Gestion de la sécurité des réseaux à l'aide d'un service innovant de Cloud Based Firewall / Network Security Management Using a Novel Firewall Cloud-Based Service

Guenane, Fouad Amine

13 October 2014

Le Cloud Computing a évolué au cours de la dernière décennie, passant d’un simple service de stockage à des services plus complexes, en proposant le software comme service (SaaS), les plateformes comme service(PaaS) et très récemment la sécurité comme service (SECaaS).Dans notre travail, nous sommes partis de l'idée simple d'utiliser les ressources offertes par le Cloud avec un faible coût financier pour proposer des nouvelles architectures de service de sécurité. La sécurité des environnements virtuels est un sujet majeur pour le déploiement de l’usage du Cloud. Malheureusement, comme ces environnements sont composés d’un ensemble de technologies déjà existantes, utilisées d'une manière nouvelle, de nombreuses solutions sécuritaires ne sont que des solutions traditionnelles reconditionnées à la problématique Cloud et réseaux virtuels. Le travail effectué dans le cadre de cette thèse vient répondre à la limitation de ressources des équipements physiques de sécurité comme les Firewalls et a pour objectif de proposer de nouveaux services de sécurité composés d’architectures de gestion de la sécurité des réseaux dans le Cloud basé sur le modèle Security as a Service, ainsi que des architectures de management de ces services. Nous avons pris l’initiative de proposer une architecture totalement Cloud-Based. Cette dernière, permet à un Cloud provider de proposer un service de Firewalling à ses clients. Celui-ci leur demande de s’abonner à l’offre en leur garantissant le traitement (analyse) d’une capacité de bande-passante de trafic avec des règles de filtrages fonctionnelles et d’autres proposées par l’abonné. Les résultats obtenus ont démontré les aptitudes de nos architectures à gérer et à faire face à des attaques réseaux de type DDoS et à augmenter la capacité d’analyse en distribuant le trafic sur plusieurs pare-feu virtuels. / Cloud computing has evolved over the last decade from a simple storage service for more complex services, offering the software as a service (SaaS) platforms as a service (PaaS) and most recently the security as a service (SECaaS). In our work, we started with the simple idea to use the resources offered by the Cloud with a low financial cost to propose new architectures of security service. The security of virtual environments is a major issue for the deployment of the use of the Cloud. Unfortunately, these environments are composed of a set of already existing technologies used in a new way, many security solutions are only traditional reconditioned solutions to solve the Cloud and virtual networks security issues. The work done in this thesis is a response to the resource limitations of physical security devices such as firewalls and propose new security architectures consist of management of network security in the cloud-based services following Security as a Service model and propose novel architectures for managing these services. We took the initiative to propose a completely Cloud-Based architecture. The latter allows a cloud provider to provide firewalling service to its customers. It asks them to subscribe to the offer by guaranteeing treatment (analysis) with a capacity of bandwidth traffic with functional filtering rules and other proposed by the subscriber. The results demonstrated the ability of our architecture to manage and cope with network DDoS attacks and to increase analytical capacity by distributing traffic over multiple virtual

Security as a Service

Cloud Computing

Sécurité de réseau

DDoS

Firewall

Cloud computing

Security Management

005.8

Securing Cloud Storage Service

Zapolskas, Vytautas

January 2012

Cloud computing brought flexibility, scalability, and capital cost savings to the IT industry. As more companies turn to cloud solutions, securing cloud based services becomes increasingly important, because for many organizations, the final barrier to adopting cloud computing is whether it is sufficiently secure. More users rely on cloud storage as it is mainly because cloud storage is available to be used by multiple devices (e.g. smart phones, tablets, notebooks, etc.) at the same time. These services often offer adequate protection to user's private data. However, there were cases where user's private data was accessible to other users, since this data is stored in a multi-tenant environment. These incidents reduce the trust of cloud storage service providers, hence there is a need to securely migrate data from one cloud storage provider to another. This thesis proposes a design of a service for providing Security as a Service for cloud brokers in a federated cloud. This scheme allows customers to securely migrate from one provider to another. To enable the design of this scheme, possible security and privacy risks of a cloud storage service were analysed and identified. Moreover, in order to successfully protect private data, data protection requirements (for data retention, sanitization, and processing) were analysed. The proposed service scheme utilizes various encryption techniques and also includes identity and key management mechanisms, such as "federated identity management". While our proposed design meets most of the defined security and privacy requirements, it is still unknown how to properly handle data sanitization, to meet data protection requirements, and provide users data recovery capabilities (backups, versioning, etc.). / Cloud computing erbjuder flexibilitet, skalbarhet, och kapital kostnadsbesparingar till IT-industrin. Eftersom fler företag vänder sig till moln lösningar, trygga molntjänster blir allt viktigare, eftersom det för många organisationer, det slutliga hindret att anta cloud computing är om det är tillräckligt säkert. Fler användare förlita sig påmoln lagring som det är främst pågrund moln lagring är tillgängligt att användas av flera enheter (t.ex. smarta telefoner, tabletter, bärbara datorer, etc.) påsamtidigt. Dessa tjänster erbjuder ofta tillräckligt skydd för användarens privata data. Men det fanns fall där användarens privata uppgifter var tillgängliga för andra användare, eftersom denna data lagras i en flera hyresgäster miljö. Dessa händelser minskar förtroende molnleverantörer lagring tjänsteleverantörer, därför finns det ett behov av att säkert migrera data från en moln lagring till en annan. Denna avhandling föreslår en utformning av en tjänst för att erbjuda säkerhet som tjänst för molnmäklare i en federativ moln. Detta system gör det möjligt för kunderna att säkert flytta från en leverantör till en annan. För att möjliggöra utformningen av detta system, möjliga säkerhet och risker integritet av ett moln lagring tjänst har analyserats och identifierats. Dessutom att man framgångsrikt skydda privata uppgifter, dataskydd krav (för data retention, sanering och bearbetning) analyserades. Den föreslagna tjänsten systemet utnyttjar olika krypteringsteknik och även inkluderar identitet och nyckelhantering mekanismer, såsom "federerad identitetshantering". Även om vår föreslagna utformningen uppfyller de flesta av den definierade säkerhet och integritet krav, är det fortfarande okänt hur korrekt hantera data sanering, för att uppfyller kraven för dataskydd och ge användarna data recovery kapacitet (säkerhetskopior, versionshantering osv.)

Cloud

storage

security

privacy

zero knowledge

Security as a Service

federation

broker

Cloud Service Provider (CSP)

federated cloud

federated identity management

OAuth

OpenID

CDMI

interoperability

Communication Systems

Kommunikationssystem