Found 20 similar documents (search took 15 ms)
1.
Jianxin Li, Bo Li, K.P. Lam 《Future Generation Computer Systems》2012,28(2):379-390
As the sizes of IT infrastructure continue to grow, cloud computing is a natural extension of virtualisation technologies that enable scalable management of virtual machines over a plethora of physically connected systems. The so-called virtualisation-based cloud computing paradigm offers a practical approach to green IT/clouds, which emphasise the construction and deployment of scalable, energy-efficient network software applications (NetApp) by virtue of improved utilisation of the underlying resources. The latter is typically achieved through increased sharing of hardware and data in a multi-tenant cloud architecture/environment and, as such, accentuates the critical requirement for enhanced security services as an integrated component of the virtual infrastructure management strategy. This paper analyses the key security challenges faced by contemporary green cloud computing environments, and proposes a virtualisation security assurance architecture, CyberGuarder, which is designed to address several key security problems within the ‘green’ cloud computing context. In particular, CyberGuarder provides three different kinds of services; namely, a virtual machine security service, a virtual network security service and a policy based trust management service. Specifically, the proposed virtual machine security service incorporates a number of new techniques which include (1) a VMM-based integrity measurement approach for NetApp trusted loading, (2) a multi-granularity NetApp isolation mechanism to enable OS user isolation, and (3) a dynamic approach to virtual machine and network isolation for multiple NetApp’s based on energy-efficiency and security requirements. 
Secondly, a virtual network security service has been developed successfully to provide an adaptive virtual security appliance deployment in a NetApp execution environment, whereby traditional security services such as IDS and firewalls can be encapsulated as VM images and deployed over a virtual security network in accordance with the practical configuration of the virtualised infrastructure. Thirdly, a security service providing policy based trust management is proposed to facilitate access control to the resources pool and a trust federation mechanism to support/optimise task privacy and cost requirements across multiple resource pools. Preliminary studies of these services have been carried out on our iVIC platform, with promising results. As part of our ongoing research in large-scale, energy-efficient/green cloud computing, we are currently developing a virtual laboratory for our campus courses using the virtualisation infrastructure of iVIC, which incorporates the important results and experience of CyberGuarder in a practical context.
2.
3.
Context: Cloud computing is a thriving paradigm that supports an efficient way to provide IT services by introducing on-demand services and flexible computing resources. However, significant adoption of cloud services is being hindered by security issues that are inherent to this new paradigm. In previous work, we have proposed ISGcloud, a security governance framework to tackle cloud security matters in a comprehensive manner whilst being aligned with an enterprise’s strategy. Objective: Although a significant body of literature has started to build up related to security aspects of cloud computing, the literature fails to report on evidence and real applications of security governance frameworks designed for cloud computing environments. This paper introduces a detailed application of ISGCloud into a real life case study of a Spanish public organisation, which utilises a cloud storage service in a critical security deployment. Method: The empirical evaluation has followed a formal process, which includes the definition of research questions prior to the framework’s application. We describe the ISGcloud process and attempt to answer these questions gathering results through direct observation and from interviews with related personnel. Results: The novelty of the paper is twofold: on the one hand, it presents one of the first applications, in the literature, of a cloud security governance framework to a real-life case study along with an empirical evaluation of the framework that proves its validity; on the other hand, it demonstrates the usefulness of the framework and its impact to the organisation. Conclusion: As discussed in the paper, the application of ISGCloud has resulted in the organisation in question achieving its security governance objectives, minimising the security risks of its storage service and increasing security awareness among its users.
4.
In recent years, cloud computing has been one of the most widely discussed topics in the field of Information Technology. Owing to the popularity of services offered by cloud environments, several critical aspects of security have aroused interest in the academic and industrial world, where there is a concern to provide efficient mechanisms to combat a wide range of threats. As is well known, the application of security techniques and methodologies has a direct influence on the performance of the system, since security and performance are two quantities that are inversely proportional. This means that if the service providers fail to manage their computing infrastructure efficiently, the demand for services may not be met with the quality required by clients, including security and performance requirements, and the computational resources may be used inefficiently. The aim of this paper was to define QoS-driven approaches for cloud environments on the basis of the results of a performance evaluation of a service in which different security mechanisms are employed. These mechanisms impose additional overhead on the performance of the service, and to counter this, an attempt was made to change computational resources dynamically and on-the-fly. On the basis of the results, it could be shown that in a cloud environment, it is possible to maintain the performance of the service even with the overhead imposed by the security mechanisms, through an alteration in the virtualized computational resources. However, this change in the amount of resources had a direct effect on the response variables.
5.
This study proposes a new model of firewall called the ‘Tree-Rule Firewall’, which offers various benefits and is applicable for large networks such as ‘cloud’ networks. The recently available firewalls (i.e., Listed-Rule firewalls) have their limitations in performing the tasks and are inapplicable for working on some networks with huge firewall rule sizes. The Listed-Rule firewall is mathematically tested in this paper to prove that the firewall potentially causes conflict rules and redundant rules and hence leads to problematic network security systems and slow functional speed. To overcome these problems, we show the design and development of Tree-Rule firewall that does not create conflict rules and redundant rules. In a Tree-Rule firewall, the rule positioning is based on a tree structure instead of traditional rule listing. To manage firewall rules, we implement a Tree-Rule firewall on the Linux platform and test it on a regular network and under a cloud environment respectively to show its performance. It is demonstrated that the Tree-Rule firewall offers better network security and functional speed than the Listed-Rule firewall. Compared to the Listed-Rule firewall, rules of the Tree-Rule firewall are easier to be created, especially on a large network such as a cloud network.
6.
Quality-of-service and SLA guarantees are among the major challenges of cloud-based services. In this paper we first present a new cloud model called SLAaaS — SLA aware Service. SLAaaS considers QoS levels and SLA as first class citizens of cloud-based services. This model is orthogonal to other SaaS, PaaS, and IaaS cloud models, and may apply to any of them. More specifically we make three contributions: (i) we provide a novel domain specific language that allows to describe QoS-oriented SLA associated with cloud services; (ii) we present a general control-theoretic approach for managing cloud service SLA; (iii) we apply the proposed language and control approach to guarantee SLA in various case studies, ranging from cloud-based MapReduce service, to locking service, and higher-level e-commerce service; these case studies successfully illustrate SLA management with different QoS aspects of cloud services such as performance, dependability, financial energetic costs.
7.
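Li Jun (李俊) 《网络安全技术与应用》 (Network Security Technology & Application) 2014,(11):135-136
With the continued progress of science and technology in China, computers have become widespread, and cloud computing is widely used in enterprise production because of its computing and data storage capabilities. In a computer network environment, cloud computing can combine network resources to maximise efficiency and quality, but the network security problems that arise under cloud computing cannot be ignored. This paper explains the significance of network security technology under cloud computing, analyses the problems in network security under cloud computing, and summarises the paths for implementing network security technology under cloud computing.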
8.
Jesús Montes, Alberto Sánchez, Bunjamin Memishi, María S. Pérez, Gabriel Antoniu 《Future Generation Computer Systems》2013,29(8):2026-2040
The inherent complexity of modern cloud infrastructures has created the need for innovative monitoring approaches, as state-of-the-art solutions used for other large-scale environments do not address specific cloud features. Although cloud monitoring is nowadays an active research field, a comprehensive study covering all its aspects has not been presented yet. This paper provides a deep insight into cloud monitoring. It proposes a unified cloud monitoring taxonomy, based on which it defines a layered cloud monitoring architecture. To illustrate it, we have implemented GMonE, a general-purpose cloud monitoring tool which covers all aspects of cloud monitoring by specifically addressing the needs of modern cloud infrastructures. Furthermore, we have evaluated the performance, scalability and overhead of GMonE with Yahoo Cloud Serving Benchmark (YCSB), by using the OpenNebula cloud middleware on the Grid’5000 experimental testbed. The results of this evaluation demonstrate the benefits of our approach, surpassing the monitoring performance and capabilities of cloud monitoring alternatives such as those present in state-of-the-art systems such as Amazon EC2 and OpenNebula.
9.
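Huang Hao (黄昊) 《网络安全技术与应用》 (Network Security Technology & Application) 2014,(3):111-112
The smart grid meets current needs and is of great significance. The paper first briefly introduces cloud computing and the smart grid and describes the application of cloud computing in the smart grid, then mainly analyses the security technology of cloud computing.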
10.
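Bian Xiaoguang (卞晓光) 《网络安全技术与应用》 (Network Security Technology & Application) 2013,(12):49-49,52
With the rapid development of cloud computing, more and more users are hosting their applications and data in the cloud. However, because of new characteristics of cloud computing such as virtualisation, multi-user operation and scalability, traditional security technologies cannot guarantee the security of cloud computing, and security problems have become one of the main obstacles to its development. The security of cloud computing has therefore become the focus of current cloud computing research.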
11.
Addressing cloud computing security issues (total citations: 3, self-citations: 0, citations by others: 3)
Dimitrios Zissis, Dimitrios Lekkas 《Future Generation Computer Systems》2012,28(3):583-592
The recent emergence of cloud computing has drastically altered everyone’s perception of infrastructure architectures, software delivery and development models. Projecting as an evolutionary step, following the transition from mainframe computers to client/server deployment models, cloud computing encompasses elements from grid computing, utility computing and autonomic computing, into an innovative deployment architecture. This rapid transition towards the clouds, has fuelled concerns on a critical issue for the success of information systems, communication and information security. From a security perspective, a number of uncharted risks and challenges have been introduced from this relocation to the clouds, deteriorating much of the effectiveness of traditional protection mechanisms. As a result the aim of this paper is twofold; firstly to evaluate cloud security by identifying unique security requirements and secondly to attempt to present a viable solution that eliminates these potential threats. This paper proposes introducing a Trusted Third Party, tasked with assuring specific security characteristics within a cloud environment. The proposed solution calls upon cryptography, specifically Public Key Infrastructure operating in concert with SSO and LDAP, to ensure the authentication, integrity and confidentiality of involved data and communications. The solution presents a horizontal level of service, available to all implicated entities, that realizes a security mesh, within which essential trust is maintained.
12.
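Ma Juan (马娟) 《网络安全技术与应用》 (Network Security Technology & Application) 2014,(11):99-100
As a milestone in the effective combination of computer technology and the Internet, cloud computing is leading further technological change in the IT industry and the information field. With cloud computing developing rapidly, its network security problems have become very important. Based on an analysis of the concept of cloud computing and its existing problems, and in light of the actual situation, this paper summarises corresponding network security protection countermeasures.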
13.
14.
While cloud computing has exploded in popularity in recent years thanks to the potential efficiency and cost savings of outsourcing the storage and management of data and applications, a number of vulnerabilities that led to multiple attacks have deterred many potential users. As a result, experts in the field argued that new mechanisms are needed in order to create trusted and secure cloud services. Such mechanisms would eradicate the suspicion of users towards cloud computing by providing the necessary security guarantees. Searchable Encryption is among the most promising solutions—one that has the potential to help offer truly secure and privacy-preserving cloud services. We start this paper by surveying the most important searchable encryption schemes and their relevance to cloud computing. In light of this analysis we demonstrate the inefficiencies of the existing schemes and expand our analysis by discussing certain confidentiality and privacy issues. Further, we examine how to integrate such a scheme with a popular cloud platform. Finally, we have chosen – based on the findings of our analysis – an existing scheme and implemented it to review its practical maturity for deployment in real systems. The survey of the field, together with the analysis and with the extensive experimental results provides a comprehensive review of the theoretical and practical aspects of searchable encryption.
15.
16.
Elasticity is a key property of cloud computing but there is a lack of standard elasticity metrics or analysis procedures to easily quantify this performance figure of cloud services. This absence of a unique general elasticity metric makes difficult to consider elasticity as a service level objective in Service Level Agreements, to benchmark cloud services or to explicitly improve the elasticity of scaling and provisioning mechanisms, to mention only some examples. This paper defines a new elasticity metric capable of considering its four main components, scalability, accuracy, time and cost, independently of the service level (infrastructure, platform or software). Furthermore, an analysis procedure to evaluate the behaviour of service elasticity and a benchmarking tool to automate this analysis are presented. The main elasticity enablers of cloud services are identified and analysed using this metric, procedure and tool via real use cases on private and public clouds, drawing interesting conclusions about this important performance aspect of cloud services.
17.
Online Reputation Systems help mitigate the information asymmetry between clients and providers in Cloud Computing Markets. However, those systems raise two main drawbacks: the disagreement for assuming the cost of ownership of such services and their vulnerability to reputation attacks from dishonest parties that want to increase their reputation. This article faces both problems by describing a decentralised (peer-to-peer) trust model that does not require the intervention of a central entity to manage it. This model includes mechanisms to allow participants to avoid dishonest behaviour from other peers: each client statistically analyses the external reports about providers and updates the trustworthiness of the peers. The trustworthiness values will be used to negotiate prices in later transactions. The trust model is then incorporated in the Service-Level Agreement negotiation and enforcement processes, prioritising trusted clients over non-trusted clients to minimise the consequences of low Quality of Service in relation to the trust of the provider, and incentivise accurate trust reports from the clients. Finally, this article evaluates and discusses the validity of the trust model under different attacks from dishonest clients and providers.
18.
From cloud computing to cloud manufacturing (total citations: 17, self-citations: 0, citations by others: 17)
Xun Xu 《Robotics and Computer》2012,28(1):75-86
Cloud computing is changing the way industries and enterprises do their businesses in that dynamically scalable and virtualized resources are provided as a service over the Internet. This model creates a brand new opportunity for enterprises. In this paper, some of the essential features of cloud computing are briefly discussed with regard to the end-users, enterprises that use the cloud as a platform, and cloud providers themselves. Cloud computing is emerging as one of the major enablers for the manufacturing industry; it can transform the traditional manufacturing business model, help it to align product innovation with business strategy, and create intelligent factory networks that encourage effective collaboration. Two types of cloud computing adoptions in the manufacturing sector have been suggested, manufacturing with direct adoption of cloud computing technologies and cloud manufacturing—the manufacturing version of cloud computing. Cloud computing has been in some of key areas of manufacturing such as IT, pay-as-you-go business models, production scaling up and down per demand, and flexibility in deploying and customizing solutions. In cloud manufacturing, distributed resources are encapsulated into cloud services and managed in a centralized way. Clients can use cloud services according to their requirements. Cloud users can request services ranging from product design, manufacturing, testing, management, and all other stages of a product life cycle.
19.
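Li Zhenshan (李振汕) 《网络安全技术与应用》 (Network Security Technology & Application) 2012,(4):30-32
As a new commercial computing model, the application and promotion of cloud computing will bring users great economic benefits, but it also brings more security risks, and the existing risk analysis methods and security protection models are no longer applicable. Drawing on traditional risk analysis methods, this article makes a qualitative study of the main elements and process of risk analysis in the cloud environment, in the hope of stimulating further discussion.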
20.
In recent years, the cloud has emerged as an attractive means for hosting and delivering services over the Internet. This has resulted in a renewed focus on information security in the case where data is stored in the virtual space of the cloud and is not physically accessible to the customer. This paper addresses the increasing security concerns of migrating to the cloud and utilising it for data storage, focusing on securing data in an untrusted cloud environment and ensuring detailed data access control in the cloud. Two conceptual designs have been devised by exploring and extending the boundaries of existing secure data-storage schemes, and then combining these with well-known security principles and cutting-edge research within the field of cryptography. To further validate the conceptual designs, proof of concept prototypes have been constructed.