Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC)

Post on 12-May-2015


DESCRIPTION

SAJACC description from NIST

TRANSCRIPT

1. Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC)
   Lee Badger, Tim Grance
   May 20, 2010
   Information Technology Laboratory, NIST Computer Security Division, cloudcomputing@nist.gov
   National Institute of Standards and Technology

2. Outline
   1 Brief review of clouds, and introduction to SAJACC. (15 minutes)
   2 Security issues in the cloud. (15 minutes)
   3 Preliminary Cloud Computing Use Cases. (20 minutes)
   4 Questions! (10 minutes) (more feedback?)
   Note: Any mention of a vendor or product is NOT an endorsement or recommendation.

3. 1 Brief review of clouds, and introduction to SAJACC

4. NIST Working Cloud Definition (1 of 3): 5 Key Characteristics
   1 On-demand self service: renting takes minutes
   2 Ubiquitous network access: anywhere / any device
   3 Metered use: conserve resources (figure: resources switched off / off / on)
   4 Elasticity: rent it in any quantity (figure: $ for Jan, Feb, Mar ... Dec versus $ for Jan only)
   5 Resource pooling: reduces cost

5. NIST Working Cloud Definition (1 of 3): 5 Key Characteristics
   Same slide as 4, with the added callout: where is my workload?

6. NIST Working Cloud Definition (2 of 3): 3 Deployment Models
   Control over each layer of the stack, given as Cloud Provider / Cloud Customer:
   1 Software as a Service (SaaS)
     Application (e.g., mail): Admin control / Limited Admin control
     Middleware (e.g., .Net): Total control / No control
     Operating System: Total control / No control
     Hardware: Total control / No control
   2 Platform as a Service (PaaS)
     Application: Admin control / Limited programmability
     Middleware: Total control / No control
     Operating System: Total control / No control
     Hardware: Total control / No control
   3 Infrastructure as a Service (IaaS)
     Application: No control / Total control
     Middleware: No control / Total control
     Operating System: No control / Total control
     Hypervisor: Admin control / No control
     Hardware: Total control / No control

7. NIST Working Cloud Definition (3 of 3): 4 Delivery Models
   (figure: Cloud Provider Infrastructure, Cloud Customer Data Center, management)
   1 Private
   2 Community
   3 Public
   4 Hybrid

8. A Quick Trip Through the (simplified) API
   Setting up: aws.amazon.com: create account, set password, email confirmation; PEM-encoded RSA private key; TLS; x.509 cert.
   Steady state (simplified):
   • Configure / Manage storage: RegisterImage, DeregisterImage
   • Configure / Manage keypairs: CreateKeyPair (use to talk with new VMs)
   • IP addresses (routable)
   • Instances: run, reboot, terminate
   • query
   Every operation digitally signed. Every key pair public key stored in the cloud infrastructure.
   Credit: [8], aws.amazon.com [1]

9. Important Cloud Computing Requirements
   • interoperability: clouds work together
   • portability: workloads can move around
   • security: customer workloads protected (to the extent possible)
   Well-formulated standards could help, but...

10. Standards Creation is Time Consuming
   Critical features (interoperability, portability) require high quality, mature standards.
   But standards development is a consensus-oriented process: often years to complete. Even longer for international standards.

11. Shorter Term Standards Effort
   Until standards mature: What is needed is a process to test important cloud system requirements --- NIST will provide that.
   (figure: Portable, Interoperable, Secure (as possible), around SAJACC: Standards Acceleration Jumpstarting Adoption of Cloud Computing)

12. SAJACC Communication Strategy
   NIST will deploy and populate the NIST Cloud Standards Portal.
   (figure: NIST Cloud Standards Portal: Use Cases, Specifications, Validated Reference Implementations; Standards Development Organizations; Community Outreach; standards)
   Populate a web portal that distributes cloud specifications and reference implementations that are:
   • Known to work for critical use cases (e.g., interoperability, portability, bulk data transfer).
   • Can be easily used by cloud service providers and consumers.
   • Provide a basis for innovation, i.e. are extensible. Enables future innovation.

13. Populating the Portal
   (figure: NIST Cloud Standards Portal: Use Cases, Specifications, Validated Reference Implementations)
   Three complementary activities, all performed in collaboration with other agencies and standards development organizations:
   (1) NIST inserts existing standards and de-facto interfaces as specifications. NIST identifies and validates specifications using use cases.
   (2) Organizations contribute open specifications. NIST receives and coordinates the prioritization of specifications, and validates using use cases.
   (3) NIST identifies gaps in cloud standards (and specifications) and publishes the gaps on the portal: produces opportunity for outside organizations to fill them.

14. (1) NIST Inserts Existing Standards and De-facto Interfaces
   (figure: 1 Initial Use Cases, provided by Gov.; 2 Legacy specifications, identified by Gov.; 3 Proposed Reference Implementations; 4 Government-run Validation Exercises: Spec 1 / Test 1, Spec 2 / Test 2, ..., Spec n / Test n, generate test cases; Success? yes: NIST Cloud Standards Portal: Use Cases, Validated Specifications, Reference Implementations)
   • specifications, use cases: provide insight on how clouds can work
   • reference implementations: enable validation exercises
   • continuously growing portal: new content added over time
   • publicly available: anyone can access

15. (2) Organizations Contribute Open Specifications
   (figure: as in slide 14, with step 3 now Organization-submitted specifications alongside Proposed Reference Implementations)
   • continuously growing portal: new content added over time
   • publicly available: anyone can access or submit

16. 2 Security issues in the cloud.

17. Security is a Major Issue [3]
   (figure only)

18. What is Security?
   Traditionally, approximately:
   • confidentiality: your data not leaked
   • integrity: your data or system not corrupted
   • availability: your system keeps running
   What does this mean in the cloud? (without user physical control)
   Some issues:
   • with dynamically changing infrastructure
   • secure access to the cloud
   • protecting different users from one another

19. Analyzing Cloud Security
   Some key issues: trust, multi-tenancy, encryption, compliance
   Clouds are massively complex systems that can be reduced to simple primitives that are replicated thousands of times and common functional units
   Cloud security is a tractable problem
   There are both advantages and challenges
   Former Intel CEO, Andy Grove: only the paranoid survive

20. General Security Advantages
   • Shifting public data to an external cloud reduces the exposure of the internal sensitive data
   • Cloud homogeneity makes security auditing/testing simpler
   • Clouds enable automated security management
   • Redundancy / Disaster Recovery

21. General Security Challenges
   • Trusting vendor's security model
   • Customer inability to respond to audit findings
   • Obtaining support for investigations
   • Indirect administrator accountability
   • Proprietary implementations can't be examined
   • Loss of physical control

22. Data Storage Services
   Advantages:
   • Data fragmentation and dispersal
   • Automated replication
   • Provision of data zones (e.g., by country)
   • Encryption at rest and in transit
   • Automated data retention
   Challenges:
   • Isolation management / data multi-tenancy
   • Storage controller: single point of failure / compromise?
   • Exposure of data

23. Cloud Processing Infrastructure
   Advantages:
   • Ability to secure masters and push out secure images
   Challenges:
   • Application multi-tenancy
   • Reliance on hypervisors
   • Process isolation / Application sandboxes

24. Additional Issues
   • Issues with moving sensitive data to the cloud: Privacy impact assessments; Risk assessment
   • Contingency planning and disaster recovery for cloud implementations
   • Using SLAs to obtain cloud security: Suggested requirements for cloud SLAs
   • Issues with cloud forensics
   • Handling compliance: FISMA, HIPAA, SOX, PCI, SAS 70 Audits

25. Putting it Together
   • Most clouds will require very strong security controls
   • All models of cloud may be used for differing tradeoffs between threat exposure and efficiency
   • There is no one cloud. There are many models and architectures.
   • How does one choose?

26. 3 Use Cases to drive portability, interoperability, security in clouds

27. Use Cases
   Use Case: a description of how groups of users and their resources may interact with one or more systems to achieve specific goals.
   (figure: Goal; abstract use case: Step 1, Step 2, ...; add concrete details; case study: Step a OR Step I, Step b OR Step j, ...)

28. Use Cases
   Use Case: a description of how groups of users and their resources may interact with one or more cloud computing systems to achieve specific goals.
   (figure: as in slide 27)
   Example: Parent, $, Bank, $, Student

29. Preliminary Use Case Taxonomy for a Public Cloud (focus on IaaS)
   Column headings: Portability, Interoperability, Security. Use case groups:
   • Data Management: transfer data in; transfer data out; backup to cloud [7]; restore from cloud [7]; archive/preservation
   • File/Object System Like: sharing access; access by name; access by pattern; strong erase; cloud drive [7]
   • Job Control & Programming: alloc/start/stop [1]; queueing [1]; horizontal scaling of data/processing; synchronization services; dynamic dispatch [5]; fault-tolerant group
   • Cloud-2-Cloud: inter-cloud data transfer; multi-hop data transfer; storage peering [7]; backup between clouds [7]; cloud broker [4]; cloud burst to cloud [7]; VM migration
   • Admin: SLA comparison; info discovery [7]; user Acct mgmt; compliance [4]; special security [4]
   Note: these use cases are preliminary. Credits: SNIA [7], aws.amazon.com [1], DMTF [4], libcloud [5]

30. File/Object System Like
   Sharing access: (figure: Customer, Provider, data, grant cmd, other Customers, Users; steps 1 and 2)
   Access by name: Customer sends read /foo/bar to Provider; Provider returns data. Compatible modes: read, write, append, truncate, chown, chmod, chgrp
   Access by pattern: Customer sends query pattern to Provider; Provider returns data. Specifying pa