Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
67 Cards in this Set
- Front
- Back
|
Cloud Computing Introduction
|
[4] "In the cloud computing environment, storage service providers must have in place data practices to ensure that their clients' data is safe from unauthorized access and disclosure."
|
|
|
Cloud Computing Introduction
|
[4] "The special features of cloud computing include the storage of user data in the cloud and the lack of any need for software installation on the client side."
|
|
|
Cloud Computing Introduction
|
[8] Cloud computing is more prone to security threats and vulnerabilities because it supports distributed service oriented architecture, multi-user and multi-domain administrative infrastructure.
|
|
|
Cloud Computing Introduction
|
[8] "Once the client hosts data to the cloud there should be some guarantee that access to that data will only be limited to the authorized access."
|
|
|
Cloud Computing Introduction
|
[7] The following criteria define the class of applications best fit for the cloud: provide services to a large number of distinct end users, as opposed to bulk data processing or workflow management for a single entity; use a data model consisting mostly of sharable units, where all data objects have access control lists (ACLs) with one or more users; and developers could run the applications on a separate computing platform tha encompasses th ephysical infrastructure, job scheduling, user authentication, and the base software environment, rather than implementing the platform themselves."
|
|
|
Cloud Computing Introduction
|
[1] The most widely used definition of cloud computing is 'Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction...'
|
|
|
Cloud Computing Introduction
|
[3] "There are three types cloud deployment models that widely used in cloud computing are: Private Cloud - The cloud infrastructure is owned or leased by a single organization and is operated solely for that organization. Community Cloud - Several organizations that have similar policies, objectives, aims and concerns share the cloud infrastructure. Public Cloud - A large organization owns the cloud infrastructure and sells cloud services to industries or public."
|
|
|
Cloud Computing Introduction
|
[9] There are three models of resource sharing that can be used: In the first model, sharing is disabled and only one customer is given the resource at one time. In the second model, sharing is allowed and it's up to the customer to decide whether other customers can share the resource with them or if they wish to sue the resource exclusively. In the third model, sharing is always possible and it forces all customers to share the resource with the others.
|
|
|
Cloud Computing Introduction
|
[6] "Public clouds are less secure than the other cloud models because it places an additional burden of ensuring all applications and data accessed on the public cloud are not subjected to malicious attacks."
|
|
|
Cloud Computing Introduction
|
[6] "Infrastructure as a Service is a single tenant cloud layer where the Cloud computing vendor's dedicated resources are only shared with contracted clients at a pay-per-use fee."
|
|
|
Cloud Computing Introduction
|
[6] "Software as a Service also operates on the virtualized and pay-per-use costing model whereby software applications are leased out to contracted organizations by specialized SaaS vendors."
|
|
|
Cloud Computing Introduction
|
[6] "Platform as a service cloud layer works like IaaS but it provides an additional level of "rented" functionality."
|
|
|
Cloud Data Protection Introduction
|
[4] "A common approach to protect user data is that user data is encrypted before it is stored."
|
|
|
Cloud Data Protection Introduction
|
[4] "Encrypting data prior to storage is a common method of data protection, and service providers may be able to build firewalls to ensure that the decryption keys associated with encrypted user data are not disclosed to outsiders."
|
|
|
Cloud Data Protection Introduction
|
[4] "Common methods for protecting user data include encryption prior to storage, user authentication procedures prior to storage or retrieval, and building secure channels for data transmission. These protection methods normally require cryptography algorithms and digital signature techniques..."
|
|
|
Cloud Data Protection Introduction
|
[4] "The concept of dividing authority is often applied to business management."
|
|
|
Cloud Data Protection Introduction
|
[8] "By providing security of data, service providers should implement mechanisms to ensure data integrity and be able to explain what happened to a certain dataset and at what point."
|
|
|
Cloud Data Protection Introduction
|
To enhance security, data can be turned into cipher text, but many features can be lost when data is turned into cipher text.
|
|
|
Cloud Data Protection Introduction
|
[7] "To ensure a practical solution, we considered the following goals relating to data protection as well as ease of development and maintenance: Integrity. The user's stored data won't be corrupted. Privacy. Private data won't be leaked to any unauthorized entity. Access transparency. Logs will clearly indicate who or what accessed any data. Ease of verification. Users will be able to easily verify what platform or application code is running, as well as whether the cloud has strictly enforced their data's privacy policies. Rich computation. The platform will allow efficient, rich computations on sensitive user data. Development and maintenance support. Because they face a long list of challenges - bugs to find and fix, frequent software upgrades, continuous usage pattern changes, and user demand for high performance - developers will receive both development and maintenance support."
|
|
|
Cloud Data Protection Introduction
|
[5] "In the cloud, we observe the following two important characteristics that impose challenges to the development of data protection techniques: a cloud service can be provided through a chain of service providers...For a user to select a service provider, the candidate service providers' privacy policies need to be checked to ensure that they conform with users' privacy preferences." "Some possible changes to the parties involved in a cloud service, need to be considered as discussed in the literature: a participating party may need to update its privacy policies; a service provider may need to transfer its operations together with users; data to someone else because to the sale of company, a merger, seizure by the government, etc."
|
|
|
Cloud Data Protection (Internal)
|
[4] "...cloud computing service providers must have specific methods for constraining internal system management personnel to prevent them from obtaining both encrypted data and their decryption keys - this is critical to protecting user data."
|
|
|
Encryption/Decryption Separation
|
[4] "This study proposes a business model for cloud computing based on the concept of separating the encryption and decryption service from the storage service."
|
|
|
Encryption/Decryption Separation
|
[4] "Under the business model proposed in this study, the data storage cloud system provider is authorized to store the user's encrypted data, but does not have access to the Decryption Key."
|
|
|
Encryption/Decryption Separation
|
[4] "Given that encryption is an independent cloud computing service, a unique feature of the business model is that different services are provided by multiple operators."
|
|
|
Encryption/Decryption Separation
|
[4] "After the user's logs into the CRM system, if the CRM Service System requires any client information, it will execute a Data Storage Program."
|
|
|
Encryption/Decryption Separation
|
[4] "After the user's login has been successful verified, if the CRM Service System requires client information from the user, it sends a request for information to the Storage Service System."
|
|
|
Encryption/Decryption Separation
|
[4] "Since the Encryption/Decryption Service System can serve multiple users and the encryption/decryption for each user's data requires a different key, therefore each user's unique ID and keys are stored together."
|
|
|
Encryption/Decryption Separation
|
[4] "...Once the client data is encrypted by the Encryption/Decryption Service System it must be transferred to the Storage Service System where the user ID and encrypted data are stored together."
|
|
|
Cloud Services Architecture
|
[4] "The architecture of cloud services can be divided into three levels: infrastructure, platform, and application software. Application software constructs the user interface and presents the application system's functions."
|
|
|
Security Guidelines
|
[4] "Special privilege user data access must be controlled to prevent unauthorized storage or retrieval. Cloud computing services must comply with relevant laws. User data must be properly stored and encrypted. A reset mechanism must be provided in case of service discontinuation due to change or dissolution of the provider. Service must be sustainable and guaranteed against service discontinuation due to change or dissolution of the provider. If cloud computing services are used for illegal purposes, the provider must be able to provide records to assist with investigations."
|
|
|
Block Based Symmetric Cryptography
|
[8] "The proposed architecture uses block based symmetric cryptography having better speed of storing the data which when compared with the existing encryption algorithms."
|
|
|
Block Based Symmetric Cryptography
|
[8] "The proposed architecture encrypts the secured data by inserting the symmetric layer."
|
|
|
Block Based Symmetric Cryptography
|
[8] The proposed technique also uses a common key between the sender and the receiver.
|
|
|
Data Protection as a Service
|
[7] "DPaaS is a suite of security primitives offered by a cloud platform, which enforces data security and privacy and offers evidence of privacy to data owners, even in the presence of potentially compromised or malicious applications."
|
|
|
Data Protection as a Service
|
[7] "The DPaaS approach places two additional requirements on the platform: It must be able to perform user authentication, or at least have a trusted way to know who's logged in and accessing the service; and it must rely on encryption and authenticated data store techniques to remove the need to trust the storage service."
|
|
|
Data Protection as a Service
|
[7] "DPaaS can log four basic kinds of actions: Ordinary online data accesses that occur in response to external user requests when a user is online and operating an application; access control modification by authorized users, the provenance of which can assists in forensics or problem diagnosis; offline/batch access to handle requests while users are offline...to compute aggregates or to reorganize data such as during schema changes; and administrative access for maintenance operations such as debugging."
|
|
|
Questions for the Future
|
[7] "Can we standardize technology across platforms to facilitate switching among providers?"
|
|
|
Questions for the Future
|
[7] "How can we make migrations to the DPaaS cloud as easy as possible for existing applications?"
|
|
|
Questions for the Future
|
[7] "How can we minimize the cost of application audits?"
|
|
|
Questions for the Future
|
[7] "What kinds of audits are most important for building user confidence?"
|
|
|
Questions for the Future
|
[7] "Can technologies such as TC and code attestation be made scalable in the presences of constantly evolving software?"
|
|
|
Questions for the Future
|
[7] "How can we generalize the ideas presented here to other classes of applications?"
|
|
|
Security Concerns
|
[2] Traditional security concerns include: "Potential vulnerabilities in the hypervisor or VM technology used by cloud vendors are a potential problem in multi-tenant architectures." Cloud provider vulnerabilities such as SQL-injection or a cross-site scripting vulnerability.
|
|
|
Security Concerns
|
[2] Availability concerns center on critical applications and data being available. "As with Traditional Security concerns, cloud providers argue that their server uptime compares well with the availability of the cloud user's own data centers." "Cloud services are thought of as providing more availability, but perhaps not - there are more single points of failure and attack."
|
|
|
Security Concerns
|
[2] Third party provider concerns. "Audit difficulty is another side effect of the lack of control in the cloud. Is there sufficient transparency in the operations of the cloud provider for auditing purposes?" "Contractual obligations. One problem wiht using another company's infrastructure besides the uncertain alignment of interests is that there might be surprising legal implications." "Cloud Provider Espionage. This is the worry of theft of company proprietary information by the cloud provider."
|
|
|
Cloud Data Protection Methods
|
[2] "When accessed, data should consult its policy and attempt to re-create a secure environment using virtualization and reveal itself only if the environment is verified as trustworthy (using Trusted Computing)."
|
|
|
Cloud Data Protection Methods
|
[2] "A different approach to retaining control of data is to require the encryption of all cloud data. The problem is that encryption limits data use."
|
|
|
Cloud Data Protection Methods
|
[2] "Apart form ensuring privacy, applied cryptography may also offer tools to address other security problems related to cloud computing."
|
|
|
Policy-Driven Framework
|
[5] "...we introduce a policy-driven framework which integrates three key functions: policy ranking that helps users quickly identify a suitable policy provider; automatic policy generation that takes policies and requirements from the user and the service providers to automatically generate an integrated policy to be adopted by the participating parties; policy enforcement that enforces privacy policies across multiple parties."
|
|
|
Policy-Driven Framework
|
[5] "We summarize the desired major properties of a policy ranking approach to be adopted in the cloud as follows: Property 1: The ranking approach should be time efficient...For a user to quickly obtain services form a proper service provider which satisifes the user's privacy concerns, the ranking approach should guarantee shor tresponse time...and report back a list of service providers in a descending order of their policy similarity to the user's requirements. Property 2: The ranking approach should closely estimate the similarity between two given policies. Property 3: The ranking approach should preserve privacy as much as possible."
|
|
|
Policy-Driven Framework
|
[5] User-oriented Ranking Model. "In this model, users are assumed to have certain processing and storage capability and responsible for policy comparison. First, users need to collect privacy policies form service providers who provide the required services. After the users receive policies from providers, the users can start the policy ranking program and select the most suitable one.
|
|
|
Policy-Driven Framework
|
[5] Service-provider-oriented Ranking Model. "This model relies on service providers to carry out the policy comparison task. Users need to broadcast their service needs as a\well as privacy requirements...According to the obtained ranking scores from different service providers, users can select their preferred service providers." "In terms of privacy, this model requires users to disclose more information than the user-oriented ranking model does. In terms of processing cost, users have little workload while service providers take care of most computation."
|
|
|
Policy-Driven Framework
|
[5] Broker-based Ranking Model. "In the previous two models, either users need to have some computational capability to avoid disclosing their privacy policies to all service providers, or service providers may need to carry out some extra work for potential users." "the broker collects policies from service providers and cache them for a certain period of time according to the popularity of the service. When a user requires some service, he/she just needs to send his/her service needs and privacy requirements to the broker. The broker will be responsible for policy ranking and report back to the user a short list of service providers along with the ranking scores.""
|
|
|
Tight Coupling Model
|
[5] "For policies that are rarely changed after their definition, we propose a tight coupling model which tightly couples the policies with the data being exchanged by physically attaching the two, so that the data cannot be left unprotected at any time."
|
|
|
Tight Coupling Model
|
[5] "In the case of policies subject to frequent updates, tightly coupling the policies with the data may not be a suitable approach...In the loose coupling model, the enforcement engine maintains its portability while the policies are dynamically ported when the data is accessed."
|
|
|
Loose Coupling Model
|
[5] "...a decentralized architecture which preserves the elegant portability properties obtained with loose coupling has the following main features: Remotely stored policies are not modifiable by any entity other than the authorized user and service provider(s)... Time-based protection is supported, wherein the policy owners set either time the protection scheme for which they want the protection to be valid, or set the time period in which the data expires... The service provider is not required to login for the re-synchronization; the executable files that form the engine utilize the authorization token provided by the service provider to complete the re-synchronization process without the user's input..."
|
|
|
Multi-tenant Security Concerns
|
[1] "Due to the openness and multi-tenant characteristic of the cloud, cloud computing is bringing tremendous impact on information security field: Due to dynamic scalability, service abstraction, and location transparency features of cloud computing models, all kinds of applications and data on the cloud platform have no fixed infrastructure and security boundarires. In the event of security breach, it's difficult to isolate a particular physical resource that has a threat or has been compromised.
|
|
|
Multi-tenant Security Concerns, part two
|
[1] According to the service delivery models of cloud computing, resources cloud services based on may be owned by multiple providers. As there is a conflict of interest, it is difficult to deploy a unified security measures.
|
|
|
Multi-tenant Security Concerns, part three
|
[1] As the openness of cloud and sharing virtualized resources by multi-tenant, user data may be accessed by other unauthorized users.
|
|
|
Multi-tenant Security Concerns, part four
|
[1] As the cloud platform has to deal with massive information storage and to deliver a fast access, cloud security measures have to meet the need of massive information processing."
|
|
|
User Data to be Protected
|
[1] The user data that needs to be protected is personally identifiable information, sensitive information, usage data, and unique device identities.
|
|
|
User Data to be Protected
|
[1] Personally identifiable information includes any information that could be used to identify or discover an individual and information that may be correlated with other information to identify or locate an individual.
|
|
|
User Data to be Protected
|
[1] Sensitive information requires additional safeguards and includes information on religion, race, health, or other information that is considered private and information that is considered being sensitive personally identifiable information.
|
|
|
User Data to be Protected
|
[1] Usable data consist of information collected from computer devices and behavioral information.
|
|
|
User Data to be Protected
|
[1] Unique device identities are other types of information that might be uniquely traceable to a user device.
|
|
|
Protected Data Security Principles
|
[1] The key data security principles that need to be protected are: Announcement, openness, and transparency; right, license and authority; minimization; accuracy; security safeguards; compliance; purpose; limiting use-disclosure and retention; accountability.
|
|
|
Security Methods
|
[6] "Non-repudiation in Cloud computing can be obtained by applying the traditional e-commerce security protocols and token provisioning to data transmission within cloud applications such as digital signatures, timestamps and confirmation receipts services..."
|
