1,183 research outputs found

    Inter-Tenant and Multi-Tenant Security Services for Software as a Service

    Recently, cloud computing has played an essential role in the evolution of computing technology. Software as a service (SaaS) is among the most attractive cloud services and has drawn the interest of providers and consumers of Web applications. On the one hand, outsourcing resources allows the provider to deploy an application in a public cloud instead of managing its underlying resources (physical machines). Moreover, the resources of this application can be scaled dynamically and automatically according to the growth of the customer base and/or the amount of traffic. On the other hand, resource pooling (sharing) gives the provider a significant reduction in infrastructure and maintenance costs by sharing the same application instance among several tenants. A tenant can subscribe to SaaS on demand and pay per use. Despite their advantages, outsourcing and resource pooling bring new security challenges and risks that must be inventoried and resolved by the SaaS provider. A SaaS tenant cannot deploy its preferred intrusion detection systems (IDS) because it controls neither the source code nor the infrastructure of the application (deployed by the provider in a public cloud). The provider must therefore not only integrate IDS as a service into its cloud infrastructure, but also protect each tenant according to its own security requirements. In a multi-tenant SaaS, the data of tenants, who may be competitors, are stored in the same database. The provider must therefore detect and prevent attacks carried out by one tenant against the data of other tenants.
Several research works propose cloud IDS that focus on the infrastructure (virtual networks, virtual machines, etc.). However, these IDS do not offer security as a service to the provider and tenants of a SaaS. Other research works and IT companies suggest tenant data isolation mechanisms to reduce the risk of attacks between tenants. However, these mechanisms are not automated and do not prevent attacks between tenants sharing the same database.

ABSTRACT: Recently, cloud computing has played a vital role in the evolution of computer technology. Software-as-a-Service (SaaS) is one of the cloud services that has attracted the providers and clients (tenants) of Web applications. On the one hand, outsourcing allows a SaaS provider to deploy an application in a public cloud instead of managing its underlying resources (physical machines). The resources of this application can be scaled dynamically and automatically according to the evolution of the customer and/or the amount of traffic. On the other hand, multi-tenancy (or resource pooling) enables a SaaS provider to significantly reduce the infrastructure and maintenance costs by sharing the same application and database instances among several tenants. A tenant can subscribe to SaaS on demand and pay according to a pay-per-use model. However, outsourcing and multi-tenancy bring new challenges and security risks that must be addressed by the SaaS provider. A tenant cannot deploy its preferred intrusion detection systems (IDS) since it does not control the source code and the infrastructure of the application (deployed by the provider in a public cloud). Therefore, the provider must not only integrate IDS as a service into its cloud infrastructure, but also protect each tenant according to its own security requirements.
In a multi-tenant SaaS, the data of tenants that can be competitors are stored in the same database. Therefore, the provider must detect and prevent attacks realized by a tenant (maliciously or accidentally) against the data of other tenants. The cloud-based IDS proposed by scientific research focus on the infrastructure (e.g., virtual networks, virtual machines, etc.). However, they do not detect attacks between the tenants of SaaS and do not provide security as a service for both SaaS provider and tenant. Other scientific research and IT companies propose tenant data isolation mechanisms to reduce the risk of inter-tenant attacks. However, these mechanisms are not automated and do not prevent attacks between tenants sharing the same database.

    Using Microservices to Customize Multi-Tenant SaaS: From Intrusive to Non-Intrusive

    Customization is a widely adopted practice on enterprise software applications such as Enterprise resource planning (ERP) or Customer relation management (CRM). Software vendors deploy their enterprise software product on the premises of a customer, which is then often customized for different specific needs of the customer. When enterprise applications are moving to the cloud as multi-tenant Software-as-a-Service (SaaS), the traditional way of on-premises customization faces new challenges because a customer no longer has exclusive control over the application. To empower businesses with specific requirements on top of the shared standard SaaS, vendors need a novel approach to support the customization on the multi-tenant SaaS. In this paper, we summarize our two approaches for customizing multi-tenant SaaS using microservices: intrusive and non-intrusive. The paper clarifies the key concepts related to the problem of multi-tenant customization, and describes a design with a reference architecture and high-level principles. We also discuss the key technical challenges and the feasible solutions to implement this architecture. Our microservice-based customization solution is promising to meet the general customization requirements, and achieves a balance between isolation, assimilation and economy of scale.

    Cloud Security: A Review of Recent Threats and Solution Models

    The most significant barrier to the wide adoption of cloud services has been attributed to perceived cloud insecurity (Smitha, Anna and Dan, 2012). In an attempt to review this subject, this paper will explore some of the major security threats to the cloud and the security models employed in tackling them. Access control violations, message integrity violations, data leakages, inability to guarantee complete data deletion, code injection, malware and lack of expertise in cloud technology rank as the major threats. The European Union invested €3m in City University London to research into the certification of Cloud security services. This and more recent developments are significant in addressing increasing public concerns regarding the confidentiality, integrity and privacy of data held in cloud environments. Some of the current cloud security models adopted in addressing cloud security threats were: encryption of all data at storage and during transmission. The Cisco IronPort S-Series web security appliance was among security solutions to solve cloud access control issues. 2-factor Authentication with RSA SecurID and close monitoring appeared to be the most popular solutions to authentication and access control issues in the cloud. Database Active Monitoring, File Active Monitoring, URL Filters and Data Loss Prevention were solutions for detecting and preventing unauthorised data migration into and within clouds. There is yet no guarantee for a complete deletion of data by cloud providers on client requests; however, FADE may be a solution (Yang et al., 2012).

    Cloud based testing of business applications and web services

    This paper deals with testing of applications based on the principles of cloud computing. It aims to describe options for testing business software in clouds (cloud testing). It identifies the needs for cloud testing tools including multi-layer testing, service level agreement (SLA) based testing, large scale simulation, and on-demand test environment. In a cloud-based model, ICT services are distributed and accessed over networks such as intranet or internet, which offer large data centers that deliver on-demand resources as a service, eliminating the need for investments in specific hardware, software, or data center infrastructure. Businesses can apply those new technologies in the context of intellectual capital management to lower the cost and increase competitiveness and also earnings. Based on comparison of the testing tools and techniques, the paper further investigates future trends of cloud based testing tools research and development. It is also important to say that this comparison and classification of testing tools describes a new area and it has not yet been done.

    Assessing database and network threats in traditional and cloud computing

    Cloud Computing is currently one of the most widely-spoken terms in IT. While it offers a range of technological and financial benefits, its acceptance by organizations is not yet widespread. Security concerns are a main reason for this, and this paper studies the data and network threats posed in both traditional and cloud paradigms in an effort to assert in which areas cloud computing addresses security issues and where it introduces new ones. This evaluation is based on Microsoft’s STRIDE threat model and discusses the stakeholders, the impact and recommendations for tackling each threat.

    Cloud Multi-Tenancy: Issues and Developments

    Cloud Computing (CC) is a computational paradigm that provides pay-per-use services to customers from a pool of networked computing resources that are provided on demand. Customers therefore do not need to worry about infrastructure or storage. Cloud Service Providers (CSP) make custom built applications available to customers online. Also, organisations and enterprises can build and deploy applications based on platforms provided by the Cloud service provider. Scalable storage and computing resources are also made available to consumers on the Clouds at a cost. Cloud Computing takes virtualization a step further through the use of virtual machines; it allows several customers to share the same physical machine. In addition, it is possible for numerous customers to share applications provided by a CSP; this sharing model is known as multi-tenancy. Though multi-tenancy has its drawbacks, it is highly desirable based on its cost efficiency. This paper presents a comprehensive study of existing literature on relevant issues and development relating to cloud multi-tenancy using reliable methods. This study examines recent trends in the area of cloud multi-tenancy and provides a guide for future research. The analysis of this comprehensive study was based on the following question relating to recent study in multi-tenancy: what is the current trend and development in cloud multi-tenancy? Existing publications were analyzed in this area including journals, conferences, white papers and publications in reputable magazines. The expected result at the end of this review is the identification of trends in cloud multi-tenancy. This will be of benefit to prospective cloud users and even cloud providers.