Security in Cloud computing by hcj


Thales & Cloud
Daniel PAYS - daniel.pays@thalesgroup.com
Advanced Studies director
System C4I Security and Defense

Plenary Cloud Computing Session
FIA - Budapest - 19/5/2011
                            Thales: Cloud challenges & positioning

     SECURITY CHALLENGES
      Application security
               Content-based security
               Roles & rights management
               Identity management & interoperability
               Persistent data security
      Infrastructure security
               Trusted isolation
               Trusted network management
      Platform security
               Trusted application server
               Secure programming framework
               Source code evaluation framework
      Security assurance and Cyber-security

     DIFFERENTIATORS
      Security assurance and Cyber-security
      Self-provisioning & automatic deployment according to functional and non-functional requirements
      Multi-site federation with encryption
      Supervision of the physical infrastructure and applicative Key Performance Indicators
      Role Based Access Control

[Diagram: cloud service stack, with the SLA (services, security, elasticity) sitting between Demand and Supply. Demand side: Users, Power users, Operators, Admin; Service Offering Catalog; Portal; Services: provisioning, management and control. Delivery: Cloud Service Manager; Security Management: role and identity, audit, isolation, data protection; Service Management: configuration, change, billing; Supervisor: command and control, availability, performance; Middleware: usage mediation, placement, optimization, federation; Network, Server and Storage automation. Supply: Local resource managers and hypervisors; Resources (Physical, Storage, Network).]

Thales Communications S.A.
                                                    THALES and FI-PPP

                            CONCORD (CSA)
                            INFINITY (CSA)

                            INSTANT MOBILITY (IP)
                            FINSENY (IP)
                            FI-CONTENT (IP)
                            SAFE CITY (IP)
                            FINEST (IP)
                            OUTSMART (IP)
                            SMARTAGRIFOOD (IP)
                            ENVIROFI (IP)
                            FI-WARE (IP)

    http://www.fi-ppp.eu/
                                  FI-PPP Security – Targeted Results

    • Generate Trust and confidence by developing and providing
      security services for the Future Internet
            Open specifications, Reference Implementation, KPI, ...

    • Core security generic enablers (FI-WARE) demanded by FI Pillars and
      Usage Areas, including:
            Identity and Access Management
            Authorization and Usage Control Policies
            Privacy and Trust
            Auditing
    • Complemented by optional generic enablers which might be
      used for specific needs requested by the FI Smart applications at
      hand (e.g. data anonymization, data protection, filtering, ...)
                       FI-PPP Exemplification - Security usability

 In cloud computing, FI-PPP puts forward:
      End-to-end trust and data security
      Isolation across virtual domains
      Risk analysis and vulnerability mitigation
      Secure administration, alerting and reporting
      Smart decision support in case of cyber-attacks
      Weak signal detection and response
      A permanent Life Cycle management of Security

      User-centric intuitive security mechanisms

 A pluri-disciplinary approach with Human Sciences (Ethics,
 Legal, Sociology, Psychology, ...)
                          FI-PPP Exemplification Identity & Trust

     Trusted federations increase efficiency

 Federation between heterogeneous domains:
      One account versus an unlimited number of accounts
      Simplified password management
      Eased collaboration environments for Enterprises
      Minimizes security overhead through sharing
        resources and information

      eID card is a gateway to personal information.
« Design, Build and Run a trusted and secured "digital factory" infrastructure,
to sustain economic competitiveness (France and Europe) »

                                    « Andromède »
                                 Trusted digital agency
                                         « Grand Emprunt »
                                         2011 May the 15th
                                                  Andromede security by Thales
    •   Andromede security requirements formalisation

    •   Tools for application & services development, test,
        deployment and run in a trusted way

    •   A resilient and secured infrastructure architecture (flows

[Diagram: Andromède secured infrastructure architecture. Zones: administration zone (operator administrator), security administration zone, secured access zone (user, client administrator, Internet), services zone (LDAP, DNS, NTP, CA), configuration repository zone (XML), security zone. Components labelled: VDI, WALLIX, firewalls (FW), Juniper Secure Access, DataCryptor / Mistral, SAML v2, nCipher, RSA SecurID, Snort, CYBELS, hypervisors hosting client VMs A/B/C, infrastructure, SAN.]




        isolation, hardening, Zones management, localisation,
                                                                                                             Zo                                                                                pe                                                                                      se
                                                                                          ne             Net                                                                                        rvis                                                                                  ur    C                                                            Dat
                                                                                          nes                   ne
                                                                                                       +S Fore log                                                                                         ion
                                                                                              se
                                                                                               erv       uite ns
                                                                                                             Nov ic                                                                                                         Snort
                                                                                                                                                                                                                                                                                                                                                                                                         d
                                                                                    Hyperviseur rvic
                                                                                                   ice           ell
                                                                                                                             Zo                                                                                                                                                                                                                                                                       lou
                                                                                                     es &
                                                                                                       s                        ne
                                                                                                                                   Pol
                                                                                                                                                                                                                      IHM
                                                                                                                                                                                                                              T 2.
                                                                                                                                                                                                                                  0                                                                           C
                                                                                                                                                                                                                                                                                                         Hyp lient
                                                                                                                                                                                                                                                                                                                                                                                                 sC
                                                                                                           &s sé
                                                                                                                                       icy
                                                                                                                                           Eng
                                                                                                                                                                                                                            GW                                                                              ervi
                                                                                                                                                                                                                                                                                                                se
                                                                                                                                                                                                                                                                                                                     B             A
                                                                                                                                                                                                                                                                                                                                                                                          rce
                                                                                                                éc
                                                                                                                                                                                                                                                                                                                                                                                        ou
                                                                                                                                               ine                                                                                                                                                                 ur
                                                                                                                     cu
                                                                                                                      urit
                                                                                                                        rité                                                                                                                                                                                                                                                     ss


        cyphering,…)
                                                                                                                          é                                      Zo
                                                                                                                                                                      ne
                                                                                                                                                                           sa                                                                                                                                                                                               Re
                                                                                                                                                                                uv
                                                                                                                                                                                     eg
                                                                                                                                                                                          arde


                                                                                                                                 Hyperviseur




        •   Solutions & services provided by Thales
            -  Supply & integration of security solutions & equipment
            -  Security operator

        •   Targets to be defined
            -  A separate security operator providing global security services:
               target ISO 27001 and Andromède certification (ANSSI);
               optional added-value services: identity federation, intrusion
               detection/prevention, DRP as a service, application scan tests,
               vulnerability assessment, intrusion testing
            -  Different candidates: telecom carriers, hosters, outsourcers

8
                                         Trusted cloud life cycle: follow-up

        [Figure: life-cycle diagram. Stages: Governance, Co-design, Development (IDE/SDK to help & constrain development), Validation (functionalities, manageability, security, …), Transition, Production, Cloud deployed service (application support, middleware, operating tool), Store; feedback loop: lessons learnt, bugs, logs. Roles: designer, developer, integrator, operator, end user. Common tools: portfolio, program, configuration, deployment.]
9
