Page 810 - Cloud computing: From paradigm to operation

5  Intercloud and interoperability


Trusted inter-cloud resiliency is a set of technical procedures (relying on shifting control and security mechanisms) to:
–  monitor the CSC's or CSP's environment and collect relevant data;
–  analyse the monitored data;
–  predict faults; and
–  mitigate or restore the cloud service parameters after service failure (related to certain equipment or software functionality, laws and regulations, local policies, service contracts, etc.) and availability (related to technical systems functionality).

Complementary to trusted inter-cloud resiliency is the reliability of trusted inter-cloud. This means the ability of the trusted inter-cloud environment to perform and maintain under stated conditions as required for a specified period of time.

6.4  Security and confidentiality of trusted inter-cloud
The security and confidentiality of trusted inter-cloud is the main challenge of integrating multiple CSP platforms. It is necessary to provide self-service, self-managed and end-to-end security services for the CSC, and for the CSP to guarantee a level of confidentiality, integrity and availability of the services and resources hosted on the CSPs' cloud computing environments. To establish and specify trust between different cloud computing environments, as well as trust between the CSC and CSPs, a dedicated security and confidentiality terminology, together with a master service agreement (MSA), is needed.
The security and confidentiality of trusted inter-cloud is based on distributed cloud management. This enables the primary CSP to provide end-to-end dynamic deployment, configuration and unified control of the security and confidentiality of cloud services across multiple CSPs. In implementation, trust supported by distributed cloud management can be realised by combining specialised protocol design with smart interaction with the underlying cloud network fabric (e.g., using software-defined networking (SDN) traffic engineering and cloud-tailored smart queue management).
To increase the security and confidentiality of trusted inter-cloud computing, it is necessary to define a terminology (language) to annotate (or tag) workloads and data with security requirements (such as permissible storage locations). These annotations are processed by the system during scheduling and migration to ensure that workload constraints are maintained. Additionally, the annotation of workloads allows the use of appropriate network data plane mechanisms (e.g., SDN) for strong security protection and traffic isolation, in order to ensure that the above constraints are met when workloads are actually placed, executed (data accessed and stored) and migrated. Such annotation of workloads and data sets might be based on standards for data categorisation.
The security and confidentiality of trusted inter-cloud is realised on the basis of a two-dimensional (vertical and horizontal) model, as follows. The vertical axis is based on the layers of the cloud computing reference architecture [ITU-T Y.3502]:
–  the higher layers are focused on user-centric security and confidentiality through a unified distribution layer for cloud resources (independently of their type and of the underlying CSP), such as user identity management, authentication and authorization;
–  the lower layers are focused on provider-independent control, security and confidentiality over the whole distributed inter-cloud infrastructure, such as disk and network encryption.

The horizontal axis is based on the interconnection of CSPs according to the inter-cloud framework [ITU-T Y.3511].

Consequently, the security and confidentiality of trusted inter-cloud are based on satisfying both the horizontal (cross-provider) and vertical (cross-layer) dimensions.
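The following is an added illustration, not text or code from the ITU-T document, of how the workload annotations described above (permissible storage locations plus the lower-layer controls named on the vertical axis, such as disk encryption and network traffic isolation) can be evaluated by a scheduler before a workload is placed on, or migrated to, a given CSP. The provider names, regions, tag names and workloads are all constructed for the example; the annotation vocabulary itself is hypothetical and is not the terminology the document calls for.

```python
"""Annotation-aware placement check across multiple CSPs.

Added example (not from the ITU-T text): workloads carry security
annotations (tags) such as permissible storage locations and required
lower-layer controls; the scheduler evaluates each candidate placement
or migration target against those tags before committing to it.
All provider names, regions and tag names are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Placement:
    """A candidate location offered by a CSP (constructed sample data)."""
    provider: str            # CSP identifier
    region: str              # storage / execution jurisdiction
    disk_encryption: bool    # lower-layer control: encrypted storage
    network_isolation: bool  # lower-layer control: SDN traffic isolation


@dataclass(frozen=True)
class Workload:
    """A workload together with its security annotations (tags)."""
    name: str
    permitted_regions: FrozenSet[str]        # permissible storage locations
    requires_disk_encryption: bool = False
    requires_network_isolation: bool = False


def violations(workload: Workload, placement: Placement) -> List[str]:
    """List every annotation constraint the placement would break (empty = OK)."""
    problems = []
    if placement.region not in workload.permitted_regions:
        problems.append(f"region {placement.region} is not a permissible storage location")
    if workload.requires_disk_encryption and not placement.disk_encryption:
        problems.append("disk encryption required but not provided")
    if workload.requires_network_isolation and not placement.network_isolation:
        problems.append("network traffic isolation required but not provided")
    return problems


def select_placement(workload: Workload, candidates: List[Placement]) -> Optional[Placement]:
    """Return the first candidate that satisfies every annotation, or None."""
    for candidate in candidates:
        if not violations(workload, candidate):
            return candidate
    return None


def migration_allowed(workload: Workload, target: Placement) -> bool:
    """A migration keeps the constraints only if the target satisfies every annotation."""
    return not violations(workload, target)


# Constructed sample: three CSP offerings and three annotated workloads.
CANDIDATES = [
    Placement("csp-a", "US", disk_encryption=True, network_isolation=True),
    Placement("csp-b", "EU", disk_encryption=False, network_isolation=True),
    Placement("csp-c", "EU", disk_encryption=True, network_isolation=False),
]

WORKLOADS = [
    Workload("payroll-db", frozenset({"EU"}), requires_disk_encryption=True),
    Workload("public-web", frozenset({"EU", "US"}), requires_network_isolation=True),
    Workload("archive", frozenset({"APAC"})),  # no candidate offers this region
]


def plan_placements() -> dict:
    """Map each workload name to the chosen provider, or None if nothing fits."""
    plan = {}
    for workload in WORKLOADS:
        chosen = select_placement(workload, CANDIDATES)
        plan[workload.name] = chosen.provider if chosen else None
    return plan


if __name__ == "__main__":
    for name, provider in plan_placements().items():
        print(f"{name}: {provider or 'no compliant placement'}")
```

The point of `violations` returning the full list rather than a boolean is that the scheduler can log exactly which annotation a candidate failed, which is what an operator needs when a workload ends up unplaceable (as "archive" does here) or when a migration is refused.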
