Cloud usage in certain applications or by

Cloud Computing is a technology for the delivery of computing services that are hosted
over the Internet. It is an area of great interest due to its many potential benefits as it provides
self-service provisioning, elasticity, migration flexibility, and a low-cost
with high performance scalable computing. Yet, cloud computing is a technology
of a major  concern on the security
aspects; and one of the top ten cited obstacles to the adoption of cloud
computing is “Data Confidentiality and Auditability”. This cloud security
concern limits its usage in certain applications or by certain organizations.
Other organizations consider partitioning their workload over a combination of
federated clouds, that contains a secure internal private cloud, along with
less secure public clouds based on a set of security requirements. This
approach of partitioning has the potential benefit of exploiting the strengths
of both types of clouds; the secure private and the less-secure public clouds.
It can offer much higher performance with a lower cost and higher security by
deploying the sensitive applications on a private cloud and those applications
without security concerns on the external less-secure public clouds.

applications are allocated to the cloud on an ad-hoc per-application basis
where an application is allocated entirely either on a private cloud or a
public one. This is not ideal as it lacks auditability and the quality of
extreme thoroughness during the process of allocation of the whole application
based on its overall sensitivity. That said, even raising the level of
sensitivity of a whole application unnecessarily and deploying it on a secure
private cloud may lead to the overload of the finite resources of the private
cloud which results in having poor performance and potentially a negative
impact on other applications. This paper describes another approach of
partitioning, alternative to the ad-hoc based partitioning, an approach that
has the potential benefit from partitioning an application over a set of clouds
while still meeting its overall security requirements, that is the multi-level
security model for partitioning workflows over federated clouds. This approach
is based on the multi-level security Bell-LaPadula method. It takes an
application that consists of a set of data and services connected in a
workflow, and results in having a complete set of options of valid deployments
over a set of clouds while meeting the security requirements of the application
as specified by the organization. And since this method results in having more
than just one valid option for the partitioning, this leads to the issue of how
to choose the best option. The solution to this issue is also covered in the
paper. This is solved by introducing a cost model to rank the resulting valid

We Will Write a Custom Essay Specifically
For You For Only $13.90/page!

order now




Directed graphs are
used in modeling a workflow through this section, where data and services are
represented as nodes, and data dependencies are represented by the edges in the
graph. Services (operations performed) consume zero or more data items and
result in generating one or more data items.

Adopting the
Bell-LaPadula multi-level access model, the services are modeled as subjects
(S) and data items are modeled as objects (O). The set of actions that a
service can perform on a data item is noted as (A), these actions are limited
to either read or write (a service either consumes a data item or generates
one), therefore A = {r,w}.

The model also
consists of a poset of security levels (L), a permissions matrix (M) whose
contents are determined by the workflow design (M: S x O ? A), if a service s1
reads the data item d0  an entry (s1 x d0   ? r) will be in the matrix, similarly if s1
writes the data item d2, there will be an entry (s1 x d2
? w) in the matrix. There is also an access
matrix (B), a clearance map (C) and a location map (l).

The access matrix is
determined by the execution of the workflow, that is, if there are no choice
points it will be equal to the permissions matrix that is based on the workflow
design. However if there are choice points, then in that case the access matrix
B will equal a subset of the permissions matrix M corresponding to the path taken
through the workflow during its execution.

The clearance map C :
S ? L represents the maximum level of
security at which each service can operate, while the location map l : S + O ? L represents the security level of each
service and data item in the workflow.

In a typical
multi-level security scenario, the system goes through multiple states, and in
each state throughout the model, the values of permissions, access, clearance
and location can differ. However we will consider an example whose workflow
model is executed within a single state. That is a medical research application
where data gathered from a set of patients’ heart rate monitors is analyzed as
follows in figure 1.



This workflow is
executed in two steps: first, an anonymize service for removing the header that
consists of the data identifying each patient, thus leaving only the
measurements of patients’ heart rates as the application is concerned only with
the overall results from a group of patients, not with individuals having these
measurements. The second step is an analysis service that takes the output
generated by the anonymize service and analyzes it generating datum d4
containing the results.

Normally a service
would have a constant clearance in all its uses in workflows, however the
location differs and can be specified for each workflow. But the Bell-LaPadula
model is general, and does not  make any
assumptions regarding that point.  The
model states that a system is secure when the following conditions are
satisfied for all subjects u belonging to the set of
subjects (i.e. services) S and all objects i belonging
to the set of objects (data) O: