Security management in the internet era

Size: px

Start display at page:

Download "Security management in the internet era"

Johnathan Walters
8 years ago
Views:

1 Security management in the internet era Cloud Security (2) October 6, 2011 Jun Murai Keio University!! Suguru Yamaguchi! Nara Institute of Science and Technology! 1

2 Schedule 01st (09/22) Course Description 02nd (09/29) Cloud Security (1) 03rd (10/06) Cloud Security (2) 04th (10/13) Military use of the cyber security technology and its issues 05th (10/20) IPv6 Security 06th (10/27) Guest Lecture(Joichi Ito) 07th (10/27) Midterm Presentation(1) 08th (11/10) Midterm Presentation(2) 09th (11/17) Disaster Recovery Internet(1) 10th (12/01) Disaster Recovery Internet(2) 11th (12/08) Personal Information and Security(1) 12th (12/15) Personal Information and Security(2) 13th (12/22) Evaluation of Security Risk 14th (1/12) Final Presentation(1) 15th (1/19) Final Presentation(2) 2

3 Cloud Security(2) 3

4 Features of Cloud Computing ( 再掲 ) n Changing the general idea of hardware n A number of virtual hosts in one physical host n Crossing the border n There are many places to save & backup information Virtual hosts Physical host 4

5 Why the security is needed n (Not?) Best security n Disconnect from the network We cannot use the services n Trade-off between security and convenience n Business needs innovations n Innovation needs challenges n Security is not guaranteed in the challenging environment security convenience We have to think about security risks in various views 5

6 The Point of Security Management n User side n Usability v.s. Safety Ex. Can use everywhere vs. Risk of information leakage vs. Risk of out-of-service state n Benefit v.s. Cost for Safety Ex. Cost cutback vs. Confidentiality of business information n Supplier side n Profit vs. Safety Usability Benefit Safety Safety Ex. Service income vs. Cost of security 6

7 Case:Using GoogleApps in Nihon University Case study: Mail system in schools n 10 million students use GoogleApps, Gmail & etc n Advantage: Convenience (not affected by power outages) & management cost (more than two hundred million) n Disadvantage: Safety (information leakage of students) n Decision: Advantage > Disadvantage Risk of student information leakage is small n At first, faculty member s does not use GoogleApps n From the perspective of users(=faculties), safety is most important n Management cost < Risk of faculty members Information The data is stored abroad Faculty member s information is very critical If the service is stopped, the loss becomes large 7

8 Important Points of Cloud Security n Contract(Management) n Service Level Agreement n Policy Problems n Industry Protection n National problem n Cyber terror n Technology 8

9 Contract(Management) If a problem occurs in cloud computing, Who is responsible for? How laws are applied? 9

10 Contract (for companies) n service level agreement(sla) n Support for leaking n No problem if it is specified n Storing data in overseas n Who will take responsibility if the data leaked These things in reference to SLA Cost Compens ation Users have to think about both cost and compensation 10

11 Example of SLA n Clearly specified about responsibility and recompense(if it is specified, cloud service provider will not have problem) n Example of SLA (salesforce.com) 11. LIMITATION OF LIABILITY (abstract) Limitation of Liability. NEITHER PARTY'S LIABILITY WITH RESPECT TO ANY SINGLE INCIDENT ARISING OUT OF OR RELATED TO THIS AGREEMENT (WHETHER IN CONTRACT OR TORT OR UNDER ANY OTHER THEORY OF LIABILITY) SHALL EXCEED THE LESSER OF $500,000 OR THE AMOUNT PAID BY YOU HEREUNDER IN THE 12 MONTHS PRECEDING THE INCIDENT,.. n If limitation is not specified.. n Distribution of free right to use 11

12 Incident and Response of the Cloud n WebARENA CLOUD9(NTTPC Data s Long-term failure) n Period:May 08, 2011-(do not start services yet) n Impact: User could not take data during two or three weeks Stop service n Guarantee:Another VPS Service free tickets n Amazon Cloud( Large-scale failure) n Occurrence time :April 21 24, 2011 n Effect of a failure: All Services of using AmazonEC2(Foursquare etc) 0.07% of data erase n Guarantee :10 days free tickets 12

13 Policy Problems n National problem n Cyber terror( 詳細は第 4 回 ) n Cyber Attack n Information Protection n Intellectual property rights n User Privacy n Industry Protection 13

14 National problem Cloud Computing and Privacy n What is privacy The right to be let alone (Samuel Warren 1890) The ability that we can control the others who get or share our information (Alan Westin 1967) [The right to be let alone] è [The Rights of controlling selfinformation] n Data management policy depends on suppliers n Data Confidentiality is implemented by the contract and trust on the service supplier. n Enforce of compliance (different from countries) 14

15 National problem Globalization of Enterprise Account (Ex. Shopping) Company Personal information protection system is different from each country Subcontracting/Outsource (Ex. Customer support) Customer Information What is a problem? How to protect? Individuals Services Domestic Overseas CRM center Leakage of Personal Information 15

16 National problem Development of Laws on Data Transfer n Agreement about data transfer of each countries (Safe Harbor Agreement) n Agreement on the data transfer between U.S. and EU n Permission of the companies which fill up personal information protection technology Limit the transfer of personal data to third countries It is necessary for Japan to agree about data transfer of each countries 16

17 National problem The need for Legislation n Depending on the situation, laws cannot prevent information leakage Company There is no law to catch information thieves (Can not be arrested) Can be arrested Copy Employees Bring information Illegal Activities using information Critical Data (Thief of information) In Japan, there is no criminal law & regulations against information theft. 17

18 Cyber attack using cloud n Cyber attack using cloud environment n Bot net which has redundancy n Attack which using a lot of resources n Who is responsible for this? Easy prepara)on of a-ack resources 18

19 Intellectual property rights n Variance with intellectual property right, copyright and cloud service n Is it against the law to share music and books? n It is still gray even only you use the data n Demerit n Difficult to change to cloud service due to the legal risk n Users will not be able to use cloud technology fully Japanese cloud service will be in danger because of law Need for relaxing the law on cloud service 19

20 Industry Protection n Use the term security to protect domestic industry n Drive out oversea cloud services n Protect domestic cloud services a way of driving out oversea company openly Company There is security problem in oversea cloud services! 自国のクラウドサービス 20

21 Discussion n Do nations doing in the right manner dealing with oversea companies? n Is it good thing to drive oversea companies? 21

22 Summary n Cloud computing doesn t bind physical location and hardware resource n Advantage: Availability and reduction of cost n Disadvantage n Service managements depend on the Supplier n Data leakages n Important points which Cloud computing have. n Company :Contract, n Policy Problems Legal Issues Industry Protection Intellectual property rights 22

23 Assignment n n n n n Amerio Airlines, the company that has many branches around the world, want to share customer information by using cloud computing service. Please suggest the appropriate method to do this process. Your idea should consist of 4 points of view: a contract between Amerio Airlines and customer, a contract between Amerio Airlines and cloud computing service, a legal system for distributing customer information, and a data leak prevention technique. Additional Information Submit at most 2 pages(a4). The Assignment is available in Japanese or English Students that handed in a good report will make a presentation of their report at the beginning of the fifth lecture. Deadline: 10/17(Mon) 17:00(JST) Submission: SOI submission page 23

24 Appendix 24

25 Importance of Security Measures n Compliance of basic Security Management n Risk Analysis n Clarification of Cost on each entity Cover all characters n Relationship between Risk & Cost on each entity n Rational Evaluation based on balance between Risk & Cost 25

26 Management of Cloud Computing Environment n Basis of Security Management Policy n Three Components n Security measures at Users & Suppliers Technology Compliance Management 26

27 Security Measures at Suppliers n Technology n Data Encryption in Communication Channel) n Authentication n Redundancy n Compliance n Policy of Clients Information Management n Management n Risk Management of information leakage n Set the rules for service qualities, roles & responsibilities 27

28 Security Measures at Users n Technology n Data Encryption n Compliance n Security Policy on exchanges of information over the network n Management n Management of Convenience & Risk n Make agreements with content, coverage & quality 28

29 User s Side Security Management n (Reusable) Password Authentication is dominant in major cloud computing services. n Password is the only protection measure for information management, so that high risk on information leakages apparently exists. n Example Google s password Login Gmail, Google calendar & etc MobileMe s password Read mail & calendar and get system configurations Windows Live password Use messenger, read mail, get system configurations 29

Security management in the internet era

Security management in the internet era Cloud Security (1) Septemberr 29, 2011 Jun Murai Keio University! Suguru Yamaguchi! Nara Institute of Science and Technology! Schedule 01st (09/22) Course Description