Cloud computing & security

dizzyeyedfourway, Internet and Web Applications

3 Nov 2013 (3 years and 7 months ago)

106 views

CLUSIF / CLUSIR RhA
Cloud computing & security
Gilles Bizet, Orange Consulting
26 January 2011, CLUSIR RhA
Agenda
1. Preamble
2. New risks to cover?
3. New methods / new tools?
4. Client cases
Marketing buzz or reality?
Figure: evolution of the IT landscape, from DBMS, EDI, object programming and monolithic applications, through BPM, XML, SOA and web services, to interoperability (EAI, ETL) and urbanised information systems.
Outsourcing vs cloud
Source: IDC 2010
A "logical" evolution (source: Syntec 2010): I manage in-house, then third-party application maintenance (TMA), remote operations, relocation, colocation, transformation, and finally cloud.
Cloud computing: what is it?
Three service levels:
• Platform as a Service: development cloud
• Infrastructure as a Service: infrastructure cloud
• Software as a Service: application cloud
Three deployment models:
• Private cloud: enterprise
• Hybrid cloud: mixed
• Public cloud: open
"Cloud computing is a model of on-demand consumption of a set of computing resources, accessible over a high-performance network, which can be rapidly provisioned and made available."
cloud computing building blocks
￿Platform as a Service
￿Infrastructure as a Service
￿Software as a Service
Sales, CRM
Billing
HR
CMS
Collaborative
Desktop
suites
Vertical apps
Development
Testing
Monitoring
API
services
Unified
comms
Storage
Backup /
restore
Archiving
Security
Device
Reporting
BI
Cloud IT tools
(provisioning, management, billing, support, )
professional services
Databases
OS
virtualization
Preprod
CLUSIF / CLUSIR RhA
Cloud computing & sécurité
From an ownership logic to a usage logic: the path to the cloud
Path: in-house hosting, outsourcing, colocation, cloud computing.
Flexibility of access and use:
• Virtualisation
• Dynamic resource allocation
• Access to services via the Internet or an intranet
• Pay per use
Economies of skills:
• Maintenance and updating of hardware and licences
• Delegated management processes
Economies of scale:
• No purchase of static hardware
• Pooling of energy consumption and cooling
Cloud computing: operational excellence, quality of service and security
Scope of cloud computing, the fundamental capabilities:
• Extended shared infrastructure
• Security
• End-to-end quality of service commitments
• Service operated 24x7
• Usage-based billing
• Portal for ordering, management and reporting
• Management of services to end users
• Regulatory compliance
Flexible Computing: how does it work?
• Management of administrator rights
• View of available resources
• Dynamic deployment of virtual architectures
• Administration of the deployed infrastructure
• Service accessible via the Internet or an intranet
Cloud type and scope: the responsibility axis
• Service level
– Adapted to needs
– Flexibility & adaptability
• Scope
– Clear and contractual
• Security activities
– Identified
– Measurable
– By the client and the provider
• Reciprocity between parties
– Controlled trust

IaaS: levels of responsibility
The stack, from bottom to top: datacenter, network & servers, hypervisor, VM, operating system, application server, application. The lower layers are managed by the provider and the upper ones by the client; the boundary moves up with the offer:
1. "Pure" IaaS
2. IaaS with managed OS
3. IaaS with managed application server
4. "Fully managed" IaaS
Cloud computing: a way to simplify security
Current infrastructures (physical servers): antivirus, anti-spyware, personal proxy, personal firewall, encryption, secure OS, VPN (IPsec, SSL), filtering, partitioning, routing, firewall, proxy, reverse proxy, load balancer, identity & access management, detection (IPS/IDS), application security, change, patch and licence management.
Cloud-ready infrastructures: VPN (IPsec, SSL), virtual desktop, green IT, on demand, service catalog.
2. New risks to cover?
Cloud: main issues
• Could we expect benefits (more business, better ROI, TTM improvement)?
• Are there best practices?
• Is the cloud more or less secure than my current environment?
• How does the CSP meet my needs? What are the CSP commitments?
• Will the cloud simplify my IT, and what are the main changes for end users?
• Which part of our IT is cloud-ready?
• What are the impacts on IT platforms and the datacenter?
• How do we start?
Security: one of the main issues for cloud computing
Cloud computing issues (factors for choosing cloud computing):
• Security: 31%
• Service availability: 28%
• Quality of service: 28%
• Network performance: 23%
• Provider dependence: 20%
Sources: Markess, Gartner Research, IDC
LIMITATION OF LIABILITY
YOU EXPRESSLY UNDERSTAND AND AGREE THAT GOOGLE AND PARTNERS SHALL NOT BE LIABLE TO
YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES,
INCLUDING BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES (EVEN
IF GOOGLE OR PARTNERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES) RESULTING FROM: (i) THE USE OR THE
INABILITY TO USE GOOGLE SERVICES; (ii) THE COST OF PROCUREMENT OF SUBSTITUTE GOODS AND SERVICES RESULTING FROM
ANY GOODS, DATA, INFORMATION OR SERVICES PURCHASED OR OBTAINED OR MESSAGES RECEIVED OR TRANSACTIONS
ENTERED INTO THROUGH OR FROM GOOGLE SERVICES; (iii) UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR
TRANSMISSIONS OR DATA; (iv) STATEMENTS OR CONDUCT OF ANY THIRD PARTY ON GOOGLE SERVICES; OR (v) ANY OTHER
MATTER RELATING TO GOOGLE SERVICES.
http://www.google.com/apps/intl/en/terms/user_terms.html
7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so,
given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below,
you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content.
We strongly encourage you, where available and appropriate, to use encryption technology to protect Your Content
from unauthorized access and to routinely archive Your Content.
We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss
of any of Your Content.
http://aws-portal.amazon.com/gp/aws/developer/terms-and-conditions.html
Cloud components vs security challenges
Cloud-ready infrastructure components: VPN (IPsec, SSL), virtual desktop, green IT, on demand, service catalog.
Security challenges:
• Compromising the provisioning service or the configuration tools
• Multi-tenancy
• Policies cohabitation
• Clouds interlink
• Isolation
• Geolocation
• Hypervisor security
• Application sandboxes
• Traceability
• Auditability
• Accountability
• High value target
• Identity & access management
• Applications & tools qualification
Cloud security: specific risks... and specific benefits
Cloud-specific security risks
– Loss of control
– Data confidentiality (data retention time)
– Infrastructure availability and segregation
– Abuse of privilege by the provider (lock-in vs reversibility)
– Changes of jurisdiction (geolocation of data center & people)
Expected benefits
– Economy of scale
– Rapid and smart scaling of resources
– Shared interfaces for managed security services
– Improved efficiency in change management
– End-to-end SLAs
3. New methods / new tools?
Cloud security: answers based on best practices
Cloud security
"Moving my data and my applications into the cloud is like depositing my money at the bank."
"Cloud Computing isn't necessarily more or less secure than your current environment." CSA, Security Guidance for Critical Areas of Focus in Cloud Computing v2.1, December 2009
"Cloud's economies of scale and flexibility are both a friend and a foe from a security point of view." ENISA, Benefits, Risks and Recommendations for Information Security, November 2009
Cloud security as a service
Figure: around the service layers (SaaS, PaaS, IaaS, cloud-ready infrastructures) and the application types (vertical, collaborative, real-time), the security services offered with the Orange cloud:
• Identity and access management, multi-device
• Data center protection
• Law & rules compliance
• Network capacity and availability
• Data protection: storage/backup, secure archive, ILM
• Network and application performance, probes management
• IT management: event & log management, intrusion detection
• End-to-end SLAs
• Best practices
• Audit & penetration test
• Business continuity, disaster recovery
• Organisation and change management
• Web protection, messaging protection, firewall, SSL gateway
Performance, service management and end-to-end security
Figure: end users at site A and site B, an Internet user and mobile (3G/4G) users reach the data centers over an IP VPN network.
Example: IAM and cloud computing
• One question: who accesses, or tries (or tried) to access, what, and when
• Multiple solutions
– Organisational (defined in an external access policy)
• Mapping of populations (end users, operators, administrators, software vendors, developers, TMA, ...)
• Processes (provisioning, privilege assignment, delegations, ...)
• Time windows, timeouts, ...
• ...
– Technical
• Confidentiality of flows (VPN, SSL, ...)
• Strong authentication (certificates, RADIUS, OTP, hardware token, ...)
• Traceability
• Partitioning/isolation
• Mobility
• SSO/SLO, federation
• Interoperability (OpenID, OATH, SAML, SPML, API, scripting, ...)
• Example: the cloud as a host for health data
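The slide's question, who accessed or tried to access what and when, can be answered from an access trail checked against the organisational levers it lists (population mapping, time windows) and the technical lever of traceability. The block below is an added example, not code from the deck or from Orange; the policy, the accounts and the log lines are constructed for illustration.

```python
from datetime import datetime, time
from typing import NamedTuple
# Constructed policy (not from the deck): population -> (allowed resources, allowed hours)
POLICY = {
    "end-user": ({"crm", "messaging"}, (time(7, 0), time(20, 0))),
    "administrator": ({"hypervisor", "crm", "messaging"}, (time(0, 0), time(23, 59, 59))),
    "developer": ({"preprod"}, (time(8, 0), time(19, 0))),
}
# Constructed population map: account -> population; accounts outside the map are unknown
POPULATION = {"alice": "end-user", "bob": "administrator", "carol": "developer"}
class Event(NamedTuple):
    ts: datetime
    user: str
    resource: str
    outcome: str  # "success" or "failure", as reported by the accessed service
# Constructed sample access trail: ISO timestamp, account, resource, outcome
SAMPLE_LOG = """\
2011-01-26T09:15:02 alice crm success
2011-01-26T22:40:11 alice crm success
2011-01-26T03:05:45 bob hypervisor success
2011-01-26T10:02:00 carol hypervisor failure
2011-01-26T11:30:00 mallory crm failure
"""

def parse_log(text):
    # A malformed line raises rather than being skipped: gaps in a trail must stay visible
    events = []
    for line in text.splitlines():
        ts, user, resource, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, resource, outcome))
    return events

def assess(event):
    # Findings for one event; an empty list means the access is consistent with the policy
    population = POPULATION.get(event.user)
    if population is None:
        return ["unknown account"]
    allowed_resources, (start, end) = POLICY[population]
    findings = []
    if event.resource not in allowed_resources:
        findings.append(f"{population} not entitled to {event.resource}")
    if not start <= event.ts.time() <= end:
        findings.append("outside allowed hours")
    if event.outcome == "failure":
        findings.append("failed attempt")
    return findings

def audit_trail(text):
    # Who (tried to) access what, and when, with the policy findings for each attempt
    return {(e.user, e.resource, e.ts.isoformat()): assess(e) for e in parse_log(text)}
```

Every attempt, successful or not, keeps a line in the result, which is what makes the trail auditable rather than only alerting.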
Example: highly secured sites and infrastructures
A global approach: from the strategy to the implementation & run
• Cloud readiness assessment: ICT architecture assessment, business impact analysis, service management assessment
• Cloud target design: ICT architecture design, cloud business model, end-to-end SLA, service management design
• Cloud transition plan: data migration, BCP/DRP, BSS/OSS automation, service management transition
• Cloud service management: customer care, capacity management, service operation, continual service improvement, green IT
Key point: the assessment phase. Are you cloud-ready?
10 sample questions for a cloud-readiness diagnostic:
• "Do you need to adapt and optimize the performance of your critical applications?"
• "Do you have load peaks due to a seasonal application lifecycle?"
• "Do you have strong needs to reduce the TTM for new IT services?"
• "Do you have a clear vision of the ICT costs (per user / per application)?"
• "Do you plan to launch ICT transformation projects (virtualisation, outsourcing, ...)?"
• "Do you intend to optimize your ICT processes and to improve their ITIL/ISO 20k compliance?"
• "Do you feel confident about your IT security?"
• "Is the pay-per-use model relevant for some of your applications?"
• "Do your service management tools (provisioning, monitoring, metering, billing, security alerts) match your business needs?"
• "What changes do you expect in the relationship between business users and IT delivery?"
Cloud readiness assessment tools
Probes & discovery tools samples: PlateSpin, Compuware, InfoVista, OpenNet, Riverbed, SecurActive, Juniper, Packeteer, Ipanema, Cisco, Blue Coat, NetDiscover, ...
Assessment domains (from the figure): demand management, incident management, monitoring/reporting, capacity management, service management; critical business processes, critical competencies, IT carbon footprint, benefits & costs, business & HR impacts; security constraints, data protection, identity & access management, security policy, regulations & laws; commitments & SLA, hosting contracts, outsourcing contracts, contracts analysis; LAN & WAN, mobility, flow rates, protocol filtering, network map; servers & workstations, DB, middleware & OS, licences, application performance, virtualization eligibility, applications inventory; application lifecycle, application interlinks, volumes of data, critical applications map.
Demands & needs
• JOA
– Are you cloud-ready?
– Virtualization assessment
– Application performance assessment
– Security assessment
– Service management assessment
– IT carbon footprint
• IT conceptual design
– IT service catalog
– IT architecture design
• Service management
– Service portfolio
– QoS/QoE, SLAs
– Monitoring/reporting tools & practices
– Capacity management
• Security
– PAS, risk analysis
– Audit / penetration tests
• IT transition plan
– Project portfolio
– Risk analysis / decision matrix
– Milestones & deliverables
• ROI/TEI tools
• Customer experience
– Customer behavior analysis
– Business case design
– Business model
• PMO
– Project portfolio
– CIO coaching
Cloud and security: conclusion
The cloud: a "natural" evolution
Security: an unavoidable requirement
• Centralisation/concentration
• Cohabitation/colocation
• Shifting of responsibility
• Particular needs
• From the bastion to defence in depth
• Geolocation of assets and people
• Confinement/isolation
• Vigilance
• From the user as consumer to the user as actor
4. Client cases
Cloud readiness assessment, business case: government institution
On-demand web application hosting platform for citizen online services
Key factors by domain (requirement level shown on a -/+ scale in the original):
• QoS/QoE: business SLAs, end-to-end commitment, high-level & technical reporting
• Security: dedicated platform with dedicated people
• Flexibility: seasonal applications, load peaks, tailored billing model
Cloud readiness assessment, business case: financial company
On-demand web application development platform for internal customers
Key factors by domain (requirement level shown on a -/+ scale in the original):
• ROI: CAPEX reduction, TTM improvement, pay-for-use model
• Infrastructure capacity: worldwide access
• Industrial lifecycle management: development, test, preproduction, production; 24/7 monitoring; best practices sharing; security process & tools sharing
Cloud readiness assessment, business case: luxury company
Infrastructure as a service
Key factors by domain (requirement level shown on a -/+ scale in the original):
• Collaborative work: team building, training, communication
• Flexibility: capacity on demand, change management reactivity
• Cost reduction: virtualization enforced, data center consolidation, SLA review, mixing shared & private infrastructures
Cloud readiness assessment, business case: industry
Marketplace for technical software
Key factors by domain (requirement level shown on a -/+ scale in the original):
• TTM: short-term project
• Architecture: layer between front office and back office, CRM integration, a programming platform
• Business model: get closer to the customers, pay per use, subscription, micro-payment
Gilles Bizet
Orange Consulting
Phone: +33 2 23 20 41 61
Mobile: +33 6 80 61 41 51
gilles.bizet@orange-ftgroup.com