
C3S-TTP: A Trusted Third Party for Configuration Security in TOSCA-Based Cloud Services

Journal of Network and Systems Management

Abstract

The large-scale deployment of cloud composite services distributed over heterogeneous environments poses new challenges in terms of security management. In particular, the migration of their resources is facilitated by recent advances in virtualization techniques. This increases the dynamics of their configuration and may induce vulnerabilities that could compromise the security of individual cloud resources, or even of the whole service. In addition, cloud providers may be reluctant to share precise information regarding the configuration of their infrastructures with the cloud tenants that build and deploy cloud composite services. Vulnerability assessment is therefore difficult, since each party can only perform it with a partial view of the overall configuration. We propose in this article an inter-cloud trusted third-party approach, called C3S-TTP, for supporting secure configurations in cloud composite services, more specifically during the migration of their resources. We describe the considered architecture, its main building blocks and their interactions, based on an extended version of the TOSCA orchestration language. The trusted third party is capable of performing a precise and exhaustive vulnerability assessment without requiring the cloud provider and the cloud tenant to share critical configuration information with each other. After designing and formalizing this third-party solution, we perform a large series of experiments based on a proof-of-concept prototype in order to quantify its benefits and limits.
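The security-relevant idea in the abstract is that neither the tenant nor the provider has to see the other's configuration: each sends its own view to the third party, which evaluates vulnerability definitions over the joint configuration and returns to each side only the findings that concern its own configuration items. The following Python block is an added illustration of that separation, not the authors' C3S-TTP code or their TOSCA extension. The tenant topology fragment, the provider host description, the package and hypervisor names, and the OVAL-style definitions (ids `DEMO-000x`) are all constructed for the example; they do not correspond to real software or real vulnerability entries.

```python
"""Minimal model of a configuration-security trusted third party (TTP).

Added illustration, not the authors' C3S-TTP implementation. Every name,
data structure and vulnerability definition below is constructed for the
example and is not taken from the paper or from any OVAL/NVD feed.
"""
from dataclasses import dataclass, field
from typing import Any

# ---- Constructed inputs: each party's private view of the configuration ----
# Tenant view: a TOSCA-like topology fragment for a service node that is
# about to be migrated onto a provider host (package names are hypothetical).
TENANT_VIEW = {
    "node_templates": {
        "web": {
            "type": "tosca.nodes.SoftwareComponent",
            "properties": {"packages": {"libfoo": "1.8.3", "barsrv": "4.2.0"}},
            "requirements": [{"host": "vm-small"}],
        }
    }
}
# Provider view: the target host's infrastructure configuration, which the
# provider does not want to expose to tenants (values are hypothetical).
PROVIDER_VIEW = {
    "hosts": {
        "vm-small": {"hypervisor": "hv-x", "hypervisor_version": "3.1.0",
                     "nested_virt": True}
    }
}

# ---- Constructed OVAL-style definitions held by the TTP ----
# A criterion names the party whose view it reads, a dotted path into that
# view, a comparison operator and an expected value. A definition fires only
# when all of its criteria hold, so DEMO-0002 is only detectable by someone
# who sees both views at once: exactly the role of the third party.
DEFINITIONS = [
    {"id": "DEMO-0001", "criteria": [
        ("tenant", "node_templates.web.properties.packages.libfoo", "<", "2.0.0")]},
    {"id": "DEMO-0002", "criteria": [
        ("tenant", "node_templates.web.properties.packages.barsrv", "<", "4.3.0"),
        ("provider", "hosts.vm-small.nested_virt", "==", True),
        ("provider", "hosts.vm-small.hypervisor_version", "<", "3.2.0")]},
    {"id": "DEMO-0003", "criteria": [
        ("provider", "hosts.vm-small.hypervisor", "==", "hv-y")]},
]


def version_key(v: str) -> tuple:
    """Turn '3.10.0' into (3, 10, 0) so dotted versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def lookup(view: dict, path: str) -> Any:
    """Resolve a dotted path such as 'hosts.vm-small.nested_virt'."""
    node: Any = view
    for part in path.split("."):
        node = node[part]
    return node


def holds(actual: Any, op: str, expected: Any) -> bool:
    if op == "==":
        return actual == expected
    if op == "<":
        return version_key(actual) < version_key(expected)
    raise ValueError(f"unsupported operator {op}")


@dataclass
class Report:
    """What the TTP returns to ONE party: the ids of matched definitions and
    only the configuration paths on that party's side, never the other
    party's paths or values."""
    party: str
    findings: dict = field(default_factory=dict)  # definition id -> own paths


def assess(tenant_view: dict, provider_view: dict, definitions: list) -> dict:
    """Evaluate every definition over the joint configuration, then split the
    result into one minimally disclosing report per party."""
    views = {"tenant": tenant_view, "provider": provider_view}
    reports = {p: Report(p) for p in views}
    for d in definitions:
        if all(holds(lookup(views[party], path), op, val)
               for party, path, op, val in d["criteria"]):
            for party, path, _op, _val in d["criteria"]:
                reports[party].findings.setdefault(d["id"], []).append(path)
    return reports


if __name__ == "__main__":
    for r in assess(TENANT_VIEW, PROVIDER_VIEW, DEFINITIONS).values():
        print(r.party, r.findings)
```

With these constructed inputs the tenant learns that `DEMO-0001` and `DEMO-0002` apply to its node, and the provider learns that `DEMO-0002` involves two of its host settings; neither report carries the other party's paths or values. The paper's prototype encodes such checks for an SMT solver rather than evaluating them directly as done here, but the information-flow boundary, with the joint view existing only inside the third party, is the same.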



Data and Code Availability

The OVAL and CVSS descriptions come from the official open source repositories. The code is under deposit at INRIA and will be provided on a case-by-case basis.

Notes

  1. Composite Cloud Configuration Security - Trusted Third Party.

  2. Topology and Orchestration Specification for Cloud Applications.

  3. Open Vulnerability and Assessment Language.

  4. Extensible Configuration Checklist Description Format.

  5. A theorem prover from Microsoft Research. It is licensed under the MIT license.

  6. Open-source SMT solver. It is proof-producing and complete for quantifier-free formulas with uninterpreted functions and linear arithmetic over real numbers and integers.

  7. An international initiative aimed at facilitating research and development in Satisfiability Modulo Theories (SMT).

  8. Security Content Automation Protocol.


Funding

Supported by the CONCORDIA project that has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 83092.

Contributions

MO, RB and OF contributed equally to this work.

Corresponding author

Correspondence to Mohamed Oulaaffart.

Ethics declarations

Conflict of interest

The authors have not disclosed any conflict of interest.

Ethical Approval

Not applicable.


Cite this article

Oulaaffart, M., Badonnel, R. & Festor, O. C3S-TTP: A Trusted Third Party for Configuration Security in TOSCA-Based Cloud Services. J Netw Syst Manage 32, 21 (2024). https://doi.org/10.1007/s10922-023-09792-7


  • DOI: https://doi.org/10.1007/s10922-023-09792-7
