Pramod S. Pawar,Ali Sajjad,Theo Dimitrakos,David W. Chadwick

DOI: https://doi.org/10.1007/978-3-319-18491-3_21

2015-01-01

Abstract:The economic benefits of cloud computing are encouraging customers to bring complex applications and data into the cloud. However security remains the biggest barrier in the adoption of cloud, and with the advent of multi-cloud and federated clouds in practice security concerns are for applications and data in the cloud. This paper proposes security as a value added service, provisioned dynamically during deployment and operation management of an application in multi-cloud and federated clouds. This paper specifically considers a data protection and a host & application protection solution that are offered as a SaaS application, to validate the security services in a multi-cloud and federated cloud environment. This paper shares our experiences of validating these security services over a geographically distributed, large scale, multi-cloud and federated cloud infrastructure.

Joshua Daniel,Fadi El-Moussa,Gery Ducatel,Pramod Pawar,Ali Sajjad,Robert Rowlingson,Theo Dimitrakos

DOI: https://doi.org/10.1007/978-3-319-18491-3_19

2015-01-01

Abstract:Protecting systems, applications and data hosted on a Cloud environment against cyber-threats, and accounting for security incidents across the Cloud estate are prerequisites to Cloud adoption by business, and a fundamental element of both national and corporate cyber-security and Cloud strategies. Yet, Cloud IaaS and PaaS providers typically hold Cloud consumers accountable for protecting their applications, while Cloud users often find that protecting their proprietary system, application and data stacks on public or hybrid Cloud environments can be complex, expensive and time-consuming. In this paper we describe a novel Cloud-based security management solution that empowers Cloud consumers to protect their systems, applications and data in the Cloud, whilst also improving the control and visibility of their Cloud security operations. This is achieved by enhancing the security policy management of commercial technologies, and via their integration with multiple Cloud-based hosts and applications. The result of this integration is then offered as a re-usable service across multiple Cloud platforms through a Cloud service store.

Qiang Wu,Ran Wang,Xincheng Yan,Chunming Wu,Rongxing Lu

DOI: https://doi.org/10.1109/MWC.001.2100251

IF: 12.777

2022-01-01

IEEE Wireless Communications

Abstract:Opening-up sharing has prompted the multi-tenancy architecture, whereby different vendors (including outsourcees) work together with network operators to form a vibrant service ecosystem, resulting in several advantages as well as risks. In particular, the static nature of existing architectures in network functions virtualization-based (NFV-based) clouds facilitate hacking. Thus, much attention has been focused on determining how to avoid the uncontrollable cloud security induced by complex production relations and non-trustworthy software/hardware sources when the two sets of security risks intersect. In this article, we investigate latent persistent threats against cloud environments and determine a high degree of complementarity and consistency between the NFV-based cloud environment and the dynamic defense concept. More specifically, new NFV-based cloud features provide an effective implementation for dynamic defense, while the generalized robustness of dynamic defense theory allows for high security gains. Intrinsic cloud security (iCS) is then proposed to align NFV-based clouds, mimicking defense and the moving target defense (MTD) paradigm to implement a seamless integration and symbiosis evolution between security and NFV-based clouds. We quantify the impact on system overhead to account for efficiency and cost issues. The simulation analysis demonstrates that the enhanced mode is able to consistently obtain a more beneficial and stable defense compared with the counterparts.

Wenjuan Li,Lingdi Ping,Xuezeng Pan

DOI: https://doi.org/10.1109/iceie.2010.5559829

2010-01-01

Abstract:Security and interoperability is the biggest challenge to promote cloud computing currently. Trust has proved to be one of the most important and effective alternative means to construct security in distributed systems. In order to efficiently and safely construct entities' trust relationship in cloud and cross-clouds environment, this paper proposed a novel cloud trust model and a new cloud security framework. The propose trust model is domain-based. It divides one cloud provider's resource nodes into the same trust domain. It designs different trust strategies for different roles. Trust recommendation is treated as one type of cloud services just like computation or storage. Based on the proposed trust model, it introduced a novel cloud security framework with an independent trust management module. Using the proposed security model, it introduced some trust-based security mechanisms. Results of simulation experiments show that the proposed security model can achieve high transaction success rate with high trust accuracy.

Hootan Alavizadeh,Hooman Alavizadeh,Julian Jang-Jaccard

DOI: https://doi.org/10.1109/trustcom50675.2020.00171

2020-12-01

Abstract:The cloud model allows many enterprises able to outsource computing resources at an affordable price without having to commit the expense upfront. Although the cloud providers are responsible for the security of the cloud, there are still many security concerns due to inherently complex model the cloud providers operate on (e.g.,multi-tenancy). In addition, the enterprises whose services have migrated into the cloud have a preference for their own cybersecurity situation awareness capability on top of the security mechanisms provided by the cloud providers. In this way, the enterprises can monitor the performance of the security offerings of the cloud and have a choice to decide and select potential response strategies more appropriate to the enterprise in the presence of the attack where the defense provided by the cloud doesn't work for them. However, some response strategies, such as Moving Target Defense (MTD) techniques shown to be effective to secure cloud, cannot be deployed by the enterprise themselves. In this paper, we propose a framework that enables better collaboration between enterprises and cloud providers. Our proposed framework, which offers more in-depth security analysis based on the set of most advanced security metrics, allows the security experts of the enterprise to obtain better situational awareness in the cloud. With better and more effective situation awareness of cloud security, our framework can support better decision-making and further allows to deploy more appropriate threat responses to protect the outsourced resources. We also propose a secure protocol which can facilitate more secure communication between the enterprises and cloud provider. Using our proposed secure protocol, which is based on authentication and key exchange mechanism, the enterprises can send a secure request to the cloud provider to perform a selected defensive strategy.

Seyed Hossein Ahmadpanah

DOI: https://doi.org/10.48550/arXiv.1611.08889

2016-11-28

Abstract:In the cloud computing environment, cloud virtual machine (VM) will be more and more the number of virtual machine security and management faced giant Challenge. In order to address security issues cloud computing virtualization environment, this paper presents a virtual machine based on efficient and dynamic deployment VM security management model state migration and scheduling, study of which virtual machine security architecture, based on AHP (Analytic Hierarchy Process) virtual machine deployment and scheduling method, based on CUSUM (Cumulative Sum) DDoS attack detection algorithm, and the above-described method for functional testing and validation.

Networking and Internet Architecture,Distributed, Parallel, and Cluster Computing

Mohemed Almorsy,John Grundy,Amani S. Ibrahim

DOI: https://doi.org/10.1109/cloud.2011.9

2011-07-01

Abstract:Although the cloud computing model is considered to be a very promising internet-based computing platform, it results in a loss of security control over the cloud-hosted assets. This is due to the outsourcing of enterprise IT assets hosted on third-party cloud computing platforms. Moreover, the lack of security constraints in the Service Level Agreements between the cloud providers and consumers results in a loss of trust as well. Obtaining a security certificate such as ISO 27000 or NIST-FISMA would help cloud providers improve consumers trust in their cloud platforms' security. However, such standards are still far from covering the full complexity of the cloud computing model. We introduce a new cloud security management framework based on aligning the FISMA standard to fit with the cloud computing model, enabling cloud providers and consumers to be security certified. Our framework is based on improving collaboration between cloud providers, service providers and service consumers in managing the security of the cloud platform and the hosted services. It is built on top of a number of security standards that assist in automating the security management process. We have developed a proof of concept of our framework using. NET and deployed it on a testbed cloud platform. We evaluated the framework by managing the security of a multi-tenant SaaS application exemplar.

Quang Hieu Vu,Maurizio Colombo,Rasool Asal,Ali Sajjad,Fadi Ali El-Moussa,Theo Dimitrakos

DOI: https://doi.org/10.1109/cns.2015.7346879

2015-01-01

Abstract:This paper introduces Secure Cloud Storage (SCS), a framework for Data Protection as a Service (DPaaS) to cloud computing users. Compared to the existing Data Encryption as a Service (DEaaS) such as those provided by Amazon and Google, DPaaS provides more flexibility to protect data in the cloud. In addition to supporting the basic data encryption capability as DEaaS does, DPaaS allows users to define fine-grained access control policies to protect their data. Once data is put under an access control policy, it is automatically encrypted and only if the policy is satisfied, the data could be decrypted and accessed by either the data owner or anyone else specified in the policy. The key idea of the SCS framework is to separate data management from security management in addition to defining a full cycle of data security automation from encryption to decryption. As a proof-of-concept for the design, we implemented a prototype of the SCS framework that works with both BT Cloud Compute platform and Amazon EC2. Experiments on the prototype have proved the efficiency of the SCS framework.

Hootan Alavizadeh,Hooman Alavizadeh,Dong Seong Kim,Julian Jang-Jaccard,Masood Niazi Torshiz

DOI: https://doi.org/10.48550/arXiv.1904.01758

2019-04-03

Abstract:Cloud service providers offer their customers with on-demand and cost-effective services, scalable computing, and network infrastructures. Enterprises migrate their services to the cloud to utilize the benefit of cloud computing such as eliminating the capital expense of their computing need. There are security vulnerabilities and threats in the cloud. Many researches have been proposed to analyze the cloud security using Graphical Security Models (GSMs) and security metrics. In addition, it has been widely researched in finding appropriate defensive strategies for the security of the cloud. Moving Target Defense (MTD) techniques can utilize the cloud elasticity features to change the attack surface and confuse attackers. Most of the previous work incorporating MTDs into the GSMs are theoretical and the performance was evaluated based on the simulation. In this paper, we realized the previous framework and designed, implemented and tested a cloud security assessment tool in a real cloud platform named UniteCloud. Our security solution can (1) monitor cloud computing in real-time, (2) automate the security modeling and analysis and visualize the GSMs using a Graphical User Interface via a web application, and (3) deploy three MTD techniques including Diversity, Redundancy, and Shuffle on the real cloud infrastructure. We analyzed the automation process using the APIs and showed the practicality and feasibility of automation of deploying all the three MTD techniques on the UniteCloud.

Cryptography and Security

Dimitrios Zissis,Dimitrios Lekkas

DOI: https://doi.org/10.1016/j.future.2010.12.006

IF: 7.307

2012-03-01

Future Generation Computer Systems

Abstract:The recent emergence of cloud computing has drastically altered everyone’s perception of infrastructure architectures, software delivery and development models. Projecting as an evolutionary step, following the transition from mainframe computers to client/server deployment models, cloud computing encompasses elements from grid computing, utility computing and autonomic computing, into an innovative deployment architecture. This rapid transition towards the clouds, has fuelled concerns on a critical issue for the success of information systems, communication and information security. From a security perspective, a number of unchartered risks and challenges have been introduced from this relocation to the clouds, deteriorating much of the effectiveness of traditional protection mechanisms. As a result the aim of this paper is twofold; firstly to evaluate cloud security by identifying unique security requirements and secondly to attempt to present a viable solution that eliminates these potential threats. This paper proposes introducing a Trusted Third Party, tasked with assuring specific security characteristics within a cloud environment. The proposed solution calls upon cryptography, specifically Public Key Infrastructure operating in concert with SSO and LDAP, to ensure the authentication, integrity and confidentiality of involved data and communications. The solution, presents a horizontal level of service, available to all implicated entities, that realizes a security mesh, within which essential trust is maintained.

Robail Yasrab

DOI: https://doi.org/10.48550/arXiv.1804.04731

2018-04-13

Abstract:Cloud computing has brought a revolution in the field of information technology and improving the efficiency of computational resources. It offers computing as a service enabling huge cost and resource efficiency. Despite its advantages, certain security issues still hinder organizations and enterprises from it being adopted. This study mainly focused on the security of Platform-as-a-Service (PaaS) as well as the most critical security issues that were documented regarding PaaS infrastructure. The prime outcome of this study was a security model proposed to mitigate security vulnerabilities of PaaS. This security model consists of a number of tools, techniques and guidelines to mitigate and neutralize security issues of PaaS. The security vulnerabilities along with mitigation strategies were discussed to offer a deep insight into PaaS security for both vendor and client that may facilitate future design to implement secure PaaS platforms.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Mirsaeid Hosseini Shirvani,Amir Masoud Rahmani,Amir Sahafi

DOI: https://doi.org/10.1002/spe.2528

2017-09-13

Abstract:This paper presents an iterative mathematical decision model for organizations to evaluate whether to invest in establishing information technology (IT) infrastructure on‐premises or outsourcing IT services on a multicloud environment. This is because a single cloud cannot cover all types of users’ functional/nonfunctional requirements, in addition to several drawbacks such as resource limitation, vendor lock‐in, and prone to failure. On the other hand, multicloud brings several merits such as vendor lock‐in avoidance, system fault tolerance, cost reduction, and better quality of service. The biggest challenge is in selecting an optimal web service composition in the ever increasing multicloud market in which each provider has its own pricing schemes and delivers variation in the service security level. In this regard, we embed a module in the cloud broker to log service downtime and different attacks to measure the security risk. If security tenets, namely, security service level agreement, such as availability, integrity, and confidentiality for mission‐critical applications, are targeted by cybersecurity attacks, it causes disruption in business continuity, leading to financial losses or even business failure. To address this issue, our decision model extends the cost model by using the cost present value concept and the risk model by using the advanced mean failure cost concept, which are derived from the embedded module to quantify cloud competencies. Then, the cloud economic problem is transformed into a bioptimization problem, which minimizes cost and security risks simultaneously. To deal with the combinatorial problem, we extended a genetic algorithm to find a Pareto set of optimal solutions. To reach a concrete result and to illustrate the effectiveness of the decision model, we conducted different scenarios and a small‐to‐medium business IT development for a 5‐year investment as a case study. The result of different implementation shows that multicloud is a promising and reliable solution against IT on‐premises deployment.

computer science, software engineering

Karim Djemame,Afnan Ullah Khan,Manuel Oriol,Ming Jiang,Mariam Kiran

DOI: https://doi.org/10.1109/CloudCom.2012.6427574

2012-01-01

Abstract:Cloud computing provides outsourcing of resources bringing economic benefits. The outsourcing however does not allow data owners to outsource the responsibility of confidentiality, integrity and access control, as it still is the responsibility of the data owner. As cloud computing is transparent to both the programmers and the users, it induces challenges that were not present in previous forms of distributed computing. Furthermore, cloud computing enables its users to abstract away from low-level configuration such as configuring IP addresses and routers. It creates an illusion that this entire configuration is automated. This illusion is also true for security services, for instance automating security policies and access control in cloud, so that individuals or end-users using the cloud only perform very high-level (business oriented) configuration. This paper investigates the security challenges posed by the transparency of distribution, abstraction of configuration and automation of services by performing a detailed threat analysis of cloud computing across its different deployment scenarios (private, bursting, federation or multi-clouds). This paper also presents a risk inventory which documents the security threats identified in terms of availability, integrity and confidentiality for cloud infrastructures in detail for future security risks. We also propose a methodology for performing security risk assessment for cloud computing architectures presenting some of the initial results.

Chenlin Huang,Wei Chen,Lu Yuan,Yan Ding,Songlei Jian,Yusong Tan,Hua Chen,Dan Chen

DOI: https://doi.org/10.1016/j.jpdc.2020.11.002

IF: 4.542

2021-03-01

Journal of Parallel and Distributed Computing

Abstract:<p>With the rise of concerns over security and privacy in the cloud, the "security-on-demand" service mode dynamically provides cloud customers with trusted computing environments according to their specific security needs. Major challenges, however, remain to achieve this goal: (1) integrating an auditable, tamper-resistant trust-management mechanism into the cloud infrastructure and (2) building a protocol to guarantee the consistency of customers' policies during virtual machine (VM) migrations. This study develops a new security-on-demand framework called a "policy-customized trusted cloud service" (PC-TCS) architecture that comprises two core components: an attribute-based signature (ABS)-based remote-attestation scheme to achieve trusted remote attestation with customized security policies and an ABS- and blockchain-based VM-migration protocol to support policy-customized trusted migration. To prove the availability of this architecture, we implemented a PC-TCS prototype based on Xen Hypervisor, the results of which indicate that (1) PC-TCS can be integrated into cloud infrastructure as part of a trusted computing base; (2) cloud users can customize the security policies of computing environments and validate their enforcement throughout the service life-cycle with the support of PC-TCS; and (3) PC-TCS can support policy-customized remote attestation and policy-customized migration with a minimal impact on performance.</p>

computer science, theory & methods

Charles A. Kamhoua,Luke Kwiat,Kevin A. Kwiat,Joon S. Park,Ming Zhao,Manuel Rodriguez

DOI: https://doi.org/10.1007/978-3-319-75268-6_11

2018-01-01

Abstract:As cloud computing thrives, many organizations - both large and small - are taking advantage of the multiple benefits of joining a public cloud. Public cloud computing is cost-effective: a cloud user can reduce spending on technology infrastructure and have easy access to their information without an up-front or long-term commitment of resources. Despite such benefits, concern over cyber security deters many large organizations with sensitive information to use a public cloud such as the Department of Defense. This is because different public cloud users share a common platform such as the hypervisor. An attacker can compromise a virtual machine (VM) to launch an attack on the hypervisor which, if compromised, can instantly yield the compromising of all the VMs running on top of that hypervisor. In this paper we evaluate the cloud user-attacker dynamic using game theory, which models competition among rational agents. This work will show that there are multiple Nash equilibria of the public cloud game. The Nash equilibrium profile that results will be shown to depend on several factors, including the probability that the hypervisor is compromised given a successful attack on a user and the total expense required to invest in security.

Keke Gai,Meikang Qiu,Hui Zhao

DOI: https://doi.org/10.1109/bigdatasecurity-hpsc-ids.2016.68

2016-01-01

Abstract:Implementing cloud computing empowers numerous paths to Web-based computing service offerings for meeting diverse needs. However, cloud data security and privacy information protection have also become a critical issue restraining the cloud applications. One of the major concerns in security is that cloud operators will have a chance to reach sensitive data, which dramatically increases users' anxiety and reduces the adoptability of cloud computing in many fields, such as the financial industry and governmental agencies. This paper focuses on this issues and proposes a novel approach that can efficiently split the file and separately store the data in the distributed cloud servers, in which the data cannot be directly reached by cloud service operators. The proposed scheme is entitled as Security-Aware Efficient Distributed Storage (SAEDS) model, which is mainly supported by the proposed algorithms, named Secure Efficient Data Distributions (SED2) Algorithm and Efficient Data Conflation (EDCon) Algorithm. Our experimental evaluations have assessed both security and efficiency performances.

Saddek Benabied,Abdelhafid Zitouni,Mahieddine Djoudi

DOI: https://doi.org/10.1109/CloudTech.2015.7336962

2020-01-22

Abstract:Cloud computing as a potential paradigm offers tremendous advantages to enterprises. With the cloud computing, the market's entrance time is reduced, computing capabilities is augmented and computing power is really limitless. Usually, to use the full power of cloud computing, cloud users has to rely on external cloud service provider for managing their data. Nevertheless, the management of data and services are probably not fully trustworthy. Hence, data owners are uncomfortable to place their sensitive data outside their own system .i.e., in the cloud. Bringing transparency, trustworthiness and security in the cloud model, in order to fulfill client's requirements are still ongoing. To achieve this goal, our paper introduces two levels security framework: Cloud Service Provider (CSP) and Cloud Service User (CSU). Each level is responsible for a particular task of the security. The CSU level includes a proxy agent and a trust agent, dealing with the first verification. Then a second verification is performed at the CSP level. The framework incorporates a trust model to monitor users' behaviors. The use of mobile agents will exploit their intrinsic features such as mobility, deliberate localization and secure communication channel provision. This model aims to protect user's sensitive information from other internal or external users and hackers. Moreover, it can detect policy breaches, where the users are notified in order to take necessary actions when malicious access or malicious activity would occur.

Cryptography and Security,Networking and Internet Architecture

Morgan Reece,Theodore Lander Jr.,Sudip Mittal,Nidhi Rastogi,Josiah Dykstra,Andy Sampson

2023-11-02

Abstract:As organizations increasingly use cloud services to host their IT infrastructure, there is a need to share data among these cloud hosted services and systems. A majority of IT organizations have workloads spread across different cloud service providers, growing their multi-cloud environments. When an organization grows their multi-cloud environment, the threat vectors and vulnerabilities for their cloud systems and services grow as well. The increase in the number of attack vectors creates a challenge of how to prioritize mitigations and countermeasures to best defend a multi-cloud environment against attacks. Utilizing multiple industry standard risk analysis tools, we conducted an analysis of multi-cloud threat vectors enabling calculation and prioritization for the identified mitigations and countermeasures. The prioritizations from the analysis showed that authentication and architecture are the highest risk areas of threat vectors. Armed with this data, IT managers are able to more appropriately budget cybersecurity expenditure to implement the most impactful mitigations and countermeasures.

Cryptography and Security

Qingni Shen,Yahui Yang,Zhonghai Wu,Dandan Wang,Min Long

DOI: https://doi.org/10.1504/ijguc.2013.057118

2013-01-01

International Journal of Grid and Utility Computing

Abstract:With the growth of business, an enterprise would like to make its PSC private storage cloud approach an infrastructure service in a partner/public cloud. In such PSCs, there are some new data security issues, First, how to keep the data rest in the PSC isolated from internal and external attackers; second, how to make secure intra-cloud data migration within the enterprise; third, how to secure inter-cloud data migrating between the PSC and the partner/public cloud. In this paper, we propose an architecture design for enforcing data security services on the layer of HDFS in the PSC, including secure data isolation service, secure intra-cloud data migration service, and secure inter-cloud data migration service. Finally, it gives the prototype implemented as pluggable security modules in accord with our custom security policies through AOP Aspect-Oriented Programming method. The time cost is given and evaluated efficiently.

Qingni Shen,Lizhe Zhang,Xin Yang,Yahui Yang,Zhonghai Wu,Ying Zhang

DOI: https://doi.org/10.1109/dasc.2011.114

2011-01-01

Abstract:With the development of cloud computing, cloud security issues have recently gained traction in the research community. Although much of the efforts are focused on securing the operation system and virtual machine, or securing data storage inside a cloud system, this paper takes an alternative perspective to cloud security-the security of data migration between different clouds. First, we describe some threats when we are doing data migration. Second, we propose a security mechanism to deal with the security issues on data migration from one cloud to another. Third, we design a prototype to give the mechanism a brief implementation based on HDFS (Hadoop Distributed File System) and we do a series of tests to evaluate our prototype. Here, the solutions to securing data migration between clouds mainly involve in SSL negotiation, migration ticket design and block encryption in distributed file system and cluster parallel computing.