Copyright 2011 FUJITSU. Glen Koskela, CTO Nordic
Cloud Security & Standardization
Markku Siltanen, Information Security Consultant, CISA, CGEIT, CRISC
Cloud computing
Characteristics of cloud
High anonymity due to lack of contract statements
High risk of third-party attacks through the Internet
Huge impact of one incident on multiple consumers
High risk of harmful individuals using enormous resources
Possibility that customers' assets may be seized or investigated by law-enforcement agencies
Difficulty of proving that data is being lawfully treated
Security defence in depth in the cloud
Cloud threats
Abuse and malicious use of cloud
Insecure interfaces and APIs
Malicious insiders
Shared technology issues
Data loss or leakage
Account or service hijacking
Unknown risk profile
Browsers and their very complicated environments
Typical cloud-related security risks
Attacks from outside against ICT resources in the cloud: the effects of cyber terrorism, malicious scans and DDoS can be considerable
Attacks to the outside using the cloud as a stepping stone: the cloud as a tool for mounting attacks on sites outside the cloud
Attacks on cloud users from ICT resources within the cloud: EDoS attacks to cause monetary losses, and information leaks caused by unauthorized data transfers
Incidents internal to cloud service providers: malicious actions by individuals or mistakes in operation
Malicious use of cloud ICT resources: making use of ICT resources in the cloud for engaging in some sort of criminal behavior
Incidents in the cloud not related to attacks: power outages, software/hardware faults, other unexpected incidents
Cloud security focus areas
Confidentiality: data residency; access control
Integrity: ensuring data has not been tampered with; compliance; trust and reputation; acceptable use policies; certification; auditing; e-discovery; mergers & acquisitions; data protection
Availability: business continuity; disaster recovery; DDoS etc.; regime for patching, security updates etc.; up-time commitments; system performance commitments
Shared responsibilities – management
Shared responsibilities – operation
Shared responsibilities – technology
Cloud standardization
Traditional IT standards organizations and industrial alliances, represented by DMTF, OGF and SNIA (and NIST)
Traditional telecommunications and Internet standards organizations, represented by ITU, ISO, IEEE and IETF
Emerging standards organizations, represented by CSA, OCC and CCIF
Issue: a wide range of related standardization areas: network, storage, server, operations management, authentication, security, etc.
Fujitsu is engaged in DMTF/CMDBf, DMTF/CMWG, DMTF/CIM-RS, OASIS/SAF, OGF/OCCI, CSA, JTC1/SC38, etc.
Positions held: DMTF board, OGF board, OASIS SAF WG chair, JTC1/SC38 vice chair
Fujitsu Cloud CERT
Centralized monitoring and vulnerability assessment: Fujitsu Cloud CERT monitors the IDS/IPS of each FGCP/S5 cloud and executes vulnerability scanning tests
Security monitoring 24 hours x 7 days by operators
Real-time alerting when an intrusion is detected
Monthly statistical report of attacks against the service environment
Providing archived IDS logs when a security incident occurs on the service
Security Countermeasures (FGCP)
SLA of 99.99% system availability, plus confidentiality & integrity for business needs
Authentication & ID management: authentication method using client certificates and PIN; thoroughgoing identity management and confidential-information management using LDAP.
Access control: VLAN-based logical isolation; access control based on roles.
Audit trail management: log management from the viewpoints of "Management", "Control" and "Security".
Centralized management: centralized control of customers' environments and events using an integrated management console.
Encryption & key management: adopting client certificates issued with a government-recommended algorithm; managing the Certificate Revocation List (CRL).
Design of availability: availability based on redundant cabinets; complete redundancy of parts, components and networks.
Physical security: certified as the first data center to receive the AAA (top rating) grade from I.S.Rating Co., Ltd., a specialty company for rating information security.
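The client-certificate authentication and CRL management on this slide, as an added Go example that is not Fujitsu's code: it builds a constructed in-memory CA, two client certificates and a CRL, then checks a presented certificate the way a service endpoint would, failing closed when the CRL is stale or not signed by the CA. The CA name, user names and serial numbers are assumptions; only the Go standard library (1.21 or later) is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// BuildPKI is a constructed fixture, not Fujitsu's PKI: a CA, clients "user-a" (serial 100) and "user-b" (101), and a one-hour CRL revoking 101.
func BuildPKI(now time.Time) (ca *x509.Certificate, crl *x509.RevocationList, a, b *x509.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // one test key serves the CA and both clients
	issue := func(serial int64, cn string, ku x509.KeyUsage, parent *x509.Certificate) *x509.Certificate {
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku,
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
		if parent == nil { // the CA signs itself
			parent = t
		}
		der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, key) // fixed templates cannot fail here
		c, _ := x509.ParseCertificate(der)
		return c
	}
	ca = issue(1, "Example Cloud CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil)
	a = issue(100, "user-a", x509.KeyUsageDigitalSignature, ca)
	b = issue(101, "user-b", x509.KeyUsageDigitalSignature, ca)
	der, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(time.Hour), RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: b.SerialNumber, RevocationTime: now}}}, ca, key)
	crl, _ = x509.ParseRevocationList(der)
	return ca, crl, a, b
}
// VerifyClient chains cert to the trusted CA, requires a current CA-signed CRL (anything else fails closed), and rejects listed serials.
func VerifyClient(ca *x509.Certificate, crl *x509.RevocationList, cert *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil || now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL unusable (signature error=%v, stale=%t); refusing to skip the revocation check", err, now.After(crl.NextUpdate))
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate %s (serial %v) is revoked", cert.Subject.CommonName, cert.SerialNumber)
		}
	}
	return nil
}
```

Go's crypto/tls verifies the client chain but performs no revocation checking of its own, so a check like VerifyClient belongs in the handshake's VerifyPeerCertificate callback.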
Data masking technology (under development)
Filters and obscures sensitive information exchanged among clouds, based on anonymization technology
Strong authentication as a Service (under development)
We plan to make it feasible to authenticate groups on the scale of 10 million people; rapid multimodal biometric identification