On the Security of Data Stored in the Cloud
SecureCloud 2012, 9-10 May
Dr Theo Dimitrakos, Head of Security Architectures Research, Security Futures Practice, BT Innovate & Design
Dr Srijith Nair, Senior Researcher, Security Futures Practice, BT Innovate & Design
Contact: {srijith.nair,theo.dimitrakos}@bt.com
Overview: Secure Cloud Data Hosting (VDC enhancement)
• The usage control of cloud storage is offered as a service
• Customer in control of connection, protection and access to secure virtual storage
• Keys and policy server are off the cloud data host
• Decryption only possible when data is used in a specific “safe” environment following policy-based approval
• Security is enforced by “sand-boxed” context-aware intelligent agents embedded in customer’s VM
• Data stored in non-ephemeral storage volumes are encrypted at file system level
• The encryption/decryption keys are stored off site
• Decryption only possible when used in specific environment
• Rules-based approval (automatic or manual) before the keys are released to ensure release into safe envelope (IP address, VM provenance, presence of DLP software etc.)
Overview: Secure Cloud Data Hosting (VDC enhancement)
• Encrypt volume: Encrypt a storage volume (iSCSI, NFS) at file system level
• Keep keys safe: Store decryption key outside the cloud in a Key Management Server
• Install secure cloud agent: Create a gold build Machine Image (e.g. VS template) with secure cloud agent installed
• Create customer image: Create instances from this image as required
• Key request: Agent requests keys when Virtual Machine is booted up
• Key provisioning: Keys may be released based on policy rules like IP address, OS type, CPU arch etc.
• Volume mounting: On receiving keys, the volume is attached to VM instance, in read or read/write mode
• Key release: Key released by agent when it is stopped (e.g. when VM shuts down)
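Added example, not part of the original slides and not BT's implementation: a sketch of the key provisioning decision a key management server could make when the agent asks for a volume key at boot, using the rule types the slides name (IP address, OS type, CPU arch, VM provenance, DLP presence, automatic or manual approval). All field names, identifiers and sample values are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Policy:
    """Release rules for one encrypted volume (field names are assumptions)."""
    allowed_networks: tuple   # CIDR ranges a key request may come from
    allowed_os: frozenset
    allowed_arch: frozenset
    gold_images: frozenset    # identifiers of approved gold-build images
    require_dlp: bool         # DLP software must be reported as running
    approval: str             # "automatic" or "manual"
    mount_mode: str           # "ro" or "rw", returned with the key

def evaluate(policy, peer_ip, claims):
    """Return (decision, failed_rules, mount_mode) for one key request."""
    # peer_ip: address the key server saw; claims: attributes the agent reported
    failed = []
    try:
        addr = ipaddress.ip_address(peer_ip)
        if not any(addr in ipaddress.ip_network(n) for n in policy.allowed_networks):
            failed.append("ip")
    except ValueError:                 # unparseable address is a failure
        failed.append("ip")
    if claims.get("os") not in policy.allowed_os:
        failed.append("os")
    if claims.get("arch") not in policy.allowed_arch:
        failed.append("arch")
    if claims.get("image_id") not in policy.gold_images:
        failed.append("provenance")
    if policy.require_dlp and claims.get("dlp_running") is not True:
        failed.append("dlp")
    if failed:                         # missing or mismatched attribute: no key
        return "deny", failed, None
    if policy.approval == "manual":    # rules passed, operator must still approve
        return "pending", [], None
    return "release", [], policy.mount_mode

# Constructed sample policy and agent reports
POLICY = Policy(("10.20.0.0/16",), frozenset({"linux"}), frozenset({"x86_64"}),
                frozenset({"gold-build-01"}), True, "automatic", "rw")
MANUAL = replace(POLICY, approval="manual")
GOOD = {"os": "linux", "arch": "x86_64", "image_id": "gold-build-01", "dlp_running": True}
COPY = dict(GOOD, image_id="unknown-image", dlp_running=False)

if __name__ == "__main__":
    for ip, report in (("10.20.3.7", GOOD), ("198.51.100.9", GOOD), ("10.20.3.7", COPY)):
        print(ip, evaluate(POLICY, ip, report))
```

The evaluator fails closed: an attribute the agent does not report counts as a failed rule, so an incomplete request never yields a key.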
Secure Cloud (Shared) Storage:
• Extend solution to federated storage that spans across
  • Multiple VDCs on the same cloud infrastructure
  • Cloud islands by different providers
• Combine solution with data shredding, variants of key split / group encryption, and optimal data fragment distribution algorithms to ensure that:
  • if all nodes hosting fragments of a customer's files are off, all other customers can continue to operate securely
  • root access to all nodes hosting fragments of one customer's files will not provide enough fragments to reconstruct / decrypt another customer's file
  • customers can inspect the integrity of their shredded data

Secure Cloud Container:
• Cover protection of VM images at rest
• Cover integrity checks of data and VM image volumes
• Hypervisor root-kit to cover encryption of communication between protected VMs in operation
2 BT patents pending including combination of data shredding and cloud encryption
Cloud security innovation roadmap at BT Research & Technology
• Technical innovation challenges & solutions
• Cloud Security Innovation Strategy
• Market evolution analysis
• Recommendations for High-level Secure Cloud Architecture for Government (IaaS)
• In-cloud security cost-benefit analysis
• Cloud information assurance metrics
• Cloud security risk assessment (eGov)
• Secure Cloud Service Broker
• Cloud Federation Fabric v1
• Virtual hosting on federated clouds (basic functionality)
• Recommendations for High-level Secure Cloud Architecture for Government (SaaS)
• Cloud ecosystem security value network
• Market analysis revision
• Cloud security value network revision
• Virtual hosting on federated clouds (enhanced functionality)