Outline
- Cloud Computing
- Security issues
6.1 Cloud Computing
| Name |
名字 |
| Network Computing |
網絡計算 |
| Cluster Computing |
集群計算 |
| Grid Computing |
格網計算 |
| Utility Computing |
效用計算 |
| Cloud Computing |
云計算 |
| Name |
名字 |
| Shared pool of configurable computing resources |
可配置計算資源的共享池 |
| On-demand network access |
按需網絡訪問 |
| Provisioned by the Service Provider |
由服務提供者提供 |
| hide the complexity |
隱藏底層的復雜性 |
| anywhere, anytime and any place |
|
| Pay for use |
按需支付 |
| hardware and software service |
|
- pros and cons of Cloud Computer
| pros |
中文翻譯 |
| Easy to conceptualize |
容易概念化 |
| Easy to deploy |
容易部署(服務器) |
| Easy to backup |
容易備份 |
| any application/service can be run from this type of setup |
兼容性強 |
| cons |
中文翻譯 |
| Expensive to acquire and maintain hardware |
獲取和維護硬件費用高 |
| Not very scalable |
不是很可伸縮 |
| Difficult to replicate |
難以復制 |
| Vulnerable to hardware outages |
容易出現硬件中斷 |
Virtual Server
- Concepts
① Virtual servers seek to encapsulate the server software away from the hardware.
虛擬服務器試圖將服務器軟件封裝在硬件之外.
② A virtual server can be serviced by one or more hosts, and one host may house more than one virtual server.
一個虛擬服務器可以由一個或多個主機提供服務,一個主機可以容納多個虛擬服務器区端。
③ If the environment built correctly, virtual servers will not be affected by the loss of a host.
如果環(huán)境構建正確,虛擬服務器不會受到主機丟失的影響。
④ Can be scaled out easily.
可以很容易地擴展蚯瞧。
- Advantages
① Run operating systems where the physical hardware is unavailable.
運行物理硬件不可用的操作系統
② Easier to create new machines, backup machines, etc.,
更容易創(chuàng)建新機器,備份機器等白筹,
③ Software testing using “clean” installs of operating systems and software,
使用“干凈”安裝的操作系統和軟件進行軟件測試
④ Emulate more machines than are physically available
仿真比實際可用的更多的機器
⑤ Timeshare lightly loaded systems on one host
一個主機上的分時系統負載很輕
⑥ Debug problems (suspend and resume the problem machine)
調試問題(掛起并恢復問題機器)带兜,
⑦ Easy migration of virtual machines
輕松遷移虛擬機
⑧ Run legacy systems!
遺留系統運行!
- Pros and cons of virtualization
| pros |
中文翻譯 |
| Resource pooling |
資源池 |
| Highly redundant |
高度冗余 |
| Highly available |
高可用性 |
| Rapidly deploy new servers |
快速部署新服務器 |
| Easy to deploy |
易于部署 |
| Reconfigurable while services are running |
服務運行時可重新配置 |
| Optimizes physical resources by doing more with less |
通過用更少的資源做更多的事情來優(yōu)化物理資源 |
| cons |
中文翻譯 |
| harder to conceptualize |
難以概念化 |
| more costly |
貴 |
Layers of Cloud Service 云計算層結構
| layer |
service |
功能 |
| Client |
|
|
| Application |
SaaS |
為客戶制作并維護應用程序 |
| Platform |
PaaS |
為客戶提供平臺,API |
| Infrastructure |
IaaS |
為客戶提供硬件資源 |
| Server |
|
|
SaaS
use provider’s applications running on provider's cloud infrastructure.
使用運行在提供商云基礎設施上的提供商應用程序卒废。
PaaS
can create custom applications using programming tools supported by the provider and deploy them onto the provider's cloud infrastructure.
可以使用提供商支持的編程工具創(chuàng)建自定義應用程序沛厨,并將它們部署到提供商的云基礎設施上。
IaaS
provisions computing resources within provider's infrastructure upon which they can deploy and run arbitrary software, including OS and applications.
在提供商的基礎設施中提供計算資源摔认,他們可以在這些資源上部署和運行任意軟件逆皮,包括操作系統和應用程序。
知名云服務商
① Google Cloud
② VMware Cloud
③ IBM-Google Cloud
④ Salesforce Cloud
Hadoop
用戶可以在不了解分布式底層細節(jié)的情況下参袱,開發(fā)分布式程序电谣。充分利用集群的威力進行高速運算和存儲秽梅。
| framework |
功能 |
| Hadoop Distributed File System (HDFS) |
provide storage |
| MapReduce |
provide processing |
6.2 Security Issue
Computer Security
integrity(完整性), availability(可用性) and confidentiality(保密性) of information system resources
保護信息系統資源的完整性、可用性和保密性
Authenticity and Accountability 真實性和問責制
| Key Objectives |
具體體現 |
翻譯 |
| Confidentiality |
Concealment of information or resources |
信息或資源的隱瞞 |
|
Data Confidentiality |
數據保密性 |
|
Privacy |
隱私 |
| Integrity |
Trustworthiness of data or resources |
數據或資源的可靠性 |
|
Data Integrity |
數據完整性 |
|
System Integrity |
系統的完整性 |
| Availability |
Service not denied to authorized users |
未拒絕授權用戶的服務 |
|
Ability to use information or resources |
能夠使用信息或資源 |
| Authenticity |
being genuine, verified or trust |
真實的剿牺,能夠被核實或信任的 |
|
verifying the users |
驗證用戶 |
| Accountability |
can be traced uniquely to that entity |
唯一地追溯到該實體 |
Computer Security Challenges
- not simple
- must consider potential attacks
必須考慮潛在的攻擊
- procedures used counter-intuitive
程序使用反直覺的
- involve algorithms and secret info
涉及算法和秘密信息
- must decide where to deploy mechanisms
必須決定在何處部署機制
- battle of wits between attacker/administrator
攻擊者/管理員之間的斗智斗勇
- not perceived to be a benefit until fails
直到失敗才被認為是有益的
- requires regular monitoring
需要定期監(jiān)測
- too regarded as impediment to efficient and user friendly use of system
也被認為是高效和用戶友好使用系統的障礙
- often an after-thought
往往恍然大悟
OSI Security Architecture OSI安全體系結構
The OSI security architecture focuses on security attacks, mechanisms and services.
OSI的安全架構關注于安全攻擊企垦、機制和服務。
| Cryptography Goals |
翻譯 |
| confidentiality |
保密 |
| data integrity |
數據完整性 |
| entity authentication |
身份驗證 |
| Non-repudiation |
不可抵賴性 |
要背的概念
- Security Attack: Any action (active or passive) that compromises the security of information
安全攻擊:危害信息安全的任何行為(主動或被動)
- Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.
安全機制:用于檢測晒来、防止或從安全攻擊中恢復的機制钞诡。
- Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.
安全服務:提高數據處理系統和信息傳輸安全性的服務。安全服務使用一個或多個安全機制湃崩。
- Threat: a potential for violation of security or a possible danger that might exploit a vulnerability
威脅: 潛在的安全威脅或可能利用漏洞的危險.
- Attack: an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system.
攻擊: 一種故意逃避安全服務和違反系統安全策略的智能行為荧降。
- 填空
A Safeguard is a countermeasure to protect against a threat.
防護措施是防范威脅的對策。
A weakness in a safeguard is called a vulnerability.
安全防護中的弱點稱為“漏洞”攒读。
Damage to any IT-based system or activity can result in severe disruption of services and losses.
任何基于it的系統或活動的損壞都可能導致服務的嚴重中斷和損失朵诫。
Security Attacks
- Interruption: This is an attack on availability
中斷:這是對可用性的攻擊
- Interception: This is an attack on confidentiality
攔截:這是對保密性的攻擊
- Modification: This is an attack on integrity
修改:這是對完整性的攻擊
- Fabrication: This is an attack on authenticity
捏造:這是對真實性的攻擊
Security Threats
- Disclosure: unauthorized access to information
披露-未經授權的信息訪問
- Deception: acceptance of false data
欺騙-接受虛假資料
- Disruption: interruption or prevention of correct operation
中斷-正確操作的中斷或預防
- Usurpation: unauthorized control of some part of a system
篡奪-對系統某些部分的未經授權的控制
Passive and Active Attacks 被動攻擊和主動攻擊
- Passive: attempts to learn or make use of information from the system, but does not affect system resources.
被動:嘗試從系統中學習或利用信息,但不影響系統資源整陌。
- Active: attempts to alter system resources or affect their operation.
主動:試圖改變系統資源或影響它們的操作拗窃。
Security Services
- enhance security of data processing systems and information transfers of an organization
提高數據處理系統和組織信息傳輸的安全性
- intended to counter security attacks
為了對抗安全攻擊
- use one or more security mechanisms
使用一個或多個安全機制
- often replicate functions normally associated with physical documents
經常復制通常與物理文檔相關的功能
- have signatures, dates; need protection from disclosure, tampering, or destruction; are notarized or witnessed;
有簽名,日期;需要保護以免泄露泌辫、篡改或銷毀;
Security Services Examples
| Examples |
解釋 |
翻譯 |
| uthentication |
(who created or sent the data) |
身份驗證 (誰創(chuàng)建或發(fā)送數據) |
| Access control |
(prevent misuse of resources) |
訪問控制 (防止資源濫用) |
| Confidentiality |
(privacy) |
機密性 (隱私) |
| Integrity |
(has not been altered) |
完整性 (未更改) |
| Non-repudiation |
(the order is final) |
不可抵賴性 (訂單為最終) |
| Availability |
(permanence, non-erasure) |
可用性 (永久性随夸、非擦除) |
Security Machanism
- feature designed to detect, prevent, or recover from a security attack
用于檢測、防止或從安全攻擊中恢復的特性
- no single mechanism that will support all services required
沒有一種機制可以支持所有需要的服務
- however one particular element underlies many of the security mechanisms in use: cryptographic techniques
然而震放,在使用的許多安全機制的基礎上有一個特殊的元素:密碼技術
Security Machanism Examples
- Specific mechanisms existing to provide certain security services
提供某些保安服務的特定機制
| Examples |
翻譯 |
| encryption used for authentication |
用于身份驗證的加密 |
| digital signatures |
數字簽名 |
| access controls |
訪問控制 |
| data integrity |
數據完整性 |
| authentication exchange |
身份驗證交換 |
| traffic padding |
流量填充 |
| routing control |
路由控制 |
| notarization |
公證 |
- Pervasive mechanisms which are general mechanisms incorporated into the system and not specific to a service
無處不在的機制宾毒,是納入系統的一般機制,而不是特定于服務
| Examples |
翻譯 |
| security audit trail |
安全審計跟蹤 |
| trusted functionality |
信任的功能?? |
| security labels |
安全標簽 |
| event detection |
事件檢測 |
| security recovery |
安全恢復 |
Two Types of Program Threats
- Information access threats:
信息訪問的威脅
Intercept or modify data on behalf of users who should not have access to that data.
代表不應該訪問該數據的用戶攔截或修改數據殿遂。
E.g. corruption of data by injecting malicious code
例如诈铛,注入惡意程式碼破壞資料
- Service threats:
服務的威脅
Exploit service flaws in computers to inhibit use by legitimate uses.
利用電腦上的服務漏洞,禁止合法使用墨礁。
Viruses and worms are examples of software attacks
病毒和蠕蟲是軟件攻擊的例子
Public-Key Cryptosystems 公鑰密碼體制
| categories |
翻譯 |
| Encryption/decryption |
加密/解密 |
| Digital signature |
數字簽名 |
| Key exchange |
密鑰交換 |
Advantage of Symmetric key 對稱密鑰的優(yōu)點
- It can be designed for high rates of data throughput, may be using hardware implementations
-它可以設計為高數據吞吐率幢竹,可以使用硬件實現
- Key lengths are relatively short
-密鑰長度相對較短
- Can be used to produce stronger ciphers
-可用于產生更強的密碼
Disadvantage of Symmetric key 對稱密鑰的缺點
- Key must remain secret at both ends
鑰匙兩端必須保密
- In a large network, there are many key pairs to be managed. Effective key management requires use of an unconditionally trusted third party.
在大型網絡中,有許多密鑰對需要管理恩静。有效的密鑰管理需要使用一個無條件信任的第三方焕毫。
- Digital signature schemes using private key cryptography requires large key.
使用私鑰加密的數字簽名方案需要大密鑰。
Advantage of Public key cryptography 公鑰密碼學的優(yōu)點
- Only the private key to be kept secret
只有私鑰要保密
- The administration of key requires only a functionally trusted TTP.
密鑰的管理只需要一個功能可靠的TTP驶乾。
- A private/public key pair may remain unchanged for a long time.
私鑰/公鑰對可能長時間保持不變邑飒。
- Gives relatively efficient digital signature schemes
提供相對有效的數字簽名方案
Disadvantages of public key cryptography 公鑰密碼學的缺點
- Several orders of magnitudes slower
慢了幾個數量級
- Key sizes are larger.
鑰匙尺寸更大。
- No public-key cryptosystem is proven to
secure.
沒有公鑰密碼系統被證明是安全的。
