CLUSIR of 12 June
1. cloud computing security
Jean-François AUDENARD – Orange Business Services - Cloud Security Advisor
CLUSIR presentation – InfoNord – Club RSSI
v1r0 – June 12th, 2012
2. agenda
Security and the data lifecycle
– The challenges of data security in the cloud
– Opportunities, but also a return to fundamentals
– Security that “sticks to the data”: principles & approach
Cloud security at Orange Business Services
– Our “SecuredByDesign” approach
– Model for integrating security into Cloud projects
– Maintaining and improving security day to day
Questions & answers
2 Cloud Security – 12 Juin 2012 Orange Business Services
3. context
4. Our customers are targets
Flame – 1Q2012
CISCO – Global Threat Report – 2Q2011
5. Cloud concentrates everything
Datacenters
Customer’s data
Revenues
Risks
Hacker’s greed
Security (good news !)
6. Threats follow the data
[diagram: threats and attackers follow the data as it moves from the enterprise internal network/IT to the Cloud Services Providers (CSP)]
7. expectations
8. Cloud security is a must have
All big analyst firms agree!
9. An expectation AND a business accelerator
“<…> As counterintuitive as this may seem, enterprises actually expect cloud security to be superior to what they employ for traditional IT services. Current Analysis’ survey of ‘Cloud Services 2011 – Enterprise Adoption Plans and Trends’ in August 2011 found that one of the drivers for cloud adoption is actually more security <…>”
Highly secure cloud services will boost our business
10. Compliance
As a customer
– Internal compliance
– vertical compliance (PCI-DSS, …)
As a service provider
– Telco’s legal obligations
Rising trend on personal information
– Data breach notifications
Nothing specific related to cloud
12. Question: what really changes with cloud?
Cloud is not more or less secure: the security posture evolves
– Risks are transferred
– New risks appear
Underlying cloud technologies are not new
Concentration brings new opportunities (but increased risks too).
“…the cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defenses can be more robust, scalable and cost-effective…” (Source: ENISA)
Answer: Cloud requires security excellence & associated transparency
13. Cloud specific vulnerabilities
NIST characteristics
– On-demand self-service
– Ubiquitous network access
– Resource pooling
– Rapid elasticity
– Measured service
Virtualization → Direct vulnerabilities
– Hyper-jacking
– VM-Escape
– VM sprawl
– VM theft
14. Direct vulnerabilities
they’re the visible top of the iceberg
associated risks may hit both
– the provider
– its customers
Identified during the risk assessment phase
the provider must manage them
the provider must demonstrate that they are managed
15. Vulnerabilities are an opportunity
16. Yes: thanks to cloud-specific vulnerabilities
NIST characteristics (On-demand self-service, Ubiquitous network access, Resource pooling, Rapid elasticity, Measured service) → Indirect vulnerabilities
– Inability to monitor traffic
– Limited network zoning
– Single point of failure
– Forbidden network vulnerability scans
Virtualization → Direct vulnerabilities
– Hyper-jacking
– VM-Escape
– VM sprawl
– VM theft
17. Indirect vulnerabilities
are seen as regressions or limitations
A security control may be either
– difficult to instantiate
– impossible to implement
associated risks are customer-centric
an opportunity for
– provider’s differentiation
– premium services catalog
19. Appropriate level of engagement
[diagram: responsibilities between parties across the stack Datacenter, Servers & network, Hypervisor (VMM), VM, Operating systems, middleware, Applications – Cloud Service Provider management at the bottom, customer’s management at the top; moving from IaaS to PaaS to SaaS gives the Cloud Service Provider increased responsibilities; the lower layers carry increased criticality and a high level of shared resources]
20. Cloud models & security
[diagram: spectrum from private cloud (dedicated infrastructure/staff/processes, security under customer’s control) through community cloud (shared infrastructure) and hybrid cloud to public cloud (security controlled by the provider)]
Internal risk & compliance still apply here!
22. Trust must be both external & internal
Regulation/standards bodies (government standards, specific regulations, certification bodies)
• Applicable laws
• “Cloud-ready” regulations
Internal stakeholders (Executives, Business Units, Risk Managers, CISO, Corporate IT, Employees)
• Cloud service catalog
• Risks assessment
• Security SLAs
• Policies
Cloud Providers
• Certifications
• Security SLAs
• Transparency
• Adherence to standards
23. with the cloud data is living everywhere
[diagram: Business Units access the corporate applications running as VMs in a virtual datacenter; Corporate IT administers it and performs VM/data transfers; the cloud infrastructure hosts VMs and VM templates]
24. in the cloud data is living everywhere: risk too
[the diagram of the previous slide, annotated with risks:] poor access control, SQL injections, toxic data, malware, device theft/loss, sniffing, DDoS, impersonation, VM sprawl, security patches, disgruntled admin, rogue admin, theft of credentials, isolation failure, weak release management, data location
25. the data security lifecycle
Create: generation of new content or significant modification of existing content
Store: committing data to storage
Use: user interacting with the data (cloud & endpoint)
Share: exchange of data between users, customers and partners
Archive: data transfer to long-term storage
Destroy: permanent destruction & content discovery
26. simultaneous and multiple data lifecycles
[diagram: the Create / Store / Use / Share / Archive / Destroy lifecycle repeated at the Business Units, in the virtual datacenter, at Corporate IT and in the cloud infrastructure]
27. use-case: a Virtual Machine (IaaS)
1 – initial creation by corporate IT (Create)
2 – transfer to the cloud as an OVF container (Share)
3 – insertion in the VM template store (Store)
4 – VMs are instantiated and executed for business purposes (Use)
5 – VM templates and instances are deleted (Destroy)
28. Create / Share
1 – creation of the VM template by corporate IT (Create)
1. classify
2. assign rights
– risk-based decision for moving specific workloads/applications in selected cloud(s)
– tag VM templates with labels to facilitate rights allocation/assignments
2 – transfer to the cloud as an OVF container (Share)
1. activity monitoring & enforcement: watch when and where admin(s) are transferring templates; log accesses to admin interfaces
2. encryption: secure data in motion using encryption
3. logical controls: secure admin interfaces/API
4. application security
29. Store / Use
3 – insertion in the VM template store (Store)
1. filesystem access controls: isolation between tenants & administrator separation of duties
2. encryption: volume/media encryption
3. rights management: enforcement of rights created during the “Create” phase (when data enters storage)
4. content discovery: ensure data are located at the right place
4 – VMs are instantiated and executed for business purposes (Use)
! agent-based security & access log collection
2 perimeters of controls: 1) cloud-based controls 2) endpoint-based controls
1. activity monitoring & enforcement
2. rights management: enforcement of rights created during the “Create” phase (modification, export, copying, …)
3. logical controls: application logic controls
4. application security
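The Create, Share and Store controls of the VM-template use-case can be tied together in a small policy engine: classification labels assigned at Create drive rights and the risk-based placement decision, every transfer by an administrator is logged with a digest of the OVF container, and the Store-phase content-discovery check verifies that a template sits where policy allows. The code below is an added example, not code from the presentation or from Orange Business Services; the label vocabulary, cloud names, rights table and in-memory audit log are constructed assumptions for this example.

```python
"""Added example (not from the presentation): a policy engine following the
Create -> Share -> Store -> Use steps of the VM-template use-case.
Labels, cloud names, rights and the audit log are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib

# Create phase, step 1 (classify): the label vocabulary assumed here.
CLASSIFICATIONS = ("public", "internal", "confidential", "restricted")

# Risk-based placement policy (assumed): which cloud model may host which label.
PLACEMENT_POLICY = {
    "public": {"public", "community", "private"},
    "internal": {"community", "private"},
    "confidential": {"private"},
    "restricted": set(),            # stays on-premises in this constructed policy
}

# Create phase, step 2 (assign rights): rights follow the label and are
# enforced again at Store and Use time.
RIGHTS_BY_LABEL = {
    "public": {"instantiate", "export", "copy"},
    "internal": {"instantiate", "copy"},
    "confidential": {"instantiate"},
    "restricted": set(),
}

AUDIT_LOG = []                      # constructed in-memory activity log


@dataclass
class VMTemplate:
    name: str
    classification: str
    owner: str
    encrypted: bool = False         # is the data in motion protected?
    rights: set = field(default_factory=set)

    def __post_init__(self):
        if self.classification not in CLASSIFICATIONS:
            raise ValueError(f"unknown classification {self.classification!r}")
        self.rights = set(RIGHTS_BY_LABEL[self.classification])


def _audit(event, **fields):
    """Append one activity-monitoring record (hypothetical log format)."""
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields}
    AUDIT_LOG.append(entry)
    return entry


def decide_transfer(tpl, target_cloud, admin, ovf):
    """Share phase: risk-based placement decision plus activity monitoring
    (who moved which template where, with a digest of the OVF container)."""
    if target_cloud not in PLACEMENT_POLICY[tpl.classification]:
        reason = f"{tpl.classification} templates may not be placed in the {target_cloud} cloud"
        _audit("transfer_denied", template=tpl.name, admin=admin, target=target_cloud, reason=reason)
        return False, reason
    if not tpl.encrypted:
        reason = "data in motion must be encrypted before transfer"
        _audit("transfer_denied", template=tpl.name, admin=admin, target=target_cloud, reason=reason)
        return False, reason
    digest = hashlib.sha256(ovf).hexdigest()
    _audit("transfer_allowed", template=tpl.name, admin=admin, target=target_cloud, ovf_sha256=digest)
    return True, f"{tpl.name} -> {target_cloud} logged (ovf sha256 {digest[:12]}...)"


def check_storage_location(tpl, stored_in):
    """Store phase, content discovery: is the template where policy allows it?"""
    located_ok = stored_in in PLACEMENT_POLICY[tpl.classification]
    _audit("location_check", template=tpl.name, location=stored_in, ok=located_ok)
    return located_ok


def enforce_right(tpl, action):
    """Store/Use phase: enforce the rights created during the Create phase."""
    allowed = action in tpl.rights
    _audit("right_check", template=tpl.name, action=action, allowed=allowed)
    return allowed


if __name__ == "__main__":
    tpl = VMTemplate("erp-app-v3", "confidential", owner="corporate-it")
    print(decide_transfer(tpl, "public", "admin-alice", b"constructed ovf bytes"))
    tpl.encrypted = True
    print(decide_transfer(tpl, "private", "admin-alice", b"constructed ovf bytes"))
    print(check_storage_location(tpl, "private"), enforce_right(tpl, "export"))
    for entry in AUDIT_LOG:
        print(entry)
```

The point of keeping the rights on the template object rather than on the cloud is the one the slides make: the decision taken at Create travels with the data and is re-checked when it enters storage and when it is used, and every decision leaves an audit record that a CISSM-style review can read back.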
30. Use / Destroy
4 – VMs are instantiated and executed for business purposes (Use)
agent-based security & access log collection
1. activity monitoring & enforcement
2. rights management: enforcement of rights created during the “Create” phase (modification, export, copying, …)
3. logical controls: application logic controls
4. application security
5 – VM templates and instances are deleted (Destroy)
1. crypto-shredding: delete the encryption keys
2. secure deletion: overwrite data from 3 to 7 times with a random pattern
3. physical destruction: degaussing or physical destruction of storage devices
4. content discovery: ensure no copies or versions of the data remain accessible
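The Destroy controls above can be exercised end to end on a constructed VM-template blob: a per-tenant data encryption key is created, the template is encrypted, a forgotten copy is left in the store, one file is overwritten and unlinked, the key is shredded, and a content-discovery sweep reports what is still readable. The code below is an added example, not code from the presentation or from Orange Business Services; it uses only the Python standard library, so the cipher is a stand-in keystream built from HMAC-SHA256 (it illustrates the key lifecycle, not a production cipher; a real deployment would use an authenticated cipher such as AES-GCM from a vetted library), and the key ids, file names and tenant data are constructed. The overwrite routine only has meaning on storage that writes in place; on flash, thin-provisioned or snapshotted cloud volumes the slide’s first control, crypto-shredding, is the one that actually makes the data unrecoverable.

```python
"""Added example (not from the presentation): the Destroy-phase controls
(crypto-shredding, secure deletion, content discovery) on constructed data.
The HMAC-SHA256 keystream is a stand-in for a real authenticated cipher."""
import hashlib
import hmac
import os
import secrets
import tempfile
from pathlib import Path

KEY_STORE = {}                      # constructed in-memory key store: key_id -> key


def _keystream(key, nonce, length):
    """Stand-in keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_for_tenant(key_id, plaintext):
    """Encrypt under the tenant's data encryption key (created on first use)."""
    key = KEY_STORE.setdefault(key_id, secrets.token_bytes(32))
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt_for_tenant(key_id, blob):
    """Raises KeyError once the tenant key has been shredded."""
    key = KEY_STORE[key_id]
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def crypto_shred(key_id):
    """Destroy control 1: deleting the key makes every copy of the ciphertext
    unreadable, wherever replicas, snapshots or backups still hold it."""
    return KEY_STORE.pop(key_id, None) is not None


def secure_delete(path, passes=3):
    """Destroy control 2: overwrite the file with random bytes (the slide says
    3 to 7 passes) before unlinking. Meaningful only on in-place storage."""
    if not 1 <= passes <= 7:
        raise ValueError("passes must be between 1 and 7")
    p = Path(path)
    size = p.stat().st_size
    with open(p, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(secrets.token_bytes(size))
            fh.flush()
            os.fsync(fh.fileno())
    p.unlink()
    return not p.exists()


def find_remaining_copies(root, fingerprint):
    """Destroy control 4, content discovery: files under root whose SHA-256
    equals the fingerprint of the data that was supposed to be destroyed."""
    hits = [str(f) for f in Path(root).rglob("*")
            if f.is_file() and hashlib.sha256(f.read_bytes()).hexdigest() == fingerprint]
    return sorted(hits)


def demo():
    """Walk a constructed template through Destroy; return what each control achieved."""
    template = b"constructed VM template payload: tenant-A erp image v3"
    fingerprint = hashlib.sha256(template).hexdigest()
    blob = encrypt_for_tenant("tenant-A-dek", template)
    with tempfile.TemporaryDirectory() as root:
        store = Path(root) / "template-store"
        store.mkdir()
        (store / "erp-v3.ovf").write_bytes(template)
        (store / "erp-v3.ovf.bak").write_bytes(template)      # a forgotten copy
        copies_before = find_remaining_copies(root, fingerprint)
        wiped = secure_delete(store / "erp-v3.ovf", passes=3)
        copies_after = find_remaining_copies(root, fingerprint)  # the .bak survives
    assert decrypt_for_tenant("tenant-A-dek", blob) == template
    shredded = crypto_shred("tenant-A-dek")
    try:
        decrypt_for_tenant("tenant-A-dek", blob)
        readable = True
    except KeyError:
        readable = False
    return {"copies_before": len(copies_before), "wiped": wiped,
            "copies_after": len(copies_after), "shredded": shredded,
            "ciphertext_readable_after_shred": readable}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows why the slide lists content discovery as its own control: the overwrite removed the file it was pointed at, but the forgotten `.bak` copy is still found afterwards, whereas shredding the key left every ciphertext copy unreadable at once.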
31. Implementation rules
– transparency brings confidence
– change your mind for data-centric security
– leverage existing security frameworks & practices
– participate in research & standardization activities
32. secure Infrastructure
6 lessons learnt from the field
– Build security in from the start of the project
– Select your compliance frameworks & stick with them
– Train your team and educate others to cloud security
– Take network & IT convergence as an opportunity
– Integrate security in existing processes
– Get intimate with cloud IT & ops
36. CloudTrust: a tailored approach for secure cloud
CloudTrust
> per-service based
> part of standard processes
> risks/benefits based approach
> keep service definition
> focuses on think/build/deploy
> unified to the cloud-program
> bridge processes between BUs
> cloud security architects
> enhanced security value prop.
> integrated operational security
secure cloud services backed with highly reliable network connectivity with end-2-end SLAs
37. maintaining & enhancing trust in cloud services
CISSM (Cloud Information Systems Security Manager)
– Global security oversight on changes
– Incident management
– Admin & third-parties access management
– Legal obligations
– Vulnerabilities management
– Periodic security reviews & audits
38. end-2-end operational security
CISSM / cloud security architects
• build security in right from the beginning
• ensure continuous delivery model with smooth roll-out
• global understanding and broad experience
• leverage experiences and foster new initiatives
Orange Cloud Computing Services: Flexible Computing Express, Flexible Computing, Flexible Backup
certifications: JCI, ISO 27K/20K …
• certified security professionals
• active role in certifications activities and 27K ISMS
• leverage processes to bolt security in private cloud
• deliver telco-grade expertise to customer’s private cloud
• tailored solutions for specific requirements
39. Flexible Computing Express
[diagram: Secure Virtual Data Center (6 zones) with VMs behind a load balancer (LB); DDoS protection and firewalling at the edge; 2-factor authentication, logs, VM templates, security patches, antivirus, backup and a VPN-SSL console; connectivity through Business VPN (remote sites, internal private WAN), Service Providers and the Galerie; IPVPN network connectivity; automated VA scans; ISAE 3402 (SAS 70 Type 2) datacenters; operated under the CISSM]
40. Flexible Computing Express standard security features
Secure Virtual DataCenter (vDC) (6 zones)
• 6 dedicated/isolated VLANs
• Stateful firewalling (dedicated instance)
• Load-balancing (dedicated instance)
Secure management
• VPN-SSL remote access
• web-based unified management (vDC, VLANs, FW, …)
• Two-factor authentication
• Access to firewall logs
Security services zone
• VM templates (Microsoft, Linux)
• Security patches distribution servers
• Antivirus signatures
• Backup services
41. additional security services
security services store
• Hardened VM templates
• Vulnerability scans & compliance
• Encrypted VM & volumes
• IDS/IPS
• Database security
• …
professional services
• Vulnerabilities management
• OS & Applications Management
• Security audits
• Penetration testing
• …
42. takeaways
43. blogs : the direct link with our security experts
http://blogs.orange-business.com/connecting-technology/security/
http://blogs.orange-business.com/securite/
44. continue the journey with us!
CSA EMEA Congress – 25-26th September 2012 – Amsterdam
http://www.cloudsecuritycongress.com/
C&ESAR 2012 – 20-22nd November – Rennes
http://www.cesar-conference.org/