9 - A Design Methodology for Developing Resilient Cloud Services

Abstract

Cloud computing is emerging as a new paradigm that aims at delivering computing as a utility. For the cloud computing paradigm to be fully adopted and effectively used, it is critical that the security mechanisms are robust and resilient to malicious faults and attacks. Security in cloud computing is of major concern and a challenging research problem since it involves many interdependent tasks including application layer firewalls, configuration management, alert monitoring and analysis, source code analysis, and user identity management. It is widely accepted that we cannot build software and computing systems that are free from vulnerabilities and cannot be penetrated or attacked. Therefore, it is widely accepted that cyber resilient techniques are the most promising solutions to mitigate cyberattacks and change the game to advantage the defender over the attacker. Moving Target Defense (MTD) has been proposed as a mechanism to make it extremely difficult for an attacker to exploit existing vulnerabilities by varying the attack surface of the execution environment. By continuously changing the environment (e.g., software versions, programming language, operating system, connectivity, etc.), we can shift the attack surface and, consequently, evade attacks. In this chapter we present a methodology for designing resilient cloud services that is based on the following capabilities: Redundancy, Diversity, Shuffling, and Autonomic Management. Redundancy is used to tolerate attacks if any redundant version or resource is compromised. The diversity is to use to avoid the software monoculture problem where one attack vector can successfully attack many instances of the same software module. Shuffling is needed to randomly change the execution environment and is achieved by “hot” shuffling of multiple functionally equivalent, behaviorally different software versions (code implementation) at runtime (e.g., the software task can have multiple versions where each version can be a different algorithm implemented in different programming language running on different computing systems). We also present our experimental results and evaluation of the RCS design methodology. We have implemented the applications on an IBM blade server with four blades, where each blade has 24 cores and can run several virtual machines. Our experimental results show that our environment is resilient against attacks with less than 7% in overhead time.