Presentation is loading. Please wait.

Presentation is loading. Please wait.

On the Security of Data Stored in the Cloud Dr Theo Dimitrakos Head of Security Architectures Research Security Futures Practice BT Innovate & Design Contact:

Similar presentations


Presentation on theme: "On the Security of Data Stored in the Cloud Dr Theo Dimitrakos Head of Security Architectures Research Security Futures Practice BT Innovate & Design Contact:"— Presentation transcript:

1 On the Security of Data Stored in the Cloud Dr Theo Dimitrakos Head of Security Architectures Research Security Futures Practice BT Innovate & Design Contact: Dr Srijith Nair Senior Researcher Security Futures Practice BT Innovate & Design SecureClouud May

2 © British Telecommunications plc Slide 2 Market evolution of Cloud computing Data Centre Data Centre Virtual Data Centre Virtual Data Centre High-end Cloud Environment We are here Anticipated Cloud Market Evolution Cloud Islands Cloud V. Chain Cloud Horizontal Federation Cloud federation layer Cloud service broker

3 Cloud Computing Technology Innovation emphasis on security Commoditised virtualisation Security API for hypervisor Virtual Data Centre Service Management Layer Commoditised elasticity Commoditised data abstraction & data federation Cloud islands User-defined hosting On-demand Elasticity Flexible charging model Rapid provisioning / de-provisioning Customer defined standalone cloud applications Cloud island- specific security in- depth Pre-customer isolation & multi- tenancy Common capabilities Cloud –vs.– managed service delivery model Reusable and customisable enabling services offered via a cloud service delivery model: Identity & access, Data & system security, Data federation, Performance monitoring, Intelligent reporting Auditing Usage control, Licensing, Optimisation Virtual Private Clouds Customer defined security and QoS Customer-centric identity & access federation Customer-aware process & data isolation Customer-defined process and data federation Secure private network overlay offered as a service over the internet customer-centric loud application composition Community Clouds Community- specific virtual private clouds In-cloud collaboration, community management & identity federation services Vertical integration of hosting and community-specific cloud applications Shared Cloud aware applications Commoditisation of cloud application stores Commoditisation of SDK for cloud applications Take advantage of cloud IaaS or PaaS to develop SaaS Ability deploy your cloud SaaS over a targeted SaaS / PaaS SDK methods for on-demand elasticity, in-cloud hosting and dynamic resource provisioning Cloud service assembly Standardisation of cloud service management interfaces Commoditisation of cloud assembly processes & tools Vertical value chain specific federation Ability to mix-and- match cloud infrastructure & in- cloud common capabilities when producing cloud applications Ability to specify and rapidly provision mixed delivery models: eg. SaaS on 3 rd party PaaS; PaaS on 3 rd party IaaS Open cloud federation Standardisation of cloud common capabilities cloud service management interfaces cloud access management & federated identity models cloud service monitoring & reporting cloud license management services Virtual Private “Local” Network over the Internet User defined Virtual Private Cloud Cloud Aggregation Ecosystem Standardised cloud charging models including auctions Standardisation of cloud service assembly processes Virtual Data Centres assembled over multiple IaaS clouds by different providers PaaS over federated IaaS with integrated common capabilities by multiple 3 rd parties Commoditisation of “Make your own Cloud” capability

4 4 Results of survey conducted by ENISA in 2009 Main Concerns of Cloud Computing (from way back then)

5 5 Main Data Challenges Jurisdictional exposure (location /breach) Segregation of data at rest Data loss or leakage Data provenance Data remanence Data sharding

6 6 Main Solutions Data classification, policy on what goes into (which) cloud Support for encryption of data at rest Transparent encryption at SaaS level Strong identity and access management At the physical disk level At the virtual volume level

7 © British Telecommunications plc Towards a comprehensive solution for cloud data hosting & sharing Bespoke service on customer cloud island Full integration to VDC Infrastructure Integrated with Customer’s corporate IT infrastructure Value add service on 3 rd party clouds Service delivery models Select cloud provider Define data store and security policy Encrypt data Mount data store to VM in the cloud Update data access / key release policy Enforce data access / key release policy Monitor how policy is enforced in the cloud

8 © British Telecommunications plc Example of virtual volume level encryption Overview: Secure Cloud Data Hosting (VDC enhancement) The usage control of cloud storage is offered as a service Customer in control of connection, protection and access to secure virtual storage Keys and policy server are off the cloud data host Decryption only possible when data is used in a specific “safe” environment following policy-based approval Security is enforced by “sand-boxed” context-aware intelligent agents embedded in customer’s VM Internet Hypervisor platform Customer VM 1Customer VM 2Customer VM n Shared data storage Offsite /Onsite Key Management Server Policies (Rules) Cloud Service Provider (VDC) Agent

9 © British Telecommunications plc Customer experience Data stored in non-ephemeral storage volumes are encrypted at file system level The encryption/decryption keys are stored off site. Decryption only possible when used in specific environment Rules-based approval (automatic or manual) before the keys are released to ensure release into safe envelope (IP address, VM provenance, presence of DLP software etc.) Overview: Secure Cloud Data Hosting (VDC enhancement) Encrypt a storage volume (iSCSI, NFS) at file system level Encrypt volume Store decryption key outside the cloud in a Key Management Server Keep keys safe Create a gold build Machine Image (e.g. VS template) with secure cloud agent installed Install secure cloud agent Create instances from this image as required Create customer image Agent requests keys when Virtual Machine is booted up Key request Keys may be released based on policy rules like IP address, OS type, CPU arch etc. Key provisioning On receiving keys, the volume is attached to VM instance, in read or read/write mode. Volume mounting Key released by agent when it is stopped (eg. when VM shuts down). Key release Setup Once VM life time

10 © British Telecommunications plc Further remarks about the solution Transport security: Random session keys are generated on the agent and encrypted to the KMS public key (the root certificate for which is installed with the agent). Data returned from KMS is encrypted to session key. Transmissions are over SSL, providing an additional layer of protection. Authentication: Session key is used to calculate Message Authentication Code on results sent from agent to KMS Security of the link between agent and KMS (mgmt server) Measurements showed that when data volume is 3/4 x RAM size: 6% overhead for write operations 8% to 11% overhead for read operations Performance implications OS support: Win 2K3, Win 2K8, Win7, SuSe, RHEL, CentOs Hypervisor support: Xen, VMWare and Eucalyptus OS and Hypervisor support VDC variants: SDKs available for developing native plug-in to new VDC management layers Management portals: API access to KMS process allowing embedding in existing dashboards Identity systems: Support for Active Directory Federation Service, SAML Extensibility

11 © British Telecommunications plc Extensions to the core service Extend solution to federated storage that spans across Multiple VDCs on the same cloud infrastructure Cloud islands by different providers Combine solution with data shredding, variants of key split / group encryption, and optimal data fragment distribution algorithms to ensure that: if all nodes hosting fragments of a customer's files are off all other customers can continue to operate securely root access all nodes hosting fragments of one customer's files will not provide enough fragments to reconstruct / decrypt another customers file customers can inspect the integrity of their shredded data Secure Cloud (Shared) Storage: Cover protection of VM images at rest Cover integrity checks of data and VM image volumes Hypervisor root-kit to cover encryption of communication between protected VMs in operation Secure Cloud Container: 2 BT patents pending including combination of data shredding and cloud encryption

12 Cloud security innovation roadmap at BT Research & Technology Technical innovation challenges & solutions Cloud Security Innovation Strategy Market evolution analysis Recommendations for High-level Secure Cloud Architecture for Government (IaaS) Secure Cloud Architecture for Government (IaaS) In-cloud security cost-benefit analysis Cloud information assurance metrics Cloud security risk assessment (eGov) Secure Cloud Service Broker Cloud Federation Fabric v1 Virtual hosing on federated clouds (basic functionality) Recommendations for High-level Secure Cloud Architecture for Government (SaaS) Cloud ecosystem security value network Market analysis revision Cloud security value network revision Virtual hosing on federated clouds (enhanced functionality) Cloud Federation Fabric v2 Cloud Aggregation Environment (v1) Accountable Entitlement Management (in-cloud) Virtual Patching In-Cloud Secure ESB fabric Application aware Behavioural Malware detection (in-cloud) In-cloud malware scanning Secure cloud storage service Virtual community management Cloud information assurance metrics Cloud security analytics Hypervisor level Malware Detection Hypervisor level Intrusion Prevention Hypervisor level Data Leak Prevention Use of trusted hardware in Virtual Data Centres & Cloud Core activities Cloud federation Cloud Security services Cloud Security infrastructure Secure Virtualisation

13 © British Telecommunications plc BT thought-leadership: Innovation Demonstrators Cloud brokerage & Federation Secure Cloud Service Broker In-cloud federation & coalition management VHE on Federated Clouds Cloud Application Security Intelligent Protection Accountable Entitlement Management Behavioural monitoring for Malware detection Cloud Services Security Secure cloud service management Secure data storage service Virtual Patching Active Shielding Secure Virtualisatio n Hypervisor level Malware Detection Hypervisor level Intrusion Prevention Hypervisor level Data Leak Prevention

14 © British Telecommunications plc BT thought-leadership: Overview of external collaborations Co-authors of ENISA expert advisory report on Cloud Security Risk Analysis Contributors to CSA security guidelines and lead of Virtualisation Security work stream Contributors to ENISA expert group on Government use of Cloud computing Leading Cloud Brokerage & Federation use case at OPTIMIS a €15 million collaborative R&D project Led BEinGRID (Chief scientist / technical director) the largest R&D investment (€25 million) on next generation SOA in Europe Invited speakers at events: InfoSec, CloudSecurity, RSA, e-Crime, Intellect, ISF, CSO Summit, etc. 3 books and several technical papers in Cloud & Next Generation SOA BT IBM Microsoft Kaspersky UK NHS Google HP RSA Symantec ISSA cloudsecurity.org Baker & McKenzie

15 © British Telecommunications plc Slide 15 Thank you for your attention For more information contact

16 © British Telecommunications plc Slide 16

17 BACKUP SLIDES

18 Architectural Diagram of integration in Alpha Cloud platform at BT Research & Technology

19 Towards a Secure Cloud blueprint

20 Towards a Secure Cloud blueprint technical security subsystems


Download ppt "On the Security of Data Stored in the Cloud Dr Theo Dimitrakos Head of Security Architectures Research Security Futures Practice BT Innovate & Design Contact:"

Similar presentations


Ads by Google