Security Policy Enforcement in Cloud Infrastructure
Innovation Lab, Tata Consultancy Services, Kolkata, India
Birla Institute of Technology, Mesra, Kolkata Campus, Kolkata, India
ABSTRACT
Cloud computing is a computing environment consisting of different facilitating components like hardware, software, firmware, networking, and services. The Internet or a private network provides the required backbone to deliver the cloud services. The benefits of cloud computing, like on-demand, customized resource availability and performance management, are overpowered by the associated security risks to the cloud system, particularly to the cloud users or clients. Existing traditional IT and enterprise security are not adequate to address the cloud security issues. In order to deploy different cloud applications, the security concerns of cloud computing have to be effectively addressed. Cloud security is the area that deals with the concerns and vulnerabilities of cloud computing to ensure a safer computing environment. This paper explores the challenges and issues of security concerns of cloud computing through different standard and novel solutions. This paper proposes an architecture for incorporating different security schemes, techniques and protocols for cloud computing, particularly in Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) systems. The proposed architecture is generic in nature, not dependent on the type of cloud deployment, application agnostic and not coupled with the underlying backbone. This would help to manage the cloud system more effectively and allow the administrator to include the specific solution to counter the threat.
KEYWORDS
Cloud computing; security; PaaS; IaaS; authentication.
1. INTRODUCTION
Cloud computing provides a distributed computing environment comprising heterogeneous facilitating components like hardware, software, firmware, networking as well as services. Challenges arise when the cloud infrastructure is accessed from a public domain like the Internet. Even when it is privately held, security challenges prevail. The Internet or even a private network provides the required backbone to deliver the cloud services. Common cloud services are IaaS, PaaS, and Software-as-a-Service (SaaS), and may include other services overlaid on top of these basic service models. The model of metered usage of infrastructure, application, data and services brings about economy of scale and reduced computing and storage cost. However, without adequate assessment of the capability, benefit, vulnerability and optimality, cloud computing may pose severe challenges and threats, which can transform the immense advantages into massive risk and catastrophic loss. The unorthodox architecture and operation of the cloud bring in different security and privacy vulnerabilities. Cloud security helps in delivering resilience against different attacks that aim to disrupt the confidentiality, integrity and availability of cloud information and user data.
David C. Wyld (Eds) : ICCSEA, SPPR, CSIA, WimoA - 2013 pp. 0109, 2013. CS & IT-CSCP 2013
DOI : 10.5121/csit.2013.3501
It is worthwhile to determine the trustworthiness of cloud service providers based on parameters like system update frequency, mean down time, and previous attack history [1]. In this paper, we explore the above-mentioned challenges and issues of security concerns of cloud computing through different standard and novel solutions. Our discussion on cloud security is independent of the type of cloud deployment. We propose a security-enabled cloud environment which significantly protects the client's interest and security concerns over its data based on the user's or application's requirement, which helps in mitigating the scalability issues. This paper is organized as follows. In Section 2, related work done by several researchers is documented. In Section 3, we discuss security in cloud infrastructure, its key issues and open challenges. Section 4 depicts the proposed architecture for implementing cloud system security, and the Security-as-a-Service in a cloud system. Finally, in Section 5 we conclude the paper, citing our future work.
2. RELATED WORK
Conner et al. [1] have presented an effective reputation management system with associated trust establishment through multiple scoring functions and implemented the security service on a realistic application scenario in distributed environments. The privacy issue in cloud computing is dealt with in [2]. In [3], a scheme for handling data protection in terms of confidentiality through amalgamation of identity management with hierarchical identity-based cryptography is described. Trust needs to be established as a means for better security of cloud platforms. In [14], a trust and reputation based scheme in collaborative computing is presented. With this backdrop, we present our proposed architecture and security model towards better protection of confidentiality and privacy in a public cloud infrastructure.
A homomorphic encryption scheme allows arbitrary functions to be computed efficiently over encrypted data, i.e., given encryptions E(d1), ..., E(dN) of d1, ..., dN for any computable function f. In order to ensure client data security from the cloud service provider where the cloud service provider needs to compute on client data, homomorphic encryption is the only available option. Though it is in a developing stage and incurs high computational cost for sophisticated functions, we propose the following algorithm to balance between security and usability:
Security-utility balancing algorithm
Begin
    Find the confidentiality requirement from client
    Repository of trust scores of the cloud service provider is supplied
    If the specific cloud service provider Blacklisted cloud service providers Sensitive application (like finance data)
        Use functional encryption (homomorphic encryption)
    Elseif client data sensitive statistical meaning is of importance
        Negotiate with privacy primitives like perturbation, randomization, and generalization
    Else
        Use standard on-transit TLS/SSL encryption
End
The proposed protocol for XACML-based cloud authentication is described below, where we depict an activity diagram for better understanding of the protocol for XACML based cloud authentication. In this case, we consider cloud service provider as a reliable (trusted) third party.
It is to be noted that Policy.xml is a very sensitive and important file maintaining the access and authorization policy for different applications and cloud users, and it should be stored in encrypted form or by a hardware-secured method. Another important requirement is to ensure higher usability, such that client users with multiple application subscriptions and cloud accounts can easily access data while security is safeguarded. One of the striking usability features is to provide Single-Sign-On (SSO) based authentication so that the user maintains only a single authentication credential for accessing different applications, even across different cloud service providers. The following architecture can be conceptualized as depicted in fig. 3, where a cloud user authenticates through a cloud SSO hosted by a particular cloud service provider to access other cloud apps, other (owned) cloud service provider accounts, and even authorized data of other cloud users.
Security-as-a-Service consists of different components, just as PaaS consists of service and compute components and IaaS consists of storage and network components. The main components of Security-as-a-Service are shown in Table 1. Based on the requirements, these components can be incorporated on an on-demand basis. For example, for storage security or integrity of data at rest, data integrity components can be used; cloud users can negotiate with the cloud service provider for homomorphic encryption such that the user's data is processed in the encrypted domain. In a similar way, this security primitive can be integrated proactively or adaptively into different rendered services for seamless protection against possible attacks. For example, when SaaS is handling requests for financial transactions, more security primitives (like HTTPS, XACML, digital signature) are used, while for handling requests for chat applications, HTTPS and digital signature are not needed.
Table 1. Security-as-a-Service for other cloud services and stakeholders
Services/ Stakeholders
Security primitives of Security-as-a-service Homomorphic encryption, TPM TPM, SSO OpenID, OAuth, XACML, HTTPS Homomorphic encryption, OpenID, OAuth, XACML TPM
When the cloud client, the owner, registers to the cloud C for allowing C to host D, the client patient gets registered and authenticates to C using OpenID. When patient avails the service of the e-health application, it posts its medical record D to C, undersigning with the constraints S. There can be a negotiation process between patient and C such that C accepts a subset of S. For the sake of simplicity, we do not consider the negotiation phase. In fig. 5, we show the initial data hosting and constraint sharing between patient and C.
After patient registers in C and shares D and S, it is the responsibility of C to ensure the security requirements S as per when acknowledgement is made. It is to be mentioned that the service and business model also participates, as the amount of D and S directly impacts the pricing of rendering the service. Let us consider that medical_researcher intends to obtain some information from D through a query function Q, which can be searching for a piece of data, an aggregated result, etc. So, medical_researcher queries C on D for Q. In order to retain secrecy, C negotiates with medical_researcher for homomorphic key exchange of the public and private key (K_pu, K_pr) and for installing a homomorphic encryption agent (if not already present) on medical_researcher. C performs homomorphic encryption on D with K_pu and medical_researcher decrypts with K_pr. The decrypted content is Q on D. For example, D may consist of medical investigation data of patient and Q requires information on the investigation data that is higher than the reference range. We depict the protocol in fig. 6. Our proposal is to address this issue through functional encryption. However, other cryptographic primitives can be used.
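The query exchange described above, as an added example that is not part of the original paper: D is encrypted under K_pu, an aggregate Q (a sum) is evaluated over ciphertexts only, and medical_researcher decrypts just Q on D with K_pr. It substitutes the additively homomorphic Paillier scheme for the unspecified homomorphic scheme; the function names, the demo primes and the sample record values are assumptions constructed for illustration.

```python
import math
import secrets

# Constructed demo primes (the 10,000th and 100,000th primes): far too small for real use.
DEMO_P, DEMO_Q = 104729, 1299709

def keygen(p=DEMO_P, q=DEMO_Q):
    """Return (K_pu, K_pr) for Paillier with generator g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # with g = n + 1, L(g^lam mod n^2) = lam mod n
    return n, (n, lam, mu)

def encrypt(k_pu, m):
    """Probabilistic encryption of an integer 0 <= m < n under K_pu."""
    n, n2 = k_pu, k_pu * k_pu
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:  # r must be a unit modulo n
        r = secrets.randbelow(n - 1) + 1
    return (1 + m * n) * pow(r, n, n2) % n2

def decrypt(k_pr, c):
    """Recover m as L(c^lam mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    n, lam, mu = k_pr
    return (pow(c, lam, n * n) - 1) // n * mu % n

def cloud_sum_query(k_pu, records):
    """C's side of Q = sum(D): multiplying ciphertexts adds the plaintexts."""
    n2 = k_pu * k_pu
    acc = encrypt(k_pu, 0)
    for value in records:
        acc = acc * encrypt(k_pu, value) % n2
    return acc

# Constructed sample D: five investigation readings for one patient.
D = [92, 141, 187, 110, 205]

def run_exchange(records=D):
    """medical_researcher generates the keys, C answers, the researcher decrypts."""
    k_pu, k_pr = keygen()
    reply = cloud_sum_query(k_pu, records)  # a single ciphertext leaves C
    return decrypt(k_pr, reply)

if __name__ == "__main__":
    print(run_exchange())
```

The paper's own example query, a comparison against a reference range, cannot be expressed with additions alone and would need a scheme that also supports multiplication on ciphertexts.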
In order to satisfy other constraints, primitives from Security-as-a-Service need to be incorporated. For example, satisfying 6 requires an HTTPS channel set up among patient, D and medical_researcher for data sharing. For 5, OpenID and OAuth primitives need to be set up.
REFERENCES
1. Conner, W., Iyengar, A., Mikalsen, T., Rouvellou, I., and Nahrstedt, K. A Trust Management Framework for Service-Oriented Environments. In Proceedings of the WWW Conference, 891-900, 2009
2. Ukil, A. Security and Privacy in Wireless Sensor Networks. In Smart Wireless Sensor Networks, 395-418, 2010
3. Yan, L., Rong, C., and Zhao, G. Strengthen Cloud Computing Security with Federal Identity Management Using Hierarchical Identity-Based Cryptography. In Proceedings of CloudCom, 167-177, 2009
4. Yau, S. S., and Ho, G. Protection of users' data confidentiality in cloud computing. In Proceedings of the 2nd Asia-Pacific Symposium on Internetware, 2010
5. Rivest, R. L., Adleman, L., and Dertouzos, M. L. On data banks and privacy homomorphisms. In Foundations of Secure Computation, 1978
6. Gentry, C. Fully Homomorphic Encryption Using Ideal Lattices. In Proceedings of 41st ACM Symposium on Theory of Computing, 169-178, 2009
7. Leiba, B. OAuth Web Authorization Protocol. IEEE Internet Computing, 16, 1, 74-77, 2012
8. Ukil, A. Secure Trust Management in Distributed Computing Systems. IEEE DELTA, New Zealand, 116-121, 2011
9. Ukil, A., Sen, J., and Koilakonda, S. Embedded Security for Internet of Things. In Proceedings of 2nd IEEE National Conference on Emerging Trends and Applications in Computer Science, 1-6, 2011
10. Van Dijk, M., Juels, A. On the impossibility of cryptography alone for privacy-preserving cloud computing. In Proceedings of USENIX Hotsec, 2010
11. http://www.trustedcomputinggroup.org (accessed on 27 Aug, 2012)
12. Ukil, A., Sen, J. Secure multiparty privacy preserving data aggregation by modular arithmetic. In Proceedings of IEEE International Conference on Parallel Distributed and Grid Computing, 344-349, 2010
13. Mather, T., Kumaraswamy, S., and Latif, S. Cloud Security and Privacy: An Enterprise perspective of Risks and Compliance. O'Reilly Media, Inc., 2009
14. Ukil, A. Trust and Reputation Based Collaborating Computing in Wireless Sensor Networks. In Proceedings of IEEE International Conference on Computational Intelligence, Modelling and Simulation, 464-469, 2010