Cloud Computing Security Computer Science and Engineering 1

Cloud Computing Security Computer Science and Engineering 1

Reading: • NIST, The NIST Definition of Cloud Computing, csrc. nist. gov/publications/nistpubs/800 -145/SP 800 -145. pdf, 2011 • R. Sandhu, et al. , Towards a discipline of mission-aware cloud computing, CCSW’ 10 in Proc. of the 2010 Cloud Computing Workshop, 13 -18, 2010. , http: //dl. acm. org/citation. cfm? id=1866835. 1866839&coll=DL&dl=ACM&CF ID=131355972&CFTOKEN=22051019 Computer Science and Engineering 2

What is cloud computing? Computer Science and Engineering 3

The NIST Definition • Computing paradigm to support ubiquitous, convenient, and ondemand network access to a shared pool of computing resources • Access characteristics: can be rapidly provisioned and released with minimal management effort or service provider’s interaction • Description: – Essential characteristics – Service model – Deployment model Computer Science and Engineering 4

Essential Characteristics • • • On-demand self-service Broad network access Resource pooling Rapid elasticity Measured service Computer Science and Engineering 5

Service Models • Software as a Service (Saa. S) • Platform as a Service (Paa. S) • Infrastructure as a Service (Iaa. S) Computer Science and Engineering 6

Deployment Models • • Private cloud Community cloud Public cloud Hybrid cloud Computer Science and Engineering 7

Cloud concerns • The cloud acts as a big black box -> Clients have no idea or control over what happens inside a cloud – Loss of control • Cloud provider, system admins – Lack of trust • How to support traditional data confidentiality, integrity, availability, and privacy issues, plus some additional attacks – Extra work Computer Science and Engineering 8

Security Objectives • Confidentiality – Fear of loss of control over data • sensitive data stored on a cloud • cloud compromises leak confidential client data – Is the cloud provider honest and won’t peek into the data? Computer Science and Engineering 9

Security Objectives • Integrity – Correct computations – Data tampering • Availability – Denial of Service attack against cloud – Cloud provider goes out of business – Scalability – Cloud provider’s downtime Computer Science and Engineering 10

Regulations and Legal requirements • Auditability and forensics (out of control of data) – Difficult to audit cloud data – Difficult forensics • Legal issues – Who is responsible for complying with regulations? – How about third party clouds? Computer Science and Engineering 11

Privacy Issues • Massive data mining – Cloud now stores data from a lot of clients, and can run data mining algorithms to get large amounts of information on clients • Increased attack surface – Attackers target the communication link between cloud provider and client – Cloud provider employees can be phished Computer Science and Engineering 12

WHAT ARE THE SECURITY CONCERNS REGARDING CLOUD COMPUTING? Computer Science and Engineering 13

Why do we need cloud security? • Players: – Cloud provider – Service consumer • Concerns: – Availability – Security • Cloud Security Alliance, https: //cloudsecurityalliance. org/ Computer Science and Engineering 14

Critical Security Areas in Cloud Computing (CSA) • Governing in the Cloud – Governance and Enterprise Risk Management – Legal and Electronic Discovery – Compliance and Audit – Information Lifecycle Management – Portability and Interoperability • Operating in the Cloud – Traditional Security, Business Continuity, and Disaster Recovery – Data Center Operations – Incident Response, Notification, and Remediation – Application Security – Encryption and Key Management – Identity and Access Management – Virtualization Computer Science and Engineering 15

Top 10 Customer Issues Eroding Cloud Confidence (from CSA) 1. Government regulations keeping pace with the market (1. 80) 2. Exit strategies (1. 88) 3. International data privacy (1. 90) 4. Legal issues (2. 15) 5. Contract lock in (2. 18) 6. Data ownership and custodian responsibilities (2. 18) 7. Longevity of suppliers (2. 20) 8. Integration of cloud with internal systems (2. 23) 9. Credibility of suppliers (2. 30) 10. Testing and assurance (2. 30) Computer Science and Engineering 16

WILL THE CLOUD STAY? Computer Science and Engineering 17

Cloud and Security • Security difficulties in the cloud • Cloud as a security service provider Computer Science and Engineering 18

What is Security? • 1960 s: Computer security (Compu. Sec) and Communication security (Comm. Sec) • 1970 s: encryption technologies • 1990 s: Information security (Info. Sec) • 2000 s: Information Assurance, Information Warfare • 2008 -9: Information Dominance • 2010 s: Mission Assurance Computer Science and Engineering 19

Mission Assurance • Getting the job done • Security is a secondary objective • Always present malicious entity in a cyber system • Do. D Mission assurance specification Computer Science and Engineering 20

WHAT IS A MISSION AWARE CLOUD? Computer Science and Engineering 21

Mission-aware cloud Research problems 1. 1. “Develop a heterogeneous experimental cloud computing infrastructure (denoted as the cloud henceforth) spanning multiple locations, security and assurance levels. ” 2. “Experimentally explore, develop, and implement extensive instrumentation to monitor, measure and gather statistical data regarding activities in the cloud. ” Computer Science and Engineering 22

Mission-aware cloud Research problems 2. 3. “Analyze gathered data to estimate underlying network performance and threat vulnerability using regression, analysis of variance, and other generalized linear statistical models. ” 4. “Develop new protocols that cope with denial of service (Do. S) and insider attacks and ensure predictable delivery of mission critical data. ” 5. “Develop new or enhance existing virtual machines (VMs) that enable efficient implementation of access control and trust policies to facilitate mission assurance. ” Computer Science and Engineering 23

Mission-aware cloud Research problems 3. 7. “Develop models, methodologies and architectures for decentralized dynamic management of security and assurance policies. ” 8. “Design automated systems that analyze the tradeoffs between security and availability versus performance and scalability and take corrective action before threats or bottlenecks compromise mission assurance. ” Computer Science and Engineering 24

Policy Decisions • Pete and Ann shares resources • Need agreement on security policy • Pete • Ann • Cloud provider Ann Pete Computer Science and Engineering 25

What will be the “new” technology/capability for 2010 s? Computer Science and Engineering 26

Next Class: Mobile Security Computer Science and Engineering 27