cloud computing security and privacy christian goire
TRANSCRIPT
Cloud ComputingSecurity and Privacy to gain Trust
SMARTEVENT 2010September 23
Sophia Antipolis
Christian GOIRE
Cloud Computing Definition(s)
202/05/23
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
NIST Definition
Built on compute and storage virtualization, provides scalable, network-centric, abstracted IT infrastructure, platforms, and applications as on-demand services that are billed by consumption.
Gartner’s definition : "a style of computing where scalable and elastic IT-related capabilities are provided 'as a service' to external customers using Internet technologies."
302/05/23
The NIST Cloud Definition Framework
CommunityCommunityCloudCloud
Private Private CloudCloud
Public CloudPublic Cloud
Hybrid CloudsDeploymentModels
ServiceModels
EssentialCharacter-istics
Common Character-istics
Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Resource Pooling
Broad Network Access Rapid Elasticity
Measured Service
On Demand Self-Service
Low Cost Software
Virtualization Service Orientation
Advanced Security
Homogeneity
Massive Scale Resilient Computing
Geographic Distribution
402/05/23
3 main ServicesModels
502/05/23
Cloud Providers – A Birds Eye ViewInfrastructure as a Service
Platform as a Service
Software as a Service
Main aspects forming a cloud system
602/05/23
Expert group report (Excerpts)
Non- functional aspects
Elasticity
Reliability
Quality of Service
Agility and adaptability
Availability
702/05/23
Continued (2)
Economic aspects
Cost reduction
Pay per use
Improved time to market
Return of investment
Turning CAPEX into OPEX
Going Green
802/05/23
Continued (3)
Technological Aspects
Virtualisation
Multi- tenancy
Security, Privacy and compliance
Data Management
API’s and / or Programming Enhancements
Metering
Tools
902/05/23
Research time line (in year) of the individual topics
1002/05/23
Security and Privacy Challenges
The massive concentrations of resources and data present a more attractive target to attackers
The challenges are not new but Cloud computing intensifies them
1102/05/23
Technical risks
Resource exhaustionIsolation failureCloud provider malicious insider, abuse of high privilegeManagement interface compromiseIntercepting data in transitData leakage on up /download, intra- cloudInsecure or ineffective deletion of data Distributed Denial of service DDoSEconomic denial of service EDOSLoss of encryption keysUndertaking malicious probes and scansCompromise service engineConflicts between customer procedures and cloud
1202/05/23
Policy and organizational risks
Lock -inLoss of governanceCompliance challengesLoss of business reputation due to co -tenant activitiesCloud service termination or failureCloud provider acquisitionSupply chain failure
1302/05/23
Legal risk
Subpoena and e- discoveryRisk from change of jurisdictionData protection riskLicensing risks
1402/05/23
Research recommendations
Certification processes and standards for the Cloud
1502/05/23
Research recommendations
Metrics for security in cloud computingReturn on security investmentsEffects of different forms reporting breaches on securityTechniques for increasing transparency /level of security Location tagging, data type tagging, policy tagging Privacy (data provenance) tracing data end to end
End to end data confidentiality in the cloud and beyond: Encrypted search (long term) Encrypted processing schemes (long term) Encryption and confidentiality tools for social applications in the
cloud Trusted computing in clouds, trusted boot sequence for virtual
machine stack
Standardization etc.
1602/05/23
Legal recommendations
Legal issues to be resolved during the evaluation of the contracts (ULA User Licensing Agreement, SLA Service Level Agreement) Data protection Data security Data Transfer Law enforcement access Confidentiality and non disclosure Intellectual property Risk allocation and limitation of liability Change of control
1702/05/23
Conclusion
Technology solutions ; privacy by designCompliance with transparency provisions vis-à-vis individuals Ensure that customers know about the location of their data Ensure that they properly understand the risks so that they make
informed choices
Current review process of the existing Data Protection Directive
1802/05/23