A Monitoring Approach for Policy Enforcement in Cloud Services

Title: A Monitoring Approach for Policy Enforcement in Cloud Services
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Fernando, R., Ranchal, R., Bhargava, B., Angin, P.
Conference Name: 2017 IEEE 10th International Conference on Cloud Computing (CLOUD)
Date Published: June
ISBN Number: 978-1-5386-1993-3
Keywords: authorisation, Authorization, Biomedical monitoring, cloud computing, cloud services, cloud-based service orchestrations, Collaboration, data privacy, end-to-end security, end-to-end service invocation chain, interaction authorization policies, Monitoring, policy enforcement monitoring, policy-based governance, Privacy Policies, pubcrawl, quality of service, real-world service composition scenario, security of data, security policies, Security Policies Analysis, security policy, service guarantees, service interactions, service performance policies, service-oriented architecture, SOA, SOA services, software architecture, web services

Abstract: When clients interact with a cloud-based service, they expect certain levels of quality-of-service guarantees. These are expressed as security and privacy policies, interaction authorization policies, and service performance policies, among others. The main security challenge in a cloud-based service environment, typically modeled using service-oriented architecture (SOA), is that it is difficult to trust all services in a service composition. In addition, the details of the services involved in an end-to-end service invocation chain are usually not exposed to the clients. The complexity of SOA services and multi-tenancy in the cloud environment lead to a large attack surface. In this paper, we propose a novel approach for end-to-end security and privacy in cloud-based service orchestrations, which uses a service activity monitor to audit the activities of services in a domain. The service monitor intercepts interactions between a client and services, as well as among services, and provides a pluggable interface for different modules to analyze service interactions and make dynamic decisions based on security policies defined over the service domain. Experiments with a real-world service composition scenario demonstrate that the overhead of monitoring is acceptable for real-time operation of Web services.

Citation Key: fernando_monitoring_2017