is your view on what to do about it?
Well Caleb, you're definitely right. These executives that you're talking to, they have legitimate worries. The main issue that they see is they can't control these things, but let's take a little deeper look. According to Gartner Group, security is a top concern that companies have about private clouds, and it's in the top three for using public clouds. So, what are the key risks of cloud systems? Well, private clouds and some public cloud systems have this characteristic of elasticity. This is what lets them rapidly provision new instances of complex applications, use them for a while, and then they just disappear when no longer needed. So, they can even grow and shrink automatically in response to load. This is really one of the main benefits of the cloud computing model. So, how can companies secure these things when they didn't exist a moment ago, they exist now, and they are about to disappear? That's really their biggest issue. The basic solution that IBM is recommending is to really adopt our own security framework, which is something we have developed for all IT security. In fact, there is an excellent Redbook that describes this in some detail, which I think you're going to post after our call today. But the key way to deal with the elasticity problem is to put some parts of your security infrastructure directly in cloud instances, so when they spring into existence their security is there, and when they disappear it simply shuts off. So that is sort of one simple pattern that we are adopting.
(crosstalk) much about, you know, so, you're setting--I mean, what's fascinating about this is you're setting these environments up in kind of real time. You know, if you think about security, not even that long ago, it was all about, you know, you think about your critical systems, you send an ALS doc and say "Okay, what do I need to add for security on this particular server?" You know, the point here with this issue is that it needs the framework because this is all automated. Right? I mean, I'm assuming in many of these cases there is no human involved at all.
That's exactly right. The provisioning of clouds is done by intelligent orchestration systems, and it happens in response to the loads. You've got to have this security built into it when it starts, and then you need to couple it with an overall cloud security system that can report what's happening in each individual cloud instance. That way, you can understand what's happening in one versus another, and that might be very important if you do have a security attack against one instance as opposed to another.
So, what are some of the kind of framework paradigms that you see here?
Well, in the IBM Security Framework, we have four security domains: people, applications, data and infrastructure. The people, applications and data parts are really not that different in cloud infrastructure than they are in regular computing systems. But infrastructure can be quite different, because your cloud systems are virtualized, they run on hypervisors, and they have this overall cloud access model where they can be provisioned dynamically. So, you've got to have ways to ensure that all data flowing in and out of these cloud instances is monitored, for instance for intrusion prevention; that is part of the infrastructure security pattern. Another key thing is that the individual virtual machines that are part of your cloud need to be managed from an endpoint management point of view. So, you need to have some type of agent living on each of these operating systems to monitor the inventory of software and what security vulnerabilities exist, and to dynamically patch them. Products like IBM Endpoint Manager are very useful to provide this function. I want to say, over the top of all of this, you certainly then want to have a security intelligence server which is gathering the data from all of these systems and doing some analysis of it.
Okay, so, we've got both the cloud side and, you know, let's talk for a second here about mobile as well. So, you know, you mentioned mobile--mobile fits in here in what ways?
Well, mobile is going to become the predominant method of accessing all IT systems, and since IT systems are going to be cloud systems, then cloud plus mobile really is what's going forward. That is what customers--what companies will be deploying. So, the problem that mobile brings is two things: the notion of customer-owned devices and employee-owned devices. In the case of, for instance, an employee-owned device, often called "bring your own device," how can a company be sure that this device has not been compromised or does not have other security problems? IBM, in fact, certainly does allow employees like you and me to own our own mobile phones and tablets and use them within the IBM security infrastructure. So, the key security pattern that we see there is the ability for IBM to be reasonably certain that only that employee is using that device, and we do that right now with strong passwords, but I see new solutions coming in that area. And then, finally, you also have to limit the access of the device to just certain applications or certain parts of your network. There are a couple of technologies one can use in that area, but the main point is that you limit what the device can do, you secure the data that is on the device very carefully, and you keep a lot of the data that the device needs to access only on your servers in the cloud.
Okay. So, these things--your point is, these things are very intertwined in terms of our thinking about mobile and our thinking about cloud; there is a good chance that, you know, the cloud environment would stand in behind that mobile application. So, let's focus on the cloud side just for a minute. You know, can you explain for folks the difference between, you know, we always say public clouds, private clouds, hybrid clouds. What is the difference in the security paradigm for each, and what patterns do you see?
This can be a complicated subject, but at base, a private cloud is one that is built by a business or another enterprise for their own use, and at root a standard virtual environment, something like VMware or Linux KVM or even IBM z/VM, is a way to build virtualized environments. To make this into a cloud, you need to have additional machinery on top to provision and deprovision machines, monitor performance, manage the usage, and most importantly, from our point of view, measure the security of all of these virtualized systems. Public cloud, on the other hand, the most common pattern is what is called "software as a service," so examples of these are salesforce.com or Workday, who can provide either HR systems or sales-type systems to companies without them installing any software at all. They really have different security problems, but what companies increasingly have are hybrid clouds, where they have a private cloud, which will be their own computer infrastructure, and then some non-critical business services are provided by software-as-a-service providers, and so linking these together is really the security challenge. So, that is really what they are facing going forward.
It makes a ton of sense. So, as we go in and we secure these different frameworks and we really start to think about, you know, not only the security posture but the frameworks that we are going to use, the automation, what about also the software-as-a-service vendors like Salesforce, Workday, Intuit, you know, a couple that you mentioned? I hear a lot about things like tokenization, encrypting these services. There is always concern about not only my own security posture but what's the security posture of the SaaS vendor that I've outsourced to? Can you talk a little bit about SaaS specifically and how you handle this in a hybrid environment?
Yes. When you're selecting a cloud service provider, certainly you need to do due diligence about the quality of their own security and the audits that they subject themselves to. What I've been hearing is that most customers are requiring that they submit to a standard called SSAE 16, which is an auditing standard for testing basic quality controls on their systems, and the federal government also has a new one called FedRAMP which, I think, a lot of commercial companies will also require down the line. So, number one is "Is the cloud provider really doing business the right way?" Don't trust your data to someone who is not. The other real key point is securing your access to this cloud. So, you know, I can certainly just connect directly to salesforce.com, but that's not really the model you want to use for your employees. You want to run them through some type of secure on-ramp where you've encrypted their access, you have authenticated them and authorized them for your particular application, and also you may want to be federating the identities of the people that use your cloud, that is to say any private clouds you have, with these public software-as-a-service providers. So, there are a couple of technologies, for sure: for the secure on-ramp you can use something like IBM WebSphere Cast Iron, and for federating identities something like IBM Federated Identity Manager will do this type of operation for you. As far as tokenization, it's a clever technique where a company does not actually store its real business data at the SaaS provider; instead there is this intermediary device that swaps out the real data for artificial data that mimics the structure of the real data. This might be useful in some cases, but we think that the first steps in all cases are to make sure that your cloud provider is a reputable provider and then secure that access the way I just described.
Many companies operate their own private cloud system. So, you know, we talked about kind of the SaaS environment where you go to Salesforce, you put your stuff there in a third party, but many people are also running these types of systems with, in many cases, hundreds of cloud instances on premises, each running, in many cases, multiple virtual machines. How can they understand what software is installed on them and what security vulnerabilities are present in each of these instances as they are coming up and down all over the place?
As I said earlier, one strategy is to have security that matches the elasticity of these clouds, and so this means having certain pieces of security infrastructure, like collection points for products like IBM Guardium. So, for instance, you can have a database tap on databases that live in the cloud, so they will collect the data from every cloud instance and then transmit it to your overall Guardium server. And then in some cases, especially when you are operating clouds that might be in different countries and you need to isolate the data, you may want to put a security intelligence server directly in each cloud instance. So, this is also possible, and then you can collect data from all of those intelligence servers, and I am talking here about a product like IBM QRadar, so that once you sort of understand what is in the individual clouds then you can look at your entire security profile. So, those are some of the patterns that you can use when you have hundreds of instances.
Now, when we are thinking of private cloud providers and the methods they use to secure the work of their administrators and DBAs, as someone called them, the "custodians of the cloud," which, of course, is very analogous to what was historically thought of and termed "privileged users" that we would have in kind of your typical on-premises solution and environment. Do these new privileges, or these new custodians of the cloud, open any new issues or concerns?
It is really pretty much the same pattern, but there are a couple of special aspects. A technology that springs to mind is to use something like a privileged identity management system, which IBM and other vendors offer, and this ensures the true identity of the system provider or the system administrator, regardless of where they're working in the cloud, is auditable, so we can find out when they log in to a particular cloud. They might be using one identity in one cloud instance and a different identity in another, but using a system like a privileged identity manager, you can connect them to the real person. Similarly, there are tools that do the same thing for databases, like IBM Guardium, which will monitor the usage of a DBA's access, say into a cloud database server, and, again, you will see who it is and what they are doing. So, this is similar again to standard IT but then adapted to the cloud environment.
So if we kind of shift gears now to mobile. You know, one of the more interesting things that came up in the IBM semiannual X-Force report, which talked in depth about mobile, was their view, where this is our own IBM research team, that mobile devices should actually become more secure than traditional devices, potentially as early as 2014. It's a rather bold prediction, but I think there is some interesting meat behind it. Do you want to expand upon that a bit?
Yeah, I was pretty interested in that too, Caleb, but initially I had the reaction that, I think, many people do: "Mobile is inherently more insecure." I think a couple of things. The iPhone and Android, but specifically iPhone and some other technologies, have some built-in security. Now, up to now, we haven't thought maybe it was strong enough. I think that IBM and other enterprises are working with the providers of these technologies to strengthen them, but the fact that they have tightly controlled ecosystems does give them the potential of having strong security. The other piece, though, clearly, is the built-in sensors of the phone. We've got an accelerometer. We've got multiple cameras. Sometimes we have things that detect fingerprints, proximity; all of those things can be used for biometric purposes, and GPS to transmit additional data to your systems that really helps you, overall, provide more security by knowing all about who's using the phone and where they're using it and how they're using it. This is, I think, the idea behind more security coming from mobile devices.
Well, I mean, ultimately we all have a focus on them right now, right? And that's also where a lot of both innovative investment is going, as well as investment at individual companies. The other thing that really strikes me about mobile phones is we assume out of the gate that they are not sterile environments. I mean, how many times, eight, ten years ago, you'd go get a new job, someone hands you the laptop and says "Hey, here is your laptop." It has all the access to the corporate environment that you need and has the applications on it, and those are all sterile applications where they probably had a relationship with every vendor. Now you show up at work, you bring your own mobile device, which has who knows what applications on it you downloaded from a $1.99-per-app store. This whole concept now of "I've got to actually put security into the application," I think, is fascinating, and we'll probably end up thinking about our traditional laptops in new ways here eventually as well. But another key issue with mobile devices is determining whether the user has registered the device for access to a specific application. What mechanisms ensure that the device and the app are actually registered, and do these techniques provide a quick way to revoke access when people leave or the device is lost or stolen?
Yeah, actually, as you were talking about what else is happening in mobile, I was thinking about this case. So, just briefly back on employee-owned devices, companies can require special things like strong passwords and also could install Endpoint Manager on them to ensure that they have not been compromised, and that is important. But this technique of registration applies both to customers and employees. So, this is actually pretty neat. What you can do is have a mechanism where, when you start using an application, you could say, use a laptop and go to the website and say I want to register a phone for this particular application. The registration page will generate a QR code that you scan with your phone, and when you do that, instantly, this is a one-time code, that phone becomes registered for that application for that person. So, this is a key thing: we have linked the phone, the application, and the user all at the same time, and this lets us later go back and revoke access. That is, the company can do it or the user can do it. They can revoke access for this particular phone and register a new phone if it is lost or when they trade phones out, and it's very powerful. There's a developer at IBM's Australia development labs, Shane Weeden, who has developed many of these technologies. They use a technology called OAuth that is an industry standard, but IBM has an implementation. He has a great demo of this, as well as providing online access to his demo, and I'll have you post a link to his blog after our podcast here.
Absolutely, we'll put that in the description of the podcast, so that'll be out there in about an hour here. So let's also talk about identity and access which, of course, is a primary concern for both cloud and mobile. What aspect of typical identity and access is so critical, and what's different about it when we think about it in these environments?
I think on the cloud side, what you want to do is have a single sign-on manager, something like IBM Security Access Manager for Web, that does single sign-on against multiple cloud instances. So, in the private cloud environment, you want to make sure that you have access control to all the cloud instances that's uniform, so you can understand who is logging in to, say, maybe they logged in to multiple clouds simultaneously. You want to be able to gather that information and understand it, and so you put this in front of each cloud or in front of the whole cloud infrastructure; that's one way to gather it. Also, something that I haven't talked about much but is a key piece there is to collect all the data from this system as well as others and send it to your security intelligence server. You need to be able to understand all the data you are collecting to really see if you have security threats. On the mobile side, this is where there's very interesting technology now called "context-based authentication" or authorization, sometimes called risk-based access. IBM has a product with that name that's part of our access manager family. So, context-based authorization will take information from the user's phone, so it will find out where they are by GPS or Wi-Fi or even cellular tower, and it sends that. It can send other biometric information that is collected, as we talked about earlier, and this is combined with information that the company may have in a database, so you might have the usage pattern of that user. Maybe they typically use the phone in the Northeast United States, but if they're now, all of a sudden, trying to access a corporate app from North Africa or Europe or something like that, then that might be a variance from your policy. So, we have a lot of data that we can collect, again, from the mobile device and also from other systems.
The context-based authorization system creates a risk score, and the risk score then can be used to, say, require additional authentication. It might say "Well, you logged in with a password, but now we need to see something biometric," or maybe a one-time password needs to be sent and used, or maybe the risk is so high that the risk score simply says "You can't do this transaction. You are trying to withdraw from a bank account and the phone just seems to be a thousand miles from where it was an hour ago. We are not going to allow it," because there is strong evidence of fraud in this case. So, this connects very much with the fraud prevention systems. Very powerful technology.
So, we've looked at a bunch of different things about cloud and mobile. Where could we go to find out more details? You mentioned a few different IBM solutions in the mix here, so where would we find those, and also what's kind of your view on what comes next with all of this?
IBM has several new product updates this year that, of course, I can't discuss at this point, but to keep abreast of them just look at the IBM security website, and the URL is easy to remember: it is ibm.com/security. I'm certainly following that myself. Also, IBM has this great YouTube security channel where you can see lots of interesting videos; I believe both you and I have a few on there, but there are lots of other great experts, so you can certainly see what IBM is doing in this area as well as what kind of trends we see in the industry. And finally, I think people want to stay and monitor your blog and your channel on this podcasting system, so as to see who else you bring in. Just on a personal note, I'm speaking about some of these same topics at a seminar on cyber security later this week in San Jose, Costa Rica, and there I am going to focus on the role of security information and event management in security, along with the special considerations that are needed by cloud and mobile. So, I see a lot of continued development in this area, but the basic patterns for securing cloud and mobile, I think, have been established, and the important thing for companies to do is get some expert help, figure out what they need to do, and start implementing them.
Alright, well, David, thanks a lot. I think one of the biggest takeaways for me, especially when we think about cloud and mobile, is first of all how they're--you know, we often have to think about these things as one and the same, right? I mean, the point here that you are making is cloud is probably the backend to a lot of these mobile applications, and, of course, the second piece of this is you have to make sure the frameworks are in place, because a lot of these cloud solutions are standing up, coming down, and changing on the fly without necessarily having human intervention. So, if we do not have the framework in place and the automation in place, we are not going to have the security structure in place that we need either.
You said it very well Caleb and I agree completely.
Alright David, well, thank you again. To keep track of what David's doing, again, he'll be down in San Jose, Costa Rica later this week, but you can also follow what both David and his peers are up to at ibm.com/security. Thanks again for joining.