Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

CLOUD COMPUTING SECURITY HP Labs G-Cloud A Secure Cloud Infrastructure Frederic Gittler

advertisement 
CLOUD COMPUTING SECURITY
HP Labs G-Cloud
A Secure Cloud Infrastructure
Frederic Gittler
Cloud and Security Laboratory, HP Labs
Covering…
– A few words about HP Labs
– An outline of Cloud Computing
•
Business drivers, Goals, etc.
– Cloud Security
-
Stakeholders and their issues
-
Routes of attack
-
Properties required
– Secure services
-
Control over security properties
– Infrastructure design
2
-
Virtual machines, networks and storage
-
Sensors and monitoring
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
HP LABS AROUND THE WORLD
– Global talent, local innovation
AMERICAS
• 46 university collaborations in the Americas
• Guadalajara Advanced Prototyping Center $1M
• 29 projects with HP Brazil R&D
• DARPA, DOE, US Army, MPO external funding
• NSF Post-Docs support $1M
• UC Discovery awards
EMEA
• 10 university collaborations in EMEA
• 4 EU FP7 consortia, UK Tech Strategy
Board awards
• UK CASE PhD support
ST. PETERSBURG
SINGAPORE
PALO ALTO
HAIFA
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
• 7 university collaborations in
the Asia-Pacific Region
• A*STAR and EDB support,
Singapore
BEIJING
BRISTOL
3
APJ
BANGALORE
HP LABS RESEARCH AREAS
– Innovation at every touchpoint of information
Printing
& Content
Delivery
Service &
Solutions
Mobile &
Immersive
Experience
Networking &
Communications
Sustainability
Cloud &
Security
Intelligent
Infrastructure
Information
Analytics
4
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
A long history
1996
1997
1998
SmartFrog
1999
2000
OpenCall
2000
Sanger
Williams
F1
2001
Cells
Proposal
The Painter
2002
2003
2004
2005
2006
2007
DreamWorks
2008
SE3D
Cells v1
2009
2010
G-Cloud
Demo
2011
2012
Service
Sensors
5
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Data
Sharing
Cloud Services
IT delivered as a logical service, available on demand,
charged by usage
Logical Service: details of delivery hidden
On Demand: scales up and down immediately and seamlessly
Charged by Usage: metering and billing of services, pay for what you
use
Cloud computing is computation offered as a service
6
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Cloud computing Concepts
– Multi-tenancy
• Shared
service infrastructure, running simultaneous collocated workloads, for
multiple customers
• Dynamic
sharing for flexibility and utilisation efficiency
– Cloud-scale infrastructure
• Commodity
• Targeting
scale-out hardware
extreme economies of scale
– Ubiquitous access
• Using
• Any
7
portable client devices
where, any time
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Cloud Computing benefits
– Cost management
•
Benefit from economies of scale
•
Avoids cost of over-provisioning
•
Reduction in up-front capital investment, switch to expense more in line with business
needs
– Risk reduction
•
•
Someone else worries about running the data-centre, protecting your data, and
providing disaster recovery
Reduces risk of under-provisioning
– Flexibility
•
Add/remove services on demand
•
Scale up and down as needed – rapidly
– Ubiquity
•
Access from any place, any device, any time
8
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Barriers to adoption
– Security, Regulatory, Data locality concerns
– Concerns about lock-in, lack of multi-vendor options
– Challenge of migrating from in-house (or outsourced) apps
– Trust in the service vendors
•
Service levels
•
Stability
•
Geographic presence
– Vested Interests
9
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Roles in the Cloud
The Cloud
10
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Roles in the Cloud
public
private
community
private
11
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Roles in the Cloud
install and
administer
public
private
community
Infrastructure
Provider
private
12
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Roles in the Cloud
App Store
Service
Developer
public
private
community
Infrastructure
Provider
private
13
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Roles in the Cloud
Service
Provider
App Store
Service
Developer
public
private
community
Infrastructure
Provider
private
14
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Roles in the Cloud
Service
Provider
procure
App Store
Service
Developer
public
private
community
Infrastructure
Provider
private
15
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Roles in the Cloud
Service
Provider
procure
App Store
Service
Developer
public
private
community
Infrastructure
Provider
private
16
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Roles in the Cloud
Service
Provider
App Store
administer
Service
Developer
public
private
community
Infrastructure
Provider
private
17
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Roles in the Cloud
Service
Provider
App Store
Service
Developer
service
composed
public
community
Infrastructure
Provider
private
18
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
private
Roles in the Cloud
Service
Provider
App Store
Service
Developer
public
private
community
Infrastructure
Provider
multi-tenanted
private
19
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Roles in the Cloud
Service
Provider
App Store
Service
Developer
Service
Users
service
public
private
community
Infrastructure
Provider
private
20
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Roles in the Cloud
Service
Provider
App Store
Service
Developer
Service
Users
service
public
private
community
Infrastructure
Provider
private
Social Attack
Engineered Attack
21
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Cyber-Criminal
22
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
a Cell is a container for a
service - including all its
virtualized infrastructure
23
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
24
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
spec
25
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
26
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
27
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
external internet
routing and firewall rules
28
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
spec
29
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
30
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
31
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
bipartite agreement
32
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Model-Based
– Describe “desired” end-point
•
Can freely update the description of the end-point
– Allow the system to create it
•
Asynchronous convergence for scale and performance
– Errors and status reported relative to model
•
33
Provides uniformity of mechanism
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Model-Based: Why
– Declarative
•
Enables analysis and tool support
•
Cross-model properties and policies
•
Basis for compliance and transparent management
•
•
Enables different principals to sign different parts of the model, independent of right of model
submission, and mapping into enterprise IT roles
Enables IT best practice
– Inherently idempotent
•
Hugely simplifies interaction model, improves security
– Enables back-end asynchrony and parallelism for scale and performance
– Template descriptions of services
•
Simplifies service packaging
•
Ease of integration with a Cloud Marketplace
– Easy to map transactional interfaces to model-based; hard to do the other way
around and maintain the advantages
34
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Infrastructure Models
cell
vnet
vnet
HTTP Only
VM
VM
VM
VVol
VVol
VVol
VVol
VVol
Topology managed by grants
Communication managed by rules
35
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Future Modelling
– Currently we provide explicit description of topology and some security
properties
– However, this is but the start….
•
Support for loose models and constraints
− Models that are configured according to user or business-level concepts
•
Order-dependencies
− Declarative description of state transitions and dependencies on the state
•
Specification of QoS policies
− linked through sensor framework, constraints and dependencies, to create auto-flexing models
•
Specification of service high-availability policies
− Automatically mapped into placement and recovery decisions
− Federation properties
•
Specification of additional security policies
− Guiding placement and other aspects such as providing “security probes”
− Semantic controls over data sharing
36
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Infrastructure Virtualization
– To build the isolation, we need virtualized environments
– Virtualization introduces security issues
•
But there are ways around it, for example placement algorithms can keep sensitive
workloads apart from each other
– Virtualization enables new security and isolation techniques
•
sitting “below” the virtual machine allows a range of control points, sensors and
mitigations that are impossible in a physical world
– Indeed virtualization can be seen as the KEY to producing secure multitenanted systems
37
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Infrastructure Integrity
– We must protect the cloud at all costs
– Threats come from
•
Services run upon it
•
Direct attacks from outside
•
Internal administrators
– We must understand these threats, and the paths that they may use to undermine the
cloud
– We must provide a number of engineering solutions to deal with the threats
•
Minimize attack surface, defence in depth
•
Provide a framework for countermeasures
• Sensors to detect attacks, both attempts and successes
• Mitigations to remove attempted and successful attacks
• Diagnosing attacks by turning sensor data into diagnoses
38
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Threats
identification
mitigation
prevention
detection
39
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Service
Core
40
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Service
utility controllers
supporting
services
server and storage nodes
41
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Service
VNets
VMs
(trusted
virtualization)
(diverter,
utility controllers
rules)
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
(CoWs,
caching)
supporting
services
server and storage nodes
42
VVols
Service
VNets
(diverter,
utility controllers
rules)
VMs
(KVM)
VVols
(CoWs,
caching)
system orchestration
supporting
services
server and storage nodes
43
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Virtual Networking
– Goals
• Support
full layer-3 unicast, multicast and broadcast packets
• Create the illusion of subnets and routing
• Provide all the inter-VM and subnet routing policies
• Strong and secure separation
VM
VM
Single shared physical network
44
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Virtual Storage
CopyA
COW volume A
CopyB
RW
RW
RO
COW volume B
Origin image
VM
VM
CopyA
LVM+
45
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
CopyB
Storage area network
LVM+
Virtualization Security: Threat
– The main requirement is that the core virtualization technology is secure
– What happens if a VM successfully breaks out of its container and takes over the host?
Dom 0
Dom U
Hypervisor
Physical host
46
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Virtualization Security: Prevention
– Use trusted virtualization technologies to minimize risk of attack and reduce impact
– Subdivide the Hypervisor and DOM0 into smaller, simpler, more secure parts and limiting the impact
of success
Dom U
Hypervisor
Physical host
47
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Virtualization Security: Host Compromise
– Provide host peer-peer detection of dom0 “misbehaviour”
Dom 0
Dom U
Hypervisor
?
48
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
?
Physical host
Sensors
Aim to detect:
– Illegal Actions
•
•
System components detecting or initiating abnormal activity with other system components: this is either a bug or a
successful attack and needs immediate attention
Attempts of user VMs to communicate with disallowed targets
– Abnormal behaviour
•
Sudden changes in profiles of IO or CPU usage
•
Requests for VMs or other resources beyond reasonable or specified limits
•
Excessive churn in topology
•
Sudden widening of network rules
Sensors are implemented everywhere
49
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Sensors: System
Dom 0
Dom 0
Dom 0
Dom 0
Dom 0
System components
inter-communicate in
limited ways
System
VM
System
VM
System
VM
VMs
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Dom 0
Dom 0
Dom 0
System components
can verify requests for
“reasonableness”
System
50
Dom 0
Enforcing and Sensing: IO
Enforcement Points and I/O Sensors, e.g.
•dropped or illegal packets
•writes to protected areas
Storage IO
Dom U
Hypervisor
Network IO
Includes checks on System VMs
51
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Service Integrity
– A virused or malicious service is not strictly a threat to the integrity of the whole
cloud, however...
– We must prevent (where possible) attacks on another services by providing
robust isolation and detection of attack attempts
– We must detect when an attack succeeds by
•
monitoring from outside of the service
•
spotting abnormalities in behaviour
•
forensic examination of service VMs
– We must be able to mitigate when an attack is detected
•
52
Shutting down, restarting or freezing VMs or services
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Service Sensors
– We want to allow service writers to be able to create sensors that
monitor their own services
•
run outside of the service, looking in, and undetectable to it
•
service owners have a better view of the service semantics
•
can be offered by 3rd party monitoring specialists (NSA for USG)
•
that do not have any privileged access to core system capability
– Virtualization gives control over what one compartment can do or see
with another compartment.
– We can use the fact that one virtual machine can (given permission)
53
•
look into the memory space of another.
•
Interpose itself into an IO path of another.
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Sensor VMs
• Invisible to the service VM
Dom 0
Sensor
inspection of
VM memory
Hypervisor
54
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Service
• Viruses and root-kits cannot
hide by altering OS or
disabling virus checkers
• Enabled by an API in the
hypervisor
• Needs care to ensure that it
doesn’t become another
vector for attack!
Sensor VMs
Sensor
Dom 0
Service
inspection of
VM IO
Hypervisor
– Deployable by the service provider, infrastructure provider or
trusted 3rd party
55
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Sensor VM properties
– It’s hard to detect the presence of the
sensors.
– We can look for evidence of the use
of different “virus components”
– It’s impossible to hide the code or IO
from the sensors
– We do not look only for specific
attacks
– We can see if the OS tables have been
manipulated
– We gain evidence to suggest the
existence of malware.
– We can see into disc and network buffers
– We can sit in the IO path and carry out
specific deep inspection
56
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Our Demonstrator
57
©2009 HP Confidential
© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Related documents
Words in italics are to be deleted in the completed... UNIVERSITY OF SASKATCHEWAN BOARD OF GOVERNORS
Words in italics are to be deleted in the completed... UNIVERSITY OF SASKATCHEWAN BOARD OF GOVERNORS
ABSTRACT RESEARCH PAPER: A Content Analysis of the Use of Time
ABSTRACT RESEARCH PAPER: A Content Analysis of the Use of Time
NtregaBusinessPlanExpress 1.1 MB
NtregaBusinessPlanExpress 1.1 MB
Model Template Agency Release of Information Form
Model Template Agency Release of Information Form
Download
advertisement