Advanced Systems Security: Cloud Computing Security
|
|
- Deborah Hoover
- 5 years ago
- Views:
Transcription
1 Advanced Systems Security: Cloud Computing Security Trent Jaeger Penn State University Systems and Internet Infrastructure Security Laboratory (SIIS) 1
2 Cloudy Foundations Can customers move their services and validate that they still protect data security? Systems and Internet Infrastructure Security (SIIS) Laboratory 2
3 Reasons to Doubt History has shown they are vulnerable to attack SLAs, audits, and armed guards offer few guarantees Insiders can subvert even hardened systems Data Loss Incidents Incident Attack Vector External 54% Accidental 23% Insider 16% Unknown 7% Systems and Internet Infrastructure Security Laboratory (SIIS) Credit: The Open Security Foundation datalossdb.org 3
4 Cloudy Future New problem or new solution? New challenges brought on by the cloud (plus old ones) Utility could provide a foundation for solving such challenges Systems and Internet Infrastructure Security (SIIS) Laboratory 4
5 Cloudy Future Improve on data centers? On home computing? Seems like a low bar Systems and Internet Infrastructure Security (SIIS) Laboratory 5
6 AmazonIA Consumers use published instances [CCS 2011]!),/%0()*!"#$%&'()* -.&/#012$+,& =05*60/,>3 '?=>3& 9.&($:"45;& 3.&405*6076*,&!"#$%&'((& )*#+,& '?=>3 & 8.&$5,& =05*60/,>- '?=>-& <.&405*6076*,& '?=>- & +,-&".()* Instances may be flawed - have adversarycontrolled public and private keys Systems and Internet Infrastructure Security (SIIS) Laboratory 6
7 Security Configuration Zillions of security-relevant configurations for instances Firewalls Mandatory access control SELinux, AppArmor, TrustedBSD, Trusted Solaris, MIC Discretionary access control Application policies (e.g., Database, Apache) Pluggable Authentication Modules (PAM) Application configuration files Application code enforces security Plus new configuration tasks for the cloud - e.g., storage Systems and Internet Infrastructure Security (SIIS) Laboratory 7
8 Insiders Although the vendor may have a good reputation, not every employee may Trust me with your code & data You have to trust us as well Client Cloud Provider Cloud operators Systems and Internet Infrastructure Security (SIIS) Laboratory 8
9 Side Channels Shared infrastructure leads to visibility for others You can t monitor, but others can Get Off My Cloud - Ristenpart et al. [CCS 2009] Caches (Memory) Devices (I/O) CPU Scheduling Ari Juels -- Many of the security implications of the cloud stem from tenants entrusting computing resources to a third party that they controlled in the past. Not really going to discuss this further Systems and Internet Infrastructure Security (SIIS) Laboratory 9
10 Side Channels Max Planck Institute for Shared infrastructure leads to visibility for others You can t monitor, but others can Get Off My Cloud - Ristenpart et al. [CCS 2009] Caches (Memory) Devices (I/O) Software Systems CPU A New Abstraction for Building Trusted Cloud Services Scheduling Ari Juels -- Many of the security implications of the cloud Nuno Santos stem from tenants 1, Rodrigo Rodrigues entrusting 2, Krishna P. Gummadi computing resources 1, Stefan Saroiu to a 3 third MPI-SWS party that they controlled 1, CITI / Universidade Nova Lisboa in the past. 2, Microsoft Research 3 Not really going to discuss this further Policy-Sealed Data: Systems and Internet Infrastructure Security (SIIS) Laboratory 10
11 Side Channels Managing the Cloud is Complex & Error-Prone Shared infrastructure leads to visibility for others You can t monitor, but others can Is my data Get Off My Cloud Data Customer - Ristenpart et properly al. [CCS managed? 2009] Caches (Memory) Devices (I/O) CPU Scheduling Cloud Software Ari Juels -- Many Administrator of the security implications of the cloud stem from tenants entrusting computing resources to a third party that they controlled in the past. Cloud Provider Not really going to discuss this further Cloud software admins. can compromise customers data 2 Systems and Internet Infrastructure Security (SIIS) Laboratory Nuno Santos 4/13/18 11
12 Side Channels Trusted Computing Can Help Mitigate Threats Shared infrastructure leads to visibility for others You can t monitor, but others can Get Off My Cloud - Ristenpart et al. [CCS 2009] Caches (Memory) Devices (I/O) CPU Scheduling Ari Juels -- Many of the security implications of the cloud stem from Cloud tenants Node entrusting computing resources to a third party that they controlled But, in TPMs the past. alone ill-suited for the Not really going to discuss this further 3 Attest Cloud Provider Customer VM HW Customer Hypervisor TPM Nuno Santos 1. Newer hypervisors can offer protection from SW admins. } e.g., nested virtualization: CloudVisor [SOSP 11], Credo [MSR-TR] 2. Trusted computing can attest cloud node runs correct hypervisor } Trusted Platform Module (TPM) cloud 4/13/18 Systems and Internet Infrastructure Security (SIIS) Laboratory 12
13 Side Channels Our Contributions Shared infrastructure leads to visibility for others 1. Policy-sealed data abstraction } Data You is can t handled monitor, only but by others nodes can satisfying customer-chosen policy } Examples: Get Off My Cloud - Ristenpart et al. [CCS 2009] } Handle data only by nodes running CloudVisor Caches (Memory) } Handle data only by nodes located in the EU Devices (I/O) 2. Use CPUattribute-based encryption (CP-ABE) to implement abstraction efficiently Scheduling } Binds policies and node attributes to node configurations Ari Juels -- Many of the security implications of the cloud } Ciphertext-Policy stem from tenants Attribute-Based entrusting computing Encryption resources [Bethencourt07] to a third party that they controlled in the past. Excalibur incorporates both contributions Not really going to discuss this further 5 Nuno Santos 4/13/18 Systems and Internet Infrastructure Security (SIIS) Laboratory 13
14 Side Channels Excalibur Addresses TPM Limitations in Cloud Shared infrastructure leads } Enables to visibility flexible for data others migration across cloud nodes You can t monitor, but others can } Customer data accessible to any node that satisfies the customer policy Get Off My Cloud - Ristenpart et al. [CCS 2009] Caches (Memory) Devices (I/O) CPU Scheduling Ari Juels -- Many of the security implications of the cloud Attribute-based } Masks TPMs poor performance stem from tenants entrusting computing resources to a third encryption } Enforcing policies does not require party that they controlled in the past. Not really going to discuss this further 6 Policy-sealed data } Hides node s identities and lowlevel details of the software } Only high-level attributes are revealed direct calls to TPMs Nuno Santos 4/13/18 Systems and Internet Infrastructure Security (SIIS) Laboratory 14
15 Side Channels Policy-Sealed Data Shared infrastructure leads to visibility for others You Seal can t monitor, but others can + encrypt and bind Get Off My Cloud - Ristenpart et al. [CCS 2009] data to policy Caches (Memory) Devices (I/O) CPU Seal to: visor = secure visor Scheduling Policy-Sealed Data Ari Juels -- Many of the security implications of the cloud stem from tenants entrusting computing resources to a third Secure Customer party that they controlled in the Provider past. Not really going to discuss this further Unseal decrypt data iff node meets policy 10 Nuno Santos 4/13/18 Hypervisors Commodity Systems and Internet Infrastructure Security (SIIS) Laboratory 15
16 Side Channels Excalibur Architecture Shared infrastructure leads to visibility for others + } Check You can t node monitor, but others can Customer configurations Get Off My Cloud - Ristenpart et al. [CCS 2009] } Monitor attests nodes Caches in (Memory) background Devices (I/O) CPU } Scalable policy Scheduling enforcement } Ari CP-ABE Juels -- Many of the security implications of the cloud stem operations from at tenants entrusting computing resources to a third party client-side that lib they controlled in the past. Not really going to discuss this further 13 Monitor seal Nuno Santos attest & send credential Policy-Sealed Data unseal 4/13/18 Datacenter Systems and Internet Infrastructure Security (SIIS) Laboratory 16
17 Side Channels Excalibur Mediates TPM Access w/ Monitor Shared infrastructure leads Monitor visibility goals: for others You can t monitor, but others can } Track node ids + TPM-based Get Customer Off My Cloud - Ristenpart attestations et al. [CCS 2009] Caches (Memory) Devices (I/O) CPU TPM Scheduling Ari Juels -- Many of the security implications of the cloud stem from tenants Monitor entrusting } Form computing the cloud s resources root of to trust a third } party that they controlled in the Customers past. only need to attest the Cloud Node Not really going to discuss this further 14 } Hides low-level details from users } Track nodes attributes that cannot be attested via today s TPMs } e.g., nodes locations (EU vs. US) Nuno Santos monitor s software configuration 4/13/18 Systems and Internet Infrastructure Security (SIIS) Laboratory 17
18 IaaS Cloud Platform IaaS clouds rely on a variety of cloud services to provision and manage users data (e.g., VM and container) API Auth DB Network Scheduler Compute Service Hypervisor Compute Service Hypervisor VM VM Storage Compute Service VM Msg Queue Image Hypervisor IaaS service vendors: IaaS software stack vendors: Systems and Internet Infrastructure Security Laboratory (SIIS)
19 Vulnerabilities in Cloud Services Over 150 vulnerabilities reported! Systems and Internet Infrastructure Security Laboratory (SIIS)
20 Attacks via Service Vulnerabilities Cloud services run with all users permissions, and even cloud vendor s permission Confused deputy attacks Inadvertent or intentional data leakage Problem compounded by the need of cloud services to make critical security decisions over users data Take Inadvertent a snapshot Cloud or Services of Cloud Services volume intentional Alice s VM leakage (CVE ) (CVE ) (CVE ) Mallory Alice s VM Mallory s VM Vendor s DB Alice s VM Credendtial volume Mallory s VM Mallory s VM Systems and Internet Infrastructure Security Laboratory (SIIS)
21 Attacks via Flawed Trust Assumption Cloud services fully trust each other Once an adversary controls a cloud service or node (e.g., via hypervisor vulnerabilities), she can perform arbitrary operations on benign cloud nodes via cloud service interactions Compromise of one cloud service can lead to data compromise cloud wide A user s TCB includes each and every cloud service & node Compute Service Take a snapshot Destroy Alice s VM Shutdown cloud node Compute Service Alice s VM Cloud Node Cloud Node Systems and Internet Infrastructure Security Laboratory (SIIS)
22 Insight Cloud services themselves cannot control data propagation due to vulnerabilities Information flow control (IFC) over cloud services Compromised cloud services and nodes have unlimited access to any user s data on any cloud node Bound the data accessibility of a cloud node to the users that are using (thus trusting) the cloud node Decentralized security principle: a user s data security does not depend on system components that the user does not trust [Arden 2012] Systems and Internet Infrastructure Security Laboratory (SIIS)
23 DIFC over Cloud Services Enforce Decentralized Information Flow Control (DIFC) over cloud services to mitigate cloud service vulnerabilities Confine cloud services to individual users security labels Cloud services must explicitly declassify or endorse data using ownerships Alice-API S = {a} Alice-Compute S = {a} Alice-VM S = {a} Alice-API S = {a} Alice-Volume S = {a} Alice-Declassifier S = {a}, O= {a} Bob-API S = {b} Bob-Compute S = {b} Bob-VM S = {b} Volumes Store S = { } Isolating cloud users Export protection Systems and Internet Infrastructure Security Laboratory (SIIS)
24 Control of Cloud Services Cloud services(stateless) > ephemeral event handlers [Insight] Cloud services are constructed using event dispatch loop [Efstah. 05] Dispatcher on a cloud node spawns event handlers on-demand with users labels Dispatch Event-Handler Events Dispatcher Result S = {a} Responses O = {a, b} Result Event-Handler Dispatch S = {b} Systems and Internet Infrastructure Security Laboratory (SIIS)
25 Spawning Event Handlers Requirements: [who can spawn] prevent nodes that do not have a user s authority from spawning event handlers that may access that user s data [where can it spawn] prevent nodes that fail to satisfy cloud policy (e.g., CoI) from being selected to execute the user s event handler [best place to spawn] find the ideal cloud node to spawn Spawn Mallory s Coke s API S = {m}, {a}, I= {a} {m} Coke s Alice s Compute S = {a}, I= {a} Pepsi s Alice s Compute VM S = {a}, I= {a} Cloud Node Cloud Cloud Node Node Systems and Internet Infrastructure Security Laboratory (SIIS)
26 Spawn Sketch Daemon (dispatcher) needs to be delegated with authority to spawn new event handlers with ownership capabilities authority = {ownership, node, auth} Having the authority indicates the node is trusted by the user Event Handler p S p = {a} Event Handler q S q = {a} 1 Pileus Daemon D p 3 5 Pileus Daemon D q 2 Ownership Registry 4 Systems and Internet Infrastructure Security Laboratory (SIIS)
27 Capability (Ownership) Delegation centralized control over authority distribution: [who can spawn] only a cloud node trusted with a user s authority can spawn on other cloud nodes with the user s label [where can it spawn] enforces mandatory cloud policy (e.g., ICAP) [best place to spawn] most compatible security requirements Event Handler p S p = {a} Event Handler q S q = {a} 1 Pileus Daemon D p 3 5 Pileus Daemon D q 2 Ownership Registry 4 Systems and Internet Infrastructure Security Laboratory (SIIS)
28 Mitigating Vulnerabilities Pileus blocks 6 * zero-day OpenStack vulnerabilities that were newly reported after Pileus s deployment Systematic mitigation of 1/3 vulnerabilities reported in OpenStack Systems and Internet Infrastructure Security Laboratory (SIIS)
29 OpenStack on Pileus Pileus does not block normal cloud operations Cloud services are confined as-is in majority of cloud operations Few requires declassification and endorsement When an operation causes data flow across user boundaries (i.e., resource sharing) Declassifiers and endorsers are simple Volume declassifier (50 SLOC), image endorser (150 SLOC) Systems and Internet Infrastructure Security Laboratory (SIIS)
30 Conclusion Pileus is a model and system that protects users data from vulnerable cloud services It mitigates cloud service vulnerabilities by enforcing Decentralized Information Flow Control (DIFC) It addresses the mutual trust assumed by cloud services and nodes by enforcing Decentralized Security Principle (DSP) Systems and Internet Infrastructure Security Laboratory (SIIS)
Policy-Sealed Data: A New Abstraction for Building Trusted Cloud Services
Max Planck Institute for Software Systems Policy-Sealed Data: A New Abstraction for Building Trusted Cloud Services 1, Rodrigo Rodrigues 2, Krishna P. Gummadi 1, Stefan Saroiu 3 MPI-SWS 1, CITI / Universidade
More informationModule: Cloud Computing Security
Module: Computing Security Professor Trent Jaeger Penn State University Systems and Internet Infrastructure Security Laboratory (SIIS) 1 Computing Is Here Systems and Internet Infrastructure Security (SIIS)
More informationAdvanced Systems Security: Ordinary Operating Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationGood Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy
Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy SESSION ID: CSV-W01 Bryan D. Payne Director of Security Research Nebula @bdpsecurity Cloud Security Today Cloud has lots of momentum
More informationSecurity and Privacy in Cloud Computing
Security and Privacy in Cloud Computing Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 5 03/08/2010 Securing Clouds Goal: Learn about different techniques for protecting a cloud against
More informationAttack Graphs. Systems and Internet Infrastructure Security
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Attack Graphs Systems
More informationThe Road to a Secure, Compliant Cloud
The Road to a Secure, Compliant Cloud The Road to a Secure, Compliant Cloud Build a trusted infrastructure with a solution stack from Intel, IBM Cloud SoftLayer,* VMware,* and HyTrust Technology innovation
More informationAdvanced Systems Security: Principles
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationAdvanced Systems Security: Principles
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationOS Security IV: Virtualization and Trusted Computing
1 OS Security IV: Virtualization and Trusted Computing Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab2 More questions? 3 Virtual machine monitor +-----------+----------------+-------------+
More informationUsing System-Enforced Determinism to Control Timing Channels
Using System-Enforced Determinism to Control Timing Channels Bryan Ford, Amittai Aviram, Weiyi Wu, Jose Faleiro, Ramki Gummadi Yale University http://dedis.cs.yale.edu/ ASPLOS PC Symposium, November 2,
More informationInevitable Failure: The Flawed Trust Assumption in the Cloud
Inevitable Failure: The Flawed Trust Assumption in the Cloud Yuqiong Sun Department of Computer Science and Engineering Pennsylvania State University yus138@cse.psu.edu Giuseppe Petracca Department of
More informationCSE 544 Advanced Systems Security
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CSE 544 Advanced Systems
More informationAdvanced Systems Security: Putting It Together Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationDefending against VM Rollback Attack
Defending against VM Rollback Attack Yubin Xia, Yutao Liu, Haibo Chen, Binyu Zang Institute of Parallel and Distributed Systems, Shanghai Jiao Tong University School of Computer Science, Fudan University
More informationDistributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing
Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing 02/06/14 Goals Understand principles of: Authenticated booting, diference to (closed) secure
More informationCMPSC 497 Attack Surface
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Attack Surface
More informationCloud Essentials for Architects using OpenStack
Cloud Essentials for Architects using OpenStack Course Overview Start Date 5th March 2015 Duration 2 Days Location Dublin Course Code SS15-13 Programme Overview Cloud Computing is gaining increasing attention
More informationCS 356 Operating System Security. Fall 2013
CS 356 Operating System Security Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5 Database
More informationManaging and Auditing Organizational Migration to the Cloud TELASA SECURITY
Managing and Auditing Organizational Migration to the Cloud 1 TELASA SECURITY About Me Brian Greidanus bgreidan@telasasecurity.com 18+ years of security and compliance experience delivering consulting
More informationCSE543 - Computer and Network Security Module: Virtualization
CSE543 - Computer and Network Security Module: Virtualization Professor Trent Jaeger CSE543 - Introduction to Computer and Network Security 1 1 Operating System Quandary Q: What is the primary goal of
More informationAdvanced Systems Security: Ordinary Operating Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationCloud Computing. Faculty of Information Systems. Duc.NHM. nhmduc.wordpress.com
Cloud Computing Faculty of Information Systems Duc.NHM nhmduc.wordpress.com Evaluating Cloud Security: An Information Security Framework Chapter 6 Cloud Computing Duc.NHM 2 1 Evaluating Cloud Security
More informationRed Hat OpenStack Platform 10 Product Guide
Red Hat OpenStack Platform 10 Product Guide Overview of Red Hat OpenStack Platform OpenStack Team Red Hat OpenStack Platform 10 Product Guide Overview of Red Hat OpenStack Platform OpenStack Team rhos-docs@redhat.com
More informationCSE543 - Computer and Network Security Module: Virtualization
CSE543 - Computer and Network Security Module: Virtualization Professor Trent Jaeger CSE543 - Introduction to Computer and Network Security 1 Operating System Quandary Q: What is the primary goal of system
More informationThe Pennsylvania State University The Graduate School PROTECTING IAAS CLOUDS THROUGH CONTROL OF CLOUD SERVICES
The Pennsylvania State University The Graduate School PROTECTING IAAS CLOUDS THROUGH CONTROL OF CLOUD SERVICES A Dissertation in Computer Science and Engineering by Yuqiong Sun c 2016 Yuqiong Sun Submitted
More informationPart2: Let s pick one cloud IaaS middleware: OpenStack. Sergio Maffioletti
S3IT: Service and Support for Science IT Cloud middleware Part2: Let s pick one cloud IaaS middleware: OpenStack Sergio Maffioletti S3IT: Service and Support for Science IT, University of Zurich http://www.s3it.uzh.ch/
More informationOperating System Security: Building Secure Distributed Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Operating System Security:
More informationSystem Approach for Single Keyword Search for Encrypted data files Guarantees in Public Infrastructure Clouds
System Approach for Single Keyword Search for Encrypted data files Guarantees in Public Infrastructure s B.Nandan 1, M.Haripriya 2, N.Tejaswi 3, N. Sai Kishore 4 Associate Professor, Department of CSE,
More informationProtecting Keys/Secrets in Network Automation Solutions. Dhananjay Pavgi, Tech Mahindra Ltd Srinivasa Addepalli, Intel
Protecting Keys/Secrets in Network Automation Solutions Dhananjay Pavgi, Tech Mahindra Ltd Srinivasa Addepalli, Intel Agenda Introduction Private Key Security Secret Management Tamper Detection Summary
More informationPresenting the VMware NSX ECO System May Geert Bussé Westcon Group Solutions Sales Specialist, Northern Europe
Presenting the ware NSX ECO System May 2015 Geert Bussé Westcon Group Solutions Sales Specialist, Northern Europe Agenda 10:15-11:00 ware NSX, the Network Virtualization Platform 11.15-12.00 Palo Alto
More informationSTRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview
STRATEGIC WHITE PAPER Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview Abstract Cloud architectures rely on Software-Defined Networking
More informationDistributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing
Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing 30/05/11 Goals Understand principles of: Authenticated booting The difference to (closed) secure
More informationROTE: Rollback Protection for Trusted Execution
ROTE: Rollback Protection for Trusted Execution Sinisa Matetic, Mansoor Ahmed, Kari Kostiainen, Aritra Dhar, David Sommer, Arthur Gervais, Ari Juels, Srdjan Capkun Siniša Matetić ETH Zurich Institute of
More informationPractical Verification of System Integrity in Cloud Computing Environments
Practical Verification of System Integrity in Cloud Computing Environments Trent Jaeger Penn State NSRC Industry Day April 27 th, 2012 1 Overview Cloud computing even replaces physical infrastructure Is
More informationSYMANTEC DATA CENTER SECURITY
SYMANTEC DATA CENTER SECURITY SYMANTEC UNIFIED SECURITY STRATEGY Users Cyber Security Services Monitoring, Incident Response, Simulation, Adversary Threat Intelligence Data Threat Protection Information
More informationCONIKS: Bringing Key Transparency to End Users
CONIKS: Bringing Key Transparency to End Users Morris Yau 1 Introduction Public keys must be distributed securely even in the presence of attackers. This is known as the Public Key Infrastructure problem
More informationJustifying Integrity Using a Virtual Machine Verifier
Justifying Integrity Using a Virtual Machine Verifier Joshua Schiffman, Thomas Moyer, Christopher Shal, Trent Jaeger, and Patrick McDaniel ACSAC 09 1 1 Cloudy Horizons Utility-based cloud computing is
More informationCloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud Services http://www.cloud-council.org/deliverables/cloud-customer-architecture-for-securing-workloads-on-cloud-services.htm Webinar April 19,
More informationCSE543 - Computer and Network Security Module: Virtualization
CSE543 - Computer and Network Security Module: Virtualization Professor Trent Jaeger CSE543 - Introduction to Computer and Network Security 1 Operating System Quandary Q: What is the primary goal of system
More informationHow Microsoft Built MySQL, PostgreSQL and MariaDB for the Cloud. Santa Clara, California April 23th 25th, 2018
How Microsoft Built MySQL, PostgreSQL and MariaDB for the Cloud Santa Clara, California April 23th 25th, 2018 Azure Data Service Architecture Share Cluster with SQL DB Azure Infrastructure Services Azure
More informationUse Case Brief BORDERLESS DATACENTERS
Use Case Brief BORDERLESS DATACENTERS Today s cloud service providers must maintain consistent levels of service for each end user or customer, independent of physical location and hardware. This brief
More informationM2M / IoT Security. Eurotech`s Everyware IoT Security Elements Overview. Robert Andres
M2M / IoT Security Eurotech`s Everyware IoT Security Elements Overview Robert Andres 23. September 2015 The Eurotech IoT Approach : E2E Overview Application Layer Analytics Mining Enterprise Applications
More informationContainer Deployment and Security Best Practices
Container Deployment and Security Best Practices How organizations are leveraging OpenShift, Quay, and Twistlock to deploy, manage, and secure a cloud native environment. John Morello CTO Twistlock Dirk
More informationCPS 510 final exam, 4/27/2015
CPS 510 final exam, 4/27/2015 Your name please: This exam has 25 questions worth 12 points each. For each question, please give the best answer you can in a few sentences or bullets using the lingo of
More informationA QUICK INTRODUCTION TO THE NFV SEC WG. Igor Faynberg, Cable Labs Chairman ETSI NFV SEC WG
A QUICK INTRODUCTION TO THE NFV SEC WG Igor Faynberg, Cable Labs Chairman ETSI NFV SEC WG 1 The NFV SEC Working Group Misson The NFV SEC Working Group comprises computer. network, and Cloud security experts
More informationHypervisor Security First Published On: Last Updated On:
First Published On: 02-22-2017 Last Updated On: 05-03-2018 1 Table of Contents 1. Secure Design 1.1.Secure Design 1.2.Security Development Lifecycle 1.3.ESXi and Trusted Platform Module 2.0 (TPM) FAQ 2.
More informationAuthenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2009
Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing Hermann Härtig Technische Universität Dresden Summer Semester 2009 Goals Understand principles of: authenticated booting the
More informationDISTRIBUTED SYSTEMS [COMP9243] Lecture 8a: Cloud Computing WHAT IS CLOUD COMPUTING? 2. Slide 3. Slide 1. Why is it called Cloud?
DISTRIBUTED SYSTEMS [COMP9243] Lecture 8a: Cloud Computing Slide 1 Slide 3 ➀ What is Cloud Computing? ➁ X as a Service ➂ Key Challenges ➃ Developing for the Cloud Why is it called Cloud? services provided
More informationW11 Hyper-V security. Jesper Krogh.
W11 Hyper-V security Jesper Krogh jesper_krogh@dell.com Jesper Krogh Speaker intro Senior Solution architect at Dell Responsible for Microsoft offerings and solutions within Denmark Specialities witin:
More informationSecuring your Virtualized Datacenter. Charu Chaubal Senior Architect, Technical Marketing 6 November, 2008
Securing your Virtualized Datacenter Charu Chaubal Senior Architect, Technical Marketing 6 November, 2008 Agenda VMware Virtualization Technology How Virtualization Affects Datacenter Security Keys to
More information2018 Cisco and/or its affiliates. All rights reserved.
Beyond Data Center A Journey to self-driving Data Center with Analytics, Intelligent and Assurance Mohamad Imaduddin Systems Engineer Cisco Oct 2018 App is the new Business Developer is the new Customer
More informationSpectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment. Orin Jeff Melnick
Spectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment Orin Thomas @orinthomas Jeff Melnick Jeff.Melnick@Netwrix.com In this session Vulnerability types Spectre Meltdown Spectre
More informationDelivering High-mix, High-volume Secure Manufacturing in the Distribution Channel
Delivering High-mix, High-volume Secure Manufacturing in the Distribution Channel Steve Pancoast Vice President, Engineering Secure Thingz Inc Rajeev Gulati Vice President and CTO Data IO Corporation 1
More informationSecuring Your Cloud Introduction Presentation
Securing Your Cloud Introduction Presentation Slides originally created by IBM Partial deck derived by Continental Resources, Inc. (ConRes) Security Division Revision March 17, 2017 1 IBM Security Today
More informationSystems View -- Current. Trustworthy Computing. TC Advantages. Systems View -- Target. Bootstrapping a typical PC. Boot Guarantees
Trustworthy Computing s View -- Current Trent Jaeger February 18, 2004 Process 1 Web server Process 2 Mail server Process 3 Java VM Operating Hardware (CPU, MMU, I/O devices) s View -- Target TC Advantages
More informationCSCI 420: Mobile Application Security. Lecture 7. Prof. Adwait Nadkarni. Derived from slides by William Enck, Patrick McDaniel and Trent Jaeger
CSCI 420: Mobile Application Security Lecture 7 Prof. Adwait Nadkarni Derived from slides by William Enck, Patrick McDaniel and Trent Jaeger 1 cryptography < security Cryptography isn't the solution to
More informationAdvanced Systems Security: Virtual Machine Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationTechnical Brief Distributed Trusted Computing
Technical Brief Distributed Trusted Computing Josh Wood Look inside to learn about Distributed Trusted Computing in Tectonic Enterprise, an industry-first set of technologies that cryptographically verify,
More informationNFV SEC TUTORIAL. Igor Faynberg, CableLabs Chairman, NFV Security WG
NFV SEC TUTORIAL Igor Faynberg, CableLabs Chairman, NFV Security WG 1 The NFV SEC Working Group Mission The NFV SEC Working Group comprises Computing, Networking and Cloud security experts representing
More informationDELIVERING TRUSTED CLOUDS How Intel and Red Hat integrated solutions for secure cloud computing
DELIVERING TRUSTED CLOUDS How Intel and Red Hat integrated solutions for secure cloud computing Steve Orrin - Federal Chief Technologist, Intel Steve Forage - Senior Director, Cloud Solutions, Red Hat
More informationThales e-security. Security Solutions. PosAm, 06th of May 2015 Robert Rüttgen
Thales e-security Security Solutions PosAm, 06th of May 2015 Robert Rüttgen Hardware Security Modules Hardware vs. Software Key Management & Security Deployment Choices For Cryptography Software-based
More informationWhose Cloud Is It Anyway? Exploring Data Security, Ownership and Control
Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control SESSION ID: CDS-T11 Sheung-Chi NG Senior Security Consulting Manager, APAC SafeNet, Inc. Cloud and Virtualization Are Change the
More informationInformation Flow Control For Standard OS Abstractions
Information Flow Control For Standard OS Abstractions Maxwell Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris MIT SOSP 2007 Presenter: Lei Xia Mar. 2 2009 Outline
More informationLecture Secure, Trusted and Trustworthy Computing Trusted Platform Module
1 Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt Germany Winter Term 2017/18 Roadmap: TPM
More informationCompTIA SY CompTIA Security+
CompTIA SY0-501 CompTIA Security+ https://killexams.com/pass4sure/exam-detail/sy0-501 QUESTION: 338 The help desk is receiving numerous password change alerts from users in the accounting department. These
More informationTerra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)
Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006) Trusted Computing Hardware What can you do if you have
More informationBUILDING SECURITY INTO YOUR DATA CENTER MODERNIZATION STRATEGY
SOLUTION OVERVIEW BUILDING SECURITY INTO YOUR DATA CENTER MODERNIZATION STRATEGY Every organization is exploring how technology can help it disrupt current operating models, enabling it to better serve
More informationDynamic Datacenter Security Solidex, November 2009
Dynamic Datacenter Security Solidex, November 2009 Deep Security: Securing the New Server Cloud Virtualized Physical Servers in the open Servers virtual and in motion Servers under attack 2 11/9/09 2 Dynamic
More informationCrypto Background & Concepts SGX Software Attestation
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 4b Slide deck extracted from Kamran s tutorial on SGX, presented during ECE 6095 Spring 2017 on Secure Computation and Storage, a precursor to this course
More informationARM TrustZone for ARMv8-M for software engineers
ARM TrustZone for ARMv8-M for software engineers Ashok Bhat Product Manager, HPC and Server tools ARM Tech Symposia India December 7th 2016 The need for security Communication protection Cryptography,
More informationSecuring Cloud Computing
Securing Cloud Computing NLIT Summit, May 2018 PRESENTED BY Jeffrey E. Forster jeforst@sandia.gov Lucille Forster lforste@sandia.gov Sandia National Laboratories is a multimission laboratory managed and
More informationLecture Embedded System Security Trusted Platform Module
1 Lecture Embedded System Security Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt (CASED) Germany Summer Term 2015 Roadmap: TPM Introduction to TPM TPM architecture
More informationHOW CLOUD, MOBILITY AND SHIFTING APP ARCHITECTURES WILL TRANSFORM SECURITY: GAINING THE HOME-COURT ADVANTAGE
#RSAC SESSION ID: SPO3-T07 HOW CLOUD, MOBILITY AND SHIFTING APP ARCHITECTURES WILL TRANSFORM SECURITY: GAINING THE HOME-COURT ADVANTAGE Tom Corn Senior Vice President/GM Security Products VMware @therealtomcorn
More informationUse Case Brief BUILDING A PRIVATE CLOUD PROVIDING PUBLIC CLOUD FUNCTIONALITY WITHIN THE SAFETY OF YOUR ORGANIZATION
Use Case Brief BUILDING A PRIVATE CLOUD PROVIDING PUBLIC CLOUD FUNCTIONALITY WITHIN THE SAFETY OF YOUR ORGANIZATION At many enterprises today, end users are demanding a powerful yet easy-to-use Private
More informationBest Practices in Securing Your Customer Data in Salesforce, Force.com & Chatter
White Paper Best Practices in Securing Your Customer Data in Salesforce, Force.com & Chatter Overcoming Security, Privacy & Compliance Concerns 333 W. San Carlos Street San Jose, CA 95110 Table of Contents
More informationthe SWIFT Customer Security
TECH BRIEF Mapping BeyondTrust Solutions to the SWIFT Customer Security Controls Framework Privileged Access Management and Vulnerability Management Table of ContentsTable of Contents... 2 Purpose of This
More informationAgenda GDPR Overview & Requirements IBM Secure Virtualization Solution Overview Summary / Call to Action Q & A 2
GRC3386BUS GDPR Readiness with IBM Cloud Secure Virtualization Raghu Yeluri, Intel Corporation Shantu Roy, IBM Bill Hackenberger, Hytrust #VMworld #GRC3386BUS Agenda GDPR Overview & Requirements IBM Secure
More informationOracle Solaris Virtualization: From DevOps to Enterprise
Oracle Solaris Virtualization: From DevOps to Enterprise Duncan Hardie Principal Product Manager Oracle Solaris 17 th November 2015 Oracle Confidential Internal/Restricted/Highly Restricted Safe Harbor
More informationAdvanced Systems Security: Virtual Machine Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationAdvanced Systems Security: Multics
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationIntroduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview
IBM Watson on the IBM Cloud Security Overview Introduction IBM Watson on the IBM Cloud helps to transform businesses, enhancing competitive advantage and disrupting industries by unlocking the potential
More informationEnforcing declara.ve data policies
Enforcing declara.ve data policies Peter Druschel with Anjo Vahldiek, Eslam Elnikety, Aastha Mehta, Deepak Garg, MPI- SWS (with contribu@ons from Rodrigo Rodrigues Nova Lisboa, Johannes Gehrke Cornell/Microso>,
More informationExtend your datacenter with the power of Citrix Open Cloud
Extend your datacenter with the power of Citrix Open Cloud Peter Leimgruber Sr. SE Datacenter & Networking, CE Mikael Lindholm Sr. SE XenServer & Cloud, EMEA Sales Dev Agenda Cloud Expectations and reality
More informationLecture Secure, Trusted and Trustworthy Computing Trusted Platform Module
1 Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt Germany Winter Term 2016/17 Roadmap: TPM
More informationTRESCCA Trustworthy Embedded Systems for Secure Cloud Computing
TRESCCA Trustworthy Embedded Systems for Secure Cloud Computing IoT Week 2014, 2014 06 17 Ignacio García Wellness Telecom Outline Welcome Motivation Objectives TRESCCA client platform SW framework for
More informationAuthenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2007
Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing Hermann Härtig Technische Universität Dresden Summer Semester 2007 Goals Understand: authenticated booting the difference
More informationCIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries
CIS 6930/4930 Computer and Network Security Topic 7. Trusted Intermediaries 1 Trusted Intermediaries Problem: authentication for large networks Solution #1 Key Distribution Center (KDC) Representative
More informationCloud Computing Lectures. Cloud Security
Cloud Computing Lectures Cloud Security 1/17/2012 Why security is important for cloud computing? Multi Tenancy, that is same infrastructure, platform, Service is shared among vendors. It is accessed over
More informationLecture 3 MOBILE PLATFORM SECURITY
Lecture 3 MOBILE PLATFORM SECURITY You will be learning: What techniques are used in mobile software platform security? What techniques are used in mobile hardware platform security? Is there a common
More informationOpen Hybrid Cloud & Red Hat Products Announcements
Open Hybrid Cloud & Red Hat Products Announcements FREDERIK BIJLSMA Cloud BU EMEA Red Hat 14th December 2012 PERVASIVE NEW EXPECTATIONS AGILITY. EFFICIENCY. COST SAVINGS. PUBLIC CLOUDS 2 ENTERPRISE IT
More informationMulti-tenancy Virtualization Challenges & Solutions. Daniel J Walsh Mr SELinux, Red Hat Date
Multi-tenancy Virtualization Challenges & Solutions Daniel J Walsh Mr SELinux, Red Hat Date 06.28.12 What is Cloud? What is IaaS? IaaS = Infrastructure-as-a-Service What is PaaS? PaaS = Platform-as-a-Service
More informationDisclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme
NET2896BU Expanding Protection Across the Software Defined Data Center with Encryption VMworld 2017 Chris Corde Senior Director, Security Product Management Content: Not for publication #VMworld #NET2896BU
More informationCLOUD WORKLOAD SECURITY
SOLUTION OVERVIEW CLOUD WORKLOAD SECURITY Bottom line: If you re in IT today, you re already in the cloud. As technology becomes an increasingly important element of business success, the adoption of highly
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 12: Database Security Department of Computer Science and Engineering University at Buffalo 1 Review of Access Control Types We previously studied four types
More informationSecuring Devices in the Internet of Things
AN INTEL COMPANY Securing Devices in the Internet of Things WHEN IT MATTERS, IT RUNS ON WIND RIVER EXECUTIVE SUMMARY Security breaches at the device level in the Internet of Things (IoT) can have severe
More informationHardened Security in the Cloud Bob Doud, Sr. Director Marketing March, 2018
Hardened Security in the Cloud Bob Doud, Sr. Director Marketing March, 2018 1 Cloud Computing is Growing at an Astounding Rate Many compelling reasons for business to move to the cloud Cost, uptime, easy-expansion,
More informationSentinet for Windows Azure VERSION 2.2
Sentinet for Windows Azure VERSION 2.2 Sentinet for Windows Azure 1 Contents Introduction... 2 Customer Benefits... 2 Deployment Topologies... 3 Isolated Deployment Model... 3 Collocated Deployment Model...
More informationSecuring Multiple Mobile Platforms
Securing Multiple Mobile Platforms CPU-based Multi Factor Security 2010 Security Workshop ETSI 2010 Security Workshop Navin Govind Aventyn, Inc. Founder and CEO 1 Mobile Platform Security Gaps Software
More informationLecture Embedded System Security Introduction to Trusted Computing
1 Lecture Embedded System Security Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt (CASED) Summer Term 2012 Roadmap: Trusted Computing Motivation Notion of trust
More information