Security in Cloud computing


Thales & Cloud
Daniel PAYS - daniel.pays@thalesgroup.com
Advanced Studies director
System C4I Security and Defense
Plenary Cloud Computing Session
FIA - Budapest - 19/5/2011
Thales: Cloud challenges & positioning

SECURITY CHALLENGES
• Security assurance and cyber-security
• Self-provisioning & automatic deployment according to functional and non-functional requirements
• Multi-site federation with encryption
• Supervision of the physical infrastructure and application Key Performance Indicators
• Role Based Access Control
• Application security
• Content-based security
• Roles & rights management
• Identity management & interoperability
• Persistent data security
• Infrastructure security
• Trusted isolation
• Trusted network management
• Platform security protection
• Trusted application server
• Secure programming framework
• Source code evaluation framework

DIFFERENTIATORS (layered cloud architecture shown on the slide, from demand side down to supply side)
• Demand: Users, Power users, Operators, Admin
• Service Portal, with SLA (availability, performance, elasticity) and Offering Catalog
• Services: provisioning, management and control
• Cloud Service Manager: Service Management (configuration, change, billing); Security Management (role and identity, audit, isolation, data); Supervisor (command and control)
• Middleware: usage mediation, placement, optimization, federation
• Network automation, Server automation, Storage automation
• Local resource managers and hypervisors
• Supply: Resources (Physical, Storage, Network)
Thales Communications S.A.
THALES and FI-PPP
CONCORD (CSA)
INFINITY (CSA)
INSTANT MOBILITY (IP)
FINSENY (IP)
FI-CONTENT (IP)
SAFE CITY (IP)
FINEST(IP)
OUTSMART(IP)
SMARTAGRIFOOD (IP)
ENVIROFI (IP)
FI-WARE (IP)
http://www.fi-ppp.eu/
FI-PPP Security – Targeted Results
• Generate trust and confidence by developing and providing security services for the Future Internet
  Open specifications, Reference Implementation, KPIs, ...
• Core security generic enablers demanded by FI Pillars and Usage Areas (FI-WARE), including:
  Identity and Access Management
  Authorization and Usage Control Policies
  Privacy and Trust
  Auditing
• Complemented by optional generic enablers which might be used for specific needs requested by the FI Smart applications at hand (e.g. data anonymization, data protection, filtering, ...)
FI-PPP Exemplification - Security usability
For cloud computing, FI-PPP puts forward:
• End-to-end trust and data security
• Isolation across virtual domains
• Risk analysis and vulnerability mitigation
• Secure administration, alerting and reporting
• Smart decision support in case of cyber-attacks
• Weak-signal detection and response
• Permanent life-cycle management of security
• User-centric, intuitive security mechanisms
• A multi-disciplinary approach with the human sciences (Ethics, Legal, Sociology, Psychology, ...)
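The positioning slide lists Role Based Access Control and roles & rights management for the actor classes Users, Power users, Operators and Admin, and the slide above adds isolation across virtual domains. The following is an added example, not code from the Thales slides or from Andromède: a deny-by-default authorizer for a self-service cloud portal that combines a role hierarchy with a tenant check, so that no role, however privileged, reaches another tenant's resources, and that records every decision for audit. The permission table, the role inheritance, the resource kinds and the sample directory are assumptions made for this illustration.

```python
"""
Added example (not from the Thales slides): deny-by-default RBAC plus tenant
isolation for a self-service cloud portal.  Roles follow the four actor
classes on the slide; the permission table and inheritance are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Permission = Tuple[str, str]  # (action, resource_type)

# Assumed permission table.  Anything not listed here is denied.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "user":       {("read", "catalog"), ("read", "vm")},
    "power_user": {("provision", "vm"), ("manage", "vm")},
    "operator":   {("control", "vm"), ("manage", "network"), ("read", "kpi")},
    "admin":      {("manage", "role"), ("read", "audit")},
}

# Assumed hierarchy: a role inherits the permissions of the roles it extends.
ROLE_PARENTS: Dict[str, List[str]] = {
    "power_user": ["user"],
    "operator": ["power_user"],
    "admin": ["operator"],
}


def effective_permissions(role: str) -> FrozenSet[Permission]:
    """Own permissions plus inherited ones; tolerates cycles in ROLE_PARENTS."""
    seen: Set[str] = set()
    perms: Set[Permission] = set()
    stack = [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        perms |= ROLE_PERMISSIONS.get(r, set())
        stack.extend(ROLE_PARENTS.get(r, []))
    return frozenset(perms)


@dataclass(frozen=True)
class Principal:
    name: str
    tenant: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Resource:
    kind: str
    tenant: str


@dataclass
class Decision:
    allowed: bool
    reason: str


class PortalAuthorizer:
    """Deny-by-default authorizer that keeps an audit line per decision."""

    def __init__(self, principals: Dict[str, Principal]) -> None:
        self._principals = principals
        self.audit: List[str] = []

    def authorize(self, who: str, action: str, resource: Resource) -> Decision:
        principal = self._principals.get(who)
        if principal is None:
            decision = Decision(False, "unknown principal")
        elif principal.tenant != resource.tenant:
            # Tenant isolation is checked before roles: no role crosses tenants.
            decision = Decision(False, "cross-tenant access")
        else:
            granted: Set[Permission] = set()
            for role in principal.roles:
                granted |= effective_permissions(role)
            if (action, resource.kind) in granted:
                decision = Decision(True, "granted by role")
            else:
                decision = Decision(False, "no role grants this action")
        verdict = "ALLOW" if decision.allowed else "DENY"
        self.audit.append(
            f"{verdict} {who} {action} {resource.kind}@{resource.tenant}: "
            f"{decision.reason}"
        )
        return decision


# Constructed sample directory, for demonstration only.
DIRECTORY: Dict[str, Principal] = {
    "alice": Principal("alice", "tenant-a", frozenset({"user"})),
    "bob":   Principal("bob",   "tenant-a", frozenset({"power_user"})),
    "carol": Principal("carol", "tenant-b", frozenset({"admin"})),
}


def demo() -> List[Decision]:
    """Run a fixed set of requests and return the decisions in order."""
    auth = PortalAuthorizer(DIRECTORY)
    vm_a = Resource("vm", "tenant-a")
    vm_b = Resource("vm", "tenant-b")
    results = [
        auth.authorize("alice", "provision", vm_a),   # plain user: denied
        auth.authorize("bob", "provision", vm_a),     # power user: allowed
        auth.authorize("carol", "control", vm_a),     # admin, wrong tenant
        auth.authorize("carol", "control", vm_b),     # admin, own tenant
        auth.authorize("mallory", "read", vm_a),      # unknown principal
    ]
    for line in auth.audit:
        print(line)
    return results


if __name__ == "__main__":
    demo()
```

The order of checks is the point: identity first, tenant second, role last, so that a misconfigured or over-broad role can never widen the tenant boundary, and every outcome, including denials, lands in the audit trail the slide lists under Security Management.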
FI-PPP Exemplification - Identity & Trust
Trusted federations increase efficiency
Federation between heterogeneous domains:
• One account instead of an unlimited number of accounts
• Simplified password management
• Eases collaboration environments for enterprises
• Minimizes security overhead through sharing resources and information
• The eID card is a gateway to personal information.
« Andromède »: trusted digital agency (« Grand Emprunt », 15 May 2011)
« Design, build and run a trusted and secured "digital factory" infrastructure, to sustain economic competitiveness (France and Europe) »

Andromède security by Thales
• Andromède security requirements formalisation
• Tools for application & services development, test, deployment and run in a trusted way
• A resilient and secured infrastructure architecture (flow isolation, hardening, zone management, localisation, ciphering, ...)

[Architecture diagram, labelled in French. Actors: administrator, operator, user, client, reached from the Internet through firewalls. Zones: administration zone, operations zone, access security zone, services infrastructure zone, repository zone, configuration zone, supervision zone, backup zone, Cloud services zone, each hosted on hypervisors. Components labelled on the diagram: VDI, WALLIX, Juniper Secure Access, Datacryptor / Mistral encryptors, SAMLv2, LDAP, NTP, Snort, XML gateway, CA, RSA SecurID, nCipher, SAN, Novell, policy engine, forensic suite, Net log, HMI.]
• Solutions & services provided by Thales
  Supply & integration of security solutions & equipment
  Security operator
• Targets to be defined
  A separate security operator providing global security services:
  Target ISO 27001 and Andromède certification (ANSSI)
  Optional added-value services: identity federation, intrusion detection/prevention, DRP as a service, application scan tests, vulnerability assessment, intrusion testing, ...
  Different players: telecom carriers, hosters, outsourcers
Trusted cloud life cycle: follow-up

[Life-cycle diagram. Governance spans the chain Co-design -> Development -> Validation -> Transition -> Production Cloud -> Deployed Service, with a Feedback loop (lessons learnt, bugs, logs) back to the start. Validation criteria: Functionalities, Manageability, Security. Roles along the chain: designer, developer, integrator, operator, end user. Tooling: IDE/SDK and common tools (Portfolio, Program, Configuration, deployment) that help & constrain development; Application support, Middleware and Operating tool on the production side; Store for the deployed service.]