
GRUPPO TELECOM ITALIA

Cloud Security @ TIM: Current Practices and Future Challenges

Michele Vecchione @ TIM. 1st Workshop of the Project Cluster on Data Protection, Security and Privacy in the Cloud. 23 February 2016, Napoli, Italy


The TIM Group in short


TIM Cloud Strategy versus OTT Players

Distinctive Factors of our Cloud Business Model

Three distinctive factors differentiate the TIM cloud offering from OTT players: Proximity, Compliance to Security & Privacy, and Excellence in Quality of Experience.

Chart (Telco vs OTT): Proximity, Quality of Experience, Compliance & Security, all three marked high.

Telco versus OTT:

•  Proximity. Telco: Direct Sales, PreSales Force, CRM Exploitation, Customisation, Local Infrastructures. OTT: Product Centric, Self Service.
•  Quality of Experience. Telco: E2E control, SLA, Low latency. OTT: Remote, No direct network control.
•  Compliance & Security. Telco: EU regulation, SOC/NOC, Consultancy. OTT: Rely upon Internet or third parties, Lower privacy rules.


Cloud adoption in Italy

There is space to grow... but there are some concerns.

Building a secure cloud for hosting Enterprise SAAS is a TOP Priority


TIM Cloud Infrastructure: Data Centers. A Secure Physical Infrastructure

Regional Service Centers and National DCs: IDC Cesano Maderno, IDC Rozzano, DC Bologna, DC Padova, DC Bari, Palermo, Firenze, Torino, Napoli, DC Oriolo Romano, IDC Pomezia

Nord Est Area (Bologna, Padova)
•  Systems rooms #: 15, 23
•  Systems Rooms available area: >4.100, >4.300
•  Production Systems rooms area: >3.600, >3.300
•  TLC Systems rooms area: >250, >280
•  Installed/Active Servers #: >1.100, >950
•  Managed Servers #: >900, >600

Nord Ovest Area (Cesano, Rozzano)
•  Systems rooms #: 16, 11
•  Systems Rooms available area: >4.800, >3.500
•  Production Systems rooms area: >4.500, >2.800
•  TLC Systems rooms area: >280, >200
•  Installed/Active Servers #: >4.700, >2.200
•  Managed Servers #: >1.300, >1.500

Center/South Area: Oriolo
•  Systems rooms #: 13, 16
•  Systems Rooms available area: >3.400, >6.600
•  Production Systems rooms area: >2.900, >6.100
•  TLC Systems rooms area: >400, >400
•  Installed/Active Servers #: >3.200, >5.400
•  Managed Servers #: >3.000, >3.000

Bari, Pomezia
•  Systems rooms #: 6
•  Systems Rooms available area: >2.000
•  Production Systems rooms area: >1.800
•  TLC Systems rooms area: >90
•  Installed/Active Servers #: >800
•  Managed Servers #: >700

Acilia (work in progress)
•  Data Center: TIER 4
•  Area Size: >4.0000 mq
•  Production System Rooms (6 m Height): >3.500 mq
•  Hi Density power supply: up to 15 Kw/mq
•  Network supports: SDN, NFV


Logical Security: 1) Clarify Responsibilities according to the chosen Service Model and Distribution Model


Logical Security: 2) Implement Security according to Responsibility

Cloud Service Provider Scope (TIM):
•  Expose clear security levels of cloud SEs
•  Inform the customer about Certifications, Policies, Processes, Responsibilities, Security Plan, L. 196 obligations, and Checks (e.g. PT and VA) for which TIM is in charge
•  Contractually sign obligations and SLA

Customer Scope:
•  Assist the customer in understanding residual risk
•  Consult the customer to secure its area of responsibility
•  Provide additional Security Services and tools to mitigate its own risk


Logical Security: 3) Security as a service to support SAAS

•  TIM Security Competence Center
•  TIM Security Operation Center


Market Security Additional Services: Main Offered Services

TIM Security Operation Center: Area Protection, Mail Protection, MSOC, Host Protection, Security Assessment, Security Monitoring, DDoS Mitigation

•  Virtual appliances to protect mission critical Web Applications, Databases or File Systems running in the TIM cloud or on premises
•  Mail Relay service with Antispam & Antivirus layer for customers with Mail Service offered by TIM or at Customer Premises
•  Security Appliance Mgmt (IDS, IPS, Boundary Antivirus, Web Content Filtering, Antispam)
•  Distributed Denial-of-Service Protection, to protect from attacks aiming to block the service to legitimate users
•  Periodic Vulnerability Assessments, Penetration Testing, Source Code Audit executed by the TIM SOC
•  Monitoring of corporate anti-intrusion systems to identify and block potential attacks from internet as well as intranet users and prevent system violation

•  Cisco CCNA (Cisco Certified Network Associate)
•  Microsoft: "Microsoft Windows Server"
•  SCJP - Sun Certified Java Programmer
•  ISO 20000 & 27001 Lead Auditor
•  ECDL Core
•  QCS - QualysGuard Certified Specialist
•  Certified Information Forensics Investigator – CIFI
•  EC-Council Certified Security Analyst – ECSA
•  EC-Council Licensed Penetration Tester – LPT
•  Certified Ethical Hacker – CEH v7
•  Microsoft Certified Systems Engineer
•  CompTIA Security+ Certified (SYO-201)
•  Fortinet Certified Network and Security Associate (FCNSA)
•  Juniper Networks Certified Internet Associate (JNCIA-FWV)
•  QualysGuard Certified Specialist
•  Hands on Hacking Web Application (HOH)
•  Network and system security for company and public administration
•  Clavister Firewall Certification
•  IT Security & Digital Forensics (Master)
•  ISO 9000
•  ISO 27001


The world is changing rapidly: new security challenges

•  Where is my Perimeter? With mobility and cloud, the company perimeter is now the Internet! New cloud security Access Layers are required to secure corporate apps and data, aware of the endpoint used, access location, OS, strong digital identity, and the application used.

•  How can I intelligently scan all of my huge cloud traffic? An enormous amount of information about activity monitoring logs (users, admins) and anomaly detection (threats, usage, traffic, data scan) needs to be handled every day. A big data approach must be undertaken.

•  How do I secure IoT? With IoT, billions of low power and limited CPU devices will be connected to applications, generating trillions of daily events.

•  How do I secure smartphones? MDM and BYOD have low penetration. How do I secure these endpoints in an easier way?


The world is changing rapidly: new security challenges

•  How can I enforce data protection using cloud? Corporate applications need to enforce data protection in different cloud deployment scenarios. How can I get visibility on Shadow Cloud? How can I get contextual access control and prevent data leakage on the cloud?

•  How can I secure agile and collaborative developments? DevOps is growing fast. With continuous development, integration and delivery it is necessary to shift from traditional SDLC security enforcement to a more dynamic security framework.


Our Vision: Creating a Digital Ecosystem around the TIM Cloud

•  Expose our Infrastructural assets (Network, BSS, CRM, Data Sets)
•  Aggregate and attract External Communities (R&D, Start-ups, PPAA, System Integrators, ISV, ...)
•  Broker Third Parties (Cloud providers, SW Vendors, ...)
•  Enable an API economy
•  Expose Commercial Capabilities (sales force, resellers, payments)
•  Enable collaborative Dev for a new generation of cloud-ready SAAS (Mashup, DevOps, Microservices)
•  Sell IAAS, PAAS and SAAS
•  Monetise the community


New Security Requirements

In the new Cloud Ecosystem new security requirements arise:

•  Security pre-scan at Dev stage
•  Automatic testing at build and push time
•  Secure microservices registry
•  Scanning containers at run time
•  WL/BL (whitelist/blacklist) container registry
•  Signed containers
•  Centralised logs (Big Data)
•  Contextual access control
•  Encrypt data in motion and data at rest
•  Orchestrate environments (Dev, Test, Prod)
•  Provide a dashboard for security risk assessment
•  Discover Shadow cloud apps
•  Protect Mobile and IoT devices with a client-less approach
•  Provide SSO / Digital ID across apps
•  Multi-factor strong authentication
•  IAM across apps


Conclusions

•  The trend of porting existing legacy applications with well defined monolithic SW architecture into the cloud will fade away with time.
•  New security threats are continuously arising from new emerging technologies such as IoT, PAAS, middleware frameworks, microservices, containers, ...
•  The new TIM cloud will quickly become a collaborative environment where a number of different entities will create new services together by aggregating capabilities in the form of APIs, building blocks and micro-services offered by community members.

The scientific community needs to help CPs with new Security Technologies, Solutions, Methodologies and Standards.

The Cloud MUST Communicate SECURITY By Design!

Thank You! Michele Vecchione, TIM Director Vertical Platform Engineering, [email protected]