On the Security of Data Stored in the Cloud Dr Theo Dimitrakos Head of Security Architectures Research Security Futures Practice BT Innovate & Design Contact:


1 On the Security of Data Stored in the Cloud
Dr Theo Dimitrakos, Head of Security Architectures Research, Security Futures Practice, BT Innovate & Design
Dr Srijith Nair, Senior Researcher, Security Futures Practice, BT Innovate & Design
Contact: {srijith.nair,theo.dimitrakos}@bt.com
SecureCloud 2012, 9-10 May

2 Market evolution of Cloud computing
© British Telecommunications plc
[Figure: Anticipated Cloud Market Evolution. Labels: Data Centre; Virtual Data Centre; High-end Cloud Environment; "We are here"; Cloud Islands; Cloud V. Chain; Cloud Horizontal Federation; Cloud federation layer; Cloud service broker]

3 Cloud Computing Technology Innovation emphasis on security
Enabling technology labels: Commoditised virtualisation; Security API for hypervisor; Virtual Data Centre Service Management Layer; Commoditised elasticity; Commoditised data abstraction & data federation
Cloud islands:
- User-defined hosting
- On-demand Elasticity
- Flexible charging model
- Rapid provisioning / de-provisioning
- Customer defined standalone cloud applications
- Cloud island-specific security in-depth
- Pre-customer isolation & multi-tenancy
Common capabilities:
- Cloud vs. managed service delivery model
- Reusable and customisable enabling services offered via a cloud service delivery model: Identity & access, Data & system security, Data federation, Performance monitoring, Intelligent reporting, Auditing, Usage control, Licensing, Optimisation
Virtual Private Clouds:
- Customer defined security and QoS
- Customer-centric identity & access federation
- Customer-aware process & data isolation
- Customer-defined process and data federation
- Secure private network overlay offered as a service over the internet
- Customer-centric cloud application composition
Community Clouds:
- Community-specific virtual private clouds
- In-cloud collaboration, community management & identity federation services
- Vertical integration of hosting and community-specific cloud applications
Shared Cloud aware applications:
- Commoditisation of cloud application stores
- Commoditisation of SDK for cloud applications
- Take advantage of cloud IaaS or PaaS to develop SaaS
- Ability to deploy your cloud SaaS over a targeted SaaS / PaaS
- SDK methods for on-demand elasticity, in-cloud hosting and dynamic resource provisioning
Cloud service assembly:
- Standardisation of cloud service management interfaces
- Commoditisation of cloud assembly processes & tools
- Vertical value chain specific federation
- Ability to mix-and-match cloud infrastructure & in-cloud common capabilities when producing cloud applications
- Ability to specify and rapidly provision mixed delivery models, e.g. SaaS on 3rd party PaaS; PaaS on 3rd party IaaS
Open cloud federation:
- Standardisation of cloud common capabilities
- cloud service management interfaces
- cloud access management & federated identity models
- cloud service monitoring & reporting
- cloud license management services
Other labels: Virtual Private "Local" Network over the Internet; User defined Virtual Private Cloud
Cloud Aggregation Ecosystem:
- Standardised cloud charging models including auctions
- Standardisation of cloud service assembly processes
- Virtual Data Centres assembled over multiple IaaS clouds by different providers
- PaaS over federated IaaS with integrated common capabilities by multiple 3rd parties
- Commoditisation of "Make your own Cloud" capability

4 Main Concerns of Cloud Computing (from way back then)
Results of survey conducted by ENISA in 2009

5 Main Data Challenges
- Jurisdictional exposure (location / breach)
- Segregation of data at rest
- Data loss or leakage
- Data provenance
- Data remanence
- Data sharding

6 Main Solutions
- Data classification, policy on what goes into (which) cloud
- Support for encryption of data at rest
- Transparent encryption at SaaS level
- Strong identity and access management
- At the physical disk level
- At the virtual volume level

7 Towards a comprehensive solution for cloud data hosting & sharing
Service delivery models:
  - Bespoke service on customer cloud island
  - Full integration to VDC Infrastructure
  - Integrated with Customer's corporate IT infrastructure
  - Value add service on 3rd party clouds
- Select cloud provider
- Define data store and security policy
- Encrypt data
- Mount data store to VM in the cloud
- Update data access / key release policy
- Enforce data access / key release policy
- Monitor how policy is enforced in the cloud

8 Example of virtual volume level encryption
Overview: Secure Cloud Data Hosting (VDC enhancement)
- The usage control of cloud storage is offered as a service
- Customer in control of connection, protection and access to secure virtual storage
- Keys and policy server are off the cloud data host
- Decryption only possible when data is used in a specific "safe" environment following policy-based approval
- Security is enforced by "sand-boxed" context-aware intelligent agents embedded in customer's VM
[Figure labels: Internet; Hypervisor platform; Customer VM 1, Customer VM 2, Customer VM n; Shared data storage; Offsite / Onsite Key Management Server; Policies (Rules); Cloud Service Provider (VDC); Agent]

9 Overview: Secure Cloud Data Hosting (VDC enhancement)
Customer experience:
- Data stored in non-ephemeral storage volumes are encrypted at file system level
- The encryption/decryption keys are stored off site. Decryption only possible when used in specific environment
- Rules-based approval (automatic or manual) before the keys are released to ensure release into safe envelope (IP address, VM provenance, presence of DLP software etc.)
Steps (phase labels on the slide: Setup, Once, VM life time):
- Encrypt volume: Encrypt a storage volume (iSCSI, NFS) at file system level
- Keep keys safe: Store decryption key outside the cloud in a Key Management Server
- Install secure cloud agent: Create a gold build Machine Image (e.g. VS template) with secure cloud agent installed
- Create customer image: Create instances from this image as required
- Key request: Agent requests keys when Virtual Machine is booted up
- Key provisioning: Keys may be released based on policy rules like IP address, OS type, CPU arch etc.
- Volume mounting: On receiving keys, the volume is attached to VM instance, in read or read/write mode.
- Key release: Key released by agent when it is stopped (e.g. when VM shuts down).

10 Further remarks about the solution
Security of the link between agent and KMS (mgmt server):
- Transport security: Random session keys are generated on the agent and encrypted to the KMS public key (the root certificate for which is installed with the agent). Data returned from KMS is encrypted to session key. Transmissions are over SSL, providing an additional layer of protection.
- Authentication: Session key is used to calculate Message Authentication Code on results sent from agent to KMS
Performance implications:
- Measurements showed that when data volume is 3/4 x RAM size: 6% overhead for write operations, 8% to 11% overhead for read operations
OS and Hypervisor support:
- OS support: Win 2K3, Win 2K8, Win7, SUSE, RHEL, CentOS
- Hypervisor support: Xen, VMware and Eucalyptus
Extensibility:
- VDC variants: SDKs available for developing native plug-in to new VDC management layers
- Management portals: API access to KMS process allowing embedding in existing dashboards
- Identity systems: Support for Active Directory Federation Service, SAML
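
The key-release decision described on slides 9 and 10, as an added example that is not BT's code or part of the original presentation: the agent reports its environment with a MAC keyed by the session key, and the KMS verifies the MAC before applying the release rules. It starts after the session key has been established; the attribute names, the policy layout, HMAC-SHA256 and the JSON encoding are assumptions.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed release policy for one encrypted volume (hypothetical field names).
POLICY = {
    "allowed_networks": ["10.20.0.0/16"],
    "os_type": {"RHEL", "CentOS"},
    "cpu_arch": {"x86_64"},
    "require_dlp": True,
    "manual_approval_images": {"img-unreviewed"},  # provenance a human must approve
}
# Constructed attributes an agent might report at VM boot.
SAMPLE_ATTRS = {"ip": "10.20.3.4", "os_type": "RHEL", "cpu_arch": "x86_64",
                "dlp_present": True, "image_id": "img-gold"}

def canonical(attrs):
    """Deterministic encoding so agent and KMS compute the MAC over the same bytes."""
    return json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()

def agent_report(session_key, attrs):
    """Agent side: attach an HMAC-SHA256 tag keyed with the session key."""
    tag = hmac.new(session_key, canonical(attrs), hashlib.sha256).hexdigest()
    return {"attrs": attrs, "mac": tag}

def kms_decide(session_key, report, policy=POLICY):
    """KMS side: authenticate the report first, then apply the release rules."""
    expected = hmac.new(session_key, canonical(report["attrs"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(report.get("mac", ""))):
        return "deny:bad-mac"
    a = report["attrs"]
    try:
        ip = ipaddress.ip_address(a["ip"])
    except (KeyError, ValueError):
        return "deny:ip"
    if not any(ip in ipaddress.ip_network(n) for n in policy["allowed_networks"]):
        return "deny:ip"
    if a.get("os_type") not in policy["os_type"]:
        return "deny:os_type"
    if a.get("cpu_arch") not in policy["cpu_arch"]:
        return "deny:cpu_arch"
    if policy["require_dlp"] and a.get("dlp_present") is not True:
        return "deny:dlp"
    if a.get("image_id") in policy["manual_approval_images"]:
        return "pending:manual-approval"  # rules-based approval, manual branch
    return "release"

if __name__ == "__main__":
    print(kms_decide(b"\x01" * 32, agent_report(b"\x01" * 32, SAMPLE_ATTRS)))
```

Checking the MAC before any rule is evaluated means attributes altered in transit are rejected rather than fed into the policy.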

11 Extensions to the core service
Secure Cloud (Shared) Storage:
- Extend solution to federated storage that spans across:
  - Multiple VDCs on the same cloud infrastructure
  - Cloud islands by different providers
- Combine solution with data shredding, variants of key split / group encryption, and optimal data fragment distribution algorithms to ensure that:
  - if all nodes hosting fragments of a customer's files are off, all other customers can continue to operate securely
  - root access to all nodes hosting fragments of one customer's files will not provide enough fragments to reconstruct / decrypt another customer's file
  - customers can inspect the integrity of their shredded data
Secure Cloud Container:
- Cover protection of VM images at rest
- Cover integrity checks of data and VM image volumes
- Hypervisor root-kit to cover encryption of communication between protected VMs in operation
2 BT patents pending including combination of data shredding and cloud encryption

12 Cloud security innovation roadmap at BT Research & Technology
Roadmap items:
- Technical innovation challenges & solutions
- Cloud Security Innovation Strategy
- Market evolution analysis
- Recommendations for High-level Secure Cloud Architecture for Government (IaaS)
- Secure Cloud Architecture for Government (IaaS)
- In-cloud security cost-benefit analysis
- Cloud information assurance metrics
- Cloud security risk assessment (eGov)
- Secure Cloud Service Broker
- Cloud Federation Fabric v1
- Virtual hosting on federated clouds (basic functionality)
- Recommendations for High-level Secure Cloud Architecture for Government (SaaS)
- Cloud ecosystem security value network
- Market analysis revision
- Cloud security value network revision
- Virtual hosting on federated clouds (enhanced functionality)
- Cloud Federation Fabric v2
- Cloud Aggregation Environment (v1)
- Accountable Entitlement Management (in-cloud)
- Virtual Patching
- In-Cloud Secure ESB fabric
- Application aware Behavioural Malware detection (in-cloud)
- In-cloud malware scanning
- Secure cloud storage service
- Virtual community management
- Cloud information assurance metrics
- Cloud security analytics
- Hypervisor level Malware Detection
- Hypervisor level Intrusion Prevention
- Hypervisor level Data Leak Prevention
- Use of trusted hardware in Virtual Data Centres & Cloud
Tracks: Core activities; Cloud federation; Cloud Security services; Cloud Security infrastructure; Secure Virtualisation

13 BT thought-leadership: Innovation Demonstrators
Cloud brokerage & Federation:
- Secure Cloud Service Broker
- In-cloud federation & coalition management
- VHE on Federated Clouds
Cloud Application Security:
- Intelligent Protection
- Accountable Entitlement Management
- Behavioural monitoring for Malware detection
Cloud Services Security:
- Secure cloud service management
- Secure data storage service
- Virtual Patching
- Active Shielding
Secure Virtualisation:
- Hypervisor level Malware Detection
- Hypervisor level Intrusion Prevention
- Hypervisor level Data Leak Prevention

14 BT thought-leadership: Overview of external collaborations
- Co-authors of ENISA expert advisory report on Cloud Security Risk Analysis
- Contributors to CSA security guidelines and lead of Virtualisation Security work stream
- Contributors to ENISA expert group on Government use of Cloud computing
- Leading Cloud Brokerage & Federation use case at OPTIMIS, a €15 million collaborative R&D project
- Led BEinGRID (Chief scientist / technical director), the largest R&D investment (€25 million) on next generation SOA in Europe
- Invited speakers at events: InfoSec, CloudSecurity, RSA, e-Crime, Intellect, ISF, CSO Summit, etc.
- 3 books and several technical papers in Cloud & Next Generation SOA
[Organisation names shown on slide: BT, IBM, Microsoft, Kaspersky, UK NHS, Google, HP, RSA, Symantec, ISSA, cloudsecurity.org, Baker & McKenzie]

15 Thank you for your attention
For more information contact {srijith.nair,theo.dimitrakos}@bt.com

17 BACKUP SLIDES

18 Architectural Diagram of integration in Alpha Cloud platform at BT Research & Technology

19 Towards a Secure Cloud blueprint

20 Towards a Secure Cloud blueprint technical security subsystems

