当前位置: X-MOL 学术J. Parallel Distrib. Comput. › 论文详情
Our official English website, www.x-mol.net, welcomes your feedback! (Note: you will need to create a separate account there.)
Toward security as a service: A trusted cloud service architecture with policy customization
Journal of Parallel and Distributed Computing ( IF 3.8 ) Pub Date : 2020-11-26 , DOI: 10.1016/j.jpdc.2020.11.002
Chenlin Huang , Wei Chen , Lu Yuan , Yan Ding , Songlei Jian , Yusong Tan , Hua Chen , Dan Chen

With the rise of concerns over security and privacy in the cloud, the “security-on-demand” service mode dynamically provides cloud customers with trusted computing environments according to their specific security needs. Major challenges, however, remain to achieve this goal: (1) integrating an auditable, tamper-resistant trust-management mechanism into the cloud infrastructure and (2) building a protocol to guarantee the consistency of customers’ policies during virtual machine (VM) migrations. This study develops a new security-on-demand framework called a “policy-customized trusted cloud service” (PC-TCS) architecture that comprises two core components: an attribute-based signature (ABS)-based remote-attestation scheme to achieve trusted remote attestation with customized security policies and an ABS- and blockchain-based VM-migration protocol to support policy-customized trusted migration. To prove the availability of this architecture, we implemented a PC-TCS prototype based on Xen Hypervisor, the results of which indicate that (1) PC-TCS can be integrated into cloud infrastructure as part of a trusted computing base; (2) cloud users can customize the security policies of computing environments and validate their enforcement throughout the service life-cycle with the support of PC-TCS; and (3) PC-TCS can support policy-customized remote attestation and policy-customized migration with a minimal impact on performance.



中文翻译:

迈向安全即服务:具有策略自定义功能的可信赖云服务架构

随着人们对云安全性和隐私性的关注日益增加,“按需安全”服务模式根据其特定的安全需求为云客户动态提供了可信的计算环境。但是,要实现此目标,仍然存在主要挑战:(1)将可审计的,防篡改的信任管理机制集成到云基础架构中;(2)构建协议以确保虚拟机(VM)期间客户策略的一致性迁移。这项研究开发了一种新的按需安全框架,称为“策略定制的可信云服务”(PC-TCS)架构,该架构包括两个核心组件:基于属性的签名(ABS)的远程证明方案,可通过自定义安全策略以及基于ABS和基于区块链的VM迁移协议来实现受信任的远程证明,以支持策略自定义的受信任迁移。为了证明这种体系结构的可用性,我们基于Xen Hypervisor实现了PC-TCS原型,其结果表明:(1)PC-TCS可以作为受信任的计算基础的一部分集成到云基础架构中;(2)云用户可以在PC-TCS的支持下自定义计算环境的安全策略,并在整个服务生命周期中验证其执行;(3)PC-TCS可以支持策略定制的远程证明和策略定制的迁移,而对性能的影响最小。为了证明该体系结构的可用性,我们基于Xen Hypervisor实现了PC-TCS原型,其结果表明:(1)PC-TCS可以作为受信任的计算基础的一部分集成到云基础架构中;(2)云用户可以在PC-TCS的支持下自定义计算环境的安全策略,并在整个服务生命周期中验证其执行;(3)PC-TCS可以支持策略定制的远程证明和策略定制的迁移,而对性能的影响最小。为了证明该体系结构的可用性,我们基于Xen Hypervisor实现了PC-TCS原型,其结果表明:(1)PC-TCS可以作为受信任的计算基础的一部分集成到云基础架构中;(2)云用户可以在PC-TCS的支持下自定义计算环境的安全策略,并在整个服务生命周期中验证其执行;(3)PC-TCS可以支持策略定制的远程证明和策略定制的迁移,而对性能的影响最小。(2)云用户可以在PC-TCS的支持下自定义计算环境的安全策略,并在整个服务生命周期中验证其执行;(3)PC-TCS可以支持策略定制的远程证明和策略定制的迁移,而对性能的影响最小。(2)云用户可以在PC-TCS的支持下自定义计算环境的安全策略,并在整个服务生命周期中验证其执行;(3)PC-TCS可以支持策略定制的远程证明和策略定制的迁移,而对性能的影响最小。

更新日期:2020-12-11
down
wechat
bug