November 5, 2014 | Written by: Kevin Allen
Share this post:
An interview with cloud security pro Brendan Hannigan, IBM GM Security Systems Division …
In nearly every cloud study that has been published over the past couple years, security is identified as the biggest concern among executives and the strongest barrier to cloud adoption.
Symantec reports that data breaches rose 62 percent last year, which resulted in more than 500 million exposed identities. Mainstream media outlets are quick to jump on these stories while cloud providers work hard to stay ahead of hackers and new malware.
To that end, IBM today announced it has built the industry’s first intelligent security portfolio for protecting people, data and applications in the cloud.
To get a better idea of how IBM is working to keep the cloud secure, we recently spoke with Brendan Hannigan, general manager of IBM Securities Division:
Why do you think cloud security concerns persist?
When anyone adopts new technology there are valid concerns—security is one of those. As companies leverage the cloud more and more, there are real questions given that some information and some applications are not within the perimeter of a company’s own firewall.
For IBM, we view cloud as an opportunity to fundamentally improve the way security is delivered for our customers’ important data and applications. We’re developing our roadmaps and strategies to take advantage of the cloud itself.
We’re working hard to help our customers who live in a world where they have traditional existing data centers and are now leveraging the cloud. Just take a scenario where you have a customer who is adding functionality and moving applications to the cloud. We want to help our customers do that, but we want to do it in a way that doesn’t add complexity.
What are some examples?
We’ve pivoted our entire security portfolio so that we can help our customers manage their access to the cloud. For example, as companies on-board employees or employees leave a company, they are automatically provisioned or de-provisioned from whatever cloud services they’re using. Another thing we’ve done is add all of our capabilities for monitoring and managing data access to the cloud. We’ve extended that into helping monitor cloud environments and access to the cloud. The last piece extends all the visibility that IBM has in terms of understanding activity and monitoring for compliance and security purposes—into the cloud as well.
How does this fit in with IBM’s cloud security strategy?
Our strategy is to help our customers leverage the cloud to improve security. We want to help them extend their environment so that they can run their existing technologies and also new technologies in the cloud. Our security portfolio products and services are focused on the cloud and we’ve just announced 11 new services, all of which are all about helping to secure the cloud.
Some high-profile data breaches have been widely discussed in the news over the past year or so. How is IBM working to stay ahead of these types of threats specifically?
We have some of the most advanced fraud and malware researchers in the entire world. These researchers are constantly looking into the latest versions of platforms and malware that activate and execute fraudulent financial transactions .. We’ve developed advanced malware prevention solutions that help our customers protect against that, and those solutions are delivered through the cloud. We have expert researchers behind the scenes who are monitoring the environments and delivering counter measures while constantly looking at ways that criminals are adjusting their techniques. We also have a threat protection system that helps enterprises combine endpoint protection with network protection with enterprise analytics…
What misconceptions exist around cloud security these days?
When companies move information to the cloud, they have natural concerns about whether or not they can actually deliver the same or better security in those cloud environments than what they deliver in their traditional environments. The answer is: They can.
The question for customers really is, what’s the level of control that they want to have? That’s why, if you look at IBM’s cloud strategy with our SoftLayer cloud platform, we have the ability to deliver virtualized cloud environments or bare metal cloud environments. The customer can choose to leverage security capabilities that are built into some of these functions or actually bring their own security functionality and extend from the enterprise into the cloud.
You mentioned SoftLayer, and I wanted to ask: How is IBM approaching security with SoftLayer and another relatively new offering, Bluemix?
If you look at the way SoftLayer is built in terms of functionality with bare metal and virtualized compute infrastructure, built within to that are inherent security capabilities.
If you look at what’s happening with Bluemix, we have now delivered composable services so that companies, as they’re developing applications, can connect with our identity as a service. This allows them to leverage APIs and just connect that application’s functionality . Another example is leveraging application security techniques and having them available in the cloud as well. They can be initiated in a cloud to test application components as they’re delivered. That’s possible in Bluemix as well.
The mix for IBM is security built in automatically, security services that can be used as applications are developed natively and lastly the availability of the entire IBM Cloud portfolio that can be extended from the enterprise out to these cloud environments, so that we can extend the controls these customers want.
What’s something you see that all cloud users should be doing?
The best practices around access, data protection, visibility—all of those controls are possible and can and should be adopted in the cloud.
So, some questions to ask yourself are: Do you understand cloud usage in your environment and have you added the basic controls, like identity and access management? Do you have control, as people come in and out of your company, to easily remove their authentication and entitlements from any cloud applications they’re using?
All of the controls that you would expect that a security practitioner would put in place from a best-practices perspective can be mapped to these cloud environments. Everything from access to user monitoring, to visibility and data activity monitoring should all be extended into the cloud.