By : Jean-Marc Lambert, Cloud Computing R&D, Gemalto - - PowerPoint PPT Presentation



SLIDE 1

Secure Embedded Elements & Data Protection 4 the Cloud (SEED4C)

http://www.celticplus-seed4c.org/

By: Jean-Marc Lambert, Cloud Computing R&D, Gemalto

SLIDE 2

Context

Security of the Cloud is still a roadblock to massive cloud adoption in critical segments. Customers need trust, and want to keep control of their assets. Hence the need to harden cloud security:

  • Enforce various security policies (e.g., regulation and business policies)
  • Let customers define & control these policies
  • Provide evidence of the policy enforcement
SLIDE 3-4

Objectives

Building a Trusted Cloud Computing Base (TCCB) based on

  • A cloud of minimal Trusted Computing Bases: the SEEDs (managed by the NoSE: Network of Secure Elements)

and

  • That can guarantee end-to-end security of service
SLIDE 5

SEED4C: Security Embedded Element and Data Privacy for Cloud

Consortium (France, Finland, Spain, Korea): Alcatel-Lucent, Gemalto, ENSI Bourges, Inria, Wallix, Cygate, Mikkelin Puhelin Oy, Nokia Solutions & Networks Oy, Finceptum Oy, VTT, Innovalia Association, Nextel, Software Quality Systems (SQS), Fundación Vicomtech, IKUSI, BISCAYTIK, SOLACIA

SLIDE 6

SEED4C approach: from an isolated security to a coordinated security

Diagram: isolated security (stand-alone SEEs) versus coordinated security (SEEs federated by the NoSEE).

  • Secure Element Extended (SEE)
    • Store securely critical data and execute securely critical apps
    • Support multi-tenant data & apps
  • Network of Secure Element Extended (NoSEE)
    • Secure administration & exchange across cloud nodes
    • Allow tenants to manage their credentials & trust seeds
    • E.g. allow critical data to be processed only in secure & compliant VMs (certified location, local key storage, …)

SLIDE 7

Deliver trusted services in a multi-node Trusted Cloud Execution Environment

Diagram labels: Policy Execution with Trust & Assurance over the Network and the Servers; Trusted Execution with Trust & Assurance.

SLIDE 8

SEED4C scope of work

Modeling, Deployment, Enforcement and Assurance (M, D, E, A): end-to-end, in-depth security and assurance.

SLIDE 9

SEED4C process

Diagram labels: Policy Modeling (SEED4C users), App & Policy Deployment, Policy Assurance, Policy Monitoring, SEE-based Policy Enforcement (SEE, NoSEE).

SLIDE 10

SEED4C: Enforcement engine (M, D, E, A)

Cooperative security: the SEE model

Diagram: each host runs a hardened hypervisor (KVM) with one SEE VM and one physically attached Secure Element; the NoSEE Admin Web component reaches the SEE VMs over an internal VLAN, and the Network of Secure Elements (NoSEE) links the nodes (west, south, east, …) across the intranet. Per node: 1 host, 1 SEE VM per host, 1 SE per host. Roles: NoSEE Admin, Tenant Admin.

  • SE are multi-tenant (isolated security domains)
  • SE services offered by a dedicated SEE VM
  • NoSEE Admin: manage the attached SE (GP), the allocation of nodes to tenants & mirroring of a tenant's security domain into SE(s)
  • Tenant Admin: manage security data and functions in tenant security domains

Contents of one SE:

  • Tenant 1 security domain: data (keys), functions
  • Tenant 2 security domain: data (keys), functions
  • Shared security domain: data (location, time/date), functions (encrypt/decrypt)
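As an added illustration (not SEED4C's own code), the following constructed model shows the per-host SE layout above: tenant domains isolated inside one SE, a shared domain offering location and encrypt/decrypt, a NoSEE admin that allocates only compliant nodes (slide 6's certified-location policy) to a tenant, and a tenant admin confined to its own domain on its own nodes. All class and method names are assumptions.

```python
"""Constructed model of the per-host SE layout above (added example, not SEED4C code).
One SE per host holds isolated tenant security domains (keys) plus a shared
domain (location, encrypt/decrypt). The NoSEE admin allocates compliant nodes to
a tenant; a tenant admin manages keys only in its own domain on those nodes."""
from dataclasses import dataclass, field


@dataclass
class SecureElement:
    host: str
    location: str                                # shared-domain data
    domains: dict = field(default_factory=dict)  # tenant -> {key_name: key}

    def encrypt(self, tenant: str, key_name: str, data: bytes) -> bytes:
        """Shared-domain function; resolves keys only in the caller's domain."""
        key = self.domains.get(tenant, {}).get(key_name)
        if key is None:
            raise PermissionError(f"{tenant} has no key {key_name!r} on {self.host}")
        return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))  # toy cipher


class NoSEE:
    def __init__(self, elements, certified_locations):
        self.se = {e.host: e for e in elements}
        self.certified = set(certified_locations)  # compliance policy (slide 6)
        self.allocation = {}                       # tenant -> set of hosts

    def allocate(self, tenant: str, hosts) -> None:
        """NoSEE admin: allocate compliant nodes, creating the tenant's domain there."""
        for h in hosts:
            if self.se[h].location not in self.certified:
                raise PermissionError(f"{h} is not in a certified location")
            self.allocation.setdefault(tenant, set()).add(h)
            self.se[h].domains.setdefault(tenant, {})

    def tenant_put_key(self, tenant: str, host: str, name: str, key: bytes) -> None:
        """Tenant admin: writes land only in its own domain on its own nodes."""
        if host not in self.allocation.get(tenant, ()):
            raise PermissionError(f"{tenant} is not allocated node {host}")
        self.se[host].domains[tenant][name] = key

    def mirror(self, tenant: str) -> list:
        """Mirror the tenant's domain across all its allocated SEs; returns those hosts."""
        hosts = sorted(self.allocation.get(tenant, ()))
        merged = {}
        for h in hosts:
            merged.update(self.se[h].domains[tenant])
        for h in hosts:
            self.se[h].domains[tenant] = dict(merged)
        return hosts
```

The XOR stands in for the SE's real cipher; the point of the model is the isolation and allocation checks, not the cryptography.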
SLIDE 11

SEED4C use-cases

Various types of use-cases at different cloud levels (IaaS, PaaS, SaaS):

  • Airport system management
  • e-Gov services
  • e-Banking
  • Telco services in the cloud (NFV)
  • File sharing app
  • WebCom services (e.g. WebRTC, vIMS)

Diagram labels (recovered): mobile core elements (MSC, AuC, HLR, VLR, NSS, EIR, SMSC) with a Security Operations Center; web server, application/processing server and database servers with a user authentication server, authentication domain and bank domain; passengers, airport groups 1..N, iKloud AOS in SaaS, AODB, MUSIK integration platform, ANSP, airlines, AFTN and IATA messages, passenger services, advertising information, BI and operational departments. Each diagram marks the possible locations of the SE or SEE.

Security functions covered: IMS communication services, security monitoring, PaaS environment, IAM authentication and auditing, IaaS-level security, administrative access management, vHSM + key ceremony.

SLIDE 12

As a conclusion: SEED4C provides:

  • Tenant-defined security policy & control
  • Security-aware placement & deployment engine
  • A Modeling, Deployment, Enforcement and Assurance solution
  • Enforced by:
    • The Network of Secure Elements Extended (NoSEE)
    • The Secure Elements physically present in each trustable cloud node
    • The Assurance Framework providing evidence and allowing continuous monitoring

SLIDE 13

http://projects.celtic-initiative.org/seed4c/