671 research outputs found

    Trusted Computing and Secure Virtualization in Cloud Computing

    Large-scale deployment and use of cloud computing in industry is accompanied and at the same time hampered by concerns regarding protection of data handled by cloud computing providers. One of the consequences of moving data processing and storage off company premises is that organizations have less control over their infrastructure. As a result, cloud service (CS) clients must trust that the CS provider is able to protect their data and infrastructure from both external and internal attacks. Currently, however, such trust can only rely on organizational processes declared by the CS provider and cannot be remotely verified and validated by an external party. Enabling the CS client to verify the integrity of the host where the virtual machine instance will run, as well as to ensure that the virtual machine image has not been tampered with, are some steps towards building trust in the CS provider. Having the tools to perform such verifications prior to the launch of the VM instance allows the CS clients to decide at runtime whether certain data should be stored, or calculations should be made, on the VM instance offered by the CS provider. This thesis combines three components -- trusted computing, virtualization technology and cloud computing platforms -- to address issues of trust and security in public cloud computing environments. Of the three components, virtualization technology has had the longest evolution and is a cornerstone for the realization of cloud computing. Trusted computing is a recent industry initiative that aims to implement the root of trust in a hardware component, the trusted platform module. The initiative has been formalized in a set of specifications and is currently at version 1.2. Cloud computing platforms pool virtualized computing, storage and network resources in order to serve a large number of customers that use a multi-tenant multiplexing model to offer on-demand self-service over a broad network.
Open source cloud computing platforms are, similar to trusted computing, a fairly recent technology in active development. The issue of trust in public cloud environments is addressed by examining the state of the art within cloud computing security and subsequently addressing the issues of establishing trust in the launch of a generic virtual machine in a public cloud environment. As a result, the thesis proposes a trusted launch protocol that allows CS clients to verify and ensure the integrity of the VM instance at launch time, as well as the integrity of the host where the VM instance is launched. The protocol relies on the use of the Trusted Platform Module (TPM) for key generation and data protection. The TPM also plays an essential part in the integrity attestation of the VM instance host. Along with a theoretical, platform-agnostic protocol, the thesis also describes a detailed implementation design of the protocol using the OpenStack cloud computing platform. In order to verify the implementability of the proposed protocol, a prototype implementation has been built using a distributed deployment of OpenStack. While the protocol covers only the trusted launch procedure using generic virtual machine images, it presents a step aimed to contribute towards the creation of a secure and trusted public cloud computing environment.

    Smart Grid Metering Networks: A Survey on Security, Privacy and Open Research Issues

    Smart grid (SG) networks are newly upgraded networks of connected objects that greatly improve reliability, efficiency and sustainability of the traditional energy infrastructure. In this respect, the smart metering infrastructure (SMI) plays an important role in controlling, monitoring and managing multiple domains in the SG. Despite the salient features of SMI, security and privacy issues have been under debate because of the large number of heterogeneous devices that are anticipated to be coordinated through public communication networks. This survey paper shows a brief overview of real cyber attack incidents in traditional energy networks and those targeting the smart metering network. Specifically, we present a threat taxonomy considering: (i) threats in system-level security, (ii) threats and/or theft of services, and (iii) threats to privacy. Based on the presented threats, we derive a set of security and privacy requirements for SG metering networks. Furthermore, we discuss various schemes that have been proposed to address these threats, considering the pros and cons of each. Finally, we investigate the open research issues to shed new light on future research directions in smart grid metering networks.

    A Critical Juncture in Data Protection Standards: A Comparison of Data Protection Laws in the United States and the European Union

    Thesis (Master's) -- Seoul National University Graduate School: Graduate School of International Studies, Department of International Studies (International Cooperation major), August 2020. 신성호.
    In the last few decades, technology has faced an extraordinary evolution that has revolutionized the way we communicate. In particular, the rise of the Internet and digital platforms has turned data into an incredibly powerful, global resource. Yet, through the increasing sophistication of technology, the world now faces a major privacy dilemma, and governments must make critical decisions to determine whether established privacy laws encompass personal data on the Internet. As leaders in technological innovation and privacy legislation, the world is looking to the United States and the European Union to establish standards in data protection. However, despite ideological similarities between the two powers, it is clear that the U.S. and EU have vastly different approaches to data legislation. On one hand, the EU has passed the most comprehensive and strictest data protection rules in the world, while the U.S. has struggled to institute uniform regulations. A sharp rise in cyber-attacks and data misuse cases has led many to question why the U.S. has been unable or unwilling to legislate protection laws, while the EU has been quick to do so. With mounting public pressure, the U.S. now faces a critical juncture in its data policies, and must delineate its stance on data protection. In order to unpack the current approaches to data protection in the U.S. and the EU, this research will dive into the historical response to privacy and personal information through comparative analysis and case studies.
    Contents: Chapter I. Introduction (1. Background; 2. Literature Review). Chapter II. Research Plan (1. Research Question; 2. Significance of the Research; 3. Research Methodology; 4. Conceptual Framework). Chapter III. Data Protection Legislation in the European Union (1. Defining "personal information" in the EU; 2. A History of Data Protection in the EU; 3. The EU's General Data Protection Regulations; 4. Initial Reactions to GDPR; 5. Analysis of EU Data Protection Laws). Chapter IV. Data Protection Legislation in the United States (1. Defining "personal information" in the U.S.; 2. U.S. Data Protection Legislation; 3. U.S. Case Studies; 4. Barriers to Legislation in the U.S.; 5. Analysis of U.S. Data Protection Laws). Chapter V. Comparative Analysis. Chapter VI. Conclusion. Bibliography. Tables and Figures. Maste

    Security, Privacy, Confidentiality and Integrity of Emerging Healthcare Technologies: A Framework for Quality of Life Technologies to be HIPAA/HITECH Compliant, with Emphasis on Health Kiosk Design

    This dissertation research focused on the following: 1. Determined possible vulnerabilities that exist in multi-user kiosks and the computer systems that make up multi-user kiosk systems. 2. Developed an evaluation system and audit checklist for multi-user kiosk systems adapted from the Office for Civil Rights (OCR) audit protocols to address the vulnerabilities identified from our research. 3. Improved the design of a multi-user health kiosk to meet the HIPAA/HITECH standards by incorporating P&S policies. 4. Explored the feasibility and preliminary efficacy of an intervention to explore the magnitude of differences in users’ perceived risk of privacy and security (P&S) breaches as well as correlation between perceived risk and their intention to use a multi-user health kiosk. A gap analysis demonstrated that we successfully incorporated 81% of our P&S policies into the current design of our kiosk that is undergoing pilot testing. This is higher than our initial target of 50%. Repeated measures ANOVA was performed to analyze baseline and six-month follow-up of 36 study participants to measure the magnitude of the change in their “perceived risk”. Results from the ANOVA found significant group-by-time interaction (Time*Group) F (2, 33) = .27, P=.77, ηp²=.02, significant time interaction F (1, 33) = 4.73, P=.04, ηp²=.13, and no significant group interaction F (2, 33) = 1.27, P=.30, ηp²=.07. The study intervention was able to significantly reduce users’ “perceived risk” with time (baseline and six-month follow-up), even though the magnitude of the change was small. We were, however, unable to perform the correlation analysis as intended since all the kiosk participants used in the analysis intended to use the kiosk both at baseline and at six-month follow-up.
These findings will help direct research into methods to reduce “perceived risk” as well as using education and communication to affect human behavior to reduce risky behavior on both internal and external use of new health IT applications and technologies. It could then serve as a framework to drive policy in P&S of health applications, technologies and health IT systems.

    Complying with Data Handling Requirements in Cloud Storage Systems

    In past years, cloud storage systems saw an enormous rise in usage. However, despite their popularity and importance as underlying infrastructure for more complex cloud services, today's cloud storage systems do not account for compliance with regulatory, organizational, or contractual data handling requirements by design. Since legislation increasingly responds to rising data protection and privacy concerns, complying with data handling requirements becomes a crucial property for cloud storage systems. We present PRADA, a practical approach to account for compliance with data handling requirements in key-value based cloud storage systems. To achieve this goal, PRADA introduces a transparent data handling layer, which empowers clients to request specific data handling requirements and enables operators of cloud storage systems to comply with them. We implement PRADA on top of the distributed database Cassandra and show in our evaluation that complying with data handling requirements in cloud storage systems is practical in real-world cloud deployments as used for microblogging, data sharing in the Internet of Things, and distributed email storage.
    Comment: 14 pages, 11 figures; revised manuscript, accepted for publication in IEEE Transactions on Cloud Computin

    Executive Trade Secrets

    The article presents information on the commercial secrets of corporations and the need for their legal protection against disclosure. The divergent treatment of secrets in the case of public corporations and private individuals, challenges related to executive disclosures and the privacy interests of executives are discussed. The related obligations, legal tensions and inconsistent practices are also discussed.

    Strengthening e-crime legislation in the UAE: learning lessons from the UK and the EU

    The electronic revolution brought with it technological innovations that are now integral to communication, business, commerce and the workings of governments all over the world. It also significantly changed the criminal landscape. Globally it has been estimated that crime conducted via the internet (e-crime) costs more than €290 billion annually. Formulating a robust response to cybercrime in law is a top priority for many countries that presents ongoing challenges. New cybercrime trends and behaviours are constantly emerging, and debates surrounding legal provisions to deal with them by increasing online tracking and surveillance are frequently accompanied by concerns of the rights of citizens to freedom, privacy and confidentiality. This research compares the ways that three different legislative frameworks have been navigating these challenges. Specifically, it examines the legal strategies of the United Arab Emirates (UAE), the United Kingdom (UK) and the European Union (EU). The UAE is comparatively inexperienced in this area; its first law to address e-crime was adopted in 2006, sixteen years after the UK, and so the express purpose of this study is to investigate how e-crime legislation in the UAE can be strengthened. Drawing on a range of theoretical resources supplemented with empirical data, this research seeks to provide a comprehensive account of how key e-crime legislation has evolved in the UAE, the UK and the EU, and to evaluate how effective it has been in tackling cybercrime. Integral to this project is an analysis of some of the past and present controversies related to surveillance, data retention, data protection, privacy, non-disclosure and the public interest. An important corollary of this research is how e-crime legislation is not only aligned with political and economic aims, but when looking at the UAE, the discrete ways that legislation can be circumscribed by cultural, social and religious norms come into focus.

    Optimizing Proactive Measures for Security Operations

    Digital security threats may impact governments, businesses, and consumers through intellectual property theft, loss of physical assets, economic damages, and loss of confidence. Significant effort has been placed on technology solutions that can mitigate threat exposure. Additionally, hundreds of years of literature have focused on non-digital, human-centric strategies that proactively allow organizations to assess threats and implement mitigation plans. For both human and technology-centric solutions, little to no prior research exists on the efficacy of how humans employ digital security defenses. Security professionals are armed with commonly adopted "best practices" but are generally unaware of the particular artifacts and conditions (e.g., organizational culture, procurement processes, employee training/education) that may or may not make a particular environment well-suited for employing the best practices. In this thesis, I study proactive measures for security operations and related human factors to identify generalizable optimizations that can be applied for measurable increases in security. Through interview and survey methods, I investigate the human and organizational factors that shape the adoption and employment of defensive strategies. Case studies with partnered organizations and comprehensive evaluations of security programs reveal security gaps that many professionals were previously unaware of --- as well as opportunities for changes in security behaviors to mitigate future risk. These studies highlight that, in exemplar environments, the adoption of proactive security assessments and training programs leads to measurable improvements in organizations' security posture.