Skip to main content

Open Access CloudSafetyNet

Download Article:
Security considerations are a major issue holding back the widespread adoption of cloud computing: many organisations are concerned about the confidentiality and integrity of their users' data when hosted in third-party public clouds. Today's cloud providers struggle to give strong security guarantees that user data belonging to cloud tenants will be protected "end-to-end", i.e. across the entire workflow of a complex cloud-hosted distributed application. The focus of the CloudSafetNet project is to fundamentally rethink how platform-as-a-service (PaaS) clouds should handle security requirements of applications. The overall goal is to provide the CloudSafetyNet software, a novel PaaS platform that acts as a "safety net", protecting against security violations caused by implementation flaws in applications ("intra-tenant security") or vulnerabilities in the cloud platform itself ("inter-tenant security"). CloudSafetyNet follows a "data-centric" security model: the integrity and confidentiality of application data is protected according to data flow policies – agreements between cloud tenants and the provider specifying the permitted and prohibited exchanges of data between application components. It will enforce data flow policies through multiple levels of security mechanisms following a "defence-in-depth" strategy: based on policies, it creates "data compartments" that contain one or more components and isolate user data. A small privileged kernel, which is part of the software and constitutes a trusted computing base (TCB), tracks the flow of data between compartments and prevents flows that would violate policies. Previously such information flow control (IFC) models have been used successfully to enhance programming language, operating system and web application security. Since data flows are audited, compliance with policy, law can be demonstrated and data provenance recorded.

Keywords: ACCOUNTABILITY; AUDIT; CAMBRIDGE FLOW CONTROL ARCHITECTURE; CLOUD COMPUTING; CLOUD RESOURCES; COMPLIANCE; DATA PROVENANCE; DATA-CENTRIC SECURITY MECHANISM; DECENTRALISED INFORMATION FLOW CONTROL; INFORMATION FLOW CONTROL (IFC)

Document Type: Research Article

Publication date: January 1, 2017

More about this publication?
  • Impact is a series of high-quality, open access and free to access science reports designed to enable the dissemination of research impact to key stakeholders. Communicating the impact and relevance of research projects across a large number of subjects in a content format that is easily accessible by an academic and stakeholder audience. The publication features content from the world's leading research councils, policy groups, universities and research projects. Impact is published under a CC-BY Creative Commons licence.

  • Subscribe to this Title
  • Terms & Conditions
  • Disseminating research in Impact
  • Information about Impact
  • Ingenta Connect is not responsible for the content or availability of external websites
  • Access Key
  • Free content
  • Partial Free content
  • New content
  • Open access content
  • Partial Open access content
  • Subscribed content
  • Partial Subscribed content
  • Free trial content