You are on page 1of 18

Cloud Computing

Security and Privacy to gain Trust

SMARTEVENT 2010
September 23
Sophia Antipolis

Christian GOIRE
Cloud Computing Definition(s)
Gartner’s definition :
"a style of computing where
scalable and elastic IT-
related capabilities are
provided 'as a service' to
external customers using
Internet technologies."
Built on compute and storage virtualization, provides
scalable, network-centric, abstracted IT infrastructure,
platforms, and applications as on-demand services
that are billed by consumption.
Cloud computing is a model for enabling convenient, on-demand
network access to a shared pool of configurable computing
resources (e.g., networks, servers, storage, applications, and services)
that can be rapidly provisioned and released with minimal
management effort or service provider interaction.
This cloud model promotes availability and is composed of five essential
characteristics, three service models, and four deployment models.
08/12/21 NIST Definition
2
The NIST Cloud Definition Framework
Deployment Hybrid Clouds
Models
Private Community
Public Cloud
Cloud Cloud

Service Software as a Platform as a Infrastructure as a


Models Service (SaaS) Service (PaaS) Service (IaaS)

Essential On Demand Self-Service


Character-
Broad Network Access Rapid Elasticity
istics
Resource Pooling Measured Service

Common
Massive Scale Resilient Computing
Character-
istics Homogeneity Geographic Distribution
Virtualization Service Orientation
Low Cost Software Advanced Security

08/12/21 3
3 main
Services
Models

08/12/21 4
Cloud Providers – A Birds Eye View
Infrastructure
Infrastructure Platform
Platform Software
Software
as
asaaService
Service as
asaaService
Service as
asaaService
Service

08/12/21 5
Main aspects forming a cloud system

08/12/21 6
Expert group report (Excerpts)

Non- functional aspects

 Elasticity

 Reliability

 Quality of Service

 Agility and adaptability

 Availability

08/12/21 7
Continued (2)

Economic aspects

 Cost reduction

 Pay per use

 Improved time to market

 Return of investment

 Turning CAPEX into OPEX

 Going Green

08/12/21 8
Continued (3)

Technological Aspects

 Virtualisation

 Multi- tenancy

 Security, Privacy and compliance

 Data Management

 API’s and / or Programming Enhancements

 Metering

 Tools

08/12/21 9
Research time line (in year) of the
individual topics

08/12/21 10
Security and Privacy Challenges

The massive concentrations of resources and data


present a more attractive target to attackers

The challenges are not new but Cloud computing


intensifies them

08/12/21 11
Technical risks

Resource exhaustion
Isolation failure
Cloud provider malicious insider, abuse of high privilege
Management interface compromise
Intercepting data in transit
Data leakage on up /download, intra- cloud
Insecure or ineffective deletion of data
Distributed Denial of service DDoS
Economic denial of service EDOS
Loss of encryption keys
Undertaking malicious probes and scans
Compromise service engine
Conflicts between customer procedures and cloud

08/12/21 12
Policy and organizational risks

Lock -in
Loss of governance
Compliance challenges
Loss of business reputation due to co -tenant activities
Cloud service termination or failure
Cloud provider acquisition
Supply chain failure

08/12/21 13
Legal risk

Subpoena and e- discovery


Risk from change of jurisdiction
Data protection risk
Licensing risks

08/12/21 14
Research recommendations

Certification
processes and
standards for
the Cloud
08/12/21 15
Research recommendations

Metrics for security in cloud computing


Return on security investments
Effects of different forms reporting breaches on security
Techniques for increasing transparency /level of security
 Location tagging, data type tagging, policy tagging
 Privacy (data provenance) tracing data end to end
End to end data confidentiality in the cloud and beyond:
 Encrypted search (long term)
 Encrypted processing schemes (long term)
 Encryption and confidentiality tools for social applications in the
cloud
 Trusted computing in clouds, trusted boot sequence for virtual
machine stack
Standardization etc.

08/12/21 16
Legal recommendations

Legal issues to be resolved during the evaluation of the


contracts (ULA User Licensing Agreement, SLA Service
Level Agreement)
 Data protection
 Data security
 Data Transfer
 Law enforcement access
 Confidentiality and non disclosure
 Intellectual property
 Risk allocation and limitation of liability
 Change of control

08/12/21 17
Conclusion

Technology solutions ; privacy by design


Compliance with transparency provisions vis-à-vis
individuals
 Ensure that customers know about the location of their data
 Ensure that they properly understand the risks so that they make
informed choices
Current review process of the existing Data Protection
Directive

08/12/21 18

You might also like