BT Cloud Enterprise Service Store - Rob Rowlingson


Upload: digital-catapult

Post on 17-Jul-2015


Page 1: BT Cloud Enterprise Service Store - Rob Rowlingson

© British Telecommunications plc

Template Version 1.2

Future Cloud Action Line

High Impact Initiative

Page 2: BT Cloud Enterprise Service Store - Rob Rowlingson

BT Assure. Security that matters

Rob Rowlingson, Principal Security Researcher, BT Research & Technology

Contact: [email protected]

BT Cloud Enterprise Service Store with Intelligent Protection

Page 3: BT Cloud Enterprise Service Store - Rob Rowlingson


Motivation: CIO dilemma: cloud vs. visibility & control

You have to:

• Protect IT assets against cyber-threats

• Account for security incidents.

I worry about:

My privacy

Loss of my data

The integrity of transactions

Harmful cloud applications

Cloud is cheap – use it now!

Security is too expensive – find a way around it …

I guarantee the infrastructure & platform

You protect your applications and data

Every cloud journey is a new security project

• Migration assessment

• Risk Analysis

Architecture

• Integration costs

• Operational costs

Security Consultant

Cybercrime thrives on application/data/platform/infrastructure security gaps

Confused

CIO

End-User

CFO

Cloud Provider

Cloud adoption will always be limited until the application/data/infrastructure security & governance gap is filled

Cloud providers consider application & data protection to be beyond their concern

Complicated and expensive for users to protect assets on public or hybrid clouds

Cloud users have little visibility or control of how their assets are protected in the cloud

Page 4: BT Cloud Enterprise Service Store - Rob Rowlingson


Why Work with BT?

• BT Cloud Compute

– Exposure via a global cloud service

– 16 platforms, 4 continents, 45 data centres

– 4 global customer service centre hubs and 22 satellite centres

– operating 24/7 and serving businesses in 198 countries.

• HII Trusted Ecosystem Accelerator (3rd Party Ecosystem)

• ‘Intelligent Protection’ for your Applications

• New market opportunities for Cloud services

• Close collaboration with BT Research and Innovation

Page 5: BT Cloud Enterprise Service Store - Rob Rowlingson

Common Capabilities for Cloud Service Stores: basic ecosystem definition

[Figure labels: Cloud-based, On-premise, Fully managed, Self-managed]

Page 6: BT Cloud Enterprise Service Store - Rob Rowlingson

Automatic Application Protection


• During Application Provisioning, Customers / Tenants:

• Purchase Intelligent Protection License for the required Security Modules (Firewall, Anti-Malware, Intrusion Detection, Integrity Monitoring, Log Inspection)

• Select an Application from the Application Market Place.

• Automatically Protect deployed Application with selected Host Security Options.

Protected Application Provisioning

Page 7: BT Cloud Enterprise Service Store - Rob Rowlingson

Cloud portal

Intelligent Protection Security Dashboard

Core strengths & innovative features

• In-flight intrusion prevention, no downtime

• Comprehensive security solution: Virtual firewall, IPS, Security Patch management, Anti-malware

• 360° protection of customer applications

• Built for Cloud/VDC: hypervisor-level security, more effective, easier to integrate into the cloud

• Supports physical servers & computer devices – agents can be deployed on physical or virtual hosts

BT Intelligent Protection

Page 8: BT Cloud Enterprise Service Store - Rob Rowlingson

BT Intelligent Protection

High-Level Architecture


Page 9: BT Cloud Enterprise Service Store - Rob Rowlingson

Automated Data Protection in the Cloud

IaaS/PaaS edition

Via the dashboard/portal, users can:

1. Attach, detach, encrypt or share encrypted data volumes, file-system directories and data objects (e.g. files) with 3 clicks in <2 min.

2. Define context (location/time/ownership/security-level)–based data access

3. Access a personalised secure key-store hosted by BT (on premise variants are also available on request)

It is fully validated on BT Cloud and partly on 3rd parties (Amazon). Trials show <10% overhead of encrypted storage operations, <5% overhead to provisioning time of unprotected VMs

Page 10: BT Cloud Enterprise Service Store - Rob Rowlingson

Overview of Trusted Cloud Digital Service Store: indicative user journeys

General Use of Digital Market Place

Application Store Catalogue

Infrastructure Store Catalogue

STaaS Catalogue

On-board an Application

Design a new workload

Deploy an application

Infrastructure Use

Deploy Apps in internal cloud (Cloud Platform, OpenStack, etc.)

Deploy Apps in public cloud (Amazon EC2, Azure, BT Compute)

Use object storage (STaaS) and Encryption as a Service

Use of “Horizontal” Cloud/Cyber Security Services

Application and Host protection: Protect applications in multiple clouds via Intelligent Protection

Data protection (Encryption) as a Service: Encrypt files and virtual volumes in the cloud

Email filtering as a Service: Email server purchased via the Appstore

External email server

Page 11: BT Cloud Enterprise Service Store - Rob Rowlingson

Use in R&D, trials and production

• Exposure via a global cloud service

• 16 platforms across 4 continents

• 45 data centres

• 4 global customer service centre hubs and 22 satellite centres

• operating 24/7 and serving businesses in 198 countries.

Incorporated into BT Cloud Compute release roadmap as a value-add feature

• UK:

• London Borough of Camden

• Italy:

• City of Genoa

• Serbia:

• Strati-Grand, Belgrade

• Exposure to 2000 users of public services

• Enable secure consumption of public services across European regions

Baseline technology for governmental cloud pilots

• Part of Trusted Cloud Platform - EIT ICT Labs High Impact Initiative

• To be exposed to UK SMEs as a co-innovation platform by the ICT Catapult in the UK

• Platform of choice for future research on cyber-security attack analysis and prevention by Imperial College London – UK Global Uncertainties programme

Baseline platform for Trusted Cloud innovation by SMEs

Page 12: BT Cloud Enterprise Service Store - Rob Rowlingson

New customer experience

Fusion

• Make security management integral part of cloud application assembly

Uniformity and Customisation

• integrity & security functions become managed parameters

• while the form and coverage of the functions automatically adjust to user selection.

Automation

• “click-to-buy” security services

• “click-to-build” secure applications in less than 5 clicks.

Versatility

• automatic generation of recommended security policy

• based on vulnerability analysis of the application stack, cloud characteristics, user preferences and desired business impact levels;

Universality

• one cloud-based service securing applications and data on multiple private and public cloud infrastructures and platforms

Visibility

• Automatically generated customisable security dashboard per user

• Unifying view of the security state of user’s applications on any cloud

Control

• enables enforcing a common security policy to all instances of an application on multiple cloud environments.

Simplified customer experience through a market place, and a service and security management dashboard. Eliminates costs and risks of deployment, integration and management of complex security software or appliances.

Page 13: BT Cloud Enterprise Service Store - Rob Rowlingson

Summary

Fusion: Make security management integral part of cloud data & application assembly

Ubiquity: integrity & security functions become managed parameters

Automated: “click-to-buy” security services; “click-to-build” secure data & applications in less than 5 clicks.

Versatile: automatic generation of recommended security policy

Universal: one service protecting applications and data on multiple clouds

Visibility: Unifying view of the security state of user’s applications on any cloud

Control: enables enforcing a common enterprise security policy across clouds

Exposure in production via a global cloud service (BT Cloud Compute)

Exposure to 2000 users of public services

UK Research & Development

Product Development

Core Service operations

“The benefit has been in convincing the customer that Security is not just in our DNA, it's something that they can embed in their DNA with a single click!” David Cairns, Principal Solutions Architect, BT Cloud Compute

Page 14: BT Cloud Enterprise Service Store - Rob Rowlingson