S S ecu cure re mb mbed edded ded E E E E leme ments nts & D ata protec at otection tion the 4 C loud ud By : Jean-Marc Lambert, Cloud Computing R&D, Gemalto http://www.celticplus-seed4c.org/
Context Security of the Cloud is still an roadblock to massive cloud adoption in critical segments. Customers need trust, and want to keep control of their assets Need to harden cloud security • Enforce various security policies (e.g., regulation and business policies) • Let customers define & control these policies • Provide evidences of the policy enforcement 2
Objectives Building a Trusted Cloud Computing Base (TCCB) Based on • A Cloud of minimal Trusted Computing Bases: the SEEDs (Managed by the NoSE : Network of Secure Elements) 3
Objectives Building a Trusted Cloud Computing Base (TCCB) Based on • A Cloud of minimal Trusted Computing Bases: the SEEDs (Managed by the NoSE : Network of Secure Elements) And • That can guarantee end-to-end security of service 4
Alcatel-Lucent France Gemalto ENSI Bourges Inria Wallix Cygate Mikkelin Puhelin Oy Finland Nokia Solutions & Networks Oy, Finceptum Oy VTT SEED4C: Security Embedded Element and Data Privacy for Cloud Innovalia Association Spain Nextel Software Quality Systems (SQS) Fundación Vicomtech IKUSI BISCAYTIK Korea SOLACIA 5
SEED4C approach From an isolated security to a coordinated security • Secure Element Extended (SEE) - Store securely critical data and execute securely critical apps - Support multi-tenant data & apps • Network of Secure Element Extended (NoSEE) - Secure administration & exchange across cloud nodes. - Allow Tenants to manage their credentials & trust seeds. - Eg. allow critical data to be processed only in secure & compliant VMs (certified location, local key storage,…) NoSEE SEE SEE SEE Coordinated Security Isolated Security 6
Deliver Trusted Services in a multi-nodes Trusted Cloud Execution Environment Trust & Assurance Policy Execution Trust & Assurance Trusted Execution • Network • Servers • … 7 7
SEED4C scope of work Modeling, Deployment, Enforcement and Assurance End 2 End M D Deployment Modeling E A Assurance Enforcement In depth security and assurance 8
SEED4C process SEED4C Users Policy Modeling Policy Assurance NoSEE SEE App & Policy Policy Deployment Monitoring SEE – based Policy Enforcement 9
SEED4C: Enforcement engine M D Cooperative security: the SEE model E A • SE are multi-tenant (isolated security domains) • SE services offered by a dedicated SEE VM • NoSEE Admin : Manage the attached SE (GP), the allocation of nodes to tenants & mirroring Tenant’s security domain into SE(s) • Tenant Admin : Manage security data and function in tenant security domains NoSEE Tenant SE Admin Admin Tenant 1 security domain Data - Keys Functions - … Tenant 2 security domain Network of Secure Elements (NoSEE) Intranet Data West East - Keys SEE NoSEE Functions Admin - … VM West Web Internal VLAN Shared security domain South Hardened Hypervisor (KVM) Data - Location SECURE - Time/date 1 HOST ELEMENT - … 1 SEE VM per HOST - Functions 1 SE per HOST - Encrypt/decrypt - … 10
SEED4C Use-cases Various types of use-cases at different cloud levels (IaaS, PaaS, SaaS) ANSP AIRLINES AFTN Messages IATA Messages File File WebCom Services Sharing iKloud AOS in SaaS Sharing (eg WebRTC, vIMS) App App Integration Platform Passenger Services AODB MUSIK SEE SE E Advertising information SEE SEE EU Other Airport Group 1 Airport Group N Passengers Airport 1 Airport N Airport 1 BI Operational Operational Department Department Operational Department Possible locations of the SE Airport system mgt e-Gov services IMS communication services Use Case Environment NSS Authenticaton Domain Security Operations Center User V L R Authentication Server H L R Ba nk A Do U mai C n W eb Server EIR Application/ Processing Server Database Servers MSC SMSC SMSC2 VLR2 Possible location of SE or SEE IAM authentication Security monitoring Telco services e-Banking and auditing PaaS environment in the cloud (NFV) Administrative access IaaS level security vHSM + key ceremony mgt 11
As a Conclusion : Seed4C provides : Tenant’s defined Security Policy & Control Security aware placement & deployment engine Modeling, Deployment, Enforcement and Assurance solution Enforced by : The Network of Secure Elements Extended (NoSEE) The Secure Elements physically present in each trustable cloud node. The Assurance Framework providing evidences and allowing continuous monitoring. 12
13 http://projects.celtic-initiative.org/seed4c/
Recommend
More recommend
