Day 2, Thursday, 2012 Jan 19, 09.00 hrs

SESSION 4: Security in the

THE EMERGING CLOUD ECOSYSTEM: cyber security plus LI/RD

Tony Rutkowski, Yaana Technologies 7th ETSI Security Workshop, 18‐19 Jan 2011

© ETSI 2012. All rights reserved Outline

Security as a Business opportunity: A winning driver to ensure technology success and increase confidence and trust amongst end‐users ! CtCurrent Cloud ddlevelopment s

Cyber security and LI/RD developments

Business opportunities

2 ETSI/Security Workshop (7) S4 The Basics: a new cloud‐based global communications infrastructure is emerging

Global network architectures are profoundly, rapidly changing • PSTNs/mobile networks are disappearing • is disappearing • Powerful end user devices for virtual services are becoming ubiquitous • End user behavior is nomadic • Huge data centers optimized for virtual services combined with local access bandwidth are emerging worldwide as the new infrastructure These changes are real, compelling, and emerging rapidly Bringing about a holistic “cloud” ecosystem is occupying idindustry in almost every venue around the world

3 ETSI/Security Workshop (7) S4 The Basics: a new cloud‐virtualized global communications architecture

Virtualized Line or air Access, IdM & transport Intercloud Other cloud virtualization services, devices interfaces cloud virtualization services services especially for application support

Access, IdM & transport General services

Intercloud

General Access, IdM & transport services

General Intercloud Access, IdM & transport services

General services Access, IdM & transport Intercloud

General Access, IdM & transport services

4 ETSI/Security Workshop (7) S4 Current Cloud developments

• Implementations • Industry Collaboration and Reports

5 ETSI/Security Workshop (7) S4 Implementers – Top 50 in early 2011*

10gen Cloud Passage FluidInfo Akamai Cloud.com Fusion IO Amazon Cloudera GoGrid Power Assure Apigee CloudSwitch Rackspace Apple Couchbase Green Revolution Red Hat ARM CSC IBM RightScale Aryaka Dell Intel .com Aspera DotCloud IO Turbine SeaMicro Boundary Embrane Sentilla Calxeda Enomaly Juniper SynapSense China Telecom Verizon/Terremark Cisco Systems New Relic VMware Citrix Facebook Nicira Zeus Technology

* Source: Washington Technology/Gigacom (underline = top 8)

6 ETSI/Security Workshop (7) S4 Most new applications/services – especially for mobile smartphones – are cloud‐based

Amazon Apple, including Apple OS applications Baidu Facebook Google, including Android OS applications Microsoft, including Microsoft OS applications RIM, including BlackBerry App World Skype Yahoo

7 ETSI/Security Workshop (7) S4 Major providers and vendors collaborating in new cloud telecom forums

ATT NEC BT Nokia Siemens Networks China Telecommunications NTT China Unicom Oracle Cisco Systems RIM Datang Samsung Electronics France Télécom Orange SAP Fujitsu Telecom Italia Hitachi Telefon AB ‐ LM Ericsson Huawei Technologies Telekomunikacja Polska IBM Verizon KDDI VdfVodafone & O2 KT Corporation ZTE Microsoft

* Sources: ITU-T Cloud Focus Group participant list, 2011; ETSI Cloud workshop 8 ETSI/Security Workshop (7) S4 Industry Technical Collaboration Venues

Almost everyone ATIS Alliance for Telecommunications Industry Solutions Cable Labs CSA Cloud Security Alliance CSCC Cloud Standards Customer Council DMTF Distributed Management Task Force ENISA European Network and Information Security Agency ETSI European Telecommunications Standards Institute GICTF Global Inter‐Cloud Technology Forum IEEE Institute of Electrical and Electronics Engineers IETF Internet Engineering Task Force ISO International Organization for Standardization ITU‐TInternational Telecommunication Union ‐ Telecommunications Standardization NIST National Institute of Standards and Technology OASIS Organization for the Advancement of Structured Information Standards ODCA Open Alliance OGF Open Grid Forum OMG Object Management Group SNIA Storage Networking Industry Association The Open Group TMF TeleManagement Forum Sources: ITU-T Focus Group on , NIST Cloud Standards Wiki

9 ETSI/Security Workshop (7) S4 ITU‐T Focus Group on Cloud Computing

Global initiative during 2010‐2011 to produce first comprehensive conceptualization and integration of all technical information • Ecosystem • Requirements and reference architecture • Infrastructure for network enabled clouds • Security • Standards activities • Telecommunication benefits • Resource Management Deliverables were just delivered 9 Jan 2012 Sets a stage for widespread industry activity and structured implementations worldwide

10 ETSI/Security Workshop (7) S4 Identified Cloud Computing Services

Short List of Cloud Services Extended List of Cloud Services • Application services (SaaS) • Cloud Software (SaaS) • Resource services (IaaS) • Communications as a Service (CaaS) • Platform services (PaaS) • Cloud (PaaS) • Network services (NaaS) • Cloud Infrastructure as a Service (IaaS) • Communication services (CaaS) • (NaaS) • Private cloud • Community cloud • Public cloud • Hybrid cloud • Personal cloud • Inter cloud • Business Process as a Service (BPaaS) • Application Platform as a Service(APaaS) • Application Infrastructure as a Service (AIaaS) • Everything as a Service (XaaS) • Storage as a service • Database as a service • Information as a service • Process as a service • Security as a service • Integration as a service • Management/governance as a service • Testing as a service

11 ETSI/Security Workshop (7) S4 A cloud computing functional reference architecture

Source: ITU-T Focus Group on Cloud Computing, Final Report, Dec 2011

12 ETSI/Security Workshop (7) S4 A cloud computing network infrastructure model

Source: ITU-T Focus Group on Cloud Computing, Final Report, Dec 2011 13 ETSI/Security Workshop (7) S4 Resource management framework

Standards intended to address: ƒ Awareness of logical and physical resources used ƒ How to dynamically reconfigure resources ƒ How to expose additional interfaces ƒ How to evaluate security controls

Source: ITU-T Focus Group on Cloud Computing, Final Report, Dec 2011 14 ETSI/Security Workshop (7) S4 Cyber Security and LI/RD developments

15 ETSI/Security Workshop (7) S4 Cloud cyber security

Threats for Cloud Security • Threats for Cloud Service Users • Threats for Cloud Service Providers Security Requirements for Cloud Security • Requirements for Cloud Service Users • Requirements for Cloud Service Providers SdStudy SbjSubjects on Cloud SiSecurity • Security Architecture/Model and Framework • Security Management and Audit technology • Business Continuity Planning (BCP) and Disaster Recovery • Storage Security • Data and Privacy protection • Account/Identity Management • Network Monitoring and Incident Response • Management • Interoperability and Portability Security • Virtualization Security • Obligatory Predicates (including LI/RD) Source: ITU-T Focus Group on Cloud Computing, Final Report, Dec 2011 16 ETSI/Security Workshop (7) S4 Cloud computing service opportunities

Short List of Cloud Services Extended List of Cloud Services • Application services (SaaS) • Cloud (SaaS) • Resource services (IaaS) • Communications as a Service (CaaS) • Platform services (PaaS) • Cloud Platform as a Service (PaaS) • Network services (NaaS) • Cloud Infrastructure as a Service (IaaS) • Communication services (CaaS) • Network as a Service (NaaS) • Private cloud • Community cloud • Public cloud • Hybrid cloud • Personal cloud • Inter cloud • Business Process as a Service (BPaaS) • Application Platform as a Service(APaaS) • Application Infrastructure as a Service (AIaaS) • Everything as a Service (XaaS) • Storage as a service • Database as a service • Information as a service • Process as a service • Security as a service • Integration as a service Deliberately omitted • Management/governance as a service from ITU‐T list • Testing as a service • Lawful Interception as a Service • Retained • Law Enforcement Monitoring Facility as a service 17 ETSI/Security Workshop (7) S4 Obligatory predicates: functionality identified for all cloud based services

Potential security monitoring and acquisition interfaces

Challenges will be • LI implementations across multiple clouds • RD security and scaling • Inconsistencies among cloud infrastructure and service implementations Potential application of ETSI TCLI eWarrant, DR handover, and Dynamic Triggering specifications NiNecessitates widespread use of DPI capabiliti es

18 ETSI/Security Workshop (7) S4 Business opportunities

• Retained Data as a Service

19 ETSI/Security Workshop (7) S4 Retained Data as a Service (RDaaS)

Retained Data obligatory predicates are numerous Securities and financial transaction regulatory requirements eDiscovery civil litigation evidence requirements • USA rules being adopted by judiciaries worldwide Data Retention criminal investigation requirements • EU Data Retention Directive • Potential new cloud requirements under the Directive Data Preservation criminal investigation requirements • Includes “quick freeze” capabilities Cybersecurity/infrastructure protection requirements • Includes Continuous Security Monitoring event analysis capabilities Billing record requirements

20 ETSI/Security Workshop (7) S4 RDaaS value propositions

RDaaS capabilities are ideal • Cloud service obligations • Large‐scale non‐cloud services Almost unlimited scaling of storage and processing resources High security and protection of personally identifiable information Technique re‐use can occur across multiple implementations Lowered costs Faster and more complex discovery and analysis capabilities Specialized customer remote access “apps” Facilitated by new CybOX observables initiative

21 ETSI/Security Workshop (7) S4