
Page 1: CLUSIR DU 12  JUIN

cloud computing security

Jean-François AUDENARD – Orange Business Services - Cloud Security Advisor

CLUSIR presentation – InfoNord – Club RSSI

v1r0 – June 12th, 2012

Page 2: CLUSIR DU 12  JUIN

2 Cloud Security – 12 June 2012 Orange Business Services

agenda

• Security and the data lifecycle
– The challenges of data security in the cloud
– Opportunities, but also a return to fundamentals
– Security that "adheres to the data": principles & approach

• Cloud security at Orange Business Services
– Our "SecuredByDesign" approach
– A model for integrating security into cloud projects
– Maintaining and improving security day to day

• Questions & answers

Page 3: CLUSIR DU 12  JUIN


context

Page 4: CLUSIR DU 12  JUIN

Our customers are targets

Cisco – Global Threat Report – 2Q2011

Flame – 1Q2012

Page 5: CLUSIR DU 12  JUIN

Cloud concentrates everything

• Datacenters
• Customers' data
• Revenues
• Risks
• Hackers' greed
• Security (good news!)

Page 6: CLUSIR DU 12  JUIN

Threats follow the data

Diagram: threats and attackers follow the data as it moves from the enterprise's internal network/IT to the Cloud Service Provider (CSP).

Page 7: CLUSIR DU 12  JUIN


expectations

Page 8: CLUSIR DU 12  JUIN

Cloud security is a must-have

All the big analyst firms agree!

Page 9: CLUSIR DU 12  JUIN

An expectation AND a business accelerator

"<…> As counterintuitive as this may seem, enterprises actually expect cloud security to be superior to what they employ for traditional IT services. Current Analysis' survey 'Cloud Services 2011 – Enterprise Adoption Plans and Trends' in August 2011 found that one of the drivers for cloud adoption is actually more security. <…>"

Highly secure cloud services will boost our business

Page 10: CLUSIR DU 12  JUIN

Compliance

• As a customer
– Internal compliance
– Vertical compliance (PCI-DSS, …)

• As a service provider
– Telco's legal obligations

• Rising trend on personal information
– Data breach notifications

Nothing specific to cloud

Page 11: CLUSIR DU 12  JUIN


What’s really new

Page 12: CLUSIR DU 12  JUIN

Question: what really changes with cloud?

• Cloud is not more or less secure: the security posture evolves
– Risks are transferred
– New risks appear

• Underlying cloud technologies are not new

• Concentration brings new opportunities (but increased risks too).

"…the cloud's economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defenses can be more robust, scalable and cost-effective…"

Source: ENISA

Answer: cloud requires security excellence & the associated transparency

Page 13: CLUSIR DU 12  JUIN

Cloud-specific vulnerabilities

NIST essential characteristics of cloud computing:
• On-demand self-service
• Ubiquitous network access
• Resource pooling
• Rapid elasticity
• Measured service

Virtualization, direct vulnerabilities:
• Hyperjacking
• VM escape
• VM sprawl
• VM theft

Page 14: CLUSIR DU 12  JUIN

Direct vulnerabilities

• they're the visible tip of the iceberg
• associated risks may hit both
– the provider
– its customers
• identified during the risk assessment phase
• the provider must manage them
• the provider must demonstrate that it does

Page 15: CLUSIR DU 12  JUIN

Vulnerabilities are an opportunity?

Page 16: CLUSIR DU 12  JUIN

Yes: thanks to cloud-specific vulnerabilities

NIST essential characteristics of cloud computing: on-demand self-service, ubiquitous network access, resource pooling, rapid elasticity, measured service.

Direct vulnerabilities (virtualization):
• Hyperjacking
• VM escape
• VM sprawl
• VM theft

Indirect vulnerabilities:
• Inability to monitor traffic
• Limited network zoning
• Single point of failure
• Forbidden network vulnerability scans

Page 17: CLUSIR DU 12  JUIN

Indirect vulnerabilities

• are seen as regressions or limitations
• a security control may be either
– difficult to instantiate
– impossible to implement
• associated risks are customer-centric
• an opportunity for
– provider differentiation
– a premium services catalog

Page 18: CLUSIR DU 12  JUIN

Securing the cloud(s)

Page 19: CLUSIR DU 12  JUIN

Appropriate level of engagement

Responsibilities between parties, layer by layer (bottom to top):
• Datacenter
• Servers & network
• Hypervisor (VMM)
• VM
• Operating systems
• Middleware
• Applications

The slide's matrix maps IaaS, PaaS and SaaS onto these layers: with each step from IaaS to PaaS to SaaS, more of the upper layers move from the customer's management to the Cloud Service Provider's management, which means increased responsibilities for the Cloud Service Provider, increased criticality, and a high level of shared resources.

Page 20: CLUSIR DU 12  JUIN

Cloud models & security

The four deployment models (public cloud, community cloud, private cloud, hybrid cloud) sit on a spectrum from shared infrastructure, where security is controlled by the provider, to dedicated infrastructure/staff/processes, where security is under the customer's control.

Internal risk & compliance still apply here!

Page 21: CLUSIR DU 12  JUIN


Building & maintaining Trust

Page 22: CLUSIR DU 12  JUIN

Trust must be both external & internal

Internal stakeholders (the enterprise): Executives, Business Units, Risk Managers/CISO, Corporate IT, Employees
• Risk assessment
• Security SLAs
• Policies

Cloud providers
• Certifications
• Security SLAs
• Transparency
• Adherence to standards
• Cloud service catalog

Government (specific regulations)
• Applicable laws
• "Cloud-ready" regulations

Regulation/standards bodies
• Certification bodies
• Standards

Page 23: CLUSIR DU 12  JUIN

With the cloud, data is living everywhere

Diagram: VMs and VM templates held by corporate IT; business units administering VMs and transferring VMs/data to a virtual datacenter on the cloud infrastructure; users accessing the corporate application hosted there.

Page 24: CLUSIR DU 12  JUIN

In the cloud data is living everywhere: risk too

Diagram: the same corporate IT / business units / virtual datacenter picture, annotated with the risks at each location:
• sniffing
• DDoS
• impersonation
• malware
• device theft/loss
• disgruntled admin
• theft of credentials
• weak release management
• VM sprawl
• security patches
• rogue admin
• isolation failure
• data location
• poor access control
• SQL injection
• toxic data

Page 25: CLUSIR DU 12  JUIN

The data security lifecycle

• Create: generation of new content or significant modification of existing content
• Store: committing data to storage
• Use: user interacting with the data (cloud & endpoint)
• Share: exchange of data between users, customers and partners
• Archive: data transfer to long-term storage
• Destroy: permanent destruction & content discovery

Page 26: CLUSIR DU 12  JUIN

Simultaneous and multiple data lifecycles

Diagram: the same corporate IT / business units / virtual datacenter / cloud infrastructure picture, with a full Create, Store, Use, Share, Archive, Destroy lifecycle running in parallel at each location (four lifecycles shown).

Page 27: CLUSIR DU 12  JUIN

Use case: a Virtual Machine (IaaS)

Lifecycle phases: Create, Store, Use, Share, Archive, Destroy

1. Initial creation by corporate IT
2. Transfer to the cloud as an OVF container
3. Insertion in the VM template store
4. VMs are instantiated and executed for business purposes
5. VM templates and instances are deleted

Page 28: CLUSIR DU 12  JUIN

1. Creation of the VM template by corporate IT: Create

Controls: 1. classify; 2. assign rights

• risk-based decision for moving specific workloads/applications into selected cloud(s)
• tag VM templates with labels to facilitate rights allocation/assignment

2. Transfer to the cloud as an OVF container: Share

Controls: 1. activity monitoring & enforcement; 2. encryption; 3. logical controls; 4. application security

• watch when and where admin(s) are transferring templates
• log accesses to admin interfaces
• secure data in motion using encryption
• secure admin interfaces/APIs

Page 29: CLUSIR DU 12  JUIN

3. Insertion in the VM template store: Store

Controls: 1. filesystem access controls; 2. encryption; 3. rights management; 4. content discovery

• isolation between tenants & administrator separation of duties
• volume/media encryption
• enforcement of the rights created during the "Create" phase (when data enters storage)
• ensure data are located in the right place

4. VMs are instantiated and executed for business purposes: Use

Controls: 1. activity monitoring & enforcement; 2. rights management; 3. logical controls; 4. application security

• agent-based security & access log collection
• enforcement of the rights created during the "Create" phase (modification, export, copying, …)
• application logic controls
• application security

! Two perimeters of controls: 1) cloud-based controls; 2) endpoint-based controls

Page 30: CLUSIR DU 12  JUIN

5. VM templates and instances are deleted: Destroy

Controls: 1. crypto-shredding; 2. secure deletion; 3. physical destruction; 4. content discovery

• delete the encryption keys
• overwrite the data 3 to 7 times with a random pattern
• degaussing or physical destruction of storage devices
• ensure no copies or versions of the data remain accessible

Practitioner's note: in a cloud, overwrite passes issued from inside a VM are not guaranteed to reach the physical blocks (thin provisioning, snapshots, SSD wear levelling), and degaussing or destruction of devices is the provider's to perform, not the tenant's. Crypto-shredding, destroying the key that every copy was encrypted under, is the control the tenant can actually verify, which is why volume encryption has to be in place from the Store phase onward.
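The Create, Store, Use/Share and Destroy controls of the last three slides, as one runnable added example (Python, standard library only; this is not code from the presentation or from Orange Business Services): a VM template is classified and tagged at creation, the rights tied to its label are enforced when it is instantiated or exported, it sits encrypted in the template store and on instance disks under its own key, destruction is done by crypto-shredding (deleting the key), and content discovery then lists every copy that is still readable. The classification policy, the store names and the OVF payload are constructed for the example; the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for a real AEAD such as AES-GCM with a KMS-managed key, and activity logging is left out.

```python
"""Added example: a VM template through Create -> Store -> Use/Share -> Destroy.
Classify/tag, enforce Create-phase rights, encrypt at rest per template, crypto-shred
by deleting the key, then run content discovery for copies that remain readable."""
import hashlib
import hmac
import os

# Assumed classification policy: the operations each label permits after Create.
POLICY = {"public": {"instantiate", "export"}, "confidential": {"instantiate"}}

def _subkeys(key):
    return hashlib.sha256(b"enc|" + key).digest(), hashlib.sha256(b"mac|" + key).digest()

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD such as AES-GCM.
    return b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))[:length]

def encrypt(key, plaintext):
    """Encrypt-then-MAC; returns nonce(16) || ciphertext || tag(32)."""
    nonce, (enc_key, mac_key) = os.urandom(16), _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Checks the tag before decrypting, so a wrong or deleted key fails loudly."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class TemplateLifecycle:
    """One tenant's VM templates and every place a copy of them can end up."""
    def __init__(self):
        self.keys = {}   # template id -> data-encryption key (stand-in for a KMS)
        self.meta = {}   # template id -> classification label, plaintext fingerprint
        self.stores = {"template_store": {}, "instances": {}, "backup": {}}

    def _put(self, store, name, tid, data, encrypted):
        self.stores[store][name] = {"tid": tid, "data": data, "encrypted": encrypted}

    def _check(self, tid, operation):
        # Rights assigned in the Create phase are enforced in every later phase.
        label = self.meta[tid]["label"]
        if operation not in POLICY[label]:
            raise PermissionError(f"'{operation}' not permitted on {label} template {tid}")

    def create(self, tid, content, label):
        """Create: classify/tag, fingerprint the content, issue a per-template key."""
        self.meta[tid] = {"label": label, "fingerprint": hashlib.sha256(content).hexdigest()}
        self.keys[tid] = os.urandom(32)

    def store(self, tid, content):
        """Store: the template enters the store in encrypted form only."""
        self._put("template_store", tid, tid, encrypt(self.keys[tid], content), True)

    def instantiate(self, tid, instance_id):
        """Use: an instance disk is a second copy, encrypted under the same key."""
        self._check(tid, "instantiate")
        self._put("instances", instance_id, tid, self.stores["template_store"][tid]["data"], True)

    def export(self, tid, name):
        """Share: an export (e.g. an OVF sent to backup) leaves the perimeter as plaintext."""
        self._check(tid, "export")
        plain = decrypt(self.keys[tid], self.stores["template_store"][tid]["data"])
        self._put("backup", name, tid, plain, False)

    def destroy(self, tid):
        """Destroy: crypto-shredding. Without the key every encrypted copy is unreadable."""
        del self.keys[tid]

    def discover(self, tid):
        """Content discovery: every copy of the template that can still be read."""
        fingerprint, readable = self.meta[tid]["fingerprint"], []
        for store, objects in self.stores.items():
            for name, obj in objects.items():
                if obj["tid"] != tid or (obj["encrypted"] and tid not in self.keys):
                    continue  # another template, or ciphertext whose key is gone
                data = decrypt(self.keys[tid], obj["data"]) if obj["encrypted"] else obj["data"]
                if hashlib.sha256(data).hexdigest() == fingerprint:
                    readable.append(f"{store}/{name}")
        return readable

def demo():
    """Constructed walk-through; returns what discovery finds at each step."""
    lc = TemplateLifecycle()
    payload = b"constructed OVF payload: corp-web-template v3"  # stand-in for a template
    lc.create("tmpl-conf", payload, "confidential")
    lc.store("tmpl-conf", payload)
    lc.instantiate("tmpl-conf", "vm-01")
    before = lc.discover("tmpl-conf")      # template store + instance disk, both readable
    lc.destroy("tmpl-conf")
    after = lc.discover("tmpl-conf")       # key gone: nothing readable is left
    lc.create("tmpl-pub", payload, "public")
    lc.store("tmpl-pub", payload)
    lc.export("tmpl-pub", "tmpl-pub.ovf")  # permitted for "public": plaintext copy in backup
    lc.destroy("tmpl-pub")
    leftover = lc.discover("tmpl-pub")     # crypto-shredding cannot reach that copy
    return {"before": before, "after": after, "leftover": leftover}
```

The second half of demo() is the point the slide makes with "content discovery": once a copy has left the encrypted perimeter as plaintext (here the permitted export of the public template), deleting the key no longer covers it, and that copy has to be found and securely deleted on its own. For the confidential template the export is refused by the rights assigned in the Create phase, so after the key is deleted discovery finds nothing.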

Page 31: CLUSIR DU 12  JUIN

Implementation rules

• transparency brings confidence
• change your mindset to data-centric security
• leverage existing security frameworks & practices
• participate in research & standardization activities

Page 32: CLUSIR DU 12  JUIN

Secure infrastructure: 6 lessons learnt from the field

1. Build security in from the start of the project
2. Train your team and educate others about cloud security
3. Integrate security into existing processes
4. Get intimate with cloud IT & ops
5. Take network & IT convergence as an opportunity
6. Select your compliance frameworks & stick with them

Page 33: CLUSIR DU 12  JUIN

April 18th, 2012 _ v1.1

SecureByDesign Cloud services

Page 34: CLUSIR DU 12  JUIN

Trusted cloud computing approach

• pervasive and secure network connectivity to the cloud
• "SecureByDesign" cloud platforms (today's focus)
• security services delivered from the cloud
• cloud security services portfolio

→ trusted cloud offers

Page 35: CLUSIR DU 12  JUIN

Our secure development lifecycle

• think: High-Level Risk Assessment, Legal Obligations Assessment, Security Risk Assessment, Risk Mitigation Plan
• build & deploy: Security Implementation Assistance, Security Reviews, Security Penetration Tests
• operate: Operational security & continuous improvement

Page 36: CLUSIR DU 12  JUIN

CloudTrust: a tailored approach for secure cloud

> per-service based
> part of standard processes
> risks/benefits based approach
> keeps the service definition
> focuses on think/build/deploy
> unified with the cloud program
> bridges processes between BUs
> cloud security architects
> enhanced security value proposition
> integrated operational security

Secure cloud services backed with highly reliable network connectivity with end-to-end SLAs

Page 37: CLUSIR DU 12  JUIN

Maintaining & enhancing trust in cloud services

Cloud Information Systems Security Manager (CISSM):
• Vulnerability management
• Global security oversight on changes
• Incident management
• Admin & third-party access management
• Periodic security reviews & audits
• Legal obligations

Page 38: CLUSIR DU 12  JUIN

End-to-end operational security (CISSM)

Cloud security architects
• build security in right from the beginning
• ensure a continuous delivery model with smooth roll-out

Orange Cloud Computing Services (Flexible Computing Express, Flexible Backup, JCI, …)
• global understanding and broad experience
• leverage experiences and foster new initiatives

Private cloud
• deliver telco-grade expertise to the customer's private cloud
• tailored solutions for specific requirements

Certifications (ISO 27K/20K)
• certified security professionals
• active role in certification activities and the 27K ISMS
• leverage processes to bolt security in

Page 39: CLUSIR DU 12  JUIN

Flexible Computing Express

Diagram of the Secure Virtual Data Center: VMs in 6 zones behind a load balancer (LB); a security services zone with VM templates, security patches, antivirus and backup; a management console reached over VPN-SSL with two-factor authentication and access to logs; an internal private WAN; DDoS protection in front; and Business VPN connectivity to remote sites, datacenters and the "Galerie" service providers.

• DDoS protection
• Firewalling
• Automated VA scans
• IPVPN network connectivity
• ISAE 3402 datacenters (SAS 70 Type 2)
• CISSM

Page 40: CLUSIR DU 12  JUIN

Flexible Computing Express standard security features

Secure Virtual DataCenter (vDC)
• 6 dedicated/isolated VLANs
• Stateful firewalling (dedicated instance)
• Load-balancing (dedicated instance)

Secure management
• VPN-SSL remote access
• Web-based unified management (vDC, VLANs, FW, …)
• Two-factor authentication
• Access to firewall logs

Security services zone
• VM templates (Microsoft, Linux)
• Security patch distribution servers
• Antivirus signatures
• Backup services

Page 41: CLUSIR DU 12  JUIN

Additional security services

Security services store
• Hardened VM templates
• Vulnerability scans & compliance
• Encrypted VMs & volumes
• IDS/IPS
• Database security
• …

Professional services
• Vulnerability management
• OS & applications management
• Security audits
• Penetration testing
• …

(Diagram: the same Secure Virtual Data Center as on the previous slides, with its 6 zones, LB, logs, console, two-factor authentication, VPN-SSL, VM templates, security patches, antivirus and backup.)

Page 42: CLUSIR DU 12  JUIN


takeaways

Page 43: CLUSIR DU 12  JUIN


blogs : the direct link with our security experts

http://blogs.orange-business.com/connecting-technology/security/

http://blogs.orange-business.com/securite/

Page 44: CLUSIR DU 12  JUIN

continue the journey with us!

CSA EMEA Congress – 25-26 September 2012 – Amsterdam

http://www.cloudsecuritycongress.com/

C&ESAR 2012 – 20-22 November – Rennes

http://www.cesar-conference.org/

Page 45: CLUSIR DU 12  JUIN

thank you

business changes with

Page 46: CLUSIR DU 12  JUIN

Contacts

• Jean-François AUDENARD – Cloud Security Advisor
– 01 44 37 61 91 – 06 74 79 67 12
– [email protected]
– twitter: @jeffman78

• Philippe LANDEAU – Business Development
– 01 55 54 42 36 – 06 82 59 52 36
– [email protected]