Introducing a Hybrid Infrastructure and Information-Centric Approach for Secure Cloud Computing

Conference Paper · March 2015
DOI: 10.1109/WAINA.2015.80


Mahdi Aiash and Robert Colson
School of Science and Technology, Middlesex University, London, UK
Email: M.Aiash, R.Colson@mdx.ac.uk

Mohammad Muneer Kallash
University of Kalamoon, Syrian Arab Republic
Email: M.Kallash@hotmail.com

Abstract—Security has been considered the key concern in adopting cloud computing. This can be ascribed to customers' lack of control over their confidential data once it is in the cloud and to the absence of trust in cloud providers. Unfortunately, research efforts in the area of cloud security have not yet succeeded in giving cloud customers the required "peace of mind". Therefore, in an attempt to identify the main loopholes in cloud security, this paper questions the fundamental principles of the security approaches used in the cloud. The paper highlights two main drawbacks: the first is due to potential incompatibility among security measures, while the other is due to the focus on securing the infrastructure rather than the data itself. The paper therefore advocates the need for integrating information-centric security approaches, and presents a novel security framework that adopts both infrastructure- and information-centric security services.

I. INTRODUCTION

Cloud computing is no longer on the cutting edge of technology adoption, according to a study by RightScale in March 2013 [2]. The study covered 625 technical organizations and showed that three-quarters of the respondents were deploying cloud and virtualization-based solutions. Other studies such as the ones in [3] and [4] show similar figures and highlight the main outstanding concerns about deploying virtualization and adopting cloud-based solutions. One major concern relates to security challenges in the cloud. There are also other challenges such as governance/control, integration with internal systems and lack of expertise [2]. In terms of cloud security, data and information protection seems to be a real source of confusion. From the clients' perspective, once data moves into the cloud, maintaining data security becomes the responsibility of the cloud provider. However, cloud providers cannot guarantee such a level of assurance; e.g. Amazon in its web contract states that "we strive to keep your content secure, but cannot guarantee that we will be successful at doing so" [5].

The authors believe that such uncertainty is due to the fact that data centres and cloud providers are not fully aware of the potential security threats surrounding their business; they follow a tactical approach where security measures are deployed as separate silos in reaction to security breaches, which in turn might lead to incompatibility between the different security measures already in place. Furthermore, influenced by the traditional approach to addressing security in the current Internet, the current solutions for securing cloud computing are Infrastructure-Centric: the main focus is to secure the infrastructure in terms of hosting machines, virtual hosts and the communications among them. However, considering the multi-tenancy and open nature of the cloud as well as the mobility of sensitive data across different platforms, Infrastructure-Centric solutions, on their own, might not be the ideal solution for cloud security.

This situation highlights the fact that, in order to leverage the benefits of the cloud while maintaining data confidentiality, a novel approach to cloud security is needed. Influenced by the emergence of new internetworking domains such as Information-Centric Networks [7], the idea of integrating Information-Centric security techniques for secure cloud computing has been discussed in a number of research papers such as [8] and [9] as well as in technical and white papers such as [5], [6]. With the Information-Centric security approach, the focus is to protect data (rather than the infrastructure) at rest and on the move across operating systems and computing platforms.

While not dismissing the importance of Infrastructure-based security measures, the authors are of the opinion that Information-Centric security solutions offer interesting functionalities. Therefore, this paper introduces a hybrid framework that involves both infrastructure and information security solutions and thus defends against a wide spectrum of security threats. The rest of this paper is organized as follows: Section II briefly describes the reference model of cloud computing. Section III defines the main drawbacks of current security approaches in the cloud. The hybrid security framework is presented in Section IV, and the paper concludes in Section V.

II. CLOUD COMPUTING REFERENCE MODEL

"Cloud Computing is a type of parallel and distributed system consisting of a collection of interconnected and virtualized computers that are dynamically provisioned and presented as one or more unified computing resources based on a service-level agreement" [10]. As shown in Fig. 1, cloud computing comprises the following computing services at both hardware and software levels.
Fig. 1. Cloud Computing Architecture. [10]

• Infrastructure as a Service (IaaS): provides the infrastructural components in terms of processing, storage and networking. It uses virtualization techniques to provide multi-tenancy, scalability and isolation; different virtual machines can be allocated to a single physical machine known as the host. Examples of such services are Amazon S3, EC2 and OpenNebula [11] [12].

• Platform as a Service (PaaS): provides the service of running applications without the hassle of maintaining the hardware and software infrastructure of the IaaS. Google App Engine and Microsoft Azure [13] are examples of PaaS.

• Software as a Service (SaaS): is a model of software deployment that enables end-users to run their software and applications on demand. Examples of Software as a Service are Salesforce.com and Clarizen.com.

III. PROBLEM DEFINITION

Until recently, most companies and organizations stored their confidential and sensitive data in physically separated data centres on their own premises. However, with the increasing deployment of cloud computing and cloud-based services, more companies are turning to the cloud as an alternative for data storage and software-as-a-service (SaaS) solutions. Scalability, allocation of resources and hassle-free management are among the main advantages of this new business model. However, one of the main concerns with this model is the lack of control over the cloud environment that hosts the data. This is manifested in two ways:

• Firstly, once data is moved onto the cloud, privileged cloud administrators have access to cloud-hosted data and systems as part of their maintenance and support duties [6]. This is a fundamental risk to data secrecy and confidentiality.

• Secondly, with emerging trends in cloud computing such as Mobile Cloud Computing (MCC) [14] and virtual machine live migration (LM) [15], cloud-based services, along with the stored information, are being transferred across external platforms which might not comply with the security policies of the cloud provider.

The reaction to these security threats seems to have been manifested in two approaches. The first is adopting a tactical security approach that addresses discrete threats in a series of isolated solutions. Consequently, the more valuable and sensitive the data, the more security layers have to be implemented. This approach can be costly and difficult to manage. It also does not offer the benefits of an integrated, modular defensive solution. In the second approach, the majority of security measures are Infrastructure-Centric, where the focus is to secure the infrastructure and the hardware as a way to protect data. Thus, mechanisms like firewalls, Access Control Lists and physical security measures have been widely deployed. The fact that data might be transferred outside the cloud provider's realm implies that Infrastructure-Centric security is not sufficient on its own. Information and data security should be preserved wherever data flows, rather than being dependent on the security of the hosting infrastructure.

The above observations highlight the need for a new model where security is completely integrated with the data while it moves freely. In this model data needs to be securely stored at any cloud provider and securely accessible over any network or medium. While we share the views of other work in the literature in advocating the need for a more Information-Centric security approach, we believe that infrastructure security is still crucial to mitigate attacks against services and information availability such as Denial of Service attacks. Therefore, in the following section, a hybrid security framework will be introduced which combines both Information- and Infrastructure-Centric security approaches.

IV. THE HYBRID SECURITY FRAMEWORK

The authors believe that in order to get the full potential of cloud computing, customers need to be able to trust the cloud providers holding their data. Therefore, reflecting on the reference model of cloud computing and the security threats discussed in Sections II and III, respectively, this section proposes a novel security framework for cloud computing to support the required level of trust. Our view of trust involves three main dimensions:

1) Information Security: This dimension focuses mainly on meeting information Confidentiality, Integrity and Availability, known as the CIA triad.
2) Access Control: This dimension controls when, where and by whom data can be accessed. It also supports issues like incident detection and monitoring.
3) Compliance and Service-Level Management: This dimension is concerned with enforcing the service-level agreements between the different parties and with conforming to standards, regulations and industry requirements [16].

A. The Framework Structure

The new framework is shown in Figure 2 and comprises the following modules.

Fig. 2. The Hybrid Security Framework for Cloud Computing.

• The Infrastructure Module: This module consists of the building blocks of the data centre, which are related to the following fields:

◦ Networking: This includes networking elements such as virtual switches (vSwitch), Data Center Ethernet and Enhanced Ethernet technologies such as Fibre Channel over Ethernet (FCoE) [16] for communications with the Storage Area Network (SAN).

◦ Storage: It is crucial to secure data from accidental or malicious disclosure. Hence, SAN security should be carefully considered and then implemented in accordance with applicable security policies. Therefore, this module will support features such as secure Fibre Channel (FC) SAN [17], which secures data transfer between SAN storage and servers. Furthermore, in order to limit access to the SAN storage, zoning techniques and Logical Unit Number (LUN) masking [18] could be used.

◦ Computing: With the increasing need for secure applications and software, most of the cryptographic processing will take place on the cloud side using dedicated co-processors on the storage media. Techniques like On-Board Data Processing or On-Board Data Handling [19] will make cryptographic computation more ubiquitous and bring it into the core of the storage media.

• The Object Storage and Data Services Module: Two main storage technologies have been proposed to facilitate data storage in the cloud [20].

1) Network-Attached Storage (NAS): In this system, dedicated storage nodes, organized in clusters and equipped with special operating systems, are used to store data.
2) Object-Based Storage: Storage technologies based on NAS or SAN storage have two major drawbacks. Firstly, they do not scale to the ever-increasing volume of data; these clustered storage systems have the potential to manage petabytes of data across more than 100 nodes. Secondly, they are traditional file storage systems which follow a hierarchical address space to identify data files. Consequently, accessing data files requires heavy management and incurs delay; hence the concept of Object Storage came about. With Object Storage, data files are stored in discrete units of storage called objects. Every object exists at the same level in a flat address space called a storage pool, and one object cannot be placed inside another object. Each object is given a unique identifier in the form of a hashed value, and is attached to extended metadata that defines its history and current status.

Considering these storage technologies, this module will benefit from the features of Object Storage while supporting backward compatibility with traditional storage. Therefore, the module is concerned with discovering data repositories, tagging and classifying sensitive data for policy enforcement, as well as data tracking, as explained below:

◦ Data Tagging: Not all information stored in the cloud will have the same sensitivity, and hence a uniform level of security is not advantageous. Therefore, this service discovers data repositories and tags data based on information included in the metadata or on a predefined pattern. At the end of the tagging stage, data should be identified and uniquely addressed.

◦ Data Classification: Once data is tagged, the tags will be embedded in the metadata and accompany the data at rest and in transit. Information in the tags will define categories for data with regard to its sensitivity and will tell servers and devices what actions need to be taken. This arrangement will enable data-level policy enforcement based on the information and instructions included in the tags.

◦ Data Tracking: Cloud computing supports data mobility across platforms and between data centres. However, in the case of confidential data, it is crucial to know when data is changed and where it moves to. The tags of confidential data will be stored in a database. Supported by strong visualization and data analysis tools, data centre administrators and data privacy officers could have a real-time map of data history and flow. An example of such tools is the Privacy-Preserving Analytics (PPA) [21] developed by CSIRO to analyse personal or commercially sensitive data while protecting confidentiality and privacy.

• The Management Services Module: This module has two interfaces. The first is with the Access Services Module and defines services for monitoring and enforcing security policies such as role-based access policies and policies for managing cryptographic keys and digital certificates. The second is with the Data Services Module, which gathers information about the health and status of data for analysis.

• The Access Services Module: This module provides services for:
◦ User Authentication and Auditing Services: These services define who is allowed to access data; they identify cloud customers and provide an audit trail.

◦ User Authorization Service: After authenticating users, this service defines what users can do with data.

The authentication and authorization policies are defined by the Management Services Module and passed up to the Access Services Module, which invokes technologies for access enforcement.

• The Threat Profile Module: This module portrays the threat model across the four aforementioned core modules; the main motivation is that security should not be an afterthought or a single building block; it should be pervasively implemented across all modules of the architecture. This module highlights threats such as data leakage and disclosure, intrusion and takeover, denial of service, identity theft and impersonation. Newly defined threats will be fed into the Management Services Module.

• The Compliance and Service-Level Agreement Module: This module shows the overarching controls, compliance, and SLA components. This module should address issues like:

◦ Specifying SLA metrics in an unambiguous way that is accessible to both cloud providers and users [22].

◦ Auditing and assessing security and risk requirements and making sure they address compliance requirements. The Security Compliance Manager (SCM) is an example of such a service [23]. SCM provides ready-to-deploy policies based on Microsoft security guide recommendations and industry best practices.
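The Data Tagging, Data Classification, Data Tracking and Access Services descriptions above, as an added example that is not part of the original paper: a small Python model of an object store in which each object gets a content-hash identifier, a sensitivity tag derived either from a metadata hint or from predefined content patterns, and an HMAC that binds the tag to the object identifier so that a relabelled or stripped tag is detected before any policy decision is taken. Read and migrate decisions are then driven by the object's own tags under a role policy, and every attempt is appended to the object's history. The patterns, roles, policy table and key below are constructed assumptions for the example, not anything the paper specifies.

```python
import hashlib
import hmac
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Predefined content patterns for the tagging stage. These two are constructed
# for the example; a real deployment would carry its own classification rules.
SENSITIVE_PATTERNS = {
    "pii": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),             # US SSN-like identifier
    "financial": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),   # payment-card-like number
}

# Role-based policy as the Management Services Module would hand it to the
# Access Services Module: (sensitivity, action) -> roles allowed to act.
POLICY = {
    ("public", "read"): {"user", "analyst", "admin"},
    ("public", "migrate"): {"admin"},
    ("confidential", "read"): {"analyst", "admin"},
    ("confidential", "migrate"): set(),  # never leaves the provider's realm, not even for admins
}


@dataclass
class StoredObject:
    oid: str                 # flat-namespace identifier: SHA-256 of the payload
    payload: bytes
    tags: Dict[str, object]  # sensitivity and handling instructions that travel with the data
    tag_mac: str             # HMAC binding the tags to this oid under the management module's key
    history: List[Dict[str, str]] = field(default_factory=list)  # data-tracking log


def _mac(oid: str, tags: Dict[str, object], key: bytes) -> str:
    """Canonical HMAC over (oid, tags) so a relabelled or copied tag set is detectable."""
    msg = oid.encode() + b"\n" + json.dumps(tags, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def tag_object(payload: bytes, metadata_hint: Optional[str], key: bytes) -> StoredObject:
    """Data Tagging + Classification: derive tags from a metadata hint or from
    predefined patterns, then bind them to the content-addressed object id."""
    text = payload.decode("utf-8", errors="replace")
    categories = sorted(name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(text))
    if metadata_hint == "confidential" or categories:
        tags = {"sensitivity": "confidential", "categories": categories, "encrypt_in_transit": True}
    else:
        tags = {"sensitivity": "public", "categories": [], "encrypt_in_transit": False}
    oid = hashlib.sha256(payload).hexdigest()
    obj = StoredObject(oid=oid, payload=payload, tags=tags, tag_mac=_mac(oid, tags, key))
    obj.history.append({"event": "tagged", "sensitivity": tags["sensitivity"]})
    return obj


def tags_intact(obj: StoredObject, key: bytes) -> bool:
    """Classification check: refuse to act on tags that have been altered or stripped."""
    return hmac.compare_digest(obj.tag_mac, _mac(obj.oid, obj.tags, key))


def authorize(obj: StoredObject, principal: str, role: str, action: str,
              key: bytes, destination: str = "") -> Tuple[bool, str]:
    """Access Services: authorization decision driven by the object's own tags,
    with every decision appended to the object's tracking history (audit trail)."""
    if not tags_intact(obj, key):
        verdict, reason = False, "tag integrity failure"
    elif role in POLICY.get((obj.tags["sensitivity"], action), set()):
        verdict, reason = True, "allowed by policy"
    else:
        verdict, reason = False, "denied by policy"
    obj.history.append({"event": action, "by": f"{principal}:{role}",
                        "to": destination, "result": reason})
    return verdict, reason


def migrate(obj: StoredObject, principal: str, role: str, destination: str, key: bytes) -> bool:
    """Data Tracking: a move to another platform only proceeds if the tags allow it,
    and the attempt is recorded either way."""
    ok, _ = authorize(obj, principal, role, "migrate", key, destination)
    return ok


if __name__ == "__main__":
    key = b"management-module-key"  # constructed; in practice held by the key-management service
    record = tag_object(b"customer 4111 1111 1111 1111 ordered item 7", None, key)
    print(record.oid[:16], record.tags)
    print(authorize(record, "bob", "user", "read", key))
    record.tags["sensitivity"] = "public"  # a privileged administrator relabels the object
    print(authorize(record, "bob", "user", "read", key))
```

Two points a practitioner would add when deploying something like this: the MAC key has to live with the Management Services Module (or its key-management service), not on the storage platform, otherwise the privileged administrator of Section III can simply re-sign a relabelled tag; and a tag only decides what may happen to the data, it does not by itself keep the payload confidential, which still requires encryption under keys the provider's administrators do not hold.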
V. CONCLUSION

Although security in the cloud environment has been extensively investigated by research groups, security and trust still seem to be the main issues discouraging customers from fully adopting cloud solutions. This paper discusses the fundamental principles of the current approach to securing the cloud and highlights major concerns. One key issue is that current approaches focus on addressing security incidents in an isolated manner and mainly target securing the environment's infrastructure. The paper therefore advocates shifting towards more Information-Centric security measures and hence presents a new hybrid framework that combines both Information- and Infrastructure-Centric measures. Work has already started on designing and validating new underlying mechanisms and protocols for the proposed framework, as well as on designing the interfaces between them.

REFERENCES

[1] RightScale. The Cloud Value Imperative: How Cloud Maturity Unlocks Cloud Value. http://pt.slideshare.net/arms8586/rightscale-state-of-the-cloud-report-2013, 2013. [Last accessed 30.08.2014].
[2] CDW LLC. CDW's 2013 State of The Cloud Report. http://www.cdwnewsroom.com/wp-content/uploads/2013/02/CDW_2013_State_of_The_Cloud_Report_021113_FINAL.pdf, 2013. [Last accessed 30.08.2014].
[3] S. Florentine and T. Olavsrud. 2014 Forecast for Cloud Computing. http://www.computerworld.com/s/article/9245094/2014_Forecast_for_Cloud_Computing, 2013. [Last accessed 30.08.2014].
[4] D. Kelley. How Data-Centric Protection Increases Security in Cloud Computing and Virtualization. https://cloudsecurityalliance.org/wp-content/uploads/2011/11/DataCentricProtection_intheCloud.pdf. [Last accessed 30.08.2014].
[5] M. Bowker and S. Analyst. VMware Mobile Secure Workplace. White Paper, ESG: The Enterprise Strategy Group, Inc., 2013. http://www.vmware.com/files/pdf/view/ESG-VMware-View-Mobile-Secure-Desktop-WP.pdf. [Last accessed 30.08.2014].
[6] B. Ahlgren, C. Dannewitz, C. Imbrenda, D. Kutscher, B. Ohlman. A survey of information-centric networking. IEEE Communications Magazine, 2012. doi:10.1109/mcom.2012.6231276.
[7] G. Mapp, M. Aiash, B. Ondiege, M. Clarke. Exploring a New Security Framework for Cloud Storage Using Capabilities. International Workshop on Cyber Security and Cloud Computing, 2014.
[8] B. Ohlman, A. Eriksson, R. Rembarz. What Networking of Information Can Do for Cloud Computing. WETICE '09, 18th IEEE International Workshops on Enabling Technologies: Infrastructures for Collaborative Enterprises, 2009.
[9] D. Duncan, X. Chu, C. Vecchiola, and R. Buyya. The Structure of the New IT Frontier: Cloud Computing Part I. http://www.buyya.com/papers/AnekaMagazineArticle1.pdf, 2009.
[10] J. Varia, S. Mathew. Overview of Amazon Web Services. https://d36cz9buwru1tt.cloudfront.net/AWS_Overview.pdf, 2014.
[11] I. Llorente. OpenNebula: Enabling Business in the Cloud. http://www.slideshare.net/opennebula/opennebula-enabling-business-in-cloud-fia-2014, 2014.
[12] M. Tulloch. Introducing Windows Azure. Microsoft, 2013.
[13] N. Fernando, S.W. Loke, W. Rahayu. Mobile cloud computing: A survey. Future Generation Computer Systems, Volume 29, 2013.
[14] J. Siniti, F. Jiffry, M. Aiash. Investigating the Impact of Live Migration on the Network Infrastructure in Enterprise Environments. In Proceedings of the 28th IEEE International Conference on Advanced Information Networking and Applications (AINA-2014), 2014.
[15] Cisco Systems, Inc. Cisco Cloud Computing - Data Center Strategy, Architecture, and Solutions. http://www.cisco.com/web/strategy/docs/gov/CiscoCloudComputing_WP.pdf, 2009.
[16] M. Haron. Is Your Storage Area Network Secure? An Overview of Storage Area Network from Security Perspective. http://www.sans.org/reading-room/whitepapers/storage/storage-area-network-secure-overview-storage-area-network-security-perspective-516, 2009.
[17] B. King. LUN Masking in a SAN. QLogic Communications, Inc. http://docs.vlas.co.uk/library2/Qlogic/wp/whitepaper.lunmasking.pdf, 2001.
[18] B. G. Evans, I. E. Casewell and A. D. Craig. An on-board processing satellite payload for European mobile communications. International Journal of Satellite Communications, 1987. DOI 10.1002/sat.4600050208.
[19] M. Mesnier, G.R. Ganger, E. Riedel. Object-based storage. IEEE Communications Magazine, 2003.
[20] CSIRO. Privacy-Preserving Analytics: software for analysing confidential data. http://www.csiro.au/solutions/PPA.
[21] N. J. Dingle, W. J. Knottenbelt, L. Wang. Service Level Agreement Specification, Compliance Prediction and Monitoring with Performance Trees. 22nd Annual European Simulation and Modelling Conference (ESM'08), 2008.
[22] Microsoft. Microsoft Security Compliance Manager. http://technet.microsoft.com/en-us/library/cc677002.aspx, 2013.
