The New Challenges of Cloud Security
Dr. Eduardo Solana
Centre Universitaire d’Informatique, Université de Genève
3 May 2016
Definitions
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. (NIST, September 2011)
Cloud computing, also on-demand computing, is a kind of Internet-based computing that provides shared processing resources and data to computers and other devices on demand. It is a model for enabling ubiquitous, on-demand access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services), which can be rapidly provisioned and released with minimal management effort. (Wikipedia, May 2016)
Cloud Advantages
• Elasticity - Resources are dynamically assigned on a per-demand basis
• Scalability - Easy to adapt to changing business demand
• Efficiency - Don’t buy under-utilized computers anymore... Get what you need!
• Ubiquity - Computing resources adapt to the business/human environment and not the other way around
• Rapidity - Get your business applications running faster
• Improved manageability - Cloud provider takes care of the hassle (deployment, configuration, updates, patches, support, etc.)
• Cost efficiency - Reduce IT spending, pay-as-you-use
• Green! - Better energy utilization
These are NOT absolute statements!
Delivery Models and Accountability
Who is accountable for?
Old and New Topologies
Source: http://www.cloudsecurityalliance.org
Old and New Risks
Source: http://www.cloudsecurityalliance.org
Everything as a Service...
Infrastructure as a Service - Platform as a Service
Software as a Service - Application as a Service
Storage as a Service - Network as a Service - Database as a Service
ERP as a Service - Directory as a Service
Security as a Service - Secure Storage as a Service
Encryption as a Service - Identity Management as a Service
Authentication as a Service - Key Management as a Service
But also...:
Hacking as a Service - Crime as a Service - Cybercrime as a Service - Malware as a Service...
La Rendición de Breda - Diego Velázquez (1634)
Dealing with Encryption
• Cloud provider hosts the keys of the kingdom
• Data, algorithms and processes available to hosting environment
• Encryption may only apply to data at rest.
Solution: Working in Encrypted Environments...
Craig Gentry (2009) proves its feasibility!
Homomorphic Cryptography
Homomorphic: from Ancient Greek, “same shape”.
Mathematically, a homomorphism is a transformation between two sets that preserves relations between elements.
Simplified example applied to cryptography: if we concatenate data in the plainspace domain, data remains concatenated in the cipherspace domain (concatenation is preserved by encryption):
[Figure: blocks A and B, concatenated in the plainspace, are mapped by encryption to blocks A and B concatenated in the cipherspace.]
Cryptography in the Cloud: Where are we now?
• Searchable encryption on untrusted servers:
  • Non-homomorphic, but prevents the download-then-decrypt approach.
  • Mainly based on encrypted indexes.
  • Protects query and query results.
  Addresses the data-at-rest issue but does not protect the execution environment
• Partial homomorphic encryption (PHE) results in tangible solutions available with today’s algorithms:
  • Homomorphic searches (as an alternative to encrypted index techniques).
  • Limited data mining: computing (simple) statistics on data in the cipherspace, such as means, standard deviation, etc.
  • Homomorphism-based commercial solutions for key management prevent secret key disclosure in the cipherspace.
  • Other applications such as electronic voting and video processing.
  Addresses data in execution with limited functionality
Fully homomorphic solutions still impractical (today...).
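Added example (not part of the original slides): the "limited data mining" bullet above, a mean computed in the cipherspace, shown with the Paillier cryptosystem, an additively homomorphic PHE scheme chosen here for illustration since the slides name no scheme. The function names, the toy primes and the sample figures are constructed assumptions.

```python
import math
import secrets

# Toy primes (2^31-1 and 2^61-1), constructed for this example only;
# real Paillier keys use a modulus n of 2048 bits or more.
P, Q = 2**31 - 1, 2**61 - 1

def keygen(p=P, q=Q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # valid because the generator is g = n + 1
    return n, (lam, mu)   # public key n, private key (lam, mu)

def encrypt(n, m):
    """E(m) = (1+n)^m * r^n mod n^2 with a fresh random r (probabilistic)."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return pow(n + 1, m, n * n) * pow(r, n, n * n) % (n * n)

def decrypt(n, priv, c):
    lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

def server_sum(n, ciphertexts):
    """Runs on the untrusted host: needs only n, never the private key.
    Multiplying ciphertexts mod n^2 adds the hidden plaintexts mod n."""
    acc = 1
    for c in ciphertexts:
        acc = acc * c % (n * n)
    return acc

def encrypted_mean(values):
    n, priv = keygen()
    uploaded = [encrypt(n, v) for v in values]    # client encrypts, uploads
    c_sum = server_sum(n, uploaded)               # cloud computes blindly
    return decrypt(n, priv, c_sum) / len(values)  # client decrypts the sum

if __name__ == "__main__":
    salaries = [52000, 61000, 48500, 75000]       # constructed sample data
    print(encrypted_mean(salaries))
```

Only addition is available on ciphertexts here, which is the "limited functionality" the slide refers to: the division by the count happens on the client after decryption.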
The Holy Grail: Running an Encrypted Virtual Machine
• Full protection of the execution environment
• No risk of interference from other guest VMs
• No access to confidential data inside the Encrypted VM by the cloud provider operator
• Algorithms also kept confidential!
• Side-channel attacks provide only access to encrypted memory zones. No possible inference on secret keys
Not there in the foreseeable future (10 years...?)
Thank you!