1 / 75

Securely Using Cloud Computing Services

Part I. Securely Using Cloud Computing Services. Qin Liu Email: gracelq628@126.com Hunan University. Outline. 1. Cloud Computing. 2. Security Issues in Clouds. 3. Introduction to Our Work. Evolution of Computing Patterns. What Is Cloud Computing?. Wikipedia Definition

ron
Télécharger la présentation

Securely Using Cloud Computing Services

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Part I Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.com Hunan University

  2. Outline • 1. Cloud Computing • 2. Security Issues in Clouds • 3. Introduction to Our Work

  3. Evolution of Computing Patterns

  4. What Is Cloud Computing? • Wikipedia Definition • Cloud computing is a concept of using the Internet to allow people to access technology-enabled services • It allows users to consume services without knowledge of control over the technology infrastructure that supports them • NIST Definition • 5 essential characteristics • 3 cloud service models • 4 cloud deployment models

  5. The NIST Cloud Definition Framework Hybrid Clouds Deployment Models Community Cloud Public Cloud Private Cloud Service Models Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) Essential Characteristics On Demand Self-Service Broad Network Access Rapid Elasticity Resource Pooling Measured Service

  6. Essential Characteristics • On-demand service • Get computing capabilities as needed automatically • Broad Network Access • Services available over the net using desktop, laptop, PDA, mobile phone • Resource pooling • Provider resources pooled to server multiple clients • Rapid Elasticity • Ability to quickly scale in/out service • Measured service • Control, optimize services based on metering

  7. Essential Characteristics

  8. Cloud Service Models • Software as a Service (SaaS) • We use the provider apps • User doesn’t manage or control the network, servers, OS, storage or applications • Platform as a Service (PaaS) • User deploys their apps on the cloud • Controls their apps • User doesn’t manage servers, IS, storage • Infrastructure as a Service (IaaS) • Consumers gets access to the infrastructure to deploy their stuff • Doesn’t manage or control the infrastructure • Does manage or control the OS, storage, apps, selected network components

  9. Service Delivery Model Examples Amazon Google Salesforce Microsoft SaaS PaaS IaaS Products and companies shown for illustrative purposes only and should not be construed as an endorsement

  10. Cloud Deployment Models • Private cloud • Enterprise owned or leased • Community cloud • Shared infrastructure for specific community • Public cloud • Sold to the public, mega-scale infrastructure • Hybrid cloud • Composition of two or more clouds

  11. Cloud Deployment Models

  12. Top 8 Cloud Computing Companies

  13. Cloud Computing Example - Amazon EC2 • IaaS • http://aws.amazon.com/ec2

  14. Cloud Computing Example - Google AppEngine • PaaS • http://code.google.com/appengine/ • Google AppEngine API • Python runtime environment • Datastore API • Images API • Mail API • Memcache API • URL Fetch API • Users API • A free account can use up to 500 MB storage, enough CPU and bandwidth for about 5 million page views a month

  15. Conventional Computing vs. Cloud Computing Conventional Cloud Self-provisioned Shared Hardware Elastic Capacity Pay for Use Operational Expenses Managed via APIs • Manually Provisioned • Dedicated Hardware • Fixed Capacity • Pay for Capacity • Capital & Operational Expenses • Managed via Sysadmins

  16. Why A Cloud?

  17. Why A Cloud?

  18. Why A Cloud?

  19. Cloud Computing Summary • Cloud computing is a kind of network service and is a trend for future computing • Scalability matters in cloud computing technology • Users focus on application development • Services are not known geographically

  20. Outline • 1. Cloud Computing • 2. Security Issues in Clouds • 3. Introduction to Our Work

  21. What Not a Cloud? 21

  22. Cloud Providers and Security Measures Kai Hwang and Deyi Li, “Trusted Cloud Computing with Secure Resources and Data Coloring”,IEEE Internet Computing, Sept. 2010

  23. General Security Advantages • Shifting public data to an external cloud reduces the exposure of the internal sensitive data • Cloud homogeneity makes security auditing/testing simpler • Clouds enable automated security management • Redundancy / Disaster Recovery

  24. General Security Challenges • Trusting vendor’s security model • Customer inability to respond to audit findings • Obtaining support for investigations • Indirect administrator accountability • Proprietary implementations can’t be examined • Loss of physical control

  25. 10 Security Concerns Where’s the data? Who has access? What are your regulatory requirements? Do you have the right to audit? What type of training does the provider offer their employees? What type of data classification system does the provider use? What are the service level agreement (SLA) terms? What is the long-term viability of the provider? What happens if there is a security breach? What is the disaster recovery/business continuity plan (DR/BCP)?

  26. 7 Potential Risks • Privileged user access • Regulatory compliance • Data location • Data segregation. • Recovery • Investigative support • Long-term viability

  27. What Is Not New? • Data Loss • Downtimes • Phishing • Password Cracking • Botnets and Other Malware

  28. Data Loss

  29. Downtimes

  30. Phishing “hey! check out this funny blog about you...”

  31. Password Cracking

  32. What Is New? • Accountability • No Security Perimeter • Larger Attack Surface • New Side Channels • Lack of Auditability • Regulatory Compliance • Data Security

  33. Accountability

  34. No Security Perimeter • Little control over physical or network location of cloud instance VMs • Network access must be controlled on a host by host basis

  35. Larger Attack Surface Cloud Provider Your Network

  36. New Side Channels • You don’t know whose VMs are sharing the physical machine with you. • Attackers can place their VMs on your machine. • See “Hey, You, Get Off of My Cloud” paper for how. • Shared physical resources include • CPU data cache: Bernstein 2005 • CPU branch prediction: Onur Aciiçmez 2007 • CPU instruction cache: Onur Aciiçmez 2007 • In single OS environment, people can extract cryptographic keys with these attacks.

  37. Lack of Auditability • Only cloud provider has access to full network traffic, hypervisor logs, physical machine data. • Need mutual auditability • Ability of cloud provider to audit potentially malicious or infected client VMs. • Ability of cloud customer to audit cloud provider environment.

  38. Regulatory Compliance

  39. Certifications

  40. Data Security Confidentiality Authorized to know Integrity Data Has Not Been Tampered With Availability Data Never LossMachine Never Fail Storage Processing Transmission

  41. Security concerns arising because both customer data and program are residing in Provider Premises. Security is always a major concern in Open System Architectures Data Security Is A Major Concern Customer Data Customer Customer Code Provider Premises

  42. Why Data Is Not Secure • Cloud Security problems are coming from • Loss of control • Lack of trust • Multi-tenancy • Mainly exist in public cloud

  43. Loss of Control in the Cloud • Consumer’s loss of control • Data, applications, resources are located with provider • User identity management is handled by the cloud • User access control rules, security policies and enforcement are managed by the cloud provider • Consumer relies on provider to ensure • Data security and privacy • Resource availability • Monitoring and repairing of services/resources

  44. Lack of Trust in the Cloud • A brief deviation from the talk • Trusting a third party requires taking risks • Defining trust and risk • Opposite sides of the same coin • People only trust when it pays • Need for trust arises only in risky situations • Defunct third party management schemes • Hard to balance trust and risk • e.g. Key Escrow • Is the cloud headed toward the same path?

  45. Multi-tenancy Issues in the Cloud • Conflict between tenants’ opposing goals • Tenants share a pool of resources and have opposing goals • How does multi-tenancy deal with conflict of interest? • Can tenants get along together and ‘play nicely’ ? • If they can’t, can we isolate them? • How to provide separation between tenants?

  46. Possible Solutions • Loss of Control • Take back control • Data and apps may still need to be on the cloud • But can they be managed in some way by the consumer? • Lack of trust • Increase trust (mechanisms) • Technology • Policy, regulation • Contracts (incentives): topic of a future talk • Multi-tenancy • Private cloud • Takes away the reasons to use a cloud in the first place • Strong separation

  47. Cloud Security Summary • Cloud computing is sometimes viewed as a reincarnation of the classic mainframe client-server model • However, resources are ubiquitous, scalable, highly virtualized • Contains all the traditional threats, as well as new ones • In developing solutions to cloud computing security issues it may be helpful to identify the problems and approaches in terms of • Loss of control • Lack of trust • Multi-tenancy problems

  48. Outline • 1. Cloud Computing • 2. Security Issues in Clouds • 3. Introduction to Our Work

  49. Our Main Work

  50. Selected Publications • G. Wang, Q. Liu, F. Li, S. Yang, and J. Wu, "Outsourcing Privacy-Preserving Social Networks to a Cloud," accepted to appear in the 32nd IEEE International Conference on Computer Communications (IEEE INFOCOM 2013). • Q. Liu, C. C. Tan, J. Wu, and G. Wang, "Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments" Proceedings of the 31st IEEE International Conference on Computer Communications (IEEE INFOCOM 2012). • G. Wang, Q. Liu, and J. Wu, "Hierarchical Attribute-Based Encryption for Fine-Grained Access Control in Cloud Computing," Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS-10). • Q. Liu, C. C. Tan, J. Wu, and G. Wang, "Towards Differential Query Services in Cost-Efficient Clouds," accept to appear in IEEE Transactions on Parallel and Distributed Systems (TPDS). • Q. Liu, G. Wang, and J. Wu, "Time-Based Proxy Re-encryption Scheme for Secure Data Sharing in a Cloud Environment", Information Sciences. • Q. Liu, C. C. Tan, J. Wu, and G. Wang, "Cooperative Private Searching in Clouds," Journal of Parallel and Distributed Computing (JPDC). • G. Wang, Q. Liu, and J. Wu, "Hierarchical Attribute-Based Encryption and Scalable User Revocation for Sharing Data in Cloud Servers," Computers & Security.

More Related