International Workshop on Trustworthiness, Accountability and Forensics in the Cloud (TAFC 2013) Sessions 1-4 reports
Session 1: ACCOUNTABILITY Reported by: Lenore Zuck, University of Illinois at Chicago (UIC) Discussion points Panel Discussions What is accountability? Do we need it? • Point 1: can accountability always be assigned If so then: (is it always well defined) Rigorous definition(s) • Point 2 : is accountability always important Does is need to be predictable? • Point 3: Dealing with loss of data Can it always be defined (multiple sources) • Point 4: Guaranteeing loss of data weaker definitions (deterrence?) Ties to privacy/ethics/contextual remediation, verifiability, transparency, how to implement/enforce Is accountability goal or means? If latter, then are there alternatives? Should we focus on it? Does it imply responsibility? Why is International cooperation necessary? Research areas identified • Self regulations of various privacy laws and • New directions in privacy and accountability seamless merging of those laws for data in face of new technical advancements sharing/transfer/disclosure • Teasing apart the new from the old • Enforcement of policies across borders (including • Definitions of Privacy and Accountability that compliance transfers) can be used to gauge compliance with • • Defining the lines between tech solvable issues Enforcement of policies and those that are beyond tech solutions
Session 2: Forensics, Evidence and Accountability Reported by: Nick Papanikolaou, HP Labs, Bristol Discussion points Panel Discussions • Identifying the artifacts that are useful for • Toolkits for forensics – what are the right tools and how investigations across the cloud stack – which often should they be updated? artifacts? • How to build cloud architectures that provide forensic • What patterns do we need to look for in executable mechanisms? traces? • What about digital freedoms? Forensic mechanisms • What types of analysis can be carried out at the have good and bad uses hardware level? • Debate about need of chain of custody for legal • Hakim Weatherspoon’s example of covert channels cases/prosecution • Spanner for Google – time synchronization across a • In practice most cases not taken to court, or penalties network not enforceable. Why is International cooperation necessary Research areas identified • Data centres located worldwide; need ability for law • Forensics-as-a-Service enforcement to work transparently across borders • Research into types of evidence for cloud, and • Interoperability between standards used by different how it can be automatically produced agencies for forensic data is needed • Graph-based matching for malware detection • Using network hardware to forensically check compliance to SLAs
SESSION 3. TRUST AND CLOUD SECURITY Reported by: Jim Clarke, Waterford Institute of Technology, Ireland Discussion points • Certification, Panel Discussions standardization and international • How does TSC language map to standards? Own convergence issues in cloud security (CIRRUS project), interpreter is written. bridging between various activities, initiatives ETSI, CSA, • TSC deals with transfer of data between providers with NIST, ENISA, … • Securing services running over untrusted clouds: the a primitive for sending / receiving encrypted data. On both sides, you can make policy checks. two-tiered trust model via crypto protocols • Mobile Cloud Computing Paradigm - To augment the • Dealing with scalability issues when moving from lightweight to more intensive machines. Bootstrap capability, capacity and battery time of the mobile devices, process only happens once and then when that is computationally intensive and storage demanding jobs finished, you have a clean system. should be moved to cloud • A critical infrastructure network or DoD type network for • Crypto protocol for securing services was developed specifically for to obtain the ‘dream bound’ of corruption lightweight devices (e.g. tablets) • Trust storage controller (TSC) an interpreter for very rich resiliency • Good link between India context and TSC work. policies. Research areas identified Why is International cooperation necessary • Crypto protocols for distributing trust • Leverage skill bases of int’l peers e.g • Outsourcing to Service Providers and guaranteeing trust crypto expertise, RFID, … via Crypto protocols • Preparation of semantic data for security parameters for • Good example was from the India mobile and cloud Security attributes • Mobile Cloud security features and respective parameters context where the government have and Security algorithm under different security committed to a mobile government requirements; Platform Independent Security Architecture model where all data will be available on • Trusted Cloud Arch. incl. private cloud deployment and trusted service providers, trusted cloud monitor, access mobiles by 2015. The work on crypto, control model for computing services that supports need Trusted cloud architecture, and Trust to know and separation of duties policies, TC-compliant storage controller (TSC) presented all computing services, Lightweight TC-compliant client service endpoints. gels very well with this. • TSC mapping to security and privacy requirements for cloud apps. • Including legal requirements in the cloud?
SESSION 4: Policy, Ethics AND Int’l cooperation Reporting by: Karima Boudaoud, Mounib Mekhilef Trust AND International cooperation, reporting by Aaron Jaggard Panel Discussions Discussion points • These will be provided later as there was no time How to design ethical code • during the workshop . Ethics does not sell but data privacy does • Which cultural & ethical norms • EU strengthen individuals’ right to be forgotten : • Do we have a death of privacy ? • Stabilize international security architectures • Cyber security and multi-lateral strategy • economic security demands robust policy • Establish international cyber norms • Intelligent development environment • Highly effective code re-use & sharing & collaboration • Good practice - • Research areas identified Business Why is International cooperation necessary • • Philosophy Opportunities Model building Context • • • Mathematics Operations some places "field trial" • Protectionism • • • Computer science Information logistics small markets • Global market • • • Information theory Practices(Good:bad) • Closeness to clients • lawless lands • • Graph theory Lessons learned • Open-ness to change • different priorities • • Decision theory low investment • Growing market • Non western-world inc • • optimization international trading • • Lack of: Horizon 2020 coming soon • • Simulation/ Policy • • Framework, Roadmap, Threads • • Predictability education • Body, Coordination Co-design as a context • • Human Sciences Strategy building • • Coming Needs Values • • Sociology Risk & conflict Mngmt • • Impacts on large networks Needs vs time • • industrial anthropology Economy • • Continuity of actions cultural differences • Psychology • incentives • • Missing common objective Clock speed • Legal • Design • • ->Future building Sophistication growing IPR • User oriented • • • Funding planning Laws/regulation • Co/Eco -design • • Sharing experiences Standardisation • Design for X • •
More recommend
