Nov.8, 2010 Kai Hwang, USC 1
Security, Privacy, and Data Protection for Trusted Cloud Computing
Prof. Kai Hwang, University of Southern California
Keynote Address, International Conference on Parallel and Distributed Computing and Systems (PDCS 2010), Marina Del Rey, CA. Nov. 8, 2010
Cloud Platforms over Datacenters
Cloud Infrastructure and Services
Reputation-based Trust Management
Data Coloring and Software Watermarking
Cloud Support of The Internet of Things
Handy Tools We Use over the Evolutionary Periods in History
Is it safe to play with your computer when you are naked and vulnerable?
Top 10 Technologies for 2010
Web 2.0, Clouds, and Internet of Things
Figure legend: HPC: High-Performance Computing; HTC: High-Throughput Computing; P2P: Peer to Peer; MPP: Massively Parallel Processors
Source: K. Hwang, G. Fox, and J. Dongarra, Distributed Systems and Cloud Computing, Morgan Kaufmann, 2011 (in press)
Public, Private and Hybrid Clouds
Source: Distributed Systems and Cloud Computing, [2]
Cloud Computing as a Service [9]
Cloud Providers, Services and Security Measures
Kai Hwang and Deyi Li, “Trusted Cloud Computing with Secure Resources and Data Coloring”, IEEE Internet Computing, Sept. 2010
Amazon Virtual Private Cloud (VPC) (http://aws.amazon.com/vpc/)
vSphere 4: An OS for a Cloud Platform
Cloud Services Stack (bottom to top)
Network Cloud Services
Co-Location Cloud Services
Compute & Storage Cloud Services
Platform Cloud Services
Application Cloud Services
Top 8 Cloud Computing Companies
Marc Benioff, Founder of Salesforce.com: A SaaS and PaaS Cloud Provider
1986: graduated from USC
1999: started salesforce.com
2003-05: appointed chairman of the US Presidential IT Advisory Committee
2009: announced the Force.com platform for cloud business computing
Security and Trust Crisis in Cloud Computing
Protecting datacenters must first secure cloud resources and uphold user privacy and data integrity. Trust overlay networks could be applied to build reputation systems for establishing trust among interacting datacenters. A watermarking technique is suggested to protect shared data objects and massively distributed software modules. These techniques safeguard user authentication and tighten data access control in public clouds. The new approach could be more cost-effective than using traditional encryption and firewalls to secure the clouds.
Trusted Zones for VM Insulation
Figure: Tenant #1 and Tenant #2 each run APP/OS stacks on a virtual infrastructure layered over the cloud provider's physical infrastructure.
Goals: insulate information from cloud providers' employees; insulate information from other tenants; insulate infrastructure from malware, Trojans and cybercriminals; segregate and control user access; control and isolate VMs in the virtual infrastructure; federate identities with public clouds; enable an end-to-end view of security events and compliance across infrastructures.
Mechanisms: identity federation; virtual network security; access management; cybercrime intelligence; strong authentication; data loss prevention; encryption and key management; tokenization; security information and event management (SIEM) and GRC; anti-malware.
Data Security and Copyright Protection in a Trusted Cloud Platform
Source: References [3, 4]
Security Protection Mechanisms for Public Clouds
Mechanism: Brief description
Trust delegation and negotiation: Cross certificates must be used to delegate trust across different PKI domains. Trust negotiation among different CSPs demands resolution of policy conflicts.
Worm containment and DDoS defense: Internet worm containment and distributed defense against DDoS attacks are necessary to secure all datacenters and cloud platforms.
Reputation system over resource sites: A reputation system could be built with P2P technology. One can build a hierarchy of reputation systems from datacenters down to distributed file systems.
Fine-grain access control: Access control at the file or object level. This adds security protection beyond firewalls and intrusion detection systems.
Collusive piracy prevention: Piracy prevention achieved with peer collusion detection and content poisoning techniques.
Cloud Service Models and Their Security Demands
Cloud computing will not be accepted by common users unless the trust and dependability issues are resolved satisfactorily [1].
Trust Management for Protecting Cloud Resources and Safeguarding Datacenter Operations [3]
Source: [4]
PowerTrust Built over a Trust Overlay Network
R. Zhou and K. Hwang, "PowerTrust: A scalable and robust reputation system for structured P2P networks", IEEE TPDS, May 2007
Figure components: Trust Overlay Network; Local Trust Scores; Power Nodes; Initial Reputation Aggregation; Regular Random Walk; Look-ahead Random Walk; Distributed Ranking Module; Reputation Updating; Global Reputation Scores V = (v1, v2, v3, ..., vn)
Distributed Defense against DDoS Attacks over Multiple Network Domains
(Chen, Hwang, and Ku, IEEE Trans. on Parallel and Distributed Systems, Dec. 2007)
Data Coloring via Watermarking
Color Matching to Authenticate Data Owners and Cloud Service Providers
The Internet of Things
Figure: The Internet -> Internet Clouds -> Internet of Things (IoT) -> Smart Earth (an IBM dream)
Opportunities of IOT in 3 Dimensions
Architecture of the Internet of Things
Application layer: Merchandise Tracking, Environment Protection, Intelligent Search, Tele-medicine, Intelligent Traffic, Smart Home, Cloud Computing Platform
Network layer: Mobile Telecom Network, The Internet, Information Network
Sensing layer: RFID and RFID Labels, Sensor Network and Sensor Nodes, GPS, Road Mapper
Supply Chain Management supported by the Internet of Things (http://www.igd.com)
Smart Power Grid
Mobility Support and Security Measures for Mobile Cloud Computing
Columns: Cloud Service Model | Mobility Support and Data Protection Methods | Hardware and Software Measures for Cloud Security
Infrastructure Cloud (the IaaS model) | Special air interfaces; Mobile API design; File/log access control; Data coloring | Hardware/software root of trust; Provisioning of virtual machines; Software watermarking; Host-based firewalls and IDS
Platform Cloud (the PaaS model) | Wireless PKI; User authentication; Copyright protection; Disaster recovery | Network-based firewalls and IDS; Trust overlay network; Reputation system; OS patch management
Service-Oriented Cloud of Clouds (Intercloud or Mashup)
Figure: Cloud of clouds, from Raw Data to Wisdom (SS = sensor service, fs = filter service). Pipeline: Raw Data -> Data -> Information -> Knowledge -> Wisdom -> Decisions. Components shown: sensor services feeding a Sensor or Data Interchange Service, a Database, Another Grid, Another Service, a Storage Cloud, a Compute Cloud, Filter Clouds composed of filter services, and Discovery Clouds; contrasted with a traditional grid with exposed services.
Conclusions: Computing clouds are changing the whole IT and service industry and the global economy. Clearly, cloud computing demands ubiquity, efficiency, security, and trustworthiness.
Cloud computing has become common practice in business, government, education, and entertainment, leveraging some 50 million servers installed globally at thousands of datacenters today.
Private clouds will become widespread in addition to the use of a few public clouds, which are under heavy competition among Google, MS, Amazon, Intel, EMC, IBM, SGI, VMware, Salesforce.com, etc.
Effective trust management, guaranteed security, user privacy, data integrity, mobility support, and copyright protection are crucial to the universal acceptance of the cloud as a ubiquitous service.
SGI Cyclone HPC cloud for enabling SaaS and IaaS applications (http://www.sgi.com/cyclone)
Nebula Cloud developed by NASA (http://nebula.nasa.gov)
Cloud Computing: Service Provider Priorities
Ensure confidentiality, integrity, and availability in a multi-tenant environment.
Effectively meet the advertised SLA while optimizing cloud resource utilization.
Offer tenants capabilities for self-service, and achieve scaling through automation and simplification.
Google App Engine Platform for PaaS Operations
Table 1: Cloud Security Responsibilities by Providers and Users
Source: Reference [4]
Concept of Virtual Clusters
(Source: W. Emeneker et al., "Dynamic Virtual Clustering with Xen and Moab", ISPA 2006, Springer-Verlag LNCS 4331, 2006, pp. 440-451)