Lecture 9: Trusted Clouds
TRANSCRIPT
-
8/6/2019 Lecture 9 Trusted Clouds
1/39
Trusted Clouds
Dr. Zahid Anwar
Trusted Computing, MS-CCS-3
Credits: 3 0
Spring 2011
-
What is Cloud Computing?
Let's hear from the experts
-
What is Cloud Computing?
The infinite wisdom of the crowds (via Google Suggest)
-
What is Cloud Computing?
"We've redefined Cloud Computing to include everything that we already do. . . . I don't understand what we would do differently in the light of Cloud Computing other than change the wording of some of our ads."
Larry Ellison, founder of Oracle
-
What is Cloud Computing?
"It's stupidity. It's worse than stupidity: it's a marketing hype campaign."
Richard Stallman, GNU
-
What is Cloud Computing?
"Cloud Computing will become a focal point of our work in security. I'm optimistic."
Ron Rivest, the R of RSA
-
Tremendous Buzz
"Cloud computing achieves a quicker return on investment" (Lindsay Armstrong of salesforce.com, Dec 2008)
"Economic downturn, the appeal of that cost advantage will be greatly magnified" (IDC, 2008)
"Not only is it faster and more flexible, it is cheaper. [...] the emergence of cloud models radically alters the cost benefit decision" (FT Mar 6, 2009)
"No less influential than e-business" (Gartner, 2008)
"Revolution, the biggest upheaval since the invention of the PC in the 1970s [...] IT departments will have little left to do once the bulk of business computing shifts [...] into the cloud" (Nicholas Carr, 2008)
"The economics are compelling, with business applications made three to five times cheaper and consumer applications five to 10 times cheaper" (Merrill Lynch, May 2008)
-
So, what really is Cloud Computing?
Cloud computing is a new computing paradigm, involving data and/or computation outsourcing, with:
Infinite and elastic resource scalability
On-demand, just-in-time provisioning
No upfront cost; pay-as-you-go
That is, use as much or as little as you need, use only when you want, and pay only for what you use.
-
The real story
Computing Utility: the holy grail of computer science in the 1960s. Code name: MULTICS
Why did it fail?
Ahead of its time: lack of communication technology (in other words, there was NO (public) Internet)
And personal computers became cheaper and more powerful
-
The real story
Mid to late 90s, Grid computing was proposed to link and share computing resources
-
The real story continued
Post-dot-com bust, big companies ended up with large data centers, with low utilization
Solution: Throw in virtualization technology, and sell the excess computing power
And thus, Cloud Computing was born
-
Cloud computing provides numerous economic advantages
For clients:
No upfront commitment in buying/leasing hardware
Can scale usage according to demand
Barriers to entry lowered for startups
For providers:
Increased utilization of datacenter resources
-
Delivery Models
Software as a Service (SaaS): use the provider's applications over a network (e.g., SalesForce.com)
Platform as a Service (PaaS): deploy customer-created applications to a cloud (e.g., AppEngine)
Infrastructure as a Service (IaaS): rent processing, storage, network capacity, and other fundamental computing resources (e.g., EC2, S3)
-
Cloud computing means selling X as a service
IaaS: Infrastructure as a Service: selling virtualized hardware
PaaS: Platform as a Service: access to a configurable platform/API
SaaS: Software as a Service: software that runs on top of a cloud
-
Cloud computing architecture
e.g., Web browser
SaaS, e.g., Google Docs
PaaS, e.g., Google AppEngine
IaaS, e.g., Amazon EC2
-
Different types of cloud computing (from IaaS to PaaS)
Amazon EC2: Clients can rent virtualized hardware, can control the software stack on the rented machines
Google AppEngine: Provides a programmable platform that can scale easily
Microsoft Azure: Clients can choose languages, but can't change the operating system or runtime
-
So, if cloud computing is so great, why isn't everyone doing it?
Clouds are still subject to traditional data confidentiality, integrity, availability, and privacy issues, plus some additional attacks
-
Companies are still afraid to use clouds
[Chow09ccsw]
-
Anatomy of fear
Confidentiality
Will the sensitive data stored on a cloud remain confidential? Will cloud compromises leak confidential client data (i.e., fear of loss of control over data)?
Will the cloud provider itself be honest and not peek into the data?
-
Anatomy of fear
Integrity
How do I know that the cloud provider is doing the computations correctly?
How do I know that the cloud provider stored my data without tampering with it?
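The tampering question on this slide is usually answered by keeping the verification secret on the client side rather than trusting any checksum the provider reports. The following is an added example, not from the lecture or from any cloud provider's SDK: the client tags each stored object with an HMAC under a key the provider never sees, binds the tag to the object name and to a version counter kept locally, and rejects any returned object whose tag does not verify. `CloudStore`, `IntegrityClient`, the `tamper`/`rollback` hooks and the sample CSV content are all constructed for the demo.

```python
"""Client-side integrity checks for objects outsourced to a cloud store.

Added example, not from the lecture: the client keeps a secret MAC key and a
per-object version counter; the provider holds the object and its tag but,
lacking the key, cannot produce a valid tag for a modified object.
"""
import hashlib
import hmac
import secrets


class IntegrityError(Exception):
    """Raised when an object fetched from the provider fails its MAC check."""


class CloudStore:
    """Stand-in for a provider-controlled object store (constructed for the demo)."""

    def __init__(self):
        self._objects = {}  # name -> (blob, tag), both exactly as given by the client

    def put(self, name, blob, tag):
        self._objects[name] = (bytes(blob), bytes(tag))

    def get(self, name):
        return self._objects[name]

    # Hypothetical misbehaviour hooks so the demo can show what the client detects.
    def tamper(self, name, blob):
        """Provider silently rewrites an object but keeps the tag it was given."""
        _, tag = self._objects[name]
        self._objects[name] = (bytes(blob), tag)

    def rollback(self, name, old_blob, old_tag):
        """Provider serves a stale copy whose tag was once valid."""
        self._objects[name] = (bytes(old_blob), bytes(old_tag))


class IntegrityClient:
    """Client side: a secret key plus a small local table of versions, nothing else."""

    def __init__(self, store, key=None):
        self.store = store
        self.key = key if key is not None else secrets.token_bytes(32)
        self.versions = {}  # name -> latest version written by this client

    def _tag(self, name, version, blob):
        # Length-prefix the name and include the version so that a tag is bound to
        # exactly one (name, version, content) triple: neither swapping two
        # correctly tagged objects nor serving an older version goes unnoticed.
        name_bytes = name.encode("utf-8")
        msg = (len(name_bytes).to_bytes(4, "big") + name_bytes
               + version.to_bytes(8, "big") + bytes(blob))
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def upload(self, name, blob):
        version = self.versions.get(name, 0) + 1
        self.store.put(name, blob, self._tag(name, version, blob))
        self.versions[name] = version
        return version

    def download(self, name):
        version = self.versions[name]  # an object we never wrote is a caller error, not a MAC failure
        blob, tag = self.store.get(name)
        # Constant-time comparison against a tag recomputed under the client key.
        if not hmac.compare_digest(self._tag(name, version, blob), tag):
            raise IntegrityError(f"{name}: object returned by provider fails integrity check")
        return blob


def _rejected(client, name):
    """True if the client refuses the object the store currently returns."""
    try:
        client.download(name)
    except IntegrityError:
        return True
    return False


def demo():
    """Upload, honest retrieval, rollback and silent modification; returns what was detected."""
    store = CloudStore()
    client = IntegrityClient(store)
    original = b"id,amount\n1,100\n"  # constructed sample data
    client.upload("invoice.csv", original)
    stale_copy = store.get("invoice.csv")  # provider keeps the v1 (blob, tag) pair around
    results = {"honest": client.download("invoice.csv") == original}

    client.upload("invoice.csv", b"id,amount\n1,100\n2,250\n")  # v2
    store.rollback("invoice.csv", *stale_copy)  # v1 served where v2 is expected
    results["rollback_detected"] = _rejected(client, "invoice.csv")

    client.upload("invoice.csv", b"id,amount\n1,100\n2,250\n3,75\n")  # v3, store healthy again
    store.tamper("invoice.csv", b"id,amount\n1,999\n2,250\n3,75\n")
    results["tamper_detected"] = _rejected(client, "invoice.csv")
    return results


if __name__ == "__main__":
    print(demo())
```

This detects modification, substitution and rollback of individual objects, but it only detects them: the client still depends on the provider to return anything at all, and the scheme says nothing about whether computations the provider runs over the data are correct. Those two questions need other mechanisms (replication across providers, auditing, verifiable computation), which is why the slide lists them separately.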
-
Anatomy of fear
Availability
Will critical systems go down at the client, if the provider is attacked in a Denial of Service attack?
business?
-
Anatomy of fear
Privacy issues raised via massive data mining
Cloud now stores data from a lot of clients, and can run data mining algorithms to get large amounts of information on clients
-
Anatomy of fear
Increased attack surface
Entity outside the organization now stores and computes data, and so
between cloud provider and client
Cloud provider employees can be phished
-
Anatomy of fear
Auditability and forensics
Difficult to audit data held outside the organization in a cloud
Forensics also made difficult since now clients don't maintain data locally
-
Anatomy of fear
Legal quagmire and transitive trust issues
Who is responsible for complying with regulations (e.g., SOX, HIPAA, GLBA)?
clouds, will the data still be secure?
-
Recall: Cloud Architecture
Client
SaaS / PaaS Provider
Cloud Provider (IaaS)
-
Attackers
-
Who is the attacker?
Insider?
Malicious employees at client
Malicious employees at Cloud provider
Cloud provider itself
Outsider?
Intruders
Network attackers?
-
Attacker Capability: Malicious Insiders
At client
Learn passwords/authentication information
Gain control of the VMs
At cloud provider
Log client communication
-
Attacker Capability: Cloud Provider
What?
Can read unencrypted data
Can possibly peek into VMs, or make copies of
Can monitor network communication, application patterns
-
Attacker motivation: Cloud Provider
Why?
Gain information about client data
Gain information on client behavior
Sell the information or use it itself
Why not?
Cheaper to be honest? Why? (again)
Third party clouds?
-
Attacker goals: Outside attackers
Intrusion
Network analysis
Man in the middle
Cartography
-
What we need is to
Adapt well known techniques for resolving some cloud security issues
clouds secure
-
Final quote
"[Cloud Computing] is a security nightmare and it can't be handled in ..."
John Chambers, CISCO CEO
-
An Open-source Software
Computing
Eucalyptus Systems Inc.
805-845-8000
www.eucalyptus.com
-
What's in a name?
Elastic Utility Computing Architecture Linking Your Programs To Useful Systems
Web services based implementation of elastic/utility/cloud computing infrastructure
Linux image hosting a la Amazon (how do we know it's a cloud?)
Try and emulate an existing cloud: Amazon AWS
Functions as a software overlay
Existing installation should not be violated (too much)
Focus on installation and maintenance
System Administrators are people too.
-
Architecture
Client-side API Translator
Cloud Controller
Client-side Interface (via network)
Database
Walrus (S3)
Cluster Controller
Node Controller
-
Further Reading
Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing, UC Berkeley Tech Report UCB/EECS-2009-28, February 2009.
Chow et al., Cloud Computing: Outsourcing Computation without Outsourcing Control, 1st ACM Cloud Computing Security Workshop, November 2009.