
2009 Eighth IEEE International Conference on Dependable, Autonomic and Secure Computing

Cloud Security with Virtualized Defense and Reputation-based Trust Management*


Kai Hwang and Sameer Kulkarni
University of Southern California, Los Angeles, USA
Email: {kaihwang, sgkukar}@usc.edu

Yue Hu
University of Science and Technology Beijing, China
Email: huhuyue_001@sina.com

Abstract

Internet clouds work as service factories built around web-scale datacenters. The elastic cloud resources and the huge datasets they process are subject to security breaches, privacy abuses, and copyright violations. Cloud resources provisioned on demand are especially vulnerable to cyber attacks. The cloud platforms built by Google, IBM, and Amazon all reveal these weaknesses. We propose a new approach that integrates virtual clusters, security-reinforced datacenters, and trusted data accesses guided by reputation systems. A hierarchy of P2P reputation systems is suggested to protect clouds and datacenters at the site level and to safeguard the data objects at the file-access level. Different security countermeasures are suggested to protect the three cloud service models, IaaS, PaaS, and SaaS, currently implemented by Amazon, IBM, and Google, respectively.

Keywords: Internet clouds, data centers, network security, virtualization, reputation system, and cloud computing services.

I. INTRODUCTION

Cloud computing applies a virtual platform with elastic resources put together dynamically by on-demand provisioning of hardware, software, and datasets [8, 16]. The idea is to move desktop computing to a service-oriented platform using server clusters and huge databases at datacenters [3]. Cloud computing offers low cost and simplicity to both providers and users [11, 22]. Machine virtualization [26] has enabled such cost-effectiveness. Cloud computing intends to satisfy many heterogeneous applications simultaneously [12]. Trust and security become crucial to safeguard the healthy development of cloud platforms [9, 23]. Clouds may become worrisome to some users for lack of privacy protection [5], security assurance, and copyright protection [19]. As a virtual environment, a cloud poses new security threats that differ from attacks on physical systems. Trust models for distributed systems like clouds and P2P networks are assessed in this paper.

Virtual resources and datacenters are facing many operational uncertainties. We prefer to extend the fuzzy-theoretic trust models by Song et al. [21] and by He et al. [14] to a cloud application environment. The reputation-based trust management issues [21, 24, 25] are studied for cloud applications. The remaining sections are organized as follows: We first review cloud service models and assess existing cloud platforms in Sections II and III. Then we propose a new secure cloud architecture in Section IV. Section V is devoted to virtualization support for cloud security. Section VI suggests data-access protection through trust management with reputation systems. Finally, we summarize our contributions and discuss further research needed.

_____________________________
Presented in IEEE Intl Workshop on Security in Cloud Computing (SCC09), held in conjunction with the IEEE Intl Conf. on Pervasive Intelligence and Computing (PICom2009), Chengdu, China, Dec. 12-14, 2009. Corresponding author is Kai Hwang. Contact him at: kaihwang@usc.edu.

978-0-7695-3929-4/09 $26.00 2009 IEEE DOI 10.1109/DASC.2009.149

II. CLOUD SERVICE MODELS AND SECURITY CHALLENGES

We assess the security demands of the three cloud service models, IaaS, PaaS, and SaaS, that have been used in cloud practices [4]. These models are based on various service level agreements (SLAs) between providers and users.

A. Cloud Service Models

Figure 1 illustrates the mapping of cloud models to the security measures needed at different operational levels of the clouds [23].

Infrastructure as a Service (IaaS): This model allows users to rent processing, storage, networks, and other resources. The user can deploy and run the guest OS and applications. The user does not manage or control the underlying cloud infrastructure but has control over the OS, storage, deployed applications, and possibly selected networking components.

Platform as a Service (PaaS): This model allows the user to deploy user-built applications onto the cloud infrastructure, built using programming languages and software tools supported by the provider (e.g., Java, Python, .Net). The user does not manage the underlying cloud infrastructure.

Software as a Service (SaaS): This refers to browser-initiated application software serving thousands of cloud customers. On the customer side, there is no upfront investment in servers or software licensing. On the provider side, costs are rather low compared with conventional hosting of user applications.

Cloud offers four service deployment modes: private, public, managed, and hybrid [22]. These modes carry different security implications. The different service level agreements and deployment modalities imply that security is a shared responsibility of the cloud providers, the cloud resource consumers, and the third-party cloud-enabled software providers. With service as the key concept of clouds, the critical issues include data integrity and confidentiality, and the demand for a trust model between service providers and users. Figure 1 maps the three cloud models to the required security measures at various cloud operational levels.

B. Security Requirements

Table 1 identifies which of the three security requirements, confidentiality, integrity, and availability, fall on the service providers and which on the cloud users under the three service models. In the order of SaaS, PaaS, and IaaS, the providers gradually release the responsibilities of security control to the cloud users. In summary, the SaaS model relies on the cloud provider to perform all security functions. At the other extreme, the IaaS model expects the users to assume almost all security functions, leaving only availability in the hands of the providers. The PaaS model relies on the provider to maintain data integrity and availability, but counts on the user to preserve confidentiality and data privacy.

Figure 1: Cloud service models on the left and corresponding security measures on the right. IaaS is at the lowest level, PaaS at the mid-level, and SaaS at the widest level, including all resources.

Table 1: Cloud Service Models and Security Responsibilities by Providers and Users

Cloud Model    | Degree of control by provider | Provider's responsibilities              | Degree of control by users | Users' responsibilities
SaaS (Google)  | High                          | Confidentiality, Integrity, Availability | Low                        | None
PaaS (IBM)     | Medium                        | Integrity, Availability                  | Medium                     | Confidentiality, Data Privacy
IaaS (Amazon)  | Low                           | Availability                             | High                       | Confidentiality, Data Privacy, and Integrity

III. VULNERABILITY IN EXISTING CLOUDS

We assess below the vulnerability of three commercial cloud platforms built since 2007. Table 2 assesses their architecture features, service models applied, system vulnerability, and resilience to network attacks. We find that all three platforms are weak in the security area [7].

A. Three Existing Cloud Platforms

Google has hundreds of datacenters with over 460,000 servers. The platform consists of the server clusters, GFS, and datacenters [13]. In 2008, Google made 200 such clusters available for cloud applications. Data items are stored as text, images, and video, replicated to tolerate faults or failures. Google's AppEngine supports cloud and web applications. The cloud platform extends MapReduce [8] for upgraded web-scale cloud services.

IBM BlueCloud offers a total system solution to cloud computing. The system sells the entire server cluster plus open software like Apache Hadoop, and IBM-developed software packages for resource management and performance monitoring. BlueCloud offers limited scalability.

Amazon runs a global e-commerce platform that serves millions of customers. The elasticity in the Amazon cloud comes from the flexibility provided by the hardware and software services. EC2 provides an environment for running virtual servers on demand. S3 provides unlimited online storage space. Both EC2 and S3 are supported in Amazon Web Services (AWS) [1].

Table 2: Strength and Vulnerability of Three Commercial Cloud Platforms

Features              | Architecture and Service Models applied | Technology, Virtualization, and Reliability | System Vulnerability and Security Resilience
Google Cloud Platform | Highly scalable server clusters, GFS, and datacenters operating with a SaaS model [17] | Commodity hardware, application-level API, simple service, and high reliability | Datacenter security is loose, no copyright protection, Google rewrites desktop applications for the web
IBM Blue Cloud        | A server cluster with limited scalability for distributed problem solving at web scale under a PaaS model [4] | Custom hardware, open software, Hadoop library, virtualization with XEN and PowerVM, high reliability | WebSphere-2 security, PowerVM could be tuned for security protection, and access control and VPN support
Amazon Elastic Cloud  | A 2000-node utility cluster (iDataPlex) for distributed computing/storage services under the IaaS model [1] | E-commerce platform, virtualization based on XEN, and simple reliability | Relies on PKI and VPN for authentication and access control; lacks security defense mechanisms

B. Protection Desired by Cloud Users

We desire a software environment that provides many useful tools to build cloud applications over large datasets, in addition to MapReduce, BigTable, EC2, S3, Hadoop, AWS, AppEngine, and WebSphere2. We identify below 8 security and privacy features desired by cloud users.

a. Customized extensions of MapReduce, BigTable, EC2, and S3 for personal use.
b. Special APIs for authenticating users and sending email using commercial accounts.
c. Cloud resources are accessed with security protocols like HTTPS or SSL.
d. Fine-grain access control is desired to protect data integrity and deter intruders or hackers.
e. Shared datasets are protected from malicious alteration, deletion, or copyright violation.

IV. SECURITY-AWARE CLOUD ARCHITECTURE

Risky cloud platforms have caused billions of dollars of loss in business and government services. A new security-aware cloud architecture is proposed in Fig. 2.

A. The Secure Cloud Architecture

An Internet cloud is envisioned as a massive cluster of servers. These servers are provisioned on demand to perform collective web services or distributed applications using datacenter resources. A cloud platform is formed dynamically by provisioning or deprovisioning servers, software, and database resources. Servers in the cloud can be physical machines or virtual machines. User interfaces are applied to request services. The provisioning tool carves out the systems from the cloud to deliver the requested service.

[Figure 2 (diagram; blocks labelled): Clients; Services Catalogs; Resource Provisioning, Virtualization, Management, and User Interfaces; Cloud Platform: A virtual cluster of servers, software, and datasets provisioned for specific user applications; Trust Delegation, Reputation Systems for Cloud Resource Sites/datacenters; Security and Performance Monitoring; Provider Server clusters; Data Centers; The Internet]

Figure 2: A trusted cloud architecture with secured cloud resources, including datasets for on-demand services. (Solid lines for data flows and dashed lines for control flows in trust management and security enforcement.)

B. Protection Mechanisms

Cloud security enforcement has many aspects. Malware-based attacks like worms, viruses, and DoS exploit system vulnerabilities and compromise system functionality or give intruders unauthorized access to critical information. Thus, security defense is needed in cloud systems to protect all cluster servers and datacenters as listed below:

- Protection of servers from malicious software attacks like worms, viruses, and malware.
- Protection of hypervisors or VM monitors from software-based attacks and vulnerabilities.
- Protection of VMs and monitors from service disruption and denial of service attacks.
- Protection of data and information from theft, corruption, and natural disasters.
- Providing authentication and authorized access to critical data and services.

We suggest in Table 3 five protection mechanisms to secure public clouds and datacenters. Malicious intrusions may destroy valuable hosts, network, and storage resources. Internet anomalies found in routers, gateways, and distributed hosts may stop cloud services. Details of these security mechanisms are given in subsequent sections.

Table 3: Security Protection Mechanisms for Public Clouds

Mechanism                           | Brief description and Key References
Trust delegation and negotiation    | Cross certificates must be used to delegate trust across different PKI domains. Trust negotiation among different CSPs demands resolution of policy conflicts. [27]
Worm containment and DDoS defense   | Internet worm containment and distributed defense against DDoS attacks are necessary to secure all datacenters and cloud platforms [8].
Reputation system of resource sites | A reputation system could be built with P2P technology. One can build a hierarchy of reputation systems from datacenters to distributed file systems [30].
Fine-grain access control           | This refers to fine-grain access control at the file or object level. It adds security protection beyond firewalls and intrusion detection systems [9].
Collusive piracy prevention         | Piracy prevention is achieved with peer collusion detection and content poisoning techniques [22].
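The two-level reputation gating that Table 3 lists (a reputation system of resource sites, and fine-grain access control at the file or object level) and that Section VI.A elaborates, as an added Python illustration that is not the paper's code: a site-level score gates a datacenter, an object-level score gates each file, and breaches recorded by monitoring pull a score down. The weighted-mean aggregation, the halving-per-breach penalty, the thresholds, the names (TrustHierarchy, run_demo, dc-east, obj-42) and the sample ratings are all assumptions; the fuzzy and gossip aggregation the paper cites [21, 25] is not reproduced.

```python
"""Site-level then file-level reputation gating (added illustration).

Assumptions, not the paper's scheme: a reputation is the weighted mean of
peer ratings in [0, 1], halved for every recorded breach; thresholds and the
sample ratings in run_demo() are constructed for this example.
"""
from __future__ import annotations
from dataclasses import dataclass

SITE_THRESHOLD = 0.6   # coarse-grain gate for a resource site / datacenter
FILE_THRESHOLD = 0.7   # fine-grain gate for one data object at that site


@dataclass
class Reputation:
    """Aggregates peer ratings; an unrated entity is neutral, not trusted."""
    score_sum: float = 0.0
    weight_sum: float = 0.0
    breaches: int = 0

    def rate(self, score: float, weight: float = 1.0) -> None:
        if not 0.0 <= score <= 1.0 or weight <= 0:
            raise ValueError("rating must be in [0, 1] with positive weight")
        self.score_sum += score * weight
        self.weight_sum += weight

    def value(self) -> float:
        base = 0.5 if self.weight_sum == 0 else self.score_sum / self.weight_sum
        return base * (0.5 ** self.breaches)   # each breach halves the score


class TrustHierarchy:
    """Site reputations gate datacenters; object reputations gate single files."""

    def __init__(self) -> None:
        self.sites: dict[str, Reputation] = {}
        # Objects are keyed by (site, object id), so every name is globally unique.
        self.objects: dict[tuple[str, str], Reputation] = {}

    def rate_site(self, site: str, score: float, weight: float = 1.0) -> None:
        self.sites.setdefault(site, Reputation()).rate(score, weight)

    def rate_object(self, site: str, obj: str, score: float, weight: float = 1.0) -> None:
        self.objects.setdefault((site, obj), Reputation()).rate(score, weight)

    def record_breach(self, site: str, obj: str | None = None) -> None:
        """A breach reported by monitoring taints one object, or the whole site."""
        if obj is None:
            self.sites.setdefault(site, Reputation()).breaches += 1
        else:
            self.objects.setdefault((site, obj), Reputation()).breaches += 1

    def check_access(self, site: str, obj: str) -> tuple[bool, str]:
        """Coarse-grain site check first; only then the fine-grain object check."""
        site_rep = self.sites.get(site, Reputation()).value()
        if site_rep < SITE_THRESHOLD:
            return False, f"site {site} below threshold ({site_rep:.2f})"
        obj_rep = self.objects.get((site, obj), Reputation()).value()
        if obj_rep < FILE_THRESHOLD:
            return False, f"file {obj} at {site} below threshold ({obj_rep:.2f})"
        return True, "granted"


def run_demo() -> list[tuple[str, bool]]:
    """Constructed scenario: trusted site, one weak object, then a site breach."""
    h = TrustHierarchy()
    for score in (0.9, 0.8):
        h.rate_site("dc-east", score)
    for obj, ratings in (("obj-42", (0.9, 0.7)), ("obj-7", (0.6, 0.7))):
        for score in ratings:
            h.rate_object("dc-east", obj, score)
    decisions = [(obj, h.check_access("dc-east", obj)[0]) for obj in ("obj-42", "obj-7")]
    h.record_breach("dc-east")   # site-wide incident: even obj-42 is now denied
    decisions.append(("obj-42", h.check_access("dc-east", "obj-42")[0]))
    return decisions
```

A site that nobody has rated yet sits at the neutral 0.5 and is therefore denied at the coarse-grain gate, so new or unknown datacenters cannot serve files until peers have vouched for them.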

V. VIRTUALIZATION FOR CLOUD SECURITY DEFENSE

Virtualization can enhance cloud security. But virtual machines (VMs) add an additional layer of software which could become a single point of failure. Virtualization techniques are elaborated below for security enhancement in open clouds.

A. Security via Virtualization

With virtualization, a single physical machine can be divided or partitioned into multiple VMs (e.g., server consolidation). This provides each VM with better security isolation: each partition is protected from the possibility of Denial of Service (DoS) attacks from other partitions, and security attacks in one VM are isolated and contained from affecting the other VMs. Any software failures on one VM do not affect the operation of the other VMs; VM failures do not propagate to other VMs. Virtualization provides an extended computing stack, namely the hypervisor, which provides visibility of the guest OS with complete guest isolation. Thus the fault containment and failure isolation characteristics of VMs provide a more secure and robust environment.

B. Virtual Machines as a Sandbox

A sandbox can be defined as a security mechanism that provides a safe execution platform for running programs. Further, a sandbox can provide a tightly controlled set of resources for the guest operating systems, which allows defining a security test-bed to run untested code and programs from untrusted third-party vendors. With virtualization, the VM is decoupled from the physical hardware. The entire VM can be represented as a software component and can be regarded as binary or digital data. This implies that the VM can be saved, cloned, encrypted, moved, or restored with ease. VMs enable higher availability and faster disaster recovery.

C. Defense against Intrusions and DDoS Attacks

Virtual machines for intrusion detection and DDoS defense could be designed to support distributed security enforcement [6]. We suggest live migration of VMs specifically designed for building a distributed intrusion detection system (DIDS). Multiple IDS virtual machines can be deployed at various resource sites including the datacenters [15]. DIDS design demands trust negotiation among PKI domains. Security policy conflicts must be resolved at design time and updated periodically. A defense scheme is needed to protect user data from server attacks. User private data must not be leaked to other users without permission. The Google platform essentially applies in-house software to protect resources. Amazon EC2 applies HMAC and X.509 certificates in securing resources.

VI. DATA ACCESS CONTROL BY TRUST MANAGEMENT

We suggest fine-grain access control at the file level in datacenters. Trust among resource sites can be negotiated with non-conflicting security policies. To secure elastic resources, a reputation system is needed to safeguard scattered resource sites and datacenters. A site security index and user-access records must be maintained. We suggest four approaches to solving trust and security problems in clouds:

A. Trust and Reputation Management

We propose to build a hierarchy of DHT-based overlay networks for developing reputation systems for trust management on all datacenters used in a cloud application [14]. Figure 3 illustrates the security infrastructure needed to support personalized web search, distributed query processing, and communications demanded in most cloud services. At the bottom is the overlay layer for reputation aggregation and probing colluders. At the top are the overlay layers for various security precautions for worm containment [14], intrusion detection [15], and content poisoning against DDoS attacks [8] and copyright violations [16]. We design the reputation system using the trust overlay network. A hierarchy of P2P reputation systems is suggested to protect cloud resources at the site level and data objects at the file level. This demands both coarse-grain and fine-grain access control of shared resources. These reputation systems keep track of security breaches at all levels. The reputation system must be designed to benefit both the cloud users and the cloud providers.

[Figure 3 (diagram; layers and blocks labelled): Trust Integration/Negotiation over distributed cloud resource sites (User/Server Authentication, Access Authorization, Trust Delegation, Data Integrity Control); Reputation aggregation and integration; Distributed reputation aggregation and probing of piracy colluders; Trust Overlay over Cloud/Datacenters; Defense against Piracy or Network Attacks; Distributed defense against worms, DDoS attacks, and copyright violations; Hybrid intrusion detection (Misuse Detection, Anomaly Detection, Signature Update, Invoke Response); DDoS defense and Piracy prevention (Alert vulnerable hosts, Terminate DDoS Attacks, Worm containment, Penalize Pirates)]

Figure 3: DHT-based trust management and security enforcement in cloud computing services.

B. Consistency of Replicated Data Items

Data objects used in cloud computing reside in multiple datacenters over a storage-area network (SAN). The distributed SAN optimizes for spatial locality. Data consistency is checked across multiple databases. Copyright protection [16] secures wide-area content distribution. To separate user data from specific application programs, we assume cloud applications to be SaaS, by which the providers take the most responsibility in maintaining data integrity and consistency. Users can switch among different services using their own data. Only the users have the keys to access the requested data. We need to support reliable data retrieval to or from the datacenters. The multiple-replica mechanism brings the benefit of higher data availability and faster data access. The data objects must be uniquely named to ensure global consistency. To ensure data consistency, unauthorized updates of data objects are prohibited.

C. Data Privacy in Public Clouds

Listed below are several methods to preserve data privacy in a public cloud.
(a) Putting up cyber defense by securing the ISP or cloud service provider (CSP) from invading user privacy.
(b) Establishing a privacy policy that is consistent with the CSP's policy. Cloud users must protect against identity theft, spyware, and web bugs.
(c) Applying spyware diagnostics, encryption methods, and automated spam, virus, and worm removers.

VII. CONCLUSIONS

We suggest extensive use of virtualization support for security enforcement in cloud or datacenter environments. We also propose to build a hierarchy of reputation systems to control datacenter access at the coarse-grain level and to limit data access at the fine-grain file-access level.

This paper presented an integrated cloud architecture to reinforce security and privacy in cloud applications. All proposed security features and trust management schemes are still in the early development stage. We call for extended research initiatives by both academia and the IT industry to transform cloud services into truly trusted practices. Several security mechanisms are suggested to reinforce public clouds. These mechanisms are crucial to the universal acceptance of web-scale cloud computing in personal, business, and government applications. Internet clouds are certainly in line with the goal of IT globalization. However, interoperability and common cloud standards are still wide open problems.

Acknowledgements: We would like to thank the partial support of this research work by the National Natural Science Foundation of China under grant 60903208, the Major Research Equipment Development Plan of the Chinese Academy of Sciences under grant YZ200824, and the National Basic Research Program of China under the 973 Program 2004CB318202.

REFERENCES
[1] Amazon, Elastic Compute Cloud (EC2), http://en.wikipedia.org/wiki/Amazon_Elastic_Compute_Cloud
[2] M. Armbrust, et al., Above the Clouds: A Berkeley View of Cloud Computing, UC Berkeley, Feb. 2009.
[3] G. Boss, P. Malladi, et al., Cloud Computing - The BlueCloud Project, www.ibm.com/developerworks/websphere/zones/hipods/, Oct. 2007.
[4] R. Buyya, C. S. Yeo, and S. Venugopal, "Market-Oriented Cloud Computing: Vision, Hype, and Reality for Delivering IT Services as Computing Utilities," 10th IEEE Intl Conf. on High Perf. Computing and Comm., Sept. 2008.
[5] A. Cavoukian, Privacy in The Clouds, http://www.ipc.on.ca/image/Resources%5Cprivacyintheclouds.pdf
[6] Y. Chen, K. Hwang, and W. S. Ku, Collaborative Detection of DDoS Attacks over Multiple Network Domains, IEEE Trans. on Parallel and Distributed Systems, Vol. 18, No. 12, Dec. 2007, pp. 1649-1662.
[7] Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing, April 2009.
[8] A. Costanzo, M. Assuncao, and R. Buyya, Harnessing Cloud Technologies for a Virtualized Distributed Computing Infrastructure, IEEE Internet Computing, Sept. 2009.
[9] J. Dean and S. Ghemawat, MapReduce: Simplified Data Processing on Large Clusters, Proc. of the 6th Symp. on Operating Systems Design & Implementation (OSDI), August 2004.
[10] Q. Y. Feng, K. Hwang, and Y. Dai, Rainbow Product Ranking for Upgrading e-Commerce, IEEE Internet Computing, Sept. 2009.
[11] I. Foster, Y. Zhao, I. Raicu, and S. Lu, "Cloud Computing and Grid Computing 360-Degree Compared," Grid Computing Environments Workshop, 12-16 Nov. 2008.
[12] J. Girard and J. Pescatore, Teleworking in Cloud: Security Risks and Services, A Gartner Report, May 15, 2009.
[13] Google, Inc., Google and the Wisdom of Clouds, http://www.businessweek.com/magazine/content/0752/b4064048925836.htm
[14] R. He, J. Niu, M. Yuan, and J. Hu, A Novel Cloud-Based Trust Model for Pervasive Computing, The Fourth International Conference on Computer and Information Technology, Sept. 14-16, 2004, pp. 693-700.
[15] J. Heiser, What You Need to Know about Cloud Computing Security and Compliance, A Gartner Report, July 13, 2009.
[16] C. Hoffa, et al., "On the Use of Cloud Computing for Scientific Workflows," IEEE Fourth Intl Conf. on eScience, Dec. 2008.
[17] K. Hwang, et al., "Security Binding and Worm/DDoS Defense Infrastructure for Trusted Grid Computing," Intl Journal of Critical Infrastructures, Vol. 2, No. 4, 2005.
[18] K. Hwang, et al., Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes, IEEE Trans. on Dependable and Secure Computing, Vol. 4, No. 1, Jan.-March 2007, pp. 41-55.
[19] X. Lou and K. Hwang, Collusive Piracy Prevention in P2P Content Delivery Networks, IEEE Trans. on Computers, July 2009.
[20] M. Rosenblum and T. Garfinkel, Virtual Machine Monitors: Current Technology and Future Trends, IEEE Computer, May 2005, pp. 39-47.
[21] S. Song, K. Hwang, R. Zhou, and Y. K. Kwok, Trusted P2P Transactions with Fuzzy Reputation Aggregation, IEEE Internet Computing, Special Issue on Security for P2P and Ad Hoc Networks, Nov./Dec. 2005, pp. 24-34.
[22] B. Sotomayor, et al., Virtual Infrastructure Management in Private and Hybrid Clouds, IEEE Internet Computing, Sept. 2009.
[23] J. Viega, Cloud Computing and the Common Man, IEEE Computer Magazine, Aug. 2009, pp. 106-108.
[24] K. Vlitalo and Y. Kortesniemi, Privacy in Distributed Reputation Management, Workshop of the 1st International Conference on Security and Privacy for Emerging Areas in Communication Networks, Sept. 2005, pp. 63-71.
[25] R. Zhou, K. Hwang, et al., GossipTrust for Fast Reputation Aggregation in Peer-to-Peer Networks, IEEE Trans. Knowledge and Data Engineering (TKDE), Sept. 2008.
