On the Security of Data Stored in the Cloud

Dr Theo Dimitrakos, Head of Security Architectures Research, Security Futures Practice, BT Innovate & Design
Dr Srijith Nair, Senior Researcher, Security Futures Practice, BT Innovate & Design

Contact: {srijith.nair,theo.dimitrakos}@bt.com

SecureCloud 2012, 9-10 May

Cloud Computing Technology Innovation (emphasis on security), 2010 to 2020

• Commodity virtualisation
• Multitenant Cloud islands
• In-cloud common capabilities
• Customer defined virtual private clouds
• Specialised Community clouds
• Cloud aware application production
• Vertical Cloud service assembly
• Open Cloud Federation
• Cloud aggregation ecosystem

Commoditised virtualisation

• Security API for hypervisor

• Virtual Data Centre Service Management Layer

• Commoditised elasticity

• Commoditised data abstraction & data federation

Cloud islands

• User-defined hosting

• On-demand Elasticity

• Flexible charging model

• Rapid provisioning / de-provisioning

• Customer defined standalone cloud applications

• Cloud island-specific security in-depth

• Per-customer isolation & multi-tenancy

Common capabilities

• Cloud –vs.– managed service delivery model

• Reusable and customisable enabling services offered via a cloud service delivery model:
  • Identity & access
  • Data & system security
  • Data federation
  • Performance monitoring
  • Intelligent reporting
  • Auditing
  • Usage control
  • Licensing
  • Optimisation

Virtual Private Clouds

• Customer defined security and QoS

• Customer-centric identity & access federation

• Customer-aware process & data isolation

• Customer-defined process and data federation

• Secure private network overlay offered as a service over the internet

• Customer-centric cloud application composition

Community Clouds

• Community-specific virtual private clouds

• In-cloud collaboration, community management & identity federation services

• Vertical integration of hosting and community-specific cloud applications

• Shared

Cloud aware applications

• Commoditisation of cloud application stores

• Commoditisation of SDK for cloud applications

• Take advantage of cloud IaaS or PaaS to develop SaaS

• Ability to deploy your cloud SaaS over a targeted SaaS / PaaS

• SDK methods for on-demand elasticity, in-cloud hosting and dynamic resource provisioning

Cloud service assembly

• Standardisation of cloud service management interfaces

• Commoditisation of cloud assembly processes & tools

• Vertical value chain specific federation

• Ability to mix-and-match cloud infrastructure & in-cloud common capabilities when producing cloud applications

• Ability to specify and rapidly provision mixed delivery models: e.g. SaaS on 3rd party PaaS; PaaS on 3rd party IaaS

Open cloud federation

• Standardisation of:
  • cloud common capabilities
  • cloud service management interfaces
  • cloud access management & federated identity models
  • cloud service monitoring & reporting
  • cloud license management services

• Virtual Private “Local” Network over the Internet

• User defined Virtual Private Cloud

Cloud Aggregation Ecosystem

• Standardised cloud charging models including auctions

• Standardisation of cloud service assembly processes

• Virtual Data Centres assembled over multiple IaaS clouds by different providers

• PaaS over federated IaaS with integrated common capabilities by multiple 3rd parties

• Commoditisation of “Make your own Cloud” capability


Results of survey conducted by ENISA in 2009

Main Concerns of Cloud Computing (from way back then)

[Chart: main concerns in approaching the cloud, each rated Not Important / Medium Importance / Very Important / Showstopper, on a 0% to 100% scale of respondents]

• Confidentiality of corporate data
• Privacy
• Integrity of services and/or data
• Availability of services and/or data
• Lack of liability of providers in case of security incidents
• Loss of control of services and/or data
• Intra-clouds (vendor lock-in) migration
• Inconsistency between transnational laws and regulations
• Unclear scheme in the pay per use approach
• Uncontrolled variable cost
• Cost and difficulty of migration to the cloud (legacy software …
• Repudiation


Main Data Challenges

• Jurisdictional exposure (location / breach)
• Segregation of data at rest
• Data loss or leakage
• Data provenance
• Data remanence
• Data sharding


Main Solutions

• Data classification, policy on what goes into (which) cloud
• Support for encryption of data at rest:
  • At the physical disk level
  • At the virtual volume level
• Transparent encryption at SaaS level
• Strong identity and access management

© British Telecommunications plc

Towards a comprehensive solution for cloud data hosting & sharing

Service delivery models:
• Bespoke service on customer cloud island
• Full integration to VDC Infrastructure
• Integrated with Customer’s corporate IT infrastructure
• Value add service on 3rd party clouds

• Select cloud provider
• Define data store and security policy
• Encrypt data
• Mount data store to VM in the cloud
• Update data access / key release policy
• Enforce data access / key release policy
• Monitor how policy is enforced in the cloud


Example of virtual volume level encryption

Overview: Secure Cloud Data Hosting (VDC enhancement)

• The usage control of cloud storage is offered as a service
• Customer in control of connection, protection and access to secure virtual storage
• Keys and policy server are off the cloud data host
• Decryption only possible when data is used in a specific “safe” environment following policy-based approval
• Security is enforced by “sand-boxed” context-aware intelligent agents embedded in customer’s VM

[Diagram: Cloud Service Provider (VDC) hypervisor platform hosting Customer VM 1 … Customer VM n, each with an Agent, over shared data storage; an Offsite / Onsite Key Management Server holding the Policies (Rules) is reached over the Internet]


Customer experience

• Data stored in non-ephemeral storage volumes is encrypted at file system level
• The encryption/decryption keys are stored off site
• Decryption only possible when used in specific environment
• Rules-based approval (automatic or manual) before the keys are released to ensure release into safe envelope (IP address, VM provenance, presence of DLP software etc.)

Overview: Secure Cloud Data Hosting (VDC enhancement)

• Encrypt volume: encrypt a storage volume (iSCSI, NFS) at file system level
• Keep keys safe: store decryption key outside the cloud in a Key Management Server
• Install secure cloud agent: create a gold build Machine Image (e.g. VS template) with secure cloud agent installed
• Create customer image: create instances from this image as required
• Key request: agent requests keys when Virtual Machine is booted up
• Key provisioning: keys may be released based on policy rules like IP address, OS type, CPU arch etc.
• Volume mounting: on receiving keys, the volume is attached to VM instance, in read or read/write mode
• Key release: key released by agent when it is stopped (e.g. when VM shuts down)

[Figure: the steps are grouped into “Setup Once” and “VM lifetime” phases; each step is marked A or U in the original]
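The key request, key provisioning and key release steps above, as an added example that is not part of the original slides or of BT’s product: a small policy-evaluating Key Management Server in Python. The rule attributes (IP network, OS type, CPU architecture, DLP presence), the read-only fallback when DLP is absent, and all sample values are assumptions made for illustration.

```python
"""Policy-based key release for an encrypted cloud volume (constructed example).

A sand-boxed agent in the customer VM asks the off-cloud key server for the
volume key at boot; the server releases it only if the VM's reported
properties fall inside the customer's "safe envelope"; the agent hands the
key back when it stops. Names and rules are assumptions, not a real API.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class KeyReleasePolicy:
    """Customer-defined safe envelope the VM must match before keys are released."""
    allowed_networks: list       # CIDR strings (IP address rule)
    allowed_os: set              # OS type rule
    allowed_cpu_arch: set        # CPU architecture rule
    no_dlp_action: str = "deny"  # "deny" or "ro" when no DLP software is present


@dataclass
class KeyServer:
    """Off-cloud Key Management Server holding the volume key and the policy."""
    key: bytes
    policy: KeyReleasePolicy
    held_by: set = field(default_factory=set)   # VM ids currently holding the key
    audit: list = field(default_factory=list)   # what the customer monitors

    def request_key(self, vm_id, ip, os_type, cpu_arch, dlp_present):
        """Agent call at VM boot. Returns (key, mount_mode) or (None, reason)."""
        addr = ipaddress.ip_address(ip)
        if not any(addr in ipaddress.ip_network(n) for n in self.policy.allowed_networks):
            return self._deny(vm_id, "ip outside safe envelope")
        if os_type not in self.policy.allowed_os:
            return self._deny(vm_id, "os type not approved")
        if cpu_arch not in self.policy.allowed_cpu_arch:
            return self._deny(vm_id, "cpu arch not approved")
        mode = "rw"
        if not dlp_present:
            if self.policy.no_dlp_action == "deny":
                return self._deny(vm_id, "dlp software missing")
            mode = "ro"  # volume may still be mounted, but read-only
        self.held_by.add(vm_id)
        self.audit.append((vm_id, "released", mode))
        return self.key, mode

    def release_key(self, vm_id):
        """Agent call when it stops (e.g. VM shutdown): key is no longer held."""
        self.held_by.discard(vm_id)
        self.audit.append((vm_id, "returned", None))

    def _deny(self, vm_id, reason):
        self.audit.append((vm_id, "denied", reason))
        return None, reason
```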


Extensions to the core service

Secure Cloud (Shared) Storage:

• Extend solution to federated storage that spans across:
  • Multiple VDCs on the same cloud infrastructure
  • Cloud islands by different providers
• Combine solution with data shredding, variants of key split / group encryption, and optimal data fragment distribution algorithms to ensure that:
  • if all nodes hosting fragments of a customer's files are off, all other customers can continue to operate securely
  • root access to all nodes hosting fragments of one customer's files will not provide enough fragments to reconstruct / decrypt another customer's file
  • customers can inspect the integrity of their shredded data

Secure Cloud Container:

• Cover protection of VM images at rest
• Cover integrity checks of data and VM image volumes
• Hypervisor root-kit to cover encryption of communication between protected VMs in operation

2 BT patents pending, including combination of data shredding and cloud encryption
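The fragment-distribution properties listed under the extensions above, as an added example that is not BT’s patented method: an n-of-n XOR key split, a per-fragment integrity manifest the customer can check later, and a placement check that the nodes holding one customer’s fragments expose fewer than the reconstruction threshold k of any other customer’s fragments. The threshold k, the XOR scheme and the function names are assumptions for illustration.

```python
"""Shredded-data placement and integrity checks (constructed example).

Fragments of a customer's (encrypted) file or key are spread over storage
nodes. The isolation property from the slide holds when compromising every
node that serves customer A still yields fewer than k fragments of customer B,
where k is the number of fragments needed to reconstruct (k == n for a plain
XOR split, k < n for a threshold or erasure-coded split).
"""
import hashlib
import os


def xor_split(secret: bytes, n: int) -> list:
    """n-of-n split: n-1 random shares plus one share that XORs back to the secret."""
    shares = [os.urandom(len(secret)) for _ in range(n - 1)]
    last = bytes(secret)
    for s in shares:
        last = bytes(a ^ b for a, b in zip(last, s))
    return shares + [last]


def xor_join(shares: list) -> bytes:
    """Recombine all n shares; any missing share leaves only random bytes."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = bytes(a ^ b for a, b in zip(out, s))
    return out


def integrity_manifest(fragments: list) -> list:
    """Per-fragment SHA-256 digests the customer keeps to inspect stored data later."""
    return [hashlib.sha256(f).hexdigest() for f in fragments]


def verify_fragments(fragments: list, manifest: list) -> list:
    """Indices of fragments whose stored content no longer matches the manifest."""
    return [i for i, (f, d) in enumerate(zip(fragments, manifest))
            if hashlib.sha256(f).hexdigest() != d]


def placement_is_isolating(placement: dict, k: int) -> bool:
    """placement maps customer -> set of node ids, one fragment per node.

    True when the nodes of any one customer hold fewer than k fragments of
    every other customer, so root on all of A's nodes cannot rebuild B's data.
    """
    for a, nodes_a in placement.items():
        for b, nodes_b in placement.items():
            if a != b and len(nodes_a & nodes_b) >= k:
                return False
    return True
```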

Cloud security innovation roadmap at BT Research & Technology

• Technical innovation challenges & solutions
• Cloud Security Innovation Strategy
• Market evolution analysis
• Recommendations for High-level Secure Cloud Architecture for Government (IaaS)
• In-cloud security cost-benefit analysis
• Cloud information assurance metrics
• Cloud security risk assessment (eGov)
• Secure Cloud Service Broker
• Cloud Federation Fabric v1
• Virtual hosting on federated clouds (basic functionality)
• Recommendations for High-level Secure Cloud Architecture for Government (SaaS)
• Cloud ecosystem security value network
• Market analysis revision
• Cloud security value network revision
• Virtual hosting on federated clouds (enhanced functionality)
• Cloud Federation Fabric v2
• Cloud Aggregation Environment (v1)
• Accountable Entitlement Management (in-cloud)
• Virtual Patching
• In-Cloud Secure ESB fabric
• Application aware Behavioural Malware detection (in-cloud)
• In-cloud malware scanning
• Secure cloud storage service
• Virtual community management
• Cloud security analytics
• Hypervisor level Malware Detection
• Hypervisor level Intrusion Prevention
• Hypervisor level Data Leak Prevention
• Use of trusted hardware in Virtual Data Centres & Cloud

Core activities

• Cloud federation
• Cloud Security services
• Cloud Security infrastructure
• Secure Virtualisation


BT thought-leadership: Innovation Demonstrators

Cloud brokerage & Federation
• Secure Cloud Service Broker
• In-cloud federation & coalition management
• VHE on Federated Clouds

Cloud Application Security
• Intelligent Protection
• Accountable Entitlement Management
• Behavioural monitoring for Malware detection

Cloud Services Security
• Secure cloud service management
• Secure data storage service
• Virtual Patching
• Active Shielding

Secure Virtualisation
• Hypervisor level Malware Detection
• Hypervisor level Intrusion Prevention
• Hypervisor level Data Leak Prevention

CLOUD SECURITY INNOVATION SHOWCASES

OVER 9 PATENTS (AWARDED OR PENDING) ON NEXT GENERATION VIRTUALISATION & CLOUD SECURITY


BT thought-leadership: Overview of external collaborations

• Co-authors of ENISA expert advisory report on Cloud Security Risk Analysis
• Contributors to CSA security guidelines and lead of Virtualisation Security work stream
• Contributors to ENISA expert group on Government use of Cloud computing
• Leading Cloud Brokerage & Federation use case at OPTIMIS, a €15 million collaborative R&D project
• Led BEinGRID (Chief scientist / technical director), the largest R&D investment (€25 million) on next generation SOA in Europe
• Invited speakers at events: InfoSec, CloudSecurity, RSA, e-Crime, Intellect, ISF, CSO Summit, etc.
• 3 books and several technical papers in Cloud & Next Generation SOA

Partner logos shown: BT, IBM, Microsoft, Kaspersky, UK NHS, Google, HP, RSA, Symantec, ISSA, cloudsecurity.org, Baker & McKenzie


Thank you for your attention

For more information contact {srijith.nair,theo.dimitrakos}@bt.com


BACKUP SLIDES

Architectural Diagram of integration in Alpha Cloud platform at BT Research & Technology

Towards a Secure Cloud blueprint

Towards a Secure Cloud blueprint: technical security subsystems