SPO-403
Gatekeeping the Cloud
Ullrich Martini
Alex Rovira Calabuig
Giesecke & Devrient GmbH
04/24/09 | Session ID: SPO-403
Giesecke & Devrient

Agenda
The Cloud
Security, Mobility and Standards
Conclusions
Questions and Open discussion
Classic Service
Service user
• Runs specific application SW on the PC
• Data might be stored locally
Service provider
• Runs a background system supporting the user software
• Data might be stored temporarily
• Focus on one specific service (e.g. SMTP/POP3)
Software as a Service
SaaS user
• Runs web client to access SaaS (e.g. Hotmail)
• Data is not stored locally anymore (e.g. switch off POP3 in Hotmail)
• Share, collaborate and store data easily
• Keep their data stored remotely and securely
SaaS provider
• Focus on Software (e.g. Hotmail web interface)
• Data is stored on central locations
• Activities are managed by SaaS provider
• Make sure data is securely stored
• Provision resource on demand
Increase of complexity
SaaS user
• User infrastructure remains the same
• The demand for services increases
• The services become more complex
• Access to the data anytime and anywhere
• Web applications
• Need for security and privacy increases
SaaS provider
• Focus on Software
• Data storage becomes larger
• Activities are managed by SaaS provider
• Make sure data is securely stored
• Up-front cost increasing
• Capacity planning is difficult
New player in the game
SaaS user
• User infrastructure remains the same
• The demand for services increases
• The services become more complex
• Access to the data anytime and anywhere
• Web applications
• Need for security and privacy increases
Large Data Center
• Focus on base services
• Hardware
• Operating systems and firewalls
• Data storage
• Utility Computing
• Service sold to SaaS
SaaS provider
• Focus on Software
• Data storage becomes larger
• No up-front cost
• Resources available on demand
• Elasticity
• Infinite capacity
• Activities are managed by SaaS provider
• Make sure data is securely stored
• Up-front cost increasing
• Capacity planning is difficult
The Cloud (diagram): the data center acts as Cloud Provider; the SaaS provider and the SaaS user are each Cloud Users
Driving Forces
• Can't have all data locally
• Flexibility (user response in real time)
• Elasticity (shifting the risks)
• Efficiency of data management
• Collaboration, Communication and Social Networks
• Conflict between local computing resources and battery lifetime
Assets
• Commercial Information
• Computing resources
• Page views
• Money
• Access rights
• Personal information
• Pay-per-use licensing
• Usability with small mobile devices
• Usability with different devices
• Scale and move services
Consequences
• Outsourcing to a virtual machine which may move from one data center to another
  • Requires two-way authentication
• More data sent through networks
  • Requires encryption
• More commercial transactions
  • Requires non-repudiation
The Cloud (diagram): data center as Cloud Provider, SaaS provider and SaaS user as Cloud Users
• Amount of damage done may increase
• Strong authentication to protect data
• User credentials become essential
• Secure communication
Need to balance Security and Convenience!
The Cloud (diagram): data center as Host Provider, SaaS provider, SaaS user and Mobile employee, connected through a Secure remote access broker
• Best balance for the user:
  • Mobility
  • Security
  • Standards
DEMO

- Security
- Mobility
- Standards
Solution Concept
• Two-factor authentication: token and PIN
• Token comes with software pre-installed
• No installation or administrative rights required
• SaaS provider performs enrolment and creates certificates
• Trust relationships
  • Token issuer can sign security assertions
  • Other SaaS providers can consume security assertions
Token Architecture (diagram): the Token combines Flash Memory (Public area, CDROM area, Encrypted Domain protected by an AES key), a Terminal Controller and a Smart Card (Security Domain, Applets, PKCS#15)

Device Software
Transfer Modes on the Network
• http(s)
• Cellular networks: HSDPA/HSUPA
• WiMAX: not before 2011
Transfer Security on the Network
• SSL
  • Point-to-point security
  • SSL handshake for every SOAP call
• VPN
  • Not application-level
• WS-Security
  • SAML
  • XML Digital Signatures
  • XML Canonicalisation
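The WS-Security items above rest on XML Digital Signatures, and a signature only verifies reliably when issuer and consumer hash the same canonical bytes, which is why XML Canonicalisation sits next to it on the slide. This added example (not from the original slides) shows that reference-digest step with Python's standard-library C14N 2.0 canonicaliser; the assertion and its two serialisations are constructed for illustration, and signing the digest with the issuer's certificate key is left out.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed assertion in two serialisations that parsers treat as
# identical: attribute order, quote style and the empty element's
# self-closing form differ, nothing else does.
ISSUED_FORM = (
    '<Assertion ID="_42" Issuer="token-issuer.example">'
    '<Subject>user@saas.example</Subject>'
    '<Conditions NotOnOrAfter="2009-04-24T12:00:00Z"/>'
    '</Assertion>'
)
RESERIALISED_FORM = (
    "<Assertion Issuer='token-issuer.example' ID='_42'>"
    "<Subject>user@saas.example</Subject>"
    "<Conditions NotOnOrAfter='2009-04-24T12:00:00Z'></Conditions>"
    "</Assertion>"
)


def raw_digest(xml_text: str) -> str:
    """Digest of the bytes as received; any re-serialisation by an
    intermediary (SOAP stack, proxy) changes it and breaks verification."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_digest(xml_text: str) -> str:
    """Digest of the C14N 2.0 form (xml.etree canonicalize, Python 3.8+):
    attributes sorted, quotes normalised, empty elements expanded.
    This is the DigestValue an XML Signature Reference carries."""
    canonical = ET.canonicalize(xml_data=xml_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_digest(xml_text: str, expected_digest: str) -> bool:
    """Consumer side: recompute over the received XML and compare in
    constant time before acting on the assertion's content."""
    return hmac.compare_digest(canonical_digest(xml_text), expected_digest)


if __name__ == "__main__":
    issued = canonical_digest(ISSUED_FORM)
    print("raw digests match:      ", raw_digest(ISSUED_FORM) == raw_digest(RESERIALISED_FORM))
    print("canonical digests match:", verify_digest(RESERIALISED_FORM, issued))
    tampered = RESERIALISED_FORM.replace("_42", "_43")
    print("tampered ID detected:   ", not verify_digest(tampered, issued))
```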
The SaaS provider
• Secure Web server
• Web service (SOAP)
• Web application

The Data Center
Virtual Machine accessible from the mobile client
Conclusions
• We are in the hype of the cloud
• There are strong economic forces behind cloud computing
• Take security into account from the beginning
• Security is not necessarily annoying
• Balance security and convenience
What's your role in the cloud?