Published by Byron Melton. Modified over 8 years ago.
1
Secure Web Services and Cloud Computing
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Introduction to the Course and Overview of Material covered in class
January 20, 2012 – May 4, 2012
2
Objective of the Unit
* This unit provides an overview of the course. The course describes concepts, developments, challenges, and directions in
  - Secure Web Services
  - Secure Semantic Web
  - Assured Cloud Computing
3
Outline of the Unit
* Outline of Course
* Course Work
* Course Rules
* Contact
* Index to lectures and preparation for exam #1
* Papers to read for lectures March 23, 30, April 6, 13, 20
* Index to lectures and preparation for exam #2
* Conclusion (what we have learned in class)
* Acknowledgement:
  - AFOSR for funding our research in assured cloud computing
  - NSF for funding our capacity building effort in cloud computing
4
Outline of the Course
January 20, 2012: Introduction, Background on Data Security, Introduction to Cyber Security
January 27 and February 3: Secure Web Services
February 10 and February 17: Secure Semantic Web
February 24 and March 2: Assured Cloud Computing
March 9: Exam #1
After the Spring Break additional lectures on assured cloud computing and several papers for the students to read and present in class
5
Course Work
* Two exams each worth 20 points
  - March 9, May 4 (second class period)
* Programming project worth 14 points
  - April 27
* Two homework assignments prior to the mid-term: 8 points each
  - February 17, March 2
* Two term papers after the mid-term: 10 points each
  - March 30, April 20
* Two Surprise Quizzes: 5 points each
6
Course Rules
* Course attendance is mandatory, unless permission is obtained from the instructor for missing a class with a valid reason (documentation needed for medical emergency for student or a close family member – e.g., spouse, parent, child). Attendance will be collected every lecture. 5 points will be deducted out of 100 for each lecture missed without approval.
* Each student will work individually
* Late assignments will not be accepted. All assignments have to be turned in just after the lecture on the due date
* No make-up exams unless the student can produce a medical certificate or give evidence of close family emergency
* Copying material from other sources will not be permitted unless the source is properly referenced
* Any student who plagiarizes from other sources will be reported to the appropriate UTD authorities
7
Contact
* For more information please contact
  - Dr. Bhavani Thuraisingham
  - Professor of Computer Science and
  - Director of Cyber Security Research Center
    Erik Jonsson School of Engineering and Computer Science
    EC31, The University of Texas at Dallas
    Richardson, TX 75080
  - Phone: 972-883-4738
  - Fax: 972-883-2399
  - Email: bhavani.thuraisingham@utdallas.edu
  - URL: http://www.utdallas.edu/~bxt043000/
8
Papers to Read for Exam 1
1. Elisa Bertino, Barbara Carminati, Elena Ferrari, Bhavani M. Thuraisingham, Amar Gupta: Selective and Authentic Third-Party Distribution of XML Documents. IEEE Trans. Knowl. Data Eng. 16(10): 1263-1278 (2004)
9
Index to Lectures for Exam #1
* Lecture 1: Introduction (this unit)
* Lecture 2: Security Modules
* Lecture 3: Data, Info and Knowledge Management
* Lecture 4: Access Control
* Lecture 5: Policies
* Lecture 6: Web Services and Security, Overview
* Lecture 7: Web Services and Security, Details
* Lecture 8: Assignment #1
* Lecture 9: Secure sharing of digital evidence (XML Security)
* Lecture 10: Introduction to Semantic Web
* Lecture 11: Trustworthy Semantic Web
* Lecture 12: Inference Problem
* Lecture 13: Scalable access control (Dr. Tyrone) not included
10
Index to Lectures for Exam #1
* Lecture 14: Assignment #2
* Lecture 15: Introduction to cloud and secure cloud
* Lecture 16: Assured Cloud Computing
* Lecture 17: Tools for cloud computing
* Lecture 18: Jena and Hbase
* Lecture 19: Twitter Storm
* Lecture 20: NIST NVD (Jyothsna lecture)
11
Papers to Read for March 23, 2012
* Wei She, I-Ling Yen, Bhavani M. Thuraisingham: Enhancing Security Modeling for Web Services Using Delegation and Pass-On. ICWS 2008: 545-552
* Wei She, I-Ling Yen, Bhavani M. Thuraisingham, Elisa Bertino: The SCIFC Model for Information Flow Control in Web Service Composition. ICWS 2009: 1-8
* Cloud Identity Management http://cis.cau.edu/cms/files/CIS509-OAUTH/cloud-computing-identity-management.pdf
* Eric Olden IEEE Computer March 2011 http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5719572
12
Papers to Read for March 30, 2012
1. KAoS Policy and Domain Services: Toward a Description-Logic Approach to Policy Representation, Deconfliction, and Enforcement http://www4.wiwiss.fu-berlin.de/bizer/SWTSGuide/KAoS/KAoS_Policy_03.pdf
2. http://groups.csail.mit.edu/dig/Rein/rein-paper.pdf Rein Policy Framework for the Semantic Web. Decentralized framework for representing and reasoning over distributed policies in the Semantic Web using Rei and CWM. Lalana Kagal and Tim Berners-Lee.
3. Barbara Carminati, Elena Ferrari, Raymond Heatherly, Murat Kantarcioglu, Bhavani M. Thuraisingham: A semantic web based framework for social network access control. SACMAT 2009: 177-186
4. Timothy W. Finin, Anupam Joshi, Lalana Kagal, Jianwei Niu, Ravi S. Sandhu, William H. Winsborough, Bhavani M. Thuraisingham: ROWLBAC: representing role based access control in OWL. SACMAT 2008: 73-82
13
Papers to Read for April 6, 2012
* http://www.cl.cam.ac.uk/research/srg/netos/papers/2003-xensosp.pdf
* http://www.cl.cam.ac.uk/research/srg/netos/papers/2004-oasis-ngio.pdf
* http://www.fujitsu.com/downloads/MAG/vol46-4/paper09.pdf
* http://www.eecs.berkeley.edu/~elaines/docs/ccsw.pdf
* http://delivery.acm.org/10.1145/2050000/2046665/p15-brown.pdf?ip=129.110.241.91&acc=ACTIVE%20SERVICE&CFID=75242210&CFTOKEN=69399126&__acm__=1333321759_25edce9244a170683f6ea888814e192e (paper discussed on April 13)
14
Papers to Read for April 13 (in addition to the last paper for April 6)
* http://www.sec.in.tum.de/assets/lehre/ss09/seminar_virtualisierung/Secure_Hypervisors_S-Vogl.pdf (Secure Hypervisors)
* Reiner Sailer, Trent Jaeger, Enriquillo Valdez, Ramón Cáceres, Ronald Perez, Stefan Berger, John Griffin, Leendert van Doorn: Building a MAC-based Security Architecture for the Xen Opensource Hypervisor. 21st Annual Computer Security Applications Conference (ACSAC), December 5-9, Tucson, Arizona, 2005. (IEEE web site)
* http://delivery.acm.org/10.1145/2050000/2046665/p15-brown.pdf?ip=129.110.241.91&acc=ACTIVE%20SERVICE&CFID=75242210&CFTOKEN=69399126&__acm__=1333321759_25edce9244a170683f6ea888814e192e (this was assigned for April 6 but we did not discuss in class)
15
Papers to Read for April 20
1. Dawn Song, Elaine Shi, Ian Fischer, Umesh Shankar: Cloud Data Protection for the Masses. IEEE Computer 45(1): 39-45 (2012)
2. Privacy and Security in Cloud Computing (High level paper)
  - http://www.brookings.edu/~/media/Files/rc/papers/2010/1026_cloud_computing_friedman_west/1026_cloud_computing_friedman_west.pdf
3. Addressing Cloud Computing Security Issues
  - http://www.sciencedirect.com/science/article/pii/S0167739X10002554
4. Joseph Idziorek, Mark Tannian, Doug Jacobson: Detecting fraudulent use of cloud resources. CCSW 2011: 61-72
5. Vyas Sekar, Petros Maniatis: Verifiable resource accounting for cloud computing services. CCSW 2011: 21-26
16
Papers to Read for Exam #2
17
* Mohammad Farhan Husain, James P. McGlothlin, Mohammad M. Masud, Latifur R. Khan, Bhavani M. Thuraisingham: Heuristics-Based Query Processing for Large RDF Graphs Using Cloud Computing. IEEE Trans. Knowl. Data Eng. 23(9): 1312-1327 (2011) – Section 1, 2, 3,
* Arindam Khaled, Mohammad Farhan Husain, Latifur Khan, Kevin W. Hamlen, Bhavani M. Thuraisingham: A Token-Based Access Control System for RDF Data in the Clouds. CloudCom 2010: 104-111 – Section 1, 2, 3
* http://groups.csail.mit.edu/dig/Rein/rein-paper.pdf Rein Policy Framework for the Semantic Web. Decentralized framework for representing and reasoning over distributed policies in the Semantic Web using Rei and CWM. Lalana Kagal and Tim Berners-Lee.
* Timothy W. Finin, Anupam Joshi, Lalana Kagal, Jianwei Niu, Ravi S. Sandhu, William H. Winsborough, Bhavani M. Thuraisingham: ROWLBAC: representing role based access control in OWL. SACMAT 2008: 73-82
18
Papers to Read for Exam #2
* Cloud Identity Management http://cis.cau.edu/cms/files/CIS509-OAUTH/cloud-computing-identity-management.pdf
* Eric Olden IEEE Computer March 2011 http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5719572
* Reiner Sailer, Trent Jaeger, Enriquillo Valdez, Ramón Cáceres, Ronald Perez, Stefan Berger, John Griffin, Leendert van Doorn: Building a MAC-based Security Architecture for the Xen Opensource Hypervisor. 21st Annual Computer Security Applications Conference (ACSAC), December 5-9, Tucson, Arizona, 2005. (IEEE web site)
* Dawn Song, Elaine Shi, Ian Fischer, Umesh Shankar: Cloud Data Protection for the Masses. IEEE Computer 45(1): 39-45 (2012)
* Vyas Sekar, Petros Maniatis: Verifiable resource accounting for cloud computing services. CCSW 2011: 21-26
19
Papers to Read for Exam #2
* http://www.cl.cam.ac.uk/research/srg/netos/papers/2003-xensosp.pdf
* http://www.cl.cam.ac.uk/research/srg/netos/papers/2004-oasis-ngio.pdf
* http://www.fujitsu.com/downloads/MAG/vol46-4/paper09.pdf
* http://www.eecs.berkeley.edu/~elaines/docs/ccsw.pdf
20
Index to Lectures for Exam #2
* Lecture 21: Secure Social networks
* Lecture 22: Exam #1
* Lecture 23: Ontology Alignment
* Lecture 24: Cloud Query Processing
* Lecture 25: Token based access control
* Lecture 26: Cloud data storage (Dr. Murat)
* Lecture 27: NIST Guidelines
* Lecture 28: Comprehensive overview of cloud computing
* Lecture 29: Cloud Security Alliance papers
21
Conclusion
22
What have we learned?
* Background on Cyber Security and Data Security
  - CISSP Modules (emphasis on Governance and Risk management, Access Control, Security Architectures as well as some cryptography basics)
  - Data and Applications Security including Query Modification, Access Control, Policies and Trust Management, Inference Control
* Secure Web Services
  - Overview of Secure Web Services
    * SOA, XACML, SAML
  - Details of Secure Web Services
    * WS* Security, Identity Management, Secure Service Oriented Analysis and Design
  - Papers on Secure web services (UTD Research)
23
What have we learned?
* Secure Semantic Web
  - Overview of Semantic Web
  - Trustworthy Semantic Web
  - Secure Publication of XML Data
  - NIST NVD Project
  - Security and Privacy of Social Networks (with semantic web; UTD Research)
  - Ontology Alignment (Guest Lecture)
  - Semantic Web Tools: Jena
  - Papers on Secure semantic web (including papers on REIN, ROWLBAC, KAOS)
24
What have we learned?
* Secure Cloud Computing
  - Introduction to Cloud Computing and Secure Cloud Computing
  - Comprehensive Overview of Secure Cloud Computing
  - Selected topics in Cloud Security (e.g., Amazon Cloud, Azure)
  - NIST Security and Privacy Guidelines for the Cloud
  - Cloud Security Alliance
  - Secure Hypervisors
  - Secure Cloud Query Processing (UTD Research)
  - Assured Information Sharing via Cloud (UTD Research)
  - Cloud Computing Tools (Hadoop, MapReduce, TwitterStorm)
  - Papers on Secure Cloud (including on identity management, secure XEN and hypervisors, Fujitsu work on secure cloud)
25
Acknowledgement
* Mr. Iftehkar (TA for the Class)
* Mr. Vaibhav Khadilkar – for his extensive help in explaining cloud computing tools and the assistance in cloud computing project
* Ms. Jyothsna Rachapalli for guest lecture on the NIST/NVD project
* Dr. Neda Alipanah – for guest lecture on secure ontology alignment
* AFOSR for funding our research in assured cloud computing; the research material was used for several of the lectures
* NSF for funding the assured cloud computing education grant.
* Students for giving feedback on the course (in addition to the standard evaluation) that will be used for future classes in assured cloud computing.
* Book on Building and Securing the Cloud will be published in late 2012 by Taylor and Francis to be used for the Spring 2013 Class