COPYRIGHT © 2012 ALCATEL-LUCENT. ALL RIGHTS RESERVED. ALCATEL-LUCENT CONFIDENTIAL SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW PROPRIETARY USE PURSUANT.


END-TO-END PRIVACY POLICY ENFORCEMENT IN CLOUD INFRASTRUCTURE
S. Betgé-Brezetz, M.P. Dupont, G.B. Kamga, A. Guesmi
Alcatel-Lucent Bell Labs, France
IEEE CloudNet, San Francisco, November 11th, 2013

PRIVACY & DATA PROTECTION IN THE CLOUD
BUSINESS & REGULATION CONTEXT (1/2)
- Enterprises are moving their data & applications to the cloud (even for a time-bound project)
  - Various data sensitivities (e.g. HR, eHealth data), applications (e.g. business, communication) and policies (regulation, enterprise, end-user)
- Key issue: end-to-end protection of sensitive data stored, processed and moving in the cloud
- Traditional Enterprise IT (on-premise based): applications, data and policy
  - I know where my data are.
  - Data, apps & policy are controlled by my IT staff.
  - I control the access to my data.
- Cloud-based Enterprise IT (incl. private & public cloud): applications, data and policy
  - Where are my data located?
  - Who has accessed my data? From where? How many times?
  - How many copies of a given piece of data exist in the cloud?
- Keep privacy & confidentiality of the sensitive data in the cloud all along their lifecycle (creation, processing, transfer, deletion)

PRIVACY & DATA PROTECTION IN THE CLOUD
BUSINESS & REGULATION CONTEXT (2/2)
- The Enterprise (as a Cloud User) is responsible for the right application of the privacy/data protection policies on its customer data (e.g., see* for the European regulation context)
- The Cloud Service Provider (CSP) has to provide adequate protection features so that the Cloud User (CU) can appropriately set the privacy policies for each piece of sensitive data
- These privacy settings have to be specified in the SLA agreed between the CU and the CSP
- The CSP has to enforce the SLA and provide evidence of the SLA fulfillment
- Data protection: a mandatory requirement for the CSP
[Figure labels: Cloud User (Data Controller); Cloud Service Provider (Data Processor); Data; Applicable policies; Privacy-related metadata; Cloud privacy settings; SLA; Compliance Analysis; Cloud Management (e.g., Orchestration, Monitoring); Cloud Infrastructure (Computing node, Storage, Network)]
* Article 29 Data Protection Working Party, Opinion 05/2012 on cloud computing, WP 196, Brussels, July 2012

PRIVACY & DATA PROTECTION IN THE CLOUD
KEY REQUIREMENTS
- Data storage
  - Data location
  - Data access control per application/per user
  - Data retention and deletion
  - Data usage tracing
  - Data breach notification
  - etc.
- Data processing (in Virtual Machines)
  - VM location and co-location constraints
  - VM isolation
  - VM security level
  - etc.
- This Data Protection should be handled end-to-end (from the Cloud User through all the cloud nodes/VMs of the CSP)

PRIVACY & DATA PROTECTION IN THE CLOUD
RELATED WORK
- Data obfuscation before sending to the cloud
  - Prevent the CSP from accessing the plain data: Encryption [Diallo 2012, HekaFS], Data Shredding [Rabin 1989]
  - Enable some processing on encrypted data: Homomorphic encryption [Gentry 2009]
  - Adapted for storage service, but not for benefiting from the cloud computation capabilities
  - Not flexible access control
- Privacy policy enforcement
  - Sticky policy approaches:
    - Using consent & revocation module [Casassa 2012]
    - Scalable authorization infrastructure with conflict resolution capabilities [Chadwick 2012]
  - Proprietary solution: Rights Management System (RMS) [Microsoft]
  - Infrastructure-related constraints not enforced
  - Not transparent to the application (application upgrade or applicative plug-in needed)

PRIVACY & DATA PROTECTION IN THE CLOUD
OUR APPROACH: END-TO-END DATA PROTECTION
- End-to-end policy enforcement from the client device to the cloud infrastructure
- Controls are governed by the data itself (PDE: sticky policy based approach)
- In-depth and fine-grained access control within the cloud (based on user ID and location, data location, action purpose, etc.) and transparent to the applications
- Overall data access tracking in order to build a comprehensive data usage dashboard
[Figure labels: Customer Site; Cloud User Applications; Client Data Protection Module; Data; Policy; Data usage history; Cloud Provider Services; Cloud Infrastructure Level Data Protection Module]
[Figure: PDE (Privacy Data Envelope) = plain text data + privacy policies + encryption]

PRIVACY & DATA PROTECTION IN THE CLOUD
IMPLEMENTATION: FILE DATA PROTECTION MODULE
Illustration in the case of a VM file system: File Data Protection Module (FDPM)
- Uses FUSE* (Linux standard) to intercept all file system calls made on the files stored in a protected directory (/protected_dir)
- Enforces the privacy policies for each action done on a protected file
- Replaces the POSIX ACL (e.g., ugo+rw) by the policy attached to the file
[Figure labels: Customer Device; Client Data Protection Module (CDPM); Cloud Compute Node; Virtual Machine (VM); Linux Ubuntu; User Applications; System Applications; FS requests / responses; /Protected_dir; FUSE Kernel Module; File Data Protection Module (FDPM): FUSE-J based FS Wrapper, Policy Checking, Data Access Manager, Trace Manager, User Context Manager; /Backend_Dir; file.pde]
* File system in user space

PRIVACY & DATA PROTECTION IN THE CLOUD
FDPM PROTOTYPE CHARACTERISTICS
- Virtual Machines
  - Linux Ubuntu
  - Deployed on Cloud Platforms in France and in the US
- File system wrapper
  - FUSE version 2.8
  - FUSE-J (JNI Java/C binding)
- Policy checking
  - Java SunXacml (XACML 2.0)
- Data access management: file & policy hybrid encryption
  - Blowfish (FEK/File Encryption Key, PEK/Policy Encryption Key)
  - GPG (PEK and FEK encryption)

PRIVACY & DATA PROTECTION IN THE CLOUD
SCENARIO (1/7): SETUP
[Figure: test-bed diagram. Client laptop at Nozay-Vx (FR) with the Client Data Protection Module, Policy.xml and MarcDurand.xml. Cloud compute nodes reached over sftp: VM-FR (France; Application_A, Application_B, FDPM), VM-US-1 (US; Application_A, Application_B, FDPM), VM-US-2 (US; Application_A, Application_B, no FDPM), VM-Other (other country; Application_A, Application_B, FDPM). Platform labels: ALU Bell Labs AxP Cloud, Nozay-Vx (FR); ALU CLOUDBAND, Naperville (US); Emulated Other Country.]

PRIVACY & DATA PROTECTION IN THE CLOUD
SCENARIO (2/7): DATA & POLICY
[Figure: test-bed diagram (client laptop, VM-FR, VM-US-1, VM-US-2, VM-Other)]
Data (MarcDurand.xml):
- First Name: Marc
- Name: Durand
- Citizenship: French
- Address: 10 rue de la Paix, Paris, France
- Phone:
- Purchase history & customer profile: …
- Location history & geo-profile: ...
- Call history & social profile: ...
Policy (Policy.xml):
- The profile shall only be stored in a protected VM (i.e., in the protected_dir of a VM equipped with the FDPM).
- The profile shall only be stored in France or in the US.
- This profile shall be accessed/processed by Application_A (e.g., content recommendation application) but not by Application_B (e.g., targeted advertising application).

PRIVACY & DATA PROTECTION IN THE CLOUD
SCENARIO (3/7): PROTECTED FILE GENERATION
[Figure: test-bed diagram (client laptop, VM-FR, VM-US-1, VM-US-2, VM-Other)]
- Generation of the protected file (MarcDurand.pde)

PRIVACY & DATA PROTECTION IN THE CLOUD
SCENARIO (4/7): UPLOAD IN THE CLOUD
[Figure: test-bed diagram (client laptop, VM-FR, VM-US-1, VM-US-2, VM-Other)]
- Transfer of MarcDurand.pde to VM-FR
- VM-FR with the MarcDurand.pde file stored in the directory /protected_dir

PRIVACY & DATA PROTECTION IN THE CLOUD
SCENARIO (5/7): ACCESS FROM APPLI A & B CONTROLLED BY POLICY
[Figure: test-bed diagram (client laptop, VM-FR, VM-US-1, VM-US-2, VM-Other)]
- Appli_A is authorized to read the file MarcDurand.pde
- Appli_B is not authorized to read the file MarcDurand.pde

PRIVACY & DATA PROTECTION IN THE CLOUD
SCENARIO (6/7): FILE TRANSFER CONTROLLED BY POLICY
[Figure: test-bed diagram (client laptop, VM-FR, VM-US-1, VM-US-2, VM-Other)]
- VM-US-1 after authorized sftp transfer of MarcDurand.pde (100% transferred, policy ok)
- VM-US-2 after unauthorized sftp transfer of MarcDurand.pde (0% transferred, policy not ok)
- VM-Other after unauthorized sftp transfer of MarcDurand.pde (0% transferred, policy not ok)

PRIVACY & DATA PROTECTION IN THE CLOUD
SCENARIO (7/7): GENERATED TRACES
[Figure: generated traces, shown on the test-bed diagram (client laptop, VM-FR, VM-US-1, VM-US-2, VM-Other)]
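
The decisions of scenario steps 5 to 7, as an added example that is not part of the original presentation or of the FDPM prototype: a deny-by-default check of the three policy rules, with a trace recorded for every decision. The class and function names, country codes and trace fields are assumptions; the prototype itself evaluates XACML 2.0 policies with SunXacml behind a FUSE wrapper, which this sketch does not reproduce.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class StickyPolicy:
    """Constraints carried with the data (constructed from the scenario text)."""
    allowed_countries: frozenset
    allowed_apps: frozenset
    require_protected_vm: bool = True

@dataclass(frozen=True)
class Node:
    name: str
    country: str     # where the VM runs (hypothetical country codes)
    has_fdpm: bool   # True if the VM exposes a protected directory

@dataclass
class TraceLog:
    entries: list = field(default_factory=list)

    def record(self, action, subject, node, permitted, reason):
        # Permits and denials are both traced, so an audit sees every attempt.
        self.entries.append({"action": action, "subject": subject,
                             "node": node.name, "permitted": permitted,
                             "reason": reason})
        return permitted

def storage_violation(policy, node):
    """Return why `node` may not hold the file, or None if it may."""
    if policy.require_protected_vm and not node.has_fdpm:
        return "destination is not a protected VM"
    if node.country not in policy.allowed_countries:
        return f"country {node.country} not allowed"
    return None

def check_read(policy, app, node, log):
    # The hosting node must itself comply before any application is considered.
    reason = storage_violation(policy, node)
    if reason is None and app not in policy.allowed_apps:
        reason = f"{app} not authorized"
    return log.record("read", app, node, reason is None, reason or "policy ok")

def check_transfer(policy, source, dest, log):
    reason = storage_violation(policy, dest)
    return log.record("transfer", source.name, dest, reason is None,
                      reason or "policy ok")

# Constructed test bed mirroring the scenario slides.
POLICY = StickyPolicy(frozenset({"FR", "US"}), frozenset({"Application_A"}))
VM_FR = Node("VM-FR", "FR", True)
VM_US_1 = Node("VM-US-1", "US", True)
VM_US_2 = Node("VM-US-2", "US", False)      # no FDPM installed
VM_OTHER = Node("VM-Other", "OTHER", True)  # FDPM present, wrong country

def run_scenario():
    log = TraceLog()
    results = {
        "read_A": check_read(POLICY, "Application_A", VM_FR, log),
        "read_B": check_read(POLICY, "Application_B", VM_FR, log),
        "to_US_1": check_transfer(POLICY, VM_FR, VM_US_1, log),
        "to_US_2": check_transfer(POLICY, VM_FR, VM_US_2, log),
        "to_Other": check_transfer(POLICY, VM_FR, VM_OTHER, log),
    }
    return results, log.entries

if __name__ == "__main__":
    outcome, traces = run_scenario()
    for entry in traces:
        print(entry)
```
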

PRIVACY & DATA PROTECTION IN THE CLOUD
PERFORMANCE EVALUATION
- Total computation time = 220 ms (compared to 60 ms for a plaintext file)
[Figure: Computation time split (500 Kb PDE file, file read access control)]
[Figure: Performance of the FDPM modules according to the PDE file size]

CONCLUSION & PERSPECTIVES
Conclusion: end-to-end & in-depth protection of sensitive data
- Support of various types of policies encompassing storage and computing (VM, file system)
- End-to-end monitoring of data, making it possible to build a comprehensive data usage dashboard (enabling security & privacy audits)
- Solution fully transparent for the applications (no need to modify the applications)
Some perspectives
- Use of Secure Elements (e.g. SD card, smart card) embedded in the cloud nodes in order to further enforce security
  - Support of the European SEED4C research project
- Enforce privacy constraints on the network path, notably by relying on SDN technologies
  - E.g., data transferred between VMs should not cross some given unauthorized areas
