Building Trust and Compliance in the Cloud for Services

Security is a key barrier to the broader adoption of cloud computing. The real and perceived risks of providing, accessing and controlling services in multi-tenant cloud environments can slow or preclude the migration to services by IT organizations. In a non-virtualized environment, the separation provided by physical infrastructure is assumed to provide a level of protection for applications and data. In the cloud, this traditional physical isolation between applications no longer exists. Cloud infrastructure is multi-tenant, with multiple applications utilizing a shared common physical infrastructure. This provides the benefit of much more efficient resource utilization. However, because the physical barriers between applications have been eliminated, it is important to establish compensating security controls to minimize the potential for malware to spread through the cloud. Newer types of malware threats, such as rootkit attacks, can be increasingly difficult to detect using traditional antivirus products. These threats use various methods of concealment to remain undetected as they infect key system components such as hypervisors and drivers. This increases the likelihood that the malware can operate in the background, spread through a cloud environment, and cause greater damage over time. This paper explores the security challenges of deploying and managing services in a cloud infrastructure and, as an example, discusses work that Intel is doing with partners and the software vendor ecosystem to enable a security-enhanced platform and solutions, with security anchored and rooted in hardware and firmware, to increase visibility and control in the cloud.
