22 research outputs found

    EPICS: A Framework for Enforcing Security Policies in Composite Web Services

    With advances in cloud computing and the emergence of service marketplaces, the popularity of composite services marks a paradigm shift from single-domain monolithic systems to cross-domain distributed services, which raises important privacy and security concerns. Access control becomes a challenge in such systems because authentication, authorization and data disclosure may take place across endpoints that are not known to clients. The clients lack options for specifying policies to control the sharing of their data and have to rely on service providers which provide limited selection of security and privacy preferences. This lack of awareness and loss of control over data sharing increases threats to a client's data and diminishes trust in these systems.

    EPICS: A Framework for Enforcing Security Policies in Composite Web Services

    With advances in cloud computing and the emergence of service marketplaces, the popularity of composite services marks a paradigm shift from single-domain monolithic systems to cross-domain distributed services, which raises important privacy and security concerns. Access control becomes a challenge in such systems because authentication, authorization and data disclosure may take place across endpoints that are not known to clients. The clients lack options for specifying policies to control the sharing of their data and have to rely on service providers which offer limited selection of security and privacy preferences. This lack of awareness and loss of control over data sharing increases threats to a client's data and diminishes trust in these systems. We propose EPICS, an efficient and effective solution for enforcing security policies in composite Web services that protects data privacy throughout the service interaction lifecycle. The solution ensures that the data are distributed along with the client policies that dictate data access and an execution monitor that controls data disclosure. It empowers data owners with control of data disclosure decisions during interactions with remote services and reduces the risk of unauthorized access. The paper presents the design, implementation, and evaluation of the EPICS framework.

    Cross-Domain Data Dissemination and Policy Enforcement

    Modern information systems are distributed and highly dynamic. They comprise a number of hosts from heterogeneous domains, which collaborate, interact, and share data to handle client requests. Examples include cloud-hosted solutions, service-oriented architectures, electronic healthcare systems, product lifecycle management systems, and so on. A client request translates into multiple internal interactions involving different parties; each party can access and further share the client's data. However, such interactions may share data with unauthorized parties and violate the client's disclosure policies. In this case, the client has no knowledge of or control over interactions beyond its trust domain; therefore, the client has no means of detecting violations. Opaque data sharing in such distributed systems introduces new security challenges not present in the traditional systems. Existing solutions provide point-to-point secure data transmission and ensure security within a single domain, but are insufficient for distributed data dissemination because of the involvement of multiple cross-domain parties. This dissertation addresses the problem of policy-based distributed data dissemination (PD3) and proposes a data-centric solution for end-to-end secure data disclosure in distributed interactions. The solution ensures that the data are distributed along with the policies that dictate data access and an execution monitor (a policy evaluation and enforcement mechanism) that controls data disclosure and protects data dissemination throughout the interaction lifecycle. It empowers data owners with control of data disclosure decisions outside their trust domains and reduces the risk of unauthorized access. This dissertation makes the following contributions. First, it presents a formal description of the PD3 problem and identifies the main requirements for a new solution. Second, it introduces EPICS, an extensible framework for enforcing policies in composite Web services, and describes its design, implementation, and evaluation. Third, it demonstrates a novel application of the proposed solution to address privacy and identity management in cloud computing.

    A self-protecting agents based model for high-performance mobile-cloud computing

    Mobile-cloud computing (MCC) allows devices with resource and battery limitations to achieve computation-intensive tasks in real-time. While this new paradigm of computing seems beneficial for real-time mobile computing, existing MCC models mainly rely on keeping full clones of program code at remote sites and unstandardized/uninteroperable environments, hampering wider adoption. Moreover, the security risks arising from offloading data and code to an untrusted platform and the computational overhead introduced by complex security mechanisms stand as deterrents for adoption of MCC at large. In this paper, we present a context-dependent computation-offloading model for MCC, which is based on application segments packed into autonomous agents. This approach only requires isolated execution containers in the cloud to provide a runtime environment for the agents, and minimal involvement of the mobile platform during the computation process. The agents in the proposed model are able to protect themselves from tampering using integrity-checkpointing and an authenticated encryption-based communication mechanism. Experiments with two mobile applications demonstrate the effectiveness of the approach for high-performance, secure MCC.

    Privacy-preserving data sharing and adaptable service compositions in mission-critical clouds

    © 2021 CEUR-WS. All rights reserved. Existing cloud systems lack robust mechanisms to monitor compliance of services with security and performance policies under changing contexts, and to ensure uninterrupted operation in case of failures. On the other hand, microservices-based cloud system architectures that have become indispensable for defense applications require systematic monitoring of service operations to satisfy their resiliency and antifragility goals. In this work we propose a unified model for enforcing security and performance requirements of mission-critical cloud systems even in the presence of anomalous behavior/attacks and failure of services. The model allows for proactive mitigation of threats and failures in cloud-based systems through active monitoring of the performance and behavior of services, promising achievement of resiliency and antifragility under various failures and attacks. It also provides secure dissemination of data between services to ensure end-to-end secure operation of critical missions.

    Tamper-Resistant Autonomous Agents-Based Mobile-Cloud Computing

    The rise of the mobile-cloud computing paradigm has enabled mobile devices with limited processing power and battery life to achieve complex tasks in real-time. While mobile-cloud computing is promising to overcome limitations of mobile devices for real-time computing needs, the reliance of existing models on strong assumptions such as the availability of a full clone of the application code and non-standard system environments in the cloud makes it harder to manage the performance of mobile-cloud computing based applications. Furthermore, offloading mobile computation to the cloud entails security risks associated with sending data and code to an untrusted platform and perfect security is hard to achieve due to the extra computational overhead introduced by complex mechanisms. In this paper, we present a dynamic computation-offloading model for mobile-cloud computing, based on autonomous agent-based application partitions. We propose a dynamic tamper-resistance approach for managing the security of offloaded computation, by augmenting agents with self-protection capability using a low-overhead introspection and integrity-preserving communication mechanism. Experiments with a real-world mobile application demonstrate the effectiveness of the approach for high-performance, tamper-resistant mobile-cloud computing.

    Big Data Analytics for Cyber Security


    Secure Information Sharing in Digital Supply Chains

    Modern organizations interact with their partners through digital supply chain business processes for producing and delivering products and services to consumers. A partner in this supply chain can be a sub-contractor to whom work is outsourced. Each partner in a supply chain uses data, generates data and shares data with other partners, and all this collaboration contributes to producing and delivering the product(s) or service(s). The main security challenge in supply chains is the unauthorized disclosure and data leakage of information shared among the partners. Current approaches for protecting data in supply chains rely on the use of standards, service level agreements, and legal contracts. We propose an auditing-based approach for protecting shared data in digital supply chains. Keywords: supply chain; security; privacy; auditing; data sharing