Cloud Security with Virtualized Defense and Reputation-based Trust Management*
Kai Hwang and Sameer Kulkarni
University of Southern California
Los Angeles, USA Email: {kaihwang, sgkukar}@usc.edu
Yue Hu
University of Science and Technology
Beijing, China Email: huhuyue_001@sina.com
Abstract—Internet clouds work as service factories built around web-scale datacenters. The elastic cloud resources and huge datasets processed are subject to security breaches, privacy abuses, and copyright violations. Cloud resources provisioned on demand are especially vulnerable to cyber attacks. The cloud platforms built by Google, IBM, and Amazon all reveal this weakness. We propose a new approach to integrating virtual clusters, security-reinforced datacenters, and trusted data accesses guided by reputation systems. A hierarchy of P2P reputation systems is suggested to protect clouds and datacenters at the site level and to safeguard the data objects at the file-access level. Different security countermeasures are suggested to protect the cloud service models IaaS, PaaS, and SaaS, currently implemented by Amazon, IBM, and Google, respectively.
Keywords- Internet clouds, data centers, network security, virtualization, reputation system, and cloud computing services.
I. INTRODUCTION
Cloud computing applies a virtual platform with elastic resources put together dynamically by on-demand provisioning of hardware, software, and datasets [8, 16]. The idea is to move desktop computing to a service-oriented platform using server clusters and huge databases at datacenters [3]. Cloud computing leverages its low cost and simplicity for both providers and users [11, 22]. Machine virtualization [26] has enabled such cost-effectiveness.
Cloud computing intends to satisfy many heterogeneous applications simultaneously [12]. Trust and security become crucial to safeguard the healthy development of cloud platforms [9, 23]. Clouds may become worrisome to some users for lack of privacy protection [5], security assurance, and copyright protection [19]. As a virtual environment, the cloud poses new security threats that differ from attacks on physical systems. Trust models for distributed systems like clouds and P2P networks are assessed in this paper.
* Presented in the IEEE Int'l Workshop on Security in Cloud Computing (SCC09), held in conjunction with the IEEE Int'l Conf. on Pervasive Intelligence and Computing (PICom2009), Chengdu, China, Dec. 12-14, 2009. Corresponding author is Kai Hwang. Contact him at: kaihwang@usc.edu
Virtual resources and datacenters are facing many operational uncertainties. We prefer to extend the fuzzy-theoretic trust models by Song et al. [21] and by He et al. [14] to a cloud application environment. The reputation-based trust management issues [21, 24, 25] are studied for cloud applications.
The remaining sections are organized as follows: We first review cloud service models and assess existing cloud platforms in Sections II and III. Then we propose a new secure cloud architecture in Section IV. Section V is devoted to virtualization support for cloud security. Section VI suggests data-access protection through trust management with reputation systems. Finally, we summarize our contributions and discuss further research needed.
II. CLOUD SERVICE MODELS AND SECURITY CHALLENGES
We assess the security demands of three cloud service models, IaaS, PaaS, and SaaS, that have been used in cloud practice [4]. These models are based on various service level agreements (SLAs) between providers and users.
A. Cloud Service Models
Figure 1 illustrates the mapping of cloud models to various security measures needed at different operational levels of the clouds [23].
Infrastructure as a Service (IaaS): This model allows users to rent processing, storage, networks, and other resources. The user can deploy and run the guest OS and applications. The user does not manage or control the underlying cloud infrastructure but has control over the OS, storage, deployed applications, and possibly select networking components.
Platform as a Service (PaaS): This model allows the user to deploy user-built applications onto the cloud infrastructure, built using programming languages and software tools supported by the provider (e.g., Java, Python, .NET). The user does not manage the underlying cloud infrastructure.
Software as a Service (SaaS): This refers to browser-initiated application software served to thousands of cloud customers. On the customer side, there is no upfront investment in servers or software licensing. On the provider side, costs are rather low, compared with conventional hosting of user applications.
2009 Eighth IEEE International Conference on Dependable, Autonomic and Secure Computing
Clouds offer four service deployment modes: private, public, managed, and hybrid [22]. These modes carry different security implications. The different service level agreements and service deployment modalities imply that security is a shared responsibility of the cloud providers, the cloud resource consumers, and the third-party cloud-enabled software providers.
With service as the key concept of clouds, the critical issues include data integrity and confidentiality, and the demand for a trust model between service providers and users. Figure 1 maps the three cloud models to the required security measures at various cloud operational levels.
B. Security Requirements
Table 1 identifies the demand for three security requirements, confidentiality, integrity, and availability, by most service providers and by cloud users under the three service models. In the order of SaaS, PaaS, and IaaS, the providers gradually release the responsibilities of security control to the cloud users.
In summary, the SaaS model relies on the cloud provider to perform all security functions. At the other extreme, the IaaS model expects the users to assume almost all security functions, leaving only availability in the hands of the providers. The PaaS model relies on the provider to maintain data integrity and availability, but counts on the user to preserve confidentiality and data privacy.
Figure 1: Cloud service models on the left and corresponding security measures on the right. The IaaS is at the lowest level, PaaS at the mid-level, and SaaS at the widest level including all resources.
Table 1: Cloud Service Models and Security Responsibilities by Providers and Users
SaaS: Provider's responsibilities: Confidentiality, Integrity, Availability. User's responsibilities: None.
PaaS: Provider's responsibilities: Integrity, Availability. User's responsibilities: Confidentiality, Data Privacy.
IaaS: Provider's responsibilities: Availability. User's responsibilities: Confidentiality, Data Privacy, and Integrity.
III. VULNERABILITY IN EXISTING CLOUDS
We assess below the vulnerability of three commercial cloud platforms built since 2007. Table 2 assesses their architecture features, service models applied, system vulnerability, and resilience to network attacks. We find that all three platforms are weak in the security area [7].
A. Three Existing Cloud Platforms
Google has hundreds of datacenters with over 460,000 servers. The platform consists of the server cluster, GFS, and datacenters [13]. In 2008, Google made 200 such clusters available for cloud applications. Data items are stored as text, images, and video, replicated to tolerate faults or failures. Google's AppEngine supports cloud and web applications. The cloud platform extends MapReduce [8] for upgraded web-scale cloud services.
IBM BlueCloud offers a total system solution to cloud computing. The system sells the entire server cluster plus open software like Apache Hadoop, and IBM-developed software packages for resource management and performance monitoring. BlueCloud offers limited scalability.
Amazon runs a global e-commerce platform that serves millions of customers. The elasticity in the Amazon cloud comes from the flexibility provided by the hardware and software services. EC2 provides an environment for running virtual servers on demand. S3 provides unlimited online storage space. Both EC2 and S3 are supported in Amazon Web Services (AWS) [1].
Table 2: Strength and Vulnerability of Three Commercial Cloud Platforms
Architecture and service models applied:
  Google Cloud Platform: Highly scalable server clusters, GFS, and datacenters operating with a SaaS model [17]
  IBM Blue Cloud: A server cluster with limited scalability for distributed problem solving and web-scale under a PaaS model [4]
  Amazon Elastic Cloud: A 2000-node utility cluster (iDataPlex) for distributed computing/storage services under the IaaS model [1]
Technology, virtualization, and reliability:
  Google Cloud Platform: Commodity hardware, application-level API, simple service, and high reliability
  IBM Blue Cloud: Custom hardware, open software, Hadoop library, virtualization with XEN and PowerVM, high reliability
  Amazon Elastic Cloud: e-commerce platform, virtualization based on XEN, and simple reliability
System vulnerability and security resilience:
  Google Cloud Platform: Datacenter security is loose, no copyright protection, Google rewrites desktop applications for the web
  IBM Blue Cloud: WebSphere-2 security, PowerVM could be tuned for security protection, and access control and VPN support
  Amazon Elastic Cloud: Relies on PKI and VPN for authentication and access control, lack of security defense mechanisms
B. Protection Desired by Cloud Users
We desire a software environment that provides many useful tools to build cloud applications over large datasets, in addition to MapReduce, BigTable, EC2, S3, Hadoop, AWS, AppEngine, and WebSphere2. We identify below 8 security and privacy features desired by cloud users:
(a) Customized extensions of MapReduce, BigTable, EC2, and S3 for personal use.
(b) Special APIs for authenticating users and sending email using commercial accounts.
(c) Cloud resources are accessed with security protocols like HTTPS or SSL.
(d) Fine-grain access control is desired to protect data integrity and deter intruders or hackers.
(e) Shared datasets are protected from malicious alteration, deletion, or copyright violation.
IV. SECURITY-AWARE CLOUD ARCHITECTURE
Risky cloud platforms have caused billions of dollars of loss in business and government services. A new security-aware cloud architecture is proposed in Fig. 2.
A. The Secure Cloud Architecture
An Internet cloud is envisioned as a massive cluster of servers. These servers are provisioned on demand to perform collective web services or distributed applications using datacenter resources. The cloud platform is formed dynamically by provisioning or de-provisioning servers, software, and database resources. Servers in the cloud can be physical machines or virtual machines. User interfaces are applied to request services. The provisioning tool carves out the systems from the cloud to deliver the requested service.
Figure 2: A trusted cloud architecture with secured cloud resources, including datasets for on-demand services (solid lines for data flows and dashed lines for control flows in trust management and security enforcement).
[Figure 2 components: Clients; The Internet; Resource Provisioning, Virtualization, Management, and User Interfaces; Services Catalogs; Security and Performance Monitoring; Cloud Platform: a virtual cluster of servers, software, and datasets provisioned for specific user applications; Trust Delegation and Reputation Systems for Cloud Resource Sites/Datacenters; Provider Server Clusters and Data Centers.]
B. Protection Mechanisms
Cloud security enforcement has many aspects. Malware-based attacks like worms, viruses, and DoS exploit system vulnerabilities and compromise system functionality or give intruders unauthorized access to critical information. Thus, security defense is needed in cloud systems to protect all cluster servers and datacenters, as listed below:
- Protection of servers from malicious software attacks like worms, viruses, and other malware.
- Protection of hypervisors or VM monitors from software-based attacks and vulnerabilities.
- Protection of VMs and monitors from service disruption and denial of service attacks.
- Protection of data and information from theft, corruption, and natural disasters.
- Providing authentication and authorized access to critical data and services.
We suggest in Table 3 five protection mechanisms to secure public clouds and datacenters. Malicious intrusions may destroy valuable hosts, network, and storage resources. Internet anomalies found in routers, gateways, and distributed hosts may stop cloud services. Details of these security mechanisms are given in subsequent sections.
Table 3: Security Protection Mechanisms for Public Clouds (mechanism: brief description and key references)
Trust delegation and negotiation: Cross certificates must be used to delegate trust across different PKI domains. Trust negotiation among different CSPs demands resolution of policy conflicts [27].
Worm containment and DDoS defense: Internet worm containment and distributed defense against DDoS attacks are necessary to secure all datacenters and cloud platforms [8].
Reputation system of resource sites: The reputation system could be built with P2P technology. One can build a hierarchy of reputation systems from datacenters to distributed file systems [30].
Fine-grain access control: This refers to fine-grain access control at the file or object level. This adds security protection beyond firewalls and intrusion detection systems [9].
Collusive piracy prevention: Piracy prevention achieved with peer collusion detection and content poisoning techniques [22].
V. VIRTUALIZATION FOR CLOUD SECURITY DEFENSE
Virtualization can enhance cloud security. But virtual machines (VMs) add an additional layer of software which could become a single point of failure. Virtualization techniques are elaborated below for security enhancement in open clouds.
A. Security via Virtualization
With virtualization, a single physical machine can be divided or partitioned into multiple VMs (e.g., server consolidation). This provides each VM with better security isolation: each partition is protected from the possibility of Denial of Service (DoS) attacks from other partitions, and security attacks in one VM are isolated and contained from affecting the other VMs.
Any software failure on one VM does not affect the operation of the other VMs. VM failures do not propagate to other VMs. Virtualization provides an extended computing stack, namely the hypervisor, which provides visibility into the guest OS with complete guest isolation. Thus the fault containment and failure isolation characteristics of VMs provide a more secure and robust environment.
B. Virtual Machines as a Sandbox
A sandbox can be defined as a security mechanism that provides a safe execution platform for running programs. Further, a sandbox can provide a tightly controlled set of resources for the guest operating systems, which allows defining a security test-bed to run untested code and programs from untrusted third-party vendors.
With virtualization, the VM is decoupled from the physical hardware. The entire VM can be represented as a software component and can be regarded as binary or digital data. This implies that the VM can be saved, cloned, encrypted, moved, or restored with ease. VMs enable higher availability and faster disaster recovery.
C. Defense against Intrusions and DDoS Attacks
Virtual machines for intrusion detection and DDoS defense could be designed to support distributed security enforcement [6]. We suggest live migration of VMs specifically designed for building a distributed intrusion detection system (DIDS). Multiple IDS virtual machines can be deployed at various resource sites including the datacenters [15].
DIDS design demands trust negotiation among PKI domains. Security policy conflicts must be resolved at design time and updated periodically. A defense scheme is needed to protect user data from server attacks. The user's private data must not be leaked to other users without permission. The Google platform essentially applies in-house software to protect resources. The Amazon EC2 applies HMAC and X.509 certificates in securing resources.
VI. DATA ACCESS CONTROL BY TRUST MANAGEMENT
We suggest fine-grain access control at the file level in datacenters. Trust among resource sites can be negotiated with non-conflicting security policies. To secure elastic resources, a reputation system is needed to safeguard scattered resource sites and datacenters. A site security index and user-access records must be maintained. We suggest four approaches to solving trust and security problems in clouds:
A. Trust and Reputation Management
We propose to build a hierarchy of DHT-based overlay networks for developing reputation systems for trust management on all datacenters used in a cloud application [14]. Figure 3 illustrates the security infrastructure needed to support personalized web search, distributed query processing, and communications demanded in most cloud services.
At the bottom is the overlay layer for reputation aggregation and probing colluders. At the top is the overlay layer for various security precautions: worm containment [14], intrusion detection [15], and content poisoning against DDoS attacks [8] and copyright violations [16]. We design the reputation system using the trust overlay network.
A hierarchy of P2P reputation systems is suggested to protect cloud resources at the site level and data objects at the file level. This demands both coarse-grain and fine-grain access control of shared resources. These reputation systems keep track of security breaches at all levels. The reputation system must be designed to benefit both cloud users and cloud providers.
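As an added illustration (not code from the paper or its authors), the following Python sketch models the two levels described above: peer feedback is aggregated into a site reputation scaled by a security index that decays with each recorded breach (the site-level check), and a file-level decision combines the object's ACL with the requesting user's access record (the fine-grain check). The weighted-mean aggregation, the thresholds, the neutral prior, and all site, user, and file names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Constructed example of the two-level scheme: a site-level reputation system (coarse
# grain) feeding a file-level access check (fine grain). Aggregation is a weighted mean
# of peer feedback, a simplification of the fuzzy/gossip aggregation the paper cites.

@dataclass
class Site:
    name: str
    feedback: Dict[str, float] = field(default_factory=dict)  # reporter -> rating in [0, 1]
    breaches: int = 0                                          # security breaches recorded

@dataclass
class DataObject:
    uid: str               # globally unique name (assumed "<site>/<path>" convention)
    site: str              # hosting datacenter
    acl: Set[str]          # users allowed at the file level
    min_user_trust: float  # fine-grain trust level required for access

class TrustManager:
    def __init__(self, site_names: Iterable[str], site_threshold: float = 0.6,
                 breach_decay: float = 0.5):
        self.sites: Dict[str, Site] = {n: Site(n) for n in site_names}
        self.site_threshold = site_threshold             # assumed coarse-grain cut-off
        self.breach_decay = breach_decay                 # security index halves per breach
        self.access_records: Dict[str, List[bool]] = {}  # user -> outcome per file access

    def report(self, reporter: str, target: str, rating: float) -> None:
        # a peer site rates another site after interacting with it
        self.sites[target].feedback[reporter] = max(0.0, min(1.0, rating))

    def record_access(self, user: str, legitimate: bool) -> None:
        # user-access record: True for a clean access, False for a detected violation
        self.access_records.setdefault(user, []).append(legitimate)

    def _raw_score(self, name: str) -> float:
        ratings = list(self.sites[name].feedback.values())
        return sum(ratings) / len(ratings) if ratings else 0.0

    def site_reputation(self, name: str) -> float:
        # peer ratings weighted by each reporter's own standing, scaled by a security
        # index that decays with every recorded breach at the rated site
        site = self.sites[name]
        if not site.feedback:
            return 0.0
        num = sum(self._raw_score(r) * v for r, v in site.feedback.items())
        den = sum(self._raw_score(r) for r in site.feedback)
        return (num / den if den else 0.0) * self.breach_decay ** site.breaches

    def user_trust(self, user: str) -> float:
        rec = self.access_records.get(user)
        return sum(rec) / len(rec) if rec else 0.5  # neutral prior for unknown users (assumed)

    def authorize(self, user: str, obj: DataObject) -> bool:
        if self.site_reputation(obj.site) < self.site_threshold:
            return False  # coarse grain: the hosting site itself is not reputable enough
        # fine grain: ACL membership plus the user's own access history
        return user in obj.acl and self.user_trust(user) >= obj.min_user_trust

def demo() -> Dict[str, bool]:
    # constructed sample data: three datacenters rating each other, two users with history
    tm = TrustManager(["dc-east", "dc-west", "dc-south"])
    ratings = {("dc-west", "dc-east"): 0.9, ("dc-south", "dc-east"): 0.8, ("dc-east", "dc-west"): 0.7,
               ("dc-south", "dc-west"): 0.9, ("dc-east", "dc-south"): 0.3, ("dc-west", "dc-south"): 0.2}
    for (reporter, target), rating in ratings.items():
        tm.report(reporter, target, rating)
    for ok in (True, True, True, True): tm.record_access("alice", ok)
    for ok in (True, False, False, True): tm.record_access("mallory", ok)
    payroll = DataObject("dc-east/payroll.csv", "dc-east", {"alice", "mallory"}, 0.7)
    mirror = DataObject("dc-south/payroll.csv", "dc-south", {"alice"}, 0.7)
    out = {"alice_east": tm.authorize("alice", payroll), "mallory_east": tm.authorize("mallory", payroll),
           "bob_east": tm.authorize("bob", payroll), "alice_south": tm.authorize("alice", mirror)}
    tm.sites["dc-east"].breaches += 1  # a breach at dc-east drops its security index to 0.5
    out["alice_east_after_breach"] = tm.authorize("alice", payroll)
    return out
```

Running demo() shows the coarse-grain check rejecting a poorly rated site (and a previously good site after a breach) regardless of the user, while the fine-grain check separates users by ACL membership and access history.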
B. Consistency of Replicated Data Items
Data objects used in cloud computing reside in multiple datacenters over a storage-area network (SAN). The distributed SAN optimizes for spatial locality. Data consistency is checked across multiple databases. Copyright protection [16] secures wide-area content distribution. To separate user data from specific application programs, we assume cloud applications are SaaS, by which the providers take the most responsibility in maintaining data integrity and consistency.
Users can switch among different services using their own data. Only the users have the keys to access the requested data. We need to support reliable data retrieval to or from the datacenters. The multiple-replica mechanism brings the benefit of higher data availability and faster data access. The data objects must be uniquely named to ensure global consistency. To ensure data consistency, unauthorized updates of data objects are prohibited.
C. Data Privacy in Public Clouds
Listed below are several methods to preserve data privacy in a public cloud:
(a) Put up cyber defense by securing the ISP or cloud service providers (CSP) from invading user privacy.
(b) Establish a privacy policy that is consistent with the CSP's policy. Cloud users must protect against identity theft, spyware, and web bugs.
(c) Apply spyware diagnostics, encryption methods, and automated spam, virus, and worm removers.
VII. CONCLUSIONS
We suggest extensive use of virtualization support for security enforcement in cloud or datacenter environments. We also propose to build a hierarchy of reputation systems to control datacenter access at the coarse-grain level and to limit data access at the fine-grain file-access level.
Figure 3: DHT-based trust management and security enforcement in cloud computing services.
[Figure 3 labels: Defense against Piracy or Network Attacks; Trust Integration/Negotiation over distributed cloud resource sites; User/Server Authentication, Access Authorization, Trust Delegation, Data Integrity Control; Distributed reputation aggregation and probing of piracy colluders; Trust Overlay over Cloud/Datacenters; Reputation aggregation and integration; Terminate DDoS Attacks, Penalize Pirates; Distributed defense against worms, DDoS attacks, and copyright violations; Anomaly Detection, Misuse Detection, Signature Update, Invoke Response, Alert vulnerable hosts; DDoS defense and Piracy prevention, Hybrid intrusion detection, Worm containment.]
This paper presented an integrated cloud architecture to reinforce security and privacy in cloud applications. All proposed security features and trust management schemes are still in the early development stage. We call for extended research initiatives by both academia and the IT industry to transform cloud services into truly trusted practices.
Several security mechanisms are suggested to reinforce public clouds. These mechanisms are crucial to the universal acceptance of web-scale cloud computing in personal, business, and government applications. Internet clouds are certainly in line with the goal of IT globalization. However, interoperability and common cloud standards are still wide open problems.
Acknowledgements: We would like to thank the partial support of this research work by the National Natural Science Foundation of China under grant 60903208, the Major Research Equipment Development Plan of the Chinese Academy of Sciences under grant YZ200824, and the National Basic Research Program of China under the 973 Program 2004CB318202.
REFERENCES
[1] Amazon, "Elastic Compute Cloud (EC2)", http://en.wikipedia.org/wiki/Amazon_Elastic_Compute_Cloud
[2] M. Armbrust, et al., "Above the Clouds: A Berkeley View of Cloud Computing", UC Berkeley, Feb. 2009.
[3] G. Boss, P. Malladi, et al., "Cloud Computing - The BlueCloud Project", www.ibm.com/developerworks/websphere/zones/hipods/, Oct. 2 0
[4] R. Buyya, C. S. Yeo, and S. Venugopal, "Market-Oriented Cloud Computing: Vision, Hype, and Reality for Delivering IT Services as Computing Utilities", 10th IEEE Int'l Conf. on High Perf. Computing and Comm., Sept. 2008.
[5] A. Cavoukian, "Privacy in the Clouds", http://www.ipc.on.ca/images/Resources%5Cprivacyintheclouds.pdf
[6] Y. Chen, K. Hwang, and W. S. Ku, "Collaborative Detection of DDoS Attacks over Multiple Network Domains", IEEE Trans. on Parallel and Distributed Systems, Vol. 18, No. 12, Dec. 2007, pp. 1649-1662.
[7] Cloud Security Alliance, "Security Guidance for Critical Areas of Focus in Cloud Computing", April 2009.
[8] A. Costanzo, M. Assuncao, and R. Buyya, "Harnessing Cloud Technologies for a Virtualized Distributed Computing Infrastructure", IEEE Internet Computing, Sept. 2009.
[9] J. Dean and S. Ghemawat, "MapReduce: Simplified Data Processing on Large Clusters", Proc. of the 6th Symp. on Operating Systems Design & Implementation (OSDI), August 2004.
[10] Q. Y. Feng, K. Hwang, and Y. Dai, "Rainbow Product Ranking for Upgrading e-Commerce", IEEE Internet Computing, Sept. 2009.
[11] I. Foster, Y. Zhao, I. Raicu, and S. Lu, "Cloud Computing and Grid Computing 360-Degree Compared", Grid Computing Environments Workshop, 12-16 Nov. 2008.
[12] J. Girard and J. Pescatore, "Teleworking in Cloud: Security Risks and Services", A Gartner Report, May 15, 2009.
[13] Google, Inc., "Google and the Wisdom of Clouds", http://www.businessweek.com/magazine/content/0 5 /b 0 4 4 9 5 3 htm
[14] R. He, J. Niu, M. Yuan, and J. Hu, "A Novel Cloud-Based Trust Model for Pervasive Computing", The Fourth International Conference on Computer and Information Technology, Sept. 14-16, 2004, pp. 693-700.
[15] J. Heiser, "What You Need to Know about Cloud Computing Security and Compliance", A Gartner Report, July 13, 2009.
[16] C. Hoffa, et al., "On the Use of Cloud Computing for Scientific Workflows", IEEE Fourth Int'l Conf. on eScience, Dec. 2008.
[17] K. Hwang, et al., "Security Binding and Worm/DDoS Defense Infrastructure for Trusted Grid Computing", Int'l Journal of Critical Infrastructures, Vol. 2, No. 4, 2005.
[18] K. Hwang, et al., "Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes", IEEE Trans. on Dependable and Secure Computing, Vol. 4, No. 1, Jan.-March 2007, pp. 41-55.
[19] X. Lou and K. Hwang, "Collusive Piracy Prevention in P2P Content Delivery Networks", IEEE Trans. on Computers, July 2009.
[20] M. Rosenblum and T. Garfinkel, "Virtual Machine Monitors: Current Technology and Future Trends", IEEE Computer, May 2005, pp. 39-47.
[21] S. Song, K. Hwang, R. Zhou, and Y. K. Kwok, "Trusted P2P Transactions with Fuzzy Reputation Aggregation", IEEE Internet Computing, Special Issue on Security for P2P and Ad Hoc Networks, Nov./Dec. 2005, pp. 24-34.
[22] B. Sotomayor, et al., "Virtual Infrastructure Management in Private and Hybrid Clouds", IEEE Internet Computing, Sept. 2009.
[23] J. Viega, "Cloud Computing and the Common Man", IEEE Computer Magazine, Aug. 2009, pp. 106-108.
[24] K. Vlitalo and Y. Kortesniemi, "Privacy in Distributed Reputation Management", Workshop of the 1st International Conference on Security and Privacy for Emerging Areas in Communication Networks, Sept. 2005, pp. 63-71.
[25] R. Zhou, K. Hwang, et al., "GossipTrust for Fast Reputation Aggregation in Peer-to-Peer Networks", IEEE Trans. on Knowledge and Data Engineering (TKDE), Sept. 2008.