Security in Changing IT Ecosystem: Virtualization and Cloud Computing Dr. Dhiren Patel Indian Institute of Technology Gandhinagar, India dhiren@iitgn.ac.in
Cloud Computing World is further shrinking!!! a large-scale distributed computing paradigm a pool of managed computing power, storage, and services <abstracted, virtualized, dynamically-scalable> provisioning of services - dynamically configured and delivered on demand to external customers over the Internet
Services purchase services in the form of Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS), IT-as-a-Service (ITaaS), and sell value-added services (on "utility" basis) to other users Cloud clients will be able to add more capacity at peak demand, reduce costs, experiment with new services, and remove unneeded capacity
Computational and Sociological implications Delocalizing hardware and software resources Usage-based pricing model Build-Once-Run-Anywhere e.g. Google Apps a developer tool that enables you to run your web applications on Google's infrastructure allow startups to use Google's web servers, APIs, and other developer tools to build a web app on top of the pay-as-you-go pricing allows businesses on both ends of the spectrum to enjoy the "full service" Benefiting - Governments, Institutes, SMB, large Industry - to solve their ever-increasing computing and storage problems
Cloud from where?. The cloud is no longer an if but a when and the when is actually now!!! Amazon S3, EC, SimpleDB Google GAE Microsoft Azure IBM Blue cloud VMware vcloud Express Cisco - WebEx Salesforce Force.com platform, Bungee Labs, Keroku, Rackspace, Kaavo s IMOD, Go grid Morfik's Ajax platform etc.
Challenges
Challenges Network boundaries are disappearing!! There are no perimeters for defining an insider operational stability and security of critical information infrastructure higher level interoperability desires of services, to security provisions in Cloud CC shifts control over data and operations - how to ensure the confidentiality, integrity, and availability of information? Security processes, once visible, are now hidden behind layers of abstraction
Over lapping - Distributed, Cluster, Grid and Cloud Computing Scope
Specific Challenges Why would a startup want to hand over that much control and dependence to a big Internet company? Having a web app built and deployed with a specific provide makes it much easier for that provider to eventually acquire that web app!!!!!!?????? Paradigm shift - develop business processes in software, without having a clue about the processes themselves!!!! obvious influence of national policies, agencies and most of all economic risks!!!
Provider/Consumer Goals/Challenges the unpredictability of consumer demand, software and hardware failures, heterogeneity of services, power management, and conflicting signed Service Level Agreements (SLAs) between consumers and service providers Overestimating the provision of resources would lead to resource underutilization and, consequently, a decrease in revenue for the provider
Needs - Challenges The desire to continually load balance and optimize for performance, energy, availability, and other SLA-level goals that customers pay attention to, the problem becomes further complicated, creating more opportunities for misconfiguration and malicious conduct. This calls for highly automated end-to-end security with a heavier emphasis on strong isolation, integrity and resiliency
Solution Directives considerable assurances that services are highly reliable and available, as well as secure and safe, and that privacy is protected (i) encryption schema to ensure that the shared storage environment safeguards all data; (ii) stringent access controls to prevent unauthorized access to the data; and (iii) scheduled data backup and safe storage of the backup media
Trusted Computing Initiative and TPM adoption TCI important five components the specific chip, a `curtained memory' feature in the CPU, a security kernel in the operating system, a security kernel in each TC application a back-end infrastructure of online security servers maintained by hardware and software vendors to tie the whole thing together
Combined Efforts legal issues arise, such as e-discovery, regulatory compliance (including privacy), and auditing commit to storing and processing data in specific jurisdictions obey local privacy requirements on behalf of the customer national security concerns support to SAML (Security Assertion Markup Language) single sign-on - access to multiple Grid sites Privileged user access Authentication <multi factor> and Authorization RBAC model Research / Development / Implementation issues
Solution Directives Novel network addressing to virtual machine mechanics and instances Data centric security instead of protecting the containers [servers] in which the data lie, you focus on the data itself Location specific encryption/decryption Granular control and security ownership Cooperation between competing service providers!!! coordinated resource allocation, reservation
Concluding Remarks Cloud is very promising phenomenon Building implicit level of trust as well as an explicit level of vigilance to ensure success Security in an organization performs the same function as a brake for the automobile. Though it acts to stop the car, in reality it enables the car to go much faster!! When it comes to security innovation, don t ask why it might fail? Instead, imagine why it will succeed?
Thank you For your Time and Attention Dr. Dhiren Patel Professor of CSE IIT GN dhiren@iitgn.ac.in