05 dalessandro ibm cloudsanita regolesicurezza v5...

© 2012 IBM Corporation. Raffaella D’Alessandro, IBM GTS Security and Compliance Consultant (CISA, CRISC, LA ISO 27001, LA BS 25999, ISMS Senior Manager, ITIL v3). Rome, 16 May 2012. IBM SmartCloud: “The rules for Security in Cloud Computing: IBM's vision”

Post on 19-Oct-2020

Page 1: 05 Dalessandro IBM CloudSanita RegoleSicurezza v5 ...forges.forumpa.it/assets/Speeches/6292/c_13_dalessandro_raffaella.… · managed SAP users successful daily client transactions

© 2012 IBM Corporation

Raffaella D’Alessandro
IBM GTS Security and Compliance Consultant
CISA, CRISC, LA ISO 27001, LA BS 25999, ISMS Senior Manager, ITIL v3
Rome, 16 May 2012

IBM SmartCloud
“The rules for Security in Cloud Computing: IBM's vision”

Page 2

Agenda

- IBM's experience with Cloud Computing
- The rules in the “Cloud Factory”: the IBM Cloud Computing Reference Architecture
- Security services and management aspects in the IBM Cloud Computing Reference Architecture
- The rules for building Security services in the “Cloud Factory”
- The rules for managing Security services in the “Cloud Factory”
- Use Case

Page 3

Our market experiences have shaped our strategies for driving innovation and value for clients through cloud computing

successful private cloud projects

secure daily cloud transactions

managed SAP users

successful cloud projects

daily client transactions through public cloud

managed virtual machines

3,000 4.5M 1M

Commitment to open standards and a broad ecosystem

- Foundation: Private & Hybrid Cloud Enablement Technologies
- Services: Managed Services, Infrastructure & Platform as a Service
- Solutions: Business Solutions, Software and Business Process as a Service

Cloud Computing is transforming the global IT landscape and is driving both IBM and its clients toward a new era of growth and change.

Page 4

Public Cloud RA whitepaper available on ibm.com: http://public.dhe.ibm.com/common/ssi/ecm/en/ciw03078usen/CIW03078USEN.PDF

CCRA OpenGroup submission: http://www.opengroup.org/cloudcomputing/uploads/40/23840/CCRA.IBMSubmission.02282011.doc

The IBM Cloud Computing Reference Architecture (CCRA): the rules of the “Cloud Factory” for developing and delivering Services

Page 5

The rules of the “Cloud Factory” are continuously evolving

Page 6

IBM CCRA – Security services and management aspects

Security & Risk Manager

Compliance Manager

Continuity Manager

Page 7

IBM Cloud Security Foundation Controls

Page 8

The objective of security for Cloud Computing is to set and maintain the level of assurance for systems (hardware and software), services and information that falls within the business and technical risk boundaries set by the provider(s) and the consumers.

Security within IBM Cloud Computing is based on effective Governance, which includes:
- Definition of risks
- Definition of security plans and security policies
- Establishment of organizational structures
- Security Principles of Design
- Security Policy for Development, Operation and Admin, Compliance
- Security Foundational Controls
- Security Component Catalog
- Security Subsystems Models

IBM best practices for Security in the “Cloud Factory”

http://www.redbooks.ibm.com/abstracts/redp4614.html

Page 9

IBM Security Framework: Business Security Reference Model

Architectural Principles

Application and Process

People and Identity

IT Infrastructure: Network, Server, End Point

Physical Infrastructure

Data and Information

Governance, Risk, Compliance (GRC)

Security Services and Infrastructure

Security Policy Infrastructure

Identity, Access and Entitlement Infrastructure

Security Info and Event Infrastructure

Host and End-point Security

Storage Security

Network Security

Application Security

Physical Security

Service Management Infrastructure

Designs

Config Info and Registry

Data Repositories and Classification

Code and Images

Policies

Identities and Attributes

Operational Context

IT Security Knowledge

Events and Logs

Security Service Levels

Identity, Access and Entitlement Management

Threat and Vulnerability Management

Data and Information Protection Management

Software, System and Service Assurance

Security Policy Management

Risk and Compliance Assessment

Command and Control Management

Physical Asset Management

IT Service Management

Crypto, Key and Certificate Infrastructure

Foundational Security Management

The rules for building Security services in the “Cloud Factory”: IBM Security Framework Architectural Principles

Page 10

The rules for managing Security services in the “Cloud Factory” must make it possible to answer a single question:

“Who will be liable if something goes wrong in the cloud and data is lost or compromised?”

Page 11

Who is responsible for privacy & security at the … level?

Datacenter, Infrastructure, Middleware, Application, Process

Platform as a Service

Middleware

Database

Web 2.0 Application Runtime

Java Runtime

Development Tooling

Infrastructure as a Service

Servers, Networking, Storage

Data Center Fabric

Shared virtualized, dynamic provisioning

Software as a Service

Collaboration

Financials

CRM/ERP/HR

Industry Applications

Provider Consumer

Provider Consumer

Provider Consumer

Potential Gaps

Collaboration between consumer and provider is the key to properly addressing responsibilities for Privacy and Security in the Cloud

Coordinating privacy and information security is the responsibility of BOTH the provider and the consumer

Page 12

An illustrative case from IBM SmartCloud for Social Business: Security in the e-mail and Social Collaboration services designed for public and private organizations

Files

Meetings Events

Chat

Survey Forms

eMail

Communities

Activities

People

The Security services for data transfer guarantee the highest levels:
- Sophisticated encryption system for all network communications
- Encryption of all mailboxes and applications
- Optional encryption for individual archived documents

The Security services for data management make it possible to implement the same internal Policies adopted by the customer:
- Data classification, management, routing & sharing
- Security policy (e.g. consistency of password rules)
- Privacy (for both customers and employees)
- Auditing and compliance
- Archiving and discovery

Page 13

http://www.ibm.com/cloud-computing/us/en/

http://www-935.ibm.com/services/us/en/it-services/security-services.html?lnk=mhse