Virtualization and Cloud Security: Benefits, Caveats, and Future Developments

The Cloud computing paradigm allows fast provisioning and deprovisioning of a large variety of, in most cases, preconfigured services. This would not have been possible without supporting technologies that enable rapid deployment and release of services; virtualization has been the answer to these service management requirements. In particular, hardware virtualization has sped up the deployment of potentially large numbers of virtual machines (VMs) on multiple hosts. This enables a far more efficient use of physical resources, which can be shared among multiple tenants to benefit from cost savings and ease of management. Multitenancy is a fundamental feature of Cloud computing. However, multitenancy, and resource sharing in general, increases exposure to security threats: in particular, timing side-channel attacks can infer information from sibling VMs running on the same physical host, because co-resident VMs share caches and other hardware resources. Further security and privacy issues stem from the present architecture of virtualization-based Cloud services. In particular, platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) offerings on both Public and Hybrid Clouds potentially allow Cloud host administrators to access service provider (SP) and service consumer data, and can thereby affect service execution time and the reliability of service results. Enterprises are mostly aware of the risks involved in multitenancy, and often opt for a Private or Hybrid Cloud approach that is more costly and usually less scalable than a Public Cloud. In this context, novel Cloud approaches are required to enhance monitoring and security auditing of VMs and services, while at the same time guaranteeing better privacy for both the SP and the service user (SU).
The objective of this chapter is to shed light on the virtualization technologies that empower the Cloud and that will become increasingly relevant to the evolution of Cloud services, together with the associated frameworks and principles. It also reviews present and possible future approaches to securing Cloud resources.