1
NETE4631Cloud Privacy and Security
Lecture Notes #9
Managing the Cloud - Recap
2
Capacity Planning – Recap (2)
Steps for capacity planner Examine what systems are in place Measuring their workload
Resources - CPU, RAM, disk, and network Load testing and identifying resource ceiling Determining usage pattern & predict future
demand Add or tear down resources to meet demand
Scenario Scale vertically (scale up) Scale horizontally (scale out)
3
Lecture Outline Statistical challenges in the cloud Security implications Security and privacy challenges Security mapping
Security responsibilities Security service boundary Approaches
Securing data Identity management Standard compliance
4
Characteristics of Cloud (NIST)
5
Statistical Challenges in the Cloud
6
Security Implications
Outsourcing Data and Applications Extensibility and Shared
Responsibility Service-Level Agreements (SLAs) Virtualization and Hypervisors Heterogeneity Compliance and Regulations
7
Security & Privacy Challenges
Authentication and Identity Management
Access Control and Accounting Trust Management and Policy
Integration Secure-Service Management Privacy and Data Protection Organizational Security
Management8
Security Mapping Determine which resources you are planning to
move to the cloud Determine the sensitivity of the resources to risk Determine the risk associated with the particular
cloud deployment type (public, private, or hybrid models) of a resource
Take into account the particular cloud service model that you will be using
If you have selected a particular cloud provider, you need to evaluate its system to understand how data is transferred, where it is stored, and how to move data both in and out of the cloud
9
The AWS Security Center
10
Security Responsibilities
Cloud Deployment Models (NIST) Public clouds Private clouds Hybrid clouds
11
Security Service Boundary
12By Cloud Security Alliance (CSA)
Approaches
Techniques for securing applications, data, management, network, and physical hardware Data-Centric Security and Privacy Identity Management
Comply to compliance standards
13
Techniques for securing resources
Picture from Alexandra Institute 14
Securing Data
Access control Authentication Authorization Encryption
15
Brokered Cloud Storage Access
16
Establishing Identities
What is the identity? Things you are Things you know Things you have Things you relate to
They can be used to authenticate client requests for services Control access to data in the cloud Preventing unauthorized used Maintain user roles
17
Steps for establishing identities for cloud computing Establish an identity Identity be authenticated Authentication can be portable Authentication provide access to
resources
18
Defining Identity as a Service (IDaaS)
Store the information that associates with a digital entity used in electronic transactions
Core functions Data store Query engine Policy engine
19
Core IDaaS applications
20
Authentication Protocol Standards
OpenID 2.0 http://openid.net OAuth http://oauth.net
21
Policy Engine (XACML)
22
SAML Single Sign On Request/ Response Mechanism
23
24
Auditing
Auditing is the ability to monitor the events to understand performance
Proprietary log formats Might not be co-located
Auditing (2)
25Picture from Alexandra Institute
26
Regulatory Compliance
All regulations were written without keeping Cloud Computing in mind.
Clients are held responsible for compliance under the laws that apply to the location where the processing or storage takes place.
Security laws that requires companies providing sensitive personal information have to encrypt data transmitted and stored on their systems (Massachusetts March, 2012).
Regulatory Compliance (2) You have to ensure the followings:
Contracts reviewed by your legal staff The right to audit in your SLA Review cloud service providers their security
and regulatory compliance Understand the scope of the regulations that
apply to your cloud-based applications Consider what steps to take to comply with the
demand of regulations that apply and/ or adjusting your procedures to this matter
Collect and maintain the evidence of your compliance with regulations
27
Defining Compliance as a Service (CaaS) CaaS needs to
Serve as a trusted party Be able to manage cloud relationships Be able to understand security policies
and procedures Be able to know how to handle information
and administer policy Be aware of geographic location Provide an incidence response, archive,
and allow for the system to be queried, all to a level that can be captured in a SLA
28
Defining Compliance as a Service (CaaS) (2) Examples of clouds that advertise
CaaS capabilities include the following: Athenahealth for the medical industry Bankserv for the banking industry ClearPoint PCI for mechant
transactions FedCloud for goverment
29
References
Chapter 4, 12 of Course Book: Cloud Computing Bible, 2011, Wiley Publishing Inc.
Research paper - Security and Privacy Challenges in Cloud Computing Environments, Hassan Takabi and James B.D. Joshi, University of Pittsburgh
30