GRUPPO TELECOM ITALIA
Cloud Security @ TIM
Current Practices and Future Challenges
Michele Vecchione @ TIM
1st Workshop of the Project Cluster on Data Protection, Security and Privacy
in the Cloud. 23 February 2016, Napoli, Italy
The TIM Group in short
TIM Cloud Strategy versus OTT Players
Cloud and TIM strategy
Distinctive Factors of our Cloud Business Model
Three distinctive factors differentiate the TIM cloud offering from OTT players:
Proximity, Compliance with Security & Privacy, and Excellence in Quality of Experience
[Chart: TELCO versus OTT on three axes (Proximity, Quality of Experience, Compliance & Security), each marked "high"]
Telco versus OTT

Proximity
  Telco: Direct Sales, PreSales Force, CRM Exploitation, Customisation, Local Infrastructures
  OTT:   Product Centric, Self Service
Quality of Experience
  Telco: E2E control, SLA, Low latency
  OTT:   Remote, No direct network control
Compliance & Security
  Telco: EU regulation, SOC/NOC, Consultancy
  OTT:   Rely upon Internet or third parties, Lower privacy rules
Cloud adoption in Italy
There is space to grow… BUT there are some concerns
Building a secure cloud for hosting Enterprise SAAS is a TOP Priority
TIM Cloud Infrastructure: Data Centers
A Secure Physical Infrastructure
Title of the Presentation
Name of the Speaker, Name of the Department
[Map of Italy. Legend: Regional Service Centers, National DCs. Labelled sites: IDC Cesano Maderno, IDC Rozzano, DC Bologna, DC Padova, DC Bari, Palermo, Firenze, Torino, Napoli, DC Oriolo Romano, IDC Pomezia]
Nord Est Area                        Bologna    Padova
Systems rooms #                      15         23
Systems Rooms available area         >4.100     >4.300
• Production Systems rooms area      >3.600     >3.300
• TLC Systems rooms area             >250       >280
Installed/Active Servers #           >1.100     >950
• Managed Servers #                  >900       >600

Nord Ovest Area                      Cesano     Rozzano
Systems rooms #                      16         11
Systems Rooms available area         >4.800     >3.500
• Production Systems rooms area      >4.500     >2.800
• TLC Systems rooms area             >280       >200
Installed/Active Servers #           >4.700     >2.200
• Managed Servers #                  >1.300     >1.500

Center/South Area (Oriolo, Bari, Pomezia)
                                     Values as listed
Systems rooms #                      13 | 16 | 6
Systems Rooms available area         >3.400 | >6.600 | >2.000
• Production Systems rooms area      >2.900 | >6.100 | >1.800
• TLC Systems rooms area             >400 | >400 | >90
Installed/Active Servers #           >3.200 | >5.400 | >800
• Managed Servers #                  >3.000 | >3.000 | >700
Acilia (work in progress)
Data Center TIER 4
Area Size: >4.0000 mq
Production System Rooms (6 m Height): >3.500 mq
Hi Density power supply: up to 15 Kw/mq
Network supports: SDN, NFV
Logical Security: 1) Clarify Responsibilities according to the chosen Service Model and Distribution Model
Logical Security: 2) Implement Security according to Responsibility
Cloud Service Provider Scope:
• Expose clear security levels of cloud SEs
• Inform the customer about Certifications, Policies, Processes, Responsibilities, Security Plan, L. 196 obligations, and Checks (e.g. PT and VA) that TIM is responsible for
• Contractually sign obligations and SLA
[Diagram labels: TIM, Customer]
Customer Scope:
• Assist the customer in understanding residual risk
• Advise the customer on securing its area of responsibility
• Provide additional Security Services and tools to mitigate its own risk
Logical Security: 3) Security as a service to support SAAS
TIM Security Competence Center
TIM Security Operation Center
Market Security Additional Services
Main Offered services
TIM Security Operation Center
AREA PROTECTION
MAIL PROTECTION
MSOC
HOST PROTECTION
SECURITY ASSESSMENT
SECURITY MONITORING
DDOS MITIGATION
Virtual appliances to protect mission-critical Web Applications, Databases or File Systems running in the TIM cloud or on premises
Mail Relay service with Antispam & Antivirus layer for customers with Mail Service offered by TIM or at Customer Premises
Security Appliance Management (IDS, IPS, Boundary Antivirus, Web Content Filtering, Antispam)
Distributed Denial-of-Service Protection, to protect from attacks aiming to block the service to legitimate users.
Periodic Vulnerability Assessments, Penetration Testing, Source Code Audit executed by the TIM SOC
Monitoring of corporate anti-intrusion systems to identify and block potential attacks from internet as well as intranet users and prevent system violation
• Cisco CCNA (Cisco Certified Network Associate)
• Microsoft: “Microsoft Windows server”
• SCJP - Sun Certified Java Programmer
• ISO 20000 & 27001 Lead Auditor
• ECDL Core
• QCS - QualysGuard Certified Specialist
• Certified Information Forensics Investigator – CIFI
• EC-Council Certified Security Analyst – ECSA
• EC-Council Licensed Penetration Tester – LPT
• Certified Ethical Hacker – CEH v7
• Microsoft Certified Systems Engineer
• CompTIA Security+ Certified (SYO-201)
• Fortinet Certified Network and Security Associate (FCNSA)
• Juniper Networks Certified Internet Associate (JNCIA-FWV)
• QualysGuard Certified Specialist
• Hands on Hacking Web Application (HOH)
• Network and system security for company and public administration
• Clavister Firewall Certification
• IT Security & Digital Forensics (Master)
• ISO 9000
• ISO 27001
The world is changing rapidly: new security challenges
Where is my Perimeter? With mobility and cloud, the company perimeter is now the
Internet! New cloud security access layers are required to secure corporate apps
and data; they must be aware of the endpoint used, the access location, the OS,
the strong digital identity, and the application used.
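A minimal sketch of the context-aware access layer described above, deciding on the five signals the slide names (endpoint, location, OS, identity strength, application). This is an added example, not TIM's implementation; the policy table, application names and the two-factor threshold are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # ask for one more authentication factor, then re-evaluate
    DENY = "deny"


@dataclass(frozen=True)
class AccessContext:
    """The signals named on the slide, as seen by the access layer."""
    endpoint_managed: bool   # used endpoint: enrolled corporate device or not
    country: str             # access location (ISO 3166-1 alpha-2)
    os_name: str             # OS
    os_patched: bool
    auth_factors: int        # strength of the digital identity: factors verified
    application: str         # used application


@dataclass(frozen=True)
class AppPolicy:
    high_sensitivity: bool
    usual_countries: frozenset
    allowed_os: frozenset
    allow_unmanaged: bool


# Constructed policy table: application names and values are illustrative.
POLICIES = {
    "crm": AppPolicy(True, frozenset({"IT"}),
                     frozenset({"windows", "macos", "ios"}), False),
    "wiki": AppPolicy(False, frozenset({"IT", "DE"}),
                      frozenset({"windows", "macos", "linux", "ios", "android"}), True),
}


def evaluate(ctx: AccessContext):
    """Return (Decision, reasons). Anything not explicitly permitted is denied."""
    policy = POLICIES.get(ctx.application)
    if policy is None:
        return Decision.DENY, ["application not in policy table"]

    # Hard failures: no extra factor can compensate for these.
    denials = []
    if ctx.auth_factors < 1:
        denials.append("no verified identity")
    if ctx.os_name not in policy.allowed_os:
        denials.append("OS not allowed for this application")
    if not ctx.endpoint_managed and not policy.allow_unmanaged:
        denials.append("unmanaged endpoint not allowed for this application")
    if policy.high_sensitivity and not ctx.os_patched:
        denials.append("unpatched OS on a high-sensitivity application")
    if denials:
        return Decision.DENY, denials

    # Soft signals: each one raises the identity strength required.
    risk = []
    if policy.high_sensitivity:
        risk.append("high-sensitivity application")
    if ctx.country not in policy.usual_countries:
        risk.append("unusual access location")
    if not ctx.endpoint_managed:
        risk.append("unmanaged endpoint")
    if not ctx.os_patched:
        risk.append("unpatched OS")

    required_factors = 2 if risk else 1
    if ctx.auth_factors < required_factors:
        return Decision.STEP_UP, risk
    return Decision.ALLOW, risk
```

The returned reasons are meant to be written to the access log with every decision, so that denials and step-ups can be reviewed later.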
How can I intelligently scan all of my huge cloud traffic? An enormous amount of
information from activity monitoring logs (users, admins) and anomaly detection
(threats, usage, traffic, data scan) needs to be handled every day. A big data
approach must be undertaken.
How do I secure IoT? With IoT, billions of low-power, limited-CPU devices will be
connected to applications, generating trillions of daily events.
How do I secure smartphones? MDM and BYOD have low penetration. How do I secure
these endpoints in an easier way?
The world is changing rapidly: new security challenges
How can I enforce data protection using cloud? Corporate applications need to
enforce data protection in different cloud deployment scenarios. How can I get
visibility on Shadow Cloud? How can I get contextual access control and prevent
data leakage on the cloud?
How can I secure agile and collaborative development? DevOps is growing
fast. With continuous development, integration and delivery it is necessary to shift
from traditional SDLC security enforcement to a more dynamic security
framework.
Our Vision: Creating a Digital Ecosystem around the TIM Cloud
• Expose our Infrastructural assets (Network, BSS, CRM, Data Sets)
• Aggregate and attract External Communities (R&D, Start-ups, Public Administrations, System Integrators, ISV,..)
• Broker Third Parties (Cloud providers, SW Vendors,..)
• Enable an API economy
• Expose Commercial Capabilities (sales force, resellers, payments)
• Enable collaborative Dev for a new generation of cloud-ready SAAS (Mashup, DevOps, Microservices)
• Sell IAAS, PAAS and SAAS
• Monetise the community
New Security Requirements
• In the new Cloud Ecosystem new security requirements arise:
• Security Pre-scan at Dev Stage
• Automatic Testing at Build and Push Time
• Secure microservices Registry
• Scanning containers at run time
• WL/BL Container Registry
• Signed containers
• Centralise Logs (Big Data)
• Contextual Access Control
• Encrypt data in motion and data at rest
• Orchestrate environments (Dev, Test, Prod)
• Provide Dashboard for security Risk Assessment
• Discover Shadow cloud apps
• Protect Mobile and IoT devices with a clientless approach
• Provide SSO / Digital ID across apps
• Multi Factor Strong Auth
• IAM across apps
Conclusions
• The trend of porting existing legacy applications with well-defined monolithic
sw architecture into the cloud will fade away with time
• New security threats are continuously arising from new emerging technologies such as IoT,
PAAS, middleware frameworks, microservices, containers,..
• The new TIM cloud will quickly become a collaborative environment where a number of
different entities will together create new services by aggregating capabilities in the form
of APIs, building blocks, and micro-services offered by community members.
The scientific community needs to help CPs with new Security Technologies,
Solutions, Methodologies and Standards.
The Cloud MUST Communicate SECURITY By Design!
Thank You!
Michele Vecchione
TIM
Director Vertical Platform Engineering
Michele.vecchione@telecomitalia.it
