This talk was given at a Cloud Security Alliance event in Lausanne on April 29th, 2015.
Organized by the CSA Switzerland chapter, the topic was trust issues in cloud computing in general. In this talk, I gave our feedback and the approach we take with customers when they ask about security. The framework and tools offered by the Cloud Security Alliance are a great help and define a common comparison base.
In the end, trust is always relative and rarely absolute. Cloud providers can be, and in most cases are, a security asset rather than an additional risk.
2. Antoine Coetsier
CEO at Exoscale since 2011
+12 years in Service Provider Mobile/Telco/Cloud (CCSK holder)
3. ... an IaaS provider and beyond
Cloud hosting based on the latest technology
§ Flexible server and storage infrastructure
§ Trimmed for performance, intuitive usability and tooling
Market place for value added applications
§ One-stop-shop to reduce infrastructure complexity for developers and sysadmins
exoscale in a nutshell... The safe home for your cloud applications ... with a solid background
Trust relationship with the cloud provider
§ Started 2011 within Veltigroup
§ Spun-off mid 2014
Swiss company
§ Proximity to EMEA clients
§ Swiss data privacy standards
99.95% platform availability
4. exoscale offering overview
A one-stop-shop for developers/sysadmins and business IT
Open Cloud: Open Cloud Compute, Open Cloud Storage
Managed Cloud
Swiss Support
Virtual data center, Zones & Networking, Market place / add-on services
Vendor backed
Transition product for business IT migrating to the cloud – Hybrid Cloud
One-stop-shop for SaaS companies
Pure-play cloud offering (web-based purchase)
Worldwide market pricing
5. Some numbers
+1200 active customers
25,000 instances deployed in 2014
6. Security not an option
Solid reliability for customers' business
+130 points dealing with the whole cloud service:
– Data Governance
– Facility
– HR
– Information Security
– Legal
– Risk Management
– Security Architecture
Datacenters – Security Framework
State of the art locations for safe housing:
– GV1: Internet peering point
– GV2: Extreme density
– DK2: Reconverted Swiss Army bunker
7. Enterprise class SLA and support
SLAs:
– 99.95% instance availability
– 4H incident resolution objective
– 99% self-care platforms availability: Portal, Management interface, Billing and usage console, User Management
– Transparent escalation matrix
Support:
– 24/7 unique phone call center – Swiss based
– Multi-language: French, English, German
– Requests management*: business days, from 8am to 6pm
* Geneva time zone and vacation schedule
9. Open Cloud compute: instances for Devs and Sysadmins
Direct, simple to use cloud instances for Devs and Sysadmins
Open:
– Open source based
– Standard API
– Multi OS
Ease of use:
– Direct console
– Integrated support
Performance:
– KVM
– Persistent storage and IP
– 10 Gb networking
Security features:
– Security groups
– SSH keypair management
10. Open Cloud compute: a unique portal
One comprehensive portal for instance management, support, documentation and billing information
12. Scalable security
Diagram: the Internet reaches your tenant; each instance has its own public IP and sits in a security group (Security group A, Security group B); the groups give controlled inbound and outbound traffic.
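Since each instance carries its own public IP and relies on its security groups for isolation (see the technical specifications on slide 14), it is worth being precise about how group rules are evaluated. The model below is an added example, not Exoscale's or Apache CloudStack's code: on the real platform the rules are created through the CloudStack API (createSecurityGroup, authorizeSecurityGroupIngress, authorizeSecurityGroupEgress) and enforced at the hypervisor. The group names, addresses and rules are constructed for the example, and the egress convention (all outbound traffic allowed until the first egress rule is added) is the CloudStack behaviour assumed here.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One ingress or egress rule. Set either cidr (peer address range) or
    group (peers that are members of another group of the same tenant)."""
    protocol: str                     # "tcp", "udp" or "icmp"
    start_port: int = 0
    end_port: int = 0
    cidr: Optional[str] = None
    group: Optional[str] = None

    def covers(self, protocol: str, port: int) -> bool:
        if protocol != self.protocol:
            return False
        if protocol == "icmp":        # no ports; ICMP type/code not modelled
            return True
        return self.start_port <= port <= self.end_port


@dataclass
class SecurityGroup:
    name: str
    ingress: List[Rule] = field(default_factory=list)
    egress: List[Rule] = field(default_factory=list)


@dataclass
class Instance:
    name: str
    public_ip: str
    groups: Tuple[str, ...]           # one or more groups per instance


class Tenant:
    """All groups and instances of one tenant, as drawn on the slide."""

    def __init__(self) -> None:
        self.groups: Dict[str, SecurityGroup] = {}
        self.instances: Dict[str, Instance] = {}

    def add_group(self, group: SecurityGroup) -> None:
        self.groups[group.name] = group

    def add_instance(self, inst: Instance) -> None:
        unknown = [g for g in inst.groups if g not in self.groups]
        if unknown:
            raise KeyError(f"unknown security group(s): {unknown}")
        self.instances[inst.name] = inst

    def _peer_matches(self, rule: Rule, peer_ip: str) -> bool:
        if rule.cidr is not None:
            return ip_address(peer_ip) in ip_network(rule.cidr, strict=False)
        if rule.group is not None:    # group-to-group: peer is a member's address
            return any(i.public_ip == peer_ip and rule.group in i.groups
                       for i in self.instances.values())
        return False

    def ingress_allowed(self, dst: str, src_ip: str, protocol: str, port: int = 0) -> bool:
        """Deny-by-default: the packet passes only if an ingress rule of one of
        the destination's groups covers the protocol/port and the source."""
        inst = self.instances[dst]
        return any(r.covers(protocol, port) and self._peer_matches(r, src_ip)
                   for g in inst.groups for r in self.groups[g].ingress)

    def egress_allowed(self, src: str, dst_ip: str, protocol: str, port: int = 0) -> bool:
        """CloudStack convention assumed here: with no egress rule on any of the
        instance's groups all outbound traffic passes; once one egress rule
        exists, only traffic matching an egress rule passes."""
        inst = self.instances[src]
        rules = [r for g in inst.groups for r in self.groups[g].egress]
        if not rules:
            return True
        return any(r.covers(protocol, port) and self._peer_matches(r, dst_ip)
                   for r in rules)


def build_example_tenant() -> Tenant:
    """Constructed two-tier layout (documentation address ranges, not real ones):
    group A "web" is open to the Internet on 80/443 and to an office range on 22;
    group B "db" accepts 5432 only from members of "web"."""
    t = Tenant()
    t.add_group(SecurityGroup("web", ingress=[
        Rule("tcp", 80, 80, cidr="0.0.0.0/0"),
        Rule("tcp", 443, 443, cidr="0.0.0.0/0"),
        Rule("tcp", 22, 22, cidr="203.0.113.0/24"),   # office range only
    ]))
    t.add_group(SecurityGroup("db", ingress=[
        Rule("tcp", 5432, 5432, group="web"),          # group-to-group rule
    ]))
    t.add_instance(Instance("web1", "198.51.100.10", ("web",)))
    t.add_instance(Instance("db1", "198.51.100.20", ("db",)))
    return t
```

Calling build_example_tenant() and then ingress_allowed("db1", "192.0.2.5", "tcp", 5432) returns False while the same port from web1's address returns True, which is the point of the group-to-group rule: the database tier never has to list the web tier's addresses, and a new instance joining "web" is covered automatically. The egress side is the part most often forgotten: a single egress rule (say, DNS only) flips the group from allow-all to allow-listed, which is the behaviour a practitioner wants to verify before relying on it.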
13. Open Cloud Storage
Unique Swiss object storage offering
Unique object storage offering in Switzerland
AWS S3 compliant, built on internal IP – open source project pithos.io
Masters the key challenges of object storage:
– Unlimited scalability
– High performance (low read/write latencies)
Object storage background:
– S3 API
– Unlimited buckets
– Objects or files
Object storage, unlike file storage, focuses on high performance and unlimited scalability of storage
AWS S3 is the de facto industry standard
Market highly dominated by US players (Amazon, Rackspace, Google, Microsoft)
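"AWS S3 compliant" means an existing S3 client works once its endpoint and key pair are changed, and that the same request-signing model applies. The following added example (not pithos or Exoscale code) signs a request with AWS Signature Version 2, the original S3 REST signing scheme, to make visible what the signature binds and what it leaves out. The endpoint, access key, secret key and bucket names are made up for the example.

```python
import base64
import hashlib
import hmac
from email.utils import formatdate
from typing import Dict, List, Optional

# Placeholder endpoint and credentials, made up for this example; they are
# not real Exoscale values. Changing these three is all an S3 client needs
# to target another S3-compliant service.
ENDPOINT = "sos.example.invalid"
ACCESS_KEY = "EXOEXAMPLEACCESSKEY"
SECRET_KEY = "example-secret-key-do-not-use"


def canonical_amz_headers(headers: Dict[str, str]) -> str:
    """x-amz-* headers lower-cased, sorted, one 'name:value\\n' line each."""
    amz: Dict[str, List[str]] = {}
    for name, value in headers.items():
        lname = name.strip().lower()
        if lname.startswith("x-amz-"):
            amz.setdefault(lname, []).append(value.strip())
    return "".join(f"{n}:{','.join(v)}\n" for n, v in sorted(amz.items()))


def string_to_sign(method: str, bucket: str, key: str, headers: Dict[str, str]) -> str:
    """Signature V2 StringToSign. It binds the verb, Content-MD5, Content-Type,
    Date, every x-amz-* header and the resource /bucket/key. It does not cover
    other headers or the body (unless Content-MD5 is sent); sub-resource query
    parameters such as ?acl would have to be appended to the resource and are
    not handled here."""
    lower = {k.lower(): v for k, v in headers.items()}
    head = "\n".join([method, lower.get("content-md5", ""),
                      lower.get("content-type", ""), lower.get("date", "")])
    return f"{head}\n{canonical_amz_headers(headers)}/{bucket}/{key}"


def sign(secret_key: str, sts: str) -> str:
    """base64(HMAC-SHA1(secret, StringToSign)): a 20-byte MAC, 28 characters."""
    mac = hmac.new(secret_key.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def content_md5(body: bytes) -> str:
    """Content-MD5 as S3 expects it: base64 of the raw digest, not hex."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")


def signed_headers(method: str, bucket: str, key: str, body: bytes = b"",
                   content_type: str = "", date: Optional[str] = None,
                   access_key: str = ACCESS_KEY,
                   secret_key: str = SECRET_KEY) -> Dict[str, str]:
    """Headers for one virtual-hosted request to bucket.ENDPOINT. Date is part
    of the signature, so a captured request only replays while the service's
    clock-skew window is open; Content-MD5 is always sent on PUT so that the
    body is bound to the signature too."""
    headers = {"Host": f"{bucket}.{ENDPOINT}",
               "Date": date or formatdate(usegmt=True)}
    if content_type:
        headers["Content-Type"] = content_type
    if method == "PUT":
        headers["Content-MD5"] = content_md5(body)
    sts = string_to_sign(method, bucket, key, headers)
    headers["Authorization"] = f"AWS {access_key}:{sign(secret_key, sts)}"
    return headers
```

Two practitioner points follow from the code. Only what string_to_sign lists is authenticated, so a PUT without Content-MD5 over a non-TLS connection lets an on-path party swap the body without invalidating the signature. And the Date header is the only replay protection in this scheme, so the client clock has to be right (AWS S3 rejects requests skewed by more than 15 minutes) and captured requests stay valid for that window.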
14. Open Cloud Compute
More than 25'000 instances launched in 2014
A provider of virtual servers
All in one self-service portal:
– Deployment of new instances in less than 35 seconds
– Reduces operational complexity (like networking)
Fully compatible with many open and proprietary DevOps tools:
– Tooling and automation (APIs)
Minutes based pricing
Technical specifications:
Cloud control system: Apache CloudStack (tm)
Hypervisor: Linux KVM (Kernel Virtual Machine)
Storage: Local SAS storage (all SAS/SSD)
Admin interface: Own provisioning interface
Instance size: CPU 1–8 vCPUs; RAM 512MB–32GB; Root disk 10GB–400GB
Network: Security groups for network isolation; 1 public IP per instance
OS images: Linux (CentOS, Debian, Ubuntu, CoreOS); Windows Server (2008 R2, 2012)
Billing and pricing: Minutes pricing; Online payment or monthly invoice
SLA: 99.95% availability; 24/7 interventions
16. Open Cloud apps
Rapid application integration and deployment
PaaS*: Platform as a service
– Languages
– First in Switzerland
Databases and cache via addons:
– SQL
– Memcache
– ....
Standard, typical workflow:
Commit your code
– git commit -m 'ready for prod'
Push your application to exoscale apps
– exoapp default/myapp push
Deploy the application
– exoapp default/myapp deploy
Rollback, push a new version, a branch ...
– Without losing a single user connection
From development to testing to production right from developer tools
17. Application scaling
Containers can scale horizontally and vertically
Advanced features:
– Custom domain names
– https or websockets support
– SSH connection
– Log viewing
– Buildpacks
18. Open Cloud pricing
Flexible and clear pricing structure
Detailed instance pricing (1):
Type         RAM        CPU   Monthly price
micro        512 MB     1     CHF 14.98
tiny         1'024 MB   1     CHF 26.46
small        2'048 MB   2     CHF 52.38
medium       4'096 MB   2     CHF 82.08
large        8'192 MB   4     CHF 164.16
extra large  16'384 MB  4     CHF 282.42
huge         32'768 MB  8     CHF 552.96
Detailed root disk pricing (1):
Size     Monthly price
10 GB    CHF 1.44
50 GB    CHF 7.20
100 GB   CHF 14.40
200 GB   CHF 28.80
400 GB   CHF 57.60
Windows license pricing: CHF 18.72 monthly
Open Cloud Storage – detailed object storage pricing: CHF 0.05 / GB monthly
Networking – detailed network pricing:
Type        Price
in          CHF 0.00 / GB
out         CHF 0.0765 / GB (first 100 GB free)
inter-zone  CHF 0.00 / GB
Market place – detailed added value pricing: hourly price CHF 0.01 / MeH (2)
PaaS: easy and clear pricing structure; all services are charged on a per minute rate; highly competitive prices
1) Some extreme combinations not possible
2) Memory Hours (128MB container for one hour)
20. Migrating to a cloud service
1st concern is always security
Existing guidelines are not fit for purpose:
– ISO 27001
– ...
What is the data at stake?
Dealing with issues
21. Cloud computing segmentation
Who manages each layer of the stack (Y = you manage, S = delivered as a service):
Layer           Traditional IT   IaaS   PaaS   SaaS
Applications    Y                Y      Y      S
Data            Y                Y      Y      S
Runtime         Y                Y      S      S
Middleware      Y                Y      S      S
O/S             Y                Y      S      S
Servers         Y                S      S      S
Storage         Y                S      S      S
Networking      Y                S      S      S
DC facilities   Y                S      S      S
22. Roles and responsibilities
Roles and responsibilities vary with the cloud model chosen:
– "The lower down the stack the cloud service provider stops, the more security capabilities and management consumers are responsible for implementing and managing themselves."
Security responsibility: Provider ↔ Customer
23. Existing frameworks
They focus on one aspect:
– Datacenter
– Access control process
– ...
Not on the service
Scope problem
24. Framework for cloud services
Non profit organization formed to promote:
– Best practices for providing security within the Cloud
– Education for the use of Cloud solutions
– Guidance and actionable documents
Established in 2008, gained significant traction in 2011
Not (too) commercial or one-sided governed Alliance
25. Cloud Security Alliance
Defines best practices in a Cloud Control Matrix (CCM)
Commercial note: exoscale has documented all points of the CCM
+130 points dealing with a large scale of competences:
– Data Governance
– Facility
– HR
– Information Security
– Legal
– Risk Management
– Security Architecture
26. Example
CCM control – Human Resources, Background Screening, HRS-02: "Pursuant to local laws, regulations, ethics, and contractual constraints, all employment candidates, contractors, and third parties shall be subject to background verification proportional to the data classification to be accessed, the business requirements, and acceptable risk."
CAIQ: Consensus Assessments Initiative Questionnaire
CAIQ row – Data Governance, Classification, DG-02, DG-02.1: "Do you provide a capability to identify virtual machines via policy tags/metadata (ex. Tags can be used to limit gu…"
27. Cloud Security Alliance mapping
CCM v3.0.1 released
Controls base-lined and mapped to:
– COBIT
– HIPAA / HITECH Act
– ISO/IEC 27001-2005
– NIST SP 800-53
– FedRAMP
– PCI DSS v2.0
– BITS Shared Assessments
– GAPP
– ...
OCF Level 1: the Cloud Control Matrix
28. Risk management regarding data
What is the data at stake?
– Personal/employees data
– Sensitive data
– Regulated data
Is this data meaningful or valuable to someone else?
29. Data classification
Any data we handle has been classified in our systems and given policies regarding the following actions:
– Create
– Store
– Use
– Share
– Archive
– Destroy
Each class has its own rules and level of protection.
Standard classes:
– Low: civility (title/salutation),...
– Medium: logs,...
– High: authentication secrets
Special classes:
– Credit card information: not stored
– Forbidden information: racial, political,...
30. Reversibility
Ownership: using a cloud service should not entail the transfer of ownership of the data
As a general rule:
– IaaS and PaaS services must stipulate that the data remains your property
– SaaS services: look closely, especially for mainstream services
Reclaim: can I reclaim/transmit data at any time?
What happens in case of contract breach, bad SLAs, change of control of the provider, discontinuation of the service,...
The answer has to be both technical and legal
31. The key is contractual
Read the contract or terms and conditions
Track changes
– Initiatives like http://tosdr.org/ "Terms of Service; Didn't Read" emerged
32. The "trust" issue
Trust is relative
– You trust someone/something more than another
– Does absolute trust exist?
For IaaS, who do you trust more?
– An infrastructure team in the IT department
– A provider
Just like with kids: trust does not exclude controls
– Are the controls adapted?
33. Wrap up
Classify your data
Request a security alignment
Review your contracts
– Reversibility
Hosting in data protection aware locations – Switzerland – is easier
– But does not prevent all the above
Providers like Exoscale can help
They enforce strict controls:
– Monthly testing of power redundancy
– Bi-monthly review of security access
– Risk assessment and management
– …
Provider is an asset, not a threat, in your security landscape
35. My recommendations
Be ready!
1. Test even if you do not have a business case
2. Make a proof of concept
3. Open an account
Proactive / Reactive
36. Thank you for your attention
Contact us: +41 58 668 56 00, sales@exoscale.ch
Follow us: @exoscale; exoscale code
Head Office: Lausanne, Avenue de Provence 4, CH-1007 Lausanne
Operations: Geneva, Rue du Pré de la Fontaine 19, CH-1217 Meyrin