
Day 2, Thursday, 2012 Jan 19, 09.00 hrs

SESSION 4: Security in the Cloud

THE EMERGING CLOUD ECOSYSTEM: cyber security plus LI/RD

Tony Rutkowski, Yaana Technologies, 7th ETSI Security Workshop, 18-19 Jan 2011

© ETSI 2012. All rights reserved

Outline

Security as a Business opportunity: A winning driver to ensure technology success and increase confidence and trust amongst end-users!

Current Cloud developments

Cyber security and LI/RD developments

Business opportunities

2 ETSI/Security Workshop (7) S4

The Basics: a new cloud-based global communications infrastructure is emerging

Global network architectures are profoundly, rapidly changing

• PSTNs/mobile networks are disappearing

• Internet is disappearing

• Powerful end user devices for virtual services are becoming ubiquitous

• End user behavior is nomadic

• Huge data centers optimized for virtual services combined with local access bandwidth are emerging worldwide as the new infrastructure 

These changes are real, compelling, and emerging rapidly

Bringing about a holistic “cloud” ecosystem is occupying industry in almost every venue around the world


The Basics: a new cloud-virtualized global communications architecture

[Figure: layered diagram of the cloud-virtualized communications architecture. Labels: Virtualized devices; Line or air interfaces; Access, IdM & transport cloud virtualization services; Intercloud services; Other cloud virtualization services, especially for application support; General services]


Current Cloud developments

• Implementations

• Industry Collaboration and Reports


Implementers – Top 50 in early 2011*

10gen, Akamai, Amazon, Apigee, Apple, ARM, Aryaka, Aspera, Boundary, Calxeda, China Telecom, Cisco, Citrix, Cloud Passage, Cloud.com, Cloudera, CloudSwitch, Couchbase, CSC, Dell, DotCloud, Embrane, Enomaly, Eucalyptus Systems, Facebook, FluidInfo, Fusion IO, GoGrid, Google, Green Revolution, IBM, Intel, IO Turbine, Joyent, Juniper, Microsoft, New Relic, Nicira, Nimbula, Nutanix, Power Assure, Rackspace, Red Hat, RightScale, Salesforce.com, SeaMicro, Sentilla, SynapSense, Verizon/Terremark, VMware, Zeus Technology

* Source: Washington Technology/Gigacom (underline = top 8)

Most new applications/services – especially for mobile smartphones – are cloud-based

Amazon

Apple, including Apple OS applications

Baidu

Facebook

Google, including  Android OS applications

Microsoft, including Microsoft OS applications

RIM, including BlackBerry App World

Skype

Yahoo


Major providers and vendors collaborating in new cloud telecom forums*

ATT, BT, China Telecommunications, China Unicom, Cisco Systems, Datang, France Télécom Orange, Fujitsu, Hitachi, Huawei Technologies, IBM, KDDI, KT Corporation, Microsoft, NEC, Nokia Siemens Networks, NTT, Oracle, RIM, Samsung Electronics, SAP, Telecom Italia, Telefon AB - LM Ericsson, Telekomunikacja Polska, Verizon, Vodafone & O2, ZTE

* Sources: ITU-T Cloud Focus Group participant list, 2011; ETSI Cloud workshop

Industry Technical Collaboration Venues

Almost everyone:

ATIS Alliance for Telecommunications Industry Solutions

Cable Labs

CSA Cloud Security Alliance

CSCC Cloud Standards Customer Council

DMTF Distributed Management Task Force

ENISA European Network and Information Security Agency

ETSI European Telecommunications Standards Institute

GICTF Global Inter‐Cloud Technology Forum

IEEE Institute of Electrical and Electronics Engineers

IETF Internet Engineering Task Force

ISO International Organization for Standardization

ITU‐T International Telecommunication Union ‐ Telecommunications Standardization

NIST National Institute of Standards and Technology

OASIS Organization for the Advancement of Structured Information Standards

ODCA Open Data Center Alliance

OGF Open Grid Forum

OMG Object Management Group

SNIA Storage Networking Industry Association

The Open Group

TMF TeleManagement Forum

Sources: ITU-T Focus Group on Cloud Computing, NIST Cloud Standards Wiki


ITU‐T Focus Group on Cloud Computing

Global initiative during 2010-2011 to produce the first comprehensive conceptualization and integration of all technical information:

• Ecosystem
• Requirements and reference architecture
• Infrastructure for network enabled clouds
• Security
• Standards activities
• Telecommunication benefits
• Resource Management

Deliverables were just delivered 9 Jan 2012

Sets a stage for widespread industry activity and structured implementations worldwide


Identified Cloud Computing Services

Short List of Cloud Services
• Cloud Software as a Service (SaaS)
• Communications as a Service (CaaS)
• Cloud Platform as a Service (PaaS)
• Cloud Infrastructure as a Service (IaaS)
• Network as a Service (NaaS)

Extended List of Cloud Services
• Application services (SaaS)
• Resource services (IaaS)
• Platform services (PaaS)
• Network services (NaaS)
• Communication services (CaaS)
• Private cloud
• Community cloud
• Public cloud
• Hybrid cloud
• Personal cloud
• Inter cloud
• Business Process as a Service (BPaaS)
• Application Platform as a Service (APaaS)
• Application Infrastructure as a Service (AIaaS)
• Everything as a Service (XaaS)
• Storage as a service
• Database as a service
• Information as a service
• Process as a service
• Security as a service
• Integration as a service
• Management/governance as a service
• Testing as a service


A cloud computing functional reference architecture

[Figure: functional reference architecture diagram. Source: ITU-T Focus Group on Cloud Computing, Final Report, Dec 2011]

A cloud computing network infrastructure model

[Figure: network infrastructure model diagram. Source: ITU-T Focus Group on Cloud Computing, Final Report, Dec 2011]

Resource management framework

Standards intended to address:
• Awareness of logical and physical resources used
• How to dynamically reconfigure resources
• How to expose additional interfaces
• How to evaluate security controls

Source: ITU-T Focus Group on Cloud Computing, Final Report, Dec 2011

Cyber Security and LI/RD developments


Cloud cyber security

Threats for Cloud Security
• Threats for Cloud Service Users
• Threats for Cloud Service Providers

Security Requirements for Cloud Security
• Requirements for Cloud Service Users
• Requirements for Cloud Service Providers

Study Subjects on Cloud Security
• Security Architecture/Model and Framework
• Security Management and Audit technology
• Business Continuity Planning (BCP) and Disaster Recovery
• Storage Security
• Data and Privacy protection
• Account/Identity Management
• Network Monitoring and Incident Response
• Network Security Management
• Interoperability and Portability Security
• Virtualization Security
• Obligatory Predicates (including LI/RD)

Source: ITU-T Focus Group on Cloud Computing, Final Report, Dec 2011

Cloud computing service opportunities

The ITU-T short and extended lists of cloud services (see Identified Cloud Computing Services above), plus three services deliberately omitted from the ITU-T list:

• Lawful Interception as a Service
• Retained Data as a Service
• Law Enforcement Monitoring Facility as a Service


Obligatory predicates: functionality identified for all cloud based services

Potential security monitoring and acquisition interfaces

Challenges will be
• LI implementations across multiple clouds
• RD security and scaling
• Inconsistencies among cloud infrastructure and service implementations

Potential application of ETSI TC LI eWarrant, DR handover, and Dynamic Triggering specifications

Necessitates widespread use of DPI capabilities


Business opportunities

• Retained Data as a Service


Retained Data as a Service (RDaaS)

Retained Data obligatory predicates are numerous

Securities and financial transaction regulatory requirements

eDiscovery civil litigation evidence requirements
• USA rules being adopted by judiciaries worldwide

Data Retention criminal investigation requirements
• EU Data Retention Directive
• Potential new cloud requirements under the Directive

Data Preservation criminal investigation requirements
• Includes “quick freeze” capabilities

Cybersecurity/infrastructure protection requirements
• Includes Continuous Security Monitoring event analysis capabilities

Billing record requirements


RDaaS value propositions

RDaaS capabilities are ideal for
• Cloud service obligations
• Large-scale non-cloud services

Almost unlimited scaling of storage and processing resources

High security and protection of personally identifiable information

Technique re‐use can occur across multiple implementations

Lowered costs

Faster and more complex discovery and analysis capabilities

Specialized customer remote access “apps”

Facilitated by new CybOX observables initiative
