Abstract
Security concerns are widely seen as an obstacle to the adoption of cloud computing solutions. Information Flow Control (IFC) is a well understood Mandatory Access Control methodology. The earliest IFC models targeted security in a centralised environment, but decentralised forms of IFC have been designed and implemented, often within academic research projects. As a result, there is potential for decentralised IFC to achieve better cloud security than is available today. In this paper we describe the properties of cloud computing—Platform-as-a-Service clouds in particular—and review a range of IFC models and implementations to identify opportunities for using IFC within a cloud computing context. Since IFC security is linked to the data that it protects, both tenants and providers of cloud services can agree on security policy, in a manner that does not require them to understand and rely on the particulars of the cloud software stack in order to effect enforcement.
Highlights
C LOUD computing has matured into providing inexpensive, practical and on-demand access to computing resources
In this paper we describe the properties of cloud computing— Platform-as-a-Service clouds in particular—and review a range of Information Flow Control (IFC) models and implementations to identify opportunities for using IFC within a cloud computing context
We argue that data-centric security mechanisms such as Information Flow Control (IFC)—and Decentralised IFC (DIFC) in particular—have the potential to enhance substantially today’s cloud security approaches
Summary
C LOUD computing has matured into providing inexpensive, practical and on-demand access to computing resources. A data store may provide facilities to isolate the confidential data of different users of an application (e.g. via separate user accounts as supported by most database management systems) but such functionality is not typically exposed to tenant applications Traditional security practices such as access control [1], [2] Chinese Wall [3] and promising technologies such as homomorphic encryption [4] are already being used or considered in cloud environments, but are unable to achieve the flexibility, generality and efficiency expected by cloud providers and tenants. We envision future secure cloud computing platforms that support the attachment of security policies to data and use these policies at runtime to control where user data flows Such data-centric security mechanisms, which track or enforce information flow, can improve cloud security in many ways.
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have