
Protecting information in the cloud. Encryption technologies


Isaac Agudo. Associate professor. University of Málaga. Network, Information and Computer Security Lab.

Summer Course "Disruptive innovation in security technologies". Vicálvaro Campus of the URJC.



  1. Protecting your data in the Cloud. Isaac Agudo - isaac@lcc.uma.es. Network, Information and Computer Security Lab, www.nics.uma.es, University of Malaga (Spain). URJC 2014
  2. Outline
     - Introduction to Cloud Computing
     - Security Challenges in Cloud Computing
     - Security in Virtualized Environments
     - Cryptography in the Cloud
     - Identity Management in the Cloud
  3. Introduction to Cloud Computing
  4. The NIST Definition of Cloud Computing
     - Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (for example, networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
     - This cloud model is composed of five essential characteristics, three service models and four deployment models.
     Source: The NIST Definition of Cloud Computing (Special Publication 800-145)
  5. Cloud Computing Service and Deployment Models (figure only)
  6. Cloud Computing Actors
     - Cloud Provider: company or organization that owns the IT infrastructure and offers services using the cloud model.
     - Customer: individual, organization or company that hires services from a cloud provider. Customers run their applications in the cloud and pay the provider for it.
     - Users: individual or set of individuals that access the applications running in the cloud.
     (Figure: Cloud Provider, Internet, Customer, Users)
  7. Security Challenges in Cloud Computing
  8. Security in Cloud Computing (figure only)
  9. Cloud Computing Top Threats in 2013
     - The Notorious Nine: Cloud Computing Top Threats in 2013. https://cloudsecurityalliance.org/download/the-notorious-nine-cloud-computing-top-threats-in-2013/
     - Revises Top Threats to Cloud Computing V1.0 (2010). https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
     - Responses to the survey by companies from the USA (50%), India (8.6%), UK (5.5%), Canada (4.1%) and other countries (31.8%): 53% cloud consumers, 30% cloud providers.
  10. The Notorious Nine by CSA (bar chart with scores between 76 and 92; categories shown: Shared Technology Vulnerabilities, Insufficient Due Diligence, Abuse of Cloud Services, Malicious Insiders, Denial of Service, Insecure Interfaces & APIs, Account/Service & Traffic Hijacking, Data Loss, Data Breaches)
  11. #1 Top Threat: Data Breaches
     - There is a risk that sensitive internal data falls into the hands of competitors.
     - The cloud provider is in charge of enforcing access control policies for their customers' data.
     - Cloud providers implement redundancy and replicate data in order to provide better service and avoid data loss, but this exposes customers' data even more.
     - Multitenant clouds might be vulnerable to side-channel attacks.
     Source: Chris Brenton, The Basics of Virtualization Security, https://cloudsecurityalliance.org/wp-content/uploads/2011/11/virtualization-security.pdf
  12. #3 Top Threat: Account/Service Traffic Hijacking
     - Account or service hijacking is not new. Attack methods such as phishing, fraud, and exploitation of software vulnerabilities still achieve results. Credentials and passwords are often reused, which amplifies the impact of such attacks.
     - In April 2010, Amazon experienced a Cross-Site Scripting (XSS) bug that allowed attackers to hijack credentials from the site. In 2009, numerous Amazon systems were hijacked to run Zeus botnet nodes.
     - It is critical to leverage strong authentication techniques where possible, e.g. two-factor authentication.
  13. #6 Top Threat: Malicious Insiders
     - The risk of malicious insiders is perceptibly higher, as customers are not aware of which employees of the cloud provider have access to their data.
     - A malicious insider, such as a system administrator, in an improperly designed cloud scenario can have access to potentially sensitive information.
     - From IaaS to PaaS and SaaS, the malicious insider has increasing levels of access to more critical systems, and eventually to data.
     - Systems that depend solely on the cloud service provider (CSP) for security are more vulnerable. Relying on server-side encryption does not solve the problem, it only reduces it.
  14. #7 Top Threat: Abuse of Cloud Services
     - Cloud computing advantages and opportunities are also attracting hackers.
     - The easy registration process and the relative anonymity can in some way allow spammers, malicious code authors and other criminals to conduct their activities with relative impunity.
     - The cloud makes their attacks simpler and cheaper: password and key cracking, DDoS, dynamic attack points, hosting malicious data and code, botnet command and control, building rainbow tables, CAPTCHA solving farms, etc.
  15. Some attacks on IaaS
     - People run tampered images
     - Easy and instant access to many machines
     - Auto-scaling: DoS attacks paid by the customer
     - Side-channel attacks (cloud cartography)
     - Attacks based on lack of entropy for random numbers
     - Bugs in virtualization software
     - ...
     Source: Matthias Jung, elastic-security.com, http://www.slideshare.net/CloudCampFRA/matthias-jung-cloud-security-new-problem-or-new-context
  16. Tampered Images
     - Demonstrated method to get prime placement in the AWS list of available AMIs, as a way to get users to run an untrustworthy AMI.
     - Malicious virtual machine images: SSH authorized keys; rootkits; trojaned binaries (e.g., sshd); open sockets (e.g., reverse shell / connect back); trojaned custom Xen kernel.
     Source: "Cloud Computing Models and Vulnerabilities: Raining on the Trendy New Parade", Alex Stamos, Andrew Becherer, Nathan Wilcox, Black Hat USA 2009 / DEF CON 17. http://www.sensepost.com/blog/3797.html
  17. AMI-Exposed
     - Presence of SSH authorized_keys: potential backdoor
     - Presence of SSH identity keys: can be used to gain illicit access to other hosts
     - Presence of AWS X.509 certificate (.pem) files: can be used to tamper with the publisher's EC2 account
     - Active connections to other hosts: potential backdoors
     - SSH password authentication enabled: potential backdoor via default passwords; potential exposure via weak passwords
     Sources: DEF CON 19, "Get Off of My Cloud: Cloud Credential Compromise and Exposure", http://wn.com/defcon_19_get_off_of_my_cloud_cloud_credential_compromise_and_exposure; AMI Exposed - A framework for security scanning of Amazon Machine Images (AMIs), Copyright (C) 2011 Jeff Jarmoc - Dell SecureWorks Counter Threat Unit, https://github.com/jjarmoc/AMI-Exposed/
  18. AMI aiD
     - The AMI aiD (AMID) tool scans your system for security- or privacy-critical data before publishing or when started as a virtual machine in the cloud, e.g. an Amazon Machine Image (AMI).
     - It is not bound to Amazon images; it can also be used with other infrastructure-as-a-service (IaaS) cloud providers.
     Source: Center for Advanced Security Research Darmstadt (Fraunhofer SIT), http://trust.cased.de/AMID, http://code.google.com/p/amid/
  19. Security in Virtualised Environments
  20. Virtualization
     - The hypervisor is in charge of emulating all the specific hardware configurations for the "guest" operating systems.
     Source: Chris Brenton, The Basics of Virtualization Security, https://cloudsecurityalliance.org/wp-content/uploads/2011/11/virtualization-security.pdf
  21. Introspection
     - Expansion of the hypervisor's capabilities, beyond monitoring compute and store calls.
     - Introspection permits you to monitor memory and program execution, access to data files within storage, and network traffic.
     - A conduit for deeper VM analysis; it can be leveraged to implement security.
     Source: Chris Brenton, Hypervisor vs. Host Based Security, https://cloudsecurityalliance.org/wp-content/uploads/2011/11/hypervisor-vs-hostbased-security.pdf
  22. Introspection (II)
     - The hypervisor runs with higher privileges than the VMs: it sees and controls everything.
     - Kernel-level rootkits can't escape introspection.
     - Introspection is not the Holy Grail: introspection checks require complex hypervisors, and the more complex the code, the more prone it is to bugs and vulnerabilities.
  23. Introspection and Security
     - Malware control and intrusion detection: the hypervisor can efficiently monitor anomalies system-wide.
     - Data loss prevention: introspection can protect portions of the disk or even schedule backups independently of the host policies.
     - Firewalling between VMs.
     - Forensics: logs and audit trails can be compiled by the hypervisor.
  24. Antivirus in the Cloud
     - AV storms: scheduled scanning in multiple VMs at the same time can drain hardware resources.
     - Only a single AV instance per box: each host is connected to the AV through introspection using a small driver.
     - Advantages: integration of security policies, efficiency, easier to manage, ...
     Source: VMware vShield Endpoint, http://bit.ly/R0Pgyh
  25. Cryptography in the Cloud
  26. Encryption in the Cloud. How is our data stored in the Cloud?
     - Amazon, as many other cloud providers, offers the possibility to store the data encrypted.
     - Every element is encrypted with a different key.
     - Keys are stored in a different place.
     - E.g. Dropbox
     Source: http://aws.typepad.com/aws/2011/10/new-amazon-s3-server-side-encryption.html
  27. Multi-layer Encryption
     - Additionally, customers/users can implement their own client-side encryption mechanisms.
     - Or implement encryption in a trusted cloud and store data in a commodity cloud (Twin Clouds).
     Source: S. Bugiel, S. Nürnberger, A. R. Sadeghi, T. Schneider, "Twin Clouds: An Architecture for Secure Cloud Computing", Workshop on Cryptography and Security in Clouds, March 15-16, 2011, Zurich.
  28. Advanced Crypto Schemes for the Cloud
     - Even encrypted data is vulnerable at processing time.
     - There are cryptographic schemes that can process encrypted data without decrypting it. We will focus on these schemes:
       - Searchable Encryption: arbitrary queries on encrypted data without decrypting it.
       - Homomorphic Encryption: arbitrary processing of encrypted data without decrypting it.
       - Proxy Re-encryption: changing encryption keys without decrypting data.
  29. Searchable Encryption (SE)
     - Servers execute queries without having to decrypt the data; ideally, without learning any information about it.
     - Basically, an SE scheme is a set of cryptographic primitives that makes it possible to search for keywords over the encrypted data through the creation of trapdoors.
     - We can distinguish symmetric schemes and asymmetric schemes.
     (Figure: the client sends a query plus trapdoor to the server, which returns the query results)
  30. Searchable Encryption (SE) Issues
     - Data ownership: who owns the data, who can update or include new data, who can perform queries.
     - Index generation and update: how is the index generated and updated?
     - Access control and revocation: is it possible to revoke trapdoors?
     - Type of queries: single keyword, multiple keywords, conjunctive and ranked queries, ...
     - Security models: random oracle vs. standard model, adversary models, ...
  31. Symmetric Searchable Encryption (SSE)
     - SSE assumes that the data is encrypted with the same master key that will be used during searching, and that the owner of the data is the one who triggers the queries.
     - Some schemes can perform conjunctive keyword searches.
     - There are symmetric schemes that enable multiple parties to search over the data encrypted by a single user.
     References: R. Curtmola, J. Garay, S. Kamara, and R. Ostrovsky, "Searchable symmetric encryption: improved definitions and efficient constructions", in Proceedings of the 13th ACM Conference on Computer and Communications Security, ACM, 2006, pp. 79-88. L. Ballard, S. Kamara, and F. Monrose, "Achieving efficient conjunctive keyword searches over encrypted data", Information and Communications Security, pp. 414-426, 2005. D. X. Song, D. Wagner, and A. Perrig, "Practical techniques for searches on encrypted data", in Symposium on Security and Privacy, IEEE, 2000.
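As an added illustration of the trapdoor mechanism behind SSE (example code written for this page, not the author's and not the construction of any of the cited papers): a minimal inverted-index SSE in the spirit of the Curtmola et al. approach, using only the Python standard library and a constructed three-document corpus. The `leakage` list is an assumption of this toy, added to make visible what a curious server still learns per query (which label was searched and which documents matched).

```python
import hashlib
import hmac
import secrets

BLOCK = 32  # postings are padded to the PRF output size so that masking is a plain XOR


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 as the PRF F_K(x); parts are length-prefixed to keep the input unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def mask(k_w: bytes, i: int, data: bytes) -> bytes:
    """XOR a block with the pad F(k_w, i); applying the same call again unmasks it."""
    pad = prf(k_w, i.to_bytes(4, "big"))
    return bytes(x ^ y for x, y in zip(data.ljust(BLOCK, b"\0"), pad))


class Client:
    """Data owner: holds the master key, builds the index and derives trapdoors."""

    def __init__(self) -> None:
        master = secrets.token_bytes(32)
        self.k_label = prf(master, b"label")  # keys the lookup label of each keyword
        self.k_mask = prf(master, b"mask")    # keys the pads hiding the document ids

    def build_index(self, docs: dict[str, set[str]]) -> dict[bytes, list[bytes]]:
        """docs maps document id -> keyword set; returns the encrypted inverted index."""
        inverted: dict[str, list[str]] = {}
        for doc_id, words in docs.items():
            for w in sorted(words):
                inverted.setdefault(w, []).append(doc_id)
        index = {}
        for w, ids in inverted.items():
            label, k_w = self.trapdoor(w)
            # The server stores only the label and masked postings; the keyword never
            # leaves the client. It still sees how many documents sit under each label.
            index[label] = [mask(k_w, i, doc_id.encode()) for i, doc_id in enumerate(ids)]
        return index

    def trapdoor(self, w: str) -> tuple[bytes, bytes]:
        """Trapdoor for keyword w: the label to look up and the key that unmasks its postings."""
        return prf(self.k_label, w.encode()), prf(self.k_mask, w.encode())


class Server:
    """Cloud side: stores the index and answers trapdoors without the master key."""

    def __init__(self, index: dict[bytes, list[bytes]]) -> None:
        self.index = index
        self.leakage: list[tuple[bytes, list[str]]] = []  # search pattern + access pattern

    def search(self, label: bytes, k_w: bytes) -> list[str]:
        """Return the document ids under this label (the server would then serve those files)."""
        postings = self.index.get(label, [])
        ids = [mask(k_w, i, m).rstrip(b"\0").decode() for i, m in enumerate(postings)]
        self.leakage.append((label, ids))  # what a curious server learns from this query
        return ids


def demo() -> dict:
    client = Client()
    docs = {  # constructed corpus: id -> keywords (file contents would be encrypted separately)
        "inv-001": {"invoice", "madrid", "2014"},
        "inv-002": {"invoice", "malaga"},
        "memo-007": {"memo", "malaga", "2014"},
    }
    server = Server(client.build_index(docs))
    hits = {}
    for w in ("malaga", "invoice", "zurich"):
        label, k_w = client.trapdoor(w)
        hits[w] = sorted(server.search(label, k_w))
    return {"hits": hits, "index_size": len(server.index), "queries_seen": len(server.leakage)}
```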
  32. Asymmetric Searchable Encryption (ASE)
     - Any party that knows the public key is able to encrypt and add data to the server, but only the party in possession of the private key can generate trapdoors.
     - Initial schemes only focused on finding hits, not on recovering data.
     - Some schemes allow subset, range and conjunctive queries.
     - More recent schemes can recover the encrypted data.
     References: D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano, "Public key encryption with keyword search", in Advances in Cryptology - EUROCRYPT 2004, Springer, 2004, pp. 506-522. D. Boneh and B. Waters, "Conjunctive, subset, and range queries on encrypted data", Theory of Cryptography, pp. 535-554, 2007. T. Fuhr and P. Paillier, "Decryptable searchable encryption", Provable Security, pp. 228-236, 2007. D. Hofheinz and E. Weinreb, "Searchable encryption with decryption in the standard model", Cryptology ePrint Archive, Report 2008/423, 2008.
  33. Homomorphic Encryption (HE)
     - Homomorphic encryption can process data in a confidential way.
     - The first schemes focused on computations related to encryption and digital signatures.
     - There are also fully homomorphic schemes that cover arbitrary computations; unfortunately, those schemes are not yet viable.
     - Recent works on lattice-based cryptography show that "somewhat" homomorphic encryption can be used in practice.
     References: M. van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan, "Fully homomorphic encryption over the integers", in Advances in Cryptology - EUROCRYPT 2010, LNCS vol. 6110, pp. 24-43, Springer, 2010. K. Lauter, M. Naehrig, and V. Vaikuntanathan, "Can Homomorphic Encryption be Practical?", MSR-TR-2011-61, 6 May 2011.
  34. Related schemes
     - Private Set Intersection (PSI): allows two parties to compute the intersection of their sets without revealing any information about items that are not in the intersection.
     - Secure Multiparty Computation (SMC): enables parties to jointly compute a function over their inputs while keeping those inputs private.
     References: B. Pinkas (BIU), T. Schneider (TUDA), M. Zohner (TUDA), "Faster private set intersection based on OT extension", in 23rd USENIX Security Symposium (USENIX Security '14), August 20-22, 2014. https://sharemind.cyber.ee/introduction-to-sharemind
  35. Proxy Re-Encryption (PRE)
     - A proxy re-encryption scheme is an asymmetric encryption scheme that allows a proxy to transform ciphertexts under Alice's public key into ciphertexts under Bob's public key.
     - Properties: bidirectional vs. unidirectional; single-hop vs. multi-hop; collusion resistant (Alice-Proxy; Bob-Proxy).
     (Figure: Alice sends E_A(m) to the Proxy, which holds the re-encryption key r_{A-B} and outputs E_B(m) for Bob)
  36. Proxy Re-Encryption Applications
     - Secure mail delegation: mail inspection for law enforcement; delegation of duties.
     - Distributed encrypted storage: access control to encrypted data.
     - Outsourced filtering of spam: delegation of spam filtering.
     - Digital Rights Management (DRM): moving or copying protected content from one device to another; iTunes DRM crack in 2005.
  37. Some Proxy Re-Encryption Schemes
     - Introduced in 1998 by Blaze et al., based on ElGamal: bidirectional; multi-hop; not resistant to collusions.
     - In 2005 Ateniese et al. proposed new proxy re-encryption schemes based on bilinear pairings: unidirectional; single-hop; resistant to collusions.
     - In 2007 Ateniese et al. proposed new proxy re-encryption schemes for identity-based encryption.
     References: M. Blaze, G. Bleumer, and M. Strauss, "Divertible protocols and atomic proxy cryptography", Advances in Cryptology - EUROCRYPT '98, pp. 127-144, 1998. G. Ateniese, K. Fu, M. Green, and S. Hohenberger, "Improved proxy re-encryption schemes with applications to secure distributed storage", 12th Annual Network and Distributed System Security Symposium, 2005, pp. 29-44. M. Green and G. Ateniese, "Identity-based proxy re-encryption", in Applied Cryptography and Network Security, Springer, 2007, pp. 288-306.
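An added worked example (written for this page; not the author's code nor that of the cited papers) of the 1998 Blaze et al. scheme over ElGamal with 64-bit toy parameters instead of production sizes. It checks the three properties the slide lists for that scheme, including why "not resistant to collusions" matters: Bob and the proxy can jointly recover Alice's secret from the re-encryption key. The re-encryption step is the same operation the later OpenID/BlindIdM slides apply to identity attributes. Assumptions: a safe-prime group generated at run time, and messages that are already group elements (e.g. a wrapped data key).

```python
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic below ~3.3e24

def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; exact for the 64-bit numbers this toy generates."""
    if n < 2 or any(n % b == 0 for b in _MR_BASES):
        return n in _MR_BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits: int) -> tuple[int, int]:
    """Return (p, q) with p = 2q + 1 both prime; QR(p) is then a group of prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q

class BBS98:
    """Blaze-Bleumer-Strauss proxy re-encryption: bidirectional, multi-hop, ElGamal-based."""
    def __init__(self, bits: int = 64) -> None:
        self.p, self.q = safe_prime(bits)
        self.g = 4  # 2^2 is a quadratic residue, hence a generator of the order-q subgroup
    def keygen(self) -> tuple[int, int]:
        sk = 1 + secrets.randbelow(self.q - 1)  # secret exponent in [1, q-1]
        return sk, pow(self.g, sk, self.p)       # (sk, pk = g^sk)
    def random_element(self) -> int:
        return pow(self.g, 1 + secrets.randbelow(self.q - 1), self.p)  # message in QR(p)
    def encrypt(self, pk: int, m: int) -> tuple[int, int]:
        k = 1 + secrets.randbelow(self.q - 1)
        return m * pow(self.g, k, self.p) % self.p, pow(pk, k, self.p)  # (m*g^k, g^(sk*k))
    def decrypt(self, sk: int, ct: tuple[int, int]) -> int:
        c1, c2 = ct
        g_k = pow(c2, pow(sk, -1, self.q), self.p)  # (g^(sk*k))^(1/sk) = g^k
        return c1 * pow(g_k, -1, self.p) % self.p
    def rekey(self, sk_from: int, sk_to: int) -> int:
        """rk = sk_to / sk_from mod q; deriving it needs both secrets (or a two-party step)."""
        return sk_to * pow(sk_from, -1, self.q) % self.q
    def reencrypt(self, rk: int, ct: tuple[int, int]) -> tuple[int, int]:
        c1, c2 = ct
        return c1, pow(c2, rk, self.p)  # g^(a*k) -> g^(b*k); the proxy never sees m

def demo() -> dict:
    pre = BBS98()
    a, pk_a = pre.keygen()  # Alice (delegator)
    b, _ = pre.keygen()     # Bob (delegatee)
    c, _ = pre.keygen()     # Carol, to show the multi-hop property
    m = pre.random_element()
    ct_a = pre.encrypt(pk_a, m)
    rk_ab, rk_bc = pre.rekey(a, b), pre.rekey(b, c)
    ct_b = pre.reencrypt(rk_ab, ct_a)                     # proxy: Alice -> Bob
    ct_c = pre.reencrypt(rk_bc, ct_b)                     # proxy: Bob -> Carol (multi-hop)
    ct_back = pre.reencrypt(pow(rk_ab, -1, pre.q), ct_b)  # bidirectional: rk^-1 reverses it
    leaked_a = b * pow(rk_ab, -1, pre.q) % pre.q          # Bob + proxy collude: b / (b/a) = a
    return {
        "bob_ok": pre.decrypt(b, ct_b) == m,
        "carol_ok": pre.decrypt(c, ct_c) == m,
        "back_to_alice_ok": pre.decrypt(a, ct_back) == m,
        "collusion_recovers_a": leaked_a == a,
    }
```

The last flag is exactly the weakness the pairing-based schemes of Ateniese et al. remove: there the re-encryption key does not expose the delegator's secret to a delegatee who teams up with the proxy.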
  38. Identity Management in the Cloud
  39. Cloud Identity as a Service (IDaaS)
     - Cloud Identity as a Service (IDaaS) is fundamentally the management of identities in the cloud, outside the applications (and possibly even the providers) that use them.
     - The service is provided as third-party management of identity and access control functions, including user life cycle management and single sign-on.
     - The provider is in control of all identities and has to be fully trusted.
     Source: https://cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdf
  40. Secure IDaaS (figure: a Host Organization with an authoritative source and user authentication, a Cloud Identity Provider whose storage holds protected attribute values such as givenName=5W$... and sn=e4%SFd..., and a Service Provider; the parties communicate through an IdM protocol with data protection applied at each hop)
  41. Integrating OpenID with PRE to enhance privacy in cloud-based identity services
     - IDaaS introduces the same kind of problems regarding privacy and data confidentiality as other cloud services.
     - A privacy-preserving IDaaS system can be implemented using OpenID Attribute Exchange and a proxy re-encryption scheme.
     - In this way the identity provider can serve attributes to other parties without being able to read their values.
     Source: D. Nuñez, I. Agudo, and J. Lopez, "Integrating OpenID with Proxy Re-Encryption to enhance privacy in cloud-based identity services", in IEEE CloudCom 2012, IEEE Computer Society, pp. 241-248, Dec 2012.
  42. Overview (figure: the User encrypts attributes; the OpenID Provider (Identity Provider) stores the encrypted attributes and re-encrypts them; the OpenID Consumer (Service Provider) decrypts them)
  43. Original protocol (figure only)
  44. Modified protocol (figure only)
  45. Main limitation
     - Attributes are stored in the cloud directly by users. Most SPs require "certified" attributes, issued by a trusted IdP.
     - Instead of using OpenID and allowing users to upload their own attributes, we can use SAML and allow organizations to store information regarding all their users.
     (Figure: Host Organization with key pair (pH, sH), Service Provider with key pair (pSP, sSP), and a Cloud Identity Provider holding the re-encryption key rH-SP that transforms the attribute ciphertext ca into c'a)
     Source: D. Nuñez and I. Agudo, "BlindIdM: A Privacy-Preserving Approach for Identity Management as a Service", International Journal of Information Security, vol. 13, issue 2, Springer, pp. 199-215, 2014.
  46. Federated IdM (figure: an Employee belongs to the Host Organization (Identity Provider) and requests service from the Service Provider; the Service Provider has direct trust in the Identity Provider, retrieves the identity from it, and the Identity Provider provides the identity information)
  47. BlindIdM (figure: as in federated IdM, but the Host Organization outsources identity management to a Cloud Identity Provider; the diagram labels the relationships as "direct trust" (twice), "indirect trust", "retrieves identity" and "provides identity information")
  48. SAML Information Flow (sequence diagram between User agent, Service Provider, Cloud Identity Provider and Host Organization):
     - The user agent requests the service; discovery of the IdP.
     - The Service Provider issues a SAML AuthnRequest to the Cloud Identity Provider (user redirection).
     - The Cloud Identity Provider issues a SAML AuthnRequest to the Host Organization (user redirection).
     - User authentication at the Host Organization, which returns a SAML Response (user redirection).
     - The Cloud Identity Provider re-encrypts the user attributes and creates its own SAML Response (user redirection).
     - The Service Provider decrypts the user attributes, verifies the SAML Response and grants access to the service.
  49. (figure only)
  50. Privacy in the Cloud
  51. What is Privacy?
     - The concept of privacy varies widely among (and sometimes within) countries, cultures, and jurisdictions.
     - It is shaped by public expectations and legal interpretations; as such, a concise definition is elusive if not impossible.
     - Privacy rights or obligations are related to the collection, use, disclosure, storage, and destruction of personal data (or Personally Identifiable Information, PII).
     - At the end of the day, privacy is about the accountability of organizations to data subjects, as well as the transparency of an organization's practices around personal information.
  52. What is the data life cycle? (figure) Source: Tim Mather, Subra Kumaraswamy, Shahed Latif, Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance, O'Reilly Media, Inc., 2009
  53. What Are the Key Privacy Concerns?
     - Typically they mix security and privacy.
     - Some considerations to be aware of: storage; retention; destruction; auditing, monitoring and risk management; privacy breaches; who is responsible for protecting privacy?
  54. Storage
     - Where is the data in the cloud?
     - The aggregation of data raises new privacy issues: some governments may decide to search through data without necessarily notifying the data owner, depending on where the data resides.
     - Is the cloud provider entitled to access customer data?
     - Do cloud providers store behavioural information about customers and their clients?
  55. Retention
     - How long is personal information retained?
     - Which retention policy governs the data?
     - Does the organization own the data, or the cloud provider?
     - Who enforces the retention policy in the cloud, and how are exceptions to this policy managed?
  56. Destruction
     - How does the cloud provider destroy personal information at the end of the retention period?
     - How can we be sure that the cloud destroyed it at the right point and that it is not available to other cloud users?
     - Cloud storage providers usually replicate the data across multiple systems and sites (increased availability is one of the benefits they provide): are there any additional copies? Is data destroyed or just unavailable? Is the cloud using the data for its own benefit?
  57. Auditing, monitoring and risk management
     - How can organizations monitor their cloud providers and provide assurance to relevant stakeholders that privacy requirements are met when their PII is in the cloud?
     - Are they regularly audited?
     - What happens in the event of an incident?
     - Transparency, compliance controls, and auditability are key criteria in the evaluation of any cloud service provider.
  58. Privacy breaches
     - How do you know that a breach has occurred?
     - Who is responsible for managing the breach notification process?
     - Who is responsible for the consequences?
     - Data breaches have a cascading effect.
