Abstract
This chapter discusses conceptual issues, basic requirements and practical suggestions for designing a dynamically configured security infrastructure that is provisioned on demand as part of a cloud-based infrastructure. It describes general use cases for provisioning cloud infrastructure services and a proposed architectural framework that provides the basis for defining the security infrastructure requirements. The proposed security services lifecycle management (SSLM) model addresses security problems specific to on-demand infrastructure service provisioning; these are solved by introducing special security mechanisms that synchronise the security services and bind them to the virtualisation platforms' run-time environment. The chapter then describes the proposed dynamically provisioned access control infrastructure (DACI) architecture and defines the security mechanisms needed to ensure consistent operation of the security services in the provisioned virtual infrastructure. In particular, it discusses the design and use of a security token service for federated access control and security context management in a generically multi-domain, multi-provider cloud environment.
Acknowledgement
This work is supported by the FP7 EU-funded project GEANT3 (FP7-ICT-238875) and the FP7 EU-funded integrated project the Generalised Architecture for Dynamic Infrastructure Services (GEYSERS, FP7-ICT-248657).
Recommended Reading
Interested readers are recommended to become familiar with the general background on both cloud technologies and basic security models and standards. In particular, the following additional literature can be recommended.
First, read the NIST publications on cloud computing and virtualisation technologies; an up-to-date list is available at the NIST Cloud Program webpage (http://www.nist.gov/itl/cloud/):
NIST SP 800-145, The NIST definition of cloud computing. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
NIST SP 500-292, Cloud Computing Reference Architecture, v1.0. http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/ReferenceArchitectureTaxonomy/NIST_SP_500-292_-_090611.pdf
DRAFT NIST SP 800-146, Cloud Computing Synopsis and Recommendations. http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf
Draft SP 800-144 Guidelines on Security and Privacy in Public Cloud Computing. http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
DRAFT NIST SP 500-293, US Government Cloud Computing Technology Roadmap, Volume I, Release 1.0. http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeI-2.pdf
NIST SP500-291 NIST Cloud Computing Standards Roadmap. http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/StandardsRoadmap/NIST_SP_500-291_Jul5A.pdf
NIST SP 800-125, Guide to Security for Full Virtualization Technologies. http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf
For security background, read the following literature.
The following RFCs on the generic AAA authorisation framework provide the general context for developing an authorisation infrastructure and access control infrastructure for on-demand provisioned services:
RFC 2903, Generic AAA Architecture (Experimental). Internet Engineering Task Force, August 2000. ftp://ftp.isi.edu/in-notes/rfc2903.txt
RFC 2904, AAA Authorization Framework. Internet Engineering Task Force, August 2000. ftp://ftp.isi.edu/in-notes/rfc2904.txt
Cloud computing technologies, with their distributed virtualised computing environments, motivate revisiting the foundational security concepts and models and rethinking existing security models and solutions. The following foundational publications on computer security (originally proposed for the mainframe-based computing model) can be recommended:
Anderson, J.: Computer Security Technology Planning Study. ESD-TR-73-51, ESD/AFSC, Hanscom AFB, Bedford, MA 01731 (Oct. 1972) [NTIS AD-758 206]. http://csrc.nist.gov/publications/history/ande72.pdf
Bell, D.E., La Padula, L.J.: Secure Computer System: Unified Exposition and Multics Interpretation. ESD-TR-75-306, ESD/AFSC, Hanscom AFB, Bedford, MA 01731 (1975) [DTIC AD-A023588]. http://csrc.nist.gov/publications/history/bell76.pdf
Biba, K.J.: Integrity Considerations for Secure Computer Systems. MTR-3153, The MITRE Corporation, Apr 1977
Anderson, R., Stajano, F., Lee, J.: Security Policies. http://www.cl.cam.ac.uk/~rja14/Papers/security-policies.pdf
© 2013 Springer-Verlag London
Cite this chapter
Demchenko, Y., Ngo, C., de Laat, C., Lopez, D.R., Morales, A., García-Espín, J.A. (2013). Security Infrastructure for Dynamically Provisioned Cloud Infrastructure Services. In: Pearson, S., Yee, G. (eds) Privacy and Security for Cloud Computing. Computer Communications and Networks. Springer, London. https://doi.org/10.1007/978-1-4471-4189-1_5
DOI: https://doi.org/10.1007/978-1-4471-4189-1_5
Publisher Name: Springer, London
Print ISBN: 978-1-4471-4188-4
Online ISBN: 978-1-4471-4189-1