Professional Documents
Culture Documents
net/publication/224202015
CITATIONS READS
1,120 36,472
3 authors, including:
Some of the authors of this publication are also working on these related projects:
Inter-Domain Authentication for Seamless Roaming In Heterogeneous Wireless Networks View project
All content following this page was uploaded by James B. D. Joshi on 26 May 2014.
C
Hassan loud computing has generated significant Cloud
Takabi and interest in both academia and industry, but Computing:
James B.D. it’s still an evolving paradigm. Essentially, Definition and Features
Joshi it aims to consolidate the economic utility Although several researchers have tried to define cloud
University of model with the evolutionary development of many computing, no single, agreed-upon definition exists
Pittsburgh existing approaches and computing technologies, yet. The US National Institute of Standards and Tech-
including distributed services, applications, and in- nology (NIST, http://csrc.nist.gov) defines it as follows:
Gail-Joon formation infrastructures consisting of pools of com-
Ahn puters, networks, and storage resources. Confusion Cloud computing is a model for enabling conve-
Arizona State exists in IT communities about how a cloud differs nient, on-demand network access to a shared pool
University from existing models and how these differences af- of configurable computing resources (e.g., networks,
fect its adoption. Some see a cloud as a novel technical servers, storage, applications, and services) that can
revolution, while others consider it a natural evolution be rapidly provisioned and released with minimal
of technology, economy, and culture.1 management effort or service provider interaction.
Nevertheless, cloud computing is an important This cloud model promotes availability and is com-
paradigm, with the potential to significantly reduce posed of five essential characteristics, three delivery
costs through optimization and increased operat- models, and four deployment models.
ing and economic efficiencies.1,2 Furthermore, cloud
computing could significantly enhance collaboration, To understand the importance of cloud computing
agility, and scale, thus enabling a truly global comput- and its adoption, we must understand its principal
ing model over the Internet infrastructure. However, characteristics, its delivery and deployment models,
without appropriate security and privacy solutions how customers use these services, and how to safe-
designed for clouds, this potentially revolutionizing guard them. The five key characteristics of cloud
computing paradigm could become a huge failure. computing include on-demand self-service, ubiqui-
Several surveys of potential cloud adopters indicate tous network access, location-independent resource
that security and privacy is the primary concern hin- pooling, rapid elasticity, and measured service, all of
dering its adoption.3 which are geared toward using clouds seamlessly and
This article illustrates the unique issues of cloud transparently. Rapid elasticity lets us quickly scale up
computing that exacerbate security and privacy chal- (or down) resources. Measured services are primarily de-
lenges in clouds.4 We also discuss various approaches rived from business model properties and indicate that
to address these challenges and explore the future cloud service providers control and optimize the use
work needed to provide a trustworthy cloud comput- of computing resources through automated resource
ing environment. allocation, load balancing, and metering tools.1,2
24 COPUBLISHED BY THE IEEE COMPUTER AND RELIABILITY SOCIETIES ■ 1540-7993/10/$26.00 © 2010 IEEE ■ NOVEMBER/DECEMBER 2010
Cloud Computing
Applications running on or being developed for that hasn’t been agreed upon. It seems unlikely that
cloud computing platforms pose various security and any technical means could completely prevent cloud
privacy challenges depending on the underlying de- providers from abusing customer data in all cases, so
livery and deployment models. we need a combination of technical and nontechnical
The three key cloud delivery models are software means to achieve this. Clients need to have significant
as a service (SaaS), platform as a service (PaaS), and trust in their provider’s technical competence and eco-
infrastructure as a service (IaaS). In IaaS, the cloud nomic stability.
provider supplies a set of virtualized infrastructural
components such as virtual machines (VMs) and stor- Extensibility and Shared Responsibility
age on which customers can build and run applica- Cloud providers and customers must share the re-
tions. The application will eventually reside on the sponsibility for security and privacy in cloud com-
VM and the virtual operating system. Issues such as puting environments, but sharing levels will differ
trusting the VM image, hardening hosts, and securing for different delivery models, which in turn affect
inter-host communication are critical areas in IaaS. cloud extensibility:
PaaS enables programming environments to ac-
cess and utilize additional application building blocks. • In SaaS, providers typically enable services with a
Such programming environments have a visible im- large number of integrated features, resulting in less
pact on the application architecture, such as con- extensibility for customers. Providers are more re-
straints on which services the application can request sponsible for the security and privacy of application
from an OS. For example, a PaaS environment might services, more so in public than private clouds where
limit access to well-defined parts of the file system, the client organization might have stringent security
thus requiring a fine-grained authorization service. requirements and provide the needed enforcement
Finally, in SaaS, the cloud providers enable and services. Private clouds could also demand more ex-
provide application software as on-demand services. tensibility to accommodate customized requirements.
Because clients acquire and use software components • In PaaS, the goal is to enable developers to build
from different providers, crucial issues include secure- their own applications on top of the platforms pro-
ly composing them and ensuring that information vided. Thus, customers are primarily responsible
handled by these composed services is well protected. for protecting the applications they build and run
Cloud deployment models include public, pri- on the platforms. Providers are then responsible for
vate, community, and hybrid clouds. Public clouds isolating the customers’ applications and workspaces
are external or publicly available cloud environments from one another.
that are accessible to multiple tenants, whereas pri- • IaaS is the most extensible delivery model and pro-
vate clouds are typically tailored environments with vides few, if any, application-like features. It’s ex-
dedicated virtualized resources for particular organi- pected that the consumers secure the operating
zations. Similarly, community clouds are tailored for systems, applications, and content. The cloud pro-
particular groups of customers. vider still must provide some basic, low-level data
protection capabilities.
Unique Security and Privacy
Implications in Cloud Computing Multi-tenancy is another feature unique to clouds,
Understanding the security and privacy risks in cloud especially in public clouds. Essentially, it allows cloud
computing and developing efficient and effective so- providers to manage resource utilization more ef-
lutions are critical for its success. Although clouds ficiently by partitioning a virtualized, shared infra-
allow customers to avoid start-up costs, reduce oper- structure among various customers. From a customer’s
ating costs, and increase their agility by immediately perspective, the notion of using a shared infrastruc-
acquiring services and infrastructural resources when ture could be a huge concern. However, the level of
needed, their unique architectural features also raise resource sharing and available protection mechanisms
various security and privacy concerns. can make a big difference. For example, to isolate
multiple tenants’ data, Salesforce.com employs a query
Outsourcing Data and Applications rewriter at the database level, whereas Amazon uses
Cloud computing provides access to data, but the chal- hypervisors at the hardware level. Providers must ac-
lenge is to ensure that only authorized entities can gain count for issues such as access policies, application de-
access to it. When we use cloud environments, we rely ployment, and data access and protection to provide a
on third parties to make decisions about our data and secure, multi-tenant environment.
platforms in ways never seen before in computing. It’s
critical to have appropriate mechanisms to prevent Service-Level Agreements
cloud providers from using customers’ data in a way The on-demand service or utility-based economic
www.computer.org/security 25
Cloud Computing
secure-service composition to build a comprehensive Hence, utilizing a privacy-aware framework for ac-
policy-based management framework in cloud com- cess control and accounting services is crucial, and it
puting environments. should be easily amenable to compliance checking.
www.computer.org/security 27
Cloud Computing
provisioning and composition framework that consid- standards to ensure the deployment and adoption of
ers security and privacy issues is crucial. secure clouds. These issues necessitate a well-structured
cyberinsurance industry, but the global nature of cloud
Privacy and Data Protection computing makes this prospect extremely complex.
Privacy is a core issue in all the challenges we’ve dis-
cussed so far, including the need to protect identity Security and Privacy Approaches
information, policy components during integration, Here, we discuss various approaches to cope with the
and transaction histories. Many organizations aren’t previously mentioned challenges, existing solutions, and
comfortable storing their data and applications on sys- the work needed to provide a trustworthy cloud com-
tems that reside outside of their on-premise datacen- puting environment. The approaches address security
ters.5 This might be the single greatest fear of cloud and privacy requirements of cloud service providers,
clients. By migrating workloads to a shared infrastruc- service integrators, and cloud environments in general.
ture, customers’ private information faces increased risk
of potential unauthorized access and exposure. Cloud Authentication and Identity Management
service providers must assure their customers and pro- User-centric IDM has recently received attention for
vide a high degree of transparency into their operations handling private and critical identity attributes.7 In
and privacy assurance. Privacy-protection mechanisms this approach, identifiers or attributes help identify
must be embedded in all security solutions. and define a user. Such an approach lets users control
In a related issue, it’s becoming important to know their digital identities and takes away the complexity
who created a piece of data, who modified it and how, of IDM from the enterprises, thereby allowing them
and so on. Provenance information could be used to focus on their own functions. Because users can ac-
for various purposes such as traceback, auditing, and cess the cloud from various places such as home, office,
history-based access control. Balancing between data school, or other public places, they must be able to ex-
provenance and privacy is a significant challenge in port their digital identities and securely transfer them
clouds where physical perimeters are abandoned. to various computers. User-centric IDM also implies
that the system properly maintains the semantics of
Organizational Security Management the context of users’ identity information, sometimes
Existing security management and information secu- constraining or relaxing them to best respond to a user
rity life-cycle models significantly change when en- request in a given situation.
terprises adopt cloud computing. In particular, shared Researchers are currently pursuing other feder-
governance can become a significant issue if not prop- ated IDM solutions that might benefit cloud environ-
erly addressed. Despite the potential benefits of using ments.6,7 IDM services in the cloud should be able
clouds, it might mean less coordination among differ- to be integrated with an enterprise’s existing IDM
ent communities of interest within client organiza- framework.1,2 In some cases, it’s important to have
tions. Dependence on external entities can also raise privacy-preserving protocols to verify various iden-
fears about timely responses to security incidents and tity attributes by using, for example, zero-knowledge
implementing systematic business continuity and di- proof-based techniques.6 These techniques, which use
saster recovery plans. Similarly, risk and cost-benefit pseudonyms and accommodate multiple identities to
issues will need to involve external parties. Customers protect users’ privacy, can further help build a desired
consequently need to consider newer risks introduced user-centric federated IDM for clouds. IDM solu-
by a perimeter-less environment, such as data leakage tions can also be extended with delegation capabilities
within multi-tenant clouds and resiliency issues such as to address identification and authentication issues in
their provider’s economic instability and local disasters. composed services.
Similarly, the possibility of an insider threat is sig-
nificantly extended when outsourcing data and pro- Access Control Needs
cesses to clouds. Within multi-tenant environments, Among the many methods proposed so far, role-based
one tenant could be a highly targeted attack victim, access control (RBAC) has been widely accepted as the
which could significantly affect the other tenants. Ex- most promising model because of its simplicity, flex-
isting life-cycle models, risk analysis and management ibility in capturing dynamic requirements, and sup-
processes, penetration testing, and service attestation port for the principle of least privilege and efficient
must be reevaluated to ensure that clients can enjoy privilege management.8 Furthermore, RBAC is policy
the potential benefits of clouds. neutral, can capture various policy requirements, and
The information security area has faced significant is best suited for policy-integration needs. Due to the
problems in establishing appropriate security metrics for highly dynamic nature of clouds, obligations and con-
consistent and realistic measurements that help risk as- ditions are crucial decision factors for richer and finer
sessment. We must reevaluate best practices and develop controls on usage of resources provided by the cloud.
Recent RBAC extensions—such as credential- introduces new measures for optimality and presents
based RBAC, generalized temporal RBAC a heuristic solution to find an RBAC state with the
(GTRBAC),8 and location-based RBAC models— smallest structural complexity and that’s as similar as
provide necessary modeling constructs and capa- possible to both the existing and optimal state.
bilities to capture context-based fine-grained access
requirements. In clouds, service providers usually do Secure-Service Provisioning
not know their users in advance, so it is difficult to and Composition
assign users directly to roles in access control poli- To optimize resource utilization, cloud service pro-
cies. Therefore, using credential- or attribute-based viders often use virtualization technologies that sepa-
policies might enhance this capability. However, lit- rate application services from infrastructure. In the
tle work exists in employing RBAC and extensions cloud, service providers and service integrators need
within intensely service-oriented environments such to collaborate to provide newly composed services
as clouds. to customers. This sort of activity requires automatic
service provisioning and composition frameworks that
Secure Interoperation allow cloud service providers and service integrators
Several recent works have focused on multidomain to describe services with unified standards to intro-
access control policies and policy integration issues, duce their functionalities, discover existing interoper-
which can be adopted to build a comprehensive poli- able services, and securely integrate them to provide
cy management framework in clouds.2,6 Researchers services. Such frameworks must include a declarative
have addressed secure interoperation and policy en- language to describe services, features, and mecha-
gineering mechanisms to integrate access policies of nisms to provision and compose appropriate services.
different domains and define global access policies.9,10 The Open Services Gateway Initiative (OSGi) ser-
A centralized approach creates a global policy that vice platform provides an open, common architecture
mediates all accesses and is appropriate for a cloud ap- for service providers, developers, software vendors,
plication that consists of various services with differ- gateway operators, and equipment vendors to coop-
ent requirements and is more or less fixed. In a more eratively develop, deploy, and manage services.13 Re-
dynamic environment, the domains are transient and searchers have developed ways to configure and map
might need to interact for a specific purpose, making the OSGi authorization mechanism to RBAC.13 De-
centralized approaches inappropriate and demanding clarative OWL-based language can be used to pro-
decentralized approaches. We also need specification vide a service definition manifest, including a list of
frameworks to ensure that the cross-domain accesses distinct component types that make up the service,
are properly specified, verified, and enforced. Security functional requirements, component grouping and
Assertion Markup Language (SAML), Extensible Ac- topology instructions, and so on. OSGi can also be
cess Control Markup Language (XACML), and Web adopted to develop an agent-based collaboration sys-
services standards are viable solutions toward this.10 tem for automatic service provisioning.
Policy engineering mechanisms can help define The challenges of such collaboration systems in-
global policies to accommodate all collaborators’ re- clude dynamic access control to resources shared by
quirements. Emerging role-mining techniques can agents and controlling collaborative actions that are
support this. Role mining uses the existing system geared toward a collaboration goal.
configuration data to define roles. It first considers the
existing users’ permissions and aggregates them into Trust Management Framework
roles.8 In a cloud, users acquire different roles from To facilitate policy integration between various do-
different domains based on the services they need. To mains in cloud environments, a trust-based framework
define global policies, we can utilize these RBAC sys- that facilitates automated trust-based policy integration
tems’ configurations from different domains to define is essential. In doing so, we must answer several ques-
global roles and policies. Each global role can include tions: How do we establish trust and determine access
roles from different domains that have been assigned
to the same groups of users. How do we manage and maintain dynamically
Several new approaches have been proposed for role
engineering that could be adopted in clouds for policy changing trust values and adapt access
engineering purposes. Changes to the existing role
set might cause disruptions to the organization and requirements as trust evolves?
prevent it from functioning properly. Therefore, role
mining should look for a set of roles as close as pos- mapping to satisfy interdomain access requirements,
sible to both the existing and optimal sets of roles. One and how do we manage and maintain dynamically
possible solution is the StateMiner approach,12 which changing trust values and adapt access requirements
www.computer.org/security 29
Cloud Computing
as trust evolves? Existing trust negotiation mecha- ment attributes and properties description.10 Although
nisms primarily focus on credential exchange9,10 and we can capture semantics using RDF, representing re-
don’t address the more challenging need of integrat- lations between the various concepts that the elements
ing requirements-driven trust negotiation techniques represent is essential for facilitating semantic integra-
with fine-grained access control mechanisms.10,11 tion of policy information in interacting domains.
One possible approach is to develop a comprehen- Use of an ontology is the most promising approach
sive trust-based policy integration framework that to addressing the semantic heterogeneity issue.14 To
facilitates policy integration and evolution based on support ontology development, we can use both XML
interdomain- and service-access requirements. Schema and Resource Description Framework Schema
Because service composition dynamics in the cloud (RDFS) to accommodate the domain-specific con-
can be complex, trust and access control frameworks cepts.8 However, although RDF is based on XML syn-
should include delegation primitives.11 Existing work tax and OWL is based on the RDFS representation of
related to delegation, including role-based delegation, concepts, neither of these technologies is likely to com-
has focused on issues related to delegation of privileg- pletely subsume the lower technology in clouds. An
es among subjects and various levels of controls with OWL-based framework is desirable to support semantic
regard to privilege propagation and revocation. Effi- heterogeneity management across multiple providers
cient cryptographic mechanisms for trust delegation within a cloud. For such a framework, a system-driv-
involve complex trust-chain verification and revoca- en policy framework to facilitate managing security
tion issues, raising significant key management issues. policies in heterogeneous environments and a policy
These approaches must be incorporated in service enforcement architecture are essential.14,15 Several infer-
composition frameworks.9 ence engines are available for inferring policy semantics.
vacy, Security Challenges,” Bureau of Nat’l Affairs, 2009; security; usable privacy and security; and security, privacy,
www.hunton.com/f iles/tbl_s47Details/FileUpload and trust issues in cloud computing environments. Takabi has
265/2488/CloudComputing_Bruening-Treacy.pdf. an MS in information technology from Sharif University of
4. H. Takabi, J.B.D. Joshi, and G.-J. Ahn, “SecureCloud: Technology, Iran. He is student member of IEEE and the ACM.
Towards a Comprehensive Security Framework for Contact him at hatakabi@sis.pitt.edu.
Cloud Computing Environments,” Proc. 1st IEEE Int’l
Workshop Emerging Applications for Cloud Computing James B.D. Joshi is an associate professor and the director of
(CloudApp 2010), IEEE CS Press, 2010, pp. 393–398. the Laboratory for Education and Research on Security As-
5. Y. Chen, V. Paxson, and R.H. Katz, “What’s New sured Information Systems (LERSAIS) in the School of Infor-
About Cloud Computing Security?” tech. report mation Sciences at the University of Pittsburgh. His research
UCB/EECS-2010-5, EECS Dept., Univ. of Califor- interests include role-based access control, trust manage-
nia, Berkeley, 2010; www.eecs.berkeley.edu/Pubs/ ment, and secure interoperability. Joshi has a PhD in computer
TechRpts/2010/EECS-2010-5.html. engineering from Purdue University. He is a member of IEEE
6. E. Bertino, F. Paci, and R. Ferrini, “Privacy-Preserving and the ACM. Contact him at jjoshi@sis.pitt.edu.
Digital Identity Management for Cloud Computing,”
IEEE Computer Society Data Engineering Bulletin, Mar. Gail-Joon Ahn is an associate professor and the director of the
2009, pp. 1–4. Security Engineering for Future Computing (SEFCOM) Labora-
7. M. Ko, G.-J. Ahn, and M. Shehab “Privacy-Enhanced tory in the School of Computing, Informatics, and Decision
User-Centric Identity Management,” Proc. IEEE Int’l Systems Engineering at Arizona State University. His research
Conf. Communications, IEEE Press, 2009, pp. 998–1002. interests include information and systems security, vulnerabil-
8. J. Joshi et al., “Access Control Language for Multi- ity and risk management, access control, and security archi-
domain Environments,” IEEE Internet Computing, vol. tecture for distributed systems. Ahn has a PhD in information
8, no. 6, 2004, pp. 40–50. technology from George Mason University. He is a recipient of
9. M. Blaze et al., “Dynamic Trust Management,” Com- the US Department of Energy Career Award and the Educator
puter, vol. 42, no. 2, 2009, pp. 44–52. of the Year Award from the Federal Information Systems Secu-
10. Y. Zhang and J. Joshi, “Access Control and Trust Man- rity Educators Association (FISSEA). Ahn is a senior member of
agement for Emerging Multidomain Environments,” IEEE and the ACM. Contact him at gahn@asu.edu.
Annals of Emerging Research in Information Assurance, Se-
curity and Privacy Services, S. Upadhyaya and R.O. Rao, Selected CS articles and columns are also available for
eds., Emerald Group Publishing, 2009, pp. 421–452. free at http://ComputingNow.computer.org.
11. D. Shin and G.-J. Ahn, “Role-Based Privilege and
Trust Management,” Computer Systems Science & Eng. J.,
vol. 20, no. 6, 2005, pp. 401–410.
12. H. Takabi and J. Joshi, “StateMiner: An Efficient Sim-
ilarity-Based Approach for Optimal Mining of Role
Hierarchy,” Proc. 15th ACM Symp. Access Control Models
and Technologies, ACM Press, 2010, pp. 55–64.
13. G.-J. Ahn, H. Hu, and J. Jin, “Security-Enhanced
OSGi Service Environments,” IEEE Trans. Systems,
Man, and Cybernetics-Part C: Applications and Reviews,
vol. 39, no. 5, 2009, pp. 562–571.
14. L. Teo and G.-J. Ahn, “Managing Heterogeneous
Network Environments Using an Extensible Policy
Framework,” Proc. Asian ACM Symp. Information, Com-
puter and Communications Security, ACM Press, 2007, pp.
362–364.
15. H. Takabi et al., “An Architecture for Specification and
Enforcement of Temporal Access Control Constraints
using OWL,” Proc. 2009 ACM Workshop on Secure Web
Services, ACM Press, 2009, pp. 21–28.
www.computer.org/security 31
View publication stats