Last month Clabby Analytics presented our analysis of the findings of an IBM Institute for Business Value (IBV) study entitled “The IT infrastructure conversation: new content, new participants, new tone”. In short, the survey indicated that most enterprise executives lack confidence that their existing information infrastructures (systems, storage, and networks) are prepared to handle new mobile, social, Big Data, analytics and cloud workloads.
The survey further indicated that respondents plan to spend more on infrastructure projects to rectify this situation. But this survey also contained one surprising finding: that 50% of organizations are more concerned about internal security as compared with external security, with threats specific to cloud computing ranking as the lowest concern among survey participants. We considered this finding an anomaly – and promised to present our thoughts on cloud security in a subsequent blog. This is that blog.
The Evolution of Cloud Security
The fact that IBM’s survey respondents indicated that cloud security was low on their priority list surprised us. Why” Because in recent conversations with dozens of IT executives and security vendors – all indicated that cloud security is a “white hot” topic. So we have no idea why the IBV study found that cloud security ranked so low.
Until recently, we have seen data center managers focus on securing their information systems using the following approaches: locking-down the perimeter (using firewalls); adopting antivirus software across their organizations; adopting authentication and authorization software – and finally, securing data using encryption techniques.
Over the past year, however, we have seen a decided shift in enterprise security buying behavior toward:
- Ensuring that users have access rights to data (better authentication/authorization – especially as it relates to data in cloud environments);
- Protecting data “on-the-fly” (over the network) and as it travels through the cloud (better information management and better data protection, including the use of encryption); and,
- Gaining real-time visibility into actions that are taking place within a cloud so that malicious activities can be prevented (blending monitoring with analytics to detect incursions).
But as IT buyers seek to shore-up their cloud security, they also told us that they don’t want to have to purchase and learn how to use new cloud-specific tools. Instead, they want tools that extend their existing traditional internal security across internal private and external public cloud environments. In other words they want an integrated approach that encompasses traditional/private/public hybrid cloud security.
More specifically IT managers say they are looking for advanced, integrated hybrid cloud security suites that can:
- Use predictive analytics to improve security
- Protect against data loss, monitor data activities, mask and redact data, govern data and protect encryption keys
- Scan applications and source code, and provide hybrid scanning and correlation as well as conduct fraud detection
- Emphasize “people management” security with stronger authentication, access management and user provisioning as well as privileged user management, fine grain entitlements and identity governance.
IT security managers also tell us that they would like more security services such as those provided by Security Operations Centers that monitor and manage security processes and provide emergency response services.
Integrated Cloud Security Suites Have Started to Arrive
Vendors, too, are hearing similar requests for extending traditional security tools and utilities into cloud environments. And the move to do so is well underway. This week IBM briefed us on 11 new product and service offerings called “IBM Dynamic Cloud Security” that include products that have run in traditional data centers that have now been extended to cloud environments.
Next week we plan to attend CA Technologies’ CA World event, where we will see another highly-integrated cloud security product/service suite. And other vendors are also actively trying to extend their traditional on-premise security offerings to the cloud.
Here is a short overview of some of the new products and services offered in the “IBM Dynamic Cloud Security” portfolio:
These products help cloud managers administer access rights:
- Improved authentication with IBM’s Cloud Identity Services (powered by IBM’s Lighthouse acquisition) designed to easily onboard and manage users through IBM-hosted infrastructure;
- Cloud Sign On Service (for Bluemix cloud – and IBM developer-oriented cloud) – a Bluemix component service that allows developers to quickly introduce single sign on to web and mobile applications by using application program interface (API) calls;
- Cloud Access Manager (for SoftLayer – IBM’s public cloud environment) – a security access manager virtual appliance that defends cloud applications with pattern-based protection, multi-factor authentication, and context-based access controls;
- Cloud Privileged Identity Manager (for SoftLayer) – a product extension that allows IT managers to audit privileged user access and track application to application credentials on the cloud;
These products help protect data in the cloud:
- Cloud Web App Analyzer Service (for Bluemix cloud) – scans applications before they are put into production (Web application threats are preventable – the new service finds vulnerabilities based on IBM AppScan Dynamic Analyzer);
- Cloud Mobile App Analyzer Service (for Bluemix cloud)– API-based service utilizing IBM AppScan Mobile Analyzer capabilities identifies vulnerabilities in mobile apps;
- Cloud Data Activity Monitoring – a virtual appliance used to monitor sensitive data access in cloud repositories (essentially IBM’s Guardium data activity monitoring extended to SoftLayer and AWS);
This product helps security managers gain visibility in cloud activities:
- Cloud Security Intelligence – extensions of IBM’s QRadar to support hybrid clouds and SoftLayer. Can be integrated with multiple cloud services including Amazon’s CloudTrail, Salesforce.com, Qualys, CloudPassage and more. Offers built-in encryption and compressed data transfer, and can be installed in IBM SoftLayer and/or Amazon Web Services cloud environments;
These services and service-enabling capabilities help optimize security operations:
- Security Intelligence and Operations Consulting Services – intelligence-driven consulting services from IBM that help assess security practices, plan, design and build out customer staffed Security Operations Centers;
- Cloud Security Managed Services – security services supported by analysts in global Security Operations Centers to help manage security, ensure compliance and provide emergency response services;
- Intelligent Threat Protection Cloud – provides a consolidated view using analytics on Big Data, visualization, and intelligent threat analysis combined with expert knowledge to respond to security incidents.
Note that not all clouds are designed the same, nor do they have the same security service level requirements. So IBM has made its cloud security offerings available in different ways: 1) some are sold as individual products; 2) others are packaged as integrated product suites; 3) others are API interfaces available as component cloud services; and, 4) still others are based on consulting services.
The key point of this is that IBM has extended several of its strong traditional data center monitoring, data protection, and authentication products to the cloud, making it possible for IT security managers who already know how to use advanced security technologies in their traditional data centers to use the same tools to manage private and public hybrid cloud environments. This is what IT managers have been asking for – IBM is now delivering cloud-enabled advanced security management extensions for cloud security management.
A closer look at IBM’s new offerings shows that IBM is attempting to differentiate its portfolio by:
- Designing its offerings to serve the hybrid cloud (a mix of traditional and public cloud environments);
- Leveraging existing security intelligence and control products – extending them to the cloud to prevent intrusion/malicious behavior;
- Offering a mix delivery models because one-size-does-not-fit all when it comes to cloud design; and,
- Providing new cloud-oriented security services.
With these new tools and services, IBM customers can now govern their hybrid cloud environments; extend security across both cloud and traditional data center environments using the same tools; and detect intrusions and other security violations.
We also note that IT security managers have additional options when it comes to managing fraud (see our report entitled “IBM’s Smarter Counter Fraud Initiative: A Comprehensive, Unique and Aggressive Approach to Real-time Fraud Prevention”). And there are still other integrated options when it comes to protecting data (see this report “Securing Data: Advanced Methods and Tools” for more details).
In the past Clabby Analytics has been skeptical about security in the cloud (we identified security and application performance management as the two biggest inhibitors to cloud adoption back in 2009). But now we are finally seeing cloud security addressed in a cohesive, integrated manner using extensions based on products that have long been proven effective in traditional data center environments. We now have confidence that cloud security can be reliably achieved.
Finally, we’d like to pass on a quote from IBM about cloud security. The company sees cloud security as “not only achievable, it is an opportunity to drive the business, improve defenses and reduce risk”. Given the state of the market with new, integrated cloud security products like IBM’s – we have to agree.