Cloud Computing - Parkjonghyuk.net

Nov 3, 2013

Seoul National University of Science and Technology (서울과학기술대학교)

Jeilyn Molina

121336101

Cloud Computing

Cloud Computing is a general term used to describe a new class of network-based computing that takes place over the Internet:
- basically a step on from Utility Computing
- a collection/group of integrated and networked hardware, software and Internet infrastructure
- using the Internet for communication and transport, it provides hardware, software and networking services to clients


Cloud computing is defined by:
- 5 essential characteristics
- 3 cloud service models
- 4 cloud deployment models

Essential characteristics

- On-demand service: get computing capabilities as needed, automatically
- Broad network access: services available over the net using desktop, laptop, PDA, mobile phone
- Resource pooling: provider resources are pooled to serve multiple clients
- Rapid elasticity: ability to quickly scale the service in/out
- Measured service: control and optimize services based on metering

Cloud service models

Software as a Service (SaaS)
- We use the provider's apps
- User doesn't manage or control the network, servers, OS, storage or applications

Platform as a Service (PaaS)
- User deploys their apps on the cloud and controls those apps
- User doesn't manage servers, OS, storage

Infrastructure as a Service (IaaS)
- Consumers get access to the infrastructure to deploy their own software
- Doesn't manage or control the underlying infrastructure
- Does manage or control the OS, storage, apps, selected network components

Example: SalesForce CRM (cloud service)

Cloud deployment models

- Public: cloud infrastructure is available to the general public, owned by an organization selling cloud services
- Private: cloud infrastructure for a single organization only; may be managed by the organization or a 3rd party, on or off premise
- Community: cloud infrastructure shared by several organizations that have shared concerns; managed by the organizations or a 3rd party
- Hybrid: 2 or more clouds bound by standard or proprietary technology

Problems Associated with Cloud Computing

Most security problems stem from:
- Loss of control
- Lack of trust
- Multi-tenancy

Loss of Control in the Cloud

Consumer's loss of control:
- Data, applications, resources are located with the provider
- User identity management is handled by the cloud
- User access control rules, security policies and enforcement are managed by the cloud provider
- Consumer relies on the provider to ensure:
  - Data security and privacy
  - Resource availability
  - Monitoring and repairing of services/resources

Lack of Trust in the Cloud

Defining trust and risk:
- Opposite sides of the same coin
  - People only trust when it pays
  - Need for trust arises only in risky situations
- Defunct third-party management schemes
  - Hard to balance trust and risk
  - Is the cloud headed toward the same path?

Multi-tenancy Issues in the Cloud

Conflict between tenants' opposing goals:
- Tenants share a pool of resources and have opposing goals
- How does multi-tenancy deal with conflict of interest?
  - Can tenants get along together and 'play nicely'?
  - If they can't, can we isolate them?


In theory, minimizing any of the issues would help:
- Loss of control: take back control
  - Data and apps may still need to be on the cloud
  - But can they be managed in some way by the consumer?
- Lack of trust: increase trust (mechanisms)
  - Technology
  - Policy, regulation
  - Contracts
- Multi-tenancy
  - Private cloud: takes away the reasons to use a cloud in the first place
  - VPC: it's still not a separate system
  - Strong separation

Security Issues in the Cloud

Consumers have specific security needs but don't have a say-so in how they are handled:
- What is the provider doing for me?
- Currently consumers cannot dictate their requirements to the provider

Standard language to convey one's policies and expectations:
- Agreed upon and upheld by both parties
- Standard language for representing a Service Level Agreement
- Can be used in an intra-cloud environment to realize an overarching security posture

Minimize Lack of Trust: Policy Language

Create a policy language with the following characteristics:
- Machine-understandable
- Easy to combine/merge and compare
- Examples of policy statements are: requires isolation between VMs, requires geographical isolation between VMs, requires physical separation from other communities/tenants that are in the same industry.
- Need a validation tool to check that the policy created in the standard language correctly reflects the policy creator's intentions.
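As an added example (not the presentation's content), here is a minimal machine-understandable form of the three policy statements above in Python: a merge operation that combines two tenants' policies into their most restrictive union, and a validation check that reports which statements a candidate VM placement violates. How each statement is interpreted, and all hosts, regions and tenant names, are my assumptions.

```python
"""Machine-readable tenant policy: merge two policies, validate a placement.
Added example, not from the presentation: the slides' three statements become
fixed fields (my reading is in the comments); hosts/tenants are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    vm_isolation: bool = False   # no other tenant's VM on my hosts
    geo_isolation: bool = False  # my VMs spread over at least 2 regions
    separate_industries: frozenset = frozenset()  # no co-tenant from these

    def merge(self, other):
        """Most restrictive combination: a placement valid under the result
        is valid under both inputs, which also lets policies be compared."""
        return Policy(self.vm_isolation or other.vm_isolation,
                      self.geo_isolation or other.geo_isolation,
                      self.separate_industries | other.separate_industries)


@dataclass
class Host:
    region: str
    tenants: dict = field(default_factory=dict)  # tenant name -> industry


def validate(tenant, policy, placement, hosts):
    """Return the violations of policy for tenant; placement maps VM -> host."""
    found = []
    used = sorted(set(placement.values()))
    if policy.geo_isolation and len({hosts[h].region for h in used}) < 2:
        found.append("geo: all VMs are in one region")
    for h in used:
        for other, industry in hosts[h].tenants.items():
            if other == tenant:
                continue
            if policy.vm_isolation:
                found.append(f"{h}: shares host with tenant {other}")
            elif industry in policy.separate_industries:
                found.append(f"{h}: co-tenant {other} is in {industry}")
    return found


def demo():
    """Constructed scenario: tenant acme merges two statements, then checks."""
    hosts = {"h1": Host("eu-west", {"acme": "finance", "bankco": "finance"}),
             "h2": Host("eu-west", {"acme": "finance", "shop": "retail"})}
    policy = Policy(geo_isolation=True).merge(
        Policy(separate_industries=frozenset({"finance"})))
    return policy, validate("acme", policy, {"vm1": "h1", "vm2": "h2"}, hosts)
```

Because a policy is a fixed set of fields, "policy A is at least as strict as B" is simply `A.merge(B) == A`, which is the comparison the slide asks for.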


Minimize Lack of Trust: Certification

- Certification: some form of reputable, independent, comparable assessment and description of security features and assurance
- Risk assessment: performed by certified third parties; provides consumers with additional assurance

Minimize Loss of Control

- Monitoring
- Utilizing different clouds
- Access control management

Monitoring

Cloud consumer needs situational awareness for critical applications:
- When underlying components fail, what is the effect of the failure on the mission logic?
- What recovery measures can be taken?
- Requires an application-specific run-time monitoring and management tool for the consumer

The cloud consumer and cloud provider have different views of the system:
- Enable both the provider and tenants to monitor the components in the cloud that are under their control
- Provide mechanisms that enable the provider to act on attacks he can handle
- Provide mechanisms that enable the consumer to act on attacks that he can handle (application-level monitoring)

Utilizing different clouds

Consumer may use services from different clouds through an intra-cloud or multi-cloud architecture.

Propose a multi-cloud or intra-cloud architecture in which consumers:
- Spread the risk
- Increase redundancy (per-task or per-application)
- Increase the chance of mission completion for critical applications

Possible issues to consider:
- Policy incompatibility (combined, what is the overarching policy?)
- Data dependency between clouds
- Differing data semantics across clouds
- Knowing when to utilize the redundancy feature (monitoring technology)
- Is it worth it to spread your sensitive data across multiple clouds? Redundancy could increase the risk of exposure

Access control management

Many possible layers of access control:
- E.g. access to the cloud, access to servers, access to services, access to databases, access to a Virtual Memory System, and access to objects within a Virtual Memory
- Depending on the deployment model used, some of these will be controlled by the provider and others by the consumer
- Regardless of deployment model, the provider needs to manage the user authentication and access control procedures
  - Federated Identity Management: the access control management burden still lies with the provider
  - Requires the user to place a large amount of trust in the provider in terms of security, management, and maintenance of access control policies. This can be burdensome when numerous users from different organizations, with different access control policies, are involved

Access control management

Consumer-managed access control:
- Consumer retains the decision-making process to retain some control, requiring less trust of the provider (i.e. the PDP is in the consumer's domain)
- Requires the client and provider to have a pre-existing trust relationship, as well as a pre-negotiated standard way of describing resources, users, and access decisions between the cloud provider and consumer. It also needs to be able to guarantee that the provider will uphold the consumer-side's access decisions.
- Should be at least as secure as the traditional access control model.
- Facebook and Google Apps do this to some degree, but not enough control
- Applicability to privacy of patient health records

Access Control

[Figure: consumer-managed access control across two domains. Entities shown: PEP (intercepts all resource access requests from all client domains); PDP for cloud resource on Domain A; Cloud Consumer in Domain B; ACM (XACML policies); resources; Cloud Provider in Domain A; IDP.]

1. Authn request
2. SAML Assertion
3. Resource request (XACML Request) + SAML assertion
4. Redirect to domain of resource owner
5. Determine whether user can access specified resource
6. Create ticket for grant/deny
7. Send signed and encrypted ticket
8. Decrypt and verify signature
9. Retrieve capability from ticket
10. Grant or deny access based on capability
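As an added example (not from the presentation, nor any real product's code), the following Python models steps 2 to 10 of the flow above: the IdP asserts the user, the consumer-side PDP evaluates its own policy and returns a signed capability ticket, and the provider's PEP can only enforce that decision, not alter it. HMAC-SHA256 with pre-shared keys stands in for the SAML/XACML signatures, the encryption of the ticket (steps 7-8) is left out, and the users, resources, policy and keys are constructed.

```python
"""Consumer-managed access control: the PDP in the consumer's domain issues
a signed capability ticket that the provider's PEP can enforce but not alter.
Added example, not from the presentation; keys, users, policy are constructed."""
import hashlib, hmac
import json, time

IDP_KEY = b"constructed-idp-key"        # IdP <-> PDP trust (assumption)
TICKET_KEY = b"constructed-shared-key"  # PDP <-> PEP pre-negotiated key


def sign(obj, key):
    """Serialize obj canonically and append an HMAC tag: body.hexmac"""
    body = json.dumps(obj, sort_keys=True).encode()
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def verify(token, key):
    """Return the signed object, or None if the tag does not match."""
    body, _, tag = token.rpartition(b".")
    good = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return json.loads(body) if hmac.compare_digest(tag, good) else None


def idp_assert(user):  # steps 1-2: the IdP answers an authn request
    return sign({"subject": user, "issuer": "idp.domain-B"}, IDP_KEY)


# The consumer-side ACM: XACML-like rules stay in the consumer's domain.
POLICY = {("alice", "/records/42", "read"): "Permit"}


def pdp_decide(request, assertion, now=None, ttl=300):
    """Steps 5-7: check the assertion, evaluate policy, sign a ticket."""
    claims = verify(assertion, IDP_KEY)
    if claims is None or claims["subject"] != request["subject"]:
        return None  # unauthenticated or mismatched subject: no ticket
    key = (request["subject"], request["resource"], request["action"])
    capability = dict(request, decision=POLICY.get(key, "Deny"),
                      exp=(now or time.time()) + ttl)
    return sign(capability, TICKET_KEY)


def pep_enforce(ticket, request, now=None):
    """Steps 8-10: verify the ticket, read the capability, grant or deny."""
    cap = verify(ticket, TICKET_KEY)
    if cap is None or cap["exp"] < (now or time.time()):
        return False  # forged, altered or expired ticket
    same = all(cap[k] == request[k] for k in ("subject", "resource", "action"))
    return same and cap["decision"] == "Permit"
```

The expiry field and the binding of the ticket to subject, resource and action are what keep a captured ticket from being replayed against another resource or after its window.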

Cloud Domains

Service contracts should address these 13 domains:
- Architectural Framework
- Governance, Enterprise Risk Management
- Legal, e-Discovery
- Compliance & Audit
- Information Lifecycle Management
- Portability & Interoperability
- Security, Business Continuity, Disaster Recovery
- Data Center Operations
- Incident Response Issues
- Application Security
- Encryption & Key Management
- Identity & Access Management
- Virtualization

Cloud Architecture

Governance
- Identify and implement processes and controls to maintain effective governance, risk management, compliance
- Provider security governance should be assessed for sufficiency, maturity, consistency with the user's ITSEC process
- Request clear docs on how facility & services are assessed
- Require definition of what the provider considers critical services, info
- Perform full contract and terms-of-use due diligence to determine roles, accountability

Legal, e-Discovery

- Functional: which functions & services in the Cloud have legal implications for both parties
- Jurisdictional: which governments administer laws and regulations impacting services, stakeholders, data assets
- Contractual: terms & conditions

- Both parties must understand each other's roles
  - Litigation hold, Discovery searches
  - Expert testimony
- Provider must save primary and secondary data
- Where is the data stored? Laws for cross-border data flows
- Plan for unexpected contract termination and orderly return or secure disposal of assets
- You should ensure you retain ownership of your data in its original form

Incident Response

- Cloud apps aren't always designed with data integrity, security in mind
- Does the provider keep app, firewall, IDS logs?
- Does the provider deliver snapshots of your virtual environment?
- Sensitive data must be encrypted for data breach regulations

Encryption, Key Management

- Encrypt data in transit, at rest, backup media
- Secure key store
  - Protect encryption keys
  - Ensure encryption is based on industry/government standards
  - Limit access to key stores
  - Key backup & recoverability

ID, Access Management

Determine how the provider handles:
- Provisioning
- Authentication
- Federation
- Authorization, user profile management

Virtualization

- What type of virtualization is used by the provider?
- What 3rd-party security technology augments the virtual OS?
- Which controls protect admin interfaces exposed to users?

Opportunities and Challenges

The use of the cloud provides a number of opportunities:
- It enables services to be used without any understanding of their infrastructure.
- Cloud computing works using economies of scale:
  - It potentially lowers the outlay expense for start-up companies, as they would no longer need to buy their own software or servers.
  - Cost would be by on-demand pricing.
  - Vendors and service providers claim costs by establishing an on-going revenue stream.
- Data and services are stored remotely but accessible from "anywhere".

There has been backlash against cloud computing:
- Use of cloud computing means dependence on others and that could possibly limit flexibility and innovation:
  - The others are likely to become the bigger Internet companies like Google and IBM, who may monopolise the market.
  - Some argue that this use of supercomputers is a return to the time of mainframe computing that the PC was a reaction against.
- Security could prove to be a big issue:
  - It is still unclear how safe outsourced data is, and when using these services ownership of data is not always clear.
- There are also issues relating to policy and access:
  - If your data is stored abroad, whose policy do you adhere to?
  - What happens if the remote server goes down?
  - How will you then access files?
  - There have been cases of users being locked out of accounts and losing access to data.

Advantages of Cloud Computing

Lower computer costs:
- Do not need a high-powered and high-priced computer to run cloud computing's web-based applications.
- Since applications run in the cloud, not on the desktop PC, the desktop PC does not need the processing power or hard disk space demanded by traditional desktop software.

Reduced software costs:
- Instead of purchasing expensive software applications; better than paying for similar commercial software

Improved performance:
- With few large programs hogging the computer's memory, you will see better performance from your PC.
- Computers in a cloud computing system boot and run faster because they have fewer programs and processes loaded into memory.

Easier group collaboration:
- Sharing documents leads directly to better collaboration.
- Many users do this as it is an important advantage of cloud computing.

Device independence:
- You are no longer tethered to a single computer or network.
- Changes to computers, applications and documents follow you through the cloud.
- Move to a portable device, and your applications and documents are still available.

Disadvantages of Cloud Computing

Requires a constant Internet connection:
- Cloud computing is impossible if you cannot connect to the Internet.
- Since you use the Internet to connect to both your applications and documents, if you do not have an Internet connection you cannot access anything, even your own documents.

Does not work well with low-speed connections:
- Similarly, a low-speed Internet connection, such as that found with dial-up services, makes cloud computing painful at best and often impossible.
- Web-based applications require a lot of bandwidth to download, as do large documents.

Features might be limited:
- This situation is bound to change, but today many web-based applications simply are not as full-featured as their desktop-based counterparts.
- For example, you can do a lot more with Microsoft PowerPoint than with Google Presentation's web-based offering.

Can be slow:
- Even with a fast connection, web-based applications can sometimes be slower than accessing a similar software program on the desktop PC.
- Everything about the program, from the interface to the current document, has to be sent back and forth from the computer to the computers in the cloud.

Stored data might not be secure:
- With cloud computing, all your data is stored on the cloud.
- The question is: how secure is the cloud?
- Can unauthorized users gain access to your confidential data?

Stored data can be lost:
- Theoretically, data stored in the cloud is safe, replicated across multiple machines.
- But on the off chance that your data goes missing, you have no physical or local backup.



Questions??