Cloud computing & security. Gilles Bizet, Orange Consulting, 26 January 2011, CLUSIR RhA.
Agenda: 1. Preamble; 2. New risks to cover?; 3. New methods / new tools?; 4. Client cases.
Marketing buzz or reality?
Cloud computing: a logical convergence between the evolution of network performance and the evolution of IT technologies.
- 1970s, the age of dedicated IT and communications. IT: huge dedicated servers, bespoke proprietary systems, high costs, no flexibility. Network: private network, leased lines.
- 1990s, the age of shared IT and communications. IT: sleek rack and blade servers, client-server model, major software suites. Network: IP VPN, Internet revolution, virtual private network, managed IP VPN.
- Next: cloud computing. Green IT, virtualized, on-demand, shared, private and virtual private infrastructures, applications, usage-based billing.
Over the same period, applications moved from monolithic proprietary systems (CICS/RACF, GCOS7, ...) through databases, EDI, object programming, BPM, xml, SOA and Web services, and interoperability (EAI, IAM, ETL) to urbanised information systems. Security methods and standards followed the same path: Clusif-Marion, ISO 7498-2, ITSEC, ISO 13335-GMITS, SCSSI-EBIOS, Clusif-Mehari, ISO 27k, ISO 15408, PCI-DSS, firewalls and proxies, ISP/IDP and antivirus, ISMS, and finally Security as a Service.
Outsourcing vs cloud: a logical evolution.
- I manage in-house
- Third-party application maintenance (TMA)
- Remote operation
- Relocation
- Colocation
- Transformation
- Cloud
Sources: IDC 2010, Syntec 2010.
What is cloud computing? Cloud computing is a model for on-demand consumption of a pool of IT resources, accessible over a high-performance network, that can be rapidly provisioned and made available.
Three deployment models: private cloud (enterprise), hybrid cloud (mixed), public cloud (open).
Three service levels: (1) Infrastructure as a Service (infrastructure cloud), (2) Platform as a Service (development cloud), (3) Software as a Service (application cloud).
Cloud computing building blocks, across the three layers (3) Software as a Service, (2) Platform as a Service and (1) Infrastructure as a Service: sales, CRM, desktop suites, billing, HR, collaborative, CMS, vertical apps; BI, development, testing, pre-production; storage, backup/restore, archiving, unified comms, API services, databases, security, monitoring, reporting; cloud IT tools (provisioning, management, billing, support, ...), professional services, OS virtualization, device.
From an asset-ownership logic to a usage logic: the path to the cloud. In-house hosting, colocation, outsourcing, cloud computing.
- Economies of skills: maintenance and updates of hardware and licences; delegated management processes.
- Economies of scale: no purchase of static hardware; pooling of energy consumption and cooling.
- Flexibility of access and usage: virtualisation; dynamic resource allocation; access to services via Internet or intranet; pay per use.
Cloud computing: operational excellence, quality of service and security. The scope of cloud computing is an extended shared infrastructure; its core competencies are security, end-to-end quality of service commitments, a service operated 24x7, usage-based billing, a portal for ordering, management and reporting, management of services to end users, and regulatory compliance.
Flexible Computing: how does it work? Viewing the available resources; managing administrator rights; dynamic deployment of virtual architectures; administration of the deployed infrastructure; service accessible over the Internet or an intranet.
Cloud types and scopes: the responsibility axis for IaaS. Layers, from bottom to top: datacenter, network & servers, hypervisor, VM, operating system, application server, application. Four IaaS responsibility levels: 1. "pure" IaaS; 2. IaaS "with managed OS"; 3. IaaS "with managed application server"; 4. "fully managed" IaaS. Each level moves one more layer from management by the customer to management by the provider (the OS at level 2, the application server at level 3, the application at level 4).
- Service level: adapted to needs; flexibility & adaptability.
- Scopes: clear and contractualised.
- Security activities: identified, measurable, performed by the customer and by the provider.
- Reciprocity between the parties: controlled trust.
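The responsibility split above is easiest to reason about as a table that is computed from the service level rather than copied by hand, and then checked against what the contract actually says. The following is an added illustration, not code from the original deck or from Orange; the layer order and the four levels follow the slide, while the mapping of security activities to layers and the sample contract are constructed for the example.

```python
"""Shared-responsibility split for the four IaaS service levels on the slide,
plus a gap check between the level and the contract's provider commitments.
Added example: the activity-to-layer mapping and sample contract are constructed."""

# Layers from the datacenter upwards, in the slide's order.
LAYERS = [
    "datacenter", "network & servers", "hypervisor", "VM",
    "operating system", "application server", "application",
]

# Highest layer managed by the provider at each IaaS level (slide levels 1-4).
IAAS_LEVELS = {
    1: "VM",                  # "pure" IaaS
    2: "operating system",    # IaaS with managed OS
    3: "application server",  # IaaS with managed application server
    4: "application",         # fully managed IaaS
}

# Constructed mapping: which layer each security activity belongs to.
SECURITY_ACTIVITIES = {
    "physical access control": "datacenter",
    "network segmentation": "network & servers",
    "hypervisor hardening": "hypervisor",
    "VM image baseline": "VM",
    "OS patching": "operating system",
    "middleware patching": "application server",
    "application code review": "application",
}


def responsibility_split(level):
    """Return {layer: 'provider' | 'customer'} for an IaaS level 1-4."""
    top = LAYERS.index(IAAS_LEVELS[level])
    return {layer: ("provider" if i <= top else "customer")
            for i, layer in enumerate(LAYERS)}


def activity_owners(level):
    """Who must perform, and be able to evidence, each security activity."""
    split = responsibility_split(level)
    return {activity: split[layer] for activity, layer in SECURITY_ACTIVITIES.items()}


def contract_gaps(level, provider_commitments):
    """Two kinds of gap the slide warns about (scopes must be clear and contractualised):
    activities the contract lists as provider commitments but which the level leaves
    with the customer, and provider-owned activities the contract never commits to."""
    owners = activity_owners(level)
    assumed_but_customer = sorted(a for a in provider_commitments
                                  if owners.get(a) == "customer")
    provider_not_committed = sorted(a for a, owner in owners.items()
                                    if owner == "provider" and a not in provider_commitments)
    return {
        "customer_owned_but_assumed_provider": assumed_but_customer,
        "provider_owned_not_contractualised": provider_not_committed,
    }


if __name__ == "__main__":
    # Constructed sample: a level-2 contract whose provider commitments are incomplete
    # and also claim an activity that level 2 leaves with the customer.
    commitments = {"physical access control", "hypervisor hardening",
                   "OS patching", "middleware patching"}
    for activity, owner in activity_owners(2).items():
        print(f"{activity:28s} -> {owner}")
    print(contract_gaps(2, commitments))
```

Running the sample reports that "middleware patching" is assumed to be the provider's but belongs to the customer at level 2, and that "network segmentation" and "VM image baseline" are provider-owned yet absent from the commitments: exactly the kind of unclear scope the slide says must be contractualised.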
Cloud computing: a way to simplify security.
- Current infrastructures (physical servers): detection (IPS/IDS); antivirus, anti-spyware, personal proxy, personal firewall, encryption, secure OS, VPN (IPsec, SSL); change, patch and licence management; filtering, partitioning, routing, firewall, proxy, reverse proxy, load balancer; identity & access management; application security.
- Cloud-ready infrastructures: virtual desktop; VPN (IPsec, SSL); on-demand service catalog; green IT.
Agenda, section 2 of 4: New risks to cover?
Cloud main issues:
- Which part of our IT is cloud ready?
- Can we expect benefits (more business, better ROI, TTM improvement)?
- Is the cloud more or less secure than my current environment?
- What are the impacts on IT platforms and the data center?
- Will the cloud simplify my IT, and what are the main changes for end users?
- Are there best practices? How do we start?
- How does the CSP meet my needs? What are the CSP's commitments?
Security: one of the main issues for cloud computing. Cloud computing issues (source: Markess): security 31%, service availability 28%, quality of service 28%, network performance 23%, dependence on providers 20%. Factors for choosing cloud computing (source: IDC). Source: Gartner Research.
"7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content. We strongly encourage you, where available and appropriate, to use encryption technology to protect Your Content from unauthorized access and to routinely archive Your Content. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content."
http://aws-portal.amazon.com/gp/aws/developer/terms-and-conditions.html
"LIMITATION OF LIABILITY. YOU EXPRESSLY UNDERSTAND AND AGREE THAT GOOGLE AND PARTNERS SHALL NOT BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES (EVEN IF GOOGLE OR PARTNERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES) RESULTING FROM: (i) THE USE OR THE INABILITY TO USE GOOGLE SERVICES; (ii) THE COST OF PROCUREMENT OF SUBSTITUTE GOODS AND SERVICES RESULTING FROM ANY GOODS, DATA, INFORMATION OR SERVICES PURCHASED OR OBTAINED OR MESSAGES RECEIVED OR TRANSACTIONS ENTERED INTO THROUGH OR FROM GOOGLE SERVICES; (iii) UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR TRANSMISSIONS OR DATA; (iv) STATEMENTS OR CONDUCT OF ANY THIRD PARTY ON GOOGLE SERVICES; OR (v) ANY OTHER MATTER RELATING TO GOOGLE SERVICES."
http://www.google.com/apps/intl/en/terms/user_terms.html
Cloud components vs security challenges.
- Cloud-ready infrastructures: applications & tools qualification; virtual desktop; VPN (IPsec, SSL); on-demand service catalog; green IT.
- Security challenges: high-value target; identity & access management; compromise of the provisioning service or the configuration tools; multi-tenancy; cohabitation of policies; cloud interlinks; isolation; geolocation; hypervisor security; application sandboxes; traceability; auditability; accountability.
Cloud security: specific risks and specific benefits.
- Cloud-specific security risks: loss of control; data confidentiality (data retention time); infrastructure availability and segregation; abuse of privilege by the provider (lock-in vs reversibility); changes of jurisdiction (geolocation of the data center and of people).
- Expected benefits: economies of scale; rapid and smart scaling of resources; shared interfaces for managed security services; improved efficiency in change management; end-to-end SLAs.
Agenda, section 3 of 4: New methods / new tools?
Cloud security answers based on best practices.
- Security & risk management, ISO 27k. ISO 27002 chapters: 5. Security policy; 6. Organisation of information security; 7. Asset management; 8. Human resources security; 9. Physical security; 10. Communications & operations management; 11. Access control; 12. Information systems acquisition, development and maintenance; 13. Information security incident management; 14. Business continuity; 15. Compliance.
- Risk assessment, Nov. 2009: 35 risks (organisational, technical, legal).
- Security guide 2009-2010; recommendations for outsourcing, Dec. 2010.
- Contractualisation: SLA/SLO.
- CSA guide v2.1, control matrix, CSA threats v1.0, CSA IAM v2.1.
- eSCM: provider, 84 recommendations; client, 95 recommendations.
Cloud security.
«Transferring my data and my applications to the cloud is like depositing my money at the bank.»
«Cloud Computing isn't necessarily more or less secure than your current environment.» CSA, Security Guidance for Critical Areas of Focus in Cloud Computing v2.1, Dec. 2009.
«Cloud's economies of scale and flexibility are both a friend and a foe from a security point of view.» ENISA, Cloud Computing: Benefits, Risks and Recommendations for Information Security, November 2009.
Cloud security as a service: Orange best practices. Law & rules compliance; end-to-end SLAs; real-time application; identity and access management; multiple devices; business continuity and disaster recovery. Across the three layers ((3) Software as a Service, (2) Platform as a Service, (1) Infrastructure as a Service): vertical application; cloud-ready infrastructures; collaborative software; organisation and change management; data center protection; audit & penetration test; network capacity and availability; network and application performance probes management; data protection (storage/backup, secure archive, ILM); web protection; messaging protection; firewall, gateway, SSL; IT management; event & log management; intrusion detection.
Performance, service management and end-to-end security. (Diagram: end users 1 and 2 at site A and end user 1 at site B connected over the IP VPN network; mobile 3G/4G; data centers; Internet user.)
Example: IAM and cloud computing. One question: who accesses, or who tries (or has tried) to access, what, and when? Multiple answers:
- Organisational (defined in an external access policy): mapping of the populations (end users, operators, administrators, software vendors, developers, third-party application maintenance, ...); processes (provisioning, assignment of privileges, delegations, ...); time windows, timeouts, ...
- Technical: confidentiality of flows (VPN, SSL, ...); strong authentication (certificates, Radius, OTP, physical token, ...); traceability; partitioning/isolation; mobility; SSO/SLO, federation; interoperability (OpenID, OATH, SAML, SPML, API, scripting, ...).
Example: the cloud as a host for health data.
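The slide's question ("who accesses, or has tried to access, what, and when") is only answerable if access decisions are logged with the population of the requester and then actually reviewed against the access policy. The script below is an added example, not code from the original deck or from Orange: it parses a constructed key=value audit log (the format is an assumption), builds the who/what/when matrix, flags administrator access outside the policy's time window, and flags users with repeated denied attempts.

```python
"""Access traceability for a cloud-hosted resource: who accessed or attempted to
access what, when, checked against time windows and repeated denials.
Added example; the audit log format and its entries are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed audit lines, one per access decision. Timestamps are UTC.
SAMPLE_LOG = """\
2011-01-26T08:15:02Z user=alice population=end-user action=read resource=/records/42 result=allow src=10.1.0.5
2011-01-26T08:16:40Z user=alice population=end-user action=write resource=/records/42 result=allow src=10.1.0.5
2011-01-26T03:02:11Z user=bob population=administrator action=read resource=/records/* result=allow src=10.9.9.9
2011-01-26T12:00:01Z user=mallory population=developer action=read resource=/records/42 result=deny src=203.0.113.7
2011-01-26T12:00:03Z user=mallory population=developer action=read resource=/records/43 result=deny src=203.0.113.7
2011-01-26T12:00:05Z user=mallory population=developer action=read resource=/records/44 result=deny src=203.0.113.7
2011-01-26T09:30:00Z user=carol population=operator action=restart resource=vm-web-01 result=allow src=10.1.0.20
"""

# Constructed policy: administrators may only act during business hours (slide's "time windows").
ADMIN_WINDOW = {"administrator": (time(7, 0), time(20, 0))}


def parse_log(text):
    """Turn each audit line into a dict; 'ts' holds the parsed timestamp."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        event = dict(field.split("=", 1) for field in fields)
        event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def access_matrix(events):
    """Who accessed (or attempted) what: {user: {resource: Counter(result)}}."""
    matrix = defaultdict(lambda: defaultdict(Counter))
    for event in events:
        matrix[event["user"]][event["resource"]][event["result"]] += 1
    return matrix


def outside_time_window(events, windows):
    """Events from a population that has an allowed window, falling outside it."""
    hits = []
    for event in events:
        window = windows.get(event["population"])
        if window and not (window[0] <= event["ts"].time() <= window[1]):
            hits.append(event)
    return hits


def repeated_denials(events, threshold=3):
    """Users with at least `threshold` denied attempts: who *tried* to access what."""
    denied = Counter(event["user"] for event in events if event["result"] == "deny")
    return {user: count for user, count in denied.items() if count >= threshold}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, resources in access_matrix(events).items():
        for resource, results in resources.items():
            print(f"{user:8s} {resource:14s} {dict(results)}")
    print("outside window:",
          [(e["user"], e["ts"].isoformat()) for e in outside_time_window(events, ADMIN_WINDOW)])
    print("repeated denials:", repeated_denials(events))
```

On the sample the matrix shows alice reading and writing /records/42, the administrator bob is flagged for a wildcard read at 03:02 outside the 07:00-20:00 window, and mallory is flagged for three denied reads in a row. Which populations get a time window, and what denial count is worth an alert, are policy decisions that belong in the external access policy the slide mentions, not in the code.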
Example: highly secured sites and infrastructures.
A global approach, from strategy to implementation and run.
- Cloud target design: ICT architecture design; cloud business model; end-to-end SLA; service management design.
- Cloud readiness assessment: ICT architecture assessment; business impact analysis; service management assessment.
- Cloud transition plan: data migration; BCP/DRP; BSS/OSS automation; service management transition.
- Cloud service management: customer care; capacity management; service operation; continual service improvement; green IT.
Key point: the assessment phase. Are you cloud ready? Ten sample questions for a cloud-readiness diagnostic:
- «Do you need to adapt and optimize the performance of your critical applications?»
- «Do you have load peaks due to a seasonal application lifecycle?»
- «Do you have strong needs to reduce the TTM for new IT services?»
- «Do you have a clear vision of ICT costs (per user / per application)?»
- «Do you plan to launch an ICT transformation project (virtualisation, outsourcing, ...)?»
- «Do you intend to optimize your ICT processes and improve their ITIL/ISO 20k compliance?»
- «Do you feel confident about your IT security?»
- «Is the pay-per-use model relevant for some of your applications?»
- «Do your service management tools (provisioning, monitoring, metering, billing, security alerts) match your business needs?»
- «What changes do you expect in the relationship between business users and IT delivery?»
Cloud readiness assessment tools.
- Applications: inventory, lifecycle, interlinks, data volumes, critical applications map.
- Network: LAN & WAN, mobility, flow rates, protocol filtering, network map.
- Security: security constraints, data protection, identity & access management, security policy.
- Platforms: servers & workstations, DB, middleware & OS, licences, application performance, virtualization eligibility.
- Contracts: regulations & laws, commitments & SLAs, hosting contracts, outsourcing contracts, contract analysis.
- Business: critical business processes, critical competencies, IT carbon footprint, benefits & costs, business & HR impacts.
- Service management: demand management, incident management, monitoring/reporting, capacity management.
- Probes & discovery tools, samples: PlateSpin, Compuware, InfoVista, opennet, Riverbed, Securactive, Juniper, Packeteer, Ipanema, Cisco, Blue Coat, netdiscover, ...
Demands & needs (JOA).
- Are you cloud ready? Virtualization assessment; application performance assessment; security assessment; service management assessment; IT carbon footprint.
- IT conceptual design: IT service catalog; IT architecture design; service management (service portfolio, QoS/QoE, SLAs, monitoring/reporting tools & practices, capacity management); security (PAS, risk analysis, audit / penetration tests).
- IT transition plan: project portfolio; risk analysis / decision matrix; milestones & deliverables; ROI/TEI tools.
- Customer experience, PMO: customer behaviour analysis; business case design; business model; project portfolio; CIO coaching.
Cloud and security: conclusion. The cloud is a "natural" evolution; security is an unavoidable requirement.
- Centralisation/concentration; cohabitation/colocation; transfer of responsibility; specific needs.
- From the bastion to defence in depth; geolocation of assets and people; confinement/isolation; vigilance.
- From the user as consumer to the user as actor.
Agenda, section 4 of 4: Client cases.
Cloud readiness assessment, business case: government institution. On-demand web application hosting platform for citizen online services. Domains and key factors (requirement level rated on a - to + scale):
- Flexibility: seasonal applications; load peaks; tailored billing model.
- Security: dedicated platform with dedicated people.
- QoS/QoE: business SLAs; end-to-end commitment; high-level & technical reporting.
Cloud readiness assessment, business case: financial company. On-demand web application development platform for internal customers. Domains and key factors (requirement level rated on a - to + scale):
- Industrial lifecycle management: development, test, pre-production, production; 24/7 monitoring; best-practice sharing; security process & tools sharing.
- Infrastructure capacity: worldwide access.
- ROI: CAPEX reduction; TTM improvement; pay-for-use model.
Cloud readiness assessment, business case: luxury company. Infrastructure as a Service. Domains and key factors (requirement level rated on a - to + scale):
- Cost reduction: virtualization enforced; data center consolidation; SLA review; mixing shared & private infrastructures.
- Flexibility: capacity on demand; change management reactivity.
- Collaborative work: team building; training; communication.
Cloud readiness assessment, business case: industry. Marketplace for technical software. Domains and key factors (requirement level rated on a - to + scale):
- Business model: get closer to the customers; pay per use; subscription; micro-payment.
- Architecture: layer between front office and back office; CRM integration; a programming platform.
- TTM: short-term project.
Gilles Bizet, Orange Consulting. Phone: +33 2 23 20 41 61. Mobile: +33 6 80 61 41 51. gilles.bizet@orange-ftgroup.com