NETE4631 Cloud Privacy and Security

1
NETE4631Cloud Privacy and Security

• Lecture Notes 9

2
Managing the Cloud - Recap
3
Capacity Planning Recap (2)

• Steps for capacity planner
• Examine what systems are in place
• Measuring their workload
• Resources - CPU, RAM, disk, and network
• Load testing and identifying resource ceiling
• Determining usage pattern predict future demand
• Add or tear down resources to meet demand
  Scenario
• Scale vertically (scale up)
• Scale horizontally (scale out)

4
Lecture Outline

• Statistical challenges in the cloud
• Security implications
• Security and privacy challenges
• Security mapping
• Security responsibilities
• Security service boundary
• Approaches
• Securing data
• Identity management
• Standard compliance

5
Characteristics of Cloud (NIST)
6
Statistical Challenges in the Cloud
7
Security Implications

• Outsourcing Data and Applications
• Extensibility and Shared Responsibility
• Service-Level Agreements (SLAs)
• Virtualization and Hypervisors
• Heterogeneity
• Compliance and Regulations

8
Security Privacy Challenges

• Authentication and Identity Management
• Access Control and Accounting
• Trust Management and Policy Integration
• Secure-Service Management
• Privacy and Data Protection
• Organizational Security Management

9
Security Mapping

• Determine which resources you are planning to
  move to the cloud
• Determine the sensitivity of the resources to
  risk
• Determine the risk associated with the particular
  cloud deployment type (public, private, or hybrid
  models) of a resource
• Take into account the particular cloud service
  model that you will be using
• If you have selected a particular cloud provider,
  you need to evaluate its system to understand how
  data is transferred, where it is stored, and how
  to move data both in and out of the cloud

10
The AWS Security Center
11
Security Responsibilities

• Cloud Deployment Models (NIST)
• Public clouds
• Private clouds
• Hybrid clouds

12
Security Service Boundary
By Cloud Security Alliance (CSA)
13
Approaches

• Techniques for securing applications, data,
  management, network, and physical hardware
• Data-Centric Security and Privacy
• Identity Management
• Comply to compliance standards

14
Techniques for securing resources

• Picture from Alexandra Institute

15
Securing Data

• Access control
• Authentication
• Authorization
• Encryption

16
Brokered Cloud Storage Access
17
Establishing Identities

• What is the identity?
• Things you are
• Things you know
• Things you have
• Things you relate to
• They can be used to
• authenticate client requests for services
• Control access to data in the cloud
• Preventing unauthorized used
• Maintain user roles

18
Steps for establishing identities for cloud
computing

• Establish an identity
• Identity be authenticated
• Authentication can be portable
• Authentication provide access to resources

19
Defining Identity as a Service (IDaaS)

• Store the information that associates with a
  digital entity used in electronic transactions
• Core functions
• Data store
• Query engine
• Policy engine

20
Core IDaaS applications
21
Authentication Protocol Standards

• OpenID 2.0 http//openid.net
• OAuth http//oauth.net

22
Policy Engine (XACML)
23
SAML Single Sign On Request/ Response Mechanism
24
Auditing

• Auditing is the ability to monitor the events to
  understand performance
• Proprietary log formats
• Might not be co-located

25
Auditing (2)
Picture from Alexandra Institute
26
Regulatory Compliance

• All regulations were written without keeping
  Cloud Computing in mind.
• Clients are held responsible for compliance under
  the laws that apply to the location where the
  processing or storage takes place.
• Security laws that requires companies providing
  sensitive personal information have to encrypt
  data transmitted and stored on their systems
  (Massachusetts March, 2012).

27
Regulatory Compliance (2)

• You have to ensure the followings
• Contracts reviewed by your legal staff
• The right to audit in your SLA
• Review cloud service providers their security and
  regulatory compliance
• Understand the scope of the regulations that
  apply to your cloud-based applications
• Consider what steps to take to comply with the
  demand of regulations that apply and/ or
  adjusting your procedures to this matter
• Collect and maintain the evidence of your
  compliance with regulations

28
Defining Compliance as a Service (CaaS)

• CaaS needs to
• Serve as a trusted party
• Be able to manage cloud relationships
• Be able to understand security policies and
  procedures
• Be able to know how to handle information and
  administer policy
• Be aware of geographic location
• Provide an incidence response, archive, and allow
  for the system to be queried, all to a level that
  can be captured in a SLA

29
Defining Compliance as a Service (CaaS) (2)

• Examples of clouds that advertise CaaS
  capabilities include the following
• Athenahealth for the medical industry
• Bankserv for the banking industry
• ClearPoint PCI for mechant transactions
• FedCloud for goverment

30
References

• Chapter 4, 12 of Course Book Cloud Computing
  Bible, 2011, Wiley Publishing Inc.
• Research paper - Security and Privacy Challenges
  in Cloud Computing Environments, Hassan Takabi
  and James B.D. Joshi, University of Pittsburgh