Keiko Hashizume

An analysis of security issues for cloud computing

Cloud Computing is a flexible, cost-effective, and proven delivery platform for providing business or consumer IT services over the Internet. However, cloud Computing presents an added level of risk because essential services are often outsourced to a third party, which makes it harder to maintain data security and privacy, support data and service availability, and demonstrate compliance. Cloud Computing leverages many technologies (SOA, virtualization, Web 2.0); it also inherits their security issues, which we discuss here, identifying the main vulnerabilities in this kind of systems and the most important threats found in the literature related to Cloud Computing and its environment as well as to identify and relate vulnerabilities and threats with possible solutions.

Building a security reference architecture for cloud systems

Reference architectures (RAs) are useful tools to understand and build complex systems, and many cloud providers and software product vendors have developed versions of them. RAs describe at an abstract level (no implementation details) the main features of their cloud systems. Security is a fundamental concern in clouds and several cloud vendors provide security reference architectures (SRAs) to describe the security features of their services. A SRA is an abstract architecture describing a conceptual model of security for a cloud system and provides a way to specify security requirements for a wide range of concrete architectures. We propose here a method to build a SRA for clouds defined using UML models and patterns, which goes beyond existing models in providing a global view and a more precise description. We present a metamodel as well as security and misuse patterns for this purpose. We validate our approach by showing that it can describe more precisely existing models and that it has a variety of uses. We describe in detail one of these uses, a way of evaluating the security level of a SRA.

Symmetric encryption and XML encryption patterns

Most of the time information handled by organizations has been collected and processed by computers and transmitted across networks to other computers. How can we protect this information from unauthorized access when it is being transmitted? Encryption provides confidentiality by protecting sensitive information from being read by intruders. In this paper, we present two patterns: a Symmetric Encryption pattern that describes a basic type of algorithms and XML Encryption that describes how to apply symmetric and asymmetric encryption to XML messages.

Misuse patterns for cloud computing

Cloud Computing is a new computing structure that allows providers to deliver services on demand by means of virtualization. We are studying some security attacks in cloud computing by describing them in the form of misuse patterns. A misuse pattern describes how an information misuse is performed from the point of view of the attacker. It defines the environment where the attack is performed, how the attack is performed, countermeasures to stop it, and how to find forensic information to trace the attack once it happens. We are building a catalog of misuse patterns and we present here two of them: Resource Usage Monitoring (complete) and Malicious Virtual Machine Creation (partially). We discuss also the value of having such a catalog.

A Survey of Patterns for Web Services Security and Reliability Standards

An important aspect for the acceptance of Service-Oriented Architectures is having convenient ways to help designers build secure applications. Numerous standards define ways to apply security in web services. However, these standards are rather complex and sometimes overlap, which makes them hard to use and may produce inconsistencies. Representing them as patterns makes them easier to understand, to compare to other patterns, to discover inconsistencies, and to use them to build secure web services applications. Security patterns abstract the key aspects of a security mechanism and can thus be applied by non-experts. We survey here our work on security patterns for web services and their standards and we put them in perspective with respect to each other and to more fundamental patterns. We also consider other patterns for web services security. All the patterns described here have been previously published, we only show here one of them in detail as an illustration of our style for writing patterns. Our main purpose here is to enumerate them, show their use, and show how they relate to each other.