Intelligent Protection for Applications in the Cloud: Industrial Case Studies
Rob Rowlingson (robert.rowlingson@bt.com)
Theo Dimitrakos, Chief Security Researcher, BT Research & Technology (theo.dimitrakos@bt.com)
Fadi El-Moussa, Joshua Daniel, Gery Ducatel, Pramod Pawar, Ali Sajjad
British Telecommunications plc, Template Version 1.2
BT Assure. Security that matters
Introduction: Why Cloud Security?
- Cyber security follows the current threat.
- The threat follows criminal opportunity.
- Opportunity arises from the identification of targets and the emergence of vulnerabilities.
- Targets and vulnerabilities emerge from the evolution of new applications for ICT.
- Cloud computing is possibly the biggest trend in ICT.
- BT sees significant growth opportunity as a cloud service provider.
Motivation: CIO dilemma: cloud vs. visibility & control
- End-User: "I worry about my privacy, loss of my data, the integrity of transactions, harmful cloud applications."
- CIO: "You have to protect IT assets against cyber-threats and account for security incidents."
- CFO: "Cloud is cheap, use it now! Security is too expensive, find a way around it."
- Cloud Provider: "I guarantee the infrastructure & platform. You protect your applications and data."
- Confused Security Consultant:
  - Cybercrime thrives on application/data/platform/infrastructure security gaps.
  - Every cloud journey is a new security project: migration assessment, risk analysis, architecture, integration costs, operational costs.
  - Cloud providers consider application & data protection to be beyond their concern.
  - It is complicated and expensive for users to protect assets on public or hybrid clouds.
  - Cloud users have little visibility or control of how their assets are protected in the cloud.
Cloud adoption will always be limited until the application/data/infrastructure security & governance gap is filled.
G-Cloud Digital Marketplace (previously G-Cloud ServiceStore)
The process aims to make it clearer, simpler and faster to find a service on the Digital Marketplace that meets a buyer's requirements. It also aims to reduce the time and cost for suppliers and to emphasise finding a service that suits the buyer's needs.
Suppliers will assert how they meet the Cloud Security Principles by selecting a predefined answer for a range of questions that correspond to the Cloud Security Principles. Suppliers will then be required to provide evidence and documentation to support their assertion. These self-assertion statements will form part of the supplier's service entry on the Digital Marketplace.
Buyers will be able to assess and compare services with a view to what meets their specific requirements. Suppliers will be able to continuously update the assertion statements, ensuring that buyers have the latest information.
Common capabilities for Cloud Service Stores: basic ecosystem definition
[Figure: ecosystem quadrants spanning Cloud-based to On-premise and Self-managed to Fully managed]
BT Intelligent Protection: core strengths & innovative features
- In-flight intrusion prevention, no downtime.
- Comprehensive security solution: virtual firewall, IPS, security patch management, anti-malware.
- 360° protection of customer applications.
- Built for cloud/VDC: hypervisor-level security, more effective, easier to integrate into the cloud.
[Figure: Intelligent Protection, Security Dashboard, Cloud portal]
Intelligent Protection Service: Protection of Systems & Apps in the Cloud
"Security is secretly out of control"

What is it?
- A cloud security service that has been designed and developed to address customer demand for protecting virtual servers and hosted applications on cloud infrastructures.
- Supports multiple cloud service providers, including BT Cloud Compute, Amazon EC2, vCloud etc.
- Comprehensive security solution: virtual firewall, intrusion prevention/detection, security patch management, anti-malware.
- Deploys security patching & intrusion prevention with no downtime.
- Central security portal to manage protection on multiple cloud platforms.
- Automatically protects deployed applications / systems in a virtual environment.
- Flexible delivery of protection: at hypervisor / virtualisation management level, or by self-installing agents on 3rd-party environments.
- Automatically integrates with application deployment via the Service Store.

Current status
- Inclusion in the BT Compute product roadmap.
- About to go live in the next release of BT Cloud Compute.
- The marketplace and intelligent protection service can be used to auto-provision on the most popular cloud infrastructure / platform providers.

Benefits
- Reduction of complexity through integration with the cloud environment for automatic capability provisioning, life-cycle management and inventory synchronisation.
- Provides vulnerability protection.
- Eliminates the cost and risk of deployment, integration and management of complex security software or appliances.

Next steps
- BT Assure portfolio proposition: multi-cloud version.
- BT Advice proposition: security policy management consultancy.
- BT Wholesale proposition: multi-cloud VSP version.

DEMO at https://researchplatform.zion.bt.co.uk/demos/ipandsc
High level architecture of Intelligent Protection Capability
New customer experience
Simplify how a customer can achieve and maintain security and compliance in the cloud whilst reducing cost and simplifying policy management.
- Fusion: make security management an integral part of cloud application assembly.
- Uniformity and Customisation: integrity & security functions become managed parameters, while the form and coverage of the functions automatically adjust to user selection.
- Automation: click-to-buy security services; click-to-build secure applications in less than 5 clicks; automatic generation of a recommended security policy based on vulnerability analysis of the application stack, cloud characteristics, user preferences and desired business impact levels.
- Versatility and Universality: one cloud-based service securing applications and data on multiple private and public cloud infrastructures and platforms.
- Visibility: automatically generated, customisable security dashboard per user; unifying view of the security state of a user's applications on any cloud.
- Control: enables enforcing a common security policy on all instances of an application across multiple cloud environments.
Automatic Application Protection: Cloud Service Provisioning
During application provisioning, customers / tenants:
1. Purchase an Intelligent Protection licence for the required security modules (Firewall, Anti-Malware, Intrusion Detection, Integrity Monitoring, Log Inspection).
2. Select an application from the Application Marketplace.
3. The deployed application is automatically protected with the selected security options.
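The provisioning steps above, together with the "automatic generation of recommended security policy" feature described on the previous slide, can be illustrated with a small policy recommender. The code below is an added example written for this page; it is not BT's product logic or any code from the deck. It assumes a toy model in which an application stack is described as tiers with the ports they accept, a business impact level selects a minimum set of the five security modules named on the slide, and the licensed modules bought in step 1 are intersected with that recommendation. The firewall rules it derives are default-deny with explicit allows, and it flags a management port on an internet-facing tier rather than opening it; the tier names, port numbers and impact-to-module mapping are all constructed for the example.

```python
"""Toy recommender for an Intelligent-Protection-style security policy.

Added illustration only: the tier model, impact-to-module mapping and
management-port rule are assumptions of this example, not BT's implementation.
The five module names are the ones listed on the provisioning slide.
"""
from dataclasses import dataclass, field

MODULES = ("Firewall", "Anti-Malware", "Intrusion Detection",
           "Integrity Monitoring", "Log Inspection")

# Assumed minimum module set per business impact level (hypothetical mapping).
MIN_MODULES_BY_IMPACT = {
    "low": {"Firewall", "Anti-Malware"},
    "medium": {"Firewall", "Anti-Malware", "Intrusion Detection"},
    "high": set(MODULES),
}

# Assumed "management" ports that should never be opened to the internet.
ADMIN_PORTS = {22, 3389}


@dataclass
class Tier:
    name: str
    ports: tuple            # TCP ports this tier must accept
    public: bool            # True if reachable from the internet
    allowed_from: tuple = ()  # names of tiers allowed to connect to it


@dataclass(frozen=True)
class Rule:
    tier: str   # tier the rule protects
    src: str    # "any" or a source tier name
    port: int
    action: str = "allow"


@dataclass
class Policy:
    modules: set = field(default_factory=set)
    firewall_rules: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    default_action: str = "deny"   # anything not explicitly allowed is dropped


def recommend_policy(tiers, impact, licensed_modules):
    """Derive modules and firewall rules from the stack, impact level and licence."""
    policy = Policy()
    wanted = set(MIN_MODULES_BY_IMPACT[impact])
    # Anything internet-facing gets intrusion detection regardless of impact level.
    if any(t.public for t in tiers):
        wanted.add("Intrusion Detection")
    # Step 1 of provisioning: only licensed modules can actually be enabled.
    policy.modules = wanted & set(licensed_modules)
    for missing in sorted(wanted - policy.modules):
        policy.warnings.append(
            f"{missing} is recommended for impact level '{impact}' but not licensed")

    known = {t.name for t in tiers}
    for t in tiers:
        for port in t.ports:
            if t.public and port not in ADMIN_PORTS:
                policy.firewall_rules.append(Rule(t.name, "any", port))
                continue
            if t.public:
                policy.warnings.append(
                    f"{t.name}: management port {port} would be internet-exposed; "
                    "rule omitted, restrict it to a management tier instead")
            for src in t.allowed_from:
                if src not in known:
                    policy.warnings.append(f"{t.name}: unknown source tier '{src}' ignored")
                    continue
                policy.firewall_rules.append(Rule(t.name, src, port))
    return policy


# Constructed three-tier stack and licence for the example (step 1 and step 2).
EXAMPLE_STACK = [
    Tier("web", (443, 22), public=True),
    Tier("app", (8080,), public=False, allowed_from=("web",)),
    Tier("db", (5432,), public=False, allowed_from=("app",)),
]
EXAMPLE_LICENCE = {"Firewall", "Anti-Malware", "Intrusion Detection", "Log Inspection"}


def build_example_policy():
    """Step 3: the policy that would be applied to the deployed example stack."""
    return recommend_policy(EXAMPLE_STACK, "high", EXAMPLE_LICENCE)


if __name__ == "__main__":
    p = build_example_policy()
    print("modules:", sorted(p.modules))
    for r in p.firewall_rules:
        print(f"{r.action} {r.src} -> {r.tier}:{r.port}")
    print("default:", p.default_action)
    for w in p.warnings:
        print("warning:", w)
```

Running the block prints four licensed modules, three allow rules (internet to web:443, web to app:8080, app to db:5432) over a deny default, and two warnings: Integrity Monitoring was recommended for a high-impact application but is not in the licence, and port 22 on the public web tier was deliberately left closed.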
[Slides 11 to 14: Automatic Application Protection, image-only slides]
Case Study 1: Trusted Personal Data
- EIT ICT Labs High Impact Initiative for Trusted Data Management and Service Infrastructure.
- Developing the Cloud Incubator platform.
- Will develop APIs for the on-boarding of new innovative trusted services as reusable capabilities on BT's cloud service store, for partner applications (e.g. Telecom Italia) and SMEs via a funding competition.
- BT is developing a data protection capability offering encryption as a service.
[Slide image: Eastfield, "Welcome to Eastfield Mall"]
Case Study 2: OPTIMIS
- A Cloud Broker architecture developed under FP7.
- To support organisations in externalising services and applications to trustworthy cloud providers.
- Key aspects of the proposed Cloud Broker architecture include: i) maximisation of user choice; ii) multi-tier reseller model and user-driven customisation; iii) provision of services on a multi-tier reseller model; iv) harmonisation of high-value enhancements.
Case Study 3: Fed4FIRE
- Orchestration of cloud and user resources for provisioning and operating Intelligent Protection.
- The IPCS4Fire experiment is currently being tested on the following testbeds: Virtual Wall, W-Lab, BonFire and PlanetLab Europe.
Overview of the system used in the Fed4FIRE experiment
Case Study 4: Pilot use for public sector services (STRATEGIC)
- Aims to facilitate European public bodies and regional government in adopting public cloud services.
- Three pilot partners: Municipality of Camden (UK), City of Genoa (Italy) and Municipality of Stari Grad (Serbia).
- Sensitive data and multi-tiered applications involving deployment over multiple servers across cloud infrastructures.
Success: use in trials and production
- Exposure via a global cloud service: 16 platforms across 4 continents, 45 data centres, 4 global customer service centre hubs and 22 satellite centres operating 24/7 and serving businesses in 198 countries.
- Protects future revenue of over 68M over 3 years.
- Incorporated into the BT Cloud Compute release roadmap as a value-add feature.
- Public sector pilots: UK, London Borough of Camden; Italy, City of Genoa; Serbia, Stari Grad, Belgrade. Exposure to 2000 users of public services. Enables secure consumption of public services across European regions. Baseline technology for governmental cloud pilots.
- Part of the Trusted Cloud Platform, EIT ICT Labs High Impact Initiative. To be exposed to UK SMEs as a co-innovation platform by the ICT Catapult in the UK. Baseline platform for Trusted Cloud innovation by SMEs.
- Platform of choice for future research on cyber-security attack analysis and prevention by Imperial College London (UK Global Uncertainties programme).
Summary
- Fusion: make security management an integral part of cloud application assembly.
- Ubiquity: integrity & security functions become managed parameters.
- Automated: click-to-buy security services; click-to-build secure applications in less than 5 clicks; automatic generation of a recommended security policy.
- Versatile and Universal: one service protecting applications and data on multiple clouds.
- Visibility: unifying view of the security state of a user's applications on any cloud.
- Control: enables enforcing a common enterprise security policy across clouds.
- Exposure in production via a global cloud service (BT Cloud Compute); exposure to 2000 users of public services.
- UK Research & Development, Product Development, Core Service operations.
"The benefit has been in convincing the customer that Security is not just in our DNA, it's something that they can embed in their DNA with a single click!" David Cairns, Principal Solutions Architect, BT Cloud Compute