cloud security webinar Jean-François Audenard – Cloud Security Advisor November 10, 2011

Cloud Computing Security


Page 1: Cloud Computing Security

cloud security webinar

Jean-François Audenard – Cloud Security Advisor

November 10, 2011

Page 2: Cloud Computing Security

2 Cloud Security Webinar –Nov 2011 France Telecom - Orange

our agenda

1. context

2. expectations

3. building & maintaining trust

4. Orange cloud services

Page 3: Cloud Computing Security


context

Page 4: Cloud Computing Security


our customers are targets

CISCO – Global Threat Report – 2Q2011


Page 5: Cloud Computing Security


Cloud concentrates everything

datacenters

customer’s data

revenues

risks

hacker’s greed

security (good news !)

Page 6: Cloud Computing Security


threats follow the data

enterprise internal network/IT

Cloud Services Providers (CSP)

threats / attackers

threats

Page 7: Cloud Computing Security


expectations

Page 8: Cloud Computing Security


Cloud security is a must have

Page 9: Cloud Computing Security


an expectation AND a business accelerator

<…> As counterintuitive as this may seem, enterprises actually expect cloud security to be superior to what they employ for traditional IT services. Current Analysis’ survey of ‘Cloud Services 2011 – Enterprise Adoption Plans and Trends’ in August 2011 found that one of the drivers for cloud adoption is actually more security. <…>

highly secure cloud services : A business booster

Page 10: Cloud Computing Security


compliance

as a customer

– internal compliance (IT Security Policy)

– vertical compliance (PCI-DSS, …)

as a service provider

– Telco’s specific obligations

– General legal obligations

rising trend on personal information

– Data breach notifications

nothing really specific related to cloud


Page 11: Cloud Computing Security


question : what really changes with cloud ?

Cloud is not more or less secure : the security posture evolves

– Risks are transferred

– New risks appear

underlying cloud technologies are not new

concentration brings new opportunities (but increased risks too).

…the cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defenses can be more robust, scalable and cost-effective…

Source: Enisa

answer : Cloud requires security excellence & associated transparency

Page 12: Cloud Computing Security


building & maintaining trust


Page 13: Cloud Computing Security


trust must be both external & internal

internal stakeholders

enterprise

Cloud

Executives

Business Units

Risk Managers, CISO

Corporate IT

Employees

government specifics

regulations

Cloud providers

regulation/standards bodies

• Certifications

• Security SLAs

• Transparency

• Adherence to standards

• Cloud service catalog

• Risks assessment

• Security SLAs

• Policies

• Applicable laws

• “Cloud-ready” regulations

• certification bodies

standards

Page 14: Cloud Computing Security


create: data classification & rights assignment

transfer: private networks, encryption & strong authentication

store: access control, rights management, encryption

use: application security, logical controls, activity monitoring

archive: encryption, asset management

destroy: crypto-shredding, secure deletion, content discovery

ensures data protection

Page 15: Cloud Computing Security


appropriate level of engagement

Cloud service provider management

customer’s management

increased responsibilities for the Cloud Service Provider

responsibilities between parties

datacenter

servers & network

Hypervisor (VMM)

VM

operating systems

middleware

applications

IaaS

PaaS

SaaS

increased criticality

high-level of shared resources

Page 16: Cloud Computing Security


Cloud models & security

public Cloud for enterprises

community cloud

private cloud

hybrid cloud

shared infrastructure

dedicated infrastructure/staff/processes

security is under customer’s control

security controlled by the provider

Internal risk & compliance still apply here !

Page 17: Cloud Computing Security


implementation rules

transparency brings confidence

shift your mindset to data-centric security

leverage existing security frameworks & practices

participate in research & standardization activities

Page 18: Cloud Computing Security


Orange cloud services

Page 19: Cloud Computing Security


our cloud security development lifecycle

Security Risk Assessment

Security Implementation Assistance

Security Reviews

Security Penetration Tests

T0

T3

T2

T-1

Risks Mitigation Plan

High-Level Risks Assessment

Continuous improvement (PDCA)

Legal Obligations Assessment

integrated approach

– right from the beginning

– risk-based approach

driven by experts

– security consultants

– security architects

– specialized lawyers

adaptable & updated

– for specific projects too

Page 20: Cloud Computing Security


portfolio

Infrastructure as a Service

Software as a Service

IT infrastructure as a Service

Security as a Service

Collaboration as a Service

Real-Time applications as a Service

Back-up and Storage as a Service

Flexible Computing Premium

Messaging Protection Suite

Web Protection Suite

Unified Collaboration

(B2GaaS)

Fleet Management

Network IVR

Business Store

Flexible Computing Private

2011

H2 2010

now

VPN Galerie

IT Plan

Contact Center as a Service

Cloud-ready Networking

Business VPN

Business Acceleration

Flexible Computing

Business Telephony

Hosted Exchange

Orange API

Private Applications Store

Business Together with Microsoft – Online Services

Flexible SSL

Smartphone management

Application & Content Delivery

Networking

Page 21: Cloud Computing Security


Web Protection Suite

real-time protection from zero-day threats

– real-time scanning, not just URL filtering

– latest security detections immediately benefit all customers

– policy enforced across the enterprise, including to out-of-office workers

effortless management

– intuitive Web-based interface centralizing all management and reporting functions

– policy changes are immediately rolled-out across the enterprise

real security-as-a-service

– take hardware, software and database into the cloud

– pricing mostly based on monthly recurring charges

– save costs: customers confirm 30-40% in annual TCO savings


Page 22: Cloud Computing Security


flexible SSL

a comprehensive “IT opening” cloud solution, proposed in SaaS model

capable of connecting every type of remote user to your internal IT system

using every type of device (laptop, PDA, …)

with every type of connection (DSL, BE v3, …)

and with every profile (corporate user, 3rd party, …)

a scalable offer that easily follows your requirements

automated real-time changes

subscription modifiable on a monthly basis (SaaS model)

with aggressive SLA and pricing model

pricing model based on the application and not on the gateway

the only requirement is to be an Orange Business Services MPLS customer

travelers

home worker

partners

Internal applications

messaging

corporate employees

Gallery

internet

IT resources

Page 23: Cloud Computing Security


Cloud & security are best friends


Page 24: Cloud Computing Security

Thank you !

Page 25: Cloud Computing Security


Cloud vulnerabilities are an opportunity


Page 26: Cloud Computing Security


Cloud specific vulnerabilities

On-demand self-service

Ubiquitous network access

Resource pooling

Rapid elasticity

Measured service

NIST

Virtualization

Hyper-jacking

VM-Escape

VM sprawl

VM Theft

Direct vulnerabilities

Page 27: Cloud Computing Security


Direct vulnerabilities

they’re the visible top of the iceberg

associated risks may hit both

– the provider

– its customers

Identified during risk assessment phase

the provider must manage them

the provider must demonstrate them

Page 28: Cloud Computing Security


Yes : Thanks to cloud-specific vulnerabilities

On-demand self-service

Ubiquitous network access

Resource pooling

Rapid elasticity

Measured service

NIST

Virtualization

Hyper-jacking

VM-Escape

VM sprawl

VM Theft

Direct vulnerabilities

Indirect vulnerabilities

Inability to monitor traffic

Limited network zoning

Single point of failure

Forbidden network vulns scans

Page 29: Cloud Computing Security


Indirect vulnerabilities

are seen as regressions or limitations

A security control may be either

– difficult to instantiate

– impossible to implement

associated risks are customer-centric

an opportunity for

– provider’s differentiation

– premium services catalog
