Abstract
The large-scale deployment of cloud composite services distributed over heterogeneous environments poses new challenges for security management. In particular, the migration of their resources is facilitated by recent advances in virtualization techniques. This increases the dynamics of their configuration and may induce vulnerabilities that compromise the security of individual cloud resources, or even of the whole service. In addition, cloud providers may be reluctant to share precise information about the configuration of their infrastructures with the cloud tenants that build and deploy cloud composite services, which makes vulnerability assessment difficult to perform with only a partial view of the overall configuration. We therefore propose in this article an inter-cloud trusted third-party approach, called C3S-TTP, for supporting secure configurations in cloud composite services, more specifically during the migration of their resources. We describe the considered architecture, its main building blocks and their interactions, based on an extended version of the TOSCA orchestration language. The trusted third party is capable of performing a precise and exhaustive vulnerability assessment without requiring the cloud provider and the cloud tenant to share critical configuration information with each other. After designing and formalizing this third-party solution, we perform a large series of experiments based on a proof-of-concept prototype in order to quantify its benefits and limits.
Data and Code Availability
OVAL and CVSS descriptions come from the official open source repositories; the code is under deposit at INRIA and will be provided on a case-by-case basis.
Notes
Composite Cloud Configuration Security - Trusted Third Party.
Topology and Orchestration Specification for Cloud Applications.
Open Vulnerability and Assessment Language.
Extensible Configuration Checklist Description Format.
A theorem prover from Microsoft Research. It is licensed under the MIT license.
Open-source SMT solver. It is proof-producing and complete for quantifier-free formulas with uninterpreted functions and linear arithmetic over real numbers and integers.
An international initiative aimed at facilitating research and development in Satisfiability Modulo Theories (SMT).
Security Configuration Automation Protocol.
Funding
Supported by the CONCORDIA project that has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 83092.
Contributions
MO, RB and OF contributed equally to this work.
Ethics declarations
Conflict of interest
The authors have not disclosed any conflict of interest.
Ethical Approval
Not applicable.
About this article
Cite this article
Oulaaffart, M., Badonnel, R. & Festor, O. C3S-TTP: A Trusted Third Party for Configuration Security in TOSCA-Based Cloud Services. J Netw Syst Manage 32, 21 (2024). https://doi.org/10.1007/s10922-023-09792-7