
SECaaS: Security as a Service for Cloud-based Applications

Mohammed Hussain
College of Computer and Information Technology Taif University Taif, Saudi Arabia

Hanady Abdulsalam
Department of Information Sciences Kuwait University Kuwait city, Kuwait

m.hussein@tu.edu.sa

hanady.abdulsalam@ku.edu.kw
ABSTRACT

Cloud computing is an attractive option for many applications since it provides the storage and computation needs of cloud users at relatively low cost. Although the area of cloud computing has grown rapidly in the last few years, it still lacks appropriate security measures that protect the data and/or applications of cloud users. We introduce a new architecture, namely Security as a Service (SECaaS), that addresses the security issues of cloud-based applications. SECaaS deals with the existing services of cloud computing on its different levels. SECaaS takes a user-centric approach, in which cloud users have more control over their security. It provides security means for both cloud users and providers.

Keywords

Cloud Computing, Security as a Service, Security.

1. INTRODUCTION

Cloud computing has established itself as a new and promising model for on-demand and scalable computation over the internet [3]. The model simply consists of cloud providers that provide online services to cloud users. Cloud providers manage large data-centers equipped with high performance computing and storage units (clouds) [8]. The simplicity of using cloud computing is another advantage. Despite the quick progress of cloud-computing applications, security risks still form an important challenge that needs to be addressed in a solid way. This is because once cloud users upload their data to a cloud, controlling who accesses it becomes the responsibility of the cloud provider. The data owners cannot assert the status of their dataset and cannot guarantee that the cloud provider is protecting their dataset properly. Due to the fear of negative reputation, providers tend not to disclose all security breaches that occur.

This paper presents Security as a Service (SECaaS), a new approach to securing cloud-based applications. Current cloud technologies assume that the security of a cloud is maintained by the cloud provider. SECaaS, on the other hand, allows users of one cloud to rely on the security measures provided by other clouds. SECaaS treats security as a service that users can subscribe to, so that cloud users are no longer limited to the security solutions of their cloud provider. There can be many benefits of such an approach. Some of the most important ones are:

1. Increase protection. SECaaS permits users to subscribe to the security solutions they need, whether they are provided by their own cloud provider or by others. For security-critical applications, users may have several lines of defence.
2. Provide choice. SECaaS enables users to choose the provider of their security in the same way they choose the provider of their cloud.
3. Target user and provider. SECaaS protects cloud user assets (data, programs and virtual machines), as well as provider assets (software, platform and infrastructure).

This paper is organized as follows. Section 2 describes cloud computing and shows its security issues and requirements. Section 3 presents our approach and architecture and illustrates the approach through a use-case. Section 4 shows the design details. Section 5 reviews the work related to this paper. Finally, Section 6 concludes the paper.

2. SECURE CLOUD COMPUTING

Cloud computing is a paradigm where software, platforms, and infrastructure are treated as virtualized units that are accessed by users [3]. Cloud services are provided on demand and governed by service level agreements between providers and users. Cloud users can be education and research institutions, businesses, governments, as well as individuals. Cloud computing inherits the security risks of web services, virtual machines and mobile computing. For example, data loss, phishing attacks, malware, and spam are problems that existed before cloud computing.

Second Kuwait Conf. on E-Services and E-Systems, April 5-7, 2011. Copyright 2011 ACM 978-1-4503-0793-2.

2.1 Cloud Security at Leading Providers

Leading cloud computing providers are working on frameworks that enable secure cloud computing. Microsoft's approach focuses on planning for risk, designing security controls and ensuring compliance [12]. Risks to cloud computing assets are assessed and prioritized. Security controls are implemented to mitigate the risks. A compliance framework is used to monitor and evaluate the security controls to ensure they are operating as required. The framework verifies that security controls meet industry and governmental standards, such as the Health Insurance Portability and Accountability Act and the Payment Card Industry Data Security Standard. In addition, security incident management is used to identify attacks, contain them, mitigate them and recover from them.

IBM cloud security is based on a Service Oriented Architecture model [10]. The model allows cloud users to choose which security services they need, and in what configuration. The model is supported by the Web Services (WS) framework. IBM Security Policy Manager can be used by cloud users to write and enforce data access policies. IBM AppScan can be used to monitor user applications. As with Microsoft's approach, IBM also follows industry and governmental standards.

Amazon [1] provides cloud computing and storage services, EC2 and S3, respectively. The security of EC2 and S3 is based on ensuring that user virtual machines are well separated from each other, and that Amazon's servers are protected from being directly controlled by these machines.

Security controls at the above three providers target applications, data and identities, networks, and physical security. The controls also ensure compliance with regulations and standards. Cloud users may require their cloud providers to comply with regulations and standards. Some known standards are the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA) and European privacy laws.

Figure 1: SECaaS at the different cloud computing levels

2.2 The Need for a User-Centric Approach

A common factor among leading cloud providers is that security is addressed in a provider-centric fashion: the cloud provider chooses, configures, runs and monitors the security controls that protect the cloud. A user-centric architecture empowers users by giving them more control. It allows users to choose security services offered at other clouds. It enables users to monitor the status of their applications and data at the cloud. It also takes into consideration the security of the cloud provider's resources and assets. The following section presents such an architecture.

3. SECAAS: SECURITY AS A SERVICE

We present Security as a Service (SECaaS), a service oriented architecture (SOA) that handles the security of cloud computing. The basic principle of SECaaS is to give cloud users more control over the process of securing their applications and data. SECaaS targets all levels of cloud computing, as shown in Figure 1. SECaaS protects user and provider assets. Given a cloud, SECaaS is applied at the SaaS, PaaS and IaaS levels. At the SaaS level, security services protect user data, as well as provider software. At the PaaS level, security services protect user applications, as well as the provider platform. At the IaaS level, security services protect user virtual machines, as well as provider infrastructure.

The architecture depicted in Figure 2 illustrates the SECaaS approach. This architecture targets the user perspective, which is securing user data and programs, as well as the provider perspective. The central component of the SECaaS architecture is the security manager. The security manager cloud allows users to choose the needed security measures. It lies between the user and the other clouds that offer security services, and it is responsible for managing the security clouds (see Figure 2). The security manager's duties are:

1. Helping the user choose security services.
2. Configuring the chosen security services.
3. Providing single sign-on to all security services that the user is subscribed to.

Figure 2: SECaaS: Protection of cloud user and provider assets

Figure 2 depicts a cloud user and a cloud provider. The cloud provider offers computation and storage services to the user. To protect the user's VM and the cloud's resources, the provider has several security services (1 - 3) in place. The figure also shows three clouds, named Security Service a, Security Service b and Security Service c. The security services may represent any security mechanism, for example access control, identity management, auditing, etc. Each of services a - c is shown as a separate cloud, but note that each cloud may offer more than one security service. For example, an intrusion detection service and an anti-malware service may be offered by the same cloud. Any of the clouds can be a sub-cloud of the security manager. The security manager need not be a cloud; it can be a web service. The same applies to the other clouds in Figure 2.

Using clouds to provide security services is not new. To the best of our knowledge, however, current approaches that address security in cloud computing do not have a framework that takes a holistic approach to security. Muttik et al. [13] use cloud computing to design an anti-malware system, while Guilbault et al. [9] implement an intrusion detection system using the Amazon cloud service. The previous two are examples of what may be referred to as cloud-based security [13].

3.1 A Use-case Using SECaaS

This section describes SECaaS with respect to our running example. The research group uses the security manager to configure four clouds. The four clouds provide intrusion detection, identity and access control, auditing and anti-malware services. We describe each component.

Cloud User. Represents the research group. The group chooses a computational and storage cloud for their data mining research. They also choose a security manager cloud to manage their security needs.

Security Manager Cloud. Allows the cloud user to configure the four available security services.

Firewall. Firewalls are needed to shield cloud resources from network traffic that may harm users' VMs or data.

Physical Security. Physical security ensures that access to the physical servers of the cloud provider is regulated.

Operational Compliance. Compliance ensures that cloud providers are governed by the standards put forth to protect cloud users' privacy and security.

Identity and Access Control Cloud. Provides identity management and access control services. It is responsible for:

1. Creating identities for the members who join the group, and deleting the identities of those who leave.
2. Allowing the members to control the flow of their identity information.
3. Managing access policies for every computational and storage cloud.
4. Providing single sign-on to all computational and storage clouds.

This cloud allows the group leader to specify the access privileges of each member at each cloud. For example, the group leader may specify that some members are allowed to access one cloud, while the remaining members are allowed to access another cloud. Single sign-on enables a member to have one credential to access all clouds, rather than having a different user name and password for each cloud.

Anti-Malware Cloud. Monitors the group's VM and detects spyware, worms and viruses. This is needed to prevent spyware from stealing data, and to prevent other malware from using the group's VM to send spam. The duties of this cloud are:

1. Preventing a member from installing malware on the VM.
2. Alerting the group if malware is discovered on the VM.

Intrusion Detection Cloud. Monitors the group's VM against a set of signatures that define intrusions, and/or monitors the group's VM and detects deviations from its normal behaviour. The intrusion detection cloud is responsible for:

1. Monitoring the group's VM.
2. Reporting attacks and intrusions on the VM to the group.

Auditing Cloud. Ensures that the cloud provider is fulfilling the contract (service level agreement). For example, if the cloud provider claims not to disclose the members' identity information to third parties, then reports generated by an auditing service may help users to detect violations of this claim. The duties of the auditing cloud are:

1. Allowing the group to specify which events to record at their VM.
2. Monitoring the VM.
3. Generating reports to the group on a regular basis with the required information.

4. DESIGN

To realize SECaaS, we use a service oriented architecture (SOA) for security services. Each cloud provider interested in offering security controls to the users of other cloud providers needs to design the offered security controls as services that can be configured, invoked and charged for. The Representational State Transfer (REST) [7] methodology can be used to design and implement services in an SOA environment; REST is used for the IBM cloud. Security Assertion Markup Language (SAML) [17] is used to communicate security assertions among entities. OpenID [15] can be used as the underlying protocol for an identity management system. Various identity and access control systems have been proposed for cloud computing [2, 18]. One example of an anti-malware system that fits SECaaS is the system presented by Muttik et al. [13]: malware signatures are stored at a designated cloud, while user machines communicate with that cloud to detect malware. Another example is CloudAV [14]. Several intrusion detection systems for cloud computing have been presented. Dastjerdi et al. [6] present an intrusion detection system for clouds using mobile agents. Guilbault et al. [9] use the Amazon cloud service to provide intrusion detection services.

4.1 Service Continuity Check Example

Suppose a web advertisement management organization has moved its services to the cloud. The organization allows advertisers to submit advertisements, while the organization places and rotates these advertisements at participating websites. Should the service of placing advertisements get disrupted, advertisers lose traffic to their products, while participating websites lose the revenue from advertising. To ensure that this scenario does not occur, the organization may rely on the cloud computing provider to ensure service continuity. But this is not enough, since the services of the cloud provider may themselves get disrupted. Using the SECaaS architecture, the organization may design a simple service that checks the advertising service. The checking service is placed on a different cloud, so even if the cloud hosting the organization fails, the organization will still be able to detect the disruption of its service. Such a service continuity check can be implemented using HTTP request and response messages, repeated once every specific period of time.
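The periodic HTTP continuity check just described, written out as an added example (this is not code from the paper): a checker that a SECaaS checking service on a different cloud would run against the advertising service, which reports a disruption only after several consecutive failed probes so that one dropped request is not mistaken for an outage, and which also estimates how many probes a day of checking costs, the overhead weighed in Section 4.2. The URL, polling period, failure threshold and the `ProbeResult`/`ContinuityMonitor` names are assumptions.

```python
import time
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, List, Optional

@dataclass
class ProbeResult:
    ok: bool                # True only for an HTTP 2xx answer
    status: Optional[int]   # HTTP status, or None if no answer came back
    detail: str

def http_probe(url: str, timeout: float = 5.0) -> ProbeResult:
    """One GET request; a non-2xx status, a timeout or a connection error
    all count as a failed probe."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            code = resp.getcode()
            return ProbeResult(200 <= code < 300, code, "reachable")
    except urllib.error.HTTPError as e:
        return ProbeResult(False, e.code, "http error %d" % e.code)
    except (urllib.error.URLError, OSError) as e:   # DNS, refused, timeout
        return ProbeResult(False, None, "unreachable: %s" % e)

@dataclass
class ContinuityMonitor:
    """Checker run from a cloud other than the one hosting the service; the
    threshold below is an assumed policy against transient failures."""
    url: str
    period_s: float = 60.0            # assumed polling period
    failures_before_alert: int = 3    # assumed tolerance for transient failures
    probe: Callable[[str], ProbeResult] = http_probe
    consecutive_failures: int = 0
    alerts: List[str] = field(default_factory=list)

    def tick(self, now: float) -> Optional[str]:
        """Run one scheduled probe; return an alert string when the service
        is judged disrupted (threshold reached) or when it recovers."""
        r = self.probe(self.url)
        if r.ok:
            was_down = self.consecutive_failures >= self.failures_before_alert
            self.consecutive_failures = 0
            return self._alert("%.0f: %s recovered" % (now, self.url)) if was_down else None
        self.consecutive_failures += 1
        if self.consecutive_failures == self.failures_before_alert:
            return self._alert("%.0f: %s DISRUPTED after %d failed probes (%s)"
                               % (now, self.url, self.consecutive_failures, r.detail))
        return None

    def _alert(self, msg: str) -> str:
        self.alerts.append(msg)   # stand-in for notifying the organization
        return msg

    def run(self, ticks: int) -> List[str]:
        """Poll `ticks` times, one probe per period, and return the alerts raised."""
        for _ in range(ticks):
            self.tick(time.time())
            time.sleep(self.period_s)
        return self.alerts

def probes_per_day(period_s: float) -> int:
    """Overhead estimate for Section 4.2: HTTP probes one day of checking costs."""
    return int(86400 // period_s)

if __name__ == "__main__":
    # Placeholder URL; in the SECaaS scenario this checker runs on another cloud.
    print(ContinuityMonitor("https://ads.example.invalid/health", period_s=5).run(4))
```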

4.2 Communication Overhead Limitation

The main limitation of SECaaS is the potential communication overhead between the clouds hosting users' data and the clouds offering security services. This overhead introduces a cost that cloud users will be charged for. Efficient and responsible design of security services, however, can limit this overhead. For example, the availability check service described in the previous section requires only a few periodic HTTP requests and responses. Further, the benefits gained from early detection of security vulnerabilities and attacks justify such an overhead. Imagine how much a disruption to a very popular web service may cost the service provider.

5. RELATED WORK

Jensen et al. [11] study the security risks of applying current standard cryptography techniques, for example XML signatures, to clouds. Chen et al. [4] and Ristenpart et al. [16] provide insight into new security risks specific to cloud computing. These risks are described in the introductory section of this paper. Creese et al. [5] present a capability maturity model for assessing the security and protection of user programs and data at cloud providers. Cloud providers may use design patterns to construct measures that mitigate security and privacy risks. Cloud providers are monitored to ensure that they implement the controls specified in the service level agreement. Yan et al. [18] use public key cryptography along with federated identity management to address the case where each cloud contains multiple clouds. The approach achieves single sign-on, that is, allowing a user to authenticate at one cloud provider, yet be able to access her accounts at other cloud providers as well. Single sign-on simplifies the authentication of users.

6. CONCLUSION

Cloud computing plays an important role in many recent applications, such as astronomy, weather forecasting, and financial applications. Since these applications process large amounts of data, cloud computing is one promising solution for handling such data, as it provides the needed storage and processing equipment through clouds. Security is one main concern for cloud-computing applications, since user data and/or applications are uploaded to clouds that are owned by service hosts (cloud providers). The user data and applications, hence, become a great target for security threats. Existing security architectures for cloud computing focus on security from the cloud provider's perspective. This paper introduced Security as a Service (SECaaS), a user-centric architecture that provides security means for cloud computing on its different levels (SaaS, PaaS, and IaaS). SECaaS gives cloud users more control over their security. SECaaS is mainly proposed to control security issues in cloud-based applications. Users' data and programs, as well as providers' resources, are protected from different security threats.

7. REFERENCES

[1] Amazon Web Services: Overview of Security Processes. Amazon, Sep 2008. Retrieved December 2010, from aws.amazon.com.
[2] E. Bertino, F. Paci, R. Ferrini, and N. Shang. Privacy-preserving digital identity management for cloud computing. IEEE Data Engineering Bulletin, 32(1):21-27, 2009.
[3] R. Buyya, C. Yeo, S. Venugopal, J. Broberg, and I. Brandic. Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility. Future Generation Computer Systems, 25(6):599-616, 2009.
[4] Y. Chen, V. Paxson, and R. Katz. What's New About Cloud Computing Security? Tech. Rep. UCB/EECS-2010-5, EECS Department, University of California, Berkeley, 2010.
[5] S. Creese, P. Hopkins, S. Pearson, and Y. Shen. Data protection-aware design for cloud computing. In Proceedings of the First International Conference on Cloud Computing, pages 119-130. Springer-Verlag, 2009.
[6] A. V. Dastjerdi, K. A. Bakar, and S. G. H. Tabatabaei. Distributed intrusion detection in clouds using mobile agents. In Advanced Engineering Computing and Applications in Sciences, International Conference on, volume 0, pages 175-180. IEEE Computer Society, 2009.
[7] R. T. Fielding and R. N. Taylor. Principled design of the modern web architecture. ACM Transactions on Internet Technologies, 2(2):115-150, 2002.
[8] I. Foster, Y. Zhao, I. Raicu, and S. Lu. Cloud computing and grid computing 360-degree compared. In Proceedings of the Grid Computing Environments Workshop, pages 1-10. IEEE Computer Society, 2008.
[9] N. Guilbault and R. Guha. Experiment setup for temporal distributed intrusion detection system on Amazon's Elastic Compute Cloud. In Proceedings of the 2009 IEEE International Conference on Intelligence and Security Informatics, pages 300-302. IEEE Press, 2009.
[10] IBM Point of View: Security and Cloud Computing. IBM, Nov 2009. Retrieved December 2010, from www-03.ibm.com/security/cloud-security.html.
[11] M. Jensen, J. Schwenk, N. Gruschka, and L. Iacono. On technical security issues in cloud computing. In Proceedings of the IEEE International Conference on Cloud Computing, pages 109-116. IEEE Computer Society, 2009.
[12] Securing Microsoft's Cloud Infrastructure. Microsoft, May 2009. Retrieved December 2010, from www.globalfoundationservices.com/security.
[13] I. Muttik and C. Barton. Cloud security technologies. Information Security Technical Report, 14(1):1-6, 2009.
[14] J. Oberheide, E. Cooke, and F. Jahanian. CloudAV: N-version antivirus in the network cloud. In Proceedings of the 17th USENIX Security Symposium, pages 91-106. USENIX Association, 2008.
[15] D. Recordon and D. Reed. OpenID 2.0: A platform for user-centric identity management. In Proceedings of the Second ACM Workshop on Digital Identity Management, pages 11-16. ACM Press, 2006.
[16] T. Ristenpart, E. Tromer, H. Shacham, and S. Savage. Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In Proceedings of the 16th ACM Conference on Computer and Communications Security, pages 199-212. ACM, 2009.
[17] Security Assertion Markup Language (SAML). Retrieved Dec 2010, from oasis-open.org/committees/security.
[18] L. Yan, C. Rong, and G. Zhao. Strengthen Cloud Computing Security with Federal Identity Management Using Hierarchical Identity-Based Cryptography. In Proceedings of the First International Conference on Cloud Computing, pages 167-177. Springer-Verlag, 2009.
