
Cloud Computing (f)or Grid Security

György Dán

Assistant professor

Laboratory for Communication Networks

School of Electrical Engineering

KTH Royal Institute of Technology

Stockholm, Sweden

SANS European SCADA Summit 2011, Rome

Cloud Computing

• NIST definition (800-145)

On-demand

Network access to

Shared pool of computing resources

Provisioned elastically

Monitored and controlled

• Key enabling technologies

Virtualization

Networking


György Dán http://www.ee.kth.se/~gyuri

Service Models and Control

• Computing resource as a Service

Infrastructure (IaaS): CPU, RAM, storage, OSs

Platform (PaaS): application runtime environment

Software (SaaS): customized software solution

• Combination of service models

[Figure: layered stack (Facility, Hardware, Virtualized infrastructure, Platform architecture, Application) showing which layers the cloud provider and which the cloud subscriber control under IaaS, PaaS and SaaS]

Source: NIST 800-144


Deployment Models

• Different levels of

Control

Exposure to non-trusted parties

Economy of scale

Cost of ownership

Availability

Performance

• Combinations

Hybrid models

Source: Jericho Cloud Cube Model

Model      Managed by    Owned by      Located at    Accessed by
Private    Organization  Organization  On-premise    Trusted
Community  Third party   Third party   Off-premise   Trusted
Public     Third party   Third party   Off-premise   Non-trusted
Hybrid     (combination of the above)

Adapted from: Cloud Security Alliance, CSA Guide V3.0


The Big Picture


There are reasons for moving

• Economy of scale

Staff specialized on security

• Platform homogeneity

Uniform platform enables security automation

• Multi-endpoint service/data access

Simplified security policies

• Resource scaling

Meet varying demands, e.g. load under DoS

• Backup and recovery

Standard policy of cloud provider

[Figure: benefits grouped as improved operational security, availability and cost]

And some valid concerns

• Complex network of interacting components

• Interaction between tenants

• Increased integration with intranet/Internet

• Loss of control, data ownership

• Cross-border operation and data

• Vendor lock-in

Source: The OpenNebula Project

Service + deployment models, composition → SLAs, policy enforcement, attestation, regulation

C.I.A?

Standardization (SNIA CDMI, OGF OCCI)

Security policies, SLAs, dependable networks → Trustworthy clouds → “Government clouds”


Potential Use Cases

• SCADA Master in the Cloud

SaaS, PaaS, IaaS service model

Private or Community deployment

• SCADA Historian in the Cloud

IaaS service

Public deployment

• Disaster recovery

Backup in the cloud

• CRM in the Cloud

Customizable SaaS

Private, Community or Public deployment

• Data Analysis in the Cloud

Smart metering data aggregation and analysis

[Figure: Korea Electric Power Corporation Jeju Smart Grid Testbed – Total Operations Center. Network diagram showing the SCADA LAN (operator workstations, online/standby SCADA servers, application servers, front-end communication equipment, CLARiiON storage), the Office LAN with system vendors' advanced workstations, firewalls towards the Internet/WAN, and substation LANs with front-ends, modems and IEDs.]

Source: EU FP7 VIKING project

Healthcare Case Study

• Healthcare Cloud Computing

Vertical Cloud Providers specialized on healthcare

Medical Imaging data archival

• Example: Insite One/Dell

Service Model

• Storage-as-a-Service (IaaS) and SaaS

• Standards compliant (DICOM)

• 4.5 billion imaging objects stored (50/sec)

• 1.4 million studies/month archived

Deployment Models

• Private cloud and Community cloud – Data management

• Hybrid cloud (private and community) – Capacity expansion and disaster recovery

Charging model

• Pay per access (study/image)


Summary

• Computation on demand

• Combinations of

Service model

Deployment model

• Big (future) potential

Research

Privacy, attestation, availability

Service composition

Standardization

• Application scenarios are company dependent

Data storage

Hot-backup system

Off-site backup for Disaster recovery
