Cloud Computing Security

Cloud security is a must have. Also, an expectation AND a business accelerator.
But what really changes with cloud? Cloud is not more or less secure: the security posture evolves.

Published in: Technology, Business

  • CISCO – Global Threat Report – 2Q2011: http://www.cisco.com/en/US/prod/collateral/vpndevc/cisco_global_threat_report_2q2011.pdf
  • DUQU: http://www.schneier.com/blog/archives/2011/10/new_malware_duq.html ; http://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet ; http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf
  • NITRO: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf
  • The threat tracks the data wherever it is located, in the cloud or on mobile devices…
  • TODO: title to be reworked/clarified…
  • Example: SecurityInTTM for service design projects. Example: one that has no SecurityInTTM. TODO: remove the "Recommendations" slides and the
  • Transcript

    • 1. cloud security webinar Jean-François Audenard – Cloud Security Advisor November 10, 2011
    • 2. our agenda
      • 1. context
      • 2. expectations
      • 3. building & maintaining trust
      • 4. Orange cloud services
    • 3. context
    • 4. our customers are targets (source: CISCO – Global Threat Report – 2Q2011) © Paty Wingrove - Fotolia.com
    • 5. Cloud concentrates everything
      • datacenters
      • customer’s data
      • revenues
      • risks
      • hacker’s greed
      • security (good news !)
      © boulevard - Fotolia.com
    • 6. threats follow the data (diagram labels: enterprise internal network/IT; Cloud Services Providers (CSP); threats / attackers)
    • 7. expectations
    • 8. Cloud security is a must have
    • 9. an expectation AND a business accelerator
      • <…> As counterintuitive as this may seem, enterprises actually expect cloud security to be superior to what they employ for traditional IT services. Current Analysis’ survey of ‘Cloud Services 2011 – Enterprise Adoption Plans and Trends’ in August 2011 found that one of the drivers for cloud adoption is actually more security. <…>
      highly secure cloud services: a business booster
    • 10. compliance
      • as a customer
        • Internal compliance (IT Security Policy)
        • vertical compliance (PCI-DSS, …)
      • as a service provider
        • Telco’s specific obligations
        • General legal obligations
      • rising trend on personal information
        • Data breach notifications
      • nothing really specific related to cloud
      © Scott Maxwell - Fotolia.com
    • 11. question : what really changes with cloud ?
      • Cloud is not more or less secure: the security posture evolves
        • Risks are transferred
        • New risks appear
      • underlying cloud technologies are not new
      • concentration brings new opportunities (but increased risks too).
      “… the cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defenses can be more robust, scalable and cost-effective…” (Source: ENISA)
      answer: Cloud requires security excellence & associated transparency
    • 12. building & maintaining trust © Ben Chams - Fotolia.com
    • 13. trust must be both external & internal (diagram labels: internal stakeholders; enterprise; Cloud; Executives; Business Units; Risk Managers, CISO; Corporate IT; Employees; Cloud providers; regulation/standards bodies)
      • Certifications
      • Security SLAs
      • Transparency
      • Adherence to standards
      • Cloud service catalog
      • Risks assessment
      • Security SLAs
      • Policies
      • Applicable laws
      • “Cloud-ready” regulations
      • certification bodies
      (diagram labels: government specifics; regulations; standards)
    • 14. ensures data protection
      • data lifecycle phases: create, transfer, store, use, archive, destroy
      • controls shown: data classification & rights assignation; private networks, encryption & strong authentication; access control, rights management, encryption; encryption, asset management; crypto-shredding, secure deletion, content discovery; application security, logical controls, activity monitoring
    • 15. appropriate level of engagement
      • responsibilities between parties: Cloud service provider management; customer’s management
      • layers: datacenter, servers & network, Hypervisor (VMM), VM, operating systems, middleware, applications
      • service models: IaaS, PaaS, SaaS
      • increased criticality
      • high level of shared resources → increased responsibilities for the Cloud Service Provider
    • 16. Cloud models & security
      • models: public Cloud for enterprises; community cloud; private cloud; hybrid cloud
      • diagram labels: shared infrastructure; dedicated infrastructure/staff/processes; security is under customer’s control; security controlled by the provider
      • Internal risk & compliance still apply here!
    • 17. implementation rules
      • transparency brings confidence
      • change your mind for data-centric security
      • leverage existing security frameworks & practices
      • participate in research & standardization activities
      © lilufoto - Fotolia.com
    • 18. Orange cloud services
    • 19. our cloud security development lifecycle
      • integrated approach
        • right from the beginning
        • risk-based approach
      • driven by experts
        • security consultants
        • security architects
        • specialized lawyers
      • adaptable & updated
        • for specific projects too
      (diagram labels: Security Risk Assessment; Security Implementation Assistance; Security Reviews; Security Penetration Tests; milestones T0, T3, T2, T-1; Risks Mitigation Plan; High-Level Risks Assessment; Continuous improvement (PDCA); Legal Obligations Assessment)
    • 20. portfolio
      • service categories: Infrastructure as a Service; Software as a Service; IT infrastructure as a Service; Security as a Service; Collaboration as a Service; Real-Time applications as a Service; Back-up and Storage as a Service
      • offer and timeline labels, as extracted from the diagram: Flexible Computing Premium Messaging Protection Suite Web Protection Suite Unified Collaboration (B2GaaS) Fleet Management Network IVR Business Store Flexible Computing Private 2011 H2 2010 now VPN Galerie IT Plan Contact Center as a Service Cloud-ready Networking Business VPN Business Acceleration Flexible Computing Business Telephony Hosted Exchange Orange API Private Applications Store Business Together with Microsoft – Online Services Flexible SSL Smartphone management Application & Content Delivery Networking
    • 21. Web Protection Suite
      • real-time protection from zero-day threats
        • real-time scanning, not just URL filtering
        • latest security detections immediately benefit all customers
        • policy enforced across the enterprise, including to out-of-office workers
      • effortless management
        • intuitive Web-based interface centralizing all management and reporting functions
        • policy changes are immediately rolled-out across the enterprise
      • real security-as-a-service
        • take hardware, software and database into the cloud
        • pricing mostly based on monthly recurring charges
        • save costs: customers confirm 30-40% in annual TCO savings
    • 22. flexible SSL
      • a comprehensive “IT opening” cloud solution, proposed in SaaS model
      • capable of connecting every type of remote users to your internal IT system
        • using every type of device (laptop, PDA, …)
        • with every type of connection (DSL, BE v3, …)
        • and with every profile (corporate user, 3rd party, …)
      • a scalable offer that easily follows your requirements
        • automated real time changes
        • subscription modifiable on a monthly basis (SaaS model)
      • with aggressive SLA and pricing model
      • pricing model based on the application and not on the gateway
      • the only requirement is to be an Orange Business Services MPLS customer
    • 23. Cloud & security are best friends © laurent hamels - Fotolia.com
    • 24. Thank you !
    • 25. Cloud vulnerabilities are an opportunity? © Yuri Arcurs - Fotolia.com
    • 26. Cloud specific vulnerabilities
      • NIST: On-demand self-service; Ubiquitous network access; Resource pooling; Rapid elasticity; Measured service
      • Virtualization
      • Direct vulnerabilities: Hyper-jacking; VM-Escape; VM sprawl; VM Theft
    • 27. Direct vulnerabilities
      • they’re the visible top of the iceberg
      • associated risks may hit both
        • the provider
        • its customers
      • Identified during risk assessment phase
      • the provider must manage them
      • the provider must demonstrate them
    • 28. Yes: Thanks to cloud-specific vulnerabilities
      • NIST: On-demand self-service; Ubiquitous network access; Resource pooling; Rapid elasticity; Measured service
      • Virtualization
      • Direct vulnerabilities: Hyper-jacking; VM-Escape; VM sprawl; VM Theft
      • Indirect vulnerabilities: Inability to monitor traffic; Limited network zoning; Single point of failure; Forbidden network vulns scans
    • 29. Indirect vulnerabilities
      • are seen as regressions or limitations
      • A security control may be either
        • difficult to instantiate
        • impossible to implement
      • associated risks are customer-centric
      • an opportunity for
        • provider’s differentiation
        • premium services catalog
      © brodtcast - Fotolia.com