5.1 Information flow in cloud infrastructures
5.1.3 Conclusions on modelling information flow
In this thesis, a model for information flow control in clouds based on the classification of virtual resources is developed. In this section, the modelling assumptions and prerequisites are summarised.
Assumption 1: Multiple corporate customers operate concurrently on a cloud infrastructure with multi-level classification.
Evidence: A cloud provider is contracted by multiple corporate customers to provision cloud resources (cf. Section 2.2.1). Consequently, there are multiple corporate customers operating concurrently on cloud infrastructures. Further, for practical and security reasons, a cloud infrastructure has to be able to distinguish the requests and virtual resources of the different corporate customers. This property is called multitenancy. Additionally, each corporate customer can have different security requirements, and therefore the necessary level of security can be different, too (cf. Section 3.6.1). This implies that a cloud infrastructure has to be able to handle these different levels of security requirement and, thus, has multi-level classification with respect to the security requirements.
Assumption 2: A cloud infrastructure is operated by a single cloud provider and hosted at multiple hosting sites, which are operated by hardware providers (one hardware provider per hosting site).
Evidence: In this thesis, global clouds are investigated, which are operated in multiple countries (cf. Def. 2.5). This implies that there exist multiple hosting sites that are located in different countries. Explicitly, national clouds and particularly clouds with only a single hosting site are excluded by this assumption. They are not in the scope of this thesis, since they are generally location homogeneous (cf. Def. 2.2) and usually there is no need for transmission control within the cloud. Further, for practical reasons, the operation of a cloud infrastructure requires a single responsible entity coordinating the operation of hardware and virtual resources. Additionally, such an entity is the contractual partner of corporate customers and is liable for executing the contracted IT outsourcing in a legally compliant manner. However, in a global cloud, there might be multiple national cloud providers, each operating a local/global cluster of the cloud (cf. Section 4.1.4). In any case, there is only a single cloud provider operating the Cloud Service Fabric (cf. Section 4.1.4), since there is only one per cloud infrastructure. Otherwise, the existence of multiple Cloud Service Fabrics would imply that there are multiple cloud infrastructures. Therefore, the cloud provider operating the Cloud Service Fabric is considered the cloud provider operating the cloud infrastructure. For analogous reasons, it is assumed that there is only a single responsible entity (i.e., the hardware provider) for each hosting site, which is the contractual partner of the cloud provider. Having a single responsible entity for clouds and for hosting sites is more a structuring than a restricting assumption.
Assumption 3: There are two types of information flow relevant to the challenge of location inhomogeneity: (1) information flow of processed data and (2) information flow of virtual resources.
Evidence: In Section 5.1.1, three types of information flow were identified in clouds. Further, the information flow of processed data (cf. Def. 5.1) and that of virtual resources (cf. Def. 5.2) were identified as the most relevant for addressing the challenge of location inhomogeneity (cf. Def. 2.2), since they cover customers' data, which are sensitive to the effective level of protection. Additionally, it is assumed that the information flow of metadata does not cover customers' data and, therefore, is not investigated in this thesis. This assumption is made plausible in Section 5.1.2, due to the observation that the information flow of processed data changes the state of virtual resources only with respect to the data contained.
Assumption 4: The information flow of processed data does not cause the information flow of virtual resources.
Evidence: The assumption is made plausible in Section 5.1.2 by clarifying that the information flow of processed data changes the state of virtual resources only with respect to the contained data. Further, this assumption makes it possible to investigate the information flow of virtual resources separately from that of processed data.
Assumption 5: The information flow of processed data is classified by categories of data and by allowed information flow.
Evidence: This assumption is a necessary prerequisite for classifying virtual resources based on what types of data will be processed within them and for controlling the information flow of virtual resources according to the allowed information flow of processed data (cf. Section 5.1.2 and Assumption 6). Good candidates for classifying the information flow of processed data are the categories (and subcategories) of data to which legal norms correspond (cf. Section 3.1.1 and Section 3.6.1). The same classification can be applied to virtual resources to control information flow.
Assumption 6: All virtual resources are classified by the categories of data that are processed within the virtual resources. This classification does not change during the lifetime of a virtual resource, and the corporate customer utilises virtual resources according to their classification to process data of the respective category.
Evidence: This assumption is made to avoid unwanted interference between the information flow of processed data and that of virtual resources and to sustain the separation of information flow control (cf. Section 5.1.2). Without this assumption, the information flow of processed data can result in a change of the classification of virtual resources with respect to the data processed within them (cf. Section 5.1.2). Such changes of classification can result in security conflicts, for example, when the new classification is forbidden for the allocated hardware resource. To prevent such conflicts, it is necessary to verify the classification of hardware resources and, if necessary, to migrate virtual resources to hardware resources with sufficient classification. Thus, every information flow of processed data can result in a reorganisation of the virtual resource placement. This implies a shift in the control of virtual resource placement from the cloud provider to the corporate customers, which is neither in the interest of corporate customers nor in the interest of cloud providers. In particular, the corporate customer has no knowledge of the classification of hardware resources and of their allocation to host virtual resources, and consequently, the virtual resource placement can be arbitrary and inefficient. Further, a migration has to be performed before the classification changes, i.e., before the information flow of processed data that implies the change of the classification. If the cloud provider prevents conflicting changes of classification, then this results in the prevention of the information flow of processed data. Thus, this is a shift in the control of processed data from the corporate customer to the cloud provider, which again is in the interest of neither corporate customers nor cloud providers.
Consequently, it is assumed that changes of classification are not made during the lifetime of a virtual resource in order to sustain the separation of information flow control.
Assumption 7: There exists a cloud management process cmp: P(VR) × P(HW) that is controlled by the cloud provider and assigns virtual resources VR ∈ P(VR) to hardware resources HR ∈ P(HW) (cf. Section 4.1.4.4).
(cf. Section 4.1.4) and is defined in Section 4.1.4.4. With the cloud management process it is possible to abstract from individual types of virtual resources and hardware resources and to describe the information flow of virtual resources based on virtual resources and hardware resources in general.
Assumption 8: Hardware resources are trustworthy with respect to their classification. In particular, there are no covert channels in hardware resources.
Evidence: This assumption is made to establish the basis for reliable control of the information flow of virtual resources between hardware resources. Further, it helps to focus on the problem of location inhomogeneity by avoiding the modelling of information flow that occurs only on untrustworthy hardware resources (and at untrustworthy hosting sites), like the translocation of hardware resources and data extraction via physical access (both unauthorised) at the hosting sites. In practice, the trustworthiness of the hardware resources and the hardware provider is a common requirement in IT outsourcing scenarios, and is covered by IT security standards like the German 'IT-Grundschutz' [30], ISO 27001 [112] and specifically by TÜViT – Trusted Site Infrastructure [206]. For the control of the information flow of virtual resources, virtual resources have to be assigned to hardware resources which have a classification that is suitable for the assigned virtual resource. However, the cloud provider's control of the operation of hardware resources is limited, since this is in the hardware provider's sphere of responsibility. Thus, the cloud provider has to rely on the hardware provider to ensure that the hardware resources are operated according to their classification (e.g., having the same necessary level of security; cf. Section 3.6.1). In particular, it is important that the classification of hardware resources does not change without first notifying the cloud provider. In general, the classification of hardware only changes when it is physically manipulated (e.g., is moved to a different location or physically reconfigured), which is a rather rare event at hardware providers and is usually possible only if the hardware resource is powered off beforehand. In contrast, for mobile hardware resources, a change of location is a regular event.
However, in cloud infrastructures, it is reasonable to assume that hardware resources have static locations and, moreover, are not physically manipulated by the hardware provider. But even if hardware resources have a trustworthy classification, they can be a source of unrecognised information flow. For example, virtual resources are migrated within hardware pools of virtualised data centres (without notifying the cloud provider). Further, the hardware provider can copy or extract any information from virtual resources (e.g., by using virtual machine introspection [80]). There are methods to prevent such types of unrecognised information flow, for example, by using a trusted hypervisor [79]. Therefore, it is assumed in this thesis that hardware resources and hardware providers are trustworthy with respect to their classification and that there are no covert channels on the hardware level.
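As an added illustration, not code from the thesis, the following Python model makes Assumptions 6 to 8 concrete: virtual resources and hardware resources carry a classification by categories of data, a simple cmp assigns each virtual resource to suitably classified hardware, a classification change announced by the hardware provider beforehand triggers migration of the affected virtual resources, and a placement check surfaces conflicts. The names VR, HW, cmp, conflicts, notify_reclassification and the sample sites and categories are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed model (not from the thesis) of the cloud management process cmp
# assigning virtual resources (VR) to hardware resources (HW), both classified
# by the categories of data processed within them.

@dataclass(frozen=True)
class VR:
    name: str
    category: str       # data category processed within; fixed for its lifetime (Assumption 6)

@dataclass(frozen=True)
class HW:
    name: str
    site: str           # hosting site, one hardware provider per site (Assumption 2)
    allowed: frozenset  # data categories this hardware resource is classified for

def conflicts(placement):
    """Names of VRs hosted on hardware not classified for their data category."""
    return sorted(vr.name for vr, hw in placement.items() if vr.category not in hw.allowed)

def cmp(vrs, hws, placement=None):
    """Cloud management process: keep compliant placements, (re)assign the rest
    to the first hardware resource classified for the VR's category."""
    placement = dict(placement or {})
    for vr in vrs:
        hw = placement.get(vr)
        if hw is not None and vr.category in hw.allowed:
            continue  # already compliant, no migration needed
        suitable = [h for h in hws if vr.category in h.allowed]
        if not suitable:
            raise ValueError(f"no hardware resource classified for {vr.category!r}")
        placement[vr] = suitable[0]
    return placement

def notify_reclassification(placement, hws, hw, new_allowed):
    """Hardware provider announces a classification change before it takes effect
    (Assumption 8); affected VRs are migrated and the new placement is returned."""
    updated = HW(hw.name, hw.site, frozenset(new_allowed))
    new_hws = [updated if h == hw else h for h in hws]
    new_placement = {vr: (updated if h == hw else h) for vr, h in placement.items()}
    return cmp(list(new_placement), new_hws, new_placement)

# Constructed sample: two hosting sites, two categories of data.
HWS = [HW("hw-de-1", "Frankfurt", frozenset({"personal", "public"})),
       HW("hw-us-1", "Dallas", frozenset({"public"}))]
VRS = [VR("crm-db", "personal"), VR("web-cache", "public")]
```

Announcing a reclassification that leaves no suitably classified hardware for a virtual resource raises ValueError, which is exactly the conflict Assumption 6 forbids during a virtual resource's lifetime.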
Assumption 9: The control of the information flow of processed data and of the information flow of virtual resources is decoupled.
Evidence: Assumption 4, Assumption 5, and Assumption 6 imply that decoupling the control of the information flow of processed data and that of virtual resources is possible. This is achieved by classifying both types of information flow by the categories of data that are processed by the corporate customers (cf. Assumption 5 and Assumption 6). On the one hand, this implies that the information flow of processed data does not change the state of virtual resources with respect to the processed data contained within them (i.e., the classification of the virtual resource does not change). In conjunction with Assumption 4, this implies that the information flow of processed data does not interfere with that of virtual resources. On the other hand, this also implies that the information flow of virtual resources is compliant with the category of data processed within them. Thus, the information flow of processed data that is caused by the information flow of virtual resources is compliant with respect to the category of data, too. Consequently, the information flow of processed data cannot result in a forbidden information flow of virtual resources and vice versa. Therefore, it is reasonable to assume that the control of the information flow of processed data and that of virtual resources are decoupled if Assumption 4, Assumption 5, and Assumption 6 are satisfied.
Remark 5.3 (Focusing on information flow of virtual resources) If the control of the information flow of processed data and that of virtual resources are decoupled (cf. Assumption 9), then the control of both types of information flow can be modelled independently. To address the challenge of location inhomogeneity (cf. Def. 4.6), it is paramount to control the information flow of virtual resources, since this provides a basis for reliably provisioning virtual resources with the necessary level of security, which is required by the corporate customers when processing data within them. Therefore, and without loss of generality, this thesis focuses on controlling the information flow of virtual resources. How the control of the information flow of processed data can be established on top of the control of the information flow of virtual resources is discussed in Section 7.3.