cloud computing security

Securely Using Cloud Computing Services. Qin Liu, Email: [email protected], Hunan University. Part I


DESCRIPTION

Contains the details about cloud computing and its security

TRANSCRIPT

  • Securely Using Cloud Computing Services
    Qin Liu, Email: [email protected], Hunan University
    Part I

  • Outline
    1. Cloud Computing
    2. Security Issues in Clouds
    3. Introduction to Our Work

  • Evolution of Computing Patterns

  • What Is Cloud Computing?
    Wikipedia definition: Cloud computing is a concept of using the Internet to allow people to access technology-enabled services. It allows users to consume services without knowledge of, or control over, the technology infrastructure that supports them.
    NIST definition: 5 essential characteristics, 3 cloud service models, 4 cloud deployment models

  • The NIST Cloud Definition Framework: Service Models, Essential Characteristics, Deployment Models

  • Essential Characteristics
    On-demand service: Get computing capabilities as needed automatically
    Broad network access: Services available over the net using desktop, laptop, PDA, mobile phone
    Resource pooling: Provider resources pooled to serve multiple clients
    Rapid elasticity: Ability to quickly scale in/out service
    Measured service: Control, optimize services based on metering

  • Essential Characteristics

  • Cloud Service Models
    Software as a Service (SaaS): We use the provider's apps. User doesn't manage or control the network, servers, OS, storage or applications
    Platform as a Service (PaaS): User deploys their apps on the cloud and controls their apps. User doesn't manage servers, OS, storage
    Infrastructure as a Service (IaaS): Consumer gets access to the infrastructure to deploy their stuff. Doesn't manage or control the infrastructure; does manage or control the OS, storage, apps, selected network components

  • Service model examples: SaaS, PaaS, IaaS (Amazon, Google, Microsoft, Salesforce)
    Products and companies shown for illustrative purposes only and should not be construed as an endorsement

  • Cloud Deployment Models
    Private cloud: Enterprise owned or leased
    Community cloud: Shared infrastructure for a specific community
    Public cloud: Sold to the public, mega-scale infrastructure
    Hybrid cloud: Composition of two or more clouds

  • Cloud Deployment Models

  • Top 8 Cloud Computing Companies

  • Cloud Computing Example - Amazon EC2 (IaaS): http://aws.amazon.com/ec2

  • Cloud Computing Example - Google AppEngine (PaaS): http://code.google.com/appengine/
    Google AppEngine API: Python runtime environment, Datastore API, Images API, Mail API, Memcache API, URL Fetch API, Users API
    A free account can use up to 500 MB storage, enough CPU and bandwidth for about 5 million page views a month

  • Conventional vs. Cloud
    Conventional                      Cloud
    Manually provisioned              Self-provisioned
    Dedicated hardware                Shared hardware
    Fixed capacity                    Elastic capacity
    Pay for capacity                  Pay for use
    Capital & operational expenses    Operational expenses
    Managed via sysadmins             Managed via APIs

  • Why A Cloud?

  • Cloud Computing Summary
    Cloud computing is a kind of network service and is a trend for future computing
    Scalability matters in cloud computing technology
    Users focus on application development
    Services are not known geographically

  • Outline
    1. Cloud Computing
    2. Security Issues in Clouds
    3. Introduction to Our Work

  • What Is Not a Cloud?

  • Cloud Providers and Security Measures
    Source: Kai Hwang and Deyi Li, "Trusted Cloud Computing with Secure Resources and Data Coloring," IEEE Internet Computing, Sept. 2010

  • General Security Advantages
    Shifting public data to an external cloud reduces the exposure of the internal sensitive data
    Cloud homogeneity makes security auditing/testing simpler
    Clouds enable automated security management
    Redundancy / disaster recovery

  • General Security Challenges
    Trusting the vendor's security model
    Customer inability to respond to audit findings
    Obtaining support for investigations
    Indirect administrator accountability
    Proprietary implementations can't be examined
    Loss of physical control

  • 10 Security Concerns
    1. Where's the data?
    2. Who has access?
    3. What are your regulatory requirements?
    4. Do you have the right to audit?
    5. What type of training does the provider offer their employees?
    6. What type of data classification system does the provider use?
    7. What are the service level agreement (SLA) terms?
    8. What is the long-term viability of the provider?
    9. What happens if there is a security breach?
    10. What is the disaster recovery/business continuity plan (DR/BCP)?

  • 7 Potential Risks
    Privileged user access
    Regulatory compliance
    Data location
    Data segregation
    Recovery
    Investigative support
    Long-term viability

  • What Is Not New?
    Data loss
    Downtimes
    Phishing
    Password cracking
    Botnets and other malware

  • Data Loss

  • Downtimes

  • Phishing: "hey! check out this funny blog about you..."

  • Password Cracking

  • What Is New?
    Accountability
    No security perimeter
    Larger attack surface
    New side channels
    Lack of auditability
    Regulatory compliance
    Data security

  • Accountability

  • No Security Perimeter
    Little control over the physical or network location of cloud instance VMs
    Network access must be controlled on a host-by-host basis

  • Larger Attack Surface
    (Figure: cloud provider and your network)

  • New Side Channels
    You don't know whose VMs are sharing the physical machine with you.
    Attackers can place their VMs on your machine. See the "Hey, You, Get Off of My Cloud" paper for how.
    Shared physical resources include: CPU data cache (Bernstein 2005), CPU branch prediction (Onur Acıiçmez 2007), CPU instruction cache (Onur Acıiçmez 2007).
    In a single-OS environment, people can extract cryptographic keys with these attacks.

  • Lack of Auditability
    Only the cloud provider has access to full network traffic, hypervisor logs, physical machine data.
    Need mutual auditability:
    Ability of the cloud provider to audit potentially malicious or infected client VMs.
    Ability of the cloud customer to audit the cloud provider environment.

  • Regulatory Compliance

  • Certifications

  • Data Security
    Confidentiality: only those authorized to know can access the data
    Availability: data is never lost, machines never fail
    Integrity: data has not been tampered with
    Applies to data in storage, processing, and transmission

  • Data Security Is A Major Concern
    Security concerns arise because both customer data and programs reside on the provider's premises.
    Security is always a major concern in open system architectures.
    (Figure: customer and provider premises)

  • Why Data Is Not Secure
    Cloud security problems come from:
    Loss of control
    Lack of trust
    Multi-tenancy
    These mainly exist in public clouds

  • Loss of Control in the Cloud
    Consumer's loss of control:
    Data, applications, resources are located with the provider
    User identity management is handled by the cloud
    User access control rules, security policies and enforcement are managed by the cloud provider
    Consumer relies on the provider to ensure:
    Data security and privacy
    Resource availability
    Monitoring and repairing of services/resources

  • Lack of Trust in the Cloud
    A brief deviation from the talk
    Trusting a third party requires taking risks
    Defining trust and risk: opposite sides of the same coin; people only trust when it pays; the need for trust arises only in risky situations
    Defunct third-party management schemes: hard to balance trust and risk, e.g. key escrow
    Is the cloud headed toward the same path?

  • Multi-tenancy Issues in the Cloud
    Conflict between tenants' opposing goals: tenants share a pool of resources and have opposing goals
    How does multi-tenancy deal with conflict of interest?
    Can tenants get along together and play nicely?
    If they can't, can we isolate them? How to provide separation between tenants?

  • Possible Solutions
    Loss of control: take back control. Data and apps may still need to be on the cloud, but can they be managed in some way by the consumer?
    Lack of trust: increase trust (mechanisms) through technology, policy and regulation, and contracts (incentives; topic of a future talk)
    Multi-tenancy: private cloud (takes away the reasons to use a cloud in the first place) or strong separation

  • Cloud Security Summary
    Cloud computing is sometimes viewed as a reincarnation of the classic mainframe client-server model
    However, resources are ubiquitous, scalable, highly virtualized
    Contains all the traditional threats, as well as new ones
    In developing solutions to cloud computing security issues it may be helpful to identify the problems and approaches in terms of loss of control, lack of trust, and multi-tenancy problems

  • Outline
    1. Cloud Computing
    2. Security Issues in Clouds
    3. Introduction to Our Work

  • Our Main Work

  • Selected Publications
    G. Wang, Q. Liu, F. Li, S. Yang, and J. Wu, "Outsourcing Privacy-Preserving Social Networks to a Cloud," accepted to appear in the 32nd IEEE International Conference on Computer Communications (IEEE INFOCOM 2013).
    Q. Liu, C. C. Tan, J. Wu, and G. Wang, "Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments," Proceedings of the 31st IEEE International Conference on Computer Communications (IEEE INFOCOM 2012).
    G. Wang, Q. Liu, and J. Wu, "Hierarchical Attribute-Based Encryption for Fine-Grained Access Control in Cloud Computing," Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS-10).
    Q. Liu, C. C. Tan, J. Wu, and G. Wang, "Towards Differential Query Services in Cost-Efficient Clouds," accepted to appear in IEEE Transactions on Parallel and Distributed Systems (TPDS).
    Q. Liu, G. Wang, and J. Wu, "Time-Based Proxy Re-encryption Scheme for Secure Data Sharing in a Cloud Environment," Information Sciences.
    Q. Liu, C. C. Tan, J. Wu, and G. Wang, "Cooperative Private Searching in Clouds," Journal of Parallel and Distributed Computing (JPDC).
    G. Wang, Q. Liu, and J. Wu, "Hierarchical Attribute-Based Encryption and Scalable User Revocation for Sharing Data in Cloud Servers," Computers & Security.

  • Multi-User Data Sharing Environment
    Cloud security problems come from:
    Loss of control
    Lack of trust (mechanisms)
    Multi-tenancy
    Security issues: data security, revocation, retrieval privacy
    The cloud service provider is a potential attacker!!

  • Data Security
    Natural way: adopt cryptographic techniques
    Current solutions:
    Traditional symmetric/asymmetric encryption: low cost for encryption and decryption; supports key delegation (HIBE); hard to achieve fine-grained access control
    Attribute-based encryption: easy to achieve fine-grained access control; high cost for encryption and decryption; does not support key delegation

  • Public Key Cryptography

  • Attribute-Based Encryption (ABE): Key-Policy ABE, Ciphertext-Policy ABE

  • Hierarchical Attribute-Based Encryption (HABE)
    Application scenario: sample URA (figure)
    Requirements: fine-grained access control, hierarchical key generation, efficiency

  • Hierarchical Attribute-Based Encryption (HABE)
    Key technique: combine hierarchical identity-based encryption and attribute-based encryption; use the attributes and the exact ID to identify each user
    (Figure: HABE architecture)

  • User Revocation
    Naive solution: the data owner re-encrypts the data and distributes new keys to the data users
    Frequent revocation will make the data owner a performance bottleneck
    Proxy re-encryption (PRE)

  • Time-Based Proxy Re-Encryption
    PRE in clouds: the data owner sends a re-encryption instruction to the cloud; the cloud performs the re-encryption based on proxy re-encryption

  • Time-Based Proxy Re-Encryption
    Key technique: incorporate time into PRE
    This scheme is suitable for applications where the validity period of access is pre-determined
    A time tree is constructed; the data owner and the cloud share a secret seed s
    The cloud automatically re-encrypts data based on its internal time when it receives a data access request
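The time tree and shared seed described in the two slides above can be illustrated with a hash-based key tree. The following is an added example written for this page, not the scheme from the "Time-Based Proxy Re-encryption" paper: it assumes a year/month/day tree, derives each node's key from its parent with HMAC-SHA256, and shows that a user holding the key of a subtree (say one month) can derive every period beneath it but nothing outside it, while the cloud, holding the seed s and its own clock, derives the current period's key without any instruction from the owner. The re-encryption step itself is not implemented here.

```python
# Added example: hash-based time tree for period keys (not the paper's construction).
# Assumptions: three levels (year/month/day), HMAC-SHA256 as the one-way step,
# and a constructed sample seed standing in for the secret seed s.
import hashlib
import hmac

LEVELS = ("year", "month", "day")                 # tree depth fixed for the example
SAMPLE_SEED = b"constructed-shared-seed-s"        # constructed; owner and cloud share it


def child_key(parent_key: bytes, label: str) -> bytes:
    """One-way step down the tree: key(child) = HMAC(key(parent), label)."""
    return hmac.new(parent_key, label.encode(), hashlib.sha256).digest()


def derive_from(node_key: bytes, path) -> bytes:
    """Walk from a node's key down the remaining labels of the path."""
    key = node_key
    for label in path:
        key = child_key(key, label)
    return key


def period_key(seed: bytes, path) -> bytes:
    """Key of the time period identified by path, e.g. ["2013", "03", "15"]."""
    if len(path) > len(LEVELS):
        raise ValueError("path is deeper than the time tree")
    return derive_from(seed, path)


def grant(seed: bytes, path):
    """What the data owner hands a user: the path and the key of that subtree."""
    return tuple(path), period_key(seed, path)


def key_for_access(granted, target_path):
    """User side: derive the key for target_path from a granted subtree key.
    Returns None when the target lies outside the granted subtree, because the
    one-way derivation cannot move up or sideways in the tree."""
    granted_path, granted_key = granted
    if tuple(target_path[: len(granted_path)]) != granted_path:
        return None
    return derive_from(granted_key, target_path[len(granted_path):])


def cloud_period_key(seed: bytes, now_path) -> bytes:
    """Cloud side: from the shared seed and its internal clock it derives the key of
    the current period on its own, which is what lets it re-encrypt automatically."""
    return period_key(seed, now_path)


if __name__ == "__main__":
    march = grant(SAMPLE_SEED, ["2013", "03"])
    print(key_for_access(march, ["2013", "03", "15"]).hex())   # derivable
    print(key_for_access(march, ["2013", "04", "01"]))         # None: outside the grant
```

The check a practitioner wants is the negative one: a grant for March yields no key for any April day, and two sibling periods never share a key.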

  • User Privacy
    Search privacy: the cloud cannot know what the users are searching for
    Access privacy: the cloud cannot know what/which files are returned to the users
    Existing solutions:
    Private search (PS) can protect user privacy while searching public data
    Searchable encryption (SE) can protect search privacy while searching private data

  • Searchable Encryption (SE)
    Bob sends to Alice an email encrypted under Alice's public key. Alice's email gateway wants to test whether the email contains the keyword "urgent" so that it could route the email to her PDA immediately. But Alice does not want the email gateway to be able to decrypt her messages.

  • Efficient Searchable Encryption
    Problem: the user needs to perform decryption, but a thin client has only limited resources
    Requirements: enable the cloud to perform partial decryption without compromising search privacy; the user can access data from the cloud anytime and anywhere with any device

  • Efficient Searchable Encryption
    Key technique: Alice takes both Bob's and the CSP's public key as inputs of the encryption algorithm; the CSP uses its secret key to perform a partial decryption and generate an intermediate value; Bob uses the intermediate value to quickly recover the data

  • Private Search (PS)
    F1: {A, B}, F2: {B, D}, F3: {C, D}
    Given a public dictionary that contains all keywords (e.g., the dictionary shown on the slide), Bob wants to retrieve files with keywords A and B

  • Private Search (PS)
    Homomorphic encryption: E(x) * E(y) = E(x + y); E(x)^y = E(x * y)
    (Figure: result entries labelled survival, collision, survival, unmatched; an unmatched file contributes E(0), so E(F2) * E(0) = E(F2))

  • Cooperative Private Search (COPS)
    Problem for simple PS: processing each query is expensive. Given n users, the cloud needs to execute n queries, a performance bottleneck on the cloud
    COPS architecture: a proxy server (ADL, trusted) is introduced between the users and the cloud to aggregate user queries and distribute search results

  • Cooperative Private Search (COPS)
    Key technique: the user and the cloud share the following functions
    Shuffle functions: shuffle the dictionary and the query, to preserve search privacy
    Pseudonym function: hide file names; obfuscation function: hide file contents, to preserve access privacy
    Key merits: user privacy is preserved from the cloud, the proxy server, and other users

  • Efficient Information Retrieval for Ranked Queries (EIRQ)
    Problem for simple COPS: no ranked queries; the cloud returns all matched files

  • Efficient Information Retrieval for Ranked Queries (EIRQ)
    Queries are classified into ranks 0, 1, ..., r-1. A rank-i query retrieves a (1 - i/r) fraction of the matched files
    The cloud cannot know which files are filtered/returned, and cannot know each query's rank

  • Efficient Information Retrieval for Ranked Queries (EIRQ)
    Key techniques: construct a mask matrix to protect query ranks; filter files without knowing which files are filtered

  • Construct Mask Matrix
    ADL constructs a mask matrix that is encrypted with its public key, and sends it to the cloud
    (Figure: ADL, Alice, Bob; number of ranks r = 2; matrix rows indexed by keyword, columns by rank)

  • Filter Files
    F1: {A, B}, F2: {B, D}, F3: {C, D}
    The cloud chooses a random column for each file
    F1 and F2 will be returned; F3 will be filtered with probability 50%
    A file matching a rank-i query is filtered with probability i/r
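The homomorphic private search of the PS slides and the mask-matrix filtering of the EIRQ slides use the same two ciphertext operations, so one added example covers both. The code below is written for this page and is not the authors' implementation: it uses a toy-sized Paillier key (E(x)*E(y) = E(x+y), E(x)^k = E(k*x)), the file collection F1: {A, B}, F2: {B, D}, F3: {C, D} from the slides, and assumes the public dictionary is {A, B, C, D}, that files are identified by small constructed integers, and that Alice's query {A, B} is rank 0 while Bob's query {D} is rank 1 with r = 2. Plain private search is the r = 1 case, where the mask matrix collapses to the encrypted query vector. The cloud's random column choice is passed in explicitly so a run is reproducible.

```python
# Added example, not code from the slides or the authors' papers. Toy Paillier key size
# and the numeric file ids are constructed; the dictionary {A, B, C, D} is an assumption.
import math
import secrets


def paillier_keygen(p=10007, q=10009):
    """Toy Paillier key pair from two fixed small primes (far too small for real use)."""
    n = p * q
    n2 = n * n
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    g = n + 1
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)
    return (n, g), (n, lam, mu)


def enc(pk, m):
    n, g = pk
    n2 = n * n
    while True:                      # random blinding factor coprime with n
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return pow(g, m % n, n2) * pow(r, n, n2) % n2


def dec(sk, c):
    n, lam, mu = sk
    n2 = n * n
    return (pow(c, lam, n2) - 1) // n * mu % n


def hom_add(pk, c1, c2):             # E(x) * E(y) = E(x + y)
    return c1 * c2 % (pk[0] ** 2)


def hom_scale(pk, c, k):             # E(x)^k = E(k * x)
    return pow(c, k, pk[0] ** 2)


# Public dictionary (assumed) and the file collection from the slides; ids are constructed.
DICTIONARY = ["A", "B", "C", "D"]
FILES = {"F1": {"A", "B"}, "F2": {"B", "D"}, "F3": {"C", "D"}}
FILE_IDS = {"F1": 1, "F2": 2, "F3": 3}


def build_mask_matrix(queries, dictionary, r):
    """queries: list of (rank, keyword set). A keyword's row has r - i ones, i being the
    best (lowest) rank of any query containing it; unqueried keywords get an all-zero row.
    With r = 1 this is the plain private-search query vector (1 = wanted, 0 = not)."""
    matrix = {}
    for kw in dictionary:
        ranks = [rank for rank, kws in queries if kw in kws]
        ones = r - min(ranks) if ranks else 0
        matrix[kw] = [1] * ones + [0] * (r - ones)
    return matrix


def encrypt_matrix(pk, matrix):
    return {kw: [enc(pk, bit) for bit in row] for kw, row in matrix.items()}


def cloud_evaluate(pk, enc_matrix, file_keywords, file_id, column):
    """Cloud side, ciphertexts only: pick a column for the file, multiply the entries of
    the file's keywords in that column to get E(c), then raise to the id to get E(c*id)."""
    e_count = enc(pk, 0)
    for kw in file_keywords:
        e_count = hom_add(pk, e_count, enc_matrix[kw][column])
    return e_count, hom_scale(pk, e_count, file_id)


def recover(sk, e_count, e_weighted):
    """Querier side (the user, or the ADL in COPS/EIRQ): c = 0 means the file was filtered."""
    c = dec(sk, e_count)
    return None if c == 0 else dec(sk, e_weighted) // c


def retrieval_probability(matrix, file_keywords, r):
    """Fraction of columns in which the file survives: (r - i)/r for its best-ranked keyword."""
    return sum(1 for j in range(r) if any(matrix[kw][j] for kw in file_keywords)) / r


def run_search(queries, r, column_choice):
    """End-to-end run. column_choice fixes the cloud's per-file column so the result is
    reproducible. Returns file name -> recovered id, or None when the file was filtered."""
    pk, sk = paillier_keygen()
    enc_m = encrypt_matrix(pk, build_mask_matrix(queries, DICTIONARY, r))
    return {name: recover(sk, *cloud_evaluate(pk, enc_m, kws, FILE_IDS[name], column_choice[name]))
            for name, kws in FILES.items()}


if __name__ == "__main__":
    # Private search: Bob wants files containing A and B (r = 1).
    print(run_search([(0, {"A", "B"})], 1, {"F1": 0, "F2": 0, "F3": 0}))
    # EIRQ, r = 2: Alice's {A, B} is rank 0, Bob's {D} is rank 1 (assumed ranks).
    ranked = [(0, {"A", "B"}), (1, {"D"})]
    for name, kws in FILES.items():
        print(name, retrieval_probability(build_mask_matrix(ranked, DICTIONARY, 2), kws, 2))
```

Two properties are worth checking: an unmatched file decrypts to c = 0 and so never leaks anything even though the cloud processed it, and in the ranked case the matrix rows A = [1, 1], B = [1, 1], C = [0, 0], D = [1, 0] give F1 and F2 a survival probability of 1 and F3 exactly 1/2, matching the slide.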

  • Evaluation

  • Evaluation

  • Questions?

    NIST: National Institute of Standards and Technology

    Examples: Amazon EC2, Google App Engine, Microsoft Azure, Google Docs, IBM LotusLive

    Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
    Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
    Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
    Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting).

    1. Where's the data? Different countries have different requirements and controls placed on access. Because your data is in the cloud, you may not realize that the data must reside in a physical location. Your cloud provider should agree in writing to provide the level of security required for your customers.
    2. Who has access? Access control is a key concern, because insider attacks are a huge risk. A potential hacker is someone who has been entrusted with approved access to the cloud. If anyone doubts this, consider that in early 2009 an insider was accused of planting a logic bomb on Fannie Mae servers that, if launched, would have caused massive damage. Anyone considering using the cloud needs to look at who is managing their data and what types of controls are applied to these individuals.
    3. What are your regulatory requirements? Organizations operating in the US, Canada, or the European Union have many regulatory requirements that they must abide by (e.g., ISO 27002, Safe Harbor, ITIL, and COBIT). You must ensure that your cloud provider is able to meet these requirements and is willing to undergo certification, accreditation, and review.
    4. Do you have the right to audit? This particular item is no small matter; the cloud provider should agree in writing to the terms of audit.
    5. What type of training does the provider offer their employees? This is actually a rather important item, because people will always be the weakest link in security. Knowing how your provider trains their employees is an important item to review.
    6. What type of data classification system does the provider use? Questions you should be concerned with here include: Is the data classified? How is your data separated from other users? Encryption should also be discussed. Is it being used while the data is at rest and in transit? You will also want to know what type of encryption is being used. As an example, there is a big difference between WEP and WPA2.
    7. What are the service level agreement (SLA) terms? The SLA serves as a contracted level of guaranteed service between the cloud provider and the customer that specifies what level of services will be provided.
    8. What is the long-term viability of the provider? How long has the cloud provider been in business and what is their track record? If they go out of business, what happens to your data? Will your data be returned, and if so, in what format? As an example, in 2007, online storage service MediaMax went out of business following a system administration error that deleted active customer data. The failed company left behind unhappy users and focused concerns on the reliability of cloud computing.
    9. What happens if there is a security breach? If a security incident occurs, what support will you receive from the cloud provider? While many providers promote their services as being unhackable, cloud-based services are an attractive target to hackers.
    10. What is the disaster recovery/business continuity plan (DR/BCP)? While you may not know the physical location of your services, it is physically located somewhere. All physical locations face threats such as fire, storms, natural disasters, and loss of power. In case of any of these events, how will the cloud provider respond, and what guarantee of continued services are they promising? As an example, in February 2009, Nokia's Contacts On Ovi servers crashed. The last reliable backup that Nokia could recover was dated January 23rd, meaning anything synced and stored by users between January 23rd and February 9th was lost completely.

    1. Privileged user access. Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the "physical, logical and personnel controls" IT shops exert over in-house programs. Get as much information as you can about the people who manage your data. "Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access," Gartner says.

    2. Regulatory compliance. Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are "signaling that customers can only use them for the most trivial functions," according to Gartner.

    3. Data location. When you use the cloud, you probably won't know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers, Gartner advises.

    4. Data segregation. Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn't a cure-all. "Find out what is done to segregate data at rest," Gartner advises. The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists. "Encryption accidents can make data totally unusable, and even normal encryption can complicate availability," Gartner says.

    5. Recovery. Even if you don't know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster. "Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure," Gartner says. Ask your provider if it has "the ability to do a complete restoration, and how long it will take."

    6. Investigative support. Investigating inappropriate or illegal activity may be impossible in cloud computing, Gartner warns. "Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible."

    7. Long-term viability. Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event. "Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application," Gartner says.

    http://news.cnet.com/twitter-phishing-scam-may-be-spreading/

    Chiles and McMakin (1996) define trust as "increasing one's vulnerability to the risk of opportunistic behavior of another whose behavior is not under one's control in a situation in which the costs of violating the trust are greater than the benefits of upholding the trust."

    Trust here means mostly lack of accountability and verifiability.
    Who are my neighbors? What is their objective? They present another facet of risk and trust requirements.
    Data security: only the authorized data users can access the data stored in the cloud. Revocation: effectively revoke a data user's access right. Retrieval privacy: user privacy while retrieving data from the cloud.

    Preserve search privacy and access privacy.

    The computation cost incurred in the cloud is high since the cloud needs to process a user's query on each file in a collection. Otherwise the cloud would know that the files it did not process are not of interest to the user.

    For a keyword: the number of 1s in its row is determined by the rank i of the query it appears in: r - i (the highest rank takes over). The ratio of 1s to r determines the probability that a file containing it is returned: (r - i)/r (the highest ratio takes over).