
2017 International Conference on Computer, Electronics and Communication Engineering (CECE 2017) ISBN: 978-1-60595-476-9

New Cloud Security Architecture System

Jun-fang LIU 1,* and He-zhi HU 2

1 Langfang Teachers University, Langfang, China
2 Langfang, Hebei University of Technology, Langfang, China

*Corresponding author

Keywords: Cloud computing, Safety, Architecture.

Abstract. Gartner's statistics report shows that the future growth of the cloud computing market will remain above 15%. With the rapid proliferation of cloud computing, cloud security requirements are gradually rising. Because of elastic architectures, multi-tenancy, virtualized resource pools, on-demand services and other unique characteristics of cloud computing, traditional security architectures are insufficient to meet the needs of cloud security. This paper presents an architecture system that satisfies the requirements of cloud computing and covers a rich set of angles. The architecture system expands along three dimensions: the overall architecture, the functional architecture and the product service model. In accordance with the three service models, the safety factors of the overall architecture were analyzed from the cloud service domain and the cloud management domain. On this basis, the cloud security functions are induced, and the product service model is derived from them.

Introduction

Cloud computing is a new computing mode following distributed computing[1], grid computing[2] and peer-to-peer computing[3]. It is the product of traditional computing technology and network technology, based on parallel computing, virtualization, network storage, hot backup redundancy and so on. It has rapidly become a hotspot[4] due to its key values, such as resource leasing, application hosting and service outsourcing. The nature of cloud computing is characterized by distributed computing and storage, virtualization technology, dynamic scalability, flexible service customization, super-large computing and storage capabilities, good manageability, etc.

Cloud computing includes three levels of service: IaaS, PaaS and SaaS[5].

IaaS (Infrastructure-as-a-Service): consumers can acquire services from the computer infrastructure via the Internet. PaaS (Platform-as-a-Service): PaaS, another application form of SaaS, actually refers to the software development platform as a service, delivered to users in the SaaS mode. PaaS can accelerate the development of SaaS, and in particular can speed up the development of SaaS applications, for example the personalization and customization of software. SaaS (Software-as-a-Service): a mode of providing software through the Internet. Users can manage their own business activities with rented web-based software instead of purchasing any software.

The main deployment models of cloud computing include public cloud, private cloud and hybrid cloud [6], which differ in the degree of openness of the cloud computing network. So the basic

Figure 1. Cloud computing mode. (Figure content: Hybrid Cloud, Private Cloud, Public Cloud; IaaS, PaaS, SaaS; axes: Scale, Effectiveness, Control/Management.)

Overview of Cloud Computing Security

The Importance of Cloud Security

Cloud computing has become a significant trend in the development of IT, greatly promoted by user enthusiasm. As shown in Fig. 2, provided by Gartner in 2009, security has turned into the biggest concern of users.

Figure 2. Challenges of cloud computing[7] (Source: IDC Enterprise Panel, 3Q09, n=263).

However, in the early period of cloud computing, safety problems are inevitable. Examples are the outage of Microsoft's cloud computing platform Windows Azure, and two outages of Amazon Simple Storage Service (S3), which left the sites it served dysfunctional. There are some possible reasons for these security issues: insufficient security measures invite attacks by hijackers; the system lacks reliability[8]. All of the above refers to the generalized cloud security problem. So security plays an essential role in the development of cloud computing.

Perspective of Cloud Security Architecture

I. Technical perspective.

Cloud security architecture involves complex technical content, mainly including network security, interface security, VM security, privacy security, compliance security and so on. The requirements vary with different business types, needs and levels. A unified, standardized and comprehensive technical framework can provide users with personalized security requirements.

II. Non-technical perspective.

At present, although domestic and foreign research results are based on the technical perspective, the influence of non-technical factors, such as human factors, should not be underestimated. Didi's service was stopped for about 5 hours due to incorrect manipulation by an operator. Therefore, the combination of technical and non-technical factors plays an essential role in the development of cloud computing.

Research Progress of Cloud Security Architecture


Table 1. Cloud security architecture.

Base class | Subclass | Reference | Key content
Service level | IaaS | [9] | An IaaS security architecture based on SEE is proposed.
Service level | IaaS | [10] | IaaS clouds: networking, virtualization, physical security.
Service level | PaaS | [11] | According to the PaaS service provider, the security architecture of .NET and Java in a sharing platform is proposed.
Service level | SaaS | [12] | Combines the security architecture with the software engine and security.
Service level | SaaS | [13] | Based on the SABSA security architecture, using the BYOD smartphone method to build an enterprise-class security architecture.
Service model | Storage | [14] | Construction of a data storage security architecture based on a block symmetric cryptography algorithm.
Service model | Storage | [15] | The use of an improved Merkle Hash Tree architecture to achieve data storage security.
Service model | Calculation | [16] | The PasS (Privacy as a Service) security architecture, using privacy mechanisms to ensure user privacy data in the calculation phase and compliance.
Service model | Calculation | [17] | The privacy mechanism is expressed, and a privacy management mechanism is built to protect private data.
Service model | Calculation and storage | [18] | The SecCloud model is proposed; security risks in the calculation and storage stages are considered, and a privacy mechanism is combined with a security audit protocol to achieve data security.
Service model | Management | [19] | Referring to the FISMA standard, a cloud security management architecture is constructed to improve the security management and control capabilities of cloud users and providers.
Service model | Management | [20] | Summarizes the security management concerns in order to build a private cloud security management architecture.
Service model | Management | [21] | Using an access control architecture to achieve the management of VMs.
Application types | Grade of service | [22] | The influencing factors of Sec-SLAs were analyzed.
Application types | Grade of service | [23] | Security architecture for introducing environmental SLAs into basic platform services.
Application types | Network monitoring | [24] | According to Trusted Platform Modules (TPM), a cloud monitoring architecture for the host and client virtual machines.
Application types | Network monitoring | [25] | Network security factors are introduced on the basis of the host and guest housing structure, to achieve high-credibility, high-availability monitoring capabilities.
Application types | Network monitoring | [26] | The use of hardware-based TPM to achieve remote control security.
Application types | Risk analysis | [27] | The security model of risk analysis is constructed by introducing the traditional CC and CSP into an ISP agent.
Application types | Risk analysis | [28] | The security model of risk analysis is constructed by introducing the traditional CC and CSP into an ISP agent.
Application types | Risk analysis | [29] | Construction of a security architecture based on the level of security services provided by the CSP.
Technical means | Authentication and access management | [30] | According to the sensitive information, the IAM system is constructed based on global security cooperation and security access.
Technical means | Authentication and access management | [31] | Based on ACS (Access Control Server), AFS (Access Filter Server), UDCS (User Dynamic Constraint Server), PMS (Permission Management Center) and AUC (Authentication Center), the S-RBAC model for the SaaS layer is proposed.
Technical means | Authentication and access management | [32] | Based on access control theory, Mutual Protection for Cloud Computing (MPCC) is proposed, together with the MPCC functions (Initial Matching Function and Continuous Monitoring Function).
Technical means | Data security | [33] | Using the RSA algorithm to construct the RSASS system to ensure data security.
Technical means | Data security | [34] | Building a security architecture by combining Diffie-Hellman and AES encryption.
Technical means | Trust guarantee mechanism | [35] |


Security Architecture

Integrated Framework


Combined with the three service models of cloud computing, a more comprehensive security architecture is put forward. The overall framework consists of two parts: cloud service domain security and cloud management domain security. The former focuses on the security of the services provided by the cloud service provider, and the latter focuses on management security.

Figure 3. Overall architecture.

(1) Cloud service domain

Cloud service domain contains terminal security, communication security, IaaS security, PaaS security, SaaS security. SaaS, PaaS and part of IaaS require data security, encryption and key management, identity and access management, while SaaS, PaaS and IaaS require security evaluation and audit, disaster recovery and business continuity.

Terminal security: user-side security is guaranteed by the users themselves. Communication security ensures data security in the process of transmission. IaaS security mainly includes interface security, host security, virtualization security, network security, physical security and log management. PaaS security mainly includes operation security and interface security. SaaS security mainly includes interface security.

(2) Cloud management domain

Cloud management domain includes security policy, regulations and standards, personnel security management, system construction management and system operation management.

Function Architecture

According to the overall structure, the functions of the service domain and the management domain are classified, as shown in Figure 4.

Figure 4. Function architecture.

(1) Cloud service domain

The functions of the cloud service domain include: security assessment of the data lifecycle, design of data security management, data sensitivity analysis, data loss prevention, data encryption protection, data isolation protection, flow cleaning, planning and implementation of information system disaster recovery, unified identity and access, integration of strong identity authentication, database audit, data audit, content audit, data backup and disaster recovery, data recovery, and transmission encryption. Security of IaaS includes: network intrusion prevention, unified threat management, network security reinforcement, host intrusion prevention, host access control, host system reinforcement, terminal security control, virtual firewall and log audit. Security of PaaS includes: API interface management and database access control. Security of SaaS includes: penetration testing, evaluation of application security, webpage tamper-proofing, application isolation of multi-tenants and traffic monitoring.

(2) Cloud management domain

The functions of the cloud management domain include: analysis of security management, risk assessment of the enterprise information system, design and construction of a security operation management center, development of security policy, security emergency response, design of security performance, security event audit, planning and construction of a security incident audit platform, planning and construction of an operation behavior audit platform, strategic planning of enterprise security, and security education and training.

Product Service Model

According to the functional architecture, the products are classified into two types: the basic service model (Table 2) and the value-added service model (Table 3). The former is the essential product, and the latter is ordered additionally as needed.

Table 2. Basic product service model.

Columns (security products): security audit, network intrusion prevention, host intrusion prevention, network security reinforcement, host system reinforcement, virtual firewall, flow cleaning, unified threat management, web anti-tamper, data protection, penetration testing, traffic monitoring, security audit.

Service model | Applicable products
IaaS | (check marks not recoverable from the extracted text)
PaaS | (check marks not recoverable from the extracted text)
SaaS | (check marks not recoverable from the extracted text)

Table 3. Value-added service model.

Columns: Accelerated service (page compression, domain analysis, forever online, intelligent cache); Other services (analysis report, compatible with IPv6, application security evaluation service).

Service model | Applicable services
IaaS | (check marks not recoverable from the extracted text)
PaaS | (check marks not recoverable from the extracted text)
SaaS | (check marks not recoverable from the extracted text)

Conclusion


management domain includes the key security contents. According to the above, a clear, comprehensive and functional architecture is built, and the function nodes are abstracted into a product service model. In all, a system chain from the basic security architecture to the security products provides a whole security solution for cloud computing providers and reliable security products for cloud computing users.

References

[1] Garg V.K. Elements of distributed computing [M]. Wiley-IEEE Press, 2002.

[2] Foster I., Kesselman C., Tuecke S. The anatomy of the grid: Enabling scalable virtual organizations [J]. International Journal of High Performance Computing Application, 2001, 15(3): 200-222.

[3] Schoder D., Fischbach K. Peer-to-peer prospects. Communications of the ACM, 2003, 46(2): 27-29.

[4] Lin Chuang, Su Wenbo, Meng Kun, Liu Qu, Liu Weidong. Cloud computing security: architecture, mechanism and modeling [J]. Chinese Journal of Computers, 2013, 36(9): 1765-1784.

[5] IDC. IDC Ranking of issues of Cloud Computing model [EB/OL]. [2009-02-27]. http://blogs.idc.com/ie/ ?p=730/.

[6] Michael. Cloud Computing Bible [M]. Wiley John + Sons, 2010.

[7] Schoder D., Fischbach K. Peer-to-peer prospects [J]. Communications of the ACM, 2003, 46(2): 27-29.

[8] Operators' cloud security focuses on "technology" and "service" [EB/OL]. [2009-12-22]. http://www.enet. com.cn/ security/Communication world.

[9] Bobelin L., Bousquet A., Briffaut J., et al. An advanced security-aware Cloud architecture [C]. 2014 International Conference on High Performance Computing & Simulation (HPCS). July 21-25, 2014. Bologna, Italy: IEEE Press, 2014: 572-579.

[10] Vaquero L.M., Rodero-Merino L., Morán D. Locking the sky: a survey on IaaS cloud security [J]. Computing, 2011, 91(1): 93-118.

[11] Rodero-Merino L., Vaquero L.M., Caron E., Desprez F., Muresan A. Building safe PaaS clouds: a survey on security in multitenant software platforms [J]. Computers & Security, 31(1): 96-108.

[12] S. Bode, A. Fischer, W. Kuhnhauser, M. Riebisch. Software architectural design meets security engineering [C]. 16th Annual IEEE International Conference and Workshop on the Engineering of Computer Based Systems, April 14-16, 2009. San Francisco, California, USA: IEEE Press, 2009: 109-118.

[13] Vasileios Samaras, Semir Daskapan, Rizwan Ahmad, Sayan Kumar Ray. An Enterprise Security Architecture for Accessing SaaS Cloud Services with BYOD [C]. 2014 Australasian Telecommunication Networks and Applications Conference (ATNAC). Nov. 26-28, 2014. Melbourne, Australia: IEEE Press, 2014: 129-134.


[15] C. Wang, Q. Wang, K. Ren, W. Lou. Privacy-preserving public auditing for data storage security in cloud computing [C]. 29th IEEE Conference on Computer Communications (INFOCOM'10), March 14-19, 2010. San Diego, California, USA: IEEE Press, 2010: 1-9.

[16] Wassim Itani, Ayman Kayssi, Ali Chehab. Privacy as a service: privacy-aware data storage and processing in cloud computing architectures [C]. Proceedings of the 2009 Eighth IEEE International Conference on Dependable, Autonomic and Secure Computing. December 12-14, 2009. Chengdu, China: IEEE Press, 2009: 711-716.

[17] Siani Pearson, Yun Shen, and Miranda Mowbray. A privacy manager for cloud computing [M]. Cloud Computing. Springer Berlin Heidelberg, 2009: 90-106.

[18] Wei L., Zhu H., Cao Z., et al. Security and privacy for storage and computation in cloud computing [J]. Information Sciences, 2014, 258(3): 371-386.

[19] Mohemed Almorsy, John Grundy and Amani S. Ibrahim. Collaboration-Based Cloud Computing Security Management Framework [C]. 2011 IEEE 4th International Conference on Cloud Computing. July 4-9, 2011. Washington DC, USA: IEEE Press. 2011: 364-371.

[20] Michael Kretzschmar, Mario Golling and Sebastian Hanigk. Security Management Areas in the Inter-Cloud [C]. 2011 IEEE 4th International Conference on Cloud Computing. July 4-9, 2011. Washington DC, USA: IEEE Press. 2011: 762-763.

[21] Wei J., Zhang X., Ammons G., et al. Managing security of virtual machine images in a cloud environment [C]. Proceedings of the First ACM Cloud Computing Security Workshop. November 13, 2009. Chicago, IL, USA: ACM, 2009: 91-96.

[22] Shirlei Aparecida de Chaves, Carlos Becker Westphall and Flavio Rodrigo Lamin. SLA Perspective in Security Management for Cloud Computing [C]. 2010 6th International Conference on Networking and Services. 7-13 March 2010. Cancun, Mexico: IEEE Press, 2010: 212-217.

[23] V. Stantchev and C. Schröpfer. Negotiating and enforcing QOS and SLAs in grid and cloud computing [C]. Proceedings of the 4th International Conference on Advances in Grid and Pervasive Computing (GPC '09). May 4-8, 2009. Geneva, Switzerland: IEEE Press. 2009: 25-35.

[24] Teemu Kanstrén, Sami Lehtonen, Reijo Savola, Kimmo Hätönen. Architecture for High Confidence Cloud Security Monitoring [C]. 2015 IEEE International Conference on Cloud Engineering. Mar 9-12, 2015. Tempe, AZ, USA: IEEE Press, 2015: 195-200.

[25] R.M. Savola and J. Ahola. Towards Remote Security Monitoring in Cloud Services Utilizing Security Metrics [C]. 2012 6th International Conference on Application of Information and Communication Technologies (AICT), 2012: 1-7.

[26] S. Bounchenak, et al. Verifying Cloud Services: Present and Future [J]. ACM SIGOPS Operating Systems Review, 2013, 47(2): 6-19.

[27] Paulo F. Silva, Carlos B. Westphall, Carla M. Westphall, Mauro M. Mattos, Daniel Ricardo dos Santos. An Architecture for Risk Analysis in Cloud [C]. 10th International Conference on Networking and Services. November 17-21, 2014. Rio de Janeiro, Brazil: IEEE Press, 2014: 29-33.

[28] S. Ristov, M. Gusev and M. Kostoska. A new methodology for security evaluation in cloud computing [C]. 2012 Proceedings of the 35th International Convention. May 21-25. Opatija, Croatia: IEEE Press, 2012: 1484-1489.


[30] Khandakar Entenam, Unayes Ahmed and Vassil Alexandrov. Identity and Access Management in Cloud Computing [M]. Cloud Computing for Enterprise Architectures. Springer London, 2011: 115-133.

[31] Li, D., Liu, C., Wei, Q., Liu, Z., Liu, B. RBAC-based access control for SaaS systems [C]. 2010 2nd International Conference on Information Engineering and Computer Science (ICIECS). December 25-26, 2010. Wuhan, China: IEEE Press. 2010: 1-4.

[32] Albeshri A., Caelli W. Mutual protection in cloud computing environment [C]. Proceedings of the 2010 12th IEEE International Conference on High Performance Computing and Communications. Sept. 1-3, 2010. Melbourne, Australia: IEEE Press, 2010: 641-646.

[33] M. Venkatesh, M.R. Sumalatha, Mr. C. SelvaKumar. Improving Public Auditability, Data Possession in Data Storage Security for Cloud Computing [C]. 2012 International Conference on Recent Trends In Information Technology (ICRTIT). April 19-21, 2012. Mumbai, Maharashtra, India: IEEE Press, 2012: 463-467.

[34] Prashant Rewagad, Yogita Pawar. Use of Digital Signature with Diffie Hellman Key Exchange and AES Encryption Algorithm to Enhance Data Security in Cloud Computing [C]. 2013 International Conference on Communication Systems and Network Technologies. April 6-8, 2013. Gwalior, India: IEEE Press, 2013: 437-439.
