IS 2620: Developing Secure Systems
The Cloud Computing Paradigm
Some of the slides are taken from “Effectively and Securely Using the Cloud Computing Paradigm” by Peter Mell and Tim Grance from NIST
2/16/2012
Agenda
• Understanding Cloud Computing
• Cloud Computing Security
• Secure Cloud Migration Paths
• Foundational Elements of Cloud Computing
• Security & Privacy Challenges
• Policy Management
Understanding Cloud Computing
Origin of the term “Cloud Computing”
• “Comes from the early days of the Internet where we drew the network as a cloud… we didn’t care where the messages went… the cloud hid it from us” – Kevin Marks, Google
• First cloud around networking (TCP/IP abstraction)
• Second cloud around documents (WWW data abstraction)
• The emerging cloud abstracts infrastructure complexities of servers, applications, data, and heterogeneous platforms (“muck” as Amazon’s CEO Jeff Bezos calls it)
A Working Definition of Cloud Computing
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
Essential Cloud Characteristics
• On-demand self-service
  – Get computing capabilities as needed automatically
• Broad network access
  – Services available over the net using desktop, laptop, PDA, mobile phone
Essential Cloud Characteristics (Cont.)
• Resource pooling
  – Location independence
  – Provider resources pooled to serve multiple clients
• Rapid elasticity
  – Ability to quickly scale in/out service
• Measured service
  – control, optimize services based on metering
Cloud Service Models
• Cloud Software as a Service (SaaS)
  – Use provider’s applications over a network
  – User doesn’t manage or control the network, servers, OS, storage or applications
• Cloud Platform as a Service (PaaS)
  – Users deploy their applications on a cloud
  – Users control their apps
  – Users don’t manage servers, IS, storage
Cloud Service Models (Cont.)
• Cloud Infrastructure as a Service (IaaS)
  – Rent processing, storage, network capacity, and other fundamental computing resources
  – Consumers get access to the infrastructure to deploy their stuff
  – Don’t manage or control the infrastructure
  – Do manage or control the OS, storage, apps, selected network components
• To be considered “cloud” they must be deployed on top of cloud infrastructure that has the key characteristics
Service Model Architectures
[Figure: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) architectures, each drawn as combinations of SaaS, PaaS and IaaS layers on top of cloud infrastructure]
Cloud Deployment Models
• Private cloud
  – single org only, managed by the org or a 3rd party, on or off premise
• Community cloud
  – shared infrastructure for specific community
  – several orgs that have shared concerns, managed by org or a 3rd party
Cloud Deployment Models (Cont.)
• Public cloud
  – Sold to the public, mega-scale infrastructure available to the general public
• Hybrid cloud
  – composition of two or more clouds bound by standard or proprietary technology
Common Cloud Characteristics
• Cloud computing often leverages:
  – Massive scale
  – Homogeneity
  – Virtualization
  – Resilient computing
  – Low cost software
  – Geographic distribution
  – Service orientation
  – Advanced security technologies
The NIST Cloud Definition Framework
[Figure: the NIST cloud definition framework]
• Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds
• Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
• Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
• Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security
Cloud Computing Security
Security is the Major Issue
General Security Advantages
• Shifting public data to an external cloud reduces the exposure of the internal sensitive data
• Cloud homogeneity makes security auditing/testing simpler
• Clouds enable automated security management
• Redundancy / Disaster Recovery
General Security Challenges
• Trusting vendor’s security model
• Customer inability to respond to audit findings
• Obtaining support for investigations
• Indirect administrator accountability
• Proprietary implementations can’t be examined
• Loss of physical control
Security Relevant Cloud Components
• Cloud Provisioning Services
• Cloud Data Storage Services
• Cloud Processing Infrastructure
• Cloud Support Services
• Cloud Network and Perimeter Security
• Elastic Elements: Storage, Processing, and Virtual Networks
Provisioning Service
• Advantages
  – Rapid reconstitution of services
  – Enables availability
    – Provision in multiple data centers / multiple instances
  – Advanced honey net capabilities
• Challenges
  – Impact of compromising the provisioning service
Data Storage Services
• Advantages
  – Data fragmentation and dispersal
  – Automated replication
  – Provision of data zones (e.g., by country)
  – Encryption at rest and in transit
  – Automated data retention
• Challenges
  – Isolation management / data multi-tenancy
  – Storage controller
    – Single point of failure / compromise?
  – Exposure of data to foreign governments
Cloud Processing Infrastructure
• Advantages
  – Ability to secure masters and push out secure images
• Challenges
  – Application multi-tenancy
  – Reliance on hypervisors
  – Process isolation / Application sandboxes
Cloud Support Services
• Advantages
  – On demand security controls (e.g., authentication, logging, firewalls…)
• Challenges
  – Additional risk when integrated with customer applications
  – Needs certification and accreditation as a separate application
  – Code updates
Cloud Network and Perimeter Security
• Advantages
  – Distributed denial of service protection
  – VLAN capabilities
  – Perimeter security (IDS, firewall, authentication)
• Challenges
  – Virtual zoning with application mobility
Cloud Security Advantages
• Data Fragmentation and Dispersal
• Dedicated Security Team
• Greater Investment in Security Infrastructure
• Fault Tolerance and Reliability
• Greater Resiliency
• Hypervisor Protection Against Network Attacks
• Possible Reduction of C&A Activities (Access to Pre-Accredited Clouds)
Cloud Security Advantages (Cont.)
• Simplification of Compliance Analysis
• Data Held by Unbiased Party (cloud vendor assertion)
• Low-Cost Disaster Recovery and Data Storage Solutions
• On-Demand Security Controls
• Real-Time Detection of System Tampering
• Rapid Re-Constitution of Services
• Advanced Honeynet Capabilities
Cloud Security Challenges
• Data dispersal and international privacy laws
  – EU Data Protection Directive and U.S. Safe Harbor program
  – Exposure of data to foreign government and data subpoenas
  – Data retention issues
• Need for isolation management
• Multi-tenancy
• Logging challenges
• Data ownership issues
• Quality of service guarantees
Cloud Security Challenges (Cont.)
• Dependence on secure hypervisors
• Attraction to hackers (high value target)
• Security of virtual OSs in the cloud
• Possibility for massive outages
• Encryption needs for cloud computing
  – Encrypting access to the cloud resource control interface
  – Encrypting administrative access to OS instances
  – Encrypting access to applications
  – Encrypting application data at rest
• Public cloud vs internal cloud security
• Lack of public SaaS version control
Obstacles & Opportunities
Unique Features
• Outsourcing Data and Applications
• Extensibility and Shared Responsibility
• Multi-tenancy
• Service-Level Agreements
• Virtualization and Hypervisors
• Heterogeneity
• Compliance and Regulations
Security Implications
Security and Privacy Challenges
• Authentication and Identity Management
  – interoperability
  – password-based: inherited limitation
  – How multi-tenancy can affect the privacy of identity information isn’t yet well understood.
  – multi-jurisdiction issue
  – integrated with other security components.
Security and Privacy Challenges
• Access Control and Accounting
  – Heterogeneity and diversity of services, as well as the domains’ diverse access requirements
  – capture dynamic, context, or attribute- or credential-based access requirements
  – integrate privacy-protection requirements
  – interoperability
  – capture relevant aspects of SLAs
Security and Privacy Challenges
• Trust Management and Policy Integration
  – compose multiple services to enable bigger application services
  – efficiently capturing a generic set of parameters required for establishing trust and to manage evolving trust and interaction/sharing requirements
  – address challenges such as semantic heterogeneity, secure interoperability, and policy-evolution management.
Security and Privacy Challenges
• Secure-Service Management
  – WSDL can’t fully meet the requirements of cloud computing services description
  – issues such as quality of service, price, and SLAs
  – automatic and systematic service provisioning and composition framework that considers security and privacy issues
Security and Privacy Challenges
• Privacy and Data Protection
  – storing data and applications on systems that reside outside of on-premise datacenters
  – shared infrastructure, risk of potential unauthorized access and exposure.
  – Privacy-protection mechanisms must be embedded in all security solutions.
  – Provenance
  – Balancing between data provenance and privacy
Security and Privacy Challenges
• Organizational Security Management
  – shared governance can become a significant issue if not properly addressed
  – Dependence on external entities
  – the possibility of an insider threat is significantly extended when outsourcing data and processes to clouds.
Security and Privacy Approaches
• Authentication and Identity Management
  – User-centric IDM
  – users control their digital identities and takes away the complexity of IDM from the enterprises
  – federated IDM solutions
  – privacy-preserving protocols to verify various identity attributes by using, for example, zero-knowledge proof-based techniques
Security and Privacy Approaches
• Access Control Needs
  – RBAC
  – policy-integration needs
  – credential-based RBAC, GTRBAC, location-based RBAC
Security and Privacy Approaches
• Secure Interoperation
  – Multi-domain
  – centralized approach
  – decentralized approaches
  – specification frameworks to ensure that the cross-domain accesses are properly specified, verified, and enforced
• Policy engineering mechanisms
Security and Privacy Approaches
• Secure-Service Provisioning and Composition
  – Open Services Gateway Initiative (OSGi)
  – Declarative OWL-based language can be used to provide a service definition manifest, including a list of distinct component types that make up the service, functional requirements, component grouping and topology instructions
Security and Privacy Approaches
• Trust Management Framework
  – trust-based policy integration
  – Delegation must be incorporated in service composition framework
Security and Privacy Approaches
• Data-Centric Security and Privacy
  – shifts data protection from systems and applications
  – documents must be self-describing and defending regardless of their environments.
Security and Privacy Approaches
• Managing Semantic Heterogeneity
  – semantic heterogeneity among policies
  – Use of an ontology is the most promising approach
  – policy framework and a policy enforcement architecture
  – inference engines
Policy Management
• No single access control mechanism, single policy language or single policy management tool
  – diverse access control solutions
  – policies may be composed in incompatible ways
• Heterogeneity and distribution of policies pose problems in administration
Case Study Implementation
• Investigation
  – Authentication mechanism
  – How users can share resources with other users
  – privacy/access setting options it provides
  – policy language and mechanism it uses.
  – What APIs it provides.
  – change privacy settings using an API or in some other ways.
  – discover users' resources
  – supports XACML or similar technologies.
Case Study Implementation
Amazon S3, Dropbox, LinkedIn, Flickr, and Twitter
developed a unified framework
Limitations of the Existing Policy Management Systems
• Application Centric vs. User Centric
• Unified Policy Management System
• Heterogeneity and Interoperation
• Privacy Preservation
Proposed Semantic Based Policy Management Framework
• designed on the concept of centrally expressing a user's security requirements
• applied to a user's resources regardless of where they are stored
• should be able to address interoperability and heterogeneity issues
Semantic Web and Policy Management
• specify a domain of interest
  – individuals, classes of individuals, properties
  – axioms that assert constraints over them
• structured vocabulary
  – describes concepts and relationships between them
  – specification of the meaning of terms
Semantic Web and Policy Management
• In a policy management system
  – access rules are specified based on representations of concepts
  – policy rules and these representations should be able to make policy-based authorization decisions
  – deal with the heterogeneity of cloud
• these representations should be generic and flexible enough
Semantic Web and Policy Management
• The Web Ontology Language (OWL 2)
  – a family of standard knowledge representation languages for the Semantic Web
  – based on Description Logic (DL)
• Reasoner
  – we can check whether all of the statements and definitions in the ontology are mutually consistent
  – tradeoff between expressiveness and efficient reasoning
Semantic Web and Policy Management
• Use SWRL to enrich the models defined using OWL 2
  – to represent rules on the Semantic Web
  – extends OWL 2 in order to provide a way to express conditional knowledge
  – not decidable
• we use the DL-Safe context
  – OWL 2 RL + SWRL with DL-Safe restriction
  – referred to as OWL and SWRL
Semantic Web and Policy Management
• offers high expressiveness
• Reasoning: rule-based engines which offer good performance
• scalable reasoning without sacrificing too much expressive power
• heterogeneity management and interoperability
• separation between domain description and policy description
The Proposed Architectural Framework
Authorization Knowledge Management
• Each CSP has its own information system
• SBPMS requires CSPs to provide such information for authorization purposes
• Update
  – push and/or pull strategies
  – privacy of cloud user's identity
Access Request Processing
• The access requests are processed locally in each CSP
  – key advantage
  – apply additional policies
The Implementation Architecture
Performance Evaluation
Prototype
Generate policies
Perform evaluations
Policy Specification Language Meta Model
Semantic Based Specification Language and Policy Generation Process
Target [Provider, Subject, Object, Action, Service]
Performance of the Ontology Construction
Performance of the Authorization API
References
Semantic Based Policy Management for Cloud Computing Environments, International Journal of Cloud Computing, 2012.
Security and Privacy Challenges in Cloud Computing Environments, IEEE Security and Privacy, Vol. 8, No. 6, 2010.
SecureCloud: Towards a Comprehensive Security Framework for Cloud Computing Environments, IEEE International Workshop on Emerging Applications for Cloud Computing (CloudApp 2010).
Questions?
PrivacyMonitor
The goal of this project is to develop an application that monitors the phone for possible privacy violations.
This app should be able to work with all the apps installed on the phone that connect to the Internet, such as social network apps, IM apps, email apps, etc.
The app provides an interface for the user to specify privacy preferences and then runs in the background, checks the privacy policies and activities of all the apps, and alerts the user if there is any conflict between the user's specified policies and the policies of the app.
It is useful when installing an app to see whether it satisfies the user's privacy preferences and also when using an app to check whether it complies with its own policies.
Possible Features
Activate Application: Allows the user to activate or deactivate the app
Run as System Application: Allows the user to run the app in the background
Password Protection: Protects the app from unauthorized users
Autoblock: Automatically blocks possible violations of privacy without the user's confirmation
Possible Features
Notifications: Alert about possible risk and ask the user about continuing the action (Autoblock must be off for this feature to work). When a threat is detected, a small icon appears in the corner of the screen. The color of the icon could vary based on the severity of the threat, and it can show a number representing the number of threats.
Sound Alert: Plays a sound when a threat is detected.
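A minimal sketch of the checks the PrivacyMonitor slides describe (install-time conflict with the user's preferences, in-use compliance with the app's own policy, then Autoblock or Notifications). It is added here as an illustration and is not taken from the slides; the data categories, severity scale, icon colours and function names are all assumptions.

```python
from dataclasses import dataclass

# Assumed severity scale and icon colours (not from the slides).
SEVERITY = {"location": 3, "contacts": 3, "device_id": 2, "usage_stats": 1}
COLOR = {1: "yellow", 2: "orange", 3: "red"}


def severity(data):
    # Unknown data categories are treated as the most severe (fail safe).
    return SEVERITY.get(data, 3)


@dataclass(frozen=True)
class Finding:
    app: str
    data: str
    reason: str    # "user_preference" or "undeclared"
    severity: int


def install_check(app, declared, user_denied):
    """Install time: does the app's declared policy conflict with user preferences?"""
    return [Finding(app, d, "user_preference", severity(d))
            for d in sorted(declared & user_denied)]


def runtime_check(app, declared, observed, user_denied):
    """In use: flag flows the user denied and flows the app's policy never declared."""
    findings = []
    for d in sorted(observed):
        if d in user_denied:
            findings.append(Finding(app, d, "user_preference", severity(d)))
        elif d not in declared:
            findings.append(Finding(app, d, "undeclared", severity(d)))
    return findings


def respond(findings, autoblock):
    """Autoblock blocks without confirmation; otherwise ask, with a counted, coloured icon."""
    if not findings:
        return {"action": "allow"}
    if autoblock:
        return {"action": "block", "blocked": [f.data for f in findings]}
    worst = max(f.severity for f in findings)
    return {"action": "ask_user", "icon_color": COLOR[worst], "badge": len(findings)}
```

Keeping the two reasons separate matters for the alert: a flow the app declared but the user denied is a preference conflict, while an undeclared flow means the app is not complying with its own policy.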
Privacy for Mobile Apps
As mobile apps become more popular, people are becoming more concerned about privacy issues associated with those apps.
On the other hand, given how difficult privacy policies are to read on a large screen, there are concerns about the feasibility of reading them on small screens of mobile phones.
Privacy for Mobile Apps
Currently, the vast majority of applications that mobile phone users download do not have privacy policies at all.
We need to answer the following questions:
What is a good approach for communicating about app privacy policies to users?
When and in what form should this communication occur?
What information should be included?
Privacy for Mobile Apps
"Mobile Application Privacy Policy Framework" from the Mobile Marketing Association (MMA) Privacy & Advocacy Committee
"Privacy Policy Generator 3.0" initiative from TRUSTe
Policymaker from PrivacyChoice
Privacy for Mobile Apps
What we suggest as a solution is to use the standardized short table from the paper "A Nutrition Label for Privacy" (http://cups.cs.cmu.edu/soups/2009/proceedings/a4-kelley.pdf) to design a privacy policy format for mobile apps.