クラウド・コンピューティングにおける情報セキュリティ管理の課題と対応

Size: px

Start display at page:

Download "クラウド・コンピューティングにおける情報セキュリティ管理の課題と対応"

ときもてぎ
5 years ago
Views:

1 IMES DISCUSSION PAPER SERIES Discussion Paper No J-24 INSTITUTE FOR MONETARY AND ECONOMIC STUDIES BANK OF JAPAN

3 IMES Discussion Paper Series 2010-J * ** *** JEL classification: L86L96Z00 * masashi.une@boj.or.jp ** masataka.suzuki@boj.or.jp *** sachikoy@jp.ibm.com

4 A...22 B

6 SaaS 4 Vamosi [2008]1 CPU CPU Ristenpart et al. [2009] Armbrust et al. [2009] ENISA [2009] 2009 Wang et al. [2009]Bowers et al. [2010] Gentry [2009] 3 multi-tenancy 4 SaaSSoftware as a Service 2

7 2009 3

8 IT 2009NIST: National Institute for Standards and Technology 5 Mell and Grance [2009] NIST Cloud Security Alliance Open Cloud Manifesto ENISA 5 NIST CSA [2009]ENISA [2009] OCM [2010] NIST 6 5 ENISAEuropean Network and Information Security Agency EU 6 4

9 1 NIST 5

10 SaaSSoftware as a Service Ajax 7 SaaS ID PaaSPlatform as a Service) PaaS PaaS IaaSInfrastructure as a Service) OS IaaS 7 AjaxAsynchronous JavaScript + XML 6

11 1 7

12 1 8

13 PDCA 10 PDCA Plan Do Check PDCA PlanDo Check Act 9

14 Act 10

15 A B C DoS A B C 2 CPU Ristenpart et al. [2009] US Patriot Act EU 25 EU 11

16 ENISA ENISA [2009] 12 ENISA ENISA 13, 14 SLAservice level agreement 15 EU 12 ENISA A 13 Armbrust et al.[2009] 14 basically available soft state eventually consistency 3 BASE A B C 12

17 16 Do Plan Check Check D 16 PaaS SLA IaaS OS SaaS SLA

18 ENISA [2009] 1 R DoS IP 14

19 2 15

21 Amazon EC

22 Wang et al. [2009] Bowers et al. [2010] Gentry [2009]van Dijk and Juels [2010] van Dijk et al. [2010] B 18

23 3 Wang et al. [2009] RSA Bowers et al. [2010] Gentry [2009] *Dijk and Juels [2010] * 1 SAS-70Statement on Auditing Standards ISMS ISMSInformation Security Management System ISMS 19

24 ISMS JIS Q ENISA [2009]ISMS PCI DSS * * PCI DSSPayment Card Industry Data Security Standard 5 AmexDiscoverJCBMasterCardVISA 20

25 21

26 A ENISA [2009] R.1 R.2 R.3 R.4 R.5 R.6 R.7 R.8 R.9 R.10 R.11 R.12 R.13 R.14 R.15 Distributed Denial of 22

27 Service R.16 Economic Denial of Service R.17 R.18 R.19 service engine R.20 R.21 e-discovery R.22 R.23 R.24 R.25 R.26 R.27 R.28 R.29 R.30 R.31 R.32 R.33 R.34 R.35 R.2 R.3R.23 R.22 23

28 B Wang et al. [2009] 26 RSA Google File System

29 99.9 Bowers et al. [2010] Bowers et al. [2010] 1987 Gentry [2009] Dijk et al. [2010] 28 Bowers et al. [2010] 25

30 Dijk and Juel [2010] Gentry [2009] Gentry [2009]

31 (5)NBLNo Vol.50No URL: No No SaaS SLA IT Vol.2010-CSEC-48 (4) Amazon EC2 DDoS BP ASPSaaS

32 NBLNo Vol.2009-CSEC-47 (4) IC BP Armbrust, Micheal, Armando Fox, Rean Griffith, Anthony D. Joseph, Randy H. Katz, Andrew Konwinski, Gunho Lee, David A. Patterson, Ariel Rabkin, Ion Stoica, and Matei Zaharia, Above the Clouds: A Berkeley View of Cloud Computing, Technical Report No. UCB/EECS , Electrical Engineering and Computer Sciences, University of Berkeley, February 10, Bowers, Kevin, Marten van Dijk, Ari Juels, Alina Oprea, and Ronald L. Rivest, How to Tell if Your Cloud Files Are Vulnerable to Drive Crashes, IACR eprint 2010/214, IACR, Cloud Security Alliance (CSA), Security Guidance for Critical Area of Focus in Cloud Computing, V2.1, CSA, December van Dijk, Marten, Craig Gentry, Shai Halevi, and Vinod Vaikuntanathan, Fully Homomorphic Encryption over the Integers, Proceedings of Eurocrypt 2010, LNCS 6110, Springer-Verlag, May 2010, pp van Dijk, Marten, and Ari Juels, On the Impossibility of Cryptography Alone for Privacy- Preserving Cloud Computing, IACR eprint 2010/305, IACR, European Network and Information Security Agency (ENISA), Cloud Computing Benefits, risks and recommendations for information security, ENISA, November 20 th, ( Gentry, Craig, A Fully Homomorphic Encryption Scheme, A Dissertation Submitted to the Department of Computer Science and the Committee on Graduate Studies of Stanford University, September Open Cloud Manifesto (OCM), Cloud Computing Use Cases White Paper Version 3.0, OCM, February 2 nd, ( Vamosi, Robert, Gmail cookie stolen via Google Spreadsheets, CNET, April 14th, ( Peter Mell and Tim Grance, The NIST Definition of Cloud Computing, Version 15, NIST, October 7 th, ( Ristenpart, Thomas, Eran Tromer, Hovav Shacham, and Stefan Savage, Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds, Proceedings of the 6 th ACM Conference on Computer and Communications Security, ACM, Wang, Cong, Qian Wang, Kui Ren, and Wenjing Lou, Ensuring Data Storage Security in Cloud Computing, IACR eprint 2009/081, IACR,

クラウド・コンピューティングにおける情報セキュリティ管理の課題と対応

クラウド・コンピューティングにおける情報セキュリティ管理の課題と対応 E-mail: masashi.une@boj.or.jp E-mail: masataka.suzuki@boj.or.jp E-mail: sachikoy@jp.ibm.com / /2011.1 227 1. 1 1 2010 1 2 2 3 1 2010 2010 2 1 1 3 multi-tenancy 228 /2011.1 SaaS 4 Vamosi [2008] 1 CPU CPU