The Cloud has become a game-changer in how businesses manage the flow of information, how software and data are distributed, and how people connect to one another. Cloud Computing has the potential to contribute significantly to European economic growth, while offering a wealth of opportunities to new ventures and established global players alike. But it also opens up a variety of threats in the form of cyber attacks, and that is why a multi-organisational Trusted Cloud High Impact Initiative was launched by EIT Digital.
In the first part, we talk with Professor Theo Dimitrakos, chief researcher for security future practice at BT in the UK and a professor of Computer Science at the University of Kent. He and his team are responsible for cloud security innovation across the organisation, covering a number of different market segments and products. They also work in a number of competitive collaborations, together with universities, other companies, and organisations such as EIT Digital.
As part of this, they have what Theo calls a “vibrant program” of working on applied innovations with BT Global Services, major technology vendors and a number of corporate customers and data centres in regions such as Europe, Asia Pacific and Latin America. Finally, they are also involved in producing advisory and policy information through the European Network and Information Security Agency (ENISA) and the Cloud Security Alliance.
Q: Can you give us an overview of what you do?
Prof. Dimitrakos: The biggest challenge that hinders cloud adoption today is how to enforce and manage security policies across many multi-tenant clouds from different providers. Cloud users still implement their own proprietary solutions to protect IT assets and data in each of their cloud deployments. Security comes as an afterthought. This makes cloud security time-consuming and expensive, and fails to fully address the risk of cyber-attacks. Security operations teams lose the visibility and control they need for assuring compliance and fulfilling enterprise-wide security policies.
In the context of cloud security, the main route for exploiting innovations within BT, which we are actively pursuing with considerable success so far, is with BT Global Services – a part of the organisation that operates in around 150 countries across the globe. The two parts of Global Services that we are very closely interacting with are BT Security and the IT services part, which offers an infrastructure as a service (IaaS) capability called BT Compute.
BT Cloud Compute is a cloud infrastructure as a service upon which we apply the innovations that we are developing and that we are also launching within initiatives such as the EIT Digital High Impact Initiative on Trusted Cloud. So for example, in relation to BT Cloud Compute, a significant portion of the Trusted Cloud service store that we have been contributing to and developing and enhancing in the context of the Trusted Cloud initiative in EIT Digital is already being used, as well as the hosted app protection capabilities that we have been defining within the Trusted Cloud initiative and a number of other carrier projects, and a collaboration of vendors.
In addition to the cloud part of BT, we are also working very closely with the security part of BT, especially in the delivery of new capabilities around security access and about cloud-based identity.
We also bring together these two lines of product-driven, applied innovation by creating an innovative solution to manage and enforce enterprise security policy over multiple internal and public clouds, giving our clients full visibility and control of how applications and data are protected.
At the heart of this innovation, we use our advanced cloud security management solution to infuse security controls into the assembly and the life-cycle management of cloud assets. We also link these controls to centralised managed security services, such as services for host and application protection, data encryption, message filtering, and identity management. Customers using our solution benefit from a “click-to-buy” approach for security services combined with a “click-to-build” approach for assembling, deploying and managing secure applications and data. A central security dashboard visualises and analyses their security state and enables them to control how their applications and data are protected across data clouds. By using our extensibility toolkit, other service providers can also expose their managed security and network services as multi-cloud, reusable capabilities.
At BT, security is in our DNA. Our cloud security innovations prioritise our customers’ security needs, and embed protection into their DNA for a superior and safer customer experience regardless of the cloud platform they choose to use.
Q: Tell us more about your involvement with the EIT Digital Trusted Cloud initiative.
Prof. Dimitrakos: In the context of EIT Digital, we are contributing to the Trusted Cloud platform the core multi-cloud IaaS capabilities, together with a layer of multi-cloud service management capabilities, an advanced orchestrator that brings together security services and cloud services management orchestration and life-cycle management capability, and a trusted cloud application and service store. This multi-layer framework enables SMEs and larger organisations as well as app and data owners to assemble their own cloud-hosted apps and to securely host their data in any of the multiplicity of cloud providers, which include but are not restricted to BT, such as internal and third-party public cloud infrastructures.
Further to that, we have also developed an innovative way of integrating security services into that multi-cloud environment so as to allow partly or fully automated analysis of vulnerabilities of cloud-hosted apps, protection of these apps as well as protection for the data that these cloud-hosted apps are using. Such cloud-based (managed) security services range from vulnerability scanning and anti-malware to application firewalls, intrusion prevention and detection, application and data access management and identity federation, among others. Protection of data in particular is achieved both by offering encryption as a service and by combining fine-granular data access control with protection of data through encryption. So effectively, we are enabling SMEs and other organisations to assemble apps, protect data, deploy multi-tier apps and data hosts in any of the multiplicity of cloud environments, then subscribe to managed data protection and app host protection security services in order to be able to protect the apps in the cloud throughout their life cycle, and then either fully delegate security management to a managed security service provider or manage security themselves by means of a highly intuitive dashboard and operations centre. Through our innovations they can enforce a coherent and uniform enterprise security policy across many diverse cloud infrastructures offered by different cloud providers, using security services of their choice.
Q: How much of a need is there to protect apps?
Prof. Dimitrakos: One of the biggest threats that all companies are facing, but in particular the smaller organisations who do not have a very strong security capability, is cyber attacks. These typically include a combination of variants of host attacks, app attacks, identity theft and data leaks. So this is a major problem because it affects the reputations of the companies, especially the SMEs that are more vulnerable. It also raises the possibility of legal or regulatory ramifications through data leaks or the loss of data integrity. Overall it is a positive or negative differentiator for day-to-day business.
Q: Why is there a need to create a Trusted Cloud such as this?
Prof. Dimitrakos: One of the big problems that we have at the moment is the gaps and cracks in the integration of security across the whole stack that an enterprise, especially an SME, needs in order to conduct business in the cloud. The reason for this is that hosting an app or data in the cloud typically involves multiple layers of what is essentially outsourcing. And most of the service level agreements that are agreed with IaaS providers such as Amazon are typically concerned with protection and security at the level of their infrastructure. That is very important, and for the SMEs it is very significant because it means they can run on potentially more reliable infrastructure. But it does very little to protect whatever the SME owns, be it data or app components, that runs on top of this infrastructure.
This is because infrastructure protection typically has to be aligned with the weakest link, the most open of multiple co-hosted tenants. So, in essence, they advise the companies that are using such infrastructure that they should take care of their own security and their own data protection beyond a number of baselines that the cloud provider is offering them. What we do is enable them to implement a consistent security policy and to monitor and protect against data leaks, compromise and cyber attacks across multiple providers by infusing into the app assembly, data hosting and life cycle a bundle of security services proven to provide an adequate level of protection.
So we offer a trusted, proven and very manageable way of implementing security policies for data and app protection across multiple cloud environments. That is a gap that exists at the moment, and we are addressing that gap, because it is prohibiting proper cloud adoption and secure operations by SMEs.
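The two answers above describe the same idea from two angles: a single enterprise security policy (encryption of data, host protection, fine-grained access control) that is evaluated uniformly over assets hosted with several cloud providers, with a dashboard that reports where the policy is not met. The following is an added example, not code from BT, EIT Digital or the Trusted Cloud platform: it models a provider-agnostic policy as a list of rules, runs it over a constructed multi-cloud inventory, summarises violations per provider, and shows an access decision in which the release of confidential data is gated by both an explicit role list and the data's encryption state. All provider names, asset attributes and rule wording are assumptions made for the illustration.

```python
"""Uniform security policy evaluated over assets hosted with several cloud providers.

Added example: the inventory, provider names and rules are constructed for
illustration and do not come from any real product API or policy.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    provider: str                 # which IaaS hosts the asset (assumed names)
    kind: str                     # "host" or "datastore"
    region: str                   # "eu" or "us"
    data_class: str = "internal"  # "public", "internal" or "confidential"
    encrypted_at_rest: bool = False
    host_protection: bool = False  # managed anti-malware / IPS subscribed
    allowed_roles: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Violation:
    asset: str
    provider: str
    rule: str


# A rule returns None when the asset complies, otherwise a description.
Rule = Callable[[Asset], Optional[str]]


def confidential_data_encrypted(a: Asset) -> Optional[str]:
    if a.kind == "datastore" and a.data_class == "confidential" and not a.encrypted_at_rest:
        return "confidential datastore must be encrypted at rest"
    return None


def hosts_have_protection(a: Asset) -> Optional[str]:
    if a.kind == "host" and not a.host_protection:
        return "host must subscribe to managed host protection"
    return None


def confidential_data_stays_in_eu(a: Asset) -> Optional[str]:
    if a.data_class == "confidential" and a.region != "eu":
        return "confidential data must reside in an EU region"
    return None


def no_wildcard_access_to_confidential(a: Asset) -> Optional[str]:
    if a.kind == "datastore" and a.data_class == "confidential" and (
        not a.allowed_roles or "*" in a.allowed_roles
    ):
        return "confidential datastore needs an explicit, non-wildcard role list"
    return None


# The policy is written once and knows nothing about any particular provider.
ENTERPRISE_POLICY: List[Rule] = [
    confidential_data_encrypted,
    hosts_have_protection,
    confidential_data_stays_in_eu,
    no_wildcard_access_to_confidential,
]


def evaluate(inventory: List[Asset], policy: List[Rule] = ENTERPRISE_POLICY) -> List[Violation]:
    """Apply every rule to every asset regardless of where it is hosted."""
    violations: List[Violation] = []
    for asset in inventory:
        for rule in policy:
            message = rule(asset)
            if message:
                violations.append(Violation(asset.name, asset.provider, message))
    return violations


def summarise_by_provider(inventory: List[Asset], violations: List[Violation]) -> Dict[str, int]:
    """Dashboard-style view: number of open violations per provider (zero included)."""
    counts = {a.provider: 0 for a in inventory}
    for v in violations:
        counts[v.provider] += 1
    return counts


def may_read(asset: Asset, role: str) -> bool:
    """Access decision combining fine-grained role checks with the encryption state.

    Confidential data is released only to an explicitly listed role and only if
    the datastore is encrypted at rest, modelling a key release that is gated by
    the same policy. Public data is readable by anyone; internal data follows
    the role list, where a wildcard entry is tolerated.
    """
    if asset.data_class == "confidential":
        return asset.encrypted_at_rest and role in asset.allowed_roles
    if asset.data_class == "public":
        return True
    return role in asset.allowed_roles or "*" in asset.allowed_roles


# Constructed inventory spanning three hosting environments (names are assumptions).
SAMPLE_INVENTORY: List[Asset] = [
    Asset("web-frontend", "bt-cloud-compute", "host", "eu", host_protection=True),
    Asset("api-host", "aws", "host", "eu"),  # no host protection subscribed
    Asset("customer-db", "aws", "datastore", "us", "confidential",
          encrypted_at_rest=True, allowed_roles=frozenset({"billing"})),  # wrong region
    Asset("hr-records", "internal", "datastore", "eu", "confidential",
          allowed_roles=frozenset({"*"})),  # unencrypted and wildcard access
    Asset("marketing-assets", "bt-cloud-compute", "datastore", "eu", "public"),
]


if __name__ == "__main__":
    found = evaluate(SAMPLE_INVENTORY)
    for v in found:
        print(f"{v.provider:18} {v.asset:18} {v.rule}")
    print(summarise_by_provider(SAMPLE_INVENTORY, found))
```

Running the block lists four violations (an unprotected host on one provider, a confidential datastore outside the EU, and an unencrypted, wildcard-readable datastore on internal infrastructure) and a per-provider count that is what a central dashboard would display. The point of the design is that adding a fourth provider changes only the inventory, never the policy.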
Q: Is there a particular need for a Trusted Cloud in Europe?
Prof. Dimitrakos: The European focus is twofold. The first part is the specific regulatory environment in Europe, which is stronger than in other places. It is a fact also that Europe traditionally invests in small- and medium-sized organisations. There are quite a few in Europe, and these don't necessarily have the capability of the larger organisations. And of course, European citizens typically have stronger concerns about data protection, data integrity, and also privacy, than in other places. European governments pay more attention to this aspect.
Having said that, we believe that if we can improve that environment in Europe, especially the multi-cloud context, it would give us the ability to have, if not necessarily the same because of regulatory differences, then a comparable protection of data and communications across the globe, and that means that European companies and European citizens that are interacting with companies and SMEs or apps that operate globally, can do so without suffering the limitations of a lack of regulation or insecurity in environments outside Europe.
So this Trusted Cloud will be European in terms of location, but also in terms of focus and the appreciation of security and privacy in the cloud even when the underlying IaaS provider is not European.
Q: How does developing the Trusted Cloud as part of this high impact initiative have an effect?
Prof. Dimitrakos: I think that for companies and research organisations to cooperate on co-innovation is very important, and that has already been proven in a number of cases including this one. But the active involvement of SMEs as direct innovation contributors is fundamental to this ecosystem because it allows us to validate both the platform and the infrastructure of security innovations that are at the core of this platform. In other words, before we end up launching new products that come out of this initiative, we have the opportunity to validate the approach, the experience and the enablement of SMEs with SMEs that are spread across Europe. That is very important and typically more useful than what we could get by direct customer engagement with SMEs.
Q: What is the most important thing you are bringing to the project?
Prof. Dimitrakos: The ability to implement a consistent data, app and host protection policy that complies with European regulations across multiple cloud environments, not only BT's. We are enabling SMEs in particular to have an equally good if not better ability to deliver secure business opportunities across multiple cloud environments in Europe.
Q: What can the project achieve in real terms, say by the end of the year?
Prof. Dimitrakos: Our expectation for concrete results by the end of the year is that we would have validated a core part of wider elements of the Trusted Cloud platform, in operation with at least two or three SMEs, and that this validation will include at least the application and service store and the host and application protection and some cloud data protection capabilities on a multi-cloud environment while we will be further developing the data protection capabilities. This is a major achievement that at present seems to be achievable within the year. Additionally, some elements of those innovations are being incorporated in new product or feature launches via BT Cloud Compute and feed into the Cloud of Clouds strategy of BT Global Services that defines BT’s strategic approach to multi-vendor and multi-provider, hybrid cloud environments.
It would also be nice to see some new products being launched, either as new products in a company's portfolio or as feature enhancements, inspired by or based on innovations in the Trusted Cloud initiative. We are planning to have such product launches in 2016, but we hope that some aspects or some preliminary launches will be happening in 2015.
November 30th 2015