Is Cloud Computing the Enemy of Security?
Eric DOMAGE, Program Manager, IDC WE Security Products & Solutions
Copyright IDC. Reproduction is forbidden unless authorized. All rights reserved.
A few foundational texts (worth keeping)
A few statements
«Cloud Computing isn't necessarily more or less secure than your current environment» - CSA, Security Guidance for Critical Areas of Focus in Cloud Computing v2.1, Dec. 2009
«Cloud's economies of scale and flexibility are both a friend and a foe from a security point of view» - ENISA, Benefits, Risks and Recommendations for Information Security, November 2009
IDC, Feb-10
Amazon
Amazon Web Services Customer Agreement, updated January 20, 2010
7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.
http://aws.amazon.com/agreement/#3
Google
Terms of Service / Google Apps
1. LIMITATION OF LIABILITY. YOU EXPRESSLY UNDERSTAND AND AGREE THAT GOOGLE AND PARTNERS SHALL NOT BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES (EVEN IF GOOGLE OR PARTNERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES) RESULTING FROM: (i) THE USE OR THE INABILITY TO USE GOOGLE SERVICES; (ii) THE COST OF PROCUREMENT OF SUBSTITUTE GOODS AND SERVICES RESULTING FROM ANY GOODS, DATA, INFORMATION OR SERVICES PURCHASED OR OBTAINED OR MESSAGES RECEIVED OR TRANSACTIONS ENTERED INTO THROUGH OR FROM GOOGLE SERVICES; (iii) UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR TRANSMISSIONS OR DATA; (iv) STATEMENTS OR CONDUCT OF ANY THIRD PARTY ON GOOGLE SERVICES; OR (v) ANY OTHER MATTER RELATING TO GOOGLE SERVICES.
http://www.google.com/apps/intl/en/terms/user_terms.html
Addressing risk in a Cloud environment
The major security questions specific to the Cloud (ENISA)
- Loss of control: where is the information, who controls the cloud, who guarantees it, who assumes the SLAs, who has access, who is responsible in case of an incident?
- Lock-in: who is the contracting party, what about reinsourcing? Changing provider? Choice of subcontractors and partners
- Isolation failure: attacks on and weaknesses in the isolation layer (hypervisor, compromised VMs)
- Compliance risk: certification, audit, geolocation
- Data protection: managing data confidentiality and integrity, multi-tenant privacy, erasure
- Malicious insider: internal attacks, rogue VMs
The «basic» security questions that call for an answer
- IAM: the 5 Ws (Who, What, Why, Where, When)
- DLP: data discovery, geolocation, lifecycle management
- SCTM: Secure Content & Threat Management (FW, IPS, AV, AM)
- SVM: Secure Compliance & Vulnerability Management: management and detection of vulnerabilities and of software versions
- Continuity: backup & recovery
The answers
- IAM: identity federation (SSO), SAML 2.0, WS-Federation
- Data protection: cryptography, DLP, geolocation
- External threats: cloud-adapted AV and AM (VM)
- Internal threats: cloud DLP / hypervisor security
A few recommendations
- Extensive use of cryptography is neither expensive nor complex («Encrypting is easy, decrypting»). Key management matters more than key strength!
- Cloud providers have, for now, the best security solutions for «their» cloud. Listen to them!
- Use the CSA «Discussion Guide v2.1» to review the cloud project calmly with your provider (lists of questions to ask, recommendations) http://www.cloudsecurityalliance.org/guidance.html
- Use and abuse standards (SAML, FIPS, SANS, ISO 2700x)
- Stay cautious: genuine IT revolutions are truly rare
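The recommendation above, and the AWS clause earlier in the deck that asks customers to encrypt their own content, both turn on the same point: what protects data in someone else's cloud is not the cipher's key length but who holds the wrapping key and how it is rotated. The following is an added illustration of envelope encryption written for this page; it is not code from the IDC slides, the CSA guidance or any provider. Names such as encrypt_object, rotate_kek and the keyring dictionary are assumptions made here. The cipher is a stand-in built from HMAC-SHA256 (counter-mode keystream plus encrypt-then-MAC) so that the example runs with the Python standard library alone; in production use an AEAD such as AES-GCM from a vetted library, and keep the key-encryption key (KEK) in a KMS or HSM that the provider's storage tier cannot read.

```python
"""Envelope encryption: per-object data keys (DEK) wrapped by a customer-held KEK.

Added illustration for the IDC slide on key management; not the deck's own code.
The cipher below is a stand-in built from HMAC-SHA256 (not a standard AEAD) so
the example runs offline with only the standard library. Use AES-GCM or another
vetted AEAD in real systems and hold the KEK in a KMS/HSM outside the cloud tier.
"""
import base64
import hashlib
import hmac
import os
import struct

KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys so the two uses never share a key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a toy keystream (stand-in for a real cipher).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _mac_input(aad: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Length-prefix the associated data so (aad, nonce, ct) boundaries are unambiguous.
    return struct.pack(">Q", len(aad)) + aad + nonce + ct

def _seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    # Encrypt-then-MAC; the tag binds the associated data (object name or KEK id).
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), _mac_input(aad, nonce, ct), hashlib.sha256).digest()
    return nonce + ct + tag

def _open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), _mac_input(aad, nonce, ct), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key, wrong name or tampered object")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

def encrypt_object(keyring: dict, kek_id: str, name: str, plaintext: bytes) -> dict:
    """Encrypt one object under a fresh DEK; only the wrapped DEK travels with it."""
    dek = os.urandom(KEY_LEN)
    return {
        "object": name,
        "kek_id": kek_id,
        "wrapped_dek": _b64(_seal(keyring[kek_id], dek, kek_id.encode())),
        "ciphertext": _b64(_seal(dek, plaintext, name.encode())),
    }

def decrypt_object(keyring: dict, record: dict) -> bytes:
    """Unwrap the DEK with the KEK the record names, then open the content."""
    kek = keyring[record["kek_id"]]  # KeyError if that KEK has been retired
    dek = _open(kek, base64.b64decode(record["wrapped_dek"]), record["kek_id"].encode())
    return _open(dek, base64.b64decode(record["ciphertext"]), record["object"].encode())

def rotate_kek(keyring: dict, record: dict, new_kek_id: str) -> dict:
    """Re-wrap the DEK under a new KEK; the stored ciphertext is left untouched."""
    old_kek = keyring[record["kek_id"]]
    dek = _open(old_kek, base64.b64decode(record["wrapped_dek"]), record["kek_id"].encode())
    rotated = dict(record)
    rotated["kek_id"] = new_kek_id
    rotated["wrapped_dek"] = _b64(_seal(keyring[new_kek_id], dek, new_kek_id.encode()))
    return rotated

def demo() -> bool:
    # Constructed sample: two KEK generations held on the customer side, never uploaded.
    keyring = {"kek-2010-01": os.urandom(KEY_LEN), "kek-2010-02": os.urandom(KEY_LEN)}
    payload = b"alice,4200\nbob,3900\n"
    record = encrypt_object(keyring, "kek-2010-01", "payroll.csv", payload)
    rotated = rotate_kek(keyring, record, "kek-2010-02")
    same_ct = rotated["ciphertext"] == record["ciphertext"]  # no bulk re-encryption
    readable = decrypt_object(keyring, rotated) == payload
    # Retire the old KEK: anything still wrapped under it is now unreadable.
    retired = {"kek-2010-02": keyring["kek-2010-02"]}
    try:
        decrypt_object(retired, record)
        old_still_opens = True
    except KeyError:
        old_still_opens = False
    return same_ct and readable and not old_still_opens

if __name__ == "__main__":
    print("ok" if demo() else "FAILED")
```

The design choice worth noticing is that rotation touches only the small wrapped-DEK field, so a customer can retire a KEK on a schedule, or after suspecting exposure, without pulling every object back out of the provider's storage; and because the object name is bound into the tag, a record renamed or moved on the storage side fails to open instead of silently decrypting under the wrong context.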
Thank you for your attention
Eric Domage, Program Manager, European Security Products and Strategies
IDC EMEA Software Group, 13 Rue Paul Valéry
+33 1 56 26 26 69 / +33 6 07 03 07 76
edomage@idc.com
www.idc.com