© 2014 IBM Corporation SoftLayer Fundamentals Keep safe Securing your SoftLayer virtual instances



Copyright IBM Corp. 2014. All rights reserved.
Course materials may not be reproduced in whole or in part without the prior written permission of IBM.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Intel and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

CDNLayer, CloudLayer, KnowledgeLayer, RescueLayer, SoftLayer, and StorageLayer are trademarks or registered trademarks of SoftLayer, Inc., an IBM Company.

Other company, product, or service names may be trademarks or service marks of others.

The information contained in this document has not been submitted to any formal IBM test and is distributed on an "as is" basis without any warranty either express or implied. The use of this information or the implementation of any of these techniques is a customer responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. While each item may have been reviewed by IBM for accuracy in a specific situation, there is no guarantee that the same or similar results will result elsewhere. Customers attempting to adapt these techniques to their own environment do so at their own risk.

Copyright International Business Machines Corporation 2014. All rights reserved. This document may not be reproduced in whole or in part without the prior written permission of IBM. Note to U.S. Government Users: documentation related to restricted rights. Use, duplication or disclosure is subject to restrictions set forth in the GSA ADP Schedule Contract with IBM Corp.

Meet your speakers

Jody Cefola is the SoftLayer Channels Integration leader focused on partner enablement from IBM. Jody had 10 years in channel development and execution working with all types of partners and international experience with channel execution in Europe and Asia Pacific.

Darrel Haswell is an advisory SoftLayer Business Partner Solution Architect. Darrel graduated from the University of North Texas with a Computer Science degree. Darrel has skills in virtual technology, Linux administration, storage technologies, network management and security compliance.

Your cloud strategy is your business strategy

Pacesetters use cloud to surface insights from data. They reimagine business models, make better decisions and serve customers in new ways to create winning business outcomes.
- Almost 2x the revenue growth
- Nearly 2.5x higher gross profit growth than peers

With so much at stake, you don't want just any cloud.

Source: IBM Center for Applied Insights, "Under cloud cover: How leaders are accelerating competitive differentiation", which surveyed 802 cloud decision makers and users, spanning 13 countries and 24 industries.

Tap into SoftLayer. Leverage significant investment to build skills starting with SoftLayer Fundamentals

- #1: value for service channel partners has become technical training (1)
- 2.5X: revenue growth for Business Partners who have embraced cloud (2)
- 66%: of CIOs who are reengineering IT plan to look for outside help with new skills, tools and capabilities (3)

Sources: 1. Forrester Research, Cloud Channel Trends, 2013 to 2014, February 2013; 2. IDC: Worldwide channel and alliances 2013 top 10 predictions, January 2013; 3. IBM CIO study, 2011.

SoftLayer Fundamentals is a series of technical webinars to provide knowledge on the capabilities to help build solutions

Webinar date   Topic #   Topic
February 25    1         Changing the landscape, not the definition: SoftLayer overview
February 27    2         One size does not fit all: Defining the SoftLayer cloud architecture
March 4        3         Connecting to the cloud: SoftLayer network options, part 1
March 6        4         Connecting to the cloud: SoftLayer network options, part 2
March 11       5         Keep safe: Securing your virtual instances
March 13       6         Storing your data: Understanding SoftLayer storage options
March 18       7         Flexible and on demand: Understanding SoftLayer managed services
March 20       8         You can't manage what you don't monitor: SoftLayer management and monitoring
March 25       9         Evaluating cloud providers: Leveraging SoftLayer differentiators

For general SoftLayer overview presentations:
- Lance Crosby, SoftLayer CEO, main tent at IBM PWLC: http://www.youtube.com/watch?v=t9h2cXwcUvA
- Grow your cloud business - leveraging the IBM acquisition of SoftLayer: https://engage.vevent.com/rt/ibm~1017?token=NTU2MTY1MjY0MDAxMjExMDgxN0NIRUNLX0RBVEVfQU5EX0VOVFJJRVNfQ09VTlQ

Securing Virtual Instances

Upon completion of this webinar, you should be able to:
- Comprehend SoftLayer's general security model
- Discuss available anti-virus, authentication, and intrusion protection
- Review the security infrastructure
- Explain how the data centers are secured

Security overview

In this topic, you will learn about the general security model.

Security overview

SoftLayer provides a security-rich environment for deploying and running customer workloads. The security-rich environment is achieved through a combination of:
- Architecture and operational responsibilities in the SoftLayer offerings
- Certified physical and logical security of the SoftLayer data centers
- Ease of use when enabling SoftLayer security features
- Additional security capabilities delivered through partners (Open Ecosystem)

Security overview (cont.)

SoftLayer's approach to delivering cloud services adds security regardless of the chosen offering.

1. SoftLayer's data center operations reduce the risk of a targeted attack from a malicious insider.
2. Highly automated provisioning for physical and logical resources reduces the risk of security issues via human error.
3. SoftLayer maintains highly secured data centers.
4. Consistency is ensured for instances across all SoftLayer data centers.
5. Value-add security features can be added via the standard, stable SoftLayer API.
6. These include vulnerability scanning, anti-virus, firewall, VLAN and VPN.
7. Ease of use of these capabilities increases the likelihood of them being used.
8. Fine-grained control of user entitlements is managed through the Customer Portal.

Security overview (cont.)

Technology area and what SoftLayer provides:

Anti-virus and spyware
  Optional components: McAfee Windows VirusScan Anti-Virus; McAfee Total Protection for Windows.
  Note: Available on Windows only.

Distributed Denial of Service (DDoS) protection
  Threat management system (TMS), virtual machine isolation, and active work with the client to attempt to determine the threat point.
  Cisco Guard DDoS protection.
  Arbor Peakflow traffic analysis; Arbor ATLAS Global Traffic Analyzer.

Drive wiping procedures
  All data is removed from re-provisioned machines with drive wipe software approved by the Department of Defense (DoD).

Patch services
  Private network access (only) to Windows and Red Hat Update Servers.

Network IDS/IPS protection
  Nessus vulnerability assessment and reporting.
  McAfee host intrusion protection (optional).

Security overview (cont.)

Technology area and what SoftLayer provides:

Server firewalls (software and physical firewalls)
  OS firewalls.
  Shared FortiGate hardware devices.

Security management approach
  Aligned with US Government standards. SP800-53 is a catalog of security and privacy controls originally defined for US federal government information systems. The catalog was developed in response to the US Federal Information Security Management Act (FISMA).

Two-factor authentication
  Two-factor authentication is available only within the portal.
  Symantec identity protection (optional); Windows Azure Multi-Factor Authentication (formerly known as PhoneFactor) protection (optional).

VPN
  Client-Site SSL or PPTP VPN.
  Site-to-Site IPSec VPN.

Protecting with anti-virus, anti-spyware, authentication, and intrusion protection

In this topic, you will learn about:
- Security services
- Anti-virus policy definitions
- Host intrusion detection and protection services
- VPN and remote access
- Firewall and network-based threat protection

Securing the environment

SoftLayer offers security services that can be used by the customer to secure their environment. These services include:
- Vulnerability scanning
- Antivirus and anti-spyware protection
- Host-based intrusion protection
- Firewall and network-based threat protection (IPS, DDoS)
- Virtual Private Networking (VPN) (IPSec, SSL, PPTP)
- Two-factor authentication to the SoftLayer Customer Portal
- SSL certificates that enable confidentiality of data in transit

Scanning the environment for weaknesses

(Customer Portal screenshot with three numbered callouts.)

The customer selects and manages vulnerability scanning services from the Customer Portal.

Protecting against viruses

Anti-virus protection is also selected and managed from the Customer Portal.
- Anti-virus available for Windows and Red Hat Linux only
- Anti-spyware available for Windows only
- Policy definitions

Protecting against viruses (cont.)

Windows anti-virus and spyware policy definitions. Policy levels: Minimal, Relaxed, Default, High, Ultimate.

Alert Manager Policies
  Email scan: X

Access Protection Policies
  Block outbound SMTP (port: 25): X
  Block inbound IRC (ports: 6666-6669): X X X
  Block outbound IRC (ports: 6666-6669): X X X
  Block IE/ZIP/RAR from launching from the temp folder: X X X X
  Block remote modification: EXEs and DLLs: X X X X X
  Block remote creation of files in core system directories: X X X X X
  Block access to suspicious startup files: X X X

Protecting against viruses (cont.)

Windows anti-virus and spyware policy definitions. Policy levels: Minimal, Relaxed, Default, High, Ultimate.

Access Protection Policies (cont.)
  Block scripts in temp folder: X X X
  Block creation of EXEs in Windows folders: X X X
  Block creation of DLLs in Windows folders: X X

Protecting against viruses (cont.)

Windows anti-virus and spyware policy definitions. Policy levels: Minimal, Relaxed, Default, High, Ultimate.

Buffer Overflow Protection
  Buffer overflow warning mode: X X
  Buffer overflow ON: X

On Access Scan Policies
  Scan reading from disk: X
  Scan writing to disk: X X X X X
  Scan network drives: X
  Find unknown program viruses: X X X
  Find unknown macro viruses: X X
  Scan inside ZIP files: X X
  Scan MIME: X
  Detect unwanted programs: X X X X
  Scan database directories: X

Protecting against viruses (cont.)

Windows anti-virus and spyware policy definitions. Policy levels: Minimal, Relaxed, Default, High, Ultimate.

On Access General Policies
  Scan boot sectors: X X X X X
  Scan boot drives on reboot: X X X X
  Maximum scan time per file (seconds): 30 30 45 60 75
  Enable script scan: X X
  Block remote connection if virus written: X X X X

Protecting against viruses (cont.)

Linux Red Hat and CentOS anti-virus and spyware policy definitions. Policy levels: Minimal, Relaxed, Default, High, Ultimate.

Access Protection Policies
  Maximum scan time per file (seconds): 30 30 45 60 75
  Scan reading from disk: X X
  Scan writing to disk: X X X X X
  Find unknown program viruses: X X X
  Find unknown macro viruses: X X
  Scan inside ZIP files: X X X X
  Scan MIME: X X X
  Detect unwanted programs: X X X
  Scan database directories: X

Stopping host intrusion

(Customer Portal screenshot with callouts: managed host, IP for managed host, detection logs.)

SoftLayer offers Host Intrusion and Protection services for Windows servers.

Managing through per-server policies

Per-server policies are managed from the Customer Portal.

Managing through per-server policies (cont.)

IPS mode host protection policies.

IP mode               Duration malicious hosts are blocked
Adaptive_10           10 minutes
Adaptive_120          120 minutes
Adaptive_UR           Until removed by user
On_10                 10 minutes
On_20                 20 minutes
On_UR                 Until removed by user
On (McAfee default)   10 minutes

Adaptive mode: client exception rules are auto-generated based on traffic observed. The mode is used to teach HIPS what is normal and permissible. Rules can be reviewed and removed through the Customer Portal.

IPS protection can also be completely disabled.

Managing through per-server policies (cont.)

IDS protection host protection policies.

Protection setting     High severity   Medium severity   Low severity
Basic protection       Block           No action         No action
Prepare for enhanced   Block           Log and allow     No action
Enhanced               Block           Block             No action
Prepare for maximum    Block           Block             Log and allow
Maximum                Block           Block             Block

Managing through per-server policies (cont.)

Firewall protection modes:
- On
- Learn: refine rules based on exceptions and review
- Adaptive: auto-generate rules from normal activity
- Off: no firewall

Accessing the server remotely

SoftLayer offers a choice of VPN connectivity options to suit different use cases for remote access.

Client-Site SSL or PPTP VPN
- Browser based or VPN client software installed on the client workstation
- Users must be registered and entitled in the Customer Portal

Site-Site IPSec VPN
- Requires an IPSec device on the non-SoftLayer side
- Does not require per-user configuration
- Additional monthly cost

Accessing the server remotely (cont.)

(Network diagram with four numbered callouts.)

Customer administrators access their servers via VPN over routes segregated from the public network access.

Safeguarding the environment with firewalls

Server firewalls using software or shared hardware are available through the Customer Portal.
- OS configured firewalls
- Shared FortiGate devices: cost varies according to the port speed of the provisioned server

Protecting against DDoS

What happens to your environment if targeted by DDoS?

First occurrence
1. Your instance IP will automatically be nulled for an hour following the first attack.
2. You will receive a ticket notification regarding the attack on your account.

Second occurrence
1. Your instance IP will automatically be nulled for four hours following the second attack.
2. You will receive a ticket notification regarding the attack on your account.

Third occurrence
Your instance IP will not be reinstated until the source of the attacks has been determined and the issue resolved.

Resolving attacks
1. Change your IP address.
2. Work with a third-party vendor to clean your traffic.

Note: There is no SLA for DDoS. SoftLayer's DDoS detection equipment only protects other accounts once an attack has been detected.

Using network gateways to protect the environment

In this topic, you will learn about the network options available to secure the environment.

Using network gateways to protect the environment

SoftLayer also offers a network gateway appliance powered by the Vyatta Network OS.
- Vyatta Network OS subscription edition deployed on a bare metal server
- Managed by the customer
- Network configuration is extended through deployment of additional software images, not new physical network hardware

Capabilities:
- Firewall
- VPN
- Load balancing
- NAT
- QoS

Using network gateways to protect the environment (cont.)

A customer can construct a self-managed solution for software-based network connectivity. The choice may be based on skill and experience within their team, and on functional and non-functional requirements.

Security capabilities will vary according to the chosen technology. Options include:

Using network gateways to protect the environment (cont.)

Below is an overview of typical network flows for a customer accessing their SoftLayer hosted resources.
- A customer can segment their provisioned physical and virtual servers onto one or more private VLANs.
- Customer VLANs across one or more data centers can be interconnected via the SoftLayer private network.
- Distributed denial of service (DDoS) protection is provided on the SoftLayer public network via Cisco Guard devices.

Using network gateways to protect the environment (cont.)

(Diagram: Internet, private customer network, SoftLayer private network.)

Update servers are located on the SoftLayer private network for Windows and Red Hat operating systems:
- Latest patches always available
- No additional cost, unlimited bandwidth

Administering security through the Customer Portal

In this topic, you will learn how to set up and administer security through the Customer Portal.

Administering security through the Customer Portal (cont.)

A user's entitlements in the SoftLayer Management System are set up through the Customer Portal.

Administering security through the Customer Portal (cont.)

Controlling the Login Policy by user

The Login Policy can be controlled on a per-user basis.
- IP address restrictions can limit access to the Customer Portal to the customer's enterprise network.
- Password lifetime can be made compliant with the customer's security policy.

Accessing resources through the Customer Portal (cont.)

Symantec Authenticator VIP access is also granted through the Customer Portal. Options shown: VIP for Mobile, VIP Access for Desktop, VIP Security Card.

Securing the infrastructure

In this topic, you will learn about securing the infrastructure of a virtual instance.

Securing the infrastructure (cont.)

SoftLayer provides three offerings to secure the infrastructure: Dedicated, Public, and Private. Each has its own security and multi-tenancy characteristics.
- Dedicated/Bare Metal: a bare metal, or dedicated, solution to meet the exact needs of your application.
- Public virtual instance: multi-tenant cloud computing, storage and content delivery on SoftLayer's automated platform.
- Private virtual instance: single-tenant cloud computing, deployed and scaled in a matter of hours.

(Diagram base: SoftLayer SOC2 certified data center.)

Comparing the security models of core IaaS platforms

Responsibility by offering:

SoftLayer bare metal offering (dedicated/bare metal)
  Data center management: SoftLayer
  Hypervisor provisioning: Customer
  Hypervisor management: Customer
  Server provisioning: SoftLayer
  Automated server management: Customer
  Manual server management: SoftLayer (in response to tickets created by customer)
  Customer workload management: Customer

SoftLayer private virtual instance
  Data center management: SoftLayer
  Hypervisor provisioning: SoftLayer
  Hypervisor management: SoftLayer
  Server provisioning: SoftLayer
  Automated server management: SoftLayer for physical server; customer for virtual server
  Manual server management: SoftLayer (in response to tickets created by customer)
  Customer workload management: Customer

SoftLayer public virtual instance
  Data center management: SoftLayer
  Hypervisor provisioning: SoftLayer
  Hypervisor management: SoftLayer
  Server provisioning: SoftLayer for physical server; customer for virtual server
  Automated server management: SoftLayer for physical server; customer for virtual server
  Manual server management: SoftLayer for physical server; customer for virtual server
  Customer workload management: Customer

Hosting sensitive workloads

Sensitive workloads are best hosted on SoftLayer's bare metal or private dedicated cloud offering. After initial provisioning, all responsibility for workload security and compliance rests with the customer. Customers have the ability to fully encrypt their hard drive.

- Dedicated/Bare Metal: sensitive workloads on bare metal servers. A bare metal, or dedicated, solution to meet the exact needs of your application.
- Public virtual instance: NOT RECOMMENDED on public, multi-tenant. Multi-tenant cloud computing, storage and content delivery on SoftLayer's automated platform.
- Private virtual instance: sensitive workloads on private cloud. Single-tenant cloud computing, deployed and scaled in a matter of hours.

(Diagram base: SoftLayer SOC2 certified data center.)

Customer responsible for satisfying all controls for the operating system and above, including the logical access management required to manage the workloads.

SoftLayer responsible for best practices for physical safeguards of the hosting facility necessary to protect IaaS.

Customer risk: loss of data from use of (access to) applications and data, including the operational management of applications and systems.

SoftLayer risk:
- Inability of the customer to access data due to inability to access the hosted solution through unplanned downtime scenarios
- Data breach due to improper media destruction

Securing the data centers

In this topic, you will learn about:
- Tier 3 data centers
- Measures taken to secure the data center and server rooms
- Operational security measures

Securing the data centers

SoftLayer data centers are Tier 3 data centers.

Tier 4: 99.995% availability; annual downtime 0.04 hours; two independent utility paths; fully redundant (2N+1); sustains a 96-hour power outage.
Tier 3: 99.982% availability; annual downtime 1.6 hours; multiple power and cooling paths; fault tolerant (N+1); sustains a 72-hour power outage.
Tier 2: 99.749% availability; annual downtime 22.0 hours; one path of power and cooling; some redundancy in power.
Tier 1: 99.671% availability; annual downtime 28.8 hours; single-path power and cooling; no redundant components.

Securing the data centers (cont.)

Data center and server room security
- Data centers located only in facilities with controlled access and 24-hour security.
- No server room doors are public-facing.
- Server rooms are staffed 24 x 7.
- Unmarked entry and exit doors into server rooms.
- Digital security video surveillance is used in the data center and server rooms.
- Biometric security systems are used throughout the data center.
- Server room access strictly limited to SoftLayer employees and escorted contractors or visitors.
- Barcode-only identification on hardware; no customer markings of any type on the servers themselves.

  • Securing the data centers (cont.)

    Operational security

    Engineers and technicians are trained on internal industry-standard policies and procedures, and audited yearly.

    Geographic redundancy for all core systems for disaster recovery and business continuity.

    Two-factor authentication for Customer Portal access adds greater server security.

    All data is removed from re-provisioned machines with drive wipe software approved by the US Department of Defense.

    Ongoing PCI DSS compliance for SoftLayer's own handling of credit card information.

    Current SSAE 16 SOC 1 report, with no exceptions noted.

    48

  • Complying with industry and regulatory standards

    In this topic, you will learn about SoftLayer's industry and regulatory compliance.

    49

  • Industry and regulatory compliance

    Service Organization Control (SOC) 2

    SoftLayer has an unqualified SOC 2 Type II report for all data centers.

    Audits security, availability, process integrity, privacy and confidentiality.

    Report available to customers and their auditors under NDA.

    Safe Harbor

    Certification demonstrates that SoftLayer provides adequate privacy protection as defined by the EU Data Protection Directive.

    50

  • Industry and regulatory compliance (cont.)

    Payment Card Industry Data Security Standard (PCI-DSS)

    At present, SoftLayer does not have a PCI Report on Compliance (ROC).

    SoftLayer is suited to host PCI workloads through its bare-metal and single-tenant private cloud offerings.

    o It is not recommended to host a PCI workload in the SoftLayer multi-tenant cloud offering.

    Federal Information Security Management Act (FISMA)

    SoftLayer is working towards FISMA compliance in select data centers.

    Health Insurance Portability and Accountability Act (HIPAA)

    51

  • Industry and regulatory compliance (cont.)

    Cloud Security Alliance (CSA)

    SoftLayer has published a self-assessment in the CSA Security, Trust and Assurance Registry (STAR).

    SoftLayer expects to be eligible for CSA-STAR Certification and Attestation since it has an existing SOC 2 Type II assessment from a third party.

    CSA-STAR Continuous certification is still under development by CSA.

    52

  • Questions

    53

  • Recommended actions

    Leading Edge. Trusted. Completely Free.

    Sign up for a free 1 month trial account:
    http://www.softlayer.com/info/free-cloud/skills100

    Within 60 days, register as a SoftLayer partner with a viable SL opportunity (time frame, workload, configuration) at:
    http://www.softlayer.com/partners/ibm-partners

    54

  • Attend other SoftLayer Fundamentals webinars or download the replay and materials at your convenience

    Please remember to download the glossary of terms.

    Webinar date   Topic #   Topic
    February 25    1         Changing the landscape, not the definition - SoftLayer overview
    February 27    2         One size does not fit all - Defining the SoftLayer cloud architecture
    March 4        3         Connecting to the cloud - SoftLayer network options, part 1
    March 6        4         Connecting to the cloud - SoftLayer network options, part 2
    March 11       5         Keep safe - Securing your virtual instances
    March 13       6         Storing your data - Understanding SoftLayer storage options
    March 18       7         Flexible and on demand - Understanding SoftLayer managed services
    March 20       8         You can't manage what you don't monitor - SoftLayer management and monitoring
    March 25       9         Evaluating cloud providers - Leveraging SoftLayer differentiators

    55