FlexCloud: Reliable and Secure Cloud Overlay Infrastructures. Prof. Dr. Alexander Schill. 2013. Outline. Cloud Computing … What is it all about? Problems. π-Box: Building your personal secure cloud. π-Data Controller: Secure Cloud Storage. Conclusion & Future Work.
FlexCloud: Reliable and Secure Cloud Overlay Infrastructures Prof. Dr. Alexander Schill 2013
Outline: Cloud Computing … • What is it all about? • Problems • π-Box: Building your personal secure cloud • π-Data Controller: Secure Cloud Storage • Conclusion & Future Work
The shape of a cloud … is in the eye of the beholder. • IaaS/PaaS*: Cloud Operating System, part of Azure Platform • SaaS*: Customized applications for business and home user, based on Google App Engine, e.g. collaboration tools • IaaS*: Migration of virtual machines between private and public clouds • PaaS*: Development and hosting of web applications • SaaS/PaaS*: Business cloud services focussing on customer relationship management. *SaaS = Software as a Service, PaaS = Platform as a Service, IaaS = Infrastructure as a Service
Cloud Computing Characteristics • On-demand self service • Rapid elasticity • Broadband network access • Measured and optimized service • Resource pooling. Cloud Computing is … the on-demand and pay-per-use application of virtualised IT services over the Internet. Adopted from the NIST Definition of Cloud Computing [MeGr2011]
Service & Deployment Models. Figure: Cloud Architecture Stack, from User/Clients downwards • Software Services (SaaS): User Interface, Machine Interface, Applications, Applications Services • Platform Services (PaaS): Components Services, Programming Environment, Execution Environment • Infrastructure Services (IaaS): Compute, Network, Storage • Virtual Resource Set (VRS) • Physical Resource Set (PRS). Cloud Organization: Public, Hybrid, Community, Private. Further labels: Convenience, User Control. Adopted from [MeGr2011] and [BKNT2010]
Problems of Cloud Computing: Reliability and security when giving up physical possession > Failure of monocultures > Cloud providers' trustworthiness > Staying in control
FlexCloud Objectives. π-Cloud: Establishing a secure cloud computing life cycle. Hybrid cloud platform to integrate a user's (cloud) resources, services and data. > Unified Cloud: Prevent Vendor-Lock-in + Integration of existing IT > Secure Cloud: Ensure data privacy and security > Managed Cloud: Keep the user in command > Efficient Cloud: Adapt to user preferences and cloud's vital signs
FlexCloud's Approach: Subsume all end devices within a Personal Secure Cloud (π-Cloud) controlled by the π-Box.
Transparent Encryption • Document classification concerning security requirements. • Analysis of structured, unstructured data and context information. • Addressee identification and derivation of respective keys. Figure labels: π-Cloud, PKI, ?
Increasing Availability: from RAID to RAIC. RAID: Redundant Array of Independent Disks. RAIC: Redundant Array of Independent Clouds. Figure: the two layer stacks side by side • Integration Layer: web access, distributed filesystem, logical partition, versioning • Preprocessing Layer: file level transformation (e.g. compression), RAID level redundancy routine (mirror, stripe, …), dispersal routine, fragment level transformation (e.g. encryption) • Transport Layer: caching, block resources, local persistence, provider storage API adapter. Figure captions: Reliable disk storage; Unreliable, low quality hard disk; Reliable, universal and secure cloud storage; Unreliable, proprietary and insecure cloud storage.
Secure Cloud Storage Integrator for Enterprises (System Architecture). Figure: π-Cloud = Company Intranet; π-Data Controller with the components Shared Folder, File Dispersion, Cryptography, Cloud Storage Protocol Adapter and Meta Data. Protocol labels: CIFS, WebDAV, HTTP, FTP, API.
Storing Files (1/5). Figure: the π-Data Controller system architecture.
Implementation of the Shared Folder • Technology: FUSE (Filesystem in Userspace) • CIFS/SMB network share on proxy file server • Unified user interface for arbitrary cloud storage services • Utilizing CIFS access control mechanisms. Figure: ./xmp /tmp/fuse and ls - /tmp/fuse in user space, with libfuse and glibc; VFS, FUSE, NFS, Ext3, … in the kernel. CIFS = Common Internet File System; NFS = Network File System; Ext3 = Third Extended File System; SMB = Server Message Block; FUSE = Filesystem in Userspace; VFS = Virtual File System; glibc = GNU C library
Storing Files (2/5). Figure: the π-Data Controller system architecture.
File Dispersion: Ensure availability despite unreliable cloud storage providers … • k: threshold, i.e. # of necessary shares to reconstruct • n: total # of shares a file is split into. E.g. k=6, n=8. If k < n, we need redundant information.
Secret Sharing aka Threshold Schemes • Objective: Divide a secret in shares with • Knowledge of any or more shares makes easily computable. • Knowledge of any or fewer shares leave completely undetermined (in the sense that all its possible values are equally likely). Figure labels: Sharing (Dealer, Input, Share holders store …); Reconstruction (Share holders, Reconstructor, Output …)
Secret Sharing: An informal example with 2 shares • Visual Cryptography [NaSh1994] • Simplification: n = k = 2 • Secret cannot be determined independently! [Source: http://goo.gl/watJC] • … revealed!
Secret Sharing: More formalism • Blakley's scheme [Blakley1979] • Idea: Any n nonparallel n-dimensional hyper-planes intersect at a specific point. • Sharing: Encode the secret as any single coordinate of the point of intersection. • Recovering: 1. Calculate the planes' point of intersection. 2. Take a specified coordinate of that intersection. • Example: n≥3, k=3 (figure panels: 1 share available, 2 shares available, 3 shares available; labels s, s1, s2, s3) • Shamir's scheme [Shamir1979] • Idea: It takes k points to define a polynomial of degree k-1. • Sharing: Let $a_0 := s \in S$ be the secret to be shared, where S is an infinite field known to all share holders. Randomly choose (k-1) coefficients $a_1, a_2, \dots, a_{k-1} \in S$ to build $f(x) := \sum_{i=0}^{k-1} a_i x^i$. Calculate shares $s_j := [j, f(j)]$ with $j \in \mathbb{N}_n$. • Recovering: Use Lagrange interpolation to find the coefficients of the polynomial, including the constant term $a_0$. Graphics taken from Wikipedia.
Information Dispersal: Computationally secure secret sharing • Rabin's scheme [Rabin1989] • Guarantees only availability but no secrecy. • Construction: Be where , i.e. . Rest as with Shamir's secret sharing. • Properties • With a polynomial and shares of the same size as before, we can now share a value times as long as before. • Length of each share is only -th of the length of the secret, and if shares must be sufficient for reconstruction, one can obviously not get shorter. ➔ Space optimal • However, one might gain some information if he gets access to several shares. ➔ Computationally secure • More efficient information dispersal schemes • Need to be maximum distance separable to use arbitrary shares for reconstruction. • Examples: Cauchy-Reed-Solomon, Liberation, Blaum-Roth [PSS2008]
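The Shamir and Rabin slides above, worked through as an added example that is not part of the original slides: both evaluate one polynomial at x = 1..n, and differ only in whether the coefficients a_1..a_(k-1) are random (Shamir) or carry data (polynomial-style dispersal as read from the Rabin slide). It assumes arithmetic in the prime field GF(P) with P = 2^61 - 1; all function names and sample values are hypothetical.

```python
import secrets

P = 2**61 - 1  # assumed prime modulus (added example): arithmetic is in GF(P)

def evaluate(coeffs, x):
    """Horner evaluation of f(x) = sum(coeffs[i] * x**i) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def make_shares(coeffs, n):
    """Shares s_j = (j, f(j)) for j = 1..n."""
    return [(j, evaluate(coeffs, j)) for j in range(1, n + 1)]

def shamir_split(secret, k, n):
    """a_0 is the secret, a_1..a_(k-1) are random: k-1 shares reveal nothing."""
    return make_shares([secret] + [secrets.randbelow(P) for _ in range(k - 1)], n)

def rabin_disperse(block, n):
    """All k coefficients carry data: k field elements in, one per share out."""
    return make_shares(list(block), n)

def interpolate(points):
    """Lagrange interpolation: all k coefficients from k points with distinct x."""
    k = len(points)
    coeffs = [0] * k
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1  # numerator polynomial (low degree first), denominator
        for j, (xj, _) in enumerate(points):
            if j != i:
                # basis *= (x - xj): shift up by one degree, subtract xj * basis
                basis = [(up - xj * cur) % P for up, cur in zip([0] + basis, basis + [0])]
                denom = denom * (xi - xj) % P
        scale = yi * pow(denom, -1, P) % P
        coeffs = [(c + scale * b) % P for c, b in zip(coeffs, basis)]
    return coeffs

def shamir_recover(shares):
    return interpolate(shares)[0]   # only the constant term a_0 is the secret
def rabin_recover(shares):
    return interpolate(shares)      # every coefficient is payload

if __name__ == "__main__":
    k, n = 6, 8                                  # the slides' example parameters
    shares = shamir_split(424242, k, n)
    print(shamir_recover(shares[2:]))            # any 6 of the 8 shares suffice
    block = [11, 22, 33, 44, 55, 66]             # constructed sample data, k values
    print(rabin_recover(rabin_disperse(block, n)[:k]))
```

The dispersal variant uses no randomness, so identical input always yields identical shares; that is why it provides availability but needs a separate encryption step for confidentiality.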
Storing Files (3/5). Figure: the π-Data Controller system architecture.
Cryptography: Confidentiality & Integrity. Figure labels: AES-CBC, SHA256, AES-CBC + SHA256.
Storing Files (4/5). Figure: the π-Data Controller system architecture.
Storing Files (5/5) • Stored Meta Data per component • Shared Folder: General filesystem information, e.g. file size, access rights … • File Dispersion: Used dispersion algorithm/parameters (n, k), shares' locations • Cryptography: Used cryptographic keys and calculated checksums per share • Cloud Storage Protocol Adapter: Storage protocol parameters and provider login data. Figure: the π-Data Controller system architecture.
Retrieving Files (1/3) • Dispersion parameters: n=6. Figure: the π-Data Controller system architecture.
Retrieving Files (2/3) • Dispersion parameters: n=6, k=3. Figure: the π-Data Controller system architecture.
Retrieving Files (3/3). Figure: the π-Data Controller system architecture.
Prototype Implementation • [SBM+2011] π-Cockpit desktop application • [SGS2011] web interface for π-Cockpit • ResUbic Cloud Storage Allocator for Cyber Physical Systems
Performance Evaluation: Upload. File size: 24 MB; Dispersion parameters: n=8, k=6; Cryptography parameters: AES (256 bit, 14 iterations), SHA256; Network Up/Downlink: 10/20 Mbit/s. Towards User Centric Data Governance and Control in the Cloud
Performance Evaluation: Download. File size: 24 MB; Dispersion parameters: n=8, k=6; Cryptography parameters: AES (256 bit, 14 iterations), SHA256; Network Up/Downlink: 10/20 Mbit/s.
Results so far & future work (π-Data Controller) • Data store for database system (block-based dispersion) • Collaboration scenarios, file sharing, access by external entities • Securing the meta data database • Automatic classification of data • Improving performance, e.g. scheduling algorithms, caching/prefetching, parallelization • Optimized cloud storage • Integration of existing cloud storage services (Cloud-of-Clouds) • Proxy server for transparent mediation ➔ easy to use for end-user, common scheme for enterprises • Good performance, high security & data control for the user
Towards a secure cloud life cycle • Cloud Adaption and Optimization: Strategies for the compensation of SLA violations; Strategies for minimization of energy consumption; Mechanisms for the visualization of complex Cloud Monitoring data • Fine-grained Service Level Agreements: Methods to determine fine-grained non-functional properties of Cloud Services; Identification of assets and corresponding requirements; Deduction of monitoring targets from SLAs • Cloud Surveillance and Incident Detection: Specification of monitoring targets and SLA violations; Models for the proactive recognition of SLA violations and the evaluation of a Cloud's energy efficiency; Mechanisms for reliable distributed Monitoring • Dynamic Provider Selection and Cloud Setup: Flexible distribution mechanisms for Cloud Platforms; Strategies for the performance optimization of Cloud Applications; Reputation consideration to improve reliability and trustworthiness
Tomorrow's forecast: still cloudy but sunny spots. Contact: alexander.schill@tu-dresden.de, stephan.gross@tu-dresden.de, http://flexcloud.eu/
References • [BKNT2010] C. Baun, M. Kunze, J. Nimis and S. Tai: Cloud Computing. Web-basierte dynamische IT-Services. Springer Verlag, 2010. • [Blakley1979] G. R. Blakley: Safeguarding cryptographic keys; AFIPS Conference Proceedings Vol. 48, National Computer Conference (NCC) 1979, 313-317. • [MeGr2011] P. Mell and T. Grance: The NIST Definition of Cloud Computing. NIST Special Publication 800-145, September 2011. • [NaSh1994] M. Naor and A. Shamir: Visual Cryptography, Eurocrypt 94. • [PSS2008] J. S. Plank, S. Simmerman, C. D. Schuman: Jerasure: A Library in C/C++ Facilitating Erasure Coding for Storage Applications – Version 1.2. Technical Report CS-08-627, University of Tennessee, 2008. • [Rabin1989] M. O. Rabin: Efficient Dispersal of Information for Security, Load Balancing, and Fault Tolerance; Journal of the ACM 36/2 (1989) 335-348. • [SBM+2011] J. Spillner, G. Bombach, S. Matthischke, R. Tzschicholz, and A. Schill: Information Dispersion over Redundant Arrays of Optimal Cloud Storage for Desktop Users. In: IEEE International Conference on Utility and Cloud Computing. Melbourne, Australia, December 2011. • [SGS2011] R. Seiger, S. Groß, and A. Schill: A Secure Cloud Storage Integrator for Enterprises. In: International Workshop on Clouds for Enterprises. Luxembourg, September 2011. • [Shamir1979] A. Shamir: How to Share a Secret; Communications of the ACM 22/11 (1979) 612-613.