Security in cloud computing

26/11/2010

Thales & Cloud

Daniel PAYS - [email protected]

Advanced Studies director, System C4I Security and Defense

Plenary Cloud Computing Session


FIA - Budapest - 19/5/2011


Thales: Cloud challenges & positioning

SECURITY CHALLENGES

• Application security: content-based security, roles & rights management, identity management & interoperability, persistent data security

• Infrastructure security: trusted isolation, trusted network management

• Platform security: trusted application server, secure programming framework, source code evaluation framework

Security assurance and Cyber-security

Thales Communications S.A.

Demand / Delivery / Supply

Resources (physical, storage, network)

Service Offering Catalog

Portal services: provisioning, management and control

Users, Admin, Power users

Cloud Service Manager: availability, performance

Supervisor: command and control

Service Management: configuration, change, billing

Local resource managers and hypervisors

Operators SLA: services, security, elasticity

Network automation, Server automation, Storage automation

Middleware: usage mediation, placement, optimization, federation

Security Management: role and identity, audit, isolation, data protection

DIFFERENTIATORS

Security assurance and Cyber-security

Self-provisioning & automatic deployment according to functional and non-functional requirements

Multi-sites federation with encryption

Supervision of the physical infrastructure and applicative Key Performance Indicators

Role Based Access Control


THALES and FI-PPP

CONCORD (CSA)

INFINITY (CSA)

INSTANT MOBILITY (IP)

FI-WARE (IP)

ENVIROFI (IP)

SMARTAGRIFOOD (IP)

OUTSMART (IP)

FINEST (IP)

SAFE CITY (IP)

FI-CONTENT (IP)

FINSENY (IP)

http://www.fi-ppp.eu/


FI-PPP Security – Targeted Results

• Generate Trust and confidence by developing and providing security services for the Future Internet

Open specifications, reference implementation, KPI, ...

Core security generic enablers demanded by FI Pillars and Usage Areas, including:

• Identity and Access Management

• Authorization and Usage Control Policies

• Privacy and Trust

• Auditing

Complemented by optional generic enablers which might be used for specific needs requested by the FI Smart applications at hand (e.g. data anonymization, data protection, filtering, ...)

FI-WARE


FI-PPP Exemplification - Security usability

In cloud computing, FI-PPP puts forward:

• End-to-end trust and data security

• Isolation across virtual domains

• Risk analysis and vulnerability mitigation

• Secure administration, alerting and reporting

• Smart decision support in case of cyber-attacks

• Weak signal detection and response

• Permanent life cycle management of security

• User-centric, intuitive security mechanisms

• A multi-disciplinary approach with the human sciences (ethics, legal, sociology, psychology, …)


FI-PPP Exemplification Identity & Trust

Federation between heterogeneous domains:

• One account versus an unlimited number of accounts

• Simplified password management

• Eases collaboration environments for enterprises

• Minimizes security overhead through sharing resources and information

Trusted federations increase efficiency

eID card is a gateway to personal information.


« Andromède »

Trusted digital agency

« Design, build and run a trusted and secured "digital factory" infrastructure, to sustain economic competitiveness (France and Europe) »

« Grand Emprunt »

15 May 2011


Andromède security by Thales

• Andromède security requirements formalisation

Tools for application & services development, test, deployment and run in a trusted way

A resilient and secured infrastructure architecture (flow isolation, hardening, zone management, localisation, ciphering, …)

• Solutions & services provided by Thales

Supply & integration of security solutions & equipment

Security operator

• Targets to be defined

A separate security operator providing global security services: target ISO 27001 and Andromède certification (ANSSI)

Optional added-value services: identity federation, intrusion detection/prevention, DRP as a service, application scan tests, vulnerability assessment, intrusion testing

Different: telecom transporters, hosters, outsourcers

[Architecture diagram: Andromède trusted cloud reference architecture. Zones: operations administration zone, security administration zone, services zone (LDAP, DNS, NTP), configuration zone (XML repository), services & security zone (CA, HMI, Snort), log zone, policy engine zone, secured access zone, backup zone, supervision zone, quarantine zone, infrastructure zone. Cloud resources: hypervisors hosting clients A, B and C separated by firewalls, SAN data storage, VDI. Actors: operator administrator, client administrator, user; Internet access through firewalls. Named components: nCipher, RSA SecurID, Juniper Secure Access, WALLIX, NIM, NetForensic + Novell suite, CYBELS, GWT 2.0, DataCryptor/Mistral, SAMLv2.]


Trusted cloud life cycle: follow-up

Help & constraints on development

IDE/SDK

Deployed Service

Store: functionalities, manageability, security

Common tools: portfolio, program, configuration, deployment

Application support, middleware

Cloud

Operating tool

Feedback: lessons learnt, bugs, logs

Life cycle governance, co-design