MM
Uploaded byMarco Casassa Mont
PPTX, PDF123 views

Cloud Computing: Security, Privacy and Trust Aspects across Public and Private Sectors

This document discusses cloud computing and related security issues. It provides background on cloud computing models and services. It discusses how cloud computing impacts enterprise security lifecycle management and control. Current trends of increasing cloud services adoption and consumerization of enterprise IT are described. Requirements for cloud computing like identity management, assurance, compliance and privacy are outlined. Initiatives to develop best practices for cloud security are also mentioned. Potential future research directions around trusted infrastructure, security analytics, economics of cloud stewardship and privacy management are proposed.

Embed presentation

Download to read offline
© Copyright 2010 Hewlett-Packard Development Company, L.P.1 © Copyright 2010 Hewlett-Packard Development Company, L.P.1 Marco Casassa Mont (marco.casassa-mont@hp.com) Senior Researcher Systems Security Lab, HP Labs, Bristol Cloud Computing: Security, Privacy and Trust Aspects across Public and Private Sectors Industry Perspective RAND Europe – Cloud Computing 2010 10 September 2010
© Copyright 2010 Hewlett-Packard Development Company, L.P.2 Outline • Background on Cloud Computing • Impact on Enterprise’s Security Lifecycle Management • Current Trends, Requirements and Cloud Computing Initiatives • Future Directions: related R&D Work by HP Labs • Conclusions
© Copyright 2010 Hewlett-Packard Development Company, L.P.3 Outline • Background on Cloud Computing • Impact on Enterprise’s Security Lifecycle Management • Current Trends, Requirements and Cloud Computing Initiatives • Future Directions: related R&D Work by HP Labs • Conclusions
© Copyright 2010 Hewlett-Packard Development Company, L.P.4 Cloud Computing: Definition – No Unique Definition or General Consensus about what Cloud Computing is … – Different Perspectives & Focuses (Platform, SW, Service Levels…) – Flavours: • Computing and IT Resources Accessible Online • Dynamically Scalable Computing Power • Virtualization of Resources • Access to (potentially) Composable & Interchangeable Services • Abstraction of IT Infrastructure  No need to understand its implementation: use Services & their APIs • Related “Buzzwords”: Iaas, PaaS, SaaS, EaaS, … • Some current players, at the Infrastructure & Service Level: Salesfoce.com, Google Apps, Amazon, Yahoo, Microsoft, IBM, HP, etc.
© Copyright 2010 Hewlett-Packard Development Company, L.P.5 Cloud Service Layers Cloud Infrastructure Services (IaaS) Cloud Platform Services (PaaS) Cloud End-User Services (SaaS) Physical Infrastructure Service Users Source: HP Labs, Automated Infrastructure Lab (AIL), Bristol, UK - Peter Toft Cloud Providers Service Providers
© Copyright 2010 Hewlett-Packard Development Company, L.P.6 Cloud Computing: Models Enterprise Data Storage Service Office Apps On Demand CPUsPrinting Service Cloud Provider #1 Cloud Provider #2 Internal Cloud CRM Service … Service 3 Backup Service ILM ServiceService Service Service Business Apps/Service Employee User … … … The Internet
© Copyright 2010 Hewlett-Packard Development Company, L.P.7 Outline • Background on Cloud Computing • Impact on Enterprise’s Security Lifecycle Management • Current Trends, Requirements and Cloud Computing Initiatives • Future Directions: related R&D Work by HP Labs • Conclusions
© Copyright 2010 Hewlett-Packard Development Company, L.P.8 Today Security Management Lifecycle Vulnerability Disclosed Exploit Available Malware Patch Available Test Solution Patch Deployment Vulnerability Assessment Accelerated Patching Emergency Patching Exposed? Early Mitigation? Y Malware Reports? N Accelerate? N Patch Available? Workaround Available? Implement Workaround Y Y N Y Y Deploy Mitigation Y Risk reduced window (from disclosure time) across all vulnerabilities 0 0.05 0.1 0.15 0.2 0.25 0.3 0.35 timeline Proportionofvulnerabilities Trusted Infrastructure Policy, process, people, technology & operations Assurance & Situational Awareness Security Analytics Economics/ Threats/ Investments
© Copyright 2010 Hewlett-Packard Development Company, L.P.9 Stewardship in the Cloud Ecosystem Implications Service Consumer SaaS Provider IaaS Provider Source: HP Labs, Systems Security Lab (SSL), Bristol, UK – Simon Shiu, Adrian Baldwin
© Copyright 2010 Hewlett-Packard Development Company, L.P.10 The Enterprise Cloud Consumer Business IT Dept CISO/CIO staff infrastructure Fulfill need Public Cloud Private/ Community Cloud Source: HP Labs, Systems Security Lab (SSL), Bristol, UK – Simon Shiu, Adrian Baldwin
© Copyright 2010 Hewlett-Packard Development Company, L.P.11 Cloud Computing: Implications – Enterprise: Paradigm Shift from “Close & Controlled” IT Infrastructures and Services to Externally Provided Services and IT Infrastructures – Private User: Paradigm Shift from Accessing Static Set of Services to Dynamic & Composable Services – General Issues: • Assurance (and Trust) about Security and Business Practices • Potential Loss of Control (on Data, Infrastructure, Processes, etc.) • Data & Confidential Information Stored in The Clouds • Management of Identities and Access (IAM) in the Cloud • Compliance to Security Practice and Legislation • Privacy Management (Control, Consent, Revocation, etc.) • New Threat Environments • Reliability and Longevity of Cloud & Service Providers
© Copyright 2010 Hewlett-Packard Development Company, L.P.12 Outline • Background on Cloud Computing • Impact on Enterprise’s Security Lifecycle Management • Current Trends, Requirements and Cloud Computing Initiatives • Future Directions: related R&D Work by HP Labs • Conclusions
© Copyright 2010 Hewlett-Packard Development Company, L.P.13 Current Trends of Relevance 1. Increasing Adoption of Services in the Cloud 2. (IT) Consumerisation of the Enterprise
© Copyright 2010 Hewlett-Packard Development Company, L.P.1414 © Copyright 2010 Hewlett-Packard Development Company, L.P. Adoption of Services in the Cloud
© Copyright 2010 Hewlett-Packard Development Company, L.P.15 Services in the Cloud [1/2] • Growing adoption of IT Cloud Services by People and Companies, in particular SMEs (cost saving, etc.) • Includes: • Datacentre consolidation and IT Outsourcing • Private Cloud/Cloud Services • Public Cloud Services - Amazon, Google, Salesforce, … • Gartner predictions about Value of Cloud Computing Services: • 2008 : $46.41 billion • 2009 : $56.30 billion • 2013 : $150.1 billion (projected) • NOTE: these Trends are less obvious for Medium-Large Organisations and Gov Agencies Cloud Computing Services Org Org Org
© Copyright 2010 Hewlett-Packard Development Company, L.P.16 Services in the Cloud [2/2] • Some statistics about SME’s usage of Cloud Services (Source: SpiceWorks): • Cloud initiatives from Governments  see UK g-Cloud Initiative http://johnsuffolk.typepad.com/john-suffolk---government-cio/2009/06/government-cloud.html Data Backup : 16% Email : 21.2% Application : 11.1% VOIP : 8.5% Security : 8.5% CRM : 6.2% Web Hosting : 25.4% eCommerce : 6.4% Logistics : 3.6% Do not use : 44.1% Cloud Computing Services Org Org Org
© Copyright 2010 Hewlett-Packard Development Company, L.P.17 Personal Cloud Services • User-driven, Personal Cloud Services: - Multiple Interconnected Devices - Multiple Online Services - Multiple Data Sources and Stores • Forrester’s Prediction (by Frank Gillet): - Growing role of Personal Cloud Services and Decreasing Relevance of traditional Operating Systems …
© Copyright 2010 Hewlett-Packard Development Company, L.P.18 Opportunities and Threats • Opportunities: • Cost cutting • Further enabler of IT Outsourcing (medium-large organisations) • Better & cheaper services • No lock-in situation with a service provider • … • Threats: • Potential lack of control on Data and Processes • Proliferation of data and PII information • Reliability and Survivability Issues • Data protection and Privacy • Reliance on third party …
© Copyright 2010 Hewlett-Packard Development Company, L.P.1919 © Copyright 2010 Hewlett-Packard Development Company, L.P. (IT) Consumerisation of the Enterprise
© Copyright 2010 Hewlett-Packard Development Company, L.P.20 Traditional (IT) Enterprise Model • Key role of CIOs/CISOs, Legal Departments, etc. in defining Policies and Guidelines • Controlled and Centralised IT Provisioning • IT Infrastructures, Services and Devices Managed by the Organisation IT Services Storage ServersCorporate Devices Corporate IT (security) Policies, Provisioning & Management Enterprise
© Copyright 2010 Hewlett-Packard Development Company, L.P.21 Towards Consumerization of (IT) Enterprise New Driving Forces: • IT Outsourcing • Employees using their own Devices at work • Adoption of Cloud Services by Employees and the Organization • Blurring Boundaries between Work and Personal Life • Local Decision Making … Enterprise IT Services Storage Servers Personal Devices Storage Servers ServicesCloud Services
© Copyright 2010 Hewlett-Packard Development Company, L.P.22 Opportunities and Threats • Opportunities for Employees and Organisations: • Empowering users • Seamless experience between work and private life • Cost cutting • Better service offering •Transformation of CIO/CISO roles … • Threats: • Enterprise data stored all over the places: Potential Data losses … • Lack of control by organisation on users’ devices: potential security threats • …
© Copyright 2010 Hewlett-Packard Development Company, L.P.23 Cloud Computing: Requirements – Simplified Management of Identities and Credentials – Need for Assurance and Transparency about: • (Outsourced) Processes • Security & Privacy Practices • Data Lifecycle Management – Compliance to Regulation, Policies and Best Practice • Need to redefine what Compliance means in The Cloud – Accountability – Privacy Management: Control on Data Usage & Flows – Reputation Management
© Copyright 2010 Hewlett-Packard Development Company, L.P.24 Cloud Computing: Initiatives Recent General Initiatives aiming at Shaping Cloud Computing: – Open Cloud Manifesto • Making the case for an Open Cloud – Cloud Security Alliance • Promoting Best Security Practices for the Cloud – Jericho Forum • Cloud Cube Model: Recommendations & (Security) Evaluation Framework – …
© Copyright 2010 Hewlett-Packard Development Company, L.P.25 Outline • Background on Cloud Computing • Impact on Enterprise’s Security Lifecycle Management • Current Trends, Requirements and Cloud Computing Initiatives • Future Directions: related R&D Work by HP Labs • Conclusions
© Copyright 2010 Hewlett-Packard Development Company, L.P.26 Some Future Directions • Trusted Infrastructure • Security Analytics • Cloud Stewardship Economics • Privacy Management
© Copyright 2010 Hewlett-Packard Development Company, L.P.2727 © Copyright 2010 Hewlett-Packard Development Company, L.P. Trusted Infrastructure
© Copyright 2010 Hewlett-Packard Development Company, L.P.28 Trusted Infrastructure Enterprise Data Storage Service Office Apps On Demand CPUsPrinting Service Cloud Provider #1 Cloud Provider #2 Internal Cloud CRM Service … Service 3 Backup Service ILM ServiceService Service Service Business Apps/Service Employee User … … … The Internet Trusted Client Devices Trusted Client Infrastructure Trusted Client Infrastructure Trusted Client Infrastructure • Ensuring that the Infrastructural IT building blocks of the Enterprise and the Cloud are secure, trustworthy and compliant with security best practice • Trusted Computing Group (TCG) / • Impact of Virtualization TCG: http://www.trustedcomputinggroup.org
© Copyright 2010 Hewlett-Packard Development Company, L.P.29 Trusted Infrastructure: Trusted Virtualized Platform Personal Environment Win/Lx/OSX Corporate Productivity OS Remote IT Mgmt Home Banking Corporate Production Environment OS E-Govt Intf. Corp. Soft Phone Trusted Hypervisor Secure Corporate (Government) Client Persona Personal Client Persona Trusted Corporate Client Appliance Trusted Personal Client Appliances online (banking, egovt) or local (ipod) Services managed from cloud HP Labs: Applying Trusted Computing to Virtualization
© Copyright 2010 Hewlett-Packard Development Company, L.P.30 Paradigm Shift: Identities/Personae as “Virtualised Environment” in the Cloud Trusted Hypervisor End-User Device MyPersona1+ Virtualised Environment1 MyPersona2+ Virtualised Environment2 Bank Gaming Community Services … Using Virtualization to push Control from the Cloud/Service back to the Client Platform •User’s Persona is defined by the Service Interaction Context •User’s Persona & Identity are “tight” to the Virtualised Environment •Persona defined by User or by Service Provider •Potential Mutual attestation of Platforms and Integrity Trusted Domain
© Copyright 2010 Hewlett-Packard Development Company, L.P.3232 © Copyright 2010 Hewlett-Packard Development Company, L.P. Security Analytics
© Copyright 2010 Hewlett-Packard Development Company, L.P.33 Security Analytics Putting the Science into Security Management
© Copyright 2010 Hewlett-Packard Development Company, L.P.34 Complexity, Costs, Threats and Risks are All Increasing Trying harder is not enough – we have to get smarter
© Copyright 2010 Hewlett-Packard Development Company, L.P.35 Problems with Security Investments – Security Investments affect multiple outcomes: budget, confidentiality, integrity, availability, … – In most situations these outcomes can only be predicted with high degrees of uncertainty – Often the outcomes are inter-related (trade-off) and the link to investments is poorly understood – Classical business justification/due diligence (Return on Security Investment, cost benefit analysis) encourages these points to be glossed over
© Copyright 2010 Hewlett-Packard Development Company, L.P.36 Security Analytics – Providing Strategic Decision Support to Decision Makers (e.g. CIOs, CISOs, etc.) – Using Modelling and Simulation to Represent Process, IT Systems, Interactions, Human Behaviours and their Impact on Aspects of Relevance: Security Risks, Productivity, Costs – Carry out “What-If” Analysis and Make Predictions, based on Alternative Investments, Threat Environments, etc.
© Copyright 2010 Hewlett-Packard Development Company, L.P.37 Security Analytics: Integrating Scientific Knowledge Economic Theory (utility, trade offs, externalities, information asymmetry, incentives) Applied Mathematics (probability theory, queuing theory, process algebra, model checking) Experiment and Prediction (Discrete event modelling and simulation) Empirical Studies (Grounded theory, discourse analysis, cognitive science) CISO / CIO / Business Security/Systems Domain knowledge Business Knowledge
© Copyright 2010 Hewlett-Packard Development Company, L.P.38 PACKAGED SECURITY ANALYTICS Transforming security management to one based on scientific rigor – Launched at Infosec 2010 as part of Security Business Intelligence – Based on VTM/IAM case studies – Iterative engagement approach to define the problem and explore possible solutions and their tradeoffs – Generation of full report  Application of Security Analytics to Cloud Stewardship Economics
© Copyright 2010 Hewlett-Packard Development Company, L.P.3939 © Copyright 2010 Hewlett-Packard Development Company, L.P. Cloud Stewardship Economics
© Copyright 2010 Hewlett-Packard Development Company, L.P.40 UK Government Founded Collaborative Initiative – Cloud Stewardship Economics: • Economics & System Modelling -> Cloud Eco-Systems • Aberdeen University, Bath University, IISP, Lloyds of London, Marmalade Box, Sapphire, Validsoft Source & Contacts: HP Labs, Systems Security Lab (SSL), Bristol, UK – Simon Shiu, Adrian Baldwin
© Copyright 2010 Hewlett-Packard Development Company, L.P.41 The Cloud Ecosystem Consumer Small Business Enterprise Government Department CRM aa Service Bundled Portal aa Service Comms aa Service CPU Service Infrastructur e Service Secure Archive Storage Service 24*7 Available Storage Service Pure Service Consumers Pure Service Providers Service Consumer/ Providers
© Copyright 2010 Hewlett-Packard Development Company, L.P.42 Stewardship in the Cloud Ecosystem Consumer Small Business Enterprise Government Department CRM aa Service Bundled Portal aa ServiceComms aa Service CPU Service Infrastructure Service Secure Archive Storage Service 24*7 Available Storage Service Confidentiality Integrity Availability requirements expectations Obligations preferences incentives Procurement & Consuming Procurement & Consuming
© Copyright 2010 Hewlett-Packard Development Company, L.P.43 Summary of Cloud Stewardship Issues – Cloud • Multiple stakeholders • Complex Supply Chains • Procurement Challenges – Stewardship • Where information is • Who is accountable, and responsible • Who can see or change information • Assurance • Liability (with longevity)
© Copyright 2010 Hewlett-Packard Development Company, L.P.44 Cloud Ecosystem Economics Key ideas that are guiding our empirical work – Micro Economics • Information Asymmetry – As the service provider I know more about the costs and risks of handling your data than you or any regulator • Externalities; Public/Club Goods – Being secure costs me more than I gain, even though others in the community gain too. • Heterogeneity of services & users – How do we value bundled security characteristics & develop associated product and pricing strategies – Macro Economics • Aggregate drivers and effects – … As well as applying preference, utility, system modelling to this context
© Copyright 2010 Hewlett-Packard Development Company, L.P.4545 © Copyright 2010 Hewlett-Packard Development Company, L.P. Privacy Management
© Copyright 2010 Hewlett-Packard Development Company, L.P.46 Privacy Management TSB EnCoRe Project - EnCoRe: Ensuring Consent and Revocation UK Government Collaborative Project – http://www.encore-project.info/ “EnCoRe is a multi-disciplinary research project, spanning across a number of IT and social science specialisms, that is researching how to improve the rigour and ease with which individuals can grant and, more importantly, revoke their consent to the use, storage and sharing of their personal data by others” - Problem: Management of Personal Data (PII) and Confidential Information driven by Consent & Revocation Contact: HP Labs, Systems Security Lab (SSL), Bristol, UK – Pete Bramhall
© Copyright 2010 Hewlett-Packard Development Company, L.P.47 EnCoRe: Enabling the Flow of Identity Data + Consent/Revocation Data Storage Service Office Apps On Demand CPUs Printing Service Cloud Provider #1 Cloud Provider #2 CRM Service Delivery Service Service 3 Backup Service ILM Service User … … …The Internet Identity Data & Credentials + Consent/Revocation Identity Data & Credentials + Consent/Revocation Identity Data & Credentials + Consent/Revocation Enterprise Enterprise
© Copyright 2010 Hewlett-Packard Development Company, L.P.48 Data Storage Service Office Apps On Demand CPUsPrinting Service Cloud Provider #1 Cloud Provider #2 CRM Service … Service 3 Backup Service ILM Service User … … … The Internet EnCoRe Toolbox EnCoRe ToolBox EnCoRe ToolBox EnCoRe ToolBox EnCoRe ToolBox EnCoRe: Explicit Management of Consent and Revocation Enterprise Enterprise EnCoRe ToolBox
© Copyright 2010 Hewlett-Packard Development Company, L.P.49 EnCoRe Project – Various Case Study: • Enterprise Data • Biobank • Assisted Living – Press Event: 29/06/2010 http://www.v3.co.uk/v3/news/2265665/hp-working-privacy-tool http://finchannel.com/Main_News/B_Schools/66174_LSE%3A_Turning_off_the_tap_for_online_personal_data_- _prototype_system_unveiled_by_EnCoRe_/ – Technical Architecture and Solutions available online: http://www.encore-project.info/
© Copyright 2010 Hewlett-Packard Development Company, L.P.50 Outline • Background on Cloud Computing • Impact on Enterprise’s Security Lifecycle Management • Current Trends, Requirements and Cloud Computing Initiatives • Future Directions: related R&D Work by HP Labs • Conclusions
© Copyright 2010 Hewlett-Packard Development Company, L.P.51 Conclusions – Cloud Computing is Happening Now – Different Drivers and Needs – but Cost Cutting is currently Dominating – Different attitudes and risk exposures based on type of Companies (SMEs, Medium-large Enterprise, Government Agencies) – It is not really a Matter of Technology – Little understanding of the overall Security, Trust and Privacy Implications – Need for more Assurance, Accountability and Transparency
© Copyright 2010 Hewlett-Packard Development Company, L.P.52 Q&A More Information: Marco Casassa Mont, HP Labs, marco.casassa-mont@hp.com http://www.hpl.hp.com/personal/Marco_Casassa_Mont/

More Related Content

PPTX
Big Data for Security - DNS Analytics
byMarco Casassa Mont
 
PPT
Ultralight Data Movement for IoT with SDC Edge
byDataWorks Summit
 
PPTX
Operating a secure big data platform in a multi-cloud environment
byDataWorks Summit
 
PPTX
Big Data for Security - DNS Analytics
byMarco Casassa Mont
 
PPT
Big Data (security Issue)
byExport Promotion Bureau
 
PPTX
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...
byDataWorks Summit
 
PDF
A Trusted TPA Model, to Improve Security & Reliability for Cloud Storage
byIRJET Journal
 
PPTX
Breaking the Silos: Storage for Analytics & AI
byDataWorks Summit
 
Big Data for Security - DNS Analytics
byMarco Casassa Mont
 
Ultralight Data Movement for IoT with SDC Edge
byDataWorks Summit
 
Operating a secure big data platform in a multi-cloud environment
byDataWorks Summit
 
Big Data for Security - DNS Analytics
byMarco Casassa Mont
 
Big Data (security Issue)
byExport Promotion Bureau
 
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...
byDataWorks Summit
 
A Trusted TPA Model, to Improve Security & Reliability for Cloud Storage
byIRJET Journal
 
Breaking the Silos: Storage for Analytics & AI
byDataWorks Summit
 

What's hot

PPTX
Shaping a Digital Vision
byDataWorks Summit/Hadoop Summit
 
PPTX
Data Science Driven Malware Detection
byVMware Tanzu
 
PPTX
Continuous Data Ingestion pipeline for the Enterprise
byDataWorks Summit
 
PPTX
How big data and AI saved the day: critical IP almost walked out the door
byDataWorks Summit
 
PPTX
Data Integrity proofs in cloud storage
bySameer Mohd
 
PPTX
Security Framework for Multitenant Architecture
byDataWorks Summit
 
PDF
Security and Audit for Big Data
byNicolas Morales
 
PDF
On the Application of AI for Failure Management: Problems, Solutions and Algo...
byJorge Cardoso
 
PDF
IT_RFO10-14-ITS_AppendixA_20100513
byAlexander Doré
 
PPTX
Building the High Speed Cybersecurity Data Pipeline Using Apache NiFi
byDataWorks Summit
 
PPTX
Multi-tenant Hadoop - the challenge of maintaining high SLAS
byDataWorks Summit
 
DOCX
Enabling data dynamic and indirect mutual trust for cloud computing storage s...
byIEEEFINALYEARPROJECTS
 
PDF
3 guiding priciples to improve data security
byKeith Braswell
 
PPTX
Ciso round table on effective implementation of dlp & data security
byPriyanka Aash
 
PDF
Lessons learned from over 25 Data Virtualization implementations
byDenodo
 
PDF
Cloud computing - Risks and Mitigation - GTS
byAnchises Moraes
 
PDF
Hybrid Cloud Strategy for Big Data and Analytics
byDataWorks Summit/Hadoop Summit
 
PDF
It's All about Insight: Unlocking Effective Risk Management for Your Unstruct...
byVeritas Technologies LLC
 
PDF
Open Source Data Management for Industry 4.0
byDataWorks Summit
 
PDF
IRJET-Auditing and Resisting Key Exposure on Cloud Storage
byIRJET Journal
 
Shaping a Digital Vision
byDataWorks Summit/Hadoop Summit
 
Data Science Driven Malware Detection
byVMware Tanzu
 
Continuous Data Ingestion pipeline for the Enterprise
byDataWorks Summit
 
How big data and AI saved the day: critical IP almost walked out the door
byDataWorks Summit
 
Data Integrity proofs in cloud storage
bySameer Mohd
 
Security Framework for Multitenant Architecture
byDataWorks Summit
 
Security and Audit for Big Data
byNicolas Morales
 
On the Application of AI for Failure Management: Problems, Solutions and Algo...
byJorge Cardoso
 
IT_RFO10-14-ITS_AppendixA_20100513
byAlexander Doré
 
Building the High Speed Cybersecurity Data Pipeline Using Apache NiFi
byDataWorks Summit
 
Multi-tenant Hadoop - the challenge of maintaining high SLAS
byDataWorks Summit
 
Enabling data dynamic and indirect mutual trust for cloud computing storage s...
byIEEEFINALYEARPROJECTS
 
3 guiding priciples to improve data security
byKeith Braswell
 
Ciso round table on effective implementation of dlp & data security
byPriyanka Aash
 
Lessons learned from over 25 Data Virtualization implementations
byDenodo
 
Cloud computing - Risks and Mitigation - GTS
byAnchises Moraes
 
Hybrid Cloud Strategy for Big Data and Analytics
byDataWorks Summit/Hadoop Summit
 
It's All about Insight: Unlocking Effective Risk Management for Your Unstruct...
byVeritas Technologies LLC
 
Open Source Data Management for Industry 4.0
byDataWorks Summit
 
IRJET-Auditing and Resisting Key Exposure on Cloud Storage
byIRJET Journal
 

Similar to Cloud Computing: Security, Privacy and Trust Aspects across Public and Private Sectors

PPT
HP Cloud Services
byScott MacPherson - Hewlett Packard
 
PPTX
Cloud computing Introductory Session
byAbhinav Parmar
 
PPTX
Uncovering New Opportunities With HP Public Cloud - RightScale Compute 2013
byRightScale
 
PDF
Cloud,beyond the hype, looking at the journey to Cloud
byChristian Verstraete
 
PPT
Securing Cloud Services
byJohn Rhoton
 
PPTX
Wisdom Shifts for Enterprise by Kerry Bailey, SVP, HP
byTheCloudFactory
 
PPT
Cloud.overview.2010.07.15[1]
byOrlando F. Delgado
 
PDF
Sa*ple
byKrishanu B
 
PDF
HP Helion - Copaco Cloud Event 2015 (break-out 4)
byCopaco Nederland
 
PDF
Berislav Biočić, HP SEE: “HP Cloud za e-Poslovanje”
bygoranvranic
 
PDF
Protecting What Matters...An Enterprise Approach to Cloud Security
byInnoTech
 
PPTX
Cloud Computing - The new buzz word
byQuadrisk
 
PPT
Rio Info 2010 - Seminário de Tecnologia - Integracao de Servicos - Cesar Taur...
byRio Info
 
PPT
The future of online services (the cloud and personalization)
byTISEE
 
PPT
Readying your IT Infrastructure for Cloud
byRH
 
PDF
Transform IT Service Delivery Helion
byAndrey Karpov
 
PPT
Cloud computing (2)
byVincent Kwon
 
PDF
Cloud
byKiruba buri R
 
PDF
Cloud Computing Impact
byVirttoo org
 
PPTX
Web Os Cloud Presentation
byDamian Hamilton
 
HP Cloud Services
byScott MacPherson - Hewlett Packard
 
Cloud computing Introductory Session
byAbhinav Parmar
 
Uncovering New Opportunities With HP Public Cloud - RightScale Compute 2013
byRightScale
 
Cloud,beyond the hype, looking at the journey to Cloud
byChristian Verstraete
 
Securing Cloud Services
byJohn Rhoton
 
Wisdom Shifts for Enterprise by Kerry Bailey, SVP, HP
byTheCloudFactory
 
Cloud.overview.2010.07.15[1]
byOrlando F. Delgado
 
Sa*ple
byKrishanu B
 
HP Helion - Copaco Cloud Event 2015 (break-out 4)
byCopaco Nederland
 
Berislav Biočić, HP SEE: “HP Cloud za e-Poslovanje”
bygoranvranic
 
Protecting What Matters...An Enterprise Approach to Cloud Security
byInnoTech
 
Cloud Computing - The new buzz word
byQuadrisk
 
Rio Info 2010 - Seminário de Tecnologia - Integracao de Servicos - Cesar Taur...
byRio Info
 
The future of online services (the cloud and personalization)
byTISEE
 
Readying your IT Infrastructure for Cloud
byRH
 
Transform IT Service Delivery Helion
byAndrey Karpov
 
Cloud computing (2)
byVincent Kwon
 
Cloud
byKiruba buri R
 
Cloud Computing Impact
byVirttoo org
 
Web Os Cloud Presentation
byDamian Hamilton
 

More from Marco Casassa Mont

PPTX
Big Data for Security - Threat Analytics
byMarco Casassa Mont
 
PPTX
Big Data for Security - DNS Analytics
byMarco Casassa Mont
 
PPTX
Security Analytics & Security Intelligence-as-a-Service
byMarco Casassa Mont
 
PPTX
Security intelligence using big data presentation (engineering seminar)
byMarco Casassa Mont
 
PPT
Policy Management: An Overview
byMarco Casassa Mont
 
PPTX
Big Data for Security
byMarco Casassa Mont
 
PPTX
Cyber security within Organisations: A sneaky peak of current status, trends,...
byMarco Casassa Mont
 
Big Data for Security - Threat Analytics
byMarco Casassa Mont
 
Big Data for Security - DNS Analytics
byMarco Casassa Mont
 
Security Analytics & Security Intelligence-as-a-Service
byMarco Casassa Mont
 
Security intelligence using big data presentation (engineering seminar)
byMarco Casassa Mont
 
Policy Management: An Overview
byMarco Casassa Mont
 
Big Data for Security
byMarco Casassa Mont
 
Cyber security within Organisations: A sneaky peak of current status, trends,...
byMarco Casassa Mont
 

Recently uploaded

PPTX
Bob Stewart Greater 02 08 2026.pptx
byFamilyWorshipCenterD
 
PDF
AAC2026_Keynote_Horx Strathern_Megatrends Countertrends.pdf
byAgile Austria Conference
 
PDF
Robbee Minicola PhD Oral Defense Presentation
byMicrosoft
 
PPTX
Overview-Swine-Production-and-Breeds-of-Swine.pptx
bypanangcadjhonemart2
 
PPTX
2026-02-08 Hebrews 06 (shared slides).pptx
byDale Wells
 
PDF
AAC2026_Lavrova_ The Second Spear of Agility Why We Need Meaning, Not Metrics...
byAgile Austria Conference
 
PDF
AAC2026_Liebisch_It Starts With You - How Personal Growth Builds the Foundati...
byAgile Austria Conference
 
PDF
Top 10 Tips To Buy Verified Binance Accounts_ An Educational Guide topselleri...
bygsghhgf8
 
PPTX
Street and Hip-hop Dance - Power Point -
byrhanzcerhamirez16
 
PPTX
HUMAN RESOURCE STRATEGY & PERSONNEL PLANNING.pptx
bynaimaengfarah76
 
PDF
Presentation - French Revolution (Student Lecture).pdf
byacdebussy
 
PDF
AAC2026_Lister_Understand your 'Scrum DNA' !pdf
byAgile Austria Conference
 
PDF
🇮🇳🇮🇳🇮🇳 Welcome to India 🇮🇳🇮🇳🇮🇳.pdf
bymanjusuhag88
 
PDF
MENTAL HEALTH SESSION BY REHEMA MUTHONI MUCHAI.
by2402232
 
PDF
AAC2026_Richter_Why Agile Alone Isn't Enough - From Agile Methods to Goal-Dir...
byAgile Austria Conference
 
PPTX
alkali metal physical and chemical properties
byolurantifaith43
 
PDF
When to Use Google Ads Instead of Local Service Ads: 4 Clear Scenarios
byDigital Harvest
 
PDF
AAC2026_Tanzer_Grown Organically Software and Bonsai.pdf
byAgile Austria Conference
 
PDF
AAC2026_Batusek_Beyond the Bus Factor: Build your teams for for the future.pdf
byAgile Austria Conference
 
PDF
French Revolution { Class 9 } Presentation .pdf
bymanjusuhag88
 
Bob Stewart Greater 02 08 2026.pptx
byFamilyWorshipCenterD
 
AAC2026_Keynote_Horx Strathern_Megatrends Countertrends.pdf
byAgile Austria Conference
 
Robbee Minicola PhD Oral Defense Presentation
byMicrosoft
 
Overview-Swine-Production-and-Breeds-of-Swine.pptx
bypanangcadjhonemart2
 
2026-02-08 Hebrews 06 (shared slides).pptx
byDale Wells
 
AAC2026_Lavrova_ The Second Spear of Agility Why We Need Meaning, Not Metrics...
byAgile Austria Conference
 
AAC2026_Liebisch_It Starts With You - How Personal Growth Builds the Foundati...
byAgile Austria Conference
 
Top 10 Tips To Buy Verified Binance Accounts_ An Educational Guide topselleri...
bygsghhgf8
 
Street and Hip-hop Dance - Power Point -
byrhanzcerhamirez16
 
HUMAN RESOURCE STRATEGY & PERSONNEL PLANNING.pptx
bynaimaengfarah76
 
Presentation - French Revolution (Student Lecture).pdf
byacdebussy
 
AAC2026_Lister_Understand your 'Scrum DNA' !pdf
byAgile Austria Conference
 
🇮🇳🇮🇳🇮🇳 Welcome to India 🇮🇳🇮🇳🇮🇳.pdf
bymanjusuhag88
 
MENTAL HEALTH SESSION BY REHEMA MUTHONI MUCHAI.
by2402232
 
AAC2026_Richter_Why Agile Alone Isn't Enough - From Agile Methods to Goal-Dir...
byAgile Austria Conference
 
alkali metal physical and chemical properties
byolurantifaith43
 
When to Use Google Ads Instead of Local Service Ads: 4 Clear Scenarios
byDigital Harvest
 
AAC2026_Tanzer_Grown Organically Software and Bonsai.pdf
byAgile Austria Conference
 
AAC2026_Batusek_Beyond the Bus Factor: Build your teams for for the future.pdf
byAgile Austria Conference
 
French Revolution { Class 9 } Presentation .pdf
bymanjusuhag88
 

Cloud Computing: Security, Privacy and Trust Aspects across Public and Private Sectors

  • 1.
    © Copyright 2010Hewlett-Packard Development Company, L.P.1 © Copyright 2010 Hewlett-Packard Development Company, L.P.1 Marco Casassa Mont (marco.casassa-mont@hp.com) Senior Researcher Systems Security Lab, HP Labs, Bristol Cloud Computing: Security, Privacy and Trust Aspects across Public and Private Sectors Industry Perspective RAND Europe – Cloud Computing 2010 10 September 2010
  • 2.
    © Copyright 2010Hewlett-Packard Development Company, L.P.2 Outline • Background on Cloud Computing • Impact on Enterprise’s Security Lifecycle Management • Current Trends, Requirements and Cloud Computing Initiatives • Future Directions: related R&D Work by HP Labs • Conclusions
  • 3.
    © Copyright 2010Hewlett-Packard Development Company, L.P.3 Outline • Background on Cloud Computing • Impact on Enterprise’s Security Lifecycle Management • Current Trends, Requirements and Cloud Computing Initiatives • Future Directions: related R&D Work by HP Labs • Conclusions
  • 4.
    © Copyright 2010Hewlett-Packard Development Company, L.P.4 Cloud Computing: Definition – No Unique Definition or General Consensus about what Cloud Computing is … – Different Perspectives & Focuses (Platform, SW, Service Levels…) – Flavours: • Computing and IT Resources Accessible Online • Dynamically Scalable Computing Power • Virtualization of Resources • Access to (potentially) Composable & Interchangeable Services • Abstraction of IT Infrastructure  No need to understand its implementation: use Services & their APIs • Related “Buzzwords”: Iaas, PaaS, SaaS, EaaS, … • Some current players, at the Infrastructure & Service Level: Salesfoce.com, Google Apps, Amazon, Yahoo, Microsoft, IBM, HP, etc.
  • 5.
    © Copyright 2010Hewlett-Packard Development Company, L.P.5 Cloud Service Layers Cloud Infrastructure Services (IaaS) Cloud Platform Services (PaaS) Cloud End-User Services (SaaS) Physical Infrastructure Service Users Source: HP Labs, Automated Infrastructure Lab (AIL), Bristol, UK - Peter Toft Cloud Providers Service Providers
  • 6.
    © Copyright 2010Hewlett-Packard Development Company, L.P.6 Cloud Computing: Models Enterprise Data Storage Service Office Apps On Demand CPUsPrinting Service Cloud Provider #1 Cloud Provider #2 Internal Cloud CRM Service … Service 3 Backup Service ILM ServiceService Service Service Business Apps/Service Employee User … … … The Internet
  • 7.
    © Copyright 2010Hewlett-Packard Development Company, L.P.7 Outline • Background on Cloud Computing • Impact on Enterprise’s Security Lifecycle Management • Current Trends, Requirements and Cloud Computing Initiatives • Future Directions: related R&D Work by HP Labs • Conclusions
  • 8.
    © Copyright 2010Hewlett-Packard Development Company, L.P.8 Today Security Management Lifecycle Vulnerability Disclosed Exploit Available Malware Patch Available Test Solution Patch Deployment Vulnerability Assessment Accelerated Patching Emergency Patching Exposed? Early Mitigation? Y Malware Reports? N Accelerate? N Patch Available? Workaround Available? Implement Workaround Y Y N Y Y Deploy Mitigation Y Risk reduced window (from disclosure time) across all vulnerabilities 0 0.05 0.1 0.15 0.2 0.25 0.3 0.35 timeline Proportionofvulnerabilities Trusted Infrastructure Policy, process, people, technology & operations Assurance & Situational Awareness Security Analytics Economics/ Threats/ Investments
  • 9.
    © Copyright 2010Hewlett-Packard Development Company, L.P.9 Stewardship in the Cloud Ecosystem Implications Service Consumer SaaS Provider IaaS Provider Source: HP Labs, Systems Security Lab (SSL), Bristol, UK – Simon Shiu, Adrian Baldwin
  • 10.
    © Copyright 2010Hewlett-Packard Development Company, L.P.10 The Enterprise Cloud Consumer Business IT Dept CISO/CIO staff infrastructure Fulfill need Public Cloud Private/ Community Cloud Source: HP Labs, Systems Security Lab (SSL), Bristol, UK – Simon Shiu, Adrian Baldwin
  • 11.
    © Copyright 2010Hewlett-Packard Development Company, L.P.11 Cloud Computing: Implications – Enterprise: Paradigm Shift from “Close & Controlled” IT Infrastructures and Services to Externally Provided Services and IT Infrastructures – Private User: Paradigm Shift from Accessing Static Set of Services to Dynamic & Composable Services – General Issues: • Assurance (and Trust) about Security and Business Practices • Potential Loss of Control (on Data, Infrastructure, Processes, etc.) • Data & Confidential Information Stored in The Clouds • Management of Identities and Access (IAM) in the Cloud • Compliance to Security Practice and Legislation • Privacy Management (Control, Consent, Revocation, etc.) • New Threat Environments • Reliability and Longevity of Cloud & Service Providers
  • 12.
    © Copyright 2010Hewlett-Packard Development Company, L.P.12 Outline • Background on Cloud Computing • Impact on Enterprise’s Security Lifecycle Management • Current Trends, Requirements and Cloud Computing Initiatives • Future Directions: related R&D Work by HP Labs • Conclusions
  • 13.
    © Copyright 2010Hewlett-Packard Development Company, L.P.13 Current Trends of Relevance 1. Increasing Adoption of Services in the Cloud 2. (IT) Consumerisation of the Enterprise
  • 14.
    © Copyright 2010Hewlett-Packard Development Company, L.P.1414 © Copyright 2010 Hewlett-Packard Development Company, L.P. Adoption of Services in the Cloud
  • 15.
    © Copyright 2010Hewlett-Packard Development Company, L.P.15 Services in the Cloud [1/2] • Growing adoption of IT Cloud Services by People and Companies, in particular SMEs (cost saving, etc.) • Includes: • Datacentre consolidation and IT Outsourcing • Private Cloud/Cloud Services • Public Cloud Services - Amazon, Google, Salesforce, … • Gartner predictions about Value of Cloud Computing Services: • 2008 : $46.41 billion • 2009 : $56.30 billion • 2013 : $150.1 billion (projected) • NOTE: these Trends are less obvious for Medium-Large Organisations and Gov Agencies Cloud Computing Services Org Org Org
  • 16.
    © Copyright 2010Hewlett-Packard Development Company, L.P.16 Services in the Cloud [2/2] • Some statistics about SME’s usage of Cloud Services (Source: SpiceWorks): • Cloud initiatives from Governments  see UK g-Cloud Initiative http://johnsuffolk.typepad.com/john-suffolk---government-cio/2009/06/government-cloud.html Data Backup : 16% Email : 21.2% Application : 11.1% VOIP : 8.5% Security : 8.5% CRM : 6.2% Web Hosting : 25.4% eCommerce : 6.4% Logistics : 3.6% Do not use : 44.1% Cloud Computing Services Org Org Org
  • 17.
    © Copyright 2010Hewlett-Packard Development Company, L.P.17 Personal Cloud Services • User-driven, Personal Cloud Services: - Multiple Interconnected Devices - Multiple Online Services - Multiple Data Sources and Stores • Forrester’s Prediction (by Frank Gillet): - Growing role of Personal Cloud Services and Decreasing Relevance of traditional Operating Systems …
  • 18.
    © Copyright 2010Hewlett-Packard Development Company, L.P.18 Opportunities and Threats • Opportunities: • Cost cutting • Further enabler of IT Outsourcing (medium-large organisations) • Better & cheaper services • No lock-in situation with a service provider • … • Threats: • Potential lack of control on Data and Processes • Proliferation of data and PII information • Reliability and Survivability Issues • Data protection and Privacy • Reliance on third party …
  • 19.
    © Copyright 2010Hewlett-Packard Development Company, L.P.1919 © Copyright 2010 Hewlett-Packard Development Company, L.P. (IT) Consumerisation of the Enterprise
  • 20.
    © Copyright 2010Hewlett-Packard Development Company, L.P.20 Traditional (IT) Enterprise Model • Key role of CIOs/CISOs, Legal Departments, etc. in defining Policies and Guidelines • Controlled and Centralised IT Provisioning • IT Infrastructures, Services and Devices Managed by the Organisation IT Services Storage ServersCorporate Devices Corporate IT (security) Policies, Provisioning & Management Enterprise
  • 21.
    © Copyright 2010Hewlett-Packard Development Company, L.P.21 Towards Consumerization of (IT) Enterprise New Driving Forces: • IT Outsourcing • Employees using their own Devices at work • Adoption of Cloud Services by Employees and the Organization • Blurring Boundaries between Work and Personal Life • Local Decision Making … Enterprise IT Services Storage Servers Personal Devices Storage Servers ServicesCloud Services
  • 22.
    © Copyright 2010Hewlett-Packard Development Company, L.P.22 Opportunities and Threats • Opportunities for Employees and Organisations: • Empowering users • Seamless experience between work and private life • Cost cutting • Better service offering •Transformation of CIO/CISO roles … • Threats: • Enterprise data stored all over the places: Potential Data losses … • Lack of control by organisation on users’ devices: potential security threats • …
  • 23.
    © Copyright 2010Hewlett-Packard Development Company, L.P.23 Cloud Computing: Requirements – Simplified Management of Identities and Credentials – Need for Assurance and Transparency about: • (Outsourced) Processes • Security & Privacy Practices • Data Lifecycle Management – Compliance to Regulation, Policies and Best Practice • Need to redefine what Compliance means in The Cloud – Accountability – Privacy Management: Control on Data Usage & Flows – Reputation Management
  • 24.
    © Copyright 2010Hewlett-Packard Development Company, L.P.24 Cloud Computing: Initiatives Recent General Initiatives aiming at Shaping Cloud Computing: – Open Cloud Manifesto • Making the case for an Open Cloud – Cloud Security Alliance • Promoting Best Security Practices for the Cloud – Jericho Forum • Cloud Cube Model: Recommendations & (Security) Evaluation Framework – …
  • 25.
    © Copyright 2010Hewlett-Packard Development Company, L.P.25 Outline • Background on Cloud Computing • Impact on Enterprise’s Security Lifecycle Management • Current Trends, Requirements and Cloud Computing Initiatives • Future Directions: related R&D Work by HP Labs • Conclusions
  • 26.
    © Copyright 2010Hewlett-Packard Development Company, L.P.26 Some Future Directions • Trusted Infrastructure • Security Analytics • Cloud Stewardship Economics • Privacy Management
  • 27.
    © Copyright 2010Hewlett-Packard Development Company, L.P.2727 © Copyright 2010 Hewlett-Packard Development Company, L.P. Trusted Infrastructure
  • 28.
    © Copyright 2010Hewlett-Packard Development Company, L.P.28 Trusted Infrastructure Enterprise Data Storage Service Office Apps On Demand CPUsPrinting Service Cloud Provider #1 Cloud Provider #2 Internal Cloud CRM Service … Service 3 Backup Service ILM ServiceService Service Service Business Apps/Service Employee User … … … The Internet Trusted Client Devices Trusted Client Infrastructure Trusted Client Infrastructure Trusted Client Infrastructure • Ensuring that the Infrastructural IT building blocks of the Enterprise and the Cloud are secure, trustworthy and compliant with security best practice • Trusted Computing Group (TCG) / • Impact of Virtualization TCG: http://www.trustedcomputinggroup.org
  • 29.
    © Copyright 2010Hewlett-Packard Development Company, L.P.29 Trusted Infrastructure: Trusted Virtualized Platform Personal Environment Win/Lx/OSX Corporate Productivity OS Remote IT Mgmt Home Banking Corporate Production Environment OS E-Govt Intf. Corp. Soft Phone Trusted Hypervisor Secure Corporate (Government) Client Persona Personal Client Persona Trusted Corporate Client Appliance Trusted Personal Client Appliances online (banking, egovt) or local (ipod) Services managed from cloud HP Labs: Applying Trusted Computing to Virtualization
  • 30.
    © Copyright 2010Hewlett-Packard Development Company, L.P.30 Paradigm Shift: Identities/Personae as “Virtualised Environment” in the Cloud Trusted Hypervisor End-User Device MyPersona1+ Virtualised Environment1 MyPersona2+ Virtualised Environment2 Bank Gaming Community Services … Using Virtualization to push Control from the Cloud/Service back to the Client Platform •User’s Persona is defined by the Service Interaction Context •User’s Persona & Identity are “tight” to the Virtualised Environment •Persona defined by User or by Service Provider •Potential Mutual attestation of Platforms and Integrity Trusted Domain
  • 31.
    © Copyright 2010Hewlett-Packard Development Company, L.P.3232 © Copyright 2010 Hewlett-Packard Development Company, L.P. Security Analytics
  • 32.
    © Copyright 2010Hewlett-Packard Development Company, L.P.33 Security Analytics Putting the Science into Security Management
  • 33.
    © Copyright 2010Hewlett-Packard Development Company, L.P.34 Complexity, Costs, Threats and Risks are All Increasing Trying harder is not enough – we have to get smarter
  • 34.
    © Copyright 2010Hewlett-Packard Development Company, L.P.35 Problems with Security Investments – Security Investments affect multiple outcomes: budget, confidentiality, integrity, availability, … – In most situations these outcomes can only be predicted with high degrees of uncertainty – Often the outcomes are inter-related (trade-off) and the link to investments is poorly understood – Classical business justification/due diligence (Return on Security Investment, cost benefit analysis) encourages these points to be glossed over
  • 35.
    © Copyright 2010Hewlett-Packard Development Company, L.P.36 Security Analytics – Providing Strategic Decision Support to Decision Makers (e.g. CIOs, CISOs, etc.) – Using Modelling and Simulation to Represent Process, IT Systems, Interactions, Human Behaviours and their Impact on Aspects of Relevance: Security Risks, Productivity, Costs – Carry out “What-If” Analysis and Make Predictions, based on Alternative Investments, Threat Environments, etc.
  • 36.
    © Copyright 2010Hewlett-Packard Development Company, L.P.37 Security Analytics: Integrating Scientific Knowledge Economic Theory (utility, trade offs, externalities, information asymmetry, incentives) Applied Mathematics (probability theory, queuing theory, process algebra, model checking) Experiment and Prediction (Discrete event modelling and simulation) Empirical Studies (Grounded theory, discourse analysis, cognitive science) CISO / CIO / Business Security/Systems Domain knowledge Business Knowledge
  • 37.
    © Copyright 2010Hewlett-Packard Development Company, L.P.38 PACKAGED SECURITY ANALYTICS Transforming security management to one based on scientific rigor – Launched at Infosec 2010 as part of Security Business Intelligence – Based on VTM/IAM case studies – Iterative engagement approach to define the problem and explore possible solutions and their tradeoffs – Generation of full report  Application of Security Analytics to Cloud Stewardship Economics
  • 38.
    © Copyright 2010Hewlett-Packard Development Company, L.P.3939 © Copyright 2010 Hewlett-Packard Development Company, L.P. Cloud Stewardship Economics
  • 39.
    © Copyright 2010Hewlett-Packard Development Company, L.P.40 UK Government Founded Collaborative Initiative – Cloud Stewardship Economics: • Economics & System Modelling -> Cloud Eco-Systems • Aberdeen University, Bath University, IISP, Lloyds of London, Marmalade Box, Sapphire, Validsoft Source & Contacts: HP Labs, Systems Security Lab (SSL), Bristol, UK – Simon Shiu, Adrian Baldwin
  • 40.
    © Copyright 2010Hewlett-Packard Development Company, L.P.41 The Cloud Ecosystem Consumer Small Business Enterprise Government Department CRM aa Service Bundled Portal aa Service Comms aa Service CPU Service Infrastructur e Service Secure Archive Storage Service 24*7 Available Storage Service Pure Service Consumers Pure Service Providers Service Consumer/ Providers
  • 41.
    © Copyright 2010Hewlett-Packard Development Company, L.P.42 Stewardship in the Cloud Ecosystem Consumer Small Business Enterprise Government Department CRM aa Service Bundled Portal aa ServiceComms aa Service CPU Service Infrastructure Service Secure Archive Storage Service 24*7 Available Storage Service Confidentiality Integrity Availability requirements expectations Obligations preferences incentives Procurement & Consuming Procurement & Consuming
  • 42.
    © Copyright 2010Hewlett-Packard Development Company, L.P.43 Summary of Cloud Stewardship Issues – Cloud • Multiple stakeholders • Complex Supply Chains • Procurement Challenges – Stewardship • Where information is • Who is accountable, and responsible • Who can see or change information • Assurance • Liability (with longevity)
  • 43.
    © Copyright 2010Hewlett-Packard Development Company, L.P.44 Cloud Ecosystem Economics Key ideas that are guiding our empirical work – Micro Economics • Information Asymmetry – As the service provider I know more about the costs and risks of handling your data than you or any regulator • Externalities; Public/Club Goods – Being secure costs me more than I gain, even though others in the community gain too. • Heterogeneity of services & users – How do we value bundled security characteristics & develop associated product and pricing strategies – Macro Economics • Aggregate drivers and effects – … As well as applying preference, utility, system modelling to this context
  • 44.
    © Copyright 2010Hewlett-Packard Development Company, L.P.4545 © Copyright 2010 Hewlett-Packard Development Company, L.P. Privacy Management
  • 45.
    © Copyright 2010Hewlett-Packard Development Company, L.P.46 Privacy Management TSB EnCoRe Project - EnCoRe: Ensuring Consent and Revocation UK Government Collaborative Project – http://www.encore-project.info/ “EnCoRe is a multi-disciplinary research project, spanning across a number of IT and social science specialisms, that is researching how to improve the rigour and ease with which individuals can grant and, more importantly, revoke their consent to the use, storage and sharing of their personal data by others” - Problem: Management of Personal Data (PII) and Confidential Information driven by Consent & Revocation Contact: HP Labs, Systems Security Lab (SSL), Bristol, UK – Pete Bramhall
  • 46.
    © Copyright 2010Hewlett-Packard Development Company, L.P.47 EnCoRe: Enabling the Flow of Identity Data + Consent/Revocation Data Storage Service Office Apps On Demand CPUs Printing Service Cloud Provider #1 Cloud Provider #2 CRM Service Delivery Service Service 3 Backup Service ILM Service User … … …The Internet Identity Data & Credentials + Consent/Revocation Identity Data & Credentials + Consent/Revocation Identity Data & Credentials + Consent/Revocation Enterprise Enterprise
  • 47.
    © Copyright 2010Hewlett-Packard Development Company, L.P.48 Data Storage Service Office Apps On Demand CPUsPrinting Service Cloud Provider #1 Cloud Provider #2 CRM Service … Service 3 Backup Service ILM Service User … … … The Internet EnCoRe Toolbox EnCoRe ToolBox EnCoRe ToolBox EnCoRe ToolBox EnCoRe ToolBox EnCoRe: Explicit Management of Consent and Revocation Enterprise Enterprise EnCoRe ToolBox
  • 48.
    © Copyright 2010Hewlett-Packard Development Company, L.P.49 EnCoRe Project – Various Case Study: • Enterprise Data • Biobank • Assisted Living – Press Event: 29/06/2010 http://www.v3.co.uk/v3/news/2265665/hp-working-privacy-tool http://finchannel.com/Main_News/B_Schools/66174_LSE%3A_Turning_off_the_tap_for_online_personal_data_- _prototype_system_unveiled_by_EnCoRe_/ – Technical Architecture and Solutions available online: http://www.encore-project.info/
  • 49.
    © Copyright 2010Hewlett-Packard Development Company, L.P.50 Outline • Background on Cloud Computing • Impact on Enterprise’s Security Lifecycle Management • Current Trends, Requirements and Cloud Computing Initiatives • Future Directions: related R&D Work by HP Labs • Conclusions
  • 50.
    © Copyright 2010Hewlett-Packard Development Company, L.P.51 Conclusions – Cloud Computing is Happening Now – Different Drivers and Needs – but Cost Cutting is currently Dominating – Different attitudes and risk exposures based on type of Companies (SMEs, Medium-large Enterprise, Government Agencies) – It is not really a Matter of Technology – Little understanding of the overall Security, Trust and Privacy Implications – Need for more Assurance, Accountability and Transparency
  • 51.
    © Copyright 2010Hewlett-Packard Development Company, L.P.52 Q&A More Information: Marco Casassa Mont, HP Labs, marco.casassa-mont@hp.com http://www.hpl.hp.com/personal/Marco_Casassa_Mont/

Editor's Notes

  • #32 Earlier I said that we want to create a virtualization system that could be attested to, i.e. that we could make a strong statement as to the trustworthiness of it’s current state. So I want to spend a few moments expanding on this. Explain what a chain of trust is. We want to build systems that are immune from s/w attacks. So we build a chain of trust which is anchored in h/w which gives us a resilience to s/w attacks. It starts with the TPM (crypto device) that is bound to the mother board and we guarantee that this device will be in a known state when initially powered on. Associated with this is a Core Root of Trust for Measurement (CRTM), which is the BIOS boot block code; it can’t itself be measured but it is a piece of code which is considered trustworthy. It reliably measures integrity value of other code, and stays unchanged during the lifetime of the platform. CRTM is an extension of normal BIOS, which will be run first to measure other parts of the BIOS block before passing control. The BIOS then measures hardware, and the bootloader and passes control to the bootloader. The bootloader measures VMM kernel and pass control to the VMM and so on. What you end up with is a chain of trust with a measurement value that can be used for attestation. TPM stores measurements and can cryptographically report on those measurements to requesting parties (attestation). Essentially, the TPM signs the measurement (which is a cryptographic hash) so that the one asking for the measurement can know that it was measured by a real TPM. The requestor then checks this measurement against a known good value to determine whether or not this system can be trusted. This is an important feature of these TCG TPMs but one that has yet not been fully exploited. What we are doing within our project is to create an Integrity Measurement and Attestation framework. Specifically designed for measuring the VMM and its supporting security services so that it can attest itself to other platforms that request verification. At its lowest level it will utilize TCG TPM hardware technology and associated CPU / Chipset support such as the Intel (TXT) / AMD (SVM) for DRTM (Dynamic Root of Trust) mechanisms [Grawrock 2006]. Our planned approach diverges from existing integrity measurement systems in regard to its explicit support for the needs of virtualized systems such as chains of trust that can be safely dynamically modified [Cabuk et al. 2008a] and the support for tying the integrity of several VMs together into a single attestable and verifiable entity. TXT allows us, in combination with the TPM, to ensure that either a Measured Launch Environment or Controlled Launch Environments can be started. MLEs allow any code sequence to run, but generate a launch record which is difficult to forge by an alternative startup sequence. Controlled Launch allows us to refuse to start a particular code image unless the hardware has followed an already approved execution path. We have some functional code which demonstrates MLE, and the functionality to enforce CLE is being developed now.
  • #34 Most security strategy, policy and investments decisions are based on intuition and best practices. Security Analytics is about using scientific methods to make security management rigorous and evidence based.
  • #35 We believe this is more necessary as information security gets harder. With cloud computing, virtualization, consumerization, more business reliance on IT – and pressure on the IT budget - it gets harder to justify any expenditure, and yet with the burgeoning threat environment this must be done. Yes, we can continue to try harder, but it feels like a change in approach is needed, one where we get smarter – hence security analytics.
  • #38 Today most security teams have good knowledge about IT and are working hard to align this with business knowledge. We are looking to take this further to make business aligned security decisions based on simulation and prediction. To support this we are using appropriate economic and mathematical tools
  • #39 This is part of an ongoing ambitious research programme, and our first deliverable is to offer a packaged Security Analytics services engagement, together with the tools and methodology, for both Vulnerability and Threat Management, and also for Identity and Access Management. Starting with an initial workshop to explore your unique security challenges and identify the strategic priorities, appropriate models will be created and explored to determine the possible outcomes of key security decisions which are available to you. At the end of the exercise you will receive a full report documenting the challenges addressed, the options explored and conclusions drawn.