Page 807 - Cloud computing: From paradigm to operation

Intercloud and interoperability


The governance of trusted inter-cloud is a continuous process to monitor particular indicators from systems (e.g., performance, conformance), evaluate proposals and plans, and direct strategy and policies between the governance body and the governance executive. The governance body takes into account external trusted inter-cloud conditions related to business pressures, regulatory obligations, source of authority, stakeholders' expectations and business needs.

Trusted inter-cloud governance is based on the following principles:

– responsibility, which means clearly defined roles for demand and support of the environment;
– strategy, which is closely tied to the plan, build and run phases of a trusted inter-cloud enabled business;
– acquisition of inter-cloud data, which depends on the business case;
– performance, which has to be realized according to the SLAs for cloud services;
– compliance, which covers the necessary respect of laws and regulations;
– human behaviour, which addresses the dynamics of interaction in the governance process.

The governance of trusted inter-cloud can be considered with respect to internal or external aspects. Internal cloud governance allows a CSP to control its own processes in a way that gives assurance and transparency to the other CSPs participating in a trusted inter-cloud environment, according to specified expectations in terms of cloud computing cross-cutting aspects [ITU-T Y.3502].
External cloud governance spans the processes of monitoring and controlling the inter-cloud environment in order to reach the objectives of trust. This can refer to a service level agreement which provides detailed information about the functional and non-functional aspects of cloud services.

Both internal and external governance of trusted inter-cloud concern matters decided by the governing board of a CSP, such as how policy decisions are made and how these are converted into policies that can be implemented in the CSP's management system.


6.2     Management of trusted inter-cloud
Management in trusted inter-cloud computing environments is based on two complementary elements: access control mechanisms and a trust management system. Appropriate access control mechanisms guarantee a level of confidentiality and trust between a CSC and CSPs, or between CSPs.

Access control mechanisms determine the authorization for shifting physical control over applications, services, resources and data. An authorization, authentication and accounting (AAA) module that controls access to cloud computing resources relies on a customisable access control policy model and its implementation requirements. The specification of the access control mechanism is usually predefined in an access control policy, which specifies the permissions and access control for cloud computing resources and cloud services.
Traditional access control mechanisms (e.g., identity-based, lattice-based, role-based, organisation-based, attribute-based) cannot be successfully used in trusted inter-cloud computing because of the high dynamics of cloud computing environments. Therefore, new mechanisms that combine traditional functionality can be used to control cross-tenant access at the policy administration level.
The objectives of access control mechanisms in a trusted inter-cloud environment are as follows:
– expressivity, the ability to provide appropriate mechanisms for access control policies; this depends on the implementation;
– granularity, the ability to decompose an access control mechanism into smaller components; this is in line with the granularity of the cloud computing resources and cloud services as well as the SLA established between the CSC and CSP or between CSPs;
– context-awareness, the ability of an authorization mechanism to take context information into consideration when making access decisions; context awareness is significant in trusted inter-cloud environments because of their distributed nature: access to the inter-cloud from different locations, during different time periods, etc.
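The hybrid approach of 6.2 and the three objectives above (expressivity, granularity, context-awareness), as an added Python example that is not part of the original text: a deny-by-default policy decision function that mixes role-based and attribute-based conditions with request context (origin region and time of day) for cross-tenant access between two CSPs. The CSP, tenant, role and resource names are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import time

@dataclass
class Rule:
    """One permit rule, scoped to a resource prefix (granularity)."""
    resource_prefix: str                        # e.g. "csp-b/storage/"
    actions: frozenset                          # permitted actions, e.g. {"read"}
    roles: frozenset = frozenset()              # role-based part: subject needs any of these
    attrs: dict = field(default_factory=dict)   # attribute-based part: all must match
    regions: frozenset = frozenset()            # context: allowed request origins
    window: tuple = (time(0, 0), time(23, 59, 59))  # context: allowed time of day

    def permits(self, req):
        ctx = req["context"]
        return (req["resource"].startswith(self.resource_prefix)
                and req["action"] in self.actions
                and (not self.roles or bool(self.roles & req["roles"]))
                and all(req["attrs"].get(k) == v for k, v in self.attrs.items())
                and (not self.regions or ctx["region"] in self.regions)
                and self.window[0] <= ctx["time"] <= self.window[1])

def decide(policy, req):
    """Deny by default; the first rule whose every condition holds permits."""
    return "permit" if any(rule.permits(req) for rule in policy) else "deny"

# Constructed policy that CSP-B publishes for tenants of partner CSP-A
# (hypothetical names; not from the text).
POLICY = [
    # analysts of tenant "acme" may read storage, only from the EU and in office hours
    Rule("csp-b/storage/", frozenset({"read"}), roles=frozenset({"analyst"}),
         attrs={"tenant": "acme", "home_csp": "csp-a"},
         regions=frozenset({"eu"}), window=(time(8, 0), time(18, 0))),
    # auditors from CSP-A may read/list the audit area at any time, from anywhere
    Rule("csp-b/storage/audit/", frozenset({"read", "list"}),
         roles=frozenset({"auditor"}), attrs={"home_csp": "csp-a"}),
]

def make_request(roles, attrs, action, resource, region, hour, minute=0):
    """Build a request dict; 'region' and the time form the access context."""
    return {"roles": frozenset(roles), "attrs": dict(attrs), "action": action,
            "resource": resource, "context": {"region": region, "time": time(hour, minute)}}

if __name__ == "__main__":
    alice = {"tenant": "acme", "home_csp": "csp-a"}
    print(decide(POLICY, make_request({"analyst"}, alice, "read", "csp-b/storage/b42", "eu", 10, 30)))  # permit
    print(decide(POLICY, make_request({"analyst"}, alice, "read", "csp-b/storage/b42", "eu", 23, 5)))   # deny
```

Each rule is scoped to a resource prefix, so the policy can be decomposed per service or per tenant, and a request that satisfies no rule is denied regardless of the subject's home CSP.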
