IEEE TRANSACTIONS ON CLOUD COMPUTING, VOL. 2, NO. 4, OCTOBER-DECEMBER 2014, p. 377

Guest Editorial: Cloud Security

David S. L. Wei, Senior Member, IEEE, Siani Pearson, Senior Member, IEEE, Kanta Matsuura, Senior Member, IEEE, Patrick P. C. Lee, and Kshirasagar Naik, Senior Member, IEEE
Cloud computing is the future, but it will not be if users' security concerns remain unaddressed. Cloud security issues include data privacy, data integrity, and service availability, among others. Because of the extra computation involved, security controls often incur some performance degradation, and in cloud computing performance is crucial while computation and communication complexities are already high. This poses challenges to system developers with regard to preventing privacy leaks, performing data auditing, and guaranteeing high availability in the face of various security attacks. On the other hand, should the task of addressing these security issues be placed solely on the shoulders of the cloud service providers, or should both the service providers and the service users be responsible for it? A number of studies have investigated the fundamental properties of cloud security issues, including data auditing, searchable data encryption, hypervisor protection, cloud forensics, and disaster recovery, to name but a few. In fact, cloud security is driving how we define and develop cloud computing solutions. The objective of this special issue is to provide a forum for researchers working on cloud security to present their recent research results. This special issue attracted 58 high-quality submissions from around the world. Through a rigorous review process, the following 10 papers were selected for publication. These papers present results of analysis, experimentation, simulation, advanced theories, and system implementation.
More specifically, they cover the topics of Operating System (OS) Fingerprinting, Side-Channel Attacks, Attribute-Based Signatures (ABSs), Fuzzy Authorization for Cloud Storage, Secure Software-Defined Network (SDN) Architecture for Cloud, Self-Destructing Data, Secure Group Data Sharing, Data Access Control for Peer-to-Peer Storage Cloud, SQL Operations on Encrypted Data, and Linear Regression Outsourcing.

D.S.L. Wei is with the Computer and Information Science Department, Fordham University, Bronx, NY 10458. E-mail: [email protected].
S. Pearson is a Principal Research Scientist with the Security and Cloud Lab, Hewlett-Packard Laboratories, Long Down Avenue, Bristol BS34 8QZ, United Kingdom. E-mail: [email protected].
K. Matsuura is with the Institute of Industrial Science, The University of Tokyo, Komaba 4-6-1, Meguro-ku, Tokyo 153-8505, Japan. E-mail: [email protected].
P.P.C. Lee is with the Department of Computer Science and Engineering, Ho Sin Hang Engineering Building, The Chinese University of Hong Kong, Shatin, Hong Kong. E-mail: [email protected].
K. (Sagar) Naik is with the Department of Electrical and Computer Engineering, University of Waterloo, 200 University Avenue West, Waterloo, ON N2L 3G1, Canada. E-mail: [email protected].
For information on obtaining reprints of this article, please send e-mail to: [email protected], and reference the Digital Object Identifier below. Digital Object Identifier no. 10.1109/TCC.2014.2382766

We now summarize these papers in the order of the topics listed above.

In the paper "Multi-Aspect, Robust, and Memory Exclusive Guest OS Fingerprinting," Z. Lin et al. propose a multi-aspect and memory-exclusive approach for precise and robust guest operating system fingerprinting in the cloud. Their prototype system was evaluated on 27 OS kernels, and the experimental results show that the code signatures of their design can precisely and quickly fingerprint all known OSs.

In the paper "Preventing Cache-Based Side-Channel Attacks in a Cloud Environment," M. Godfrey et al. investigate the use of central processing unit (CPU) cache-based side channels in the cloud and how they compare to traditional side-channel attacks. The authors show that new techniques are necessary to mitigate these sorts of attacks in a cloud environment, and specify the requirements for such solutions. They also design and implement two new cache-based side-channel mitigation techniques, test them against traditional cloud technology, and show that the two techniques are able to prevent cache-based side channels in a cloud environment without interfering with the cloud model.

In the paper "Efficient Attribute-Based Signatures for Non-Monotone Predicates in the Standard Model," K. Takashima et al. present a fully secure attribute-based signature (ABS) scheme in the standard model. The proposed ABS scheme is the first to support general non-monotone predicates, which can be expressed using NOT gates as well as AND, OR, and Threshold gates, whereas the existing ABS schemes only support monotone predicates.

In the paper "Fuzzy Authorization for Cloud Storage," S. Zhu et al. propose a new authorization scheme, called fuzzy authorization, that allows an application registered with one cloud party to access data residing in another cloud party.
Their scheme uses the fuzziness of authorization to enhance the scalability and flexibility of file sharing by taking advantage of the one-to-one correspondence between the Linear Secret-Sharing Scheme (LSSS) and generalized Reed-Solomon (GRS) codes.

In the paper "Byzantine-Resilient Secure Software-Defined Networks with Multiple Controllers in Cloud," S. Guo et al. present a secure software-defined network (SDN) structure for the cloud system, in which each device is managed by multiple controllers instead of the single controller used in the traditional manner. The proposed structure can resist Byzantine attacks on controllers and on the communication links between controllers and SDN switches. The authors also study a controller minimization problem with security requirements and propose a cost-efficient controller assignment algorithm with a constant approximation ratio.
In the paper "A Secure Data Self-Destructing Scheme in Cloud Computing," J. Xiong et al. combine an identity-based timed-release encryption (ITE) algorithm with a distributed hash table (DHT) network to improve the so-called secure self-destructing data (SSDD) scheme, and propose a secure data self-destructing scheme with ITE (DSITE) in cloud computing, which can cope with some important security problems in data privacy. Security analysis shows that their proposed DSITE scheme is able to satisfy the security requirements and resist both the traditional attacks from the cloud servers and Sybil attacks from the DHT network. The results of performance measurement show that the added total computation overhead of the proposed scheme is small and acceptable.

In the paper "A Dynamic Secure Group Sharing Framework in Public Cloud Computing," K. Xue et al. propose a novel secure group sharing framework for the public cloud, which can effectively take advantage of the cloud servers' assistance without exposing sensitive data to attackers or to the cloud provider. The framework combines proxy signature, enhanced tree-based group Diffie-Hellman (TGDH), and proxy re-encryption so that the management privilege can be granted to specific group members based on the proxy signature scheme, all shared files are securely stored on the cloud servers, and all session keys are protected in digital envelopes.

In the paper "Secure, Efficient and Fine-Grained Data Access Control Mechanism for P2P Storage Cloud," R. Li et al. propose a secure, efficient and fine-grained data access control mechanism for the P2P storage cloud based on their own design of a ciphertext-policy attribute-based encryption scheme and a proxy re-encryption scheme. It is shown that their mechanism is provably secure under the standard security model, resists collusion attacks, and effectively protects user access privilege information.

In the paper "Scalable Architecture for Multi-User Encrypted SQL Operations on Cloud Database Services," L. Ferretti et al. propose a novel architecture, named MuteDB, for cloud database services that for the first time guarantees data confidentiality through SQL-aware encryption algorithms and data isolation through access control enforcement based on encryption and key derivation techniques.

In the paper "Highly Efficient Linear Regression Outsourcing to a Cloud," F. Chen et al. propose two protocols that enable secure and efficient outsourcing of linear regression problems to the cloud. The two protocols have been designed so that one is more secure while the other is more efficient, allowing applications to choose either one based on their own needs.

In conclusion, we sincerely hope that this special issue provides up-to-date and valuable research information for researchers currently working in cloud security. We would like to take this opportunity to thank all the authors for their submissions, and to thank the reviewers for their efforts and high-quality reviews. We are grateful to Dr. Rajkumar Buyya for his support and help in bringing forward this special issue. Our special thanks go to Joyce Arnold, who rendered prompt advice and assistance in the preparation of this special issue. We also thank Erin Espriu for her quick responses to our various queries and the timely processing of the final manuscripts.
David S. L. Wei received the PhD degree in computer and information science from the University of Pennsylvania in 1991. He is currently a professor in the Computer and Information Science Department at Fordham University. From May 1993 to August 1997, he was on the Faculty of Computer Science and Engineering at the University of Aizu, Japan (as an associate professor and then a professor). He has authored and co-authored more than 90 technical papers in the areas of distributed and parallel processing, wireless networks and mobile computing, optical networks, peer-to-peer communications, cognitive radio networks, and cloud computing in various archival journals and conference proceedings. He has served on the program committees of, and as a session chair for, several reputed international conferences. He was a lead guest editor of IEEE Journal on Selected Areas in Communications for the special issue on Mobile Computing and Networking, a lead guest editor of IEEE Journal on Selected Areas in Communications for the special issue on Networking Challenges in Cloud Computing Systems and Applications, and a guest editor of IEEE Journal on Selected Areas in Communications for the special issue on Peer-to-Peer Communications and Applications. He was the chair of the Intelligent Transportation Forum of Globecom 2010, the general chair of the Intelligent Transportation Workshop of ICC 2011, and the chair of the Cloud Security Forum and Intelligent Transportation Forum of Globecom 2011. He is currently a lead guest editor of IEEE Transactions on Cloud Computing for the special issue on Cloud Security, an associate editor of IEEE Transactions on Cloud Computing, and an associate editor of Journal of Circuits, Systems and Computers. Currently, he focuses his research efforts on cloud computing, wireless sensor networks, and cognitive radio networks. He is a senior member of the IEEE.
Siani Pearson received the MA degree in logic from Oxford University and the PhD degree in artificial intelligence from the University of Edinburgh, and was a research fellow at Cambridge University before joining HP in 1994. She is a principal research scientist in the Security and Cloud Lab at HP Labs Bristol, which is HP's European long-term applied research centre. Her current research focuses on accountability, privacy and the cloud; she holds more than 60 patents and is the author or co-author of more than 100 papers and technical reports in these fields. She has been editor and co-author of books on Trusted Computing and on Privacy and Security for Cloud Computing. She has been the technical lead on a number of research projects and is currently the scientific co-ordinator of a major European research project on Accountability for the Cloud (A4Cloud). She is also a member of the HP Privacy and Data Protection Board; the UK Cloud Security Alliance Board; the HP cloud security WG; the CSA PLA and OCF WGs; the UK IEC subcommittee on data principles; numerous programme committees, including serving as Program Chair of IEEE CloudCom 2014; and the advisory boards of several universities and EU projects. She is a fellow of the British Computer Society, a senior member of the IEEE, a Certified Information Privacy Professional/Information Technology, and CCSK certified.

Kanta Matsuura received the BEng, MEng, and PhD degrees from the University of Tokyo, Japan, in 1992, 1994, and 1997, respectively. He is currently a professor at the Institute of Industrial Science, the University of Tokyo. His research interests include cryptography, network security, and security management. In 2008, he won the Distinguished-Service Award from the IEICE Communications Society. He served as an associate editor of IEICE Transactions on Communications between 2005 and 2008, and as editor-in-chief of the Japan Society of Security Management (JSSM) Journal between 2008 and 2012. He has been serving as a member of the Editorial Board of Designs, Codes and Cryptography since 2010. He is a member of the Board of Directors of JSSM, and a member of the IACR. He is a senior member of the ACM, the IEEE, the IEICE, and the IPSJ.
Patrick P. C. Lee received the BEng degree (first-class honors) in information engineering from the Chinese University of Hong Kong in 2001, the MPhil degree in computer science and engineering from the Chinese University of Hong Kong in 2003, and the PhD degree in computer science from Columbia University in 2008. He is currently an assistant professor in the Department of Computer Science and Engineering at the Chinese University of Hong Kong. His research interests are in various applied/systems topics including storage systems, distributed systems and networks, operating systems, dependability, and security.
Kshirasagar (Sagar) Naik received the BSc engineering degree from Sambalpur University, India, and the MTech degree from the Indian Institute of Technology, Kharagpur. He then received the MMath degree in computer science from the University of Waterloo and the PhD degree in electrical and computer engineering from Concordia University, Montreal. He worked as a software developer at Wipro Information Technology Limited, Bangalore, for three years. He worked as a faculty member at the University of Aizu in Japan and at Carleton University in Ottawa. Currently, he is a full professor in the Department of Electrical and Computer Engineering at the University of Waterloo. He was a co-guest editor of three special issues of IEEE Journal on Selected Areas in Communications. He was an associate editor of Journal of Peer-to-Peer Networking and Applications from 2008 to 2013. He is serving as an associate editor of International Journal of Parallel, Emergent and Distributed Systems, International Journal of Distributed Sensor Networks, and IEEE Transactions on Parallel and Distributed Systems. In addition, he is serving as a regional editor (America) of Journal of Circuits, Systems, and Computers. His research interests include dependable wireless communication, resource allocation in wireless networks, mobile computing, vehicular networks, energy efficiency of smartphones and tablet computers, energy performance testing of mobile apps, communication protocols for smart power grids, and energy performance testing of software systems running on servers. He received the Outstanding Performance Award in the Faculty of Engineering at the University of Waterloo in 2014. His book entitled Software Testing and Quality Assurance: Theory and Practice (Wiley, 2008) has been adopted as a text in many universities around the world. He has co-authored a second book entitled Software Evolution and Maintenance (Wiley, 2014). He is a senior member of the IEEE.