Luc Leysen, Security Expert, Unisys, November 2010

Presentation transcript:

CNIS Round Table
Luc Leysen, Security Expert, Unisys, November 2010

Key message: This presentation discusses the Unisys cloud computing strategy announcements of 30 June 2009 and 2 November 2009 and what they mean to clients.

Today I'd like to share with you an exciting new strategy from Unisys that combines innovative security with a suite of solutions to expand your options for delivery of IT services in the cloud. We announced this new strategy and related offerings on 30 June 2009, with the announcement of our cloud-in-a-box solution, Unisys Secure Private Cloud Solution, on 2 November 2009. This strategy is intended to overcome CIOs' concerns about security of data in the cloud, cited by organizations and industry analysts as the top impediment to adopting cloud computing for business needs. It will enable organizations to move enterprise application workloads securely to tailored cloud environments with greater confidence in maintaining the integrity of critical information. In fact, we like to say that we're smashing the barriers to adoption of cloud computing with our innovative cloud computing strategy and solutions portfolio.

Secure Cloud customer case: real estate investment trust

A real estate investment trust in the United States.
Profile: 3,200 employees; builds, operates and manages shopping centers in 40 states.
Need: launch a spin-off at short notice.
For this spin-off: establish an independent environment in 90 days with no capital investment.

Its barriers to a new approach

Market forces: the economy; IT anytime, anywhere; IT as a strategic enabler; tectonic shift in technology; the environment (green).
Business forces: avoid costs; ease the bottleneck that IT can represent; match supply and demand more efficiently; reduce the use of capital for IT; automation of operations.
=> CLOUD COMPUTING
Public cloud barriers: security; compliance; rewriting of applications.
Private cloud barriers: existing investments; significant working time and learning curve; skepticism about the results.
Security: concern No. 1.
© 2010 Unisys Corporation. All rights reserved.

Key message: Market and business forces are creating the opportunity for a new computing approach, but perceived implementation barriers are holding businesses back, for both public and private cloud deployments. Unisys addresses these perceptions and will explicitly show how later in the presentation.

Like many businesses, you may be overwhelmed by how the world has changed. On one hand, there are several market and business forces like those shown here, while on the other hand IT is struggling to keep up and map what they do and how they do it based on a traditional data center model that is inflexible and costly. Thus, IT faces a constant conundrum: how do I better support the business with less (money, resources…) in the face of constant change, especially in this economic climate, meet the need for anytime, anywhere IT (with data sets getting larger and larger), and keep up with a tectonic shift in the way IT works, like the one that cloud computing presents and that virtualization and automation have enabled?

The business forces have caused IT to try to figure out what to do without a large, up-front investment. Cloud computing's more pay-as-you-go model addresses this. But the public cloud isn't for everyone. Many companies aren't willing, or able, to put their workloads onto the public cloud. For these companies, private cloud computing can be the answer, though there are still perceived barriers preventing organizations from adopting private cloud computing: do I need to rip and replace my existing hardware? Isn't running my own cloud going to be labor intensive? And will I really see the gains in efficiency?

Security: concern No. 1

The customer was worried about…
Data protection and privacy: securing its data outside its secure environment; unauthorized visibility of its data in a shared environment; unintentional cloud administration errors, resulting in unauthorized access or causing its data to leak to other organizations, customers or competitors.
Compliance: the cloud provider's audit procedures; the cloud provider's ability to help it meet compliance and regulatory requirements.
Request to Unisys: can you eliminate these concerns and make the cloud truly secure?

Key message: Questions such as those shown here concerning data protection/privacy and compliance are why clients worry about security with cloud computing. What if Unisys could allay their security concerns?

Why should you worry? Let's first remember that cloud computing, by definition, means that you are sharing a computing resource with other users. We should also remember that most conventional business applications contain sensitive data, such as customer, patient, employee, financial, or other proprietary information that must be guarded and protected. Unlike conventional computing, where we can control all the infrastructure within our own firewalls, and where we can lock down data in controlled means, a shared cloud resource must also be secured to be able to meet most security compliance requirements. Here is a list of questions you should ask any cloud provider to answer to assess their ability to meet your security needs:

Data Protection and Privacy

How will you secure my data outside my firewall? Unisys Stealth for Network protects your data across any network topology to our Secure Cloud.

How will you ensure there isn't unauthorized visibility to my data when in a shared computing environment? Unisys Secure Cloud Solution only allows authorized users to access or assemble data. Even Unisys operators cannot see the data, unless given explicit permission by you.

What about unintentional cloud administration errors? Providing unauthorized access/rights to others: only you can grant access rights. Causing your data to go to other organizations, customers, or competitors: even if Unisys did make such a mistake, with the Unisys Secure Cloud the data is protected and cannot be made visible or whole unless permission is granted, so no one without permission could use the data if it got out of our control.

What if there is a potential breach of the virtualization hypervisor (i.e. a virus)? So far, no one has created a virus that attacks a virtual hypervisor. But what if this did happen? Unisys Stealth is still protecting data, and no unauthorized users can gain access to the data, even if the hypervisor loses control.

Compliance

What are the cloud provider's auditing procedures? What is the cloud provider's ability to help you meet your regulatory and compliance requirements? For both of these, Unisys has extensive security and auditing done frequently, and we have achieved very prestigious certifications and ratings, including ISO 27001, ISO 20000, and SAS 70 Type II. Even better, we provide our customers with access to a database that helps them integrate our capabilities with their own compliance needs. This type of information simplifies and speeds up meeting compliance for your applications.

The bottom line is that only Unisys can provide a secure cloud capable of running business applications with built-in security. Other cloud providers would have to redefine their whole cloud environments in order to accommodate a shared computing environment that was also secure. Of course, there are a few applications that run on a cloud that have had some degree of security built into them that can handle multiple tenants. But, unfortunately, most business applications were not designed from the beginning to run multiple tenants and to provide the security needed.

The Unisys differentiator

Unisys offered an extremely secure solution to give the customer confidence.
The Unisys differentiator: STEALTH technology, based on the notion of communities of interest, on data dispersal using the proprietary "bit splitting" mechanism, and on FIPS 140-2, 256-bit AES* encryption.
Security best practices: a layered, multi-vendor security approach covering intrusion detection and prevention, firewall management, 24x7 security monitoring, advanced correlation and analysis, auditable logs…
Operational maturity: the Secure Cloud service team operates according to ISO 20000-certified delivery processes that comply with ITIL V3.
Independently certified security program: Secure Cloud services are provisioned from ISO 27001-certified delivery centers.
Independently certified and audited service centers: SAS 70 Type II certified data centers.
*Advanced Encryption Standard

Key message: Other vendors may talk about security in cloud computing, but only Unisys has the truly secure cloud.

When it comes to security in a cloud, what we're really talking about are the workloads and how clients can confidently move them to the cloud. A lot of vendors talk security in the cloud, but we believe we have an advantage. Security is inherent in all our operations and offerings; it is one of Unisys' 4 key areas of strength. Unisys delivers with globally secure operations and fast, reliable 24x7 services anywhere in the world.

Note to speaker: begin at the bottom and work up.

For clients that require it, many of our centers have undergone SAS 70 Type II audits. (SAS 70 is an acronym for Statement on Auditing Standard 70; it was developed and is maintained by the American Institute of Certified Public Accountants.) Specifically, a SAS 70 audit validates that we have professional standards and satisfactory internal controls and safeguards when hosting specific information or processing information for our customers, and that we have applied these consistently over a long period.

And we deliver Secure Cloud services from our ISO 27001-certified delivery centers. There are literally hundreds of control objectives for processes and procedures that need to be followed. These have been codified in the ISO 27001 standard, and all of our designated Cloud centers are certified. For you, our commitment to ISO 27001 means the best possible levels of security governance plus safeguards for the protection of your enterprise. Plus, we have global tools in place to monitor all of our centers' compliance against these safeguards and standards, so that they are adhered to consistently and can also consistently improve.

Unisys also has a global program in place to implement and maintain ISO 20000 certifications across our delivery centers. All designated Secure Cloud delivery centers are already certified to ISO 20000. ISO 20000 is the international standard for IT Service Management for an integrated process approach, to effectively deliver managed services to meet the business and customer requirements. It reflects the best practice guidance contained within the ITIL v3 framework as well as components of the CoBIT framework.

The Unisys Security Operations Centers (SOC) are located throughout the world and monitor the Secure Cloud on a 24x7 basis. We take a layered multi-vendor approach to security with Intrusion Detection and Prevention Services (IDPS), firewall management, advanced correlation and analytics, log analysis and more. Our commitment is to provide a security framework that is as good as or better than any you could establish yourself.

And we do all this and more with the addition of our patent-pending Stealth technology, which allows private communities of interest based on FIPS 140-2, 256-bit AES encryption and cloaks the data with proprietary "bit splitting". We believe this is a key differentiator, as Stealth technology allows different groups in a multi-tenant client environment to share the same IT infrastructure without fear of exposing one client's data to another. We'll talk much more about this in the next couple of slides.

Access to data is defined by communities of interest, on a common, consolidated infrastructure.

Diagram labels: Community of Interest 1, Community of Interest 2, Community of Interest 3; COI membership (user-based, controlled by the IAM); Stealth Network Appliance; Enterprise Information Bus; Stealth SAN Appliance.

For a given community of interest, the rest of the environment remains hidden.

Diagram labels: Community of Interest 1, Community of Interest 2, Community of Interest 3; Stealth Network Appliance; Enterprise Information Bus; Stealth SAN Appliance.

Transparent to applications

Diagram labels (OS network stack, top to bottom): 7. Application; 6. Presentation; 5. Session; 4. Transport; 3. Network; Stealth; 2. Link; 1. Physical; NIC.
© 2009 Unisys Corporation. All rights reserved.

The challenges of other offerings in securing the requested cloud service

Diagram labels (typical cloud facility): Client A and Client B, each connecting over its own VPN/SSL network; Client A and Client B virtual web servers, virtual app servers and virtual DB servers; storage encryption; Client A SAN. Applications had to be web-enabled.
Conclusion:
Too expensive: for the customer and for the cloud provider.
Inelastic: a unique solution for each application / customer.
Impractical: costly in time and money to set up and maintain.

Key message: Trying to construct a truly secure cloud without Stealth is time-consuming and expensive, and creates a more restrictive cloud environment.

Let's look at the challenge of securing an unsecured cloud in more detail. By definition, we can assume that a cloud service will be shared by 2 or more clients. This means that both clients have access to the servers, storage, networks, etc., within the cloud facility. When using traditional security techniques, the customer must secure the network by buying and implementing a VPN/SSL network to connect to the cloud facility. But, once inside the cloud facility, how do you secure your applications and data from other authorized users? The cloud provider must install firewalls to separate each user's workloads from other users. They must isolate the storage as well, and add encryption software. Another major challenge for clients is that for this type of security to work, the application must be modified and rebuilt as a web-enabled, multi-tier application. This is often not possible or practical. After all this customization takes place, the end result is a private network, and this of course is extremely expensive to set up and maintain. Plus, it is not flexible, and cannot adapt quickly to workload changes.

Unisys offering: the Stealth solution

Diagram labels: Client A and Client B, each with a Stealth Network Appliance, connected over the Internet; Stealth Endpoint; Stealth Protected (all data in blue is safe); A and B virtual web servers, virtual app servers and virtual DB servers; Stealth Storage Appliance; SAN; Unisys Data Center.
Conclusion:
More secure and less costly => shared.
Simpler, standardized, and much more flexible.
No need to change applications.

Key message: In contrast, Stealth secures the cloud simply and at less cost, and creates a more flexible and usable cloud.

Let's contrast the Unisys Secure Cloud, which has been enabled with Stealth technology. A Unisys client will have complete end-to-end security, without modifying their existing applications. How do we do this? We install a Stealth Network Appliance for each client. Now data can be sent safely across any network, including the Internet. Each client's application(s) can be run on our Stealth-enabled Secure Cloud infrastructure without modifications. Stealth isolates each client's applications and data. Stealth allows you to define specific communities of interest, and only entities within a community of interest will have access to the data and resources.

If you look at the diagram showing the Unisys outsourcing facility where we host our Secure Cloud Solution, each virtual instance includes a Stealth Endpoint, which protects and isolates. This allows us to define a very simple infrastructure. You can see that we are able to host multiple applications and even customers on the same hardware systems (gray), each in their own virtual instance. Note that we only have one firewall, as we do not require dozens of firewalls and layers of security software, because Stealth already isolates each community of interest. Stealth for SAN does the same for client data, and isolates each community of interest and their data. While this slide depicts using the Internet, some clients may choose to use a private network for higher performance.

The bottom line is that this solution is much more secure, simpler, and less expensive, plus it allows us to respond much faster to your changes. Maybe even more important is that clients can run their existing applications without investing in significant modifications.

Details of the need

Need: establish an independent environment in 90 days with no capital investment, consisting of:
39 servers running various applications;
storage;
messaging and desktop services for 150 users;
a secure network.
The environment had to allow for scalability and flexibility.

Details of the Unisys response

Rapid response from Unisys:
Infrastructure as a Service (IaaS): virtual servers on VMware; storage; secure network based on Stealth.
Unified Communications as a Service (UCaaS): Microsoft Exchange messaging services.
Virtual Office as a Service (VOaaS): virtual desktop images on Hyper-V; Citrix presentation layer.
On a monthly subscription basis: no CapEx.

Details of the Unisys response: architecture

Specific customer case: real estate investment trust

Conclusion

The Stealth solution made it possible:
to share infrastructure => reduced cost;
to use the Internet as the transport channel => reduced cost;
to offer a very high level of security, with data confidentiality guaranteed both in motion and at rest;
to deploy rapidly;
to separate responsibilities: the customer can keep control, through Active Directory, over access to the virtual network segments;
to offer great flexibility and elasticity in order to respond quickly to changes in business needs.

Thank you for your attention

Questions & answers