Cloud&backed,Internet,of,Things, Security,and,Dependability,



Similar documents
1000Mbps Ethernet Performance Test Report

Cloud Computing and Amazon Web Services

Cisco Cloud Web Security Key Functionality [NOTE: Place caption above figure.]

Yahoo! Cloud Serving Benchmark

How To Test For Performance And Scalability On A Server With A Multi-Core Computer (For A Large Server)

Shared Parallel File System

AVLOR SERVER CLOUD RECOVERY

Scalable Architecture on Amazon AWS Cloud

Network performance in virtual infrastructures

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)

How swift is your Swift? Ning Zhang, OpenStack Engineer at Zmanda Chander Kant, CEO at Zmanda

SecureSphere Appliances

Fixed Price Website Load Testing

Network Performance Between Geo-Isolated Data Centers. Testing Trans-Atlantic and Intra-European Network Performance between Cloud Service Providers

Total Defense Endpoint Premium r12

Best Practices for Monitoring Databases on VMware. Dean Richards Senior DBA, Confio Software

Kaspersky Endpoint Security 10 for Windows. Deployment guide

Shadi Khalifa Database Systems Laboratory (DSL)

Building Success on Acquia Cloud:

WHITE PAPER: BEST PRACTICES. Sizing and Scalability Recommendations for Symantec Endpoint Protection. Symantec Enterprise Security Solutions Group

Dimension Data Enabling the Journey to the Cloud

Web Application Deployment in the Cloud Using Amazon Web Services From Infancy to Maturity

How To Cloud Compute At The Cloud At The Cyclone Center For Cnc

Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control

Cisco M-Series Content Security Management Appliance for and Web Security Appliances

IBM Platform Computing Cloud Service Ready to use Platform LSF & Symphony clusters in the SoftLayer cloud

VMware vcenter Server 6.0 Cluster Performance

Networking Virtualization Using FPGAs

IJREAT International Journal of Research in Engineering & Advanced Technology, Volume 1, Issue 1, March, 2013 ISSN:

AKCess Pro Server Management Software

DIR Contract Number DIR-TSO-2621 Appendix C Pricing Index

Patriot Hardware and Systems Software Requirements

Accelerating Web-Based SQL Server Applications with SafePeak Plug and Play Dynamic Database Caching

Building a Private Cloud with Eucalyptus

CribMaster Database and Client Requirements

CLOUDFORMS Open Hybrid Cloud

EWeb: Highly Scalable Client Transparent Fault Tolerant System for Cloud based Web Applications

IncidentMonitor Server Specification Datasheet

Amazon EC2 Product Details Page 1 of 5

Microsoft Exchange Server 2003 Deployment Considerations

Best Practices for Using MySQL in the Cloud

InterScan Web Security Virtual Appliance

Scaling in a Hypervisor Environment

Secure Your Mobile Workplace

Amazon Cloud Storage Options

Backup for branch offices and compartment backups. Måns Höiom & Rikard Lindkvist

Cisco Application Networking for IBM WebSphere

Microsoft Private Cloud Fast Track

Virtualization and IaaS management

DACSA: A Decoupled Architecture for Cloud Security Analysis

Tk20 Network Infrastructure

ACANO SOLUTION VIRTUALIZED DEPLOYMENTS. White Paper. Simon Evans, Acano Chief Scientist

Overview: X5 Generation Database Machines

Technology and Cost Considerations for Cloud Deployment: Amazon Elastic Compute Cloud (EC2) Case Study

AgencyPortal v5.1 Performance Test Summary Table of Contents

Powerful Online Solutions HOSTING. Price List. Surge Media Pty Ltd MAINTENANCE & SUPPORT Price List 1

On- Prem MongoDB- as- a- Service Powered by the CumuLogic DBaaS Platform

Feature Comparison. Windows Server 2008 R2 Hyper-V and Windows Server 2012 Hyper-V

Eloquence Training What s new in Eloquence B.08.00

Total Data Protection for your business

Cloud Computing through Virtualization and HPC technologies

Liferay Portal s Document Library: Architectural Overview, Performance and Scalability

Splunk Enterprise in the Cloud Vision and Roadmap

Cloud Server Performance A Comparative Analysis of 5 Large Cloud IaaS Providers

Imperva SecureSphere Appliances

THE DEFINITIVE GUIDE FOR AWS CLOUD EC2 FAMILIES

PSAM, NEC PCIe SSD Appliance for Microsoft SQL Server (Reference Architecture) September 11 th, 2014 NEC Corporation

INTERNET SECURITY THREAT REPORT

SILVER PEAK ACCELERATION WITH EMC VSPEX PRIVATE CLOUD WITH RECOVERPOINT FOR VMWARE VSPHERE

Symantec Endpoint Protection 11.0 Architecture, Sizing, and Performance Recommendations

ORACLE DATABASE HIGH AVAILABILITY STRATEGY, ARCHITECTURE AND SOLUTIONS

RAID Performance Analysis

Molecular Devices High Content Data Management Solution Database Schema

White Paper. Recording Server Virtualization

Frequently Asked Questions

PostgreSQL Performance Characteristics on Joyent and Amazon EC2

securityserver Unparalleled management and detection of security, environmental, and disaster control resources.

Next Generation IPS and Reputation Services

Evaluation Report: Emulex OCe GbE and OCe GbE Adapter Comparison with Intel X710 10GbE and XL710 40GbE Adapters

SUN ORACLE DATABASE MACHINE

Converged storage architecture for Oracle RAC based on NVMe SSDs and standard x86 servers

IEEE CQR 2010 A Holistic Approach to Mobile Security

Comparing Cloud Computing Resources for Model Calibration with PEST

Oracle Database Deployments with EMC CLARiiON AX4 Storage Systems

VDI Without Compromise with SimpliVity OmniStack and Citrix XenDesktop

Dell Virtual Remote Desktop Reference Architecture. Technical White Paper Version 1.0

A Middleware Strategy to Survive Compute Peak Loads in Cloud

The Ultimate Business & Enterprise Hosting Solutions.

Corporate PC Backup - Best Practices

Tips and Best Practices for Managing a Private Cloud

NCTA Cloud Architecture

THE SUMMARY. ARKSERIES - pg. 3. ULTRASERIES - pg. 5. EXTREMESERIES - pg. 9

STORAGE CENTER WITH NAS STORAGE CENTER DATASHEET

Data Center security trends

Transcription:

Cloudbacked,Internet,of,Things, Security,and,Dependability, Miguel,Pupo,Correia, 2015EuropeanSecurityConference,ISEG,June2015, Schedule 1. InternetofThingsmeetstheCloud 2. SecuredPersonalDevice 3. ShuGle:cloudintrusionrecovery 2, 1

1.,INTERNET,OF,THINGS,MEETS,THE, CLOUD, 3, InternetofThings embeddedcomputajonaldeviceseverywhere PCAS 4, 2

InternetofThings InternetofThings(IoT)vision=billionsof things connectedtotheinternet(gartner:26bin2020) Things embeddedcomputajonaldevices,cybert physical(sensors,actuators) TypicallyconnectedusingwirelesscommunicaJons WiFi,GSM/3G/4G/5G,Bluetooth,NFC 5, CompuJngasauJlity usecomputajonal resourceswithout buyingthem CAPEXvsOPEX PayTasTyouTgo ElasJcity CloudCompuJng 6, 3

IoTmeetstheCloud ManyIoTapplicaJonsneedapla\orm Cloudisaconvenientenvironmentforthatpla\orm Payasyougosupportsgrowthandbigdata(26B...) 7, IoTPla\ormsintheCloud FuncJonality ManagementandinterconnecJonofthethings Datastorage,processing,andanalysis BusinessprocessimplementaJonandmonitoring InteracJonamongusers 8, 4

IoTPla\ormsintheCloud OpenSensors.io Collectssensordata(MQTT) Dataisofferedtoallusers(unlessclientpays) ProvidesdataflowstoapplicaJons Datastorage,devicemanagement,... Carriots Collectsthings data(rest/http) Managesdevicesanddata SupportsapplicaJonimplementaJonandexecuJon andothers 9, 2.,SECURED,PERSONAL,DEVICE, 10, 5

MoJvaJon:smartphoneintrusions Smartphoneisahandyplacetoputpersonaldata... buttheirsecuritystatusisquitebadandstorageislimited Mobile Threat Classifications, 2013 Source: Symantec Track User Risks that spy on the individual using the device, collecting SMS messages or phone call logs, tracking GPS coordinates, recording phone calls, or gathering pictures and video taken with the device. 35% 30 25 20 25% 20% 32% 28% 30% Steal Information This includes the collection of both device- and user-specific data, such as device information, configuration data, or banking details. Traditional Threats Threats that carry out traditional malware functions, such as back doors and downloaders. 15 10 13% 10% 8% 9% 8% 8% 15% Reconfigure Device These types of risks attempt to elevate privileges or simply modify various settings within the operating system. 5 Send Content Adware Reconfigure Traditional Steal Annoyance Device Threats Information Track User 2012 2013 Adware/Annoyance Mobile risks that display advertising or generally perform actions to disrupt the user. Send Content These risks will send text messages to premium SMS numbers, ultimately appearing on the bill of the device s owner. Other risks can be used to send spam messages. Source:SymantecITSR2014 11, ProjectPCASoverview PCASaimsatimplemenJngasecurehandheld device:thesecuredpersonaldevice(spd) asmartphoneaddton(or sleeve ) recognizestheuserusingseveralbiometricsensors allowsuserstoauthenjcatethemselves allowsuserstosecurelystoredata cancommunicatewithtrusted(cloud)services 12, 6

SPDsketches 13, Scenarios TwousecasesarebeingusedforvalidaJon: Electronichealth SPDisusedforstoringpersonalhealth dataaswellasaccesspointtotheehratthecloud Universitycampus SPDisusedforbeGeraccesscontrol andmoresecureauthenjcajonintocampusservices (canteen,library,website,...) 14, 7

Usage 15, SPDmeetstheCloud Bio,Sensors SPD Smart Phone Cloud CPU, Gate, Unit AuthenWcaWon, Unit,, Protected,,, Encrypted,Storage, USB, Secure,Channel SemiTrusted,, Apps Secure,comm., Service,, Trusted,, App, 16, 8

3.,SHUTTLE:,CLOUD,INTRUSION, RECOVERY, 17, MoJvaJon:cloudintrusions Intrusion/faultcauses: Solwareflaws ConfiguraJonandusagemistakes CorruptedlegiJmaterequests Intrusions/faultsmaycompromisedata/service: Integrity Availability ConfidenJality 18, 9

Goal RecoverapplicaJons dataintegrity whenintrusionshappen 19, Backups? User,AcWon, Malicious, AcWon, Backup, WorksbutremovesbothbadandgoodacJons ShuGle:removesbadacJonsbutkeepsgoodacJons t 20, 10

Pla\ormasaService(PaaS) Cloudservice=torunapplicaJons ConsumerdevelopsapplicaJontoruninthat environment,using Supportedlanguages,e.g.,Java,Python,Go,PHP Supportedcomponents,e.g.,SQL/noSQLdatabases,load balancers 21, ShuGleintrusionrecoveryservice Features: Supportedbythecloud:availablewithoutsetup RemovestheintrusioneffectsintheapplicaJons state SupportsapplicaJonsdeployedinvariousinstances AvoidsapplicaJondownJme CosteffecJve Recoversfast 22, 11

ShuGlearchitecture User requests Proxy Manager Shuttle Storage Legend: Load Balancer Interceptor Application Server DB Proxy Database Instance normalexecujon:log, Replay takesnapshots Instance Interceptor Application Server DB Proxy Database Instance Scalling User Requests Replay Requests Control Messages 23, ReplayProcess 1. IdenJfythemaliciousacJons(notpartofShuGle) 2. StartnewapplicaJonanddatabaseinstances 3. Loadasnapshotprevioustointrusioninstant Createanewbranch;keepstheapplicaJonrunninginpreviousbranch 4. Replayrequestsinnewbranch 5. Blockincomingrequests;replaylastrequests 6. Changetonewbranch;shutdownunnecessary instances 24, 12

ReplayModes FullReplay:ReplayeveryoperaJonalersnapshot SelecWveReplay:Replayonlyaffected(tainted)operaJons Serial:,ReplayalldependencygraphsequenJally Clustered:,Independentclusterscanbereplayedconcurrently, FullTReplay SelecJveTReplay 1Cluster(Serial) Clustered 25, EvaluaJonEnvironment AmazonEC2,c3.xlargeinstances,GbEthernet WildFly(formelyJBoss)applicaJonservers Voldemortdatabase AskQAapplicaJon;datafromStackExchange 26, 13

PerformanceoverheadevaluaJon innormalexecujon Workload A Workload B Shuttle 6325 ops/sec [5.78 ms] 15346 ops/sec [3.62 ms] No Shuttle 7148 ops/sec [5.07 ms] 17821 ops/sec [3.01 ms] overhead 13% [14%] 16% [20%] Table II OVERHEAD IN THROUGHPUT (OPS/SEC) AND RESPONSE LATENCY (MS). full replay. The attack effects are removed because Shuttle loads a database snapshot instead of undoing every operation. As the malicious actions were not logged, they are not replayed and Shuttle recovers the application consistency. 27, The number of requests to replay is defined by the snapshot instant: on full replay Shuttle replays all requests performed after the intrusion instant, while on selective replay Shuttle replays the requests necessary to read the values of the entries before the intrusion and the tainted requests. While selective replay seems torecoveryjme have a big advantage comparing with full replay, which performs, in these scenarios, at least 38 620 requests, some applications have more dependencies thus the for1millionrequests number of tainted requests is bigger. For instance, if the order between questions with the same tag is considered as a dependency, the number of dependencies rises from 92 939 to 109 118 and the number of independent clusters decreases from 6992 to 56. C. Performance We evaluate Shuttle s performance considering the throughput of the application, the size of the logs and the recovery time. We also estimate the cost of deployment of Shuttle on a public cloud provider, Amazon Web Services (AWS). We run 6 AWS c3.xlarge instances (14 ECUs, 4 vcpus, 2.8 GHz, Intel 28, Xeon E5-2680v2, 7.5 GB of memory, 2 x 40 GB storage capacity) connected by gigabit ethernet (780Mbps measured with iperf, 0.176ms round-trip time measured with ping). We use one client, one instance with Shuttle proxy and a load balancer (HAProxy), three WildFly (formerly JBoss) application servers and one Voldemort database. We consider a large data sample from the data of Stack Exchange with 50 000 requests (1432 questions, 3399 answers, 8335 comments, 36834 votes, 950 Update latency (us) show Shuttle has accesses. 2000 1500 1000 500 N 0 5 10 15 20 25 Throughput (thousa (a) Workload A Figure Recovery. We m replay the sample cluster) takes appr clusters takes only We measured th instances on cluste Shuttle is scalable reducing the time half the time of 1 Requests per second 2500 2000 1500 1000 500 clu 0 00:00 05:00 10:00 15 Time (minu (a) Recove Figu We measured 14 th two clients with The serial replay application server (2953s total, 1100

CONCLUSION, 29, Conclusion CloudandIoT,agreatmatch Thingscommunicatewithscalablepla\orminthecloud Payasyougo,elasJcity Intrusionsmayhappeninmobiledevices SPD,anoveldeviceforauthenJcaJonanddataprotecJon Dataphysicallyisolated,protectedwithbiometrics Intrusionsmayhappeninthecloud ShuGle,arecoveryserviceforPaaSofferings LeveragestheresourceelasJcityandpayTperTusemodelto reducetherecoveryjmeandcosts 30, 15

THANK,YOU, HTTPS://WWW.PCASPROJECT.EU, HTTPS://GITHUB.COM/DNASCIMENTO/SHUTTLE, 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information