Security, Privacy, and Data Protection for Trusted Cloud Computing

Prof. Kai Hwang, University of Southern California
Keynote Address, International Conference on Cloud Computing (CloudCom2010), Indianapolis, Indiana, Dec. 3, 2010



 Cloud Platforms over Datacenters
 Cloud Infrastructure and Services
 Reputation-based Trust Management
 Data Coloring and Software Watermarking
 Cloud Support of The Internet of Things

Handy Tools We Use over the Evolutionary Periods in History

Is it safe to play with your computer when you are naked and vulnerable?

Top 10 Technologies for 2010


Web 2.0, Clouds, and Internet of Things

HPC: High-Performance Computing
HTC: High-Throughput Computing
P2P: Peer to Peer
MPP: Massively Parallel Processors

Source: K. Hwang, G. Fox, and J. Dongarra, Distributed Systems and Cloud Computing, Morgan Kaufmann, 2011 (in press, to appear)

Cloud Computing as A Service [9]


Amazon Virtual Private Cloud VPC (http://aws.amazon.com/vpc/ )


vSphere 4: An OS for Cloud Platform

Cloud Services Stack
 Application Cloud Services
 Platform Cloud Services
 Compute & Storage Cloud Services
 Co-Location Cloud Services
 Network Cloud Services

Marc Benioff, Founder of Salesforce.com (A SaaS and PaaS Cloud Provider)

1986: graduated from USC
1999: started salesforce.com
2003-05: appointed chairman of US Presidential IT Advisory Committee
2009: announced Force.com platform for cloud business computing


Security and Trust Crisis in Cloud Computing

 Protecting datacenters must first secure cloud resources and uphold user privacy and data integrity.
 Trust overlay networks could be applied to build reputation systems for establishing trust among interacting datacenters.
 A watermarking technique is suggested to protect shared data objects and massively distributed software modules.
 These techniques safeguard user authentication and tighten data access control in public clouds.
 The new approach could be more cost-effective than using traditional encryption and firewalls to secure the clouds.

Trusted Zones for VM Insulation

Diagram labels: Tenant #1 and Tenant #2 virtual infrastructures (APP/OS stacks) running over the cloud provider's physical infrastructure.
 Identity federation: federate identities with public clouds; strong authentication
 Access management: segregate and control user access
 Virtual network security: control and isolate VMs in the virtual infrastructure
 Anti-malware and cybercrime intelligence: insulate the infrastructure from malware, Trojans and cybercriminals
 Security information and event management: enable an end-to-end view of security events and compliance across infrastructures
 Data loss prevention, encryption and key management, tokenization: insulate information from other tenants and from cloud providers' employees
 GRC

Cloud Service Models and Their Security Demands

Cloud computing will not be accepted by common users unless the trust and dependability issues are resolved satisfactorily [1].

Data Security and Copyright Protection in A Trusted Cloud Platform

Source: Reference [3, 4]

Security Protection Mechanisms for Public Clouds

Trust delegation and negotiation: Cross certificates must be used to delegate trust across different PKI domains. Trust negotiation among different CSPs demands resolution of policy conflicts.

Worm containment and DDoS defense: Internet worm containment and distributed defense against DDoS attacks are necessary to secure all datacenters and cloud platforms.

Reputation system over resource sites: A reputation system could be built with P2P technology. One can build a hierarchy of reputation systems from datacenters to distributed file systems.

Fine-grain access control: This refers to fine-grain access control at the file or object level. It adds security protection beyond firewalls and intrusion detection systems.

Collusive piracy prevention: Piracy prevention achieved with peer collusion detection and content poisoning techniques.

Trust Management for Protecting Cloud Resources and Safeguarding Datacenter Operations [3]

PowerTrust Built over A Trust Overlay Network (Source: [4])

Diagram labels: Trust Overlay Network; Local Trust Scores; Initial Reputation Aggregation; Reputation Updating; Regular Random Walk; Look-ahead Random Walk; Power Nodes; Distributed Ranking Module; Global Reputation Scores V = (v1, v2, v3, ..., vn).

R. Zhou and K. Hwang, "PowerTrust: A scalable and robust reputation system for structured P2P networks", IEEE-TPDS, May 2007
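The diagram above shows local trust scores being aggregated by random walk into global reputation scores, from which power nodes are ranked. The block below is an added illustration of that pipeline, not the PowerTrust code itself: the sample trust scores are constructed, and the PageRank-style restart term is an assumption rather than part of the PowerTrust design.

```python
# Added illustration, not the PowerTrust code: aggregate local trust scores
# into global reputation scores V = (v1, ..., vn) by a random walk on the
# trust overlay, then pick the highest-ranked nodes as "power nodes".
from typing import Dict, List

LocalTrust = Dict[int, Dict[int, float]]  # rater -> {ratee: score in [0, 1]}

# Constructed sample: node 3 rates others, but nobody rates node 3.
SAMPLE_LOCAL_TRUST: LocalTrust = {
    0: {1: 1.0, 2: 0.5},
    1: {0: 1.0, 2: 1.0},
    2: {0: 0.8},
    3: {0: 1.0, 1: 0.2},
}
N = 4

def transition_matrix(local: LocalTrust, n: int) -> List[List[float]]:
    """Row-normalize local trust scores into random-walk probabilities.
    A node that rated nobody walks to a uniformly random node (no dead end)."""
    rows = []
    for i in range(n):
        row = [local.get(i, {}).get(j, 0.0) for j in range(n)]
        total = sum(row)
        rows.append([x / total for x in row] if total > 0 else [1.0 / n] * n)
    return rows

def global_reputation(local: LocalTrust, n: int, restart: float = 0.15,
                      iters: int = 500, tol: float = 1e-10) -> List[float]:
    """Power iteration: v_j <- restart/n + (1 - restart) * sum_i v_i * P[i][j].
    The restart term is an assumption (PageRank-style); it keeps the walk from
    being trapped in a closed group of nodes that only rate each other."""
    p = transition_matrix(local, n)
    v = [1.0 / n] * n
    for _ in range(iters):
        nxt = [restart / n + (1 - restart) * sum(v[i] * p[i][j] for i in range(n))
               for j in range(n)]
        if max(abs(a - b) for a, b in zip(v, nxt)) < tol:
            return nxt
        v = nxt
    return v

def power_nodes(v: List[float], k: int) -> List[int]:
    """The k top-ranked nodes by global reputation (ties broken by node id)."""
    return sorted(range(len(v)), key=lambda i: (-v[i], i))[:k]

def reputation_update(local: LocalTrust, n: int, rater: int, ratee: int,
                      score: float) -> List[float]:
    """Reputation updating: record a new local score, then re-aggregate."""
    local.setdefault(rater, {})[ratee] = score
    return global_reputation(local, n)
```

With the sample scores, node 0 (rated highly by everyone) ranks first and node 3 (rated by nobody) receives only the restart mass, until some node records a score for it.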

Data Coloring via Watermarking


Color Matching To Authenticate Data Owners and Cloud Service Providers


Architecture of The Internet of Things

Application Layer (Cloud Computing Platform): Merchandise Tracking, Environment Protection, Intelligent Search, Telemedicine, Intelligent Traffic, Smart Home
Network Layer: Mobile Telecom Network, The Internet, Information Network
Sensing Layer: RFID (RFID Label), Sensor Network (Sensor Nodes), GPS (Road Mapper)

24 Satellites of GPS Deployed in Outer Space

Service-Oriented Cloud of Clouds (Intercloud or Data Mashup)

Diagram labels: Raw Data, Information, Knowledge, Wisdom, Decisions; Sensor or Data Interchange Service, Database, Storage Cloud, Compute Cloud, Filter Cloud, Filter Service, Discovery Cloud, Another Grid, Another Service, Traditional Grid with exposed services.

Geoffrey Fox: Cloud of clouds -- from Raw Data to Wisdom. SS = Sensor service, fs = filter services

Supply Chain Management supported by the Internet of Things. ( http://www.igd.com)


Facebook Applications (550 million users registered today)

Mobility Support and Security Measures for Mobile Cloud Computing

Infrastructure Cloud (The IaaS Model)
 Mobility support and data protection methods: Special air interfaces, Mobile API design, File/Log access control, Data coloring
 Hardware and software measures for cloud security: Hardware/software root of trust, Provisioning of virtual machines, Software watermarking, Host-based firewalls and IDS

Platform Cloud (The PaaS Model)
 Mobility support and data protection methods: Wireless PKI, User authentication, Copyright protection, Disaster recovery
 Hardware and software measures for cloud security: Network-based firewalls and IDS, Trust overlay network, Reputation system, OS patch management

Cloudlets: a trusted, VM-based, resource-rich portal for upgrading mobile devices with cognitive abilities for mobile access to the cloud, exploring location-aware cloud applications such as opportunity discovery, fast information processing, and intelligent decision making on the road.

Source: "The Case for VM-based Cloudlets in Mobile Computing", IEEE Pervasive Computing, Vol. 8, No. 4, April 2009





Conclusions

 Computing clouds are changing the whole IT and service industry, and the global economy. Clearly, cloud computing demands ubiquity, efficiency, security, and trustworthiness. Cloud computing has become a common practice in business, government, education, and entertainment, leveraging 50 million servers installed globally at thousands of datacenters today.

 Private clouds will become widespread in addition to the use of a few public clouds, which are under heavy competition among Google, MS, Amazon, Intel, EMC, IBM, SGI, VMWare, Salesforce.com, etc.

 Effective trust management, guaranteed security, user privacy, data integrity, mobility support, and copyright protection are crucial to the universal acceptance of the cloud as a ubiquitous service.

Table 1: Cloud Security Responsibilities by Providers and Users

Source: Reference [4]

Cloud Computing – Service Provider Priorities

 Ensure confidentiality, integrity, and availability in a multi-tenant environment.
 Effectively meet the advertised SLA, while optimizing cloud resource utilization.
 Offer tenants capabilities for self-service, and achieve scaling through automation and simplification.

Using Twitter Crowd to Check Weather Conditions in Remote Cities


IOT Telemedicine Applications: Measured Patient Data Transferred to Doctor Using a Wireless Sensor Network.

Opportunities of IOT in 3 Dimensions


Smart Power Grid


Public, Private and Hybrid Clouds


Cloud Providers, Services and Security Measures

Kai Hwang and Deyi Li, "Trusted Cloud Computing with Secure Resources and Data Coloring", IEEE Internet Computing, Sept. 2010

Smart Earth: The Internet of Things (IOT), an IBM dream

Enabling and Synergistic Technologies for Building The Internet of Things

Enabling Technologies: Machine-to-machine interfaces; Cloud Computing Services; Microcontrollers; Wireless communication; Radio frequency identification (RFID); Energy harvesting technologies; Sensors and sensor networks; Actuators; Location technology (GPS); Software engineering

Synergistic Technologies: Geo-tagging/geo-caching; Biometrics; Machine vision; Robotics; Augmented reality; Telepresence and autonomy; Life recorders and personal assistant; Tangible user interfaces; Clean technologies; Mirror worlds

Table 9.3 Enabling and Synergistic Technologies for The IoT