Towards Supercloud Computing: User-Centric Security Management for Clouds of Clouds

SLIDE 1

Towards Supercloud Computing:

User-Centric Security Management for Clouds of Clouds Marc Lacoste Orange Labs

SEC2 ComPAS’15 Workshop on Cloud Security Lille, June 30, 2015

SLIDE 2

Cloud Security Today

Security = key concern in cloud adoption for the enterprise market

  • Threats are on the rise
  • Attacks are costly
  • Awareness is growing, but is not enough

Source: Cloud Security Alliance, 2013. Source: Ponemon, 2013.

SLIDE 3

The Cloud everywhere, increasingly complex…

SLIDE 4

Classical cloud threats…

…and so are security breaches!

…and new threats…

Secure, Robust SDN

  • Challenges: central PoF, trust
  • Mitigation:
  • Replication, diversity, authentication
  • Policy consistency, secure SDN toolkits
  • Intrusion prevention?
  • Fault tolerance?

NFV Security

  • Issues:
  • Topology validation
  • Availability of management network
  • Secure boot
  • I/O partitioning
  • Performance isolation
  • Root causes: commodity hardware, cloud isolation technology

SLIDE 5

Hasn’t someone been forgotten?

The User? The Customer?

  • Are they going to use those infrastructures?
  • Are they going to pay for them?
SLIDE 6

Provider-centric clouds prevent interoperability and unified control

The Cloud as utility

Promise: high availability & security, energy efficiency, scalability, …

Feature-rich services: intrusion monitoring, elastic load balancing, …

Multi-provider clouds NOT ACHIEVED NOT DEPLOYED

Provider-centric cloud deficiencies

INTEROPERABILITY

  • Vendor lock-in
  • Different SLAs

UNIFIED CONTROL

  • Heterogeneous infrastructure services
  • Monolithic infrastructure
  • Technological choices

SECURITY

SLIDE 7

Outline

  • Moving to User-Centric Cloud Security
  • Secure Supercloud Computing
  • 11 Key Enabling Technologies
  • The H2020 SUPERCLOUD Project
  • Next Steps
SLIDE 8

User-centric clouds require a resource distribution layer

SLIDE 9

Customer Security Expectations

SLIDE 10

Taking Into Account Security Challenges

Infrastructure security: strong, flexible, automated security for compute resources

  • Vulnerabilities in complex infrastructure, mitigation of cross-layer attacks
  • Lack of flexibility and control in security management
  • Automation of security management: in layers, between providers

Data management: on-demand, unified experience in protection of data assets

  • Management of access rights, continuum between provider vs. user control
  • Blind compute over data stored in multi-clouds
  • Traceability of information for accountability and privacy

Network management: resilient, secure virtual networking

  • Resilient resource provisioning across heterogeneous clouds
  • End-to-end inter-cloud network security with different security SLAs
SLIDE 11

Outline

  • Moving to User-Centric Cloud Security
  • Secure Supercloud Computing
  • 11 Key Enabling Technologies
  • The H2020 SUPERCLOUD Project
  • Next Steps
SLIDE 12

Secure Supercloud Computing

The Supercloud NORTH INTERFACE provides user-centric self-service security & dependability

The Supercloud SOUTH INTERFACE provides provider-centric self-managed security & dependability

SLIDE 13

Supercloud Computing: Self-Service Security

Self-service security relies on:

  • a distributed, flexible resource & control layer spanning compute, data, network
  • multi-provider security policies

[Figure labels: Abstraction & Control Layer; Policies]

SLIDE 14

Supercloud Computing: Self-Managed Security

Self-managed security relies on:

  • bi-dimensional (cross-layer, multi-provider) self-protection for compute and network resources
  • bi-dimensional trust management

[Figure label: Security and Trust management]

SLIDE 15

Supercloud Computing: End-to-End Security

End-to-end security relies on:

  • E2E security SLAs for VMs & data protection
  • E2E network security in control and data planes

[Figure labels: E2E network security; E2E VM SLAs; E2E data security]

SLIDE 16

Supercloud Computing: Resilience

Resilience relies on:

  • multi-cloud data availability
  • resilient networking in data and control plane

[Figure label: Resilience]

SLIDE 17

Outline

  • Moving to User-Centric Cloud Security
  • Secure Supercloud Computing
  • 11 Key Enabling Technologies
  • The H2020 SUPERCLOUD Project
  • Next Steps
SLIDE 18

Key Enabling Technologies: Self-Service Security

Flexible hypervisor security architectures:

  • User data isolation + protection against the cloud provider
  • Modular, secure interface for the hypervisor

Blind computation:

  • Lightweight homomorphic operations over encrypted data
  • Advanced cryptographic tools for data security

Security SLA management:

  • Security SLA (SSLA) language bridging the gap between layers
  • SSLA templates and combination functions for easy specification
SLIDE 19

Key Enabling Technologies: Self-Managed Security

Autonomic IaaS security supervision:

  • Cross-layer security monitoring, even if some layers are compromised
  • Cross-provider security monitoring, seamless integration

Security policies:

  • Flexible security policy languages and deployment tools
  • Policy negotiation tools for conflict resolution

Network security management:

  • Finer-grained network control than current specifications
  • SDN components/APIs for advanced policy monitoring
SLIDE 20

Key Enabling Technologies: End-to-End Security

Cryptographic protection:

  • Integrity and consistency verification
  • Processing cryptographically protected data

Storage access control:

  • Transparent cryptographic protection mechanisms
  • Flexible cloud-based key management

Trust management:

  • Horizontal trust management between different cloud entities
  • Vertical trust management across cloud system configurations
  • Abstraction of trust through specification language
SLIDE 21

Key Enabling Technologies: Resilience

SDN Resilience:

  • Secure, dependable SDN controller for multi-cloud networking
  • Intra/inter-cloud infrastructure resilient to network failures

Data availability:

  • Integration of disruptive secrecy technology to multi-cloud storage replication
  • New services based on multi-cloud storage algorithms
  • Adaptive multi-cloud algorithms with outstanding performance for real workloads

SLIDE 22

What is VESPA?

= Virtual Environments Self-Protecting Architecture

An automated security supervision framework for IaaS and multi-DC infrastructures

APPLICATIONS

CLOUD PROVIDER: IaaS monitoring

  • Anti-malware.
  • Anti-DDoS.
  • End-to-end security.

CUSTOMERS: SecaaS appliances

Design principles

STRONG SECURITY

  • Cross-layer security: detect / respond to overall extent of attack.
  • Open architecture: mitigate new threats, integrate legacy counter-measures.

SIMPLE SECURITY

  • Automated security supervision: choose in-layer, cross-layer, multi-DC.
  • Tuneable defense patterns: orchestrate multiple loops for rich defense strategy.

SLIDE 23

VESPA System Architecture

[Figure: planes (Resource Plane, Security Plane, Agent Plane, Orchestration Plane); layers (VM, Hypervisor, Physical); components (VO, HO, Detection Manager, Detection Agent, Reaction Manager, Reaction Agent); stages (DETECTION, DECISION, REACTION); RESOURCES]

SLIDE 24

VESPA System Architecture

[Figure: same architecture diagram, highlighting Intra-Layer Self-Protection. Planes (Resource Plane, Security Plane, Agent Plane, Orchestration Plane); layers (VM, Hypervisor, Physical); components (VO, HO, Detection Manager, Detection Agent, Reaction Manager, Reaction Agent); stages (DETECTION, DECISION, REACTION); RESOURCES]

SLIDE 25

VESPA System Architecture

[Figure: same architecture diagram, highlighting Cross-Layer Self-Protection. Planes (Resource Plane, Security Plane, Agent Plane, Orchestration Plane); layers (VM, Hypervisor, Physical); components (VO, HO, Detection Manager, Detection Agent, Reaction Manager, Reaction Agent); stages (DETECTION, DECISION, REACTION); RESOURCES]

SLIDE 26

The VESPA Project

  • Research results:
  • Framework [ICAC’12].
  • Extensions:
  • Network management (SDN approach).
  • Mobile cloud SLAs: Orange MC2 [UCC’13].
  • VMM self-protection: KungFuVisor [EURODW’12], self-stabilization [DSS’14].
  • Keynotes [SSS’11], panels [IM’11, NOMS’14], tutorials [ICAR’13, MOBILECLOUD’14].
  • Code available at: https://github.com/Orange-OpenSource/vespa-core

RESULTS

  • Framework: supervision of single cloud and multi-DC security. Available in open source.
  • Different applications demonstrating viability of self-defending cloud concept.

So far

CURRENT VESPA FUNCTIONALITIES

VESPA = core + security plug-ins.

Supported / In progress: Anti-virus, Integration with Heat + Horizon, Hypervisor control, Network zones, Firewall, vSwitch management (SDN), Log analysis

SLIDE 27

Outline

  • Moving to User-Centric Cloud Security
  • Secure Supercloud Computing
  • 11 Key Enabling Technologies
  • The H2020 SUPERCLOUD Project
  • Next Steps
SLIDE 28

The SUPERCLOUD Project

SLIDE 29

The SUPERCLOUD Project: Goals and Expected Results

Goal: a security management infrastructure for secure supercloud computing

Expected Results:

A security management infrastructure:

  • 360° autonomic security supervision, horizontally and vertically for superclouds
  • A user-centric to provider-centric continuum of security services
  • End-to-end trust management

A data management framework:

  • Advanced cryptographic tools (e.g., access control, secure computation)
  • A resilience framework for multi-cloud storage infrastructures

A multi-cloud network management infrastructure:

  • Resilient virtual network provisioning across multiple clouds
  • Sanitized network environment with tunable security guarantees
SLIDE 30

Use Cases and Dissemination of Results

Use cases:

  • Healthcare-oriented: Distributed medical imaging platform, Healthcare Laboratory Information System

  • NFV security
  • Smart home
  • Decentralized, location-aware cloud security

SUPERCLOUD Technology Dissemination: fully open source

Ambition: open toolbox for trustworthy management of clouds of clouds

Standardization: aim for open standards

SLIDE 31

Outline

  • Moving to User-Centric Cloud Security
  • Secure Supercloud Computing
  • 11 Key Enabling Technologies
  • The H2020 SUPERCLOUD Project
  • Next Steps
SLIDE 32

Conclusion and Next Steps

Key take-aways:

  • User-centric distributed clouds should overcome provider-centric limitations
  • Secure Supercloud Computing makes it possible to build such clouds, with security that is self-service, self-managed, end-to-end, and resilient
  • Open innovation makes it possible to build such next-generation security technology
  • More trustworthy cloud services with improved customer experience are expected

Next steps:

  • SUPERCLOUD requirements, security architecture, prototypes
  • Push into open source and standardization

https://supercloud-project.eu/

SLIDE 33

Thank you!

marc.lacoste@orange.com