CLUSIR of 12 June

OBS presentation on cloud computing security


  1. cloud computing security
     Jean-François AUDENARD – Orange Business Services – Cloud Security Advisor
     CLUSIR presentation – InfoNord – Club RSSI
     v1r0 – June 12th, 2012
  2. agenda
     Security and the data lifecycle
     – The challenges of data security in the cloud
     – Opportunities, but also a return to the fundamentals
     – Security "attached to the data": principles & approach
     Cloud security at Orange Business Services
     – Our "SecuredByDesign" approach
     – Model for integrating security into cloud projects
     – Maintaining and improving security day to day
     Questions & answers
     (slide footer) Cloud Security – 12 June 2012 – Orange Business Services
  3. context
  4. Our customers are targets
     Flame – 1Q2012
     CISCO – Global Threat Report – 2Q2011
  5. Cloud concentrates everything: datacenters, customers' data, revenues, risks, hackers' greed, and security (good news!)
  6. Threats follow the data
     (figure: enterprise internal network/IT; Cloud Service Providers (CSP); threats / attackers)
  7. expectations
  8. Cloud security is a must-have. All the big analyst firms agree!
  9. An expectation AND a business accelerator
     "<…> As counterintuitive as this may seem, enterprises actually expect cloud security to be superior to what they employ for traditional IT services. Current Analysis' survey 'Cloud Services 2011 – Enterprise Adoption Plans and Trends' in August 2011 found that one of the drivers for cloud adoption is actually more security <…>"
     Highly secure cloud services will boost our business.
  10. Compliance
     As a customer
     – internal compliance
     – vertical compliance (PCI-DSS, …)
     As a service provider
     – telco's legal obligations
     Rising trend on personal information
     – data breach notifications
     Nothing specific related to cloud.
  11. What's really new
  12. Question: what really changes with cloud?
     Cloud is not more or less secure: the security posture evolves
     – risks are transferred
     – new risks appear
     – underlying cloud technologies are not new
     – concentration brings new opportunities (but increased risks too)
     "…the cloud's economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defenses can be more robust, scalable and cost-effective…" (Source: ENISA)
     Answer: Cloud requires security excellence & associated transparency
  13. Cloud-specific vulnerabilities
     NIST essential characteristics: on-demand self-service, ubiquitous network access, resource pooling, rapid elasticity, measured service; plus virtualization
     Direct vulnerabilities: hyper-jacking, VM escape, VM sprawl, VM theft
  14. Direct vulnerabilities
     – they're the visible tip of the iceberg
     – associated risks may hit both the provider and its customers
     – identified during the risk assessment phase
     – the provider must manage them
     – the provider must demonstrate that it does
  15. Vulnerabilities are an opportunity?
  16. Yes: thanks to cloud-specific vulnerabilities
     Indirect vulnerabilities (consequences of the NIST characteristics on the customer side): inability to monitor traffic, limited network zoning, single point of failure, forbidden network vulnerability scans
     Direct vulnerabilities (virtualization): hyper-jacking, VM escape, VM sprawl, VM theft
  17. Indirect vulnerabilities are seen as regressions or limitations
     A security control may be either
     – difficult to instantiate
     – impossible to implement
     Associated risks are customer-centric
     An opportunity for
     – provider differentiation
     – a premium services catalog
  18. Securing the cloud(s)
  19. Appropriate level of engagement
     Stack, bottom to top: datacenter, servers & network, hypervisor (VMM), VM, operating systems, middleware, applications
     Responsibilities are split between the parties: IaaS, PaaS and SaaS move the boundary between Cloud Service Provider management and the customer's management higher up the stack, with increased responsibilities for the Cloud Service Provider, increased criticality, and a high level of shared resources
  20. Cloud models & security
     – private cloud: security is under the customer's control; dedicated infrastructure/staff/processes
     – community cloud: shared infrastructure
     – hybrid cloud
     – public cloud: security controlled by the provider
     Internal risk & compliance still apply here!
  21. Building & maintaining trust
  22. Trust must be both external & internal
     Regulation/standards bodies: applicable laws, "cloud-ready" regulations, government specifics, certification bodies
     Cloud providers: certifications, cloud service catalog, security SLAs, transparency, adherence to standards
     Internal stakeholders of the enterprise: executives, business units, risk managers/CISO, corporate IT, employees; risk assessment, security SLAs, policies
  23. With the cloud, data is living everywhere
     (figure: business units access the corporate application running as VMs in a virtual datacenter; corporate IT administers it and transfers VMs/data to the cloud infrastructure and the VM template store)
  24. In the cloud, data is living everywhere: risk too
     (figure: the same picture annotated with risks: poor access control, SQL injections, toxic data, malware, device theft/loss, sniffing, DDoS, impersonation, VM sprawl, security patches, disgruntled admin, rogue admin, theft of credentials, isolation failure, weak release management, data location)
  25. The data security lifecycle
     – Create: generation of new content or significant modification of existing content
     – Store: committing data to storage
     – Use: user interacting with the data (cloud & endpoint)
     – Share: exchange of data between users, customers and partners
     – Archive: data transfer to long-term storage
     – Destroy: permanent destruction & content discovery
  26. Simultaneous and multiple data lifecycles
     (figure: the slide 23 picture with a Create/Store/Use/Share/Archive/Destroy cycle running at each location: business units, virtual datacenter, corporate IT, cloud infrastructure, VM templates)
  27. Use case: a virtual machine (IaaS)
     1. initial creation by corporate IT
     2. transfer to the cloud as an OVF container
     3. insertion in the VM template store
     4. VMs are instantiated and executed for business purposes
     5. VM templates and instances are deleted
  28. Create and Share controls
     1 – Create: creation of the VM template by corporate IT
        1. classify: risk-based decision for moving specific workloads/applications into selected cloud(s)
        2. assign rights: tag VM templates with labels to facilitate rights allocation/assignments
     2 – Share: transfer to the cloud as an OVF container
        1. activity monitoring & enforcement: watch when and where admin(s) are transferring templates
        2. encryption: secure data in motion using VM encryption
        3. logical controls: log accesses to admin VM interfaces
        4. application security: secure admin interfaces/API
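The "classify", "assign rights" and "activity monitoring & enforcement" controls of the Create and Share phases, as an added example that is not from the deck or from Orange Business Services: templates carry a classification label, a policy says which cloud(s) each label may be exported to, and the admin API audit log is checked against that policy (and against the "VM encryption in motion" control). The audit-log format, admin names, template names, labels and cloud names are all constructed for this example and do not describe any real product.

```python
"""Label-based transfer policy checked against admin API audit lines.
Added example; log format, names and policy are constructed, not real."""
import re
from dataclasses import dataclass

# Constructed policy: the clouds a template of each classification may be moved to
# (the deck's "risk-based decision for moving specific workloads into selected clouds").
TRANSFER_POLICY = {
    "public":       {"public-cloud", "community-cloud", "private-cloud"},
    "internal":     {"community-cloud", "private-cloud"},
    "confidential": {"private-cloud"},
}

# Constructed labels assigned at "Create" time (tagging of VM templates).
TEMPLATE_LABELS = {
    "web-frontend-2012q2": "public",
    "erp-appserver":       "internal",
    "hr-payroll-db":       "confidential",
}

# Constructed audit-line format of the admin API:
# <iso time> admin=<user> action=<verb> template=<name> [dest=<cloud>] [encrypted=yes|no]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) admin=(?P<admin>\S+) action=(?P<action>\S+) "
    r"template=(?P<template>\S+)(?: dest=(?P<dest>\S+))?(?: encrypted=(?P<enc>yes|no))?$"
)


@dataclass
class Finding:
    ts: str
    admin: str
    template: str
    reason: str


def check_line(line: str):
    """Return a Finding for one audit line that violates the policy, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        # Lines the monitor cannot parse are findings too: silent gaps hide transfers.
        return Finding("?", "?", "?", f"unparseable audit line: {line.strip()!r}")
    f = m.groupdict()
    label = TEMPLATE_LABELS.get(f["template"])
    if label is None:
        # No label means no rights were assigned at Create time: nothing may move.
        return Finding(f["ts"], f["admin"], f["template"], "template has no classification label")
    if f["action"] == "export":
        allowed = TRANSFER_POLICY[label]
        if f["dest"] not in allowed:
            return Finding(f["ts"], f["admin"], f["template"],
                           f"{label} template exported to {f['dest']}, allowed: {sorted(allowed)}")
        if f["enc"] != "yes":
            return Finding(f["ts"], f["admin"], f["template"],
                           "OVF exported without VM encryption (data in motion unprotected)")
    return None


def audit(lines):
    """Run every audit line through the policy and return the findings in log order."""
    return [fd for fd in (check_line(ln) for ln in lines) if fd is not None]


# Constructed sample of admin API audit lines (not a real log).
SAMPLE_LOG = """\
2012-06-12T09:01:02Z admin=jf action=export template=web-frontend-2012q2 dest=public-cloud encrypted=yes
2012-06-12T09:05:40Z admin=jf action=export template=hr-payroll-db dest=public-cloud encrypted=yes
2012-06-12T09:07:11Z admin=pl action=export template=erp-appserver dest=private-cloud encrypted=no
2012-06-12T09:09:00Z admin=pl action=instantiate template=erp-appserver
2012-06-12T09:10:30Z admin=pl action=export template=test-box dest=private-cloud encrypted=yes
"""

if __name__ == "__main__":
    for fd in audit(SAMPLE_LOG.splitlines()):
        print(f"{fd.ts} {fd.admin} {fd.template}: {fd.reason}")
```

Three of the five constructed lines are flagged: a confidential template leaving for the public cloud, an internal template exported without encryption, and an export of a template that was never classified. The policy is deliberately a deny-by-default lookup keyed on the label, so adding a cloud or a label is a data change rather than a code change.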
  29. Store and Use controls
     3 – Store: insertion in the VM template store
        1. filesystem access controls: isolation between tenants & administrator separation of duties
        2. encryption: volume/media encryption
        3. rights management: enforcement of the rights created during the "Create" phase (when data enters storage)
        4. content discovery: ensure data are located in the right place
     4 – Use: VMs are instantiated and executed for business purposes
        agent-based security & access log collection; two perimeters of control: 1) cloud-based controls, 2) endpoint-based controls
        1. activity monitoring & enforcement
        2. rights management: enforcement of the rights created during the "Create" phase (modification, export, copying, …)
        3. logical controls: application logic controls
        4. application security
  30. Use and Destroy controls
     4 – Use: as on slide 29
     5 – Destroy: VM templates and instances are deleted
        1. crypto-shredding: delete the encryption keys
        2. secure deletion: overwrite data 3 to 7 times with a random pattern
        3. physical destruction: degaussing or physical destruction of storage devices
        4. content discovery: ensure no copies or versions of the data remain accessible
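The Store-phase volume encryption of slide 29 and the crypto-shredding and content-discovery controls of slide 30, as one added example that is not from the deck or from Orange Business Services: every volume is encrypted under its own data-encryption key (DEK), the DEK is kept wrapped under the tenant's key-encryption key (KEK), and "destroy" means deleting the DEK while the provider's ciphertext, snapshots and backups stay exactly where they are. The cipher is a keyed SHA-256 keystream in counter mode, a stand-in chosen only so the example runs on the Python standard library; a real deployment uses AES (GCM or XTS). Tenant, volume, snapshot and key names are constructed.

```python
"""Crypto-shredding of an encrypted VM volume with content discovery.
Added example; the keystream cipher is a stdlib stand-in for AES."""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks (CTR-style stand-in
    for AES). The same call decrypts because XOR is its own inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class KeyStore:
    """Tenant key store: one DEK per volume, each wrapped under the tenant KEK."""

    def __init__(self, kek: bytes):
        self._kek = kek
        self._wrapped = {}  # volume_id -> (nonce, wrapped DEK)

    def new_dek(self, volume_id: str) -> bytes:
        dek, nonce = os.urandom(32), os.urandom(16)
        self._wrapped[volume_id] = (nonce, keystream_xor(self._kek, nonce, dek))
        return dek

    def get_dek(self, volume_id: str) -> bytes:
        if volume_id not in self._wrapped:
            raise KeyError(f"{volume_id}: DEK destroyed, volume is crypto-shredded")
        nonce, wrapped = self._wrapped[volume_id]
        return keystream_xor(self._kek, nonce, wrapped)

    def shred(self, volume_id: str) -> None:
        """The Destroy control: delete the only key able to decrypt the volume."""
        del self._wrapped[volume_id]


class VolumeStore:
    """Provider-side storage. Ciphertext, snapshots and backups are never removed
    here; that is the part of the lifecycle a cloud tenant does not control."""

    def __init__(self, keys: KeyStore):
        self.keys = keys
        self.blobs = {}  # blob_id -> (volume_id, nonce, ciphertext)

    def create(self, volume_id: str, plaintext: bytes) -> None:
        dek, nonce = self.keys.new_dek(volume_id), os.urandom(16)
        self.blobs[volume_id] = (volume_id, nonce, keystream_xor(dek, nonce, plaintext))

    def snapshot(self, volume_id: str, name: str) -> None:
        self.blobs[f"{volume_id}@{name}"] = self.blobs[volume_id]  # backup keeps the ciphertext

    def read(self, blob_id: str) -> bytes:
        volume_id, nonce, ct = self.blobs[blob_id]
        return keystream_xor(self.keys.get_dek(volume_id), nonce, ct)


def content_discovery(store: VolumeStore) -> list:
    """Which blobs, snapshots included, can still be turned back into plaintext?"""
    readable = []
    for blob_id in store.blobs:
        try:
            store.read(blob_id)
            readable.append(blob_id)
        except KeyError:
            pass
    return readable


def run_lifecycle() -> dict:
    """Create -> Store (with a backup) -> Use -> Destroy by crypto-shredding."""
    keys = KeyStore(os.urandom(32))
    store = VolumeStore(keys)
    secret = b"constructed HR payroll export, confidential"  # constructed sample data
    store.create("vol-hr-01", secret)
    store.snapshot("vol-hr-01", "backup-2012-06-11")
    result = {"plaintext_ok": store.read("vol-hr-01@backup-2012-06-11") == secret,
              "readable_before": content_discovery(store)}
    keys.shred("vol-hr-01")  # Destroy: delete the DEK, leave the provider's copies alone
    try:
        store.read("vol-hr-01")
        result["read_after_shred"] = "plaintext"
    except KeyError:
        result["read_after_shred"] = "KeyError"
    result["readable_after"] = content_discovery(store)
    result["ciphertext_retained"] = len(store.blobs)
    return result


if __name__ == "__main__":
    print(run_lifecycle())
```

Before the shred, content discovery reports both the volume and its backup as readable; after it, the two ciphertext blobs are still on disk but neither can be decrypted, which is the property the deck's "ensure no copies or versions of the data remain accessible" check is really after. This is why crypto-shredding comes first in the Destroy list for cloud: a tenant cannot overwrite or degauss the provider's disks, an overwrite does not reach snapshots or backups, and overwriting is in any case unreliable on flash media because of wear levelling. The DEK itself must be held where the tenant can actually destroy it (a KMS or HSM the tenant controls), and the delete must be logged with the same care as the transfers in the Share phase.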
  31. Implementation rules
     – transparency brings confidence
     – change your mindset for data-centric security
     – leverage existing security frameworks & practices
     – participate in research & standardization activities
  32. Secure infrastructure: 6 lessons learnt from the field
     – build security in from the start of the project
     – select your compliance frameworks & stick with them
     – train your team and educate others about cloud security
     – take network & IT convergence as an opportunity
     – integrate security into existing processes
     – get intimate with cloud IT & ops
  33. SecureByDesign Cloud services (April 18th, 2012 – v1.1)
  34. Trusted cloud computing approach
     – trusted cloud offers: cloud security services "SecureByDesign" (today's focus)
     – security services delivered from the cloud
     – secure cloud platforms portfolio
     – pervasive and secure network connectivity to the cloud
  35. Our secure development lifecycle
     think: high-level risk assessment, security risk assessment, legal obligations assessment, risk mitigation plan
     build & deploy: security implementation assistance, security reviews, penetration tests
     operate: operational security & continuous improvement
  36. CloudTrust: a tailored approach for secure cloud
     > per-service based
     > unified to the cloud program
     > part of standard processes
     > bridges processes between BUs
     > risks/benefits based approach
     > cloud security architects
     > keeps the service definition
     > enhanced security value proposition
     > focuses on think/build/deploy
     > integrated operational security
     Secure cloud services backed with highly reliable network connectivity with end-to-end SLAs
  37. Maintaining & enhancing trust in cloud services
     CISSM (Cloud Information Systems Security Manager): global security oversight on changes, incident management, admin & third-party access management, legal obligations, vulnerability management, periodic security reviews & audits
  38. End-to-end operational security
     CISSM and cloud security architects
     • build security in right from the beginning
     • ensure a continuous delivery model with smooth roll-out
     • global understanding and broad experience
     • leverage experiences and foster new initiatives
     • certified security professionals
     • active role in certification activities and the 27K ISMS
     Orange Cloud Computing Services: Flexible Computing Express, Flexible Backup, JCI; certifications: ISO 27K/20K, …
     Private cloud
     • leverage processes to bolt security into the customer's private cloud
     • deliver telco-grade expertise to the customer's private cloud
     • tailored solutions for specific requirements
  39. Flexible Computing Express
     (figure: Secure Virtual Data Center with 6 zones of VMs, load balancer, firewalling, DDoS protection, logs, 2-factor authentication, VM templates, security patches, antivirus, backup; reached by business units, remote sites, the internal private WAN and service providers (Business Galerie) over Business VPN, and by administrators over VPN-SSL to the console; automated VA scans; IPVPN network connectivity; ISAE 3402 datacenters (SAS 70 Type 2); overseen by the CISSM)
  40. Flexible Computing Express standard security features
     Secure Virtual DataCenter (vDC)
     • 6 dedicated/isolated VLANs
     • stateful firewalling (dedicated instance)
     • load-balancing (dedicated instance)
     Secure management
     • VPN-SSL remote access
     • web-based unified management (vDC, VLANs, FW, …)
     • two-factor authentication
     • access to firewall logs
     Security services zone
     • VM templates (Microsoft, Linux)
     • security patch distribution servers
     • antivirus signatures
     • backup services
  41. Additional security services
     Security services store
     • hardened VM templates
     • vulnerability scans & compliance
     • encrypted VMs & volumes
     • IDS/IPS
     • database security
     • …
     Professional services
     • vulnerability management
     • OS & applications management
     • security audits
     • penetration testing
     • …
  42. takeaways
  43. Blogs: the direct link with our security experts
     http://blogs.orange-business.com/connecting-technology/security/
     http://blogs.orange-business.com/securite/
  44. Continue the journey with us!
     CSA EMEA Congress – 25-26th September 2012 – Amsterdam – http://www.cloudsecuritycongress.com/
     C&ESAR 2012 – 20-22nd November – Rennes – http://www.cesar-conference.org/
  45. thank you
     business changes with
  46. Contacts
     Jean-François AUDENARD – Cloud Security Advisor – 01 44 37 61 91 – 06 74 79 67 12 – jeanfrancois.audenard@orange.com – twitter: @jeffman78
     Philippe LANDEAU – Business Development – 01 55 54 42 36 – 06 82 59 52 36 – philippe.landeau@orange.com
