Safeguarding the cloud with IBM Security solutions

---

IBM Software

Solution Brief

Safeguarding the cloud with IBM Security solutions Maintain visibility and control with proven security solutions for public, private and hybrid clouds

Highlights Address cloud concerns with enterpriseclass security solutions across all IT security domains

●● ● ●

Help protect and manage internal and external users, data, applications and workloads as they move to and from the cloud

●● ● ●

●● ● ●

Gain visibility and demonstrate compliance with activity monitoring and security intelligence

Cloud computing is transforming IT, resulting in greater operational efficiencies and lower costs than with many traditional IT deployments. However, while planning for cloud deployments, IT departments are concerned with reduced visibility into cloud data centers, less control over security policies, new threats against shared environments and the complexity of demonstrating compliance. To meet this need, IBM offers a cloud security portfolio that spans all security domains—people, data, applications and infrastructure—based on the IBM® Security framework and informed by thousands of client engagements. The capabilities featured in IBM Security solutions help IT departments to manage and protect against risks associated with cloud computing. Some key areas include: ●● ●

●● ●

●● ●

Managing user identities with comprehensive administration and security capabilities Monitoring and helping protect access to data and helping guard applications against the latest threats and vulnerabilities Helping secure endpoints and defend workloads against sophisticated network attacks within the cloud

Deployed in private and hybrid cloud environments, IBM Security solutions provide layered protection and deep insight across the infrastructure. Capabilities such as federated single sign-on and privileged

IBM Software

Solution Brief

user management help provide simplified access and control across multiple cloud services for potentially millions of users. Database monitoring and web application scanning help reduce data and application vulnerabilities. IBM solutions also support security compliance with patch management for endpoints and virtualized machines. What’s more, these solutions increase visibility and enhance auditing of cloud activity within multi-tenant environments.

IBM customer case study: EXA Corporation An integrated set of IBM cloud solutions for automation, security and management is helping EXA Corporation protect a hybrid private cloud solution that combines proprietary and external data centers distributed across Japan. A solution—including IBM Tivoli® Federated Identity Manager and IBM Security Virtual Server Protection for VMware—has helped the company to reduce costs and improve disaster resiliency, offer secure cloud-based services to its customers, and improve the flexibility and scalability of its IT environment.

IBM Security Framework

IBM Security Identity and Access Assurance helps users gain access to cloud resources, while also monitoring, controlling and reporting on the identities of the systems, database administrators and other privileged users. Identity federation and rapid onboarding capabilities help extend entitlements to applications and environments beyond the corporate firewall. In addition, IBM Tivoli Federated Identity Manager provides authentication to multiple cloud applications with a single ID and password, providing self service for identity creation and management. A virtual appliance deployment model helps administrators get started quickly and scale to thousands of users. Built on a standards-based platform, this single sign-on solution helps simplify logons for both internally hosted applications and the cloud, allowing users to easily and quickly leverage cloud services.

Infrastructure

Applications

Data

People

Professional Services

Security Intelligence and Analytics

Cloud and Managed Services

Governance, Risk and Compliance

Advanced Security and Threat Research Software and Appliances

In addition to database administrators and system administrators, cloud computing introduces a new tier of privileged users: operating personnel working for cloud providers. IBM Security Privileged Identity Manager helps manage and control access to critical cloud resources by the organization’s employees and/or personnel who work for cloud providers and have high-level privileged access.

Identity protection: Access control across cloud environments Organizations need to provide access to the data and tools their authorized users need, when they need them, while also blocking unauthorized access. As relationships extend outward to diverse communities of users, organizations also need strong provisioning and auditing capabilities for service and application entitlements.

2

IBM Software

Solution Brief

Data and application protection: Reduce vulnerabilities, prevent exploits

IBM InfoSphere® Guardium® Database Security solutions offer capabilities to help protect cloud-based customer information and intellectual property from both external and internal threats. These solutions help prevent unauthorized changes to sensitive cloud-based data by privileged users. They also can help reduce audit costs by providing a consistent approach for cloud- and non-cloud-based databases, including a centralized security console across different database platforms. Cloud-based data is often encrypted, and controlling and managing encryption keys can become a major concern in cloud environments. IBM Tivoli Key Lifecycle Manager, with full Key Management Interoperability Protocol (KMIP) support, enables the easy and secure exchange of encryption keys between key managers and encryption providers.

In shared infrastructures such as storage clouds, sensitive or regulated data—including run-time and archived data—must be properly segregated from unauthorized users. Database and system administrators may have access to multiple clients’ data, and the location of stored data in a cloud may change rapidly. IBM helps improve data governance through database access management, monitoring and reporting of both cloud-based users and system and database administrators, and through prevention of access attempts by malicious users.

IBM SmartCloud security intelligence IBM Security QRadar SIEM and IBM Security QRadar VFlow Collector appliances

IBM SmartCloud Security Identity protection

IBM SmartCloud Security Data and application protection

Administer, secure, and extend identity and access to and from the cloud.

Secure enterprise databases. Build, test and maintain secure cloud applications.

IBM Security Identity Manager IBM Security Access Manager IBM Tivoli Federated Identity Manager - Business Gateway IBM Security Privileged Identity Manager

IBM InfoSphere Guardium IBM Security AppScan suite IBM Security AppScan OnDemand (hosted) IBM Tivoli Key Lifecycle Manager

3

IBM SmartCloud Security Threat protection Prevent advanced threats with layered protection and analytics. IBM SmartCloud Patch Management IBM Security Network Intrusion Prevention System Virtual Appliance IBM Security Virtual Server Protection for VMware

IBM Software

Solution Brief

hypervisor directly. IBM Security Virtual Server Protection for VMware is designed to provide VMware-based infrastructures with dynamic security capabilities without requiring hostbased agents within each guest.

Today’s headlines are filled with the news of application security failures. Poor coding practices and human error, combined with the relative ease of finding and exploiting these vulnerabilities, often makes application security a major point of weakness. The IBM Security AppScan® suite of products provides one of the industry’s most comprehensive sets of tools to protect today’s enterprise applications. The dynamic analysis platform included in IBM Security AppScan Standard Edition allows continuous testing of production applications deployed to the cloud. IBM Security AppScan Source Edition provides source codescanning capabilities that help development teams discover and remediate security issues in new and existing applications.

To manage the numerous servers and systems in the cloud, IBM SmartCloud® Patch Management can help ensure that correct patches and security configurations are continuously assessed and remediated. IBM SmartCloud Patch Management, built on IBM BigFix® technology, supports multiple operating systems and third-party applications with thousands of out-of-the-box policies for assessing and ensuring security policy compliance.

Threat protection: Shield cloud resources from attacks and intrusions

Mainframe: Protect private clouds and virtualized environments

Cloud workloads are often Internet-facing, significantly increasing exposure to external threats and requiring an advanced level of protection for cloud workloads and their users. The IBM Security Network Intrusion Prevention System provides advanced network-level protection against emerging threats and vulnerabilities. Backed by the IBM X-Force® research and development team, IBM network protection helps shield applications and network infrastructure from exploitation, identifies personally identifiable information (PII) and other confidential data, and prevents users from opening up attack vectors such as instant messaging protocols and peer-to-peer file sharing to and from cloud resources.

Although mainframes are known for robust security, organizations still need a multi-layered approach to protect the missioncritical transactions that occur on the platform and their most crucial production data. The IBM Security zSecure™ suite provides cost-effective security administration, improves service by detecting threats and reduces risk with automated audit and compliance reporting. The following tools, in particular, can enhance security in mainframe cloud environments: ●● ●

Unpatched systems, unnecessary services and poor configurations settings are a high risk to cloud deployments. Moreover, virtualization introduces additional security complexities, such as maintaining the security of offline or suspended images, and opens the possibility of new classes of attacks targeting the

●● ●

●● ●

4

IBM Security zSecure Audit—empowers users to automatically analyze and report on security events and detect security exposures IBM Security zSecure Administration—enables more efficient and effective IBM Resource Access Control Facility (RACF®) administration, using significantly fewer resources IBM zSecure Manager for RACF z/VM®—provides combined audit and administration capabilities for RACF in the virtual machine environment

IBM Software

Solution Brief

Security intelligence: Visibility and insight into cloud activity and threats

IBM Security QRadar VFlow Collector appliances provide Layer-7 monitoring for VMware ESX and ESXi virtual environments and out-of-the-box application-profiling support for more than 1,000 applications. The solution runs as a virtual host inside the hypervisor and can monitor traffic from the virtual switch as well as port-mirrored traffic from a physical switch, providing visibility in both the traditional and virtual environments that comprise hybrid cloud environments.

By design, clouds hide underlying infrastructure from their tenants, making regulatory compliance difficult. Visibility and auditing are clearly critically needed capabilities and cloud providers must therefore support third-party audits. Customers are also increasingly asking for forensic capabilities to support security investigations.

Why IBM?

IBM QRadar® Security Intelligence Platform solutions, anchored by IBM Security QRadar SIEM, provide auditing capabilities and visibility into cloud deployments by monitoring all traffic going into and out of the cloud. By monitoring data at the application and network levels, QRadar solutions can aggregate this information with other security technologies, such as IBM Security Identity and Access Assurance, to correlate not only what data is going to the cloud, but which user is sending it.

Security is a journey, not a destination. An enterprise cloud security strategy should align with overall IT security strategy as an extension of the existing IT infrastructure. IBM offers a broad portfolio of security products and services to help build more secure cloud environments with more intelligent security policies. IBM security solutions are supported by the world-renowned IBM X-Force team—one of the most respected commercial security research teams in the industry. IBM X-Force helps organizations stay ahead of emerging threats by analyzing and maintaining one of the world’s most comprehensive vulnerability databases. IBM X-Force researches and evaluates the latest security threats and trends, and develops countermeasure technologies for IBM security solutions.

5

For more information To learn more about IBM Security solutions, please contact your IBM representative or IBM Business Partner, or visit: ibm.com/security

For more information about the EXA corporation case study, please click here.

About IBM Security solutions IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force research and development, provides security intelligence to help organizations holistically protect their people, infrastructures, data and applications, offering solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. These solutions enable organizations to effectively manage risk and implement integrated security for mobile, cloud, social media and other enterprise business architectures. IBM operates one of the world’s broadest security research, development and delivery organizations, monitors 13 billion security events per day in more than 130 countries, and holds more than 3,000 security patents. Additionally, IBM Global Financing can help you acquire the software capabilities that your business needs in the most cost-effective and strategic way possible. We’ll partner with credit-qualified clients to customize a financing solution to suit your business and development goals, enable effective cash management, and improve your total cost of ownership. Fund your critical IT investment and propel your business forward with IBM Global Financing. For more information, visit: ibm.com/financing

© Copyright IBM Corporation 2013 IBM Corporation Software Group Route 100 Somers, NY 10589 Produced in the United States of America April 2013 IBM, the IBM logo, ibm.com, Tivoli, AppScan, IBM SmartCloud, WebSphere, and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml BigFix is a registered trademark of BigFix, Inc., an IBM Company. QRadar is a registered trademark of Q1 Labs, an IBM Company. This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation. Statements regarding IBM’s future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that systems and products are immune from the malicious or illegal conduct of any party. Please Recycle

WGS03012-USEN-00