430 likes | 723 Views
Cloud Computing Security. Reading. Reading: NIST, The NIST Definition of Cloud Computing, csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf, 2011
E N D
Cloud Computing Security Computer Science and Engineering
Reading Reading: • NIST, The NIST Definition of Cloud Computing, csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf, 2011 • R. Sandhu, et al., Towards a discipline of mission-aware cloud computing, CCSW’10 in Proc. of the 2010 Cloud Computing Workshop, 13-18, 2010., http://dl.acm.org/citation.cfm?id=1866835.1866839&coll=DL&dl=ACM&CFID=131355972&CFTOKEN=22051019 Computer Science and Engineering
What is cloud computing? Computer Science and Engineering
The NIST Definition • Computing paradigm to support ubiquitous, convenient, and on-demand network access to a shared pool of computing resources • Access characteristics: can be rapidly provisioned and released with minimal management effort or service provider’s interaction • Description: • Essential characteristics • Service model • Deployment model Computer Science and Engineering
Essential Characteristics • On-demand self-service • Broad network access • Resource pooling • Rapid elasticity • Measured service Computer Science and Engineering
Service Models • Software as a Service (SaaS) • Platform as a Service (PaaS) • Infrastructure as a Service (IaaS) Computer Science and Engineering
Deployment Models • Private cloud • Community cloud • Public cloud • Hybrid cloud Computer Science and Engineering
Cloud concerns • The cloud acts as a big black box -> Clients have no idea or control over what happens inside a cloud • Loss of control • Cloud provider, system admins • Lack of trust • How to support traditional data confidentiality, integrity, availability, and privacy issues, plus some additional attacks • Extra work Computer Science and Engineering
Security Objectives • Confidentiality • Fear of loss of control over data • sensitive data stored on a cloud • cloud compromises leak confidential client data • Is the cloud provider honest and won’t peek into the data? Computer Science and Engineering
Security Objectives • Integrity • Correct computations • Data tampering • Availability • Denial of Service attack against cloud • Cloud provider goes out of business • Scalability • Cloud provider’s downtime Computer Science and Engineering
Regulations and Legal requirements • Auditability and forensics (out of control of data) • Difficult to audit cloud data • Difficult forensics • Legal issues • Who is responsible for complying with regulations? • How about third party clouds? Computer Science and Engineering
Privacy Issues • Massive data mining • Cloud now stores data from a lot of clients, and can run data mining algorithms to get large amounts of information on clients • Increasedattack surface • Attackers target the communication link between cloud provider and client • Cloud provider employees can be phished Computer Science and Engineering
What are the Security concerns regarding Cloud computing? Computer Science and Engineering
Why do we need cloud security? • Players: • Cloud provider • Service consumer • Concerns: • Availability • Security • Cloud Security Alliance, https://cloudsecurityalliance.org/ Computer Science and Engineering
Critical Security Areas in Cloud Computing (CSA) • Governing in the Cloud • Governance and Enterprise Risk Management • Legal and Electronic Discovery • Compliance and Audit • Information Lifecycle Management • Portability and Interoperability • Operating in the Cloud • Traditional Security, Business Continuity, and Disaster Recovery • Data Center Operations • Incident Response, Notification, and Remediation • Application Security • Encryption and Key Management • Identity and Access Management • Virtualization Computer Science and Engineering
Top 10 Customer Issues Eroding Cloud Confidence (from CSA) • Government regulations keeping pace with the market (1.80) • Exit strategies (1.88) • International data privacy (1.90) • Legal issues (2.15) • Contract lock in (2.18) • Data ownership and custodian responsibilities (2.18) • Longevity of suppliers (2.20) • Integration of cloud with internal systems (2.23) • Credibility of suppliers (2.30) • Testing and assurance (2.30) Computer Science and Engineering
Will the cloud stay? Computer Science and Engineering
Cloud and Security • Security difficulties in the cloud • Cloud as a security service provider Computer Science and Engineering
What is Security? • 1960s: Computer security (CompuSec) and Communication security (CommSec) • 1970s: encryption technologies • 1990s: Information security (InfoSec) • 2000s: Information Assurance, Information Warfare • 2008-9: Information Dominance • 2010s: Mission Assurance Computer Science and Engineering
Mission Assurance • Getting the job done • Security is a secondary objective • Always present malicious entity in a cyber system • DoD Mission assurance specification Computer Science and Engineering
What is a Mission aware cloud? Computer Science and Engineering
Mission-aware cloud Research problems 1. • “Develop a heterogeneous experimental cloud computing infrastructure (denoted as the cloud henceforth) spanning multiple locations, security and assurance levels.” • “Experimentally explore, develop, and implement extensive instrumentation to monitor, measure and gather statistical data regarding activities in the cloud.” Computer Science and Engineering
Mission-aware cloud Research problems 2. • “Analyze gathered data to estimate underlying network performance and threat vulnerability using regression, analysis of variance, and other generalized linear statistical models.” • “Develop new protocols that cope with denial of service (DoS) and insider attacks and ensure predictable delivery of mission critical data.” • “Develop new or enhance existing virtual machines (VMs) that enable efficient implementation of access control and trust policies to facilitate mission assurance.” Computer Science and Engineering
Mission-aware cloud Research problems 3. • “Develop models, methodologies and architectures for decentralized dynamic management of security and assurance policies.” • “Design automated systems that analyze the tradeoffs between security and availability versus performance and scalability and take corrective action before threats or bottlenecks compromise mission assurance.” Computer Science and Engineering
Policy Decisions • Pete and Ann shares resources • Need agreement on security policy • Pete • Ann • Cloud provider Ann Pete Computer Science and Engineering
What will be the “new” technology/capability for 2010s? Computer Science and Engineering
Next Class: Mobile Security Computer Science and Engineering