    A SEMANTIC BASED POLICY MANAGEMENT FRAMEWORK FOR CLOUD COMPUTING ENVIRONMENTS

    The cloud computing paradigm has gained tremendous momentum and generated intensive interest. Although security issues are delaying its fast adoption, cloud computing is an unstoppable force and we need to provide security mechanisms to ensure its secure adoption. In this dissertation, we mainly focus on issues related to policy management and access control in the cloud. Currently, users have to use diverse access control mechanisms to protect their data when stored on the cloud service providers (CSPs). Access control policies may be specified in different policy languages, and the heterogeneity of access policies poses significant problems. An ideal policy management system should be able to work with all data regardless of where they are stored. Semantic Web technologies, when used for policy management, can help address the crucial issues of interoperability of heterogeneous CSPs. In this dissertation, we propose a semantic based policy management framework for cloud computing environments which consists of two main components, namely the policy management and specification component and the policy evolution component. In the policy management and specification component, we first introduce policy management as a service (PMaaS), a cloud based policy management framework that gives cloud users a unified control point for specifying authorization policies, regardless of where the data is stored. Then, we present a semantic based policy management framework which enables users to specify access control policies using semantic web technologies and helps address heterogeneity issues of cloud computing environments. We also model temporal constraints and restrictions in GTRBAC using OWL and show how ontologies can be used to specify temporal constraints. We present a proof of concept implementation of the proposed framework and provide some performance evaluation. 
In the policy evolution component, we propose to use role mining techniques to deal with policy evolution issues and present StateMiner, a heuristic algorithm to find an RBAC state as close as possible to both the deployed RBAC state and the optimal state. We also implement the proposed algorithm and perform some experiments to demonstrate its effectiveness.

    Secure cloud computing implementation study for Singapore military operations

    Cloud computing benefits organizations in many ways. With characteristics such as resource pooling, broad network access, on-demand self-service, and rapid elasticity, an organization's overall IT management can be significantly reduced (in terms of labor, software, and hardware) and its work processes made more efficient. However, is cloud computing suitable for the Singapore Armed Forces (SAF)? How can the SAF migrate its traditional system to cloud-based services in a safe and secure manner? These were questions answered in this thesis. In this thesis, cloud computing was shown to increase cost-effectiveness in the healthcare and business sectors. In addition, from the military perspective, the benefits of cloud computing were analyzed from a study of the U.S. Department of Defense. Then, using cloud computing–related documents from the United States, a list of recommended policy statements was developed for the SAF to consider for guidance as it migrates to greater adoption of cloud-based computing in support of its operations. These policy statements encompass the various aspects of information security deemed most important to the SAF's adoption of a cloud-based computing environment. http://archive.org/details/securecloudcompu1094550572 Major, Singapore Armed Forces. Approved for public release; distribution is unlimited.

    Achieving trust-oriented data protection in the cloud environment

    University of Technology, Sydney. Faculty of Engineering and Information Technology. Cloud computing has gained increasing acceptance in recent years. In privacy-conscious domains such as healthcare and banking, however, data security and privacy are the greatest obstacles to the widespread adoption of cloud computing technology. Despite enjoying the benefits brought by this innovative technology, users are concerned about losing the control of their own data in the outsourced environment. Encrypting data can resolve confidentiality and integrity challenges, but the key to mitigating users’ concerns and encouraging broader adoption of cloud computing is the establishment of a trustworthy relationship between cloud providers and users. In this dissertation, we investigate a novel trust-oriented data protection framework adapted to the cloud environment. By investigating cloud data security, privacy, and control related issues, we propose a novel data protection approach that combines active and passive protection mechanisms. The active protection is used to secure data in an independent and smart data cube that can survive even when the host is in danger. The passive protection covers the actions and mechanisms taken to monitor and audit data based on third party security services such as access control services and audit services. Furthermore, by incorporating full mobility and replica management with the active and passive mechanisms, the proposed framework can satisfy confidentiality, integrity, availability, scalability, intrusion-tolerance, authentication, authorization, auditability, and accountability, increasing users’ confidence in consuming cloud-based data services. In this work we begin by introducing cloud data storage characteristics and then analyse the reasons for issues of data security, privacy and control in cloud. On the basis of results of analysis, we identify desirable properties and objectives for protecting cloud data. 
In principle, cryptography-based and third party based approaches are insufficient to address users’ concerns and increase confidence in consuming cloud-based data services, because of possible intrusion attacks and direct tampering of data. Hence, we propose a novel way of securing data in an active data cube (ADCu) with smart and independent functionality. Each ADCu is a deployable data protection unit encapsulating sensitive data, networking, data manipulation, and security verification functions within a coherent data structure. A sealed and signed ADCu encloses dynamic information-flow tracking throughout the data cube that can precisely monitor the inner data and the derivatives. Any violations of policy or tampering with data would be compulsorily recorded and reported to bundled users via the mechanisms within the ADCu. This active and bundled architecture is designed to establish a trustworthy relationship between cloud and users. Subsequently, to establish a more comprehensive security environment cooperating with an active data-centric (ADC) framework, we propose a cloud-based privacy-aware role-based access control (CPRBAC) service and an active auditing service (AAS). These components in the entire data protection framework contribute to the passive security mechanisms. They provide access control management and audit work based on a consistent security environment. We also discuss and implement full mobility management and data replica management related to the ADCu, which are regarded as significant factors to satisfy data accountability, availability, and scalability. We conduct a set of practical experiments and security evaluation on a mini-private cloud platform. The outcome of this research demonstrates the efficiency, feasibility, dependability, and scalability of protecting outsourced data in cloud by using the trust-oriented protection framework. 
To that end, we introduce an application applying the components and mechanisms of the trust-oriented security framework to protecting eHealth data in cloud. The novelty of this work lies in protecting cloud data in an ADCu that is not highly reliant on strong encryption schemes and third-party protection schemes. By proposing innovative structures, concepts, algorithms, and services, the major contribution of this thesis is that it helps cloud providers to deliver trust actively to cloud users, and encourages broader adoption of cloud-based solutions for data storage services in sensitive areas.

    Setting Up Personal Cloud Server Tonido @ Department of Computer Studies, CSIBER and Integration with Moodle Server - A Case Study

    Cloud computing represents a real paradigm shift in the way software is developed, deployed and used. Cloud computing, which is based on utility computing, has made a remarkable contribution to realizing the long-held dream of utility computing: the development of infinitely scalable and universally available systems. With cloud computing, a user can start very small and become big very fast, limited only by his/her needs, which means cloud computing is revolutionary even if the technology it is based on is evolutionary. There are a handful of free open source cloud software packages available which guide an end user from setting up a file server to drive mapping and file synchronization. All these utilities are bundled into a single software module. The authors have performed a survey of different open source software packages currently available on the Internet and have performed their relative comparisons. A private file cloud server has been installed in the Department of Computer Studies, CSIBER, Kolhapur, MS, India. For sharing and synchronizing files, Tonido cloud software is employed. The security has been implemented using role based authentication wherein all inter and intra department communications are modeled by assigning different roles to the users of the system. The drive mapping is achieved at admin and user level using free add-ons available for Tonido. The folder changes are monitored periodically and notification messages are sent to appropriate users instantly. The cloud server enables streamlining various house-keeping chores such as uploading notices and syllabi for students, and also helps in keeping all the documents centralized, structured and updated. The system has rendered the whole process automatic and there is very little chance of committing any mistake, which results in an extremely effective communication system between users of different categories. 
At the OS level, security trimming is performed by programmatically editing requisite registry entries using Group Policy Editor, a Microsoft Management Console program, at runtime depending on the user logged in and mapping user credentials to the corresponding drives accessible only to that user. Finally, the Tonido server is integrated with the institute’s Moodle server and the data is synchronized with the help of an interface application implemented in Java. DOI: 10.17762/ijritcc2321-8169.15072

    Cloud computing adoption framework: A security framework for business clouds

    This paper presents a Cloud Computing Adoption Framework (CCAF) security suitable for business clouds. CCAF multi-layered security is based on the development and integration of three major security technologies: firewall, identity management and encryption based on the development of Enterprise File Sync and Share technologies. This paper presents our motivation, related work and our views on security framework. Core technologies have been explained in detail and experiments were designed to demonstrate the robustness of the CCAF multi-layered security. In penetration testing, CCAF multi-layered security could detect and block 99.95% of viruses and trojans and could maintain 85% and above of blocking for 100 hours of continuous attacks. Detection and blocking took less than 0.012 second per trojan or virus. A full CCAF multi-layered security protection could block all SQL injection, providing real protection to data. CCAF multi-layered security had a 100% rate of not reporting false alarms. All F-measures for CCAF test results were 99.75% and above. How CCAF multi-layered security can blend with policy, real services and business activities has been illustrated. Research contributions have been justified and CCAF multi-layered security can offer added value for volume, velocity and veracity for Big Data services operated in the Cloud.