SlideShare uma empresa Scribd logo

600.412.Lecture05

R
ragibhasan

CS 600.412 Security and Privacy in Cloud Computing

1 de 19
Security and Privacy in Cloud Computing Ragib HasanJohns Hopkins Universityen.600.412 Spring 2010 Lecture 5 03/08/2010
Securing Clouds 3/08/2010 Goal: Learn about different techniques for protecting a cloud against insider adversaries Reading Santos et al., Towards Trusted Cloud Computing, HotCloud 2009 Krautheim, Private Virtual Infrastructure for Cloud Computing, HotCloud 2009 Wood et al., The Case for Enterprise-Ready Virtual Private Clouds, HotCloud 2009 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 2
The IaaS security problem 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 3 The cloud acts as a big black box, nothing inside the cloud is visible to the clients Clients have no idea or control over what happens inside a cloud Even if the cloud provider is honest, it can have malicious sys admins who can tamper with the VMs and violate confidentiality and integrity
How to ensure that the cloud is not tampered with? Naïve Approach 1: Just trust the cloud provider Why won’t work: Provider may be honest, sys admins may not be so Naïve Approach 2: As the cloud provider to allow auditing of the cloud by the client Why won’t work: Providers are not willing to open their system to outside audits Workable Approach 3: Ask cloud provider for unforgeable proof/attestation Why may work: A third party proof not revealing other information may be enough for both client and provider 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 4
How to audit with a third party? Allow third party access to cloud? Use trusted hardware 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 5
Trusted Platform Module (TPM) 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 6 TPMs are inexpensive chips now included in most laptops Can be the building block for a trusted computing base Can bootstrap trust in a system Cannot (easily) be compromised to get the keys Endorsement Key: A private (RSA) key that identifies the chip Platform Configuration Register (PCR) : Can contain hashes of system configurations
Trusted Cloud Computing Platform by Santos et al., HotCloud 09 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 7 Problem Insiders with root access can compromise confidentiality of client virtual machines Possible solution?: Encrypt virtual machines, but sooner or later, it has to be decrypted to run Possible Solution?: Only allow nodes running trustworthy software to decrypt the VM
Threat Model Attacker A malicious insider with root level access to cloud nodes (i.e., can install new software, modify existing software etc., inspect VMs running on a node) Does not have physical access to machine 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 8
How determine if a node is trustworthy? Major events that causes changes Node start, VM Launch, VM migration How to determine trustworthiness? A node is trustworthy if it has a trustworthy configuration (e.g., h/w, software etc.) Remote attestation can help in verifying configurations 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 9
TCCP Architecture Nodes run Trusted Virtual Machine Monitors (TVMM), and TVVM configuration can be certified by TPMs External Trusted Entity (ETE) or the Trusted Coordinator (TC) is the trusted third party that verifies the node 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 10
TCCP Protocols 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 11 Node registration VM Launch VM Migrate
TCCP limitations Any single point of failure? Will it increase the attack surface? How about cost-effectiveness? 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 12
Private Virtual Infrastructure Krautheim, HotCloud09 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 13 Problem The abstraction of a cloud hides the internal security details from clients, which in turn causes them to mistrust the cloud. Idea ,[object Object]
Separate the different clients through their exclusive private virtual infrastructures
Give more control to the cloud clients,[object Object]
5 Tenets of Cloud Computing Security Provide a trusted foundation Provide a secure provisioning factory Provide measurement and attestation mechanisms Provide secure shutdown and destruction of VMs Provide continuous monitoring and auditing 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 15
LoBots LoBots Secure VM Architecture and transfer protocol Act as the trusted agent of the PVI factory inside a cloud Can measure and monitor cloud on behalf of the factory 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 16
PVI Model 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 17
CloudNetWood et al., HotCloud 09 Problem: Migrating to cloud is difficult for enterprise applications Opening up network to outside access can expose system to outsider attacks Solution: Merge VPN technology with clouds Network provider collaborates to set up a VPN link between enterprise and cloud 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 18

Recomendados

Cloud by dev
Cloud by devCloud by dev
Cloud by devDevdutta Chakrabarti
 
firewalls
firewallsfirewalls
firewallsmarvejoy341
 
Stay Ahead of Risk
Stay Ahead of RiskStay Ahead of Risk
Stay Ahead of RiskProcore Technologies
 
Network Function Virtualization - Security Best Practices AtlSecCon 2015
Network Function Virtualization - Security Best Practices AtlSecCon 2015Network Function Virtualization - Security Best Practices AtlSecCon 2015
Network Function Virtualization - Security Best Practices AtlSecCon 2015Winston Morton
 
MidoNet roadmap
MidoNet roadmapMidoNet roadmap
MidoNet roadmapJean-Francois Joly
 
Top Ten Security Considerations when Setting up your OpenNebula Cloud
Top Ten Security Considerations when Setting up your OpenNebula CloudTop Ten Security Considerations when Setting up your OpenNebula Cloud
Top Ten Security Considerations when Setting up your OpenNebula CloudNETWAYS
 
Data security in local network using distributed firewall ppt
Data security in local network using distributed firewall ppt Data security in local network using distributed firewall ppt
Data security in local network using distributed firewall ppt Sabreen Irfana
 
Towards trusted cloud computing
Towards trusted cloud computingTowards trusted cloud computing
Towards trusted cloud computingSj Park
 

Recomendados

Cloud by dev
Cloud by devCloud by dev
Cloud by devDevdutta Chakrabarti
 
firewalls
firewallsfirewalls
firewallsmarvejoy341
 
Stay Ahead of Risk
Stay Ahead of RiskStay Ahead of Risk
Stay Ahead of RiskProcore Technologies
 
Network Function Virtualization - Security Best Practices AtlSecCon 2015
Network Function Virtualization - Security Best Practices AtlSecCon 2015Network Function Virtualization - Security Best Practices AtlSecCon 2015
Network Function Virtualization - Security Best Practices AtlSecCon 2015Winston Morton
 
MidoNet roadmap
MidoNet roadmapMidoNet roadmap
MidoNet roadmapJean-Francois Joly
 
Top Ten Security Considerations when Setting up your OpenNebula Cloud
Top Ten Security Considerations when Setting up your OpenNebula CloudTop Ten Security Considerations when Setting up your OpenNebula Cloud
Top Ten Security Considerations when Setting up your OpenNebula CloudNETWAYS
 
Data security in local network using distributed firewall ppt
Data security in local network using distributed firewall ppt Data security in local network using distributed firewall ppt
Data security in local network using distributed firewall ppt Sabreen Irfana
 
Towards trusted cloud computing
Towards trusted cloud computingTowards trusted cloud computing
Towards trusted cloud computingSj Park
 
IRJET- Improving Data Storage Security and Performance in Cloud Environment
IRJET- Improving Data Storage Security and Performance in Cloud EnvironmentIRJET- Improving Data Storage Security and Performance in Cloud Environment
IRJET- Improving Data Storage Security and Performance in Cloud EnvironmentIRJET Journal
 
Security in Cloud Computing
Security in Cloud ComputingSecurity in Cloud Computing
Security in Cloud ComputingAshish Patel
 
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTING
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTINGBIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTING
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTINGIJNSA Journal
 
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTING
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTINGBIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTING
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTINGIJNSA Journal
 
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the CloudNo More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the CloudPaaSword EU Project
 
Iirdem a novel approach for enhancing security in multi cloud environment
Iirdem a novel approach for enhancing security in multi cloud environmentIirdem a novel approach for enhancing security in multi cloud environment
Iirdem a novel approach for enhancing security in multi cloud environmentIaetsd Iaetsd
 
600.412.Lecture03
600.412.Lecture03600.412.Lecture03
600.412.Lecture03ragibhasan
 
A Pulsar Use Case In Federated Learning - Pulsar Summit NA 2021
A Pulsar Use Case In Federated Learning - Pulsar Summit NA 2021A Pulsar Use Case In Federated Learning - Pulsar Summit NA 2021
A Pulsar Use Case In Federated Learning - Pulsar Summit NA 2021StreamNative
 
IRJET - Multitenancy using Cloud Computing Features
IRJET - Multitenancy using Cloud Computing FeaturesIRJET - Multitenancy using Cloud Computing Features
IRJET - Multitenancy using Cloud Computing FeaturesIRJET Journal
 
How secured and safe is Cloud?
How secured and safe is Cloud?How secured and safe is Cloud?
How secured and safe is Cloud?IRJET Journal
 
IRJET- Homomorphic Encryption Scheme in Cloud Computing for Security and Priv...
IRJET- Homomorphic Encryption Scheme in Cloud Computing for Security and Priv...IRJET- Homomorphic Encryption Scheme in Cloud Computing for Security and Priv...
IRJET- Homomorphic Encryption Scheme in Cloud Computing for Security and Priv...IRJET Journal
 
Multi-tenancy: Winning formula for a PaaS
Multi-tenancy: Winning formula for a PaaSMulti-tenancy: Winning formula for a PaaS
Multi-tenancy: Winning formula for a PaaSSrinath Perera
 
MULTI-FACTOR AUTHENTICATION SECURITY FRAMEWORK USING BlOCKCHAIN IN CLOUD COMP...
MULTI-FACTOR AUTHENTICATION SECURITY FRAMEWORK USING BlOCKCHAIN IN CLOUD COMP...MULTI-FACTOR AUTHENTICATION SECURITY FRAMEWORK USING BlOCKCHAIN IN CLOUD COMP...
MULTI-FACTOR AUTHENTICATION SECURITY FRAMEWORK USING BlOCKCHAIN IN CLOUD COMP...IRJET Journal
 
I017225966
I017225966I017225966
I017225966IOSR Journals
 
A Secure Framework for Cloud Computing With Multi-cloud Service Providers
A Secure Framework for Cloud Computing With Multi-cloud Service ProvidersA Secure Framework for Cloud Computing With Multi-cloud Service Providers
A Secure Framework for Cloud Computing With Multi-cloud Service Providersiosrjce
 
20100925 cloudy security - porticor
20100925 cloudy security - porticor20100925 cloudy security - porticor
20100925 cloudy security - porticorgiladpn
 
Cloud 12 08 V2
Cloud 12 08 V2Cloud 12 08 V2
Cloud 12 08 V2Pini Cohen
 
Ppt On Cc
Ppt On CcPpt On Cc
Ppt On CcSomya Agrawal
 
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They KeyOAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They KeyMike Schwartz
 
Headquartered at home community publication nx n pakistan
Headquartered at home community publication nx n pakistanHeadquartered at home community publication nx n pakistan
Headquartered at home community publication nx n pakistanTariq Mustafa
 
Dw bobs-shikkhok
Dw bobs-shikkhokDw bobs-shikkhok
Dw bobs-shikkhokragibhasan
 
Security and Privacy in Cloud Computing - a High-level view
Security and Privacy in Cloud Computing - a High-level viewSecurity and Privacy in Cloud Computing - a High-level view
Security and Privacy in Cloud Computing - a High-level viewragibhasan
 

Mais conteúdo relacionado

Semelhante a 600.412.Lecture05

IRJET- Improving Data Storage Security and Performance in Cloud Environment
IRJET- Improving Data Storage Security and Performance in Cloud EnvironmentIRJET- Improving Data Storage Security and Performance in Cloud Environment
IRJET- Improving Data Storage Security and Performance in Cloud EnvironmentIRJET Journal
 
Security in Cloud Computing
Security in Cloud ComputingSecurity in Cloud Computing
Security in Cloud ComputingAshish Patel
 
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTING
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTINGBIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTING
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTINGIJNSA Journal
 
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTING
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTINGBIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTING
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTINGIJNSA Journal
 
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the CloudNo More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the CloudPaaSword EU Project
 
Iirdem a novel approach for enhancing security in multi cloud environment
Iirdem a novel approach for enhancing security in multi cloud environmentIirdem a novel approach for enhancing security in multi cloud environment
Iirdem a novel approach for enhancing security in multi cloud environmentIaetsd Iaetsd
 
600.412.Lecture03
600.412.Lecture03600.412.Lecture03
600.412.Lecture03ragibhasan
 
A Pulsar Use Case In Federated Learning - Pulsar Summit NA 2021
A Pulsar Use Case In Federated Learning - Pulsar Summit NA 2021A Pulsar Use Case In Federated Learning - Pulsar Summit NA 2021
A Pulsar Use Case In Federated Learning - Pulsar Summit NA 2021StreamNative
 
IRJET - Multitenancy using Cloud Computing Features
IRJET - Multitenancy using Cloud Computing FeaturesIRJET - Multitenancy using Cloud Computing Features
IRJET - Multitenancy using Cloud Computing FeaturesIRJET Journal
 
How secured and safe is Cloud?
How secured and safe is Cloud?How secured and safe is Cloud?
How secured and safe is Cloud?IRJET Journal
 
IRJET- Homomorphic Encryption Scheme in Cloud Computing for Security and Priv...
IRJET- Homomorphic Encryption Scheme in Cloud Computing for Security and Priv...IRJET- Homomorphic Encryption Scheme in Cloud Computing for Security and Priv...
IRJET- Homomorphic Encryption Scheme in Cloud Computing for Security and Priv...IRJET Journal
 
Multi-tenancy: Winning formula for a PaaS
Multi-tenancy: Winning formula for a PaaSMulti-tenancy: Winning formula for a PaaS
Multi-tenancy: Winning formula for a PaaSSrinath Perera
 
MULTI-FACTOR AUTHENTICATION SECURITY FRAMEWORK USING BlOCKCHAIN IN CLOUD COMP...
MULTI-FACTOR AUTHENTICATION SECURITY FRAMEWORK USING BlOCKCHAIN IN CLOUD COMP...MULTI-FACTOR AUTHENTICATION SECURITY FRAMEWORK USING BlOCKCHAIN IN CLOUD COMP...
MULTI-FACTOR AUTHENTICATION SECURITY FRAMEWORK USING BlOCKCHAIN IN CLOUD COMP...IRJET Journal
 
A Secure Framework for Cloud Computing With Multi-cloud Service Providers
A Secure Framework for Cloud Computing With Multi-cloud Service ProvidersA Secure Framework for Cloud Computing With Multi-cloud Service Providers
A Secure Framework for Cloud Computing With Multi-cloud Service Providersiosrjce
 
20100925 cloudy security - porticor
20100925 cloudy security - porticor20100925 cloudy security - porticor
20100925 cloudy security - porticorgiladpn
 
Cloud 12 08 V2
Cloud 12 08 V2Cloud 12 08 V2
Cloud 12 08 V2Pini Cohen
 
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They KeyOAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They KeyMike Schwartz
 
Headquartered at home community publication nx n pakistan
Headquartered at home community publication nx n pakistanHeadquartered at home community publication nx n pakistan
Headquartered at home community publication nx n pakistanTariq Mustafa
 

Semelhante a 600.412.Lecture05 (20)

IRJET- Improving Data Storage Security and Performance in Cloud Environment
IRJET- Improving Data Storage Security and Performance in Cloud EnvironmentIRJET- Improving Data Storage Security and Performance in Cloud Environment
IRJET- Improving Data Storage Security and Performance in Cloud Environment
 
Security in Cloud Computing
Security in Cloud ComputingSecurity in Cloud Computing
Security in Cloud Computing
 
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTING
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTINGBIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTING
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTING
 
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTING
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTINGBIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTING
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTING
 
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the CloudNo More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
 
Iirdem a novel approach for enhancing security in multi cloud environment
Iirdem a novel approach for enhancing security in multi cloud environmentIirdem a novel approach for enhancing security in multi cloud environment
Iirdem a novel approach for enhancing security in multi cloud environment
 
600.412.Lecture03
600.412.Lecture03600.412.Lecture03
600.412.Lecture03
 
A Pulsar Use Case In Federated Learning - Pulsar Summit NA 2021
A Pulsar Use Case In Federated Learning - Pulsar Summit NA 2021A Pulsar Use Case In Federated Learning - Pulsar Summit NA 2021
A Pulsar Use Case In Federated Learning - Pulsar Summit NA 2021
 
IRJET - Multitenancy using Cloud Computing Features
IRJET - Multitenancy using Cloud Computing FeaturesIRJET - Multitenancy using Cloud Computing Features
IRJET - Multitenancy using Cloud Computing Features
 
How secured and safe is Cloud?
How secured and safe is Cloud?How secured and safe is Cloud?
How secured and safe is Cloud?
 
IRJET- Homomorphic Encryption Scheme in Cloud Computing for Security and Priv...
IRJET- Homomorphic Encryption Scheme in Cloud Computing for Security and Priv...IRJET- Homomorphic Encryption Scheme in Cloud Computing for Security and Priv...
IRJET- Homomorphic Encryption Scheme in Cloud Computing for Security and Priv...
 
Multi-tenancy: Winning formula for a PaaS
Multi-tenancy: Winning formula for a PaaSMulti-tenancy: Winning formula for a PaaS
Multi-tenancy: Winning formula for a PaaS
 
MULTI-FACTOR AUTHENTICATION SECURITY FRAMEWORK USING BlOCKCHAIN IN CLOUD COMP...
MULTI-FACTOR AUTHENTICATION SECURITY FRAMEWORK USING BlOCKCHAIN IN CLOUD COMP...MULTI-FACTOR AUTHENTICATION SECURITY FRAMEWORK USING BlOCKCHAIN IN CLOUD COMP...
MULTI-FACTOR AUTHENTICATION SECURITY FRAMEWORK USING BlOCKCHAIN IN CLOUD COMP...
 
I017225966
I017225966I017225966
I017225966
 
A Secure Framework for Cloud Computing With Multi-cloud Service Providers
A Secure Framework for Cloud Computing With Multi-cloud Service ProvidersA Secure Framework for Cloud Computing With Multi-cloud Service Providers
A Secure Framework for Cloud Computing With Multi-cloud Service Providers
 
20100925 cloudy security - porticor
20100925 cloudy security - porticor20100925 cloudy security - porticor
20100925 cloudy security - porticor
 
Cloud 12 08 V2
Cloud 12 08 V2Cloud 12 08 V2
Cloud 12 08 V2
 
Ppt On Cc
Ppt On CcPpt On Cc
Ppt On Cc
 
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They KeyOAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
 
Headquartered at home community publication nx n pakistan
Headquartered at home community publication nx n pakistanHeadquartered at home community publication nx n pakistan
Headquartered at home community publication nx n pakistan
 

Mais de ragibhasan

Dw bobs-shikkhok
Dw bobs-shikkhokDw bobs-shikkhok
Dw bobs-shikkhokragibhasan
 
Security and Privacy in Cloud Computing - a High-level view
Security and Privacy in Cloud Computing - a High-level viewSecurity and Privacy in Cloud Computing - a High-level view
Security and Privacy in Cloud Computing - a High-level viewragibhasan
 
600.412.Lecture02
600.412.Lecture02600.412.Lecture02
600.412.Lecture02ragibhasan
 
600.412.Lecture07
600.412.Lecture07600.412.Lecture07
600.412.Lecture07ragibhasan
 
600.412.Lecture06
600.412.Lecture06600.412.Lecture06
600.412.Lecture06ragibhasan
 
600.412.Lecture08
600.412.Lecture08600.412.Lecture08
600.412.Lecture08ragibhasan
 
Fake Picassos, Tampered History, and Digital Forgery: Protecting the Genealog...
Fake Picassos, Tampered History, and Digital Forgery: Protecting the Genealog...Fake Picassos, Tampered History, and Digital Forgery: Protecting the Genealog...
Fake Picassos, Tampered History, and Digital Forgery: Protecting the Genealog...ragibhasan
 
Lecture01: Introduction to Security and Privacy in Cloud Computing
Lecture01: Introduction to Security and Privacy in Cloud ComputingLecture01: Introduction to Security and Privacy in Cloud Computing
Lecture01: Introduction to Security and Privacy in Cloud Computingragibhasan
 

Mais de ragibhasan (8)

Dw bobs-shikkhok
Dw bobs-shikkhokDw bobs-shikkhok
Dw bobs-shikkhok
 
Security and Privacy in Cloud Computing - a High-level view
Security and Privacy in Cloud Computing - a High-level viewSecurity and Privacy in Cloud Computing - a High-level view
Security and Privacy in Cloud Computing - a High-level view
 
600.412.Lecture02
600.412.Lecture02600.412.Lecture02
600.412.Lecture02
 
600.412.Lecture07
600.412.Lecture07600.412.Lecture07
600.412.Lecture07
 
600.412.Lecture06
600.412.Lecture06600.412.Lecture06
600.412.Lecture06
 
600.412.Lecture08
600.412.Lecture08600.412.Lecture08
600.412.Lecture08
 
Fake Picassos, Tampered History, and Digital Forgery: Protecting the Genealog...
Fake Picassos, Tampered History, and Digital Forgery: Protecting the Genealog...Fake Picassos, Tampered History, and Digital Forgery: Protecting the Genealog...
Fake Picassos, Tampered History, and Digital Forgery: Protecting the Genealog...
 
Lecture01: Introduction to Security and Privacy in Cloud Computing
Lecture01: Introduction to Security and Privacy in Cloud ComputingLecture01: Introduction to Security and Privacy in Cloud Computing
Lecture01: Introduction to Security and Privacy in Cloud Computing
 

600.412.Lecture05

  • 1. Security and Privacy in Cloud Computing Ragib HasanJohns Hopkins Universityen.600.412 Spring 2010 Lecture 5 03/08/2010
  • 2. Securing Clouds 3/08/2010 Goal: Learn about different techniques for protecting a cloud against insider adversaries Reading Santos et al., Towards Trusted Cloud Computing, HotCloud 2009 Krautheim, Private Virtual Infrastructure for Cloud Computing, HotCloud 2009 Wood et al., The Case for Enterprise-Ready Virtual Private Clouds, HotCloud 2009 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 2
  • 3. The IaaS security problem 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 3 The cloud acts as a big black box, nothing inside the cloud is visible to the clients Clients have no idea or control over what happens inside a cloud Even if the cloud provider is honest, it can have malicious sys admins who can tamper with the VMs and violate confidentiality and integrity
  • 4. How to ensure that the cloud is not tampered with? Naïve Approach 1: Just trust the cloud provider Why won’t work: Provider may be honest, sys admins may not be so Naïve Approach 2: As the cloud provider to allow auditing of the cloud by the client Why won’t work: Providers are not willing to open their system to outside audits Workable Approach 3: Ask cloud provider for unforgeable proof/attestation Why may work: A third party proof not revealing other information may be enough for both client and provider 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 4
  • 5. How to audit with a third party? Allow third party access to cloud? Use trusted hardware 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 5
  • 6. Trusted Platform Module (TPM) 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 6 TPMs are inexpensive chips now included in most laptops Can be the building block for a trusted computing base Can bootstrap trust in a system Cannot (easily) be compromised to get the keys Endorsement Key: A private (RSA) key that identifies the chip Platform Configuration Register (PCR) : Can contain hashes of system configurations
  • 7. Trusted Cloud Computing Platform by Santos et al., HotCloud 09 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 7 Problem Insiders with root access can compromise confidentiality of client virtual machines Possible solution?: Encrypt virtual machines, but sooner or later, it has to be decrypted to run Possible Solution?: Only allow nodes running trustworthy software to decrypt the VM
  • 8. Threat Model Attacker A malicious insider with root level access to cloud nodes (i.e., can install new software, modify existing software etc., inspect VMs running on a node) Does not have physical access to machine 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 8
  • 9. How determine if a node is trustworthy? Major events that causes changes Node start, VM Launch, VM migration How to determine trustworthiness? A node is trustworthy if it has a trustworthy configuration (e.g., h/w, software etc.) Remote attestation can help in verifying configurations 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 9
  • 10. TCCP Architecture Nodes run Trusted Virtual Machine Monitors (TVMM), and TVVM configuration can be certified by TPMs External Trusted Entity (ETE) or the Trusted Coordinator (TC) is the trusted third party that verifies the node 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 10
  • 11. TCCP Protocols 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 11 Node registration VM Launch VM Migrate
  • 12. TCCP limitations Any single point of failure? Will it increase the attack surface? How about cost-effectiveness? 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 12
  • 13.
  • 14. Separate the different clients through their exclusive private virtual infrastructures
  • 15.
  • 16. 5 Tenets of Cloud Computing Security Provide a trusted foundation Provide a secure provisioning factory Provide measurement and attestation mechanisms Provide secure shutdown and destruction of VMs Provide continuous monitoring and auditing 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 15
  • 17. LoBots LoBots Secure VM Architecture and transfer protocol Act as the trusted agent of the PVI factory inside a cloud Can measure and monitor cloud on behalf of the factory 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 16
  • 18. PVI Model 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 17
  • 19. CloudNetWood et al., HotCloud 09 Problem: Migrating to cloud is difficult for enterprise applications Opening up network to outside access can expose system to outsider attacks Solution: Merge VPN technology with clouds Network provider collaborates to set up a VPN link between enterprise and cloud 3/08/2010 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan 18
  • 20. 3/08/2010 19 en.600.412 Spring 2010 Lecture 5 | JHU | Ragib Hasan Further Reading TPM Reset Attack http://www.cs.dartmouth.edu/~pkilab/sparks/ Halderman et al., Lest We Remember: Cold Boot Attacks on Encryption Keys, USENIX Security 08, http://citp.princeton.edu/memory/