Figure 1. Systems Engineering Process (INCOSE, 1995)

1. Cloud Security Critical Issues


Cloud security is analyzed in some existing studies (Gu and Cheung, 2009; IDC White Paper, 2010), but the development of realistic and applicable solutions is still in the early stages.

Privacy issues in cloud environments have been described by Pearson (2009), and some interesting security aspects are presented by Siebenlist (2009). A complete survey of security in the context of cloud storage is provided by Cachin et al. (2009). Kandukuri et al. (2009) have provided insights into the requirements for the service level agreement (SLA), which is the document that defines the relationship between the provider and recipient of services. An exhaustive cloud security risk assessment has been presented by the European Network Information Security Agency - ENISA (2009). A “cloud-free” security model for cloud computing proposed by Yunis (2009) considers the following critical security issues for the related infrastructures:

  1. Extensive resource sharing
  2. Lack of data ownership
  3. Reducing encryption in order to increase the speed of service delivery
  4. Refusal of service
  5. Loss of data due to technical failure
  6. Unknown attacks


However, the above security issues are valid to some extent for web enterprise systems and services defined within an enterprise service-oriented platform. It appears that cloud computing is not fundamentally different from existing web infrastructure, which is vulnerable to various threats and attacks, especially due to a lack of protection through adequate mechanisms, regulations and policies. The changing nature and evolution of attacks also represent an increased danger.

An initial analysis of the general requirements for cloud computing has identified the following:


1.1 Applying Systems Engineering Process


Systems Engineering Process (SEP) as defined by INCOSE (1995) includes four main components: requirements analysis, functional analysis, synthesis, system analysis, and controls (Figure 1).

The aim of applying SEP for cloud computing systems is mainly the requirements analysis and functional allocation in order to identify and construct an agile adaptive system security model. Considering the identified requirements outlined in the previous section, the following categories are defined and could be included within a framework of requirements engineering for secure cloud systems:


Lombardi and Di Pietro (2010) have proposed the Advanced Cloud Protection System (ACPS), which is intended to actively protect the integrity of the guest virtual machines and of the distributed computing middleware by allowing the host to monitor guest virtual machines and infrastructure components. The identified set of requirements to be met by a security monitoring system for clouds is as follows (Lombardi and Di Pietro, 2010):


However, ACPS is too restrictive and could compromise the system performance and privacy through monitoring activities. Also, it is not flexible enough to accommodate changing threats and actions of the adversarial communities.

The following standardization principles should also be adopted:
ISO/IEC 15288 (INCOSE, 2007), which establishes a common framework for describing the life cycle of systems; and ISO 12207, which includes systems level descriptions such as requirements analysis, architectural design, systems integration and qualification testing.

For the adoption of clouds, data security standards such as ISO 27001/ISO 27002 are essential, because data protection problems in the cloud have a huge potential to disclose data.

Figure 2. How cloud computing can meet the challenges of adaptive system security systems by applying systems engineering standards and architecting principles

Architecting cloud-driven adaptive security systems


Based on the linkage between security systems engineering, which is moving toward agile strategies for the development of adaptive security systems, and cloud computing paradigms, an architectural infrastructure can be suggested; it is depicted in Figure 2.

Some challenges that need to be solved in order to realize this synergy have been discussed in the essay, and these are mainly related to dealing with systems requirements according to SEP (INCOSE, 1995). The cloud computing model for adaptive security systems engineering could be developed through the application of model-driven engineering as suggested by Bruneliere et al. (2010), but this is still ongoing work.

A framework for Enterprise Security Architecture is provided by the Sherwood Applied Business-driven Security Architecture (SABSA) (Sherwood et al., 2005).

The Open Group Architecture Framework (TOGAF) describes an Architecture Development Method (ADM) that can be used to deliver an enterprise architecture. A current development is the integration of security features represented in SABSA into TOGAF. The idea is that SABSA can provide the security architectural models within TOGAF. When the link between SABSA and TOGAF is defined, it will be possible to use SABSA for organizations/enterprises that already use TOGAF (TOGAF & SABSA Working Group, 2010).

We plan to continue our work by further exploring these challenges and breaking new ground. Due to the lack of maturity of cloud computing technology, there are several key aspects requiring efforts of different communities of software, systems and security researchers and practitioners.

References


Bruneliere, H., Cabot, J. and Jouault, F. (2010) Combining Model-Driven Engineering and Cloud Computing, INRIA Report.

Cachin C., Keidar I., and Shraer A. (2009) Trusting the cloud. SIGACT News 40(2): 81–6.

European Commission (2010) The Future of Cloud Computing - Opportunities for European Cloud Beyond 2010, European Commission Public Report.

ENISA (European Network Information Security Agency) (2009) Cloud computing risk assessment. http://www.enisa.europa.eu/act/rm/files/deliverables.

IDC 2010 Leveraging the benefits of Cloud Computing with Specialized Security, White Paper, 2010.

INCOSE (International Council on Systems Engineering) 1995 Metrics Guidebook for Integrated Systems and Product Development. Seattle, WA, USA.

INCOSE (International Council on Systems Engineering) 2007 Systems Engineering Handbook – A guide for system life cycle processes and activities, V3.1.

Lombardi F, and Di Pietro R. 2010 Secure virtualization for cloud computing. Journal of Network and Computer Applications, Elsevier Ltd.

Jaeger, P. T., Lin, J. and Grimes, J. M.(2008) 'Cloud Computing and Information Policy: Computing in a Policy Cloud?', Journal of Information Technology & Politics, 5: 3: 269 -283. Publisher Routledge.

Grace, L. (2010), Basics about Cloud Computing, Software Engineering Institute, Carnegie Mellon University, USA at: http://www.sei.cmu.edu/library/assets/whitepapers/Cloudcomputingbasics.pdf

Grobauer, B., Walloschek T., and Stöcker, E (2010), Understanding Cloud Computing Vulnerabilities, accepted for publication in IEEE Security and Privacy, Special Issue on Cloud Computing, 2010 IEEE

Gu L, Cheung S-C. (2009) Constructing and testing privacy-aware services in a cloud computing environment: challenges and opportunities. In Internetware ’09: Proceedings of the first Asia-Pacific symposium on internetware. ACM New York, NY, USA, pp. 1–10.

Kandukuri, B.R Paturi V, R. and Rakshi, A. (2009) Cloud Security Issues, 2009 IEEE International Conference on Services Computing, pp. 517-520.

Mell, P. and Grance, T. (2009) Effectively and Securely Using the Cloud Computing Paradigm (v0.25), NIST, http://csrc.nist.gov/groups/SNS/cloud-computing/index.html

Yunis, M.M. (2009) A “cloud free” security model for cloud computing in Int. J. of Services and Standards 5(4): 354 - 375, Inderscience.

Pearson S. (2009) Taking account of privacy when designing cloud computing services. In Cloud’09: Proceedings of the 2009 ICSE workshop on software engineering challenges of cloud computing, IEEE Computer Society, Washington, DC, USA, pp. 44–52.

Rittinghouse, J.W. and Ransome, J.F. (2010) Cloud Computing Implementation, Management and Security, CRC Press Taylor and Francis, 2010.

Siebenlist F. (2009) Challenges and opportunities for virtualized security in the clouds. In SACMAT ’09: Proceedings of the 14th ACM symposium on access control models and technologies, ACM, New York, NY, USA, 2009. pp. 1–2.

Sherwood, J., Clark, A. and Lynas, D. (2005) Enterprise Security Architecture: A Business Driven Approach, CMP Press.

TOGAF & SABSA Working Group (2010). TOGAF-SABSA integration, Version 1.0 Prepared by Pascal de Koning.

About Irina Neaga

Researcher at Loughborough University

Irina's research interests include: Systems metamodeling, Architectural frameworks and reference models, Knowledge strategies and management, Collaborative networks, Web infrastructures and technologies.


Cloudbook Journal
Vol 2 Issue 3, 2011
