security: planting trust in the cloud
TRANSCRIPT
Planting trust in the CLOUD
Oscar López, R&D&I Area
XV Jornadas de Seguridad NEXTEL S.A. (15th NEXTEL S.A. Security Days)
27/06/2013
SEED4C. Planting trust in the CLOUD
CLOUD services: IaaS, PaaS, SaaS (cloud provider vs. cloud customer)
Are IT security and cost savings both possible?
• Project coordination: Alcatel-Lucent Bell Labs
• Start: April 2012
• End: September 2014
• Duration: 30 months
• 4 countries: Finland, France, Korea and Spain
• How to increase the trust in cloud services?
Up to 80% of problems may be solved with protected execution and proper policy enforcement.
• Can we "plant" SEEDs in the Cloud to increase trust?
Building a Trusted Cloud Computing Base (TCCB), based on a cloud of minimal Trusted Computing Bases: the SEEDs managed by the NoSE.
• Security Embedded Element and Data Privacy for Cloud infrastructures
Introduction of the NoSE: Network of Secure Elements
• SEED4C. Concept
• Deliver Trusted Services in a multi-node Trusted Cloud Execution Environment
[Diagram: Policy Execution and Trusted Execution across network, servers and more, each backed by Trust & Assurance]
• And deliver end-to-end security to users
[Diagram: end-to-end trusted services between the user's device and the security plane / NoSE, with the user's SEED enrolled in the NoSE for Trust & Assurance]
• In a multi-party, policy-driven architecture
[Diagram: parties involved: Infra Provider, PaaS Provider, SaaS Provider, Device Provider, User / Tenant]
• And provide compliance and evidence
• Logs and audit features enforced by the NoSE
• Change management of the trusted architecture tracked thanks to the NoSE and central management
• Change workflows may be enforced too by trusted actors
• Research challenges
• How to distribute the secure elements within an infrastructure so that they add value to the platform and the services.
• How to achieve secure load balancing and secure communication among the secure elements (SEs) and from them to the integrated machines.
• How to address policy enforcement (centred on identity and privacy), traceability and assurance of the final services.
• SEEDs planting: granularity
– Network, hypervisors, servers, storage, devices
– Strategic places: IaaS, PaaS, SaaS
• Multiple form factors required to match physical constraints
– Secure Embedded Elements, TPM, software in a TEE, dedicated VM, OS component
• Network of Secure Elements (NoSE)
– Communication protocols across SEEDs
• Scalability of the architecture
• Enrollment & lifecycle of equipment, VMs and SEEDs in the NoSE
– Enroll equipment, attach them to SEEDs
• Credential management
• Added value
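The slides on compliance and evidence (logs and audit enforced by the NoSE, tracked change management) and on enrollment, lifecycle and credential management describe the NoSE only at the level of goals. The following is an added example, written for this page and not SEED4C project code, of the minimal mechanics those goals imply: each SEED holds a key that never leaves it and vouches for events; equipment enrolls by being attached to a SEED; a central policy lists the software measurements allowed to run; and every event goes into a hash-chained audit log so that later tampering is detectable. All class and function names (Seed, Nose, enroll, attest, verify_audit), the use of HMAC-SHA256 in place of a real secure element's signing, and the sample measurements are assumptions made for the illustration.

```python
"""Illustrative model of a tiny network of secure elements (NoSE).
Added example, not SEED4C code; all names and the HMAC stand-in for
a secure element's signing are assumptions for the illustration."""
import hashlib
import hmac
import json
import secrets

GENESIS = "0" * 64  # hash chain starts from a fixed all-zero value


class Seed:
    """A secure element: holds a key that never leaves it and vouches
    (here: HMAC-SHA256) for statements about its attached equipment."""

    def __init__(self, seed_id):
        self.seed_id = seed_id
        self._key = secrets.token_bytes(32)  # stays inside the SEED

    def sign(self, message):
        return hmac.new(self._key, message, hashlib.sha256).hexdigest()

    def verify(self, message, tag):
        return hmac.compare_digest(self.sign(message), tag)


class Nose:
    """Central management for the SEEDs: enrollment registry, policy of
    allowed software measurements, and a tamper-evident audit log."""

    def __init__(self):
        self.seeds = {}       # seed_id -> Seed
        self.equipment = {}   # equipment_id -> seed_id it is attached to
        self.policy = set()   # SHA-256 digests of software allowed to run
        self.audit = []       # hash chain of SEED-vouched events

    def register_seed(self, seed):
        self.seeds[seed.seed_id] = seed

    def allow_measurement(self, digest):
        self.policy.add(digest)

    @staticmethod
    def _body(prev, event):
        # Canonical encoding so that verifier and recorder hash the same bytes
        return json.dumps({"prev": prev, "event": event}, sort_keys=True).encode()

    def _record(self, seed, event):
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        body = self._body(prev, event)
        self.audit.append({
            "prev": prev,
            "event": event,
            "hash": hashlib.sha256(body).hexdigest(),
            "tag": seed.sign(body),  # the SEED vouches for this entry
            "seed": seed.seed_id,
        })

    def enroll(self, equipment_id, seed_id):
        """Attach a piece of equipment (server, hypervisor, VM) to a SEED."""
        seed = self.seeds[seed_id]
        self.equipment[equipment_id] = seed_id
        self._record(seed, {"type": "enroll", "equipment": equipment_id})

    def attest(self, equipment_id, software_image):
        """Policy enforcement: the equipment's SEED reports the measured
        image; the NoSE decides and logs whether it is allowed to run."""
        seed = self.seeds[self.equipment[equipment_id]]
        digest = hashlib.sha256(software_image).hexdigest()
        allowed = digest in self.policy
        self._record(seed, {"type": "attest", "equipment": equipment_id,
                            "digest": digest, "allowed": allowed})
        return allowed

    def verify_audit(self):
        """Traceability check: every entry must chain to the previous
        one, hash correctly, and carry a valid tag from its SEED."""
        prev = GENESIS
        for entry in self.audit:
            body = self._body(entry["prev"], entry["event"])
            seed = self.seeds[entry["seed"]]
            if (entry["prev"] != prev
                    or hashlib.sha256(body).hexdigest() != entry["hash"]
                    or not seed.verify(body, entry["tag"])):
                return False
            prev = entry["hash"]
        return True


def demo():
    """Constructed scenario: one hypervisor node, one allowed image,
    one rejected image, then an attacker rewriting the audit log."""
    nose = Nose()
    nose.register_seed(Seed("seed-hv-01"))
    nose.allow_measurement(hashlib.sha256(b"hypervisor-image-v1").hexdigest())
    nose.enroll("hv-node-01", "seed-hv-01")
    good = nose.attest("hv-node-01", b"hypervisor-image-v1")
    bad = nose.attest("hv-node-01", b"hypervisor-image-v1-backdoored")
    intact = nose.verify_audit()
    nose.audit[2]["event"]["allowed"] = True  # try to hide the rejection
    return good, bad, intact, nose.verify_audit()


if __name__ == "__main__":
    print(demo())
```

The design point is that the audit entries are useless as evidence unless something the infrastructure operator cannot freely alter vouches for them; here that is the SEED's key, which is why the tag is computed inside the Seed class and the NoSE only stores it. A real deployment would use a TPM or secure element signature and a quote over the measured state instead of the HMAC stand-in.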
• Use case mapping
Layers: NetaaS, PaaS, IaaS, SaaS, NoSE, Client Access Device
Use cases:
1: BYOD / protection of corporate data
2: Airport equipment management
3: HSM + key ceremony
4: Enterprise collaboration
5: ePayment, PCI DSS
6: IAM authentication + auditing
7: Security at IaaS level
8: Monitoring security at PaaS layer
9: Admin access & audit management/logs
10: Telco services in the cloud, multi-tenancy protection
11: eGov services, data protection
12: SVPDC, virtual data center management
• eGovernment services data protection
Before SEED4C:
• Security solutions based on independent, proprietary elements to secure data in the cloud
After SEED4C:
• Enhanced security-related functionality to control, access and store protected data in the cloud
• Adopt the SEEDs developed for the e-Government service to manage and store this protected data in their own infrastructure
• Add more layers of security using a network of secure elements: compliance, traceability and auditability
• Centralized cloud services for airport management
Before SEED4C:
• Security solutions based on independent, proprietary elements to secure data in the cloud
After SEED4C:
• Enhanced security-related functionalities
• Add more layers of security using a network of secure elements
• Provide an interconnected NoSE forming a trusted network that adds a layer of security to the entire system: compliance, traceability and auditability
• Security properties
Thank you very much!
Follow us on social media!