Cloud Computing Security in the Tactical Environment the Difference a Year Makes

Similar documents
The Magical Cloud. Lennart Franked. Department for Information and Communicationsystems (ICS), Mid Sweden University, Sundsvall.

Building Resilient Systems: The Secure Software Development Lifecycle

emontage: An Architecture for Rapid Integration of Situational Awareness Data at the Edge

Architectural Implications of Cloud Computing

Moving Target Reference Implementation

Security Issues in Cloud Computing

Overview. CMU/SEI Cyber Innovation Center. Dynamic On-Demand High-Performance Computing System. KVM and Hypervisor Security.

Security Model for VM in Cloud

East African Information Conference th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud?

Security Management of Cloud-Native Applications. Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM)

SECURITY MODELS FOR CLOUD Kurtis E. Minder, CISSP

Exploring the Interactions Between Network Data Analysis and Security Information/Event Management

Security & Trust in the Cloud

A COALFIRE PERSPECTIVE. Moving to the Cloud. NCHELP Spring Convention Panel May 2012

Why Private Cloud? Nenad BUNCIC VPSI 29-JUNE-2015 EPFL, SI-EXHEB

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

Contracting Officer s Representative (COR) Interactive SharePoint Wiki

2012 CyberSecurity Watch Survey

Cyber Intelligence Workforce

INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS

Cloud Security. DLT Solutions LLC June #DLTCloud

A Secure System Development Framework for SaaS Applications in Cloud Computing

CLOUD TECH SOLUTION AT INTEL INFORMATION TECHNOLOGY ICApp Platform as a Service

Unmasking Virtualization Security. Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

The NIST Definition of Cloud Computing

Cloud Security Introduction and Overview

The NIST Definition of Cloud Computing (Draft)

Supply-Chain Risk Management Framework

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) (Case Study) James Stevens Senior Member, Technical Staff - CERT Division

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.

Keyword: Cloud computing, service model, deployment model, network layer security.


Panel on Emerging Cyber Security Technologies. Robert F. Brammer, Ph.D., VP and CTO. Northrop Grumman Information Systems.

Is it Time to Trust the Cloud? Unpacking the Notorious Nine

OWASP Chapter Meeting June Presented by: Brayton Rider, SecureState Chief Architect

Future of Cloud Computing. Irena Bojanova, Ph.D. UMUC, NIST

Service-Oriented Cloud Automation. White Paper

Digital Forensics for IaaS Cloud Computing

Considerations for Adopting PaaS (Platform as a Service)

Topics. Images courtesy of Majd F. Sakr or from Wikipedia unless otherwise noted.

Management of Security Information and Events in Future Internet

Intel Cloud Builder Guide to Cloud Design and Deployment on Intel Xeon Processor-based Platforms

Course 20533: Implementing Microsoft Azure Infrastructure Solutions

What Cloud computing means in real life

VERISIGN DDoS PROTECTION SERVICES CUSTOMER HANDBOOK

An Architecture Model of Sensor Information System Based on Cloud Computing

Public Cloud Security: Surviving in a Hostile Multitenant Environment

Running head: TAKING A DEEPER LOOK AT THE CLOUD: SOLUTION OR 1

Private Cloud Database Consolidation with Exadata. Nitin Vengurlekar Technical Director/Cloud Evangelist

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Intel IT s Cloud Journey. Speaker: [speaker name], Intel IT

Successfully Deploying Globalized Applications Requires Application Delivery Controllers

DISTRIBUTED SYSTEMS [COMP9243] Lecture 9a: Cloud Computing WHAT IS CLOUD COMPUTING? 2

How To Use Elasticsearch

What REALLY matters in Cloud Security? RE: Internet of things sensors, data, security and beyond!

Data Centers and Cloud Computing

Perspectives on Moving to the Cloud Paradigm and the Need for Standards. Peter Mell, Tim Grance NIST, Information Technology Laboratory

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

A Survey on Cloud Security Issues and Techniques

CA Automation Suite for Data Centers

RED HAT CONTAINER STRATEGY

Windows Embedded Security and Surveillance Solutions

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab

Cloud Customer Architecture for Web Application Hosting, Version 2.0

Deploying Public, Private, and Hybrid Storage Clouds. Marty Stogsdill, Oracle

VMware vcloud Powered Services

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

Cloud Computing Governance & Security. Security Risks in the Cloud

Implementing Microsoft Azure Infrastructure Solutions

Seeing Though the Clouds

Remote Voting Conference

Cloud computing: the state of the art and challenges. Jānis Kampars Riga Technical University

Compliance and Cloud Computing

FACING SECURITY CHALLENGES

A Systematic Method for Big Data Technology Selection

Extending AADL for Security Design Assurance of the Internet of Things

Top 10 Cloud Risks That Will Keep You Awake at Night

Windows Azure Platform

Intel Ethernet Switch Load Balancing System Design Using Advanced Features in Intel Ethernet Switch Family

Cloud Essentials for Architects using OpenStack

Emerging Approaches in a Cloud-Connected Enterprise: Containers and Microservices

Cloud Models and Platforms

Cloud Computing: Opportunities, Challenges, and Solutions. Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University

Cloud Security for Federal Agencies

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer

Requirements Engineering for SaaS Application Security in Cloud Using SQUARE Methodology

How To Protect Your Cloud Computing Resources From Attack

Transcription:

Cloud Computing Security in the Tactical Environment the Difference a Year Makes Panel Coordinator / Moderator: Noel Ellis (Eli) Johnson 260-429-5457 Email: Noel_E_Johnson@Raytheon.com This document does not contain technical data as defined by the International Traffic in Arms Regulations, 22 CFR 120.10(a), or technology as defined by the Department of Commerce Export Administration Regulations, and is therefore authorized for publication. Copyright Raytheon Company. All rights reserved. 1

UNCLASSIFIED Panel Topic & Members Panel Topic: Cloud Computing Security in the Tactical Environment, the Difference a Year Makes Panel Coordinator / Moderator, Noel Ellis (Eli) Johnson Raytheon Sr. Principal Systems Engineer, CISSP-ISSEP, CSSLP, Tactical Communications Solutions, multiple program supports as a Cybersecurity Subject Matter Expert, Dr. Jeff Boleng, Carnegie Mellon University, Software Solutions Division, Software Engineering Institute, Principal Research Scientist Professor; Elisa Bertino, Purdue University, Professor CS, Research Director of CERIAS, Director of Cyber Center, Mr. Randall Brooks, Raytheon, Raytheon Engineering Fellow, Member of the Technical Staff Mr. David A. Smith, Raytheon Certified Architect, Chair Cloud TIG C4I Business Area Technical Lead 2 UNCLASSIFIED

UNCLASSIFIED Panel Format Panel Topic: Cloud Computing Security in the Tactical Environment Each panel member will have 3-5 minutes to provide an initial position statement, Discussion based on initial position statements & moderator questions, Half hour will be reserved for questions from the audience, Each panel member will be provided 5 minutes final remarks, Noel Ellis (Eli) Johnson Raytheon Provide the context of challenges and opportunities of Cloud Computing Security in the Tactical Environment Opening position statements. Dr. Jeff Boleng, Carnegie Mellon University, Software Solutions Division, Software Engineering Institute, Professor; Elisa Bertino, Purdue University, Mr. Randall Brooks, Raytheon, Raytheon Engineering Fellow, Mr. David A. Smith, Raytheon Certified Architect, Chair Cloud TIG 3 UNCLASSIFIED

What is Cloud Computing? NIST SP 800-145, Mell and Grance, 2011 Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models. Essential Characteristics, Rapid Elasticity Resource Pooling Measured Service Broad network access On-demand self-service Service Models Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) Deployment Models Public Cloud, Hybrid Cloud, Private Cloud, Community Cloud, 4

UNCLASSIFIED Cloud Computing Security in the Tactical Environments, Not all Tactical Environments are the Same! Types of Cloud Computing Services Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS), Core Advantages Flexibility, Highly automated, Shared Resources, Increased storage, Pay for what your use, Back up and restoration, Easy installation and maintenance, Core Disadvantages Cost, Limited flexibility, Data security and privacy, Knowledge and integration, Dependence on outside agencies, Network connectivity and bandwidth, Long term stability of service provider, Service unavailability due to a variety of reasons, UNCLASSIFIED 5

UNCLASSIFIED USG & DoD Transitioning to the Cloud FedRAMP Federal Risk and Authorization Management Program Cloud computing for USG DoD Cloud Computing Security Requirements Guide (SRG) Version 1, Release 1, 1/13/2015 National Institute of Standards and Technology (NIST) Cloud Computing Strategy working paper, April 2011 USG Cloud Computing Technology Roadmap Volume 1 Release 1.0 (Draft) November 2011 NIST Federal Information Processing Standards (FIPS) and Special Publication (SP) Relevant to Cloud Computing FIPS 199; Minimum Security Requirements for Federal Information and Information Systems NIST SP 500-291; NIST Cloud Computing Standards Roadmap, Version 2.0, July 2013 NIST SP 500-292; NIST Cloud Computing Reference Architecture, September 2011, NIST SP 800-37; Guide for Applying the Risk Management Framework to Federal Information Systems; A Security Life Cycle Approach; NIST SP 800-53 Rev.4; Security and Privacy Controls for Federal Information systems and Organizations; NIST SP 800-53A Rev.3; Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Build Effective Assessment Plans; June 2010; NIST SP 800-92; Guide to Computer Security Log Management; September 2006 NIST SP 800-125; Guide to Security for Full Virtualization Technologies; January 2011 NIST SP 800-137; Information Security Continuous Monitoring for Federal Information Systems and Organizations; September 2011; NIST SP 800-144; Guidelines on Security and Privacy Issues in Public Cloud Computing, December 2011 NIST SP 800-145; The NIST Definition of Cloud Computing; September 2011 NIST SP 800-146; Cloud Computing Synopsis and Recommendations; May 2012 The Transition has begun: Is it secure? Will it meet the goals? UNCLASSIFIED 6

UNCLASSIFIED The Solution must address Keep Bad Guys & Malware Out Cloud Computing, COTS & GOTS Device(s) & Types Timely 7 UNCLASSIFIED

Introduction & Opening Statement of Panel Member Dr. Jeff Boleng, Carnegie Mellon University, Software Solutions Division, Software Engineering Institute, Cloud Security at the Edge Jeff Boleng, PhD Principal Research Scientist 8

Copyright 2015 Carnegie Mellon University and IEEE This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. DM-0002951 9

Jeff Boleng, PhD, CMU/SEI Dr. Jeff Boleng, PhD, Principal Research Scientist, Software Solutions Division, Software Engineering Institute, Carnegie Mellow University Since 2012, Advanced Mobile Systems Team Co-PI of Tactical Computing and Communications and Tactical Analytics research at SEI Research areas: Context Computing, Mobile Ad Hoc Networks, Scientific Computing, Parallel and Distributed Systems BS in CS from US Air Force Academy 1991, MS and PhD from Colorado School of Mines (1997 and 2002) in Mathematical and Computer Sciences 25 years experience as AF Cyber Operation Officer, deployable networks, command post integration, 21 st Mission Support Squadron Commander 8 years on faculty at USAFA as Associate Professor, 4 years as Deputy Computer Science Department Head 10

Securing the cloud Tail of two layers Infrastructure Services Securing each is different Infrastructure Largely virtualized Depends on security of every VM Services Secured by numerous external administrators Largest risk to the hypervisor is through poorly secured services 11

Securing the Services* Simplify! Simple, well defined, and enforced interfaces Do one thing and do it well -- Doug McIlroy Favor composability over monolithic design Assume components are compromised Use fail-safe/fail-secure design Never implicitly trust the results of another service Always ask What will my service do when it fails? *Note: these ideas aren t new or mine. Thanks to Ken Thompson, Dennis Ritchie, Brian Kernighan, Rob Pike, Doug McIlroy, Eric Raymond and others 12

Piping diagram of a Westinghouse Air Brake System - 1909 13

Elisha Otis s elevator patent drawing, 15 January 1861 14

Microservice architectures Modular operating system containers Docker and LXC OSv Unikernels and MirageOS CoreOS Intel Clear Containers Small, lightweight, typically single process, multithreaded VMs built with only the OS and library components necessary to support the code implementing the service 15

Microservice architectures Our experience on an embedded robotics sensor system OSv with nanomsg and protocol buffers on Xen 12Mb VM on disk, 60Mb VM when running Redis benchmark 30% faster in OSv container No other OS service running (i.e. only 1 or 2 ports open at all) Pros cohesion coupling Forces rigorous commitment to interfaces and standardization Small size on disk and in RAM Faster startup and migration Reduced attack surface and complexity High availability (redundancy, load balancing, fail over) techniques from data center experience directly applicable Cons Timing, network latency, etc. (all the distributed computing challenges) Startup and shutdown orchestration Service discovery 16

Simplicity is the ultimate sophistication -Leonardo da Vinci 17

Introduction & Opening Statement of Panel Member Professor; Elisa Bertino, Purdue University, Professor CS, Research Director of CERIAS, Director of Cyber Center, Sensor-Cloud: Opportunities and Research Directions Elisa Bertino Purdue University Cyber Center 18

Definitions and Conceptual Architecture Military Target Tracking Natural Disaster Relief What is a Sensor-Cloud? An Infrastructure supporting pervasive computation based on: sensors as an interface between physical and cyber worlds the cloud as the cyber backbone the Internet and wireless technologies as the communication medium IoT and NoT These recent trends will further accelerate the deployment of sensor networks and sensor-based applications Drones and UAV The use of these devices will multiply the opportunities for collecting data from (possibly mobile) sensors on-the-ground and for managing these sensors 19

Research Directions Network access management Encryption techniques for small devices Sensor software and firmware security Secure sensor localization techniques Provenance techniques for sensors Tools supporting the deployment and monitoring of sensors, and the design of sensor-based data collection applications Data fusion techniques to assess and enhance sensor data trustworthiness Fault-tolerant and reliable continuous data acquisition Efficient sensor streamed data processing techniques Event processing and management Privacy for sensor-based applications and data 20 Diagram from: A. Alamri et al. A Survey on Sensor-Cloud: Architectures, Applications, and Approaches, 2013.

Introduction & Opening Statement of Panel Member Mr. Randall Brooks, Raytheon, Raytheon Engineering Fellow, Member of the Technical Staff 21

Cloud Application (hosted VM) Cloud Application (hosted VM) App A App A App B App C Host Operating System Cloud Application (hosted VM) Cloud Application (hosted VM) Position Statement Cloud Security is difficult to achieve in a tactical environment. It is faced with connectivity issues, a lack of elasticity and limited Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) providers. SaaS Provider PaaS Server Farm Mobile User IaaS Server Farm Outer Router Firewall Proxy (Deep Packet Inspection) On Prem Server Farm Isolated Services 22

Cloud Application (hosted VM) Cloud Application (hosted VM) Cloud Application (hosted VM) Cloud Application (hosted VM) Cloud Computing Essential Characteristics: Rapid Elasticity Resource Pooling Measured Service Broad network access On-demand selfservice NIST SP 800-145, Mell and Grance, 2011 PaaS App A App A App B App C Host Operating System Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models. 23

Cloud Application (hosted VM) Cloud Application (hosted VM) Cloud Application (hosted VM) Cloud Application (hosted VM) Cloud Computing Models Deployment Models Public Cloud Hybrid Cloud Private Cloud Community Cloud SaaS Provider Service Models Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) PaaS Server Farm IaaS Server Farm App A App A App B App C Host Operating System 24

The Notorious Nine: Cloud Computing Top Threats Data Breaches Data Loss Account Hijacking Insecure APIs Denial of Service Malicious Insiders Abuse of Cloud Services Insufficient Due Diligence Shared Technology Issue 25

Introduction & Opening Statement of Panel Member Mr. David A. Smith, Raytheon Certified Architect, Chair Cloud TIG C4I Business Area Technical Lead 26

The Power of Cloud Applications (Mobile) User Interface Service Interfaces Service Processing Data Cloud Native Applications are built differently. Stateless services are composed of many separate, identical instances. Instances are added, deleted, and restarted by the application itself based on need. Security is built in, or not, to the application. Cloud Application Designs are Scalable and Resilient when connected 27

UNCLASSIFIED The Solution must address Keep Bad Guys & Malware Out Cloud Computing, COTS & GOTS Device(s) & Types Timely 28 UNCLASSIFIED

Closing Comments Mr. David A. Smith, Raytheon Certified Architect, Chair Cloud TIG C4I Business Area Technical Lead Mr. Randall Brooks, Raytheon, Raytheon Engineering Fellow, Member of the Technical Staff Professor; Elisa Bertino, Purdue University, Professor CS, Research Director of CERIAS, Director of Cyber Center, Dr. Jeff Boleng, Carnegie Mellon University, Software Solutions Division, Software Engineering Institute, Principal Research Scientist Panel Coordinator / Moderator, Noel Ellis (Eli) Johnson Raytheon Sr. Principal Systems Engineer, 29

Questions!! 30

Biography Noel Ellis (Eli) Johnson, CISSP-ISSEP, CSSLP Information Systems Security Engineer Business Unit: SAS Location: Fort Wayne Email: Noel_E_Johnson@Raytheon.com Office Phone: 260.429.5457 Mr. Johnson is a Senior Principal Engineer at Raytheon with over 26 years experience in designing security and information assurance (IA) solutions for the Defense and Commercial Telecommunications markets. Mr. Johnson recently was the Principal Investigator for secure mobility and supports the development and capture of a wide variety of crypto modern solutions for Type 1 applications as an IA subject matter expert. Mr. Johnson holds the following International Information Systems Security Certification Consortium (ISC) 2 certification credentials: Certified Information Systems Security Professional (CISSP) Information Systems Security Engineering Professional (ISSEP) Certified Secure Software Lifecycle Professional (CSSLP) Mr. Johnson supports the International Information Systems Security Certification Consortium (ISC) 2 Information Systems Security Engineering Professional (ISSEP) credential as a volunteer domain expert to perform Job Task Analyses and writes domain related items for the internationally recognized credential examination. 31 Mr. Johnson has published articles relating to Cryptographic Solutions for Mobile Devices and Secure Mobility in 2011 and 2012, presented at MILCOM 2012, panel chair for MILCOM 2014 & MILCOM 2015 relating to Cloud Computing Security.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information