cloud security webinar
Jean-François Audenard – Cloud Security Advisor
November 10, 2011
2 Cloud Security Webinar –Nov 2011 France Telecom - Orange
our agenda
1. context
2. expectations
3. building & maintaining trust
4. Orange cloud services
context
our customers are targets
CISCO – Global Threat Report – 2Q2011
© Paty Wingrove - Fotolia.com
Cloud concentrates everything
datacenters
customer’s data
revenues
risks
hacker’s greed
security (good news !)
© boulevard - Fotolia.com
threats follow the data
enterprise internal network/IT
Cloud Services Providers (CSP)
threats / attackers
threats
expectations
Cloud security is a must have
an expectation AND a business accelerator
<…> As counterintuitive as this may seem, enterprises actually expect cloud security to be superior to what they employ for traditional IT services. Current Analysis’ survey of ‘Cloud Services 2011 – Enterprise Adoption Plans and Trends’ in August 2011 found that one of the drivers for cloud adoption is actually more security. <…>
highly secure cloud services : A business booster
compliance
as a customer
– internal compliance (IT Security Policy)
– vertical compliance (PCI-DSS, …)
as a service provider
– Telco’s specific obligations
– General legal obligations
rising trend on personal information
– Data breach notifications
nothing really specific related to cloud
© Scott Maxwell - Fotolia.com
question : what really changes with cloud ?
Cloud is not more or less secure : the security posture evolves
– Risks are transferred
– New risks appear
underlying cloud technologies are not new
concentration brings new opportunities (but increased risks too).
…the cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defenses can be more robust, scalable and cost-effective…
Source: Enisa
answer : Cloud requires security excellence & associated transparency
building & maintaining trust
© Ben Chams - Fotolia.com
trust must be both external & internal
internal stakeholders
enterprise
Cloud
Executives
Business Units
Risk Managers, CISO
Corporate IT
Employees
government specifics
regulations
Cloud providers
regulation/standards bodies
• Certifications
• Security SLAs
• Transparency
• Adherence to standards
• Cloud service catalog
• Risks assessment
• Security SLAs
• Policies
• Applicable laws
• “Cloud-ready” regulations
• certification bodies
standards
create: data classification & rights assignation
transfer: private networks, encryption & strong authentication
store: access control, rights management, encryption
use: application security, logical controls, activity monitoring
archive: encryption, asset management
destroy: crypto-shredding, secure deletion, content discovery
ensures data protection
appropriate level of engagement
Cloud service provider management
customer’s management
increased responsibilities for the Cloud Service Provider
responsibilities between parties
datacenter
servers & network
Hypervisor (VMM)
VM
operating systems
middleware
applications
IaaS
PaaS
SaaS
increased criticality
high-level of shared resources
Cloud models & security
public Cloud for enterprises
community cloud
private cloud
hybrid cloud
shared infrastructure
dedicated infrastructure/staff/processes
security is under customer’s control
security controlled by the provider
Internal risk & compliance still apply here !
implementation rules
transparency brings confidence
shift your mindset to data-centric security
leverage existing security frameworks & practices
participate in research & standardization activities
© lilufoto - Fotolia.com
Orange cloud services
our cloud security development lifecycle
Security Risk Assessment
Security Implementation Assistance
Security Reviews
Security Penetration Tests
T0
T3
T2
T-1
Risks Mitigation Plan
High-Level Risks Assessment
Continuous improvement (PDCA)
Legal Obligations Assessment
integrated approach
– right from the beginning
– risk-based approach
driven by experts
– security consultants
– security architects
– specialized lawyers
adaptable & updated
– for specific projects too
portfolio
Infrastructure as a Service
Software as a Service
IT infrastructure as a Service
Security as a Service
Collaboration as a Service
Real-Time applications as a Service
Back-up and Storage as a Service
Flexible Computing Premium
Messaging Protection Suite
Web Protection Suite
Unified Collaboration
(B2GaaS)
Fleet Management
Network IVR
Business Store
Flexible Computing Private
2011H2 2010now
VPN Galerie
IT Plan
Contact Center as a Service
Cloud-ready Networking
Business VPN
Business Acceleration
Flexible Computing
Business Telephony
Hosted Exchange
Orange API
Private Applications Store
Business Together with Microsoft – Online Services
Flexible SSL
Smartphone management
Application & Content Delivery Networking
Web Protection Suite
real-time protection from zero-day threats
– real-time scanning, not just URL filtering
– latest security detections immediately benefit all customers
– policy enforced across the enterprise, including to out-of-office workers
effortless management
– intuitive Web-based interface centralizing all management and reporting functions
– policy changes are immediately rolled-out across the enterprise
real security-as-a-service
– take hardware, software and database into the cloud
– pricing mostly based on monthly recurring charges
– save costs: customers confirm 30-40% in annual TCO savings
powered by
flexible SSL
a comprehensive “IT opening” cloud solution, proposed in SaaS model
capable of connecting every type of remote user to your internal IT system
using every type of device (laptop, PDA, …)
with every type of connection (DSL, BE v3, …)
and with every profile (corporate user, 3rd party, …)
a scalable offer that easily follows your requirements
automated real-time changes
subscription modifiable on a monthly basis (SaaS model)
with aggressive SLA and pricing model
pricing model based on the application and not on the gateway
the only requirement is to be an Orange Business Services MPLS customer
travelers
home worker
partners
Internal applications
messaging
corporate employees
Gallery
internet
IT resources
Cloud & security are best friends
© laurent hamels - Fotolia.com
Thank you !
Cloud vulnerabilities are an opportunity
© Yuri Arcurs - Fotolia.com
Cloud specific vulnerabilities
On-demand self-service
Ubiquitous network access
Resource pooling
Rapid elasticity
Measured service
NIST
Virtualization
Hyper-jacking
VM-Escape
VM sprawl
VM Theft
Direct vulnerabilities
Direct vulnerabilities
they’re the visible top of the iceberg
associated risks may hit both
– the provider
– its customers
Identified during risk assessment phase
the provider must manage them
the provider must demonstrate them
Yes : Thanks to cloud-specific vulnerabilities
On-demand self-service
Ubiquitous network access
Resource pooling
Rapid elasticity
Measured service
NIST
Virtualization
Hyper-jacking
VM-Escape
VM sprawl
VM Theft
Direct vulnerabilities
Indirect vulnerabilities
Inability to monitor traffic
Limited network zoning
Single point of failure
Forbidden network vulns scans
Indirect vulnerabilities
are seen as regressions or limitations
A security control may be either
– difficult to instantiate
– impossible to implement
associated risks are customer-centric
an opportunity for
– provider’s differentiation
– premium services catalog
© brodtcast - Fotolia.com