Cloud Service Providers: Overcoming security and compliance barriers
Dr Theodoros Stergiou, CEng, CPMM
Security Solutions Product Manager & Cloud Security Officer
Agenda
- A brief introduction
- Security barriers
- Compliance barriers
- Overcoming issues through a real case study
Introduction
- By 2015, 50% of CIOs expect to operate via the cloud.
- The cloud computing market is expected to grow from $74B in 2012 to $177B over the next two years.
Source: Gartner
Cloud: The final Vision
- Just as electricity, another essential utility, did a century ago, all computing is predicted to eventually move to the cloud.
- Cloud computing is being internationally positioned as the next generation of service delivery to the enterprise market, offering computing power, storage, networking and applications as a service.
- The global yearly revenue of the Cloud Services market is 25.5 B$ (2011) and is expected to reach 160 B$ by 2020. (source: Forrester, 2011)
Cloud Adoption Inhibitors
(*) 2013 Global IT leadership report, Savvis
(*) 2013 3rd Annual Survey, North Bridge
Cloud Benefits
The Big Issue
- FACT: Cloud Security (or Security in the Cloud) is regarded as a problem, the primary inhibitor for cloud adoption.
- Reality: Cloud Security should not be regarded as a problem; rather, it is the means to build trust between the service provider and potential customers.
- To properly address this issue, one must embrace both:
  - the Service Provider perspective
  - the Customer perspective
- Overcoming security and compliance barriers is a multi-fold issue.
Security Barriers
- Data privacy & leakage
- Communication secrecy
- Users' lack of education
- Service Level Agreements
- Psychological reasons
Compliance Barriers
- Lack of an international standard regarding cloud computing security
- Diverse regulatory requirements per market region
- Lack of an official certification for cloud providers (starting to change, though)
- Cross-border and cross-market regulations (market verticals, etc.)
A Real Case Study
Intracom Telecom Datacenter Solutions
- Solution areas: Facilities; Converged Networking; Consolidation & Optimization; Security & Compliance; Management
- Cloud Builder: Cloud Planning & Design; Cloud Implementation; Cloud Security; Operations organization consulting
- Innovative Solutions: Backup aaS; Storage aaS; Desktop aaS; Security aaS; Disaster Recovery aaS
- Services: Strategy; Engineering Services; Solution Integration; Audit & Validation
Our case study
Design Principles
Solutions for the Cloud Services Ladder
- Software as a Service (PACS)
- Application Services
- Platform as a Service
- Security as a Service
- Storage as a Service
- Backup as a Service
- Hybrid Cloud
- Disaster Recovery as a Service
- Infrastructure Services
- Desktop as a Service
- Virtual Machines
- Managed Hosting
- Colocation
- Data Centre Connectivity
Our target: a secured & compliant infrastructure
SECURITY & COMPLIANCE
Our decision was to go with ISO 27001
- Information security is still the primary inhibitor of cloud adoption.
- We needed a structured and process-based approach to satisfy our business requirements.
- We needed an internationally adopted standard to drive our efforts and ensure compliance.
- We decided to certify our cloud, hosting & colocation services against ISO 27001.
Governance controls
- Cloud Information Security Framework
- Cloud Information Security Committee
- ISMS based on ISO 27001
- Continuous improvement risk treatment plan
- Consideration (by design & implementation) of:
  - Cloud Security Alliance (CSA)
  - ENISA
  - ADAE 165/2011
  - DPA
  - PCI DSS
Sources: "Cloud Security Benchmark: Top 10 CSPs" by CloudeAssurance, for 2013Q2, 2013Q3; Security, Trust and Assurance Registry (STAR), Cloud Security Alliance
Addressing Compliance
- ADAE (Hellenic authority for communication security & privacy)
  - Security & privacy of subscriber information
  - Contractual requirement with HOL
- DPA (Data Protection Authority)
  - Data security & privacy of subscriber information
  - Applicability particularly for PACS
  - Laws 2472/97, 3674/08: adaptations of EU Data Protection Directive 95/46/EC
- PCI DSS (Payment Card Industry Data Security Standard)
- We also considered:
  - Cloud Security Alliance (CSA)
  - ENISA (European Network and Information Security Agency)
ISO 27001 is the basis for complying with legal & regulatory requirements.
Technical Controls
- Network & Perimeter security
  - FW, IDS/IPS, VPN, VLANs, network segmentation
  - Physical and environmental controls
  - Strong authentication controls
  - Encrypted communication channels
- System security
  - Server protection
  - Security Information and Event Management
  - User & privilege access management
  - Patch & configuration management
  - Virtualisation security
- Application security
  - Web application firewall
  - Source code reviews
- Data security
  - Data leakage prevention
  - Data encryption (wherever applicable; e.g. BaaS AES-256)
Operational Controls
- Dedicated operations organization and delivery mechanism
- Cloud Services Operations Centre (CSOC)
- Network & Security Operations Centre, active 24x7x365
Our Added Value
The unique expertise gained from being engaged in the full life cycle of the project, coupled with our technological proficiency, makes Intracom Telecom the ideal partner to rely on for creating your public or private cloud!
References
- First Public Cloud from Greek Telco provider
  - Focus on SMB market
  - Cloud provides VMs, Backup, Storage, Security
  - Design, deployment, operations by ICOM
- Virtual Private Cloud
  - Dedicated hardware
  - Reuse of Public Cloud networking, security, virtualisation platform, orchestration platform, backup platform
  - Design, deployment & operations by ICOM
- First PACS deployment on Public Cloud
  - Offered as SaaS
  - Hosted in the Public Cloud infrastructure
  - Design, deployment & operations by ICOM
- Private Cloud for Greek Academic Society
  - Open Source based cloud
  - Private Cloud provides VMs, Storage, Virtual private clouds
  - Infrastructure deployed by ICOM
There is a lot of choice out there, and many paths can be followed.
Let us help you: one size does not fit all.
How we can help you
- Planning Phase
- Design and Implementation Phase
- Cloud Data Center
- Security
- Operations
- Automation