Academic literature on the topic 'SECURE CLOUD SYSTEMS'

Approved for public release; distribution is unlimited.<br>Reissued 1 Jul 2014 with corrections to in-text Figure and Table citations.<br>There is a need to have secure information sharing in the industry and government sectors. For example, countries within the North Atlantic Treaty Organization (NATO) often have a common goal requiring them to communicate, but they lack a technological platform for fast information sharing, especially if the countries have different access rights to the information. Thus, the same information that an organization wants to share with multiple partners needs to be securely shared at multiple levels. In addition, the manner in which information is shared needs to be flexible enough to accommodate changes on demand, due to the nature of the information or relationship with the sharing organizations. This thesis proposes a configurable, cloud infrastructure that enables multiple layers of secure information sharing between multiple organizations. This thesis follows a systems engineering process to propose a preliminary architecture of such a system, including an analysis of alternatives of some of the attributes of the system. Secondly, the thesis instantiates part of the proposed architecture with a proof-of-concept physical system in a laboratory environment. The proof-of-concept chooses a specific scenario of information sharing that would allow NATO members to access shared data faster, and in a secure fashion, in order to make decisions more quickly with the authorized information.

<p> Recent expansions of cloud computing have been growing at a phenomenal rate. Security and privacy issues have become a considerable issue while the applications of big data are growing dramatically fast in cloud computing. However, there exists a contradiction between ensuring a high performance and achieving a high-level security and privacy protection due to the restrictions of the computing resources, based on the findings of the literature review. This study focuses on this contradiction issue and intend to develop an approach of effectuating the cloud system design for a high-level security and privacy protection while acquiring a high performance. The work consists of four research tasks that support the solution to the proposed problem. They are (i) designing a <i>Optimal Fully Homomorphic Encryption</i> (O-FHE) mechanism that can both avoid noise and execute efficiently; (ii) designing a privacy-preserving data encryption strategy while considering efficiency; (iii) developing an approach of the data analytics manager system for in-memory big data analytics; (iv) designing an adaptive energy-aware data allocation approach for heterogeneous memory and creating an efficient data allocation approach for cloud-based heterogeneous memory. The research implements experimental evaluations to examine the performance of the proposed approaches. The main contributions of this study address three aspects. First, this study has proposed an O-FHE method that is different from all approaches proposed by the prior researches. Second, this study addresses the contradiction between the data security and system performance and presents a privacy-preserving strategy for secure data transmissions in cloud systems. Finally, this study attempts to increase the computation efficiency by enhancing the functioning of hardware, more specifically, using heterogeneous memory and in-memory data analytics.</p><p>

Cloud computing and big data technology continue to revolutionize how computing and data analysis are delivered today and in the future. To store and process the fast-changing big data, various scalable systems (e.g. key-value stores and MapReduce) have recently emerged in industry. However, there is a huge gap between what these open-source software systems can offer and what the real-world applications demand. First, scalable key-value stores are designed for simple data access methods, which limit their use in advanced database applications. Second, existing systems in the cloud need automatic performance optimization for better resource management with minimized operational overhead. Third, the demand continues to grow for privacy-preserving search and information sharing between autonomous data providers, as exemplified by the Healthcare information networks. My Ph.D. research aims at bridging these gaps. First, I proposed HINDEX, for secondary index support on top of write-optimized key-value stores (e.g. HBase and Cassandra). To update the index structure efficiently in the face of an intensive write stream, HINDEX synchronously executes append-only operations and defers the so-called index-repair operations which are expensive. The core contribution of HINDEX is a scheduling framework for deferred and lightweight execution of index repairs. HINDEX has been implemented and is currently being transferred to an IBM big data product. Second, I proposed Auto-pipelining for automatic performance optimization of streaming applications on multi-core machines. The goal is to prevent the bottleneck scenario in which the streaming system is blocked by a single core while all other cores are idling, which wastes resources. To partition the streaming workload evenly to all the cores and to search for the best partitioning among many possibilities, I proposed a heuristic based search strategy that achieves locally optimal partitioning with lightweight search overhead. The key idea is to use a white-box approach to search for the theoretically best partitioning and then use a black-box approach to verify the effectiveness of such partitioning. The proposed technique, called Auto-pipelining, is implemented on IBM Stream S. Third, I proposed ǫ-PPI, a suite of privacy preserving index algorithms that allow data sharing among unknown parties and yet maintaining a desired level of data privacy. To differentiate privacy concerns of different persons, I proposed a personalized privacy definition and substantiated this new privacy requirement by the injection of false positives in the published ǫ-PPI data. To construct the ǫ-PPI securely and efficiently, I proposed to optimize the performance of multi-party computations which are otherwise expensive; the key idea is to use addition-homomorphic secret sharing mechanism which is inexpensive and to do the distributed computation in a scalable P2P overlay.

Secure multi-party computation (secure MPC) has been established as the de facto paradigm for protecting privacy in distributed computation. One of the earliest secure MPC primitives is the Shamir's secret sharing (SSS) scheme. SSS has many advantages over other popular secure MPC primitives like garbled circuits (GC) -- it provides information-theoretic security guarantee, requires no complex long-integer operations, and often leads to more efficient protocols. Nonetheless, SSS receives less attention in the signal processing community because SSS requires a larger number of honest participants, making it prone to collusion attacks. In this dissertation, I propose an agent-based computing framework using SSS to protect privacy in distributed signal processing. There are three main contributions to this dissertation. First, the proposed computing framework is shown to be significantly more efficient than GC. Second, a novel game-theoretical framework is proposed to analyze different types of collusion attacks. Third, using the proposed game-theoretical framework, specific mechanism designs are developed to deter collusion attacks in a fully distributed manner. Specifically, for a collusion attack with known detectors, I analyze it as games between secret owners and show that the attack can be effectively deterred by an explicit retaliation mechanism. For a general attack without detectors, I expand the scope of the game to include the computing agents and provide deterrence through deceptive collusion requests. The correctness and privacy of the protocols are proved under a covert adversarial model. Our experimental results demonstrate the efficiency of SSS-based protocols and the validity of our mechanism design.

Cloud computing can be used as a way to access services and resources for many organizations; however, hackers have created security concerns for users that incorporate cloud computing in their everyday functions. The purpose of this qualitative multiple case study was to explore strategies used by cloud security managers to implement secure access methods to protect data on the cloud infrastructure. The population for this study was cloud security managers employed by 2 medium size businesses in the Atlanta, Georgia metropolitan area and that have strategies to implement secure access methods to protect data on the cloud infrastructure. The technology acceptance model was used as the conceptual framework for the study. Data were collected from semi-structured interviews of 7 security managers and review of 21 archived documents that reflected security strategies from past security issues that occurred. Data analysis was performed using methodological triangulation and resulted in the identification of three major themes: implementing security policies, implementing strong authentication methods, and implementing strong access control methods. The findings from this research may contribute to positive social by decreasing customers' concerns regarding personal information that is stored on the cloud being compromised.

Email is a well established technology used worldwide for enterprise and private communication through the Internet. It allows people to communicate using text, but also other information formats used either as HTML or attached files. The communication is performed without the need of synchronized endpoints, based on the use of email servers that take care of storing and forwarding email letters. All these properties and much more standardized ones do not include security, which makes the choice of service provider hard when the letters sent in the email system include sensitive information. In the last few years there has been a big interest and growth in the area of cloud computing. Placing resources (computers, applications, information) out of local environments, thanks to the high speed connections in the Internet, provides countless possibilities. Actually, even email systems can be deployed in cloud computing environments, including all the email services (interface, client, and server) or a part of them. From a security point of view, the use of cloud computing leads to many threats generated by external parties and even the cloud providers. Because of these reasons, this work intends to present an innovative approach to security in a cloud environment, focusing on the security of an email system. The purpose is to find a solution for an email system deployable in a cloud environment, with all the functionality deployed on a external machine. This email system must be completely protected, minimizing the actions taken by the user, which should just connect to a portal through a web browser. Along this report there are details about the foundations, progress and findings of the research that has been carried out. The main objectives involve: researching on the concepts and state of the art of cloud computing, email systems and security; presenting a cloud computing architecture that will take care of the general aspects of security; designing an email system for that architecture that contains mechanisms protecting it from the possible security threats; and finally, implementing a simplified version of the design to test and prove the feasibility of it. After all the mentioned activities, the findings are commented, mentioning the applicability of research results to the current situation. Obviously, there is place for more research in depth of several topics related to cloud computing and email, that is why some of them are suggested.

A current challenge in the Internet of Things is the seeking after conceptual structures to connect the presumably billions of devices of innumerable forms and capabilities. An emerging architectural concept, the fog cloud computing, moves the seemingly unlimited computational power of the distant cloud to the edge of the network, closer to the potentially computationally limited things, effectively diminishing the experienced latency. To allow computationally-constrained devices partaking in the network they have to be relieved from the burden of constant availability and extensive computational execution. Establishing a publish/subscribe communication pattern with the utilization of the popular Internet of Things application layer protocol Constrained Application Protocol is depicted one approach of overcoming this issue. In this project, a Java based library to establish a publish/subscribe communication pattern for the Constrained Application Protocol was develop. Furthermore, efforts to build and assess prototypes of several publish/subscribe application layer protocols executed over varying common as well as secured versions of the standard and non-standard transport layer protocols were made to take advantage, evaluate, and compare the developed library. The results indicate that the standard protocol stacks represent solid candidates yet one non-standard protocol stack is the considered prime candidate which still maintains a low response time while not adding a significant amount of communication overhead.

Most applications and documents are stored in a public cloud for storage and management purposes in a cloud computing environment. The major advantages of storing applications and documents in public cloud are lower cost through use of shared computing resources and no upfront infrastructure costs. However, in this case the management of data and other services is insecure. Therefore, security is a major problem in a public cloud as the cloud and the network are open to many other users. In order to provide security, it is necessary for data owners to store their data in the public cloud in a secure way and to use an appropriate access control scheme. Designing a computation and communication efficient key management scheme to selectively share documents based on fine-grained attribute-based access control policies in a public cloud is a challenging task. There are many existing approaches that encrypt documents prior to storage in the public cloud: These approaches use different keys and a public key cryptographic system to implement attribute-based encryption and/or proxy re-encryption. However, these approaches do not efficiently handle users joining and leaving the system when identity attributes and policies change. Moreover, these approaches require keeping multiple encrypted copies of the same documents, which has a high computational cost or incurs unnecessary storage costs. Therefore, this project focused on the design and development of an efficient key management scheme to allow the data owner to store data in a cloud service in a secure way. Additionally, the proposed approach enables cloud users to access the data stored in a cloud in a secure way. Many researchers have proposed key management schemes for wired and wireless networks. All of these existing key management schemes differ from the key management schemes proposed in this thesis. First, the key management scheme proposed in this thesis increases access level security. Second, the proposed key management scheme minimizes the computational complexity of the cloud users by performing only one mathematical operation to find the new group key that was computed earlier by the data owner. In addition, this proposed key management scheme is suitable for a cloud network. Third, the proposed key distribution and key management scheme utilizes privacy preserving methods, thus preserving the privacy of the user. Finally, a batch key updating algorithm (also called batch rekeying) has been proposed to reduce the number of rekeying operations required for performing batch leave or join operations. The key management scheme proposed in this thesis is designed to reduce the computation and communication complexity in all but a few cases, while increasing the security and privacy of the data.<br>De flesta program och dokument lagras i ett offentligt moln för lagring och hantering ändamål i en molnmiljö. De stora fördelarna med att lagra program och dokument i offentliga moln är lägre kostnad genom användning av delade datorresurser och ingen upfront infrastruktur costs.However, i detta fall hanteringen av data och andra tjänster är osäker. Därför är säkerhet ett stort problem i en offentlig moln som molnet och nätverket är öppna för många andra användare. För att ge trygghet, är det nödvändigt för dataägare att lagra sina data i det offentliga molnet på ett säkert sätt och att använda en lämplig åtkomstkontroll schema. Utforma en beräkning och kommunikation effektiv nyckelhantering system för att selektivt dela dokument som grundar sig på finkorniga attributbaserad åtkomstkontroll politik i en offentlig moln är en utmanande uppgift. Det finns många befintliga metoder som krypterar dokument före lagring i det offentliga molnet: Dessa metoder använder olika tangenter och en publik nyckel kryptografiskt system för att genomföra attributbaserad kryptering och / eller proxy re-kryptering. Dock har dessa metoder inte effektivt hantera användare som ansluter och lämnar systemet när identitetsattribut och politik förändras. Dessutom är dessa metoder kräver att hålla flera krypterade kopior av samma dokument, som har en hög beräkningskostnad eller ådrar sig onödiga lagringskostnader. Därför fokuserade projektet på design och utveckling av en effektiv nyckelhantering system för att möjliggöra dataägaren att lagra data i en molntjänst på ett säkert sätt. Dessutom, den föreslagna metoden gör det möjligt för molnanvändare att få tillgång till uppgifter lagras i ett cloud på ett säkert sätt. Många forskare har föreslagit viktiga förvaltningssystem för fasta och trådlösa nätverk. Alla dessa befintliga system ke, skiljer sig från de centrala förvaltningssystemen som föreslås i denna avhandling. Först föreslog nyckelhanteringssystemet i denna avhandling ökar Medverkan nivå säkerhet. För det andra, minimerar den föreslagna nyckelhanteringssystemet beräkningskomplexiteten för molnanvändare genom att utföra endast en matematisk operation för att hitta den nya gruppknapp som tidigare beräknades av dataägaren. Dessutom är denna föreslagna nyckelhanteringsschema lämpligt för ett moln nätverk. För det tredje, den föreslagna nyckeldistribution och nyckelhantering systemet utnyttjar integritets bevara metoder och därmed skydda privatlivet för användaren. Slutligen har ett parti viktig uppdatering algoritm (även kallad batch nya nycklar) föreslagits för att minska antalet Ny serieläggning av operationer som krävs för att utföra batch ledighet eller gå med i verksamheten. Nyckelhanteringssystemet som föreslås i denna avhandling är utformad för att minska beräknings-och kommunikations komplexitet i alla utom ett fåtal fall, och samtidigt öka säkerheten och integriteten av uppgifterna.

Advent of cloud computing has brought a lot of benefits for users based on its essential characteristics. Users are attracted by its costs per use service and rapidly deploy their applications in the cloud and scale by using virtualization technology without investing in their own IT infrastructure. These applications can be accessed through web based technology, such as web browsers or mobile apps. However, security becomes a major challenge when user’s data and applications are stored in a remote server in a virtualized environment and Internet is medium for accessing them. Internet is always prone to known and unknown threats and a successful breach in the security in cloud environment could lead to a massive loss to property, data and thereafter future of cloud computing technology. In order to meet the challenges of security needs in cloud computing, security architecture is presented in this Thesis. This Cloud Security Architecture delivers security solutions to deployed applications in the cloud as a service. Security solutions that are delivered by the architecture are Authentication, Authorization, Identity Management and Access Control. With these security solutions by Cloud Security Architecture, the Thesis proposes Secure Web System that incorporates secure authentication and privacy enhancing applications in cloud environment. Authentication utilizes the use of the smart card technology and thus is able to provide robustness to the procedure. Further, two more methods of authentication, browser certificate and username/password based give flexible approach when smart card is not available to clients. Applications deployed in a cloud environment would provide security and privacy for users while searching for any query in remote search engine or browsing a remote web server. Thus, the Thesis lays a foundation towards approaching security and privacy for applications that are deployed in Cloud Security Architecture and building up a Secure Web System.

With the current trend of cloud services available in every market area in IT business, it is somewhat surprising that security services are not migrated to the cloud widely. Security as a Service (SECaaS) model is hardly popular at the moment even though the infrastructure of the cloud, or web, can support most of the functionalities of conventional distributed security services. Another uncommon phenomenon in the cloud is sharing secure files with multi-tenant support. This kind of service would be best available integrated with a SECaaS platform that may offer more similar application services. This thesis proposes, studies, designs, develops and evaluates a Secure Documents Sharing System for Cloud Environment with the possibility of integrating to a SECaaS platform.