
Securely Using Cloud Computing Services


1 Securely Using Cloud Computing Services
Part I: Securely Using Cloud Computing Services. Qin Liu, Hunan University

2 Outline
1. Cloud Computing
2. Security Issues in Clouds
3. Introduction to Our Work

3 Evolution of Computing Patterns

4 What Is Cloud Computing?
Wikipedia definition: cloud computing is a concept of using the Internet to allow people to access technology-enabled services. It allows users to consume services without knowledge of, or control over, the technology infrastructure that supports them.
NIST definition: 5 essential characteristics, 3 cloud service models, 4 cloud deployment models.
NIST: National Institute of Standards and Technology

5 The NIST Cloud Definition Framework
Deployment Models: Public Cloud, Private Cloud, Community Cloud, Hybrid Clouds
Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Essential Characteristics: On-Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
Speaker notes:
On-demand self-service: users consume cloud resources according to their own needs without interacting with the cloud service provider, and need not worry about money wasted on idle resources.
Broad network access: users reach the cloud over high-bandwidth networks; standard access mechanisms are supported, so users can use cloud services anytime and anywhere over the Internet.
Rapid elasticity: users tailor the resources in the cloud to their needs, and the cloud scales up or down quickly in response.
Resource pooling: the cloud is a huge pool of resources; virtualization hides the specific hardware layer, so to the user it is a transparent computing model. Physical and virtual resources are dynamically assigned through a multi-tenant model.
Measured service: the amount of cloud resources a user consumes can be allocated and monitored dynamically and automatically, and usage of cloud resources is billed like utilities such as water and electricity.
Infrastructure as a Service: Amazon EC2. Platform as a Service: Google App Engine, Microsoft Azure. Software as a Service: Google Docs, IBM LotusLive.

6 Essential Characteristics
On-demand service: get computing capabilities as needed, automatically
Broad network access: services available over the net using desktop, laptop, PDA, mobile phone
Resource pooling: provider resources pooled to serve multiple clients
Rapid elasticity: ability to quickly scale services in/out
Measured service: control and optimize services based on metering

7 Essential Characteristics

8 Cloud Service Models
Software as a Service (SaaS): we use the provider's apps. The user doesn't manage or control the network, servers, OS, storage or applications.
Platform as a Service (PaaS): the user deploys their apps on the cloud and controls their apps. The user doesn't manage servers, OS, storage.
Infrastructure as a Service (IaaS): consumers get access to the infrastructure to deploy their software. They don't manage or control the infrastructure, but do manage or control the OS, storage, apps, and selected network components.

9 Service Delivery Model Examples
(figure: Amazon, Google, Microsoft, Salesforce placed against SaaS, PaaS, IaaS)
Products and companies shown for illustrative purposes only and should not be construed as an endorsement.

10 Cloud Deployment Models
Private cloud: enterprise owned or leased
Community cloud: shared infrastructure for a specific community
Public cloud: sold to the public, mega-scale infrastructure
Hybrid cloud: composition of two or more clouds
Speaker notes:
Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting).

11 Cloud Deployment Models

12 Top 8 Cloud Computing Companies

13 Cloud Computing Example - Amazon EC2
IaaS

14 Cloud Computing Example - Google AppEngine
PaaS
Google AppEngine API: Python runtime environment, Datastore API, Images API, Mail API, Memcache API, URL Fetch API, Users API
A free account can use up to 500 MB storage, enough CPU and bandwidth for about 5 million page views a month.

15 Conventional Computing vs. Cloud Computing
Conventional computing: manually provisioned; dedicated hardware; fixed capacity; pay for capacity; capital & operational expenses; managed via sysadmins
Cloud computing: self-provisioned; shared hardware; elastic capacity; pay for use; operational expenses; managed via APIs

16 Why A Cloud?

17 Why A Cloud?

18 Why A Cloud?

19 Cloud Computing Summary
Cloud computing is a kind of network service and is a trend for future computing.
Scalability matters in cloud computing technology.
Users focus on application development.
The geographic location of services is not known to the user.

20 Outline
1. Cloud Computing
2. Security Issues in Clouds
3. Introduction to Our Work

21 What Is Not a Cloud?

22 Cloud Providers and Security Measures
Kai Hwang and Deyi Li, “Trusted Cloud Computing with Secure Resources and Data Coloring”, IEEE Internet Computing, Sept. 2010

23 General Security Advantages
Shifting public data to an external cloud reduces the exposure of the internal sensitive data.
Cloud homogeneity makes security auditing/testing simpler.
Clouds enable automated security management.
Redundancy / disaster recovery.

24 General Security Challenges
Trusting the vendor's security model
Customer inability to respond to audit findings
Obtaining support for investigations
Indirect administrator accountability
Proprietary implementations can't be examined
Loss of physical control

25 10 Security Concerns
1. Where's the data? 2. Who has access? 3. What are your regulatory requirements? 4. Do you have the right to audit? 5. What type of training does the provider offer their employees? 6. What type of data classification system does the provider use? 7. What are the service level agreement (SLA) terms? 8. What is the long-term viability of the provider? 9. What happens if there is a security breach? 10. What is the disaster recovery/business continuity plan (DR/BCP)?
Speaker notes:
1. Where's the data? Different countries have different requirements and controls placed on access. Because your data is in the cloud, you may not realize that the data must reside in a physical location. Your cloud provider should agree in writing to provide the level of security required for your customers.
2. Who has access? Access control is a key concern, because insider attacks are a huge risk. A potential hacker is someone who has been entrusted with approved access to the cloud. If anyone doubts this, consider that in early 2009 an insider was accused of planting a logic bomb on Fannie Mae servers that, if launched, would have caused massive damage. Anyone considering using the cloud needs to look at who is managing their data and what types of controls are applied to these individuals.
3. What are your regulatory requirements? Organizations operating in the US, Canada, or the European Union have many regulatory requirements that they must abide by (e.g., ISO 27002, Safe Harbor, ITIL, and COBIT). You must ensure that your cloud provider is able to meet these requirements and is willing to undergo certification, accreditation, and review.
4. Do you have the right to audit? This particular item is no small matter; the cloud provider should agree in writing to the terms of audit.
5. What type of training does the provider offer their employees? This is actually a rather important item, because people will always be the weakest link in security. Knowing how your provider trains their employees is an important item to review.
6. What type of data classification system does the provider use? Questions you should be concerned with here include: Is the data classified? How is your data separated from other users? Encryption should also be discussed. Is it being used while the data is at rest and in transit? You will also want to know what type of encryption is being used. As an example, there is a big difference between WEP and WPA2.
7. What are the service level agreement (SLA) terms? The SLA serves as a contracted level of guaranteed service between the cloud provider and the customer that specifies what level of services will be provided.
8. What is the long-term viability of the provider? How long has the cloud provider been in business and what is their track record? If they go out of business, what happens to your data? Will your data be returned, and if so, in what format? As an example, in 2007, online storage service MediaMax went out of business following a system administration error that deleted active customer data. The failed company left behind unhappy users and focused concerns on the reliability of cloud computing.
9. What happens if there is a security breach? If a security incident occurs, what support will you receive from the cloud provider? While many providers promote their services as being unhackable, cloud-based services are an attractive target to hackers.
10. What is the disaster recovery/business continuity plan (DR/BCP)? While you may not know the physical location of your services, they are physically located somewhere. All physical locations face threats such as fire, storms, natural disasters, and loss of power. In case of any of these events, how will the cloud provider respond, and what guarantee of continued services are they promising? As an example, in February 2009, Nokia's Contacts On Ovi servers crashed. The last reliable backup that Nokia could recover was dated January 23rd, meaning anything synced and stored by users between January 23rd and February 9th was lost completely.

26 7 Potential Risks
Privileged user access; Regulatory compliance; Data location; Data segregation; Recovery; Investigative support; Long-term viability
Speaker notes:
1. Privileged user access. Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the "physical, logical and personnel controls" IT shops exert over in-house programs. Get as much information as you can about the people who manage your data. "Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access," Gartner says.
2. Regulatory compliance. Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are "signaling that customers can only use them for the most trivial functions," according to Gartner.
3. Data location. When you use the cloud, you probably won't know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers, Gartner advises.
4. Data segregation. Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn't a cure-all. "Find out what is done to segregate data at rest," Gartner advises. The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists. "Encryption accidents can make data totally unusable, and even normal encryption can complicate availability," Gartner says.
5. Recovery. Even if you don't know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster. "Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure," Gartner says. Ask your provider if it has "the ability to do a complete restoration, and how long it will take."
6. Investigative support. Investigating inappropriate or illegal activity may be impossible in cloud computing, Gartner warns. "Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible."
7. Long-term viability. Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event. "Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application," Gartner says.

27 What Is Not New?
Data Loss; Downtimes; Phishing; Password Cracking; Botnets and Other Malware

28 Data Loss

29 Downtimes

30 Phishing “hey! check out this funny blog about you...”

31 Password Cracking

32 What Is New?
Accountability; No Security Perimeter; Larger Attack Surface; New Side Channels; Lack of Auditability; Regulatory Compliance; Data Security

33 Accountability

34 No Security Perimeter
Little control over the physical or network location of cloud instance VMs.
Network access must be controlled on a host-by-host basis.

35 Larger Attack Surface
(figure: the cloud provider alongside your network)

36 New Side Channels
You don't know whose VMs are sharing the physical machine with you. Attackers can place their VMs on your machine; see the "Hey, You, Get Off of My Cloud" paper for how.
Shared physical resources include:
CPU data cache: Bernstein 2005
CPU branch prediction: Onur Aciiçmez 2007
CPU instruction cache: Onur Aciiçmez 2007
In a single-OS environment, people can extract cryptographic keys with these attacks.

37 Lack of Auditability
Only the cloud provider has access to full network traffic, hypervisor logs, and physical machine data.
Need mutual auditability:
Ability of the cloud provider to audit potentially malicious or infected client VMs.
Ability of the cloud customer to audit the cloud provider environment.

38 Regulatory Compliance

39 Certifications

40 Data Security
(figure) Techniques: Symmetric Encryption, Homomorphic Encryption, SSL, MAC, Redundancy
Properties: Confidentiality (only those authorized get to know); Integrity (data has not been tampered with); Availability (data never lost, machine never fails)
Stages: Storage, Processing, Transmission

41 Data Security Is A Major Concern
Security concerns arise because both customer data and customer programs reside in the provider's premises.
Security is always a major concern in open system architectures.
(figure: customer data and customer code inside the provider premises, with the customer outside)

42 Why Data Is Not Secure
Cloud security problems come from:
Loss of control
Lack of trust
Multi-tenancy
These mainly exist in the public cloud.

43 Loss of Control in the Cloud
Consumer's loss of control:
Data, applications, resources are located with the provider
User identity management is handled by the cloud
User access control rules, security policies and enforcement are managed by the cloud provider
The consumer relies on the provider to ensure: data security and privacy; resource availability; monitoring and repairing of services/resources

44 Lack of Trust in the Cloud
A brief deviation from the talk: trusting a third party requires taking risks.
Defining trust and risk: opposite sides of the same coin. People only trust when it pays. The need for trust arises only in risky situations.
Defunct third-party management schemes: hard to balance trust and risk, e.g. key escrow. Is the cloud headed down the same path?
Speaker notes: Chiles and McMakin (1996) define trust as increasing one's vulnerability to the risk of opportunistic behavior of another whose behavior is not under one's control in a situation in which the costs of violating the trust are greater than the benefits of upholding the trust. Trust here means mostly lack of accountability and verifiability.

45 Multi-tenancy Issues in the Cloud
Conflict between tenants' opposing goals: tenants share a pool of resources and have opposing goals.
How does multi-tenancy deal with conflict of interest? Can tenants get along together and 'play nicely'? If they can't, can we isolate them? How do we provide separation between tenants?
Who are my neighbors? What is their objective?
They present another facet of risk and trust requirements.

46 Possible Solutions
Loss of control: take back control. Data and apps may still need to be on the cloud, but can they be managed in some way by the consumer?
Lack of trust: increase trust (mechanisms) through technology; policy and regulation; contracts (incentives), the topic of a future talk.
Multi-tenancy: a private cloud takes away the reasons to use a cloud in the first place; strong separation.

47 Cloud Security Summary
Cloud computing is sometimes viewed as a reincarnation of the classic mainframe client-server model. However, resources are ubiquitous, scalable, highly virtualized.
It contains all the traditional threats, as well as new ones.
In developing solutions to cloud computing security issues it may be helpful to identify the problems and approaches in terms of: loss of control; lack of trust; multi-tenancy problems.

48 Outline
1. Cloud Computing
2. Security Issues in Clouds
3. Introduction to Our Work

49 Our Main Work

50 Selected Publications
G. Wang, Q. Liu, F. Li, S. Yang, and J. Wu, "Outsourcing Privacy-Preserving Social Networks to a Cloud," accepted to appear in the 32nd IEEE International Conference on Computer Communications (IEEE INFOCOM 2013).
Q. Liu, C. C. Tan, J. Wu, and G. Wang, "Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments," Proceedings of the 31st IEEE International Conference on Computer Communications (IEEE INFOCOM 2012).
G. Wang, Q. Liu, and J. Wu, "Hierarchical Attribute-Based Encryption for Fine-Grained Access Control in Cloud Computing," Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS-10).
Q. Liu, C. C. Tan, J. Wu, and G. Wang, "Towards Differential Query Services in Cost-Efficient Clouds," accepted to appear in IEEE Transactions on Parallel and Distributed Systems (TPDS).
Q. Liu, G. Wang, and J. Wu, "Time-Based Proxy Re-encryption Scheme for Secure Data Sharing in a Cloud Environment," Information Sciences.
Q. Liu, C. C. Tan, J. Wu, and G. Wang, "Cooperative Private Searching in Clouds," Journal of Parallel and Distributed Computing (JPDC).
G. Wang, Q. Liu, and J. Wu, "Hierarchical Attribute-Based Encryption and Scalable User Revocation for Sharing Data in Cloud Servers," Computers & Security.

51 Multi-User Data Sharing Environment
Cloud security problems come from: loss of control; lack of trust (mechanisms); multi-tenancy.
Security issues: data security, revocation, retrieval privacy.
Data security: only the authorized data users can access the data stored in the cloud.
Revocation: effectively revoke a data user's access right.
Retrieval privacy: user privacy while retrieving data from the cloud.
The cloud service provider is a potential attacker!!

52 Current Solutions
Data security, the natural way: adopt cryptographic techniques.
Current solutions:
Traditional symmetric/asymmetric encryption: low cost for encryption and decryption; supports key delegation (HIBE); hard to achieve fine-grained access control.
Attribute-based encryption: easy to achieve fine-grained access control; high cost for encryption and decryption; does not support key delegation.

53 Public Key Cryptography

54 Attribute-Based Encryption (ABE)
Ciphertext-Policy ABE; Key-Policy ABE

55 Hierarchical Attribute-Based Encryption (HABE)
Sample URA requirements: fine-grained access control; hierarchical key generation; efficiency.
Application scenario.

56 Hierarchical Attribute-Based Encryption (HABE)
Key technique: combine hierarchical identity-based encryption and attribute-based encryption; use the attributes and the exact ID to identify each user.
HABE architecture.

57 User Revocation
Naïve solution: the data owner re-encrypts the data and distributes new keys to the data users. Frequent revocation will make the data owner a performance bottleneck.
Proxy re-encryption (PRE).

58 Time-Based Proxy Re-Encryption
PRE in clouds: the data owner sends a re-encryption instruction to the cloud, and the cloud performs re-encryption based on proxy re-encryption.
How to achieve automatic revocation without sending any instructions?
T2 < T1: potential security risk.

59 Time-Based Proxy Re-Encryption
Key technique: incorporate time into PRE. This scheme is suitable for applications where the validity period of access is pre-determined.
A time tree is constructed. The data owner and the cloud share a secret seed s. The cloud re-encrypts data automatically based on its internal time when it receives a data access request.

60 User Privacy
User privacy:
Search privacy: the cloud cannot know what the users are searching for.
Access privacy: the cloud cannot know what/which files are returned to the users.
Existing solutions:
Private search (PS) can protect user privacy while searching public data.
Searchable encryption (SE) can protect search privacy while searching private data.

61 Searchable Encryption (SE)
Bob sends Alice an email encrypted under Alice's public key. Alice's gateway wants to test whether the email contains the keyword "urgent" so that it could route the email to her PDA immediately. But Alice does not want the gateway to be able to decrypt her messages.

62 Efficient Searchable Encryption
Problem: the user needs to perform decryption, but a thin client has only limited resources.
Requirements: enable the cloud to perform partial decryption without compromising search privacy; the user can access data from the cloud anytime and anywhere with any device.

63 Efficient Searchable Encryption
Key technique: Alice takes both Bob's and the CSP's public keys as inputs to the encryption algorithm. The CSP uses its secret key to perform partial decryption and generate an intermediate value. Bob uses the intermediate value to quickly recover the data.

64 Private Search (PS)
Given a public dictionary that contains all keywords, e.g., dictionary = <A, B, C, D>, Bob wants to retrieve files with keywords A and B. Bob sends the cloud the encrypted query vector [1] [1] [0] [0] over the dictionary; the cloud returns a compressed version of all files. Files: F1: {A, B}, F2: {B, D}, F3: {C, D}.
PS preserves search privacy and access privacy.
The computation cost incurred in the cloud is high, since the cloud needs to process a user's query on each file in the collection. Otherwise the cloud would know that the files it did not process are not of interest to the user.

65 Private Search (PS)
Files: F1: {A, B}, F2: {B, D}, F3: {C, D}. Query: [1] [1] [0] [0].
Key trick: map unmatched files to 0.
Homomorphic encryption: E(x)*E(y) = E(x+y); E(x)^y = E(x*y).
In the cloud's buffer, an unmatched file contributes E(0), so E(F2)*E(0) = E(F2) and the matched file survives; matched files that land in the same slot collide.

66 Cooperative Private Search (COPS)
Problem for simple PS: processing each query is expensive. Given n users, the cloud needs to execute n queries, a performance bottleneck on the cloud.
COPS architecture: a (trusted) proxy server, the ADL, is introduced between the users and the cloud to aggregate user queries and distribute search results.

67 Cooperative Private Search (COPS)
Key technique: the user and the cloud share
Shuffle functions that shuffle the dictionary and the query, to preserve search privacy;
a pseudonym function that hides file names and an obfuscation function that hides file content, to preserve access privacy.
Key merits: user privacy is preserved from the cloud, the proxy server, and other users.

68 Efficient Information Retrieval for Ranked Queries (EIRQ)
Problem for simple COPS: no ranked queries; the cloud returns all matched files.

69 Efficient Information Retrieval for Ranked Queries (EIRQ)
Queries are classified into ranks 0, 1, …, r-1. A rank-i query retrieves a (1 - i/r) fraction of the matched files.
Files that match rank-0 queries will not be filtered; files that match rank-1 queries are filtered with probability 1/r; files that match rank-i queries are filtered with probability i/r.
The cloud cannot know which files are filtered/returned, and cannot know each query's rank.

70 Efficient Information Retrieval for Ranked Queries (EIRQ)
Key techniques: construct a mask matrix to protect query ranks; filter files without knowing which files are filtered.
Step 1, QueryGen: user sends keywords and rank to the ADL. Step 2, Matrix Construct: the ADL sends a mask matrix to the cloud. Step 3, FileFilter: the cloud fills a buffer. Step 4, File Recovery: the ADL returns a certain percentage of the files matching the user's keywords.

71 Construct Mask Matrix
The ADL constructs a mask matrix, encrypted with its public key, and sends it to the cloud. Example: keywords A, B, C, D; number of ranks r = 2; Alice queries {A, B} at rank 0 and Bob queries {A, C} at rank 1. The matrix has one row per keyword and r columns of encrypted [1] or [0] entries.
For a keyword: the number of 1s in its row is determined by the rank i of the query it appears in, r - i; when it appears in several queries, the higher rank takes over. The ratio of 1s to r determines the probability that a file containing the keyword is returned, (r - i)/r; the higher ratio takes over.

72 Filter Files
The cloud chooses a random column for each file. Files: F1: {A, B}, F2: {B, D}, F3: {C, D}. For F3, multiplying the chosen column's entries of C and D gives E(0) in one column (E(0)*E(0) = E(0)) and E(1) in the other, so the cloud computes either E(0)^F3 = E(0), which filters the file, or E(1)^F3 = E(F3), which returns it, each with 50% probability. In general, a file that matches a rank-i query is filtered with probability i/r.
The results are placed in the cloud buffer and sent to the ADL: F1 and F2 will be returned; F3 will be filtered with 50% probability.
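The following is an added example, not the speakers' own code: it runs the private search of slide 64 and the EIRQ mask-matrix filtering of slides 71 and 72 end to end on a toy Paillier cryptosystem, which supplies exactly the E(x)*E(y) = E(x+y) and E(x)^y = E(x*y) operations the slides rely on. Plain PS is treated as the r = 1 instance of the mask matrix, so one block serves both slides; the tiny primes, the (E(c), E(c*F)) pair returned per file, the columns override and the sample files are my assumptions.

```python
"""Toy Paillier-based private search (slide 64) and EIRQ mask-matrix
filtering (slides 71-72). Constructed illustration with tiny primes: not secure."""
import random
from math import gcd

def paillier_keygen(p=1000003, q=1000033):   # assumed toy primes
    # With g = n + 1, L(g^lambda mod n^2) = lambda, so mu = lambda^-1 mod n.
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return n, (lam, pow(lam, -1, n))

def enc(n, m, rng):
    n2 = n * n
    r = rng.randrange(1, n)
    while gcd(r, n) != 1:
        r = rng.randrange(1, n)
    return pow(n + 1, m, n2) * pow(r, n, n2) % n2

def dec(n, sk, c):
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def add(n, c1, c2):        # E(x) * E(y) = E(x + y)
    return c1 * c2 % (n * n)

def scale(n, c, k):        # E(x) ^ k = E(x * k)
    return pow(c, k, n * n)

def build_mask(n, dictionary, queries, r, rng):
    """ADL side. queries = [(keyword_set, rank)] with ranks 0..r-1. Keyword k's
    row holds r-i ones, i being the best (lowest) rank among queries naming k;
    keywords nobody asked for are all zeros. r = 1 gives plain PS ([1,1,0,0])."""
    best = {}
    for kws, rank in queries:
        for k in kws:
            best[k] = min(rank, best.get(k, r))
    return {k: [enc(n, 1 if j < r - best.get(k, r) else 0, rng) for j in range(r)]
            for k in dictionary}

def cloud_filter(n, mask, files, rng, columns=None):
    """Cloud side: one random column per file (columns= forces it for tests),
    sum the masked bits of the file's keywords, then multiply in the content.
    A non-matching or masked-out file becomes E(0); the cloud cannot tell."""
    r = len(next(iter(mask.values())))
    out = []
    for idx, (content, kws) in enumerate(files):
        col = rng.randrange(r) if columns is None else columns[idx]
        count = enc(n, 0, rng)
        for k in kws:
            count = add(n, count, mask[k][col])
        out.append((count, scale(n, count, content)))   # (E(c), E(c * F))
    return out

def recover(n, sk, results):
    """User/ADL side: c = 0 means filtered; otherwise F = (c * F) / c."""
    found = []
    for ec, ecf in results:
        c = dec(n, sk, ec)
        if c:
            found.append(dec(n, sk, ecf) // c)
    return found

DICT = ["A", "B", "C", "D"]                                # constructed sample
FILES = [(int.from_bytes(b"F1", "big"), {"A", "B"}),
         (int.from_bytes(b"F2", "big"), {"B", "D"}),
         (int.from_bytes(b"F3", "big"), {"C", "D"})]

def run(queries, r, columns=None, seed=1):
    """Whole round trip; returns the names of the files the user recovers."""
    rng = random.Random(seed)
    n, sk = paillier_keygen()
    res = cloud_filter(n, build_mask(n, DICT, queries, r, rng), FILES, rng, columns)
    return [v.to_bytes(2, "big").decode() for v in recover(n, sk, res)]

if __name__ == "__main__":
    print("PS, Bob asks {A,B}:", run([({"A", "B"}, 0)], 1))
    # EIRQ with r = 2: Alice {A,B} rank 0, Bob {A,C} rank 1. F1 and F2 always
    # survive; F3, matching only the rank-1 query, survives in one column only.
    eirq = [({"A", "B"}, 0), ({"A", "C"}, 1)]
    print("EIRQ column 0:", run(eirq, 2, [0, 0, 0]), "column 1:", run(eirq, 2, [1, 1, 1]))
```

Because every mask entry and every running sum is a fresh Paillier ciphertext, the cloud sees the same kind of value for a returned and for a filtered file, which is the property the slides call access privacy.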

73 Evaluation

74 Evaluation

75 Questions?

