Cloud Storage Security - PowerPoint Presentation

giovanna-bartolotta . @giovanna-bartolotta

443 views
Uploaded On 2017-04-21

Cloud Storage Security - PPT Presentation

Murat Kantarcioglu Main Cloud Security Problems VM level attacks Exploit potential vulnerabilities in hypervisor Cloud provider vulnerabilities Eg crosssite scripting vulnerability in Salesforcecom ID: 540174

cloud data public text data cloud text public key conf hadoop access security output control cpp mapreduce map input

Link:

Copy

Embed:

<iframe width="560" height="315" src="https://www.docslides.com/embed/540174" frameborder="0" allowfullscreen></iframe>

Download Presentation from below link

Download Presentation The PPT/PDF document "Cloud Storage Security" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.

Presentation Transcript

Slide1

Cloud Storage Security

Murat KantarciogluSlide2

Main Cloud Security Problems

VM- level attacks

Exploit potential vulnerabilities in hypervisor

Cloud provider vulnerabilities

E.g. cross-site scripting vulnerability in Salesforce.com

Phishing

Integrating cloud authentication with company authentication mechanisms

Availability

Single point of Failure

Assurance of computational integrity by cloud providerSlide3

Issues with moving data to cloud providers

Will cloud provider fight against a subpoena?

Do you trust Azure logs to show gross negligence on Microsoft part?

Contractual obligations?

If you can hack one place for espionage Gmail could be a good starting point?

Data lock-inSlide4

What is new in cloud computing security?

Too big to fail?

What if Amazon hardware is confiscated?

What if Amazon fails?

Hiding activity patterns

Using cloud for crime?

Secure cloud auditing

Mutual auditability

Snowden AffairsSlide5

Cloud Computing

Like Software as a service and DAS model offers many advantages

Better availability

Reduced Costs

Unlimited scalability and elasticity

Cloud Computing

Database

App Server

Code

MultimediaSlide6

Hybrid Cloud

Integrates local infrastructure with public cloud resources

Hybrid Cloud

Extra Advantages

The flexibility of shifting workload to

public cloud

when the

private cloud

is overwhelmed (Cloud Bursting)

Utilizing in-house resources along with public resourcesConsSensitive data exposure Public Cloud Resource Allocation Cost (both storage and computing)

Public/ External

Private/ InternalSlide7

Constraints

Data & Computation Partitioning Challenge

s_id

name

ssn

dept

James

1234

Charlie

4321

3John5645

CS4Matt

8743ECON

SELECT name, ssn from Student

: SELECT dept, count(*) FROM Student GROUP_BY dept

Student

Q1 contains sensitive information

Q2 execution is more expensive

Sensitive

How to partition the table ?

How to split computation? Slide8

Our Hybrid Cloud Architecture

Relations R

Queries Q

Constraints C

priv

pub,

pub

Results for Q

priv

User Interface Layer

Statistics Gathering

Layer

Hive

Hadoop HDFS

Hive

Hadoop HDFS

Private

Public

Results for Q

pub

Data and Query Management

LayerSlide9

Design Spectrum

Data Model

Relational

, Semi-structured, Key-Value Stores, Text

Sensitivity Model

Attribute Level

, Privacy Associations, View-Based

Partitioning Models

Workload Partitioning

, Intra-query Parallelism, Dynamic WorkloadMinimization Priority

Running Time, Sensitive Data Disclosure, Monetary Cost

9Slide10

Outline of Solution

Notation

Formulate Computation Partition Problem (CPP)

Solution to CPP

Experimental Results

10Slide11

Notation

sens(R’):

The estimated number of sensitive cells in dataset R’

baseTables(q):

The estimated minimum set of data items necessary to answer query q

runT

(q): The estimated running time of query q Є Q at site x (either public or private)ORunT(Q’,Q’’): Overall execution time of queries in Q’, given that queries in Q’’ are executed on the public cloud

11Slide12

pub,

pub

priv

Detailed Hybrid Cloud Architecture

runT

(q), baseTables(q)

Statistics Gathering

Layer

Data And Query Management Layer

Computation Partitioning Module

Monetary Cost Estimator

Disclosure Risk Estimator

Relations R

Queries Q

Constraints C

Hive

Hadoop HDFS

Hive

Hadoop HDFS

Private

PublicSlide13

Computation Partitioning Problem (CPP)

Find a

subset of given query workload

, and

subset of the given dataset

where

are user defined constraints

13Slide14

Metrics in CPP

Query Execution Time (

runT

(q)

)

Monetary Costs

stor(R

pub) : Storage monetary cost of the public cloud partition

proc(q) : Processing monetary cost of a public side query qSensitive Data Disclosure Risk (sens(Rpub))Estimated number of sensitive cells within Rpub

14Slide15

Solution to CPP

CPP can be simplified to only finding

pub

Dynamic Programming Approach

CPP (Q, MC, DC)

Qpub

Input Query Set

Monetary Const.

Disclosure Const

OutputSlide16

Example

MC < 25

DC < 20

CPP({

, q2, q3}, MC, DC) = CPP({q1, q2}, MC , DC)

can only run on private side.

Slide17

Example

If q

can run on both sides

Case 1

CPP({

1, q2, q3}, MC, DC) = CPP({q1, q2}, MC , DC)

What if q

runs on private side.

Slide18

Example

Case 2

CPP(Q, MC, DC) = MIN_TIME (CPP( , j, k)+

)

where

MC-25 ≤ j ≤ MC-15 and DC-20 ≤ j ≤ DC-0 Choose the minimum overall running time between Case 1 and Case 2

What if q

runs on public side.

Max-Min possible monetary cost by

Max-Min possible disclosure risk by

Slide19

Experimental Setting

Private Cloud:

Nodes, located at UTD, Pentium IV,

GB Ram,

290-320

GB disk space

Public Cloud: 38 Nodes, located at UCI, AMD Dual Core, 8GB Ram, 631GB disk spaceHadoop

0.20.2 and Hive 0.7.1Dataset and Statistic Collection100GB TPC-H DataQuery Workload 40 queries containing modified versions of Q1, Q3, Q6, Q11

19Slide20

Experimental Setting

Estimation of Weight (

)

Running all

TPC-H queries for a

300

GB datasetwpub ≈ 40MB/sec , w

priv ≈ 8MB/secResource Allocation CostAmazon S3 Pricing for storage and communicationStorage = $0.140/GB + PUT, Communication= $0.120/GB + GETPUT=$0.01/1000 request, GET=$0.01/10000 requestAmazon EC2 and EMR Pricing for processing$0.085 + $0.015 = $0.1/hourSensitivityCustomer : c_name, c_phone, c_address attributesLineitem: All attributes in %1-5-10 of tuples

20Slide21

Experimental Results

21Slide22

Experimental Results

22Slide23

Hadoop - Why ?

Need to process huge datasets on large clusters of computers

Very expensive to build reliability into each application

Nodes fail every day

Failure is expected, rather than exceptional

The number of nodes in a cluster is not constant

Need a common infrastructure

Efficient, reliable, easy to use

Open Source, Apache Licence version of Google File SystemSlide24

Who uses Hadoop?

Amazon/A9

Facebook

Google

It has GFS

New York Times

Veoh

Yahoo!

…. many more

ClouderaSimilar to Redhat business model.

Added services on HadoopSlide25

Commodity Hardware

Typically in 2 level architecture

Nodes are commodity PCs

30-40 nodes/rack

Uplink from rack is 3-4 gigabit

Rack-internal is 1 gigabit

Aggregation switch

Rack switchSlide26

Hadoop Distributed File System (HDFS)

Original Slides by

Dhruba Borthakur

Apache Hadoop Project Management CommitteeSlide27

Goals of HDFS

Very Large Distributed File System

10K nodes, 100 million files, 10PB

Yahoo is working on a version that can scale to large amounts of data.

Assumes Commodity Hardware

Files are replicated to handle hardware failure

Detect failures and recover from them

Optimized for Batch Processing

Data locations exposed so that computations can move to where data resides

Remember moving large data is an important bottleneck.

Provides very high aggregate bandwidthSlide28

Distributed File System

Single Namespace for entire cluster

Again this is changing soon!!!

Data Coherency

Write-once-read-many access model

Client can only append to existing files

Files are broken up into blocks

Typically 64MB block size

Each block replicated on multiple DataNodes

Intelligent Client

Client can find location of blocksClient accesses data directly from DataNodeSlide29

HDFS ArchitectureSlide30

MapReduce

Original Slides by

Owen O’Malley (Yahoo!)

Christophe Bisciglia, Aaron Kimball & Sierra Michells-SlettvetSlide31

MapReduce - What?

MapReduce is a programming model for efficient distributed computing

It works like a Unix pipeline

cat input | grep | sort | uniq -c | cat > output

Input | Map |

Shuffle & Sort

| Reduce | Output

Efficiency from

Streaming through data, reducing seeks

PipeliningA good fit for a lot of applicationsLog processingWeb index buildingSlide32

MapReduce - DataflowSlide33

MapReduce - Features

Fine grained Map and Reduce tasks

Improved load balancing

Faster recovery from failed tasks

Automatic re-execution on failure

In a large cluster, some nodes are always slow or flaky

Framework re-executes failed tasks

Locality optimizations

With large data, bandwidth to data is a problem

Map-Reduce + HDFS is a very effective solution

Map-Reduce queries HDFS for locations of input dataMap tasks are scheduled close to the inputs when possibleSlide34

Word Count Example

Mapper

Input: value: lines of text of input

Output: key: word, value: 1

Reducer

Input: key: word, value: set of counts

Output: key: word, value: sum

Launching program

Defines this job

Submits job to clusterSlide35

Word Count DataflowSlide36

Word Count Mapper

public static class Map extends

MapReduceBase

implements

Mapper

LongWritable,Text,Text,IntWritable

> {

private static final

IntWritable

one = new IntWritable(1); private Text word = new Text(); public static void map(LongWritable key, Text value, OutputCollector<Text,IntWritable> output, Reporter reporter) throws IOException { String line = value.toString(); StringTokenizer

= new StringTokenizer(line);

while(tokenizer.hasNext()) {

word.set(tokenizer.nextToken());

output.collect(word,one

); }

} }Slide37

Word Count Reducer

public static class Reduce extends MapReduceBase implements Reducer<Text,IntWritable,Text,IntWritable> {

public static void reduce(Text key, Iterator<IntWritable> values, OutputCollector<Text,IntWritable> output, Reporter reporter) throws IOException {

int sum = 0;

while(values.hasNext()) {

sum += values.next().get();

}

output.collect(key, new IntWritable(sum));

}

}Slide38

Word Count Example

Jobs are controlled by configuring

JobConfs

JobConfs are maps from attribute names to string values

The framework defines attributes to control how the job is executed

conf.set(“mapred.job.name”, “MyApp”);

Applications can add arbitrary values to the JobConf

conf.set(“my.string”, “foo”);

conf.set(“my.integer”, 12);

JobConf is available to all tasksSlide39

Putting it all together

Create a launching program for your application

The launching program configures:

The

Mapper

and

Reducer

to use

The output key and value types (input types are inferred from the

InputFormat)The locations for your input and output

The launching program then submits the job and typically waits for it to completeSlide40

Putting it all together

JobConf

conf = new

JobConf

(

WordCount.class

);

conf.setJobName

(“

wordcount

”);conf.setOutputKeyClass(Text.class);conf.setOutputValueClass(IntWritable.class);conf.setMapperClass(Map.class);conf.setCombinerClass(Reduce.class);

conf.setReducer(Reduce.class);

conf.setInputFormat(TextInputFormat.class

);Conf.setOutputFormat(

TextOutputFormat.class);

FileInputFormat.setInputPaths(conf, new Path(args[0]));

FileOutputFormat.setOutputPath(conf, new Path(args

[1]));

JobClient.runJob(conf);Slide41

Input and Output Formats

A Map/Reduce may specify how it’s input is to be read by specifying an

InputFormat

to be used

A Map/Reduce may specify how it’s output is to be written by specifying an

OutputFormat

to be used

These default to

TextInputFormat

and TextOutputFormat, which process line-based text data

Another common choice is SequenceFileInputFormat and SequenceFileOutputFormat for binary dataThese are file-based, but they are not required to beSlide42

Vigiles

Fine-grained

Access Control for

MapReduce

Systems **

Murat

Kantarcioglu

Joint work

Huseyin

Ulusoy, Erman Pattuk, Kevin HamlenSlide43

Motivation

MapReduce

systems become

popular

for processing big data. (e.g., Hadoop)

Initially

security and privacy

were not the primary concerns of the

MapReduce

systemsNew challenges due to high volume and high varietyNeed to support relational, semi-structured and unstructured dataSlide44

Does NoSQL mean No Security??Slide45

Motivation

Many security applications are

being developed for different needs

Apache

Accumulo

allows multi-level access

control for key-value stores

Apache Knox

allows authorization, authentication, and auditing capabilitiesApache Argus tries to achieve “Centralized security administration to manage all security related tasks in a central

UI”“Fine” grained access control for HDFS (file level) , Hive (column level) and HBase (column level)Slide46

Why file level access is not fine-grained enough?

Given HDFS file may have significant

sensitive information

Log file for a web service supporting multiple companies contains billions of records from different users.

Allowing one user to see all the info. in a given file makes it

easier to abuse and/or misuse

the data.

No need for an employee to see company X related logs if he/she is working in company Y account.

Fine-grained access control need is addressed in relational database management systems Slide47

View-based access control in RDBMs

Define a view containing

the predicates

to select the tuples to be returned to a given

subject

Grant

S the select privilge on the view, and

not

on the underlying tableExample:CREATE VIEW

CompanyXLog AS SELECT * FROM Log WHERE Log.Company=X;- GRANT Select ON CompanyXLog TO Ann;Slide48

Our Previous Work: Access control for Hive**

Thuraisingham

et al. Secure

data storage and retrieval in the cloud.

CollaborateCom

2010: 1-8Slide49

Comparison to Apache Sentry

Apache Sentry allows view definition at the column level

Our

HiveAC

framework allows arbitrary view definition based on any predicate

Developed late 2009, we did not release an open source version

 Slide50

Fine-grained access control for non-relational

ata

Fine-grained access control is not supported for generic

MapReduce

computation

Example:Slide51

Goal

Propose a fine-grained access control mechanism for the generic

MapReduce

model

Provide a modular architecture to be independent of underlying

MapReduce

version

Incur the minimal overhead

Have easy to use and expressive security policy specificationSlide52

High Level Idea

Apply a predicate to all generated/read key-value pairs before the map functions process Slide53

System OverviewSlide54

FGAC Predicate Model

Let denote FGAC predicate model

denote the set of subjects

denote the set of objects

Objects are composed of atomic entries ,

denote the set of predicates

Each predicate independently run an access control filter (ACF) for each key-value pairSlide55

Security and privacy

olicy

iscussion

Any policy that is

dependent

on just

one key-value pair

could be implemented in this frameworkSanitizationGeneralize all zip codes to 3 digitDelete SSN valuesPredicate based access control including RBACAttribute based access control based on key, value pairs

Cannot enforce policies defined based on set of key-value pairsK-anonymity cannot be easily enforcedSlide56

In-lined Reference Monitor

ACFs are in-lined into

MapReduce

systemSlide57

RecordReaderSlide58

Enhanced RecordReaderSlide59

Enhanced RecordReaderSlide60

Security Discussion / Assumptions

The

Java Security sandbox

prevents unauthorized data accesses