Related Work on Resilience

The need for real-time and more dynamic nature of cloud infrastructure has made the task of defining a resilience framework very challenging. The policy based management has proven to be very effective for complex system management as evident in previous literature. The policy based approach to network and system management proposed in [95, 59] defines a framework for management for polices, policy hierarchies and policy transformation. In [117], the authors propose to enrich managed objects with policy goals as required by the management policy. It describes policies in two parts: an active part, containing application specific functionality, and a passive

part which can be re-used without any change. In [69], the authors used an approach to enforce policies by means of rules, but the understanding of a rule is more restrictive.

The works mentioned above are in the context of specification and imple- mentation of policies and recently SLA, while little focus has been given to the refinement of the high-level requirements into low level polices. In [140], the authors presented an approach to policy translation that is based on a set of tables. The tables identify the relationships between users, applications, servers, routers and classes of service supported by network. Whilst this technique offers the advantage of being fully automated, it is an inflexible approach, only supporting a very specific type of high-level SLA policy and low level device configuration policy.

The work in [29] outlines a policy authoring environment that provides a policy tool, called POWER, for refining policy. A domain expert first develops a set of policy templates, expressed as Prolog Programs. The pol- icy authoring tools have an integrated inference engine that interprets these programs to guide the user in selecting the appropriated elements from the management information model to be included in the final policy. The main limitation of this approach is the absence of any analysis capabilities to eval- uate the consistency of the refined policies. Similarly, work presented in [18] allows for the translation of service-level objectives into configuration pa- rameters of a managed system. The transformation engine takes the service requirements of the user as input, and search the database to determine the optimal parameters values that provide level of service limitation of this tech- nique include its dependence on a rich enough database which is only possible by observing the system for some period of time; and the inability to deal with situations where a given requirement specification results in different configurations. There are several relevant projects which are highlighted below.

1. ResumeNet [113] defines a multi-level systematic framework to network

resilience. ResumeNet provides blueprints and design guidelines for the cloud resilience management framework. The proposed resilience strat- egy in theResumeNet is validated by detailing the guidelines which can be applied to the problem of channel interference in wireless mesh net- work and to explore the implications of multi-staged and collaborative detection.

2. TClouds [135] was an EU FP7 project aimed at developing a cloud in-

frastructure that achieves security, privacy and resilience. It objectives include to identify and address legal and business issues, define a se- curity architecture for the cloud, and provide resilient middle-ware for

Chapter 2. Background and Related Work 26 adaptive security on the cloud-of-clouds. The TClouds project tar- gets cloud computing security and minimization of the widespread concerns about the security of personal data by putting its focus on privacy protection in cross-border infrastructures and on ensuring re- silience against failures and attacks. They published work about an advanced cloud infrastructure that can deliver computing and storage which achieves a new level of security, privacy, and resilience.

3. PRECYSE [109] is an EU FP7 project. The strategic goal of PRE-

CYSE is to define, develop and validate a methodology, an architecture and a set of technologies and tools to improve – by design – the secu- rity, reliability, and resilience of the information and communication technology (ICT) systems that support critical infrastructures (CIs).

4. Cloud Controls Matrix (CCM) [136] is specifically designed to provide

fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA (Cloud Security Alliance) CCM (Cloud Control Matrix) provides a controls framework that gives detailed un- derstanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the Cloud Security Alliance Control Matrix rest on its customized rela- tionship to other industry accepted security standards, regulations, and controls framework such as theISO 27001/27002,ISACA CoBIT,

PCI and NIST and will evolve to provide internal control directions for SAS 70 attestations provided by cloud providers. This control framework can possibly serve as as the backbone for evaluation of the security levels of the CRMF.

5. OrBAC [70] was developed inside the RNRT MP6 project (communi-

cation and information system models and security policies of health- care and social matters). The purpose of this project is to define a conceptual and industrial framework to meet the needs of information security and sensitive healthcare communications. OrBAC provides a well-defined access control policy model, which can be integrated into the CRMF framework, and shall enable fine-grained access control of the resources. The OrBAC API has been created to help software de- velopers introduce security mechanisms into their software. This API implements the OrBAC model, which is used to specify security policies and also implements the AdOrBAC model [40], which is used to manage the administration of the security policies. The MotOrBAC [39] tool has been developed using this API to edit and manage OrBAC security policies. OrBAC has only been realized on homogeneous systems (such as firewall) or at software level.