Cloud Security & Standardization. Markku Siltanen Tietoturvakonsultti CISA, CGEIT, CRISC

Transcription

1 0 Copyright 2011 FUJITSU Cloud Security & Standardization Markku Siltanen Tietoturvakonsultti CISA, CGEIT, CRISC

2 Cloud computing 1 Copyright 2011 FUJITSU

3 Characteristics of cloud 2 Copyright 2011 FUJITSU High anonymity due to lack of contract statements High risk of third party s attacks through the Internet Huge impact of one incident to multiple consumers High risks of harmful individuals using enormous resources Possibility that customers assets may be seized or investigated by law-enforcement agencies Difficulty of proving data being lawfully treated

4 Security defence in depth in the cloud 3 Copyright 2011 FUJITSU

5 Cloud threats 4 Copyright 2011 FUJITSU Abuse and malicious use of cloud Insecure interfaces and APIs Malicious Insiders Shared technology issues Data loss or leakage Account or service hijacking Unknown risk profile Browsers and their very complicated environments

6 Typical cloud related security risks 5 Copyright 2011 FUJITSU Attacks from outside against ICT resources in the cloud Effects of cyber terrorism, malicious scans and DDoS can be considerable Attacks to the outside using cloud as a steppingstone Cloud as a tool for mounting attacks on sites outside the cloud Attacks on cloud users from ICT resources within the cloud EDoS attacks to cause monetary losses and information leaks caused by unauthorized data transfers Incidents internal to cloud service providers Malicious actions by individuals or mistakes in operation Malicious use of cloud ICT resources Making use of ICT resources in the cloud for engaging in some sort of criminal behavior Incidents in the cloud not related to attacks Power outages, sw/hw faults, other unexpected incidents

7 Cloud security focus areas 6 Copyright 2011 FUJITSU Confidentiality Data residency; Access control Integrity Ensuring data has not been tampered with; Compliance; Trust and reputation; Acceptable use policies; Certification; Auditing; E- Discovery; Mergers & acquisitions; Data protection Availability Business continuity; Disaster recovery; DDoS etc.; Regime for patching, security updates etc.; Up-time commitments; System performance commitments

8 Shared responsibilities management 7 Copyright 2011 FUJITSU

9 Shared responsibilities operation 8 Copyright 2011 FUJITSU

10 Shared responsibilities technology 9 Copyright 2011 FUJITSU

11 Cloud standardization 10 Copyright 2011 FUJITSU Traditional IT standards organizations and industrial alliances represented by DMTF, OGF and SNIA (and NIST) Traditional telecommunications and Internet standards organizations represented by ITU, ISO, IEEE and IETF Emerging standards organizations represented by CSA, OCC and CCIF Issue: wide ranges of related standardization Network, storage, server, operations mgmt, authentication, security, etc. Fujitsu is engaged in DMTF/CMDBf, DMTF/CMWG, DMTF/CIM-RS, OASIS/SAF, OGF/OCCi, CSA, JTC1/SC38, etc. DMTF board, OGF board, OASIS SAF WG chair, JTC1/SC38 (vice chair)

12 Fujitsu Cloud CERT 11 Copyright 2011 FUJITSU Centralized monitoring and Vulnerability assessment Fujitsu Cloud CERT monitors IDS/IPS of each FGCP/S5 cloud and executes vulnerability scanning test Security monitoring for 24 hours x 7 days by operators Real-time alerting when invasion is detected Monthly statistical report of attacks against the service environment Providing archived IDS log when security incident occurs on the service

13 Security Countermeasures (FGCP) SLA of 99.99% system availability and confidentiality & integrity for business needs Authentication & ID management Access control Audit trail management Centralized management Encryption & Key management Design of availability Physical security Authentic method using client-certificates and PIN. Thoroughgoing identity management and confidential information management using LDAP. VLAN based logical isolation. Access control based on roles. Log management from viewpoints of Management", Control", and Security". Centralized control of customers environment & events using integrated management console. Availability based on redundant cabinet. Complete redundancy of parts, components, and networks. Adopting client-certificates published with government recommended algorithm. Managing Certificate Revocation List (CRL). Getting certified as the first data center to be the AAA (top rating) grade from I.S.Rating Co.,Ltd, specialty company for rating information security. 12 Copyright 2011 FUJITSU

14 13 Copyright 2011 FUJITSU Data masking technology (under dev t) Filters and obscures sensitive information exchanged among clouds, based on anonymization technology

15 14 Copyright 2011 FUJITSU Strong authentication as a Service (dev t) We plan to make it feasible to authenticate groups on the scale of 10 million people; rapid multimodal biometric identification

16 15 Copyright 2011 FUJITSU