• No results found

A web-application architecture for Secure Cloud Computing

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "A web-application architecture for Secure Cloud Computing"

Copied!
36
0
0

Loading.... (view fulltext now)

Download now ( 36 Page )

Full text

(1)

A web-application

architecture for

(2)

In the beginning...

 Your data-center

 Your mainframe or

mini-computer

 Your network

 Your Operations staff

 Your single-tiered, monolithic applications Hardware OS DB App KM PIN CCN Internal Operations Internal Network Company Perimeter

(3)

The PC-LAN

 Your data-center  Your PC server  Your PC client  Your network  Your firewall

 Your Operations staff

 Your two-tiered, client-server Hardware OS DB KM Internal Operations Internal Network Hardware OS App PIN CCN

(4)

The WWW

 Your data-center

 Your PC servers

 Your network

 Your firewall

 Your Operations staff

 Your three-tiered, web

applications Hardware OS DB KM Internal Operations Internal Network Company Perimeter Hardware OS AppSrv PIN CCN I Hardware OS Browser

(5)

The Public Cloud

Hardware OS DB App KM Hypervisor

? ? ? ?

PIN CCN CSP Operations CSP Network

 Cloud Service Provider's

(CSP) data-center  CSP's hardware  CSP's Hypervisor  CSP's Network  CSP's Operations staff  Unknown guests in VMs

(6)

EKM in the Public Cloud?

LAN HSM Internal Operations Internal Network Company Perimeter Hardware OS DB App Hypervisor

? ? ? ?

PIN CCN CSP Operations CSP Network CSP Perimeter
(7)

EKM with SaaS?

Internal Operations

SaaS Application Users

EKMI V P N Hardware API OS

? ? ? ?

?

SaaS Operations SaaS Network Web Application I
(8)

What's missing?

Methodology to use the Cloud without

being vulnerable

Controls to ensure that neither CSP nor

(9)

The Paradigm Shift

Regulatory

Compliant Cloud

Computing (RC3)

Architecture to

secure

data in the Cloud

with

(10)

RC3 Characteristics

1) Data-classification

2) Separate processing zones

(11)

RC3 Data Classification

Class-1

Sensitive and regulated dataSSN, CCN, ACH, Medical, etc.

Class-2

Sensitive but unregulated data

Application Credentials, Salaries, Sales figures, etc.

Class-3

(12)

Data – Before RC3

Bank Account AID 12345678 Firstname Jane Lastname Smith SSN 111-22-4444 BranchID 123 AccountType 1 DateOpened 02/02/2012 Balance 794.25 .... Class-1 data Class-2 data
(13)

Data – After RC3

Bank Account AID 9999000000023745 Firstname 9999000000071847 Lastname 9999000000071849 SSN 9999000000088764 BranchID 123 AccountType 1 DateOpened 02/02/2012 Balance 794.25 .... Class-3 data
(14)

Data – Before RC3

Patient PID 1234567 SSN 111-222-5555 Firstname John Lastname Smith Gender M DateOfBirth 03/03/1953 BloodType O+ .... Blood Report PID 1234567 ReportDate 04/04/2012 RBC 5.1 WBC 7.5 .... Class-1 data Class-2 data Class-1 data Class-2 data
(15)

Data – After RC3

Patient PID 9999000000023745 SSN 9999000000057599 Firstname 9999000000045910 Lastname 9999000000045911 Gender M DateOfBirth 03/03/1953 BloodType O+ .... Blood Report PID 9999000000023745 ReportDate 04/04/2012 Class-3 data
(16)

RC3 Zones

Regulated Zone (Secure Zone)

Class-1 and Class-2 data-processing & storage

Enterprise Key Management Infrastructure (EKMI)

 Cloud Zone (Public Zone)

Class-3 data-processing & storage

Can, optionally, store C1/C2 tokens (C3-equivalent)

− NO CRYPTOGRAPHY

NO IDENTITY MANAGEMENT SYSTEM

(17)
(18)

Company Perimeter

Basic web application

Web-site Customer Details Product Details Shipping Details Payment Details Web Application Server Transaction Confirmation 1 2

(19)

With Redirection

Web Application Server Transaction Confirmation 2 Payment Processor Payment Details Customer Details Product Details Shipping Details 3 4 1 Payment Confirmation Company Perimeter
(20)

SECURE CLOUD COMPUTING

FOR E-COMMERCE

(21)

E-COMMERCE - 1

Regulated Zone Web Application IAM 1 Authentication Credentials Cloud Zone WebApp
(22)

Regulated Zone Web Application Cloud Zone WebApp

E-COMMERCE - 2

2 2 Session Token Session Token Company Perimeter or MSP
(23)

Regulated Zone Web Application Customer ID Address Order Detail Cloud Zone WebApp 3

E-COMMERCE - 3

Session Token Customer ID Address Order Detail
(24)

Regulated Zone Web Application Customer ID Address Order Detail Cloud Zone WebApp

E-COMMERCE - 4

Company Perimeter or MSP 4 Session Token Customer ID Name

Credit Card Number Card Expiry Date Card Verification Value Amount

Phone

(25)

Regulated Zone Web Application CCN Name 5 CCN

E-COMMERCE - 5

Customer ID Address Order Detail Cloud Zone WebApp
(26)

E-COMMERCE - 6

Regulated Zone Web Application CCN Name 6 Token Customer ID Address Order Detail Cloud Zone WebApp Company Perimeter or MSP
(27)

Regulated Zone Web Application CCN Name Customer ID Address Order Detail Token Cloud Zone WebApp

E-COMMERCE - 7

Token 7
(28)

Regulated Zone CCN Name 5 CCN Web Application 6 Token Customer ID Address Order Detail Token Cloud Zone WebApp

FULL TRANSACTION

Token 7 Company Perimeter or MSP 3 Session Token Customer ID Address Order Detail 4 Session Token Customer ID Name

Credit Card Number Card Expiry Date Card Verification Value Amount

Phone

(29)

HOW DO YOU TRANSITION

TO RC3?

(30)

Regulated Zone CCN Name 6 Token CCN Name 5 CCN Web Application

RC3 in the Enterprise

7 4 3 Customer ID Address Order Detail Token Public Zone Web Application Session Token Customer ID Name

Credit Card Number Card Expiry Date Card Verification Value Amount Phone E-mail address Company Perimeter or MSP Session Token Customer ID Address Order Detail Token

(31)

CCN Name 6 Token CCN Name 5 CCN Web Application

RC3 in Private Clouds

7 3 Session Token Customer ID Name

Credit Card Number Card Expiry Date Card Verification Value Amount Token Customer ID Address Order Detail Token Cloud Zone openstack WebApp Session Token Customer ID Address Order Detail

(32)

Regulated Zone CCN Name 6 Token CCN Name 5 CCN Web Application Customer ID Address Order Detail Token Cloud Zone WebApp

RC3 in Public Clouds

Token 7 4 3 Session Token Customer ID Name

Credit Card Number Card Expiry Date Card Verification Value Amount Phone E-mail address Company Perimeter or MSP Session Token Customer ID Address Order Detail

(33)

RC3 rules for the Cloud

 Do NOT store/use cryptographic keys in the Cloud

 Do NOT store/use plaintext sensitive data in the Cloud

 Do NOT store credentials to anything in the Cloud

 Do NOT use CSP-supplied cryptographic keys

 DO change your Server SSL keys very frequently

 DO consider digitally signing/verifying Cloud data in

the Regulated Zone

(34)

RC3 Case Study

 e-commerce company in US (ticket marketplace)

 Private Cloud

 Millions of documents

Sizes ranging from a few kilobytes to megabytes

 Needed automatic ramp-up/ramp-down capability

(35)

Resources

 Regulatory Compliant Cloud Computing (RC3)

http://www.ibm.com/developerworks/cloud/library/cl-regcloud/index.htmlhttp://www.infoq.com/articles/regulatory-compliant-cloud-computing

http://bit.ly/rc3issa

 Cryptographic engine (enables RC3 applications)

http://www.cryptoengine.org

 CryptoCabinet (RC3 sample application)

(36)

Questions?

 Contact Information

Arshad Noor

[email protected]+1 (408) 331-2001

http://www.infoq.com/articles/cloud-data-encryption-infrastructure http://www.ibm.com/developerworks/cloud/library/cl-regcloud/index.html http://www.infoq.com/articles/regulatory-compliant-cloud-computing http://bit.ly/rc3issa http://www.cryptoengine.org http://www.cryptocabinet.org

References

Download now ( PDF - 36 Page - 758.78 KB )

Related documents

Developer Guide To The. Virtual Merchant

This payment form will gather information from your customer such as the name displayed on their credit card, card number, expiration date, billing and shipping address, as well

TSYS Tokenization and Card Processing

Credit Card on File (CCOF) card data is stored on TSYS infrastructure with a token representing the card is stored in Spot.. When a CCOF transaction is processed the token stored

Swedbank Payment Portal Implementation Overview

The merchant may wish to consider storing the card expiry, masked card number and token against a customer profile on their system which would remove the need to query a transaction

Privacy Impact Assessment. NFIP Map Service Center

As already described in questions 3.6 and 3.7 above, individual customer name, home address, credit card number, expiration date, and NFIP Map Service Center order number

Classification of Brain Hemorrhage using Textural Analysis

Within the allotted time, we were able to do the following; 1) extracted the skull, 2) attain the foreground marker which is the hemorrhage region, 3) superimpose the

Force & Motion

gapw;rp :- gpd;tUk; tiuig mbg;gilahff; nfhz;L fPNo Nfl;fg;gLk; Nfs;tpfSf;F tpil jUf.. tiufpd; gb

Research of Raw Material Inventory Management of PH Company

Under this background of the economy, the product life cycles must be shorter and shorter, products kinds are more and more, and the delivery time of customer requirement

Effects of Service Brand Identity Building on Brand Performance in the Insurance Sector of Kenya

The study adopts the quantitative social survey research approaches and utilizes a sample of 214 insurance entities, the study validates a three-dimensional service brand