Published by | biomed |
Published on | 01 January 2012 |
Number of reads | 5 |
Language | English |
File size | 1 MB |
Excerpt
Watson Journal of Cloud Computing: Advances, Systems and Applications 2012, 1:15
http://www.journalofcloudcomputing.com/content/1/1/15
RESEARCH Open Access
A multi-level security model for partitioning workflows over federated clouds
Paul Watson
Abstract
Cloud computing has the potential to provide low-cost, scalable computing, but cloud security is a major area of concern. Many organizations are therefore considering using a combination of a secure internal cloud, along with (what they perceive to be) less secure public clouds. However, this raises the issue of how to partition applications across a set of clouds, while meeting security requirements. Currently, this is usually done on an ad-hoc basis, which is potentially error-prone, or for simplicity the whole application is deployed on a single cloud, so removing the possible performance and availability benefits of exploiting multiple clouds within a single application. This paper describes an alternative to ad-hoc approaches – a method that determines all ways in which applications structured as workflows can be partitioned over the set of available clouds such that security requirements are met. The approach is based on a Multi-Level Security model that extends Bell-LaPadula to encompass cloud computing. This includes introducing workflow transformations that are needed where data is communicated between clouds. In specific cases these transformations can result in security breaches, but the paper describes how these can be detected. Once a set of valid options has been generated, a cost model is used to rank them. The method has been implemented in a tool, which is described in the paper.
Correspondence: Paul.Watson@ncl.ac.uk
School of Computing Science, Newcastle University, Newcastle-upon-Tyne, NE1 7RU, UK
© 2012 Watson; licensee Springer. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Introduction
Cloud computing is of growing interest due to its potential for delivering cheap, scalable storage and processing. However, cloud security is a major area of concern that is restricting its use for certain applications: “Data Confidentiality and Auditability” is cited as one of the top ten obstacles to the adoption of cloud computing in the influential Berkeley report [1]. While security concerns are preventing some organizations from adopting cloud computing at all, others are considering using a combination of a secure internal “private” cloud, along with (what they perceive to be) less secure “public” clouds. Sensitive applications can then be deployed on a private cloud, while those without security concerns can be deployed externally on a public cloud. However, there are problems with this approach. Currently, the allocation of applications to clouds is usually done on an ad-hoc, per-application basis, which is not ideal as it lacks rigour and auditability. Further, decisions are often made at the level of granularity of the whole application, which is allocated entirely to either a public or private cloud based on a judgment of its overall sensitivity. This eliminates the potential benefits for partitioning an application across a set of clouds, while still meeting its overall security requirements. For example, consider a medical research application in which data from a set of patients’ heart rate monitors is analyzed. A workflow used to analyze the data from each patient is shown in Figure 1. The input data is a file with a header identifying the patient, followed by a set of heart rate measurements recorded over a period of time. A service (Anonymize) strips off the header, leaving only the measurements (this application is concerned with the overall results from a cohort of patients, not with individuals). A second service (Analyze) then analyzes the measurements, producing a summary.

Analyzing the heart rate data is computationally expensive, and would benefit from the cheap, scalable resources that are available on public clouds. However, most organizations would be unlikely to consider storing medical records on a public cloud for confidentiality and, in some cases, legal reasons. Therefore, one solution is to deploy the whole workflow on a secure private cloud. However, this may overload the finite resources of the private cloud,
resulting in poor performance, and potentially a negative impact on other applications.

Figure 1 An example medical data analysis workflow.

An alternative solution is to partition the application between the private cloud and an external public cloud in order to exploit the strengths of both. This could be attempted in an ad-hoc fashion by a security expert but, as this paper describes, there are challenges in working out the set of partitioning options that still preserve the required security of data and services. This paper therefore describes an alternative to ad-hoc solutions – a method that takes an application consisting of a set of services and data connected in a workflow, and determines the valid set of deployments over a set of clouds, ensuring that security requirements are met. Although the paper is focused on workflows in which services communicate through passing data, the method can be applied to other types of distributed system that are composed of a set of communicating components. The method is based on Multi-Level Security models [2], specifically Bell-LaPadula [3]. The result of the method is the complete set of options that meet the organization’s security requirements for the application. The method introduces transformations that need to be performed on the workflows where data is communicated between clouds; the paper identifies the security issues that can be raised as a result, and the extra security checks that need to be performed to address this. When the method results in more than one valid partitioning option, there is the issue of how to choose the best. The paper shows how a cost model can be introduced to rank the valid options; a model based on price is defined, and applied to the running medical workflow example. The full method, including the cost model, has been implemented in a tool that has been built to automate and explore its application.

The paper is structured as follows. The Method section gives a brief introduction to Multi-Level Security models and Bell-LaPadula. It then describes how the Bell-LaPadula rules can be applied to ensure that a workflow meets the security requirements of its constituent services and data. The method is then extended to cloud computing by assigning security levels to clouds, and building on Bell-LaPadula to define a method for determining if security requirements are met in a particular deployment of the constituent parts of a workflow onto a set of clouds. The Calculating valid deployment options section then defines a method for enumerating all valid options for deploying a workflow over a set of clouds so as to meet security requirements. It highlights the issues raised when data must flow between clouds, and shows the workflow transformations and security checks that must be included in the method if security is to be guaranteed. The result is a set of valid options; the Selecting a deployment option with a cost model section then introduces a model that can be used to select the best option. The method is then applied to a second, more complex example (in the A more complex example section). A tool has been designed and built to implement the method. As described in the Tooling Section, it is structured as a set of rules, transforms and a cost model, allowing it to be enhanced to meet other non-functional requirements, including dependability. Following a review of related work, the paper draws conclusions and outlines further work.

Method
This section describes how the Bell-LaPadula security model can be applied to workflows, and can then be extended to the deployment of workflows on clouds. Through this section, a workflow is modeled as a directed graph in which services and data are represented as nodes. Services consume zero or more data items and generate one or more data items; the edges in the graph represent the data dependencies.

Representing security requirements
The Bell-LaPadula multi-level access control model [3] is adopted, with services modeled as the subjects (S), and data as the objects (O) [4]. The security model therefore consists of the following:

• a set of actions (A) that subjects (S) can carry out on objects (O). In the case of services operating on data in a workflow, the actions are limited to read and write. Therefore, the set of actions (A) is: $A = \{r, w\}$
• a poset of security levels: $L$
• a permissions matrix: $M : S \times O \to A$ (the contents of the matrix are determined by the workflow design; i.e. if service $s_1$ reads datum $d_0$ then there will be an entry in the matrix: $s_1 \times d_0 \to r$; similarly, if service $s_1$ writes datum $d_2$ then there will be an entry in the matrix: $s_1 \times d_2 \to w$)
• an access matrix: $B : S \times O \to A$ (this is determined by the execution of the workflow: if there are no choice points then it will equal the permissions matrix,

[…]

identified by the subscript). The following rules must be met:

by (3)

$c(s_1) \geq l(d_0)$ (5)
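
The following Python sketch is an added example, not code from the paper or its tool: it encodes the heart-rate workflow as a permissions matrix, applies the read rule $c(s) \geq l(d)$ shown in (5), and enumerates the deployments over two clouds that pass. The level values, the operating level of a service, the write rule and the cloud placement rules are assumptions based on standard Bell-LaPadula, because the excerpt ends before the paper states its own.

```python
from itertools import product

# Constructed levels (assumption): 0 = public, 1 = private.
CLOUDS = {"private": 1, "public": 0}
# l(d): d0 = patient file with header, d1 = measurements, d2 = summary.
DATA = {"d0": 1, "d1": 0, "d2": 0}
# Services: clearance c(s) and operating level l(s), with l(s) <= c(s).
# Anonymize is assumed trusted: cleared to read level 1, operating at
# level 0 so that writing the de-identified measurements is not a write-down.
SERVICES = {"Anonymize": {"c": 1, "l": 0}, "Analyze": {"c": 0, "l": 0}}
# Permissions matrix M : S x O -> A, with A = {r, w}.
M = {("Anonymize", "d0"): "r", ("Anonymize", "d1"): "w",
     ("Analyze", "d1"): "r", ("Analyze", "d2"): "w"}


def workflow_violations():
    """Check the workflow itself, before any deployment is considered."""
    found = []
    for (s, d), action in M.items():
        if action == "r" and SERVICES[s]["c"] < DATA[d]:
            found.append(f"read-up: {s} reads {d}")      # breaks c(s) >= l(d)
        if action == "w" and DATA[d] < SERVICES[s]["l"]:
            found.append(f"write-down: {s} writes {d}")  # assumed star-property
    return found


def deployment_ok(place):
    """place maps every datum and service to a cloud name."""
    # Assumed rule: a cloud may only host items at or below its own level.
    if any(CLOUDS[place[d]] < lvl for d, lvl in DATA.items()):
        return False
    if any(CLOUDS[place[s]] < a["l"] for s, a in SERVICES.items()):
        return False
    # Assumed rule: a datum a service reads or writes is present on that
    # service's cloud, so that cloud must also be cleared for the datum.
    return all(CLOUDS[place[s]] >= DATA[d] for (s, d) in M)


def valid_deployments():
    """Enumerate every assignment of nodes to clouds and keep the valid ones."""
    if workflow_violations():
        return []
    nodes = list(DATA) + list(SERVICES)
    combos = product(CLOUDS, repeat=len(nodes))
    return [p for p in (dict(zip(nodes, c)) for c in combos) if deployment_ok(p)]


if __name__ == "__main__":
    for option in valid_deployments():
        print(option)
```

With these constructed levels, the patient file and Anonymize are pinned to the private cloud, while the measurements, Analyze and the summary may each go to either cloud.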