on the security of data stored in the cloud dr theo dimitrakos head of security architectures...
Post on 15-Dec-2015
TRANSCRIPT
On the Security of Data Stored in the Cloud
Dr Theo Dimitrakos, Head of Security Architectures Research, Security Futures Practice, BT Innovate & Design
Contact: {srijith.nair,theo.dimitrakos}@bt.com
Dr Srijith Nair, Senior Researcher, Security Futures Practice, BT Innovate & Design
SecureCloud 2012, 9-10 May
© British Telecommunications plc
Market evolution of Cloud computing
Diagram: Data Centre -> Virtual Data Centre -> High-end Cloud Environment ("We are here"), set against the anticipated cloud market evolution Cloud Islands -> Cloud V. Chain -> Cloud Horizontal Federation, with a cloud federation layer and a cloud service broker above.
Cloud Computing Technology Innovation emphasis on security (timeline 2010 to 2020): Commodity virtualisation; Multitenant Cloud islands; In-cloud common capabilities; Customer defined virtual private clouds; Specialised Community clouds; Cloud aware application production; Vertical Cloud service assembly; Open Cloud Federation; Cloud aggregation ecosystem
Commoditised virtualisation
• Security API for hypervisor
• Virtual Data Centre Service Management Layer
• Commoditised elasticity
• Commoditised data abstraction & data federation
Cloud islands
• User-defined hosting
• On-demand Elasticity
• Flexible charging model
• Rapid provisioning / de-provisioning
• Customer defined standalone cloud applications
• Cloud island-specific security in-depth
• Per-customer isolation & multi-tenancy
Common capabilities
• Cloud –vs.– managed service delivery model
• Reusable and customisable enabling services offered via a cloud service delivery model:
  • Identity & access
  • Data & system security
  • Data federation
  • Performance monitoring
  • Intelligent reporting
  • Auditing
  • Usage control
  • Licensing
  • Optimisation
Virtual Private Clouds
• Customer defined security and QoS
• Customer-centric identity & access federation
• Customer-aware process & data isolation
• Customer-defined process and data federation
• Secure private network overlay offered as a service over the internet
• Customer-centric cloud application composition
Community Clouds
• Community-specific virtual private clouds
• In-cloud collaboration, community management & identity federation services
• Vertical integration of hosting and community-specific cloud applications
• Shared
Cloud aware applications
• Commoditisation of cloud application stores
• Commoditisation of SDK for cloud applications
• Take advantage of cloud IaaS or PaaS to develop SaaS
• Ability to deploy your cloud SaaS over a targeted SaaS / PaaS
• SDK methods for on-demand elasticity, in-cloud hosting and dynamic resource provisioning
Cloud service assembly
• Standardisation of cloud service management interfaces
• Commoditisation of cloud assembly processes & tools
• Vertical value chain specific federation
• Ability to mix-and-match cloud infrastructure & in-cloud common capabilities when producing cloud applications
• Ability to specify and rapidly provision mixed delivery models: eg. SaaS on 3rd party PaaS; PaaS on 3rd party IaaS
Open cloud federation
• Standardisation of:
  • cloud common capabilities
  • cloud service management interfaces
  • cloud access management & federated identity models
  • cloud service monitoring & reporting
  • cloud license management services
• Virtual Private “Local” Network over the Internet
• User defined Virtual Private Cloud
Cloud Aggregation Ecosystem
• Standardised cloud charging models including auctions
• Standardisation of cloud service assembly processes
• Virtual Data Centres assembled over multiple IaaS clouds by different providers
• PaaS over federated IaaS with integrated common capabilities by multiple 3rd parties
• Commoditisation of “Make your own Cloud” capability
Results of survey conducted by ENISA in 2009
Main Concerns of Cloud Computing (from way back then)
Chart: main concerns in approaching the cloud, each rated by respondents as Not Important, Medium Importance, Very Important or Showstopper (share of respondents, 0% to 100%):
Confidentiality of corporate data
Privacy
Integrity of services and/or data
Availability of services and/or data
Lack of liability of providers in case of security incidents
Loss of control of services and/or data
Intra-clouds (vendor lock-in) migration
Inconsistency between trans national laws and regulations
Unclear scheme in the pay per use approach
Uncontrolled variable cost
Cost and difficulty of migration to the cloud (legacy software …
Repudiation
Main Data Challenges
Jurisdictional exposure (location / breach)
Segregation of data at rest
Data loss or leakage
Data provenance
Data remanence
Data sharding
Main Solutions
Data classification, policy on what goes into (which) cloud
Support for encryption of data at rest
  At the physical disk level
  At the virtual volume level
Transparent encryption at SaaS level
Strong identity and access management
Towards a comprehensive solution for cloud data hosting & sharing
Service delivery models:
• Bespoke service on customer cloud island
• Full integration to VDC Infrastructure
• Integrated with Customer’s corporate IT infrastructure
• Value add service on 3rd party clouds
Steps:
• Select cloud provider
• Define data store and security policy
• Encrypt data
• Mount data store to VM in the cloud
• Update data access / key release policy
• Enforce data access / key release policy
• Monitor how policy is enforced in the cloud
Example of virtual volume level encryption
Overview: Secure Cloud Data Hosting (VDC enhancement)
• The usage control of cloud storage is offered as a service
• Customer in control of connection, protection and access to secure virtual storage
• Keys and policy server are off the cloud data host
• Decryption only possible when data is used in a specific “safe” environment following policy-based approval
• Security is enforced by “sand-boxed” context-aware intelligent agents embedded in customer’s VM
Diagram: Customer VM 1 … Customer VM n, each carrying an agent, run on the Cloud Service Provider (VDC) hypervisor platform with shared data storage; the agents reach an offsite / onsite Key Management Server holding the policies (rules) over the Internet.
Customer experience
• Data stored in non-ephemeral storage volumes is encrypted at file system level
• The encryption/decryption keys are stored off site
• Decryption only possible when used in a specific environment
• Rules-based approval (automatic or manual) before the keys are released, to ensure release into a safe envelope (IP address, VM provenance, presence of DLP software etc.)
Overview: Secure Cloud Data Hosting (VDC enhancement)
Setup once:
• Encrypt volume: encrypt a storage volume (iSCSI, NFS) at file system level
• Keep keys safe: store the decryption key outside the cloud in a Key Management Server
• Install secure cloud agent: create a gold build Machine Image (e.g. VS template) with the secure cloud agent installed
• Create customer image: create instances from this image as required
VM lifetime:
• Key request: the agent requests keys when the Virtual Machine is booted up
• Key provisioning: keys may be released based on policy rules like IP address, OS type, CPU arch etc.
• Volume mounting: on receiving keys, the volume is attached to the VM instance, in read or read/write mode
• Key release: the key is released by the agent when it is stopped (eg. when the VM shuts down)
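The key request / key provisioning steps above, as an added illustration (constructed here, not BT's product code): an off-cloud key server that evaluates the booting VM's context against release rules of the kind the slide names (IP address, OS type, CPU arch, DLP presence, image provenance, automatic or manual approval) and records every decision for the monitoring step. All class names, rule values and the audit format are assumptions.

```python
"""Policy-based key release for an encrypted cloud volume (constructed
illustration, not BT's product code). The off-cloud key management server
releases the volume key only when the agent's boot-time context satisfies
the release rules named on the slide. All names and values are hypothetical."""
import ipaddress
from dataclasses import dataclass

@dataclass
class ReleasePolicy:
    allowed_networks: list         # CIDR strings the VM must boot from
    os_types: set
    cpu_archs: set
    require_dlp: bool = True       # DLP software must be present in the VM
    manual_approval: bool = False  # slide: approval is automatic or manual

@dataclass
class VMContext:
    ip: str
    os_type: str
    cpu_arch: str
    dlp_present: bool
    image_id: str                  # provenance: the gold build the VM came from

def evaluate(policy, ctx, approved_images, manual_ok=False):
    """Return ('release' or 'deny', reasons); every failed rule is reported."""
    reasons = []
    addr = ipaddress.ip_address(ctx.ip)
    if not any(addr in ipaddress.ip_network(n) for n in policy.allowed_networks):
        reasons.append(f"ip {ctx.ip} outside allowed networks")
    if ctx.os_type not in policy.os_types:
        reasons.append(f"os {ctx.os_type} not permitted")
    if ctx.cpu_arch not in policy.cpu_archs:
        reasons.append(f"cpu arch {ctx.cpu_arch} not permitted")
    if policy.require_dlp and not ctx.dlp_present:
        reasons.append("DLP software not present")
    if ctx.image_id not in approved_images:
        reasons.append(f"image {ctx.image_id} is not an approved gold build")
    if policy.manual_approval and not manual_ok:
        reasons.append("manual approval pending")
    return ("deny" if reasons else "release"), reasons

class KeyServer:
    """Off-cloud KMS: hands out a key only on 'release' and logs every request."""
    def __init__(self, policy, approved_images, keys):
        self.policy, self.approved, self.keys = policy, approved_images, keys
        self.audit = []            # (volume, ip, decision, reasons) per request
    def request_key(self, volume_id, ctx, manual_ok=False):
        decision, reasons = evaluate(self.policy, ctx, self.approved, manual_ok)
        self.audit.append((volume_id, ctx.ip, decision, reasons))
        return self.keys[volume_id] if decision == "release" else None
```

The audit list is what a monitoring service would read to confirm the policy is being enforced; a deny entry lists every rule that failed rather than only the first.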
Extensions to the core service
• Extend solution to federated storage that spans across:
  • Multiple VDCs on the same cloud infrastructure
  • Cloud islands by different providers
• Combine solution with data shredding, variants of key split / group encryption, and optimal data fragment distribution algorithms to ensure that:
  • if all nodes hosting fragments of a customer's files are offline, all other customers can continue to operate securely
  • root access to all nodes hosting fragments of one customer's files will not provide enough fragments to reconstruct / decrypt another customer's file
  • customers can inspect the integrity of their shredded data
Secure Cloud (Shared) Storage:
• Cover protection of VM images at rest
• Cover integrity checks of data and VM image volumes
• Hypervisor root-kit to cover encryption of communication between protected VMs in operation
Secure Cloud Container:
2 BT patents pending including combination of data shredding and cloud encryption
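The two fragment-distribution guarantees above (loss of one customer's nodes leaves everyone else operational; root on one customer's nodes cannot rebuild another customer's file) can be checked mechanically for a k-of-n shredding scheme. The following is an added illustration, not BT's patented algorithm; customer and node names are constructed.

```python
"""Checks the fragment-placement property from the slide (constructed
illustration, not BT's algorithm). Files are split into n fragments of which
any k reconstruct them; placement maps customer -> {node: fragment_count}.
Both slide properties reduce to a bound on the overlap c = number of B's
fragments held on the nodes that hold A's fragments:
  confidentiality: c < k      (root on A's nodes cannot rebuild B's file)
  availability:    n - c >= k (A's nodes all offline still leaves B enough)
Customer and node names used with this code are hypothetical."""
from itertools import permutations

def overlap(placement, a, b):
    """Fragments of b stored on nodes that also hold fragments of a."""
    nodes_a = set(placement[a])
    return sum(cnt for node, cnt in placement[b].items() if node in nodes_a)

def max_safe_overlap(k, n):
    """Largest overlap that satisfies both properties for a k-of-n scheme."""
    return min(k - 1, n - k)

def check_placement(placement, k, n):
    """Return (a, b, overlap, violated_property) for every failing ordered
    pair; an empty list means the placement is safe."""
    problems = []
    for a, b in permutations(placement, 2):
        c = overlap(placement, a, b)
        if c >= k:
            problems.append((a, b, c, "confidentiality"))
        if n - c < k:
            problems.append((a, b, c, "availability"))
    return problems

def can_add(placement, new_customer, nodes, k, n):
    """True if storing one fragment of new_customer on each of `nodes`
    keeps every pair safe (the check to run before provisioning)."""
    trial = dict(placement)
    trial[new_customer] = {node: 1 for node in nodes}
    return len(nodes) == n and not check_placement(trial, k, n)
```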
Cloud security innovation roadmap at BT Research & Technology
Technical innovation challenges & solutions
Roadmap items (shown as a grid on the slide):
Cloud Security Innovation Strategy
Market evolution analysis
Recommendations for High-level Secure Cloud Architecture for Government (IaaS)
In-cloud security cost-benefit analysis
Cloud information assurance metrics
Cloud security risk assessment (eGov)
Secure Cloud Service Broker
Cloud Federation Fabric v1
Virtual hosting on federated clouds (basic functionality)
Recommendations for High-level Secure Cloud Architecture for Government (SaaS)
Cloud ecosystem security value network
Market analysis revision
Cloud security value network revision
Virtual hosting on federated clouds (enhanced functionality)
Cloud Federation Fabric v2
Cloud Aggregation Environment (v1)
Accountable Entitlement Management (in-cloud)
Virtual Patching
In-Cloud Secure ESB fabric
Application aware Behavioural Malware detection (in-cloud)
In-cloud malware scanning
Secure cloud storage service
Virtual community management
Cloud information assurance metrics
Cloud security analytics
Hypervisor level Malware Detection
Hypervisor level Intrusion Prevention
Hypervisor level Data Leak Prevention
Use of trusted hardware in Virtual Data Centres & Cloud
Core activities: Cloud federation; Cloud Security services; Cloud Security infrastructure; Secure Virtualisation
BT thought-leadership: Innovation Demonstrators
Cloud brokerage & Federation
• Secure Cloud Service Broker
• In-cloud federation & coalition management
• VHE on Federated Clouds
Cloud Application Security
• Intelligent Protection
• Accountable Entitlement Management
• Behavioural monitoring for Malware detection
Cloud Services Security
• Secure cloud service management
• Secure data storage service
• Virtual Patching
• Active Shielding
Secure Virtualisation
• Hypervisor level Malware Detection
• Hypervisor level Intrusion Prevention
• Hypervisor level Data Leak Prevention
CLOUD SECURITY INNOVATION SHOWCASES
OVER 9 PATENTS (AWARDED OR PENDING) ON NEXT GENERATION VIRTUALISATION & CLOUD SECURITY
BT thought-leadership: Overview of external collaborations
• Co-authors of ENISA expert advisory report on Cloud Security Risk Analysis
• Contributors to CSA security guidelines and lead of Virtualisation Security work stream
• Contributors to ENISA expert group on Government use of Cloud computing
• Leading Cloud Brokerage & Federation use case at OPTIMIS a €15 million collaborative R&D project
• Led BEinGRID (Chief scientist / technical director) the largest R&D investment (€25 million) on next generation SOA in Europe
• Invited speakers at events: InfoSec, CloudSecurity, RSA, e-Crime, Intellect, ISF, CSO Summit, etc.
• 3 books and several technical papers in Cloud & Next Generation SOA
Collaborators shown as logos: BT, IBM, Microsoft, Kaspersky, UK NHS, Google, HP, RSA, Symantec, ISSA, cloudsecurity.org, Baker & McKenzie
Thank you for your attention
For more information contact {srijith.nair,theo.dimitrakos}@bt.com