Presentation on the subject: "Luc Leysen, Security Expert, Unisys, November 2010" - Transcript of the presentation:
Slide 1: Luc Leysen, Security Expert, Unisys, November 2010. CNIS Round Table.

Key message: This presentation discusses the Unisys cloud computing strategy announcements of 30 June 2009 and 2 November 2009 and what they mean for clients.
Today I’d like to share with you an exciting new strategy from Unisys that combines innovative security with a suite of solutions to expand your options for delivery of IT services in the cloud. We announced this new strategy and related offerings on 30 June 2009, with the announcement of our cloud-in-a-box solution – the Unisys Secure Private Cloud Solution – on 2 November 2009. This strategy is intended to overcome CIOs’ concerns about the security of data in the cloud, cited by organizations and industry analysts as the top impediment to adopting cloud computing for business needs. It will enable organizations to move enterprise application workloads securely to tailored cloud environments with greater confidence in maintaining the integrity of critical information. In fact, we like to say that we’re smashing the barriers to adoption of cloud computing with our innovative cloud computing strategy and solutions portfolio.
Slide 2: Secure Cloud client case: real-estate investment trust.
A real-estate investment trust in the United States.
Profile: 3,200 employees; builds, operates and manages shopping centers in 40 states.
Need: launch a spin-off in the short term. For this spin-off: set up an independent environment in 90 days, without capital investment.
Slide 4: Security: concern no. 1.
The client was worried about ...
Data protection and privacy: securing its data outside its own secured environment; unauthorized visibility of its data in a shared environment; unintentional cloud administration errors resulting in unauthorized access and causing its data to leak to other organizations, customers or competitors.
Compliance: the cloud provider’s audit procedures; the cloud provider’s ability to help it meet compliance and regulatory requirements.

Key message: Questions such as those shown here concerning data protection/privacy and compliance are why clients worry about security with cloud computing. What if Unisys could allay their security concerns?
Why should you worry? Let’s first remember that cloud computing, by definition, means that you are sharing a computing resource with other users. We should also remember that most conventional business applications contain sensitive data, such as customer, patient, employee, financial, or other proprietary information that must be guarded and protected. Unlike conventional computing, where we can control all the infrastructure within our own firewalls, and where we can lock down data by controlled means, a shared cloud resource must also be secured to be able to meet most security compliance requirements. Here is a list of questions you should ask any cloud provider, to assess their ability to meet your security needs:
Data Protection and Privacy
How will you secure my data outside my firewall? Unisys Stealth for Network protects your data across any network topology to our Secure Cloud.
How will you ensure there isn’t unauthorized visibility to my data when in a shared computing environment? Unisys Secure Cloud Solution only allows authorized users to access or assemble data. Even Unisys operators cannot see the data, unless given explicit permission by you.
What about unintentional cloud administration errors? Providing unauthorized access/rights to others – only you can grant access rights. Causing your data to go to other organizations, customers, or competitors – even if Unisys did make such a mistake, with the Unisys Secure Cloud the data is protected and cannot be made visible or whole unless permission is granted, so no one without permission could use the data if it got out of our control.
What if there is a potential breach of the virtualization hypervisor (e.g. a virus)? So far, no one has created a virus that attacks a virtual hypervisor. But what if this did happen? Unisys Stealth is still protecting the data, and no unauthorized users can gain access to it, even if the hypervisor loses control.
Compliance
What are the cloud provider’s auditing procedures? What is the cloud provider’s ability to help you meet your regulatory and compliance requirements? For both of these, Unisys has extensive security and auditing done frequently, and we have achieved very prestigious certifications and ratings, including ISO 27001, ISO 20000, and SAS 70 Type II. Even better, we provide our customers with access to a database that helps them integrate our capabilities with their own compliance needs. This type of information simplifies and speeds up meeting compliance for your applications.
The bottom line is that only Unisys can provide a secure cloud capable of running business applications with built-in security. Other cloud providers would have to redefine their whole cloud environments in order to accommodate a shared computing environment that was also secure. Of course, there are a few applications that run on a cloud that have had some degree of security built into them and can handle multiple tenants. But, unfortunately, most business applications were not designed from the beginning to run multiple tenants and to provide the security needed.

Question to Unisys: Can you eliminate these concerns and make the cloud truly secure?
Slide 5: The Unisys differentiator.
Unisys offered an extremely secure solution to give the client confidence: STEALTH technology, based on the notion of communities of interest, on data dispersion via the proprietary “bit splitting” mechanism, and on FIPS 140-2, 256-bit AES* encryption.
Security best practices: a multi-vendor, layered security approach covering intrusion detection and prevention, firewall management, 24x7 security monitoring, advanced correlation and analytics, auditable logs ...
Operational maturity: the Secure Cloud service team operates under ISO-certified, ITIL V3-compliant delivery processes.
Independently certified security program: Secure Cloud services are provisioned from ISO-certified delivery centers.
Independently certified and audited service centers: SAS 70 Type II certified data centers.
*Advanced Encryption Standard

Key message: Other vendors may talk about security in cloud computing, but only Unisys has the truly secure cloud.
When it comes to security in a cloud, what we’re really talking about are the workloads and how clients can confidently move them to the cloud. A lot of vendors talk security in the cloud, but we believe we have an advantage. Security is inherent in all our operations and offerings; it is one of Unisys’ four key areas of strength. Unisys delivers with globally secure operations and fast, reliable 24x7 services anywhere in the world.
Note to speaker – begin at the bottom and work up.
For clients that require it, many of our centers have undergone SAS 70 Type II audits. (SAS 70 is an acronym for Statement on Auditing Standard 70; it was developed and is maintained by the American Institute of Certified Public Accountants.) Specifically, a SAS 70 audit validates that we have professional standards and satisfactory internal controls and safeguards when hosting or processing information for our customers, and that we have applied these consistently over a long period.
And we deliver Secure Cloud services from our ISO-certified delivery centers. There are literally hundreds of control objectives for processes and procedures that need to be followed. These have been codified in the ISO standard, and all of our designated cloud centers are certified. For you, our commitment to ISO means the best possible levels of security governance plus safeguards for the protection of your enterprise. Plus, we have global tools in place to monitor all of our centers’ compliance against these safeguards and standards, so that they are adhered to consistently and can also consistently improve. Unisys also has a global program in place to implement and maintain ISO certifications across our delivery centers. All designated Secure Cloud delivery centers are already certified to ISO 20000. ISO 20000 is the international standard for IT Service Management, an integrated process approach to effectively deliver managed services that meet business and customer requirements. It reflects the best-practice guidance contained within the ITIL v3 framework as well as components of the CoBIT framework.
The Unisys Security Operations Centers (SOC) are located throughout the world and monitor the Secure Cloud on a 24x7 basis. We take a layered, multi-vendor approach to security with Intrusion Detection and Prevention Services (IDPS), firewall management, advanced correlation and analytics, log analysis and more. Our commitment is to provide a security framework that is as good as or better than any you could establish yourself. And we do all this and more with the addition of our patent-pending Stealth technology, which allows private communities of interest based on FIPS 140-2, 256-bit AES encryption and cloaks the data with proprietary “bit splitting”. We believe this is a key differentiator, as Stealth technology allows different groups in a multi-tenant client environment to share the same IT infrastructure without fear of exposing one client’s data to another. We’ll talk much more about this in the next couple of slides.
Slide 9: The challenges other offerings face in securing the requested cloud service.
[Diagram: Typical cloud facility. Client A and Client B each connect over their own VPN/SSL network to a virtual web server, virtual app server and virtual DB server; storage encryption sits in front of a shared SAN.]
Applications had to be “webified”.
Conclusion: Too expensive, for the client and for the cloud provider. Non-elastic: a unique solution for each application/client. Impractical: setup and maintenance costly in time and money.

Key message: Trying to construct a truly secure cloud without Stealth is time-consuming, expensive, and creates a more restrictive cloud environment.
Let’s look at the challenge of securing an unsecured cloud in more detail. By definition, we can assume that a cloud service will be shared by two or more clients. This means that both clients have access to the servers, storage, networks, etc., within the cloud facility. When using traditional security techniques, the customer must secure the network by buying and implementing a VPN/SSL network to connect to the cloud facility. But, once inside the cloud facility, how do you secure your applications and data from other authorized users? The cloud provider must install firewalls to separate each user’s workloads from other users’. They must isolate the storage as well, and add encryption software. Another major challenge for clients is that, for this type of security to work, the application must be modified and rebuilt as a web-enabled, multi-tier application. This is often not possible or practical. After all this customization takes place, the end result is a private network, and this of course is extremely expensive to set up and maintain. Plus, it is not flexible and cannot adapt quickly to workload changes.
Slide 10: Unisys offering: the Stealth solution.
[Diagram, left: the typical cloud facility from slide 9 (per-client VPN/SSL network, web-enabled applications, per-client virtual web/app/DB servers, storage encryption, shared SAN), with its bottom line: more expensive for client and cloud provider; inelastic, a unique solution for each application/client; impractical, significant time and cost to set up and maintain.]
[Diagram, right: Unisys data center. Client A and Client B each have a Stealth Network Appliance on the Internet side; every virtual web, app and DB server carries a Stealth Endpoint; a Stealth Storage Appliance fronts the shared SAN; all Stealth-protected data (shown in blue) is safe.]
Conclusion: More secure and less costly => shared. Simpler, standardized, and much more flexible. No need to change applications.

Key message: In contrast, Stealth secures the cloud simply, at less cost, and creates a more flexible and usable cloud.
Let’s contrast the Unisys Secure Cloud, which has been enabled with Stealth technology. A Unisys client will have complete end-to-end security without modifying their existing applications. How do we do this? We install a Stealth Network Appliance for each client. Now data can be sent safely across any network, including the Internet. Each client’s application(s) can be run on our Stealth-enabled Secure Cloud infrastructure without modifications. Stealth isolates each client’s applications and data. Stealth allows you to define specific communities of interest, and only entities within a community of interest will have access to the data and resources. If you look at the diagram showing the Unisys outsourcing facility where we host our Secure Cloud Solution, each virtual instance includes a Stealth Endpoint which protects and isolates it. This allows us to define a very simple infrastructure. You can see that we are able to host multiple applications, and even multiple customers, on the same hardware systems (shown in grey), each in its own virtual instance. Note that we only have one firewall: we do not require dozens of firewalls and layers of security software, because Stealth already isolates each community of interest. Stealth for SAN does the same for client data, isolating each community of interest and its data. While this slide depicts using the Internet, some clients may choose to use a private network for higher performance. The bottom line is that this solution is much more secure, simpler, and less expensive, plus it allows us to respond much faster to your changes. Maybe even more important is that clients can run their existing applications without investing in significant modifications.
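The isolation model described on slide 5 (communities of interest, data dispersed by “bit splitting” and encrypted) and on slide 10 (several tenants on the same hardware, data readable only inside its community, operators blind unless the client grants explicit permission) can be modelled in a few dozen lines. The Python below is an added example for this transcript, not Unisys or Stealth code: the n-of-n XOR split is a labelled stand-in for the proprietary “bit splitting” mechanism (no AES is involved here), community-of-interest membership is a plain endpoint attribute rather than a key-distribution mechanism, and the endpoint names and sample record are constructed.

```python
"""
Toy model of community-of-interest (COI) isolation on shared tenant storage.
Added example, not Unisys code: the n-of-n XOR split stands in for the
proprietary "bit splitting" the slides mention, and COI membership is a plain
attribute rather than the real Stealth mechanism.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_shares(data: bytes, n: int) -> List[bytes]:
    """n-of-n split: n-1 uniformly random shares plus one share chosen so that
    the XOR of all n equals data. Any n-1 shares are random and reveal nothing."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    last = data
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]


def join_shares(shares: List[bytes]) -> bytes:
    """Reassemble the object; only correct when every share is present."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = xor_bytes(out, s)
    return out


@dataclass
class Endpoint:
    name: str
    coi: Optional[str] = None   # community of interest; None = no membership


@dataclass
class SharedStore:
    """One physical store shared by every tenant (the grey hardware on slide 10).
    Objects are held only as shares, tagged with the COI that wrote them."""
    objects: Dict[str, Tuple[str, List[bytes]]] = field(default_factory=dict)
    grants: Dict[str, Set[str]] = field(default_factory=dict)  # endpoint -> COIs

    def write(self, ep: Endpoint, object_id: str, data: bytes, n: int = 3) -> None:
        if ep.coi is None:
            raise PermissionError(f"{ep.name} belongs to no community of interest")
        self.objects[object_id] = (ep.coi, split_shares(data, n))

    def read(self, ep: Endpoint, object_id: str) -> bytes:
        coi, shares = self.objects[object_id]
        if ep.coi != coi and coi not in self.grants.get(ep.name, set()):
            raise PermissionError(f"{ep.name} may not read COI {coi!r} data")
        return join_shares(shares)

    def grant(self, endpoint_name: str, coi: str) -> None:
        """Explicit permission from the data owner, e.g. to an operator."""
        self.grants.setdefault(endpoint_name, set()).add(coi)

    def raw_shares(self, object_id: str) -> List[bytes]:
        """What an administrator with disk access sees: shares, never plaintext."""
        return self.objects[object_id][1]


def demo() -> Dict[str, bool]:
    store = SharedStore()
    client_a = Endpoint("clientA-db", coi="clientA")      # constructed names
    client_b = Endpoint("clientB-db", coi="clientB")
    operator = Endpoint("operator")            # no COI until client A grants one
    secret = b"client A ledger - constructed sample record"
    store.write(client_a, "ledger", secret)

    results = {"a_reads_own": store.read(client_a, "ledger") == secret}
    for ep, key in ((client_b, "b_blocked"), (operator, "operator_blocked")):
        try:
            store.read(ep, "ledger")
            results[key] = False
        except PermissionError:
            results[key] = True
    shares = store.raw_shares("ledger")
    results["no_share_is_plaintext"] = all(s != secret for s in shares)
    results["partial_join_is_garbage"] = join_shares(shares[:-1]) != secret
    store.grant("operator", "clientA")          # client A explicitly grants access
    results["operator_after_grant"] = store.read(operator, "ledger") == secret
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Running `demo()` exercises the four claims the slides make: a member of the community reads its own data; another tenant on the same store is refused; an operator with disk access sees only shares, and reassembling an incomplete set yields noise; and the operator can read only after the data owner grants permission. Real deployments would add authenticated encryption and key management on top of the split, which this toy omits.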
Slide 11: Details of the need.
Need: set up an independent environment in 90 days, without capital investment, consisting of: 39 servers with various applications; storage; messaging and desktop services for 150 users; a secure network.
The environment had to allow scalability and flexibility.
Slide 12: Details of the Unisys response.
Unisys’s rapid response:
Infrastructure as a Service (IaaS): virtual servers on VMware; storage; a Stealth-based secure network.
Unified Communications as a Service (UCaaS): Microsoft Exchange messaging services.
Virtual Office as a Service (VOaaS): virtual desktop images on Hyper-V; Citrix presentation layer.
On a monthly subscription basis: no CapEx.
Slide 13: Specific client case: real-estate investment trust. Details of the Unisys response: architecture.
Slide 14: Conclusion.
The Stealth solution enabled:
Infrastructure sharing => reduced cost.
Use of the Internet as the transport channel => reduced cost.
A very high level of security, with data confidentiality guaranteed both in motion and at rest.
Rapid deployment.
A possible separation of responsibilities: the client can keep control, through Active Directory, over access to the virtual network segments.
Great flexibility and elasticity, to respond quickly to changing business needs.