Flexible and Secure Services using Sensitive Information in the Cloud

Similar documents
5 Essential Characteristics of a Winning Virtualization Platform

Introduction to Cloud : Cloud and Cloud Storage. Lecture 2. Dr. Dalit Naor IBM Haifa Research Storage Systems. Dalit Naor, IBM Haifa Research

Using SUSE Cloud to Orchestrate Multiple Hypervisors and Storage at ADP

MANAGED SERVICE PROVIDERS SOLUTION BRIEF

SWIFT. Page:1. Openstack Swift. Object Store Cloud built from the grounds up. David Hadas Swift ATC. HRL 2012 IBM Corporation

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

Learn the Essentials of Virtualization Security

Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud

ILLUMIO ADAPTIVE SECURITY PLATFORM TM

Making a Smooth Transition to a Hybrid Cloud with Microsoft Cloud OS

Cloud Courses Description

Security. Environments. Dave Shackleford. John Wiley &. Sons, Inc. s j}! '**»* t i j. l:i. in: i««;

GPFS-OpenStack Integration. Dinesh Subhraveti IBM Research

Virtualization Technologies and Blackboard: The Future of Blackboard Software on Multi-Core Technologies

Encrypting Business Files in the Cloud

IaaS Cloud Architectures: Virtualized Data Centers to Federated Cloud Infrastructures

Cloud Courses Description

vsphere 6.0 Advantages Over Hyper-V

Introduction to OpenStack

Mobile Cloud Computing T Open Source IaaS

Virtual Datacenter or Virtualization in the datacenter. (OpenStack) Larry Rudolph

How To Make A Cloud Work For You

SUSE Cloud 2.0. Pete Chadwick. Douglas Jarvis. Senior Product Manager Product Marketing Manager

BDR TM for VMware. VMware BACKUP WITH VEMBU. VEMBU TECHNOLOGIES TRUSTED BY OVER 25,000 BUSINESSES

ILLUMIO ADAPTIVE SECURITY PLATFORM TM

Trends driving software-defined storage

RED HAT ENTERPRISE VIRTUALIZATION FOR SERVERS: COMPETITIVE FEATURES

Windows Server 2003 Migration Guide: Nutanix Webscale Converged Infrastructure Eases Migration

Effective End-to-End Cloud Security

Learn the essentials of virtualization security

OpenStack Cloud Migration:

Lecture 2 Cloud Computing & Virtualization. Cloud Application Development (SE808, School of Software, Sun Yat-Sen University) Yabo (Arber) Xu

BDR TM V3.0 DEPLOYMENT AND FEATURES

Covering my IaaS: Security and Extending the Datacenter. Brian Bourne Tadd Axon

HP Integration with Veeam Backup and Replication. Mark Hambelton Veeam EMEA Alliances SE

IOS110. Virtualization 5/27/2014 1

2) Xen Hypervisor 3) UEC

DATA SECURITY MODEL FOR CLOUD COMPUTING

Microsoft s Advantages and Goals for Hyper-V for Server 2016

Boas Betzler. Planet. Globally Distributed IaaS Platform Examples AWS and SoftLayer. November 9, IBM Corporation

Nessus or Metasploit: Security Assessment of OpenStack Cloud

How To Compare Cloud Computing To Cloud Platforms And Cloud Computing

cloud functionality: advantages and Disadvantages

Understand IBM Cloud Manager V4.2 for IBM z Systems

Security & Cloud Services IAN KAYNE

Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption

RED HAT OPENSTACK PLATFORM A COST-EFFECTIVE PRIVATE CLOUD FOR YOUR BUSINESS

OpenStack Introduction. November 4, 2015

Keyword: Cloud computing, service model, deployment model, network layer security.

AN INVESTIGATION OF SECURITY THEME FOR CLOUD COMPUTING

FLOSSK: FLOSSTalk OpenStack 22 nd February, Arturo Suarez: Founder, COO&BizDev StackOps 21/02/12 1

Endpoint protection for physical and virtual desktops

A New Strategy for Data Management in a Time of Hyper Change

Virtualization with Windows

Product Brochure. Hedvig Distributed Storage Platform Modern Storage for Modern Business. Elastic. Accelerate data to value. Simple.

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary

VMware vcloud Networking and Security Overview

Experience with Server Self Service Center (S3C)

Cloud Security. Let s Open the Box. Abu Shohel Ahmed ahmed.shohel@ericsson.com NomadicLab, Ericsson Research

Secure Cloud-Ready Data Centers Juniper Networks

High Availability with Windows Server 2012 Release Candidate

Cloud Security. One Size Does Not Fit All

CPET 581 Cloud Computing: Technologies and Enterprise IT Strategies. Virtualization of Clusters and Data Centers

Cloud Computing. A new kind of developers? Presentation by. Nick Barcet nick.barcet@canonical.com

Top virtualization security risks and how to prevent them

Cloud Sync White Paper. Based on DSM 6.0

Security and Cloud Compunting - Security impacts, best practices and solutions -

Netzwerkvirtualisierung? Aber mit Sicherheit!

Virtualization Forensics: Acquisition and analysis of a clustered VMware ESXi servers

Setting up a private cloud for academic environment with open source software

OpenStack Awareness Session

Operating Systems Virtualization mechanisms

Mobile Admin Security

Security and Privacy in Public Clouds. David Lie Department of Electrical and Computer Engineering University of Toronto

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1

Software Execution Protection in the Cloud

Private Clouds Can Be Complicated: The Challenges of Building and Operating a Microsoft Private Cloud

Toolbox.com Live Chat

Securing Virtual Applications and Servers

SECURE CLOUD COMPUTING

Simplified Private Cloud Management

MaxDeploy Hyper- Converged Reference Architecture Solution Brief

preliminary experiment conducted on Amazon EC2 instance further demonstrates the fast performance of the design.

Intro to NSX. Network Virtualization VMware Inc. All rights reserved.

Meeting Technology Risk Management (TRM) Guidelines from the Monetary Authority of Singapore (MAS)

Tufts University. Department of Computer Science. COMP 116 Introduction to Computer Security Fall 2014 Final Project. Guocui Gao

The VMware Administrator s Guide to Hyper-V in Windows Server Brien Posey Microsoft

Learn How to Leverage System z in Your Cloud

Distributed and Cloud Computing

Security That Ensures Tenants Do Not Pose a Risk to One Another In Terms of Data Loss, Misuse, or Privacy Violation

RightScale mycloud with Eucalyptus

Achta's IBAN Validation API Service Overview (achta.com)

Privacy-Preserving Distributed Encrypted Data Storage and Retrieval

Distributed Block-level Storage Management for OpenStack

OpenNebula Open Souce Solution for DC Virtualization. C12G Labs. Online Webinar

Data Security using Encryption in SwiftStack

Cloud Models and Platforms

CA Cloud Overview Benefits of the Hyper-V Cloud

BACKUP BEST PRACTICES FOR A XENSERVER & XENDESKTOP ENVIRONMENT

Ubuntu OpenStack on VMware vsphere: A reference architecture for deploying OpenStack while limiting changes to existing infrastructure

Transcription:

Flexible and Secure Services using Sensitive Information in the Cloud Sponsor: NSF IUCRC Fundamental Research Program In partnership with Microsoft and IBM Faculty: Doug Blough, Ling Liu, Dan Russler (Adjunct) Graduate Students: Kyle Bilbray, Emily Bragg, Jordan Brown, Michael Darakananda, Brian Laub, Yuzhe Tang, Jiaqi Xue

Background l Reluctance to host services with business-critical information and/or sensitive personal information in clouds Cloud resources are shared with other users, possibly even direct competitors Cloud providers typically have full and unfettered access to user data l Project goal: Develop and evaluate an architecture and underlying mechanisms for flexible, secure and privacy-preserving execution of services in clouds (use health as the driving application area)

Research Thrusts and Architecture l l l Information trust, integrity and provenance - signature schemes, information flow monitoring/control Leveraging cloud resources Remove host OS from trusted computing base Data fragmentation across multiple servers Operating on encrypted data Signing Service Encryp0on Service Health Data Providers Health Data Consumers Encrypted Opera0ons Encrypted Data Fragmented Key Store Policies Protected In- Memory Plain Text Data Unencrypted Opera0ons Applica0on Layer

l l l Current Research Emphases Flexible and secure object storage Encode object into multiple fragments (replicas, secret shares, erasure-coded pieces, etc.) Support many different encodings, including user-defined ones Store fragments across availability zones, administrative zones, and virtual nodes per user-specified requirements Programming support for use of protected memory Protected memory allocated by hypervisor, not visible to dom0 Create versions of malloc() and free() for allocation/deallocation of protected memory Provide support for protected code segments and protected function execution Granular information flow control Ability to perform fine-grain tracking of sensitive information flow and block unauthorized accesses

Primary Research Platform l 82-node cluster operated by GT-CERCS and running OpenStack (www.openstack.org) l OpenStack was started by Rackspace but now includes numerous companies, organizations, and individuals (~6700 people) l OpenStack provides compute, networking, and storage services (Swift) on top of any major hypervisor (KVM, Xen, VMWare, Hyper-V, etc.)

A Flexible and Secure Cloud Object Storage Service Cloud service that provides options for data storage to maintain privacy and robustness of sensitive data that needs to be operated on in the cloud Flexibility: give client control over how data is physically stored Security: protect against insider threats; minimize trust when surrendering data to cloud domain Availability: maintain always there property of cloud storage

Threats Failures Individual servers, racks, other physical infrastructure Entire data center Attacks Other cloud users/applications (VM isolation) Cloud provider s administrators Hypervisor-protected memory Separate administrative domains Service-level Service vulnerabilities Service provider s administrator s

Cloud Storage Node Organization Secret shares or erasure code fragments Share, fragment replicas AZ2 migration AZ3 Admin Zone A Admin Zone B Availability Zone 1

Example Use Cases l Strong confidentiality, availability Encrypt data on disk Secret share encryption key(s) across administrative zones (so data can be decrypted and operated on in protected memory) Replicate across availability zones l Strong availability, moderate confidentiality, better performance Erasure code data across administrative zones Replicate across availability zones

Storage Service Architecture Metadata about object encoding, fragment locations stored in protected memory and encrypted on disk

Implementation Status Modified build of OpenStack Swift 1.9.2 Client dictates per-bucket encoding Modular encoding API Secret sharing: xor (n,n), Shamir (k,n) Erasure coding Replication Have demonstrated simple PUT/GET interface with HTTPS communication, DELETE in progress Metadata encrypted via 256-bit AES using service master key, per-client key derivation/management in progress

Future Work Evaluation of robustness, performance, security Modeling protected memory New encoding strategies, e.g. GridSharing, intelligent fragment placement

Questions?

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information