Policy enforcement in cloud computing

Cloud Computing is an emerging technology, providing attractive way of hosting and delivering services over the Internet. Many organizations and individuals are utilizing Cloud services to share information and collaborate with partners. However, Cloud provides abstraction over the underlying physical infrastructure to the customers, that raises information security concerns, while storing data in a virtualized environment without having physical access to it. Additionally, certain standards have been issued to provide interoperability between users and various distributed systems(including Cloud infrastructures), in a standardized way. However, implementation and interoperability issues still exist and introduce new challenges. This thesis explores the feasibility of securing data in a cloud context, using existing standards and specifications, while retaining the benefits of the Cloud. The thesis provides a view on increasing security concerns of moving to the cloud and sharing data over it. First, we define security and privacy requirements for the data stored in the Cloud. Based on these requirements, we propose the requirements for an access control system in the Cloud. Furthermore, we evaluate the existing work in the area of currently available access control systems and mechanisms for secure data sharing over the Cloud, mostly focusing on policy enforcement and access control characteristics. Moreover, we determine existing mechanisms and standards to implement secure data sharing and collaborative systems over the Cloud. We propose an architecture supporting secure data sharing over the untrusted Cloud environment, based on our findings. The architecture ensures policy based access control inside and outside Cloud, while allowing the benefits of Cloud Computing to be utilized. We discuss the components involved in the architecture and their design considerations. To validate the proposed architecture, we construct the proof of concept prototype. We present a novel approach for implementing policy based access control, by achieving interoperability between existing standards and addressing certain issues, while constructing the system prototype. Furthermore, we deploy our solution in the Cloud and perform the performance tests to evaluate the performance of the system. Finally, we perform a case study by utilizing our system in a real-life scenario. To do this we slightly tailor our solution to meet specific needs. Overall, this thesis provides a solid foundation for the policy enforcement and access control mechanisms in the Cloud-based systems and motivates further work within this field. Cloud Computing is an emerging technology, providing attractive way of hosting and delivering services over the Internet. Many organizations and individuals are utilizing Cloud services to share information and collaborate with partners. However, Cloud provides abstraction over the underlying physical infrastructure to the customers, that raises information security concerns, while storing data in a virtualized environment without having physical access to it. Additionally, certain standards have been issued to provide interoperability between users and various distributed systems(including Cloud infrastructures), in a standardized way. However, implementation and interoperability issues still exist and introduce new challenges. This thesis explores the feasibility of securing data in a cloud context, using existing standards and specifications, while retaining the benefits of the Cloud. The thesis provides a view on increasing security concerns of moving to the cloud and sharing data over it. First, we define security and privacy requirements for the data stored in the Cloud. Based on these requirements, we propose the requirements for an access control system in the Cloud. Furthermore, we evaluate the existing work in the area of currently available access control systems and mechanisms for secure data sharing over the Cloud, mostly focusing on policy enforcement and access control characteristics. Moreover, we determine existing mechanisms and standards to implement secure data sharing and collaborative systems over the Cloud. We propose an architecture supporting secure data sharing over the untrusted Cloud environment, based on our findings. The architecture ensures policy based access control inside and outside Cloud, while allowing the benefits of Cloud Computing to be utilized. We discuss the components involved in the architecture and their design considerations. To validate the proposed architecture, we construct the proof of concept prototype. We present a novel approach for implementing policy based access control, by achieving interoperability between existing standards and addressing certain issues, while constructing the system prototype. Furthermore, we deploy our solution in the Cloud and perform the performance tests to evaluate the performance of the system. Finally, we perform a case study by utilizing our system in a real-life scenario. To do this we slightly tailor our solution to meet specific needs. Overall, this thesis provides a solid foundation for the policy enforcement and access control mechanisms in the Cloud-based systems and motivates further work within this field

Security Enhancement in Cloud System by Anonymous Request Access

Cloud computing is a computing technology or information technology architecture used by organization or individuals. It launches data storage and interactive paradigm with some advantages like on-demand self-services, ubiquitous network access. Due to popularity of cloud services, security and privacy becomes major issue. There is the issue of legitimate responsibility for information (If a client stores some information in the cloud, can the cloud supplier benefit from it?). Numerous Terms of Service assentions are quiet on the topic of proprietorship. Physical control of the PC hardware (private cloud) is more secure than having the gear off site and under another person's control (open cloud). This conveys awesome motivation to open distributed computing administration suppliers to organize building and keeping up solid administration of secure administration. This paper addresses design of proposed system

Use of Service Oriented Architecture for Scada Networks

Supervisory Control and Data Acquisition (SCADA) systems involve the use of distributed processing to operate geographically dispersed endpoint hardware components. They manage the control networks used to monitor and direct large-scale operations such as utilities and transit systems that are essential to national infrastructure. SCADA industrial control networks (ICNs) have long operated in obscurity and been kept isolated largely through strong physical security. Today, Internet technologies are increasingly being utilized to access control networks, giving rise to a growing concern that they are becoming more vulnerable to attack. Like SCADA, distributed processing is also central to cloud computing or, more formally, the Service Oriented Architecture (SOA) computing model. Certain distinctive properties differentiate ICNs from the enterprise networks that cloud computing developments have focused on. The objective of this project is to determine if modern cloud computing technologies can be also applied to improving dated SCADA distributed processing systems. Extensive research was performed regarding control network requirements as compared to those of general enterprise networks. Research was also conducted into the benefits, implementation, and performance of SOA to determine its merits for application to control networks. The conclusion developed is that some aspects of cloud computing might be usefully applied to SCADA systems but that SOA fails to meet ICN requirements in a certain essential areas. The lack of current standards for SOA security presents an unacceptable risk to SCADA systems that manage dangerous equipment or essential services. SOA network performance is also not sufficiently deterministic to suit many real-time hardware control applications. Finally, SOA environments cannot as yet address the regulatory compliance assurance requirements of critical infrastructure SCADA systems

A Cloud-Oriented Cross-Domain Security Architecture

The Monterey Security Architecture addresses the need to share high-value data across multiple domains of different classification levels while enforcing information flow policies. The architecture allows users with different security authorizations to securely collaborate and exchange information using commodity computers and familiar commercial client software that generally lack the prerequisite assurance and functional security protections. MYSEA seeks to meet two compelling requirements, often assumed to be at odds: enforcing critical, mandatory security policies, and allowing access and collaboration in a familiar work environment. Recent additions to the MYSEA design expand the architecture to support a cloud of cross-domain services, hosted within a federation of multilevel secure (MLS) MYSEA servers. The MYSEA cloud supports single-sign on, service replication, and network-layer quality of security service. This new cross domain, distributed architecture follows the consumption and delivery model for cloud services, while maintaining the federated control model necessary to support and protect cross domain collaboration within the enterprise. The resulting architecture shows the feasibility of high-assurance, cross-domain services hosted within a community cloud suitable for interagency, or joint, collaboration. This paper summarizes the MYSEA architecture and discusses MYSEA's approach to provide an MLS-constrained cloud computing environment.Approved for public release; distribution is unlimited

Secure & Encrypted Accessing and Sharing of Data in Distributed Virtual Cloud: A Review

Cloud Computing has been accepted as the next generation architecture of IT Enterprise. The Cloud computing idea offers dynamically scalable resources provisioned as a service over and the Internet Economic benefits are the main driver for the Cloud, since it promises the reduction of capital expenditure and operational expenditure Placing critical data in the hands of a cloud provider should come with the guarantee of security and availability for data and in use. various alternatives available for storage services, while data confidentiality is the solutions for the database as a service pattern are still undeveloped This architecture is supporting purely distributed clients to connect directly to an encrypted cloud database, and to execute simultaneous and independent operations including those modifying the database structure. The Access control policy is set out in which only authorised users are able to decrypt the stored information. This scheme prevents from replay attacks and supports formation, modification, and reading data stored in the cloud. This unique attribute, however, creates many new security challenges which have not been well understood. Security is to protect data from danger and vulnerability. There are various dangers and vulnerabilities to be handle. Various security issues and some of their solution are explained and are concentrating mainly on public cloud security issues and their solutions. Data should always be encrypted in a time when stored and transmitted

A role and attribute based encryption approach to privacy and security in cloud based health services

Cloud computing is a rapidly emerging computing paradigm which replaces static and expensive data centers, network and software infrastructure with dynamically scalable “cloud based” services offered by third party providers on an on-demand basis. However, with the potential for seemingly limitless scalability and reduced infrastructure costs comes new issues regarding security and privacy as processing and storage tasks are delegated to potentially untrustworthy cloud providers. For the eHealth industry this loss of control makes adopting the cloud problematic when compliance with privacy laws (such HIPAA, PIPEDA and PHIPA) is required and limits third party access to patient records. This thesis presents a RBAC enabled solution to cloud privacy and security issues resulting from this loss of control to a potentially untrustworthy third party cloud provider, which remains both scalable and distributed. This is accomplished through four major components presented, implemented and evaluated within this thesis; the DOSGi based Health Cloud eXchange (HCX) architecture for managing and exchanging EHRs between authorized users, the Role Based Access Control as a Service (RBACaaS) model and web service providing RBAC policy enforcement and services to cloud applications, the Role Based Single Sign On (RBSSO) protocol, and the Distributed Multi-Authority Ciphertext-Policy Shared Attribute-Based Encryption (DMACPSABE) scheme for limiting access to sensitive records dependent on attributes (or roles) assigned to users. We show that when these components are combined the resulting system is both scalable (scaling at least linearly with users, request, records and attributes), secure and provides a level of protection from the cloud provider which preserves the privacy of user’s records from any third party. Additionally, potential use cases are presented for each component as well as the overall system

Secure Access Control Architectures for Multi-Tenancy Cloud Environments

RÉSUMÉ L'Infonuagique est un paradigme de système informatique distribué qui offre la possibilité aux usagers (clients) d’accéder à des services et ressources partagés hébergés chez des fournisseurs, afin de mieux répondre à leur besoin en matière de service et d’infrastructure informatiques. Dans l’environnement infonuagique, une même machine ou serveur physique peut héberger plusieurs machines virtuelles (VMs) qui sont partagées entre différents usagers ou clients, rendant ainsi transparent le partage des ressources matériels. De ce fait, l’Infonuagique crée un environnement propice à des cibles faciles, vulnérables et sujettes à des attaques accrues de pirates informatiques. A cause de la complexité des contrôles d’accès et de la difficulté à surveiller les interconnexions entre les différents systèmes, les applications et les données, l’on s’expose à de nouvelles opportunités. Il ne fait aucun doute que, en termes de sécurité, le plus grand défis auquel les fournisseurs et clients sont confrontés dans l’environnement Infonuagique multi-usager est le contrôle d’accès. La prévention des accès illicites et non autorisés aux ressources infonuagiques passe par un mécanisme de contrôle efficace des accès. D’un côté, les techniques de contrôle d’accès conçues originalement pour des systèmes locaux d’entreprise ne sont pas appropriées à l’Infonuagique et au système de colocation. D’un autre côté, un mécanisme de contrôle d’accès bien conçu ne devrait pas surcharger le système d’Infonuagique et devrait s’adapter avec facilité à l’infrastructure existante. De nos jours, on se fie au VLAN et Coupe-feu par exemple pour assurer le contrôle d’accès dans l’environnement infonuagique. Ces techniques sont tout à fait efficaces mais des techniques complémentaires spécifiques à l’Infonuagique sont nécessaires pour prévenir les accès non autorisés aux ressources partagées dans le système distribué. Dans le cadre de ce projet de recherche nous proposons CloudGuard, un système qui implémente un mécanisme de contrôle d'accès basé sur un hyperviseur. Suivant le concept de sécurité en profondeur (security-in-depth), CloudGuard ajoute une couche complémentaire de sécurité aux environnements en colocation de l'infonuagique et prévient les accès non autorisés et illicites aux ressources infonuagiques. Cette architecture de sécurité peut être simplement appliquée à l'hyperviseur et fourni un contrôle d'accès évolutif et plus robuste que les techniques basées sur les réseaux existants.----------ABSTRACT Cloud Computing is a distributed computing paradigm which allows the users to access the services and shared resources hosted by the various service providers, to meet their services or resources requirements. In a multi-tenancy cloud computing environment, multiple virtual machines (VMs) are collocated on the same physical server. In such system, physical resources are transparently shared by the VMs belonging to multiple users. Cloud computing also creates a suitable environment for easy targets, vulnerable and prone to sophisticated attacks. Also, due to the complexity of access and difficulty in monitoring all interconnection point between systems, applications and data sets, this can create new targets for intrusion. Undoubtedly, one of the most important security mechanisms in multi-tenancy cloud computing environment is access control. Implementing a proper access control mechanism can lead us to prevent unauthorized or illegal access to cloud resources. In one hand, most of current access control techniques were originally designed for enterprise environments that do not consider the characteristics of cloud computing and multi-tenancy environments. On the other hand, a well-designed access control mechanism should impose less possible overhead to the cloud computing system and it should easily leverage with the existing cloud infrastructure. Today, VLANs and firewalls are example of techniques that provide access control for cloud environments. These techniques are definitely effective but we need complimentary techniques that fit cloud computing and prevent unauthorized access to the resources in the distributed system. In this research project we propose CloudGuard, a system that implements a hypervisor-based access control mechanism. Based on the concept of security-in-depth, CloudGuard adds another layer of security to multi-tenancy cloud computing environments and prevents unauthorized and illegal access to the cloud resources. This security architecture can be simply implemented to hypervisor and provide scalable and more robust access control than existing network-based techniques

A User-Customized Virtual Network Platform for NaaS Cloud

Now all kinds of public cloud providers take computing and storage resources as the user's main demand, making it difficult for users to deploy complex network in the public cloud. This paper proposes a virtual cloud platform with network as the core demand of the user, which can provide the user with the capacity of free network architecture as well as all kinds of virtual resources. The network is isolated by port groups of the virtual distributed switch and the data forwarding and access control between different network segments are implemented by virtual machines loading a soft-routing system. This paper also studies the management interface of network architecture and the uniform way to connect the remote desktop of virtual resources on the web, hoping to provide some new ideas for the Network as a Service model

Resource Brokering in Grid Computing

Grid Computing has emerged in the academia and evolved towards the bases of what is currently known as Cloud Computing and Internet of Things (IoT). The vast collection of resources that provide the nature for Grid Computing environment is very complex; multiple administrative domains control access and set policies to the shared computing resources. It is a decentralized environment with geographically distributed computing and storage resources, where each computing resource can be modeled as an autonomous computing entity, yet collectively can work together. This is a class of Cooperative Distributed Systems (CDS). We extend this by applying characteristic of open environments to create a foundation for the next generation of computing platform where entities are free to join a computing environment to provide capabilities and take part as a collective in solving complex problems beyond the capability of a single entity. This thesis is focused on modeling “Computing” as a collective performance of individual autonomous fundamental computing elements interconnected in a “Grid” open environment structure. Each computing element is a node in the Grid. All nodes are interconnected through the “Grid” edges. Resource allocation is done at the edges of the “Grid” where the connected nodes are simply used to perform computation. The analysis put forward in this thesis identifies Grid Computing as a form of computing that occurs at the resource level. The proposed solution, coupled with advancements in technology and evolution of new computing paradigms, sets a new direction for grid computing research. The approach here is a leap forward with the well-defined set of requirements and specifications based on open issues with the focus on autonomy, adaptability and interdependency. The proposed approach examines current model for Grid Protocol Architecture and proposes an extension that addresses the open issues in the diverged set of solutions that have been created