
2014 IBM Corporation

SoftLayer Fundamentals

Keep safe - Securing your SoftLayer virtual instances

Copyright IBM Corp. 2014. All rights reserved.
Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in
many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of
IBM trademarks is available on the web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Intel and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other
countries.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other
countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

CDNLayer, CloudLayer, KnowledgeLayer, RescueLayer, SoftLayer, and StorageLayer are trademarks or registered
trademarks of SoftLayer, Inc., an IBM Company.

Other company, product, or service names may be trademarks or service marks of others.

The information contained in this document has been submitted to any formal IBM test and is distributed on an as is basis
without any warranty either express or implied. The use of this information or the implementation of any of these techniques is a
customer responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational
environment. While each item may have been reviewed by IBM for accuracy in a specific situation, there is no guarantee that the
same or similar results will result elsewhere. Customers attempting to adapt these techniques to their own environment do so at
their own risk.

Copyright International Business Machines Corporation 2014. All rights reserved. This document may not be
reproduced in whole or in part without the prior written permission of IBM. Note to U.S. Government Users Documentation
related to restricted rights Use, duplication or disclosure is subject to restrictions set forth in GSA ADP Schedule Contract with
IBM Corp.










Trademarks
Meet your speakers
Jody Cefola is the SoftLayer Channels Integration leader focused on
partner enablement from IBM. Jody had 10 years in channel development
and execution working with all types of partners and international
experience with channel execution in Europe and Asia Pacific.

Darrel Haswell is an advisory SoftLayer Business Partner Solution Architect.
Darrel graduated from the University of North Texas with a Computer Science
degree. Darrel has skills in virtual technology, Linux Administration, storage
technologies, network management and security compliance.
Your cloud strategy is your business strategy
Pacesetters use cloud to surface insights from data. They reimagine business
models, make better decisions and serve customers in new ways to create winning
business outcomes.

With so much at stake, you don't want just any cloud
Source: IBM Center for Applied Insights Under cloud cover: How leaders are accelerating competitive differentiation that surveyed
802 cloud decision makers and users, spanning 13 countries and 24 industries.
Almost 2x the revenue growth
Nearly 2.5x higher gross profit growth than peers
Tap into SoftLayer. Leverage significant investment to build
skills starting with SoftLayer Fundamentals
2.5X: Revenue growth for Business Partners who have embraced cloud (source 2)
66%: of CIOs who are reengineering IT plan to look for outside help - new skills, tools and capabilities (source 3)
#1: value for service channel partners has become technical training (source 1)
Sources: 1. Forrester Research, Cloud Channel Trends, 2013 to 2014, February 2013; 2. IDC: Worldwide channel and alliances 2013 top 10 predictions, January 2013; 3. IBM CIO study, 2011.
SoftLayer Fundamentals is a series of technical webinars to provide knowledge on the capabilities to help build solutions

Webinar Date   Topic #   Topic
February 25    1         Changing the landscape, not the definition - SoftLayer overview
February 27    2         One size does not fit all - Defining the SoftLayer cloud architecture
March 4        3         Connecting to the cloud - SoftLayer network options, part 1
March 6        4         Connecting to the cloud - SoftLayer network options, part 2
March 11       5         Keep safe - Securing your virtual instances
March 13       6         Storing your data - Understanding SoftLayer storage options
March 18       7         Flexible and on demand - Understanding SoftLayer managed services
March 20       8         You can't manage what you don't monitor - SoftLayer management and monitoring
March 25       9         Evaluating cloud providers - Leveraging SoftLayer differentiators
For general SoftLayer overview presentations
Lance Crosby, SoftLayer CEO, main tent at IBM PWLC: http://www.youtube.com/watch?v=t9h2cXwcUvA
Grow your cloud business - leveraging the IBM acquisition of SoftLayer:
https://engage.vevent.com/rt/ibm~1017?token=NTU2MTY1MjY0MDAxMjExMDgxN0NIRUNLX0RBVEVfQU5EX0VOVFJJRVNfQ09VTlQ

Upon completion of this webinar, you should be able to:
- Comprehend SoftLayer's general security model
- Discuss available anti-virus, authentication, and intrusion protection
- Review the security infrastructure
- Explain how the data centers are secured


Securing Virtual Instances

In this topic, you will learn about the general
security model.
Security overview

Security overview
SoftLayer provides a security-rich environment for deploying and running customer workloads.

The environment is achieved through a combination of:
- Architecture and operational responsibilities in the SoftLayer offerings
- Certified physical and logical security of the SoftLayer data centers
- Ease of use when enabling SoftLayer security features
- Additional security capabilities delivered through partners (Open Ecosystem)


Security overview (cont.)
SoftLayer's approach to delivering cloud services adds security regardless of the chosen offering.

1. SoftLayer's data center operations reduce the risk of a targeted attack from a malicious insider.
2. Highly automated provisioning for physical and logical resources reduces risk of security issues via human error.
3. SoftLayer maintains highly secured data centers.
4. Consistency ensured for instances across all SoftLayer data centers.
5. Value-add security features can be added via the standard, stable SoftLayer API.
6. Includes vulnerability scanning, anti-virus, firewall, VLAN and VPN.
7. Ease of use of these capabilities increases the likelihood of them being used.
8. Fine-grained control of user entitlements is managed through the Customer Portal.

Security overview (cont.)
Technology Area: Anti-virus and spyware
SoftLayer: Optional components: McAfee Windows VirusScan Anti-Virus; McAfee Total Protection for Windows. Note: Available on Windows only.

Technology Area: Distributed Denial of Service (DDoS) protection
SoftLayer: Threat management system (TMS), virtual machine isolation, and active work with the client to attempt to determine threat point; Cisco Guard DDoS protection; Arbor Peakflow traffic analysis; Arbor ATLAS Global Traffic Analyzer.

Technology Area: Drive wiping procedures
SoftLayer: All data is removed from re-provisioned machines with drive wipe software approved by the Department of Defense (DoD).

Technology Area: Patch services
SoftLayer: Private network access (only) to Windows and Red Hat Update Servers.

Technology Area: Network IDS/IPS protection
SoftLayer: Nessus vulnerability assessment and reporting; McAfee host intrusion protection (optional).

Security overview (cont.)
Technology Area: Server firewalls (software and physical firewalls)
SoftLayer: OS firewalls; Shared FortiGate hardware devices.

Technology Area: Security management approach
SoftLayer: Aligned with US Government standards. SP800-53 is a catalog of security and privacy controls originally defined for US federal government information systems. The catalog was developed in response to the US Federal Information Security Management Act (FISMA).

Technology Area: Two-factor authentication
SoftLayer: Two factor authentication is available only within the portal. Symantec identity protection (optional); Windows Azure Multi-Factor Authentication (formerly known as PhoneFactor) protection (optional).

Technology Area: VPN
SoftLayer: Client-Site SSL or PPTP VPN; Site-to-Site IPSec VPN.

In this topic, you will learn about:
- Security services
- Anti-virus policy definitions
- Host Intrusion detection and protection services
- VPN and remote access
- Firewall and network-based threat protection

Protecting against anti-virus, spyware, authentication, and
intrusion

Securing the environment
SoftLayer offers security services that can be used by the customer to secure their
environment.

These services include:
Vulnerability scanning
Antivirus and anti-spyware protection
Host-based intrusion protection
Firewall and network based threat protection (IPS, DDoS)
Virtual Private Networking (VPN) (IPSec, SSL, PPTP)
Two factor authentication to the SoftLayer Customer Portal
SSL Certificates that enable confidentiality of data-in-transit



Scanning the environment for weaknesses
The customer selects and manages vulnerability scanning services from the Customer Portal.

Protecting against viruses
Anti-virus protection is also selected and managed from the Customer Portal.










Anti-virus available for Windows and Red Hat Linux only
Anti-spyware available for Windows only

Policy definitions

Protecting against viruses (cont.)
Windows anti-virus and spyware policy definitions.


Alert Manager Policies Minimal Relaxed Default High Ultimate
Email scan X
Access Protection Policies Minimal Relaxed Default High Ultimate
Block outbound SMTP (port: 25) X
Block inbound IRC (ports: 6666-6669) X X X
Block outbound IRC (ports: 6666-6669) X X X
Block IE/ZIP/RAR from launching from the temp folder X X X X
Block remote modification: EXEs and DLLs X X X X X
Block remote creation of files in core system directories X X X X X
Block access to suspicious startup files X X X

Protecting against viruses (cont.)
Windows anti-virus and spyware policy definitions.


Access Protection Policies (cont.) Minimal Relaxed Default High Ultimate
Block scripts in temp folder X X X
Block creation of EXEs in Windows folders X X X
Block creation of DLLs in Windows folders X X

Protecting against viruses (cont.)
Windows anti-virus and spyware policy definitions.


Buffer Overflow Protection Minimal Relaxed Default High Ultimate
Buffer overflow warning mode X X
Buffer overflow ON X
On Access Scan Policies Minimal Relaxed Default High Ultimate
Scan reading from Disk X
Scan writing to Disk X X X X X
Scan network drives X
Find unknown program viruses X X X
Find unknown macro viruses X X
Scan inside ZIP files X X
Scan MIME X
Detect unwanted programs X X X X
Scan database directories X

Protecting against viruses (cont.)
Windows anti-virus and spyware policy definitions.


On Access General Policies Minimal Relaxed Default High Ultimate
Scan boot sectors X X X X X
Scan boot drives on reboot X X X X
Maximum scan time per file (seconds) 30 30 45 60 75
Enable script scan X X
Block remote connection if virus written X X X X

Protecting against viruses (cont.)
Linux Red Hat and CentOS anti-virus and spyware policy definitions.


Access Protection Policies Minimal Relaxed Default High Ultimate
Maximum scan time per file (seconds) 30 30 45 60 75
Scan reading from Disk X X
Scan writing to Disk X X X X X
Find unknown program viruses X X X
Find unknown macro viruses X X
Scan inside ZIP files X X X X
Scan MIME X X X
Detect unwanted programs X X X
Scan database directories X

Managed host
IP for managed host
Detection Logs
Stopping host intrusion
SoftLayer offers Host Intrusion and Protection services for Windows servers.

Per-server policies are managed from the Customer Portal.
Managing through per-server policies

Managing through per-server policies (cont.)
IPS mode host protection policies.

IPS Mode               Duration malicious hosts are blocked
Adaptive_10            10 minutes
Adaptive_120           120 minutes
Adaptive_UR            Until removed by user
On_10                  10 minutes
On_20                  20 minutes
On_UR                  Until removed by user
On (McAfee default)    10 minutes














Adaptive mode
Client exception rules are auto-generated based on traffic observed.
Mode is used to teach HIPS what is normal and permissible.
Rules can be reviewed and removed through the Customer Portal.
IPS protection can also be completely disabled.


Managing through per-server policies (cont.)
Protection Setting      High Severity   Medium Severity   Low Severity
Basic protection        Block           No action         No action
Prepare for enhanced    Block           Log and allow     No action
Enhanced                Block           Block             No action
Prepare for maximum     Block           Block             Log and allow
Maximum                 Block           Block             Block
IDS protection host protection policies.

Managing through per-server policies (cont.)
On: Firewall protection
Learn: Refine rules based on exceptions and review
Adaptive: Auto-generate rules from normal activity
Off: No firewall

SoftLayer offers a choice of VPN connectivity options to suit different use cases for
remote access.
Client-Site SSL or PPTP VPN
Browser based or VPN client software installed on client workstation
Users must be registered and entitled in the Customer Portal

Site-Site IPSec VPN
Requires IPSec device on non-SoftLayer side
Does not require per-user configuration
Additional monthly cost

Accessing the server remotely

Accessing the server remotely (cont.)
Customer administrators access their servers via VPN over routes segregated from the
public network access.

Server firewalls using software or shared hardware are available through the Customer
Portal.

OS configured firewalls









Shared FortiGate devices
Cost varies according to port speed of the provisioned server

Safeguarding the environment with firewalls

Protecting against DDoS
What happens to your environment if targeted by DDoS?
First occurrence
1. Your instance IP will automatically be nulled for an hour following the first attack.
2. You will receive a ticket notification regarding the attack on your account.
Second occurrence
1. Your instance IP will automatically be nulled for four hours following the second attack.
2. You will receive a ticket notification regarding the attack on your account.
Third occurrence
Your instance IP will not be reinstated until the source of attacks has been determined and the issue resolved.

Resolving attacks
1. Change your IP address.
2. Work with a third-party vendor to clean your traffic.

Note
No SLA for DDoS.
SoftLayer's DDoS detection equipment only protects other accounts once an attack has been detected.


In this topic, you will learn about the network
options available to secure the environment.
Using network gateways to protect the environment

Using network gateways to protect the environment
SoftLayer also offers a network gateway appliance powered by the Vyatta Network OS.
- Vyatta Network OS subscription edition deployed on a bare metal server.
- Managed by the customer
- Network configuration is extended through deployment of additional software images, not new physical network hardware.
- Capabilities: Firewall, VPN, Load-balancing, NAT, QoS

A customer can construct a self-managed solution for software-based network connectivity.
Choice may be based on skill and experience within their team, functional and non-functional requirements.
Security capabilities will vary according to the chosen technology.
Options include:

Using network gateways to protect the environment (cont.)

Using network gateways to protect the environment (cont.)
Below is an overview of typical network flows for a customer accessing their SoftLayer hosted resources.
- A customer can segment their provisioned physical and virtual servers onto one or more private VLANs.
- Customer VLANs across one or more data centers can be interconnected via the SoftLayer private network.
- Distributed denial of service (DDoS) protection is provided on the SoftLayer public network via Cisco Guard devices.

Using network gateways to protect the environment (cont.)
Update servers are located on the SoftLayer private network for Windows and Red Hat operating systems:
- Latest patches always available
- No additional cost, unlimited bandwidth
[Diagram labels: Internet, Private customer network, SoftLayer private network]

In this topic, you will learn how to set up and
administer security through the Customer Portal.
Administering security through the Customer Portal

A user's entitlements in the SoftLayer Management System are set up through the Customer Portal.
Administering security through the Customer Portal (cont.)

Administering security through the Customer Portal (cont.)

Controlling the Login Policy by user
The Login Policy can be controlled on a per user basis.
- IP address restrictions can limit access to the Customer Portal from the customer's enterprise network.
- Password lifetime can be compliant with the customer's security policy.

VIP for Mobile
VIP Access for Desktop
VIP Security Card
Accessing resources through the Customer Portal (cont.)
The Symantec Authenticator VIP access is also granted through the Customer Portal.

In this topic, you will learn about securing the
infrastructure of a virtual instance.
Securing the infrastructure

Securing the infrastructure (cont.)
SoftLayer provides three offerings to secure the infrastructure - Dedicated, Public, and Private. Each has its own security and multi-tenancy characteristics.

SoftLayer SOC2 certified data center
- Dedicated/Bare Metal: A bare metal, or dedicated, solution to meet the exact needs of your application.
- Public virtual instance: Multi-tenant cloud computing, storage and content delivery on SoftLayer's automated platform.
- Private virtual instance: Single-tenant cloud computing, deployed and scaled in a matter of hours.

Comparing the security models of core IaaS platforms
Responsibility by offering (legend: SoftLayer, Customer, Combination)

SoftLayer bare metal offering (dedicated/bare metal)
- Data center management: SoftLayer
- Hypervisor provisioning: Customer
- Hypervisor management: Customer
- Server provisioning: SoftLayer
- Automated server management: Customer
- Manual server management: SoftLayer (in response to tickets created by customer)
- Customer workload management: Customer

SoftLayer Private virtual instance
- Data center management: SoftLayer
- Hypervisor provisioning: SoftLayer
- Hypervisor management: SoftLayer
- Server provisioning: SoftLayer
- Automated server management: SoftLayer for physical server; customer for virtual server
- Manual server management: SoftLayer (in response to tickets created by customer)
- Customer workload management: Customer

SoftLayer public virtual instance
- Data center management: SoftLayer
- Hypervisor provisioning: SoftLayer
- Hypervisor management: SoftLayer
- Server provisioning: SoftLayer for physical server; customer for virtual server
- Automated server management: SoftLayer for physical server; customer for virtual server
- Manual server management: SoftLayer for physical server; customer for virtual server
- Customer workload management: Customer

Hosting sensitive workloads
Sensitive workloads are best hosted on SoftLayer's bare metal or private dedicated cloud offering.
After initial provisioning, all responsibility for workload security and compliance rests with the customer.
Customers have the ability to fully encrypt their hard drive.

SoftLayer SOC2 certified data center
- Dedicated/Bare Metal: Sensitive workloads on bare metal servers. A bare metal, or dedicated, solution to meet the exact needs of your application.
- Private virtual instance: Sensitive workloads on private cloud. Single-tenant cloud computing, deployed and scaled in a matter of hours.
- Public virtual instance: NOT RECOMMENDED on public, multi-tenant. Multi-tenant cloud computing, storage and content delivery on SoftLayer's automated platform.

Customer responsible for satisfying all controls for operating system and above, including the logical access management required to manage the workloads.

SoftLayer responsible for best practices for physical safeguards of the hosting facility necessary to protect IaaS.

Customer risk: Loss of data from use of (access to) applications and data, including the operational management of applications and systems.

SoftLayer risk:
- Inability of customer to access data due to inability to access hosted solution through unplanned downtime scenarios
- Data breach due to improper media destruction


In this topic, you will learn about:
- Tier 3 data centers
- Measures taken to secure the data center and server rooms
- Operational security measures


Securing the data centers


Securing the data centers
SoftLayer data centers are Tier 3 data centers.

Tier 4: 99.995% availability; annual downtime .04 hours. Two independent utility paths; fully redundant (2N+1); sustain 96-hour power outage.
Tier 3: 99.982% availability; annual downtime 1.6 hours. Multi power and cooling paths; fault tolerant (N+1); sustain 72-hour power outage.
Tier 2: 99.749% availability; annual downtime 22.0 hours. One path of power and cooling; some redundancy in power.
Tier 1: 99.671% availability; annual downtime 28.8 hours. Single path power and cooling; no redundant components.


Data center and server room security
- Data centers located only in facilities with controlled access and 24-hour security.
- No server room doors are public-facing.
- Server rooms are staffed 24 x 7.
- Unmarked entry and exit doors into server rooms.
- Digital security video surveillance is used in the data center and server rooms.
- Biometric security systems are used throughout the data center.
- Server room access strictly limited to SoftLayer employees and escorted contractors or visitors.
- Barcode-only identification on hardware; no customer markings of any type on the servers themselves.



Securing the data centers (cont.)

Operational security
- Engineers and technicians trained on internal industry standard policies and procedures, and audited yearly.
- Geographic redundancy for all core systems for disaster recovery and business continuity.
- Two-factor authentication for Customer Portal access adds greater server security.
- All data removed from re-provisioned machines with drive wipe software approved by the US Department of Defense.
- Ongoing PCI DSS compliance for SoftLayer's own handling of credit card information.
- Current SSAE 16 SOC1 report, with no exceptions noted.




Securing the data centers (cont.)

In this topic, you will learn about SoftLayer's industry and regulatory compliance.
Complying with industry and regulatory standards

Service Organization Control (SOC) 2
- SoftLayer has an unqualified SOC 2 Type II report for all data centers.
- Audits security, availability, process integrity, privacy and confidentiality.
- Report available to customers and their auditors via NDA.

Safe Harbor
- Certification demonstrates that SoftLayer provides adequate privacy protection as defined by the Directive.

Industry and regulatory compliance

Payment Card Industry Data Security Standard (PCI-DSS)
- At present, SoftLayer does not have a PCI Report on Compliance (ROC).
- SoftLayer is suited to host PCI workloads through its bare-metal and single-tenant private cloud offerings.
  - It is not recommended to host a PCI workload in the SoftLayer multi-tenant cloud offering.

Federal Information Security Management Act (FISMA)
- SoftLayer is working towards FISMA compliance in select data centers.



Health Insurance Portability and Accountability Act (HIPAA)
Industry and regulatory compliance (cont.)

Cloud Security Alliance (CSA)
- SoftLayer has published a self-assessment in the CSA Security, Trust and Assurance Registry (STAR).
- SoftLayer expects to be eligible for CSA-STAR Certification and Attestation since they have an existing SOC 2 Type II assessment from a third party.
- CSA-STAR Continuous certificate is still under development by CSA.

Industry and regulatory compliance (cont.)
Questions
Leading Edge
Trusted
Completely Free
Recommended actions
Sign up for a free 1 month trial account: http://www.softlayer.com/info/free-cloud/skills100

Within 60 days, register as a SoftLayer partner with a viable SL opportunity (time frame, workload, configuration) at: http://www.softlayer.com/partners/ibm-partners

Attend other SoftLayer Fundamentals webinars or download
the replay and materials at your convenience
Please remember to download the glossary of terms