Ecosystem thrust
A research direction is to explore how cloud providers can broker trust among tenants. Cloud platforms continue to advance their offerings of foundational services, e.g., managed storage, coordination/consensus, and security-enhancing services. We envision that new cloud services can help to mediate secure interactions among tenants, and further enable tenants to offer secure foundational services and application services to one another, even without a priori trust in the service owner. Flexible trust management, rooted in shared trust in cloud infrastructure providers, can enhance the potential for an open marketplace of cloud-based services.
One motivating scenario is to enable secure sharing of data and code for cooperative analytics, in which analytics software is offered as a service for computing with datasets or algorithms that are considered confidential by their owners. A goal is to enable jointly trusted computations that combine confidential datasets from multiple owners, and produce a privacy-preserving output. Safe data sharing can help to unlock the potential of “big data” in areas where data privacy is paramount, e.g., healthcare. We are developing cloud-based technologies to place such collaborations on more secure foundations.
A mutually trusted cloud provider can enhance security by mediating these kinds of cross-tenant interactions. One obvious way to approach these goals is to extend cloud authorization models to allow richer policy control over data sharing and other interactions among tenants. A more ambitious direction is to establish new cloud-based trust services that enable clients to derive trust in a tenant service without prior knowledge or trust in the identity of its owner. In our approach the cloud provider serves as a root of trust by certifying facts about the tenant security properties or code identity. Other tenants may specify trust policies to evaluate against these assertions. For example, a data owner may trust a third-party service to access a sensitive dataset if the cloud provider attests that the service is contained—it is restricted in how it can communicate or release information.
We are developing an extended IaaS-layer framework for managing contained execution, in which a group of tenant instances (VMs) have their network connectivity restricted according to a declared policy as a defense against information leakage. One system prototype, called CQSTR (say “sequester”), implements a new cloud container abstraction as a set of extensions to the OpenStack IaaS platform.
A CQSTR cloud container is a grouping of virtual machine instances comprising an application deployment. A cloud container specifies containment properties that limit network and storage access for computations in the container. CQSTR modifies existing IaaS-level management services to ensure that backups, log monitoring, and other management services cannot be abused to extract data from a closed container. In addition, the policy may specify the set of images that are allowable to boot VM instances into the container. Attesting to a limited set of boot images enables a client to ensure that a service runs on a patched, locked-down operating system, and a trusted application framework, which may implement additional security controls.
We have experimented with several application scenarios that use cloud containers for secure analytics. In these scenarios, CQSTR enables a data owner to enforce control over how its data is used by an analytics service. The owner can demand and verify that data is held securely in a cloud container that is safe from data leakage and misuse. With a cloud container, code interacting with a service can contact CQSTR to verify the containment and code properties of the service in advance. A data owner can specify access-control lists (ACLs) with the containment properties needed to access the data. CQSTR extends IaaS storage services to be aware of cloud containers: storage services can base access control on the declared container properties governing the calling VM instance, according to the ACL policies specified by the data owner.
CQSTR is just one example of a cloud provider service that makes trusted statements about security properties of a tenant’s configuration, and allows other client software to check these properties for compliance with a security policy. Other useful security properties available to the cloud platform include a tenant’s firewall posture, whether its software is patched adequately, whether it runs defensive (e.g., anti-virus) software, whether it encrypts its stored data, whether its password system is protected by Pythia, attestations of software identity, network security services, and so forth. They might also reflect continuous auditing or monitoring checks or incident history. Clients may use this information to make informed decisions about whether a service is trustworthy, rather than relying merely on its reputation, as is common today.
Our research seeks to provide a general and practical foundation to manage trust in cloud ecosystems based on authenticated assertions and policies, building on a wealth of prior work in authorization logics. Our approach addresses a number of potential concerns. First, the policy language should be expressive, efficient, easy to use, and extensible to a growing vocabulary of security properties. Second, the approach should protect the secrecy of sensitive data, including security configurations and the policies themselves.
We have developed a declarative logic-based language (a trust logic) and interpreter software (called SAFE) to enable participating entities—including services of the cloud providers, tenants, external services, and client software for end users—to issue authenticated assertions about one another, and reason from the assertions of others. The language also expresses logical policy rules, which are verifiable. Declarative policy enables brokered compliance checks, in which a client submits a declarative security policy to a trusted policy engine (interpreter) that is operated—or attested—by the cloud platform: the policy engine checks compliance with the policy without revealing the policy or the security properties to anyone. A privacy-preserving compliance intermediary is itself an example of a secure foundational service for mediating tenant interactions in the cloud.
SAFE is suitable for more general trust management in federated environments, including systems spanning multiple networked cloud providers (e.g., ExoGENI [2]). In this case the participants may exchange SAFE security assertions and policy rules as signed certificates, and run a local off-the-shelf interpreter to generate proofs of policy compliance end-to-end. SAFE also serves as a basis for more general access control in networked cloud systems. For example, we have implemented a reusable package of rules for nested groups and roles within a secure hierarchical name space, equivalent in power to the naming and authorization structure of AWS Identity and Access Management (IAM), but applicable to multi-domain systems rather than relying on a single trust anchor. SAFE can also support rich policies to authorize interconnection among tenants and connectivity with external networks.
Increasingly, commercial cloud operators offer higher- level platform abstractions (PaaS) for tenants, e.g., Google’s AppEngine and AWS Elastic MapReduce. PaaS systems simplify cloud programming with more powerful models that enhance customer productivity and add value to cloud services. PaaS systems are also offered by tenants to other tenants (e.g., Heroku, CloudFoundry).
Flexibility to offer layered platforms is fundamental to an open cloud ecosystem. We are exploring how to enable deployment of third-party PaaS services that inherit trust from the underlying IaaS cloud system via attesta- tion, auditing, and mediated access to security credentials for IaaS-layer services. The PaaS service, in turn, may leverage its higher-level programming model to enforce language-based safety checks or interpose higher-level monitoring or containment. In addition, we believe that PaaS platforms are promising targets for trustworthy computing via software attestation and code-based access control. Our premise is that higher-level PaaS programs are more practical to verify and attest than binary executables because they are compact: they build on powerful languages and a library of standard primitives whose implementations may be trusted.
As one example, we are developing minimal trust extensions to a standard Spark analytics stack (http://spark.apache.org) to provide a PaaS service for secure cooperative analytics. It offers rich access control that allows data owners to control data sharing with other tenants on their own terms. The PaaS service attests to code identity for the stages of the analytics workflow: parties may designate mutually trusted Spark programs that can input sensitive data, possibly from multiple owners, and generate “declassified” outputs that are safe to share. The system tracks flow through the workflow to ensure that the security label for each object reflects the potential sensitivity of its contents.
Publications
- Trusted Platform-as-a-Service: A foundation for trustworthy cloud-hosted applications
A. Brown and J. Chase
In 3rd ACM Cloud Computing Security Workshop, October 2011. - Trust as the foundation of resource exchange in GENI
M. Brinn, N. Bastin, A. Bavier, M. Berman, J. Chase, and R. Ricci
In 10th EAI International Conference on Testbeds and Research Infrastructures for the Development of Networks and Communities, June 2015. - Secure authorization for federated environments (SAFE): Overview and progress report
J. Chase and V. Thummala
Technical Report CS-2014-003, Department of Computer Science, Duke University, 2014. - A guided tour of SAFE GENI
J. Chase and V. Thummala
Technical Report CS-2014-002, Department of Computer Science, Duke University, 2014. - CQSTR: Securing cross-tenant applications with cloud containers
Y. Zhai, L. Yin, J. Chase, T. Ristenpart, and M. Swift
In 7th ACM Symposium on Cloud Computing, October 2016. - Certificate Linking and Caching for Logical Trust
Q. Cao, V. Thummala, J. Chase, Y. Yao, and B. Xie
Technical Report, Department of Computer Science, Duke University, 2016. - TapCon: Practical third-party attestation for the cloud
Y. Zhai, Q. Cao, J. Chase, and M. Swift
In 9th USENIX Workshop on Hot Topics in Cloud Computing, July 2017. - About PaaS security
D. Kim, H. Schaffer, M. Vouk
In International Journal of Cloud Computing, 2017. - Personalized pseudonyms for servers in the cloud
Q. Xiao, M. K. Reiter, and Y. Zhang
In Proceedings on Privacy Enhancing Technologies, October 2017.