Security in cloud computing
26/11/2010
Thales & Cloud
Daniel PAYS - [email protected]
Advanced Studies Director
System C4I Security and Defense
Plenary Cloud Computing Session, FIA - Budapest - 19/5/2011
Thales: Cloud challenges & positioning
SECURITY CHALLENGES
• Application security: content-based security; roles & rights management; identity management & interoperability; persistent data security
• Infrastructure security: trusted isolation; trusted network management
• Platform security: trusted application server; secure programming framework; source code evaluation framework
• Security assurance and cyber-security
Thales Communications S.A.
[Figure: Thales cloud positioning, organised in three columns, Demand / Delivery / Supply. Demand: Users, Admin, Power users; Portal services: provisioning, management and control; Service Offering Catalog. Delivery: Cloud Service Manager (availability, performance); Supervisor (command and control); Service Management (configuration, change, billing); Security Management (role and identity, audit, isolation, data protection); Middleware (usage mediation, placement, optimization, federation); Operators SLA (services, security, elasticity). Supply: Local resource managers and hypervisors; Network automation; Server automation; Storage automation; Resources (physical, storage, network).]
DIFFERENTIATORS
• Security assurance and cyber-security
• Self-provisioning & automatic deployment according to functional and non-functional requirements
• Multi-site federation with encryption
• Supervision of the physical infrastructure and of application Key Performance Indicators
• Role Based Access Control
THALES and FI-PPP
CONCORD (CSA)
INFINITY (CSA)
INSTANT MOBILITY (IP)
FI-WARE (IP)
ENVIROFI (IP)
SMARTAGRIFOOD (IP)
OUTSMART (IP)
FINEST (IP)
SAFE CITY (IP)
FI-CONTENT (IP)
http://www.fi-ppp.eu/
FINSENY (IP)
FI-PPP Security – Targeted Results
• Generate trust and confidence by developing and providing security services for the Future Internet
Open specifications, reference implementation, KPIs, ...
Core security generic enablers demanded by the FI pillars and usage areas, including: identity and access management; authorization and usage control policies; privacy and trust; auditing
Complemented by optional generic enablers that may be used for the specific needs of the FI smart applications at hand (e.g. data anonymization, data protection, filtering, ...)
FI-WARE
FI-PPP Exemplification - Security usability
In cloud computing, FI-PPP provides:
End-to-end trust and data security
Isolation across virtual domains
Risk analysis and vulnerability mitigation
Secure administration, alerting and reporting
Smart decision support in case of cyber-attacks
Weak signal detection and response
Permanent life-cycle management of security
User-centric, intuitive security mechanisms
A pluri-disciplinary approach with the human sciences (ethics, law, sociology, psychology, ...)
FI-PPP Exemplification - Identity & Trust
Federation between heterogeneous domains:
One account instead of an unlimited number of accounts
Simplified password management
Easier collaboration environments for enterprises
Minimizes security overhead through sharing of resources and information
Trusted federations increase efficiency
The eID card is a gateway to personal information.
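The federation this slide describes (one account honoured across heterogeneous domains) and the Role Based Access Control listed among the differentiators on slide 2, as an added example that is not part of the original presentation or of any Thales or FI-WARE component. An identity provider (IdP) in domain A signs an assertion about a user; the service provider (SP) in domain B verifies the signature, audience and validity window, then maps the federated roles onto its own permissions. Everything below is assumed for the example: the assertion is JSON signed with HMAC-SHA256 over a key shared by the two domains (a stand-in for the XML signature on a SAMLv2 assertion), and the issuer URL, audience URL and `ROLE_MAP` are invented.

```python
"""Added example: cross-domain identity federation with role-based access control.

Assumptions (not from the slides): HMAC-SHA256 over a pre-shared key stands in
for a SAMLv2 XML signature; issuer/audience URLs and ROLE_MAP are invented.
"""
import base64
import hashlib
import hmac
import json
import time

SHARED_KEY = b"constructed-demo-key-do-not-reuse"   # assumed: pre-shared between domains
IDP_ISSUER = "https://idp.domain-a.example"          # assumed identifier of the IdP
SP_AUDIENCE = "https://portal.domain-b.example"      # assumed identifier of the SP

# Federated role -> local permissions, keyed by issuer so that a role is only
# honoured when asserted by an IdP this SP trusts (assumed mapping).
ROLE_MAP = {
    (IDP_ISSUER, "developer"): {"deploy:test", "read:logs"},
    (IDP_ISSUER, "operator"): {"deploy:prod", "read:logs", "manage:vm"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue_assertion(key, subject, roles, issuer, audience, ttl_s=300, now=None):
    """IdP side: build a claim set bound to one audience and sign it."""
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "roles": sorted(roles), "nbf": now, "exp": now + ttl_s}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_assertion(key, token, audience, now=None):
    """SP side: check signature, audience and validity window before any claim
    is trusted. Raises ValueError on any failure (malformed token, bad
    signature, wrong audience, outside the validity window)."""
    now = int(time.time()) if now is None else now
    body_b64, sig_b64 = token.split(".")          # ValueError if not exactly two parts
    body, sig = _unb64(body_b64), _unb64(sig_b64)  # binascii.Error is a ValueError
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):    # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims.get("aud") != audience:
        raise ValueError("assertion not intended for this service")
    if not (claims["nbf"] <= now < claims["exp"]):
        raise ValueError("assertion outside its validity window")
    return claims


def local_permissions(claims):
    """Map (issuer, federated role) pairs to local permissions; roles from an
    issuer that is not in ROLE_MAP grant nothing."""
    perms = set()
    for role in claims.get("roles", []):
        perms |= ROLE_MAP.get((claims.get("iss"), role), set())
    return perms


def authorize(key, token, audience, action, now=None):
    """True only if the assertion verifies AND the mapped roles allow `action`."""
    try:
        claims = verify_assertion(key, token, audience, now)
    except ValueError:
        return False
    return action in local_permissions(claims)


if __name__ == "__main__":
    t = int(time.time())
    token = issue_assertion(SHARED_KEY, "alice", ["developer"], IDP_ISSUER, SP_AUDIENCE, now=t)
    print("read:logs  ->", authorize(SHARED_KEY, token, SP_AUDIENCE, "read:logs", now=t))
    print("deploy:prod ->", authorize(SHARED_KEY, token, SP_AUDIENCE, "deploy:prod", now=t))
```

The two design points worth keeping from this sketch carry over to a real SAMLv2 deployment: the audience check stops an assertion issued for one service being replayed at another, and keying the role mapping by issuer means a second, less trusted IdP cannot assert its way into the operator role.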
« Andromède »
Trusted digital agency
« Design, build and run a trusted and secured "digital factory" infrastructure, to sustain economic competitiveness (France and Europe) »
« Grand Emprunt »
15 May 2011
Andromède security by Thales
• Andromède security requirements formalisation
Tools for application & service development, test, deployment and run in a trusted way
A resilient and secured infrastructure architecture (flow isolation, hardening, zone management, localisation, encryption, ...)
• Solutions & services provided by Thales
Supply & integration of security solutions & equipment
Security operator
• Targets to be defined
A separate security operator providing global security services: target ISO 27001 and Andromède certification (ANSSI)
Optional added-value services: identity federation, intrusion detection/prevention, DRP as a service, application scan tests, vulnerability assessment, intrusion testing
Different from: telecom carrier, hosters, outsourcers
[Figure: Andromède reference architecture (labels translated from French). Zones: operator operations administration zone; operator security administration zone; client administration zone; services zone (LDAP, DNS, NTP); configuration zone (XML repository); services & security zone (CA, HMI, Snort); log zone; policy engine zone; secure access zone; backup zone; supervision zone; quarantine zone; infrastructure zone. Cloud resources: hypervisors hosting Client A, Client B and Client C workloads behind firewalls, with SAN and data stores. Actors: operator administrator, client administrator, user (via VDI); Internet reached through firewalls. Named components: nCipher, RSA SecurID, Juniper Secure Access, WALLIX, NIM NetForensic + Novell suite, CYBELS, GWT 2.0, DataCryptor/Mistral, SAMLv2.]
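The flow isolation and zone management named in the Andromède requirements above, and the zoned architecture of the figure, as an added example that is not part of the original presentation or of any Thales product. Inter-zone flows are modelled as firewall rules `(initiating zone, destination zone, service)` checked against a default-deny policy, and tenant zones are additionally checked for transitive reachability: two tenants that may each talk to a shared services zone are still isolated, but one rule letting the shared zone initiate into a tenant opens a path between tenants that a per-rule review does not see. The zone names, the `ALLOWED` policy and the `RULES` set are constructed for the example and are not the real Andromède policy.

```python
"""Added example: zone flow-isolation checker (zone names and policy are assumed)."""
from collections import deque

TENANTS = {"client-a", "client-b", "client-c"}

# Default-deny policy: (initiating zone, destination zone). Assumed, inspired
# by the figure: users enter through the secure access zone, administrators
# work through VDI, tenants may only reach shared services and the log zone.
ALLOWED = (
    {
        ("internet", "secure-access"),
        ("secure-access", "vdi"),
        ("vdi", "admin-ops"), ("vdi", "admin-sec"),
        ("admin-ops", "supervision"), ("admin-ops", "configuration"),
        ("admin-sec", "policy-engine"), ("admin-sec", "log"),
        ("supervision", "log"),
    }
    | {(t, "services") for t in TENANTS}     # DNS/NTP/LDAP in the services zone
    | {("admin-ops", t) for t in TENANTS}    # operator administration of tenants
    | {(t, "log") for t in TENANTS}          # tenants ship logs out
)


def rule_violations(rules):
    """Rules whose (src, dst) pair is not explicitly allowed by the policy."""
    return [r for r in rules if (r[0], r[1]) not in ALLOWED]


def reachable(rules, start):
    """Zones reachable from `start` by chaining rules in connection-initiation
    direction: the worst case in which a compromised zone pivots through every
    zone it may connect to. The start zone itself is not reported."""
    adj = {}
    for src, dst, _service in rules:
        adj.setdefault(src, set()).add(dst)
    seen, queue = set(), deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in adj.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def tenant_leaks(rules):
    """Ordered tenant pairs (a, b) where a can reach b, directly or transitively."""
    return sorted((a, b) for a in TENANTS
                  for b in reachable(rules, a) if b in TENANTS and b != a)


# Constructed rule set: compliant except for two mistakes an operator might make.
RULES = [
    ("internet", "secure-access", "tcp/443"),
    ("secure-access", "vdi", "tcp/443"),
    ("vdi", "admin-ops", "tcp/22"),
    ("admin-ops", "client-a", "tcp/22"),
    ("admin-ops", "client-b", "tcp/22"),
    ("client-a", "services", "udp/53"),
    ("client-b", "services", "udp/53"),
    ("client-c", "services", "udp/123"),
    ("client-a", "log", "udp/514"),
    ("client-a", "client-b", "tcp/445"),   # mistake 1: direct tenant-to-tenant flow
    ("services", "client-c", "tcp/22"),    # mistake 2: shared zone may initiate into a tenant
]

if __name__ == "__main__":
    print("policy violations:", rule_violations(RULES))
    print("tenant leaks     :", tenant_leaks(RULES))
```

Running it reports the direct `client-a -> client-b` rule as both a policy violation and a leak, and the `services -> client-c` rule as a violation that turns every tenant's legitimate access to the services zone into a path into `client-c`; dropping the two offending rules leaves no tenant able to reach another.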
Trusted cloud life cycle: follow-up
[Figure: life-cycle loop. IDE/SDK (helps and constrains development) -> Deployed Service -> Store (functionalities, manageability, security, ...). Common tools: portfolio, program, configuration, deployment; application support, middleware; cloud operating tool. Feedback: lessons learnt, bugs, logs. Life-cycle governance, co-design.]