Abstract
Cloud computing is becoming popular due to its ability to provide dynamic scalability and elasticity of resources at affordable cost. In spite of these advantages, the key concerns that prevent large-scale adoption of cloud computing today relate to the security and privacy of customers' data in the cloud. The main security concerns of clients are the loss of direct control over their data and being forced to trust a third-party provider with confidential information. Among security threats in the cloud, insider threats pose a serious risk to clients. This paper presents a new access control mechanism that can mitigate security threats in the cloud, including those caused by insiders such as malicious system administrators. The problem is challenging because the cloud provider's system administrators have elevated privileges for performing genuine system maintenance and administration tasks. We describe an access control mechanism that generates immutable security policies for a client and propagates and enforces them at the provider's infrastructure.
This work is supported by the Department of Information Technology (DIT), Government of India. The contents of this paper do not necessarily reflect the position or the policies of the Indian Government.
© 2011 Springer-Verlag Berlin Heidelberg
Sundararajan, S., Narayanan, H., Pavithran, V., Vorungati, K., Achuthan, K. (2011). Preventing Insider Attacks in the Cloud. In: Abraham, A., Lloret Mauri, J., Buford, J.F., Suzuki, J., Thampi, S.M. (eds) Advances in Computing and Communications. ACC 2011. Communications in Computer and Information Science, vol 190. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22709-7_48
DOI: https://doi.org/10.1007/978-3-642-22709-7_48
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-22708-0
Online ISBN: 978-3-642-22709-7