0 Copyright 2011 FUJITSUGlen Koskela, CTO Nordic

Cloud Security & StandardizationMarkku SiltanenTietoturvakonsulttiCISA, CGEIT, CRISC

1 Copyright 2011 FUJITSUGlen Koskela, CTO Nordic

Cloud computing

2 Copyright 2011 FUJITSUGlen Koskela, CTO Nordic

Characteristics of cloudHigh anonymity due to lack of contract statementsHigh risk of third party’s attacks through the InternetHuge impact of one incident to multiple consumersHigh risks of harmful individuals using enormous resourcesPossibility that customers’ assets may be seized or investigated by law-enforcement agenciesDifficulty of proving data being lawfully treated

3 Copyright 2011 FUJITSUGlen Koskela, CTO Nordic

Security defence in depth in the cloud

4 Copyright 2011 FUJITSUGlen Koskela, CTO Nordic

Cloud threatsAbuse and malicious use of cloudInsecure interfaces and APIsMalicious InsidersShared technology issuesData loss or leakageAccount or service hijackingUnknown risk profileBrowsers and their very complicated environments

5 Copyright 2011 FUJITSUGlen Koskela, CTO Nordic

Typical cloud related security risksAttacks from outside against ICT resources in the cloud

Effects of cyber terrorism, malicious scans and DDoS can be considerable

Attacks to the outside using cloud as a steppingstoneCloud as a tool for mounting attacks on sites outside the cloud

Attacks on cloud users from ICT resources within the cloudEDoS attacks to cause monetary losses and information leaks caused by unauthorized data transfers

Incidents internal to cloud service providersMalicious actions by individuals or mistakes in operation

Malicious use of cloud ICT resourcesMaking use of ICT resources in the cloud for engaging in some sort of criminal behavior

Incidents in the cloud not related to attacksPower outages, sw/hw faults, other unexpected incidents

6 Copyright 2011 FUJITSUGlen Koskela, CTO Nordic

Cloud security focus areasConfidentiality

Data residency; Access control

IntegrityEnsuring data has not been tampered with; Compliance; Trust and reputation; Acceptable use policies; Certification; Auditing; E-Discovery; Mergers & acquisitions; Data protection

AvailabilityBusiness continuity; Disaster recovery; DDoS etc.; Regime for patching, security updates etc.; Up-time commitments; System performance commitments

7 Copyright 2011 FUJITSUGlen Koskela, CTO Nordic

Shared responsibilities – management

8 Copyright 2011 FUJITSUGlen Koskela, CTO Nordic

Shared responsibilities – operation

9 Copyright 2011 FUJITSUGlen Koskela, CTO Nordic

Shared responsibilities – technology

10 Copyright 2011 FUJITSUGlen Koskela, CTO Nordic

Cloud standardizationTraditional IT standards organizations and industrial alliances represented by DMTF, OGF and SNIA (and NIST)Traditional telecommunications and Internet standards organizations represented by ITU, ISO, IEEE and IETFEmerging standards organizations represented by CSA, OCC and CCIFIssue: wide ranges of related standardization

Network, storage, server, operations mgmt, authentication, security, etc.

Fujitsu is engaged in DMTF/CMDBf, DMTF/CMWG, DMTF/CIM-RS, OASIS/SAF, OGF/OCCi, CSA, JTC1/SC38, etc.DMTF board, OGF board, OASIS SAF WG chair, JTC1/SC38 (vice chair)

11 Copyright 2011 FUJITSUGlen Koskela, CTO Nordic

Fujitsu Cloud CERTCentralized monitoring and Vulnerability assessment Fujitsu Cloud CERT monitors IDS/IPS of each FGCP/S5cloud and executes vulnerability scanning test

Security monitoring for 24 hours x 7 days by operatorsReal-time alerting when invasion is detectedMonthly statistical report of attacks against the service environment Providing archived IDS log when security incident occurs on the service

12 Copyright 2011 FUJITSUGlen Koskela, CTO Nordic

Security Countermeasures (FGCP)

SLA of 99.99% system availability and confidentiality & integrity for business needs

Authentication &ID management

Accesscontrol

Audit trailmanagement

Centralizedmanagement

Encryption& Key

management

Design ofavailability

Physicalsecurity

Authentic method using client-certificates and PIN.

Thoroughgoing identity management and confidential information management using LDAP.

VLAN based logical isolation.Access control based on roles.

Log management from viewpoints of “Management", “Control", and “Security".

Centralized control of customers’ environment & events using integrated management console.

Adopting client-certificates published with government recommended algorithm.Managing Certificate Revocation List (CRL).

Availability based on redundant cabinet.

Complete redundancy of parts, components, and networks.

Getting certified as the first data center to be the AAA (top rating) grade fromI.S.Rating Co.,Ltd,

specialty company for rating information security.

13 Copyright 2011 FUJITSUGlen Koskela, CTO Nordic

Data masking technology (under dev’t)Filters and obscures sensitiveinformation exchanged amongclouds, based on anonymizationtechnology

14 Copyright 2011 FUJITSUGlen Koskela, CTO Nordic

Strong authentication as a Service (dev’t)We plan to make it feasible to authenticate groups on the scale of 10 million people; rapid multimodal biometric identification

15 Copyright 2011 FUJITSUGlen Koskela, CTO Nordic