Security Infrastructure for Trusted Offloading in Mobile Cloud Computing
Professor Kai Hwang, University of Southern California
Presentation at Huawei Forum, Santa Clara, Nov. 8, 2014
• Mobile cloud security and big data privacy issues and their plausible solutions
• Convergence of five emerging technologies: big data science, cloud computing, social networks, mobile systems, and the IoT
• Cloud-based Radio Access Networks (C-RAN) for building the 5G mobile core networks
• New solutions from academia and industry: WiFi cloudlets, mobile clouds, Data Coloring, the PowerTrust reputation system, network worm containment, hybrid IDS, spam filtering, and security analytics
Point of Contact: [email protected]
Privacy and Security Enforcement

Infrastructure security
  - Secure computations in distributed programming frameworks
  - Security best practices for non-relational data stores
Data privacy
  - Privacy-preserving data mining and analytics
  - Cryptographically enforced data-centric security
  - Granular access control
Data management
  - Secure data storage and transaction logs
  - Granular audits
  - Data provenance
Integrity / reactive security
  - End-point validation and filtering
  - Real-time security monitoring
Source: K. Hwang, G. Fox, and J. Dongarra, Distributed and Cloud Computing: from Parallel Processing to The Internet of Things, Morgan Kaufmann, Oct. 2011
Prof. Kai Hwang, USC
Security and Trust Barriers in Mobile Cloud Computing

• Protecting datacenters must first secure cloud resources and uphold user privacy and data integrity.
• We suggested the use of a trust overlay network to build reputation systems for trusted cloud computing.
• A watermarking technique is suggested to protect shared data objects and massively distributed software modules.
• These techniques safeguard user authentication and tighten the data access control in public clouds.
• The new approach could be more cost-effective than using traditional encryption and firewalls.
Cloudlets: a trusted portal for mobile devices with cognitive abilities and the pervasive capacity to reach distant clouds, in order to catch special events, check security alerts, make intelligent decisions, etc.
Source: M. Satyanarayanan, et al., "The Case for VM-Based Cloudlets in Mobile Computing", IEEE Pervasive Computing, Vol. 8, No. 4, Oct.-Dec. 2009
Fast VM synthesis makes it possible to build a VM overlay for transient cloudlets that is customized to bind distant cloud resources to the user's needs. Trust and security issues are major factors in cloudlet deployment.
Mobile Cloud Offloading Environment
Source: Y. Shi, S. Abhilash and K. Hwang, "Cloudlet Mesh for Securing Mobile Clouds: Security Infrastructure and Protocols", IEEE Int'l Conf. Mobile Cloud Computing, March 2015 (submitted in Nov. 2014)
Figure: mobile devices attach to a cloudlet mesh (several cooperating cloudlets); the mesh reaches the remote clouds over the Internet.
Some Design Considerations by Satyanarayanan, et al. (2009):

• Two approaches for cloudlets:
  - VM migration (~8 GB)
  - Dynamic VM synthesis (100~200 MB)
• Performance is determined by local resources:
  - Bandwidth
  - Compute power

For 100 Mbps links:
• The VM overlay is 100~200 MB
• Synthesizing a VM takes around 60~90 s

Other new wireless technologies:
• 802.11n: 300~600 Mbps
• UWB: 100~480 Mbps
• 60-GHz radio: 1~5 Gbps
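The dynamic VM synthesis idea above (ship a small overlay instead of a whole VM, rebuild on the cloudlet) is easy to misread as a pure bandwidth trick; the trust problem is that the cloudlet must rebuild exactly the image the device intended, from the base image the overlay was cut against. The following is an added toy model written for this page, not code from Satyanarayanan et al. or the USC cloudlet mesh: the block size, the JSON overlay layout, the HMAC tag, the pre-shared key and all function names are assumptions of the example.

```python
"""Toy model of dynamic VM synthesis on a cloudlet, with integrity checks.

The cloudlet already holds a well-known base VM image.  The mobile device
ships only an overlay (the blocks of its customized "launch" image that
differ from the base) plus an authentication tag, and the cloudlet rebuilds
the launch image.  Block size, the JSON overlay layout, the HMAC tag and the
function names are assumptions of this added example, not the cited work's
implementation.
"""
import hashlib
import hmac
import json

BLOCK = 64  # bytes per block for the toy; real images diff at page size


def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def make_overlay(base: bytes, launch: bytes, key: bytes) -> dict:
    """Overlay = blocks of `launch` that differ from `base`, bound to the
    base image by its SHA-256 and authenticated as a whole with an HMAC so a
    rogue cloudlet or someone on the Wi-Fi hop cannot alter it unnoticed."""
    base_blocks = _blocks(base)
    delta = {}
    for i, blk in enumerate(_blocks(launch)):
        ref = base_blocks[i] if i < len(base_blocks) else b""
        if blk != ref:
            delta[str(i)] = blk.hex()  # string keys survive a JSON round trip
    body = {"base_sha256": hashlib.sha256(base).hexdigest(),
            "launch_len": len(launch), "delta": delta}
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, raw, hashlib.sha256).hexdigest()}


def synthesize(base: bytes, overlay: dict, key: bytes) -> bytes:
    """Rebuild the launch image on the cloudlet.  Refuses a tampered overlay
    and an overlay generated against a different base image."""
    body = overlay["body"]
    raw = json.dumps(body, sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, raw, hashlib.sha256).hexdigest(),
                               overlay["tag"]):
        raise ValueError("overlay authentication failed")
    if hashlib.sha256(base).hexdigest() != body["base_sha256"]:
        raise ValueError("overlay does not match this cloudlet's base image")
    n = body["launch_len"]
    image = bytearray(base[:n].ljust(n, b"\0"))  # trim or zero-extend the base
    for idx, hexblock in body["delta"].items():
        blk = bytes.fromhex(hexblock)
        off = int(idx) * BLOCK
        image[off:off + len(blk)] = blk
    return bytes(image)


def accepts(base: bytes, overlay: dict, key: bytes) -> bool:
    """True when the cloudlet would accept and synthesize this overlay."""
    try:
        synthesize(base, overlay, key)
        return True
    except ValueError:
        return False


def overlay_bytes(overlay: dict) -> int:
    """Payload the device actually has to upload (delta blocks only)."""
    return sum(len(h) // 2 for h in overlay["body"]["delta"].values())


def transfer_seconds(nbytes: int, mbps: float) -> float:
    """Upload time for `nbytes` over a `mbps` megabit/s link (no overhead)."""
    return nbytes * 8 / (mbps * 1_000_000)


if __name__ == "__main__":
    key = b"shared-device-cloudlet-key"          # assumed pre-provisioned
    base = bytes(range(256)) * 8                 # constructed 2 KiB "image"
    launch = bytearray(base)
    launch[100:110] = b"customised"              # touches block 1
    launch[1500:1504] = b"cfg!"                  # touches block 23
    launch += b"extra-data"                      # new partial block 32
    ov = make_overlay(base, bytes(launch), key)
    assert synthesize(base, ov, key) == bytes(launch)
    print("overlay blocks:", sorted(ov["body"]["delta"]), "bytes:", overlay_bytes(ov))
    print("150 MB overlay at 100 Mbps: %.1f s" % transfer_seconds(150_000_000, 100))
```

Two design points carry over to a real deployment: the overlay is bound to the base image by hash, so a cloudlet whose base has drifted (or been backdoored) cannot silently produce a different launch image, and the tag covers the whole overlay, so the 100~200 MB payload cannot be patched in transit. The `transfer_seconds` figure is raw link time only; the 60~90 s quoted above also includes decompression and the synthesis itself.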
Mobility Support and Security Measures for Mobile Cloud Computing
Security Protocols Developed at USC for Mobile Cloud Computing
Collective Intrusion Detection Results by Multiple Cloudlets in the Mesh
Cloud Service Models and Their Security Demands
Source: K. Hwang and D. Li, “ Trusted Cloud Computing with Secure Resources and Data Coloring”, IEEE Internet Computing, Vol.14, Sept. 2010.
A DHT-based Trust Overlay Network for Developing Reputation Systems to Secure Cloud Resources over Datacenters
Sources: (1) M. Cai, K. Hwang, Y. K. Kwok, S. Song, and Y. Chen, "Collaborative Internet Worm Containment", IEEE Security and Privacy, May/June 2005, pp. 25-33. (2) Y. Chen, K. Hwang, and W. S. Ku, "Collaborative Detection of DDoS Attacks over Multiple Network Domains", IEEE Trans. on Parallel and Distributed Systems, Dec. 2007.
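The trust overlay slide only names the building blocks (local feedback, a DHT to place scores, global reputation aggregation). The example below, added for this page and not the PowerTrust or fuzzy-aggregation code from the cited papers, shows the minimal version of that pipeline: ratings are normalized into local trust, folded into one global vector by iterated weighted averaging with a damping term and a set of bootstrap peers, and each peer's score is assigned to an overlay node by consistent hashing. The sample ratings, the damping factor, the bootstrap ("pre-trusted") peers and the function names are assumptions of the example.

```python
"""Reputation aggregation over a DHT-style trust overlay (illustrative).

Peers rate the peers they transacted with; ratings are normalized into
local trust scores and folded into one global reputation vector by
repeated weighted averaging (an eigenvector-style aggregation in the
spirit of the reputation work cited above, not its exact algorithm).  A
consistent-hash ring decides which overlay node stores each peer's global
score.  The function names, sample ratings, damping factor and bootstrap
("pre-trusted") peers are assumptions of this added example.
"""
import hashlib


def local_trust(ratings: dict) -> dict:
    """{rater: {ratee: score in [0,1]}} -> per-rater weights summing to 1.
    Zero or negative feedback contributes nothing; a rater with no positive
    feedback gets an empty row, which aggregate() treats as 'no opinion'."""
    out = {}
    for rater, row in ratings.items():
        total = sum(max(s, 0.0) for s in row.values())
        out[rater] = ({p: max(s, 0.0) / total for p, s in row.items()}
                      if total > 0 else {})
    return out


def aggregate(ratings: dict, pre_trusted=(), damping=0.15, iters=50) -> dict:
    """Global reputation r, iterated to a fixed point of
        r' = (1 - d) * C^T r + d * p
    where C is the local-trust matrix and p the bootstrap distribution.
    Peers that no trusted rater vouches for receive no weight at all."""
    peers = sorted(set(ratings) | {p for row in ratings.values() for p in row})
    c = local_trust(ratings)
    if pre_trusted:
        p = {x: (1.0 / len(pre_trusted) if x in pre_trusted else 0.0) for x in peers}
    else:
        p = {x: 1.0 / len(peers) for x in peers}
    r = dict(p)
    for _ in range(iters):
        nxt = {x: 0.0 for x in peers}
        for rater in peers:
            row = c.get(rater, {})
            if not row:                        # no opinion: follow the bootstrap vector
                for x in peers:
                    nxt[x] += r[rater] * p[x]
            else:
                for ratee, w in row.items():
                    nxt[ratee] += r[rater] * w
        r = {x: (1 - damping) * nxt[x] + damping * p[x] for x in peers}
    return r


def responsible_node(peer: str, overlay_nodes: list) -> str:
    """Consistent hashing: the peer's score lives on the first overlay node
    whose hash is at or after the peer's hash on the ring (wrapping around)."""
    ring = sorted((int(hashlib.sha1(n.encode()).hexdigest(), 16), n)
                  for n in overlay_nodes)
    key = int(hashlib.sha1(peer.encode()).hexdigest(), 16)
    for h, node in ring:
        if key <= h:
            return node
    return ring[0][1]


def sample_ratings() -> dict:
    """Constructed feedback: A, B, C trade honestly; M1 and M2 only vouch
    for each other (a collusion clique) and get zero from honest peers."""
    return {
        "A": {"B": 1.0, "C": 0.9, "M1": 0.0},
        "B": {"A": 1.0, "C": 1.0, "M2": 0.0},
        "C": {"A": 0.8, "B": 1.0},
        "M1": {"M2": 1.0},
        "M2": {"M1": 1.0},
    }


if __name__ == "__main__":
    rep = aggregate(sample_ratings(), pre_trusted=("A",))
    for peer, score in sorted(rep.items(), key=lambda kv: -kv[1]):
        print(f"{peer:3s} {score:.3f} stored at {responsible_node(peer, ['n1', 'n2', 'n3'])}")
```

The check a practitioner should make is the colluding pair: with a trusted bootstrap peer their global score stays at zero, but with a uniform bootstrap (no `pre_trusted`) the two-node clique keeps exactly its uniform share, because they keep passing all their weight to each other. Damping alone does not defeat collusion; the choice of trusted seed peers (the "power nodes" of the deck's reputation system) does.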
Cloud and Data Security and
Copyright Protection
Source: S. Song, K. Hwang, R. Zhou, and Y. K. Kwok, "Trusted P2P Transactions with Fuzzy Reputation Aggregation", IEEE Internet Computing, Special Issue on Security for P2P and Ad Hoc Networks, Vol. 9, Nov/Dec. 2005.
Data Coloring for Privacy Protection on The Cloud
Source: K. Hwang and D. Li, “ Trusted Cloud Computing with Secure Resources and Data Coloring”, IEEE Internet Computing, Vol.14, Sept. 2010.
Hybrid IDS (HIDS) for Automated Intrusion Response Generation
Source: K. Hwang, M. Cai, Y. Chen, and M. Qin, "Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes", IEEE Trans. on Dependable and Secure Computing, Vol. 4, No. 1, Jan-March 2007.
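The hybrid IDS slide above and the earlier "collective intrusion detection by multiple cloudlets in the mesh" slide describe two stages of one pipeline: per cloudlet, signature matching for known attacks, anomaly detection for the rest, and signature generation from recurring anomalous episodes; across the mesh, a collective decision on which alerts to act on. The example below is added for this page and is not the cited paper's algorithm or the USC cloudlet mesh code: the episode format, the rate-based anomaly score, the thresholds, the weighting rules, the reputation-weighted quorum, the sample traffic and the function names are all assumptions of the example.

```python
"""Hybrid intrusion detection on one cloudlet plus collective confirmation
across the cloudlet mesh (illustrative).

Per cloudlet: episodes that match a known signature are reported as misuse;
the remaining episodes go through a rate-based anomaly detector; a recurring
anomalous pattern is turned into a new weighted signature that can be shared
with the mesh.  Mesh level: an alert is confirmed only when the reputation-
weighted vote of the reporting cloudlets reaches a quorum.  The episode
format, thresholds, weighting rules, sample data and function names are
assumptions of this added example, not the cited papers' algorithms.
"""
from collections import Counter, defaultdict

# Signature library: name -> (predicate over one episode, weight in (0, 1]).
SIGNATURES = {
    "smb_probe": (lambda ep: ep["dst_port"] == 445 and ep["bytes"] < 100, 1.0),
}


def signature_matches(ep: dict, signatures=SIGNATURES) -> list:
    """Misuse detection: every (name, weight) whose predicate fires."""
    return [(name, w) for name, (pred, w) in signatures.items() if pred(ep)]


def anomaly_scores(episodes: list, baseline_per_src: float) -> dict:
    """Anomaly detection: episodes per source relative to the normal rate."""
    counts = Counter(ep["src"] for ep in episodes)
    return {src: n / baseline_per_src for src, n in counts.items()}


def detect(episodes: list, baseline_per_src: float, threshold=3.0,
           signatures=SIGNATURES) -> dict:
    """Hybrid pass for one cloudlet.  Signature hits are kept out of the
    anomaly stage so known attacks do not inflate the per-source counts."""
    by_sig, rest = defaultdict(list), []
    for ep in episodes:
        hits = signature_matches(ep, signatures)
        if hits:
            by_sig[ep["src"]].extend(hits)
        else:
            rest.append(ep)
    scores = anomaly_scores(rest, baseline_per_src)
    return {"signature": dict(by_sig),
            "anomaly": {s: sc for s, sc in scores.items() if sc >= threshold}}


def generate_signature(episodes: list, anomalous_srcs: set, min_support=3) -> dict:
    """Weighted signature generation from an anomalous episode cluster: the
    (dst_port, bytes-bucket) pair that recurs at least `min_support` times,
    weighted by the fraction of anomalous episodes it explains."""
    anomalous = [ep for ep in episodes if ep["src"] in anomalous_srcs]
    if not anomalous:
        return {}
    (port, bucket), support = Counter(
        (ep["dst_port"], ep["bytes"] // 100) for ep in anomalous).most_common(1)[0]
    if support < min_support:
        return {}
    name = f"gen_port{port}_b{bucket}"
    pred = lambda ep, p=port, b=bucket: ep["dst_port"] == p and ep["bytes"] // 100 == b
    return {name: (pred, support / len(anomalous))}


def mesh_confirm(reports: dict, cloudlet_weight: dict, quorum=0.5) -> set:
    """Collective decision: reports = {cloudlet: {src: alert_weight}}.  A source
    is confirmed when sum(reputation * alert_weight) over reporting cloudlets,
    divided by the total reputation in the mesh, reaches the quorum."""
    total = sum(cloudlet_weight.values())
    tally = defaultdict(float)
    for cloudlet, alerts in reports.items():
        for src, w in alerts.items():
            tally[src] += cloudlet_weight[cloudlet] * w
    return {src for src, t in tally.items() if t / total >= quorum}


def sample_episodes() -> list:
    """Constructed traffic summary for one cloudlet (src, dst_port, bytes)."""
    eps = [{"src": f"10.0.0.{i}", "dst_port": 443, "bytes": 1500}
           for i in (1, 2, 3, 4) for _ in range(2)]                 # normal clients
    eps.append({"src": "10.0.0.7", "dst_port": 445, "bytes": 60})   # known probe
    eps += [{"src": "10.0.0.9", "dst_port": 8080, "bytes": 50}
            for _ in range(12)]                                      # unknown flood
    return eps


if __name__ == "__main__":
    eps = sample_episodes()
    local = detect(eps, baseline_per_src=2.0)
    print("signature hits:", local["signature"], "anomalies:", local["anomaly"])
    print("generated:", list(generate_signature(eps, set(local["anomaly"]))))
    print("confirmed:", mesh_confirm({"c1": {"10.0.0.9": 1.0},
                                      "c2": {"10.0.0.9": 0.6, "10.0.0.3": 1.0},
                                      "c3": {}}, {"c1": 1, "c2": 1, "c3": 1}))
```

The ordering matters: running the signature stage first keeps a known probe out of the per-source baseline, and the generated signature carries a weight (the share of the anomalous cluster it explains) rather than being treated as certain. At mesh level the quorum is over total cloudlet reputation, so a single compromised or misconfigured cloudlet reporting alone cannot push an alert through; the weights it consumes would in practice come from the reputation system of the trust overlay slide.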
CSA Top 10 Data Security and Privacy Challenges
1. Secure computations
2. Secure non-relational datastores
3. Secure data storage and logs
4. End-point input validation/filtering
5. Real time security monitoring
6. Privacy- preserving data mining and analytics
7. Cryptographic access control
8. Granular access control
9. Granular audits
10. Data provenance
Prof. Kai Hwang, USC, May 28, 2014
BYOD (Bring Your Own Device) vs. BYOC (Bring Your Own Cloud): BYOC Demands More Security Enforcement

• BYOD has already posed an increased risk to many business organizations. With BYOC, employees are installing public cloud services such as Dropbox and iCloud on their corporate desktops and mobile devices.
• BYOC introduces additional security threats to organizations by blurring the boundaries between personal data and business-confidential data. This forces organizations to demand more control over their security policy for access to, and distribution of, corporate information.
MapReduce Filtering Results of Spam Detection in Twitter Blogs over the Amazon EC2 Cloud
Source: Y. Shi, S. Abhilash and K. Hwang, "Cloudlet Mesh for Securing Mobile Clouds: Security Architecture and Protocols", IEEE Int'l Conf. Mobile Cloud Computing, March 2015
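The slide above reports results of a MapReduce spam filter over Twitter data but shows only the outcome. The example below, added for this page and not the classifier or data from the cited paper, shows the shape of such a job in plain Python so it runs offline: a mapper scores each message and emits (key, value) pairs, a shuffle groups them by key, and reducers sum the counts and collect the spam message ids. The sample tweets, the feature rules, the score weights and the threshold are constructed for this example.

```python
"""MapReduce-style spam filtering of short messages (illustrative).

Mappers emit (key, value) pairs per message, the shuffle groups them by
key, and reducers sum counts or collect ids.  The flow mirrors a Hadoop
job; the tweet samples, feature rules and score weights are constructed
for this added example and are not the cited paper's data or classifier.
"""
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://\S+")
HASHTAG_RE = re.compile(r"#\w+")
SPAM_WORDS_RE = re.compile(r"\b(free|win|click|cash|prize)\b", re.IGNORECASE)


def spam_score(text: str) -> int:
    """Hand-set heuristic score; each rule is one observable spam trait."""
    score = 2 * min(len(URL_RE.findall(text)), 2)   # cap so one tweet cannot dominate
    if len(HASHTAG_RE.findall(text)) > 3:            # hashtag stuffing
        score += 1
    if SPAM_WORDS_RE.search(text):                   # lure vocabulary
        score += 2
    letters = [c for c in text if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) > 0.5:
        score += 1                                   # shouting
    return score


def mapper(tweet: dict, threshold: int = 3):
    """Map: one tweet in, several (key, value) pairs out."""
    text = tweet["text"]
    verdict = "spam" if spam_score(text) >= threshold else "ham"
    yield (f"verdict:{verdict}", 1)
    yield ("feature:urls", len(URL_RE.findall(text)))
    if verdict == "spam":
        yield (f"spam_user:{tweet['user']}", 1)      # who is sending the spam
        yield ("spam_ids", tweet["id"])              # which messages to drop


def shuffle(pairs) -> dict:
    """Group values by key, as the framework does between map and reduce."""
    groups = defaultdict(list)
    for key, value in pairs:
        groups[key].append(value)
    return groups


def reducer(key: str, values: list):
    """Reduce: ids are collected, everything else is a count."""
    if key == "spam_ids":
        return sorted(values)
    return sum(values)


def run_job(tweets: list, threshold: int = 3) -> dict:
    """Whole job: map every tweet, shuffle, reduce each key group."""
    pairs = (pair for t in tweets for pair in mapper(t, threshold))
    return {key: reducer(key, values) for key, values in shuffle(pairs).items()}


def sample_tweets() -> list:
    """Constructed input; not real Twitter data."""
    return [
        {"id": 1, "user": "alice", "text": "Good morning everyone, coffee time"},
        {"id": 2, "user": "promo_bot",
         "text": "FREE iPhone!!! Click http://x.example/win NOW #free #win #prize #giveaway"},
        {"id": 3, "user": "bob",
         "text": "Reading the new paper on cloudlets http://example.org/paper"},
        {"id": 4, "user": "promo_bot", "text": "Win cash now, click here http://y.example/cash"},
    ]


if __name__ == "__main__":
    for key, value in sorted(run_job(sample_tweets()).items()):
        print(f"{key:22s} {value}")
```

Because every mapper call sees one tweet only, the job partitions trivially across EC2 instances; the only cross-message state is assembled in the reducers. A link alone (tweet 3) is not enough to be flagged under these weights, which is the usual trade-off: raising recall on the lure-plus-link pattern without dropping every message that cites a paper.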
Architecture of The Internet of Things

Figure (three-layer architecture):
- Application layer: cloud computing platform supporting merchandise tracking, environment protection, intelligent search, tele-medicine, intelligent traffic, and smart home
- Network layer: mobile telecom network, the Internet, information network
- Sensing layer: RFID and RFID labels, sensor networks and sensor nodes, GPS and road mapper
Source: K. Hwang, G. Fox, and J. Dongarra, Distributed and Cloud Computing: from Parallel Processing to The Internet of Things, Morgan Kaufmann Publisher, Oct. 2011
Cloud Support of the Internet of Things and Social Network Applications

1. Smart and pervasive cloud applications for individuals, homes, communities, companies, governments, etc.
2. Coordinated calendar, itinerary, job management, events, and customer relationship management (CRM) services
3. Coordinated word processing, on-line presentations, web-based desktops, sharing of on-line documents, datasets, photos, video, and databases, content distribution, etc.
4. Deployment of conventional cluster, grid, P2P, and social networking applications in cloud environments, more cost-effectively
5. Earthbound applications that demand elasticity and parallelism to avoid large data movement and reduce storage costs
Concluding Remarks:
• Mobile cloud security and big data privacy face a trust dilemma with the general public. Without security assurance, most users will be reluctant to accept clouds, P2P, social networks, and IoT apps in the future.
• Because of the economies of scale, cloud providers must have dedicated teams of security professionals or specialists. Cloud datacenters must have protection on a par with military standards.
• SMACT technologies (Social, Mobile, Analytics, Clouds, and IoT) are changing our world, reshaping human relations, promoting the global economy, and even triggering some societal and political reforms in different regions of the world, like it or not.
Contact: [email protected]