
Security Infrastructure for Dynamically Provisioned Cloud Infrastructure Services

Chapter in: Privacy and Security for Cloud Computing

Abstract

This chapter discusses conceptual issues, basic requirements and practical suggestions for designing a dynamically configured security infrastructure that is provisioned on demand as part of a cloud-based infrastructure. It describes general use cases for provisioning cloud infrastructure services and the proposed architectural framework, which provides a basis for defining the security infrastructure requirements. The proposed security services lifecycle management (SSLM) model addresses security problems specific to on-demand infrastructure service provisioning; these can be solved by introducing special security mechanisms that allow security services to be synchronised and bound to the virtualisation platforms' run-time environment. The chapter then describes the proposed dynamically provisioned access control infrastructure (DACI) architecture and defines the security mechanisms needed to ensure consistent operation of security services in the provisioned virtual infrastructure. In particular, it discusses the design and use of a security token service for federated access control and security context management in a cloud environment that is, in general, multi-domain and multi-provider.


Acknowledgement

This work is supported by the FP7 EU-funded project GEANT3 (FP7-ICT-238875) and the FP7 EU-funded integrated project the Generalised Architecture for Dynamic Infrastructure Services (GEYSERS, FP7-ICT-248657).

Corresponding author: Yuri Demchenko

Recommended Reading

Interested readers are encouraged to become familiar with the general background on both cloud technologies and basic security models and standards. In particular, the following additional literature can be recommended.

First, the NIST standards on cloud computing and virtualisation technologies are recommended; an up-to-date list is available at the NIST Cloud Program webpage (http://www.nist.gov/itl/cloud/):

NIST SP 800-145, “A NIST definition of cloud computing”. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

NIST SP 500-292, Cloud Computing Reference Architecture, v1.0. http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/ReferenceArchitectureTaxonomy/NIST_SP_500-292_-_090611.pdf

DRAFT NIST SP 800-146, Cloud Computing Synopsis and Recommendations. http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf

Draft SP 800-144 Guidelines on Security and Privacy in Public Cloud Computing. http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf

DRAFT NIST SP 800-293, US Government Cloud Computing Technology Roadmap, Volume I, Release 1.0. http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeI-2.pdf

NIST SP500-291 NIST Cloud Computing Standards Roadmap. http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/StandardsRoadmap/NIST_SP_500-291_Jul5A.pdf

NIST SP 800-125, Guide to Security for Full Virtualisation Technologies. http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf

For security background, the following literature is recommended. These RFCs on the generic AAA authorisation framework provide a general context for developing an authorisation infrastructure for on-demand provisioned services and an access control infrastructure:

RFC 2903, Generic AAA Architecture. Experimental RFC, Internet Engineering Task Force, August 2000. ftp://ftp.isi.edu/in-notes/rfc2903.txt

RFC 2904, AAA Authorization Framework. Internet Engineering Task Force, August 2000. ftp://ftp.isi.edu/in-notes/rfc2904.txt

Cloud computing technologies, with their distributed virtualised computing environments, motivate revisiting foundational security concepts and models and rethinking existing security models and solutions. The following foundational publications on computer security (originally proposed for the mainframe-based computing model) can be recommended:

Anderson, J.: Computer Security Technology Planning Study. ESD-TR-73-51, ESD/AFSC, Hanscom AFB, Bedford, MA 01731 (Oct 1972) [NTIS AD-758 206]. http://csrc.nist.gov/publications/history/ande72.pdf

Bell, D.E., LaPadula, L.: Secure Computer System: Unified Exposition and Multics Interpretation. ESD-TR-75-306, ESD/AFSC, Hanscom AFB, Bedford, MA 01731 (1975) [DTIC AD-A023588]. http://csrc.nist.gov/publications/history/bell76.pdf

Biba, K.J.: Integrity Considerations for Secure Computer Systems. MTR-3153, The Mitre Corporation, Apr 1977

Anderson, R., Stajano, F., Lee, J.: Security Policies. http://www.cl.cam.ac.uk/~rja14/Papers/security-policies.pdf


© 2013 Springer-Verlag London

Cite this chapter

Demchenko, Y., Ngo, C., de Laat, C., Lopez, D.R., Morales, A., García-Espín, J.A. (2013). Security Infrastructure for Dynamically Provisioned Cloud Infrastructure Services. In: Pearson, S., Yee, G. (eds) Privacy and Security for Cloud Computing. Computer Communications and Networks. Springer, London. https://doi.org/10.1007/978-1-4471-4189-1_5


  • DOI: https://doi.org/10.1007/978-1-4471-4189-1_5


  • Publisher Name: Springer, London

  • Print ISBN: 978-1-4471-4188-4

  • Online ISBN: 978-1-4471-4189-1

  • eBook Packages: Computer Science (R0)
