Embed Size (px)
Citation preview
Cloud Security Services: An Overview
CloSe Public Workshop, April 2015 N. Asokan
2
Outline
• Why CloSe? • What have we been doing in CloSe so far? • How is CloSe organized?
3
The big questions
Services are moving to the cloud … including security services They face seemingly conflicting constraints … user privacy, usability, deployability How to reconcile these apparent conflicts? How to effectively provide security from the cloud?
4
Assets
user data
user data
user data
user access patterns
Why?
5
Threats
user data
user data
user data
exfiltrate user data
mine access patterns lure users to insecure services
P2P botnet C&C
user access patterns
1
2
3
4
Why?
6
Potential solution points
user data
user data
user data
user access patterns
Secure Intermediary
Storage encryption
Storage encryption
Why?
7
Challenges
user data
user data
user data
user access patterns
Secure Intermediary Detection of covert channels (III) Detection/mitigation of unwanted objects/actions (IV) vs. partial info.: metadata-only, encrypted channels, … (III, IV) vs. guaranteeing user privacy (I) via use of trusted hardware (I) Networking & scalability (V)
Why?
8
Challenges
user data
user data
user data
user access patterns
Storage encryption vs. Deduplication (II)
Why?
Secure Intermediary Detection of covert channels (III) Detection/mitigation of unwanted objects/actions (IV) vs. partial info.: metadata-only, encrypted channels, … (III, IV) vs. guaranteeing user privacy (I) via use of trusted hardware (I) Networking & scalability (V)
9
Challenges
user data
user data
user data
user access patterns
Storage encryption vs. Intuitive key management (II)
Storage encryption vs. Deduplication (II)
Why?
Secure Intermediary Detection of covert channels (III) Detection/mitigation of unwanted objects/actions (IV) vs. partial info.: metadata-only, encrypted channels, … (III, IV) vs. guaranteeing user privacy (I) via use of trusted hardware (I) Networking & scalability (V)
10
Five Challenges (summary)
I. Reconciling remote data access with client privacy II. Reconciling client-encrypted storage with
deduplication and intuitive key management III. Detection of illicit/covert channels IV. Detection/mitigation of unwanted objects/actions V. Networking & Scalability
Why?
11
Private Membership Test
The problem: How to preserve end user privacy for anti-malware clients that look up cloud-hosted databases? Our approach: Build a private membership test scheme based on Bloom filters using (a) cryptography and (b) trusted hardware. Results so far: (a) Using Goldwasser-Micali homomorphic encryption scheme (paper, poster) (b) mediated by Trusted H/W (poster/demo)
Work Package 1
What?
WP leads: Jian Liu and Sandeep Tamrakar
12
Client-encrypted cloud storage in real life
The problem: How to reconcile the need for strong client-side encryption with real life constraints? (a) deduplication (business constraint) (b) use of multiple devices (usability constraint) Our approach: (a) use trusted hardware or cryptographic protocols; (b) design an intuitive key management scheme Results so far: (a) Secure deduplication w/o additional servers (draft paper), using trusted h/w (poster/demo) (b) OmniShare (poster/demo) Work Package 2
What?
WP leads: Jian Liu and Sandeep Tamrakar
13
Botnet detection
The problem: How to detect a bot that is using social media as its covert channel to communicate with its C&C by observing traffic in network. Our approach: Study how botnet communication is different from normal communication and learn to detect it. Results so far: We have studied bots that use i.e. Twitter for communication (poster). We have generated our own bot-like traffic and an algorithm to detect this among normal traffic.
Work Package 3
What?
WP lead: Tommi Meskanen
14
Detection and mitigation of unwanted objects/actions The problem: Identify malicious traffic/activity/malware by its activity and metadata only; How to mitigate malicious activity? Our approach: Using malware metadata and devising classifiers capable of fast traffic/malware identification; Develop privacy capable tools to obfuscate the data/traffic. Results so far: Malware APK identification from metadata (paper, poster); Fake Base Station analysis (poster); Differential privacy tools for traffic data anonymization (poster); Homomorphic encryption for privacy preserving databases (poster).
Work Package 4
What?
WP lead: Yoan Miche
15
Software-defined cloud security service The problem: a) how to secure upcoming IoT based smart environment that contains a large amount of wireless connected smart devices; b) Monitoring SaaS performance, usage characteristics etc. Our approach: a) design a platform that utilizes SDN and Cloud to enhance wireless security; b) use a set of virtual machines (migrations are possible if required) to run the artificial Android clients for F-Secure Freedome and collect the usage data. Results so far: a) System prototype for demonstrating a light-weight solution to address the problem; (demo, poster) b) a distributed environment based on Docker and CoreOS etcd and fleet to dynamically launch/shutdown a number of test nodes and collect the necessary metrics with Graphite. (poster)
Work Package 5
What?
WP leads: Jörg Ott and Sasu Tarkoma
16
Consortium
Six university partners (Academy of Finland) ARCADA, Aalto CS (2), Aalto Comnet, U Helsinki, U Turku
Three industry partners (Tekes) F-Secure, Nokia, Trustonic
External academic collaborators
Bar Ilan University, TU Darmstadt, Tartu University, …
Two years (July 2014 – June 2016)
How?
17
Addressing the challenges
user data
user data
user data
user access patterns
Storage encryption vs. Intuitive key management (II)
Storage encryption vs. Deduplication (II)
Secure Intermediary Detection/mitigation of unwanted objects/actions (IV) vs. guaranteeing user privacy (I) via use of trusted hardware (I) Detection of covert channels (III) Networking & scalability (V)
Aalto Comnet (A CN)
Aalto CS (A CS)
U Turku (UTU)
Arcada U (ARC)
U Helsinki (UH)
F-Secure (FSC)
Trustonic (TT)
Nokia (NOK)
Bar Ilan U (BIU)
Tartu U (TU)
A CS ARC
FSC N
UTU FSC
A CN UH
FSC N
FSC A CS TT
TU Darmstadt (TUD)
TT A CS TUD
FSC A CS N UTU TU
TT A CS
BIU
TT A CN
How?
18
Management Scientific Advisory Board
(international experts)
Challenges (Work Packages)
Project Steering Group (PIs)
Meets once per year Workshop on results & directions
3 - 4 meetings per year 2 per year combined with result workshop Complemented by video conf calls
Meeting regularly individually per WP
How?
19
Role of SAB
• Feedback on results • Guidance on next steps • Brief report (e.g., 2 pages) to accompany our application
to continue CloSe for another two years
How?
20
This workshop
• Today – 30 min presentation of each WP + 15 mins discussion – WP 1-2 combined
• Tomorrow
– Invited talks by SAB members
• Lots of breaks
– Demos and posters in the lobby – Buffet lunch in the lobby
21
Plan for today 9:00 Welcome and Introduction to CloSe N. Asokan 9:30 Industrial relevance of CloSe Alexey Kirichenko (F-Secure)
Gabriel Waller (Nokia) 10:30 Break* 11:00 WP1 and WP2: Private Membership Test &
Secure Cloud Storage with Deduplication Jian Liu, Sandeep Tamrakar
12:15 Lunch 13:30 WP3: Twitterbot Detection Tommi Meskanen 14:15 Break* 14:45 WP4: 1. Automated classification of
Android malware, 2. Traffic data analysis Yoan Miche
15:30 Break* 16:00 WP5: Secure Smart Home with SDN
based Cloud Service Jörg Ott and Sasu Tarkoma
16:45 End of Day 1
