GRUPPO TELECOM ITALIA
Cloud Security @ TIM
Current Practices and Future Challenges
Michele Vecchione @ TIM
1st Workshop of the Project Cluster on Data Protection, Security and Privacy
in the Cloud. 23 February 2016, Napoli, Italy
The TIM Group in short
TIM Cloud Strategy versus OTT Players (Cloud and TIM strategy)
Distinctive Factors of our Cloud Business Model
Three distinctive factors differentiate the TIM cloud offering from that of OTT players: proximity, compliance with security and privacy requirements, and excellence in quality of experience.
(Chart: Proximity, Quality of Experience and Compliance & Security, each rated "high" for the Telco compared with OTT players.)

Telco versus OTT:
Proximity
  Telco: direct sales, pre-sales force, CRM exploitation, customisation, local infrastructures
  OTT: product centric, self service
Quality of Experience
  Telco: E2E control, SLA, low latency
  OTT: remote, no direct network control
Compliance & Security
  Telco: EU regulation, SOC/NOC, consultancy
  OTT: rely upon the Internet or third parties, lower privacy rules
Cloud adoption in Italy (Cloud and TIM strategy)
There is space to grow... but there are some concerns.
Building a secure cloud for hosting Enterprise SaaS is a top priority.
TIM Cloud Infrastructure: Data Centers
A Secure Physical Infrastructure
(Map: Regional Service Centers and National DCs: IDC Cesano Maderno, IDC Rozzano, DC Bologna, DC Padova, DC Bari, DC Oriolo Romano, IDC Pomezia; regional centers in Palermo, Firenze, Torino and Napoli.)

Data center capacity by area (figures as printed on the slide; the Italian thousands separator is used, e.g. 4.100 = 4,100):

Nord Est Area: Bologna | Padova
  Systems rooms #: 15 | 23
  Systems rooms available area: >4.100 | >4.300
    - Production systems rooms area: >3.600 | >3.300
    - TLC systems rooms area: >250 | >280
  Installed/active servers #: >1.100 | >950
    - Managed servers #: >900 | >600

Nord Ovest Area: Cesano | Rozzano
  Systems rooms #: 16 | 11
  Systems rooms available area: >4.800 | >3.500
    - Production systems rooms area: >4.500 | >2.800
    - TLC systems rooms area: >280 | >200
  Installed/active servers #: >4.700 | >2.200
    - Managed servers #: >1.300 | >1.500

Center/South Area: Oriolo, Bari, Pomezia (three columns, in the order extracted from the slide)
  Systems rooms #: 13 | 16 | 6
  Systems rooms available area: >3.400 | >6.600 | >2.000
    - Production systems rooms area: >2.900 | >6.100 | >1.800
    - TLC systems rooms area: >400 | >400 | >90
  Installed/active servers #: >3.200 | >5.400 | >800
    - Managed servers #: >3.000 | >3.000 | >700

Acilia (work in progress): Tier 4 data center
  Area size: >4.0000 mq (as printed)
  Production system rooms (6 m height): >3.500 m²
  High-density power supply: up to 15 kW/m²
  Network supports: SDN, NFV
Logical Security: 1) Clarify responsibilities according to the chosen Service Model and Distribution Model
Logical Security: 2) Implement security according to responsibility
Cloud Service Provider Scope (TIM):
• Expose clear security levels of cloud SEs
• Inform the customer about certifications, policies, processes, responsibilities, security plan, L. 196 obligations, and checks (e.g. PT and VA) for which TIM is responsible
• Contractually sign obligations and SLA
Customer Scope:
• Assist the customer in understanding residual risk
• Consult the customer to secure its own area of responsibility
• Provide additional security services and tools to mitigate its own risk
Logical Security: 3) Security as a service to support SaaS
(Diagram: TIM Security Competence Center and TIM Security Operation Center.)
Market Security Additional Services
Main offered services (TIM Security Operation Center, MSOC):
• Area Protection: security appliance management (IDS, IPS, boundary antivirus, web content filtering, antispam)
• Mail Protection: mail relay service with an antispam and antivirus layer, for customers with a mail service offered by TIM or at customer premises
• Host Protection: virtual appliances to protect mission-critical web applications, databases or file systems running in the TIM cloud or on premises
• Security Assessment: periodic vulnerability assessments, penetration testing and source code audit executed by the TIM SOC
• Security Monitoring: monitoring of corporate anti-intrusion systems to identify and block potential attacks from Internet as well as intranet users and prevent system violation
• DDoS Mitigation: Distributed Denial-of-Service protection, against attacks aiming to block the service to legitimate users
TIM Security Operation Center certifications:
• Cisco CCNA (Cisco Certified Network Associate)
• Microsoft: "Microsoft Windows Server"
• SCJP - Sun Certified Java Programmer
• ISO 20000 & 27001 Lead Auditor
• ECDL Core
• QCS - QualysGuard Certified Specialist
• Certified Information Forensics Investigator - CIFI
• EC-Council Certified Security Analyst - ECSA
• EC-Council Licensed Penetration Tester - LPT
• Certified Ethical Hacker - CEH v7
• Microsoft Certified Systems Engineer
• CompTIA Security+ Certified (SY0-201)
• Fortinet Certified Network and Security Associate (FCNSA)
• Juniper Networks Certified Internet Associate (JNCIA-FWV)
• QualysGuard Certified Specialist
• Hands on Hacking Web Application (HOH)
• Network and system security for companies and public administration
• Clavister Firewall Certification
• IT Security & Digital Forensics (Master)
• ISO 9000
• ISO 27001
The world is changing rapidly: new security challenges
Where is my perimeter? With mobility and cloud, the company perimeter is now the Internet! New cloud security access layers are required to secure corporate apps and data, aware of the endpoint in use, the access location, the OS, a strong digital identity, and the application in use.
How can I intelligently scan all of my huge cloud traffic? An enormous amount of information (activity monitoring logs for users and admins; anomaly detection on threats, usage, traffic and data scans) needs to be handled every day. A big data approach must be undertaken.
How do I secure IoT? With IoT, billions of low-power, limited-CPU devices will be connected to applications, generating trillions of daily events.
How do I secure smartphones? MDM and BYOD have low penetration. How do I secure these endpoints in an easier way?
The world is changing rapidly: new security challenges
How can I enforce data protection using the cloud? Corporate applications need to enforce data protection in different cloud deployment scenarios. How can I get visibility of shadow cloud? How can I get contextual access control and prevent data leakage in the cloud?
How can I secure agile and collaborative development? DevOps is growing fast. With continuous development, integration and delivery it is necessary to shift from traditional SDLC security enforcement to a more dynamic security framework.
Our Vision: Creating a Digital Ecosystem around the TIM Cloud
• Expose our infrastructural assets (network, BSS, CRM, data sets)
• Aggregate and attract external communities (R&D, start-ups, PPAA, system integrators, ISVs, ...)
• Broker third parties (cloud providers, software vendors, ...)
• Enable an API economy
• Expose commercial capabilities (sales force, resellers, payments)
• Enable collaborative development for a new generation of cloud-ready SaaS (mashups, DevOps, microservices)
• Sell IaaS, PaaS and SaaS
• Monetise the community
New Security Requirements
In the new cloud ecosystem, new security requirements arise:
• Security pre-scan at dev stage
• Automatic testing at build and push time
• Secure microservices registry
• Scanning containers at run time
• WL/BL (whitelist/blacklist) container registry
• Signed containers
• Centralised logs (big data)
• Contextual access control
• Encrypt data in motion and data at rest
• Orchestrate environments (dev, test, prod)
• Provide a dashboard for security risk assessment
• Discover shadow cloud apps
• Protect mobile and IoT devices with a clientless approach
• Provide SSO / digital ID across apps
• Multi-factor strong authentication
• IAM across apps
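Three of the requirements in the list above (a whitelisted/blacklisted container registry, signed containers, and scanning before images are pushed or run) come together in one control point: an admission check that decides whether a given image reference may be deployed. The following Python example is added here to show the shape of such a check; it is not TIM's code. It parses an image reference into registry, repository, tag and digest, enforces a registry allow list and a repository deny list, refuses mutable tags in favour of digest pinning, and then requires a signature for the digest. The signature store is a constructed HMAC stand-in (names such as SIGNING_KEY, registry.example.internal and the sample digests are hypothetical); a real deployment would verify registry-hosted signatures instead, but the ordering and outcome of the controls is the same.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional

_DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repo: str
    tag: Optional[str]
    digest: Optional[str]


def parse_reference(ref: str) -> ImageRef:
    """Split an image reference into registry, repository, tag and digest.
    The first path component is a registry only if it contains '.' or ':'
    or is 'localhost'; otherwise the reference defaults to docker.io."""
    name, digest = ref, None
    if "@" in ref:
        name, digest = ref.split("@", 1)
        if not _DIGEST.match(digest):
            raise ValueError(f"malformed digest in {ref!r}")
    registry, path = "docker.io", name
    first, sep, rest = name.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    tag = None
    colon = path.rfind(":")
    if colon > path.rfind("/"):          # a ':' after the last '/' starts the tag
        path, tag = path[:colon], path[colon + 1:]
    if not path:
        raise ValueError(f"empty repository in {ref!r}")
    return ImageRef(registry, path, tag, digest)


@dataclass(frozen=True)
class Policy:
    allowed_registries: frozenset       # WL: registries images may be pulled from
    denied_repos: frozenset             # BL: "registry/repo" names never admitted
    require_digest: bool = True         # no mutable tags in production
    require_signature: bool = True      # only images signed by the build pipeline


# Constructed stand-in for a signature store (hypothetical, not a real
# registry signing format): digest -> HMAC tag made with the pipeline's key.
# A production deployment would verify registry-hosted signatures instead;
# the admission logic below keeps the same shape.
SIGNING_KEY = b"constructed-demo-key"


def sign_digest(digest: str, key: bytes = SIGNING_KEY) -> str:
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def signature_valid(digest: str, signatures: dict, key: bytes = SIGNING_KEY) -> bool:
    tag = signatures.get(digest)
    return tag is not None and hmac.compare_digest(tag, sign_digest(digest, key))


def admit(ref_str: str, policy: Policy, signatures: dict) -> tuple:
    """Return (admitted, reason); the first failing control is reported."""
    try:
        ref = parse_reference(ref_str)
    except ValueError as exc:
        return False, f"reject: {exc}"
    if ref.registry not in policy.allowed_registries:
        return False, f"reject: registry {ref.registry} is not allow-listed"
    name = f"{ref.registry}/{ref.repo}"
    if name in policy.denied_repos:
        return False, f"reject: repository {name} is deny-listed"
    if policy.require_digest and ref.digest is None:
        return False, "reject: image not pinned by digest"
    if policy.require_signature and (
        ref.digest is None or not signature_valid(ref.digest, signatures)
    ):
        return False, f"reject: no valid signature for {ref.digest}"
    return True, f"admit: {name}@{ref.digest}"


# Constructed sample data: one digest signed by the pipeline, one not.
GOOD = "sha256:" + "a" * 64
UNSIGNED = "sha256:" + "b" * 64
SIGNATURES = {GOOD: sign_digest(GOOD)}
POLICY = Policy(
    allowed_registries=frozenset({"registry.example.internal", "docker.io"}),
    denied_repos=frozenset({"docker.io/library/busybox"}),
)


def demo() -> list:
    """Run the policy over constructed references; returns [(ref, admitted)]."""
    refs = [
        f"registry.example.internal/payments/api@{GOOD}",       # signed, pinned
        "registry.example.internal/payments/api:latest",        # mutable tag
        f"registry.example.internal/payments/api@{UNSIGNED}",   # no signature
        f"docker.io/library/busybox@{GOOD}",                    # deny-listed repo
        f"mirror.example.org/payments/api@{GOOD}",              # registry not allowed
    ]
    return [(r, admit(r, POLICY, SIGNATURES)[0]) for r in refs]


if __name__ == "__main__":
    for ref, ok in demo():
        print("ADMIT " if ok else "REJECT", ref)
```

The controls run from cheapest to most expensive and the first failure is reported, so a log of rejections tells an operator which requirement the deployment pipeline is missing (unpinned tags and unsigned digests are the usual two). Only the first reference in the constructed sample is admitted; the other four each trip a different control.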
Conclusions
• The trend of porting existing legacy applications with a well-defined monolithic software architecture into the cloud will fade away with time
• New security threats are continuously arising from emerging technologies such as IoT, PaaS, middleware frameworks, microservices, containers, ...
• The new TIM cloud will quickly become a collaborative environment where a number of different entities will create new services together by aggregating capabilities in the form of APIs, building blocks and microservices offered by community members
The scientific community needs to help CPs with new security technologies, solutions, methodologies and standards.
The Cloud MUST Communicate SECURITY By Design!
Grazie / Thank you!
Michele Vecchione
TIM
Director Vertical Platform Engineering
Michele.vecchione@telecomitalia.it