Securing Big Data in the Cloud: Towards a More Focused and Data Driven Approach. Ragib Hasan, UAB Anthony Skjellum, Auburn 2014 NSF Big Data Workshop

Size: px

Start display at page:

Download "Securing Big Data in the Cloud: Towards a More Focused and Data Driven Approach. Ragib Hasan, UAB Anthony Skjellum, Auburn 2014 NSF Big Data Workshop"

Kelley Anthony
8 years ago
Views:

1 Securing Big Data in the Cloud: Towards a More Focused and Data Driven Approach Ragib Hasan, UAB Anthony Skjellum, Auburn 2014 NSF Big Data Workshop

2 [Cloud Computing] is a security nightmare and it can't be handled in traditional ways. John Chambers CISCO CEO 2

3 The Age of Big Data and Clouds The global market for clouds is growing 30% Compound Annual Growth Rate (CAGR) reaching $270 billion in 2020 (Market Research Media) Growth happening both in private and government sectors (US Federal government s spending on the cloud is approx. $792 million in 2013 (INPUT) Big Data is also becoming ubiquitous, going mainstream from academic and research usage A 4300% growth predicted by Clouds are the most suitable platform to make any sense of big data

4 So, if cloud computing is so effective in dealing with Big Data, why isn t everyone doing it? Clouds are still subject to traditional data confidentiality, integrity, availability, and privacy issues, plus some additional attacks 4

cloud provider for everything Lack of accountability There is a lack of accountability in part of the cloud

5 Why are Big Data and cloud security different from traditional security? Multi-tenancy Same hardware/network shared by many users Trust asymmetry Users have to completely trust the cloud provider for everything Lack of accountability There is a lack of accountability in part of the cloud service provider Securing a house Owner and user are often the same entity Securing a motel Owner and users are almost invariably distinct entities 5

6 Many major challenges remain in securing clouds and Big Data Novel attacks Trustworthy cloud architectures Data integrity and availability Computation integrity Data and computation privacy Data forensics Misbehavior detection Malicious use of clouds 6

and availability Computation integrity Data and computation

7 Co-tenancy in clouds creates new attack vectors A cloud is shared by multiple users Malicious users can now legally be in the same infrastructure Misusing co-tenancy, attackers can launch side channel attacks on victims Research question: How to prevent attackers from exploiting co-tenancy in attacking the infrastructure and/or other clients?

attackers can launch side channel attacks on victims Research question: How to

8 Today s cloud architectures act like big black boxes Clients have no idea of or control over what is happening inside the cloud Clients are forced to trust cloud providers completely Research Question: How do we design cloud computing architectures that are semi-transparent and provide clients with control over security? 8

cloud providers completely Research Question: How do we design cloud computing

Clients need reassurance that the outsourced data is available, has not been tampered with, and remains confidential.

9 Today s clouds provide no guarantee about outsourced data Problem: Dishonest cloud providers can throw data away or lose data. Malicious intruders can delete or tamper with data. Clients need reassurance that the outsourced data is available, has not been tampered with, and remains confidential. Amazon s Terms of services Research Question: How can clients get assurance/proofs that the cloud provider is actually storing data, is not tampering with data, and can make the data available ondemand? 9

10 Ensuring confidentiality of data in outsourced computation is difficult Most type of computations require decrypting data before any computations If the cloud provider is not trusted, this may result in breach of confidentiality Research Question: How can we ensure confidentiality of data and computations in a cloud? 10

cloud provider is not trusted, this may result in breach of confidentiality

Clients have no way of verifying computations outsourced to a Cloud Scenario User sends her data processing job to the cloud. Clouds provide dataflow operation as a service (e.

11 Clients have no way of verifying computations outsourced to a Cloud Scenario User sends her data processing job to the cloud. Clouds provide dataflow operation as a service (e.g., MapReduce, Hadoop etc.) Problem: Users have no way of evaluating the correctness of results Research question: How can we verify the accuracy of outsourced computation? 11

12 Data Forensics in Clouds is difficult Certain Government regulations mandate the ability to audit and run forensic analysis on critical business or healthcare data Clouds complicate forensic analysis, since the same storage infrastructure is shared by many clients Cloud providers are not willing to open up their entire storage for forensic investigations. Research question: How can we augment cloud infrastructures to allow forensic investigations? 12

storage infrastructure is shared by many clients Cloud providers are not willing to open up their entire storage

13 (Largely) Unexplored Areas Legal/policy issues and regulatory compliance: Cloud based storage is still subject to regulatory compliance and legal orders. Implementing things such as litigation hold in a cloud is very difficult. Proving a cloud is fully compliant with pre-cloud law is challenging Research question: How does cloud computing fit in with data security laws and regulations such as SOX, HIPAA, or with Litigation holds? 13

Implementing things such as litigation hold in a cloud is very difficult.

14 Making Big Data and Clouds Secure focus on the data! Our solution: Take a data driven approach Focus on data, it s location, generation, and transmission the provenance of data Look at the lifecycle of data and Ensure trustworthy computation and attribution Make Provenance a fundamental part of clouds

generation, and transmission the provenance of data Look at the lifecycle

15 Why aren t today s clouds accountable? Users do not know What happened to their data inside the cloud? What applications generated their data? How did the state of the cloud change? Cloud providers act like black boxes Clouds do not provide any information about internal operation to users Since they are in full control, any evidence/forensic investigation must go through them, making that less transparent 15

Cloud providers act like black boxes Clouds do not provide any information about internal operation to

16 Cloud Provenance is Key to Solving Cloud Security Data provenance: The modification and movement history of data objects as they enter/leave the cloud and are modified Application provenance: The history and activities of applications and users State provenance: The state history of the cloud computing system itself 16

and are modified Application provenance: The history and activities of

17 Challenges in Cloud Provenance Provenance collection: How do we efficiently collect it? Provenance storage: Where do we store it? What structures do we use? Securing provenance: How do we prevent attacks and forgery? Access to provenance: How can we give access to provenance while preserving cloud s/other users privacy? 17

Securing provenance: How do we prevent attacks and forgery?

18 How to provide accountability to users using Provenance-based Proofs? Proof of past data possession Proof of data possession Proof of data deletion Proof of capability Proof of work/task completion and Correctness 18

19 Current Results PPDP: Proof of past data possession (Zawoad and Hasan, CyberSec 2012, journal 2012) PPDP attests that a User U possessed a File F at a given past time. An Auditor can use PPDP to check the Past Data Possession. File can be deleted but PPDP can still preserve the proof of data possession. 19

20 Current Results SecLaaS: Secure Log Access as a Service (Zawoad and Hasan, ASIACCS 2013) Ext VM VM VM NC Attacker Attack Communication Log DB Proof DB API Web Server Investigator 20

21 Ongoing projects Provenance Aware Cloud (PAC) We are building a provenance-capable cloud using the openstack platform A small scale testbed has been developed for cloud security research. 21

22 John Chambers CISCO CEO [Cloud Computing] is a security nightmare and it can't be handled in traditional ways can be handled using Trustworthy provenance Details? Visit or ragib@cis.uab.edu 22

CS573 Data privacy and security in the cloud. Slide credits: Ragib Hasan, Johns Hopkins University

CS573 Data privacy and security in the cloud Slide credits: Ragib Hasan, Johns Hopkins University What is Cloud Computing? Let s hear from the experts 2 What is Cloud Computing? The infinite wisdom of