Transcript
Page 1: Cloud computing security and privacy christian goire

Cloud Computing Security and Privacy to gain Trust

SMARTEVENT 2010, September 23

Sophia Antipolis

Christian GOIRE

Page 2: Cloud computing security and privacy christian goire

Cloud Computing Definition(s)

02/05/23

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

NIST Definition

Built on compute and storage virtualization, provides scalable, network-centric, abstracted IT infrastructure, platforms, and applications as on-demand services that are billed by consumption.

Gartner’s definition: "a style of computing where scalable and elastic IT-related capabilities are provided 'as a service' to external customers using Internet technologies."

Page 3: Cloud computing security and privacy christian goire

The NIST Cloud Definition Framework

Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds

Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)

Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service

Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security

Page 4: Cloud computing security and privacy christian goire

3 main Service Models

Page 5: Cloud computing security and privacy christian goire

Cloud Providers – A Bird's Eye View

Infrastructure as a Service

Platform as a Service

Software as a Service

Page 6: Cloud computing security and privacy christian goire

Main aspects forming a cloud system

Page 7: Cloud computing security and privacy christian goire

Expert group report (Excerpts)

Non-functional aspects

Elasticity

Reliability

Quality of Service

Agility and adaptability

Availability

Page 8: Cloud computing security and privacy christian goire

Continued (2)

Economic aspects

Cost reduction

Pay per use

Improved time to market

Return of investment

Turning CAPEX into OPEX

Going Green

Page 9: Cloud computing security and privacy christian goire

Continued (3)

Technological Aspects

Virtualisation

Multi-tenancy

Security, Privacy and compliance

Data Management

APIs and/or Programming Enhancements

Metering

Tools

Page 10: Cloud computing security and privacy christian goire

Research time line (in year) of the individual topics

Page 11: Cloud computing security and privacy christian goire

Security and Privacy Challenges

The massive concentrations of resources and data present a more attractive target to attackers

The challenges are not new but Cloud computing intensifies them

Page 12: Cloud computing security and privacy christian goire

Technical risks

Resource exhaustion

Isolation failure

Cloud provider malicious insider, abuse of high privilege

Management interface compromise

Intercepting data in transit

Data leakage on up/download, intra-cloud

Insecure or ineffective deletion of data

Distributed Denial of Service (DDoS)

Economic Denial of Service (EDoS)

Loss of encryption keys

Undertaking malicious probes and scans

Compromise service engine

Conflicts between customer procedures and cloud

Page 13: Cloud computing security and privacy christian goire

Policy and organizational risks

Lock-in

Loss of governance

Compliance challenges

Loss of business reputation due to co-tenant activities

Cloud service termination or failure

Cloud provider acquisition

Supply chain failure

Page 14: Cloud computing security and privacy christian goire

Legal risk

Subpoena and e-discovery

Risk from change of jurisdiction

Data protection risk

Licensing risks

Page 15: Cloud computing security and privacy christian goire

Research recommendations

Certification processes and standards for the Cloud

Page 16: Cloud computing security and privacy christian goire

Research recommendations

Metrics for security in cloud computing

Return on security investments

Effects of different forms of reporting breaches on security

Techniques for increasing transparency/level of security: location tagging, data type tagging, policy tagging; privacy (data provenance), tracing data end to end

End to end data confidentiality in the cloud and beyond: encrypted search (long term); encrypted processing schemes (long term); encryption and confidentiality tools for social applications in the cloud; trusted computing in clouds, trusted boot sequence for virtual machine stack

Standardization etc.

Page 17: Cloud computing security and privacy christian goire

Legal recommendations

Legal issues to be resolved during the evaluation of the contracts (ULA User Licensing Agreement, SLA Service Level Agreement):

Data protection

Data security

Data transfer

Law enforcement access

Confidentiality and non-disclosure

Intellectual property

Risk allocation and limitation of liability

Change of control

Page 18: Cloud computing security and privacy christian goire

Conclusion

Technology solutions; privacy by design

Compliance with transparency provisions vis-à-vis individuals

Ensure that customers know about the location of their data

Ensure that they properly understand the risks so that they make informed choices

Current review process of the existing Data Protection Directive
