Security, Privacy, and Data Protection for Trusted Cloud Computing Prof. Kai Hwang, University of Southern California Keynote Address, International Conference on Parallel and Distributed Computing and Systems (PDCS 2010), Marina Del Rey, CA. Nov. 8, 2010 Nov.8, 2010 Cloud Platforms over Datacenters Cloud Infrastructure and Services Reputation-based Trust Management Data Coloring and Software Watermarking Cloud Support of The Internet of Things Kai Hwang, USC 1 Handy Tools We Use over the Evolutional Periods In History Is it safe to play with your computer, when you are naked and vulnerable ? Nov.8, 2010 Kai Hwang, USC 2 Top 10 Technologies for 2010 Nov.8, 2010 Kai Hwang, USC 3 Web 2.0, Clouds, and Internet of Things HPC: HighPerformance Computing HTC: HighThroughput Computing P2P: Peer to Peer MPP: Massively Parallel Source: K. Hwang, G. Fox, and J. Dongarra, Processors Distributed Systems and Cloud Computing, Morgan Kaufmann, 2011 (in press to appear) Nov.8, 2010 Kai Hwang, USC 4 Public, Private and Hybrid Clouds Source: Distributed Systems and Cloud Computing, [2] Nov.8, 2010 Kai Hwang, USC 5 Cloud Computing as A Service [9] Nov.8, 2010 Kai Hwang, USC 6 Cloud Providers, Services and Security Measures Kai Hwang and Deyi Li, “Trusted Cloud Computing with Secure Resources and Data Coloring”, IEEE Internet Computing, Sept. 2010 Nov.8, 2010 Kai Hwang, USC 7 Amazon Virtual Private Cloud VPC (http://aws.amazon.com/vpc/ ) Nov.8, 2010 Kai Hwang, USC 8 vSphere 4 : An OS for Cloud Platform Nov.8, 2010 Kai Hwang, USC 9 Cloud Services Stack Application Cloud Services Platform Cloud Services Compute & Storage Cloud Services Co-Location Cloud Services Network Cloud Services Nov.8, 2010 Kai Hwang, USC 10 Top 8 Cloud Computing Companies Nov.8, 2010 Kai Hwang, USC 11 Marc Benioff, Founder of Salesforce.com 1986 graduated from USC 1999 started salesforce.com 2003-05 appointed chairman of US Presidential IT Advisory Committee 2009 announced Force.com platform for cloud business computing A SaaS and PaaS Cloud Provider Nov.8, 2010 Kai Hwang, USC 12 Ex' X Security and Trust Crisis in Cloud Computing Protecting datacenters must first secure cloud resources and uphold user privacy and data integrity. Trust overlay networks could be applied to build reputation systems for establishing the trust among interactive datacenters. A watermarking technique is suggested to protect shared data objects and massively distributed software modules. These techniques safeguard user authentication and tighten the data access-control in public clouds. The new approach could be more cost-effective than using the traditional encryption and firewalls to secure the clouds. Nov.8, 2010 Kai Hwang, USC 13 13 Trusted Zones for VM Insulation Identity federation Virtual network security Insulate infrastructure from Malware, Trojans and cybercriminals Federate identities with public clouds Control and isolate VM in the virtual infrastructure APP APP OS OS APP OS OS Tenant #1 Virtual Infrastructure Access Mgmt Cybercrime intelligence Strong authentication Tenant #2 Virtual Infrastructure APP Anti-malware Segregate and control user access Cloud Provider Insulate information from other tenants Insulate information from cloud providers’ employees Data loss prevention Encryption & key mgmt Tokenization PhysicalPhysical Infrastructure Infrastructure Security Info. & Event Mgmt Nov.8, 2010 Enable end to end view of security events and Kai Hwang, USC compliance across infrastructures GRC 14 Data Security and Copyright Protection in A Trusted Cloud Platform Source: Reference [3, 4] Nov.8, 2010 March 11, 2009 Kai Hwang, USCProf. Kai Hwang, USC 15 Security Protection Mechanisms for Public Clouds Mechanism Brief Description Trust delegation and Negotiation Cross certificates must be used to delegate trust across different PKI domains. Trust negotiation among different CSPs demands resolution of policy conflicts. Worm containment and DDoS Defense Internet worm containment and distributed defense against DDoS attacks are necessary to secure all datacenters and cloud platforms . Reputation System Over Resource Sites Reputation system could be built with P2P technology. One can build a hierarchy of reputation systems from datacenters to distributed file systems . Fine-grain access control This refers to fine-grain access control at the file or object level. This adds up the security protection beyond firewalls and intrusion detection systems . Collusive Piracy prevention Nov.8, 2010 Piracy prevention achieved with peer collusion detection and content poisoning techniques . Kai Hwang, USC 16 16 Cloud Service Models and Their Security Demands Cloud computing will not be accepted by common users unless the trust and dependability issues are resolved satisfactorily [1]. Nov.8, 2010 Kai Hwang, USC 17 Trust Management for Protecting Cloud Resources and Safeguard Datacenter Operations [3] Nov.8, 2010 Kai Hwang, USC 18 Source: [4] PowerTrust Built over A Trust Overlay Network Global Reputation Scores V v1 v2 v3 ... ... ... ... vn Initial Reputation Aggregation Reputation Updating Regular Random Walk Look-ahead Random Walk Power Nodes Distributed Ranking Module Local Trust Scores Trust Overlay Network R. Zhou and K. Hwang, “PowerTrust : A scalable and robust reputation system for structured P2P networks”, IEEE-TPDS, May 2007 Nov.8, 2010 Kai Hwang, USC 19 Distributed Defense against DDoS Attacks over Multiple Network Domains (Chen, Hwang, and Ku, IEEE Trans. on Parallel and Distributed Systems, Dec. 2007 ) Nov.8, 2010 Kai Hwang, USC 20 Data Coloring via Watermarking Nov.8, 2010 Kai Hwang, USC 21 Color Matching To Authenticate Data Owners and Cloud Service Providers Nov.8, 2010 Kai Hwang, USC 22 The Internet of Things Smart Earth: Internet of Things (IOT) Smart Earth Nov.8, 2010 Kai Hwang, USC An IBM Dream 23 Opportunities of IOT in 3 Dimensions Nov.8, 2010 Kai Hwang, USC 24 Architecture of The Internet of Things Application Layer Merchandise Tracking Environment Protection Intelligent Search Telemedicine Intelligent Traffic Smart Home Cloud Computing Platform Network Layer Mobile Telecom Network The Internet Information Network RFID Sensor Network GPS RFID Label Sensor Nodes Road Mapper Sensing Layer Nov.8, 2010 Kai Hwang, USC 25 Supply Chain Management supported by the Internet of Things. ( http://www.igd.com) Nov.8, 2010 Kai Hwang, USC 26 Smart Power Grid Nov.8, 2010 Kai Hwang, USC 27 Mobility Support and Security Measures for Mobile Cloud Computing Cloud Service Models Mobility Support and Data Protection Methods Hardware and Software Measures for Cloud Security Infrastructure Cloud (The IaaS Model) Special air interfaces Mobile API design File/Log access control Data coloring Hardware/software root of trust, Platform Cloud (The PaaS Model) Wireless PKI , User authentication, Copyright protection Disaster recovery Network-based firewalls and IDS Trust overlay network Reputation system OS patch management Nov.8, 2010 Provisioning of virtual machines, Software watermarking Host-based firewalls and IDS Kai Hwang, USC 28 Service-Oriented Cloud of Clouds (Intercloud or Mashup) Data S S S S fs fs Filter Service S S S S fs fs S S fs fs S S S S fs Filter Service fs fs Filter Service fs SS SS Filter Cloud fs fs Filter Cloud Another Grid fs Filter Cloud fs SS Discovery Cloud fs fs fs SS fs fs SS fs fs Filter Service fs Filter Cloud SS Wisdom Decisions Another Grid SS Another Service Knowledge S S Another Grid Information S S Raw Data S S fs Filter Cloud S S Compute Cloud Traditional Grid with exposed services Filter Cloud S S S S Storage Cloud Database Discovery Cloud fs S S Sensor or Data Interchange Service Cloud of clouds -- from Raw Data to Wisdom. SS = Sensor service, fs = filter services Nov.8, 2010 Kai Hwang, USC 29 Conclusions: Computing clouds are changing the whole IT , service industry, and global economy. Clearly, cloud computing demands ubiquity, efficiency, security, and trustworthiness. Cloud computing has become a common practice in business, government, education, and entertainment leveraging 50 millions of servers globally installed at thousands of datacenters today. Private clouds will become widespread in addition to using a few public clouds, that are under heavy competition among Google, MS, Amazon, Intel, EMC, IBM, SGI, VMWare, Saleforce.com, etc. Effective trust management, guaranteed security, user privacy, data integrity, mobility support, and copyright protection are crucial to the universal acceptance of cloud as a ubiquitous service. Nov.8, 2010 Kai Hwang, USC 30 SGI Cyclone HPC cloud for enabling SaaS and IaaS applications (http://www.sgi.com/cyclone) Nov.8, 2010 Kai Hwang, USC 31 Nebula Cloud Developed by NASA (http://nebula.nasa.gov) Nov.8, 2010 Kai Hwang, USC 32 Cloud Computing – Service Provider Priorities Ensure confidentiality, integrity, and availability in a multi-tenant environment. Effectively meet the advertised SLA, while optimizing cloud resource utilization. Offer tenants capabilities for selfservice, and achieve scaling through automation and simplification. Nov.8, 2010 Kai Hwang, USC 33 Google App Engine Platform for PaaS Operations Web Application Provider Users HTTP request App Engine Admin Console Manage Traffic Monitor Version Control Local Development Build Upgrade App Engine SDK Deploy Upload User Interface Google Load Balance Test Data Data Data Nov.8, 2010 HTTP response Kai Hwang, USC Data Data Data Data Data 34 Table 1: Cloud Security Responsibilities by Providers and Users Source: Reference [4] Nov.8, 2010 Kai Hwang, USC 35 Concept of Virtual Clusters (Source: W. Emeneker, et et al, “Dynamic Virtual Clustering with Xen and Moab, ISPA 2006, Springer-Verlag LNCS 4331, 2006, pp. 440-451) Nov.8, 2010 Kai Hwang, USC 36