GRUPPO TELECOM ITALIA
Cloud Security @ TIM: Current Practices and Future Challenges
Michele Vecchione @ TIM. 1st Workshop of the Project Cluster on Data Protection, Security and Privacy in the Cloud. 23 February 2016, Napoli, Italy
TIM Cloud Strategy versus OTT Players
Distinctive Factors of our Cloud Business Model
Three distinctive factors differentiate the TIM cloud offering from OTT players: Proximity, Compliance to Security & Privacy, and Excellence in Quality of Experience. The slide's chart marks the Telco side as high on all three axes:
• Proximity: Telco offers direct sales, a pre-sales force, CRM exploitation, customisation and local infrastructures; OTT players offer a product-centric, self-service model.
• Quality of Experience: Telco offers end-to-end control, SLAs and low latency; OTT players are remote, with no direct network control.
• Compliance & Security: Telco offers EU regulation compliance, a SOC/NOC and consultancy; OTT players rely upon the Internet or third parties, with lower privacy rules.
Cloud adoption in Italy
There is space to grow... BUT there are some concerns.
Building a secure cloud for hosting Enterprise SaaS is a TOP priority.
TIM Cloud Infrastructure: Data Centers. A Secure Physical Infrastructure
National DCs: IDC Cesano Maderno, IDC Rozzano, DC Bologna, DC Padova, DC Bari, DC Oriolo Romano, IDC Pomezia
Regional Service Centers: Palermo, Firenze, Torino, Napoli

Per-area figures (one value per data center, in the order listed):
Nord Est Area (Bologna, Padova)
• Systems rooms #: 15, 23
• Systems rooms available area: >4.100, >4.300
• Production systems rooms area: >3.600, >3.300
• TLC systems rooms area: >250, >280
• Installed/Active servers #: >1.100, >950
• Managed servers #: >900, >600
Nord Ovest Area (Cesano, Rozzano)
• Systems rooms #: 16, 11
• Systems rooms available area: >4.800, >3.500
• Production systems rooms area: >4.500, >2.800
• TLC systems rooms area: >280, >200
• Installed/Active servers #: >4.700, >2.200
• Managed servers #: >1.300, >1.500
Center/South Area (Oriolo, Bari, Pomezia; the slide gives two columns of figures under Oriolo and one under "Bari Pomezia", reproduced here in extraction order)
• Systems rooms #: 13, 16, 6
• Systems rooms available area: >3.400, >6.600, >2.000
• Production systems rooms area: >2.900, >6.100, >1.800
• TLC systems rooms area: >400, >400, >90
• Installed/Active servers #: >3.200, >5.400, >800
• Managed servers #: >3.000, >3.000, >700

Acilia (work in progress): ACILIA Data Center, TIER 4
• Area size: >4.0000 mq
• Production system rooms (6 m height): >3.500 mq
• Hi density power supply: up to 15 kW/mq
• Network supports: SDN, NFV
Logical Security: 1) Clarify responsibilities according to the chosen Service Model and Distribution Model
Logical Security: 2) Implement security according to responsibility
Cloud Service Provider scope (TIM):
• Expose clear security levels of cloud SEs
• Inform the customer about certifications, policies, processes, responsibilities, security plan, L. 196 obligations, and checks (e.g. PT and VA) in charge to TIM
• Contractually sign obligations and SLA
Customer scope:
• Assist the customer in understanding residual risk
• Consult the customer to secure its area of responsibility
• Provide additional security services and tools to mitigate its own risk
Logical Security: 3) Security as a service to support SaaS
• TIM Security Competence Center
• TIM Security Operation Center
Market Security Additional Services: main services offered by the TIM Security Operation Center
• AREA PROTECTION: virtual appliances to protect mission critical Web Applications, Databases or File Systems running in the TIM cloud or on premises
• MAIL PROTECTION: mail relay service with an antispam & antivirus layer for customers with a mail service offered by TIM or at customer premises
• MSOC: security appliance management (IDS, IPS, boundary antivirus, web content filtering, antispam)
• HOST PROTECTION (no description on the slide)
• SECURITY ASSESSMENT: periodic vulnerability assessments, penetration testing and source code audits executed by the TIM SOC
• SECURITY MONITORING: monitoring of corporate anti-intrusion systems to identify and block potential attacks from Internet as well as intranet users and prevent system violation
• DDOS MITIGATION: Distributed Denial-of-Service protection, to protect from attacks aiming to block the service to legitimate users

Certifications listed on the slide:
• Cisco CCNA (Cisco Certified Network Associate)
• Microsoft: "Microsoft Windows Server"
• SCJP – Sun Certified Java Programmer
• ISO 20000 & 27001 Lead Auditor
• ECDL Core
• QCS – QualysGuard Certified Specialist
• Certified Information Forensics Investigator – CIFI
• EC-Council Certified Security Analyst – ECSA
• EC-Council Licensed Penetration Tester – LPT
• Certified Ethical Hacker – CEH v7
• Microsoft Certified Systems Engineer
• CompTIA Security+ Certified (SYO-201)
• Fortinet Certified Network and Security Associate (FCNSA)
• Juniper Networks Certified Internet Associate (JNCIA-FWV)
• QualysGuard Certified Specialist
• Hands on Hacking Web Application (HOH)
• Network and system security for company and public administration
• Clavister Firewall Certification
• IT Security & Digital Forensics (Master)
• ISO 9000
• ISO 27001
The world is changing rapidly: new security challenges
! Where is my perimeter? With mobility and cloud, the company perimeter is now the Internet! New cloud security access layers are required to secure corporate apps and data, layers that are aware of the endpoint used, the access location, the OS, a strong digital identity, and the application used.
! How can I intelligently scan all of my huge cloud traffic? An enormous amount of information about activity monitoring logs (users, admins) and anomaly detection (threats, usage, traffic, data scan) needs to be handled every day. A big data approach must be undertaken.
! How do I secure IoT? With IoT, billions of low-power and limited-CPU devices will be connected to applications, generating trillions of daily events.
! How do I secure smartphones? MDM and BYOD have low penetration. How do I secure these endpoints in an easier way?
The world is changing rapidly: new security challenges
! How can I enforce data protection using cloud? Corporate applications need to enforce data protection in different cloud deployment scenarios. How can I get visibility on Shadow Cloud? How can I get contextual access control and prevent data leakage on the cloud?
! How can I secure agile and collaborative development? DevOps is growing fast. With continuous development, integration and delivery it is necessary to shift from traditional SDLC security enforcement to a more dynamic security framework.
Our Vision: Creating a Digital Ecosystem around the TIM Cloud
• Expose our infrastructural assets (Network, BSS, CRM, Data Sets)
• Aggregate and attract external communities (R&D, start-ups, PPAA, system integrators, ISVs, ...)
• Broker third parties (cloud providers, SW vendors, ...)
• Enable an API economy
• Expose commercial capabilities (sales force, resellers, payments)
• Enable collaborative development for a new generation of cloud-ready SaaS (mashups, DevOps, microservices)
• Sell IaaS, PaaS and SaaS
• Monetise the community
New Security Requirements
In the new Cloud Ecosystem new security requirements arise:
• Security pre-scan at dev stage
• Automatic testing at build and push time
• Secure microservices registry
• Scanning containers at run time
• WL/BL (whitelist/blacklist) container registry
• Signed containers
• Centralised log (big data)
• Contextual access control
• Encrypt data in motion and data at rest
• Orchestrate environments (Dev, Test, Prod)
• Provide a dashboard for security risk assessment
• Discover shadow cloud apps
• Protect mobile and IoT devices with a client-less approach
• Provide SSO / Digital ID across apps
• Multi-factor strong authentication
• IAM across apps
Conclusions
• The trend of porting existing legacy applications with a well defined monolithic SW architecture into the cloud will fade away with time
• New security threats are continuously arising from new emerging technologies such as IoT, PaaS, middleware frameworks, microservices, containers, ...
• The new TIM cloud will quickly become a collaborative environment where a number of different entities will create new services together by aggregating capabilities in the form of APIs, building blocks and microservices offered by community members.
The scientific community needs to help CPs with new security technologies, solutions, methodologies and standards.
The Cloud MUST communicate SECURITY by Design!
Thank You! Michele Vecchione, TIM Director Vertical Platform Engineering, [email protected]