Philippe Duluc – Director of Bull’s Security business
A former student of the École Polytechnique and ENSTA, Philippe Duluc has held various posts at the French Ministry of Defense and has been an advisor on scientific and technical affairs to the Secretary General for National Defense. For eight years he was Director of Security at the France Telecom Orange group. Since 2011, he has been Director of Bull’s security business and Director of Security for the Bull Group itself. He chairs the permanent ‘cyber-security’ working group at the ACN (Alliance pour la Confiance Numérique), France’s digital security alliance.
Cyber-security and cyber-space are two concepts that have always been inseparable. In recent years, cyber-space has experienced spectacular growth thanks to the convergence of networks around the Internet and asymmetric encryption, which has helped to secure them via certification. Today, profound upheavals in cyber-space are having direct repercussions in terms of security.
Transformations in cyber-space
Internet convergence. Driven by needs, usages and costs, all networks now interconnect with each other via a single IP (Internet Protocol) network. As physical barriers disappear, this massively increases the potential for viruses to spread and for information systems to be hacked. Nowadays the only real barriers are software ones, with all the limitations and the risks that we are all aware of.
Consumerism. Often in response to demands from top people won over by powerful and easy-to-use smartphones, mass-market devices are spilling over into the business world. But these kinds of devices do not necessarily incorporate businesses’ security requirements, such as secure management of installed devices or data protection. Imposing them as part of the installed base means departing from corporate security policies.
Breakdown of silos. BYOD (Bring Your Own Device), remote working, diaries that include both personal and business elements… The barriers between personal and professional life are breaking down. And this raises security issues too. What can businesses do about illicit behaviour or actions that go against internal policies? Legal issues may also be involved, especially since the protection of personal data can take precedence over that of company assets, as we have seen with the recent changes to European directives in telecommunications.
Outsourcing. At the heart of the Cloud, the virtualization, consolidation and sharing of data processing and storage platforms bring significant benefits. But this also poses important questions, such as where is the data actually located and how resilient is the relevant architecture?
What are the real threats in cyber-space?
With time and technological advances, the era when cyber-space was mainly a playground for hackers and enthusiastic amateurs has gone. Organized gangs of international criminals have established a strong foothold, developing lawless zones and hidden Web sites used to buy and sell hacking tools and security loopholes that ISVs are not yet aware of. Certain major trends are currently shaping the evolution of this murky world.
An unprecedented scale. In recent years, threats have not only grown in speed and size, but also in their complexity and the level of danger they pose. In January 2003, the ‘Slammer’ worm propagated across the whole world in under 10 minutes, infecting over 75,000 Web sites. In 2007 a network of thousands of ‘slave’ PCs (‘zombies’), forming a ‘botnet’, paralyzed the parliamentary e-mail system in Estonia for 12 hours. And in April 2011, over 77 million users of Sony’s PlayStation network were affected by the theft of personal and banking data, with the estimated damage to Sony amounting to several billion dollars.
Various motivations and methods. The term ‘cyber attack’ covers a huge variety of aims and methods: large-scale theft of personal data, motivated by greed; defacing or saturation of infrastructures for ideological reasons (cyber-demonstrations) or malevolent ones (blackmail); theft of sensitive information for strategic or economic ends…
APTs: a new type of threat. A number of recent large-scale, targeted and surreptitious attacks have marked the appearance of a new kind of threat, known as Advanced Persistent Threats (or APTs). These include entities (an enemy government, for example) that have the ability and motivation to repeatedly attack a particular target. Some recent examples include the ‘Titan Rain’ attacks of 2003 (where the US government’s information systems were subject to coordinated attacks, believed to originate from China); Night Dragon in 2007 (aimed at major oil and gas firms); Shady Rat in 2011 (a vast hacking operation that affected numerous Canadian businesses and institutions over several months); and the attack on the French Finance Ministry ahead of the G20 summit in 2011.
Increasingly sophisticated attack techniques. Attacks are gradually growing in their sophistication, as businesses and institutions strengthen their security measures and develop a more risk-averse culture in their cyber-activities. Among the current trends, two major new developments are emerging. The first is that computer-based attacks are starting to be aimed at physical infrastructures, as in the example of the Stuxnet worm discovered in June 2010, which targeted programmable logic devices, especially in Iranian nuclear installations. The second is that attacks can now reach the very core of Internet security itself (asymmetrical encryption), as in August 2011, when the Dutch certification authority, DigiNotar, saw its information system come under attack, allowing the hackers to issue fake certificates for Internet domains belonging to the CIA, MI6 and Mossad.
Cloud computing and security
It is against this backdrop that Cloud computing is currently establishing the Internet as the nerve center for all forms of computing. Open to all, and to all ways of using IT, the Cloud has really become the target of choice for hackers, all the more so because there is no regulatory framework for the Cloud which is, by its very nature, stateless. So security is a key challenge, to the point where it is seen as the main thing preventing the more widespread adoption of the Cloud.
An individual might hesitate, for example, to store sensitive personal information in the Cloud.
But for businesses, the questions take on a whole new order of magnitude. Where exactly are my resources located physically? Are they still protected as effectively as if I still ‘owned’ them? What legal regime governs my data? If my resources are managed by my service provider, how can I be sure that they are the ones I originally intended to use? How can I be certain that they have not been altered for use in a way that I never intended? Can I sign off or certify these resources to make sure they meet my expectations? What’s more, how can I guarantee the confidentiality of data exchanged over the network or stored in my service provider’s systems? How am I going to identify myself to these applications available via the Cloud? Will I have to re-identify myself each time or will I be able to have a single sign-on? Finally, if my supplier’s infrastructure is shared between many users and made available over the Internet, is it not, by its very nature, more exposed to cyber attacks? What level of protection has my service provider put in place?
In order for the Cloud to develop and grow, service providers must gradually provide their customers with security guarantees. Many of them exist already, in response to the kinds of questions outlined above:
- Some service providers are establishing platforms in Europe
- It is possible to certify resources using electronic signatures
- It is also possible to encrypt exchanges and stored data
- Identities can be managed, and even combined, even at the level of distributed systems
- Various network security solutions are available
- Service providers are subject to contractual and regulatory requirements.
As risks grow and change, cyber-space is at an important point in its evolution. With APTs, the advantage seemed to have swung back to the hackers, even though after the Second World War progress in encryption gave the advantage to the defense. In order to protect yourself and get the full benefits of the Cloud with complete peace of mind, it is not just a matter of relying on a cyber-security company like Bull and implementing effective technical and organizational solutions, but also of raising the general level of awareness of cyber-threats throughout the workforce and the user population. More than ever, security is only as good as the weakest link, and cyber-criminals can spot those very quickly. And these weaknesses can increasingly be traced back to people. ‘Security is a matter for everyone’ is more than just a slogan; it is the fundamental principle at the root of the evolution towards the Cloud.