Top

Journal of Network and Systems Management

Published in:

01-03-2024

C3S-TTP: A Trusted Third Party for Configuration Security in TOSCA-Based Cloud Services

Authors: Mohamed Oulaaffart, Rémi Badonnel, Olivier Festor

Published in: Journal of Network and Systems Management | Issue 1/2024

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

The large-scale deployment of cloud composite services distributed over heterogeneous environments poses new challenges in terms of security management. In particular, the migration of their resources is facilitated by recent advances in the area of virtualization techniques. This contributes to increase the dynamics of their configuration, and may induce vulnerabilities that could compromise the security of cloud resources, or even of the whole service. In addition, cloud providers may be reluctant to share precise information regarding the configuration of their infrastructures with cloud tenants that build and deploy cloud composite services. This makes the assessment of vulnerabilities difficult to be performed with only a partial view on the overall configuration. We therefore propose in this article an inter-cloud trusted third-party approach, called C3S-TTP, for supporting secure configurations in cloud composite services, more specifically during the migration of their resources. We describe the considered architecture, its main building blocks and their interactions based on an extended version of the TOSCA orchestration language. The trusted third party is capable to perform a precise and exhaustive vulnerability assessment, without requiring the cloud provider and the cloud tenant to share critical configuration information between each other. After designing and formalizing this third party solution, we perform large series of experiments based on a proof-of-concept prototype in order to quantify its benefits and limits.

previous article A CNN-Based SIA Screenshot Method to Visually Identify Phishing Websites

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Composite Cloud Configuration Security - Trusted Third Party.

Topology and Orchestration Specification for Cloud Applications.

Open Vulnerability and Assessment Language.

Extensible Configuration Checklist Description Format.

A theorem prover from Microsoft Research. It is licensed under the MIT license.

Open-source SMT solver. It is proof-producing and complete for quantifier-free formulas with uninterpreted functions and linear arithmetic on real number and integers.

An international initiative aimed at facilitating research and development in Satisfiability Modulo Theories (SMT).

Security Configuration Automation Protocol.

Ray, B., Saha, A., Khatua, S., Roy, S.: Proactive fault-tolerance technique to enhance reliability of cloud service in cloud federation environment. IEEE Trans. Cloud Comput. (2020). https://doi.org/10.1109/TCC.2020.2968522CrossRef

Ala’Anzy, M., Othman, M.: Load balancing and server consolidation in cloud computing environments: a meta-study. IEEE Access 7, 141868–141887 (2019). https://doi.org/10.1109/ACCESS.2019.2944420CrossRef

Zhou, Z., Yu, J., Li, F., Yang, F.: Virtual machine migration algorithm for energy efficiency optimization in cloud computing. Concurr. Comput. (2018). https://doi.org/10.1002/cpe.4942CrossRef

Pellegrini, R., Rottmann, P., Strieder, G.: IEEE (ed.) Preventing Vendor Lock-ins via an Interoperable Multi-cloud Deployment Approach. (ed.IEEE) Proc. of the 12th International Conference for Internet Technology and Secured Transactions (ICITST), 382–387 (2017)

Opara-Martins, J., Sahandi, R., Tian, F.: Critical analysis of vendor lock-in and its impact on cloud computing migration: a business perspective. J. Cloud Comput. (2016). https://doi.org/10.1186/s13677-016-0054-zCrossRef

Kumar, R., Goyal, R.: On Cloud Security Requirements, Threats, Vulnerabilities and Countermeasures: A Survey. Computer Science Review 33, 1–48 (2019). https://www.sciencedirect.com/science/article/pii/S1574013718302065. https://doi.org/10.1016/j.cosrev.2019.05.002

Rajasree, S., Elizabeth, B. (2016) Trust Based Cloud Service Provider Selection. International Journal Of Engineering And Computer Science. https://doi.org/10.18535/ijecs/v5i5.63

Gao, X., Gu, Z., Kayaalp, M., Pendarakis, D., Wang, H.: IEEE (ed.) ContainerLeaks: Emerging Security Threats of Information Leakages in Container Clouds. (ed.IEEE) 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 237–248 (2017)

Oulaaffart, M., Badonnel, R., Bianco, C.: IEEE (ed.) An Automated SMT-based Security Framework for Supporting Migrations in Cloud Composite Services. (ed.IEEE) Proc. of the IEEE Network Operations and Management Symposium (NOMS) (2022)

10.

Martins, J.O., Sahandi, R., Tian, F.: Critical analysis of vendor lock in and its impact on cloud computing migration: a business perspective. J. Cloud Comput. 5, 1–18 (2016)

11.

Nodehi, T., Jardim-Goncalves, R., Zutshi, A., Grilo, A.: ICIF: an inter-cloud interoperability framework for computing resource cloud providers in factories of the future. Int. J. Comput. Integr. Manuf. 30(1), 147–157 (2017). https://doi.org/10.1080/0951192X.2015.1067921CrossRef

12.

Ramalingam, C., Mohan, P.: Addressing semantics standards for cloud portability and interoperability in multi cloud environment. Symmetry 13(2), 312 (2021)CrossRef

13.

Celesti, A., Tusa, F., Villari, M., Puliafito, A.: IEEE (ed.) Security and Cloud Computing: InterCloud Identity Management Infrastructure. (ed.IEEE) Proc. of the 19th IEEE International Workshops on Enabling Technologies: Infrastructures for Collaborative Enterprises, 263–265 (2010)

14.

Demchenko, Y., Ngo, C., de Laat, C., Lee, C.: IEEE (ed.) Federated Access Control in Heterogeneous Intercloud Environment: Basic Models and Architecture Patterns. (ed.IEEE) Proc. of the IEEE International Conference on Cloud Engineering, 439–445 (2014)

15.

Demchenko, Y., Turkmen, F., Slawik, M., Laat, C. d.: IEEE (ed.) Defining Intercloud Security Framework and Architecture Components for Multi-cloud Data Intensive Applications. (ed.IEEE) Proc. of the 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (CCGRID), 945–952 (2017)

16.

V Thomas, M., Dhole, A., Chandrasekaran, K.: Single sign-on in cloud federation using CloudSim. Int. J. Comput. Netw. Inf. Secur 7, 50–58 (2015). https://doi.org/10.5815/ijcnis.2015.06.06CrossRef

17.

Bernal Bernabe, J., Martinez Perez, G., Skarmeta, A.: Intercloud trust and security decision support system: an ontology-based approach. J. Grid Comput. (2015). https://doi.org/10.1007/s10723-015-9346-7CrossRef

18.

Compastié, M., Badonnel, R., Festor, O., He, R.: IEEE (ed.) A TOSCA-Oriented Software-Defined Security Approach for Unikernel-Based Protected Clouds. (ed.IEEE) Proc. of the IEEE Conference on Network Softwarization (NetSoft), 151–159 (2019)

19.

Barrere, M., Badonnel, R., Festor, O.: IEEE (ed.) A SAT-based Autonomous Strategy for Security Vulnerability Management. (ed.IEEE) Proc. of the IEEE Network Operations and Management Symposium (NOMS) (2014)

20.

Anisetti, M., Ardagna, C. A., Damiani, E.: IEEE (ed.) Security Certification of Composite Services: A Test-Based Approach. (ed.IEEE) Proc. of the IEEE International Conference on Web Services (ICWS) (2013)

21.

Anisetti, M., Ardagna, C., Damiani, E., Gaudenzi, F.: A semi-automatic and trustworthy scheme for continuous cloud service certification. IEEE Trans. Serv. Comput. 13, 30–43 (2017)CrossRef

22.

Ismail, U. M., Islam, S., Mouratidis, H.: IEEE (ed.) Cloud Security Audit for Migration and Continuous Monitoring. (ed.IEEE) Proc. of the the IEEE Trustcom Conference, Vol. 1 (2015)

23.

Ullah, K. W., Ahmed, A. S. & Ylitalo, J. IEEE (ed.) Towards Building an Automated Security Compliance Tool for the Cloud. (ed.IEEE) Proc. of the IEEE TrustCom Conference, 1587–1593 (2013)

24.

Walkowski, M., Oko, J., Sujecki, S.: Vulnerability management models using a common vulnerability scoring system. Appl. Sci. (2021). https://doi.org/10.3390/app11188735CrossRef

25.

Celesti, A., Salici, A., Villari, M., Puliafito, A.: IEEE (ed.) A remote attestation approach for a secure virtual machine migration in federated cloud environments. (ed.IEEE) Proc. of the First International Symposium on Network Cloud Computing and Applications, 99–106 (2011)

26.

Aslam, M., Gehrmann, C., Björkman, M.: IEEE (ed.) Security and Trust Preserving VM Migrations in Public Clouds. (ed.IEEE) Proceedings of the IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, 869–876 (2012)

27.

Oulaaffart, M., Badonnel, R., Festor, O.: IEEE (ed.) Towards Automating Security Enhancement for Cloud Services. (ed.IEEE) Proc. of the International Symposium on Integrated Network Management (IM) (2021)

28.

Herrmann, D.S.: Using the Common Criteria for It Security Evaluation. CRC Press Inc, USA (2002)CrossRef

29.

Schnepf, N., Badonnel, R., Lahmadi, A., Merz, S.: IEEE (ed.) Automated Verification of Security Chains in SDN Networks with Synaptic. (ed.IEEE) Proc. of the Conference on Network Softwarization (NetSoft) (2017)

30.

Gupta, B., Mittal, P., Mufti, T.: IEEE (ed.) A Review on Amazon Web Service (AWS), Microsoft Azure and Google Cloud Platform (GCP) Services. (ed.IEEE) (EAI, 2021)

31.

Neto, M. Z.: et al. Security Troubleshooting on AWS, 339–362 (IEEE, 2021)

32.

Jalili, V., Afgan, E., Taylor, J., Goecks, J.: Cloud bursting galaxy: federated identity and access management. Bioinformatics 36(1), 1–9 (2019). https://doi.org/10.1093/bioinformatics/btz472CrossRef

33.

Potti, S.: Supercharging security with generative AI (2023). https://cloud.google.com/blog/products/identity-security/rsa-google-cloud-security-ai-workbench-generative-ai?hl=en

34.

Coppolino, L., D’Antonio, S., Mazzeo, G., Romano, L.: Cloud Security: Emerging Threats and Current Solutions. Computers and Electrical Engineering 59, 126–140 (2017). https://www.sciencedirect.com/science/article/pii/S0045790616300544. https://doi.org/10.1016/j.compeleceng.2016.03.004

35.

Ramachandra, G., Iftikhar, M., Khan, F. A.: A Comprehensive Survey on Security in Cloud Computing. Procedia Computer Science 110, 465–472 (2017). https://www.sciencedirect.com/science/article/pii/S1877050917313030. https://doi.org/10.1016/j.procs.2017.06.124, 14th International Conference on Mobile Systems and Pervasive Computing (MobiSPC 2017) / 12th International Conference on Future Networks and Communications (FNC 2017) / Affiliated Workshops

36.

CloudFormation, A.: AWS CloudFormation API Reference (2020)

37.

Esposito, A., Di Martino, B., Cretella, G.: IEEE (ed.) Defining Cloud Services Workflow: a Comparison between TOSCA and OpenStack Hot. (ed.IEEE) (2015)

38.

NIST. XCCDF - The Extensible Configuration Checklist Description Format (2020). https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/xccdf

39.

Booth H., D., Rike, Witte, G.: The National Vulnerability Database (NVD): Overview, ITL Bulletin, National Institute of Standards and Technology (2020). https://tsapps.nist.gov/publication

40.

Scarfone, K., Mell, P.: IEEE (ed.) An Analysis of CVSS version 2 Vulnerability Scoring. (ed.IEEE) 2009 3rd International Symposium on Empirical Software Engineering and Measurement, 516–525 (2009)

41.

Wagner, C., Dulaunoy, A., Wagener, G., Iklody, A.: IEEE (ed.) MISP: The Design and Implementation of a Collaborative Threat Intelligence Sharing Platform. (ed.IEEE) Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security, 49–56 (ACM, 2016)

Title: C3S-TTP: A Trusted Third Party for Configuration Security in TOSCA-Based Cloud Services
Authors: Mohamed Oulaaffart
Rémi Badonnel
Olivier Festor
Publication date: 01-03-2024
Publisher: Springer US
Published in: Journal of Network and Systems Management / Issue 1/2024
Print ISSN: 1064-7570
Electronic ISSN: 1573-7705
DOI: https://doi.org/10.1007/s10922-023-09792-7

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 1/2024

The Path Towards Virtualized Wireless Communications: A Survey and Research Challenges

A Distributed Virtual-Machine Placement and Migration Approach Based on Modern Portfolio Theory

Privacy-Aware Anomaly Detection in IoT Environments using FedGroup: A Group-Based Federated Learning Approach

A Group Teaching Optimization-Based Approach for Energy and QoS-Aware Internet of Things Services Composition

BoostSec: Adaptive Attack Detection for Vehicular Networks

Simplifying Forwarding Data Plane Operations with XOR-Based Source Routing

Premium Partner