CLOUD COMPUTING SECURITY
The concept of cloud computing emerged in response to the need to provide computing and storage services in a flexible, on-demand business model. However, since its inception, the cloud computing paradigm and its associated nature of outsourced data management and computing has also brought with it security and privacy issues. Security in cloud computing has traditionally been one of the main concerns of enterprises and organizations. In addition, there are no global and harmonized privacy policies across different countries, which makes interoperability difficult both legally and technically. Trust in the various actors that make up the cloud ecosystem is also a challenge, as the cloud model is inherently opaque. All of these issues have hindered the adoption of cloud computing.
Accountability in the Cloud
The problem of accountability (e.g., “Who is responsible for the security and proper stewardship of my data in the cloud?”) has no clear answer today because there are no accountability frameworks for distributed IT services. This makes it difficult for users to understand, influence and determine how their service providers respond to their obligations. NICS participated in the FP7 A4Cloud, project, which aims to extend accountability across the entire cloud service value chain, covering personal and business sensitive information in the cloud. A4Cloud will develop solutions to help users decide and track how their data is used by cloud service providers. The role of NICS in A4Cloud, was mainly focused on developing metrics for accountability in the cloud. In , we propose a metamodel for describing accountability properties and metrics for measuring them, which is a first step towards developing a metrics elicitation methodology.
Privacy and Identity Management in the Cloud
Identity management is an essential component of today’s organizations, playing a key role in authentication and access control. However, it is widely recognized as a costly and time-consuming task. The advent of cloud computing technologies, along with the promise of flexible, inexpensive and efficient service delivery, has provided the opportunity to outsource such a common process, giving rise to what is known as Identity Management as a Service (IDaaS). However, as with other cloud-based services, IDaaS raises significant security and privacy concerns, such as loss of control over outsourced data. One of our lines of research addresses this problem by using cryptographic means instead of relying solely on access control policies and models.
We first investigated how cryptography can be applied to cloud computing to address some of the concerns that limit its adoption. In , we report on the applicability of several cryptographic techniques to the cloud environment, highlighting their advantages and limitations. Cryptographic means for privacy are usually neglected due to the complexity of managing encryption keys in the cloud, but there are still some novel approaches that can be used satisfactorily. Regarding the privacy and data confidentiality problem in cloud-based identity services, we have explored the application of cryptographic techniques to achieve user data protection in identity management systems. In , we applied proxy re-encryption techniques to create a special OpenID provider that is not able to read the user’s information, but still provides an identity service. This research was further refined in . In this work, we propose a general model for privacy-preserving Identity Management as a Service, and describe a particular instantiation of this model using SAML 2.0.
Identity management does not only involve users in the system. Within the PASSIVE project, we have worked towards an authentication and authorization scheme for applications, users and resources that is suitable for its use in large and highly dynamic deployments such as the Cloud . Other work in this area identifies the challenges that arise in the intersection of interconnected clouds and identity management .
Trust Management and Interoperability in the Cloud
One of the current trends in cloud computing is the federation of different cloud providers. The idea is that a federation of clouds enables local cloud providers (i.e. SMEs) to form business alliances with other cloud providers (possibly scattered around the globe) to offer more competitive solutions. We have been working in this direction in the FISICCO project, where we have developed and integrated services for the federation and interconnection of cloud computing infrastructures in a secure way, by extending existing interconnection architectures and defining new connectors. In previous work, we have also explored the challenges at the intersection of federated clouds and identity management . We have also focused on social cloud scenarios where users provide the resources themselves. In such scenarios, users may not know each other, and then it becomes essential to have a mechanism that tells them which cloud provider is the most appropriate to collaborate with. We have proposed a development framework  on which developers can implement trust-aware social cloud applications. Developers can also customize the framework to meet their application-specific needs.
Smart Grid and Cloud
During the last decade, the Cloud Computing paradigm has emerged as a panacea for many problems in traditional IT infrastructures and in critical systems. Little by little we are seeing how part of the Industry is adopting the cloud in order to obtain some benefits against serious incidents, such as availability of information, resilience and recovery of states by keeping copies of backups within the cloud. One of the main demands of industry is the building of smart remote substations with the ability to connect to external infrastructures for the control from anywhere and at any time, such as the Internet or the cloud, moving from the private cloud (current situation) to the public Cloud. In this way, sensors, RTUs, gateways and any smart device (e.g., smart phones) will have to be able to access, with the suitable permissions, the cloud and (temporarily or permanently) store information related to alarms, configurations, processes and measurements in a secure way.
Moreover, through the TIGRIS project, NICS Lab is going to deal with these new needs by analysing the integration of control elements into much more complex systems. This includes control systems (e.g., smart meters, sensors, RTUs, etc.), IT systems, engineering devices and the interaction of different types of users (e.g., contractors, operators, customers, providers, etc.), where any information from substations will have to be replicated within the cloud, and more specifically when this information is related to configurations related of devices, roles, permissions, credentials, etc. We are aware that critical data availability, integrity and confidentiality within the cloud, as well as the virtualization and operational privacy are the major drawbacks within the cloud, and more specifically when it developes within a Smart Grid. In  which security mechanisms, in particular cryptographic schemes, can help for a better integration of elements of a Smart Grid within the cloud (e.g., resources and data). Within this research, we propose the use of a Virtual SCADA in the Cloud (VS-Cloud) as a means to improve reliability and efficiency whilst maintaining the same protection level as in traditional SCADA architectures.
- (2013): A Metamodel for Measuring Accountability Attributes in the Cloud. In: 2013 IEEE International Conference on Cloud Computing Technology and Science (CloudCom 2013), pp. 355-362, IEEE IEEE, Bristol, UK, 2013, ISBN: 978-0-7685-5095-4.
- (2011): Cryptography Goes to the Cloud. In: Lee, Changhoon; Seigneur, Jean-Marc; Park, James J.; Wagner, Roland R. (Ed.): 1st International Workshop on Security and Trust for Applications in Virtualised Environments (STAVE 2011), pp. 190-197, Springer Springer, 2011, ISBN: 978-3-642-22364-8.
- (2012): Integrating OpenID with Proxy Re-Encryption to enhance privacy in cloud-based identity services. In: IEEE CloudCom 2012, pp. 241 – 248, IEEE Computer Society IEEE Computer Society, Taipei, Taiwan, 2012, ISSN: 978-1-4673-4509-5.
- (2014): BlindIdM: A Privacy-Preserving Approach for Identity Management as a Service. In: International Journal of Information Security, vol. 13, pp. 199-215, 2014, ISSN: 1615-5262.
- (2013): Leveraging Privacy in Identity Management as a Service through Proxy Re-Encryption. In: Ph.D Symposium of the European Conference on Service-Oriented and Cloud Computing (ESOCC) 2013, Málaga, Spain, 2013.
- (2012): Strong Authentication of Humans and Machines in Policy Controlled Cloud Computing Environment Using Automatic Cyber Identity. In: Pohlmann, Norbert; Reimer, Helmut; Schneider, Wolfgang (Ed.): Information Security Solutions Europe 2012, pp. 195-206, Springer Vieweg Springer Vieweg, Brussels, Belgium, 2012, ISBN: 978-3-658-00332-6.
- (2011): Identity Management Challenges for Intercloud Applications. In: 1st International Workshop on Security and Trust for Applications in Virtualised Environments (STAVE 2011), pp. 198-204, Crete (Greece), 2011.
- (2013): A Framework for Enabling Trust Requirements in Social Cloud Applications. In: Requirements Engineering, vol. 18, pp. 321-341, 2013, ISSN: 0947-3602.
- (2011): Managing Incidents in Smart Grids à la Cloud. In: IEEE CloudCom 2011, pp. 527-531, IEEE Computer Society IEEE Computer Society, Athens, Greece, 2011, ISBN: 978-0-7695-4622-3.