Ragib Hasan University of Alabama at Birmingham CS 491/691/791
Fall 2011 Lecture 1 08/16/2011 Security and Privacy in Cloud
Computing
Slide 2
Welcome to the class Administrative details When? : Tue/Thu
11am-12.15pm Where?: CH 430 Web:
http://www.cis.uab.edu/cs491/fall2011http://www.cis.uab.edu/cs491/fall2011
Instructor: Ragib Hasan, CH126 / UBOB 214
[email protected]@cis.uab.edu Office hours: Tue 12.30 pm-1.30
pm (more TBA) 8/16/2011CS491/691/791 Fall 20112
Slide 3
Introductions Please tell us Your name What level (grad,
undergrad, PhD/MS/BS) you are currently Your advisor Your research
interests Anything fun/interesting about you 8/16/2011CS491/691/791
Fall 20113
Slide 4
Goals of the course Identify the cloud computing security
issues Explore cloud computing security issues Learn about latest
research 8/16/2011CS491/691/791 Fall 20114
Slide 5
Plan Each week, we will Pick a different cloud computing
security topic Discuss general issues on the topic Read one or two
latest research paper on that topic 8/16/2011CS491/691/791 Fall
20115
Slide 6
Evaluations Based on paper reviews, term project, and
class/discussion participation Reviews: Students taking the course
for credit will have to submit 1 paper review per week The reviews
will be short, 1 page discussion of the papers pros and cons
(format will be posted on the class webpage) Project: Students (or
groups) can pick any topic related to cloud security.
8/16/2011CS491/691/791 Fall 20116
Slide 7
Example Review Summary Mention what problem the paper
addresses. What is the approach, and what are the results. Pros
Advantages or features you liked. At least 3. Cons Disadvantages or
shortcomings. At least 3. Ideas How can you improve the system?
Short 2/3 sentence comment on your ideas. 8/16/2011CS491/691/791
Fall 20117
Slide 8
Topics we will cover 8/16/2011CS491/691/791 Fall 2011 Data and
computation integrity and confidentiality Infrastructure, topology
Data Privacy NetworkingForensics 8
Slide 9
Required Background Strong background in security is NOT
required This is NOT a crypto course, so its fine if you dont
understand the math in a paper Only basic background in common
security concepts is needed (e.g., do you know what
confidentiality, integrity, and availability mean? Whats a private
key? Whats encryption, hashing?) Well take a systems approach
towards security, i.e. think about the systems practicality,
performance etc. 8/16/2011CS491/691/791 Fall 20119
Slide 10
Clouds have become ubiquitous How many of you have used a cloud
today? Probably, everyone!! 8/16/2011CS491/691/791 Fall 201110
Slide 11
What is Cloud Computing? 8/16/2011CS491/691/791 Fall 2011 Lets
hear from the experts 11
Slide 12
What is Cloud Computing? 8/16/2011CS491/691/791 Fall 2011 The
infinite wisdom of the crowds (via Google Suggest) 12
Slide 13
What is Cloud Computing? 8/16/2011CS491/691/791 Fall 2011 Larry
Ellison, founder of Oracle Weve redefined Cloud Computing to
include everything that we already do.... I dont understand what we
would do differently in the light of Cloud Computing other than
change the wording of some of our ads. 13
Slide 14
What is Cloud Computing? 8/16/2011CS491/691/791 Fall 2011
Richard Stallman GNU Its stupidity. Its worse than stupidity: its a
marketing hype campaign 14
Slide 15
What is Cloud Computing? 8/16/2011CS491/691/791 Fall 2011 Ron
Rivest The R of RSA Cloud Computing will become a focal point of
our work in security. Im optimistic 15
Slide 16
So, What really is Cloud Computing? Cloud computing is a new
computing paradigm, involving data and/or computation outsourcing,
with Infinite and elastic resource scalability On demand
just-in-time provisioning No upfront cost pay-as-you-go
8/16/2011CS491/691/791 Fall 2011 That is, use as much or as less
you need, use only when you want, and pay only what you use,
16
Slide 17
The real story Computing Utility holy grail of computer science
in the 1960s. Code name: MULTICS 8/16/2011CS491/691/791 Fall 2011
Why did it fail? Ahead of time lack of communication tech. (In
other words, there was NO (public) Internet) And personal computer
became cheaper and stronger 17
Slide 18
The real story Mid to late 90s, Grid computing was proposed to
link and share computing resources 8/16/2011CS491/691/791 Fall
201118
Slide 19
The real story continued 8/16/2011CS491/691/791 Fall 2011
Post-dot-com bust, big companies ended up with large data centers,
with low utilization Solution: Throw in virtualization technology,
and sell the excess computing power And thus, Cloud Computing was
born 19
Slide 20
Cloud computing provides numerous economic advantages For
clients: No upfront commitment in buying/leasing hardware Can scale
usage according to demand Barriers to entry lowered for startups
For providers: Increased utilization of datacenter resources
8/16/2011CS491/691/791 Fall 201120
Slide 21
Cloud computing means selling X as a service IaaS:
Infrastructure as a Service Selling virtualized hardware PaaS:
Platform as a service Access to a configurable platform/API SaaS:
Software as a service Software that runs on top of a cloud
8/16/2011CS491/691/791 Fall 201121
Slide 22
Cloud computing architecture 8/16/2011CS491/691/791 Fall 2011
e.g., Web browser SaaS, e.g., Google Docs PaaS, e.g., Google
AppEngine IaaS, e.g., Amazon EC2 22
Slide 23
Different types of cloud computing 8/16/2011CS491/691/791 Fall
2011 Amazon EC2 Clients can rent virtualized hardware, can control
the software stack on the rented machines Google AppEngine Provides
a programmable platform that can scale easily Microsoft Azure
Clients can choose languages, but cant change the operating system
or runtime IaaS PaaS 23
Slide 24
So, if cloud computing is so great, why arent everyone doing
it? 8/16/2011CS491/691/791 Fall 2011 Clouds are still subject to
traditional data confidentiality, integrity, availability, and
privacy issues, plus some additional attacks 24
Slide 25
Companies are still afraid to use clouds 8/16/2011CS491/691/791
Fall 2011 [Chow09ccsw] 25
Slide 26
Anatomy of fear Confidentiality Will the sensitive data stored
on a cloud remain confidential? Will cloud compromises leak
confidential client data (i.e., fear of loss of control over data)
Will the cloud provider itself be honest and wont peek into the
data? 8/16/2011CS491/691/791 Fall 201126
Slide 27
Anatomy of fear Integrity How do I know that the cloud provider
is doing the computations correctly? How do I ensure that the cloud
provider really stored my data without tampering with it?
8/16/2011CS491/691/791 Fall 201127
Slide 28
Anatomy of fear Availability Will critical systems go down at
the client, if the provider is attacked in a Denial of Service
attack? What happens if cloud provider goes out of business?
8/16/2011CS491/691/791 Fall 201128
Slide 29
Anatomy of fear Privacy issues raised via massive data mining
Cloud now stores data from a lot of clients, and can run data
mining algorithms to get large amounts of information on clients
8/16/2011CS491/691/791 Fall 201129
Slide 30
Anatomy of fear Increased attack surface Entity outside the
organization now stores and computes data, and so Attackers can now
target the communication link between cloud provider and client
Cloud provider employees can be phished 8/16/2011CS491/691/791 Fall
201130
Slide 31
Anatomy of fear Auditability and forensics Difficult to audit
data held outside organization in a cloud Forensics also made
difficult since now clients dont maintain data locally
8/16/2011CS491/691/791 Fall 201131
Slide 32
Anatomy of fear Legal quagmire and transitive trust issues Who
is responsible for complying with regulations (e.g., SOX, HIPAA,
GLBA)? If cloud provider subcontracts to third party clouds, will
the data still be secure? 8/16/2011CS491/691/791 Fall 201132
Slide 33
What we need is to Adapt well known techniques for resolving
some cloud security issues Perform new research and innovate to
make clouds secure 8/16/2011CS491/691/791 Fall 201133
Slide 34
Final quote 8/16/2011CS491/691/791 Fall 2011 [Cloud Computing]
is a security nightmare and it can't be handled in traditional
ways. John Chambers CISCO CEO 34
Slide 35
8/16/2011CS491/691/791 Fall 2011 Further Reading Armbrust et
al., Above the Clouds: A Berkeley View of Cloud Computing, UC
Berkeley Tech Report UCB/EECS-2009-28, February 2009. Chow et al.,
Cloud Computing: Outsourcing Computation without Outsourcing
Control, 1 st ACM Cloud Computing Security Workshop, November 2009.
35