1

NETE4631Cloud Privacy and Security

Lecture Notes #9

Managing the Cloud - Recap

2

Capacity Planning – Recap (2)

Steps for capacity planner Examine what systems are in place Measuring their workload

Resources - CPU, RAM, disk, and network Load testing and identifying resource ceiling Determining usage pattern & predict future

demand Add or tear down resources to meet demand

Scenario Scale vertically (scale up) Scale horizontally (scale out)

3

Lecture Outline Statistical challenges in the cloud Security implications Security and privacy challenges Security mapping

Security responsibilities Security service boundary Approaches

Securing data Identity management Standard compliance

4

Characteristics of Cloud (NIST)

5

Statistical Challenges in the Cloud

6

Security Implications

Outsourcing Data and Applications Extensibility and Shared

Responsibility Service-Level Agreements (SLAs) Virtualization and Hypervisors Heterogeneity Compliance and Regulations

7

Security & Privacy Challenges

Authentication and Identity Management

Access Control and Accounting Trust Management and Policy

Integration Secure-Service Management Privacy and Data Protection Organizational Security

Management8

Security Mapping Determine which resources you are planning to

move to the cloud Determine the sensitivity of the resources to risk Determine the risk associated with the particular

cloud deployment type (public, private, or hybrid models) of a resource

Take into account the particular cloud service model that you will be using

If you have selected a particular cloud provider, you need to evaluate its system to understand how data is transferred, where it is stored, and how to move data both in and out of the cloud

9

The AWS Security Center

10

Security Responsibilities

Cloud Deployment Models (NIST) Public clouds Private clouds Hybrid clouds

11

Security Service Boundary

12By Cloud Security Alliance (CSA)

Approaches

Techniques for securing applications, data, management, network, and physical hardware Data-Centric Security and Privacy Identity Management

Comply to compliance standards

13

Techniques for securing resources

Picture from Alexandra Institute 14

Securing Data

Access control Authentication Authorization Encryption

15

Brokered Cloud Storage Access

16

Establishing Identities

What is the identity? Things you are Things you know Things you have Things you relate to

They can be used to authenticate client requests for services Control access to data in the cloud Preventing unauthorized used Maintain user roles

17

Steps for establishing identities for cloud computing Establish an identity Identity be authenticated Authentication can be portable Authentication provide access to

resources

18

Defining Identity as a Service (IDaaS)

Store the information that associates with a digital entity used in electronic transactions

Core functions Data store Query engine Policy engine

19

Core IDaaS applications

20

Authentication Protocol Standards

OpenID 2.0 http://openid.net OAuth http://oauth.net

21

Policy Engine (XACML)

22

SAML Single Sign On Request/ Response Mechanism

23

24

Auditing

Auditing is the ability to monitor the events to understand performance

Proprietary log formats Might not be co-located

Auditing (2)

25Picture from Alexandra Institute

26

Regulatory Compliance

All regulations were written without keeping Cloud Computing in mind.

Clients are held responsible for compliance under the laws that apply to the location where the processing or storage takes place.

Security laws that requires companies providing sensitive personal information have to encrypt data transmitted and stored on their systems (Massachusetts March, 2012).

Regulatory Compliance (2) You have to ensure the followings:

Contracts reviewed by your legal staff The right to audit in your SLA Review cloud service providers their security

and regulatory compliance Understand the scope of the regulations that

apply to your cloud-based applications Consider what steps to take to comply with the

demand of regulations that apply and/ or adjusting your procedures to this matter

Collect and maintain the evidence of your compliance with regulations

27

Defining Compliance as a Service (CaaS) CaaS needs to

Serve as a trusted party Be able to manage cloud relationships Be able to understand security policies

and procedures Be able to know how to handle information

and administer policy Be aware of geographic location Provide an incidence response, archive,

and allow for the system to be queried, all to a level that can be captured in a SLA

28

Defining Compliance as a Service (CaaS) (2) Examples of clouds that advertise

CaaS capabilities include the following: Athenahealth for the medical industry Bankserv for the banking industry ClearPoint PCI for mechant

transactions FedCloud for goverment

29

References

Chapter 4, 12 of Course Book: Cloud Computing Bible, 2011, Wiley Publishing Inc.

Research paper - Security and Privacy Challenges in Cloud Computing Environments, Hassan Takabi and James B.D. Joshi, University of Pittsburgh

30