Cloud Computing

by Andrea Scafuto on 26 February 2015

Transcript of Cloud Computing

Cloud Data Privacy
What is Cloud Computing?
"Cloud Computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." [NIST]

Architectural Point of View
From an architectural perspective, there is much confusion surrounding how cloud is both similar to and different from existing models of computing, and how these similarities and differences impact the organizational, operational and technological approaches to network and information security practices. There is a thin line between conventional computing and cloud computing. However, cloud computing will impact the organizational, operational and technological approaches to data security, network security and information security.
According to NIST, the cloud computing model is composed of five essential characteristics, three service models and four deployment models.

Multi-Tenancy
Multi-tenancy is considered an important element. In its simplest form, it implies the use of the same resources or application by multiple consumers, who may belong to the same organization or to different organizations.
Essential Characteristics
1. On-demand Self-Service
Enables users to use cloud computing resources as needed without human interaction between the user and the cloud service provider. To be acceptable to the consumer, the self-service interface must be user-friendly and provide effective means to manage the service offerings. This ease of use and elimination of human interaction provides efficiencies and cost savings to both the user and the cloud service provider.
2. Broad Network Access
High-bandwidth communication links must be available to connect to the cloud services.
3. Resource Pooling
The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.
4. Rapid Elasticity
The ability of the cloud to expand or reduce allocated resources quickly and efficiently to meet the requirements of the self-service characteristics of cloud computing.
5. Measured Service
Resource usage can be monitored, controlled and reported for both the provider and consumer of service.
Service Models
1. Cloud Software as a Service (SaaS)
A SaaS provider deploys software to the user on demand, commonly through a licensing model. The provider may host the application on its own server infrastructure or use another vendor's hardware.
2. Cloud Platform as a Service (PaaS)
PaaS is similar to SaaS, but the service is an entire application development environment, not just the use of an application. PaaS offerings differ from a SaaS solution in that they provide a cloud-hosted virtual development platform, accessible via a web browser.
3. Cloud Infrastructure as a Service (IaaS)
The capability provided to the consumer is to provision processing, storage, network and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.
Other Service Models
Data as a Service (DaaS)
Hardware as a Service (HaaS)
Storage as a Service (StaaS)
Deployment Models
Within each of the three delivery models just described are multiple deployment models. For example, a SaaS delivery model can be presented to users in one of several deployment types, such as a private or public cloud.
Using NIST as a baseline for our description, NIST defines four cloud deployment models: private, public, community and hybrid.
What Cloud isn't
Cloud computing can use a distributed, virtualized platform instead of a centralized computer resource.
Grid computing does employ distributed virtual machines, but unlike cloud computing, these machines are usually focused on a single, very large task.
Sometimes client/server computing is viewed as cloud computing. However, in the traditional client-server model, the server is a specific machine at a specific location. Computations running in the cloud can be based on computers anywhere and can use virtualized platforms, all unknown to the users.
Cloud computing is not SaaS; it is the best way to deploy SaaS.
Virtualization
Virtualization is used to share out a single physical server into multiple VMs or a single physical resource into multiple virtual ones.
For cloud computing, virtualization has great value in rapid commissioning and decommissioning of servers.
Cloud virtualization software also presents a dynamic perspective and unified view of resource utilization and efficiencies for cloud IT operations.
Virtualization is the primary enabling technology for achieving cost-effective server utilization while supporting separation between multiple tenants on physical hardware.
Cloud Legal Perspective
As we know, IT and regulation don't move at the same speed. That aspect is pretty evident in cloud computing: in 2014 there is no legal identification for this IT paradigm. For this reason it's hard for companies and users to understand how they can be legally protected.

Security Concerns
Network Availability: the cloud must be available whenever you need it. If it is not, then the consequences are no different than a denial-of-service situation.
Cloud Provider Viability: since cloud providers are relatively new to the business, there are questions about provider viability and commitment.
Disaster Recovery and Business Continuity: tenants and users require confidence that their operations and services will continue if the cloud provider's production is subject to a disaster.
Security Incidents: tenants and users need to be appropriately informed by the provider when an incident occurs.
Transparency: when a cloud provider does not expose details of its internal policy or technology implementation, tenants or users must trust the cloud provider's security claims. Even so, tenants and users require some transparency from providers as to provider cloud security, privacy, and how incidents are managed.
New Risks, New Vulnerabilities: there is some concern that cloud brings new classes of risks and vulnerabilities. Although all software, hardware and networking equipment are subject to the unearthing of new vulnerabilities, by applying layered security and well-conceived operational processes, a cloud may be protected from common types of attack even if some of its components are inherently vulnerable.
Loss of Physical Control: since tenants and users lose physical control over their data and applications, this results in a range of concerns:
- Privacy and Data: with public or community clouds, data may not remain in the same system, raising multiple legal concerns.
- Control over Data: user or organization data may be commingled in various ways.
Legal and Regulatory Compliance: it may be difficult or unrealistic to utilize public clouds if the data you need to process is subject to legal restriction or regulatory compliance.
M.Natale
A.Scafuto

Cloud Data Privacy

What is Privacy?

"You can have security and not have privacy, but you cannot have privacy without security" [Tim Mather]

The concept of privacy varies widely among (and sometimes within) countries, cultures and jurisdictions. It is shaped by public expectation and legal interpretation. Privacy rights or obligations are related to the collection, use, disclosure, storage and destruction of personal data (or personally identifiable information, PII).
Personal information should be managed as a part of the data used by the organization. It should be managed from the time the information is conceived through to its final disposition.
Protection of personal information should consider the impact of the cloud on each of the following phases:
1. Generation of the information (ownership, classification, governance)
2. Use (internal versus external, third party, appropriateness, discovery/subpoena)
3. Transfer (public versus private networks, encryption requirements, access control)
4. Transformation (derivation, aggregation, integrity)
5. Storage (access control, structured versus unstructured, integrity/availability/confidentiality, encryption)
6. Archival (legal and compliance, off-site consideration, media concerns, retention)
7. Destruction (secure, complete)

Privacy advocates have raised many concerns about cloud computing. These concerns typically mix security and privacy.

Access: data subjects have a right to know what personal information is held and, in some cases, can make a request to stop processing it.
Compliance
Storage: privacy laws in various countries place limitations on the ability of organizations to transfer some types of personal information to other countries. When the data is stored in the cloud, a transfer may occur without the knowledge of the organization, resulting in a potential violation of the local law.
Retention: e.g. how long is personal information retained?
Destruction
Audit and Monitoring: how can organizations monitor their CSP and provide assurance to relevant stakeholders that privacy requirements are met when their PII is in the cloud?
Privacy breaches

Security for Privacy
Security is one of the key requirements to enable privacy. This principle specifies that personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
When it comes to cloud data protection methods, no particularly new technique is required. Protecting data in the cloud can be similar to protecting data within a traditional data center. Authentication and identity, access control, encryption, secure deletion, integrity checking and data masking are all data protection methods that have applicability in cloud computing.
CIA Triad
Confidentiality, integrity and availability are important pillars of cloud software assurance.

Confidentiality refers to the prevention of intentional or unintentional unauthorized disclosure of information. Confidentiality in cloud systems is related to the areas of intellectual property rights, covert channels, traffic analysis, encryption and inference.

Integrity requires that the following three principles are met:
- Modifications are not made to data by unauthorized personnel or processes.
- Unauthorized modifications are not made to data by authorized personnel or processes.
- The data is internally and externally consistent.

Availability ensures reliable and timely access to cloud or computing resources by appropriate personnel. It guarantees that the systems are functioning properly when needed.
Common Threats and Vulnerabilities

To properly understand the threats that cloud computing presents to the computing infrastructure, it's important to understand the communications security techniques used to prevent, detect and correct errors so that the CIA of transactions over networks may be maintained (transmission of voice, data, multimedia and facsimile over local area, wide area and remote access networks; protocols of firewalls, routers and gateways).

1. Eavesdropping
2. Fraud
3. Theft
4. Sabotage
5. External attack
Data Encryption
Cryptography has expanded from protecting the confidentiality of private communications to including techniques for assuring content integrity, identity authentication and digital signature, along with a range of secure computing techniques.
Focusing on data security, cryptography has great value for cloud computing.
To effect data confidentiality, plaintext is converted into cyphertext by numerous means based on mathematical functions.
There are four basic uses of cryptography:
1. Block Cypher: a block of plaintext as an input, a block of cyphertext as an output
2. Stream Cypher: a long stream of input data is converted to an equivalent output stream of cyphertext
3. Cryptographic Hash functions take an arbitrarily long stream of input message and output a short.
4. Authentication: cryptography is also widely used within authentication and identity management systems.

Data privacy is one of the most fragile aspects of cloud computing; privacy is directly linked to many aspects, both implementation and legal.
Loss of Data Control
As we know, cloud computing gives customers new possibilities for how they can use their data, everywhere and with any device. On the other side, we have to discuss how and where data are physically stored. Data center relocation is the key element in legal privacy analysis.
Data Center Relocation
Many CSPs install their servers outside national borders.
Legal responsibility is bound to the country that houses the data center.
European Point of View

With 95/46/CE in 1996, the European Parliament gave the first guidelines for a body of law to protect personal data with regard to the processing of personal data and the free movement of such data.
In 2003 and 2013 the legislative package was updated to meet the new digital privacy requirements. This Directive was created with the intent of pushing European countries to create adequate laws of their own.
Italian Point of View

In Italy the European efforts for personal data protection were absorbed into d.lgs. 196/2003 (also known as Codice della Privacy).
This law established legal protection for:


Cloud Market Players
Data Encryption
Symmetric Cryptography
Symmetric cryptography: the encryption key and the decryption key are the same. It is very difficult to establish a secret key between communicating parties when a secure channel does not already exist for them to securely exchange a shared secret key.
Asymmetric Cryptography
Asymmetric cryptography: it uses a public key for encryption that is different from, but mathematically related to, the private key used for decryption. This is a great enabler for confidentiality in cloud computing, and not just for encryption of content.
The main reasons for server relocation are:
- Advantageous cost per watt
- Tax deduction
- Optimal plant for data centers

In this scenario users can't know where data are stored, and also can't know whether the national regulations there respect their rights.

Data Treatment
Personal Data
Data IDs
Confidential Data
Legal Data

The American Controversy
An important aspect to underline is the nationality of cloud providers. Over 90% of Cloud Service Providers are American.
After the 11 September attacks, the American Parliament enacted a federal law: the USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001).
The most interesting aspect of this law is the possibility of obtaining personal interceptions from any national IT provider without any warrant or notification.
The PATRIOT Act opens a legal argument about data privacy: in this scenario users can never be effectively protected.

Technical point of view
Legal point of view
Deployment Models
1. Private cloud: available to a single organization
2. Public cloud: available to the general public
3. Community cloud: shared by several organizations
4. Hybrid cloud: a mix of the previous solutions.
Access Control
Generally speaking, access control management is a broad function that encompasses access requirements for your users and system administrators (privileged users) who access network, system and application resources.
Access control management should address the following:
- Who should have access to what resource?
- Why should the user have access to the resource?
- How should you access the resource?
- Who has access to what resource?
When users want to move, delete or modify data, they must trust the provider, which has direct access to users' data.
Access control is intrinsically tied to identity management and is necessary to preserve the confidentiality, integrity and availability of cloud data.
The most important access control models are:
1. Discretionary Access Control (DAC): in a system every object has an owner. With DAC, access control is determined by the owner of the object, who decides who will have access and what privileges they will have.
2. Role Based Access Control (RBAC): access policy is determined by the system. Access is based only on the role of the subject.
3. Mandatory Access Control (MAC): access policy is determined by the system. Access is based on subject trust.
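The three access control models named here (DAC, RBAC, MAC), evaluated against the same requests; this is an added example, not code from the presentation. The users, roles, labels and the `customers.db` object are constructed, and the MAC rule used (no read up, no write down over ordered clearance levels) is an assumed concrete policy, since the slides only say access is "based on subject trust".

```python
from dataclasses import dataclass, field

LEVELS = {"public": 0, "confidential": 1, "secret": 2}          # MAC label ordering
ROLE_PERMS = {"auditor": {"read"}, "dba": {"read", "write"}}    # RBAC: set by the system

@dataclass
class Subject:
    name: str
    roles: frozenset = frozenset()
    clearance: str = "public"

@dataclass
class Resource:
    name: str
    owner: str
    label: str = "public"
    acl: dict = field(default_factory=dict)   # DAC: user name -> set of permissions

def dac_grant(res, granter, grantee, perms):
    """DAC: only the object's owner decides who gets which privileges."""
    if granter.name != res.owner:
        raise PermissionError(f"{granter.name} does not own {res.name}")
    res.acl.setdefault(grantee.name, set()).update(perms)

def dac_allows(res, subj, perm):
    return subj.name == res.owner or perm in res.acl.get(subj.name, set())

def rbac_allows(subj, perm):
    """RBAC: the decision depends only on the subject's roles, never on the owner."""
    return any(perm in ROLE_PERMS.get(role, set()) for role in subj.roles)

def mac_allows(res, subj, perm):
    """MAC: system-assigned clearance vs. label; no read up, no write down (assumed rule)."""
    s, o = LEVELS[subj.clearance], LEVELS[res.label]
    return s >= o if perm == "read" else s <= o

def decide(res, subj, perm):
    """Evaluate one request under each model so the differences are visible."""
    return {"DAC": dac_allows(res, subj, perm),
            "RBAC": rbac_allows(subj, perm),
            "MAC": mac_allows(res, subj, perm)}

def build_sample():
    """Constructed sample: one cloud-hosted object and three hypothetical users."""
    alice = Subject("alice", clearance="confidential")
    bob = Subject("bob", roles=frozenset({"auditor"}))
    carol = Subject("carol", roles=frozenset({"dba"}), clearance="secret")
    db = Resource("customers.db", owner="alice", label="confidential")
    dac_grant(db, alice, bob, {"read"})       # the owner's discretion
    return db, alice, bob, carol

if __name__ == "__main__":
    db, alice, bob, carol = build_sample()
    for subj, perm in [(alice, "read"), (bob, "read"), (carol, "write")]:
        print(subj.name, perm, decide(db, subj, perm))
```

The same request can be allowed under one model and denied under another: an owner's grant satisfies DAC, but does nothing for a subject whose clearance is below the object's label under MAC.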
Access control is focused on two types of data:
1. Data-at-rest: it refers to any inactive data in computer storage, including files on an employee's computer. In this case the attention is focused on data deletion. It is not always ensured that the provider effectively deletes data.
When it is time to delete sensitive or valuable data in a cloud, it is important to understand how that data is deleted.
The U.S. Department of Defense illustrates the two key aspects of data deletion:
- Clearing: the process of eradicating the data on media before reusing the media in an environment that provides an acceptable level of protection for the data that was on the media before clearing. All internal memory, buffers or other reusable memory shall be cleared to effectively deny access to previously stored information.
- Sanitization: the process of removing the data from media before reusing the media in an environment that does not provide an acceptable level of protection for the data that was on the media before sanitizing.
More often than not, data that is stored in a public cloud is not sanitized. The consequence is that if disks are decommissioned, then data is at risk of being exposed.
Furthermore, deleted data can also be accessed well after it has been deleted, simply because it also exists in archives or data backup volumes.
2. Data-in-motion: it refers to data as it is moved from a stored state as a file or database entry to another form in the same or a different location. In this case encryption is the best way to reduce the vulnerability of this important step.
The most common way to protect data in motion is to utilize encryption combined with authentication to create a conduit in which to safely pass data to or from the cloud.
Encryption is used to assure that, if there was a breach of communication integrity between the two parties, the data remains confidential. Authentication is used to assure that the parties communicating data are who they say they are.
Is cloud computing the equivalent of grid computing?
Identity
Identification and authentication are the keystones of most access control systems.
Identification is the act of a user professing an identity to a system, usually in the form of a username or user logon ID. Identification establishes user accountability (the ability to determine the actions and behaviors of a single individual within a cloud system and to identify that particular individual) for the actions on the system. User IDs should be unique and not shared among different individuals.
Authentication

Authentication is the testing of evidence of a user's identity. It establishes the user's identity and ensures that users are who they claim to be.
It is based on the following three factor types:

1. Something you know, such as a personal identification number (PIN) or password
2. Something you have, such as an ATM card or smart card
3. Something you are (physically), such as a fingerprint or retina scan

It requires two of three factors in the authentication process.