Part I Scientific achievements
3.4 Cloud Security Architectures
The general Cloud Computing architecture is composed of a massive network of “cloud servers” [R 139] that use virtualization to maximize the utilization of the computing power available per server (Figure 31). Cloud users interface with the cloud through the Cloud Portal, which allows the user to select a service from a service catalogue; system management then finds the correct resources, which are allocated in the cloud by the provisioning service. The optional Monitoring and Metering component tracks the usage of the cloud, so that the resources used can be attributed to a given user.
Figure 31 Cloud Computing Architecture
Figure 32 Security Components and Architecture for Cloud Computing Environments [R 164]
CC offers many advantages: it is an efficient way to store and maintain databases and a helpful tool for business; the services offered by CC are delivered in the cloud as SaaS; cloud computing solutions are in general less expensive than their software counterparts (pricing being offered on a per-user basis); an efficient use of CC reduces energy consumption significantly; and customers are freed from the technological issues of installing and maintaining the IT.
In CC the servers are not accessed directly through network connections; they are accessed through the services they provide, ensuring a high degree of transparency to the cloud. Users in fact access certain cloud components (request brokers), and those cloud components distribute requests to individual servers, as appropriate. This important aspect of cloud functioning was used as a basis for the security components and architecture solution for CC environments given in [R 189].
To preserve the transparent character of CC, security components and services must be transparent and also generic - adjustable to individual users, requirements, applications, and required services (Figure 32).
• The Application Access Point (AAP) Server is the service that distributes - based on types of requests, or other parameters - cloud service requests to individual application servers. It is related to and uses the Services Publishing and Dispatching (SPD) Server. The SPD server is based on the UDDI standard for discovering application services available in the cloud and is used for publishing and discovering cloud application services.
• The Communication Access Point (CAP) is in fact the communication services provider, which can accept requests coming through different communications protocols.
• The Security Access Point (SAP) is the cloud server that provides front-end security services and is responsible for the authentication of users. It must be based on open standards and applicable in an open environment.
• The Certification Authority (CA) server provides certification services in the cloud by issuing certificates to the clients and to the SAP.
• The Identity Management System (IDMS), an X.500-compliant directory, is another server that provides registration and identification services in the cloud.
To ensure CC security, security techniques should be implemented at the Client level, at the SAP level and at the AAP level.
For customers that belong to a private cloud and want to outsource their services to a Cloud Service Provider (CSP), [R 127] proposed a 4 layer Architectural Security Solution in Cloud Computing (Figure 33).
3.4.1 The 5 Layer Cloud Security Architecture
A 4 Layer Cloud Security Architecture was proposed in [R 127] and is presented in Figure 33. This architectural solution covers security for all three elements discussed above: the identity, the information and the infrastructure.
Figure 33 The 4 Layer CSA [R 127]
Layer 1, based on a Cloud IAM Gateway that belongs to a third-party cloud provider, introduces the Identity and Access Management function. This is realized by creating web security application services which integrate provisioning/deprovisioning, authentication, federation and authorization. These web security applications are used as an external security approach.
Layer 2 of this architectural security solution introduces a firewall for enhancing network security control (allowing ports and IP access). This layer protects the physical infrastructure of both the service customer and the cloud service provider [R 127].
Layer 3 improves the isolation of customer data by segregating the organizations’ data using private VLANs. The VLANs are configured according to the access restrictions for each customer’s virtual machine, expressed as Access Control Lists.
Layer 4 of security is assured by creating a virtual demilitarized zone (DMZ) for each customer. This virtual zone could be accessed by other customers, and it restricts access to the information that resides on the private VLAN. The CSP will also have a DMZ zone that can be accessed by all customers; this zone stores data concerning all the customers, without affecting each customer’s own data.
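To make the division of labour between the four layers concrete, the following added example (it is not code from [R 127] or from this thesis) walks a single customer request through Layer 1 (IAM gateway), Layer 2 (firewall on ports and source addresses), Layer 3 (private VLAN ACL) and Layer 4 (per-customer and CSP DMZs) in order, and reports the first layer that decides. The tenants, networks, ports and zone names are constructed for the example; a real deployment would take them from the IAM gateway, the firewall rule base and the VLAN ACLs.

```python
# Added example: a request walks the four layers of the 4 Layer CSA in order.
# All policy values below (tenants, networks, ports, zones) are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    customer: str      # tenant identity presented to the Cloud IAM Gateway
    token_valid: bool  # outcome of authentication/federation at Layer 1
    src_ip: str        # source address as seen by the Layer 2 firewall
    dst_port: int      # service port requested
    dst_zone: str      # "vlan:<tenant>" (private VLAN), "dmz:<tenant>" or "dmz:csp"


# Layer 1: tenants provisioned in the IAM gateway (constructed).
PROVISIONED_TENANTS = {"acme", "globex"}
# Layer 2: the firewall permits only these ports and source networks (constructed).
ALLOWED_PORTS = {443, 8443}
ALLOWED_NETS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
# Layer 3: ACL mapping each tenant to the private VLANs its virtual machines may reach.
VLAN_ACL = {"acme": {"vlan:acme"}, "globex": {"vlan:globex"}}
# Layer 4: per-tenant DMZs plus the CSP's shared DMZ, reachable by any tenant.
DMZ_ZONES = {"dmz:acme", "dmz:globex", "dmz:csp"}


def layer1_iam(req: Request) -> bool:
    return req.token_valid and req.customer in PROVISIONED_TENANTS


def layer2_firewall(req: Request) -> bool:
    src = ip_address(req.src_ip)
    return req.dst_port in ALLOWED_PORTS and any(src in net for net in ALLOWED_NETS)


def layer3_vlan(req: Request) -> bool:
    # Private VLAN traffic is isolated per tenant: only the owner's ACL entry matches.
    return req.dst_zone in VLAN_ACL.get(req.customer, set())


def layer4_dmz(req: Request) -> bool:
    # DMZs are the only zones shared across tenants; private VLANs are never exposed here.
    return req.dst_zone in DMZ_ZONES


def evaluate(req: Request) -> tuple[bool, str]:
    """Return (allowed, deciding_layer) after walking the layers in order."""
    if not layer1_iam(req):
        return False, "layer1-iam"
    if not layer2_firewall(req):
        return False, "layer2-firewall"
    if req.dst_zone.startswith("vlan:"):
        return layer3_vlan(req), "layer3-vlan"
    if req.dst_zone.startswith("dmz:"):
        return layer4_dmz(req), "layer4-dmz"
    return False, "unknown-zone"


if __name__ == "__main__":
    samples = [
        Request("acme", True, "203.0.113.10", 443, "vlan:acme"),    # own VLAN: allowed
        Request("acme", True, "203.0.113.10", 443, "vlan:globex"),  # other tenant's VLAN: denied
        Request("acme", True, "203.0.113.10", 443, "dmz:globex"),   # other tenant's DMZ: allowed
        Request("acme", True, "203.0.113.10", 23, "vlan:acme"),     # telnet: stopped at firewall
        Request("acme", False, "203.0.113.10", 443, "vlan:acme"),   # bad token: stopped at IAM
    ]
    for req in samples:
        print(f"{req.customer:>7} -> {req.dst_zone:<12} port {req.dst_port:<5} {evaluate(req)}")
```

Because the private VLAN check only ever consults the requesting tenant's own ACL entry, a tenant can never be granted another tenant's VLAN no matter how the DMZ policy is configured, which is the isolation property Layers 3 and 4 are meant to provide together.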
This architecture will be completed with a 5th layer in Section 1.1.12: an additional layer introduced to enhance the security of data-at-rest by hiding the information in images.
Considering the steganography approach for securing at-rest data in public clouds, which is proposed in [R 17] and presented in Figure 20, I propose to complete the 4 layer CSA [R 127] with an extra layer that hides data stored in the public cloud in images. The resulting architecture is given in Figure 34.
Figure 34 The 5 Layer CSA Architecture
The Security strength of the proposed approach
This 5 layer architecture combines the advantages of the 4 layer architecture with those offered by the combination of encryption and the data hiding technique proposed in [R 17], based on Huffman coding, to prevent unauthorized data access in cloud data storage. Unauthorized users cannot rectify the original content of the data, due to the very low sensitivity of the human visual system.
The authors made a detailed presentation of all processes needed to realize this security system (Embedding Data into Images, File Codifications, Hiding Data within Images Steganography, Searching of Valid Image, Mapping Data from a File to Image, Retrieving Data from Image, Construction of Huffman Tree), together with a detailed security and performance analysis to prove that their approach offers high security of data-at-rest at any Cloud Service Provider (CSP) [R 17].
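The following added example illustrates the Layer 5 processes listed above (Construction of Huffman Tree, Embedding Data into Images, Retrieving Data from Image); it is not the code of [R 17] or of this thesis, and it stands in for the encryption step with plain Huffman coding so that the hiding and retrieval path can be shown end to end. The cover image is a constructed 8-bit grayscale raster held in a bytearray, the payload is embedded one bit per pixel in the least significant bit, and the Huffman code table is assumed to remain with the data owner, like a key, so that a CSP holding only the image cannot interpret the embedded bits.

```python
# Added example: Huffman coding followed by least-significant-bit embedding in a
# constructed grayscale image, with the matching extraction and decoding path.
# Not the implementation of [R 17]; the cover image and payload are constructed.
import heapq
from collections import Counter
from itertools import count

HEADER_BITS = 32  # payload length prefix, in bits, stored ahead of the payload


def build_huffman_codes(data: bytes) -> dict[int, str]:
    """Construct the Huffman tree and return a prefix-free code per byte value."""
    freq = Counter(data)
    if not freq:
        return {}
    if len(freq) == 1:              # degenerate tree: a single symbol gets a one-bit code
        return {next(iter(freq)): "0"}
    seq = count()                   # tie-breaker so heap entries never compare tree nodes
    heap = [(f, next(seq), sym) for sym, f in freq.items()]
    heapq.heapify(heap)
    while len(heap) > 1:            # merge the two lightest subtrees until one remains
        f1, _, left = heapq.heappop(heap)
        f2, _, right = heapq.heappop(heap)
        heapq.heappush(heap, (f1 + f2, next(seq), (left, right)))
    codes: dict[int, str] = {}

    def walk(node, prefix: str) -> None:
        if isinstance(node, tuple):
            walk(node[0], prefix + "0")
            walk(node[1], prefix + "1")
        else:
            codes[node] = prefix

    walk(heap[0][2], "")
    return codes


def huffman_encode(data: bytes, codes: dict[int, str]) -> str:
    return "".join(codes[b] for b in data)


def huffman_decode(bits: str, codes: dict[int, str]) -> bytes:
    reverse = {code: sym for sym, code in codes.items()}
    out, cur = bytearray(), ""
    for bit in bits:
        cur += bit
        if cur in reverse:          # prefix-free code: the first match is the symbol
            out.append(reverse[cur])
            cur = ""
    if cur:
        raise ValueError("bit stream ended inside a code word")
    return bytes(out)


def embed_bits(cover: bytearray, bits: str) -> bytearray:
    """Write a 32-bit length header and the payload bits into the pixel LSBs."""
    stream = format(len(bits), f"0{HEADER_BITS}b") + bits
    if len(stream) > len(cover):
        raise ValueError("cover image too small for payload")
    stego = bytearray(cover)
    for i, bit in enumerate(stream):
        stego[i] = (stego[i] & 0xFE) | int(bit)   # each pixel changes by at most 1
    return stego


def extract_bits(stego: bytearray) -> str:
    lsbs = "".join(str(p & 1) for p in stego)
    n = int(lsbs[:HEADER_BITS], 2)
    if HEADER_BITS + n > len(lsbs):
        raise ValueError("length header exceeds image capacity")
    return lsbs[HEADER_BITS:HEADER_BITS + n]


def hide(data: bytes, cover: bytearray) -> tuple[bytearray, dict[int, str]]:
    codes = build_huffman_codes(data)
    return embed_bits(cover, huffman_encode(data, codes)), codes


def reveal(stego: bytearray, codes: dict[int, str]) -> bytes:
    return huffman_decode(extract_bits(stego), codes)


def max_pixel_change(cover: bytearray, stego: bytearray) -> int:
    """Largest per-pixel intensity change introduced by the embedding."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def make_cover(width: int = 64, height: int = 32) -> bytearray:
    """Constructed grayscale gradient standing in for a real cover image."""
    return bytearray(x * 255 // (width - 1) for _ in range(height) for x in range(width))


if __name__ == "__main__":
    cover = make_cover()
    secret = b"cloud storage data at rest, cloud storage data at rest"
    stego, codes = hide(secret, cover)
    assert reveal(stego, codes) == secret
    print(len(secret) * 8, "raw bits ->", len(huffman_encode(secret, codes)), "Huffman bits")
    print("max pixel change:", max_pixel_change(cover, stego))
```

The length header lets the retrieval side stop at the right bit without any out-of-band size, and the capacity check in `embed_bits` is the "Searching of Valid Image" step in its simplest form: a cover that cannot hold the coded payload is rejected rather than silently truncating it.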