Qiang Wu,Ran Wang,Xincheng Yan,Chunming Wu,Rongxing Lu

DOI: https://doi.org/10.1109/MWC.001.2100251

IF: 12.777

2022-01-01

IEEE Wireless Communications

Abstract:Opening-up sharing has prompted the multi-tenancy architecture, whereby different vendors (including outsourcees) work together with network operators to form a vibrant service ecosystem, resulting in several advantages as well as risks. In particular, the static nature of existing architectures in network functions virtualization-based (NFV-based) clouds facilitate hacking. Thus, much attention has been focused on determining how to avoid the uncontrollable cloud security induced by complex production relations and non-trustworthy software/hardware sources when the two sets of security risks intersect. In this article, we investigate latent persistent threats against cloud environments and determine a high degree of complementarity and consistency between the NFV-based cloud environment and the dynamic defense concept. More specifically, new NFV-based cloud features provide an effective implementation for dynamic defense, while the generalized robustness of dynamic defense theory allows for high security gains. Intrinsic cloud security (iCS) is then proposed to align NFV-based clouds, mimicking defense and the moving target defense (MTD) paradigm to implement a seamless integration and symbiosis evolution between security and NFV-based clouds. We quantify the impact on system overhead to account for efficiency and cost issues. The simulation analysis demonstrates that the enhanced mode is able to consistently obtain a more beneficial and stable defense compared with the counterparts.

Tiago Espinha Gasiba,Iosif Andrei-Cristian,Ulrike Lechner,Maria Pinto-Albuquerque

DOI: https://doi.org/10.1145/3465481.3470030

2021-08-17

Abstract:Improper deployment of software can have serious consequences, ranging from simple downtime to permanent data loss and data breaches. Infrastructure as Code tools serve to streamline delivery by promising consistency and speed, by abstracting away from the underlying actions. However, this simplicity may distract from architectural or configuration faults, potentially compromising the secure development lifecycle. One way to address this issue involves awareness training. Sifu is a platform that provides education on security through serious games, developed in the industry, for the industry. The presented work extends the Sifu platform with challenges addressing Terraform-aided cloud deployment on Amazon Web Services. This paper proposes an evaluation pipeline behind the challenges, and provides details of the vulnerability detection and feedback mechanisms, as well as a novel technique for detecting undesired differences between a given architecture and a target result. Furthermore, this paper quantifies the challenges’ perceived usefulness and impact, by evaluating the challenges among a total of twelve participants. Our preliminary results show that the challenges are suitable for education and the industry, with potential usage in internal training. A key finding is that, although the participants understand the importance of secure coding, their answers indicate that universities leave them unprepared in this area. Finally, our results are compared with related industry works, to extract and provide good practices and advice for practitioners.

Victor Chang,Yen-Hung Kuo,Muthu Ramachandran

DOI: https://doi.org/10.1016/j.future.2015.09.031

IF: 7.307

2016-04-01

Future Generation Computer Systems

Abstract:This article presents a cloud computing adoption framework (CCAF) security suitable for business clouds. CCAF multilayered security is based on the development and integration of three major security technologies: firewall, identity management, and encryption based on the development of enterprise file sync and share technologies. This article presents the vision, related works, and views on security framework. Core technologies have been explained in detail, and experiments were designed to demonstrate the robustness of the CCAF multilayered security. In penetration testing, CCAF multilayered security could detect and block 99.95% viruses and trojans, and could achieve ≥85% of blocking for 100 h of continuous attack. Detection and blocking took <0.012s/trojan or virus. A full CCAF multilayered security protection could block all SQL (structured query language) injection, providing real protection to data. CCAF multilayered security did not report any false alarm. All F-measures for CCAF test results were ≥99.75%. The mechanism of blending of CCAF multilayered security with policy, real services, and business activities has been illustrated. Research contributions have been justified and CCAF multilayered security can be beneficial for volume, velocity, and veracity of big data services operated in the cloud.

Hootan Alavizadeh,Hooman Alavizadeh,Dong Seong Kim,Julian Jang-Jaccard,Masood Niazi Torshiz

DOI: https://doi.org/10.48550/arXiv.1904.01758

2019-04-03

Abstract:Cloud service providers offer their customers with on-demand and cost-effective services, scalable computing, and network infrastructures. Enterprises migrate their services to the cloud to utilize the benefit of cloud computing such as eliminating the capital expense of their computing need. There are security vulnerabilities and threats in the cloud. Many researches have been proposed to analyze the cloud security using Graphical Security Models (GSMs) and security metrics. In addition, it has been widely researched in finding appropriate defensive strategies for the security of the cloud. Moving Target Defense (MTD) techniques can utilize the cloud elasticity features to change the attack surface and confuse attackers. Most of the previous work incorporating MTDs into the GSMs are theoretical and the performance was evaluated based on the simulation. In this paper, we realized the previous framework and designed, implemented and tested a cloud security assessment tool in a real cloud platform named UniteCloud. Our security solution can (1) monitor cloud computing in real-time, (2) automate the security modeling and analysis and visualize the GSMs using a Graphical User Interface via a web application, and (3) deploy three MTD techniques including Diversity, Redundancy, and Shuffle on the real cloud infrastructure. We analyzed the automation process using the APIs and showed the practicality and feasibility of automation of deploying all the three MTD techniques on the UniteCloud.

Cryptography and Security

Jianbin Hu,Yonggang Wang,Cong Tang,Zhi Guan,Fengxian Ren,Zhong Chen

DOI: https://doi.org/10.5815/ijcnis.2011.03.01

2011-01-01

International Journal of Computer Network and Information Security

Abstract:in current cloud services, users put their data and resources into the cloud so as to enjoy the on-demand high quality applications and services. Different from the conventional services, users in cloud services lose control of their data which is instead manipulated by the large-scale cloud. Therefore, cloud service providers (CSP) guarantee that the cloud which they provide is of high confidence in accuracy and integrity. Traditional penetration test is carried out manually and has low efficiency. In this paper, we propose FPTC, a novel framework of penetration test in cloud environment. In FPTC, there are managers, executors and toolkits. FPTC managers guide FPTC executors to gather information from the cloud environment, generate appropriate testing scenarios, run matched tools in the toolkit and collect test results to do evaluation. The capacity and quality of the toolkit is a key issue in FPTC. We develop a prototype in which FPTC is implemented and the experimental results show that FPTC is helpful to automatically carry out penetration test in cloud environment.

Seoungmo An,Taehoon Eom,Jong Sou Park,Jin B. Hong,Armstrong Nhlabatsi,Noora Fetais,Khaled M. Khan,Dong Seong Kim

DOI: https://doi.org/10.48550/arXiv.1903.04271

2019-03-11

Abstract:Cloud computing has been adopted widely, providing on-demand computing resources to improve perfornance and reduce the operational costs. However, these new functionalities also bring new ways to exploit the cloud computing environment. To assess the security of the cloud, graphical security models can be used, such as Attack Graphs and Attack Trees. However, existing models do not consider all types of threats, and also automating the security assessment functions are difficult. In this paper, we propose a new security assessment tool for the cloud named CloudSafe, an automated security assessment for the cloud. The CloudSafe tool collates various tools and frameworks to automate the security assessment process. To demonstrate the applicability of the CloudSafe, we conducted security assessment in Amazon AWS, where our experimental results showed that we can effectively gather security information of the cloud and carry out security assessment to produce security reports. Users and cloud service providers can use the security report generated by the CloudSafe to understand the security posture of the cloud being used/provided.

Cryptography and Security

Morgan Reece,Theodore Lander Jr.,Sudip Mittal,Nidhi Rastogi,Josiah Dykstra,Andy Sampson

2023-11-02

Abstract:As organizations increasingly use cloud services to host their IT infrastructure, there is a need to share data among these cloud hosted services and systems. A majority of IT organizations have workloads spread across different cloud service providers, growing their multi-cloud environments. When an organization grows their multi-cloud environment, the threat vectors and vulnerabilities for their cloud systems and services grow as well. The increase in the number of attack vectors creates a challenge of how to prioritize mitigations and countermeasures to best defend a multi-cloud environment against attacks. Utilizing multiple industry standard risk analysis tools, we conducted an analysis of multi-cloud threat vectors enabling calculation and prioritization for the identified mitigations and countermeasures. The prioritizations from the analysis showed that authentication and architecture are the highest risk areas of threat vectors. Armed with this data, IT managers are able to more appropriately budget cybersecurity expenditure to implement the most impactful mitigations and countermeasures.

Cryptography and Security

Michael Soltys

DOI: https://doi.org/10.48550/arXiv.2003.12905

2020-03-28

Cryptography and Security

Abstract:This paper re-examines the content of a standard advanced course in Cybersecurity from the perspective of Cloud Computing. More precisely, we review the core concepts of Cybersecurity, as presented in a senior undergraduate or graduate class, in light of the Amazon Web Services (AWS) cloud.

Alexandre Verdet,Mohammad Hamdaqa,Leuson Da Silva,Foutse Khomh

2023-08-08

Abstract:Cloud computing has become popular thanks to the widespread use of Infrastructure as Code (IaC) tools, allowing the community to conveniently manage and configure cloud infrastructure using scripts. However, the scripting process itself does not automatically prevent practitioners from introducing misconfigurations, vulnerabilities, or privacy risks. As a result, ensuring security relies on practitioners understanding and the adoption of explicit policies, guidelines, or best practices. In order to understand how practitioners deal with this problem, in this work, we perform an empirical study analyzing the adoption of IaC scripted security best practices. First, we select and categorize widely recognized Terraform security practices promulgated in the industry for popular cloud providers such as AWS, Azure, and Google Cloud. Next, we assess the adoption of these practices by each cloud provider, analyzing a sample of 812 open-source projects hosted on GitHub. For that, we scan each project configuration files, looking for policy implementation through static analysis (checkov). Additionally, we investigate GitHub measures that might be correlated with adopting these best practices. The category Access policy emerges as the most widely adopted in all providers, while Encryption in rest are the most neglected policies. Regarding GitHub measures correlated with best practice adoption, we observe a positive, strong correlation between a repository number of stars and adopting practices in its cloud infrastructure. Based on our findings, we provide guidelines for cloud practitioners to limit infrastructure vulnerability and discuss further aspects associated with policies that have yet to be extensively embraced within the industry.

Cryptography and Security,Software Engineering

Komal Bhupendra Vekaria,Prasad Calyam,Songjie Wang,Ramya Payyavula,Matthew Rockey,Nafis Ahmed

DOI: https://doi.org/10.1109/tlt.2021.3091904

2021-06-01

IEEE Transactions on Learning Technologies

Abstract:There is an increasing trend in cloud adoption of enterprise applications in, for example, manufacturing, healthcare, and finance. Such applications are routinely subject to targeted cyberattacks, which result in significant loss of sensitive data (e.g., due to data exfiltration in advanced persistent threats) or valuable utilities (e.g., due to resource the exfiltration of power in cryptojacking). There is a critical need to train highly skilled cybersecurity professionals, who are capable of defending against such targeted attacks. In this article, we present the design, development, and evaluation of the Mizzou Cyber Range, an online platform to learn basic/advanced cyber defense concepts and perform training exercises to engender the next-generation cybersecurity workforce. Mizzou Cyber Range features flexibility, scalability, portability, and extendability in delivering cyberattack/defense learning modules to students. We detail our "research-inspired learning" and "learn–apply–create" three-phase pedagogy methodologies in the development of four learning modules that include laboratory exercises and self-study activities using realistic cloud-based application testbeds. The learning modules allow students to gain skills in using latest technologies (e.g., elastic capacity provisioning, software-defined everything infrastructure) to implement sophisticated "attack defense by pretense" techniques. Students can also use the learning modules to understand the attacker–defender game in order to create disincentives (i.e., pretense initiation) that make the attacker's tasks more difficult, costly, time consuming, and uncertain. Lastly, we show the benefits of our Mizzou Cyber Range through the evaluation of student learning using auto-grading, rank assessments with peer standing- and monitoring of students' performance via feedback from prelab evaluation surveys and postlab technical assessments.

Fabian Süß,Marco Freimuth,Andreas Aßmuth,George R. S. Weir,Bob Duncan

2024-05-19

Abstract:In recent years, Cloud Computing has transformed local businesses and created new business models on the Internet- and Cloud services are still flourishing. But after the emphatic hype in the early years, a more realistic perception of Cloud services has emerged. One reason for this surely is that today, Cloud Computing is considered as an established and well-accepted technology and no longer as a technical novelty. But the second reason for this assessment might also be numerous security issues that Cloud Computing in general or specific Cloud services have experienced since then. In this paper, we revisit attacks on Cloud services and Cloud-related attack vectors that have been published in recent years. We then consider successful or proposed solutions to cope with these challenges. Based on these findings, we apply a security metric in order to rank all these Cloud-related security challenges concerning their severity. This should assist security professionals to prioritize their efforts toward addressing these issues.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Hootan Alavizadeh,Hooman Alavizadeh,Julian Jang-Jaccard

DOI: https://doi.org/10.1109/trustcom50675.2020.00171

2020-12-01

Abstract:The cloud model allows many enterprises able to outsource computing resources at an affordable price without having to commit the expense upfront. Although the cloud providers are responsible for the security of the cloud, there are still many security concerns due to inherently complex model the cloud providers operate on (e.g.,multi-tenancy). In addition, the enterprises whose services have migrated into the cloud have a preference for their own cybersecurity situation awareness capability on top of the security mechanisms provided by the cloud providers. In this way, the enterprises can monitor the performance of the security offerings of the cloud and have a choice to decide and select potential response strategies more appropriate to the enterprise in the presence of the attack where the defense provided by the cloud doesn't work for them. However, some response strategies, such as Moving Target Defense (MTD) techniques shown to be effective to secure cloud, cannot be deployed by the enterprise themselves. In this paper, we propose a framework that enables better collaboration between enterprises and cloud providers. Our proposed framework, which offers more in-depth security analysis based on the set of most advanced security metrics, allows the security experts of the enterprise to obtain better situational awareness in the cloud. With better and more effective situation awareness of cloud security, our framework can support better decision-making and further allows to deploy more appropriate threat responses to protect the outsourced resources. We also propose a secure protocol which can facilitate more secure communication between the enterprises and cloud provider. Using our proposed secure protocol, which is based on authentication and key exchange mechanism, the enterprises can send a secure request to the cloud provider to perform a selected defensive strategy.

Charles A. Kamhoua,Luke Kwiat,Kevin A. Kwiat,Joon S. Park,Ming Zhao,Manuel Rodriguez

DOI: https://doi.org/10.1007/978-3-319-75268-6_11

2018-01-01

Abstract:As cloud computing thrives, many organizations - both large and small - are taking advantage of the multiple benefits of joining a public cloud. Public cloud computing is cost-effective: a cloud user can reduce spending on technology infrastructure and have easy access to their information without an up-front or long-term commitment of resources. Despite such benefits, concern over cyber security deters many large organizations with sensitive information to use a public cloud such as the Department of Defense. This is because different public cloud users share a common platform such as the hypervisor. An attacker can compromise a virtual machine (VM) to launch an attack on the hypervisor which, if compromised, can instantly yield the compromising of all the VMs running on top of that hypervisor. In this paper we evaluate the cloud user-attacker dynamic using game theory, which models competition among rational agents. This work will show that there are multiple Nash equilibria of the public cloud game. The Nash equilibrium profile that results will be shown to depend on several factors, including the probability that the hypervisor is compromised given a successful attack on a user and the total expense required to invest in security.

Eric Pauley,Ryan Sheatsley,Blaine Hoak,Quinn Burke,Yohan Beugin,Patrick McDaniel

DOI: https://doi.org/10.1109/SP46214.2022.9833784

2022-04-11

Abstract:Public clouds provide scalable and cost-efficient computing through resource sharing. However, moving from traditional on-premises service management to clouds introduces new challenges; failure to correctly provision, maintain, or decommission elastic services can lead to functional failure and vulnerability to attack. In this paper, we explore a broad class of attacks on clouds which we refer to as cloud squatting. In a cloud squatting attack, an adversary allocates resources in the cloud (e.g., IP addresses) and thereafter leverages latent configuration to exploit prior tenants. To measure and categorize cloud squatting we deployed a custom Internet telescope within the Amazon Web Services us-east-1 region. Using this apparatus, we deployed over 3 million servers receiving 1.5 million unique IP addresses (56% of the available pool) over 101 days beginning in March of 2021. We identified 4 classes of cloud services, 7 classes of third-party services, and DNS as sources of exploitable latent configurations. We discovered that exploitable configurations were both common and in many cases extremely dangerous; we received over 5 million cloud messages, many containing sensitive data such as financial transactions, GPS location, and PII. Within the 7 classes of third-party services, we identified dozens of exploitable software systems spanning hundreds of servers (e.g., databases, caches, mobile applications, and web services). Lastly, we identified 5446 exploitable domains spanning 231 eTLDs-including 105 in the top 10,000 and 23 in the top 1000 popular domains. Through tenant disclosures we have identified several root causes, including (a) a lack of organizational controls, (b) poor service hygiene, and (c) failure to follow best practices. We conclude with a discussion of the space of possible mitigations and describe the mitigations to be deployed by Amazon in response to this study.

Cryptography and Security

Jie Xu,Paul Townend,Junaid Arshad,Wei Jie

DOI: https://doi.org/10.4018/jghpc.2012010104

2012-01-01

International Journal of Grid and High Performance Computing

Abstract:The evolution of modern computing systems has lead to the emergence of Cloud computing. Cloud computing facilitates on-demand establishment of dynamic, large scale, flexible, and highly scalable computing infrastructures. However, as with any other emerging technology, security underpins widespread adoption of Cloud computing. This paper presents the state-of-the-art about Cloud computing along with its different deployment models. The authors also describe various security challenges that can affect an organization's decision to adopt Cloud computing. Finally, the authors list recommendations to mitigate with these challenges. Such review of state-of-the-art about Cloud computing security can serve as a useful barometer for an organization to make an informed decision about Cloud computing adoption.

DOI: https://doi.org/10.30534/ijeter/2022/051042022

2022-04-07

International Journal of Emerging Trends in Engineering Research

Abstract:Cloud computing is a term, which involves virtualization, distributed computing, networking, software and web services. A cloud consists of several elements such as clients, data center and distributed servers. It includes fault tolerance, high availability, scalability, flexibility, reduced overhead for users, reduced cost of ownership, on demand services etc.Cloud Computing offers better computing through improved utilization and reduced administration and infrastructure costs. Cloud Computing is the sum of Software as a Service (SaaS) and Utility Computing. Cloud Computing is still at its infant stage and a very new technology. Therefore, most of the users are not very confident to adopt it.The main issue that faced the cloud computing is “security”. In this paper, we try to find out what countermeasures best strengthen the confidentiality, integrity and availability (CIA) of the implementation of cloud computing within the DOD This will be done by analyzing threats and countermeasures within the context of the ten domains comprising the Certified Information System Security Professional (CISSP) Common Body of Knowledge (CBK). The ten domains include access control; telecommunications and network security; information security governance and risk management; application security; cryptography; security architecture and design; operations security; business continuity planning and disaster planning; legal regulations, compliance, and investigation; and physical security. The results will provide a comprehensive guide for any Department of DefenseDoD entity attempting to secure its cloud solution.

Jia Xu,Jia Yan,Liang He,Purui Su,Dengguo Feng

DOI: https://doi.org/10.1109/CloudCom.2010.16

2010-01-01

Abstract:Massive Internet invasions implemented through the distributed platform fabricated by rapid diffusion of malwares, has become a significant issue in network security. We argue that the notion of “Collaborative Security” is an emerging trend in resisting distributed attacks originated from malware. Therefore, this paper proposes a new architecture: CloudSEC, for composing collaborative security-related services in clouds, such as correlated intrusion analysis, anti-spam, anti-DDOS, automated malware detection and containment. CloudSEC is modeled as a dynamic peer-to-peer overlay hierarchy with three types of top-down architectural components. Based on, this architecture, both data distribution and task scheduling overlays can be simultaneously implemented in a loosely coupled fashion, which can efficiently retrieve data resources from heterogeneous network security facilities, and harness distributed collection of computational resources to process data-intensive tasks. Hence, CloudSEC endues the network security infrastructure with the capability of dynamic adaptation and collaboration on an inter-organizational scale. The results of preliminary evaluation demonstrate that, CloudSEC not only delivers a sample service of distributed intrusion correlation with high scalability and robustness, but also achieves remarkable effectiveness in data sharing and task scheduling.

Kui Ren,Cong Wang,Qian Wang

DOI: https://doi.org/10.1109/MIC.2012.14

IF: 2.68

2012-01-01

IEEE Internet Computing

Abstract:Cloud computing represents today's most exciting computing paradigm shift in information technology. However, security and privacy are perceived as primary obstacles to its wide adoption. Here, the authors outline several critical security challenges and motivate further investigation of security solutions for a trustworthy public cloud environment.

Jiyi Wu,Qianli Shen,Tong Wang,Ji Zhu,Jianlin Zhang

DOI: https://doi.org/10.4304/jcp.6.10.2156-2163

2011-01-01

Abstract:Cloud computing emerges as a new computing paradigm which aims to provide reliable, customized and QoS guaranteed dynamic computing environments for endusers. Although cloud computing industry promises tremendous prospects of market growth, for users of cloud services, cloud computing has a wide range of potential risks and safety issues. This article gives a quick introduction to cloud security. It covers the key technologies of cloud computing, security challenge and problem in cloud computing, recent advances in cloud security. © 2011 ACADEMY PUBLISHER.

Oulaaffart, Mohamed,Badonnel, Rémi,Festor, Olivier

DOI: https://doi.org/10.1007/s10922-023-09792-7

2024-01-06

Journal of Network and Systems Management

Abstract:The large-scale deployment of cloud composite services distributed over heterogeneous environments poses new challenges in terms of security management. In particular, the migration of their resources is facilitated by recent advances in the area of virtualization techniques. This contributes to increase the dynamics of their configuration, and may induce vulnerabilities that could compromise the security of cloud resources, or even of the whole service. In addition, cloud providers may be reluctant to share precise information regarding the configuration of their infrastructures with cloud tenants that build and deploy cloud composite services. This makes the assessment of vulnerabilities difficult to be performed with only a partial view on the overall configuration. We therefore propose in this article an inter-cloud trusted third-party approach, called C3S-TTP, for supporting secure configurations in cloud composite services, more specifically during the migration of their resources. We describe the considered architecture, its main building blocks and their interactions based on an extended version of the TOSCA orchestration language. The trusted third party is capable to perform a precise and exhaustive vulnerability assessment, without requiring the cloud provider and the cloud tenant to share critical configuration information between each other. After designing and formalizing this third party solution, we perform large series of experiments based on a proof-of-concept prototype in order to quantify its benefits and limits.

computer science, information systems,telecommunications