Abstract

A model of cloud services is emerging whereby a few trusted providers manage the underlying hardware and communications whereas many companies build on this infrastructure to offer higher level, cloud-hosted PaaS services and/or SaaS applications. From the start, strong isolation between cloud tenants was seen to be of paramount importance, provided first by virtual machines (VM) and later by containers, which share the operating system (OS) kernel. Increasingly it is the case that applications also require facilities to effect isolation and protection of data managed by those applications. They also require flexible data sharing with other applications, often across the traditional cloud-isolation boundaries; for example, when government provides many related services for its citizens on a common platform. Similar considerations apply to the end-users of applications. But in particular, the incorporation of cloud services within ‘Internet of Things’ architectures is driving the requirements for both protection and cross-application data sharing. These concerns relate to the management of data. Traditional access control is application and principal/role specific, applied at policy enforcement points, after which there is no subsequent control over where data flows; a crucial issue once data has left its owner's control by cloud-hosted applications and within cloud-services. Information Flow Control (IFC), in addition, offers system-wide, end-to-end, flow control based on the properties of the data. We discuss the potential of cloud-deployed IFC for enforcing owners' dataflow policy with regard to protection and sharing, as well as safeguarding against malicious or buggy software. In addition, the audit log associated with IFC provides transparency, giving configurable system-wide visibility over data flows. [...]

Highlights

  • A model of cloud services is emerging whereby a few trusted providers manage the underlying hardware and communications infrastructure—datacenters with worldwide replication to achieve high data integrity and availability at low latency

  • We argue that incorporating Information Flow Control (IFC) into the underlying PaaS-provided operating system (OS), as a small, trusted computing base would greatly enhance the trustworthiness of cloud services, whether public or private, and all their hosted services/applications

  • Our evaluation shows that IFC would incur acceptable overhead, and our IFC model is designed to ensure that application developers need not be aware of IFC, although some application providers may wish to take explicit advantage of it


Summary

INTRODUCTION

A MODEL of cloud services is emerging whereby a few trusted providers manage the underlying hardware and communications infrastructure—datacenters with worldwide replication to achieve high data integrity and availability at low latency. Decryption is only allowed by parties accepting the management constraints and able to enforce them. This forms the basis for establishing contractual relationships between data owners and service providers or other applications. Log records can be made efficiently of all attempted flows, whether permitted or rejected, and this log provides a possible basis for audit, data provenance and compliance checking. By this means it can be checked whether application-level policy has been enforced and whether cloud service provision has complied with contractual obligations. Our approach enables: (1) protection of applications from each other (non-interference); (2) flexible, managed data sharing across isolation boundaries; (3) prevention of data leakage due to bugs/misconfigurations; (4) extension of access control beyond application boundaries; (5) increased transparency, through detailed logs of information flow decisions. Evaluation is included within the section. §8 summarises, concludes and suggests future work.
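The following is an added illustration, not code from the paper or from the CamFlow project: a minimal reference monitor that decides whether a flow between two labelled entities is permitted and records every attempted flow, permitted or rejected, in an audit log of the kind the introduction describes. It assumes the standard secrecy/integrity lattice semantics used by CamFlow-style models (each entity carries a secrecy label S and an integrity label I, both sets of tags; a flow A → B is permitted iff S(A) ⊆ S(B) and I(B) ⊆ I(A)). The entity names and tags are constructed sample values; the `Monitor` and `can_flow` names are this example's own, not the paper's API.

```python
"""Added example (not the paper's code): IFC flow check with an audit log.

Assumed semantics (CamFlow-style secrecy/integrity lattice):
  - every entity has a secrecy label S and an integrity label I (sets of tags);
  - a flow src -> dst is permitted iff S(src) <= S(dst) and I(dst) <= I(src);
  - every attempted flow, permitted or rejected, is appended to the log.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Entity:
    """A labelled entity: a process, file, message or other data item."""
    name: str
    secrecy: FrozenSet[str] = frozenset()    # S label: who may see this data
    integrity: FrozenSet[str] = frozenset()  # I label: what this data is trusted for


@dataclass
class AuditRecord:
    """One log entry per attempted flow, whether or not it was permitted."""
    source: str
    dest: str
    permitted: bool
    reason: str


def can_flow(src: Entity, dst: Entity) -> Tuple[bool, str]:
    """Decide src -> dst under the lattice rule and explain the decision."""
    # Secrecy: every tag on the source must also be on the destination,
    # otherwise data would leave the context its owner confined it to.
    leaked = src.secrecy - dst.secrecy
    if leaked:
        return False, f"secrecy tags {sorted(leaked)} would leave their context"
    # Integrity: the destination may not demand a trust tag the source lacks,
    # otherwise untrusted input would reach a component that relies on it.
    unmet = dst.integrity - src.integrity
    if unmet:
        return False, f"destination requires integrity tags {sorted(unmet)} the source lacks"
    return True, "S(src) <= S(dst) and I(dst) <= I(src)"


class Monitor:
    """Reference monitor: enforces the rule and logs every attempt."""

    def __init__(self) -> None:
        self.log: List[AuditRecord] = []

    def flow(self, src: Entity, dst: Entity) -> bool:
        permitted, reason = can_flow(src, dst)
        self.log.append(AuditRecord(src.name, dst.name, permitted, reason))
        return permitted

    def rejected(self) -> List[AuditRecord]:
        """The subset of the log an auditor would look at first."""
        return [r for r in self.log if not r.permitted]


def demo() -> Monitor:
    """Run four constructed flows through a monitor and return it."""
    # Constructed sample entities; tags are illustrative only.
    patient_record = Entity("patient_record", secrecy=frozenset({"medical", "alice"}))
    hospital_app = Entity("hospital_app", secrecy=frozenset({"medical", "alice", "hospital"}))
    ad_service = Entity("ad_service", secrecy=frozenset({"advertising"}))
    signed_config = Entity("signed_config", integrity=frozenset({"provider_signed"}))
    untrusted_upload = Entity("untrusted_upload")
    config_loader = Entity("config_loader", integrity=frozenset({"provider_signed"}))

    m = Monitor()
    m.flow(patient_record, hospital_app)    # permitted: secrecy tags preserved
    m.flow(patient_record, ad_service)      # rejected: 'medical','alice' would leak
    m.flow(signed_config, config_loader)    # permitted: integrity requirement met
    m.flow(untrusted_upload, config_loader) # rejected: lacks 'provider_signed'
    return m


if __name__ == "__main__":
    for rec in demo().log:
        verdict = "PERMIT" if rec.permitted else "REJECT"
        print(f"{verdict:6} {rec.source} -> {rec.dest}: {rec.reason}")
```

The two rejected entries are exactly the cases the introduction lists as motivation: a secrecy leak across an application boundary (item 3, leakage due to bugs or misconfiguration) and untrusted input reaching a component that relies on integrity. Because the log records rejected attempts as well as permitted ones, an auditor can later show that policy was enforced, not merely that no permitted flow violated it.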

BACKGROUND
IFC Models
Protection via VMs and Containers
Sticky Policies
CAMFLOW-MODEL
Tags and Labels
Decentralised Privileges and Security Contexts
Creating a New Entity
Security
Information Exchange
Label Change
Conflict of Interest
OS ENFORCEMENT
CamFlow-LSM
Checkpointing and Restoration
OS Evaluation
Trusted Processes
Leveraging Hardware Roots of Trust
CROSS-MACHINE ENFORCEMENT
Remote Interactions
Message-Level Enforcement
Evaluation
AUDIT: DATA-CENTRIC LOGS
Demonstrating Compliance
Audit as ‘Big Data’
Audit Access
EXAMPLE
CONCLUSION & FUTURE WORK