Challenges and Responses in Information Security Management for Cloud Computing

Transcription:

E-mail: masashi.une@boj.or.jp E-mail: masataka.suzuki@boj.or.jp E-mail: sachikoy@jp.ibm.com / /2011.1 227

1. 1 1 2010 1 2 2 3 1 2010 2010 2 1 1 3 multi-tenancy

SaaS 4 Vamosi [2008] 1 CPU CPU Ristenpart, Tromer, Shacham, and Savage [2009] 2009 2010 2001 2008 Armbrust et al. [2009] ENISA [2009] 2009 Wang, Wang, Ren, and Lou [2009] Bowers et al. [2010] Gentry [2009] 2009 4 SaaS Software as a Service

2. 1 IT 2009 National Institute for Standards and Technology; NIST 5 Mell and Grance [2009] • • • • • NIST Cloud Security Alliance Open Cloud Manifesto ENISA 5 NIST CSA [2009] ENISA [2009] OCM [2010] NIST 6 5ENISA European Network and Information Security Agency EU 6

2 1 NIST 1

3. • SaaS Software as a Service Ajax 7 SaaS ID • PaaS Platform as a Service PaaS PaaS • IaaS Infrastructure as a Service OS IaaS. • 7Ajax Asynchronous JavaScript + XML

• • 1 • 4 • • 1 •

3 3. 2 1 PDCA 8 9 2001 8PDCA Plan Do Check Act 9 2001

10 2008 2007 PDCA PDCA D Plan Do Check Act 2 2 2 PDCA. Plan 1 10

2 A B C 2 CPU Ristenpart, Tromer, Shacham, and Savage [2009] 2009 1 11 11 US Patriot Act EU 25 EU

ENISA ENISA [2009] 12 ENISA ENISA 13 14 service level agreement; SLA 15 16 EU 12 ENISA 1 13 Armbrust et al. [2009] 14 basically available soft state eventual consistency 3 BASE 2010 15 2001 A B C D 16 PaaS

. Do Check Do Plan Check. Act Check 3 2 2 1 2 SLA IaaS OS SaaS SLA 2008

1 2 17 ENISA [2009] 1 R.9 18 2 2 4. 2 19 1 17 2010 18 DoS IP 19

2 1 1 20. 2001 • • • • 21 20 21 2009 10 Amazon EC2 17 1 2009

. 2010 2. 2006 2010

3 Wang, Wang, Ren, and Lou [2009] Bowers et al. [2010] Gentry [2009] RSA * van Dijk and Juels [2010] * 22 Wang, Wang, Ren, and Lou [2009] Bowers et al. [2010] Gentry [2009] van Dijk and Juels [2010] van Dijk, Gentry, Halevi, and Vaikuntanathan [2010] 3 23 3 22 2010 23 2

. 1 SAS-70 Statement on Auditing Standards 70 2009 ISMS 24 25 2009 2009 24 ISMS Information Security Management System ISMS ISMS JIS Q 27001 2008 25 ENISA [2009] ISMS PCI DSS * *PCIDSS Payment Card Industry Data Security Standard 5 Amex Discover JCB MasterCard VISA

5.

12 2010 3 5 5 NBL 928 2010 5 56 61 50 11 2009 11 1099 1105 2009 10 9 http://www.gartner.co.jp/press/html/ref20091009-01.html 2 2008 308 2010 4 44 78 SaaS SLA 2008 1 21 2009 7 IT 2010-CSEC-48 4 2010 3 20 2 2006 9 49 61 2010 3 Amazon EC2 DDoS 2009 10 8 http://www.netsecrity.ne.jp/2_14112.html 2010 3 BP 2010 144 149 27 1 2008 79 114 2001 4 17 2007

377 2008 2 NBL 919 2009 12 58 63 2009-CSEC-47 4 2009 12 IC 10 1987 17 22 2010 5 BP 2010 5 64 67

Armbrust, Michael, Armando Fox, Rean Griffith, Anthony D. Joseph, Randy H. Katz, Andrew Konwinski, Gunho Lee, David A. Patterson, Ariel Rabkin, Ion Stoica, and Matei Zaharia, Above the Clouds: A Berkeley View of Cloud Computing, Technical Report No. UCB/EECS-2009-28, Electrical Engineering and Computer Sciences, University of Berkeley, 10 February, 2009.

Bowers, Kevin, Marten van Dijk, Ari Juels, Alina Oprea, and Ronald L. Rivest, How to Tell if Your Cloud Files Are Vulnerable to Drive Crashes, IACR eprint 2010/214, IACR, 2010.

Cloud Security Alliance (CSA), Security Guidance for Critical Area of Focus in Cloud Computing, V2.1, CSA, December, 2009.

van Dijk, Marten, Craig Gentry, Shai Halevi, and Vinod Vaikuntanathan, Fully Homomorphic Encryption over the Integers, Proceedings of Eurocrypt 2010, LNCS 6110, Springer-Verlag, May, 2010, pp. 24-43.

van Dijk, Marten, and Ari Juels, On the Impossibility of Cryptography Alone for Privacy-Preserving Cloud Computing, IACR eprint 2010/305, IACR, 2010.

European Network and Information Security Agency (ENISA), Cloud Computing Benefits, Risks and Recommendations for Information Security, ENISA, 20 November, 2009 (http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/).

Gentry, Craig, A Fully Homomorphic Encryption Scheme, A Dissertation Submitted to the Department of Computer Science and the Committee on Graduate Studies of Stanford University, September, 2009.

Mell, Peter, and Tim Grance, The NIST Definition of Cloud Computing, Version 15, NIST, 7 October, 2009 (http://csrc.nist.gov/groups/sns/cloud-computing/).

Open Cloud Manifesto (OCM), Cloud Computing Use Cases White Paper Version 3.0, OCM, 2 February, 2010 (http://www.opencloudmanifesto.org/).

Ristenpart, Thomas, Eran Tromer, Hovav Shacham, and Stefan Savage, Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds, Proceedings of the 6th ACM Conference on Computer and Communications Security, ACM, 2009.

Vamosi, Robert, Gmail Cookie Stolen via Google Spreadsheets, CNET, 14 April, 2008 (http://news.cnet.com/8301-10789_3-9918582-52.html).

Wang, Cong, Qian Wang, Kui Ren, and Wenjing Lou, Ensuring Data Storage Security in Cloud Computing, IACR eprint 2009/081, IACR, 2009.

1. ENISA [2009] R.1 R.2 R.3 R.4 R.5 R.6 R.7 R.8 R.9 R.10 R.11 R.12 R.13 R.14 R.15 Distributed Denial of Service

R.16 Economic Denial of Service R.17 R.18 R.19 R.20 R.21 R.22 R.23 R.24 service engine e-discovery R.25 R.26 R.27 R.28 R.29 R.30 R.31 R.32 R.33 R.34 R.35 R.2 R.3 R.23 R.22

2. 4 2 1 Wang, Wang, Ren, and Lou [2009] 26 RSA 27 2 99.9% 26 Google File System 64 27 2010

Bowers et al. [2010] 28 1 1 2 2 Bowers et al. [2010] 3 1987 Gentry [2009] van Dijk, Gentry, Halevi, and Vaikuntanathan [2010] 28 Bowers et al. [2010]

van Dijk and Juels [2010] Gentry [2009] Gentry [2009] 29 29