

Department of Computer Science | Institute of Systems Architecture | Chair of Computer Networks

Today's forecast: cloudy with some rain

Towards secure & reliable Cloud Computing

Dr.-Ing. Stephan Groß

DESY Computing Seminar Hamburg, 16 January 2012

Faculty of Computer Science, Chair for Computer Networks

26 professors, 2300 students

9 post-docs, 31 total staff and PhD candidates

Research Topics

• Applications
• Peer-to-Peer
• Internet
• Devices
• Access Technologies
• Large-Scale Computing

Flexible Service Architectures for Cloud Computing

• Mobile and Ubiquitous Computing
• Internet Information Retrieval
• Real-Time Collaboration
• Energy Lab
• Network Planning and Security
• Service & Cloud Computing
• Exploring Cyber Physical Systems

EU-funded research group: 10/2010 – 9/2013

Dr.-Ing. Josef Spillner, Dipl.-Medieninf. Marc Mosch, Dr.-Ing. Stephan Groß, Dipl.-Medieninf. Yvonne Thoß, Dr.-Ing. Anja Strunk

Outline

Cloud Computing

• What is it all about?
• Problems?
• π-Box: Building your personal secure cloud
• Secure Cloud Storage
• Conclusion & Future Work

The shape of a cloud …

… is in the eye of the beholder.


Definition

Cloud Computing is the on-demand and pay-per-use application of virtualised IT services over the Internet.

• On-demand self service
• Rapid elasticity
• Broadband network access
• Measured service
• Resource pooling

Adopted from the NIST Definition of Cloud Computing [MeGr2011]


FlexCloud Objectives

• Unified Cloud: Prevent vendor lock-in + integration of existing IT
• Secure Cloud: Ensure data privacy and security
• Managed Cloud: Keep the user in command
• Efficient Cloud: Adapt to user preferences and cloud's vital signs

FlexCloud research topics

Cloud Adaption and Optimization
• Strategies for the compensation of SLA violations
• Strategies for minimisation of energy consumption
• Mechanisms for the visualisation of complex Cloud Monitoring data

Cloud Surveillance and Incident Detection
• Specification of monitoring targets and SLA violations
• Models for the proactive recognition of SLA violations and the evaluation of Cloud's energy efficiency
• Mechanisms for reliable distributed Monitoring

Fine-grained Service Level Agreements
• Methods to determine fine-grained nonfunctional properties of Cloud Services
• Identification of assets and corresponding requirements
• Deduction of monitoring targets from SLAs

Dynamic Provider Selection and Cloud Setup
• Flexible distribution mechanisms for Cloud Platforms
• Strategies for the performance optimization of Cloud Applications
• Reputation consideration to improve reliability and trustworthiness


FlexCloud's approach

Subsume all end devices within a Personal Secure Cloud (π-Cloud) controlled by the π-Box.

[Figure labels: π-Cloud, π-Box]

FlexCloud's approach

π-Box distinguishes between public and sensitive data and enforces security mechanisms for the latter.

[Figure labels: π-Cloud, π-Box]

Transparent encryption

Analysis of structured, unstructured data and context information

[Figure labels: π-Cloud, PKI]

Building a cloud of clouds

… by connecting several π-Clouds. Propagation of data and services within one π-Cloud and to others.

[Figure labels: π-Cloud, π-Box]

π-Box architecture

• User Interface / GUI
• Service Controller: Service execution with respect to security and other non-functional requirements.
• Data Controller: Data storage & distribution with respect to security and other non-functional requirements.
• Resource Manager: Infrastructure management
• Virtualisation
• Peer2Peer Network
• private resources (trustworthy)
• public resources (not necessarily trustworthy)

π-Box deployment models



Increasing availability: From RAID to RAIC

RAID: Redundant Array of Independent Disks
RAIC: Redundant Array of Independent Clouds

Secure Cloud Storage Integrator for Enterprises (SecCSIE)

System Architecture [SGS2011]

Uploading files (1/5)


Shared Folder

• Technology: FUSE (Filesystem in Userspace)
• CIFS/SMB network share on proxy file server
• Unified user interface for arbitrary cloud storage services
• Utilizing CIFS access control mechanisms

Uploading files (2/5)


File dispersion

[Figure labels: k, n]

E.g. k=6, n=8

Ensure availability despite unreliable cloud storage providers.

Secret Sharing aka Threshold schemes

Objective: Divide a secret $s \in S$ into n pieces $s_1, \dots, s_n$ such that

1. Knowledge of any k or more pieces $s_i$ makes s easily computable.
2. Knowledge of any k-1 or fewer pieces $s_i$ leaves s completely undetermined (in the sense that all its possible values are equally likely).

[Figure: Sharing: the Dealer takes input s and distributes the shares $s_1, s_2, \dots, s_n$ to the share holders, who store them. Reconstruction: the Reconstructor collects k shares $s_{i_1}, s_{i_2}, \dots, s_{i_k}$ and outputs s*.]

Secret Sharing: An informal example

Visual Cryptography [NaSh1994]

[Source: http://goo.gl/watJC]

Secret Sharing: More formalism

Shamir's scheme [Shamir1979]
Idea: It takes k points to define a polynomial of degree k-1.
Sharing: Let $a_0 := s \in S$ where $S$ is an infinite field. Randomly choose (k-1) coefficients $a_1, a_2, \dots, a_{k-1} \in S$ to build $f(x) := \sum_{i=0}^{k-1} a_i \cdot x^i$. Calculate shares $s_j := [j, f(j)]$ with $j \in \mathbb{N}_n$.
Recovering: Use Lagrange interpolation to find coefficients of the polynomial including constant term $a_0$.

Blakley's scheme [Blakley1979]
Idea: Any n nonparallel n-dimensional hyper-planes intersect at a specific point.
Sharing: Encode the secret as any single coordinate of the point of intersection.
Recovering:
1. Calculate the planes' point of intersection.
2. Take a specified coordinate of that intersection.

[Figure source: Wikipedia]

Information theoretic secure! But not space efficient.

Information Dispersal: Computationally secure secret sharing

Rabin's scheme [Rabin1989]
• Let $a_i := s \in S$ where $i = 1, \dots, k$. Rest as with Shamir's secret sharing.
• With a polynomial and shares of the same size as before, we can now share a value k times as long as before.
• Length of each share is only 1/k-th of the length of the secret, and if k shares must be sufficient for reconstruction, one can obviously not get shorter. ➔ Space optimal
• However, one might gain some information if he gets access to several shares ➔ Computationally secure
• More efficient codes:
  – Need to be maximum distance separable to use k arbitrary shares for reconstruction
  – Examples: Cauchy-Reed-Solomon, Liberation, Blaum-Roth [PSS2008]
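Shamir's sharing and Rabin's dispersal from the two slides above, side by side, as an added example that is not part of the original talk. It assumes arithmetic modulo the prime 257 and uses illustrative function names; it also shows why dispersal is only computationally secure: pieces are deterministic, so a single piece confirms or rules out a guessed block.

```python
import secrets

P = 257  # prime modulus, so every byte value is a field element (assumption of this example)

def evaluate(coeffs, x):
    """Horner evaluation of f(x) = sum(coeffs[i] * x**i) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def shamir_share(secret, k, n):
    """Shamir: a_0 is the secret, a_1..a_{k-1} are random; share j is (j, f(j))."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(j, evaluate(coeffs, j)) for j in range(1, n + 1)]

def rabin_disperse(block, n):
    """Rabin-style dispersal: all k coefficients carry data, nothing is random."""
    return [(j, evaluate(block, j)) for j in range(1, n + 1)]

def interpolate(shares):
    """Lagrange interpolation mod P: coefficients [a_0..a_{k-1}] from k shares."""
    coeffs = [0] * len(shares)
    for i, (xi, yi) in enumerate(shares):
        basis, denom = [1], 1  # basis = product over m != i of (x - x_m)
        for m, (xm, _) in enumerate(shares):
            if m != i:
                basis = [(a - xm * b) % P for a, b in zip([0] + basis, basis + [0])]
                denom = denom * (xi - xm) % P
        scale = yi * pow(denom, -1, P) % P
        for d, b in enumerate(basis):
            coeffs[d] = (coeffs[d] + scale * b) % P
    return coeffs

def surviving_guesses(share, guesses):
    """Candidate blocks that a single dispersal piece does not rule out."""
    x, y = share
    return [g for g in guesses if evaluate(g, x) == y]

if __name__ == "__main__":
    block = list(b"Hi!")  # constructed sample data: k = 3 field elements
    shamir = shamir_share(block[0], k=3, n=5)
    print("Shamir, shares 2,4,5:", interpolate([shamir[1], shamir[3], shamir[4]])[0])
    pieces = rabin_disperse(block, n=5)  # each piece is 1/k of the block's size
    print("Rabin, pieces 1,3,5:", bytes(interpolate(pieces[0::2])))
    guesses = [list(b"Hi!"), list(b"No!"), list(b"Hi?")]  # constructed guesses
    print("one piece leaves:", surviving_guesses(pieces[0], guesses))
```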

Uploading files (3/5)


Cryptography: Confidentiality & Integrity

[Figure labels, repeated four times: AES-CBC + SHA256]

Uploading files (4/5)


Uploading files (5/5)

[Figure label: Metadata]

Downloading files (1/3)


Downloading files (2/3)


Downloading files (3/3)

[Figure label: Metadata]

Prototype implementations

SecCSIE: [SGS2011]

NubiSave: [SBM+2011]


Results so far & Future work

• Integration of existing cloud storage services (Cloud-of-Clouds)
• Proxy server for transparent mediation
  ➔ easy to use for end-user
  ➔ common scheme for enterprises
• High security and data sovereignty for the user
• Good performance but space for improvement

• Collaboration scenarios, file sharing, access by external entities
• Securing the meta data database
• Automatic classification of data
• Improving performance, e.g. scheduling algorithms, Caching/Prefetching, parallelisation
• Data store for database system

Tomorrow's forecast: still cloudy with sunny spots

Contact: [email protected] http://flexcloud.eu/

References & Credits

References

[Blakley1979] G. R. Blakley: Safeguarding cryptographic keys; AFIPS Conference Proceedings Vol. 48, National Computer Conference (NCC) 1979, 313-317.

[MeGr2011] P. Mell and T. Grance: The NIST Definition of Cloud Computing. NIST Special Publication 800-145, September 2011.

[NaSh1994] M. Naor and A. Shamir: Visual Cryptography; Eurocrypt 94.

[PSS2008] J. S. Plank, S. Simmerman, C. D. Schuman: Jerasure: A Library in C/C++ Facilitating Erasure Coding for Storage Applications – Version 1.2. Technical Report CS-08-627, University of Tennessee, 2008.

[Rabin1989] M. O. Rabin: Efficient Dispersal of Information for Security, Load Balancing, and Fault Tolerance; Journal of the ACM 36/2 (1989) 335-348.

[SBM+2011] J. Spillner, G. Bombach, S. Matthischke, R. Tzschicholz, and A. Schill: Information Dispersion over Redundant Arrays of Optimal Cloud Storage for Desktop Users. In: IEEE International Conference on Utility and Cloud Computing. Melbourne, Australia, December 2011.

[SGS2011] R. Seiger, S. Groß, and A. Schill: A Secure Cloud Storage Integrator for Enterprises. In: International Workshop on Clouds for Enterprises. Luxembourg, September 2011.

[Shamir1979] A. Shamir: How to Share a Secret; Communications of the ACM 22/11 (1979) 612-613.

Credits

Kudos to Ronny Seiger and Josef Spillner, both for providing slides and contributing to the research work. Furthermore, I would like to thank Marc Mosch for the best styled graphics.
