Defining, Securing, and Standardizing Cloud Computing Tim Grance NIST, Information Technology Laboratory 22 July 2010


Caveats and Disclaimers

• This presentation provides education on cloud technology and its benefits to set up a discussion of cloud security
• Looking for feedback on NIST role and ideas presented
• It is NOT intended to provide official NIST guidance and NIST does not make policy
• Any mention of a vendor or product is NOT an endorsement or recommendation


Our Challenge

Technology is not kind. It does not wait. It does not say please. It slams into existing systems often destroying them whilst creating new ones

Joseph Alois Schumpeter, 1883-1950


Three Views on “Software” Trustworthiness

1. Satisfies requirements/specs
2. Satisfies development processes (e.g., CMM)
3. Fit for purpose/operation


Cloud Trustworthiness

• Requires confidence in:

– Hardware

– Software

– Bandwidth (communications)

• Only (3) fit for purpose applies to cloud from the consumer/user standpoint


(3) Fit For Purpose Attributes

[Diagram: Trustworthiness, with three attributes: Reliable/accurate (integrity); Secure/private; Timeliness]

Problem: Intuitive


Lower Attributes

[Diagram: Trustworthiness, with the attributes Reliable/accurate, Secure/private and Timeliness, and beneath them the lower attributes: reliability, security, performance, availability, privacy, fault tolerance, confidentiality, intrusion tolerance, testability; confidentiality, availability, integrity]


Two Components

x y


With Attributes

x y

x has the following properties:

(aR, bP, cF, dSa, eSe, fA, gT, hM)

y has the following properties:

(iR, jP, kF, lSa, mSe, nA, oT, pM)


Compose Them: What Have You Got?

[Diagram: components x and y joined]

Then F(x o y) will inherit some level of trustworthiness from the individual components. Is that level of trustworthiness an integer? Probability? An n-tuple of values? Color coded (green, red, yellow)?

Key Point: Predictions of future behavior


Key Message for Cloud

• Trustworthiness attributes are only reasonable to talk about within a system context, i.e., it is not reasonable to talk about them and attempt to measure them as standalone component properties. Eventual target environments must be anticipated.


System Context: Operational Environment

[Diagram: the attributes Reliable/accurate, Secure/private and Timeliness with the lower attributes (reliability, security, performance, availability, privacy, fault tolerance, confidentiality, intrusion tolerance, testability), placed in an "Operational Environment!" along a time axis from t0 to t∞]


[Diagram: a time axis from t0 to t∞ with the labels Threat Space, Environment, Software System, “attributes” and Policies, a change Δ, and the points A1, A2, P1, P2, S1, S2, E1, E2, T1, V1.1, V1.2]


QUALITY ASSURANCE AND THE SINKING OF THE LARGEST OFFSHORE OIL PLATFORM

March 2001


For those of you who may be involved in project cost control (at whatever level), please read this quote from a Petrobras executive, extolling the benefits of cutting quality assurance and inspection costs, on the project that was deployed in the Atlantic Ocean off the coast of Brazil in March 2001.

"Petrobras has established new global benchmarks for the generation of exceptional shareholder wealth through an aggressive and innovative program of cost cutting on its P36 production facility. Conventional constraints have been successfully challenged and replaced with new paradigms appropriate to the globalized corporate market place. Through an integrated network of facilitated workshops, the project successfully rejected: (1) the established constricting and negative influences of prescriptive engineering, (2) onerous quality requirements, and (3) outdated concepts of inspection and client control. Elimination of these unnecessary straitjackets has empowered the project's suppliers and contractors to propose highly economical solutions, with the win-win bonus of enhanced profitability margins for themselves. The P36 platform shows the shape of things to come in the unregulated global market economy of the 21st Century."


And now you have seen the final result of this proud achievement by Petrobras.


QUIZ:

1. How many lives were lost to this cost saving effort and how did this impact the environment, needlessly?
2. Did the person giving this speech or anyone in upper management connected with this decision lose their job/bonus?
3. How much did Petrobras really save?
4. Does your company feel the same way about QA? If so, you’d better know how to swim.


A Working Definition of Cloud Computing

• Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
• This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.


What is Cloud Computing?

5 Key Characteristics

[Figure: five numbered characteristics: Broad network access, Resource pooling, On-demand self service, Measured Service, Rapid Elasticity. Captions in the figure: "anywhere / any device", "renting takes minutes", "conserve resources", "rent it in any quantity", "reduces cost"]


3 Cloud Service Models

• Cloud Software as a Service (SaaS)

– Use provider’s applications over a network

• Cloud Platform as a Service (PaaS)

– Deploy customer-created applications to a cloud

• Cloud Infrastructure as a Service (IaaS)

– Rent processing, storage, network capacity, and other fundamental computing resources

• To be considered “cloud” they must be deployed on top of cloud infrastructure that has the key characteristics


4 Cloud Deployment Models

• Private cloud

– enterprise owned or leased

• Community cloud

– shared infrastructure for specific community

• Public cloud

– Sold to the public, mega-scale infrastructure

• Hybrid cloud

– composition of two or more clouds


Common Cloud Characteristics

• Cloud computing often leverages:

– Massive scale

– Homogeneity

– Virtualization

– Resilient computing

– Low cost software

– Geographic distribution

– Service orientation


The NIST Cloud Definition Framework

• Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds
• Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
• Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
• Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security


What are the issues?

• Security & Privacy

• Network Access

• Interoperability/Portability

• Lifecycle Costs, Architectural Considerations

• Compliance

• Service Level Agreements

• Legal

• Standards


Cloud Standards Vision

• Provide advice to industry and government for the creation and management of relevant cloud computing standards allowing all parties to gain the maximum value from cloud computing


NIST and Standards

• Promote cloud standards:

– Propose roadmaps

– Act as a catalyst

– Promote adoption of cloud standards

– Use cases, reference implementations


Cloud Standards Ideas

• Fungible clouds

– (mutual substitution of services)

– Data and customer application portability

– Common interfaces, semantics, programming models

– Federated security services

– Vendors compete on effective implementations

• Enable and foster value add on services

– Advanced technology

– Vendors compete on innovative capabilities


A proposal: Standards Roadmap

• We need to define minimal standards
– Enable secure cloud integration, application portability, and data portability
– Avoid over specification that will inhibit innovation
– Separately address different cloud models


Towards the Creation of a Roadmap (I)

• Thoughts on standards:
– Usually more service lock-in as you move up the SPI stack (IaaS->PaaS->SaaS)
– IaaS is a natural transition point from traditional enterprise datacenters
• Base service is typically computation, storage, and networking
– The virtual machine is the best focal point for fungibility
– Security and data privacy concerns are the two critical barriers to adopting cloud computing


Towards the Creation of a Roadmap (II)

• Result:
– Focus on an overall IaaS standards roadmap as a first major deliverable
– Research PaaS and SaaS roadmaps as we move forward
– Provide visibility, encourage collaboration in addressing these standards as soon as possible
– Identify common needs for security and data privacy standards across IaaS, PaaS, SaaS


A Roadmap for IaaS

• Needed standards

– VM image distribution (e.g., DMTF OVF)

– VM provisioning and control (e.g., EC2 API)

– Inter-cloud VM exchange (e.g., ??)

– Persistent storage (e.g., Azure Storage, S3, EBS, GFS, Atmos)

– VM SLAs (e.g., ??) – machine readable

• uptime, resource guarantees, storage redundancy

– Secure VM configuration (e.g., SCAP)


A Roadmap for PaaS and SaaS

• More difficult due to proprietary nature

• A future focus for NIST

• Standards for PaaS could specify

– Supported programming languages

– APIs for cloud services

• Standards for SaaS could specify

– SaaS-specific authentication / authorization

– Formats for data import and export (e.g., XML schemas)

– Separate standards may be needed for each application space


Security and Data Privacy Across IaaS, PaaS, SaaS

• Many existing standards

• Identity and Access Management (IAM)

– IdM federation (SAML, WS-Federation, Liberty ID-FF)

– Strong authentication standards (HOTP, OCRA, TOTP)

– Entitlement management (XACML)

• Data Encryption (at-rest, in-flight), Key Management

– PKI, PKCS, KEYPROV (CT-KIP, DSKPP), EKMI

• Records and Information Management (ISO 15489)

• E-discovery (EDRM)


Security Relevant Cloud Components

• Cloud Provisioning Services
• Cloud Data Storage Services
• Cloud Processing Infrastructure
• Cloud Support Services
• Cloud Network and Perimeter Security
• Identity Management, Crypto/Key Management, Compliance, etc.
• Elastic Elements: Storage, Processing, and Virtual Networks


Analyzing Cloud Security

• Some key issues:

– trust, multi-tenancy, encryption, compliance

• Clouds are massively complex systems that can be reduced to simple primitives that are replicated thousands of times and common functional units

• Cloud security is a tractable problem

– There are both advantages and challenges

Former Intel CEO, Andy Grove: “only the paranoid survive”


General Security Advantages

• Shifting public data to an external cloud reduces the exposure of the internal sensitive data
• Cloud homogeneity makes security auditing/testing simpler
• Clouds enable automated security management
• Redundancy / Disaster Recovery


General Security Challenges

• Trusting vendor’s security model

• Customer inability to respond to audit findings

• Obtaining support for investigations

• Indirect administrator accountability

• Proprietary implementations can’t be examined

• Loss of physical control


Security Relevant Cloud Components

• Cloud Provisioning Services
• Cloud Data Storage Services
• Cloud Processing Infrastructure
• Cloud Support Services
• Cloud Network and Perimeter Security
• Elastic Elements: Storage, Processing, and Virtual Networks


Provisioning Service

• Advantages

– Rapid reconstitution of services

– Enables availability

• Provision in multiple data centers / multiple instances

– Advanced honey net capabilities

• Challenges

– Impact of compromising the provisioning service


Data Storage Services

• Advantages

– Data fragmentation and dispersal

– Automated replication

– Provision of data zones (e.g., by country)

– Encryption at rest and in transit

– Automated data retention

• Challenges

– Isolation management / data multi-tenancy

– Storage controller

• Single point of failure / compromise?

– Exposure of data to foreign governments


Cloud Processing Infrastructure

• Advantages

– Ability to secure masters and push out secure images

• Challenges

– Application multi-tenancy

– Reliance on hypervisors

– Process isolation / Application sandboxes


Cloud Support Services

• Advantages

– On demand security controls (e.g., authentication, logging, firewalls…)

• Challenges

– Additional risk when integrated with customer applications

– Needs certification and accreditation as a separate application

– Code updates


Additional Issues

• Issues with moving PII and sensitive data to the cloud

– Privacy impact assessments

• Using SLAs to obtain cloud security

– Suggested requirements for cloud SLAs

– Issues with cloud forensics

• Contingency planning and disaster recovery for cloud implementations

• Handling compliance

– FISMA

– HIPAA

– SOX

– PCI

– SAS 70 Audits


Secure Migration Paths for Cloud Computing


The ‘Why’ and ‘How’ of Cloud Migration

• There are many benefits that explain why to migrate to clouds
– Cost savings, power savings, green savings, increased agility in software deployment
• Cloud security issues may drive and define how we adopt and deploy cloud computing solutions


Balancing Threat Exposure and Cost Effectiveness

• Private clouds may have less threat exposure than community clouds which have less threat exposure than public clouds.
• Massive public clouds may be more cost effective than large community clouds which may be more cost effective than small private clouds.
• Don’t strong security controls mean that I can adopt the most cost effective approach?


Cloud Migration and Cloud Security Architectures

• Clouds typically have a single security architecture but have many customers with different demands
– Clouds should attempt to provide configurable security mechanisms
• Organizations have more control over the security architecture of private clouds followed by community and then public
– This doesn’t say anything about actual security
• Higher sensitivity data is likely to be processed on clouds where organizations have control over the security model


Putting it Together

• Most clouds will require very strong security controls
• All models of cloud may be used for differing tradeoffs between threat exposure and efficiency
• There is no one “cloud”. There are many models and architectures.
• How does one choose?


Migration Paths for Cloud Adoption

• Use public clouds

• Develop private clouds

– Build a private cloud

– Procure an outsourced private cloud

– Migrate data centers to be private clouds (fully virtualized)

• Build or procure community clouds

– Organization wide SaaS

– PaaS and IaaS

– Disaster recovery for private clouds

• Use hybrid-cloud technology

– Workload portability between clouds


Possible Effects of Cloud Computing

• Small enterprises use public SaaS and public clouds and minimize growth of data centers
• Large enterprise data centers may evolve to act as private clouds
• Large enterprises may use hybrid cloud infrastructure software to leverage both internal and public clouds
• Public clouds may adopt standards in order to run workloads from competing hybrid cloud infrastructures


Use Cases

Use Case: a description of how groups of users and their resources may interact with one or more systems to achieve specific goals.

[Diagram: a Goal broken into alternative step sequences (Step 1, Step 2, … OR Step a, Step b, … OR Step i, Step j, …); abstract use case, add concrete details, case study]


Use Cases

Use Case: a description of how groups of users and their resources may interact with one or more cloud computing systems to achieve specific goals.

[Diagram: a Goal broken into alternative step sequences (Step 1, Step 2, … OR Step a, Step b, … OR Step i, Step j, …); abstract use case, add concrete details, case study]

Example: Parent, Student, Bank, $$


Preliminary Use Case Taxonomy for a Public Cloud (focus on IaaS)

Column headings in the figure: File/Object System Like; Job Control & Programming; Cloud-2-Cloud; Admin; Data Management

Also labelled in the figure: Portability, Interoperability, Security

• transfer data in
• transfer data out
• backup to cloud [7]
• restore from cloud [7]
• archive/preservation to cloud [7]
• SLA comparison
• info discovery [7]
• user acct mgmt
• compliance [4]
• special security [4]
• inter-cloud data transfer
• multi-hop data transfer
• storage peering [7]
• backup between clouds [7]
• cloud broker [4]
• cloud burst
• VM migration
• dynamic dispatch [5]
• fault-tolerant group
• alloc/start/stop… [1]
• queueing [1]
• horizontal scaling of data/processing
• services
• sharing access
• access by name
• access by pattern
• strong erase
• cloud drive [7] - synchronization

Note: these use cases are preliminary.

Credits: SNIA [7], aws.amazon.com [1], DMTF [4], libcloud [5], May 11 Use Case Workshop, Gaithersburg MD (first of a sequence).


File/Object System Like

[Diagrams: each use case is drawn as an exchange between Customer and Provider]

• Sharing access (Customer, Provider, other Customers, Users): data, grant-cmd
• Access by name: read /foo/bar. Compatible modes: read, write, append, truncate, chown, chmod, chgrp, …
• Access by pattern: query “pattern”, matching records. Specifying patterns, records. Access control?
• Strong erase: erase-cmd, “ok!”. Getting confidence? Zero out, multi-pass? DoD 5220-22?
• Cloud Drive: looks like a local disk, like NFS, AFS. Synchronization? Security defaults?

credit: SNIA [7]


Job Control and Programming

• Alloc/start/stop: allocate; Configure Internal resources; Configure External Resources; Manage Instances: run, restart, terminate…; deallocate. Issues: compatibility, portability…
• Queue services: upstream workers, downstream workers (thread synchronization in the large). Issues: compatibility, portability…
• Services: “services” like ordinary hosting, but with more scale, less location awareness.

credit: aws.amazon.com [1]


Cloud-2-Cloud

• Inter-cloud data transfer
– Network Scenario (Customer, Provider 1, Provider 2): request, request, Data Object
– Physical Scenario (Customer, Provider 1, Provider 2): request, request, Physical Data Container
– some issues: protection of data in transit, verification of data received, coherent naming, compatible crypto, compatible access control metadata, ownership
• Multi-hop inter-cloud data transfer
– Network Scenario (Customer, Provider 1, Provider 2): request, request, Data Object
– Physical Scenario (Customer, Provider 1, Provider 2): request, request, Physical Data Container
– same issues, and in addition: after round trip, data is still as useful


Cloud-2-Cloud (2)

• Storage peering (Provider 1, Customer, Provider 2): some client data; other client data; common policies. Need common policies for naming of data objects, access control, snapshot/cloning, etc. credit: SNIA [7]

• Backup/restore between clouds (Provider 1, Customer, Provider 2): client working data; backup data; backup; restore (an example of multi-hop). Common archival format, procedures, data protection in transit, verification, key management, … credit: SNIA [7]

• Cloud broker (Customer; broker (no resources); Provider 1 and Provider 2 (resources)): broker could provide a simple or stable interface to customers, even when providers change or have diverse APIs. credit: DMTF [4]


Cloud-2-Cloud (3)

• Cloud Burst: three numbered panels (1, 2, 3), each showing Provider and Customer Datacenter with vm1, vm2, ..., vmN; additional vmN+1, vmN+2, vmN+M. Need common policies for naming of data objects, access control, snapshot/cloning, etc.

• VM migration (suspend-resume or live) (Provider 1, Customer, Provider 2): vm1, vm2, ..., vmN. Dynamic config of networks, VM formats (e.g., OVF [6]), hypervisor diversity…


Cloud-2-Cloud (4)

• Fault-tolerant group (Customer)

• cloud access library: API over API 1, API 2, … API N; wrappers for clouds (e.g., libCloud)

• transactions, replication, concurrency control, nesting, ACID properties, byzantine? other…

• standardized fault tolerance protocols, QOS requirements, etc.

• Dynamic dispatch (Customer)

credit: libCloud [5]


Admin

• SLA comparison (Customer): SLA 1, SLA 2, SLA 3, … ?

Cloud Provider Promises: availability; remedies for failure to perform; data preservation; legal care of customer info.

Limitations: scheduled outages; force majeure events; changes to the SLA; security; service API changes.

User Promises: acceptable use policies; provided software; on-time payment.

An SLA Template? Perhaps as a prelude to more detailed terms that extend but do not contradict?

• Info Discovery: A search service that retrieves documents subpoenaed for court. Who gets notified? Who bears costs? Timeliness?

• User Acct Mgmt: A cloud customer may have his/her own customers, and a provider sometimes provides SaaS-style customer management services. How to prevent “jar’ing” of customer-customers when providers change?

credit: SNIA [7]


Admin (2)

• Compliance: Providers sometimes assert compliance with (HIPAA, PCI, Sarbanes-Oxley, FISMA) requirements. How can customers tell? credit: DMTF [4]

• Special Security: E.g., a “mono-tenancy” requirement for a customer’s workloads. How can customers specify and tell? credit: DMTF [4]


Data Management

• transfer data in

• transfer data out

• backup to cloud

• restore from cloud

• archive/preservation to cloud

Network Scenario (Provider, Customer): Data Object.

Physical Scenario (Provider, Customer): Physical Data Container.

Issues: protection in transit; verification of correct data received; correct naming; initialization of access rules; …
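The Cloud-2-Cloud and Data Management slides list verification of data received, naming, and access control metadata and ownership as open issues, and ask that data be "still as useful" after a round trip. The following Python example is added here for illustration and is not from the NIST deck: a customer seals a data object with a keyed manifest before transfer and checks it on return. The function names, manifest fields, ACL strings and key are assumptions, and confidentiality in transit (for example TLS) is out of scope.

```python
import hashlib
import hmac
import json

# Constructed sample values (assumptions, not from the slides).
KEY = b"constructed-demo-key"          # held only by the customer
DATA = b"constructed sample payload"

def _canonical(manifest):
    # Stable encoding so sender and receiver MAC identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def seal(name, owner, acl, payload, key):
    """Bind name, ownership and access rules to the payload digest."""
    manifest = {"name": name, "owner": owner, "acl": sorted(acl),
                "size": len(payload),
                "sha256": hashlib.sha256(payload).hexdigest()}
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag}

def verify(envelope, payload, key):
    """Return a list of problems; empty means the object is still as useful."""
    problems = []
    manifest = envelope.get("manifest", {})
    expected = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(envelope.get("tag", ""))):
        problems.append("metadata altered")
    if manifest.get("size") != len(payload):
        problems.append("size mismatch")
    if manifest.get("sha256") != hashlib.sha256(payload).hexdigest():
        problems.append("digest mismatch")
    return problems

def round_trip_demo():
    env = seal("/foo/bar", "customer-a", ["alice:read", "bob:write"], DATA, KEY)
    clean = verify(env, DATA, KEY)
    # Hop through a provider that drops one access rule during import.
    lossy = json.loads(json.dumps(env))
    lossy["manifest"]["acl"] = ["alice:read"]
    dropped = verify(lossy, DATA, KEY)
    # Hop that truncates the payload by one byte.
    truncated = verify(env, DATA[:-1], KEY)
    return clean, dropped, truncated

if __name__ == "__main__":
    print(round_trip_demo())
```

Because the tag covers name, owner and ACL as well as the digest, a provider that stores the bytes faithfully but rewrites ownership or access rules is caught by the same check.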


Questions?

• Tim Grance, Peter Mell, Lee Badger, Jeff Voas, Chandramouli, and Karygiannis

• NIST, Information Technology Laboratory

• Computer Security Division


References

[1] Amazon Web Services, aws.amazon.com.

[2] “Eucalyptus: A Technical Report on an Elastic Utility Computing Architecture Linking Your Programs to Useful Systems”, UCSB Computer Science Technical Report Number 2008-10.

[3] IDC Enterprise Panel, August 2008, n=244.

[4] “Interoperable Clouds, A White Paper from the Open Cloud Standards Incubator”, Distributed Management Task Force, Version 1.0, DMTF Informational, Nov. 11, 2009, DSP-IS0101.

[5] libcloud, http://incubator.apache.org/libcloud/

[6] “Open Virtualization Format Specification”, DMTF Document Number DSP0243, Version 1.0, Feb. 22, 2009.

[7] “Cloud Storage Use Cases”, Storage Network Industry Association, Version 0.5 rev 0, June 8, 2009.

[8] “Starting Amazon EC2 with Mac OS X”, Robert Sosinski, http://www.robertsosinski.com/2008/01/26/starting-amazon-ec2-with-mac-os-x/

[9] “The Eucalyptus Open-source Cloud-computing System”, D. Nurmi, R. Wolski, C. Grzegorczyk, G. Obertelli, S. Soman, L. Youseff, D. Zagorodnov, in Proceedings of Cloud Computing and Its Applications, Oct. 2008.

[10] “Ubuntu Enterprise Cloud Architecture”, S. Wardley, E. Goyer and N. Barcet, Technical White Paper, 2009, www.canonical.com
