Cloud Computing and Security - Computer Science & Engineering

Download Report

Transcript Cloud Computing and Security - Computer Science & Engineering

Cloud Computing
Security
Computer Science and Engineering
1
Reading
Reading:
• NIST, The NIST Definition of Cloud Computing,
csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf, 2011
• R. Sandhu, et al., Towards a discipline of mission-aware cloud computing,
CCSW’10 in Proc. of the 2010 Cloud Computing Workshop, 13-18, 2010.,
http://dl.acm.org/citation.cfm?id=1866835.1866839&coll=DL&dl=ACM&CF
ID=131355972&CFTOKEN=22051019
Computer Science and Engineering
2
What is cloud computing?
Computer Science and Engineering
3
The NIST Definition
• Computing paradigm to support ubiquitous, convenient, and ondemand network access to a shared pool of computing resources
• Access characteristics: can be rapidly provisioned and released
with minimal management effort or service provider’s interaction
• Description:
– Essential characteristics
– Service model
– Deployment model
Computer Science and Engineering
4
Essential Characteristics
•
•
•
•
•
On-demand self-service
Broad network access
Resource pooling
Rapid elasticity
Measured service
Computer Science and Engineering
5
Service Models
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
Computer Science and Engineering
6
Deployment Models
•
•
•
•
Private cloud
Community cloud
Public cloud
Hybrid cloud
Computer Science and Engineering
7
Cloud concerns
• The cloud acts as a big black box -> Clients have no idea or
control over what happens inside a cloud
– Loss of control
• Cloud provider, system admins
– Lack of trust
• How to support traditional data confidentiality, integrity,
availability, and privacy issues, plus some additional attacks
– Extra work
Computer Science and Engineering
8
Security Objectives
• Confidentiality
– Fear of loss of control over data
• sensitive data stored on a cloud
• cloud compromises  leak confidential client data
– Is the cloud provider honest and won’t peek into the
data?
Computer Science and Engineering
9
Security Objectives
• Integrity
– Correct computations
– Data tampering
• Availability
– Denial of Service attack against cloud
– Cloud provider goes out of business
– Scalability
– Cloud provider’s downtime
Computer Science and Engineering
10
Regulations and Legal
requirements
• Auditability and forensics (out of control of data)
– Difficult to audit cloud data
– Difficult forensics
• Legal issues
– Who is responsible for complying with regulations?
– How about third party clouds?
Computer Science and Engineering
11
Privacy Issues
• Massive data mining
– Cloud now stores data from a lot of clients, and can
run data mining algorithms to get large amounts of
information on clients
• Increased attack surface
– Attackers target the communication link between
cloud provider and client
– Cloud provider employees can be phished
Computer Science and Engineering
12
WHAT ARE THE SECURITY
CONCERNS REGARDING
CLOUD COMPUTING?
Computer Science and Engineering
13
Why do we need cloud
security?
•
Players:
– Cloud provider
– Service consumer
• Concerns:
– Availability
– Security
• Cloud Security Alliance,
https://cloudsecurityalliance.org/
Computer Science and Engineering
14
Critical Security Areas in
Cloud Computing (CSA)
• Governing in the Cloud
– Governance and Enterprise Risk Management
– Legal and Electronic Discovery
– Compliance and Audit
– Information Lifecycle Management
– Portability and Interoperability
• Operating in the Cloud
– Traditional Security, Business Continuity, and Disaster Recovery
– Data Center Operations
– Incident Response, Notification, and Remediation
– Application Security
– Encryption and Key Management
– Identity and Access Management
– Virtualization
Computer Science and Engineering
15
Top 10 Customer Issues Eroding
Cloud Confidence (from CSA)
1. Government regulations keeping pace with the market (1.80)
2. Exit strategies (1.88)
3. International data privacy (1.90)
4. Legal issues (2.15)
5. Contract lock in (2.18)
6. Data ownership and custodian responsibilities (2.18)
7. Longevity of suppliers (2.20)
8. Integration of cloud with internal systems (2.23)
9. Credibility of suppliers (2.30)
10. Testing and assurance (2.30)
Computer Science and Engineering
16
WILL THE CLOUD STAY?
Computer Science and Engineering
17
Cloud and Security
• Security difficulties in the cloud
• Cloud as a security service provider
Computer Science and Engineering
18
What is Security?
• 1960s: Computer security (CompuSec) and
Communication security (CommSec)
• 1970s: encryption technologies
• 1990s: Information security (InfoSec)
• 2000s: Information Assurance, Information Warfare
• 2008-9: Information Dominance
• 2010s: Mission Assurance
Computer Science and Engineering
19
Mission Assurance
• Getting the job done
• Security is a secondary objective
• Always present malicious entity in a cyber system
• DoD Mission assurance specification
Computer Science and Engineering
20
WHAT IS A MISSION AWARE
CLOUD?
Computer Science and Engineering
21
Mission-aware cloud
Research problems 1.
1. “Develop a heterogeneous experimental cloud
computing infrastructure (denoted as the cloud
henceforth) spanning multiple locations, security and
assurance levels.”
2. “Experimentally explore, develop, and implement
extensive instrumentation to monitor, measure and
gather statistical data regarding activities in the cloud.”
Computer Science and Engineering
22
Mission-aware cloud
Research problems 2.
3. “Analyze gathered data to estimate underlying network
performance and threat vulnerability using regression, analysis
of variance, and other generalized linear statistical models.”
4. “Develop new protocols that cope with denial of service (DoS)
and insider attacks and ensure predictable delivery of mission
critical data.”
5. “Develop new or enhance existing virtual machines (VMs) that
enable efficient implementation of access control and trust
policies to facilitate mission assurance.”
Computer Science and Engineering
23
Mission-aware cloud
Research problems 3.
7. “Develop models, methodologies and architectures for
decentralized dynamic management of security and assurance
policies.”
8. “Design automated systems that analyze the tradeoffs between
security and availability versus performance and scalability and
take corrective action before threats or bottlenecks compromise
mission assurance.”
Computer Science and Engineering
24
Policy Decisions
•Pete and Ann
shares resources
•Need agreement on
security policy
•Pete
•Ann
•Cloud provider
Ann
Pete
Computer Science and Engineering
25
What will be the “new”
technology/capability for
2010s?
Computer Science and Engineering
26
Next Class: Mobile Security
Computer Science and Engineering
27