Bringing Visibility in the Clouds: using Security, Transparency and Assurance Services
Mälardalens högskola, Akademin för innovation, design och teknik. Mälardalens högskola, Akademin för innovation, design och teknik, Inbyggda system. ORCID iD: 0000-0003-3223-4234
2014 (English) Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

The evolution of cloud computing allows the provisioning of IT resources over the Internet and promises many benefits for both the service users and providers. Despite the various benefits offered by cloud based services, many users hesitate to move their IT systems to the cloud, mainly due to the many new security problems introduced by cloud environments. In fact, the characteristics of cloud computing become the basis of new problems: for example, support of third party hosting introduces loss of user control over the hardware; similarly, on-demand availability requires reliance on complex and possibly insecure API interfaces; seamless scalability relies on the use of sub-providers; global access over the public Internet exposes a broader attack surface; and use of shared resources for better resource utilization introduces isolation problems in a multi-tenant environment. These new security issues, in addition to existing security challenges (that exist in today's classic IT environments), become major reasons for the lack of user trust in cloud based services categorized as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) or Infrastructure-as-a-Service (IaaS).

The focus of this thesis is on the IaaS model, which allows users to lease IT resources (e.g. computing power, memory, storage, etc.) from a public cloud to create Virtual Machine (VM) instances. The public cloud deployment model considered in this thesis exhibits the most elasticity (i.e. degree of freedom to lease/release IT resources according to user demand) but is the least secure compared to private or hybrid models. As a result, public clouds are not trusted for many use cases which involve processing of security critical data such as health records, financial data, government data, etc. However, public IaaS clouds can also be made trustworthy and viable for these use cases by providing better transparency and security assurance services for the user. In this thesis, we consider such assurance services and identify security aspects which are important for making public clouds trustworthy. Based upon our findings, we propose solutions which promise to improve cloud transparency, thereby realizing trustworthy clouds.

The solutions presented in this thesis mainly deal with the secure life cycle management of the user VM, which includes protocols and their implementation for secure VM launch and migration. The VM launch and migration solutions ensure that the user VM is always hosted on correct cloud platforms which are set up according to a profile that fulfills the use case relevant security requirements. This is done by using an automated platform security audit and certification mechanism which uses trusted computing and security automation techniques in an integrated solution. In addition to providing assurance about the cloud platforms, we also propose a solution which provides assurance about the placement of user data in correct and approved geographical locations, which is critical from many legal aspects and usually an important requirement of the user. Finally, the assurance solutions provided in this thesis increase cloud transparency, which is important for user trust and to realize trustworthy clouds.

Place, publisher, year, edition, pages
Västerås: Mälardalen University, 2014.
Series
Mälardalen University Press Dissertations, ISSN 1651-4238; 161
Keywords [en]
Cloud Security, Trusted Computing, Trustworthy Clouds, Cloud Audits, Security Automation, SCAP, Virtual Machine
National Category
Computer Systems
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:mdh:diva-25376 ISBN: 978-91-7485-156-4 (print) OAI: oai:DiVA.org:mdh-25376 DiVA, id: diva2:728448
Public defence
2014-09-05, Kappa, Mälardalen University, Västerås, 10:00 (English)
Opponent
Supervisors
Available from: 2014-06-24 Created: 2014-06-24 Last updated: 2014-08-20 Bibliographically approved
List of papers
1. Trusted Geolocation Aware Data Placement in Infrastructure Clouds
2014 (English) In: 13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications IEEE TrustCom-14, Beijing, China, 2014. Conference paper, Published paper (Refereed)
Place, publisher, year, edition, pages
Beijing, China, 2014
National Category
Engineering and Technology
Identifiers
urn:nbn:se:mdh:diva-25192 (URN)
Conference
13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications IEEE TrustCom-14, 24 Sep 2014, Beijing, China
Available from: 2014-06-05 Created: 2014-06-05 Last updated: 2014-12-29 Bibliographically approved
2. ASArP: Automated Security Assessment & Audit of Remote Platforms: using TCG-SCAP synergies
2015 (English) In: Journal of Internet Services and Applications JISA-14, ISSN 1869-0238, Vol. 22, p. 28-39. Article in journal (Refereed) Published
Abstract [en]

Many enterprise solutions today are built upon complex distributed systems which are accessible to the users globally. Due to this global access, the security of the host platforms becomes critical. The platform administrators use security automation techniques such as those provided by Security Content Automation Protocol (SCAP) standards to protect the systems from the vulnerabilities that are reported daily; furthermore, they are responsible for keeping their systems compliant to the relevant security recommendations (governmental or industrial). Additionally, third party audit and certification processes are used to increase user trust in enterprise solutions. However, traditional audit and certification mechanisms are not continuous, that is, not frequent enough to deal with the daily reported vulnerabilities, and for that matter even auditors expect platform administrators to keep the systems updated. As a result, the end user is also forced to trust the platform administrators about the latest state of the platform. In this paper we develop an automated security audit and certification system (ASArP) which can be used by platform users or by third party auditors. We use security automation techniques for continuous monitoring of the platform security posture and make the results trustworthy by using trusted computing (TCG) techniques. The prototype development of ASArP validates the implementation feasibility; it also provides performance benchmarks which show that the ASArP based audit and certification can be done much more frequently (e.g. daily or weekly). The feasibility of ASArP based continuous audits is significantly better than traditional platform audits which are dependent on the physical presence of the auditors, thus making frequent audits much more expensive and operationally infeasible.

Place, publisher, year, edition, pages
United Kingdom, 2015
National Category
Engineering and Technology; Electrical Engineering and Electronics
Identifiers
urn:nbn:se:mdh:diva-25191 (URN) 10.1016/j.jisa.2014.09.001 (DOI) 000362220400004 () 2-s2.0-84951909927 (Scopus ID)
Available from: 2014-06-05 Created: 2014-06-05 Last updated: 2018-01-26 Bibliographically approved
3. Security and Trust Preserving VM Migrations in Public Clouds
2012 (English) In: Proceedings of the 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom-2012), IEEE Computer Society Digital Library, 2012, p. 869-876. Conference paper, Oral presentation only (Refereed)
Abstract [en]

In this paper we consider the security and trust implications of virtual machine (VM) migration from one cloud platform to the other in an Infrastructure-as-a-Service (IaaS) cloud service model. We show how to extend and complement previous Trusted Computing techniques for secure VM launch to also cover the VM migration case. In particular, we propose a Trust_Token based VM migration protocol which guarantees that the user VM can only be migrated to a trustworthy cloud platform. Different from previous schemes, our solution is not dependent on an active (on-line) trusted third party. We show how our proposed mechanisms fulfill major security and trust requirements for secure VM migration in cloud environments.

Place, publisher, year, edition, pages
IEEE Computer Society Digital Library, 2012
Keywords
VM migration, trusted platforms, cloud security, IaaS, TPM
National Category
Electrical Engineering and Electronics
Research subject
Computer Science
Identifiers
urn:nbn:se:mdh:diva-15239 (URN) 10.1109/TrustCom.2012.256 (DOI) 2-s2.0-84868116561 (Scopus ID) 978-0-7695-4745-9 (ISBN)
Conference
2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Liverpool, UK, 25-27 June 2012
Funder
VINNOVA
Available from: 2012-09-06 Created: 2012-09-06 Last updated: 2016-05-17 Bibliographically approved
4. Trusted Launch of Virtual Machine Instances in Public IaaS Environments
2012 (English) In: Lecture Notes in Computer Science, vol 7839: Information Security and Cryptology – ICISC 2012, Springer Berlin Heidelberg, 2012, p. 309-323. Chapter in book, part of anthology (Refereed)
Abstract [en]

Cloud computing and Infrastructure-as-a-Service (IaaS) are emerging and promising technologies; however, their adoption is hampered by data security concerns. At the same time, Trusted Computing (TC) is experiencing an increasing interest as a security mechanism for IaaS. In this paper we present a protocol to ensure the launch of a virtual machine (VM) instance on a trusted remote compute host. Relying on Trusted Platform Module operations such as binding and sealing to provide integrity guarantees for clients that require a trusted VM launch, we have designed a trusted launch protocol for VM instances in public IaaS environments. We also present a proof-of-concept implementation of the protocol based on OpenStack, an open-source IaaS platform. The results provide a basis for the use of TC mechanisms within IaaS platforms and pave the way for a wider applicability of TC to IaaS security.

Place, publisher, year, edition, pages
Springer Berlin Heidelberg, 2012
Series
Lecture Notes in Computer Science, ISSN 0302-9743; 7839
National Category
Engineering and Technology
Identifiers
urn:nbn:se:mdh:diva-22269 (URN) 10.1007/978-3-642-37682-5_22 (DOI) 978-3-642-37681-8 (ISBN)
Conference
15th International Conference, Seoul, Korea, November 28-30, 2012
Note

15th International Conference, Seoul, Korea, November 28-30, 2012, Revised Selected Papers

Available from: 2013-11-03 Created: 2013-10-31 Last updated: 2014-06-24 Bibliographically approved
5. Securely Launching Virtual Machines on Trustworthy Platforms in a Public Cloud
2012 (English) In: CLOSER 2012 - Proceedings of the 2nd International Conference on Cloud Computing and Services Science, 2012, p. 511-521. Conference paper, Published paper (Refereed)
Abstract [en]

In this paper we consider the Infrastructure-as-a-Service (IaaS) cloud model which allows cloud users to run their own virtual machines (VMs) on available cloud computing resources. IaaS gives enterprises the possibility to outsource their process workloads with minimal effort and expense. However, one major problem with existing approaches to cloud leasing is that the users can only get contractual guarantees regarding the integrity of the offered platforms. The fact that the IaaS user himself or herself cannot verify the provider-promised cloud platform integrity is a security risk which threatens to prevent the IaaS business in general. In this paper we address this issue and propose a novel secure VM launch protocol using Trusted Computing techniques. This protocol allows the cloud IaaS users to securely bind the VM to a trusted computer configuration such that the clear text VM will only run on a platform that has been booted into a trustworthy state. This capability builds user confidence and can serve as an important enabler for creating trust in public clouds. We evaluate the feasibility of our proposed protocol via a full scale system implementation and perform a system security analysis.

Keywords
Security, Trusted Computing, Virtualization, Cloud Computing, IaaS
National Category
Electrical Engineering and Electronics
Research subject
Computer Science
Identifiers
urn:nbn:se:mdh:diva-15237 (URN) 2-s2.0-84864878200 (Scopus ID) 978-989-8565-05-1 (ISBN)
Conference
The 2nd International Conference on Cloud Computing and Services Science, CLOSER 2012, 18-21 April 2012, Porto, Portugal
Funder
Vinnova
Available from: 2012-09-06 Created: 2012-09-06 Last updated: 2014-06-24 Bibliographically approved
6. Security Considerations for Virtual Platform Provisioning
2011 (English) In: PROCEEDINGS OF THE 10TH EUROPEAN CONFERENCE ON INFORMATION WARFARE AND SECURITY, Reading, 2011, p. 283-290. Conference paper, Published paper (Refereed)
Abstract [en]

The concept of virtualization is not new, but leveraging virtualization in different modes and at different layers has revolutionized its usage scenarios. Virtualization can be applied at the application layer to create a sandbox environment, at the operating system layer to virtualize shared system resources (e.g. memory, CPU), at platform level or in any other useful possible hybrid scheme. When virtualization is applied at platform level, the resulting virtualized platform can run multiple virtual machines as if they were physically separated real machines. Provisioning virtualized platforms in this way is often also referred to as Infrastructure-as-a-Service, or Platform-as-a-Service when full hosting and application support is also offered. Different business models, like data-centers or telecommunication providers and operators, can get business benefits by using platform virtualization due to the possibility of increased resource utilization and reduced upfront infrastructure setup expenditures. This opportunity comes together with new security issues. An organization that runs services in the form of virtual machine images on an offered platform needs security guarantees. In short, it wants evidence that the platforms it utilizes are trustworthy and that sensitive information is protected. Even if this sounds natural and straightforward, few attempts have been made to analyze in detail what these expectations mean from a security technology perspective in a realistic deployment scenario. In this paper we present a telecommunication virtualized platform provisioning scenario with two major stakeholders: the operator, who utilizes virtualized telecommunication platform resources, and the service provider, who offers such resources to operators. We make a threat analysis for this scenario and derive major security requirements from the different stakeholders’ perspectives.
Through investigating a particular virtual machine provisioning use case, we take the first steps towards a better understanding of the major security obstacles with respect to platform service offerings. In the last couple of years we have seen increased activities around security for clouds regarding different usage and business models. We contribute to this important area through a thorough security analysis of a concrete deployment scenario. Finally, we use the security requirements derived through the analysis to make a comparison with contemporary related research and to identify future research challenges in the area.

Place, publisher, year, edition, pages
Reading, 2011
Keywords
security; trust; virtualization; virtual private server; telecommunication networks, clouds
National Category
Electrical Engineering and Electronics
Research subject
Computer Science
Identifiers
urn:nbn:se:mdh:diva-15234 (URN) 978-1-908272-07-2 (ISBN) 978-1-908272-06-5 (ISBN)
Conference
European Conference on Information Warfare and Security ECIW-2011, 7-8 July 2011, Tallinn, Estonia.
Available from: 2012-09-06 Created: 2012-09-06 Last updated: 2014-06-24 Bibliographically approved

Open Access in DiVA

fulltext (1590 kB), 877 downloads
File information
File name FULLTEXT02.pdf File size 1590 kB Checksum SHA-512
3525497d8709b729d503f83a13a276e036bd2f20c933985892581ff9abae1c3f67d7038f890f4f5702c406eb3a308664d23e498eef2cea276e3014c40606e13d
Type fulltext Mimetype application/pdf

Person records

Aslam, Mudassar
