Building a security reference architecture for cloud systems

Reference architectures (RAs) are useful tools to understand and build complex systems, and many cloud providers and software product vendors have developed versions of them. RAs describe at an abstract level (no implementation details) the main features of their cloud systems. Security is a fundamental concern in clouds and several cloud vendors provide security reference architectures (SRAs) to describe the security features of their services. A SRA is an abstract architecture describing a conceptual model of security for a cloud system and provides a way to specify security requirements for a wide range of concrete architectures. We propose here a method to build a SRA for clouds defined using UML models and patterns, which goes beyond existing models in providing a global view and a more precise description. We present a metamodel as well as security and misuse patterns for this purpose. We validate our approach by showing that it can describe more precisely existing models and that it has a variety of uses. We describe in detail one of these uses, a way of evaluating the security level of a SRA.

[1]  Takuya Suzuki,et al.  Security Architectures for Cloud Computing , 2010 .

[2]  Eduardo B. Fernandez,et al.  Two patterns for cloud computing: secure virtual machine image repository and cloud policy management point , 2013 .

[3]  Christian Senk Adoption of security as a service , 2013, Journal of Internet Services and Applications.

[4]  Ruth Breu,et al.  SeAAS - A Reference Architecture for Security Services in SOA , 2009, J. Univers. Comput. Sci..

[5]  Samee Ullah Khan,et al.  Modeling and Analysis of State-of-the-art VM-based Cloud Management Platforms , 2013, IEEE Transactions on Cloud Computing.

[6]  Eduardo B. Fernández,et al.  Modeling Misuse Patterns , 2009, 2009 International Conference on Availability, Reliability and Security.

[7]  Roy H. Campbell,et al.  A middleware for assured clouds , 2011, Journal of Internet Services and Applications.

[8]  Eduardo B. Fernandez,et al.  A Methodology to Develop Secure Systems Using Patterns , 2006 .

[9]  Eduardo B. Fernández,et al.  An analysis of security issues for cloud computing , 2013, Journal of Internet Services and Applications.

[10]  Anneke Kleppe,et al.  The Object Constraint Language: Getting Your Models Ready for MDA , 2003 .

[11]  Paul W. P. J. Grefen,et al.  A framework for analysis and design of software reference architectures , 2012, Inf. Softw. Technol..

[12]  Martin Fowler,et al.  Analysis patterns - reusable object models , 1996, Addison-Wesley series in object-oriented software engineering.

[13]  Bridget McCrea,et al.  On Cloud Nine , 2011 .

[14]  Mahesh H. Dodani On 'Cloud Nine' Through Architecture , 2010, J. Object Technol..

[15]  Eduardo B. Fernández,et al.  A Survey of Patterns for Web Services Security and Reliability Standards , 2012, Future Internet.

[16]  Richard N. Taylor,et al.  A Classification and Comparison Framework for Software Architecture Description Languages , 2000, IEEE Trans. Software Eng..

[17]  B. F. Castro Buschmann, Frank; Meunier, Regine; Rohnert, Hans; Sommerlad, Peter; Stal, Michael. Pattern-oriented software architecture: a system of patterns, John Wiley & Sons Ltd, 1996 , 1997 .

[18]  Armin Haller,et al.  An ontology-based system for Cloud infrastructure services' discovery , 2012, 8th International Conference on Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom).

[19]  Haralambos Mouratidis,et al.  A framework to support selection of cloud providers based on security and privacy requirements , 2013, J. Syst. Softw..

[20]  Suhaimi Ibrahim,et al.  A Service Oriented Security Reference Architecture , 2013 .

[21]  Haralambos Mouratidis,et al.  Towards the design of secure and privacy-oriented information systems in the cloud: Identifying the major concepts , 2014, Comput. Stand. Interfaces.

[22]  José A. B. Fortes,et al.  Cloud Computing Security: What Changes with Software-Defined Networking? , 2014, Secure Cloud Computing.

[23]  Dick Hardt,et al.  The OAuth 2.0 Authorization Framework , 2012, RFC.

[24]  Peter Sommerlad,et al.  Pattern-Oriented Software Architecture: A System of Patterns: John Wiley & Sons , 1987 .

[25]  Eduardo B. Fernández,et al.  Abstract security patterns for requirements specification and analysis of secure systems , 2014, WER.

[26]  Richard N. Taylor Software architecture: many faces, many places, yet a central discipline , 2009, ESEC/FSE '09.

[27]  Rocco Aversa,et al.  Proceedings of the Federated Conference on Computer Science and Information Systems pp. 973–980 ISBN 978-83-60810-22-4 An Analysis of mOSAIC ontology for Cloud Resources annotation , 2022 .

[28]  Neil B. Harrison,et al.  How do architecture patterns and tactics interact? A model and annotation , 2010, J. Syst. Softw..

[29]  Eduardo B. Fernández,et al.  Securing distributed systems using patterns: A survey , 2012, Comput. Secur..

[30]  D. Gresham,et al.  Oracle® Reference Architecture , 2010 .

[31]  Roy H. Campbell,et al.  Distributed Security Policy Conformance , 2011, SEC.

[32]  Mario Golling,et al.  Security management spectrum in future multi-provider Inter-Cloud environments — Method to highlight necessary further development , 2011, 2011 5th International DMTF Academic Alliance Workshop on Systems and Virtualization Management: Standards and the Cloud (SVM).

[33]  Paris Avgeriou,et al.  Describing, Instantiating and Evaluating a Reference Architecture : A Case Study , 2003 .

[34]  Eduardo B. Fernández,et al.  An Approach to Model-based Development of Secure and Reliable Systems , 2011, 2011 Sixth International Conference on Availability, Reliability and Security.

[35]  Muttukrishnan Rajarajan,et al.  A survey of intrusion detection techniques in Cloud , 2013, J. Netw. Comput. Appl..

[36]  Haibo Chen,et al.  PALM: Security Preserving VM Live Migration for Systems with VMM-enforced Protection , 2008, 2008 Third Asia-Pacific Trusted Infrastructure Technologies Conference.

[37]  Eduardo B. Fernández,et al.  An extensible pattern-based library and taxonomy of security threats for distributed systems , 2014, Comput. Stand. Interfaces.

[38]  Ghassan O. Karame,et al.  Enabling secure VM-vTPM migration in private clouds , 2011, ACSAC '11.

[39]  Keiko Hashizume,et al.  Web Services Security: Standards and Industrial Practice , 2010 .

[40]  Ari Juels,et al.  New approaches to security and availability for cloud data , 2013, CACM.

[41]  Mario Piattini,et al.  Security Engineering for Cloud Computing: Approaches and Tools , 2012 .

[42]  Richard N. Taylor,et al.  Software architecture: foundations, theory, and practice , 2009, 2010 ACM/IEEE 32nd International Conference on Software Engineering.

[43]  Nancy G. Leveson,et al.  An integrated approach to safety and security based on systems theory , 2014, CACM.

[44]  Seyyed Mohsen Hashemi,et al.  Cloud computing: use cases & various applications , 2014 .

[45]  Eduardo B. Fernández,et al.  Attack Patterns: A New Forensic and Design Tool , 2007, IFIP Int. Conf. Digital Forensics.

[46]  Roberto Di Pietro,et al.  Secure virtualization for cloud computing , 2011, J. Netw. Comput. Appl..

[47]  Mário M. Freire,et al.  Security issues in cloud environments: a survey , 2014, International Journal of Information Security.

[48]  James E. Rumbaugh,et al.  Unified Modeling Language (UML) , 2010, Encyclopedia of Software Engineering.

[49]  Michael D. Hogan,et al.  NIST Cloud Computing Standards Roadmap , 2013 .

[50]  Gerrit Muller,et al.  Researching Reference Architectures , 2010 .

[51]  Eduardo B. Fernandez,et al.  Security patterns in practice : designing secure architectures using software patterns , 2013 .

[52]  Qing Li,et al.  Unified Modeling Language , 2009 .

[53]  Eduardo Fernandez-Buglioni,et al.  Security Patterns in Practice: Designing Secure Architectures Using Software Patterns , 2013 .

[54]  Wouter Joosen,et al.  Towards application driven security dashboards in future middleware , 2011, Journal of Internet Services and Applications.

[55]  Krishna P. Gummadi,et al.  Towards Trusted Cloud Computing , 2009, HotCloud.

[56]  David Bernstein,et al.  Intercloud Security Considerations , 2010, 2010 IEEE Second International Conference on Cloud Computing Technology and Science.

[57]  Michael Howard,et al.  The security development lifecycle : SDL, a process for developing demonstrably more secure software , 2006 .

[58]  Frank Buschmann,et al.  A system of patterns , 1995 .

[59]  Eduardo B. Fernández,et al.  Eliciting Security Requirements through Misuse Activities , 2008, 2008 19th International Workshop on Database and Expert Systems Applications.

[60]  Kristian Beckers,et al.  A pattern-based method for establishing a cloud-specific information security management system , 2013, Requirements Engineering.

[61]  Mark Ryan,et al.  Cloud computing security: The scientific challenge, and a survey of solutions , 2013, J. Syst. Softw..

[62]  Eduardo B. Fernandez,et al.  Cloud service model patterns , 2012 .

[63]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[64]  Eduardo B. Fernandez,et al.  Three Misuse Patterns for Cloud Computing , 2013 .

[65]  Jin Tong,et al.  NIST Cloud Computing Reference Architecture , 2011, 2011 IEEE World Congress on Services.

[66]  James Bret Michael,et al.  Atomic-Level Security for Web Applications in a Cloud Environment , 2012, Computer.

[67]  Xiaohong Yuan,et al.  Semantic Analysis Patterns , 2000, ER.

[68]  Wanlei Zhou,et al.  Cloud security defence to protect cloud computing against HTTP-DoS and XML-DoS attacks , 2011, J. Netw. Comput. Appl..

[69]  Rajkumar Buyya,et al.  Modeling and simulation of scalable Cloud computing environments and the CloudSim toolkit: Challenges and opportunities , 2009, 2009 International Conference on High Performance Computing & Simulation.

[70]  Jin Tong,et al.  NIST cloud computing standards roadmap :: version 1.0 , 2011 .

[71]  Dr. A. Leventi-Peetz Summary of the book : Formal Methods for Safe and Secure Computer Systems , 2013 .

[72]  Martin Fowler,et al.  Patterns of Enterprise Application Architecture , 2002 .

[73]  Mike P. Papazoglou,et al.  Service oriented architectures: approaches, technologies and research issues , 2007, The VLDB Journal.

[74]  E.B. Fernandez,et al.  A Pattern Language for Identity Management , 2007, 2007 International Multi-Conference on Computing in the Global Information Technology (ICCGI'07).

[75]  Klaus Pohl,et al.  Creating a Reference Architecture for Service-Based Systems - A Pattern-Based Approach , 2010, Future Internet Assembly.

[76]  Peng Liu,et al.  MyCloud: supporting user-configured privacy protection in cloud computing , 2013, ACSAC.

[77]  Dieter Gollmann,et al.  Computer Security , 1979, Lecture Notes in Computer Science.

[78]  David M. Nicol,et al.  Trust mechanisms for cloud computing , 2013, Journal of Cloud Computing: Advances, Systems and Applications.

[79]  Rajkumar Buyya,et al.  Cost of Virtual Machine Live Migration in Clouds: A Performance Evaluation , 2009, CloudCom.

[80]  Roy H. Campbell,et al.  Attack-resilient compliance monitoring for large distributed infrastructure systems , 2011, 2011 5th International Conference on Network and System Security.

[81]  Tong Jin,et al.  NIST-SP 500-291, NIST Cloud Computing Standards Roadmap | NIST , 2011 .

[82]  Eduardo B. Fernández,et al.  Engineering Security into Distributed Systems: A Survey of Methodologies , 2012, J. Univers. Comput. Sci..

[83]  Roger Clarke,et al.  Data Risks in the Cloud , 2013, J. Theor. Appl. Electron. Commer. Res..