The Cloud Computing Paradigm Hassan Takabi LERSAIS @

The Cloud Computing Paradigm Hassan Takabi LERSAIS @

The Cloud Computing Paradigm Hassan Takabi LERSAIS @ SIS @ PITT 01-27-2011 Agenda Understanding Cloud Computing Cloud Computing Security

Secure Cloud Migration Paths Foundational Elements of Cloud Computing Cloud Computing Case Studies and Security Models 2 Understanding Cloud Computing 3 Origin of the term Cloud Computing Comes from the early days of the Internet where we drew the network as a cloud we didnt care where the messages went the cloud hid it from us Kevin Marks,

Google First cloud around networking (TCP/IP abstraction) Second cloud around documents (WWW data abstraction) The emerging cloud abstracts infrastructure complexities of servers, applications, data, and heterogeneous platforms (muck as Amazons CEO Jeff Bezos calls it) 4 A Working Definition of Cloud Computing Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can

be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models. 5 Essential Cloud Characteristics On-demand self-service Get computing capabilities as needed automatically Broad network access

Services available over the net using desktop, laptop, PDA, mobile phone 6 Essential Cloud Characteristics (Cont.) Resource pooling Location independence Provider resources pooled to server multiple clients Rapid elasticity Ability to quickly scale in/out service Measured service

control, optimize services based on metering 7 Cloud Service Models Cloud Software as a Service (SaaS) Use providers applications over a network User doesnt manage or control the network, servers, OS, storage or applications Cloud Platform as a Service (PaaS) Users deploy their applications on a cloud

Users control their apps Users dont manage servers, IS, storage 8 Cloud Service Models (Cont.) Cloud Infrastructure as a Service (IaaS) Rent processing, storage, network capacity, and other fundamental computing resources Consumers gets access to the infrastructure to deploy their stuff Dont manage or control the infrastructure

Do manage or control the OS, storage, apps, selected network components To be considered cloud they must be deployed on top of cloud infrastructure that has the key characteristics 9 Service Model Architectures Cloud Infrastructure Cloud Infrastructure

Cloud Infrastructure IaaS PaaS PaaS SaaS SaaS SaaS Cloud Infrastructure

Cloud Infrastructure IaaS PaaS Cloud Infrastructure IaaS PaaS Software as a Service (SaaS) Architectures

Platform as a Service (PaaS) Architectures Infrastructure as a Service (IaaS) Architectures 10 Cloud Deployment Models Private cloud single org only, managed by the org or a 3rd party, on or off premise

Community cloud shared infrastructure for specific community several orgs that have shared concerns, managed by org or a 3rd party 11 Cloud Deployment Models (Cont.) Public cloud Sold to the public, mega-scale infrastructure available to the general public Hybrid cloud

composition of two or more clouds bound by standard or proprietary technology 12 Common Cloud Characteristics Cloud computing often leverages: Massive scale Homogeneity Virtualization Resilient computing Low cost software Geographic distribution Service orientation

Advanced security technologies 13 The NIST Cloud Definition Framework Hybrid Clouds Deployment Models Service Models Community Cloud Private

Cloud Software as a Service (SaaS) Public Cloud Platform as a Service (PaaS) Infrastructure as a Service (IaaS) On Demand Self-Service Essential

Characteristics Common Characteristics Broad Network Access Rapid Elasticity Resource Pooling Measured Service Massive Scale

Resilient Computing Homogeneity Geographic Distribution Virtualization Service Orientation Low Cost Software Advanced Security

14 Cloud Computing Security 15 Security is the Major Issue 16 General Security Advantages Shifting public data to a external cloud reduces the exposure of the internal sensitive

data Cloud homogeneity makes security auditing/testing simpler Clouds enable automated security management Redundancy / Disaster Recovery 17 General Security Challenges

Trusting vendors security model Customer inability to respond to audit findings Obtaining support for investigations Indirect administrator accountability Proprietary implementations cant be examined Loss of physical control 18 Security Relevant Cloud Components

Cloud Provisioning Services Cloud Data Storage Services Cloud Processing Infrastructure Cloud Support Services Cloud Network and Perimeter Security Elastic Elements: Storage, Processing, and Virtual Networks 19

Provisioning Service Advantages Rapid reconstitution of services Enables availability Provision in multiple data centers / multiple instances Advanced honey net capabilities Challenges Impact of compromising the provisioning service 20 Data Storage Services

Advantages Data fragmentation and dispersal Automated replication Provision of data zones (e.g., by country) Encryption at rest and in transit Automated data retention Challenges

Isolation management / data multi-tenancy Storage controller Single point of failure / compromise? Exposure of data to foreign governments 21 Cloud Processing Infrastructure Advantages Ability to secure masters and push out secure images Challenges Application multi-tenancy

Reliance on hypervisors Process isolation / Application sandboxes 22 Cloud Support Services Advantages On demand security controls (e.g., authentication, logging, firewalls) Challenges Additional risk when integrated with customer applications Needs certification and accreditation as a

separate application Code updates 23 Cloud Network and Perimeter Security Advantages Distributed denial of service protection VLAN capabilities Perimeter security (IDS, firewall, authentication) Challenges Virtual zoning with application mobility 24

Cloud Security Advantages Data Fragmentation and Dispersal Dedicated Security Team Greater Investment in Security Infrastructure Fault Tolerance and Reliability

Greater Resiliency Hypervisor Protection Against Network Attacks Possible Reduction of C&A Activities (Access to Pre-Accredited Clouds) 25 Cloud Security Advantages (Cont.) Simplification of Compliance Analysis Data Held by Unbiased Party (cloud vendor assertion) Low-Cost Disaster Recovery and Data Storage Solutions On-Demand Security Controls Real-Time Detection of System Tampering

Rapid Re-Constitution of Services Advanced Honeynet Capabilities 26 Cloud Security Challenges Data dispersal and international privacy laws

EU Data Protection Directive and U.S. Safe Harbor program Exposure of data to foreign government and data subpoenas Data retention issues Need for isolation management Multi-tenancy Logging challenges

Data ownership issues Quality of service guarantees 27 Cloud Security Challenges (Cont.) Dependence on secure hypervisors Attraction to hackers (high value target) Security of virtual OSs in the cloud

Possibility for massive outages Encryption needs for cloud computing Encrypting access to the cloud resource control interface Encrypting administrative access to OS instances Encrypting access to applications Encrypting application data at rest

Public cloud vs internal cloud security Lack of public SaaS version control 28 Additional Issues Issues with moving PII and sensitive data to the cloud

Using SLAs to obtain cloud security Privacy impact assessments Suggested requirements for cloud SLAs Issues with cloud forensics Contingency planning and disaster recovery for cloud implementations

Handling compliance FISMA HIPAA SOX PCI SAS 70 Audits 29

Obstacles & Opportunities 30 31 Unique Features

Outsourcing Data and Applications Extensibility and Shared Responsibility Multi-tenancy Service-Level Agreements Virtualization and Hypervisors Heterogeneity Compliance and Regulations 32 Security Implications 33

Security and Privacy Challenges Authentication and Identity Management interoperability password-based: inherited limitation How multi-tenancy can affect the privacy of identity information isnt yet well understood. multi-jurisdiction issue integrated with other security components. 34 Security and Privacy Challenges Access Control and Accounting

Heterogeneity and diversity of services, as well as the domains diverse access requirements capture dynamic, context, or attribute- or credential-based access requirements integrate privacy-protection requirements interoperability capture relevant aspects of SLAs 35 Security and Privacy Challenges Trust Management and Policy Integration compose multiple services to enable bigger application services efficiently capturing a generic set of parameters

required for establishing trust and to manage evolving trust and interaction/sharing requirements address challenges such as semantic heterogeneity, secure interoperability, and policy-evolution management. 36 Security and Privacy Challenges Secure-Service Management WSDL cant fully meet the requirements of cloud computing services description issues such as quality of service, price, and SLAs automatic and systematic service provisioning and composition framework that considers security

and privacy issues 37 Security and Privacy Challenges Privacy and Data Protection storing data and applications on systems that reside outside of on-premise datacenters shared infrastructure, risk of potential unauthorized access and exposure. Privacy-protection mechanisms must be embedded in all security solutions. Provenance Balancing between data provenance and privacy

38 Security and Privacy Challenges Organizational Security Management shared governance can become a significant issue if not properly addressed Dependence on external entities the possibility of an insider threat is significantly extended when outsourcing data and processes to clouds. 39 40

Security and Privacy Approaches Authentication and Identity Management User-centric IDM users control their digital identities and takes away the complexity of IDM from the enterprises federated IDM solutions privacy-preserving protocols to verify various identity attributes by using, for example, zeroknowledge proof-based techniques 41 Security and Privacy Approaches Access Control Needs

RBAC policy-integration needs credential-based RBAC, GTRBAC,8 location-based RBAC 42 Security and Privacy Approaches Secure Interoperation Multi-domain centralized approach decentralized approaches specification frameworks to ensure that the crossdomain accesses are properly specified, verified, and enforced

Policy engineering mechanisms 43 Security and Privacy Approaches Secure-Service Provisioning and Composition Open Services Gateway Initiative (OSGi) Declarative OWL-based language can be used to provide a service definition manifest, including a list of distinct component types that make up the service, functional requirements, component grouping and topology instructions 44

Security and Privacy Approaches Trust Management Framework trust-based policy integration Delegation must be incorporated in service composition framework 45 Security and Privacy Approaches Data-Centric Security and Privacy shifts data protection from systems and applications documents must be self-describing and defending

regardless of their environments. 46 Security and Privacy Approaches Managing Semantic Heterogeneity semantic heterogeneity among policies Use of an ontology is the most promising approach policy framework and a policy enforcement architecture inference engines 47

Questions? 48

Recently Viewed Presentations

  • Storage Decisions 2003

    Storage Decisions 2003

    Stephen Crook. Steve Crook Consulting. [email protected] 847-221-2155. Email me the results or I will never participate in this survey again. Business Development. Consultant-Vendor. Sebastian J. Leonardi. Business Development Solutions. [email protected] (860) 997-5608. opening to closing methodology. ALL OF THE ABOVE....
  • Diapositiva 1 - scuolabalzico.gov.it

    Diapositiva 1 - scuolabalzico.gov.it

    They came first for the Communists,and I didn't speak up because I wasn't a Communist.. Then they came for . the trade unionists, and I didn't speak . up because . I wasn't a trade unionist. Then they came for...
  • Financial Algebra - Ms. Gannon's Math World

    Financial Algebra - Ms. Gannon's Math World

    Glassman Chevrolet pays commission to its car salespeople. They are paid a percent of the profit the dealership makes on the car, not on the selling price of the car. If the profit is under $750, the commission rate is...
  • The Emergence of Modern Canada - Ms Kubiak's School Site

    The Emergence of Modern Canada - Ms Kubiak's School Site

    The Emergence of Modern Canada. 1896-1914. Introduction. ... and Donald Mann to extend their lines through the Yellowhead Pass, and down the Thompson River to Kamloops, and through to Vancouver. ... Officials and police officers tried boarding the ship, but...
  • Click to edit Master title style - Oregon State University

    Click to edit Master title style - Oregon State University

    www.bsg-online.com, you are automatically routed to your company's "Corporate Lobby" web page. The Corporate Lobby page is your . gateway to . all . BSG activities. Near the top of this page is a series of menu selections that provide...
  • 20th Century rejections of liberalism

    20th Century rejections of liberalism

    Like most ideologies, totalitarian regimes provide an account of the past, and explanation of the present, and a vision for the future. However, the extensive use of propaganda, coercive power, and communications technologies ensure the totalitarian governments maintain strict control...
  • Algorithms and Data Structures - Aalborg Universitet

    Algorithms and Data Structures - Aalborg Universitet

    Use a collision handling technique We've seen Chaining Can also use Open Addressing Probing Double Hashing Open Addressing All elements are stored in the hash table (can fill up!), i.e., n £ m Each table entry contains either an element...
  • FY16 Goal Setting Setting Objectives that Get Results!

    FY16 Goal Setting Setting Objectives that Get Results!

    The goal planning process should align corporate, functional & individual objectives to a common set of strategic objectives & provide:. An understanding of what is expected & what the end result should look like. Employee focus &direction toward work activities...