Secure Web Services and Cloud Computing

Dr. Bhavani Thuraisingham

The University of Texas at Dallas

Introduction to the Course and Overview of Material covered in class

January 20, 2012 – May 4, 2012

Objective of the Unit

This unit provides an overview of the course. The course describes concepts, developments, challenges, and directions in

- Secure Web Services

- Secure Semantic Web

- Assured Cloud Computing

Outline of the Unit

Outline of Course Course Work Course Rules Contact Index to lectures and preparation for exam #1 Papers to read for lectures March 23, 30, April 6, 13, 20 Index to lectures and preparation for exam #2 Conclusion (what we have learned in class) Acknowledgement:

- AFOSR for funding our research in assured cloud computing

- NSF for funding our capacity building effort in cloud computing

Outline of the Course

January 20, 2012: Introduction, Background on Data Security, Introduction to Cyber Security

January 27 and February 3: Secure Web Services

February 10 and February 17: Secure Semantic Web

February 24 and March 2: Assured Cloud Computing

March 9: Exam #1

After the Spring Break additional lectures on assured cloud computing and several papers for the students to read and present in class

Course Work

Two exams each worth 20 points

- March 9, May 4 (second class period) Programming project worth 14 points

- April 27 Two homework assignments prior to the mid-term: 8 points

each

- February 17, March 2 Two term papers after the mid-term: 10 points each

- March 30, April 20 Two Surprise Quizzes: 5 points each

Course Rules

Course attendance is mandatory; unless permission is obtained from instructor for missing a class with a valid reason (documentation needed for medical emergency for student or a close family member – e.g., spouse, parent, child). Attendance will be collected every lecture. 5 points will be deducted out of 100 for each lecture missed without approval.

Each student will work individually Late assignments will not be accepted. All assignments have to be

turned in just after the lecture on the due date No make up exams unless student can produce a medical certificate or

give evidence of close family emergency Copying material from other sources will not be permitted unless the

source is properly referenced Any student who plagiarizes from other sources will be reported to the

appropriate UTD authroities

Contact

For more information please contact

- Dr. Bhavani Thuraisingham

- Professor of Computer Science and

- Director of Cyber Security Research Center Erik Jonsson School of Engineering and Computer Science EC31, The University of Texas at Dallas Richardson, TX 75080

- Phone: 972-883-4738

- Fax: 972-883-2399

- Email: bhavani.thuraisingham@utdallas.edu

- URL:http://www.utdallas.edu/~bxt043000/

Papers to Read for Exam 1

1. Elisa Bertino, Barbara Carminati, Elena Ferrari, Bhavani M. Thuraisingham, Amar Gupta: Selective and Authentic Third-Party Distribution of XML Documents. IEEE Trans. Knowl. Data Eng. 16(10): 1263-1278 (2004)

Index to Lectures for Exam #1

Lecture 1: Introduction (this unit) Lecture 2: Security Modules Lecture 3: Data, Info and Knowledge Management Lecture 4: Access Control Lecture 5: Policies Lecture 6: Web Services and Security, Overview Lecture 7: Web Services and Security, Details Lecture 8: Assignment #1 Lecture 9: Secure sharing of digital evidence (XML Security) Lecture 10: Introduction to Semantic Web Lecture 11: Trustworthy Semantic Web Lecture 12: Inference Problem Lecture 13: Scalable access control (Dr. Tyrone) not included

Index to Lectures for Exam #1

Lecture 14: Assignment #2 Lecture 15: Introduction to cloud and secure cloud Lecture 16: Assured Cloud Computing Lecture 17: Tools for cloud computing Lecture 18: Jena and Hbase Lecture 19: Twitter Storm Lecture 20: NIST NVD (Jyothsna lecture)

Papers to Read for March 23, 2012

Wei She, I-Ling Yen, Bhavani M. Thuraisingham: Enhancing Security Modeling for Web Services Using Delegation and Pass-On. ICWS 2008: 545-552

Wei She, I-Ling Yen, Bhavani M. Thuraisingham, Elisa Bertino: The SCIFC Model for Information Flow Control in Web Service Composition. ICWS 2009: 1-8

Cloud Identity Management

http://cis.cau.edu/cms/files/CIS509-OAUTH/cloud-computing-identity-management.pdf

Eric Olden IEEE Computer March 2011

http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5719572

Papers to Read for March 30, 2012

1. KAoS Policy and Domain Services: Toward a Description-Logic Approach

to Policy Representation, Deconfliction, and Enforcementhttp://www4.wiwiss.fu-berlin.de/bizer/SWTSGuide/KAoS/KAoS_Policy_03.pdf

2. http://groups.csail.mit.edu/dig/Rein/rein-paper.pdfRein Policy Framework for the Semantic Web. Decentralized framework for representing and reasoning over distributed policies in the Semantic Web using Rei and CWM. Lalana Kagal and Tim Berners-Lee.

3. Barbara Carminati, Elena Ferrari, Raymond Heatherly, Murat Kantarcioglu, Bhavani M. Thuraisingham: A semantic web based framework for social network access control. SACMAT 2009: 177-186

4. Timothy W. Finin, Anupam Joshi, Lalana Kagal, Jianwei Niu, Ravi S. Sandhu, William H. Winsborough, Bhavani M. Thuraisingham: ROWLBAC: representing role based access control in OWL. SACMAT 2008: 73-82

Papers to Read for April 6, 2012

http://www.cl.cam.ac.uk/research/srg/netos/papers/2003-xensosp.pdf

http://www.cl.cam.ac.uk/research/srg/netos/papers/2004-oasis-ngio.pdf

http://www.fujitsu.com/downloads/MAG/vol46-4/paper09.pdf

http://www.eecs.berkeley.edu/~elaines/docs/ccsw.pdf

http://delivery.acm.org/10.1145/2050000/2046665/p15-brown.pdf?ip=129.110.241.91&acc=ACTIVE%20SERVICE&CFID=75242210&CFTOKEN=69399126&__acm__=1333321759_25edce9244a170683f6ea888814e192e (paper discussed on April 13)

Papers to Read for April 13 (in addition to the last paper for April 6)

http://www.sec.in.tum.de/assets/lehre/ss09/seminar_virtualisierung/Secure_Hypervisors_S-Vogl.pdf (Secure Hypervisors)

Reiner Sailer, Trent Jaeger, Enriquillo Valdez, Ramón Cáceres, Ronald Perez, Stefan Berger, John Griffin, Leendert van Doorn: Building a MAC-based Security Architecture for the Xen Opensource Hypervisor. 21st Annual Computer Security Applications Conference (ACSAC), December 5-9, Tucson, Arizona, 2005. (IEEE web site)

http://delivery.acm.org/10.1145/2050000/2046665/p15-brown.pdf?ip=129.110.241.91&acc=ACTIVE%20SERVICE&CFID=75242210&CFTOKEN=69399126&__acm__=1333321759_25edce9244a170683f6ea888814e192e (this was assigned for April 6 but we did not discuss in class)

Papers to Read for April 20

1. Dawn Song, Elaine Shi, Ian Fischer, Umesh Shankar: Cloud Data Protection for the Masses. IEEE Computer 45(1): 39-45 (2012)

2. Privacy and Security in Cloud Computing (High level paper) http://www.brookings.edu/~/media/Files/rc/papers/2010/1026_cloud_

computing_friedman_west/1026_cloud_computing_friedman_west.pdf

3. Addressing Cloud Computing Security Issues http://www.sciencedirect.com/science/article/pii/S0167739X10002554

4. Joseph Idziorek, Mark Tannian, Doug Jacobson: Detecting fraudulent use of cloud resources. CCSW 2011: 61-72

5. Vyas Sekar, Petros Maniatis: Verifiable resource accounting for cloud computing services. CCSW 2011: 21-26

Papers to Read for Exam #2

Papers to Read for Exam #2

Mohammad Farhan Husain, James P. McGlothlin, Mohammad M. Masud, Latifur R. Khan, Bhavani M. Thuraisingham: Heuristics-Based Query Processing for Large RDF Graphs Using Cloud Computing. IEEE Trans. Knowl. Data Eng. 23(9): 1312-1327 (2011) – Section 1, 2, 3,

Arindam Khaled, Mohammad Farhan Husain, Latifur Khan, Kevin W. Hamlen, Bhavani M. Thuraisingham: A Token-Based Access Control System for RDF Data in the Clouds. CloudCom 2010: 104-111 – Section 1, 2, 3

http://groups.csail.mit.edu/dig/Rein/rein-paper.pdfRein Policy Framework for the Semantic Web. Decentralized framework for representing and reasoning over distributed policies in the Semantic Web using Rei and CWM. Lalana Kagal and Tim Berners-Lee.

Timothy W. Finin, Anupam Joshi, Lalana Kagal, Jianwei Niu, Ravi S. Sandhu, William H. Winsborough, Bhavani M. Thuraisingham: ROWLBAC: representing role based access control in OWL. SACMAT 2008: 73-82

Papers to Read for Exam #2* Cloud Identity Management

http://cis.cau.edu/cms/files/CIS509-OAUTH/cloud-computing-identity-management.pdf

* Eric Olden IEEE Computer March 2011

http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5719572

* Reiner Sailer, Trent Jaeger, Enriquillo Valdez, Ramón Cáceres, Ronald Perez, Stefan Berger, John Griffin, Leendert van Doorn: Building a MAC-based Security Architecture for the Xen Opensource Hypervisor. 21st Annual Computer Security Applications Conference (ACSAC), December 5-9, Tucson, Arizona, 2005. (IEEE web site)

* Dawn Song, Elaine Shi, Ian Fischer, Umesh Shankar: Cloud Data Protection for the Masses. IEEE Computer 45(1): 39-45 (2012)

* Vyas Sekar, Petros Maniatis: Verifiable resource accounting for cloud computing services. CCSW 2011: 21-26

Papers to Read for Exam #2

http://www.cl.cam.ac.uk/research/srg/netos/papers/2003-xensosp.pdf

http://www.cl.cam.ac.uk/research/srg/netos/papers/2004-oasis-ngio.pdf

http://www.fujitsu.com/downloads/MAG/vol46-4/paper09.pdf

http://www.eecs.berkeley.edu/~elaines/docs/ccsw.pdf

Index to Lectures for Exam #2

Lecture 21: Secure Social networks Lecture 22: Exam #1 Lecture 23: Ontology Alignment Lecture 24: Cloud Query Processing Lecture 25: Token based access control Lecture 26: Cloud data storage (Dr. Murat) Lecture 27: NIST Guidelines Lecture 28: Comprehensive overview of cloud computing Lecture 29: Cloud Security Alliance papers

Conclusion

What have we learned? Background on Cyber Security and Data Security

- CISSP Modules (emphasis on Governance and Risk management, Access Control, Security Architectures as well as some cryptography basics)

- Data and Applications Security including Query Modification, Access Control, Policies and Trust Management, Inference Control

Secure Web Services

- Overview of Secure Web Services SOA, XACML, SAML

- Details of Secure Web Services WS* Security, Identity Management, Secure Service Oriented

Analysis and Design

- Papers on Secure web services (UTD Research)

What have we learned? Secure Semantic Web

- Overview of Semantic Web

- Trustworthy Semantic Web

- Secure Publication of XML Data

- NIST NVD Project

- Security and Privacy of Social Networks (with semantic web; UTD Research)

- Ontology Alignment (Guest Lecture)

- Semantic Web Tools: Jena

- Papers on Secure semantic web (including papers on REIN, ROWLBAC, KAOS)

What have we learned?

Secure Cloud Computing

- Introduction to Cloud Computing and Secure Cloud Computing

- Comprehensive Overview of Secure Cloud Computing

- Selected topics in Cloud Security (e.g, Amazon Cloud, Azure)

- NIST Security and Privacy Guidelines for the Cloud

- Cloud Security Alliance Secure Hypervisors

- Secure Cloud Query Processing (UTD Research)

- Assured Information Sharing via Cloud (UTD Research)

- Cloud Computing Tools (Hadoop. MapReduce, TwitterStorm)

- Papers on Secure Cloud (including on identity management, secure XEN and hypervisors, Fujitsu work on secure cloud)

Acknowledgement

Mr. Iftehkar (TA for the Class) Mr. Vaibhav Khadilkar – for his extensive help in explaining cloud

computing tools and the assistance in cloud computing project Ms. Jyothsna Rachapalli for guest lecture on the NIST/NVD project Dr. Neda Alipanah – for guest lecture on secure ontology alignment AFOSR for funding our research in assured cloud computing; the

research material was used for several of the lectures NSF for funding the assured cloud computing education grant. Students for giving feedback on the course (in addition to the

standard evaluation) that will be used for future classes. In assured cloud computing.

Book on Building and Securing the Cloud will be published in late 2012 by Taylor and Francis to be used for the Spring 2013 Class