Mathias Slawik

Towards a federated cloud ecosystem: enabling managed cloud service consumption

While cloud computing has seen widespread usage, there exist domains where the diminishing of management capabilities associated with cloud computing prevent adoption. One such domain is the health sector, which is the focus of the TRESOR project. Enabling cloud computing usage under strict compliance constraints such as enterprise policies and legal regulations is the goal of TRESOR. The main approach consists of a distributed cloud proxy, acting as a trusted mediator between cloud consumers and service providers. In this paper we analyze issues which arise within the TRESOR context and show how an architecture for a proposed ecosystem bypasses these issues. The practicability of our solution is shown by a proof of concept proxy implementation. As all components of the architecture will be part of our proposed cloud ecosystem, we provide a holistic and generic proposal to regain management capabilities in cloud computing.

The Trusted Cloud Transfer Protocol

Contemporary cloud computing solutions incorporate HTTP intermediaries, such as reverse proxies, load balancers, and intrusion prevention systems. These act as TLS server connection ends and access HTTP/TLS plaintext to carry out their functions. This raises many concerns: increased security efforts, the risk of losing confidentiality and integrity, and potentially unauthorized data access. Current HTTP entity-body encryption technologies address these concerns by providing end-to-end security between user agents and origin servers. However, they present disparate deficiencies, e.g., inefficient presentation languages, message-flow vulnerabilities, and the circumvention of HTTP streaming. This paper introduces the Trusted Cloud Transfer Protocol (TCTP), which presents a novel approach to entity-body encryption overcoming these deficiencies. The pivotal idea of TCTP are HTTP application layer encryption channels (HALECs), which integrate TLS functionality into the HTTP application layer. TCTP can be deployed immediately, as it is fully HTTP compliant, and rapidly implemented, as required TLS libraries are widely available. The reliance upon the mature TLS protocol minimizes the risk of introducing new security threats. Furthermore, TLS brings the benefit of relative efficiency, which is demonstrated on the basis of an example TCTP implementation.

CYCLONE: A Platform for Data Intensive Scientific Applications in Heterogeneous Multi-cloud/Multi-provider Environment

This paper presents results of the ongoing development of the CYCLONE as a platform for scientific applications in heterogeneous multi-cloud/multi-provider environment. The paper explains the general use case that provides a general motivation for the CYCLONE architecture and provides detailed analysis of the bioinformatics use cases that define specific requirements to the CYCLONE infrastructure components. Special attention is given to the federated access control and security infrastructure that must provide consistent security and data protection for distributed bioinformatics data processing infrastructure and distributed cross-organisations collaborating teams of scientists. The paper provides information about selected use cases implementation using SlipStream cloud automation and management platform with application recipe example. The paper also addresses requirements for providing dedicated intercloud network infrastructure which is currently not addressed by cloud providers (both public and scientific/community).

Cloud Service Matchmaking Using Constraint Programming

Service requesters with limited technical knowledge should be able to compare services based on their quality of service (QoS) requirements in cloud service marketplaces. Existing service matching approaches focus on QoS requirements as discrete numeric values and intervals. The analysis of existing research on non-functional properties reveals two improvement opportunities: list-typed QoS properties as well as explicit handling of preferences for lower or higher property values. We develop a concept and constraint models for a service matcher which contributes to existing approaches by addressing these issues using constraint solvers. The prototype uses an API at the standardisation stage and discovers implementation challenges. This paper concludes that constraint solvers provide a valuable tool to solve the service matching problem with soft constraints and are capable of covering all QoS property types in our analysis. Our approach is to be further investigated in the application context of cloud federations.

TRESOR – Towards the Realization of a Trusted Cloud Ecosystem

The TRESOR (Trusted Ecosystem for Standardized and Open cloud-based Resources http://www.cloud-tresor.de/) project enables cloud computing solutions for the German health sector. This sector deals with sensitive medical information and is in general not suitable for current cloud-based solutions, which are lacking appropriate privacy and security features. The project evaluates and proposes new architectural components to address these shortcomings. These will be combined into a secure and trustworthy ecosystem that will enable the health industry and other sectors to take advantage of cloud computing. The architecture consists of components, such as a marketplace, a broker, a proxy and a PaaS-platform. TRESOR addresses privacy and data protection issues and aims at providing a standardized solution with reduced lock-in effects that can also be used in other domains. In this paper the specific tasks and the architecture of these components are presented, important challenges of the TRESOR project are highlighted and preliminary results, such as a secure transfer protocol, and policy integration are shown.

A Domain Specific Language and a Pertinent Business Vocabulary for Cloud Service Selection

As more cloud computing offerings become available globally, cloud consumers’ efforts of gathering relevant information to support their service selection are raised considerably. On the one hand, high-volume marketplaces, such as Salesforce AppExchange, feature nonformalized offering descriptions. This abstinence of a service formalization impedes cloud consumers’ capabilities to both rapidly assess the fulfillment of their selection criteria and to compare different services uniformly. On the other hand, contemporary research on formalized service marketplaces faces significant challenges in its practical application, especially its ease of use and pertinence. In this article we present a novel textual domain specific language for describing services, a pertinent business vocabulary of selection criteria, and a brokering component. These artifacts raise cloud consumers’ capabilities while being practically applicable, pertinent to businesses, and easy to use.

CYCLONE unified deployment and management of federated, multi-cloud applications

Various Cloud layers have to work in concert in order to manage and deploy complex multi-cloud applications, executing sophisticated workflows for Cloud resource deployment, activation, adjustment, interaction, and monitoring. While there are ample solutions for managing individual Cloud aspects (e.g. network controllers, deployment tools, and application security software), there are no well-integrated suites for managing an entire multi cloud environment with multiple providers and deployment models. This paper presents the CYCLONE architecture that integrates a number of existing solutions to create an open, unified, holistic Cloud management platform for multicloud applications, tailored to the needs of research organizations and SMEs. It discusses major challenges in providing a network and security infrastructure for the Intercloud and concludes with the demonstration how the architecture is implemented in a real life bioinformatics use case.

Cloud Service Matchmaking Approaches: A Systematic Literature Survey

Service matching concerns finding suitable services according to the service requesters requirements, which is a complex task due to the increasing number and diversity of cloud services available. Service matching is discussed in web services composition and user oriented service marketplaces contexts. The suggested approaches have different problem definitions and have to be examined closer in order to identify comparable results and to find out which approaches have built on the former ones. One of the most important use cases is service requesters with limited technical knowledge who need to compare services based on their QoS requirements in cloud service marketplaces. Our survey examines the service matching approaches in order to find out the relation between their context and their objectives. Moreover, it evaluates their applicability for the cloud service marketplaces context.

Defining Intercloud Security Framework and Architecture Components for Multi-Cloud Data Intensive Applications

This paper presents results of the ongoing development of the Intercloud Security Framework (ICSF), that is a part of the Intercloud Architecture Framework (ICAF), and provides an architectural basis for building security infrastructure services for multi-cloud applications. The paper refers to general use case of the data intensive applications that indicate need for multi-cloud applications platforms that will require corresponding multi-cloud security services. The paper presents analysis of the general multi-cloud use case that helps eliciting the general requirement to ICSF and identifying the security infrastructure functional components that would allow using distributed cloud based resources and data sets. The paper defines the main ICSF services and functional components, and explains importance of consistent implementation of the Security Services Lifecycle Management in cloud based applications. The paper provides overview of the cloud compliance standards and their role in cloud security. The paper refers to the security infrastructure development in the CYCLONE project that implements federated identify management, secure logging service, and multi-domain Attribute Based Access Control, security services lifecycle management. The paper discusses implementation of the Trust Bootstrapping Protocol as an important mechanism to ensure consistent security in the virtualised inter-cloud environment.

The Open Service Compendium

When trying to discover, assess, and select cloud services, companies face many challenges, such as fast-moving markets, vast numbers of offerings, and highly ambiguous selection criteria. This publication presents the Open Service Compendium (OSC), an information system which supports businesses in their discovery, assessment and cloud service selection by offering a simple dynamic service description language, business-pertinent vocabularies, as well as matchmaking functionality. It contributes to the state of the art by offering a more practical, mature, simple, and usable approach than related works.