
Publication


Featured research published by Canh Ngo.


Advanced Information Networking and Applications | 2013

Intercloud Architecture Framework for Heterogeneous Cloud Based Infrastructure Services Provisioning On-Demand

Yuri Demchenko; Canh Ngo; C. de Laat; Juan Rodríguez; Luis M. Contreras; Joan A. Garcia-Espin; S. Figuerola; Giada Landi; Nicola Ciulli

This paper presents on-going research to develop the Intercloud Architecture Framework (ICAF) that addresses problems in multi-provider multi-domain heterogeneous cloud based infrastructure services and applications integration and interoperability, to allow their on-demand provisioning. The paper refers to existing standards and ongoing standardisation activity in Cloud Computing, in particular, recently published NIST Cloud Computing Reference Architecture (CCRA) and ITU-T JCA-Cloud activity. The proposed ICAF defines four complementary components addressing Intercloud integration and interoperability: multi-layer Cloud Services Model that combines commonly adopted cloud service models, such as IaaS, PaaS, SaaS, in one multilayer model with corresponding inter-layer interfaces, Intercloud Control and Management Plane that supports cloud based applications interaction, Intercloud Federation Framework, and Intercloud Operations Framework. The paper briefly describes the Service delivery and lifecycle management as an important ICAF component that provides a basis for consistent management and security of the provisioned on-demand complex cloud based services. The paper describes an implementation of the Intercloud Control and Management Plane in the GEYSERS project to allow optimal provisioning of the combined Network+IT resources in the inter-cloud environment. The proposed architecture is intended to provide an architectural model for developing Intercloud middleware and in this way will facilitate clouds interoperability and integration.


IEEE International Conference on Cloud Engineering | 2014

Federated Access Control in Heterogeneous Intercloud Environment: Basic Models and Architecture Patterns

Yuri Demchenko; Canh Ngo; Cees de Laat; Craig Lee

This paper presents on-going research to define the basic models and architecture patterns for federated access control in heterogeneous (multi-provider) multi-cloud and inter-cloud environment. The proposed research contributes to the further definition of Intercloud Federation Framework (ICFF) which is a part of the general Intercloud Architecture Framework (ICAF) proposed by authors in earlier works. ICFF attempts to address the interoperability and integration issues in provisioning on-demand multi-provider multi-domain heterogeneous cloud infrastructure services. The paper describes the major inter-cloud federation scenarios that in general involve two types of federations: customer-side federation that includes federation between cloud based services and customer campus or enterprise infrastructure, and provider-side federation that is created by a group of cloud providers to outsource or broker their resources when provisioning services to customers. The proposed federated access control model uses Federated Identity Management (FIDM) model that can be also supported by the trusted third party entities such as Cloud Service Broker (CSB) and/or trust broker to establish dynamic trust relations between entities without previously existing trust. The research analyses different federated identity management scenarios, defines the basic architecture patterns and the main components of the distributed federated multi-domain Authentication and Authorisation infrastructure.


IEEE International Conference on Cloud Computing Technology and Science | 2012

Toward a Dynamic Trust Establishment approach for multi-provider Intercloud environment

Canh Ngo; Yuri Demchenko; Cees de Laat

In cloud computing, data are managed by different entities, not only by the actual data owner but also by many cloud providers. Sophisticated clouds collaboration scenarios may require that the data objects are distributed at cloud providers and accessed remotely, while still being under the control of the data owners. This brings security challenges for distributed authorization and trust management that existing proposed schemes have not fully solved. In this paper, we propose a Dynamic Trust Establishment approach which can be incorporated into cloud services provisioning life-cycles for the multi-provider Intercloud environment. It relies on attribute-based policies as the mechanism for trust evaluation and delegation. The paper proposes a practical implementation approach for attribute-based policies evaluation using Multi-type Interval Decision Diagrams extended from Integer Decision Diagrams which is more efficient in terms of evaluation complexity than other evaluation approaches.


Conference on Privacy, Security and Trust | 2013

Multi-data-types interval decision diagrams for XACML evaluation engine

Canh Ngo; Marc X. Makkes; Yuri Demchenko; Cees de Laat

XACML policy evaluation efficiency is an important factor influencing the overall system performance, especially when the number of policies grows. Some existing approaches on high performance XACML policy evaluation can support simple policies with equality comparisons and handle requests with well defined conditions. Such mechanisms do not provide the semantic correctness of combining algorithms in cases with indeterminate and not-applicable states. They ignore the critical attribute setting, a mandatory property in XACML, leading to potential missing attribute attacks. In this paper, we present a solution using data interval partition aggregation together with new decision diagram combinations, that not only optimizes the performance but also provides correctness and completeness of XACML 3.0 features, including complex logical expressions, correctness in indeterminate states processing, critical attribute setting, obligations and advices as well as complex comparison functions for multiple data types.


Future Internet | 2011

Bringing optical networks to the cloud: an architecture for a sustainable future internet

Pascale Vicat-Blanc; Sergi Figuerola; Xiaomin Chen; Giada Landi; Eduard Escalona; Chris Develder; Anna Tzanakaki; Yuri Demchenko; Joan Antoni Garcia Espin; Jordi Ferrer; Ester López; Sébastien Soudan; Jens Buysse; Admela Jukan; Nicola Ciulli; Marc Brogle; Luuk van Laarhoven; Bartosz Belter; Fabienne Anhalt; Reza Nejabati; Dimitra Simeonidou; Canh Ngo; Cees de Laat; Matteo Biancani; Michael Roth; Pasquale Donadio; Javier Jiménez; Monika Antoniak-Lewandowska; Ashwin Gumaste

Over the years, the Internet has become a central tool for society. The extent of its growth and usage raises critical issues associated with its design principles that need to be addressed before it reaches its limits. Many emerging applications have increasing requirements in terms of bandwidth, QoS and manageability. Moreover, applications such as Cloud computing and 3D-video streaming require optimization and combined provisioning of different infrastructure resources and services that include both network and IT resources. Demands become more and more sporadic and variable, making dynamic provisioning highly needed. As a huge energy consumer, the Internet also needs to be energy-conscious. Applications critical for society and business (e.g., health, finance) or for real-time communication demand a highly reliable, robust and secure Internet. Finally, the future Internet needs to support sustainable business models, in order to drive innovation, competition, and research. Combining optical network technology with Cloud technology is key to addressing the future Internet/Cloud challenges. In this context, we propose an integrated approach: realizing the convergence of the IT- and optical-network-provisioning models will help bring revenues to all the actors involved in the value chain. Premium advanced network and IT managed services integrated with the vanilla Internet will ensure a sustainable future Internet/Cloud enabling demanding and ubiquitous applications to coexist.


Workshop on Information Security Applications | 2016

Multi-tenant attribute-based access control for cloud infrastructure services

Canh Ngo; Yuri Demchenko; Cees de Laat

Cloud Computing is developed as a new wave of ICT technologies, offering a common approach to on-demand provisioning of computation, storage and network resources that are generally referred to as infrastructure services. Most of currently available commercial cloud services are built and organized reflecting simple relations between single provider and customers with the simple security and trust model. New architectural models should deliver multi-provider heterogeneous cloud services environments to organizational customers representing multiple user groups. These models need to be enforced by consistent security services operating in virtualized multi-provider cloud environment. They should incorporate complex access control mechanisms and trust relations among cloud actors. In this paper, we analyze cloud services provisioning use-cases and propose an access control model for multi-tenant cloud services using attribute-based access control model. We also extend the model for Intercloud scenarios with the exchanging tokens approach. To facilitate attribute-based policy evaluation and implementing the proposed model, we apply an efficient mechanism to transform complex logical expressions in policies to compact decision diagrams. Our prototype of the multi-tenant attribute-based access control system for Intercloud is developed, tested and integrated into the GEYSERS project. Evaluations prove that our approach has a good performance in terms of numbers of cloud resources and numbers of clients.


Workshop on Secure Data Management | 2013

Big Security for Big Data: Addressing Security Challenges for the Big Data Infrastructure

Yuri Demchenko; Canh Ngo; Cees de Laat; Peter Membrey; Daniil Gordijenko

Big Data technologies are changing the traditional technology domains and their successful use will require new security models and new security design approaches to address emerging security challenges. This paper intends to provide initial analysis of the security issues and challenges in Big Data and map new challenges and problems to the traditional security domains and technologies. The paper starts with the Big Data definition and discusses the features that impact the most the Big Data security, such as Veracity, Volume, Variety, and dynamicity. The paper analyses the paradigm change and new challenges to Big Data security. The paper refers to the generic Scientific Data Infrastructure SDI model and discusses security services related to the proposed Federated Access and Delivery Infrastructure FADI that serves as an integration layer for potentially multi-provider multi-domain federated project oriented services infrastructure. The paper provides suggestions for practical implementation of such important security infrastructure components as federated access control and identity management, fine-grained data-centric access control policies, and the Dynamic Infrastructure Trust Bootstrap Protocol DITBP that allows deploying trusted remote virtualised data processing environment. The paper refers to the past and ongoing project experience by authors and discusses how this experience can be consolidated to address new Big Data security challenges identified in this paper.


IEEE International Conference on Cloud Computing Technology and Science | 2011

Security Framework for Virtualised Infrastructure Services Provisioned On-demand

Canh Ngo; Peter Membrey; Yuri Demchenko; Cees de Laat

Cloud computing is developing as a new wave of ICT technologies, offering a common approach to on-demand provisioning computation, storage and network resources which are generally referred to as infrastructure services. Most of currently available commercial Cloud services are built and organized reflecting simple relations between single provider and single customer with simple security and trust model. New architectural models should allow multi-provider heterogeneous services environment that can be delivered to organizational customers representing multiple user groups. These models should be supported by new security approaches to create consistent security services in virtualised multi-provider Cloud environment and incorporate complex access control and trust relations among Cloud actors. The paper analyzes basis use cases in Cloud services provisioning and defines a security infrastructure reference model which is used to define other security infrastructure aspects such as dynamic trust management, distributed access control, policy and security context management. It also provides information about ongoing implementation of the proposed Dynamic Access Control Infrastructure based on Enterprise Service Bus as a part of complex infrastructure services provisioning system.


Availability, Reliability and Security | 2012

Policy and Context Management in Dynamically Provisioned Access Control Service for Virtualized Cloud Infrastructures

Canh Ngo; Peter Membrey; Yuri Demchenko; Cees de Laat

Cloud computing is developing as a new wave of ICT technologies, offering a common approach to on-demand provisioning of computation, storage and network resources which are generally referred to as infrastructure services. Most of currently available commercial Cloud services are built and organized reflecting simple relations between a single provider and multiple customers with simple security and trust model. New architectural models should allow multi-provider heterogeneous service environment that can be delivered to organizational customers representing multiple user groups. These models should be supported by new security approaches for multi-provider, multi-tenant environment crossing multiple security domains to create consistent and dynamically configurable security services for virtualized infrastructures. This paper proposes an on-demand provisioned access control infrastructure with dynamic trust establishment for entities in a Cloud IaaS architecture model. It applies XACML-based RBAC model for the flexible authorization policy configuration and management. It uses authorization ticket as a security session management mechanism to solve the security context synchronization and exchange between multiple Cloud providers. The paper describes practical implementation of the proposed Dynamic Access Control Infrastructure as the part of a complex infrastructure services provisioning system.


Computers & Security | 2015

Decision Diagrams for XACML Policy Evaluation and Management

Canh Ngo; Yuri Demchenko; Cees de Laat

One of the primary challenges to apply the XACML access control policy language in applications is the performance problem of policy evaluation engines, particularly when they experience a great number of policies. Some existing works attempted to solve this problem, but only for some particular use-cases: either supporting simple policies with equality comparisons or predefined attribute values. Due to the lack of carefully checking the XACML model, they did not have original policy evaluation semantics. Therefore, they cannot handle errors containing indeterminate decisions, or ignore the critical attribute setting that leads to potential missing attribute attacks. In this paper, we build up the XACML logical model and propose a decision diagram approach using the data interval partition aggregation. It can parse and transform complex logical expressions in policies into decision tree structures, which efficiently improve the policy evaluation performance. Our approach can also be applied to solve other policy management problems such as policy redundancy detection, policy testings and comparisons, or authorization reverse queries.

Collaboration


Dive into Canh Ngo's collaboration.

Top Co-Authors

Cees de Laat

University of Amsterdam

Peter Membrey

Hong Kong Polytechnic University

C. de Laat

University of Amsterdam