Can you trust the cloud provider?

Download to read offline

This talk was given at a Cloud Security Alliance event in Lausanne on April 29th, 2015.
Organized by the CSA CH chapter, the topic was trust issues in cloud computing in general. In this talk, I gave our feedback and the approach we have with customers when asked about security. The framework and tools offered by the Cloud Security Alliance are a great help and help to define a comparison base.

In the end, trust is always relative and rarely absolute. Cloud providers can be, and in most cases are, a security asset rather than an additional risk.

  1. Can you trust the Cloud Provider?
  2. Antoine Coetsier, CEO at Exoscale since 2011, +12 years in Service Provider Mobile/Telco/Cloud (CCSK holder)
  3. exoscale in a nutshell... the safe home for your cloud applications
     - ... an IaaS provider and beyond: cloud hosting based on the latest technology
       - Flexible server and storage infrastructure
       - Trimmed for performance, intuitive usability and tooling
     - Market place for value added applications
       - One-stop-shop to reduce infrastructure complexity for developers and sysadmins
     - ... with a solid background: trust relationship with the cloud provider
       - Started 2011 within Veltigroup
       - Spun-off mid 2014
     - Swiss company
       - Proximity to EMEA clients
       - Swiss data privacy standards
     - 99.95% platform availability
  4. exoscale offering overview: a one-stop-shop for developers/sysadmins and business IT
     - Open Cloud: Open Cloud Compute, Open Cloud Storage; virtual data center, zones & networking, market place / add-on services
       - Pure-play cloud offering (web-based purchase), worldwide market pricing
       - One-stop-shop for SaaS companies
     - Managed Cloud: vendor backed; transition product for business IT migrating to the cloud (Hybrid Cloud)
     - Swiss support
  5. Some numbers
     - +1200 customers active
     - 25.000 instances deployed in 2014
  6. Security not an option: solid customers' business reliability
     - Security framework: +130 points dealing with the whole cloud service
       - Data Governance
       - Facility
       - HR
       - Information Security
       - Legal
       - Risk Management
       - Security Architecture
     - Datacenters: state of the art locations for safe housing
       - GV1: Internet peering point
       - GV2: Extreme density
       - DK2: Reconverted Swiss Army bunker
  7. Enterprise class SLA and support
     - SLAs
       - 99.95% instance availability
       - 4H incident resolution objective
       - 99% self-care platforms availability: portal, management interface, billing and usage console, user management
       - Transparent escalation matrix
     - Support
       - 24/7 unique phone call center (Swiss based)
       - Multi language: French, English, German
       - Requests management*: business days, from 8:00 to 18:00
       - * Geneva time zone and vacation schedule
  8. Open Cloud
     - Compute
     - Storage
  9. Open Cloud compute: instances for Devs and Sysadmins. Direct, simple to use cloud instances for Devs and Sysadmins
     - Open: open source based; standard API; multi OS
     - Ease of use: direct console; integrated support
     - Performance: KVM; persistent storage and IP; 10 GB networking
     - Security features: security groups; SSH keypair management
  10. Open Cloud compute: a unique portal. One comprehensive portal for instance management, support, documentation and billing information
  11. Open Cloud compute: a unique portal (continued)
  12. Scalable security (diagram): your tenant behind the Internet; public IPs attached to instances in Security group A and in Security group B; controlled inbound and outbound traffic
  13. Open Cloud Storage: unique Swiss object storage offering
     - Unique object storage offering in Switzerland
     - AWS S3 compliant, built on internal IP: open source project pithos.io
     - Masters the key challenges of object storage: unlimited scalability; high performance (low read/write latencies)
     - Object storage background: S3 API, unlimited buckets, objects or files
       - Object storage, unlike file storage, focuses on high performance and unlimited scalability of storage
       - AWS S3 is the de facto industry standard
       - Market highly dominated by US players (Amazon, Rackspace, Google, Microsoft)
  14. Open Cloud Compute: more than 25'000 instances launched in 2014
     - A provider of virtual servers
     - All in one self-service portal: deployment of new instances in less than 35 seconds; reduces operational complexity (like networking)
     - Fully compliant with many open and proprietary DevOps tools: tooling and automation (APIs)
     - Minutes based pricing
     - Technical specifications:
       - Cloud control system: Apache CloudStack (tm)
       - Hypervisor: Linux KVM (Kernel Virtual Machine)
       - Storage: local SAS storage (all SAS/SSD)
       - Admin interface: own provisioning interface
       - Instance size: CPU 1 – 8 vCPUs; RAM 512MB – 32GB; root disk 10GB – 400GB
       - Network: security groups for network isolation; 1 public IP per instance
       - OS images: Linux (CentOS, Debian, Ubuntu, CoreOS); Windows Server (2008 R2, 2012)
       - Billing and pricing: minutes pricing; online payment or monthly invoice
       - SLA: 99.95% availability; 24/7 interventions
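The security-group layout of slide 12 (two groups, controlled inbound traffic) expressed as CloudStack API calls, since slide 14 names Apache CloudStack and its API as the control plane. This is an added example, not Exoscale's own code or tooling: the API key, secret, group names, admin CIDR and account are constructed placeholders, and the request signing follows CloudStack's documented procedure (sorted and lowercased query, HMAC-SHA1, base64); `verify` is a defender-side check that any tampered parameter breaks the signature.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder credentials: not real Exoscale or CloudStack keys.
API_KEY = "EXO-PLACEHOLDER-API-KEY"
SECRET = "placeholder-secret-key"

def canonical_query(params):
    """Sort parameters case-insensitively by name and URL-encode the values,
    as the CloudStack signing procedure requires."""
    ordered = sorted(params.items(), key=lambda kv: kv[0].lower())
    return "&".join(f"{k}={quote(str(v), safe='*')}" for k, v in ordered)

def sign(params, secret):
    """HMAC-SHA1 over the lowercased canonical query, base64-encoded."""
    mac = hmac.new(secret.encode(), canonical_query(params).lower().encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(params, secret):
    """Recompute the signature and compare in constant time: any change to a
    parameter (e.g. a widened cidrlist) or a wrong secret invalidates it."""
    unsigned = {k: v for k, v in params.items() if k != "signature"}
    return hmac.compare_digest(sign(unsigned, secret), params.get("signature", ""))

def signed_request(command, secret=SECRET, **kwargs):
    params = {"command": command, "apikey": API_KEY, "response": "json", **kwargs}
    params["signature"] = sign(params, secret)
    return params

def ingress_from_cidr(group, proto, start, end, cidr):
    return signed_request("authorizeSecurityGroupIngress", securitygroupname=group,
                          protocol=proto, startport=start, endport=end, cidrlist=cidr)

def ingress_from_group(group, proto, start, end, src_group, account):
    # Source is another security group, not a CIDR: CloudStack's map-style
    # usersecuritygrouplist[n].account / .group parameters.
    return signed_request("authorizeSecurityGroupIngress", securitygroupname=group,
                          protocol=proto, startport=start, endport=end,
                          **{"usersecuritygrouplist[0].account": account,
                             "usersecuritygrouplist[0].group": src_group})

def two_tier_rules(admin_cidr, account):
    """Group A ("web") is reachable from the Internet on 443 and from the admin
    network on 22; group B ("db") accepts 5432 only from members of "web"."""
    return [
        ingress_from_cidr("web", "tcp", 443, 443, "0.0.0.0/0"),
        ingress_from_cidr("web", "tcp", 22, 22, admin_cidr),
        ingress_from_group("db", "tcp", 5432, 5432, "web", account),
    ]
```

The returned dictionaries are the query parameters of one API call each; nothing is sent, so the block runs offline.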
  15. Open Cloud
     - Apps
  16. Open Cloud apps: rapid application integration and deployment
     - PaaS*: Platform as a Service
       - Languages: standard
       - First in Switzerland
     - Databases and cache via addons: SQL; Memcache; ...
     - Typical workflow: from development to testing to production right from developer tools
       - Commit your code: git commit -m 'ready for prod'
       - Push your application to exoscale apps: exoapp default/myapp push
       - Deploy application: exoapp default/myapp deploy
       - Rollback, push a new version, a branch ... without losing a single user connection
  17. Application scaling: containers can scale horizontally and vertically
     - Advanced features: custom domain names; https or websockets support; SSH connection; log viewing; buildpacks
  18. Open Cloud pricing: flexible and clear pricing structure
     - Detailed instance pricing (1): type, RAM, CPU, monthly price
       - micro: 512 MB, 1 CPU, CHF 14.98
       - tiny: 1'024 MB, 1 CPU, CHF 26.46
       - small: 2'048 MB, 2 CPUs, CHF 52.38
       - medium: 4'096 MB, 2 CPUs, CHF 82.08
       - large: 8'192 MB, 4 CPUs, CHF 164.16
       - extra large: 16'384 MB, 4 CPUs, CHF 282.42
       - huge: 32'768 MB, 8 CPUs, CHF 552.96
     - Detailed root disk pricing (1): size, monthly price
       - 10 GB: CHF 1.44
       - 50 GB: CHF 7.20
       - 100 GB: CHF 14.40
       - 200 GB: CHF 28.80
       - 400 GB: CHF 57.60
     - Windows license pricing: CHF 18.72 monthly
     - Open Cloud Storage, detailed object storage pricing: CHF 0.05 / GB monthly
     - Networking, detailed network pricing: in CHF 0.00 / GB; out CHF 0.0765 / GB (first 100 GB free); inter-zone CHF 0.00 / GB
     - Market place, detailed added value pricing: PaaS CHF 0.01 / MeH hourly (2)
     - 1) Some extreme combinations not possible
     - 2) Memory Hours (128MB container for one hour)
     - Easy and clear pricing structure; all services are charged on a per minute rate; highly competitive prices
  19. Cloud Computing Security Frameworks
  20. Migrating to a cloud service
     - 1st concern is always security
     - Existing guidelines are not fit for purpose: ISO 27001, ...
     - What is the data at stake?
     - Dealing with issues
  21. Cloud computing segmentation (stack, bottom to top: DC facilities, networking, storage, servers, O/S, middleware, runtime, data, applications)
     - Traditional IT: you manage every layer
     - IaaS: DC facilities, networking, storage and servers delivered as a service; you manage O/S, middleware, runtime, data and applications
     - PaaS: everything up to and including the runtime delivered as a service; you manage data and applications
     - SaaS: every layer delivered as a service
  22. Roles and responsibilities vary with the cloud model chosen:
     - "The lower down the stack the cloud service provider stops, the more security capabilities and management consumers are responsible for implementing and managing themselves."
     - Security responsibility shifts between provider and customer
  23. Existing frameworks
     - They focus on one aspect: datacenter; access control process; ...
     - Not on the service
     - SCOPE PROBLEM
  24. Framework for cloud services: the Cloud Security Alliance
     - Non profit organization formed to promote best practices for providing security within the cloud, provide education for the use of cloud solutions, and define guidance and actionable documents
     - Established in 2008, gained significant traction in 2011
     - Not (too) commercial or one-sided governed
  25. Cloud Security Alliance
     - Defines best practices in a Cloud Control Matrix (CCM)
     - Commercial note: exoscale has documented all points of the CCM
     - +130 points dealing with a large range of competences:
       - Data Governance
       - Facility
       - HR
       - Information Security
       - Legal
       - Risk Management
       - Security Architecture
  26. Example
     - CCM control: Human Resources, Background Screening (HRS-02): "Pursuant to local laws, regulations, ethics, and contractual constraints, all employment candidates, contractors, and third parties shall be subject to background verification proportional to the data classification to be accessed, the business requirements, and acceptable risk."
     - CAIQ (Consensus Assessments Initiative Questionnaire) entry: Data Governance, Classification, DG-02, DG-02.1: "Do you provide a capability to identify virtual machines via policy tags/metadata (ex. Tags can be used to limit gu
  27. Cloud Security Alliance mapping
     - v 3.0.1 released
     - Controls base-lined and mapped to: COBIT; HIPAA / HITECH Act; ISO/IEC 27001-2005; NIST SP800-53; FedRAMP; PCI DSS v2.0; BITS Shared Assessments; GAPP ...
     - OCF Level 1: the Cloud Control Matrix
  28. Risk management regarding data
     - What is the data at stake?
     - Personal/employees data
     - Sensitive data
     - Regulated data
     - Is this data meaningful or valuable to someone else?
  29. Data classification
     - Any data we handle has been classified in our systems and given policies regarding the following actions: create; store; use; share; archive; destroy
     - Each class has its own rules and level of protection
     - Standard classes: low (civility, ...); medium (logs, ...); high (authentication secrets)
     - Special classes: credit card information (not stored); forbidden information (racial, political, ...)
  30. Reversibility
     - Ownership
       - Using a cloud service should not enable the transfer of ownership of the data
       - As a general rule: IaaS and PaaS services must stipulate that the data remains your property; SaaS services: look closely, especially for mainstream services
     - Reclaim
       - Can I reclaim/transmit data at any time?
       - What happens in case of contract breach, bad SLAs, change of control of the provider, discontinuation of the service, ...?
       - The answer has to be both technical and legal
  31. The key is contractual
     - Read the contract or terms and conditions
     - Track changes: initiatives like http://tosdr.org/ ("Terms of Service; Didn't Read") emerged
  32. The "trust" issue
     - Trust is relative: you trust someone/something more than another; does absolute trust exist?
     - For IaaS, who do you trust more? An infrastructure team in the IT department, or a provider?
     - Just like with kids: trust does not exclude controls. Are the controls adapted?
  33. Wrap up
     - Classify your data
     - Request a security alignment
     - Review your contracts: reversibility
     - Hosting in data protection aware locations (Switzerland) is easier, but does not prevent all the above
     - Providers like Exoscale can help; they enforce strict controls: monthly testing of power redundancy; bi-monthly review of security access; risk assessment and management; …
     - The provider is an asset, not a threat, in your security landscape
  34. And now?
  35. My recommendations: be ready!
     1. Test even if you do not have a business case (PROACTIVE)
     2. Make a proof of concept
     3. Open an account (REACTIVE)
  36. Thank you for your attention
     - Contact us: +41 58 668 56 00, sales@exoscale.ch
     - Follow us: @exoscale, exoscale code
     - Head Office Lausanne: Avenue de Provence 4, CH-1007 Lausanne
     - Operations: Geneva, Rue du Pré de la Fontaine 19, CH-1217 Meyrin
