Ali Sajjad

Security-as-a-Service in Multi-cloud and Federated Cloud Environments

The economic benefits of cloud computing are encouraging customers to bring complex applications and data into the cloud. However security remains the biggest barrier in the adoption of cloud, and with the advent of multi-cloud and federated clouds in practice security concerns are for applications and data in the cloud. This paper proposes security as a value added service, provisioned dynamically during deployment and operation management of an application in multi-cloud and federated clouds. This paper specifically considers a data protection and a host & application protection solution that are offered as a SaaS application, to validate the security services in a multi-cloud and federated cloud environment. This paper shares our experiences of validating these security services over a geographically distributed, large scale, multi-cloud and federated cloud infrastructure.

Integrating Security Services in Cloud Service Stores

Protecting systems, applications and data hosted on a Cloud environment against cyber-threats, and accounting for security incidents across the Cloud estate are prerequisites to Cloud adoption by business, and a fundamental element of both national and corporate cyber-security and Cloud strategies. Yet, Cloud IaaS and PaaS providers typically hold Cloud consumers accountable for protecting their applications, while Cloud users often find that protecting their proprietary system, application and data stacks on public or hybrid Cloud environments can be complex, expensive and time-consuming. In this paper we describe a novel Cloud-based security management solution that empowers Cloud consumers to protect their systems, applications and data in the Cloud, whilst also improving the control and visibility of their Cloud security operations. This is achieved by enhancing the security policy management of commercial technologies, and via their integration with multiple Cloud-based hosts and applications. The result of this integration is then offered as a re-usable service across multiple Cloud platforms through a Cloud service store.

A scalable and dynamic application-level secure communication framework for inter-cloud services

Most of the current cloud computing platforms offer Infrastructure as a Service (IaaS) model, which aims to provision basic virtualized computing resources as on-demand and dynamic services. Nevertheless, a single cloud does not have limitless resources to offer to its users, hence the notion of an Inter-Cloud environment where a cloud can use the infrastructure resources of other clouds. However, there is no common framework in existence that allows the service owners to seamlessly provision even some basic services across multiple cloud service providers, albeit not due to any inherent incompatibility or proprietary nature of the foundation technologies on which these cloud platforms is built. In this paper we present a novel solution which aims to cover a gap in a subsection of this problem domain. Our solution offers a security architecture that enables service owners to provision a dynamic and service-oriented secure virtual private network on top of multiple cloud IaaS providers. It does this by leveraging the scalability, robustness and exibility of peer-to-peer overlay techniques to eliminate the manual configuration, key management and peer churn problems encountered in setting up the secure communication channels dynamically, between different components of a typical service that is deployed on multiple clouds. We present the implementation details of our solution as well as experimental results carried out on two commercial clouds.

Secure communication using dynamic VPN provisioning in an Inter-Cloud environment

Most of the current cloud computing platforms offer Infrastructure as a Service (IaaS) model, which aims to provision basic virtualised computing resources as on-demand and dynamic services. Nevertheless, a single cloud does not have limitless resources to offer to its users, hence the notion of an Inter-Cloud enviroment where a cloud can use the infrastructure resources of other clouds. However, there is no common framework in existence that allows the service owners to seamlessly provision even some basic services across multiple cloud service providers, albeit not due to any inherent incompatibility or proprietary nature of the foundation technologies on which these cloud platforms are built. In this paper we present a novel solution which aims to cover a gap in a subsection of this problem domain. Our solution offers a security architecture that enables service owners to provision a dynamic and service-oriented secure virtual private network on top of multiple cloud IaaS providers. It does this by leveraging the scalability, robustness and flexibility of peer-to-peer overlay techniques to eliminate the manual configuration, key management and peer churn problems encountered in setting up the secure communication channels dynamically, between different components of a typical service that is deployed on multiple clouds. We present the implementation details of our solution as well as experimental results carried out on two commercial clouds.

A ranked searchable encryption scheme for encrypted data hosted on the Public Cloud

Public Cloud storage services can be used as a document store to host a large number of documents. In many cases, the documents have to be encrypted in order to ensure their confidentiality, integrity and privacy. As the number of documents increases, searching for the desired documents over the encrypted dataset can be a difficult and resource intensive task. In this paper a novel ranked searchable encryption scheme has been presented, implemented and deployed on a public Cloud Service Provider. The scheme exploits the properties of modular inverse to generate a secure inverted index and a probabilistic trapdoor respectively. The probabilistic trapdoor helps in preserving the privacy while searching. The scheme is deployed on British Telecoms public Cloud offering and the efficiency of the algorithm is tested on a real-world dataset of documents. The performance analysis yields that our scheme not only provides a higher level of security but also lightweight.

Secure Cloud Storage: A framework for Data Protection as a Service in the multi-cloud environment

This paper introduces Secure Cloud Storage (SCS), a framework for Data Protection as a Service (DPaaS) to cloud computing users. Compared to the existing Data Encryption as a Service (DEaaS) such as those provided by Amazon and Google, DPaaS provides more flexibility to protect data in the cloud. In addition to supporting the basic data encryption capability as DEaaS does, DPaaS allows users to define fine-grained access control policies to protect their data. Once data is put under an access control policy, it is automatically encrypted and only if the policy is satisfied, the data could be decrypted and accessed by either the data owner or anyone else specified in the policy. The key idea of the SCS framework is to separate data management from security management in addition to defining a full cycle of data security automation from encryption to decryption. As a proof-of-concept for the design, we implemented a prototype of the SCS framework that works with both BT Cloud Compute platform and Amazon EC2. Experiments on the prototype have proved the efficiency of the SCS framework.

Fuzzy keywords enabled ranked Searchable Encryption scheme for a public cloud environment

Searchable Encryption allows a user or organization to outsource their encrypted documents to a Cloud-based storage service, while maintaining the ability to perform keyword searches over the encrypted text. However, most of the existing search schemes do not take the almost certain presence of typographical errors in the documents under consideration, when trying to obtain meaningful and accurate results. This paper presents a novel ranked searchable encryption scheme that addresses this issue by supporting fuzzy keywords. The proposed construction is based on probabilistic trapdoors that help resist distinguishability attacks. This paper for the first time proposes Searchable Encryption as a Service (SEaaS). The proposed construction is deployed on the British Telecommunication’s public Cloud architecture and evaluated over a real-life speech corpus. Our security analysis yields that the construction satisfies strong security guarantees and is also quiet lightweight, by analyzing its performance over the speech corpus.

A secure cloud framework for ICMetric based IoT health devices

Wearable devices are an important part of internet of things (IoT)with many applications in healthcare. Prevalent security concerns create a compelling case for a renewed approach by incorporating the ICMetric technology in IoT healthcare. The ICMetric technology is a novel security approach and uses the features of a device to form the basis of cryptographic services like key generation, authentication and admission control. Cryptographic systems designed using ICMetric technology use unique measurable device features to form a root of trust. This paper uses the MEMS bias in a body wearable Shimmer sensor to create a device ICMetric. The ICMetric identity is used to generate cryptographic key to perform encryption and decryption of patients data which is being communicated to health professionals. The cloud based component of the proposed framework provides much needed distributed data processing and availability. The proposed schemes have been simulated and tested for conformance to high levels of security and performance.

EncSwift and key management: An integrated approach in an industrial setting

The use of cloud technology is continually expanding. Yet, in many scenarios the adoption of an external cloud service provider may be a worry for data confidentiality since it leads to a partially loss of control over data. One of the solutions for letting users put trust in a provider is the use of encryption to protect data. EncSwift [1] is a solution that provides transparent support for the encryption of objects stored on OpenStack based providers, adopting Barbican, the OpenStack secret storage, as a key manager. In this work we introduce a new key manager, BT KMS, already adopted in industrial systems, that offers a large set of features, and that it is designed to be flexible, transparent, and scalable. Moreover, we analyze the possibility of integration between the BT KMS and the EncSwift approach, and provide an architectural overview of this new integrated system.

Deploying Visual Analytics Through a Multi-cloud Service Store with Encrypted Big Data (Short Paper)

The benefits of Cloud Computing are now widely recognised, in terms of easy, flexible, scalable and cost effective deployment of services and storage. At the same time, the growth in Big Data solutions is offering a plethora of new service opportunities. However, significant barriers of trust and privacy concerns are slowing the adoption of Big Data cloud services.