FlexCloud: Reliable and Secure Cloud Overlay Infrastructures

Department of Computer Science | Institute of Systems Architecture | Chair of Computer Networks FlexCloud: Reliable and Secure Cloud Overlay Infrastructures 2013 Prof. Dr. Alexander Schill

Upload: jasper-daniel

Post on 31-Dec-2015


DESCRIPTION

FlexCloud: Reliable and Secure Cloud Overlay Infrastructures. Prof. Dr. Alexander Schill. 2013. Outline: Cloud Computing … What is it all about? Problems. π-Box: Building your personal secure cloud. π-Data Controller: Secure Cloud Storage. Conclusion & Future Work.

TRANSCRIPT

Page 1: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

Department of Computer Science | Institute of Systems Architecture | Chair of Computer Networks

FlexCloud: Reliable and Secure Cloud Overlay Infrastructures

2013

Prof. Dr. Alexander Schill

Page 2: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 3

Cloud Computing …

• What is it all about?

• Problems

• π-Box: Building your personal secure cloud

• π-Data Controller: Secure Cloud Storage

• Conclusion & Future Work

Outline

Page 3: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 4

The shape of a cloud …

… is in the eye of the beholder.

IaaS/PaaS*: Cloud Operating System, part of Azure Platform

PaaS*: Development and hosting of web applications

SaaS/PaaS*: Business cloud services focussing on customer relationship management

IaaS*: Migration of virtual machines between private and public clouds

SaaS*: Customized applications for business and home user, based on Google App Engine, e.g. collaboration tools

* SaaS = Software as a Service, PaaS = Platform as a Service, IaaS = Infrastructure as a Service

Page 4: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 5

Cloud Computing Characteristics

Cloud Computing is the on-demand and pay-per-use application of virtualised IT services over the Internet.

• On-demand self service

• Broadband network access

• Resource pooling

• Measured and optimized service

• Rapid elasticity

Adopted from the NIST Definition of Cloud Computing [MeGr2011]

Page 5: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 6

Service & Deployment Models

Software Services (SaaS)

Platform Services (PaaS)

Infrastructure Services (IaaS)

User Interface Machine Interface

Components Services

Compute Network Storage

User/Clients

Adopted from [MeGr2011] and [BKNT2010]

Cloud Architecture Stack

Public

Hybrid

Private

Community

Convenience

User Control

Cloud Organization

Physical Resource Set (PRS)

Virtual Resource Set (VRS)

Programming Environment

Execution Environment

Applications Services

Applications

Page 6: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 7

Cloud Computing …

• What is it all about?

• Problems

• π-Box: Building your personal secure cloud

• π-Data Controller: Secure Cloud Storage

• Conclusion & Future Work

Page 7: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 8

Reliability and security when giving up physical possession

> Failure of monocultures

> Cloud providers' trustworthiness

> Staying in control

Problems of Cloud Computing

Page 8: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 9

FlexCloud Objectives

π-Cloud: Establishing a secure cloud computing life cycle

Hybrid cloud platform to integrate a user's (cloud) resources, services and data.

> Unified Cloud: Prevent vendor lock-in + integration of existing IT

> Secure Cloud: Ensure data privacy and security

> Managed Cloud: Keep the user in command

> Efficient Cloud: Adapt to user preferences and cloud's vital signs

Page 9: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 10

Cloud Computing …

• What is it all about?

• Problems

• π-Box: Building your personal secure cloud

• π-Data Controller: Secure Cloud Storage

• Conclusion & Future Work

Page 10: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 11

Subsume all end devices within a Personal Secure Cloud (π-Cloud) controlled by the π-Box.

π-Cloud

π-Box

FlexCloud's Approach

Page 11: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 13

Analysis of structured, unstructured data and context information

PKI

π-Cloud

?

Document classification concerning security requirements.

Addressee identification and derivation of respective keys.

Transparent Encryption

Page 12: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 15

Cloud Computing …

• What is it all about?

• Problems?

• π-Box: Building your personal secure cloud

• π-Data Controller: Secure Cloud Storage

• Conclusion & Future Work

Page 13: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 16

Increasing Availability: from RAID to RAIC

RAID: Redundant Array of Independent Disks

• Unreliable, low quality hard disk

• Integration Layer: Logical partition

• Preprocessing Layer: RAID level redundancy routine (mirror, stripe, …)

• Transport Layer: Block resources

• Reliable disk storage

RAIC: Redundant Array of Independent Clouds

• Unreliable, proprietary and insecure cloud storage

• Integration Layer: Versioning, Distributed file system, Web access

• Preprocessing Layer: Fragment level transformation (e.g. encryption), File level transformation (e.g. compression), Dispersal routine

• Transport Layer: Caching, Local persistence, Provider Storage API adapter

• Reliable, universal and secure cloud storage

Page 14: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 17

π-Data Controller

π-Cloud = Company Intranet

[Figure components: Cloud Storage Protocol Adapter, Shared Folder, Meta Data, File Dispersion, Cryptography]

Secure Cloud Storage Integrator for Enterprises (System Architecture)

Protocols shown in the figure: WebDAV, HTTP, API, FTP, CIFS

Page 15: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 18

π-Data Controller

π-Cloud = Company Intranet

[Figure components: Cloud Storage Protocol Adapter, Shared Folder, Meta Data, File Dispersion, Cryptography]

Storing Files (1/5)

Page 16: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 19

• Technology: FUSE (Filesystem in Userspace)

• CIFS/SMB network share on proxy file server

• Unified user interface for arbitrary cloud storage services

• Utilizing CIFS access control mechanisms

User space

Kernel

VFS

FUSE

NFS

Ext3

ls - /tmp/fuse

./xmp /tmp/fuse

glibc

libfuse

CIFS = Common Internet File System; NFS = Network File System; Ext3 = Third Extended File System; SMB = Server Message Block; FUSE = Filesystem in Userspace; VFS = Virtual File System; glibc = GNU C library

Implementation of the Shared Folder

Page 17: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 20

π-Data Controller

π-Cloud = Company Intranet

[Figure components: Cloud Storage Protocol Adapter, Shared Folder, Meta Data, File Dispersion, Cryptography]

Storing Files (2/5)

Page 18: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 21

Ensure availability despite unreliable cloud storage providers …

n: total # of shares a file is split into

k: threshold, i.e. # of necessary shares to reconstruct

E.g. k=6, n=8

If k < n, we need redundant information.

File Dispersion

Page 19: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 22

Objective: Divide a secret in shares with

1. Knowledge of any or more shares makes easily computable.

2. Knowledge of any or fewer shares leave completely undetermined (in the sense that all its possible values are equally likely).

Input:

$s_1, s_2, \ldots, s_n$

Dealer

Share holders store

Sharing

… Share holders

Reconstructor

Reconstruction

Output:

$s_{i_1}, s_{i_2}, \ldots, s_{i_k}$

Secret Sharing aka Threshold Schemes

Page 20: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 23

[Source: http://goo.gl/watJC]

Secret Sharing: An informal example with 2 shares

Visual Cryptography [NaSh1994]

Simplification: n = k = 2

Secret cannot be determined independently!

… revealed!

Page 21: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 24

Shamir's scheme [Shamir1979]

Idea: It takes k points to define a polynomial of degree k-1.

Sharing: Let $a_0 := s \in S$ be the secret to be shared, where $S$ is an infinite field known to all share holders. Randomly choose (k-1) coefficients $a_1, a_2, \ldots, a_{k-1} \in S$ to build $f(x) := \sum_{i=0}^{k-1} a_i \cdot x^i$.

Calculate shares $s_j := [j, f(j)]$ with $j \in \mathbb{N}_n$.

Recovering: Use Lagrange interpolation to find the coefficients of the polynomial, including the constant term $a_0$.

s1

s2

Secret Sharing: More formalism

s3

Graphics taken from Wikipedia.

s

Blakley's scheme [Blakley1979]

Idea: Any n nonparallel n-dimensional hyper-planes intersect at a specific point.

Sharing: Encode the secret as any single coordinate of the point of intersection.

Recovering:
1. Calculating the planes' point of intersection.
2. Take a specified coordinate of that intersection.

Example: n≥3, k=3

1 share available 2 shares available 3 shares available
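Shamir's sharing and Lagrange recovery as described on this slide, as an added Python example that is not part of the original slides. It assumes arithmetic modulo the Mersenne prime 2^521 − 1 (a finite prime field, so that coefficients can be sampled uniformly); `split`, `recover` and the sample key are names and data introduced for this example, with n=6, k=3 as on the retrieval slides.

```python
import secrets

# Assumption of this example: all arithmetic is in the prime field GF(P).
P = 2**521 - 1  # Mersenne prime; secrets must be integers below P

def split(secret: int, k: int, n: int) -> list:
    """Dealer: return n shares s_j = (j, f(j)); any k of them recover the secret."""
    if not (1 <= k <= n < P and 0 <= secret < P):
        raise ValueError("need 1 <= k <= n < P and 0 <= secret < P")
    # a_0 is the secret; a_1 .. a_{k-1} are uniformly random coefficients.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for j in range(1, n + 1):
        y = 0
        for a in reversed(coeffs):  # Horner's rule for f(j) = sum a_i * j^i
            y = (y * j + a) % P
        shares.append((j, y))
    return shares

def recover(shares: list) -> int:
    """Reconstructor: Lagrange interpolation evaluated at x = 0 yields a_0."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xj, yj in shares:
        num, den = 1, 1
        for xm in xs:
            if xm != xj:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        # pow(den, -1, P) is the modular inverse of the denominator
        secret = (secret + yj * num * pow(den, -1, P)) % P
    return secret

if __name__ == "__main__":
    key = int.from_bytes(b"constructed sample key", "big")  # constructed input
    shares = split(key, k=3, n=6)
    print(recover(shares[:3]) == key)                         # any 3 shares
    print(recover([shares[5], shares[1], shares[3]]) == key)  # order is irrelevant
    print(recover(shares[:2]) == key)                         # below threshold
```

With fewer than k shares the interpolation still returns a field element, but it is unrelated to the secret, so callers have to enforce the threshold from the stored dispersion parameters rather than rely on an error.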

Page 22: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 25

Information Dispersal: Computationally secure secret sharing

Rabin's scheme [Rabin1989]

• Guarantees only availability but no secrecy.

• Construction: Be where , i.e. . Rest as with Shamir's secret sharing.

• Properties
  • With a polynomial and shares of the same size as before, we can now share a value times as long as before.
  • Length of each share is only -th of the length of the secret, and if shares must be sufficient for reconstruction, one can obviously not get shorter. ➔ Space optimal
  • However, one might gain some information if he gets access to several shares. ➔ Computationally secure

More efficient information dispersal schemes

• Need to be maximum distance separable to use arbitrary shares for reconstruction.

• Examples: Cauchy-Reed-Solomon, Liberation, Blaum-Roth [PSS2008]

Page 23: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 26

π-Data Controller

π-Cloud = Company Intranet

[Figure components: Cloud Storage Protocol Adapter, Shared Folder, Meta Data, File Dispersion, Cryptography]

Storing Files (3/5)

Page 24: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 27

[Figure: four parallel paths, each labelled "AES-CBC" and "+ SHA256"]

Cryptography: Confidentiality & Integrity

Page 25: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 28

π-Data Controller

π-Cloud = Company Intranet

[Figure components: Cloud Storage Protocol Adapter, Shared Folder, Meta Data, File Dispersion, Cryptography]

Storing Files (4/5)

Page 26: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 29

π-Data Controller

π-Cloud = Company Intranet

[Figure components: Cloud Storage Protocol Adapter, Shared Folder, Meta Data, File Dispersion, Cryptography]

Storing Files (5/5)

Stored Meta Data per component

• Shared Folder: General file system information, e.g. file size, access rights …

• File Dispersion: Used dispersion algorithm/parameters (n, k), shares' locations

• Cryptography: Used cryptographic keys and calculated checksums per share

• Cloud Storage Protocol Adapter: Storage protocol parameters and provider login data
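How the per-share checksums and the (n, k) parameters in this meta data can gate retrieval, as an added Python example that is not the project's own code. The record layout, the function names and the provider names are assumptions of this example, and the share contents are constructed placeholders.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def select_valid_shares(meta: dict, fetched: dict):
    """Return (first k verified (index, bytes) shares, {location: rejection reason})."""
    valid, rejected = [], {}
    for entry in meta["shares"]:
        loc = entry["location"]
        blob = fetched.get(loc)
        if blob is None:
            rejected[loc] = "unavailable"
        elif not hmac.compare_digest(sha256_hex(blob), entry["sha256"]):
            rejected[loc] = "checksum mismatch"
        else:
            valid.append((entry["index"], blob))
    # Refuse to reconstruct from fewer than k verified shares.
    if len(valid) < meta["k"]:
        raise RuntimeError(f"{len(valid)} verified shares, {meta['k']} required")
    return valid[: meta["k"]], rejected

def build_sample():
    """Constructed data: six stored shares, one provider down, one share altered."""
    stored = {f"provider-{i}": f"share-{i}-ciphertext".encode() for i in range(1, 7)}
    meta = {"n": 6, "k": 3, "shares": [
        {"index": i, "location": loc, "sha256": sha256_hex(blob)}
        for i, (loc, blob) in enumerate(stored.items(), start=1)]}
    fetched = dict(stored)
    fetched["provider-2"] = None                      # provider unreachable
    fetched["provider-4"] = b"share-4-ciphertext-XX"  # modified in storage
    return meta, fetched

if __name__ == "__main__":
    meta, fetched = build_sample()
    shares, rejected = select_valid_shares(meta, fetched)
    print([i for i, _ in shares], rejected)
```

The check is only as trustworthy as the meta data store holding the checksums, which is why the slides list securing the meta data database as future work.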

Page 27: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 30

π-Data Controller

π-Cloud = Company Intranet

[Figure components: Cloud Storage Protocol Adapter, Shared Folder, Meta Data, File Dispersion, Cryptography]

Retrieving Files (1/3)

Dispersion parameters: n=6

Page 28: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 31

π-Data Controller

π-Cloud = Company Intranet

[Figure components: Cloud Storage Protocol Adapter, Shared Folder, Meta Data, File Dispersion, Cryptography]

Retrieving Files (2/3)

Dispersion parameters: n=6, k=3

Page 29: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 32

π-Data Controller

π-Cloud = Company Intranet

[Figure components: Cloud Storage Protocol Adapter, Shared Folder, Meta Data, File Dispersion, Cryptography]

Retrieving Files (3/3)

Page 30: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 33

[SGS2011] web interface for π-Cockpit

[SBM+2011] π-Cockpit desktop application

ResUbic Cloud Storage Allocator for Cyber Physical Systems

Prototype Implementation

Page 31: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 34

Performance Evaluation Upload

Towards User Centric Data Governance and Control in the Cloud

Test case | π-Box used | # local storage | # cloud storage | # encrypted shares
1         | No         | 0               | 1               | 0
2         | Yes        | 0               | 1               | 0
3         | Yes        | 8               | 0               | 0
4         | Yes        | 4               | 4               | 4
5         | Yes        | 0               | 8               | 8

File size: 24 MB; Dispersion parameters: n=8, k=6; Cryptography parameters: AES (256 bit, 14 iterations), SHA256; Network Up/Downlink: 10/20 Mbit/s

Page 32: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 35

Performance Evaluation Download

Towards User Centric Data Governance and Control in the Cloud

Test case | π-Box used | # local storage | # cloud storage | # encrypted shares
1         | No         | 0               | 1               | 0
2         | Yes        | 0               | 1               | 0
3         | Yes        | 8               | 0               | 0
4         | Yes        | 4               | 4               | 4
5         | Yes        | 0               | 8               | 8

File size: 24 MB; Dispersion parameters: n=8, k=6; Cryptography parameters: AES (256 bit, 14 iterations), SHA256; Network Up/Downlink: 10/20 Mbit/s

Page 33: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 37

Cloud Computing …

• What is it all about?

• Problems?

• π-Box: Building your personal secure cloud

• π-Data Controller: Secure Cloud Storage

• Conclusion & Future Work

Page 34: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 38

Results so far & future work (π-Data Controller)

• Integration of existing cloud storage services (Cloud-of-Clouds)

• Proxy server for transparent mediation ➔ easy to use for end-user, common scheme for enterprises

• Good performance, high security & data control for the user

• Data store for database system (block-based dispersion)

• Collaboration scenarios, file sharing, access by external entities

• Securing the meta data database

• Automatic classification of data

• Improving performance, e.g. scheduling algorithms, caching/prefetching, parallelization

• Optimized cloud storage

Page 35: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 40

Towards a secure cloud life cycle

Cloud Adaption and Optimization

• Strategies for the compensation of SLA violations

• Strategies for minimization of energy consumption

• Mechanisms for the visualization of complex Cloud Monitoring data

Fine-grained Service Level Agreements

• Methods to determine fine-grained non-functional properties of Cloud Services

• Identification of assets and corresponding requirements

• Deduction of monitoring targets from SLAs

Cloud Surveillance and Incident Detection

• Specification of monitoring targets and SLA violations

• Models for the proactive recognition of SLA violations and the evaluation of a Cloud's energy efficiency

• Mechanisms for reliable distributed Monitoring

Dynamic Provider Selection and Cloud Setup

• Flexible distribution mechanisms for Cloud Platforms

• Strategies for the performance optimization of Cloud Applications

• Reputation consideration to improve reliability and trustworthiness

Page 36: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 41

Tomorrow's forecast: still cloudy but sunny spots

Contact: [email protected]@tu-dresden.de

http://flexcloud.eu/

Page 37: FlexCloud : Reliable and Secure    Cloud  Overlay Infrastructures

# 42

References

[BKNT2010] C. Baun, M. Kunze, J. Nimis and S. Tai: Cloud Computing. Web-basierte dynamische IT-Services. Springer Verlag, 2010.

[Blakley1979] G. R. Blakley: Safeguarding cryptographic keys; AFIPS Conference Proceedings Vol. 48, National Computer Conference (NCC) 1979, 313-317.

[MeGr2011] P. Mell and T. Grance: The NIST Definition of Cloud Computing. NIST Special Publication 800-145, September 2011.

[NaSh1994] M. Naor and A. Shamir: Visual Cryptography. Eurocrypt 94.

[PSS2008] J. S. Plank, S. Simmerman, C. D. Schuman: Jerasure: A Library in C/C++ Facilitating Erasure Coding for Storage Applications – Version 1.2. Technical Report CS-08-627, University of Tennessee, 2008.

[Rabin1989] M. O. Rabin: Efficient Dispersal of Information for Security, Load Balancing, and Fault Tolerance; Journal of the ACM 36/2 (1989) 335-348.

[SBM+2011] J. Spillner, G. Bombach, S. Matthischke, R. Tzschicholz, and A. Schill: Information Dispersion over Redundant Arrays of Optimal Cloud Storage for Desktop Users. In: IEEE International Conference on Utility and Cloud Computing. Melbourne, Australia, December 2011.

[SGS2011] R. Seiger, S. Groß, and A. Schill: A Secure Cloud Storage Integrator for Enterprises. In: International Workshop on Clouds for Enterprises. Luxembourg, September 2011.

[Shamir1979] A. Shamir: How to Share a Secret; Communications of the ACM 22/11 (1979) 612-613.