云计算服务安全问题研究

该文章介绍和分析了云计算的发展现状和存在的安全问题,提出了相关对策和建议,并对云计算服务安全问题进行了探究.     

A Data Security Framework for Cloud Computing Services

Cyberattacks are difficult to prevent because the targeted companies and organizations are often relying on new and fundamentally insecure cloud-based technologies, such as the Internet of Things. With increasing industry adoption and migration of traditional computing services to the cloud, one of the main challenges in cybersecurity is to provide mechanisms to secure these technologies. This work proposes a Data Security Framework for cloud computing services (CCS) that evaluates and improves CCS data security from a software engineering perspective by evaluating the levels of security within the cloud computing paradigm using engineering methods and techniques applied to CCS. This framework is developed by means of a methodology based on a heuristic theory that incorporates knowledge generated by existing works as well as the experience of their implementation. The paper presents the design details of the framework, which consists of three stages: identification of data security requirements, management of data security risks and evaluation of data security performance in CCS.     

PERSIST: Policy-Based Data Management Middleware for Multi-Tenant SaaS Leveraging Federated Cloud Storage

NoSQL data stores are often combined to address different requirements within the same application. The implication of this trend is particularly important and relevant in the context of multi-tenant SaaS applications where tenants commonly have different storage- and privacy-related requirements and thus they desire to customize the storage setup according to their specific needs. Consequently, application developers are increasingly combining storage resources: on-premise and public cloud resources in a hybrid cloud setup, different external public cloud storage resources and providers in a federated cloud storage setup, etc. The consequences of these trends are twofold: (i) application developers and SaaS providers have to deal with heterogeneous technologies, different APIs, and implement complex storage logic (to address different requirements of tenants), all within the application layer; and (ii) storage architectures have become less rigid, and techniques are required to flexibly change the storage configuration of running applications, up to the level of individual service requests. To address these challenges, we present PERSIST, a middleware architecture that (i) externalizes the complexity of a federated cloud storage architecture and the complex storage logic from the SaaS application to storage policies, allows tenants to enforce different storage- and privacy-related requirements at a fine-grained level; and (ii) supports the dynamic (re)configurability of the underlying federated cloud storage architecture. Application-specific policies can be customized by individual tenants at run time, and PERSIST offers support for run-time cross-provider polyglot persistence and the confidentiality of sensitive data through encryption. We have validated PERSIST in a working prototype implementation. Our extensive evaluation efforts show (i) the accomplished reduction in the required development effort to support complex storage policies, (ii) the reduction in cost/effort to change the data storage architecture itself, and finally (iii) the acceptability of the performance overhead (around 6% for insert, and 2% for read, update and delete transactions).     

PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud Services

Enterprises increasingly recognize the compelling economic and operational benefits from virtualizing and pooling IT resources in the cloud. Nevertheless, the significant and valuable transformation of organizations that adopt cloud computing is accompanied by a number of security threats that should be considered. In this paper, we outline significant security challenges presented when migrating to a cloud environment and propose PaaSword – a novel holistic framework that aspires to alleviate these challenges. Specifically, the proposed framework involves a context-aware security model, the necessary policies enforcement mechanism along with a physical distribution, encryption and query middleware.     

云计算数据中心的新能源应用:研究现状与趋势

随着大规模云计算数据中心在全球范围内的广泛部署,其高能耗、高费用、高污染等问题日益突出.为了节能减排,越来越多的云服务商尝试利用绿色新能源,像太阳能或风能,为其数据中心供电.然而,不同于稳定供电的传统电网,新能源往往具有不稳定性、间歇性和随时变化等特点,这使得新能源在数据中心中的高效可靠应用面临诸多新挑战.本文剖析了新能源应用的机遇与挑战,回答了为什么、何时、何地及如何在云计算数据中心利用新能源.从绿色数据中心现状与新评价标准、新能源产电模型与预测机制、绿色数据中心能源配额规划、数据中心内负载调度机制、跨区域云数据中心间负载均衡机制五个关键方面,对新能源在云计算数据中心应用的最新研究成果进行分类、对比与总结,并展望了未来研究趋势.     

云计算服务中数据安全的相关问题研究

云计算是一种数据密集型的运算方式,它在数据存储、数据计算及数据传输等方面都具有很大的优势。但是云计算在实际应用中所产生的数据安全问题令人担忧,数据的集中存储及网络上的安全传输问题目前没有得到充分的研究和解决,这也是云计算服务面临的挑战。该文对于云计算服务的数据安全现状进行详细的研究与分析,并且提出云计算服务数据安全保障的基本策略来提高云计算数据的安全性。     

云计算与云安全

云计算无疑是眼下的一个热点问题.有无数的论坛与专家在关注云计算与云安全问题.本文在分析了云计算的关键技术及其优势后.探讨了目前云计算所带来的云安全问题.     

Bayesian Coalition Game for Contention-Aware Reliable Data Forwarding in Vehicular Mobile Cloud

The exponential growth in the demands of users to access various resources during mobility has led to the popularity of Vehicular Mobile Cloud. Vehicular users may access various resources on road from the cloud which acts as a service provider for them. Most of the existing proposals on vehicular cloud use unicast sender-based data forwarding, which results in an overall performance degradation with respect to the metrics such as packet delivery ratio, end-to-end delay, and reliable data transmission. Most of the applications for vehicular cloud have tight upper bounds with respect to reliable transmission. In view of the above, in this paper, we formulate the problem of reliable data forwarding as a Bayesian Coalition Game (BCG) using Learning Automata concepts. Learning Automata (LA) are assumed as the players in the game stationed on the vehicles. For taking adaptive decisions about reliable data forwarding, each player observes the moves of the other players in the game. For this purpose, a coalition game is formulated among the players of the game for taking adaptive decisions. For each action taken by a player in the game, it gets a reward or a penalty from the environment, and accordingly, it updates its action probability vector. An adaptive Learning Automata based Contention Aware Data Forwarding (LACADF) is also proposed. The proposed scheme is evaluated in different network scenarios with respect to parameters such as message overhead, throughput, and delay by varying the density and mobility of the vehicles. The results obtained show that the proposed scheme is better than the other conventional schemes with respect to the above metrics.     

Toward Cloud Computing QoS Architecture: Analysis of Cloud Systems and Cloud Services

Cloud can be defined as a new computing paradigm that provides scalable, on-demand, and virtualized resources for users. In this style of computing, users can access a shared pool of computing resources which are provisioned with minimal management efforts of users. Yet there are some obstacles and concerns about the use of clouds. Guaranteeing quality of service (QoS) by service providers can be regarded as one of the main concerns for companies tending to use it. Service provisioning in clouds is based on service level agreements representing a contract negotiated between users and providers. According to this contract, if a provider cannot satisfy its agreed application requirements, it should pay penalties as compensation. In this paper, we intend to carry out a comprehensive survey on the models proposed in literature with respect to the implementation principles to address the QoS guarantee issue.      

PIPIO：一个新的面向区分服务确保转发的主动队列管理算法

RIO是用于支持区分服务确保转发逐跳行为的主动队列管理算法，该算法是对RED算法的简单扩充。由于RED算法的性能对配置参数敏感，因此基于RED算法的RIO算法必然具有配置参数敏感的特点。PI算法是基于控制论的主动队列管理算法，具有队列长度抖动小的特点。PIP算法是PI算法的改进，比PI具有更快的收敛速度。本文基于PIP算法设计了一个新的主动队列管理算法PIPIO。该算法队列长度抖动小，同时能保护高优先级报文。     

一种云安全攻击检测与分类方案

由于云服务提供商不愿向用户提供安全审计报告、日志、安全策略、安全漏洞和安全事故响应机制等相关安全数据,所以在云计算下用户难以发现安全攻击。为此,提出了一种基于机器学习的云安全攻击检测方案。在分析现有攻击场景的基础上,设计了实验数据的采集方案,提取了包括Dos攻击、跨虚拟机的旁路攻击、恶意的内部员工攻击、共享内存攻击和欺诈攻击共五种安全攻击场景数据,并在WEKA下使用支持向量机学习算法对攻击进行了分类实验。结果表明,除欺诈攻击外,对其他四种安全攻击的识别率均达到90%以上。     

云计算及其安全在美国的发展研究

文章分析研究了美国政府对于云计算的积极推动与发展应用,着重分析了云安全和云标准两大影响云计算发展的瓶颈,详细介绍了美国政府、军方和业界围绕云安全和云标准进行的研究、实践和探求,向读者呈现云计算在美国的发展应用概貌.     

HDCache: A Distributed Cache System for Real-Time Cloud Services

Providing a real-time cloud service requires simultaneously retrieving a large amount of data. How to improve the performance of file access becomes a great challenge. This paper first addresses the preconditions of dealing with this problem considering the requirements of applications, hardware, software, and network environments in the cloud. Then, a novel distributed layered cache system named HDCache is proposed. HDCahe is built on the top of Hadoop Distributed File System (HDFS). Applications can integrate the client library of HDCache to access the multiple cache services. The cache services are built up with three access layers an in-memory cache, a snapshot of the local disk, and a network disk provided by HDFS. The files loaded from HDFS are cached in a shared memory which can be directly accessed by the client library. In order to improve robustness and alleviate workload, the cache services are organized in a peer-to-peer style using a distributed hash table and every cached file has three replicas scattered in different cache service nodes. Experimental results show that HDCache can store files with a wide range in their sizes and has the access performance in a millisecond level under highly concurrent environments. The tested hit ratio obtained from a real-world cloud serviced is higher than 95 %.     

Security and Control in the Cloud

ABSTRACT

Cloud computing is a new IT delivery paradigm that offers computing resources as on-demand services over the Internet. Like all forms of outsourcing, cloud computing raises serious concerns about the security of the data assets that are outsourced to providers of cloud services. To address these security concerns, we show how today's generation of information security management systems (ISMSs), as specified in the ISO/IEC 27001:2005, must be extended to address the transfer of security controls into cloud environments. The resulting virtual ISMS is a standards-compliant management approach for developing a sound control environment while supporting the various modalities of cloud computing.

This article addresses chief security and/or information officers of cloud client and cloud provider organizations. Cloud clients will benefit from our exposition of how to manage risk when corporate assets are outsourced to cloud providers. Providers of cloud services will learn what processes and controls they can offer in order to provide superior security that differentiates their offerings in the market.     

Data Security Model for Cloud Computing

From the perspective of data security, which has always been an important aspect of quality of service, cloud computing focuses a new challenging security threats. Therefore, a data security model must solve the most challenges of cloud computing security. The proposed data security model provides a single default gateway as a platform. It used to secure sensitive user data across multiple public and private cloud applications, including Salesforce, Chatter, Gmail, and Amazon Web Services, without influencing functionality or performance. Default gateway platform encrypts sensitive data automatically in a real time before sending to the cloud storage without breaking cloud application. It did not effect on user functionality and visibility. If an unauthorized person gets data from cloud storage, he only sees encrypted data. If authorized person accesses successfully in his cloud, the data is decrypted in real time for your use. The default gateway platform must contain strong and fast encryption algorithm, file integrity, malware detection, firewall, tokenization and more. This paper interested about authentication, stronger and faster encryption algorithm, and file integrity.     

面向个性化云服务的动态信任模型

为更好地实践云计算为用户提供廉价按需服务的宗旨,满足服务请求者的个性化需求,提出一种面向个性化云服务的动态信任模型。基于细粒度服务思想定义个性化云服务,通过引入时间衰减因子和建立高效激励机制修正直接信任值,以灰色系统理论为基础计算实体间的评价相似度,并将评价相似度和推荐者的推荐可信度作为合成推荐信任值的重要因素,同时提出一种基于评价相似度的自信因子赋值方法,以提高合成综合信任值的准确性。实验结果表明,与GM-Trust模型及CCIDTM模型相比,该模型的交互成功率分别平均提高了4%和11%。     

“云计算”与信息安全最新研究进展

“云计算”（CloudComputing）作为崭新的互联网应用模式,被称为科学技术领域里的又一次革命,具有超大规模、虚拟化、高可靠性、通用性和成本低廉等特点,它的出现彻底改变了旧有的互联网应用模式。“云计算”在带来诸多便利的同时,也给国家的信息安全带来新的挑战。本文介绍了“云计算”的概念,并讨论了“云计算”对国家信息安全的影响。