Sapienza Università di Roma Dipartimento di Informatica e Sistemistica Information Sharing in the Cloud: Opportunities and Challenges Roberto Baldoni Università degli Studi di Roma La Sapienza baldoni@dis.uniroma1.it, http://www.dis.uniroma1.it/~baldoni/ Microsoft Faculty day Rome, Italy 16/9/2010
The case of Collaborative Cyber Security in the Financial Ecosystem. Outline: What is information sharing; Which applications can primarily benefit from it; Why cloud computing; Issues related to cloud computing: the case of the financial infrastructure.
What is information sharing? The term "information sharing" gained popularity as a result of the 9/11 Commission Hearings. The resulting commission testimony led to the enactment of several executive orders by President Bush that mandated agencies to implement policies to "share information" across organizational boundaries. (Wikipedia) Information sharing is a behavioral and not a technology issue. It includes: Cultural: the will to share and to collaborate; Governance: the importance of defining instruments for information sharing; Policy: the importance of defining rules for sharing; Economic: understanding the value of sharing.
What is information sharing? ... but technology can help along several directions: sharing huge amounts of information; sharing information in a timely manner; correlating the shared information. How is such information sharing done today in several contexts?
The case of Collaborative Cyber Security. A payment card fraud (2008): 100 compromised payment cards used by a network of coordinated attackers retrieving cash from 130 different ATMs in 49 countries worldwide, totaling 9 million US dollars. High degree of coordination: executed in half an hour, evading all the local monitoring techniques used for detecting anomalies in payment card usage patterns. The fraud was detected only later, after aggregating all the information gathered locally by each financial institution involved in the payment card scam.
Best Practices: Interac, the Canadian payment network. Creation of new services for citizens, used through ATMs. Information sharing for fraud protection. Assumption: frauds hurt each bank randomly. Action: sharing some banking account information.
Collaborative Sense-and-Response applications
Sense-and-response applications: monitoring; continuous control; command and control; mashup services; business intelligence.
Structure of a sense-and-respond application (figure): sensors -> event notification (basic events) -> data dissemination -> complex event processing (CEP) -> application level (warnings). Correctness factors: accuracy (no false warnings); completeness (no undetected actual warnings); timeliness (no late warnings).
Collaborative sense-and-respond applications. Some warnings cannot be detected by correlating local information only: the relevant events come from different organizations, across distinct administrative boundaries. Sharing information potentially improves all the correctness factors: improved accuracy; improved completeness; better timeliness.
Examples of collaborative sense-and-respond applications: Collecting Network Anomalies [Huang et al., SIGMETRICS 2007]. Known, documented network disruptions are reflected in the BGP routing data within that network; network-wide analysis can expose classes of network disruptions that are not detectable with existing techniques; different routing streams are correlated in real time to localize network disruptions.
Examples: collaborative sense-and-response applications. Smart Mobility: project involving Sapienza Univ. of Rome, Microsoft and the Municipality of Rome. Live Bing map (continuous queries); events injected by traffic operators (local media, local transportation companies), traffic, citizens, etc. Target: reducing the time to destination by assisting the person during the trip. Platform based on MS Azure to adapt to workload changes.
Sense-and-response application characteristics: it needs commodity resources (CPUs, in-memory storage, file system); it is characterized by an uneven workload. Cloud computing is the right platform for implementing collaborative sense-and-response applications.
Cloud computing: definitions are varied, but there are some common attributes (source: IBM Corporate Strategy analysis of MI, PR, AR and VCG compilations).
IT customers: flexible pricing; outsourced, on-demand provisioning; unlimited scaling; SW developer platform; flexible.
IT analysts: variable pricing; no long-term commitments; hosted, on-demand provisioning; massive, elastic scaling; standard Internet technology; abstracted infrastructure; service-oriented.
Press: pay by consumption; lower costs; on-demand provisioning; grid and SaaS combination; massive scaling; efficient infrastructure; simple and easy.
Financial analysts: utility pricing; multi-core chips; hosted, a-a-s (as-a-service) provisioning; parallel, on-demand processing; scalable; virtualized, efficient infrastructure; flexible.
Common attributes of clouds: flexible pricing; elastic scaling; rapid provisioning; advanced virtualization.
Frequently cited examples: Amazon Compute and Storage Services; Google App Services; Salesforce AppExchange.
Data management/policy problems in the cloud: jurisdiction and regulation (where and how will it be governed?); ownership of data (who owns the data in the cloud?); data portability (can you migrate between services?); data retention/permanence (what happens to data over time?); intellectual property; security and privacy (how is data secured and protected?); reliability, liability and quality of service (what happens when the cloud fails?).
The case of the Financial Critical Infrastructure
The case of Collaborative Cyber Security in the Financial Ecosystem: "webification" of critical financial services, such as home banking, online trading and remote payments; cross-domain interactions spanning different organizational boundaries are in place in financial contexts; heterogeneous infrastructure systems (such as telecommunication suppliers, banks and credit card companies) working on heterogeneous data.
The case of Collaborative Cyber Security in the Financial Ecosystem. Distributed Denial of Service attack (2007, Northern Europe): it rendered web-based financial services unreachable by legitimate users. The DDoS attack targeted a credit card company and two DNS servers. Internet connectivity was restored only after several trial-and-error activities carried out manually by the network administrators of the attacked systems and of their Internet Service Providers (ISPs). Long preparation time (days), short attack time (seconds).
The case of Collaborative Cyber Security in the Financial Ecosystem. Neither of the previous attacks can be detected quickly through the information available at the IT infrastructure of a single financial player (i.e., using local monitoring). Need for information sharing: exchange non-sensitive status information; set up agreements. Advantages of a global monitoring system: damage mitigation; quick reaction.
Barriers to collaboration: understanding the economics; trust; legal issues. (Figure: organizations such as Lloyds, UBS, France Telecom, AT&T, Unicredit, EDF and SWIFT exchanging events and warnings over the Internet.)
EU CoMiFin Project, www.comifin.eu
Collaborative Cyber Security: CoMiFin platform. CoMiFin offers FIs a platform for gaining the benefits of community-based collaboration over a business social network. The CoMiFin platform addresses needs considered important in the financial operator community (such as information security, data privacy, SLAs, contractual relationships for entering a community, certified anonymity, ...). The CoMiFin project has been submitted to three Financial Advisory Board (FAB) evaluation sessions, which highlighted its possible business value in real financial use cases. Some FAB members: SWIFT, SIA-SSB, IMI-SAN PAOLO, BANK OF ITALY, UBS.
Collaborative Cyber Security: CoMiFin platform. The CoMiFin platform can potentially be useful for addressing the following business use cases: monitoring and reaction to threats (MitM, stealthy scan, phishing, ...); black/white list distribution (for credit reputation, trust level, ...); anti-terrorism lists (with name-check VAS); anti-money-laundering monitoring; risk management support. These use cases imply value-added services that service providers (SPs) can offer to financial institutions (FIs) over CoMiFin.
The notion of semantic room (SR). Contract: the set of processing and data sharing services provided by the SR, along with the data protection, privacy, isolation, trust, security, dependability and performance requirements; the contract also contains the hardware and software requirements a member has to provision in order to be admitted into the SR. Objective: each SR has a specific strategic objective to meet (e.g., detecting large-scale stealthy scans or Man-in-the-Middle attacks). Deployment: highly flexible, to accommodate the use of different technologies for the implementation of the processing and sharing within the SR (i.e., the implementation of the SR logic or functionality).
The notion of semantic room: relationship with cloud computing
CoMiFin software architecture (figure; a contract governs each semantic room)
Semantic Room I: Preventing Stealthy Scan
Collaborative stealthy scan detection. The attacker performs port scanning simultaneously at multiple sites, trying to identify TCP/UDP ports that have been left open; those ports can then be used as attack vectors. Added value of collaboration: the ability to identify an attacker who tries to conceal his/her activity by accessing only a small number of ports within each individual domain. Actions taken: blacklist the IP addresses; update historical records.
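The point the stealthy-scan slide and the earlier payment-card-fraud slide share is that each organization's local view stays below any sensible threshold while the pooled view does not. The following Python sketch is an added illustration, not CoMiFin or Agilis code: it runs two windowed correlation rules (distinct countries per card, distinct ports per source address) first in "local" mode, where every organization correlates only its own events, and then in "global" mode, where the records of all members are pooled as inside a semantic room. The events, organization names, thresholds (WINDOW, MAX_COUNTRIES, MAX_PORTS) and the documentation-range addresses are all constructed for the example.

```python
"""Cross-organisation correlation sketch (added illustration, not CoMiFin/Agilis code).

Two rules run over constructed events from several organisations:
  - card rule: a card withdrawing cash in more than MAX_COUNTRIES distinct
               countries within WINDOW seconds
  - scan rule: a source address touching more than MAX_PORTS distinct ports
               within WINDOW seconds
Each rule is evaluated in "local" mode (every organisation sees only its own
events) and in "global" mode (events pooled as inside a semantic room).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    org: str    # organisation that observed the event
    ts: int     # seconds since the start of observation (constructed clock)
    kind: str   # "withdrawal" or "probe"
    key: str    # card id (withdrawal) or source IP address (probe)
    attr: str   # country code (withdrawal) or destination port (probe)


WINDOW = 1800      # 30 minutes, matching the half-hour ATM scheme on the slide
MAX_COUNTRIES = 2  # assumed threshold: >2 countries per card in one window
MAX_PORTS = 3      # assumed threshold: >3 distinct ports per source in one window


def detect(events, threshold):
    """Windowed correlation: return {key: timestamp of first alert}.

    For each event, keep the key's events that fall within WINDOW and alert
    once the number of distinct attributes exceeds the threshold.
    """
    recent = defaultdict(list)   # key -> [(ts, attr)] still inside the window
    first_alert = {}
    for e in sorted(events, key=lambda x: x.ts):
        window = [(t, a) for t, a in recent[e.key] if e.ts - t <= WINDOW]
        window.append((e.ts, e.attr))
        recent[e.key] = window
        distinct = {a for _, a in window}
        if e.key not in first_alert and len(distinct) > threshold:
            first_alert[e.key] = e.ts
    return first_alert


def local_detection(events, threshold):
    """Local monitoring: each organisation correlates only what it observed."""
    alerts = {}
    for org in {e.org for e in events}:
        own = [e for e in events if e.org == org]
        for key, ts in detect(own, threshold).items():
            alerts[key] = min(ts, alerts.get(key, ts))
    return alerts


def global_detection(events, threshold):
    """Global monitoring: the shared records of all organisations are pooled."""
    return detect(events, threshold)


def run_rules(events):
    """Evaluate both rules in both modes; values map keys to first-alert times."""
    withdrawals = [e for e in events if e.kind == "withdrawal"]
    probes = [e for e in events if e.kind == "probe"]
    return {
        "card_local": local_detection(withdrawals, MAX_COUNTRIES),
        "card_global": global_detection(withdrawals, MAX_COUNTRIES),
        "scan_local": local_detection(probes, MAX_PORTS),
        "scan_global": global_detection(probes, MAX_PORTS),
    }


def blacklist(events):
    """Action of the stealthy-scan room: sources that alerted on pooled data."""
    probes = [e for e in events if e.kind == "probe"]
    return sorted(global_detection(probes, MAX_PORTS))


# Constructed sample: one card cashed out at four banks in four countries within
# 15 minutes; a travelling cardholder two days apart; a scanner touching two
# ports at each of three organisations; one benign connection from elsewhere.
SAMPLE_EVENTS = [
    Event("BankIT", 0, "withdrawal", "card-A", "IT"),
    Event("BankDE", 300, "withdrawal", "card-A", "DE"),
    Event("BankUS", 600, "withdrawal", "card-A", "US"),
    Event("BankJP", 900, "withdrawal", "card-A", "JP"),
    Event("BankIT", 0, "withdrawal", "card-B", "IT"),
    Event("BankFR", 172800, "withdrawal", "card-B", "FR"),
    Event("OrgA", 10, "probe", "203.0.113.7", "22"),
    Event("OrgA", 20, "probe", "203.0.113.7", "80"),
    Event("OrgB", 30, "probe", "203.0.113.7", "443"),
    Event("OrgB", 40, "probe", "203.0.113.7", "3389"),
    Event("OrgC", 50, "probe", "203.0.113.7", "445"),
    Event("OrgC", 60, "probe", "203.0.113.7", "8080"),
    Event("OrgA", 15, "probe", "198.51.100.5", "80"),
]

if __name__ == "__main__":
    for name, alerts in run_rules(SAMPLE_EVENTS).items():
        print(f"{name:12s} {alerts}")
    print("blacklist:", blacklist(SAMPLE_EVENTS))
```

On this sample, local mode raises no alert at all (every bank sees one country per card, every organisation sees two ports per source), while global mode flags the card at the third country (600 s) and the scanner at the fourth port (40 s): completeness and timeliness improve only because records are pooled. Note that the shared record carries nothing beyond the key, the attribute, a timestamp and the observing organisation, which is the kind of non-sensitive status information the slides propose to exchange.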
Example of semantic room for stealthy scan: ingredients. WebSphere eXtreme Scale (WXS): in-memory distributed storage. High-level language for the processing logic: Jaql (SQL-like, supports flows). Distributed processing runtime: MapReduce. Distributed file system for long-term storage: HDFS. Agilis consists of a distributed network of processing and storage elements hosted on a cluster of machines (possibly geographically dispersed).
Data Dissemination: Agilis
Example of semantic room for stealthy scan: architecture
Collaborative stealthy scan detection with Agilis (figure: detection of a stealthy scan)
Conclusion. Information sharing is mandatory to reason about a complex world: for security, and for enhancing productivity and the economy. Cloud computing can provide the necessary technological commodities to cope with such complexity. Privacy vs. information sharing: the dilemma of the 21st century.