Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC)

SAJACC description from NIST

Published in: Technology, Business
Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC)

  1. 1. Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC) Lee Badger Tim Grance May. 20, 2010 Information Technology Laboratory NIST Computer Security Division cloudcomputing@nist.gov National Institute of Standards and Technology
  2. 2. Outline
       1 Brief review of clouds, and introduction to SAJACC. (15 minutes)
       2 Security issues in the cloud. (15 minutes)
       3 Preliminary Cloud Computing Use Cases. (20 minutes)
       4 Questions! (10 minutes)
       (callout: more feedback?)
       Note: Any mention of a vendor or product is NOT an endorsement or recommendation.
  3. 3. 1 Brief review of clouds, and introduction to SAJACC
  4. 4. NIST Working Cloud Definition (1 of 3): 5 Key Characteristics
       1 On-demand self service: renting takes minutes
       2 Ubiquitous network access: anywhere / any device
       3 Metered use: conserve resources (graphic: off, off, on)
       4 Elasticity: rent it in any quantity
       5 Resource pooling: reduces cost
  5. 5. NIST Working Cloud Definition (1 of 3): 5 Key Characteristics
       1 On-demand self service: renting takes minutes
       2 Ubiquitous network access: anywhere / any device
       3 Metered use: conserve resources (graphic: off, off, on)
       4 Elasticity: rent it in any quantity
       5 Resource pooling: reduces cost
       (callout: where is my workload?)
  6. 6. NIST Working Cloud Definition (2 of 3): 3 Deployment Models
       [Figure: for each model, the layers of the stack with the Cloud Provider's and the Cloud Customer's level of control over each layer. Control labels: Total control, Admin control, Limited Admin control, Limited programmability, No control.]
       1 Software as a Service (SaaS): Application (e.g., mail), Middleware (e.g., .Net), Operating System, Hardware
       2 Platform as a Service (PaaS): Application, Middleware, Operating System, Hardware
       3 Infrastructure as a Service (IaaS): Application, Middleware, Operating System, Hypervisor, Hardware
  7. 7. NIST Working Cloud Definition (3 of 3): 4 Delivery Models
       [Figure labels: Cloud Provider Infrastructure, Cloud Customer Data Center, management]
       1 Private
       2 Community
       3 Public
       4 Hybrid
  8. 8. A Quick Trip Through the (simplified) API
       Setting up: aws.amazon.com: create account, set password, email confirmation; PEM-encoded RSA private key; TLS X.509 cert
       Steady state (simplified): RegisterImage, DeregisterImage; Configure storage; Manage keypairs (CreateKeyPair; use to talk with new VMs); Configure IP addresses (routable); Manage Instances: run, reboot, terminate, query
       Every operation digitally signed.
       Every key pair public key stored in the cloud infrastructure.
       Credit: [8], aws.amazon.com [1]
  9. 9. Important Cloud Computing Requirements
       •  interoperability: clouds work together
       •  portability: workloads can move around
       •  security: customer workloads protected (to the extent possible)
       •  Well-formulated standards could help, but…
  10. 10. Standards Creation is Time Consuming
       •  Critical features (interoperability, portability) require high quality, mature standards.
       •  But standards development is a consensus-oriented process: often years to complete.
       •  Even longer for international standards.
  11. 11. Shorter Term Standards Effort
       •  Until standards mature:
       •  What is needed is a process to test important cloud system requirements. NIST will provide that.
       [Figure labels: Portable, Interoperable, Secure (as possible); SAJACC: Standards Acceleration Jumpstarting Adoption of Cloud Computing]
  12. 12. SAJACC Communication Strategy
       [Figure: NIST will deploy and populate the NIST Cloud Standards Portal (Use Cases, Validated Specifications, Reference Implementations). Other labels: Standards Development Organizations, specifications, standards, Community Outreach.]
       •  Populate a web portal that distributes cloud specifications and reference implementations that:
          –  Are known to work for critical use cases (e.g., interoperability, portability, bulk data transfer).
          –  Can be easily used by cloud service providers and consumers.
          –  Provide a basis for innovation, i.e., are extensible.
       •  Enables future innovation.
  13. 13. Populating the Portal
       [Figure: NIST Cloud Standards Portal (Use Cases, Validated Specifications, Reference Implementations)]
       Three complementary activities, all performed in collaboration with other agencies and standards development organizations:
       (1) NIST inserts existing standards and de-facto interfaces as specifications.
          –  NIST identifies and validates specifications using use cases.
       (2) Organizations contribute open specifications.
          –  NIST receives and coordinates the prioritization of specifications, and validates using use cases.
       (3) NIST identifies gaps in cloud standards (and specifications) and publishes the gaps on the portal: produces opportunity for outside organizations to fill them.
  14. 14. (1) NIST Inserts Existing Standards and De-facto Interfaces
       [Figure: 1 Initial Use Cases (provided by Gov.); 2 Legacy specifications (identified by Gov.); 3 Generate test cases (Spec 1, Spec 2, … Spec n to Test 1, Test 2, … Test n) from Proposed Specifications and Reference Implementations; 4 Government-run Validation Exercises; Success? yes: into the NIST Cloud Standards Portal (Use Cases, Validated Specifications, Reference Implementations)]
       •  specifications, use cases: provide insight on how clouds can work
       •  reference implementations: enable validation exercises
       •  continuously growing portal: new content added over time
       •  publicly available: anyone can access
  15. 15. (2) Organizations Contribute Open Specifications
       [Figure: 1 Initial Use Cases (provided by Gov.); 2 Legacy specifications (identified by Gov.); 3 Organization-submitted specifications (Spec 1, Spec 2, … Spec n; Test 1, Test 2, … Test n) as Proposed Specifications and Reference Implementations; 4 Government-run Validation Exercises; Success? yes: into the NIST Cloud Standards Portal (Use Cases, Validated Specifications, Reference Implementations)]
       •  continuously growing portal: new content added over time
       •  publicly available: anyone can access or submit
  16. 16. 2 Security issues in the cloud.
  17. 17. Security is a Major Issue [3]
  18. 18. What is Security?
       •  Traditionally, approximately:
          –  confidentiality: your data not leaked
          –  integrity: your data or system not corrupted
          –  availability: your system keeps running
       •  What does this mean in the cloud?
          –  without user physical control
       •  Some issues
          –  with dynamically changing infrastructure
          –  secure access to the cloud
          –  protecting different users from one another
  19. 19. Analyzing Cloud Security
       •  Some key issues:
          –  trust, multi-tenancy, encryption, compliance
       •  Clouds are massively complex systems that can be reduced to simple primitives that are replicated thousands of times and common functional units
       •  Cloud security is a tractable problem
          –  There are both advantages and challenges
       Former Intel CEO, Andy Grove: “only the paranoid survive”
  20. 20. General Security Advantages
       •  Shifting public data to an external cloud reduces the exposure of the internal sensitive data
       •  Cloud homogeneity makes security auditing/testing simpler
       •  Clouds enable automated security management
       •  Redundancy / Disaster Recovery
  21. 21. General Security Challenges
       •  Trusting vendor’s security model
       •  Customer inability to respond to audit findings
       •  Obtaining support for investigations
       •  Indirect administrator accountability
       •  Proprietary implementations can’t be examined
       •  Loss of physical control
  22. 22. Data Storage Services
       •  Advantages
          –  Data fragmentation and dispersal
          –  Automated replication
          –  Provision of data zones (e.g., by country)
          –  Encryption at rest and in transit
          –  Automated data retention
       •  Challenges
          –  Isolation management / data multi-tenancy
          –  Storage controller
             •  Single point of failure / compromise?
          –  Exposure of data
  23. 23. Cloud Processing Infrastructure
       •  Advantages
          –  Ability to secure masters and push out secure images
       •  Challenges
          –  Application multi-tenancy
          –  Reliance on hypervisors
          –  Process isolation / Application sandboxes
  24. 24. Additional Issues
       •  Issues with moving sensitive data to the cloud
          –  Privacy impact assessments
       •  Risk assessment
          –  Contingency planning and disaster recovery for cloud implementations
          –  Using SLAs to obtain cloud security
       •  Suggested requirements for cloud SLAs
       •  Issues with cloud forensics
       •  Handling compliance
          –  FISMA
          –  HIPAA
          –  SOX
          –  PCI
          –  SAS 70 Audits
  25. 25. Putting it Together
       •  Most clouds will require very strong security controls
       •  All models of cloud may be used for differing tradeoffs between threat exposure and efficiency
       •  There is no one “cloud”. There are many models and architectures.
       •  How does one choose?
  26. 26. 3 Use Cases to drive portability, interoperability, security in clouds
  27. 27. Use Cases
       Use Case: a description of how groups of users and their resources may interact with one or more systems to achieve specific goals.
       [Figure: Goal; abstract use case, add concrete details, case study; alternative step sequences: Step 1, Step 2, ... OR Step a, Step b, … OR Step I, Step j, …]
  28. 28. Use Cases
       Use Case: a description of how groups of users and their resources may interact with one or more cloud computing systems to achieve specific goals.
       [Figure: Goal; abstract use case, add concrete details, case study; alternative step sequences: Step 1, Step 2, ... OR Step a, Step b, … OR Step I, Step j, …]
       Example: Parent $ Bank $ Student
  29. 29. Preliminary Use Case Taxonomy for a Public Cloud (focus on IaaS)
       Spanning all categories: Portability, Interoperability, Security
       File/Object System Like: sharing access; access by name; access by pattern; strong erase; cloud drive [7] (synchronization)
       Job Control & Programming: alloc/start/stop… [1]; queueing [1]; horizontal scaling of data/processing; services
       Cloud-2-Cloud: inter-cloud data transfer; multi-hop data transfer; storage peering [7]; backup between clouds [7]; cloud broker [4]; cloud burst; VM migration; dynamic dispatch [5]; fault-tolerant group
       Admin: SLA comparison; info discovery [7]; user Acct mgmt; compliance [4]; special security [4]
       Data Management: transfer data in; transfer data out; backup to cloud [7]; restore from cloud [7]; archive/preservation to cloud [7]
       Note: these use cases are preliminary.
       Credits: SNIA [7], aws.amazon.com [1], DMTF [4], libcloud [5]
  30. 30. File/Object System Like
       Sharing access: [Figure: Customer, Provider, other Customers / Users; grant-cmd (1), data (2)]
       Access by name: [Figure: Customer sends read /foo/bar to Provider, receives data] Compatible modes: read, write, append, truncate, chown, chmod, chgrp, …
       Access by pattern: [Figure: Customer sends query “pattern” to Provider, receives matching records] Specifying patterns, records. Access control?
       Strong erase: [Figure: Customer sends erase-cmd to Provider, receives “ok!”] Getting confidence? Zero out, multi-pass? DoD 5220-22?
       Cloud Drive: [Figure: Customer, Provider] Looks like a local disk. Synchronization? like NFS, AFS. Security defaults?
       credit: SNIA [7]
  31. 31. Job Control and Programming
       Alloc/start/stop: allocate, deallocate; Configure External Resources; Configure Internal resources; Manage Instances: run, restart, terminate…; compatibility, portability… credit: aws.amazon.com [1]
       Queue services (thread synchronization in the large): upstream workers ... downstream workers; compatibility, portability… credit: aws.amazon.com [1]
       Services: like ordinary hosting, but with more scale, less location awareness. [Figure label: “services”]
  32. 32. Cloud-2-Cloud
       Inter-cloud data transfer: [Figure: Customer sends requests to Provider 1 and Provider 2. Network Scenario: Data Object. Physical Scenario: Physical Data Container.]
       some issues: protection of data in transit; verification of data received; coherent naming; compatible crypto; compatible access control; metadata, ownership
       Multi-hop inter-cloud data transfer: [Figure: Customer sends requests to Provider 1 and Provider 2. Network Scenario: Data Object. Physical Scenario: Physical Data Container.]
       same issues, and in addition: after round trip, data is still as useful
  33. 33. Cloud-2-Cloud (2)
       Storage peering: [Figure: Customer; Provider 1 (some client data), Provider 2 (other client data); common policies] need common policies for naming of data objects, access control, snapshot/cloning, etc. credit: SNIA [7]
       Backup/restore between clouds: [Figure: Customer; Provider 1 (client working data), Provider 2 (backup data); backup, restore] common archival format, procedures, data protection in transit, verification, key management, … (an example of multi-hop) credit: SNIA [7]
       Cloud broker: [Figure: Customer; broker (no resources); Provider 1 (resources), Provider 2 (resources)] broker could provide a simple or stable interface to customers, even when providers change or have diverse APIs. credit: DMTF [4]
  34. 34. Cloud-2-Cloud (3)
       Cloud Burst: [Figure, steps 1 to 3: Customer Datacenter (vm1, vm2, ... vmN) and Provider; the Provider runs vmN+1, vmN+2, vmN+M] need common policies for naming of data objects, access control, snapshot/cloning, etc.
       VM migration (suspend-resume or live): [Figure: Customer; Provider 1 (vm1, vm2, ... vmN), Provider 2 (vm2, ... vmN)] dynamic config of networks, VM formats (e.g., OVF [6]), hypervisor diversity…
  35. 35. Cloud-2-Cloud (4)
       Dynamic dispatch: wrappers for clouds (e.g., libCloud) [Figure: Customer uses a cloud API access library that dispatches to API 1, API 2, … API N] credit: libCloud [5]
       Fault-tolerant group: standardized fault tolerance protocols, QOS requirements, etc. [Figure: Customer; labels: transactions, replication, concurrency control, nesting, ACID properties, byzantine?, other…]
  36. 36. Admin
       SLA comparison: [Figure: Customer ? SLA 1, SLA 2, SLA 3] An SLA Template?
          Cloud Provider Promises: availability; remedies for failure to perform; data preservation; legal care of customer info
          Limitations: scheduled outages; force majeure events; changes to the SLA; security; service API changes
          User Promises: acceptable use policies; provided software; on-time payment
          ... perhaps as a prelude to more detailed terms that extend but do not contradict?
       Info Discovery: A search service that retrieves documents subpoenaed for court. who gets notified? who bears costs? timeliness? credit: SNIA [7]
       User Acct Mgmt: A cloud customer may have his/her own customers, and a provider sometimes provides SaaS-style customer management services. How to prevent “jar’ing” of customer-customers when providers change?
  37. 37. Admin (2)
       Compliance: Providers sometimes assert compliance with (HIPAA, PCI, Sarbanes-Oxley, FISMA) requirements. how can customers tell? credit: DMTF [4]
       Special Security: E.g., a “mono-tenancy” requirement for a customer’s workloads. how can customers specify and tell? credit: DMTF [4]
  38. 38. Data Management
       [Figure: Customer and Provider. Network Scenario: Data Object. Physical Scenario: Physical Data Container.]
       •  transfer data in
       •  transfer data out
       •  backup to cloud
       •  restore from cloud
       •  archive/preservation to cloud
       protection in transit; verification of correct data received; correct naming; initialization of access rules; …
  39. 39. References
       [1] Amazon Web Services, aws.amazon.com.
       [2] “Eucalyptus: A Technical Report on an Elastic Utility Computing Architecture Linking Your Programs to Useful Systems”, UCSB Computer Science Technical Report Number 2008-10.
       [3] IDC Enterprise Panel, August 2008, n=244.
       [4] “Interoperable Clouds, A White Paper from the Open Cloud Standards Incubator”, Distributed Management Task Force, Version 1.0, DMTF Informational, Nov. 11, 2009, DSP-IS0101.
       [5] libcloud, http://incubator.apache.org/libcloud/
       [6] “Open Virtualization Format Specification”, DMTF Document Number DSP0243, Version 1.0, Feb. 22, 2009.
       [7] “Cloud Storage Use Cases”, Storage Network Industry Association, Version 0.5 rev 0, June 8, 2009.
       [8] “Starting Amazon EC2 with Mac OS X”, Robert Sosinski, http://www.robertsosinski.com/2008/01/26/starting-amazon-ec2-with-mac-os-x/
       [9] “The Eucalyptus Open-source Cloud-computing System”, D. Nurmi, R. Wolski, C. Grzegorczyk, G. Obertelli, S. Soman, L. Youseff, D. Zagorodnov, in Proceedings of Cloud Computing and Its Applications, Oct. 2008.
       [10] “Ubuntu Enterprise Cloud Architecture”, S. Wardley, E. Goyer and N. Barcet, Technical White Paper, 2009, www.canonical.com
  40. 40. Questions?