OBS presentation on cloud computing security
cloud computing security
Jean-François AUDENARD – Orange Business Services – Cloud Security Advisor
CLUSIR – InfoNord – Club RSSI presentation
v1r0 – June 12th, 2012
Cloud Security – 12 June 2012 – Orange Business Services
agenda
• Security and the data lifecycle
– The challenges of data security in the cloud
– Opportunities, but also a return to fundamentals
– "Data-adherent" security: principles & approach
• Cloud security at Orange Business Services
– Our "SecuredByDesign" approach
– Model for integrating security into Cloud projects
– Maintaining and improving security day to day
• Questions & answers
context
Our customers are targets
CISCO – Global Threat Report – 2Q2011
Flame – 1Q2012
Cloud concentrates everything
• Datacenters
• Customers' data
• Revenues
• Risks
• Hackers' greed
• Security (good news!)
Threats follow the data
[Diagram: threats and attackers follow the data from the enterprise internal network/IT to the Cloud Services Providers (CSP)]
expectations
Cloud security is a must-have
All the big analyst firms agree!
An expectation AND a business accelerator
<…> As counterintuitive as this may seem, enterprises actually expect cloud security to be superior to what they employ for traditional IT services. Current Analysis' survey of 'Cloud Services 2011 – Enterprise Adoption Plans and Trends' in August 2011 found that one of the drivers for cloud adoption is actually more security. <…>
Highly secure cloud services will boost our business
Compliance
• As a customer
– Internal compliance
– Vertical compliance (PCI-DSS, …)
• As a service provider
– Telco's legal obligations
• Rising trend on personal information
– Data breach notifications
Nothing specific related to cloud
What’s really new
Question: what really changes with cloud?
• Cloud is not more or less secure: the security posture evolves
– Risks are transferred
– New risks appear
• Underlying cloud technologies are not new
• Concentration brings new opportunities (but increased risks too).
"…the cloud's economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defenses can be more robust, scalable and cost-effective…"
Source: ENISA
Answer: Cloud requires security excellence & associated transparency
Cloud-specific vulnerabilities
[Diagram: direct vulnerabilities. NIST cloud characteristics: On-demand self-service, Ubiquitous network access, Resource pooling, Rapid elasticity, Measured service. Virtualization: Hyper-jacking, VM-Escape, VM sprawl, VM theft.]
Direct vulnerabilities
• They're the visible top of the iceberg
• Associated risks may hit both
– the provider
– its customers
• Identified during the risk assessment phase
• The provider must manage them
• The provider must demonstrate them
Vulnerabilities are an opportunity
Yes: thanks to cloud-specific vulnerabilities
[Diagram, as on the previous slide, with the indirect vulnerabilities added. NIST cloud characteristics: On-demand self-service, Ubiquitous network access, Resource pooling, Rapid elasticity, Measured service. Virtualization: Hyper-jacking, VM-Escape, VM sprawl, VM theft → direct vulnerabilities. Indirect vulnerabilities: inability to monitor traffic, limited network zoning, single point of failure, forbidden network vulnerability scans.]
Indirect vulnerabilities
• Seen as regressions or limitations
• A security control may be either
– difficult to instantiate
– impossible to implement
• Associated risks are customer-centric
• An opportunity for
– the provider's differentiation
– a premium services catalog
Securing the cloud(s)
Appropriate level of engagement
[Diagram: responsibilities between parties, from the customer's management to the Cloud Service Provider's management]
Stack layers: Datacenter, Servers & network, Hypervisor (VMM), VM, Operating systems, Middleware, Applications
Moving from IaaS to PaaS to SaaS: increased responsibilities for the Cloud Service Provider, increased criticality, high level of shared resources
Cloud models & security
[Diagram: public cloud, community cloud, private cloud and hybrid cloud placed between two poles]
Shared infrastructure – security controlled by the provider
Dedicated infrastructure/staff/processes – security is under the customer's control
Internal risk & compliance still apply here!
Building & maintaining Trust
Trust must be both external & internal
[Diagram: trust relationships between the enterprise, cloud providers, government and regulation/standards bodies]
Internal stakeholders (enterprise): Executives, Business Units, Risk Managers, CISO, Corporate IT, Employees – risk assessment, security SLAs, policies
Cloud Providers – certifications, security SLAs, transparency, adherence to standards, cloud service catalog
Government (specific regulations) – applicable laws, "cloud-ready" regulations
Regulation/standards bodies – certification bodies, standards
With the cloud, data is living everywhere
[Diagram: Corporate IT (VMs, VM templates) and Business Units (VM administration, VM/data transfers, access to the application) interact with the corporate application running as VMs in a virtual datacenter on the cloud infrastructure]
In the cloud, data is living everywhere: risk too
[Diagram: the same picture of Corporate IT, Business Units, the corporate application in the virtual datacenter and the cloud infrastructure, annotated with risks: sniffing, DDoS, impersonation, malware, device theft/loss, disgruntled admin, theft of credentials, weak release management, VM sprawl, security patches, rogue admin, isolation failure, data location, poor access control, SQL injections, toxic data]
The data security lifecycle
Create – generation of new content or significant modification of existing content
Store – committing data to storage
Use – user interacting with the data (cloud & endpoint)
Share – exchange of data between users, customers and partners
Archive – data transfer to long-term storage
Destroy – permanent destruction & content discovery
Simultaneous and multiple data lifecycles
[Diagram: the same picture of Corporate IT, Business Units, the corporate application in the virtual datacenter and the cloud infrastructure, with a Create/Store/Use/Share/Archive/Destroy lifecycle running at each of these places in parallel]
Use case: a Virtual Machine (IaaS)
Mapped onto the Create/Store/Use/Share/Archive/Destroy lifecycle:
1. Initial creation by corporate IT
2. Transfer to the cloud as an OVF container
3. Insertion in the VM template store
4. VMs are instantiated and executed for business purposes
5. VM templates and instances are deleted
1 – Creation of the VM template by corporate IT – Create
1. classify
2. assign rights
• Risk-based decision for moving specific workloads/applications into selected cloud(s)
• Tag VM templates with labels to facilitate rights allocation/assignment
2 – Transfer to the cloud as an OVF container – Share
1. activity monitoring & enforcement
2. encryption
3. logical controls
4. application security
• watch when and where admin(s) are transferring templates
• log accesses to admin interfaces
• secure data in motion using encryption
• secure admin interfaces/API
3 – Insertion in the VM template store – Store
1. filesystem access controls
2. encryption
3. rights management
4. content discovery
• isolation between tenants & administrator separation of duties
• volume/media encryption
• enforcement of rights created during the "Create" phase (when data enters storage)
• ensure data are located at the right place
4 – VMs are instantiated and executed for business purposes – Use
1. activity monitoring & enforcement
2. rights management
3. logical controls
4. application security
• agent-based security & access log collection
• enforcement of rights created during the "Create" phase (modification, export, copying, …)
• application logic controls
• application security
! 2 perimeters of controls
1) cloud-based controls
2) endpoint-based controls
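The Create, Share, Store and Use controls above all rest on one idea: the classification and rights decided at "Create" stay attached to the template and are re-checked, and logged, at every later phase. The Python below is an added example written for this page, not code from the presentation or from Orange Business Services. The Phase, Label, VMTemplate and enforce() names, the two roles and the two cloud names are constructed for the illustration.

```python
"""Rights that stay attached to a VM template through its lifecycle (added example).

A Label is assigned at the Create phase (classification, allowed clouds, per-role
rights) and the same Label is enforced and logged at Store, Share and Use.
Phase, Label, VMTemplate, enforce() and all role/cloud names are constructed here.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional


class Phase(Enum):
    CREATE = "create"
    STORE = "store"
    USE = "use"
    SHARE = "share"
    ARCHIVE = "archive"
    DESTROY = "destroy"


@dataclass
class Label:
    classification: str                 # e.g. "confidential", set when classifying at Create
    owner: str                          # business unit that owns the template
    allowed_clouds: FrozenSet[str]      # risk-based decision: where this workload may live
    rights: Dict[str, FrozenSet[str]]   # role -> permitted actions (modify, export, copy, transfer)


@dataclass
class VMTemplate:
    name: str
    label: Label                        # the label travels with the data


@dataclass
class Decision:
    allowed: bool
    reason: str


def enforce(template: VMTemplate, phase: Phase, role: str, action: str,
            location: Optional[str] = None,
            audit: Optional[List[str]] = None) -> Decision:
    """Re-check the Create-phase label at a later phase; deny by default; log every decision."""
    label = template.label
    if phase is Phase.STORE:
        # Store: "ensure data are located at the right place"
        ok = location in label.allowed_clouds
        decision = Decision(ok, f"store in {location}: "
                            + ("allowed cloud" if ok else "not an allowed cloud"))
    elif phase in (Phase.USE, Phase.SHARE):
        # Use/Share: modification, export, copying and transfer rights fixed at Create
        ok = action in label.rights.get(role, frozenset())
        decision = Decision(ok, f"{role} may {action}" if ok else f"{role} not granted {action}")
    else:
        decision = Decision(False, f"no rule for phase {phase.value}; denied by default")
    if audit is not None:
        # Activity monitoring: who, what, where, which template, and the outcome
        audit.append(f"phase={phase.value} template={template.name} "
                     f"class={label.classification} role={role} action={action} "
                     f"location={location} allowed={decision.allowed}")
    return decision


def demo() -> Dict[str, object]:
    """Constructed scenario: a confidential finance template, two roles, two clouds."""
    audit: List[str] = []
    label = Label(
        classification="confidential",
        owner="finance",
        allowed_clouds=frozenset({"private-cloud-a"}),          # constructed cloud name
        rights={
            "corporate-it-admin": frozenset({"transfer", "copy"}),
            "finance-user": frozenset({"modify"}),
        },
    )
    tpl = VMTemplate("finance-app-template", label)
    results: Dict[str, object] = {
        "store_ok": enforce(tpl, Phase.STORE, "corporate-it-admin", "store",
                            "private-cloud-a", audit).allowed,
        "store_wrong_cloud": enforce(tpl, Phase.STORE, "corporate-it-admin", "store",
                                     "public-cloud-x", audit).allowed,
        "admin_transfer": enforce(tpl, Phase.SHARE, "corporate-it-admin", "transfer",
                                  "private-cloud-a", audit).allowed,
        "user_export": enforce(tpl, Phase.USE, "finance-user", "export",
                               "private-cloud-a", audit).allowed,
        "user_modify": enforce(tpl, Phase.USE, "finance-user", "modify",
                               "private-cloud-a", audit).allowed,
    }
    results["audit_entries"] = len(audit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Denial is the default for any phase without a rule, and every decision, allowed or not, is appended to the audit list: that list is the "activity monitoring & enforcement" control of the Share and Use phases, and it records the location so the Store-phase data-location check is also visible after the fact.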
5 – VM templates and instances are deleted – Destroy
1. crypto-shredding
2. secure deletion
3. physical destruction
4. content discovery
• delete the encryption keys
• overwrite data 3 to 7 times with a random pattern
• degaussing or physical destruction of storage devices
• ensure no copies or versions of the data remain accessible
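Of the four Destroy controls, crypto-shredding is the one a cloud customer can actually carry out: the tenant usually cannot overwrite or degauss the provider's media and has no view of the snapshots and backup replicas the platform keeps. The Python below is an added example for this page, not code from the presentation or from Orange Business Services. It encrypts a constructed VM template under a per-object key, replicates the ciphertext, then destroys the key and checks that every copy has become unreadable. KeyStore, encrypt()/decrypt() and the "vm-template-0042" key id are constructed for the example, and the HMAC-SHA256 counter-mode keystream is a stand-in for a real authenticated cipher such as AES-GCM (Python's standard library has no AES); what the example shows is the key lifecycle, not the cipher.

```python
"""Crypto-shredding: make every copy of a data object unrecoverable by destroying its key.

Added example, not the presentation's code. The cipher is an HMAC-SHA256 counter-mode
keystream standing in for a real AEAD such as AES-GCM; the point is the key lifecycle.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

NONCE_LEN = 16


class KeyStore:
    """Per-object data-encryption keys indexed by key id (assumed key-management API)."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def create(self, key_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[key_id] = key
        return key

    def get(self, key_id: str) -> Optional[bytes]:
        return self._keys.get(key_id)

    def destroy(self, key_id: str) -> bool:
        """The crypto-shredding step: delete the key, never touch the (replicated) data."""
        return self._keys.pop(key_id, None) is not None


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode over HMAC-SHA256 blocks; one 32-byte block per counter value.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext (no authentication tag: illustrative only)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def read_object(store: KeyStore, key_id: str, blob: bytes) -> Optional[bytes]:
    """Plaintext while the key exists; None once the key has been shredded."""
    key = store.get(key_id)
    return decrypt(key, blob) if key is not None else None


def shred_demo() -> Dict[str, object]:
    """Constructed scenario: one VM template replicated to three storage locations."""
    store = KeyStore()
    key_id = "vm-template-0042"                                   # constructed identifier
    key = store.create(key_id)
    template = b"OVF container for the finance VM template"       # constructed payload
    blob = encrypt(key, template)
    # Replication the tenant does not control: primary volume, snapshot, backup copy.
    copies = {"primary": blob, "snapshot": bytes(blob), "backup": bytes(blob)}
    readable_before = {name: read_object(store, key_id, c) == template
                       for name, c in copies.items()}
    key_destroyed = store.destroy(key_id)
    # "Content discovery": enumerate every copy and confirm none can be read back.
    readable_after = {name: read_object(store, key_id, c) for name, c in copies.items()}
    return {"readable_before": readable_before,
            "key_destroyed": key_destroyed,
            "readable_after": readable_after}


if __name__ == "__main__":
    for key_name, value in shred_demo().items():
        print(f"{key_name}: {value}")
```

The slide's "content discovery" step becomes the readable_after check: instead of hunting down every copy to overwrite it 3 to 7 times, you enumerate the copies and verify that none decrypts without the destroyed key. This only holds if the key was never written next to the data and if the key store's own deletion is final, which is why the key-management service, not the storage tier, is the control point to audit.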
Implementation rules
• Transparency brings confidence
• Change your mindset toward data-centric security
• Leverage existing security frameworks & practices
• Participate in research & standardization activities
Secure infrastructure: 6 lessons learnt from the field
• Build security in from the start of the project
• Train your team and educate others on cloud security
• Integrate security into existing processes
• Get intimate with cloud IT & ops
• Take network & IT convergence as an opportunity
• Select your compliance frameworks & stick with them
April 18th, 2012 _ v1.1
SecureByDesign Cloud services
[Diagram: trusted cloud computing approach]
• Pervasive and secure network connectivity to the cloud
• "SecureByDesign" cloud platforms (today's focus)
• Security services delivered from the cloud
• Cloud security services portfolio
Together: trusted cloud offers
Our secure development lifecycle
think: Security Risk Assessment, High-Level Risk Assessment, Risk Mitigation Plan, Legal Obligations Assessment
build & deploy: Security Implementation Assistance, Security Reviews, Security Penetration Tests
operate: Operational security & continuous improvement
CloudTrust: a tailored approach for secure cloud
> per-service based
> part of standard processes
> risk/benefit-based approach
> keep service definition
> focuses on think/build/deploy
> unified with the cloud program
> bridges processes between BUs
> cloud security architects
> enhanced security value proposition
> integrated operational security
Secure cloud services backed by highly reliable network connectivity with end-to-end SLAs
Maintaining & enhancing trust in cloud services
Cloud Information Systems Security Manager (CISSM)
• Vulnerability management
• Global security oversight on changes
• Incident management
• Admin & third-party access management
• Periodic security reviews & audits
• Legal obligations
End-to-end operational security (CISSM)
Cloud security architects
• build security in right from the beginning
• ensure a continuous delivery model with smooth roll-out
Flexible Computing Express, Orange Cloud Computing Services, Flexible Backup, … JCI
• global understanding and broad experience
• leverage experiences and foster new initiatives
Private cloud
• deliver telco-grade expertise to the customer's private cloud
• tailored solutions for specific requirements
Certifications (ISO 27K/20K)
• certified security professionals
• active role in certification activities and the 27K ISMS
• leverage processes to bolt security in
Flexible Computing Express
[Architecture diagram] Secure Virtual Data Center: VMs in 6 zones, load balancer (LB), firewalling, DDoS protection, automated VA scans, logs console, two-factor authentication, VPN-SSL access; security services: VM templates, security patches, antivirus, backup. Connectivity: Internal Private WAN, Business VPN to remote sites and datacenters, Business VPN Galerie for service providers, IPVPN network connectivity. ISAE 3402 datacenters (SAS 70 Type 2). CISSM.
Flexible Computing Express standard security features
Secure Virtual DataCenter (vDC)
• 6 dedicated/isolated VLANs
• Stateful firewalling (dedicated instance)
• Load-balancing (dedicated instance)
Secure management
• VPN-SSL remote access
• Web-based unified management (vDC, VLANs, FW, …)
• Two-factor authentication
• Access to firewall logs
Security services zone
• VM templates (Microsoft, Linux)
• Security patches distribution servers
• Antivirus signatures
• Backup services
Additional security services
Security services (store)
• Hardened VM templates
• Vulnerability scans & compliance
• Encrypted VMs & volumes
• IDS/IPS
• Database security
• …
Professional services
• Vulnerability management
• OS & applications management
• Security audits
• Penetration testing
• …
takeaways
blogs : the direct link with our security experts
http://blogs.orange-business.com/connecting-technology/security/
http://blogs.orange-business.com/securite/
continue the journey with us !
CSA EMEA Congress – 25-26th September 2012 - Amsterdam
http://www.cloudsecuritycongress.com/
C&ESAR 2012 – 20-22nd November – Rennes
http://www.cesar-conference.org/
thank you
business changes with
Contacts
• Jean-François AUDENARD – Cloud Security Advisor
– 01 44 37 61 91 – 06 74 79 67 12
– twitter: @jeffman78
• Philippe LANDEAU – Business Development
– 01 55 54 42 36 – 06 82 59 52 36