Cloud Security @ TIM - Current Practices and Future Challenges


Page 1: Cloud Security @ TIM - Current Practices and Future Challenges

GRUPPO TELECOM ITALIA

Cloud Security @ TIM: Current Practices and Future Challenges

Michele Vecchione @ TIM

1st Workshop of the Project Cluster on Data Protection, Security and Privacy in the Cloud. 23 February 2016, Napoli, Italy

Page 2: The TIM Group in short

Page 3: TIM Cloud Strategy versus OTT Players

Cloud and strategy (TIM)

Distinctive Factors of our Cloud Business Model

Three distinctive factors differentiate the TIM cloud offering from OTT players: Proximity, Compliance to Security & Privacy, and Excellence in Quality of Experience.

[Chart: Proximity, Quality of Experience and Compliance & Security, each rated high for the Telco versus the OTT]

Telco versus OTT:

Proximity
  Telco: Direct Sales, PreSales Force, CRM Exploitation, Customisation, Local Infrastructures
  OTT: Product Centric, Self Service

Quality of Experience
  Telco: E2E control, SLA, Low latency
  OTT: Remote, No direct network control

Compliance & Security
  Telco: EU regulation, SOC/NOC, Consultancy
  OTT: Rely upon Internet or third parties, Lower privacy rules

Page 4: Cloud adoption in Italy

Cloud and strategy (TIM)

There is space to grow… BUT there are some concerns.

Building a secure cloud for hosting Enterprise SaaS is a TOP priority.

Page 5: TIM Cloud Infrastructure: Data Centers. A Secure Physical Infrastructure

Regional Service Centers: Palermo, Firenze, Torino, Napoli

National DCs: IDC Cesano Maderno, IDC Rozzano, DC Bologna, DC Padova, DC Bari, DC Oriolo Romano, IDC Pomezia

Nord Est Area (Bologna / Padova)
  Systems rooms #: 15 / 23
  Systems rooms available area: >4.100 / >4.300
    Production systems rooms area: >3.600 / >3.300
    TLC systems rooms area: >250 / >280
  Installed/active servers #: >1.100 / >950
    Managed servers #: >900 / >600

Nord Ovest Area (Cesano / Rozzano)
  Systems rooms #: 16 / 11
  Systems rooms available area: >4.800 / >3.500
    Production systems rooms area: >4.500 / >2.800
    TLC systems rooms area: >280 / >200
  Installed/active servers #: >4.700 / >2.200
    Managed servers #: >1.300 / >1.500

Center/South Area (Oriolo / Bari / Pomezia)
  Systems rooms #: 13 / 16 / 6
  Systems rooms available area: >3.400 / >6.600 / >2.000
    Production systems rooms area: >2.900 / >6.100 / >1.800
    TLC systems rooms area: >400 / >400 / >90
  Installed/active servers #: >3.200 / >5.400 / >800
    Managed servers #: >3.000 / >3.000 / >700

Acilia (work in progress): Data Center TIER 4
  Area size: >4.000 m²
  Production system rooms (6 m height): >3.500 m²
  High density power supply: up to 15 kW/m²
  Network supports: SDN, NFV

Page 6: Logical Security: 1) Clarify Responsibilities according to the chosen Service Model and Distribution Model

Page 7: Logical Security: 2) Implement Security according to Responsibility

Cloud Service Provider Scope (TIM):

• Expose clear security levels of cloud SEs
• Inform the customer about Certifications, Policies, Processes, Responsibilities, Security Plan, L. 196 (Italian Data Protection Code) obligations, and Checks (e.g. Penetration Testing and Vulnerability Assessment) under TIM's responsibility
• Contractually sign obligations and SLA

Customer Scope:

• Assist the customer in understanding residual risk
• Consult the customer to secure its area of responsibility
• Provide additional Security Services and tools to mitigate its own risk

Page 8: Logical Security: 3) Security as a service to support SaaS

TIM Security Competence Center

TIM Security Operation Center

Page 9: Market Security Additional Services. Main Offered Services

TIM Security Operation Center

Service areas: Area Protection, Mail Protection, MSOC, Host Protection, Security Assessment, Security Monitoring, DDoS Mitigation

• Virtual appliances to protect mission-critical Web Applications, Databases or File Systems running in the TIM cloud or on premises
• Mail Relay service with Antispam & Antivirus layer for customers with a Mail Service offered by TIM or at Customer Premises
• Security Appliance Management (IDS, IPS, Boundary Antivirus, Web Content Filtering, Antispam)
• Distributed Denial-of-Service Protection, to protect from attacks aiming to block the service to legitimate users
• Periodic Vulnerability Assessments, Penetration Testing and Source Code Audit executed by the TIM SOC
• Monitoring of corporate anti-intrusion systems to identify and block potential attacks from Internet as well as intranet users and prevent system violation

Certifications:

• Cisco CCNA (Cisco Certified Network Associate)
• Microsoft: "Microsoft Windows Server"
• SCJP - Sun Certified Java Programmer
• ISO 20000 & 27001 Lead Auditor
• ECDL Core
• QCS - QualysGuard Certified Specialist
• Certified Information Forensics Investigator – CIFI
• EC-Council Certified Security Analyst – ECSA
• EC-Council Licensed Penetration Tester – LPT
• Certified Ethical Hacker – CEH v7
• Microsoft Certified Systems Engineer
• CompTIA Security+ Certified (SYO-201)
• Fortinet Certified Network and Security Associate (FCNSA)
• Juniper Networks Certified Internet Associate (JNCIA-FWV)
• QualysGuard Certified Specialist
• Hands on Hacking Web Application (HOH)
• Network and system security for company and public administration
• Clavister Firewall Certification
• IT Security & Digital Forensics (Master)
• ISO 9000
• ISO 27001

Page 10: The world is changing rapidly: new security challenges

• Where is my Perimeter? With Mobility and cloud, the company perimeter is now the Internet! New cloud security Access Layers are required to secure corporate Apps and data, aware of the endpoint used, the access location, the OS, a strong digital Identity, and the application used.

• How can I intelligently scan all of my huge Cloud traffic? An enormous amount of information about activity monitoring Logs (users, Admins) and Anomaly detection (threats, usage, traffic, data scan) needs to be handled every day. A big data approach must be undertaken.

• How do I secure IoT? With IoT, billions of low-power and limited-CPU devices will be connected to applications, generating trillions of daily events.

• How do I secure Smartphones? MDM and BYOD have low penetration. How do I secure these endpoints in an easier way?
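The second challenge above, activity-log monitoring and anomaly detection for users and admins at volume, is easiest to reason about with a concrete detector. The following is an added example written for this transcript, not code from the presentation or from TIM: it runs three simple rules over a constructed JSON-lines activity log (the field names ts, user, role, src_country, action and ok are assumptions) and keeps only per-user state, which is what makes the same logic usable as a streaming job in a big data pipeline rather than a batch script.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample activity log, one JSON object per line. The field names
# (ts, user, role, src_country, action, ok) are an assumption of this example,
# not a TIM log format.
SAMPLE_LOG = """\
{"ts": "2016-02-01T09:12:03Z", "user": "alice", "role": "admin", "src_country": "IT", "action": "vm.start", "ok": true}
{"ts": "2016-02-01T09:15:44Z", "user": "alice", "role": "admin", "src_country": "IT", "action": "fw.rule.add", "ok": true}
{"ts": "2016-02-02T10:02:10Z", "user": "alice", "role": "admin", "src_country": "IT", "action": "vm.stop", "ok": true}
{"ts": "2016-02-03T11:30:00Z", "user": "bob", "role": "user", "src_country": "IT", "action": "login", "ok": true}
{"ts": "2016-02-04T03:41:12Z", "user": "alice", "role": "admin", "src_country": "RO", "action": "fw.rule.add", "ok": true}
{"ts": "2016-02-04T03:41:20Z", "user": "alice", "role": "admin", "src_country": "RO", "action": "snapshot.export", "ok": true}
{"ts": "2016-02-04T08:00:01Z", "user": "bob", "role": "user", "src_country": "IT", "action": "login", "ok": false}
{"ts": "2016-02-04T08:00:05Z", "user": "bob", "role": "user", "src_country": "IT", "action": "login", "ok": false}
{"ts": "2016-02-04T08:00:09Z", "user": "bob", "role": "user", "src_country": "IT", "action": "login", "ok": false}
{"ts": "2016-02-04T08:00:14Z", "user": "bob", "role": "user", "src_country": "IT", "action": "login", "ok": false}
{"ts": "2016-02-04T08:00:20Z", "user": "bob", "role": "user", "src_country": "IT", "action": "login", "ok": false}
{"ts": "2016-02-04T08:00:30Z", "user": "bob", "role": "user", "src_country": "IT", "action": "login", "ok": false}
{"ts": "2016-02-04T08:01:00Z", "user": "bob", "role": "user", "src_country": "IT", "action": "login", "ok": true}
"""

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 UTC, an assumed tenant baseline
FAIL_BURST_N = 5                # this many failed logins ...
FAIL_BURST_WINDOW_S = 60        # ... within this many seconds raise a finding


def parse_log(text):
    """Parse JSON-lines into event dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def _finding(rule, ev):
    return {"rule": rule, "user": ev["user"], "ts": ev["ts"].isoformat(), "action": ev["action"]}


def detect(events):
    """Single pass over time-ordered events. All state is per user (a set of
    countries and a deque of recent failures), so the same logic can run on
    a stream partitioned by user instead of on a loaded batch."""
    findings = []
    known_countries = defaultdict(set)   # user -> countries seen so far
    failures = defaultdict(deque)        # user -> timestamps of recent failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        if ev["role"] == "admin":
            seen = known_countries[user]
            # Privileged action from a country never seen for this user;
            # the user's first event only establishes the baseline.
            if seen and ev["src_country"] not in seen:
                findings.append(_finding("admin-new-country", ev))
            if ts.hour not in BUSINESS_HOURS:
                findings.append(_finding("admin-off-hours", ev))
        known_countries[user].add(ev["src_country"])
        if ev["action"] == "login" and not ev["ok"]:
            recent = failures[user]
            recent.append(ts)
            while (ts - recent[0]).total_seconds() > FAIL_BURST_WINDOW_S:
                recent.popleft()
            if len(recent) >= FAIL_BURST_N:
                findings.append(_finding("failed-login-burst", ev))
                recent.clear()   # one finding per burst, not one per extra failure
    return findings


def run_sample():
    """Findings for the constructed log: alice's first Romanian admin action,
    two off-hours admin actions, and one failed-login burst for bob."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['ts']} {f['rule']:<20} user={f['user']} action={f['action']}")
```

The new-country rule deliberately learns the country after flagging it once, so an analyst gets a single alert to triage rather than one per subsequent action; the thresholds and business hours are the parameters a tenant would tune from its own baseline.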

Page 11: The world is changing rapidly: new security challenges

• How can I enforce data protection using cloud? Corporate applications need to enforce data protection in different cloud deployment scenarios. How can I get visibility on Shadow Cloud? How can I get contextual access control and prevent data leakage on the cloud?

• How can I secure the agile and collaborative developments? DevOps is growing fast. With continuous development, integration and delivery it is necessary to shift from traditional SDLC security enforcement to a more dynamic security framework.

Page 12: Our Vision: Creating a Digital Ecosystem around the TIM Cloud

• Expose our Infrastructural assets (Network, BSS, CRM, Data Sets)
• Aggregate and attract External Communities (R&D, Start-ups, PPAA (Public Administrations), System Integrators, ISV, ...)
• Broker Third Parties (Cloud providers, SW Vendors, ...)
• Enable an API economy
• Expose Commercial Capabilities (sales force, resellers, payments)
• Enable collaborative Dev for a new generation of cloud-ready SaaS (Mashup, DevOps, Microservices)
• Sell IaaS, PaaS and SaaS
• Monetise the community

Page 13: New Security Requirements

In the new Cloud Ecosystem new security requirements arise:

• Security pre-scan at Dev stage
• Automatic testing at build and push time
• Secure microservices Registry
• Scanning containers at run time
• Whitelist/Blacklist (WL/BL) Container Registry
• Signed containers
• Centralised Log (Big Data)
• Contextual Access Control
• Encrypt data in motion and data at rest
• Orchestrate environments (Dev, Test, Prod)
• Provide Dashboard for security Risk Assessment
• Discover Shadow cloud apps
• Protect Mobile and IoT devices with a clientless approach
• Provide SSO / Digital ID across apps
• Multi-Factor Strong Auth
• IAM across apps
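Three of the requirements above (a whitelist/blacklist container registry, signed containers, and a secure microservices registry) combine into one admission decision taken before an image is allowed to run. The following is an added example written for this transcript, not code from the presentation or from TIM: a deploy-time policy check that insists on digest-pinned references, applies a registry whitelist and a repository blacklist, and verifies a signature over the digest. The registry names, repositories and key are constructed, and an HMAC-SHA256 over the digest stands in for the asymmetric signature a real image-signing tool would produce; the policy logic is the same either way.

```python
import hashlib
import hmac
import re

# Constructed policy inputs; the registry names and the key are assumptions of
# this example and belong to no real deployment.
ALLOWED_REGISTRIES = {"registry.example.internal", "docker.io"}   # whitelist
DENIED_REPOSITORIES = {"docker.io/library/busybox"}              # blacklist
SIGNING_KEY = b"constructed-demo-signing-key"

# References must be pinned to a digest: a tag is mutable, a digest is not,
# so only a digest identifies exactly what was scanned and signed.
IMAGE_RE = re.compile(
    r"^(?P<registry>[^/]+)/(?P<repo>[^@:]+)(?::(?P<tag>[\w.-]+))?@sha256:(?P<digest>[0-9a-f]{64})$"
)


def sign_digest(digest, key=SIGNING_KEY):
    """HMAC-SHA256 over the image digest. Stand-in for the signature a real
    signing tool attaches to an image; constructed for this example."""
    return hmac.new(key, digest.encode("ascii"), hashlib.sha256).hexdigest()


def admit(image_ref, signature, key=SIGNING_KEY):
    """Return (allowed, reason) for a container image about to be deployed."""
    m = IMAGE_RE.match(image_ref)
    if not m:
        return False, "image reference must be pinned by sha256 digest"
    registry, repo, digest = m["registry"], m["repo"], m["digest"]
    if registry not in ALLOWED_REGISTRIES:
        return False, f"registry {registry} is not whitelisted"
    if f"{registry}/{repo}" in DENIED_REPOSITORIES:
        return False, f"repository {registry}/{repo} is blacklisted"
    # Constant-time comparison; a missing signature is treated like a bad one.
    if not signature or not hmac.compare_digest(signature, sign_digest(digest, key)):
        return False, "missing or invalid signature for digest"
    return True, "admitted"


# Constructed digest for the demo image (in practice the registry computes it
# from the manifest that was actually pushed).
DEMO_DIGEST = hashlib.sha256(b"constructed image manifest").hexdigest()
DEMO_IMAGE = f"registry.example.internal/payments/api:1.4.2@sha256:{DEMO_DIGEST}"


def run_demo():
    """Exercise the policy on the signed image and on the usual rejections."""
    good_sig = sign_digest(DEMO_DIGEST)
    flipped = good_sig[:-1] + ("0" if good_sig[-1] != "0" else "1")
    return {
        "signed_and_pinned": admit(DEMO_IMAGE, good_sig),
        "tag_only": admit("registry.example.internal/payments/api:1.4.2", good_sig),
        "foreign_registry": admit(f"hub.untrusted.example/payments/api@sha256:{DEMO_DIGEST}", good_sig),
        "blacklisted_repo": admit(f"docker.io/library/busybox@sha256:{DEMO_DIGEST}", good_sig),
        "tampered_signature": admit(DEMO_IMAGE, flipped),
        "unsigned": admit(DEMO_IMAGE, None),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_demo().items():
        print(f"{name:<20} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The ordering of the checks matters: the cheap structural and list checks run first and the signature check last, and every denial names the failed requirement so that the build pipeline (the "automatic testing at build and push time" requirement) can report it back to the developer.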

Page 14: Conclusions

• The trend of porting existing legacy applications with a well-defined monolithic SW architecture into the cloud will fade away with time
• New security threats are continuously arising from new emerging technologies such as IoT, PaaS, middleware frameworks, microservices, containers, ...
• The new TIM cloud will quickly become a collaborative environment where a number of different entities will create new services together by aggregating capabilities in the form of APIs, building blocks and microservices offered by community members.

The scientific community needs to help Cloud Providers (CPs) with new Security Technologies, Solutions, Methodologies and Standards.

The Cloud MUST Communicate SECURITY By Design!

Page 15: Thank You

Grazie, Thank You!

Michele Vecchione
TIM
Director Vertical Platform Engineering
[email protected]