BT Cloud Compute · BT Cloud Compute Building on a market-leading range of cloud services, and a...


Page 1: BT Cloud Compute · BT Cloud Compute Building on a market-leading range of cloud services, and a unique breadth of scope, reach and capability we have launched BT Cloud Compute –

The pace of technological innovation is accelerating like never before.

BT Cloud Compute

Building on a market-leading range of cloud services, and a unique breadth of scope, reach and capability we have launched BT Cloud Compute – the next generation of cloud-based Infrastructure as a Service (IaaS).

Most customers are talking about cloud, and every vendor is referencing it. We recognise that every organisation faces its own scenarios and what’s needed is a simple way of finding the right approach to, and combination of, cloud services in order to deliver the best results.

We provide our customers with a global service, delivered using local infrastructure, commercial and support, and reinforced by excellent security. We exploit the advances in technology to offer our customers financial savings, choice and flexibility whilst minimising the risk.

Data sheet

BT Cloud Compute Security

BT Compute

BT’s security credentials

Security is part of our DNA. We have always been a member of the UK’s critical national infrastructure; our network is under continual attack at both a physical and electronic level so we have to work to maintain the security and integrity of our network infrastructure.

Since 2010, we have built our team so we now have over 1,300 employees in job functions which focus specifically on security. Key roles globally in this area include security sales specialists, security specific operations teams, security designers, security consultants, security researchers and security product managers both for development of in-life solutions and new portfolio solutions.

Nationally we are trusted to provide security to nine of the top fourteen UK banks as well as the Ministry of Defence whilst globally our clients include Reuters, Credit Suisse, Unilever, PepsiCo and Phillips.

BT’s customers benefit from 30 years of collective knowledge relating to providing and managing security across network and IT solutions. Today we monitor the security of over 300,000 devices for over 1,000 customers globally across all market verticals.

Page 2


Cloud industry best practice

BT secures cloud.bt.com using a combination of new and traditional security methodologies as well as emerging cloud security standards. We not only adhere to but contribute towards stringent industry standards and best practice projects that underpin Cloud security for Operating System and Application systems deployed on BT Cloud Compute.

We specifically support and contribute to (not limited to):

• Software Alert Notices (SANS)

• Open Web Application Security Project (OWASP)

• National Institute of Standards and Technology (NIST) compliant checklist formats

• SAFEcode.org

• Cloud Security Alliance (CSA)

• Distributed Management Taskforce (DMTF)

• Cloud Standard Customer Council (CSCC)

• European Institute of Standards and Technology (ETSI)

• Open Grid Forum (OGF)

• Open Cloud Consortium

• Cloudstack Alliance

• Forum of Incident and Security Response Teams (FIRST)

Cloud Compute security

Cloud Compute employs Layer 3 and/or Layer 1 & 2 separation, available depending upon the customer’s security policies and whether the customer selects a Public or Private availability zone. Layer 3 uses routing tables to logically separate customer traffic and data. Layer 2 uses traditional VLAN constructs and Layer 1 deploys physical separation.

If required, Layer 2 separation of virtualised hosts ensures that each private cloud customer’s virtual hosts run on dedicated server equipment. This separation is fundamental in isolating a customer from contention or threats that are effectively “in-house” in a multi-tenant Cloud model.

Where a multi-tenanted deployment model is chosen, hypervisor separation controls are enforced using the hypervisor’s in-built functions, which control routing to and from individual virtual machines through IP namespace separation and routing groups.

Protective network controls include the use of virtual appliance-based intrusion detection and prevention devices. These appliances act independently of the IaaS platform and their impartial presence allows for checks and balances to negate design weaknesses in Applications or systems.

Where a customer needs dedicated networking technology to support performance or specific security requirements (over and above the standard offered through virtual firewall and VLAN technology) we can provide this through the deployment of dedicated Firewalls and Load balancers whilst still supporting and maintaining our Cloud-based offering.

BT Cloud Compute deploys a choice of dedicated or shared storage solutions from EMC and NetApp. Storage security is underpinned by assigning dedicated, isolated networked storage pools to each customer (via NetApp vFiler and EMC VDM technology), and this robust architecture is independently endorsed by KPMG-authored audits. Our systems also conform to Common Criteria testing to provide industry-standard Evaluation Assurance Level (EAL) assurances.

Cloud Compute security technical details

Layer 2 separation using VLAN technology provides a foundation for Layer 3 routing. We deploy SDN (Software Defined Networking) and VXLAN. VXLAN works by creating Layer 2 logical networks that are encapsulated in standard Layer 3 IP packets. A “Segment ID” in every frame differentiates the VXLAN logical networks from each other without any need for VLAN tags. This allows very large numbers of isolated Layer 2 VXLAN networks to co-exist on a common Layer 3 infrastructure.
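The Segment ID mechanism described above, as an added example that is not BT's code: a VXLAN header is built and parsed per RFC 7348, and a tunnel endpoint delivers a frame only to the segment whose 24-bit VNI it carries. The tenant names, MAC addresses and payloads are constructed for the demonstration.

```python
"""Added example (not BT's code): how the VXLAN "Segment ID" (the 24-bit
VNI, RFC 7348) keeps tenant Layer 2 networks apart on a shared Layer 3
fabric. A VTEP tags each tenant's Ethernet frame with its VNI and, on
receipt, delivers a frame only to the segment that VNI names; anything
malformed or for an unknown VNI is dropped. Names and frames are constructed."""
import struct

VXLAN_UDP_PORT = 4789               # IANA-assigned VXLAN port (outer UDP)
VXLAN_FLAG_VNI_VALID = 0x08         # "I" flag: the VNI field is valid

def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header: flags(1) rsvd(3) VNI(3) rsvd(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!B3sI", VXLAN_FLAG_VNI_VALID, b"\x00" * 3, vni << 8)
    return header + inner_frame

def vxlan_decap(packet: bytes) -> tuple[int, bytes]:
    """Return (vni, inner_frame); reject malformed headers instead of guessing."""
    if len(packet) < 8:
        raise ValueError("truncated VXLAN packet")
    flags, _rsvd, vni_and_rsvd = struct.unpack("!B3sI", packet[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI flag not set")
    return vni_and_rsvd >> 8, packet[8:]

class Vtep:
    """Tunnel endpoint on one host; it only knows the segments attached there."""
    def __init__(self, vnis: list[int]) -> None:
        self.segments: dict[int, list[bytes]] = {v: [] for v in vnis}
        self.dropped = 0

    def receive(self, packet: bytes) -> bool:
        try:
            vni, frame = vxlan_decap(packet)
        except ValueError:
            self.dropped += 1
            return False
        if vni not in self.segments:    # another tenant's segment: never delivered
            self.dropped += 1
            return False
        self.segments[vni].append(frame)
        return True

def demo():
    tenant_a, tenant_b = 0x1000, 0x2000          # constructed segment IDs
    host = Vtep([tenant_a])                      # this host serves tenant A only
    eth = lambda dst, src, body: dst * 6 + src * 6 + b"\x08\x00" + body
    frame_a = eth(b"\xaa", b"\xbb", b"hello from A")
    frame_b = eth(b"\xcc", b"\xdd", b"hello from B")
    ok_a = host.receive(vxlan_encap(tenant_a, frame_a))
    ok_b = host.receive(vxlan_encap(tenant_b, frame_b))     # wrong VNI: dropped
    bad = host.receive(b"\x00" * 8 + frame_a)              # I flag clear: dropped
    return ok_a, ok_b, bad, host.segments[tenant_a], host.dropped
```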

Isolation levels are as follows:

• Virtual Machines – security groups based on IPtables/EBtables and/or VLAN

• Physical Machines – security groups based on VLAN

• Network – security groups based on VRF (Virtual Routing and Forwarding)

• Storage – security groups based on vFiler and VDM (Virtual Data Mover)

• Support Systems – security groups based on AAA (Authentication, Authorisation and Accounting)

BT Cloud Compute deploys each customer account setup in advanced networking mode with a dedicated security and network appliance. This appliance provides a dedicated default gateway and firewall along with the following features:

• A dedicated and fully stateful firewall for TCP, UDP and ICMP traffic (not just packet filtering) which operates using IPtables in multi-arm mode with multiple interfaces based on CIDR source rules

• High Availability (redundant) Firewall (using VRRP) is offered as an option to provide a secondary Firewall appliance restoration within three seconds with connection re-establishment provided on a best endeavour basis

• Port Forwarding is offered via the customer Portal interface to conserve Public IP address allocation

• A dedicated High Availability Proxy Load Balancer offering sticky support (does not support session re-establishment if the primary Appliance fails even if High Availability is chosen)

• NAT (Network Address Translation) is configured as standard to forward all outbound traffic and block all incoming traffic until configured within the portal using the 5-tuple model (protocol type, local address, local port, remote address, remote port)

Page 3

Monitoring and logging

BT operates a global NOC/SOC (a dedicated Network and Security Operations Centre) with secondary and tertiary failover sites which are geographically diverse. The NOC/SOC monitors all our products and services and proactively resolves issues before they reach a customer-impacting point. Customers can both add their own monitors and view monitoring from our customer-accessible portal.

BT Compute provides an Open Source based API for the monitoring elements of the platform allowing the construction of custom probes and monitors which provide an end customer with the platform view and reporting capabilities pertinent to their application estate. All our command and control systems are fully logged and archived under our information management policy, for example, Firewall Logs are regularly catalogued and are subject to HSM (Hierarchical Storage Management) where they are ultimately held on offsite WORM media to ensure no attack surfaces are left in situ.

Mitigate against malicious code

Our platforms can provide Anti-Virus/Malware scanning as standard. We also provide an advisory service for customers who do not want automatic patching (in case new patches conflict with customer applications). Within the network layer we can offer Layer 7 deep packet inspection (header, URL and payload), and appliance-based IDS/IPS can also be offered as required.

Intelligent Intrusion Detection and Prevention (IDS/IPS): contains a set of rules which protect known vulnerabilities from being exploited. The solution allows a network administrator to protect different types of applications including database, web, email and FTP servers. In addition, IDS/IPS rules also provide zero-day protection for known vulnerabilities which have not been issued a patch, as well as unknown vulnerabilities.

Web application protection rules: the solution contains a set of rules that can be configured to defend against common web application attacks. A network administrator can add or modify an existing security rule to protect web application running on the end system.

Bi-directional stateful firewall: a firewall that controls traffic to or from ports or Applications in order to block unauthorised access to the end system or service.

Vulnerability scanning: automatically scans systems for known vulnerabilities and missing patches in order to recommend which virtual patch needs to be deployed to protect a given system, using either the Deep Security solution or third-party vulnerability analysis tools.

Email payload protection: optionally provided by email interception and cleansing of SPAM and malicious code payloads.


• All configuration is via the customer portal (SSH keys are used by the system to send and communicate any customer portal Firewall changes in an authenticated and encrypted fashion)

• VPN (L2TP/IPsec client-to-site account using a pre-shared key) is provided via the security appliance. Note: not site-to-site VPN

• IPAM (IP Address Management) and DNS Services for multiple IP addresses (multiple IP addresses can be requested per account)

• NETWORK_BYTES_SENT and NETWORK_BYTES_RECEIVED: Traffic passing through the virtual router is recorded.

Role based access control

We provide web portal access for our customers to order, manipulate, report on and modify their BT Cloud platforms and this is provided via an encrypted and authenticated access with an optional two factor challenge login. The AAA methodology is applied here i.e. Authentication, Authorisation and Accounting.

Secure management of customer Cloud infrastructure is provided via VPN technology. We enable full administrative access to your systems via industry-standard VPN mechanisms such as L2TP, using encrypted and authenticated protocols such as IPsec, SSH and RDP; full root access to the infrastructure components is allowed only after RBAC checks have been passed.

Page 4

Conforming to recognised industry standards

BT Cloud Compute conforms to ISO 27001 – an internationally recognised information security standard designed around a set of security controls that once implemented provide organisations with an assurance that their data is secure.

The standard requires us to demonstrate through a series of external assessments that we meet the requirements of over 130 security controls. Additionally, we must also show a high level of security governance, especially in the areas of risk assessment and risk management. Certification to ISO 27001 allows us to demonstrate to our customers that we take information security seriously. By providing customers with this we let them know that our services are following the requirements of a known standard and that their data will be managed securely. Don’t just take our word for it: an external accreditation body (such as LRQA) provides the crucial third-party assurance, so you can rest assured that we are fully compliant.


Offices worldwide

The services described in this publication are subject to availability and may be modified from time to time. Services and equipment are provided subject to British Telecommunications plc’s respective standard conditions of contract. Nothing in this publication forms any part of any contract.

© British Telecommunications plc 2012. Registered office: 81 Newgate Street, London EC1A 7AJ. Registered in England No: 1800000

Firewalls and security appliances

All hardware and Appliance based Firewalls are installed with “zeroed rulesets” including management rules. Control is then provided via our secure portal to build the rules from “Ground Zero”.

The customer has full control of the Firewall ports and protocols being ‘allowed’ into their BT Cloud Compute service. This is completed through the portal user interface. When a service is first provided it comes with no Firewall access and the customer then chooses which ports and protocols to open to their specific service. Port forwarding is similarly offered with the same “zero ruleset” starting point.

BT Cloud Compute deploys each customer account setup in advanced networking mode with a bespoke, dedicated security and network appliance. This appliance provides a dedicated default gateway and firewall.
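The appliance behaviour described in this section and in the "Cloud Compute security technical details" list (a zeroed ruleset built up from "Ground Zero", outbound forwarded by default, inbound blocked until a 5-tuple rule is configured, stateful tracking of TCP/UDP/ICMP flows), as an added model that is not BT's code. Addresses, ports and the `StatefulFirewall`, `Rule` and `Packet` names are constructed for the demonstration.

```python
"""Added example (not BT's code): a model of the per-account security appliance,
started from a zeroed ruleset: outbound is forwarded by default, inbound is denied
until a 5-tuple rule (protocol, local address, local port, remote address, remote
port) allows it, and connection tracking lets replies to permitted flows pass."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    proto: str            # "tcp", "udp" or "icmp" (use port 0 for icmp)
    src: str
    sport: int
    dst: str
    dport: int

class Rule(NamedTuple):
    proto: str
    local: str            # customer-side CIDR
    lport: Optional[int]  # None matches any port
    remote: str           # remote-side CIDR (the "CIDR source rule")
    rport: Optional[int]

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and ip_address(p.dst) in ip_network(self.local)
                and ip_address(p.src) in ip_network(self.remote)
                and self.lport in (None, p.dport)
                and self.rport in (None, p.sport))

class StatefulFirewall:
    def __init__(self, local_net: str) -> None:
        self.local = ip_network(local_net)
        self.rules: list[Rule] = []          # "ground zero": nothing allowed in
        self.conntrack: set[Packet] = set()  # permitted flows by 5-tuple

    def filter(self, p: Packet) -> bool:
        reply_of = Packet(p.proto, p.dst, p.dport, p.src, p.sport)
        if reply_of in self.conntrack:       # reply to a tracked flow (ESTABLISHED)
            return True
        inbound = ip_address(p.src) not in self.local
        if inbound and not any(r.matches(p) for r in self.rules):
            return False                     # default deny for unsolicited inbound
        self.conntrack.add(p)
        return True

def demo() -> dict:
    fw = StatefulFirewall("198.51.100.0/24")            # constructed customer range
    web = Packet("tcp", "203.0.113.7", 51000, "198.51.100.10", 443)
    out = Packet("tcp", "198.51.100.10", 40000, "203.0.113.50", 25)
    res = {"inbound_before_rule": fw.filter(web), "outbound": fw.filter(out)}
    res["reply_to_outbound"] = fw.filter(Packet("tcp", "203.0.113.50", 25, "198.51.100.10", 40000))
    fw.rules.append(Rule("tcp", "198.51.100.10/32", 443, "0.0.0.0/0", None))  # portal opens 443
    res["inbound_after_rule"] = fw.filter(web)
    res["ssh_still_blocked"] = fw.filter(Packet("tcp", "203.0.113.7", 51001, "198.51.100.10", 22))
    return res
```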

Cloud software releases

All BT code is subject to change control. We have operated formal change control to ISO standard for over 50 years. Our Software Vaulting policy means that revisions can only be made after change control has been undertaken by the BT CAB (Change Control Approval Board). Furthermore, there are lockdown periods during which no revisions may be made, so that projects are not placed in jeopardy. Seasonal holiday events and major world events also affect the policy.

We adhere to ISO/IEC 12207 which is the international standard for software life-cycle processes. It aims to be the standard that defines all the tasks required for developing and maintaining software.

In summary

As the market transitions, security for hosted or cloud based services is becoming more embedded in the network than ever before. We put our customers at the heart of what we do and we have a longstanding reputation for security excellence. We provide fully integrated security solutions that interact with the network to offer high levels of protection which means that customers can maximise the uptime of their business applications. We are committed to the continual improvement and enhancement of our security offerings – annually BT invests more than one million pounds in security related research. We have registered 108 patents and published over 190 security papers.