Cloud Trends & Security Challenges
Chunming Rong
Chair (CloudCom)
Director (CIPSI)
Professor (UiS)
[email protected]
Center for IP-based Service Innovation
University of Stavanger
Computing in Clouds
(figure: 2009, 2010, 2011)

Hype Cycle for Emerging Technologies, 2010
(figure: network hierarchy and international standards – PAN/BAN: IEEE 802.15, Bluetooth, ETSI HiperPAN; LAN: Ethernet, IEEE 802.11 WLAN, ETSI HiperLAN; MAN: IEEE 802.16a WMAN, ETSI HiperMAN, WiMax; WAN/BWA: IEEE 802.16, ETSI HiperAccess, IEEE 802.20 Mobile BWA, 3G; backbone: fibre, radio link, satellite; plus wireless sensor network, operator workstation, ERP and a virtualized computing resource)
Origin of the term “Cloud Computing”
• “Comes from the early days of the Internet where we drew the network as a cloud… we didn’t care where the messages went… the cloud hid it from us”
  – Kevin Marks, Google
• Cloud 1.0 – networking: TCP/IP abstraction
• Cloud 2.0 – documents: WWW data abstraction
• The emerging Cloud 3.0 – abstracts infrastructure complexities of servers, applications, data, and heterogeneous platforms
Connected ≠ Cloud
Definition by NIST (v16)
• Cloud computing is a model for enabling
  – convenient, on-demand network access
  – to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services)
  – that can be rapidly provisioned and released
  – with minimal management effort or service provider interaction.
The NIST Cloud Definition Framework
• Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds
• Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
• Essential Characteristics: On Demand Self-Service, Broad Network Access, Resource Pooling, Rapid Elasticity, Measured Service
• Common Characteristics: Massive Scale, Homogeneity, Virtualization, Low Cost Software, Resilient Computing, Geographic Distribution, Service Orientation, Advanced Security
Alternative Descriptions
• Massive, abstracted (virtualized) infrastructure
  – Components decided for you
• Dynamic provisioning, scaling, location
  – Resource on-demand
  – Pay per use
• No long-term commitments
• OS, application architecture independent
Cloud Computing Services
(figure: Cloud: Evolution of Hosting – labels: Physical Servers; Virtualized Physical Servers; Virtualized Resources Management; Cloud Computing Services; Cloud Computing Management Services: Workload Management, Provisioning, Monitoring, Self-service Portal, VM Templates, SLA, Billing, Metering, Capacity Planning, Administration Workflows; hosting types: Enterprise Cloud, Private Cloud, Web Hosting Cloud, Consumer Large Scale Cloud)
Infrastructure as a Service (IaaS)

Platform as a Service (PaaS)

Software as a Service (SaaS)

Data as a Service
(figure: cloud service stack – Infrastructure as a Service, Platform as a Service, Application as a Service, Information Services, Business Services, with Management & Security spanning the layers; Cloud Enabler: Virtual Servers, Virtual Middleware, Virtual Application)
Cloud vs Grid
• Cloud = Grid + Elasticity?
  – dynamically created services in grid
    • e.g. WSRF: Web Services Resource Framework
• Data intensive computing
  – Focus on data amount, not speed
• Easy to use and to develop applications
  – By common users (no expert requirement)
• Openness – Shareability and Freedom
  – Open software
  – Open services
Developments in Information Technology
✓ Moore’s law – doubling of computing and storing capacity every 18 months
✓ 1.2 billion users on the Internet – increase of 30 million per month
✓ Semantic Web
  – Web Services
  – Ontologies
✓ The new IT waves
  – Automation
  – Data everywhere (wireless)
  – Cyber communities
  – Cloud computing
  – …
(figure: Computing and storing capacity 1970-2015; axis marks 1970, 2006, 2015)
Oceans of Data, Skinny Pipes
• 1 Terabyte
  – Easy to store
  – Hard to move

Disks               MB/s      Time
Seagate Barracuda   115       2.3 hours
Seagate Cheetah     125       2.2 hours

Networks            MB/s      Time
Home Internet       < 0.625   > 18.5 days
Map-Reduce Programming Paradigm
US Patent 7,650,331: “System and method for efficient large-scale data processing”.
Functional-style code automatically parallelized and scheduled in a distributed system.
(figure: Map/Reduce pipeline of alternating Map and Reduce stages)
Hadoop
Open-source Java MapReduce for reliable, scalable, distributed computing.
Subprojects:
– Hadoop Common: The common utilities that support the other Hadoop subprojects.
– Avro: A data serialization system that provides dynamic integration with scripting languages.
– Chukwa: A data collection system for managing large distributed systems.
– HBase: A scalable, distributed database that supports structured data storage for large tables.
– HDFS: A distributed file system that provides high throughput access to application data.
– Hive: A data warehouse infrastructure that provides data summarization and ad hoc querying.
– MapReduce: A framework for distributed processing of large data sets on compute clusters.
– Pig: A high-level data-flow language and execution framework for parallel computation.
– ZooKeeper: A high-performance coordination service for distributed applications.
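As an added example, not code from the slides or from the Hadoop project, here is a single-process Python model of the Map/Reduce paradigm described above: the user supplies map and reduce functions, the framework runs the map tasks over the input splits, shuffles intermediate pairs by key, partitions keys across reducers and merges the output. Two jobs (word count and an inverted index) run on the same engine to show that the framework, not the application, owns scheduling and data movement. The sample splits and the crc32 partitioner are constructed for this example.

```python
# Added example (not from the slides or from Hadoop): a single-process model of
# the Map/Reduce paradigm. map emits (key, value) pairs per input split, the
# framework shuffles values by key, and reduce folds each key's values.
import re
import zlib
from collections import defaultdict
from typing import Any, Callable, Dict, Iterator, List, Tuple

# Constructed sample input: each string stands in for one input split (e.g. one HDFS block).
SPLITS = [
    "the cloud hid it from us",
    "the cloud is a model for on-demand network access",
    "we did not care where the messages went",
]

Pair = Tuple[Any, Any]


def run_mapreduce(splits: List[str],
                  mapper: Callable[[int, str], Iterator[Pair]],
                  reducer: Callable[[Any, List[Any]], Pair],
                  n_reducers: int = 2) -> Dict[Any, Any]:
    """Framework side: map every split, shuffle by key, partition keys across
    reducers, reduce each partition and merge the outputs."""
    intermediate: List[Pair] = []
    for split_id, split in enumerate(splits):
        # Map tasks are independent, so a cluster runs them in parallel; here they run in sequence.
        intermediate.extend(mapper(split_id, split))

    # Shuffle: group every value emitted for a key.
    grouped: Dict[Any, List[Any]] = defaultdict(list)
    for key, value in intermediate:
        grouped[key].append(value)

    # Partition: a deterministic hash decides which reducer owns each key.
    partitions: List[Dict[Any, List[Any]]] = [dict() for _ in range(n_reducers)]
    for key, values in grouped.items():
        partitions[zlib.crc32(repr(key).encode()) % n_reducers][key] = values

    # Reduce: each partition is processed independently; outputs are merged.
    output: Dict[Any, Any] = {}
    for partition in partitions:
        for key, values in partition.items():
            out_key, out_value = reducer(key, values)
            output[out_key] = out_value
    return output


# --- Job 1: word count (user code is only these two small functions) ----------
def tokenize(line: str) -> List[str]:
    return re.findall(r"[a-z0-9-]+", line.lower())


def wc_map(_split_id: int, line: str) -> Iterator[Pair]:
    for word in tokenize(line):
        yield word, 1


def wc_reduce(word: str, counts: List[int]) -> Pair:
    return word, sum(counts)


def word_count(splits: List[str]) -> Dict[str, int]:
    return run_mapreduce(splits, wc_map, wc_reduce)


# --- Job 2: inverted index (which splits mention each word) -------------------
def ii_map(split_id: int, line: str) -> Iterator[Pair]:
    for word in set(tokenize(line)):
        yield word, split_id


def ii_reduce(word: str, split_ids: List[int]) -> Pair:
    return word, sorted(set(split_ids))


def inverted_index(splits: List[str]) -> Dict[str, List[int]]:
    return run_mapreduce(splits, ii_map, ii_reduce)


if __name__ == "__main__":
    print(word_count(SPLITS))
    print(inverted_index(SPLITS))
```

The point of the split is the one the slides make about problem-centric programming: the two jobs differ only in their map and reduce functions, while partitioning, grouping and (in a real cluster) fault handling live in the framework.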
Desiderata for Data Intensive Systems
• Focus on Data
  – Terabytes, not tera-FLOPS
• Problem-Centric Programming
  – Platform-independent expression of data parallelism
• Interactive Access
  – From simple queries to massive computations
• Robust Fault Tolerance
  – Component failures are handled as routine events
System Comparison: Data
Conventional High Performance Computing:
– Data stored in separate repository
  • No support for collection or management
– Brought into system for computation
  • Time consuming
  • Limits interactivity
Data Intensive Computing:
– System collects and maintains data
  • Shared, active data set
– Computation collocated with storage
  • Faster access
System Comparison: Programming Models
Conventional High Performance Computing:
– Programs described at very low level
  • Specify detailed control of processing & communications
– Rely on small number of software packages
  • Written by specialists
  • Limits classes of problems & solution methods
(stack: Hardware → Machine-Dependent Programming Model → Software Packages → Application Programs)
Data Intensive Computing:
– Application programs written in terms of high-level operations on data
– Runtime system controls scheduling, load balancing, …
(stack: Hardware → Machine-Independent Programming Model → Runtime System → Application Programs)
Wikipedia Page Views Monitoring
User Centric Cloud
• Resource available in the “Cloud”
  – Without dependence on, or concern about, a physical server at a physical location
• Service follows you & your devices
• Accessible anywhere
• Sharing with others
(figure: messages, calendar, maps, multimedia, news, contacts, VoIP, storage, …)
Requirements by Today’s Users
• Accessibility
  – Access from anywhere and from multiple devices
• Shareability
  – Make sharing as easy as creating and saving
• Freedom
  – Users don’t want their data held hostage
• Simplicity
  – Easy-to-learn, easy-to-use
• Security
  – Trust that data will not be lost or seen by unwanted parties
Sharing Data among Clouds

New Security Issues
• (Often) unknown resource location
• Multi-tenancy: protect against other users
• Virtual Machine image security
  – Maliciously modified images (or apps)
• Over-allocation of dynamic resources
  – Intentional
    • scheduling DoS attack (with stolen account)
  – Unintentional
    • runaway jobs
• …
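As an added example that is not from the slides, the following Python sketch shows one mitigation for the over-allocation issue listed above: per-tenant admission control in a shared scheduler. A concurrency limit and a cpu-hour budget bound what one account can take from the pool, whether the cause is a runaway job or a stolen account submitting work, and a runaway check kills jobs that run far past their declared time and records the event for the operations team. Tenant names, quota values, the pool size and the 2x runaway factor are constructed assumptions.

```python
# Added example (not from the slides): per-tenant admission control and
# runaway-job detection for a shared compute pool.
from dataclasses import dataclass
from typing import Dict, List, Tuple

RUNAWAY_FACTOR = 2.0   # assumption: a job past 2x its declared time is treated as runaway


@dataclass
class Quota:
    max_concurrent_jobs: int   # slots one tenant may hold at once
    max_cpu_hours: float       # cpu-hour budget for the scheduling window


@dataclass
class Job:
    job_id: str
    tenant: str
    cpus: int
    declared_hours: float      # the tenant's own runtime estimate
    started_at: float = 0.0    # scheduler clock, in hours


class TenantScheduler:
    """Admission control: every submission is checked against the tenant's
    quota and the pool before it gets a slot; every decision is logged."""

    def __init__(self, quotas: Dict[str, Quota], pool_cpus: int) -> None:
        self.quotas = quotas
        self.pool_cpus = pool_cpus
        self.running: Dict[str, Job] = {}
        self.cpu_hours_used: Dict[str, float] = {t: 0.0 for t in quotas}
        self.events: List[str] = []   # audit trail for monitoring/alerting

    def _reject(self, job: Job, reason: str) -> Tuple[bool, str]:
        self.events.append(f"REJECT {job.job_id} tenant={job.tenant} reason={reason}")
        return False, reason

    def submit(self, job: Job, now: float) -> Tuple[bool, str]:
        quota = self.quotas.get(job.tenant)
        if quota is None:
            return self._reject(job, "unknown tenant")
        held = sum(1 for j in self.running.values() if j.tenant == job.tenant)
        if held >= quota.max_concurrent_jobs:
            return self._reject(job, "concurrent job limit reached")
        requested = job.cpus * job.declared_hours
        if self.cpu_hours_used[job.tenant] + requested > quota.max_cpu_hours:
            return self._reject(job, "cpu-hour budget exhausted")
        if sum(j.cpus for j in self.running.values()) + job.cpus > self.pool_cpus:
            return self._reject(job, "pool has no free cpus")
        job.started_at = now
        self.running[job.job_id] = job
        self.cpu_hours_used[job.tenant] += requested   # reserve the declared cost up front
        self.events.append(f"ADMIT {job.job_id} tenant={job.tenant}")
        return True, "admitted"

    def complete(self, job_id: str, now: float) -> None:
        """Settle the reservation against actual use: refund unused time or charge the overrun."""
        job = self.running.pop(job_id)
        actual = job.cpus * (now - job.started_at)
        self.cpu_hours_used[job.tenant] += actual - job.cpus * job.declared_hours
        self.events.append(f"DONE {job_id}")

    def tick(self, now: float) -> List[str]:
        """Periodic check: kill jobs past RUNAWAY_FACTOR x declared time; returns killed ids."""
        killed = []
        for job_id, job in list(self.running.items()):
            if now - job.started_at > RUNAWAY_FACTOR * job.declared_hours:
                self.events.append(f"KILL {job_id} tenant={job.tenant} reason=runaway")
                self.complete(job_id, now)
                killed.append(job_id)
        return killed


def demo() -> dict:
    """Constructed scenario: one tenant, 2 slots, 16 cpu-hours, 32-cpu pool."""
    s = TenantScheduler({"tenant-a": Quota(max_concurrent_jobs=2, max_cpu_hours=16.0)}, pool_cpus=32)
    r = {}
    r["j1"] = s.submit(Job("j1", "tenant-a", cpus=4, declared_hours=1.0), now=0.0)
    r["j2"] = s.submit(Job("j2", "tenant-a", cpus=4, declared_hours=1.0), now=0.0)
    r["j3"] = s.submit(Job("j3", "tenant-a", cpus=1, declared_hours=0.5), now=0.0)   # third slot: refused
    s.complete("j2", now=0.5)                                                         # used 2 of 4 reserved
    r["j4"] = s.submit(Job("j4", "tenant-a", cpus=8, declared_hours=2.0), now=0.5)   # 16 cpu-h: over budget
    r["killed"] = s.tick(now=2.5)                                                     # j1 declared 1h, ran 2.5h
    r["used"] = s.cpu_hours_used["tenant-a"]
    r["events"] = s.events
    return r


if __name__ == "__main__":
    for line in demo()["events"]:
        print(line)
```

The budget is charged on admission and settled on completion, so a tenant cannot exceed its window budget by under-declaring runtime: the overrun is charged when the job ends or is killed, and the KILL/REJECT events give a monitoring pipeline something to alert on.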
Questions from Users
• Where is my information?
• Who controls it?
  – How to prove my data ownership?
• Who has access?
• Who is it being shared with?
  – How to protect my privacy?
• How is it being used?
• Who is looking out for my interests?
• How to assure the information is authentic?
Legal Issues
• Applicable law and competent jurisdiction
• Data leakage protection
• Data privacy
  – Directive 95/46/EC on protection of individuals w.r.t. processing and free movement of personal data
• Information authenticity
• Intellectual property
• Law enforcement
  – local authority access to data and info
• Liability of the stakeholders
• Subcontracting
• Interoperability
Transfer of data outside the EEA?
The Directive prohibits transfers of personal data to countries which do not ensure an adequate level of protection, unless:
• Data Subject’s Consent – not convenient
• Safe Harbor Principles – only to the US
• Model Contracts – only ‘point to point’ transfer
• Binding Corporate Rules – only within the same company’s entities
(Ref. Articles 25-26)
SDOs
• IEEE Cloud Computing Standard Study Group (IEEE CCSSG)
• International Standard Organization (ISO)
• Cloud Security Alliance (CSA)
• Open Grid Forum (OGF)
• International Telecommunications Union (ITU)
  – ITU Cloud Computing Focus Group
• Distributed Management Task Force (DMTF)
• Storage Networking Industry Association (SNIA)
• Open Cloud Consortium (OCC)
• Organization for the Advancement of Structured Information Standards (OASIS)
• Internet Engineering Task Force (IETF)
• European Telecommunications Standards Institute (ETSI)
Cross-SDO Cloud Standards
• Standards are needed across different Standard-Developing Organizations (SDOs) in order to achieve interoperability among clouds
  – Network architecture
  – Data format
  – Metering and billing
  – Quality of Service (QoS)
  – Provisioning
  – Security, Privacy, Identity
  – …

Possible Cloud Standards
• Federated security across clouds
• Federated cloud storage
• Cloud Data Leakage Prevention (DLP)
• Data interoperability across clouds
• Cloud monitoring and management standards
• Cloud development and deployment standards
• Application portability across different IaaSs
Cloud Storage – Pros.
• Extreme capacity of storage
• On-demand service provision
• Elasticity of scale
• Pay per use
• Ubiquitous availability
Cloud Storage – Cons. (current issues)
• Users have no control over
  – cloud services, cloud platforms, cloud infrastructure
• The trust issue
• How do you prevent
  – illegal sharing
  – malicious access by the server
Storing data on a cloud is like keeping your money in a stranger’s pocket.

Data Leakage Prevention (DLP)
(figure: Data Display, Data in Transit, Data Storage)
Data Storage with untrusted Provider

A Cloud DLP Solution
(figure: Publisher, Cloud Storage, and data objects A, B, C)
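One way to keep data safe with an untrusted provider, added here as an example and not the scheme the slides present: the client encrypts each object and computes a MAC over the object name, nonce and ciphertext before upload, so the provider holds only opaque bytes and cannot read, alter or swap objects without the owner detecting it on retrieval. This addresses the “malicious access by the server” and “how to assure the information is authentic” points above. Python standard library only; the HMAC-based counter-mode keystream stands in for AES-GCM, and the master key, object names and contents are constructed for the demo.

```python
# Added example (not from the slides): client-side encrypt-then-MAC before
# handing objects to an untrusted storage provider.
import base64
import hashlib
import hmac
import os
from typing import Callable, Dict

Blob = Dict[str, str]


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based stream cipher. Used only so the
    example runs on the standard library; deploy AES-GCM from a vetted library instead."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def derive_keys(master: bytes) -> tuple:
    """Separate encryption and MAC keys derived from one master key."""
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def seal(master: bytes, object_id: str, plaintext: bytes) -> Blob:
    enc_key, mac_key = derive_keys(master)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # The tag also covers the object name, so a blob served under another name fails verification.
    tag = hmac.new(mac_key, object_id.encode() + nonce + ct, hashlib.sha256).digest()
    return {"nonce": _b64(nonce), "ct": _b64(ct), "tag": _b64(tag)}


def unseal(master: bytes, object_id: str, blob: Blob) -> bytes:
    """Verify the tag first (constant-time compare), then decrypt. Raises ValueError on mismatch."""
    enc_key, mac_key = derive_keys(master)
    nonce, ct, tag = _unb64(blob["nonce"]), _unb64(blob["ct"]), _unb64(blob["tag"])
    expected = hmac.new(mac_key, object_id.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError(f"integrity check failed for {object_id}")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class UntrustedProvider:
    """Stand-in for cloud storage: it holds whatever it is given; the demo also
    lets it misbehave (alter bytes, serve the wrong object)."""
    def __init__(self) -> None:
        self.store: Dict[str, Blob] = {}

    def put(self, object_id: str, blob: Blob) -> None:
        self.store[object_id] = blob

    def get(self, object_id: str) -> Blob:
        return self.store[object_id]


def _raises(fn: Callable[[], object]) -> bool:
    try:
        fn()
    except ValueError:
        return True
    return False


def demo() -> dict:
    master = hashlib.sha256(b"constructed demo key").digest()   # constructed; use a KDF/KMS-managed key in practice
    provider = UntrustedProvider()
    provider.put("report.txt", seal(master, "report.txt", b"quarterly numbers"))
    provider.put("notes.txt", seal(master, "notes.txt", b"nothing to see"))

    results = {}
    results["roundtrip"] = unseal(master, "report.txt", provider.get("report.txt"))
    results["provider_sees_plaintext"] = b"quarterly" in _unb64(provider.store["report.txt"]["ct"])

    # Misbehaviour 1: provider flips one ciphertext byte.
    tampered = dict(provider.get("report.txt"))
    ct = bytearray(_unb64(tampered["ct"]))
    ct[0] ^= 0x01
    tampered["ct"] = _b64(bytes(ct))
    results["tamper_detected"] = _raises(lambda: unseal(master, "report.txt", tampered))

    # Misbehaviour 2: provider serves notes.txt when report.txt was requested.
    results["swap_detected"] = _raises(lambda: unseal(master, "report.txt", provider.get("notes.txt")))
    return results


if __name__ == "__main__":
    print(demo())
```

What this does not cover is availability: a provider can still delete or withhold objects, which is why the user-centric requirement of “data not held hostage” needs backups or replication across providers rather than cryptography.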