Security, Privacy, and Data Protection for Trusted Cloud Computing

Prof. Kai Hwang, University of Southern California

Keynote Address, International Conference on Parallel and Distributed Computing and Systems (PDCS 2010), Marina Del Rey, CA. Nov. 8, 2010


   
Nov.8, 2010

Cloud Platforms over Datacenters Cloud Infrastructure and Services Reputation-based Trust Management Data Coloring and Software Watermarking Cloud Support of The Internet of Things

Kai Hwang, USC

Handy Tools We Use over the Evolutional Periods In History

Is it safe to play with your computer, when you are naked and vulnerable ?
Nov.8, 2010
Kai Hwang, USC 2

Top 10 Technologies for 2010

Nov.8, 2010

Kai Hwang, USC

Web 2.0, Clouds, and Internet of Things

HPC: HighPerformance Computing

HTC: HighThroughput Computing

P2P:
Peer to Peer

MPP:
Massively Parallel Source: K. Hwang, G. Fox, and J. Dongarra, Processors

Distributed Systems and Cloud Computing,

Morgan Kaufmann, 2011 (in press to appear) Nov.8, 2010
Kai Hwang, USC

Public, Private and Hybrid Clouds

Source: Distributed Systems and Cloud Computing, [2] Nov.8, 2010

Kai Hwang, USC 5

Cloud Computing as A Service

[9]

Nov.8, 2010

Kai Hwang, USC

Cloud Providers, Services and Security Measures

Kai Hwang and Deyi Li, Trusted Cloud Computing with Secure Resources and Data Coloring, IEEE Internet Computing, Sept. 2010
Nov.8, 2010
Kai Hwang, USC 7

Amazon Virtual Private Cloud VPC (http://aws.amazon.com/vpc/ )

Nov.8, 2010

Kai Hwang, USC

vSphere 4 : An OS for Cloud Platform

Nov.8, 2010

Kai Hwang, USC

Cloud Services Stack

Application Cloud Services Platform Cloud Services Compute & Storage Cloud Services Co-Location Cloud Services Network Cloud Services
Nov.8, 2010
Kai Hwang, USC 10

Top 8 Cloud Computing Companies

Nov.8, 2010

Kai Hwang, USC

11

Marc Benioff, Founder of Salesforce.com

1986 graduated from USC 1999 started salesforce.com 2003-05 appointed chairman of US Presidential IT Advisory Committee 2009 announced Force.com platform for cloud business computing

A SaaS and PaaS Cloud Provider

Nov.8, 2010
Kai Hwang, USC 12

Ex ' ! X

Security and Trust Crisis

in Cloud Computing
    
Protecting datacenters must first secure cloud resources and uphold user privacy and data integrity. Trust overlay networks could be applied to build reputation systems for establishing the trust among interactive datacenters. A watermarking technique is suggested to protect shared data objects and massively distributed software modules. These techniques safeguard user authentication and tighten the data access-control in public clouds. The new approach could be more cost-effective than using the traditional encryption and firewalls to secure the clouds.
Nov.8, 2010
Kai Hwang, USC 13 13

Trusted Zones for VM Insulation

Identity federation

Federate identities with public clouds

APP OS APP OS

Insulate infrastructure from Malware, Trojans and cybercriminals

Tenant #2

Anti-malware Cybercrime intelligence Strong authentication

Virtual network security

Control and isolate VM in the virtual infrastructure

Virtual Infrastructure

APP

APP OS

OS

Tenant #1

Insulate information from other tenants Insulate information from cloud providers employees

Data loss prevention

Virtual Infrastructure

Access Mgmt

Segregate and control user access

Encryption & key mgmt Tokenization

Cloud Provider
Physical Infrastructure Physical Infrastructure Security Info. & Event Mgmt Nov.8, 2010

Enable end to end view of security events and Kai Hwang, USC compliance across infrastructures

GRC

14

Data Security and Copyright Protection in A Trusted Cloud Platform

Source: Reference [3, 4] Nov.8, 2010 2009 March 11,

Kai Hwang, USC Prof. Kai Hwang, USC 15

Security Protection Mechanisms for Public Clouds

Mechanism
Trust delegation and Negotiation Worm containment and DDoS Defense Reputation System Over Resource Sites Fine-grain access control Collusive Piracy prevention
Nov.8, 2010

Brief Description
Cross certificates must be used to delegate trust across different PKI domains. Trust negotiation among different CSPs demands resolution of policy conflicts. Internet worm containment and distributed defense against DDoS attacks are necessary to secure all datacenters and cloud platforms . Reputation system could be built with P2P technology. One can build a hierarchy of reputation systems from datacenters to distributed file systems . This refers to fine-grain access control at the file or object level. This adds up the security protection beyond firewalls and intrusion detection systems . Piracy prevention achieved with peer collusion detection and content poisoning techniques .
Kai Hwang, USC 16 16

Cloud Service Models and Their Security Demands

Cloud computing will not be accepted by common users unless the trust and dependability issues are resolved satisfactorily [1].
Nov.8, 2010
Kai Hwang, USC 17

Trust Management for Protecting Cloud Resources and Safeguard Datacenter Operations [3]

Nov.8, 2010

Kai Hwang, USC

Source: [4]

18

PowerTrust Built over A Trust Overlay Network

Global Reputation Scores V v1 Initial Reputation Aggregation Regular Random Walk v2 v3
... ... ... ...

vn Power Nodes Distributed Ranking Module

Reputation Updating Look-ahead Random Walk Local Trust Scores

Trust Overlay Network

R. Zhou and K. Hwang, PowerTrust : A scalable and robust reputation system for structured P2P networks, IEEE-TPDS, May 2007
Nov.8, 2010
19

Kai Hwang, USC

Distributed Defense against DDoS Attacks over Multiple Network Domains

(Chen, Hwang, and Ku, IEEE Trans. on Parallel and Distributed Systems, Dec. 2007 )
Nov.8, 2010
20

Kai Hwang, USC

Data Coloring via Watermarking

Nov.8, 2010

Kai Hwang, USC

21

Color Matching To Authenticate Data

Owners and Cloud Service Providers

Nov.8, 2010

Kai Hwang, USC

22

The Internet of Things Smart Earth:

Internet of Things (IOT)

Smart Earth

An IBM Dream

Nov.8, 2010

Kai Hwang, USC

23

Opportunities of IOT in 3 Dimensions

Nov.8, 2010

Kai Hwang, USC

24

Architecture of The Internet of Things

Application Layer Merchandise Tracking Environment Protection Intelligent Search Telemedicine Intelligent Traffic Smart Home

Cloud Computing Platform

Network Layer

Mobile Telecom Network

The Internet

Information Network

RFID Sensing Layer RFID Label

Sensor Network

GPS

Sensor Nodes

Road Mapper

Nov.8, 2010

Kai Hwang, USC

25

Supply Chain Management

supported by the Internet of Things.
( http://www.igd.com)

Nov.8, 2010

Kai Hwang, USC

26

Smart Power Grid

Nov.8, 2010

Kai Hwang, USC

27

Mobility Support and Security Measures for Mobile Cloud Computing

Cloud Service Models Infrastructure Cloud (The IaaS Model) Platform Cloud (The PaaS Model)

Mobility Support and Data Protection Methods

        Special air interfaces Mobile API design File/Log access control Data coloring Wireless PKI , User authentication, Copyright protection Disaster recovery

Hardware and Software Measures for Cloud Security

 Hardware/software root of trust,  Provisioning of virtual machines,  Software watermarking  Host-based firewalls and IDS  Network-based firewalls and IDS  Trust overlay network  Reputation system  OS patch management

Nov.8, 2010

Kai Hwang, USC

28

Service-Oriented Cloud of Clouds (Intercloud or Mashup)

Raw Data
Another Grid
SS
S S

Data
S S

Information
S S fs fs
Fil er Service

Knowledge
Another Grid
S S

Wisdom

Decisions

SS

Filter Cloud
fs

fs fs

fs fs

Discovery Cloud Filter Cloud

Another S ervice SS
SS SS

fs
Fil er Service

fs fs

fs fs

Filter loud
fs

fs
Fil er Service

fs fs fs

Discovery Cloud

fs
fs fs

fs
Fil er Service

fs fs

SS

Filter loud

fs

Filter Cloud
S S

Filter loud

Traditional Grid with exposed services

n o th er rid

SS

S S

S S

S S

S S

S S

S S

S S

S S

S S

a ta a se

Compute Cloud

S torage Cloud

S e n so r o r a ta In te r c h a n g e S e r v ic e

Cloud of clouds -- from Raw Data to Wisdom. SS = Sensor service, fs = filter services
Nov.8, 2010
Kai Hwang, USC 29

Conclusions:
Computing clouds are changing the whole IT , service industry, and global economy. Clearly, cloud computing demands ubiquity, efficiency, security, and trustworthiness. Cloud computing has become a common practice in business, government, education, and entertainment leveraging 50 millions of servers globally installed at thousands of datacenters today.

 Private clouds will become widespread in addition to using a few

public clouds, that are under heavy competition among Google, MS, Amazon, Intel, EMC, IBM, SGI, VMWare, Saleforce.com, etc.

 Effective trust management, guaranteed security, user privacy,

data integrity, mobility support, and copyright protection are crucial to the universal acceptance of cloud as a ubiquitous service.

Nov.8, 2010

Kai Hwang, USC

30

SGI Cyclone HPC cloud for enabling SaaS and IaaS applications (http://www.sgi.com/cyclone)

Nov.8, 2010

Kai Hwang, USC

31

Nebula Cloud Developed by NASA

(http://nebula.nasa.gov)

Nov.8, 2010

Kai Hwang, USC

32

Cloud Computing Service Provider Priorities

 Ensure confidentiality, integrity, and
availability in a multi-tenant environment.

 Effectively meet the advertised SLA,

while optimizing cloud resource utilization.

 Offer tenants capabilities for selfservice, and achieve scaling through automation and simplification.

Nov.8, 2010

Kai Hwang, USC

33

Google App Engine Platform for PaaS Operations

Nov.8, 2010

Kai Hwang, USC

34

Table 1:

Cloud Security Responsibilities by Providers and Users

Source: Reference [4] Nov.8, 2010

Kai Hwang, USC 35

Concept of Virtual Clusters

(Source: W. Emeneker, et et al, Dynamic Virtual Clustering with Xen and Moab, ISPA 2006, Springer-Verlag LNCS 4331, 2006, pp. 440-451) Nov.8, 2010
Kai Hwang, USC 36