300 likes | 439 Views
NETE4631 Cloud Privacy and Security. Lecture Notes #9. Managing the Cloud - Recap. Capacity Planning – Recap (2). Steps for capacity planner Examine what systems are in place Measuring their workload Resources - CPU, RAM, disk, and network Load testing and identifying resource ceiling
E N D
NETE4631Cloud Privacy and Security Lecture Notes #9
Capacity Planning – Recap (2) • Steps for capacity planner • Examine what systems are in place • Measuring their workload • Resources - CPU, RAM, disk, and network • Load testing and identifying resource ceiling • Determining usage pattern & predict future demand • Add or tear down resources to meet demand Scenario • Scale vertically (scale up) • Scale horizontally (scale out)
Lecture Outline • Statistical challenges in the cloud • Security implications • Security and privacy challenges • Security mapping • Security responsibilities • Security service boundary • Approaches • Securing data • Identity management • Standard compliance
Security Implications • Outsourcing Data and Applications • Extensibility and Shared Responsibility • Service-Level Agreements (SLAs) • Virtualization and Hypervisors • Heterogeneity • Compliance and Regulations
Security & Privacy Challenges • Authentication and Identity Management • Access Control and Accounting • Trust Management and Policy Integration • Secure-Service Management • Privacy and Data Protection • Organizational Security Management
Security Mapping • Determine which resources you are planning to move to the cloud • Determine the sensitivity of the resources to risk • Determine the risk associated with the particular cloud deployment type (public, private, or hybrid models) of a resource • Take into account the particular cloud service model that you will be using • If you have selected a particular cloud provider, you need to evaluate its system to understand how data is transferred, where it is stored, and how to move data both in and out of the cloud
Security Responsibilities • Cloud Deployment Models (NIST) • Public clouds • Private clouds • Hybrid clouds
Security Service Boundary By Cloud Security Alliance (CSA)
Approaches • Techniques for securing applications, data, management, network, and physical hardware • Data-Centric Security and Privacy • Identity Management • Comply to compliance standards
Techniques for securing resources Picture from Alexandra Institute
Securing Data • Access control • Authentication • Authorization • Encryption
Establishing Identities • What is the identity? • Things you are • Things you know • Things you have • Things you relate to • They can be used to • authenticate client requests for services • Control access to data in the cloud • Preventing unauthorized used • Maintain user roles
Steps for establishing identities for cloud computing • Establish an identity • Identity be authenticated • Authentication can be portable • Authentication provide access to resources
Defining Identity as a Service (IDaaS) • Store the information that associates with a digital entity used in electronic transactions • Core functions • Data store • Query engine • Policy engine
Authentication Protocol Standards • OpenID 2.0 http://openid.net • OAuth http://oauth.net
Auditing • Auditing is the ability to monitor the events to understand performance • Proprietary log formats • Might not be co-located
Auditing (2) Picture from Alexandra Institute
Regulatory Compliance • All regulations were written without keeping Cloud Computing in mind. • Clients are held responsible for compliance under the laws that apply to the location where the processing or storage takes place. • Security laws that requires companies providing sensitive personal information have to encrypt data transmitted and stored on their systems (Massachusetts March, 2012).
Regulatory Compliance (2) • You have to ensure the followings: • Contracts reviewed by your legal staff • The right to audit in your SLA • Review cloud service providers their security and regulatory compliance • Understand the scope of the regulations that apply to your cloud-based applications • Consider what steps to take to comply with the demand of regulations that apply and/ or adjusting your procedures to this matter • Collect and maintain the evidence of your compliance with regulations
Defining Compliance as a Service (CaaS) • CaaS needs to • Serve as a trusted party • Be able to manage cloud relationships • Be able to understand security policies and procedures • Be able to know how to handle information and administer policy • Be aware of geographic location • Provide an incidence response, archive, and allow for the system to be queried, all to a level that can be captured in a SLA
Defining Compliance as a Service (CaaS) (2) • Examples of clouds that advertise CaaS capabilities include the following: • Athenahealth for the medical industry • Bankserv for the banking industry • ClearPoint PCI for mechant transactions • FedCloud for goverment
References • Chapter 4, 12 of Course Book: Cloud Computing Bible, 2011, Wiley Publishing Inc. • Research paper - Security and Privacy Challenges in Cloud Computing Environments, Hassan Takabi and James B.D. Joshi, University of Pittsburgh