Supporting Technologies of IoT

Outline

  • Cloud Computing
  • Security issues

6.1 Cloud Computing

  • Evolution of network computing models
    ① Network Computing
    ② Cluster Computing
    ③ Grid Computing
    ④ Utility Computing
    ⑤ Cloud Computing
  • Key points of cloud computing
    ① Shared pool of configurable computing resources
    ② On-demand network access
    ③ Provisioned by the service provider
    ④ Hides the underlying complexity
    ⑤ Available anywhere, anytime and any place
    ⑥ Pay for use
    ⑦ Hardware and software services
  • Pros and cons of Cloud Computing
    Pros:
    ① Easy to conceptualize
    ② Easy to deploy (servers)
    ③ Easy to back up
    ④ Any application/service can be run from this type of setup (high compatibility)
    Cons:
    ① Expensive to acquire and maintain hardware
    ② Not very scalable
    ③ Difficult to replicate
    ④ Vulnerable to hardware outages

Virtual Server

  • Concepts
    ① Virtual servers seek to encapsulate the server software away from the hardware.
    ② A virtual server can be serviced by one or more hosts, and one host may house more than one virtual server.
    ③ If the environment is built correctly, virtual servers will not be affected by the loss of a host.
    ④ Can be scaled out easily.
  • Advantages
    ① Run operating systems where the physical hardware is unavailable
    ② Easier to create new machines, backup machines, etc.
    ③ Software testing using "clean" installs of operating systems and software
    ④ Emulate more machines than are physically available
    ⑤ Timeshare lightly loaded systems on one host
    ⑥ Debug problems (suspend and resume the problem machine)
    ⑦ Easy migration of virtual machines
    ⑧ Run legacy systems!
  • Pros and cons of virtualization
    Pros:
    ① Resource pooling
    ② Highly redundant
    ③ Highly available
    ④ Rapidly deploy new servers
    ⑤ Easy to deploy
    ⑥ Reconfigurable while services are running
    ⑦ Optimizes physical resources by doing more with less
    Cons:
    ① Harder to conceptualize
    ② More costly

Layers of Cloud Service

Layers, from client to server, with the service model and function of each:
  • Client
  • Application (SaaS): builds and maintains applications for the customer
  • Platform (PaaS): provides the customer with a platform and APIs
  • Infrastructure (IaaS): provides the customer with hardware resources
  • Server

  • SaaS
    The customer uses the provider's applications running on the provider's cloud infrastructure.

  • PaaS
    The customer can create custom applications using programming tools supported by the provider and deploy them onto the provider's cloud infrastructure.

  • IaaS
    The provider provisions computing resources within its infrastructure, upon which customers can deploy and run arbitrary software, including OS and applications.

  • Well-known cloud service providers
    ① Google Cloud
    ② VMware Cloud
    ③ IBM-Google Cloud
    ④ Salesforce Cloud

  • Focus on the examples (see the PPT)

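Hadoop

Users can develop distributed programs without understanding the underlying details of the distributed system, making full use of the cluster's power for high-speed computation and storage.

Framework components and their functions:
  • Hadoop Distributed File System (HDFS): provides storage
  • MapReduce: provides processing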

6.2 Security Issue

Computer Security

Protecting the integrity, availability and confidentiality of information system resources.

CIA Triad

Key objectives: the CIA triad plus Authenticity and Accountability.

  • Confidentiality: concealment of information or resources
    ① Data confidentiality
    ② Privacy
  • Integrity: trustworthiness of data or resources
    ① Data integrity
    ② System integrity
  • Availability: service not denied to authorized users
    ① Ability to use information or resources
  • Authenticity: being genuine, able to be verified and trusted
    ① Verifying the users
  • Accountability: actions of an entity can be traced uniquely to that entity

Computer Security Challenges

  1. not simple
  2. must consider potential attacks
  3. procedures used are counter-intuitive
  4. involve algorithms and secret info
  5. must decide where to deploy mechanisms
  6. battle of wits between attacker/administrator
  7. not perceived to be a benefit until it fails
  8. requires regular monitoring
  9. also regarded as an impediment to efficient and user-friendly use of the system
  10. often an afterthought

OSI Security Architecture

The OSI security architecture focuses on security attacks, mechanisms and services.

  • Cryptography goals
    ① Confidentiality
    ② Data integrity
    ③ Entity authentication
    ④ Non-repudiation
Concepts to memorize
  • Security Attack: Any action (active or passive) that compromises the security of information.
  • Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.
  • Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.
  • Threat: A potential for violation of security, or a possible danger that might exploit a vulnerability.
  • Attack: An intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system.
  • Fill in the blanks
    A safeguard is a countermeasure to protect against a threat.
    A weakness in a safeguard is called a vulnerability.
    Damage to any IT-based system or activity can result in severe disruption of services and losses.
Security Attacks
  • Interruption: This is an attack on availability
  • Interception: This is an attack on confidentiality
  • Modification: This is an attack on integrity
  • Fabrication: This is an attack on authenticity
Security Threats
  • Disclosure: unauthorized access to information
  • Deception: acceptance of false data
  • Disruption: interruption or prevention of correct operation
  • Usurpation: unauthorized control of some part of a system
Passive and Active Attacks
  • Passive: attempts to learn or make use of information from the system, but does not affect system resources.
  • Active: attempts to alter system resources or affect their operation.

Security Services

  • enhance security of data processing systems and information transfers of an organization
  • intended to counter security attacks
  • use one or more security mechanisms
  • often replicate functions normally associated with physical documents, which, for example, have signatures and dates; need protection from disclosure, tampering, or destruction; are notarized or witnessed
Security Services Examples
  • Authentication (who created or sent the data)
  • Access control (prevent misuse of resources)
  • Confidentiality (privacy)
  • Integrity (has not been altered)
  • Non-repudiation (the order is final)
  • Availability (permanence, non-erasure)

Security Mechanism

  • feature designed to detect, prevent, or recover from a security attack
  • no single mechanism will support all services required
  • however, one particular element underlies many of the security mechanisms in use: cryptographic techniques
Security Mechanism Examples
  • Specific mechanisms, which exist to provide certain security services
    ① encryption used for authentication
    ② digital signatures
    ③ access controls
    ④ data integrity
    ⑤ authentication exchange
    ⑥ traffic padding
    ⑦ routing control
    ⑧ notarization
  • Pervasive mechanisms, which are general mechanisms incorporated into the system and not specific to a service
    ① security audit trail
    ② trusted functionality
    ③ security labels
    ④ event detection
    ⑤ security recovery
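
To tie the attack classes to one specific mechanism, the following added example (not part of the original notes) applies a data-integrity mechanism, an HMAC-SHA256 tag, to a sensor reading and checks which attacks it counters. The sensor name, reading and frame layout are constructed for illustration; the results show that this one mechanism detects Modification and Fabrication but provides neither confidentiality nor non-repudiation.

```python
import hashlib
import hmac
import json
import secrets

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes

def protect(key: bytes, reading: dict) -> bytes:
    """Sender: serialize the reading and append an HMAC-SHA256 tag."""
    body = json.dumps(reading, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

def verify(key: bytes, frame: bytes):
    """Receiver: return the reading if the tag is valid, otherwise None."""
    if len(frame) <= TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(body)

def demo() -> dict:
    key = secrets.token_bytes(32)  # secret shared by sensor and gateway
    reading = {"sensor": "s-01", "temp_c": 21.5}  # constructed sample data
    frame = protect(key, reading)
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    # Modification (attack on integrity): the value is altered in transit.
    modified = body.replace(b"21.5", b"99.5") + tag
    # Fabrication (attack on authenticity): a frame forged without the key.
    forged = protect(secrets.token_bytes(32), {"sensor": "s-01", "temp_c": 0.0})
    # The gateway holds the same key, so it can mint valid frames itself.
    minted = protect(key, {"sensor": "s-01", "temp_c": 5.0})
    return {
        "genuine_accepted": verify(key, frame) == reading,
        "modification_detected": verify(key, modified) is None,
        "fabrication_detected": verify(key, forged) is None,
        # Interception (attack on confidentiality): the body is plaintext,
        # so the MAC alone does not provide the confidentiality service.
        "interception_prevented": b"21.5" not in body,
        # A valid tag cannot prove which key holder sent the frame,
        # so this mechanism gives no non-repudiation.
        "non_repudiation": verify(key, minted) is None,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```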

Two Types of Program Threats

  • Information access threats:
    Intercept or modify data on behalf of users who should not have access to that data.
    E.g. corruption of data by injecting malicious code
  • Service threats:
    Exploit service flaws in computers to inhibit use by legitimate users.
    Viruses and worms are examples of software attacks

Public-Key Cryptosystems

Categories of use:
  • Encryption/decryption
  • Digital signature
  • Key exchange

Advantages of Symmetric key

  • It can be designed for high rates of data throughput, possibly using hardware implementations
  • Key lengths are relatively short
  • Can be used to produce stronger ciphers

Disadvantages of Symmetric key

  • Key must remain secret at both ends
  • In a large network, there are many key pairs to be managed. Effective key management requires use of an unconditionally trusted third party.
  • Digital signature schemes using private-key cryptography require large keys.

Advantages of Public key cryptography

  • Only the private key needs to be kept secret
  • The administration of keys requires only a functionally trusted TTP (trusted third party).
  • A private/public key pair may remain unchanged for a long time.
  • Gives relatively efficient digital signature schemes

Disadvantages of public key cryptography

  • Several orders of magnitude slower
  • Key sizes are larger.
  • No public-key cryptosystem has been proven to be secure.