Post on 08-Jun-2018
Day 2, Thursday, 2012 Jan 19, 09.00 hrs
SESSION 4: Security in the Cloud
THE EMERGING CLOUD ECOSYSTEM: cyber security plus LI/RD
Tony Rutkowski, Yaana Technologies
7th ETSI Security Workshop, 18‐19 Jan 2011
© ETSI 2012. All rights reserved
Outline
Security as a Business opportunity: A winning driver to ensure technology success and increase confidence and trust amongst end‐users!
Current Cloud developments
Cyber security and LI/RD developments
Business opportunities
ETSI/Security Workshop (7) S4
The Basics: a new cloud‐based global communications infrastructure is emerging
Global network architectures are profoundly, rapidly changing
• PSTNs/mobile networks are disappearing
• Internet is disappearing
• Powerful end user devices for virtual services are becoming ubiquitous
• End user behavior is nomadic
• Huge data centers optimized for virtual services combined with local access bandwidth are emerging worldwide as the new infrastructure
These changes are real, compelling, and emerging rapidly
Bringing about a holistic “cloud” ecosystem is occupying industry in almost every venue around the world
The Basics: a new cloud‐virtualized global communications architecture
[Figure: layered architecture diagram; labels: Virtualized devices; Line or air interfaces; Access, IdM & transport cloud virtualization services; Intercloud services; General services; Other cloud virtualization services, especially for application support]
Current Cloud developments
• Implementations
• Industry Collaboration and Reports
Implementers – Top 50 in early 2011*
10gen
Akamai
Amazon
Apigee
Apple
ARM
Aryaka
Aspera
Boundary
Calxeda
China Telecom
Cisco
Citrix
Cloud Passage
Cloud.com
Cloudera
CloudSwitch
Couchbase
CSC
Dell
DotCloud
Embrane
Enomaly
Eucalyptus Systems
Facebook
FluidInfo
Fusion IO
GoGrid
Green Revolution
IBM
Intel
IO Turbine
Joyent
Juniper
Microsoft
New Relic
Nicira
Nimbula
Nutanix
Power Assure
Rackspace
Red Hat
RightScale
Salesforce.com
SeaMicro
Sentilla
SynapSense
Verizon/Terremark
VMware
Zeus Technology
* Source: Washington Technology/Gigacom (underline = top 8)
Most new applications/services – especially for mobile smartphones – are cloud‐based
Amazon
Apple, including Apple OS applications
Baidu
Google, including Android OS applications
Microsoft, including Microsoft OS applications
RIM, including BlackBerry App World
Skype
Yahoo
Major providers and vendors collaborating in new cloud telecom forums*
AT&T
BT
China Telecommunications
China Unicom
Cisco Systems
Datang
France Télécom Orange
Fujitsu
Hitachi
Huawei Technologies
IBM
KDDI
KT Corporation
Microsoft
NEC
Nokia Siemens Networks
NTT
Oracle
RIM
Samsung Electronics
SAP
Telecom Italia
Telefon AB ‐ LM Ericsson
Telekomunikacja Polska
Verizon
Vodafone & O2
ZTE
* Sources: ITU-T Cloud Focus Group participant list, 2011; ETSI Cloud workshop
Industry Technical Collaboration Venues
Almost everyone:
ATIS (Alliance for Telecommunications Industry Solutions)
Cable Labs
CSA (Cloud Security Alliance)
CSCC (Cloud Standards Customer Council)
DMTF (Distributed Management Task Force)
ENISA (European Network and Information Security Agency)
ETSI (European Telecommunications Standards Institute)
GICTF (Global Inter‐Cloud Technology Forum)
IEEE (Institute of Electrical and Electronics Engineers)
IETF (Internet Engineering Task Force)
ISO (International Organization for Standardization)
ITU‐T (International Telecommunication Union ‐ Telecommunications Standardization)
NIST (National Institute of Standards and Technology)
OASIS (Organization for the Advancement of Structured Information Standards)
ODCA (Open Data Center Alliance)
OGF (Open Grid Forum)
OMG (Object Management Group)
SNIA (Storage Networking Industry Association)
The Open Group
TMF (TeleManagement Forum)
Sources: ITU-T Focus Group on Cloud Computing, NIST Cloud Standards Wiki
ITU‐T Focus Group on Cloud Computing
Global initiative during 2010‐2011 to produce the first comprehensive conceptualization and integration of all technical information:
• Ecosystem
• Requirements and reference architecture
• Infrastructure for network enabled clouds
• Security
• Standards activities
• Telecommunication benefits
• Resource Management
Deliverables were just delivered 9 Jan 2012
Sets a stage for widespread industry activity and structured implementations worldwide
Identified Cloud Computing Services
Short List of Cloud Services
• Cloud Software as a Service (SaaS)
• Communications as a Service (CaaS)
• Cloud Platform as a Service (PaaS)
• Cloud Infrastructure as a Service (IaaS)
• Network as a Service (NaaS)
Service categories
• Application services (SaaS)
• Resource services (IaaS)
• Platform services (PaaS)
• Network services (NaaS)
• Communication services (CaaS)
Deployment models
• Private cloud
• Community cloud
• Public cloud
• Hybrid cloud
• Personal cloud
Extended List of Cloud Services
• Personal cloud
• Inter cloud
• Business Process as a Service (BPaaS)
• Application Platform as a Service (APaaS)
• Application Infrastructure as a Service (AIaaS)
• Everything as a Service (XaaS)
• Storage as a service
• Database as a service
• Information as a service
• Process as a service
• Security as a service
• Integration as a service
• Management/governance as a service
• Testing as a service
A cloud computing functional reference architecture
Source: ITU-T Focus Group on Cloud Computing, Final Report, Dec 2011
A cloud computing network infrastructure model
Source: ITU-T Focus Group on Cloud Computing, Final Report, Dec 2011
Resource management framework
Standards intended to address:
• Awareness of logical and physical resources used
• How to dynamically reconfigure resources
• How to expose additional interfaces
• How to evaluate security controls
Source: ITU-T Focus Group on Cloud Computing, Final Report, Dec 2011
Cloud cyber security
Threats for Cloud Security
• Threats for Cloud Service Users
• Threats for Cloud Service Providers
Security Requirements for Cloud Security
• Requirements for Cloud Service Users
• Requirements for Cloud Service Providers
Study Subjects on Cloud Security
• Security Architecture/Model and Framework
• Security Management and Audit technology
• Business Continuity Planning (BCP) and Disaster Recovery
• Storage Security
• Data and Privacy protection
• Account/Identity Management
• Network Monitoring and Incident Response
• Network Security Management
• Interoperability and Portability Security
• Virtualization Security
• Obligatory Predicates (including LI/RD)
Source: ITU-T Focus Group on Cloud Computing, Final Report, Dec 2011
Cloud computing service opportunities
Short List of Cloud Services
• Cloud Software as a Service (SaaS)
• Communications as a Service (CaaS)
• Cloud Platform as a Service (PaaS)
• Cloud Infrastructure as a Service (IaaS)
• Network as a Service (NaaS)
Service categories
• Application services (SaaS)
• Resource services (IaaS)
• Platform services (PaaS)
• Network services (NaaS)
• Communication services (CaaS)
Deployment models
• Private cloud
• Community cloud
• Public cloud
• Hybrid cloud
• Personal cloud
Extended List of Cloud Services
• Personal cloud
• Inter cloud
• Business Process as a Service (BPaaS)
• Application Platform as a Service (APaaS)
• Application Infrastructure as a Service (AIaaS)
• Everything as a Service (XaaS)
• Storage as a service
• Database as a service
• Information as a service
• Process as a service
• Security as a service
• Integration as a service
• Management/governance as a service
• Testing as a service
Deliberately omitted from ITU‐T list
• Lawful Interception as a Service
• Retained Data as a service
• Law Enforcement Monitoring Facility as a service
Obligatory predicates: functionality identified for all cloud based services
Potential security monitoring and acquisition interfaces
Challenges will be
• LI implementations across multiple clouds
• RD security and scaling
• Inconsistencies among cloud infrastructure and service implementations
Potential application of ETSI TCLI eWarrant, DR handover, and Dynamic Triggering specifications
Necessitates widespread use of DPI capabilities
Retained Data as a Service (RDaaS)
Retained Data obligatory predicates are numerous
Securities and financial transaction regulatory requirements
eDiscovery civil litigation evidence requirements
• USA rules being adopted by judiciaries worldwide
Data Retention criminal investigation requirements
• EU Data Retention Directive
• Potential new cloud requirements under the Directive
Data Preservation criminal investigation requirements
• Includes “quick freeze” capabilities
Cybersecurity/infrastructure protection requirements
• Includes Continuous Security Monitoring event analysis capabilities
Billing record requirements
RDaaS value propositions
RDaaS capabilities are ideal for
• Cloud service obligations
• Large‐scale non‐cloud services
Almost unlimited scaling of storage and processing resources
High security and protection of personally identifiable information
Technique re‐use can occur across multiple implementations
Lowered costs
Faster and more complex discovery and analysis capabilities
Specialized customer remote access “apps”
Facilitated by new CybOX observables initiative