Policy enforcement in cloud computing

Cloud Computing is an emerging technology, providing attractive way of hosting and delivering services over the Internet. Many organizations and individuals are utilizing Cloud services to share information and collaborate with partners. However, Cloud provides abstraction over the underlying physical infrastructure to the customers, that raises information security concerns, while storing data in a virtualized environment without having physical access to it. Additionally, certain standards have been issued to provide interoperability between users and various distributed systems(including Cloud infrastructures), in a standardized way. However, implementation and interoperability issues still exist and introduce new challenges. This thesis explores the feasibility of securing data in a cloud context, using existing standards and specifications, while retaining the benefits of the Cloud. The thesis provides a view on increasing security concerns of moving to the cloud and sharing data over it. First, we define security and privacy requirements for the data stored in the Cloud. Based on these requirements, we propose the requirements for an access control system in the Cloud. Furthermore, we evaluate the existing work in the area of currently available access control systems and mechanisms for secure data sharing over the Cloud, mostly focusing on policy enforcement and access control characteristics. Moreover, we determine existing mechanisms and standards to implement secure data sharing and collaborative systems over the Cloud. We propose an architecture supporting secure data sharing over the untrusted Cloud environment, based on our findings. The architecture ensures policy based access control inside and outside Cloud, while allowing the benefits of Cloud Computing to be utilized. We discuss the components involved in the architecture and their design considerations. To validate the proposed architecture, we construct the proof of concept prototype. We present a novel approach for implementing policy based access control, by achieving interoperability between existing standards and addressing certain issues, while constructing the system prototype. Furthermore, we deploy our solution in the Cloud and perform the performance tests to evaluate the performance of the system. Finally, we perform a case study by utilizing our system in a real-life scenario. To do this we slightly tailor our solution to meet specific needs. Overall, this thesis provides a solid foundation for the policy enforcement and access control mechanisms in the Cloud-based systems and motivates further work within this field. Cloud Computing is an emerging technology, providing attractive way of hosting and delivering services over the Internet. Many organizations and individuals are utilizing Cloud services to share information and collaborate with partners. However, Cloud provides abstraction over the underlying physical infrastructure to the customers, that raises information security concerns, while storing data in a virtualized environment without having physical access to it. Additionally, certain standards have been issued to provide interoperability between users and various distributed systems(including Cloud infrastructures), in a standardized way. However, implementation and interoperability issues still exist and introduce new challenges. This thesis explores the feasibility of securing data in a cloud context, using existing standards and specifications, while retaining the benefits of the Cloud. The thesis provides a view on increasing security concerns of moving to the cloud and sharing data over it. First, we define security and privacy requirements for the data stored in the Cloud. Based on these requirements, we propose the requirements for an access control system in the Cloud. Furthermore, we evaluate the existing work in the area of currently available access control systems and mechanisms for secure data sharing over the Cloud, mostly focusing on policy enforcement and access control characteristics. Moreover, we determine existing mechanisms and standards to implement secure data sharing and collaborative systems over the Cloud. We propose an architecture supporting secure data sharing over the untrusted Cloud environment, based on our findings. The architecture ensures policy based access control inside and outside Cloud, while allowing the benefits of Cloud Computing to be utilized. We discuss the components involved in the architecture and their design considerations. To validate the proposed architecture, we construct the proof of concept prototype. We present a novel approach for implementing policy based access control, by achieving interoperability between existing standards and addressing certain issues, while constructing the system prototype. Furthermore, we deploy our solution in the Cloud and perform the performance tests to evaluate the performance of the system. Finally, we perform a case study by utilizing our system in a real-life scenario. To do this we slightly tailor our solution to meet specific needs. Overall, this thesis provides a solid foundation for the policy enforcement and access control mechanisms in the Cloud-based systems and motivates further work within this field

Policy-driven Security Management for Gateway-Oriented Reconfigurable Ecosystems

abstract: With the increasing user demand for low latency, elastic provisioning of computing resources coupled with ubiquitous and on-demand access to real-time data, cloud computing has emerged as a popular computing paradigm to meet growing user demands. However, with the introduction and rising use of wear- able technology and evolving uses of smart-phones, the concept of Internet of Things (IoT) has become a prevailing notion in the currently growing technology industry. Cisco Inc. has projected a data creation of approximately 403 Zetabytes (ZB) by 2018. The combination of bringing benign devices and connecting them to the web has resulted in exploding service and data aggregation requirements, thus requiring a new and innovative computing platform. This platform should have the capability to provide robust real-time data analytics and resource provisioning to clients, such as IoT users, on-demand. Such a computation model would need to function at the edge-of-the-network, forming a bridge between the large cloud data centers and the distributed connected devices. This research expands on the notion of bringing computational power to the edge- of-the-network, and then integrating it with the cloud computing paradigm whilst providing services to diverse IoT-based applications. This expansion is achieved through the establishment of a new computing model that serves as a platform for IoT-based devices to communicate with services in real-time. We name this paradigm as Gateway-Oriented Reconfigurable Ecosystem (GORE) computing. Finally, this thesis proposes and discusses the development of a policy management framework for accommodating our proposed computational paradigm. The policy framework is designed to serve both the hosted applications and the GORE paradigm by enabling them to function more efficiently. The goal of the framework is to ensure uninterrupted communication and service delivery between users and their applications.Dissertation/ThesisMasters Thesis Computer Science 201

Secure policy-based device-to-device offloading for mobile applications

Mobile application offloading, with the purpose of extending battery lifetime and increasing performance has been intensively discussed recently, resulting in various different solutions: mobile device clones operated as virtual machines in the cloud, simultaneously running applications on the mobile device and on a distant server, as well as flexible solutions dynamically acquiring other mobile devices’ resources in the user’s surrounding. Existing solutions have gaps in the fields of data security and application security. These gaps can be closed by integrating data usage policies, as well as application-flow policies. In this paper, we propose and evaluate a novel approach of integrating XACML into existing mobile application offloading-frameworks. Data owners remain in full control of their data, still, technologies like device-to-device offloading can be used

Secure Data Sharing and Collaboration in the Cloud

Cloud technology can be leveraged to enable data-sharing capabilities, which can benefit the user through greater productivity and efficiency. However, the Cloud is susceptible to many privacy and security vulnerabilities, which hinders the progress and widescale adoption of data sharing for the purposes of collaboration. Thus, there is a strong demand for data owners to not only ensure that their data is kept private and secure in the Cloud, but to also have a degree of control over their own data contents once they are shared with data consumers. Specifically, the main issues for data sharing in the Cloud include key management, security attacks, and data-owner access control. In terms of key management, it is vital that data must first be encrypted before storage in the Cloud, to prevent privacy and security breaches. However, the management of encryption keys is a great challenge. The sharing of keys with data consumers has proven to be ineffective, especially when considering data-consumer revocation. Security attacks may also prevent the widescale usage of the Cloud for data-sharing purposes. Common security attacks include insider attacks, collusion attacks, and man-in-the-middle attacks. In terms of access control, authorised data consumers could do anything they wish with an owner's data, including sending it to their peers and colleagues without the data owner's knowledge. Throughout this thesis, we investigate ways in which to address these issues. We first propose a key partitioning technique that aims to address the key management problem. We deploy this technique in a number of scenarios, such as remote healthcare management. We also develop secure data-sharing protocols that aim to mitigate and prevent security attacks on the Cloud. Finally, we focus on giving the data owner greater control, by developing a self-controlled software object called SafeProtect

Secure Data Control: Privacy and Security based on ABE for Access Control over Cloud

In today's world, there is a strong requirement for sharing information over cloud. However, privacy and security remains a setback especially when working with bulk amounts of data in the Cloud. Data is abundantly stored outside the control of the data owner’s machine with lack of his knowledge to the data owner, how the data being used and where the data are being stored. So, there is a necessity for the data owner to have a more control over their data, similar to the level of control they possess when the data are being stored on their own machine. For example, when a data owner shares an important file with his colleague, he cannot trust what his colleague will do with his data. In this paper, we try to address this problem by monitoring and preventing unauthorized operations by the data consumer. We present a solution called Secure-Data, which bundles the data owner’s data and specified policy, based on XACML, in an object called Secure-Data object. Secure-Data enforces the policies set out by the data owner by communicating with the cloud based applications to disable certain operations and/or run a background process for monitoring the data. We define a software based protocol that will enable to secure the data in the cloud and will support the use of the android app for authentication purposes

A Novel Framework for Big Data Security Infrastructure Components

Big data encompasses enormous data and management of huge data collected from various sources like online social media contents, log files, sensor records, surveys and online transactions. It is essential to provide new security models, concerns and efficient security designs and approaches for confronting security and privacy aspects of the same. This paper intends to provide initial analysis of the security challenges in Big Data. The paper introduces the basic concepts of Big Data and its enormous growth rate in terms of pita and zettabytes. A model framework for Big Data Infrastructure Security Components Framework (BDAF) is proposed that includes components like Security Life Cycle, Fine-grained data-centric access control policies, the Dynamic Infrastructure Trust Bootstrap Protocol (DITBP). The framework allows deploying trusted remote virtualised data processing environment and federated access control and identity management

ENFORCING SECURITY ON CLOUD COMPUTING NETWORK: A THEORETICAL FRAME WORK

Cloud computing offers reduced capital expenditure, operational risks, complexity and maintenance, and increasedscalability as well as providing services at different abstraction levels, namely Software-as-a-Service (SaaS), Platform-as-a-Service(PaaS), and Infrastructure-as-a-Service (IaaS). The paper highlighted various threats in cloud computing networking,and also proffered solution by discussing extensively various security measures to be enforced on the system to achievesecurity to a large extent. This paper presents a security architecture that enables a user of cloud networking to definesecurity requirements and enforces them in the cloud networking infrastructure.Keywords: Cloud Computing, Infrastructure, Abstraction, Services, Security & Framework