Page 855 - Cloud computing: From paradigm to operation

Intercloud and interoperability                                     5


            6.1     Isolation and security management mechanism

            The isolation and security of a trusted inter-cloud are based on distributed cloud management. It enables
            the CSP that provides cloud services to a CSC to exercise end-to-end (E2E) and unified control over the
            trust of cloud services delivered across multiple CSPs.

            The following mechanisms can be used to implement the management of isolation and security:
            –       Annotation of workloads and data: to increase the security of trusted inter-cloud computing, a
                    terminology (language) is needed to annotate (tag) workloads and data with their security
                    requirements, such as permissible storage locations. The system processes these annotations
                    during scheduling and migration to ensure that the constraints of each workload are maintained.
                    Annotation also lets the system select appropriate network data plane mechanisms (e.g., software
                    defined networking (SDN)) for strong security protection and traffic isolation, so that the
                    constraints are satisfied wherever workloads are actually placed, executed (data accessed and
                    stored) and migrated. Such annotation of workloads and data may be based on standards for data
                    categorization (see clause 6.4 of [ITU-T Y.3514]).
            –       Modular hypervisors partly controlled by the CSC: hypervisors usually have a large and complex
                    administrative domain with privileges to inspect a client's VM state. Attacks against, or misuse
                    of, the administrative domain can compromise client security and privacy. Moreover, these
                    hypervisors give clients little control over their own VMs. Modular hypervisors address both
                    problems, security/privacy and inflexible control, at once: they introduce a privilege model that
                    reduces the power of the administrative domain and gives the CSC more flexible control over its
                    own VMs. Administrative privileges are split between a system-wide domain and per-client
                    administrative domains. Each CSC can manage and perform privileged system tasks on its own VMs,
                    which provides flexibility, while the system-wide administrative domain cannot inspect the code,
                    data or computation of client VMs, which ensures security and privacy.

            –       Secure enclave based on hardware security mechanisms: a secure enclave is an isolated process,
                    executed on a platform that provides confidentiality and integrity of code and data as well as
                    sealing and attestation. Isolated execution restricts access to a subset of memory to that
                    particular process (enclave); no other process on the same processor, operating system,
                    hypervisor or system management module can access this memory. Sealing is the authenticated
                    encryption of data with a key derived from the identity of the enclave and the platform it is
                    running on. Attestation is the ability to prove to third parties that a secure enclave with a
                    particular identity is running securely on the hardware.

            –       Single sign-on (SSO): in an inter-cloud environment, a CSC should be able to access the various
                    resources and services offered by different CSPs once it has been successfully authenticated in
                    the inter-cloud. Since each CSP has its own authentication mechanism, a standard method that
                    provides SSO authentication within inter-cloud environments should be deployed. SSO in an
                    inter-cloud environment can be achieved through delegation of trust, which allows an entity to
                    act on another entity's behalf; entities of the inter-cloud then interact securely by
                    establishing a chain of trust of proxy certificates. SSO can also be achieved through a trusted
                    third party that certifies credentials on behalf of all parties of the inter-cloud.
                    NOTE – The functionalities for managing isolation and security mechanisms are provided in Appendix II.
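            The following Python example illustrates the first mechanism above (annotation of workloads and data
            driving scheduling and migration). It is an added example, not text or code from this Recommendation:
            the tag vocabulary (data_class, allowed_locations, isolation), the site inventory and the workloads are
            all constructed for illustration, and the data categories stand in for whatever categorization
            [ITU-T Y.3514] clause 6.4 would supply.

```python
"""Placement and migration checks driven by workload/data annotations.

Added example, not part of the Recommendation. Tag vocabulary, sites and
workloads below are constructed; data classes are labels only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    csp: str
    region: str
    location: str           # jurisdiction the site is in, e.g. "EU" (constructed)
    dedicated_hosts: bool   # can host workloads that forbid co-tenancy
    max_class: str          # highest data class the site is approved for


@dataclass(frozen=True)
class Workload:
    name: str
    data_class: str
    allowed_locations: frozenset   # permissible storage/execution locations
    isolation: str                 # "shared" or "dedicated"


# Ordering of the (constructed) data classes, lowest to highest sensitivity.
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


def violations(w: Workload, site: Site) -> list:
    """Constraints of workload w that site would break; empty means allowed."""
    found = []
    if site.location not in w.allowed_locations:
        found.append(f"location {site.location} not in {sorted(w.allowed_locations)}")
    if CLASS_RANK[w.data_class] > CLASS_RANK[site.max_class]:
        found.append(f"site approved up to {site.max_class}, workload is {w.data_class}")
    if w.isolation == "dedicated" and not site.dedicated_hosts:
        found.append("dedicated hosts required but not offered")
    return found


def eligible_sites(w: Workload, sites: list) -> list:
    """Scheduling step: keep only sites that satisfy every annotation."""
    return [s for s in sites if not violations(w, s)]


def migration_allowed(w: Workload, src: Site, dst: Site) -> bool:
    """Migration step: the destination must satisfy the same constraints."""
    return src != dst and not violations(w, dst)


def network_policy(w: Workload, site: Site) -> dict:
    """Derive the data-plane isolation to request from an SDN controller
    for this placement (constructed policy keys)."""
    return {
        "site": f"{site.csp}/{site.region}",
        "overlay": "dedicated" if w.isolation == "dedicated" else "shared",
        "encrypt_in_transit": CLASS_RANK[w.data_class] >= CLASS_RANK["confidential"],
        "egress_allowed_locations": sorted(w.allowed_locations),
    }


# Constructed inventory of sites offered by three CSPs.
SITES = [
    Site("cspA", "eu-west-1", "EU", True, "restricted"),
    Site("cspA", "us-east-1", "US", True, "restricted"),
    Site("cspB", "eu-central-1", "EU", False, "confidential"),
    Site("cspC", "ap-south-1", "IN", True, "internal"),
]

# Constructed workloads: one tightly constrained, one unconstrained.
PAYROLL = Workload("payroll-db", "restricted", frozenset({"EU"}), "dedicated")
WEB_CACHE = Workload("web-cache", "public", frozenset({"EU", "US", "IN"}), "shared")


if __name__ == "__main__":
    for w in (PAYROLL, WEB_CACHE):
        ok = eligible_sites(w, SITES)
        print(w.name, "->", [f"{s.csp}/{s.region}" for s in ok])
        if ok:
            print("  policy:", network_policy(w, ok[0]))
    print("payroll eu-west-1 -> us-east-1 allowed?",
          migration_allowed(PAYROLL, SITES[0], SITES[1]))
```

            Because the same `violations` check runs at scheduling and at migration time, a workload cannot be moved
            to a site it could not have been scheduled on, which is the property the annotation mechanism is meant to
            guarantee.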
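            The following Python example illustrates the third mechanism above (sealing and attestation of a secure
            enclave). It is an added example, not text or code from this Recommendation and not any vendor's enclave
            SDK: the enclave identity is modelled as a SHA-256 measurement of the enclave code, the platform as a
            holder of a root secret, and the sealing key as an HKDF-SHA256 derivation from both. The authenticated
            encryption is a stand-in (HMAC-SHA256 keystream with encrypt-then-MAC) for the AEAD a real SDK would use,
            and attestation is modelled with an HMAC under a platform key that the verifier is assumed to share,
            whereas real hardware signs the quote with an asymmetric key. All keys, code bytes and secrets below are
            constructed.

```python
"""Sealing and attestation bound to enclave identity and platform.

Added example, not part of the Recommendation. Stdlib-only model of
the properties named in the text; keys and inputs are constructed.
"""
import hashlib
import hmac
import os


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 extract-and-expand with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def measure(enclave_code: bytes) -> bytes:
    """Enclave identity: a hash of the code loaded into the enclave."""
    return hashlib.sha256(enclave_code).digest()


class Platform:
    """One CPU/firmware instance holding a root secret that never leaves it."""

    def __init__(self, root_secret: bytes):
        self._root = root_secret  # constructed; hardware-fused in reality

    def sealing_key(self, mrenclave: bytes) -> bytes:
        # Bound to both inputs: another enclave identity or another platform
        # derives a different key and cannot unseal.
        return hkdf_sha256(self._root, salt=b"seal-v1", info=mrenclave)

    def attestation_key(self) -> bytes:
        # Stand-in for the platform's attestation key (shared-secret model).
        return hkdf_sha256(self._root, salt=b"attest-v1", info=b"")

    def attest(self, mrenclave: bytes, report_data: bytes) -> dict:
        """Produce a report stating which enclave runs here, authenticated by the platform."""
        report = mrenclave + report_data
        return {"report": report,
                "mac": hmac.new(self.attestation_key(), report, hashlib.sha256).digest()}


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under subkeys derived from the sealing key."""
    enc_key, mac_key = hkdf_sha256(key, b"enc", b""), hkdf_sha256(key, b"mac", b"")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Reject the blob unless the tag verifies under this enclave/platform key."""
    enc_key, mac_key = hkdf_sha256(key, b"enc", b""), hkdf_sha256(key, b"mac", b"")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("sealed blob rejected: wrong enclave/platform or tampered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def verify_attestation(quote: dict, expected_mrenclave: bytes, platform_key: bytes) -> bool:
    """Third party: check the platform's MAC, then that the enclave identity is the expected one."""
    expected_mac = hmac.new(platform_key, quote["report"], hashlib.sha256).digest()
    return hmac.compare_digest(quote["mac"], expected_mac) and quote["report"][:32] == expected_mrenclave


def roundtrip(p_seal: Platform, p_unseal: Platform, code_seal: bytes, code_unseal: bytes, secret: bytes) -> bool:
    """True only if the same enclave identity on the same platform unseals what was sealed."""
    blob = seal(p_seal.sealing_key(measure(code_seal)), secret)
    try:
        return unseal(p_unseal.sealing_key(measure(code_unseal)), blob) == secret
    except ValueError:
        return False


# Constructed platforms and enclave images.
PLATFORM_A = Platform(b"platform-A-root-secret")
PLATFORM_B = Platform(b"platform-B-root-secret")
ENCLAVE_V1 = b"enclave code v1"
ENCLAVE_V2 = b"enclave code v2"

if __name__ == "__main__":
    print("same enclave, same platform:", roundtrip(PLATFORM_A, PLATFORM_A, ENCLAVE_V1, ENCLAVE_V1, b"k"))
    print("other enclave, same platform:", roundtrip(PLATFORM_A, PLATFORM_A, ENCLAVE_V1, ENCLAVE_V2, b"k"))
    print("same enclave, other platform:", roundtrip(PLATFORM_A, PLATFORM_B, ENCLAVE_V1, ENCLAVE_V1, b"k"))
    q = PLATFORM_A.attest(measure(ENCLAVE_V1), b"verifier-nonce")
    print("attestation accepted:", verify_attestation(q, measure(ENCLAVE_V1), PLATFORM_A.attestation_key()))
```

            The `report_data` field is where an enclave would place a verifier-chosen nonce or a public key it just
            generated, so that a verifier can tie the attested identity to a fresh session rather than accept a
            replayed report.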


            6.2     Inter-cloud trust management model
            Inter-cloud trust management is realized on the basis of a two-dimensional (vertical and horizontal)
            model as follows:
            –       The vertical axis (cross-layer) is based on the layers of the cloud computing reference
                    architecture [ITU-T Y.3502]. Inter-cloud trust management in this dimension is realized over the
                    functional components for managing isolation and security mechanisms. The components managing
                    isolation ensure that different tenants, and their workloads and data, are isolated from and
                    inaccessible to one another in each layer. The components managing security establish a chain of
                    trust in the cross-layer dimension. In higher layers, it focuses on user-centric trust, such as
                    user identity

