Secure Cloud Computing

This book presents a range of cloud computing security challenges and promising solution paths.

The first two chapters focus on practical considerations of cloud computing. In Chapter 1, Chandramouli, Iorga, and Chokani describe the evolution of cloud computing and the current state of practice, followed by the challenges of cryptographic key management in the cloud. In Chapter 2, Chen and Sion present a dollar cost model of cloud computing and explore the economic viability of cloud computing with and without cryptographic security mechanisms.

The next two chapters address security issues of the cloud infrastructure. In Chapter 3, Szefer and Lee describe a hardware-enhanced security architecture that protects the confidentiality and integrity of a virtual machine's memory from an untrusted or malicious hypervisor. In Chapter 4, Tsugawa et al. discuss the security issues introduced when Software-Defined Networking (SDN) is deployed within and across clouds.

Chapters 5-9 focus on the protection of data stored in the cloud. In Chapter 5, Wang et al. present two storage isolation schemes that enable cloud users with high security requirements to verify that their disk storage is isolated from some or all other users, without any cooperation from cloud service providers. In Chapter 6, De Capitani di Vimercati, Foresti, and Samarati describe emerging approaches for protecting data stored externally and for enforcing fine-grained and selective access to them, and illustrate how the combination of these approaches can introduce new privacy risks. In Chapter 7, Le, Kant, and Jajodia explore data access challenges in collaborative enterprise computing environments where multiple parties formulate their own authorization rules, and discuss the problems of rule consistency, enforcement, and dynamic updates. In Chapter 8, Smith et al. address key challenges to the practical realization of a system that supports query execution over remote encrypted data without exposing decryption keys or plaintext at the server. In Chapter 9, Sun et al. provide an overview of secure search techniques over encrypted data, and then elaborate on a scheme that can achieve privacy-preserving multi-keyword text search.

The next three chapters focus on the secure deployment of computations to the cloud. In Chapter 10, Oktay et al. present a risk-based approach for workload partitioning in hybrid clouds that selectively outsources data and computation based on their level of sensitivity. The chapter also describes a vulnerability assessment framework for cloud computing environments. In Chapter 11, Albanese et al. present a solution for deploying a mission in the cloud while minimizing the mission's exposure to known vulnerabilities, and a cost-effective approach to harden the computational resources selected to support the mission. In Chapter 12, Kontaxis et al. describe a system that generates computational decoys to introduce uncertainty and deceive adversaries as to which data and computation are legitimate.

The last section of the book addresses issues related to security monitoring and system resilience. In Chapter 13, Zhou presents a secure, provenance-based capability that captures dependencies between system states, tracks state changes over time, and answers attribution questions about the existence, or change, of a system's state at a given time. In Chapter 14, Wu et al. present a monitoring capability for multicore architectures that runs monitoring threads concurrently with user or kernel code to constantly check for security violations. Finally, in Chapter 15, Hasan Cam describes how to manage the risk and resilience of cyber-physical systems by employing controllability and observability techniques for linear and non-linear systems.
