The Cloud Computing Paradigm

Hassan Takabi

LERSAIS @ SIS @ PITT

01-27-2011

Agenda


Understanding Cloud Computing


Cloud Computing Security


Secure Cloud Migration Paths


Foundational Elements of Cloud Computing


Cloud Computing Case Studies and Security Models

Understanding Cloud Computing


Origin of the term “Cloud Computing”


“Comes from the early days of the Internet where we drew
the network as a cloud… we didn’t care where the
messages went… the cloud hid it from us”


Kevin Marks, Google


First cloud around networking (TCP/IP abstraction)


Second cloud around documents (WWW data abstraction)


The emerging cloud abstracts infrastructure complexities of
servers, applications, data, and heterogeneous platforms


(“muck” as Amazon’s CEO Jeff Bezos calls it)




A Working Definition of Cloud Computing


Cloud computing is a model for enabling convenient,
on-demand network access to a shared pool of
configurable computing resources (e.g., networks,
servers, storage, applications, and services) that can
be rapidly provisioned and released with minimal
management effort or service provider interaction.


This cloud model promotes availability and is composed of
five essential characteristics, three service models, and four
deployment models.


Essential Cloud Characteristics


On-demand self-service


Get computing capabilities as needed automatically


Broad network access


Services available over the net using
desktop, laptop, PDA, mobile phone






Essential Cloud Characteristics (Cont.)


Resource pooling


Location independence


Provider resources pooled to serve multiple clients


Rapid elasticity


Ability to quickly scale in/out service


Measured service


control, optimize services based on metering



Cloud Service Models


Cloud Software as a Service (SaaS)


Use provider’s applications over a network


User doesn’t manage or control the network, servers, OS,
storage or applications


Cloud Platform as a Service (PaaS)


Users deploy their applications on a cloud


Users control their apps


Users don’t manage servers, OS, storage

Cloud Service Models (Cont.)


Cloud Infrastructure as a Service (IaaS)


Rent processing, storage, network capacity, and other
fundamental computing resources


Consumers get access to the infrastructure to
deploy their stuff


Don’t manage or control the infrastructure


Do manage or control the OS, storage, apps,
selected network components


To be considered “cloud” they must be deployed on
top of cloud infrastructure that has the key
characteristics



Service Model Architectures


Cloud Deployment Models


Private cloud


single org only,


managed by the org or a 3rd party,


on or off premise


Community cloud


shared infrastructure for specific community


several orgs that have shared concerns,


managed by org or a 3rd party

Cloud Deployment Models (Cont.)


Public cloud


Sold to the public, mega-scale infrastructure


available to the general public


Hybrid cloud


composition of two or more clouds


bound by standard or proprietary technology




Common Cloud Characteristics


Cloud computing often leverages:


Massive scale


Homogeneity


Virtualization


Resilient computing


Low cost software


Geographic distribution


Service orientation


Advanced security technologies


The NIST Cloud Definition Framework

Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds

Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)

Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service

Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security

Cloud Computing Security

Security is the Major Issue



General Security Advantages


Shifting public data to an external cloud
reduces the exposure of the internal sensitive
data


Cloud homogeneity makes security
auditing/testing simpler


Clouds enable automated security
management


Redundancy / Disaster Recovery


General Security Challenges


Trusting vendor’s security model


Customer inability to respond to audit findings


Obtaining support for investigations


Indirect administrator accountability


Proprietary implementations can’t be examined


Loss of physical control



Security Relevant Cloud Components


Cloud Provisioning Services


Cloud Data Storage Services


Cloud Processing Infrastructure


Cloud Support Services


Cloud Network and Perimeter Security


Elastic Elements: Storage, Processing, and
Virtual Networks



Provisioning Service


Advantages


Rapid reconstitution of services


Enables availability


Provision in multiple data centers / multiple instances


Advanced honey net capabilities


Challenges


Impact of compromising the provisioning service


Data Storage Services


Advantages


Data fragmentation and dispersal


Automated replication


Provision of data zones (e.g., by country)


Encryption at rest and in transit


Automated data retention


Challenges


Isolation management / data multi-tenancy


Storage controller


Single point of failure / compromise?


Exposure of data to foreign governments


Cloud Processing Infrastructure


Advantages


Ability to secure masters and push out secure
images


Challenges


Application multi-tenancy


Reliance on hypervisors


Process isolation / Application sandboxes



Cloud Support Services


Advantages


On demand security controls (e.g., authentication,
logging, firewalls…)


Challenges


Additional risk when integrated with customer
applications


Needs certification and accreditation as a separate
application


Code updates



Cloud Network and Perimeter Security


Advantages


Distributed denial of service protection


VLAN capabilities


Perimeter security (IDS, firewall, authentication)


Challenges


Virtual zoning with application mobility


Cloud Security Advantages


Data Fragmentation and Dispersal


Dedicated Security Team


Greater Investment in Security Infrastructure


Fault Tolerance and Reliability


Greater Resiliency


Hypervisor Protection Against Network Attacks


Possible Reduction of C&A Activities (Access to
Pre-Accredited Clouds)

Cloud Security Advantages (Cont.)


Simplification of Compliance Analysis


Data Held by Unbiased Party (cloud vendor
assertion)


Low-Cost Disaster Recovery and Data Storage
Solutions


On-Demand Security Controls


Real-Time Detection of System Tampering


Rapid Re-Constitution of Services


Advanced Honeynet Capabilities

Cloud Security Challenges


Data dispersal and international privacy laws


EU Data Protection Directive and U.S. Safe Harbor
program


Exposure of data to foreign government and data
subpoenas


Data retention issues


Need for isolation management


Multi-tenancy


Logging challenges


Data ownership issues


Quality of service guarantees


Cloud Security Challenges (Cont.)


Dependence on secure hypervisors


Attraction to hackers (high value target)


Security of virtual OSs in the cloud


Possibility for massive outages


Encryption needs for cloud computing


Encrypting access to the cloud resource control interface


Encrypting administrative access to OS instances


Encrypting access to applications


Encrypting application data at rest


Public cloud vs internal cloud security


Lack of public SaaS version control


Additional Issues


Issues with moving PII and sensitive data to the cloud


Privacy impact assessments


Using SLAs to obtain cloud security


Suggested requirements for cloud SLAs


Issues with cloud forensics


Contingency planning and disaster recovery for cloud
implementations


Handling compliance


FISMA


HIPAA


SOX


PCI


SAS 70 Audits


Obstacles & Opportunities



Unique Features


Outsourcing Data and Applications


Extensibility and Shared Responsibility


Multi-tenancy


Service-Level Agreements


Virtualization and Hypervisors


Heterogeneity


Compliance and Regulations


Security Implications



Security and Privacy Challenges


Authentication and Identity Management


interoperability


password-based: inherited limitation


How multi-tenancy can affect the privacy of
identity information isn’t yet well understood.


multi-jurisdiction issue



integrated with other security components.


Security and Privacy Challenges


Access Control and Accounting


Heterogeneity and diversity of services, as well as
the domains’ diverse access requirements


capture dynamic, context, or attribute- or
credential-based access requirements


integrate privacy-protection requirements


interoperability


capture relevant aspects of SLAs




Security and Privacy Challenges


Trust Management and Policy Integration


compose multiple services to enable bigger
application services


efficiently capturing a generic set of parameters
required for establishing trust and to manage
evolving trust and interaction/sharing
requirements


address challenges such as semantic
heterogeneity, secure interoperability, and
policy-evolution management.

Security and Privacy Challenges


Secure-Service Management


WSDL can’t fully meet the requirements of cloud
computing services description


issues such as quality of service, price, and SLAs


automatic and systematic service provisioning and
composition framework that considers security
and privacy issues




Security and Privacy Challenges


Privacy and Data Protection


storing data and applications on systems that
reside outside of on-premise datacenters


shared infrastructure, risk of potential
unauthorized access and exposure.


Privacy-protection mechanisms must be
embedded in all security solutions.


Provenance


Balancing between data provenance and privacy





Security and Privacy Challenges


Organizational Security Management


shared governance can become a significant issue
if not properly addressed


Dependence on external entities


the possibility of an insider threat is significantly
extended when outsourcing data and processes to
clouds.


Security and Privacy Approaches


Authentication and Identity Management


User-centric IDM


users control their digital identities, which takes away
the complexity of IDM from the enterprises


federated IDM solutions


privacy-preserving protocols to verify various
identity attributes by using, for example,
zero-knowledge proof-based techniques

Security and Privacy Approaches


Access Control Needs


RBAC


policy-integration needs


credential-based RBAC, GTRBAC, location-based
RBAC

Security and Privacy Approaches


Secure Interoperation


Multi-domain


centralized approach


decentralized approaches


specification frameworks to ensure that the
cross-domain accesses are properly specified, verified,
and enforced


Policy engineering mechanisms

Security and Privacy Approaches


Secure-Service Provisioning and Composition


Open Services Gateway Initiative (OSGi)


Declarative OWL-based language can be used to
provide a service definition manifest, including a
list of distinct component types that make up the
service, functional requirements, component
grouping and topology instructions

Security and Privacy Approaches


Trust Management Framework


trust-based policy integration


Delegation


must be incorporated in service composition
framework


Security and Privacy Approaches


Data-Centric Security and Privacy


shifts data protection from systems and
applications


documents must be self-describing and defending
regardless of their environments.

Security and Privacy Approaches


Managing Semantic Heterogeneity


semantic heterogeneity among policies


Use of an ontology is the most promising
approach


policy framework and a policy enforcement
architecture


inference engines


Questions?