View
10
Download
0
Category
Preview:
Citation preview
Defining, Securing, and
Standardizing Cloud Computing
Tim Grance
NIST, Information Technology Laboratory
22 July 2010
2
Caveats and Disclaimers
• This presentation provides education on
cloud technology and its benefits to set up a
discussion of cloud security
• Looking for feedback on NIST role and ideas
presented
• It is NOT intended to provide official NIST
guidance and NIST does not make policy
• Any mention of a vendor or product is NOT
an endorsement or recommendation
Our Challenge
Technology is not kind. It does not wait. It
does not say please. It slams into existing
systems often destroying them whilst
creating new ones
Joseph Alois Schumpeter
1883-1950
Three Views on “Software”
Trustworthiness
1. Satisfies requirements/specs
2. Satisfies development processes (e.g.,
CMM)
3. Fit for purpose/operation
Cloud Trustworthiness
• Requires confidence in:
– Hardware
– Software
– Bandwidth (communications)
• Only (3) fit for purpose applies to cloud from
the consumer/user standpoint
(3) Fit For Purpose Attributes
Reliable/
accurate
(integrity)
Secure/
private
Timeliness
Trustworthiness
Problem: Intuitive
Lower Attributes
Reliable/
accurateSecure/
private
Timeliness
reliability security performanceavailabilityprivacy
fault tolerance fault tolerance
confidentiality
intrusion tolerancetestability
confidentiality, availability, integrity
Trustworthiness
Two Components
x y
With Attributes
x y
x has the following properties:
(aR, bP, cF, dSa, eSe, fA, gT, hM)
y has the following properties:
(iR, jP, kF, lSa, mSe, nA, oT, pM)
Compose Them:
What Have You Got?
xy
Then F(x o y) will inherit some level of trustworthiness from
the individual components. Is that level of trustworthiness
an integer? Probability? An n-tuple of values? Color coded
(green, red, yellow)?
Key Point: Predictions of future behavior
Key Message for Cloud
• Trustworthiness attributes are only reasonable to talk about within a
system context, i.e., it is not reasonable to talk about them and attempt
to measure them as standalone component properties. Eventual target
environments must be anticipated.
System Context: Operational Environment
Reliable/
accurateSecure/
private
Timeliness
reliability security performanceavailabilityprivacy
fault tolerance fault tolerance
confidentiality
intrusion tolerancetestability
Operational Environment!
t0 t∞Time
t0 t∞
Threat Space
EnvironmentSoftware
System
Time
“attributes”
Policies
Δ
A2
A1
P2
P1
S1
E2E1
T1
S2
V1.1V1.2
QUALITY ASSURANCE AND THE SINKING OF THE LARGEST OFFSHOREOIL PLATFORM
March 2001
For those of you who may
be involved in project cost
control (at whatever level),
please read this quote from a
Petrobras executive,
extolling the benefits of
cutting quality assurance
and inspection costs,
on the project that
was deployed in the
Atlantic Ocean off the
coast of Brazil in
March 2001.
"Petrobras has established new global benchmarks for the generation of exceptional shareholder wealth
through an aggressive and innovative program of cost cutting on its P36 production facility.
Conventional constraints have been successfully challenged
and replaced with new paradigms appropriate to the globalized corporate market place.
Through an integrated network of facilitated workshops,
the project successfully rejected: (1) the established constricting and negative influences of prescriptive engineering,
(2) onerous quality requirements, and (3) outdated concepts of inspection and client control.
Elimination of these unnecessary straitjackets has empowered the project's suppliers and contractors to propose highly economical solutions,
with the win-win bonus of enhanced profitability margins for themselves.
The P36 platform shows the shape of things to come
in the unregulated global market economy of the 21st Century.”
And now you have seen the final result of
this proud achievement by Petrobras.
QUIZ:
1. How many lives were lost to this cost saving effort and
how did this impact the environment, needlessly?
2. Did the person giving this speech or anyone in upper management connected with this decision lose their
job/bonus?
3. How much did Petrobras really save?
4. Does your company feel the same way about QA? If so,
you’d better know how to swim.
32
A Working Definition of Cloud Computing
• Cloud computing is a model for enabling
convenient, on-demand network access to a
shared pool of configurable computing
resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly
provisioned and released with minimal
management effort or service provider
interaction.
• This cloud model promotes availability and is composed
of five essential characteristics, three service models,
and four deployment models.
What is Cloud Computing?
5 Key Characteristics
Broad network access
Resource pooling
anywhere / any device
On-demand self service
renting takes minutes
$
1
2
=conserve resources
Measured Service3
Rapid Elasticity
Jan Feb Mar …… Dec�
� Jan
=$(
(
)
)$rent it in any quantity
4
5
off off on
reduces cost
34
3 Cloud Service Models
• Cloud Software as a Service (SaaS)
– Use provider’s applications over a network
• Cloud Platform as a Service (PaaS)
– Deploy customer-created applications to a cloud
• Cloud Infrastructure as a Service (IaaS)
– Rent processing, storage, network capacity, and other fundamental computing resources
• To be considered “cloud” they must be deployed on top of cloud infrastructure that has the key characteristics
35
4 Cloud Deployment Models
• Private cloud
– enterprise owned or leased
• Community cloud
– shared infrastructure for specific community
• Public cloud
– Sold to the public, mega-scale infrastructure
• Hybrid cloud
– composition of two or more clouds
36
Common Cloud Characteristics
• Cloud computing often leverages:
– Massive scale
– Homogeneity
– Virtualization
– Resilient computing
– Low cost software
– Geographic distribution
– Service orientation
The NIST Cloud Definition Framework
37
CommunityCloud
Private Cloud
Public Cloud
Hybrid Clouds
Deployment
Models
Service
Models
Essential
Characteristics
Common
Characteristics
Software as a
Service (SaaS)
Platform as a
Service (PaaS)
Infrastructure as a
Service (IaaS)
Resource Pooling
Broad Network Access Rapid Elasticity
Measured Service
On Demand Self-Service
Low Cost Software
Virtualization Service Orientation
Advanced Security
Homogeneity
Massive Scale Resilient Computing
Geographic Distribution
What are the issues?
• Security & Privacy
• Network Access
• Interoperability/Portability
• Lifecycle Costs, Architectural Considerations
• Compliance
• Service Level Agreements
• Legal
• Standards
Cloud Standards Vision
• Provide advice to industry and government
for the creation and management of relevant
cloud computing standards allowing all
parties to gain the maximum value from
cloud computing
39
4040
NIST and Standards
• Promote cloud standards:
– Propose roadmaps
– Act as a catalyst
– Promote adoption of cloud standards
– Use cases, reference implementations
41
Cloud Standards Ideas
• Fungible clouds
– (mutual substitution of services)
– Data and customer application portability
– Common interfaces, semantics, programming
models
– Federated security services
– Vendors compete on effective implementations
• Enable and foster value add on services
– Advanced technology
– Vendors compete on innovative capabilities
4242
A proposal:
Standards Roadmap
• We need to define minimal standards
– Enable secure cloud integration, application
portability, and data portability
– Avoid over specification that will inhibit innovation
– Separately addresses different cloud models
43
Towards the Creation of
a Roadmap (I)
• Thoughts on standards:
– Usually more service lock-in as you move up the
SPI stack (IaaS->PaaS->SaaS)
– IaaS is a natural transition point from traditional
enterprise datacenters
• Base service is typically computation, storage, and
networking
– The virtual machine is the best focal point for
fungibility
– Security and data privacy concerns are the two
critical barriers to adopting cloud computing
44
Towards the Creation of
a Roadmap (II)
• Result:
– Focus on an overall IaaS standards roadmap as
a first major deliverable
– Research PaaS and SaaS roadmaps as we
move forward
– Provide visibility, encourage collaboration in
addressing these standards as soon as possible
– Identify common needs for security and data
privacy standards across IaaS, PaaS, SaaS
45
A Roadmap for IaaS
• Needed standards
– VM image distribution (e.g., DMTF OVF)
– VM provisioning and control (e.g., EC2 API)
– Inter-cloud VM exchange (e.g., ??)
– Persistent storage (e.g., Azure Storage, S3, EBS,
GFS, Atmos)
– VM SLAs (e.g., ??) – machine readable
• uptime, resource guarantees, storage redundancy
– Secure VM configuration (e.g., SCAP)
46
A Roadmap for PaaS and SaaS
• More difficult due to proprietary nature
• A future focus for NIST
• Standards for PaaS could specify
– Supported programming languages
– APIs for cloud services
• Standards for SaaS could specify
– SaaS-specific authentication / authorization
– Formats for data import and export (e.g., XML schemas)
– Separate standards may be needed for each application
space
47
Security and Data Privacy Across
IaaS, PaaS, SaaS
• Many existing standards
• Identity and Access Management (IAM)
– IdM federation (SAML, WS-Federation, Liberty ID-FF)
– Strong authentication standards (HOTP, OCRA, TOTP)
– Entitlement management (XACML)
• Data Encryption (at-rest, in-flight), Key Management
– PKI, PKCS, KEYPROV (CT-KIP, DSKPP), EKMI
• Records and Information Management (ISO 15489)
• E-discovery (EDRM)
48
Security Relevant Cloud
Components
• Cloud Provisioning Services
• Cloud Data Storage Services
• Cloud Processing Infrastructure
• Cloud Support Services
• Cloud Network and Perimeter Security
• Identity Management, Crypto/Key
Management, Compliance, etc
• Elastic Elements: Storage, Processing, and
Virtual Networks
49
Analyzing Cloud Security
• Some key issues:
– trust, multi-tenancy, encryption, compliance
• Clouds are massively complex systems can
be reduced to simple primitives that are
replicated thousands of times and common functional units
• Cloud security is a tractable problem
– There are both advantages and challenges
Former Intel CEO, Andy Grove: “only the paranoid survive”
50
General Security Advantages
• Shifting public data to a external cloud
reduces the exposure of the internal
sensitive data
• Cloud homogeneity makes security
auditing/testing simpler
• Clouds enable automated security
management
• Redundancy / Disaster Recovery
51
General Security Challenges
• Trusting vendor’s security model
• Customer inability to respond to audit findings
• Obtaining support for investigations
• Indirect administrator accountability
• Proprietary implementations can’t be examined
• Loss of physical control
52
Security Relevant Cloud
Components
• Cloud Provisioning Services
• Cloud Data Storage Services
• Cloud Processing Infrastructure
• Cloud Support Services
• Cloud Network and Perimeter Security
• Elastic Elements: Storage, Processing, and
Virtual Networks
53
Provisioning Service
• Advantages
– Rapid reconstitution of services
– Enables availability
• Provision in multiple data centers / multiple instances
– Advanced honey net capabilities
• Challenges
– Impact of compromising the provisioning service
54
Data Storage Services
• Advantages
– Data fragmentation and dispersal
– Automated replication
– Provision of data zones (e.g., by country)
– Encryption at rest and in transit
– Automated data retention
• Challenges
– Isolation management / data multi-tenancy
– Storage controller
• Single point of failure / compromise?
– Exposure of data to foreign governments
55
Cloud Processing Infrastructure
• Advantages
– Ability to secure masters and push out secure
images
• Challenges
– Application multi-tenancy
– Reliance on hypervisors
– Process isolation / Application sandboxes
56
Cloud Support Services
• Advantages
– On demand security controls (e.g.,
authentication, logging, firewalls…)
• Challenges
– Additional risk when integrated with customer
applications
– Needs certification and accreditation as a
separate application
– Code updates
57
Additional Issues
• Issues with moving PII and sensitive data to the cloud
– Privacy impact assessments
• Using SLAs to obtain cloud security
– Suggested requirements for cloud SLAs
– Issues with cloud forensics
• Contingency planning and disaster recovery for cloud implementations
• Handling compliance
– FISMA
– HIPAA
– SOX
– PCI
– SAS 70 Audits
58
Secure Migration Paths
for Cloud Computing
59
The ‘Why’ and ‘How’ of Cloud Migration
• There are many benefits that explain
why to migrate to clouds
– Cost savings, power savings, green
savings, increased agility in software
deployment
• Cloud security issues may drive and
define how we adopt and deploy
cloud computing solutions
60
Balancing Threat Exposure and
Cost Effectiveness
• Private clouds may have less threat exposure than community clouds which
have less threat exposure than public clouds.
• Massive public clouds may be more cost effective than large community clouds which
may be more cost effective than small private
clouds.
• Doesn’t strong security controls mean that I can adopt the most cost effective approach?
61
Cloud Migration and Cloud Security
Architectures
• Clouds typically have a single security architecture
but have many customers with different demands
– Clouds should attempt to provide configurable security
mechanisms
• Organizations have more control over the security
architecture of private clouds followed by
community and then public
– This doesn’t say anything about actual security
• Higher sensitivity data is likely to be processed on
clouds where organizations have control over the
security model
62
Putting it Together
• Most clouds will require very strong security
controls
• All models of cloud may be used for differing
tradeoffs between threat exposure and
efficiency
• There is no one “cloud”. There are many
models and architectures.
• How does one choose?
63
Migration Paths for
Cloud Adoption
• Use public clouds
• Develop private clouds
– Build a private cloud
– Procure an outsourced private cloud
– Migrate data centers to be private clouds (fully virtualized)
• Build or procure community clouds
– Organization wide SaaS
– PaaS and IaaS
– Disaster recovery for private clouds
• Use hybrid-cloud technology
– Workload portability between clouds
64
Possible Effects of
Cloud Computing
• Small enterprises use public SaaS and public
clouds and minimize growth of data centers
• Large enterprise data centers may evolve to act as
private clouds
• Large enterprises may use hybrid cloud
infrastructure software to leverage both internal and
public clouds
• Public clouds may adopt standards in order to run
workloads from competing hybrid cloud
infrastructures
Use CasesUse Case: a description of how groups of users and their resources may
interact with one or more systems to achieve specific goals.
Goal
Step 1
Step 2
…
Step a
Step b
…
Step I
Step j
…OR OR . . .
abstract
use case
add concrete details
case study
65
Use CasesUse Case: a description of how groups of users and their resources may
interact with one or more cloud computing systems to achieve specific goals.
Goal
Step 1
Step 2
…
Step a
Step b
…
Step I
Step j
…OR OR . . .
abstract
use case
add concrete details
case study
Example:
Parent
Student
Bank
$$
66
• transfer data in
• transfer data out
• backup to cloud7
• restore from cloud7
• archive/preservation
to cloud7
• SLA comparison
• info discovery7
• user Acct mgmt
• compliance4
• special security4
• inter-cloud data transfer
• multi-hop data transfer
• storage peering7
• backup between clouds7
• cloud broker4
• cloud burst
• VM migration
• dynamic dispatch5
• fault-tolerant group
• alloc/start/stop…1
• queueing1
•horizontal
scaling of
data/processing
• services
• sharing access
• access by name
• access by pattern
• strong erase
• cloud drive7
- synchronization
Preliminary Use Case Taxonomy for a
Public Cloud (focus on IaaS)
File/Object SystemLike
Job Control &Programming
Cloud-2-Cloud Admin Data Management
Portability Interoperability Security
Note: these use cases are preliminary.
Credits: SNIA [7], aws.amazon.com [1], DMTF [4], libcloud [5], May 11 Use Case Workshop, Gaithersburg MD (first of a sequence).
67
File/Object System LikeSharing access ProviderCustomer
12 other Customers
Users
data
data
grant-cmd
Access by name ProviderCustomer
data
read /foo/bar Compatible modes: read, write, append, truncate, chown, chmod, chgrp, …
Access by pattern ProviderCustomer
matching records
query “pattern”Specifying patterns, records.Access control?
Strong erase ProviderCustomer erase-cmd Getting confidence?Zero out, multi-pass?DoD 5220-22?“ok!”
Cloud Drive ProviderCustomer Looks like a local diskSynchronization?Security defaults?like NFS, AFS
credit: SNIA [7]
68
Job Control and Programming
Alloc/start/stopallocate
Configure
Internal
resources
Configure
External
Resources
Manage
Instances:
run, restart, terminate…deallocate
compatibility, portability…
compatibility,portability…upstream workers downstream workers
Queue services
. . .
(thread synchronization
in the large)
Services
“services”
like ordinaryhosting, butwith morescale, lesslocationawareness.
credit: aws.amazon.com [1]
credit: aws.amazon.com [1]
69
Cloud-2-Cloud
Inter-clouddata transfer
Provider 1
Customer
Data Object
Network Scenario
Provider 2
request request
Provider 1
Customer
Physical Scenario
Provider 2
request request
Physical DataContainer
protection of data in transitverification of data receivedcoherent namingcompatible cryptocompatible access control metadata, ownership
some issues:
Multi-hopinter-clouddata transfer
Provider 1
Customer
Data Object
Network Scenario
Provider 2
request request
Provider 1
Customer
Physical Scenario
Provider 2
request request
Physical DataContainer
same issues, and in addition: after round trip, data is still as useful
70
Cloud-2-Cloud (2)
Storagepeering
Provider 1
Customer
Provider 2other
client data
need common policies for naming of data objects, access control, snapshot/cloning, etc.
credit: SNIA [7]
someclient data
commonpolicies
Backup/restorebetweenclouds
Provider 1
Customer
Provider 2backup
data
common archivalformat, procedures,data protection intransit, verification,key management, …
credit: SNIA [7]
client working data
backup
restore
(an example of multi-hop)
Cloud broker Provider 1
Customer
Provider 2broker could providea simple or stableinterface to customers,even when providerschange or have diverse APIs.
credit: DMTF [4]
broker
(resources) (resources)
(no resources)
71
Cloud-2-Cloud (3)Cloud Burst
Provider Customer Datacenter
need common policies for naming of data objects, access control, snapshot/cloning, etc.
1 vm1 vmNvm2 ...
Provider Customer Datacenter
vm1 vmNvm2 ...
Provider Customer Datacenter
vm1 vmNvm2 ...
2
3
vmN+1 vmN+2 vmN+M
VM migration(suspend-resume orlive)
Provider 1
Customer
dynamic configof networks,VM formats (e.g., OVF [6]),hypervisordiversity…
vm1 vmNvm2 ...Provider 2
vmNvm2 ...
72
Cloud-2-Cloud (4)
Fault-tolerantgroup
Customer
cloudaccesslibrary
API 1API 2…API N
API
wrappers for clouds(e.g., libCloud)
transactions
replicationconcurrency controlnestingACID propertiesbyzantine?other…
standardized fault tolerance protocols,QOS requirements,etc.
Dynamic dispatchCustomer
credit: libCloud [5]
73
Admin
SLAcomparison
Customer
. . .
SLA 1
SLA 2
SLA 3
?
Cloud ProviderPromises
availability
remedies for failure to perform
data preservation
legal care of customer info
Limitations
scheduled outages
force majeure events
changes to the SLA
security
service API changes
User Promises
acceptable use policies
provided software
on-time payment
An SLA Template?
perhaps as a prelude to more detailed terms that extend but do not contradict?
Info Discovery A search service that retrieves documents
subpoenaed for court.
who gets notified?who bears costs?timeliness?
User AcctMgmt
A cloud customer may have his/her own
customers, and a provider sometimes provides
SaaS-style customer management services.
How to prevent “jar’ing” of customer-customers when providers change?
credit: SNIA [7]
74
Admin (2)
Compliance Providers sometimes assert compliance with
(HIPPA, PCI, Sarbanes-Oxley, FISMA)
requirements.
how can customers tell?
SpecialSecurity
E.g., a “mono-tenancy” requirement for a
customer’s workloads.
how can customers specifyand tell?
credit: DMTF [4]
credit: DMTF [4]
75
Data Management
• transfer data in
• transfer data out
• backup to cloud
• restore from cloud
• archive/preservation
to cloud
Provider
Customer
Data Object
Provider
Customer
Physical Data Container
Network Scenario Physical Scenario
protection in transit;verification of correct data received;correct naming;initialization of access rules;…
76
77
Questions?
• Tim Grance, Peter Mell, Lee Badger, Jeff
Voas, Chandramouli, and Karygiannis
• NIST, Information Technology Laboratory
• Computer Security Division
References
[7] “Cloud Storage Use Cases”, Storage Network Industry Association, Version 0.5 rev 0, June 8, 2009.
[6] “Open Virtualization Format Specification”, DMTF Document Number DSP0243, Version 1.0, Feb. 22, 2009.
[8] “Starting Amazon EC2 with Mac OS X”. Robert Sosinski. http://www.robertsosinski.com/2008/01/26
/starting-amazon-ec2-with-mac-os-x/
[1] Amazon Web Services, aws.amazon.com.
[4] “Interoperable Clouds, A White Paper from the Open Cloud Standards Incubator”, Distributed Management
Task Force, Version 1.0, DMTF Informational, Nov. 11, 2009, DSP-IS0101
[3] IDC Enterprise Panel, August 2008 n=244
[2] “Eucalyptus: A Technical Report on an Elastic Utility Computing Architecture Linking Your Programs to
Useful Systems”, UCSB Computer Science Technical Report Number 2008-10.
[10] “Ubuntu Enterprise Cloud Architecture”, S. Wardley, E. Goyer and N. Barcet, Technical White Paper, 2009,
www.canonical.com
[9] “The Eucalyptus Open-source Cloud-computing System”, D. Nurmi, R. Wolski, C. Grzegorcyk, G. Obertelli,
S. Soman, L. Youseff, D. Zagorodnov, in Proceedings of Cloud Computing and Its Applications, Oct. 2008.
[5] libcloud, http://incubator.apache.org/libcloud/
78
Recommended