Cloud complete


Published on

Published in: Education, Technology, Business
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Government and Military sectors: complicated procurement rules and stringent security requirements Cloud-based categories: Cloud-based applications (SAAS) Cloud-based development (e.g. Google App Engine) Cloud-based infrastructure (e.g. Amazon’s EC2)
  • Trust and tenancy issues as well as loss of control related to the management model
  • Data mobility: the ability to share data between cloud services Where does data reside? - out-of-state, out-of-country issues Security Concerns for government in particular FISMA How to certify and accredit cloud computing providers under FISMA (e.g. ISO 27001)
  • Chiles and McMakin (1996) define trust as increasing one’s vulnerability to the risk of opportunistic behavior of another whose behavior is not under one’s control in a situation in which the costs of violating the trust are greater than the benefits of upholding the trust. Trust here means mostly lack of accountability and verifiability
  • Who are my neighbors? What is their objective? They present another facet of risk and trust requirements
  • The lack of security of local devices can disrupt the consumer and also provide a way for malicious services on the cloud to attack local networks through these terminal devices. In today’s ubiquitous computing environment, the local host machine may well be a desktop computer, a portable laptop or mobile device. While cloud consumers worry about the security on the cloud provider’s site, they may easily forget to harden their own machines. The lack of security of a local host can compromise the cloud and its resources for other users. With mobile devices, the threat may be even stronger, as users misplace or have the device stolen from them. The security mechanisms on handheld gadgets are often times insufficient compared to say, a desktop computer, providing a potential attacker an easy avenue into a cloud system. If a user relies mainly on a mobile device to access cloud data, the threat to availability is also increased as mobile devices malfunction or are lost. Devices that access the cloud should have strong authentication mechanisms, should be tamper-resistant, and have cryptographic functionality when traffic confidentiality is required. Since this places a part of the security burden onto the consumer, the provider may need to stipulate in its policy or SLA. New approaches to mobile cloud computing in which applications lie in the cloud as opposed to on a smart phone, enable more sophisticated security mechanisms. Users connect to the cloud from their local host machines. In particular, many secure cloud data storing technologies require users to generate master keys (used to encrypt data or session keys) and store them on the local machine. If a malicious service in the cloud can tamper with the local machine and access these keys, confidentiality of data stored in the cloud is at risk. For example, a user’s computer can be a zombie that can be used to attack the cloud. Or it can contain malicious code that damages provider-side resources, affecting not only the provider, but all its other consumers as well.  In today’s battle space, new technologies enable war fighters to use handheld devices to gather data for analysis at command centers. Therefore, the durability and robustness of these devices is a major concern not only for cloud computing but for general-purpose military use as well. Memory curtaining techniques for sensitive areas of memories such as those places where keys are stored (i.e. provides isolation of sensitive memory areas). Remote attestation or TPM type requirements.
  • While VPC providers argue that they provide superior isolation, the fact of the matter is that your data is not a separate physical system: your data is still stored on actual servers along with other consumers’ data, but logically separated. If the actual server fails, your data and applications stored on it are lost. Also, there needs to be a high level of trust as to the degree of isolation provided.
  • These SLAs typically state the high level policies of the provider (e.g. Will maintain uptime of 98%) and do not allow cloud consumers to dictate their requirements to the provider. COI clouds in particular have specific security policy requirements that must be met by the provider, due to the nature of COIs and the missions they are used for. These requirements need to be communicated to the provider and the provider needs to provide some way of stating that the requirements can be met. Cloud consumers and providers need a standard way of representing their security requirements and capabilities. Consumers also need a way to verify that the provided infrastructure and its purported security mechanisms meet the requirements stated in the consumer’s policy (proof of assertions). For example, if the consumer’s policy requires isolation of VMs, the provider can create an assertion statement that says it uses cache separation to support VM isolation.
  • When the underlying components fail in the cloud, the effect of the failures to the mission logic needs to be known so that correct recovery measures can be performed. We propose an application-specific run-time monitoring and management tool. With this tool, the application logic can remain on the consumer’s host computer. This allows the consumer to centrally monitor all aspects of the application as well as data flow. Since all outputs from underlying services are sent to the application logic, any data incompatibility between services is not an issue. The capabilities of the run-time monitoring and management tool are as follows: 1) Enable application user to determine the status of the cloud resources that may be used to run the application (across multiple clouds), 2)  Enable application user to determine the real-time security posture and situational awareness of the application, 3) Provide the application user with the ability to move user’s application (or part of it) to another site (other VM in same cloud or different cloud altogether), 4) Provide the application user with the ability to change the application logic on the fly, 5) Provide communicate capabilities with cloud providers. There are a few cloud vendors such as NimSoft [41] and Hyperic [42] that provide application-specific monitoring tools that provide some of the above functionality. These monitoring tools may be further enhanced or used in conjunction with other tools to provide the degree of monitoring required. However, any tool that is to be used for military purposes must also receive some type of accreditation and certification procedure.
  • Differering data semantics example: does a data item labeled secret in one cloud have the same semantics as another piece of data also labeled secret in a different cloud?
  • In cloud computing (as well as other systems), there are many possible layers of access control. For example, access to the cloud, access to servers, access to services, access to databases (direct and queries via web services), access to VMs, and access to objects within a VM. Depending on the deployment model used, some of these will be controlled by the provider and others by the consumer. For example, Google Apps, a representative SaaS Cloud controls authentication and access to its applications, but users themselves can control access to their documents through the provided interface to the access control mechanism. In IaaS type approaches, the user can create accounts on its virtual machines and create access control lists for these users for services located on the VM. Regardless of the deployment model, the provider needs to manage the user authentication and access control procedures (to the cloud). While some providers allow federated authentication – enabling the consumer-side to manage its users, the access control management burden still lies with the provider. This requires the user to place a large amount of trust on the provider in terms of security, management, and maintenance of access control policies. This can be burdensome when numerous users from different organizations with different access control policies, are involved. This proposal focuses on access control to the cloud. However, the concepts here could be applied to access control at any level, if deemed necessary. We propose a way for the consumer to manage the access control decision-making process to retain some control, requiring less trust of the provider. Approach: This approach requires the client and provider to have a pre-existing trust relationship, as well as a pre-negotiated standard way of describing resources, users, and access decisions between the cloud provider and consumer. It also needs to be able to guarantee that the provider will uphold the consumer-side’s access decisions. Furthermore, we need to show that this approach is at least as secure as the traditional access control model. This approach requires the data owner to be involved in all requests. Therefore, frequent access scenarios should not use this method if traffic is a concern. However, many secure data outsourcing schemes require the user to grant keys/certificates to the query side, so that every time the user queries a database, the owner needs to be involved. Therefore, not much different than that so may not be a problem.
  • 你好
  • All authorization entities (subject, object or action) and their attributes should be understood as the unambiguous meaning in the cloud computing environment. The action should be determined in according with the policy to ensure that policy administrator of cloud computing environment can define the ACPs an entities which can be understood by other administrators in different applications.
  • Cloud complete

    1. 1. Bharat Bhargavabbshail@purdue.eduComputer SciencePurdue UniversityResearch in Cloud Security and PrivacyYounSun Chocho52@cs.purdue.eduComputer SciencePurdue UniversityAnya Research Lab
    2. 2. Talk Objectives• A high-level discussion of the fundamental challengesand issues/characteristics of cloud computing• Identify a few security and privacy issues within thisframework• Propose some approaches to addressing these issues– Preliminary ideas to think about
    3. 3. Outline• Part I: Introduction• Part II: Security and Privacy Issues in Cloud Computing• Part III: Possible Solutions3
    4. 4. Part I. Introduction• Cloud Computing Background• Cloud Models• Why do you still hesitate to use cloud computing?• Causes of Problems Associated with Cloud Computing• Taxonomy of Fear• Threat Model4
    5. 5. Cloud Computing Background• Features– Use of internet-based services to support business process– Rent IT-services on a utility-like basis• Attributes– Rapid deployment– Low startup costs/ capital investments– Costs based on usage or subscription– Multi-tenant sharing of services/ resources• Essential characteristics– On demand self-service– Ubiquitous network access– Location independent resource pooling– Rapid elasticity– Measured service• “Cloud computing is a compilation of existing techniques andtechnologies, packaged within a new infrastructure paradigm thatoffers improved scalability, elasticity, business agility, faster startuptime, reduced management costs, and just-in-time availability ofresources”From [1] NIST
    6. 6. A Massive Concentration of Resources• Also a massive concentration of risk– expected loss from a single breach can be significantlylarger– concentration of “users” represents a concentration ofthreats• “Ultimately, you can outsource responsibility but you can’toutsource accountability.”From [2] John McDermott, ACSAC 09
    7. 7. Cloud Computing: who should use it?• Cloud computing definitely makes sense if your own securityis weak, missing features, or below average.• Ultimately, if– the cloud provider’s security people are “better” thanyours (and leveraged at least as efficiently),– the web-services interfaces don’t introduce too manynew vulnerabilities, and– the cloud provider aims at least as high as you do, atsecurity goals,then cloud computing has better security.From [2] John McDermott, ACSAC 09
    8. 8. Cloud Models• Delivery Models– SaaS– PaaS– IaaS• Deployment Models– Private cloud– Community cloud– Public cloud– Hybrid cloud• We propose one more Model: Management Models(trust and tenancy issues)– Self-managed– 3rdparty managed (e.g. public clouds and VPC)From [1] NIST
    9. 9. Delivery Models9While cloud-based software services are maturing,Cloud platform and infrastructure offering are still in their early stages !From [6] Cloud Security and Privacy by Mather and Kumaraswamy
    10. 10. Impact of cloud computing on the governancestructure of IT organizations10From [6] Cloud Security and Privacy by Mather and Kumaraswamy
    11. 11. If cloud computing is so great,why isn’t everyone doing it?• The cloud acts as a big black box, nothing inside thecloud is visible to the clients• Clients have no idea or control over what happensinside a cloud• Even if the cloud provider is honest, it can havemalicious system admins who can tamper with theVMs and violate confidentiality and integrity• Clouds are still subject to traditional dataconfidentiality, integrity, availability, and privacyissues, plus some additional attacks11
    12. 12. Companies are still afraid to use clouds12[Chow09ccsw]
    13. 13. Causes of Problems Associatedwith Cloud Computing• Most security problems stem from:– Loss of control– Lack of trust (mechanisms)– Multi-tenancy• These problems exist mainly in 3rdpartymanagement models– Self-managed clouds still have security issues, butnot related to above
    14. 14. Loss of Control in the Cloud• Consumer’s loss of control– Data, applications, resources are located withprovider– User identity management is handled by the cloud– User access control rules, security policies andenforcement are managed by the cloud provider– Consumer relies on provider to ensure• Data security and privacy• Resource availability• Monitoring and repairing of services/resources
    15. 15. Lack of Trust in the Cloud• A brief deviation from the talk– (But still related)– Trusting a third party requires taking risks• Defining trust and risk– Opposite sides of the same coin (J. Camp)– People only trust when it pays (Economist’s view)– Need for trust arises only in risky situations• Defunct third party management schemes– Hard to balance trust and risk– e.g. Key Escrow (Clipper chip)– Is the cloud headed toward the same path?
    16. 16. Multi-tenancy Issues in the Cloud• Conflict between tenants’ opposing goals– Tenants share a pool of resources and have opposing goals• How does multi-tenancy deal with conflict of interest?– Can tenants get along together and ‘play nicely’ ?– If they can’t, can we isolate them?• How to provide separation between tenants?• Cloud Computing brings new threats– Multiple independent users share the same physicalinfrastructure– Thus an attacker can legitimately be in the same physicalmachine as the target
    17. 17. Taxonomy of Fear• Confidentiality– Fear of loss of control over data• Will the sensitive data stored on a cloud remainconfidential?• Will cloud compromises leak confidential client data– Will the cloud provider itself be honest and won’tpeek into the data?• Integrity– How do I know that the cloud provider is doing thecomputations correctly?– How do I ensure that the cloud provider reallystored my data without tampering with it?17From [5]
    18. 18. Taxonomy of Fear (cont.)• Availability– Will critical systems go down at the client, if theprovider is attacked in a Denial of Service attack?– What happens if cloud provider goes out ofbusiness?– Would cloud scale well-enough?– Often-voiced concern• Although cloud providers argue their downtime compareswell with cloud user’s own data centers18From [5]
    19. 19. Taxonomy of Fear (cont.)• Privacy issues raised via massive data mining– Cloud now stores data from a lot of clients, and canrun data mining algorithms to get large amounts ofinformation on clients• Increased attack surface– Entity outside the organization now stores andcomputes data, and so– Attackers can now target the communication linkbetween cloud provider and client– Cloud provider employees can be phished19From [5]
    20. 20. Taxonomy of Fear (cont.)• Auditability and forensics (out of control of data)– Difficult to audit data held outside organization ina cloud– Forensics also made difficult since now clientsdon’t maintain data locally• Legal quagmire and transitive trust issues– Who is responsible for complying with regulations?• e.g., SOX, HIPAA, GLBA ?– If cloud provider subcontracts to third partyclouds, will the data still be secure?20From [5]
    21. 21. Taxonomy of Fear (cont.)21Cloud Computing is a securitynightmare and it cant be handledin traditional ways.John ChambersCISCO CEO• Security is one of the most difficult task to implement incloud computing.– Different forms of attacks in the application side andin the hardware components• Attacks with catastrophic effects only needs onesecurity flaw(
    22. 22. Threat Model• A threat model helps in analyzing a security problem,design mitigation strategies, and evaluate solutions•Steps:– Identify attackers, assets, threats and othercomponents– Rank the threats– Choose mitigation strategies– Build solutions based on the strategies22From [5]
    23. 23. Threat Model• Basic components– Attacker modeling• Choose what attacker to consider– insider vs. outsider?– single vs. collaborator?• Attacker motivation and capabilities– Attacker goals– Vulnerabilities / threats23From [5]
    24. 24. What is the issue?• The core issue here is the levels of trust– Many cloud computing providers trust theircustomers– Each customer is physically commingling its datawith data from anybody else using the cloud whilelogically and virtually you have your own space– The way that the cloud provider implementssecurity is typically focused on they fact thatthose outside of their cloud are evil, and thoseinside are good.• But what if those inside are also evil?24From [5]
    25. 25. Attacker Capability: Malicious Insiders• At client– Learn passwords/authentication information– Gain control of the VMs• At cloud provider– Log client communication– Can read unencrypted data– Can possibly peek into VMs, or make copies of VMs– Can monitor network communication, applicationpatterns– Why?• Gain information about client data• Gain information on client behavior• Sell the information or use itself25From [5]
    26. 26. Attacker Capability: Outside attacker• What?– Listen to network traffic (passive)– Insert malicious traffic (active)– Probe cloud structure (active)– Launch DoS• Goal?– Intrusion– Network analysis– Man in the middle– Cartography26From [5]
    27. 27. Challenges for the attacker• How to find out where the target is located?• How to be co-located with the target in the same(physical) machine?• How to gather information about the target?27From [5]
    28. 28. Part II: Security and Privacy Issuesin Cloud Computing - Big Picture• Infrastructure Security• Data Security and Storage• Identity and Access Management (IAM)• Privacy• And more…28From [6] Cloud Security and Privacy by Mather and Kumaraswamy
    29. 29. Infrastructure Security• Network Level• Host Level• Application Level29
    30. 30. The Network Level• Ensuring confidentiality and integrity of yourorganization’s data-in-transit to and from your publiccloud provider• Ensuring proper access control (authentication,authorization, and auditing) to whatever resourcesyou are using at your public cloud provider• Ensuring availability of the Internet-facing resourcesin a public cloud that are being used by yourorganization, or have been assigned to yourorganization by your public cloud providers• Replacing the established model of network zones andtiers with domains30From [6] Cloud Security and Privacy by Mather and Kumaraswamy
    31. 31. The Network Level - Mitigation• Note that network-level risks exist regardless ofwhat aspects of “cloud computing” services are beingused• The primary determination of risk level is thereforenot which *aaS is being used,• But rather whether your organization intends to useor is using a public, private, or hybrid cloud.31From [6] Cloud Security and Privacy by Mather and Kumaraswamy
    32. 32. The Host Level• SaaS/PaaS– Both the PaaS and SaaS platforms abstract andhide the host OS from end users– Host security responsibilities are transferred tothe CSP (Cloud Service Provider)• You do not have to worry about protecting hosts– However, as a customer, you still own the risk ofmanaging information hosted in the cloud services.32From [6] Cloud Security and Privacy by Mather and Kumaraswamy
    33. 33. The Host Level (cont.)• IaaS Host Security– Virtualization Software Security• Hypervisor (also called Virtual Machine Manager (VMM)) security isa key– a small application that runs on top of the physical machineH/W layer– implements and manages the virtual CPU, virtual memory, eventchannels, and memory shared by the resident VMs– Also controls I/O and memory access to devices.• Bigger problem in multitenant architectures– Customer guest OS or Virtual Server Security• The virtual instance of an OS• Vulnerabilities have appeared in virtual instance of an OS• e.g., VMWare, Xen, and Microsoft’s Virtual PC and Virtual Server• Customers have full access to virtual servers.33From [6] Cloud Security and Privacy by Mather and Kumaraswamy
    34. 34. Case study: Amazons EC2 infrastructure• “Hey, You, Get Off of My Cloud: Exploring Information Leakage inThird-Party Compute Clouds”– Multiple VMs of different organizations with virtual boundariesseparating each VM can run within one physical server– "virtual machines" still have internet protocol, or IP, addresses,visible to anyone within the cloud.– VMs located on the same physical server tend to have IPaddresses that are close to each other and are assigned at thesame time– An attacker can set up lots of his own virtual machines, look attheir IP addresses, and figure out which one shares the samephysical resources as an intended target– Once the malicious virtual machine is placed on the same serveras its target, it is possible to carefully monitor how access toresources fluctuates and thereby potentially glean sensitiveinformation about the victim34
    35. 35. Local Host Security• Are local host machines part of the cloud infrastructure?– Outside the security perimeter– While cloud consumers worry about the security on the cloudprovider’s site, they may easily forget to harden their ownmachines• The lack of security of local devices can– Provide a way for malicious services on the cloud to attacklocal networks through these terminal devices– Compromise the cloud and its resources for other users
    36. 36. Local Host Security (Cont.)• With mobile devices, the threat may be even stronger– Users misplace or have the device stolen from them– Security mechanisms on handheld gadgets are often timesinsufficient compared to say, a desktop computer– Provides a potential attacker an easy avenue into a cloudsystem.– If a user relies mainly on a mobile device to access clouddata, the threat to availability is also increased as mobiledevices malfunction or are lost• Devices that access the cloud should have– Strong authentication mechanisms– Tamper-resistant mechanisms– Strong isolation between applications– Methods to trust the OS– Cryptographic functionality when traffic confidentiality isrequired36
    37. 37. The Application Level• DoS• EDoS(Economic Denial of Sustainability)– An attack against the billing model that underliesthe cost of providing a service with the goal ofbankrupting the service itself.• End user security• Who is responsible for Web application security inthe cloud?• SaaS/PaaS/IaaS application security• Customer-deployed application security37From [6] Cloud Security and Privacy by Mather and Kumaraswamy
    38. 38. Data Security and Storage• Several aspects of data security, including:– Data-in-transit• Confidentiality + integrity using secured protocol• Confidentiality with non-secured protocol and encryption– Data-at-rest• Generally, not encrypted , since data is commingled withother users’ data• Encryption if it is not associated with applications?– But how about indexing and searching?– Then homomorphic encryption vs. predicateencryption?– Processing of data, including multitenancy• For any application to process data, not encrypted38From [6] Cloud Security and Privacy by Mather and Kumaraswamy
    39. 39. Data Security and Storage (cont.)– Data lineage• Knowing when and where the data was located w/i cloud isimportant for audit/compliance purposes• e.g., Amazon AWS– Store <d1, t1,>– Process <d2, t2,>– Restore <d3, t3,>– Data provenance• Computational accuracy (as well as data integrity)• E.g., financial calculation: sum ((((2*3)*4)/6) -2) = $2.00 ?– Correct : assuming US dollar– How about dollars of different countries?– Correct exchange rate?39Where is (or was) that system located?What was the state of that physical system?How would a customer or auditor verify thatinfo?From [6] Cloud Security and Privacy by Mather and Kumaraswamy
    40. 40. Data Security and Storage• Data remanence– Inadvertent disclosure of sensitive information is possible• Data security mitigation?– Do not place any sensitive data in a public cloud– Encrypted data is placed into the cloud?• Provider data and its security: storage– To the extent that quantities of data from manycompanies are centralized, this collection can become anattractive target for criminals– Moreover, the physical security of the data center and thetrustworthiness of system administrators take on newimportance.40From [6] Cloud Security and Privacy by Mather and Kumaraswamy
    41. 41. Why IAM?• Organization’s trust boundary will become dynamic and will movebeyond the control and will extend into the service providerdomain.• Managing access for diverse user populations (employees,contractors, partners, etc.)• Increased demand for authentication– personal, financial, medical data will now be hosted in thecloud– S/W applications hosted in the cloud requires access control• Need for higher-assurance authentication– authentication in the cloud may mean authentication outsideF/W– Limits of password authentication• Need for authentication from mobile devices41From [6] Cloud Security and Privacy by Mather and Kumaraswamy
    42. 42. IAM considerations• The strength of authentication system should bereasonably balanced with the need to protect the privacyof the users of the system– The system should allow strong claims to betransmitted and verified w/o revealing moreinformation than is necessary for any given transactionor connection within the service• Case Study: S3 outage– authentication service overload leading to unavailability• 2 hours 2/15/08•
    43. 43. What is Privacy?• The concept of privacy varies widely among (andsometimes within) countries, cultures, and jurisdictions.• It is shaped by public expectations and legalinterpretations; as such, a concise definition is elusive ifnot impossible.• Privacy rights or obligations are related to the collection,use, disclosure, storage, and destruction of personal data(or Personally Identifiable Information—PII).• At the end of the day, privacy is about the accountabilityof organizations to data subjects, as well as thetransparency to an organization’s practice around personalinformation.43From [6] Cloud Security and Privacy by Mather and Kumaraswamy
    44. 44. What is the data life cycle?44• Personal information should bemanaged as part of the data used bythe organization• Protection of personal informationshould consider the impact of thecloud on each phaseFrom [6] Cloud Security and Privacy by Mather and Kumaraswamy
    45. 45. What Are the Key Privacy Concerns?• Typically mix security and privacy• Some considerations to be aware of:– Storage– Retention– Destruction– Auditing, monitoring and risk management– Privacy breaches– Who is responsible for protecting privacy?45From [6] Cloud Security and Privacy by Mather and Kumaraswamy
    46. 46. Storage• Is it commingled with information from otherorganizations that use the same CSP?• The aggregation of data raises new privacy issues– Some governments may decide to search throughdata without necessarily notifying the data owner,depending on where the data resides• Whether the cloud provider itself has any right tosee and access customer data?• Some services today track user behaviour for a rangeof purposes, from sending targeted advertising toimproving services46From [6] Cloud Security and Privacy by Mather and Kumaraswamy
    47. 47. Retention• How long is personal information (that is transferredto the cloud) retained?• Which retention policy governs the data?• Does the organization own the data, or the CSP?• Who enforces the retention policy in the cloud, andhow are exceptions to this policy (such as litigationholds) managed?47From [6] Cloud Security and Privacy by Mather and Kumaraswamy
    48. 48. Destruction• How does the cloud provider destroy PII at the end of theretention period?• How do organizations ensure that their PII is destroyed bythe CSP at the right point and is not available to other cloudusers?• Cloud storage providers usually replicate the data acrossmultiple systems and sites—increased availability is one ofthe benefits they provide.– How do you know that the CSP didn’t retain additionalcopies?– Did the CSP really destroy the data, or just make itinaccessible to the organization?– Is the CSP keeping the information longer than necessaryso that it can mine the data for its own use?48From [6] Cloud Security and Privacy by Mather and Kumaraswamy
    49. 49. Auditing, monitoring and risk management• How can organizations monitor their CSP and provideassurance to relevant stakeholders that privacyrequirements are met when their PII is in the cloud?• Are they regularly audited?• What happens in the event of an incident?• If business-critical processes are migrated to a cloudcomputing model, internal security processes need toevolve to allow multiple cloud providers to participatein those processes, as needed.– These include processes such as securitymonitoring, auditing, forensics, incident response,and business continuity49From [6] Cloud Security and Privacy by Mather and Kumaraswamy
    50. 50. Privacy breaches• How do you know that a breach has occurred?• How do you ensure that the CSP notifies you when abreach occurs?• Who is responsible for managing the breachnotification process (and costs associated with theprocess)?• If contracts include liability for breaches resultingfrom negligence of the CSP?– How is the contract enforced?– How is it determined who is at fault?50From [6] Cloud Security and Privacy by Mather and Kumaraswamy
    51. 51. Who is responsible for protecting privacy?• Data breaches have a cascading effect• Full reliance on a third party to protect personaldata?• In-depth understanding of responsible datastewardship• Organizations can transfer liability, but notaccountability• Risk assessment and mitigation throughout the datalife cycle is critical.• Many new risks and unknowns– The overall complexity of privacy protection in thecloud represents a bigger challenge.51e.g., Suppose a hacker breaks into Cloud Provider A and steals data from Company X.Assume that the compromised server also contained data from Companies Y and Z.• Who investigates this crime?• Is it the Cloud Provider, even though Company X may fear thatthe provider will try to absolve itself from responsibility?• Is it Company X and, if so, does it have the right to see other data on that server,including logs that may show access to the data of Companies Y and Z?From [6] Cloud Security and Privacy by Mather and Kumaraswamy
    52. 52. Part III. Possible Solutions• Minimize Lack of Trust– Policy Language– Certification• Minimize Loss of Control– Monitoring– Utilizing different clouds– Access control management– Identity Management (IDM)• Minimize Multi-tenancy52
    53. 53. Security Issues in the Cloud• In theory, minimizing any of the issues would help:– Third Party Cloud Computing– Loss of Control• Take back control– Data and apps may still need to be on the cloud– But can they be managed in some way by the consumer?– Lack of trust• Increase trust (mechanisms)– Technology– Policy, regulation– Contracts (incentives): topic of a future talk– Multi-tenancy• Private cloud– Takes away the reasons to use a cloud in the first place• VPC: its still not a separate system• Strong separation
    54. 54. Like Amazon’s EC2, Microsoft’s Azure• Allow users to instantiate Virtual Machines• Allow users to purchase required quantitywhen required• Allow service providers to maximize theutilization of sunk capital costs• Confidentiality is very importantThird Party Cloud Computing
    55. 55. • Confidentiality issues• Malicious behavior by cloud provider• Known risks exist in any industry practicingoutsourcing• Provider and its infrastructure needs to be trustedKnown issues: Already exist
    56. 56. • Threats arise from other consumers• Due to the subtleties of how physical resourcescan be transparently shared between VMs• Such attacks are based on placement andextraction• A customer VM and its adversary can be assignedto the same physical server• Adversary can penetrate the VM and violatecustomer confidentialityNew Vulnerabilities & Attacks
    57. 57. • Collaborative attacks• Mapping of internal cloud infrastructure• Identifying likely residence of a target VM• Instantiating new VMs until one gets co-resident with the target• Cross-VM side-channel attacks• Extract information from target VM on thesame machineMore on attacks…
    58. 58. • Can one determine where in the cloud infrastructurean instance is located?• Can one easily determine if two instances are co-resident on the same physical machine?• Can an adversary launch instances that will be co-resident with other user instances?• Can an adversary exploit cross-VM informationleakage once co-resident?Answer: Yes to allMore on attacks…
    59. 59. - POLICY LANGUAGE- CERTIFICATIONMinimize Lack of Trust59
    60. 60. Minimize Lack of Trust:Policy Language• Consumers have specific security needs but don’thave a say-so in how they are handled– What the heck is the provider doing for me?– Currently consumers cannot dictate theirrequirements to the provider (SLAs are one-sided)• Standard language to convey one’s policies andexpectations– Agreed upon and upheld by both parties– Standard language for representing SLAs– Can be used in a intra-cloud environment to realizeoverarching security posture
    61. 61. Minimize Lack of Trust:Policy Language (Cont.)• Create policy language with the followingcharacteristics:– Machine-understandable (or at least processable),– Easy to combine/merge and compare– Examples of policy statements are, “requiresisolation between VMs”, “requires geographicalisolation between VMs”, “requires physicalseparation between other communities/tenantsthat are in the same industry,” etc.– Need a validation tool to check that the policycreated in the standard language correctlyreflects the policy creator’s intentions (i.e. thatthe policy language is semantically equivalent tothe user’s intentions).61
    62. 62. Minimize Lack of Trust: Certification• Certification– Some form of reputable, independent, comparableassessment and description of security featuresand assurance– Sarbanes-Oxley, DIACAP, DISTCAP, etc (are theysufficient for a cloud environment?)• Risk assessment– Performed by certified third parties– Provides consumers with additional assurance
    64. 64. Minimize Loss of Control:Monitoring• Cloud consumer needs situational awareness forcritical applications– When underlying components fail, what is theeffect of the failure to the mission logic– What recovery measures can be taken (by providerand consumer)• Requires an application-specific run-time monitoringand management tool for the consumer– The cloud consumer and cloud provider havedifferent views of the system– Enable both the provider and tenants to monitorthe components in the cloud that are under theircontrol
    65. 65. Minimize Loss of Control:Monitoring (Cont.)65– Provide mechanisms that enable the provider toact on attacks he can handle.• infrastructure remapping (create new or moveexisting fault domains)• shutting down offending components or targets(and assisting tenants with porting if necessary• Repairs– Provide mechanisms that enable the consumer toact on attacks that he can handle (application-levelmonitoring).• RAdAC (Risk-adaptable Access Control)• VM porting with remote attestation of targetphysical host• Provide ability to move the user’s application toanother cloud
    66. 66. Minimize Loss of Control:Utilize Different Clouds• The concept of ‘Don’t put all your eggs in one basket’– Consumer may use services from different clouds through anintra-cloud or multi-cloud architecture– Propose a multi-cloud or intra-cloud architecture in whichconsumers• Spread the risk• Increase redundancy (per-task or per-application)• Increase chance of mission completion for critical applications– Possible issues to consider:• Policy incompatibility (combined, what is the overarchingpolicy?)• Data dependency between clouds• Differing data semantics across clouds• Knowing when to utilize the redundancy feature (monitoringtechnology)• Is it worth it to spread your sensitive data across multipleclouds?– Redundancy could increase risk of exposure
    67. 67. Minimize Loss of Control:Access Control• Many possible layers of access control– E.g. access to the cloud, access to servers, access toservices, access to databases (direct and queries via webservices), access to VMs, and access to objects within a VM– Depending on the deployment model used, some of these willbe controlled by the provider and others by the consumer• Regardless of deployment model, provider needs tomanage the user authentication and access controlprocedures (to the cloud)– Federated Identity Management: access control managementburden still lies with the provider– Requires user to place a large amount of trust on theprovider in terms of security, management, and maintenanceof access control policies. This can be burdensome whennumerous users from different organizations with differentaccess control policies, are involved
    68. 68. Minimize Loss of Control:Access Control (Cont.)68• Consumer-managed access control– Consumer retains decision-making process to retainsome control, requiring less trust of the provider(i.e. PDP is in consumer’s domain)– Requires the client and provider to have a pre-existing trust relationship, as well as a pre-negotiated standard way of describing resources,users, and access decisions between the cloudprovider and consumer. It also needs to be able toguarantee that the provider will uphold theconsumer-side’s access decisions.– Should be at least as secure as the traditionalaccess control model.– Facebook and Google Apps do this to some degree,but not enough control– Applicability to privacy of patient health records
    69. 69. PEP(intercepts allresourceaccess requestsfrom all clientdomains)PDPfor cloudresourceon Domain ACloud Consumer in Domain BACM(XACMLpolicies)...resourcesCloud Provider in Domain AIDP1. Authn request2. SAML Assertion3. Resource request (XACML Request) + SAML assertion4. Redirect to domain of resource owner7. Send signed and encrypted ticket5. Retrieve policyfor specified resource6. Determine whether user can accessspecified resource7. Create ticket for grant/deny8. Decrypt and verify signature9. Retrieve capability from ticket10. Grant or deny access based on capabilityMinimize Loss of Control:Access Control
    70. 70. Minimize Loss of Control: IDMMotivationUser on AmazonCloud1. Name2. E-mail3. Password4. Billing Address5. Shipping Address6. Credit Card1. Name2. E-mail3. Shipping Address1. Name2. Billing Address3. Credit Card1. Name2. E-mail3. Password4. Billing Address5. Shipping Address6. Credit Card1. Name2. E-mail3. Shipping Address
    71. 71. Minimize Loss of Control: IDMIdentity in the CloudUser on AmazonCloud1. Name2. E-mail3. Password4. Billing Address5. Shipping Address6. Credit Card1. Name2. Billing Address3. Credit Card
    72. 72. Minimize Loss of Control: IDMPresent IDMs• IDM in traditional application-centric IDM model– Each application keeps track of identifying information of itsusers.• Existing IDM Systems– Microsoft Windows CardSpace [W. A. Alrodhan]– OpenID []– PRIME [S. F. Hubner]These systems require a trusted third partytrusted third party anddo not work on an untrusted hostuntrusted host..If Trusted Third Party is compromised, all the identifying informationof the users is also compromised[Latest: AT&T iPad leakAT&T iPad leak]
    73. 73. Minimize Loss of Control: IDMIssues in Cloud Computing• Cloud introduces several issues to IDM– Users have multiple accountsmultiple accounts associated with multiplemultipleservice providers.service providers.– Lack of trust• Use of Trusted Third Party is not an option• Cloud hosts are untrusted– Loss of control• Collusion between Cloud Services– Sharing sensitive identity informationbetween services can lead to undesirablemapping of the identities to the user.mapping of the identities to the user.IDM in Cloud needs to be user-centric
    74. 74. Minimize Loss of Control: IDMGoals of Proposed User-Centric IDM for the Cloud1. Authenticate without disclosing identifying information2. Ability to securely use a service while on an untrustedhost (VM on the cloud)3. Minimal disclosure and minimized risk of disclosureduring communication between user and service provider(Man in the Middle, Side Channel and CorrelationAttacks)4. Independence of Trusted Third Party
    75. 75. Minimize Loss of Control: IDMApproach - 1• IDM Wallet:– Use of AB scheme to protect PII from untrustedhosts.• Anonymous Identification:– Use of Zero-knowledge proofing for authenticationof an entity without disclosing its identifier.
    76. 76. Minimize Loss of Control: IDMComponents of Active Bundle (Approach – 1)• Identity data: Data used during authentication, gettingservice, using service (i.e. SSN, Date of Birth).• Disclosure policy: A set of rules for choosing Identitydata from a set of identities in IDM Wallet.• Disclosure history: Used for logging and auditingpurposes.• Negotiation policy: This is Anonymous Identification,based on the Zero Knowledge Proofing.• Virtual Machine: Code for protecting data on untrustedhosts. It enforces the disclosure policies.
    77. 77. Minimize Loss of Control: IDMAnonymous Identification (Approach – 1)Anonymous Identification(Shamirs approach for Credit Cards)• IdP provides Encrypted Identity Information to theuser and SP.• SP and User interact• Both run IdPs public function on the certain bits ofthe Encrypted data.• Both exchange results and agree if it matches.
    78. 78. Minimize Loss of Control: IDMUsage Scenario (Approach – 1)
    79. 79. Minimize Loss of Control: IDMApproach - 2• Active Bundle schemeActive Bundle scheme to protect PII from untrustedhosts• Predicates over encrypted dataPredicates over encrypted data to authenticatewithout disclosing unencrypted identity data.• Multi-party computingMulti-party computing to be independent of atrusted third party
    80. 80. Minimize Loss of Control: IDMUsage Scenario (Approach – 2)• Owner O encrypts Identity Data(PII) using algorithmEncrypt and O’s public key PK. Encrypt outputs CT—theencrypted PII.• SP transforms his request for PII to a predicaterepresented by function p.• SP sends shares of p to the n parties who hold theshares of MSK.• n parties execute together KeyGen using PK, MSK, andp, and return TKp to SP.• SP calls the algorithm Query that takes as input PK, CT,TKp and produces p(PII) which is the evaluation of thepredicate.• The owner O is allowed to use the service only when thepredicate evaluates to “true”.
    81. 81. Minimize Loss of Control: IDMRepresentation of identity informationfor negotiationToken/PseudonymIdentity Information in clear plain text Active BundleActive Bundle
    82. 82. Minimize Loss of Control: IDMMotivation-Authentication Process using PIIProblem: Which information to disclose and how todisclose it.
    83. 83. Proposed IDM:Mechanisms• [16] Protection of Identity Information in Cloud Computing withoutTrusted Third Party - R. Ranchal, B. Bhargava, L.B. Othmane, L. Lilien,A. Kim, M. Kang, Third International Workshop on Dependable NetworkComputing and Mobile Systems (DNCMS) in conjunction with 29th IEEESymposium on Reliable Distributed System (SRDS) 2010• [17] A User-Centric Approach for Privacy and Identity Management inCloud Computing - P. Angin, B. Bhargava, R. Ranchal, N. Singh, L. Lilien,L.B. Othmane 29th IEEE Symposium on Reliable Distributed System(SRDS) 2010• Privacy in Cloud Computing Through Identity Management - B. Bhargava,N. Singh, A. Sinclair, International Conference on Advances inComputing and Communication ICACC-11, April, 2011, India.• Active Bundle• Anonymous Identification• Computing Predicates with encrypted data• Multi-Party Computing• Selective Disclosure
    84. 84. Proposed IDM:Active Bundle• Active bundleActive bundle (ABAB)– An encapsulating mechanism protectingprotecting datadata carriedwithinwithin it– Includes datadata– Includes metadatametadata used for managing confidentiality• Both privacy of data and privacy of the whole AB– Includes Virtual Machine (VM)• performing a set of operationsoperations• protectingprotecting its confidentialityconfidentiality
    85. 85. Proposed IDM:Active Bundle (Cont.)• Active Bundles—OperationsActive Bundles—Operations– Self-Integrity checkSelf-Integrity checkE.g., Uses a hash function– Evaporation/ FilteringEvaporation/ FilteringSelf-destroys (a part of) AB’s sensitive data whenthreatened with a disclosure– ApoptosisApoptosisSelf-destructs AB’s completely85
    86. 86. Proposed IDM:Active Bundle Scheme– Metadata:Metadata:• Access control policies• Data integrity checks• Dissemination policies• Life duration• ID of a trust server• ID of a security server• App-dependent information• …– Sensitive Data:Sensitive Data:• IdentityInformation• ...– Virtual MachineVirtual Machine(algorithm):(algorithm):• Interprets metadata• Checks active bundle integrity• Enforces access anddissemination control policies• …• E(Name)• E(E-mail)• E(Password)• E(Shipping Address)• E(Billing Address)• E(Credit Card)• …* E( ) - Encrypted Information
    87. 87. Proposed IDM:Anonymous IdentificationUser on AmazonCloud1. E-mail2. Password1. E-mail2. PasswordUser Request for serviceFunction f and number kfk(E-mail, Password) = RZKP Interactive ProtocolAuthenticated• Use of Zero-knowledge proofing for user authenticationwithout disclosing its identifier.
    88. 88. Proposed IDM:Interaction using Active BundleActiveBundle (AB)Security ServicesAgent (SSA)Active Bundle ServicesUser ApplicationActive Bundle CoordinatorActive BundleCreatorDirectoryFacilitatorActive Bundle DestinationTrust EvaluationAgent (TEA)Audit ServicesAgent (ASA)Active BundleAB informationdisclosure
    89. 89. Proposed IDM:Predicate over Encrypted Data• Verification without disclosing unencrypted identity data.• E-mail• Password• E(Name)• E(Shipping Address)• E(Billing Address)• E(Credit Card)• E(Name)• E(BillingAddress)• E(Credit Card)Predicate Request**Age Verification Request*Credit Card Verification Request
    90. 90. Proposed IDM:Multi-Party Computing• To become independent of a trusted third party• Multiple Services hold shares of the secret key• Minimize the risk• E(Name)• E(BillingAddress)• E(Credit Card)Key Management ServicesK’1 K’2 K’3 K’nPredicate Request* Decryption of information is handled by the Key Management services
    91. 91. Proposed IDM:Multi-Party Computing• To become independent of a trusted third party• Multiple Services hold shares of the secret key• Minimize the risk• Name• Billing Address• Credit CardKey Management ServicesK’1 K’2 K’3 K’nPredicate Reply**Age Verified*Credit Card Verified
    92. 92. Proposed IDM:Selective Disclosure• E-mail• Password• E(Name)• E(Shipping Address)• E(Billing Address)• E(Credit Card)Selective disclosure*• E(E-mail)• E(Name)• E(ShippingAddress)• User Policies in the Active Bundle dictate dissemination*e-bay shares the encrypted information based on the user policy
    93. 93. Proposed IDM:Selective Disclosure• E-mail• Password• E(Name)• E(Shipping Address)• E(Billing Address)• E(Credit Card)Selective disclosure*• E-mail• E(Name)• E(ShippingAddress)• User Policies in the Active Bundle dictate disseminationDecryption handled by Multi-Party Computing as in the previous slides
    94. 94. Proposed IDM:Selective Disclosure• E-mail• E(Name)• E(Shipping Address)Selective disclosure*• E(Name)• E(ShippingAddress)*e-bay seller shares the encrypted information based on the user policy
    95. 95. Proposed IDM:Selective Disclosure• E-mail• E(Name)• E(Shipping Address)Selective disclosure• Name• Shipping Address• Decryption handled by Multi-Party Computing as in the previous slides
    96. 96. Proposed IDM:Selective Disclosure• E-mail• E(Name)• E(Shipping Address)Selective disclosure• Name• Shipping Address• Fed-Ex can now send the package to the user
    97. 97. Proposed IDM:Identity in the CloudUser on AmazonCloud1. Name2. E-mail3. Password4. Billing Address5. Shipping Address6. Credit Card1. Name2. Shipping Address1. Name2. Billing Address3. Credit Card1. E-mail2. Password1. E-mail
    98. 98. Proposed IDM:Characteristics and Advantages• Ability to use Identity data on untrusted hosts• Self Integrity Check• Integrity compromised- apoptosis or evaporation• Data should not be on this host• Independent of Third Party– Prevents correlation attacks• Establishes the trust of users in IDM– Through putting the user in control of who has his data– Identity is being used in the process of authentication,negotiation, and data exchange.• Minimal disclosure to the SP– SP receives only necessary information.
    99. 99. Proposed IDM:Conclusion & Future Work• Problems with IDM in Cloud Computing– Collusion of Identity Information– Prohibited Untrusted Hosts– Usage of Trusted Third Party• Proposed Approaches– IDM based on Anonymous Identification– IDM based on Predicate over Encrypted data• Future work– Develop the prototype, conduct experiments andevaluate the approach
    100. 100. Minimize Multi-tenancy100
    101. 101. Minimize Multi-tenancy• Can’t really force the provider to accept lesstenants– Can try to increase isolation between tenants• Strong isolation techniques (VPC to some degree)– C.f. VM Side channel attacks (T. Ristenpart et al.)• QoS requirements need to be met• Policy specification– Can try to increase trust in the tenants• Who’s the insider, where’s the security boundary? Whocan I trust?• Use SLAs to enforce trusted behavior
    102. 102. Conclusion• Cloud computing is sometimes viewed as areincarnation of the classic mainframe client-servermodel– However, resources are ubiquitous, scalable, highlyvirtualized– Contains all the traditional threats, as well as new ones• In developing solutions to cloud computing securityissues it may be helpful to identify the problems andapproaches in terms of– Loss of control– Lack of trust– Multi-tenancy problems
    104. 104. Take Amazon cloud for example.• store personal data(Simple Storage Service (S3) )• perform computations on stored data(Elastic Compute Cloud (EC2). )
    105. 105. If you want to set up a business. low initial capital investment shorter start-up time for new services lower maintenance and operation costs higher utilization through virtualization easier disaster recovery
    106. 106. Two main concerns: mobile computing are limited energy wireless bandwidth
    107. 107. Various studies have identified longer batterylifetime as the most desired feature of suchsystems. longer battery life to be more important than allother features, including cameras or storage. short battery life to be the most dislikedcharacteristic of Apple’s iPhone 3GS battery life was the top concern of music phoneusers.
    108. 108.  Adopt a new generation of semiconductor technology. Avoid wasting energy. (when it is idle, sleep mode) Execute programs slowly. (When a processor’s clockspeed doubles, the power consumption nearlyoctuples). Eliminate computation all together. (offloading theseapplications to the cloud).
    109. 109. How to implement a quantitative study. The amount ofenergy saved isS : the speed of cloud to compute C instructionsM : the speed of mobile to compute C instructionsD : the data need to transmitB : the bandwidth of the wireless Internet
    110. 110. the energy cost per second when the mobile phone isdoing computingthe energy cost per second when the mobile phone isidle.the energy cost per second when the mobile istransmission the data.ipcptrp
    111. 111. Suppose the server is F times faster—that is, S= F × M. We can rewrite the formula asEnergy is saved when this formula produces apositive number. The formula is positive if D/Bis sufficiently small compared with C/M and Fis sufficiently large.
    112. 112. chess game.A chessboard has 8 × 8 = 64 positions. Eachplayer controls 16 pieces at the beginning ofthe game. Each piece may be in one of the 64possible locations and needs 6 bits torepresent the location. To represent a chessgame’s current state, it is sufficient to statethat 6 bits × 32 pieces = 192 bits = 24 bytes;this is smaller than the size of a typicalwireless packet.
    113. 113. The amount of computation for chess is verylarge; Claude Shannon and Victor Allisestimated the complexity of chess to exceedthe number of atoms in the universe. Since theamount of computation C is extremely large,and D is very small, chess provides an examplewhere offloading is beneficial for most wirelessnetworks.
    114. 114.  regions like national parks the basement of a building interior of a tunnel, subway.In these cases,where the value of B in Equation can becomevery small or even zero, cloud computing doesnot save energy.
    115. 115. There is a fundamental assumptionunder-lying this analysis with the client-servermodel: Because the server does not alreadycontain the data, all the data must be sent tothe service provider.However, cloud computing changes thatassumption: The cloud stores data and performscomputation on it. For example, services likeAmazon S3 can store data, and Amazon EC2 canbe used to perform computation on the datastored using S3.
    116. 116. Another possible privacy and security solutionis to use a technique called steganography : Multimedia content like images and videoshave significant redundancy. This makes itpossible to hide data in multimedia usingsteganography. Steganographic techniques can be used totransform the data before storage so thatoperations can still be performed on the data.
    117. 117. Performing encryption or steganographictechniques before sending data to the cloudrequires some additional processing on themobile system. So the formula become:
    118. 118.  cloud computing can potentially save energyfor mobile users. not all applications are energyefficient when migrated to the cloud. cloud computing services would besignificantly different from cloud services fordesktops because they must offer energysavings. The services should consider the energyoverhead for privacy, security, reliability,and data communication before offloading.
    119. 119. Bandwidth Measurementsfor VMs in Cloud
    120. 120. MOTIVATION• Many applications are being deployed in cloud to leveragethe scalability provided by the cloud providers.• Tools provided by the cloud providers do not giveperformance metrics from the network perspective.• Network topology is not exposed to the cloud users and theapplications consider all network links to be homogeneous.• Metrics such as available bandwidth, latency etc. will bemore useful to the cloud users.
    121. 121. Experimental Evaluation• Set upo 19 EC2 small instances (US East)o 342 links between VMso Ubuntu 10.04 server version• Centralized Scheduler for starting Iperf clientso Predefined serialized schedule file at each VM instance.o Schedule file contains a time stamp along with the nodes that shouldcommunicate for a single reading.* Iperf - Network testing tool to measure the networkthroughput between end hosts.
    122. 122. Experimental Evaluation• Iperf takes 6 seconds to get a reading for a single link.• Each round of measurement takes around 30 minutes forfinding available bandwidth for all 342 links.• Total 5 rounds in total• Throughput matrix: Matrix containing estimated values foravailable bandwidth
    123. 123. Bandwidth Estimation• Shows the CDF of linkbandwidth estimation for allthe rounds.• Used throughput matrixhaving estimated 342values.• All links in clouds arenot homogeneous.• Only 10% of the links haveavailable bandwidth lessthan 400Mbps.
    124. 124. Bandwidth Variation Estimation• Shows the CDF of linkbandwidth variation acrossall the rounds.• Bandwidth range of a linkdefined as the differencebetween the max and minvalue across all rounds.• For most of the links,bandwidth is consistentacross time. Only 20%links have variation ofmore than 200 Mbps.
    125. 125. Virtual Machine Performance• Shows the availabledownload/uploadbandwidth of all machinesfor a single round• Almost all the machineshave average availablebandwidth more than 400Mbps.
    126. 126. Virtual Machine Performance• Shows the averageavailable download/ uploadbandwidth and its range foreach machine across allrounds.• Almost all the machineshave average download/upload bandwidth morethan 400 Mbps.• Some VMs (1, 4, 7) havelarge available bandwidthvariation.
    127. 127. CONCLUSIONS• Focussed on available bandwidth metric between each pairof VM instances.• Amazon EC2 data center is optimally utilized with ampleavailable bandwidth for almost all VMs.• Some badly performing VMs can be pointed out based onthe large variation in the available upload/downloadbandwidth and can be replaced with new VMs.
    128. 128. Future Work• More performance metric such as latency etc. can beconsidered.• These performance metrics can be used to improve theperformance of applications running in the cloud.• These performance metric tests can be run on large EC2instances.
    129. 129. A Mobile-Cloud CollaborativeApproach for Context-Aware BlindNavigation
    130. 130. Outline• Problem Statement• Goals• Challenges• Context-aware Navigation Components• Existing Blind Navigation Aids• Proposed System Architecture• Advantages of Mobile-Cloud Approach• Traffic Lights Detection– Related Work– System Developed– Experiments• Work In Progress
    131. 131. Problem Statement• Indoor and outdoor navigation is becoming aharder task for blind and visually impaired peoplein the increasingly complex urban world• Advances in technology are causing the blind tofall behind, sometimes even putting their lives atrisk• Technology available for context-aware navigationof the blind is not sufficiently accessible; somedevices rely heavily on infrastructuralrequirements
    132. 132. Demographics• 314 million visually impaired people in the worldtoday• 45 million blind• More than 82% of the visually impairedpopulation is age 50 or older• The old population forms a group with diverserange of abilities• The disabled are seldom seen using the streetalone or public transportation
    133. 133. Goals• ***Make a difference***Bring mobile technology in the daily lives of blindand visually impaired people to help achieve ahigher standard of life• Take a major step in context-aware navigation ofthe blind and visually impaired• Bridge the gap between the needs and availabletechnology• Guide users in a non-overwhelming way• Protect user privacy
    134. 134. Challenges• Real-time guidance• Portability• Power limitations• Appropriate interface• Privacy preservation• Continuous availability• No dependence on infrastructure• Low-cost solution• Minimal training
    135. 135. Discussions• Cary Supalo: Founder of Independence Science LLC (• T.V. Raman: Researcher at Google, leader of Eyes-Free project (speech enabled Android applications)• American Council of the Blind of Indiana StateConvention, 31 October 2009• Miami Lighthouse Organization
    136. 136. Mobility Requirements• Being able to avoid obstacles• Walking in the right direction• Safely crossing the road• Knowing when you have reached a destination• Knowing which is the right bus/train• Knowing when to get off the bus/trainAll require SIGHT as primary sense
    137. 137. Context-Aware Navigation Components• Outdoor Navigation (finding curbs -including insnow, using public transportation, interpretingtraffic patterns/signal lights…)• Indoor Navigation (finding stairs/elevator,specific offices, restrooms in unfamiliarbuildings, finding the cheapest TV at a store…)• Obstacle Avoidance (both overhanging and lowobstacles…)• Object Recognition (being able to reach objectsneeded, recognizing people who are in theimmediate neighborhood…)
    138. 138. Existing Blind Navigation Aids –Outdoor Navigation• Loadstone GPS (• Wayfinder Access (• BrailleNote GPS (• Trekker (• StreetTalk (• DRISHTI [1]• …
    139. 139. Existing Blind Navigation Aids –Indoor Navigation• InfoGrid (based on RFID) [2]• Jerusalem College of Technology system (based onlocal infrared beams) [3]• Talking Signs ( (audio signalssent by invisible infrared light beams)• SWAN (audio interface guiding user along path,announcing important features) [4]• ShopTalk (for grocery shopping) [5]
    140. 140. Existing Blind Navigation Aids –Obstacle Avoidance• RADAR/LIDAR• Kay’s Sonic glasses (audio for 3D representationof environment) (• Sonic Pathfinder ( (notesof musical scale to warn of obstacles)• MiniGuide ( (vibrationto indicate object distance)• VOICE ( (images intosounds heard from 3D auditory display)• Tactile tongue display [6]• …
    141. 141. Putting all together…Gill, J. Assistive Devices for People with Visual Impairments.In A. Helal, M. Mokhtari and B. Abdulrazak, ed., The Engineering Handbook of Smart Technology for Aging, Disability and IndependenJohn Wiley & Sons, Hoboken, New Jersey, 2008.
    142. 142. Proposed System Architecture
    143. 143. Proposed System ArchitectureServices:• Google Maps (outdoor navigation, pedestrianmode)• Micello (indoor location-based service for mobiledevices)• Object recognition (Selectin software etc)• Traffic assistance• Obstacle avoidance (Time-of-flight cameratechnology)• Speech interface (Android text-to-speech +speech recognition servers)• Remote vision• Obstacle minimized route planning
    144. 144. Use of the Android Platform
    145. 145. Advantages of a Mobile-Cloud CollaborativeApproach• Open architecture• Extensibility• Computational power• Battery life• Light weight• Wealth of context-relevant informationresources• Interface options• Minimal reliance on infrastructural requirements
    146. 146. Traffic Lights Status Detection Problem• Ability to detect status of traffic lightsaccurately is an important aspect of safenavigation– Color blind– Autonomous ground vehicles– Careless drivers• Inherent difficulty: Fast image processingrequired for locating and detecting the lightsstatus  demanding in terms of computationalresources• Mobile devices with limited resources fall shortalone
    147. 147. Attempts to Solve the Traffic LightsDetection Problem• Kim et al: Digital camera + portable PC analyzingvideo frames captured by the camera [7]• Charette et al: 2.9 GHz desktop computer toprocess video frames in real time[8]• Ess et al: Detect generic moving objects with400 ms video processing time on dual core 2.66GHz computer[9]Sacrifice portability for real-time,accurate detection
    148. 148. Mobile-Cloud Collaborative Traffic LightsDetector
    149. 149. Adaboost Object Detector• Adaboost: Adaptive Machine Learning algorithm usedcommonly in real-time object recognition• Based on rounds of calls to weak classifiers to focusmore on incorrectly classified samples at each stage• Traffic lights detector: trained on 219 images oftraffic lights (Google Images)• OpenCV library implementation
    150. 150. Experiments: Detector Output
    151. 151. Experiments: Response time
    152. 152. Enhanced Detection Schema
    153. 153. Work In Progress• Develop fully context-aware navigation system withspeech/tactile interface• Develop robust object/obstacle recognitionalgorithms• Investigate mobile-cloud privacy and security issues(minimal data disclosure principle) [10]• Investigate options for mounting of the camera
    154. 154. Collective Object Classification in ComplexScenesLabelMe Dataset (
    155. 155. Relational Learning with Multiple BoostedDetectors for Object Categorization• Modeling relational dependencies betweendifferent object categories• Multiple detectors running in parallel• Class label fixing based on confidence• More accurate classification than AdaBoostalone• Higher recall than classic collectiveclassification• Minimal decrease in recall for different classesof objects
    156. 156. Object Classification Experiments
    157. 157. Identity-Based Authentication forCloud ComputingHongwei Li, Yuanshun Dai, Ling Tian, andHaomiao YangCloudCom ‘09
    158. 158. What did they do?Proposed identity-based authentication for cloudcomputing, based on the identity-based hierarchicalmodel for cloud computing (IBHMCC) andcorresponding encryption and signature schemesBeing certificate-free, the authentication protocolaligned well with demands of cloud computing
    159. 159. Identity-Based Hierarchical Model for CloudComputing (IBHMCC)Define the identity of node isthe DN string from the rootnode to the current node itself.The identity of entity N isID_N = DN_0 || DN_M || DN_N
    160. 160. Deployment of IBHMCCRoot PKG setup and Low-level setup
    161. 161. Deployment of IBHMCC (cont.)After that, all nodes in the level-1 get and securely keep their secret keys andthe secret points.The public key and the Q-value are publicized.Then, Each node in the level-1 similarly repeats the above steps (2-5).
    162. 162. Identity-Based Encryption
    163. 163. Identity-Based Encryption (cont.)
    164. 164. Identity-Based Signature
    165. 165. Identity-Based Authentication for CloudComputing•Extends from TLS to handlethe IBE and IBS schemes
    166. 166. A Simple Technique for SecuringDataat Rest Stored in a ComputingCloudJeff Sedayao, Steven Su, Xiaohao Ma, MinghaoJiang, and Kai MiaoCloudCom ’09
    167. 167. What did they do?Simple technique implemented with Open Sourcesoftware solves the confidentiality of data stored onCloud Computing Infrastructure by using public keyencryption to render stored data at rest unreadableby unauthorized personnel, including systemadministrators of the cloud computing service onwhich the data is storedValidated their approach on a network measurementsystem implemented on PlanetLabUsed it on a service where confidentiality is critical –a scanning application that validates external firewallimplementations
    168. 168. Problem ScopeGoal is to ensure the confidentiality of data at rest“Data at rest” means that the data that is stored in areadable form on a Cloud Computing service, whetherin a storage product like S3 or in a virtual machineinstance as in EC2
    169. 169. Problem Scope (cont.)To protect data at rest, they want to prevent otherusers in the cloud infrastructure who might haveaccess to the same storage from reading the dataour process has storedThey also want to prevent system administrators whorun the cloud computing service from reading thedata.They assume that it is unlikely for an adversary tosnoop on the contents of memory.If the adversary had that capability, it is unlikelythat we could trust the confidentiality of any ofthe data that we generated there.
    170. 170. Problem Scope (cont.)While the administrative staff of the cloudcomputing service could theoretically monitor thedata moving in memory before it is stored in disk, webelieve that administrative and legal controls shouldprevent this from happening.They also do not guard against the modification ofthe data at rest, although we are likely to be able todetect this.
    171. 171. Solution Design
    172. 172. Solution Design (cont.)On a trusted host, collect the encrypted data, asshown in Figure 3, and decrypt it with the collectionagent’s private key which stays on that host. Notethat in this case, we are in exclusive control of theprivate key, which the cloud service provider has noview or control over.They will discuss this feature of our solution later.
    173. 173. Implementation Experiences
    174. 174. Implementation Experiences (cont.)
    175. 175. Privacy in a Semantic Cloud:What’s Trust Got to Do with It?Åsmund Ahlmann Nyre and Martin Gilje JaatunCloudCom’09
    176. 176. What did they do?• A brief survey on recent work on privacy and trustfor the semantic web, and sketch a middlewaresolution for privacy protection that leveragesprobabilistic methods for automated trust andprivacy management for the semantic web
    177. 177. Trust Management• Definition of trust• The willingness of a party to be vulnerable to theactions of another party based on the expectationthat the other will perform a particular actionimportant to the trustor, irrespective of theability to monitor and control that other party.
    178. 178. Trust Management (cont.)• Trust Models• Mayer, R., Davis, J., Schoorman, F.: An integrativemodel of organizational trust. Academy ofManagement Review• The main factors of trustworthiness were identified asability, benevolence and integrity.• On the trustor’s part, disposition to trust and perceivedrisk were identified as the most influential factors withregards to trust.• Furthermore, the outcome of a trust relation(experience) is assumed to influence one or more of thetrustworthiness factors and hence the trustworthinessof the trustee.
    179. 179. Trust Management (cont.)• Trust Models• The complexity of several proposed models doesnot necessarily give better trust assessments• Conrad, M., French, T., Huang, W., Maple, C.: Alightweight model of trust propagation in a multi-client network environment: to what extent doesexperience matter?• Proposed a lightweight model for trust propagation. Theparameters self confidence, experience, hearsay andprejudice are used to model and assess trust. Thiscomputational model also allows agents to compute a trustvalue to automatically perform trust decisions.
    180. 180. Trust Management (cont.)• Trust Models• Gil, Y., Artz, D.: Towards content trust of webresources• The idea is to arrive at content trust, where theinformation itself is used for trust calculation.• This allows for a whole new range of parameters (such asbias, criticality, appearance, etc.) to be used whenassessing trust in resources.• The problem of such parameters is that they require userinput, which conflicts with the assumption of agentsconducting the assessment autonomously.
    181. 181. Trust Management (cont.)• Trust Propagation• Golbeck, J., Hendler, J.: Accuracy of metrics forinferring trust and reputation in semantic web-based social networks• Inferring trust and reputation in social networks whenentities are not connected directly by a trustrelationship.• Done by computing the weighted distance from thesource to the sink.• Any distrusted entity is not included in the computationsince the trust assessments done by such entities areworthless.
    182. 182. Trust Management (cont.)• Trust Propagation• Guha, R., Kumar, R., Raghavan, P., Tomkins, A.:Propagation of trust and distrust• Introduce the notion of distrust to address the problemof expressing explicit distrust as a contrast to theabsence of trust.• Absence of trust may come from lack of information toconduct a proper trust assessment, while distrustexpresses that a proper assessment have been conductedand that the entity should not be trusted.• Furthermore, they argue that distrust could also bepropagated and proposes several propagation models inaddition to trust transitivity, including co-citation, whichis extensively used for web searches.
    183. 183. Trust Management (cont.)• Trust Propagation• Huang, J., Fox, M.S.: An ontology of trust: formalsemantics and transitivity• claim that not all kinds of trust can be assumed to betransitive.• They note that trust based on performance, i.e. an entityperforming as expected repeatedly, is not necessarilytransitive, while trust based on a belief that the entitywill perform as expected often is.
    184. 184. Probabilistic Privacy Policy Enforcement• A probabilistic approach to policy enforcement,where users are given a probability that theirrequirements will be respected and polices enforced.• Thus when interacting with websites who are knownto be less trustworthy, policy adherence is given by aprobability metric that the website will actuallyenforce its own policies.• This enforcement model does not include a privacy ortrust model• i.e. it is only occupied with how to handle uncertainty inenforcement and provide a tool for interacting with non-conforming entities while minimising the risks involved.
    185. 185. Probabilistic Privacy Policy Enforcement (cont.)
    186. 186. Probabilistic Privacy Policy Enforcement (cont.)• Personal Data Recorder (PDR)• Protecting users from this kind of aggregationrequires complete control of what information hasbeen distributed and to whom.• Records what data is transmitted to whichreceivers.• Example: Consider the situation where a user wanting tostay unidentified has provided his postal code andanonymous e-mail address to a website. Later he alsoprovides age and given name (not the full name) and theanonymous e-mail address. Now, the website is able tocombine the data (postal code, age and given name) toidentify the anonymous user• The second interaction with the website should havebeen blocked, since it enables the website to revealthe user’s identity. The PDR allows the user to view
    187. 187. Probabilistic Privacy Policy Enforcement (cont.)• Personal Data Monitor (PDM)• Computing and assessing policies and behaviour,and to update the personal data recorder withinferred knowledge.• Determine the likelihood that the personalinformation distributed to the receiver will alsoreach other.• Example: sending an e-mail with a business proposition toa specific employee of a company, it is likely that otheremployees in that company also will receive the e-mail(e.g. his superior).• PDM is responsible for inferring other recipients and toinclude such information in the Personal InformationBase.• Hence, any interaction later on should consider this
    188. 188. Probabilistic Privacy Policy Enforcement (cont.)• Trust Assessment Engine (TAE)• Calculating trust values of different entities inorder to determine their trustworthiness.• The TAE is focused solely on assessingcommunicating parties and does not take intoaccount risk willingness, vulnerability andcriticality.
    189. 189. Probabilistic Privacy Policy Enforcement (cont.)• Trust Monitor (TM)• Detecting events that might affect the perceivedtrustworthiness and the willingness to take risks.• Calculating and deciding on what is an acceptabletrust level, given the circumstances.• Any computed trust value and feedback receivedfrom cooperating entities is stored in the trustassessment repository
    190. 190. Probabilistic Privacy Policy Enforcement (cont.)• Policy Decision Point (PDP)• The final decision on whether to engage ininformation exchange and if so; under whatconditions.• Collects the views of both the TM and the PDMand compares their calculations to the policies andrequirements found in the policy repository.• The decision is reported back to the TM and PDMto allow recalculation in case the decision altersthe calculated trust values or distribution ofpersonal information
    191. 191. Towards an Approach of SemanticAccess Control for Cloud ComputingLuokai Hu, Shi Ying, Xiangyang Jia, and Kai ZhaoCloudCom’09
    192. 192. What did they do?• Analysis existing access control methods and presenta new Semantic Access Control Policy Language(SACPL) for describing Access Control Policies (ACPs)in cloud computing environment.• Access Control Oriented Ontology System (ACOOS)is designed as the semantic basis of SACPL.• Ontology-based SACPL language can effectively solvethe interoperability issue of distributed ACPs.
    193. 193. Access Control Oriented Ontology System (ACOOS)• Provide the common understandable semantic basisfor access control in cloud computing environments.• Divided into four parts, Subject Ontology, ObjectOntology, Action Ontology and Attribute Ontology• Web Ontology Language (OWL) is selected as themodeling language of ACOOS.• Ontology is helpful to construct authorizationpolicy within the scope of whole cloud computingenvironment based on policy definition elementswith determined semantics.
    194. 194. Access Control Oriented Ontology System (ACOOS)• Subject Ontology• Subject is the entity that has a number of actionpermissions over object.• e.g., a user, a user group, an organization, a role, aprocess, a service• Attribute of a subject is described by the dataproperty• The role in subject ontology represents thecapability of a subject to implement a task.• Access permission of resources can beencapsulated in the role.• If a subject is assigned to a role, it can access theresources indirectly.
    195. 195. Access Control Oriented Ontology System (ACOOS)• Object Ontology• Object is the entity as receptor of action and isneed for protection.• e.g., data, documents, services and other resources.• Attribute of an object is described by the dataproperty and object property of OWL withhasObjectDataAttribute and hasObjectAttributerespectively.• Object group can also be used to define the ruleto organize objects.• Each object group in fact establishes a new objectconcept, all object individuals of the object concept haveobject attribute values of the object group.
    196. 196. Access Control Oriented Ontology System (ACOOS)• Action Ontology• With the cloud computing technology, usually alarge number of subjects and objects but only arelatively small number of actions could be found• e.g., such as reading, writing and execution• Action also has properties, known as theActionAttribute, which describes variousinformation of action for authorization andmanagement.• Action group can be defined with helpful for thedefinition of rules.• The definition of action group, nearly the same with theobject group, will not repeat it again.
    197. 197. Access Control Oriented Ontology System (ACOOS)• Attribute Ontology• Attribute types are defined in the attributeontology, can be used to define the attribute ofalmost all entities, including the subject, objectand action.• The attribute value of entities is often needed todetermine whether meet the Permit conditions orDeny ones.
    198. 198. Semantic Access Control Policy Language (SACPL)• Policy markup language, such as XACML, supportsdescription and management of distributed policies.• The ACP of an object (resource) may be completed bya number of departments even organizations, such asinformation systems department, human resourcesand financial department.• The same ACP may be applied to the internal networkprotection, e-mail system, remote access systems, ora cloud computing platform.• As a result, in cloud computing environment, the issueof interoperability among policies is more importantthan ever before.
    199. 199. References1. NIST (Authors: P. Mell and T. Grance), "The NIST Definition of Cloud Computing (ver. 15)," National Institute of Standardsand Technology, Information Technology Laboratory (October 7 2009).2. J. McDermott, (2009) "Security Requirements for Virtualization in Cloud Computing," presented at the ACSAC CloudSecurity Workshop, Honolulu, Hawaii, USA, 2009.3. J. Camp. (2001), “Trust and Risk in Internet Commerce,” MIT Press4. T. Ristenpart et al. (2009) “Hey You Get Off My Cloud,” Proceedings of the 16th ACM conference on Computer andcommunications security, Chicago, Illinois, USA5. Security and Privacy in Cloud Computing, Dept. of CS at Johns Hopkins Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance by Tim Mather and Subra Kumaraswamy7. Afraid of outside cloud attacks? Youre missing the real threat. Amazon downplays report highlighting vulnerabilities in its cloud service. Targeted Attacks Possible in the Cloud, Researchers Warn. Vulnerability Seen in Amazons Cloud-Computing by David Talbot. Cloud Computing Security Considerations by Roger Halbheer and Doug Cavit. January 2010. Security in Cloud Computing Overview. Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds by T. Ristenpart, E.Tromer, H. Shacham and Stefan Savage. CCS’0914. Cloud Computing Security. Update From Amazon Regarding Friday’s S3 Downtime by Allen Stern. Feb. 16, 2008. R. Ranchal, B. Bhargava, L.B. Othmane, L. Lilien, A. Kim, M. Kang, “Protection of Identity Information in Cloud Computingwithout Trusted Third Party,“ Third International Workshop on Dependable Network Computing and Mobile Systems(DNCMS) in conjunction with 29th IEEE Symposium on Reliable Distributed System (SRDS) 201017. P. Angin, B. Bhargava, R. Ranchal, N. Singh, L. Lilien, L.B. Othmane, “A User-Centric Approach for Privacy and IdentityManagement in Cloud Computing,” 29th IEEE Symposium on Reliable Distributed System (SRDS) 201018. H. Khandelwal, et al., "Cloud Monitoring Framework,” Purdue University. Dec 2010.
    200. 200. Other References for Cloud Security• M. Armbrust, et al., "Above the Clouds: A Berkeley View of Cloud Computing," UC BerkeleyReliable Adaptive Distributed Systems LaboratoryFebruary 10 2009.• Cloud Security Alliance, "Security Guidance for Critical Areas of Focus in Cloud Computing,ver. 2.1," 2009.• M. Jensen, et al., "On Technical Security Issues in Cloud Computing," presented at the 2009IEEE International Conference on Cloud Computing, Bangalore, India 2009.• P. Mell and T. Grance, "Effectively and Securely Using the Cloud Computing Paradigm," ed:National Institute of Standards and Technology, Information Technology Laboratory, 2009.• N. Santos, et al., "Towards Trusted Cloud Computing," in Usenix 09 Hot Cloud Workshop,San Diego, CA, 2009.• R. G. Lennon, et al., "Best practices in cloud computing: designing for the cloud," presentedat the Proceeding of the 24th ACM SIGPLAN conference companion on Object orientedprogramming systems languages and applications, Orlando, Florida, USA, 2009.• P. Mell and T. Grance, "The NIST Definition of Cloud Computing (ver. 15)," NationalInstitute of Standards and Technology, Information Technology LaboratoryOctober 72009.• C. Cachin, et al., "Trusting the cloud," SIGACT News, vol. 40, pp. 81-86, 2009.• J. Heiser and M. Nicolett, "Assessing the Security Risks of Cloud Computing," Gartner2008.• A. Joch. (2009, June 18) Cloud Computing: Is It Secure Enough? Federal Computer Week.• AWS Amazon EC2:• Amazon CloudWatch:• Iperf:
    201. 201. Cloud Blind References• L. Ran, A. Helal, and S. Moore, “Drishti: An Integrated Indoor/Outdoor Blind Navigation Systemand Service,” 2nd IEEE Pervasive Computing Conference (PerCom 04).• S.Willis, and A. Helal, “RFID Information Grid and Wearable Computing Solution to the Problemof Wayfinding for the Blind User in a Campus Environment,” IEEE International Symposium onWearable Computers (ISWC 05).• Y. Sonnenblick. “An Indoor Navigation System for Blind Individuals,” Proceedings of the 13thAnnual Conference on Technology and Persons with Disabilities, 1998.• J. Wilson, B. N. Walker, J. Lindsay, C. Cambias, F. Dellaert. “SWAN: System for Wearable AudioNavigation,” 11th IEEE International Symposium on Wearable Computers, 2007.• J. Nicholson, V. Kulyukin, D. Coster, “ShopTalk: Independent Blind Shopping Through VerbalRoute Directions and Barcode Scans,” The Open Rehabilitation Journal, vol. 2, 2009, pp. 11-23.• Bach-y-Rita, P., M.E. Tyler and K.A. Kaczmarek. “Seeing with the Brain,” International Journal ofHuman-Computer Interaction, vol 15, issue 2, 2003, pp 285-295.• Y.K. Kim, K.W. Kim, and X.Yang, “Real Time Traffic Light Recognition System for Color VisionDeficiencies,” IEEE International Conference on Mechatronics and Automation (ICMA 07).• R. Charette, and F. Nashashibi, “Real Time Visual Traffic Lights Recognition Based on Spot LightDetection and Adaptive Traffic Lights Templates,” World Congress and Exhibition on IntelligentTransport Systems and Services (ITS 09).• A.Ess, B. Leibe, K. Schindler, and L. van Gool, “Moving Obstacle Detection in Highly DynamicScenes,” IEEE International Conference on Robotics and Automation (ICRA 09).• P. Angin, B. Bhargava, R. Ranchal, N. Singh, L. Lilien, L. B. Othmane, “A User-centric Approachfor Privacy and Identity Management in Cloud Computing,” submitted to SRDS 2010.