![Page 1: Towards Supercloud Computing · Towards Supercloud Computing: User-Centric Security Management for Clouds of Clouds Marc Lacoste Orange Labs SEC2 ComPAS’15 Workshop on Cloud Security](https://reader034.vdocuments.mx/reader034/viewer/2022042909/5f3d743c98963a062d75cc98/html5/thumbnails/1.jpg)
Towards Supercloud Computing: User-Centric Security Management for Clouds of Clouds
Marc Lacoste
Orange Labs
SEC2 ComPAS’15 Workshop on Cloud Security
Lille, June 30, 2015
Cloud Security Today
Security = key concern in cloud adoption for the enterprise market
Threats are on the rise
Attacks are costly
Awareness is growing, but is not enough
Source: Cloud Security Alliance, 2013.
Source: Ponemon, 2013.
The Cloud everywhere, increasingly complex…
Classical cloud threats… and new threats…
…and so are security breaches!
Root causes: commodity hardware, cloud isolation technology
Issues: secure boot, I/O partitioning, performance isolation
Secure, robust SDN
Challenges: central PoF (point of failure), trust
Mitigation: replication, diversity, authentication
Topology validation
Availability of management network
NFV security
Policy consistency, secure SDN toolkits
Intrusion prevention?
Fault tolerance?
Hasn’t someone been forgotten?
The User? The Customer?
Are they going to use those infrastructures?
Are they going to pay for them?
Provider-centric clouds prevent interoperability and unified control
The Cloud as utility
Promise: high availability & security, energy efficiency, scalability, …
Feature-rich services: intrusion monitoring, elastic load balancing, …
Multi-provider clouds
NOT ACHIEVED
NOT DEPLOYED
Provider-centric cloud deficiencies
INTEROPERABILITY: vendor lock-in, different SLAs
UNIFIED CONTROL: heterogeneous infrastructure services, monolithic infrastructure, technological choices
SECURITY
Outline
Moving to User-Centric Cloud Security
Secure Supercloud Computing
Key Enabling Technologies
The H2020 SUPERCLOUD Project
Next Steps
User-centric clouds require a resource distribution layer
Customer Security Expectations
Taking Into Account Security Challenges
Infrastructure security: strong, flexible, automated security for compute resources
Vulnerabilities in complex infrastructure, mitigation of cross-layer attacks
Lack of flexibility and control in security management
Automation of security management: in layers, between providers
Data management: on-demand, unified experience in protection of data assets
Management of access rights, continuum between provider vs. user control
Blind compute over data stored in multi-clouds
Traceability of information for accountability and privacy
Network management: resilient, secure virtual networking
Resilient resource provisioning across heterogeneous clouds
End-to-end inter-cloud network security with different security SLAs
Secure Supercloud Computing
The Supercloud NORTH INTERFACE provides user-centric self-service security & dependability
The Supercloud SOUTH INTERFACE provides provider-centric self-managed security & dependability
Supercloud Computing: Self-Service Security
Self-service security relies on:
a distributed, flexible resource & control layer spanning compute, data, network
multi-provider security policies
Figure: abstraction & control layer, policies
Supercloud Computing: Self-Managed Security
Self-managed security relies on:
bi-dimensional (cross-layer, multi-provider) self-protection for compute and network resources
bi-dimensional trust management
Figure: security and trust management
Supercloud Computing: End-to-End Security
End-to-end security relies on:
E2E security SLAs for VMs & data protection
E2E network security in control and data planes
Figure: E2E network security, E2E VM SLAs, E2E data security
Supercloud Computing: Resilience
Resilience relies on:
multi-cloud data availability
resilient networking in data and control plane
Key Enabling Technologies: Self-Service Security
Flexible hypervisor security architectures:
User data isolation + protection against the cloud provider
Modular, secure interface for the hypervisor
Blind computation:
Lightweight homomorphic operations over encrypted data
Advanced cryptographic tools for data security
Security SLA management:
Security SLA (SSLA) language bridging the gap between layers
SSLA templates and combination functions for easy specification
Key Enabling Technologies: Self-Managed Security
Autonomic IaaS security supervision:
Cross-layer security monitoring, even if some layers are compromised
Cross-provider security monitoring, seamless integration
Security policies:
Flexible security policy languages and deployment tools
Policy negotiation tools for conflict resolution
Network security management:
Finer-grained network control than current specifications
SDN components/APIs for advanced policy monitoring
Key Enabling Technologies: End-to-End Security
Cryptographic protection:
Integrity and consistency verification
Processing cryptographically protected data
Storage access control:
Transparent cryptographic protection mechanisms
Flexible cloud-based key management
Trust management:
Horizontal trust management between different cloud entities
Vertical trust management across cloud system configurations
Abstraction of trust through specification language
Key Enabling Technologies: Resilience
SDN Resilience:
Secure, dependable SDN controller for multi-cloud networking
Intra/inter-cloud infrastructure resilient to network failures
Data availability:
Integration of disruptive secrecy technology to multi-cloud storage replication
New services based on multi-cloud storage algorithms
Adaptive multi-cloud algorithms with outstanding performance for real workloads
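As an added example, not the SUPERCLOUD project's code, one way to combine a secrecy technique with multi-cloud storage so that data survives provider outages while no single provider can read it: byte-wise (k, n) Shamir secret sharing over GF(257). The slide does not name the mechanism, so Shamir sharing, the provider names and the 3-of-5 layout are assumptions.

```python
import secrets

P = 257  # prime field: every byte value 0..255 fits

def _eval_poly(coeffs, x):
    """Evaluate the polynomial with these coefficients at x over GF(P)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y

def split(data, k, n):
    """Split data into n shares: any k recover it, fewer than k reveal nothing."""
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n < P")
    shares = {i: [] for i in range(1, n + 1)}
    for byte in data:
        # Random polynomial of degree k-1 whose constant term is the byte.
        coeffs = [byte] + [secrets.randbelow(P) for _ in range(k - 1)]
        for i in shares:
            shares[i].append(_eval_poly(coeffs, i))
    return shares

def recover(shares, k):
    """Rebuild the data from any k shares by Lagrange interpolation at x = 0."""
    if len(shares) < k:
        raise ValueError("not enough shares available")
    xs = list(shares)[:k]
    out = bytearray()
    for pos in range(len(shares[xs[0]])):
        total = 0
        for i in xs:
            num, den = 1, 1
            for j in xs:
                if j != i:
                    num = num * (-j) % P
                    den = den * (i - j) % P
            total = (total + shares[i][pos] * num * pow(den, P - 2, P)) % P
        out.append(total)
    return bytes(out)

# Constructed multi-cloud layout (assumption): five providers, any three suffice.
PROVIDERS = ["cloud-a", "cloud-b", "cloud-c", "cloud-d", "cloud-e"]
K = 3

def store_across_clouds(data):
    """Place one share per provider; no single provider can read the data."""
    shares = split(data, K, len(PROVIDERS))
    return {p: shares[i + 1] for i, p in enumerate(PROVIDERS)}

def fetch_with_outage(stored, down):
    """Recover the data while the providers in `down` are unreachable."""
    available = {i + 1: stored[p] for i, p in enumerate(PROVIDERS) if p not in down}
    return recover(available, K)
```

Two provider outages are tolerated; with three providers down, recovery fails rather than returning garbage.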
What is VESPA?
VESPA = Virtual Environments Self-Protecting Architecture
An automated security supervision framework for IaaS and multi-DC infrastructures
Figure: applications; cloud provider (IaaS monitoring, anti-malware, anti-DDoS, end-to-end security); customers (SecaaS appliances)
Design principles
STRONG SECURITY
Cross-layer security: detect / respond to overall extent of attack.
Open architecture: mitigate new threats, integrate legacy counter-measures.
SIMPLE SECURITY
Automated security supervision: choose in-layer, cross-layer, multi-DC.
Tuneable defense patterns: orchestrate multiple loops for rich defense strategy.
VESPA System Architecture
Figure: four planes (Resource, Security, Agent, Orchestration) across the VM, Hypervisor and Physical layers, with HO and VO components; Detection Agent to Detection Manager (DETECTION), DECISION, Reaction Manager to Reaction Agent (REACTION), acting on RESOURCES
VESPA System Architecture
Figure: same planes and layers, highlighting Intra-Layer Self-Protection (the detection / decision / reaction loop closed within one layer)
VESPA System Architecture
Figure: same planes and layers, highlighting Cross-Layer Self-Protection (the detection / decision / reaction loop spanning the VM, Hypervisor and Physical layers)
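The detection / decision / reaction loop and the in-layer versus cross-layer choice described on the VESPA slides, as an added toy model in Python (not VESPA's own code; the layer names, alert fields, time window and reaction names are assumptions):

```python
from collections import defaultdict

# Constructed sample alerts, as detection agents in each layer would raise them.
SAMPLE_ALERTS = [
    {"t": 10, "layer": "vm", "host": "host-2", "resource": "vm-7", "kind": "malware"},
    {"t": 12, "layer": "vm", "host": "host-1", "resource": "vm-3", "kind": "bruteforce"},
    {"t": 14, "layer": "hypervisor", "host": "host-2", "resource": "host-2", "kind": "vmi-anomaly"},
    {"t": 90, "layer": "physical", "host": "host-1", "resource": "nic-0", "kind": "link-flap"},
]

# Assumed in-layer reactions: each layer's reaction agent handles its own alerts.
IN_LAYER_REACTION = {"vm": "restart-vm", "hypervisor": "reload-vmm-policy", "physical": "failover-link"}

def detect(alerts, window=30):
    """Detection manager: correlate agent alerts per host inside a time window.
    Returns incidents, each carrying the sorted set of layers that raised alerts."""
    by_host = defaultdict(list)
    for alert in sorted(alerts, key=lambda x: x["t"]):
        by_host[alert["host"]].append(alert)
    incidents = []
    for host, host_alerts in by_host.items():
        current = None
        for alert in host_alerts:
            if current is None or alert["t"] - current["start"] > window:
                current = {"host": host, "start": alert["t"], "alerts": []}
                incidents.append(current)
            current["alerts"].append(alert)
    for inc in incidents:
        inc["layers"] = sorted({a["layer"] for a in inc["alerts"]})
    return incidents

def decide(incident):
    """Decision: alerts from one layer -> in-layer loop; alerts from several
    layers on the same host -> cross-layer loop, so the response covers
    the overall extent of the attack rather than one symptom."""
    return "cross-layer" if len(incident["layers"]) > 1 else "in-layer"

def react(incident, mode):
    """Reaction manager: build the actions to dispatch to reaction agents."""
    actions = []
    if mode == "in-layer":
        for a in incident["alerts"]:
            actions.append((a["layer"], IN_LAYER_REACTION[a["layer"]], a["resource"]))
    else:
        # Assumed cross-layer pattern: quarantine the affected VMs from the
        # hypervisor and isolate the host on the physical network.
        for a in incident["alerts"]:
            if a["layer"] == "vm":
                actions.append(("hypervisor", "quarantine-vm", a["resource"]))
        actions.append(("physical", "isolate-host", incident["host"]))
    return actions

def run_loop(alerts, window=30):
    """One pass of the supervision loop: detect -> decide -> react."""
    return [(inc["host"], decide(inc), react(inc, decide(inc)))
            for inc in detect(alerts, window)]
```

On the sample alerts, host-2 (VM malware plus a hypervisor anomaly within the window) triggers the cross-layer loop, while the two host-1 alerts fall outside each other's window and stay in-layer.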
The VESPA Project
Research results:
Framework [ICAC’12].
Extensions:
Network management (SDN approach).
Mobile cloud SLAs: Orange MC2 [UCC’13].
VMM self-protection: KungFuVisor [EURODW’12], self-stabilization [DSS’14].
Keynotes [SSS’11], panels [IM’11, NOMS’14], tutorials [ICAR’13, MOBILECLOUD’14].
Code available at: https://github.com/Orange-OpenSource/vespa-core
RESULTS
Framework: supervision of single cloud and multi-DC security.
Available in open source.
Different applications demonstrating viability of self-defending cloud concept.
CURRENT VESPA FUNCTIONALITIES (so far)
VESPA = core + security plug-ins.
Supported: anti-virus, hypervisor control, firewall, log analysis
In progress: integration with Heat + Horizon, network zones, vSwitch management (SDN)
The SUPERCLOUD Project
The SUPERCLOUD Project: Goals and Expected Results
Goal: a security management infrastructure for secure supercloud computing
Expected Results: A security management infrastructure:
360° autonomic security supervision, horizontally and vertically for superclouds
A user-centric to provider-centric continuum of security services
End-to-end trust management
A data management framework:
Advanced cryptographic tools (e.g., access control, secure computation)
A resilience framework for multi-cloud storage infrastructures
A multi-cloud network management infrastructure:
Resilient virtual network provisioning across multiple clouds
Sanitized network environment with tunable security guarantees
Use Cases and Dissemination of Results
Use cases:
Healthcare-oriented:
Distributed medical imaging platform
Healthcare Laboratory Information System
NFV security
Smart home
Decentralized, location-aware cloud security
SUPERCLOUD Technology Dissemination: fully open source
Ambition: open toolbox for trustworthy management of clouds of clouds
Standardization: aim for open standards
Conclusion and Next Steps
Key take-aways:
User-centric distributed clouds should overcome provider-centric limitations
Secure Supercloud Computing makes it possible to build such clouds, with security that is self-service, self-managed, end-to-end, and resilient
Open innovation makes it possible to build such next-generation security technology
More trustworthy cloud services with an improved customer experience are expected
Next steps: SUPERCLOUD requirements, security architecture, prototypes
Push into open source and standardization
https://supercloud-project.eu/