Secure Cloud Computing: An Architecture Ontology Approach
Forces Driving Cloud Computing ‐ The New IT Era
Cloud Computing Value
Cloud Computing Challenge
Unified Ontology of Cloud Computing
(http://www.cs.ucsb.edu/~lyouseff/CCOntology/CloudOntology.pdf)
Lamia Youseff, University of California, Santa Barbara; Maria Butrico, Dilma Da Silva
Layers, top to bottom:
• Cloud Application (SaaS)
• Cloud Software Environment (PaaS)
• Cloud Software Infrastructure: Computational Resources (IaaS), Storage (DaaS), Communications (CaaS)
• Software Kernel
• Firmware / Hardware (HaaS)
Tactical Employment Issues
• Internet connectivity assumed
• SOA platform
  ◦ Security management
  ◦ Application service discovery and management
  ◦ Workflow orchestration
Ontology Modifications for Tactical Cloud Computing
Elements added to the unified ontology, layer by layer:
• Access Management, placed above the Cloud Application (SaaS) layer
• Cloud Software Environment (PaaS): Workflow Orchestration – Policy Engine; Security API; Services / Services Discovery; Service Management
• Cloud Software Infrastructure: Computational Resources (IaaS), Storage (DaaS), Communications (CaaS); Network Connectivity; Network Security
• Software Kernel
• Firmware / Hardware (HaaS)
Tactical Cloud Computing Ontology
• Access Management
• Cloud Application (SaaS)
• Cloud Software Environment (PaaS): Workflow Orchestration – Policy Engine; Security API; Services / Services Discovery; Service Management
• Cloud Software Infrastructure: Computational Resources (IaaS), Storage (DaaS), Communications (CaaS); Network Connectivity; Network Security
• Software Kernel
• Firmware / Hardware (HaaS)
Ontology Modification – Federated SOA
• Global Governance / Dynamic Tasking (added at the top of the tactical ontology)
• Access Management
• Cloud Application (SaaS)
• Cloud Software Environment (PaaS): Workflow Orchestration – Policy Engine; Security API; Services / Services Discovery; Service Management
• Cloud Software Infrastructure: Computational Resources (IaaS), Storage (DaaS), Communications (CaaS); Network Connectivity; Network Security
• Software Kernel
• Firmware / Hardware (HaaS)
Secure Cloud Computing – An Approach
• Access Management
  ◦ “Out of Band” authentication
• Cloud Application (SaaS): Workflow Orchestration – Policy Engine
• Cloud Software Environment (PaaS): Security API; Services / Services Discovery; Service Management
  ◦ Use of services
  ◦ Binding of service
  ◦ COI driven
• Cloud Software Infrastructure: Computational Resources (IaaS), Storage (DaaS), Communications (CaaS); Network Connectivity; Network Security
  ◦ Network Security management: no VPN; “Data in Motion” security
  ◦ Computational Resources: VM management
  ◦ Storage: data-centric security model; “Data at Rest” security; COI driven access
• Software Kernel
• Firmware / Hardware (HaaS)
SecureParser®
Inputs: Document, E-mail, Database, Video, Map, Imagery
Cryptographically splits data and creates physically separate, fault-tolerant shares
CDIP & COI Framework
High-efficiency cryptographic module:
• Provably-secure Computational Secret Sharing
• Cryptographic Data Splitting
• Data Integrity Protection
• Modules can be changed out, e.g. AES could be replaced with a Type I encryption if requirements call for it
Processing modules: Random Bit Split, AES Encryption, Share Authentication, “M of N” Fault Tolerance
Physically Separate Shares
• Written to Storage – Data at Rest
• Written to Networks – Data in Motion
• Created at any IO point in the system
User Definable
• Number of Shares
• Fault Tolerance
• Key Management
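The random bit split, share authentication and “M of N” fault tolerance modules listed above can be illustrated with a small Shamir-style splitter. This is an added example written for this page, not SecureParser code (the slide does not show its implementation): it shares a secret such as an AES key byte-wise over GF(2^8), tags each share with an HMAC under an assumed separately managed MAC key, and drops any share whose tag fails before reconstructing. The AES encryption of the payload and the dispersal of the ciphertext that computational secret sharing adds are not shown.

```python
import hashlib
import hmac
import secrets
from functools import reduce
from operator import xor

# GF(2^8) arithmetic with the AES reduction polynomial x^8+x^4+x^3+x+1 (0x11b)
def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11b
        b >>= 1
    return r

def gf_inv(a):  # a^254 == a^-1 in GF(2^8), since a^255 == 1 for every nonzero a
    return reduce(gf_mul, [a] * 254, 1)

def tag(mac_key, x, share):  # share authentication: HMAC over (share index, share bytes)
    return hmac.new(mac_key, bytes([x]) + share, hashlib.sha256).digest()

def split(secret, m, n, mac_key):  # Shamir-split SECRET byte-wise into N tagged shares
    shares = [bytearray() for _ in range(n)]
    for s in secret:
        # the random coefficients are the 'random bit split'; s is the constant term
        coeffs = [s] + [secrets.randbelow(256) for _ in range(m - 1)]
        for x in range(1, n + 1):
            y = 0
            for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
                y = gf_mul(y, x) ^ c
            shares[x - 1].append(y)
    return [(x, bytes(sh), tag(mac_key, x, bytes(sh))) for x, sh in enumerate(shares, 1)]

def combine(shares, m, mac_key):  # drop shares whose tag fails, rebuild from M good ones
    good = [(x, y) for x, y, t in shares if hmac.compare_digest(t, tag(mac_key, x, y))][:m]
    if len(good) < m:
        raise ValueError("fewer than M authentic shares; cannot reconstruct")
    basis = []  # Lagrange basis at x=0: l_j = prod_{k!=j} xk / (xj - xk); '-' is XOR here
    for xj, _ in good:
        num = den = 1
        for xk, _ in good:
            if xk != xj:
                num, den = gf_mul(num, xk), gf_mul(den, xj ^ xk)
        basis.append(gf_mul(num, gf_inv(den)))
    # each secret byte is the XOR of (share byte * basis coefficient) over the M shares
    return bytes(reduce(xor, (gf_mul(yj[i], lj) for (_, yj), lj in zip(good, basis)), 0)
                 for i in range(len(good[0][1])))
```

Any M authentic shares reconstruct the original bytes; a tampered share fails its tag and is skipped, and with fewer than M authentic shares left the reconstruction is refused rather than returning garbage.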
Independent Testing and Evaluation
2005 CWID: AFCA assessment & AF C2 Battle Lab demo
“…as demonstrating the potential to be labeled as an MLS/PL-4 System…”
2005 DISA: Technical Information Panel (TIP)
“…found to have merit for further evaluation and consideration for use as an information assurance technology…potential to fundamentally alter the way storing and securing of data is approached.”
2006 SOCOM: National Center for the Study of Counter-terrorism and Cybercrime
IV&V completed successfully for SOCOM MLS Pilot Project
2006 EUCOM Combined Endeavor: Joint Interoperability Test Center (JITC)
“…value of the SecureParser was obvious. This capability not only offers increased security of data, but reduces costs by eliminating the need for redundant resources.”
2008 Selected by DISA as a demonstration solution for CWID’08 - June 08
Network Centric Operations Industry Consortium
Mission
Our mission is to facilitate global realization of the benefit inherent in Network Centric Operations. To that end, we seek to enable continuously increasing levels of interoperability across the spectrum of joint, interagency, intergovernmental, and multinational industrial and commercial operations. We will execute this mission in good faith as a global organization with membership open to all enterprises in quest of applying the vast potential of network centric technology to the operational challenges faced by our nations and their citizens.
Past successes
◦ Network Centric Analysis Tool (NCAT)
◦ NCOIC Interoperability Framework (NIF)
Future
◦ Develop “operational art” in support of netcentric operations
◦ Support operational art advances through collaboration (Government, Industry, Non-profits, Interest Groups)
◦ Provide value to members
Use of NCOIC developed process provided differentiator in recent European procurement for a member company
NCOIC Patterns addressing interoperability concerns of member
Cloud Computing Operational Art
Embrace collaboration
• OSD – tactical Cloud Computing
• TIGR – Government Cloud Computing
• Cloud Interoperability Forum
Use Operational and Capability pattern process to develop Cloud Computing Technical Patterns
Identify key netcentric operations interoperability requirements and preferences within identified technical patterns
Iterate with NCOIC stakeholder companies and government organizations
Use Capability and Operational patterns to validate operational impact of reduced cloud interoperability
Leverage analysis to drive cloud interoperability recommendations and best practices
Thank You !
http://cloudcomputing.dataline.com
http://govcloud.ulitzer.com