(ppt) - Cloud Security Alliance

Report
SecureClouud 2012
9-10 May
On the Security of Data Stored in the Cloud
Dr Srijith Nair
Dr Theo Dimitrakos
Senior Researcher
Security Futures Practice
BT Innovate & Design
Head of Security Architectures Research
Security Futures Practice
BT Innovate & Design
Contact: {srijith.nair,[email protected]
Market evolution of Cloud computing
Data
Centre
High-end
Cloud
Environment
Virtual
Data
Centre
We
are
here
Cloud Islands
Cloud V. Chain
Cloud Horizontal Federation
Cloud federation layer
Cloud service broker
Anticipated Cloud Market Evolution
Slide 2
© British Telecommunications plc
Cloud Computing Technology Innovation
emphasis on security
Commoditised
virtualisation
Cloud
islands
• Security API for
hypervisor
• Virtual Data Centre
Service Management
Layer
• Commoditised
elasticity
• Commoditised data
abstraction & data
federation
• User-defined
hosting
• On-demand
Elasticity
• Flexible charging
model
• Rapid provisioning
/ de-provisioning
• Customer defined
standalone cloud
applications
• Cloud islandspecific security indepth
• Pre-customer
isolation & multitenancy
Common
capabilities
• Cloud –vs.–
managed service
delivery model
• Reusable and
customisable
enabling services
offered via a cloud
service delivery
model:
• Identity & access,
• Data & system
security,
• Data federation ,
• Performance
monitoring,
• Intelligent
reporting
• Auditing
• Usage control,
• Licensing,
• Optimisation
Virtual
Private
Clouds
• Customer defined
security and QoS
• Customer-centric
identity & access
federation
• Customer-aware
process & data
isolation
• Customer-defined
process and data
federation
• Secure private
network overlay
offered as a
service over the
internet
• customer-centric
loud application
composition
Community
Clouds
Cloud aware
applications
• Communityspecific virtual
private clouds
• In-cloud
collaboration,
community
management &
identity federation
services
• Vertical integration
of hosting and
community-specific
cloud applications
• Shared
• Commoditisation of
cloud application
stores
• Commoditisation of
SDK for cloud
applications
• Take advantage of
cloud IaaS or PaaS
to develop SaaS
• Ability deploy your
cloud SaaS over a
targeted SaaS /
PaaS
• SDK methods for
on-demand
elasticity, in-cloud
hosting and
dynamic resource
provisioning
Cloud
service
assembly
• Standardisation of
cloud service
management
interfaces
• Commoditisation
of cloud assembly
processes & tools
• Vertical value
chain specific
federation
• Ability to mix-andmatch cloud
infrastructure & incloud common
capabilities when
producing cloud
applications
• Ability to specify
and rapidly
provision mixed
delivery models:
eg. SaaS on 3rd
party PaaS; PaaS
on 3rd party IaaS
Open cloud
federation
• Standardisation of
• cloud common
capabilities
• cloud service
management
interfaces
• cloud access
management &
federated identity
models
• cloud service
monitoring &
reporting
• cloud license
management
services
• Virtual Private
“Local” Network
over the Internet
• User defined
Virtual Private
Cloud
Cloud
Aggregation
Ecosystem
• Standardised cloud
charging models
including auctions
• Standardisation of
cloud service
assembly
processes
• Virtual Data
Centres assembled
over multiple IaaS
clouds by different
providers
• PaaS over
federated IaaS with
integrated common
capabilities by
multiple 3rd parties
• Commoditisation
of “Make your own
Cloud” capability
Main Concerns of Cloud Computing (from way back then)
Results of survey conducted by ENISA in 2009
Not Important
Medium Importance
Very Important
Showstopper
Main concerns in approaching the cloud
Confidentiality of corporate data
Privacy
Integrity of services and/or data
Availability of services and/or data
Lack of liability of providers in case of security incidents
Loss of control of services and/or data
Intra-clouds (vendor lock-in) migration
Inconsistency between trans national laws and regulations
Unclear scheme in the pay per use approach
Uncontrolled variable cost
Cost and difficulty of migration to the cloud (legacy software …
Repudiation
4 0%
50%
100%
Jurisdictional
exposure
(location
/breach)
Segregation
of data at
rest
Data
sharding
Main Data
Challenges
Data
remanence
Data loss or
leakage
Data
provenance
5
Data
classification,
policy on what
goes into (which)
cloud
Strong
identity and
access
management
Main
Solutions
Transparent
encryption at
SaaS level
6
Support for
encryption of
data at rest
At the physical
disk level
At the virtual
volume level
Towards a comprehensive solution for cloud data
hosting & sharing
Bespoke service on
customer cloud island
Full integration to VDC
Infrastructure
Service delivery
models
Integrated with Customer’s
corporate IT infrastructure
Select cloud
provider
Monitor how policy is
enforced in the cloud
Enforce data access /
key release policy
Update data access
/ key release policy
© British Telecommunications plc
Define data store
and security policy
Encrypt data
Mount data store to
VM in the cloud
Value add service on 3rd
party clouds
Example of virtual volume level encryption
Overview: Secure Cloud Data Hosting (VDC enhancement)
• The usage control of cloud storage is offered as a service
• Customer in control of connection, protection and access to secure virtual storage
• Keys and policy server are off the cloud data host
• Decryption only possible when data is used in a specific “safe” environment following policy-based approval
• Security is enforced by “sand-boxed” context-aware intelligent agents embedded in customer’s VM
Offsite /Onsite Key Management Server
Cloud Service Provider (VDC)
Customer VM 1
Agent
Internet
Customer VM 2
Customer VM n
Agent
Hypervisor platform
Shared data storage
Policies
(Rules)
© British Telecommunications plc
Customer experience
Overview: Secure Cloud Data Hosting (VDC enhancement)
•
•
•
•
Setup
Once
Data stored in non-ephemeral storage volumes are encrypted at file system level
The encryption/decryption keys are stored off site.
Decryption only possible when used in specific environment
Rules-based approval (automatic or manual) before the keys are released to ensure release into
safe envelope (IP address, VM provenance, presence of DLP software etc.)
Encrypt volume
• Encrypt a storage volume (iSCSI, NFS) at file system level
Keep keys safe
• Store decryption key outside the cloud in a Key Management Server
Install secure
cloud agent
Create customer
image
Key request
VM
life
time
• Create a gold build Machine Image (e.g. VS template) with secure cloud agent installed
• Create instances from this image as required
• Agent requests keys when Virtual Machine is booted up
Key provisioning
• Keys may be released based on policy rules like IP address, OS type, CPU arch etc.
Volume mounting
• On receiving keys, the volume is attached to VM instance, in read or read/write mode.
Key release
• Key released by agent when it is stopped (eg. when VM shuts down).
© British Telecommunications plc
Extensions to the core service
2 BT patents pending including
combination of data shredding
and cloud encryption
Secure Cloud (Shared) Storage:
• Extend solution to federated storage that spans across
• Multiple VDCs on the same cloud infrastructure
• Cloud islands by different providers
• Combine solution with data shredding, variants of key split / group encryption, and
optimal data fragment distribution algorithms to ensure that:
• if all nodes hosting fragments of a customer's files are off all other customers can
continue to operate securely
• root access all nodes hosting fragments of one customer's files will not provide enough
fragments to reconstruct / decrypt another customers file
• customers can inspect the integrity of their shredded data
Secure Cloud Container:
• Cover protection of VM images at rest
• Cover integrity checks of data and VM image volumes
• Hypervisor root-kit to cover encryption of communication between protected VMs in
operation
© British Telecommunications plc
Cloud security innovation roadmap
at BT Research & Technology
Cloud Security Innovation Strategy
Core
activities
Market evolution
analysis
Cloud information
assurance metrics
Technical innovation
challenges & solutions
Cloud
federation
In-cloud security
cost-benefit analysis
Cloud security risk
assessment (eGov)
Cloud Federation Fabric v1
Recommendations for High-level Secure
Cloud Architecture for Government (IaaS)
Secure Cloud Service Broker
Virtual hosing on federated clouds (basic functionality)
Cloud
Security
services
Cloud
Security
infrastructure
Secure
Virtualisation
Accountable Entitlement
Management (in-cloud)
Virtual Patching
Hypervisor level
Malware Detection
Secure cloud storage service
In-cloud malware scanning
Hypervisor level Intrusion
Prevention
Cloud ecosystem security
value network
Market analysis
revision
Cloud security
value network
revision
Recommendations for High-level Secure
Cloud Architecture for Government (SaaS)
Cloud Federation Fabric v2
Cloud Aggregation
Environment (v1)
Virtual hosing on federated clouds (enhanced functionality)
In-Cloud Secure ESB fabric
Cloud information assurance
metrics
Cloud security
analytics
Hypervisor level Data Leak Prevention
Virtual community management
Application aware
Behavioural Malware
detection (in-cloud)
Use of trusted hardware in
Virtual Data Centres & Cloud
BT thought-leadership: Innovation Demonstrators
Cloud
brokerage &
Federation
• Secure Cloud Service
Broker
• In-cloud federation &
coalition management
• VHE on Federated
Clouds
© British Telecommunications plc
Cloud Application
Security
Cloud Services
Security
Secure
Virtualisation
• Intelligent Protection
• Accountable Entitlement
Management
• Behavioural monitoring
for Malware detection
• Secure cloud service
management
• Secure data storage
service
• Virtual Patching
• Active Shielding
• Hypervisor level
Malware Detection
• Hypervisor level
Intrusion Prevention
• Hypervisor level Data
Leak Prevention
BT thought-leadership: Overview of external collaborations
•
Co-authors of ENISA expert advisory report on Cloud Security Risk
Analysis
•
Contributors to CSA security guidelines and lead of Virtualisation
Security work stream
•
Contributors to ENISA expert group on Government use of Cloud
computing
•
Leading Cloud Brokerage & Federation use case at OPTIMIS a €15
million collaborative R&D project
•
Led BEinGRID (Chief scientist / technical director) the largest R&D
investment (€25 million) on next generation SOA in Europe
•
Invited speakers at events: InfoSec, CloudSecurity, RSA, e-Crime,
Intellect, ISF, CSO Summit, etc.
•
3 books and several technical papers in Cloud & Next Generation SOA
BT
IBM
Microsoft
Kaspersky
UK NHS
Google
HP
RSA
Symantec
ISSA
cloudsecurity.org
Baker & McKenzie
© British Telecommunications plc
Thank you for your attention
For more information contact
{srijith.nair,[email protected]
Slide 15
© British Telecommunications plc
Slide 16
© British Telecommunications plc
BACKUP SLIDES
Architectural Diagram of integration in Alpha
Cloud platform at BT Research & Technology
Towards a Secure Cloud blueprint
Towards a Secure Cloud blueprint
technical security subsystems

similar documents