On the Management of Cloud Non-Functional Properties - IEEE Xplore

On the Management of Cloud Non-Functional Properties: The Cloud Transparency Toolkit

Claudio A. Ardagna, Ernesto Damiani
DI – Università degli Studi di Milano, 26013 Crema – Italy
Email: [email protected]

Rasool Asal, Quang Hieu Vu
ETISALAT BT Innovation Center, Khalifa University, Abu Dhabi – UAE
Email: [email protected], [email protected]

Abstract—The cloud computing paradigm supports a vision of IT where virtual resources are distributed as commodities on either a subscription or a pay-per-use price model, without the need for any upfront investment in hardware or software assets for its tenants (i.e., customers and service providers). Since these resources, as well as data and applications moved to the cloud, are no longer directly controlled by their owners under tenancy, there is an increasing need for new solutions that reduce the uncertainty of tenants about the status of their data and applications in the cloud. In this paper, we present the architecture of the Cloud Transparency Toolkit (CTT), whose goal is to provide a general purpose and interoperable approach that increases the transparency of the cloud, improving the effectiveness of non-functional property verification and management.

I. INTRODUCTION

The success of cloud computing is radically changing the design, development, and distribution of IT services. Service deployment and provisioning take place on top of heterogeneous and distributed hardware and software systems [1], [2], which are available as commodities on either a subscription or a pay-per-use price model. Today, public clouds offer infrastructure, platform, and software services - known as IaaS, PaaS, and SaaS, respectively [3] - reducing the costs required to its tenants for the management of computational infrastructures. Even though cloud computing provides several benefits to its tenants, a number of potential customers and service providers are still reluctant to adopt it. Many new issues and requirements, as for instance, in the context of security, privacy, scalability, monitoring, need to be addressed. In general, while the cloud computing paradigm provides a flexible, scalable, and low-cost infrastructure, it makes customers and service providers unsure about the non-functional properties (e.g., security, reliability, performance) guaranteed for their data and applications by the cloud provider. In fact, tenants need to outsource their services, data, and business processes to the public cloud, while retaining only partial control on their management. The problem is even exacerbated by the fact that often cloud functionalities (e.g., migration, federation, scalability, elasticity) impair the operation of ordinary mechanisms for the management of non-functional properties in distributed networks. This scenario resulted in the definition of several ad hoc solutions, which target different angles of the cloud management problem and rarely consider the problem as a whole. Such solutions also fail to specify service interfaces that can be integrated to form a consistent and comprehensive framework for non-functional property verification and management.

This paper presents the architecture of our toolkit, called Cloud Transparency Toolkit (CTT), which aims to support better management of non-functional properties by both cloud providers and cloud tenants. The goal of CTT is then to provide a general purpose and interoperable approach, which increases the transparency of the cloud, increases the involvement of tenants and their trust in the cloud, and can be integrated with different cloud technologies. By taking into account generic non-functional properties, CTT defines an approach to cloud management that improves the effectiveness of non-functional property verification and management, and reduces the uncertainty of potential customers and service providers about the status of their applications when moved to the cloud.

The remainder of this paper is organized as follows. Section II introduces requirements for non-functional property verification and management in the cloud, discussing the concepts at the basis of CTT, that is, transparency, introspection, and outrospection. Section III describes the architecture of CTT, while Section IV discusses the application of CTT to two real world scenarios. Section V presents related work and Section VI gives our concluding remarks.

II. REQUIREMENTS ON THE MANAGEMENT OF NON-FUNCTIONAL PROPERTIES IN THE CLOUD

The verification and management of non-functional properties of software is a time-honored problem [4], [5], which has been exacerbated by the advent of cloud computing. This new computing paradigm, which affects equally data and applications moved to the cloud, introduces new requirements as follows. First, all stakeholders (users, cloud/service providers, third parties) require a sound, standard approach to cloud management, which not only gives some evidence on the status of the cloud, and their data, but also puts management of their applications' non-functional properties firmly in their hands.
Secondly, public cloud suppliers (as well as, possibly, some third parties) require reliable techniques that provide trustworthy and accurate data on cloud status, supporting the definition of added-value services to customers, such as advanced dashboards reporting the cloud status and new metering services. Following these two requirements, we propose a solution that, on one hand, can be smoothly integrated with different cloud stacks at different levels (e.g., IaaS, PaaS, SaaS [3]) and, on the other hand, provides a standard interface available to external actors consuming the cloud back-end data. This standard interface–with a shared data format–can foster new added-value services and rebalance control of public clouds' non-functional properties between providers and their tenants. Another important feature of our approach is cloud autonomy: the availability of accurate information on the cloud status is the starting point towards the definition of a cloud that adapts its configuration according to contextual information, manages the life-cycle of its non-functional properties, and supports new compliance and audit solutions.

978-1-4799-3223-8/14/$31.00 ©2014 IEEE

The above requirements allow us to introduce three concepts underlying our approach: transparency, introspection, and outrospection.

Transparency. Cloud transparency [6], [7], [8] refers to the set of techniques guaranteeing access to low-level (back-end) data produced by the cloud infrastructure and to evidence collected on non-functional properties of cloud data and applications. Cloud back-end data represent a hidden treasure over which one can build new services, enhance performance management, optimize billing and metering, and improve cloud functionalities. Today, the lack of transparency makes the cloud and its non-functional issues unclear to end-users, who are then unsure about moving to the cloud, and limits providers in the definition of new services and functionalities.

Introspection. Cloud introspection refers to the capability of a cloud provider of examining and observing its internal processes. Increasing the level and the trustworthiness of introspection can support the cloud provider in the definition of new services for its tenants.

Outrospection. Cloud outrospection refers to the set of techniques aimed to empower customers and service providers with the ability to examine and observe the cloud's internal processes impacting on their activities/applications/data. Outrospection can increase the trust of tenants in the cloud and support the definition of an infrastructure balancing the burden of controlling non-functional properties between tenants and providers.

In general, proper solutions to cloud management should empower public cloud users, giving them the ability to perform the evaluation of non-functional properties of their data and applications. In other words, in addition to transparency and introspection, cloud management should provide better support for cloud outrospection, where cloud tenants have the ability of accessing and evaluating the status of the cloud, and eventually act on the cloud configurations in case misbehaviors are observed. It is important to note that a correct support for outrospection must not allow tenants to infer private data of or interfere with the activities of other tenants.

III. CLOUD TRANSPARENCY TOOLKIT

CTT aims to define a solution providing transparency, introspection, and outrospection, to support verification and management of non-functional properties in the cloud and balance cloud controls between providers and tenants. In this section we present the architecture of CTT (Figure 1), focusing on the role of probes and actuators.

CTT enables cloud providers to instrument their cloud stacks to include transparency hooks providing access to evidence of non-functional properties, collected and aggregated by trustworthy probes. Hooks depend on the selected cloud technologies and operate on the different levels of the cloud stack. Data collected by probes through hooks are then made available to external actors, using a standard interface and supporting the definition of added-value services for customers. Collection of uniform and homogeneous data on cloud activities makes it possible to enrich solutions evaluating cloud compliance and audit, as well as approaches supporting dynamic adaptation of the cloud infrastructure to changes that would affect both the cloud provider (and its management activities) and the customer (and its services). As shown in Figure 1, probes play a central role in our architecture and act as the trait d'union between the internal cloud infrastructure and external actors, to enhance cloud management functionalities. Among external actors, cloud actuators support the definition of an adaptive cloud that changes configuration depending on the context.

Fig. 1. Cloud transparency toolkit
[Figure labels: Web Service, Web Server, VM, Developer Tools/Libs, Storage, Network, Service models (SaaS, PaaS, IaaS), Cloud stack components, Cloud-dependent plugin hooks, Plugin hook, Probe, Standard interface, Actuators, Customers, Third parties, Cloud providers, Service providers]

A. Probes

Probes are agents responsible for collecting and aggregating data about events and activities that are observed in the cloud back-end. Probes are more complex than simple monitors. They can collect data by either monitoring cloud activities and events, or forcing traffic by means of testing. Test injection makes it possible to observe the behavior of a cloud stack in well-defined and precise scenarios, which are difficult to evaluate using monitoring approaches, as for instance the correct behavior of an encryption mechanism. Testing activities can be done both offline, meaning that the cloud environment is reproduced and tested in a lab, and online, meaning that test activities are done in the cloud production environment. In the latter case, to avoid interference with real traffic, test cases are executed only when certain conditions are met (e.g., at a certain scheduled time, when traffic is under a given threshold).
As an example, probes can be used to prove the support for a given security property by collecting data, through monitoring and testing, on the functioning of the implemented security mechanisms (e.g., an access control mechanism for authorization). Probes connect, on one side, with the cloud stack they are monitoring/testing and, on the other side, with the actors consuming the data. Clearly, while the interface between the probes and the cloud stack (hooks) changes depending on the adopted cloud stack technology, a standard interface with a fixed syntax and semantics should be presented across actors consuming back-end data. Such a standard interface should be independent of the considered cloud stack, simple to use, and support the management of the non-functional property life-cycle.
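The following added example (not code from the paper or from CTT) sketches the split described above: hook adapters that differ per cloud stack feed one fixed record format, a tenant-scoped view supports outrospection without exposing other tenants' data, and online test injection is gated on a schedule and a traffic threshold. All field names, sample events, and the choice to require both gating conditions are assumptions.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, time


@dataclass(frozen=True)
class Evidence:
    """Fixed, stack-independent record exposed by the standard interface (hypothetical fields)."""
    tenant: str
    layer: str    # "IaaS", "PaaS" or "SaaS"
    prop: str     # non-functional property the evidence refers to
    kind: str     # "monitoring" or "test"
    metric: str
    value: float
    ts: str       # ISO 8601 timestamp


# Constructed sample input: what two different hooks might hand to their probes.
HYPERVISOR_EVENTS = [
    {"owner": "tenant-a", "vm": "vm-a-1", "host": "rack12-node7",
     "neighbours": ["vm-b-3"], "steal": 7.5, "time": "2014-03-01T02:10:00"},
    {"owner": "tenant-b", "vm": "vm-b-3", "host": "rack12-node7",
     "neighbours": ["vm-a-1"], "steal": 1.0, "time": "2014-03-01T02:10:00"},
]
WEB_LOG = [
    "2014-03-01T02:10:05 tenant-a 200 182",
    "2014-03-01T02:10:06 tenant-b 500 950",
]
# Identifiers tenant-a must never learn: physical host, co-resident VM, other tenant.
INTERNAL_TO_TENANT_A = {"rack12-node7", "vm-b-3", "tenant-b"}


def from_hypervisor(event):
    """IaaS hook adapter: keeps the measurement, drops host and co-residency details."""
    return Evidence(event["owner"], "IaaS", "performance", "monitoring",
                    "cpu_steal_pct", float(event["steal"]), event["time"])


def from_weblog(line):
    """SaaS hook adapter for lines of the form '<ts> <tenant> <status> <latency_ms>'."""
    ts, tenant, _status, latency = line.split()
    return Evidence(tenant, "SaaS", "performance", "monitoring",
                    "latency_ms", float(latency), ts)


def collect():
    """Provider-side (introspection) view: every record from every hook."""
    return ([from_hypervisor(e) for e in HYPERVISOR_EVENTS]
            + [from_weblog(line) for line in WEB_LOG])


def tenant_view(records, tenant):
    """Tenant-side (outrospection) view: only the caller's own records."""
    return [asdict(r) for r in records if r.tenant == tenant]


def find_leaks(export, forbidden):
    """Release check: forbidden identifiers that appear anywhere in an export."""
    blob = json.dumps(export)
    return sorted(v for v in forbidden if v in blob)


def may_inject_test(now, requests_per_s, window=(time(2, 0), time(4, 0)), max_rps=50):
    """Online tests run only inside the scheduled window and under the traffic threshold."""
    return window[0] <= now.time() < window[1] and requests_per_s < max_rps


if __name__ == "__main__":
    view = tenant_view(collect(), "tenant-a")
    print(json.dumps(view, indent=2))
    print("leaks in tenant view:", find_leaks(view, INTERNAL_TO_TENANT_A))
    print("leaks in raw hook data:", find_leaks(HYPERVISOR_EVENTS[:1], INTERNAL_TO_TENANT_A))
    print("inject now?", may_inject_test(datetime(2014, 3, 1, 2, 30), 12))
```

Running `find_leaks` over the raw hypervisor event shows why hook output cannot be handed to tenants directly: it names the physical host and the co-resident VM, which the normalised record omits.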

B. Actuators

Actuators are agents that automatically configure the cloud infrastructure on the basis of events and information collected by probes (e.g., scaling the infrastructure, shutting down a compromised VM, starting/reconfiguring a given security mechanism, increasing the reliability level). They provide the basis for the implementation of a general purpose, self-adaptive cloud, which supports continuous verification and management of the non-functional property life-cycle according to the data provided by probes and the preferences/rules of the providers/customers. We note that this support can also be manual, meaning that end-users (acting as actuators) access and evaluate the status of their data and applications in real time through APIs/dashboards, and manually configure the cloud in case something wrong is observed.

In summary, CTT introduces an infrastructure supporting shared controls of non-functional properties between tenants and providers. Tenants can then focus on the status of the portion of the infrastructure assigned to their data and applications, while providers will consider the status of the whole cloud framework. We remark that an important aspect to consider here is that increased management functionalities for tenants should not lower the security of the infrastructure. The data collected and shown by probes to tenants must be such that no interference between tenants or inference on private data of other tenants is possible. Furthermore, there is the need to guarantee the trustworthiness and integrity of probes and actuators, and in turn of the produced data, for instance, through the use of virtual TPMs [9].

IV. USE CASES

We present two use cases on the applicability of CTT, considering the non-functional properties performance and security.

A. Performance Management

Performance management is a fundamental requirement for the cloud and is at the basis of a huge number of scalability and elasticity approaches (e.g., [10], [11], [12], [13]). Current techniques usually consider scalability at a single level of the cloud stack and assume an infinite amount of resources available for scaling. Here, we put forward the idea that a more consistent and sound approach to scalability should consider interference between different levels of the stack (e.g., computing infrastructure and database) and assume a limited amount of available resources, due to limited IT resources in a private cloud or limited budget in a hybrid/public cloud.

CTT can be used to develop enhanced scalability approaches in the above scenario, where different levels of the cloud stack compete for limited resources that are not enough to satisfy all scale out requests. To this aim, our probes can be used to test a given cloud configuration assigned to a customer (including deployed services) and generate a set of rules, in the form of a lookup table, which drive scalability in competitive scenarios. As an example, the lookup table provides information on the level to scale first, to achieve best scalability, according to different loads of requests directed to the customer services (e.g., when a peak of requests to service s is observed, the greatest performance improvement is achieved by scaling out the database). An actuator acting as a scalability manager can finally be used, when the customer environment is put in production, to manage scalability at run time. The actuator accesses data on the request load provided by the probes and decides how to react according to the lookup table generated for the environment under evaluation.

B. Security Management

The FP7 EU Certification infrastrUcture for MULtiLayer cloUd Services (CUMULUS) project – http://www.cumulus-project.eu/ – aims to provide a security certification scheme for the cloud. CUMULUS is focusing on developing an integrated framework of models, processes, and tools supporting the certification of security properties of infrastructure (IaaS), platform (PaaS), and software application (SaaS) layers. Its final goal is to put service customers, service providers, and cloud providers together with certification authorities to ensure security certificate validity in the cloud. The CUMULUS security certification scheme supports the certification of security properties by collecting evidence of different types by means of testing-, monitoring-, and trusted computing-based techniques.

Our architecture supports the CUMULUS goals by increasing the transparency of the cloud. Our probes can in fact be used by CUMULUS to collect (either by monitoring or testing) security data, events, and activities observed in the cloud back-end. This information can then be accessed by the CUMULUS certification infrastructure (actuator) to carry on the security certification process of a given cloud service. As an example, let us consider the certification of property authorization guaranteed by an access control mechanism that regulates access to the cloud storage and database. Similar to the work in [14], [15], our probes can be used to monitor accesses to data and evaluate the correct behavior of the access control mechanism.
In addition, to test special cases that are not common in real transactions, ad hoc and specific test cases can be generated by our probes. The data collected by our probes are then taken by the certification infrastructure that continuously evaluates the validity of a given certificate and the corresponding security property.

V. RELATED WORK

We describe some of the relevant efforts done in the management, verification, and validation of non-functional properties in the cloud.

The first line of research has focused on security, which is a main issue in harnessing the potential of the cloud. The cloud security problem is very challenging, due to i) the heterogeneity of cloud stacks, ii) lack of formal and semantically equivalent security requirements, iii) lack of a stable categorization of techniques, and iv) need of balancing between security, flexibility, and high performance. Different solutions have focused on different aspects such as, to name but a few, communication security, availability and integrity of data, secure virtualization [16], [17], [18], [19], [20].

Much in line with CTT, Doelitzscher et al. [14] propose Security Audit as a Service (SAaaS), a cloud audit and incident detection system. Their goal is to present a solution that addresses the limitations of traditional audit and intrusion detection systems when moved to the cloud and which reacts to changes in the cloud infrastructure. SAaaS is aimed at increasing the transparency of the cloud by giving customers access to data about security incidents. An architecture and a prototype based on autonomous agents and a modeling of the business flow are described. In a subsequent work [15], the authors present a cloud audit policy language for the SAaaS architecture and its applicability to a cloud scenario. The presented approaches mostly target the IaaS level, are focused on security monitoring, and are aimed at presenting auditing data through a standard interface. CTT instead targets all levels of the cloud stack, considers non-functional properties in general, is based on a mix of monitoring and testing probes, and finally proposes actuators that build on probe data to automatically configure the cloud when certain events happen.

In the context of performance management and evaluation, approaches to scalability and elasticity have focused on a single cloud level (e.g., computing infrastructure, database) and a single scenario at a time, and compared the performance provided by different technologies supplying functionality for that level (e.g., [10], [11], [12], [13], [21]).

Finally, other work has focused on assurance solutions for cloud verification and validation that can be divided in three main categories as follows: solutions based on testing (e.g., [22], [23]), solutions based on monitoring (e.g., [24], [25]), and solutions based on certification (e.g., [26], [27]).

VI. CONCLUSIONS

The future success of cloud computing in critical scenarios highly depends on the trust cloud tenants will have in the cloud provider to manage their data and applications in a proper way. Verification and management of non-functional properties then assume a fundamental importance to increase the tenant trust in the cloud. In this paper, we presented the architecture of CTT, a toolkit based on cloud transparency, introspection, and outrospection, which supports verification and management of non-functional properties in the cloud and balances cloud controls between providers and tenants.

ACKNOWLEDGMENTS

This work was partly supported by the EU-funded projects CUMULUS (contract n. FP7-318580) and by the Italian MIUR project SecurityHorizons (c.n. 2010XSEMLC).

REFERENCES

[1] M. Armbrust, A. Fox, R. Griffith, A. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, and M. Zaharia, "Above the clouds: A berkeley view of cloud computing," in Tech. Rep. UCB/EECS-2009-28, EECS Department, U.C. Berkeley, February 2009.
[2] L. Vaquero, L. Rodero-Merino, J. Caceres, and M. Lindner, "A break in the clouds: towards a cloud definition," ACM SIGCOMM Computer Communication Review, vol. 39, pp. 50–55, December 2008.
[3] P. Mell and T. Grance, The NIST Definition of Cloud Computing, December 2011, NIST SP-800-145, http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf.
[4] L. Chung, B. Nixon, E. Yu, and J. Mylopoulos, Non-Functional Requirements in Software Engineering, ser. International Series in Software Engineering, Vol. 5. Springer, Heidelberg, 1999.
[5] H. Yu and S. Reiff-Marganiec, "Non-functional property based service selection: A survey and classification of approaches," in Proc. of NFPSLAM-SOC 2008, Dublin, Ireland, November 2008.
[6] N. Chauhan, A. Saxena, and J. Murthy, "An approach to measure security of cloud hosted application," in Proc. of IEEE CCEM 2013, Bangalore, India, October 2013.
[7] C. Jenkins, "The three pillars of a secure hybrid cloud environment," Computer Fraud & Security, vol. 2013, no. 6, pp. 13–15, 2013.
[8] R. Knode, Digital Trust in the Cloud: Liquid Security in Cloudy Places, CSC, August 2009, http://assets1.csc.com/au/downloads/0610 20 Digital trust in the cloud.pdf.
[9] S. Berger, R. Cáceres, K. A. Goldman, R. Perez, R. Sailer, and L. van Doorn, "vTPM: Virtualizing the trusted platform module," in Proc. of USENIX-SS 2006, Vancouver, Canada, July-August 2006.
[10] A. Ali-Eldin, J. Tordsson, and E. Elmroth, "An adaptive hybrid elasticity controller for cloud infrastructures," in Proc. of IEEE NOMS 2012, Maui, HI, USA, April 2012.
[11] B. Cooper, A. Silberstein, E. Tam, R. Ramakrishnan, and R. Sears, "Benchmarking cloud serving systems with ycsb," in Proc. of ACM SoCC 2010, Indianapolis, IN, USA, March 2010.
[12] A. Iosup, S. Ostermann, N. Yigitbasi, R. Prodan, T. Fahringer, and D. Epema, "Performance analysis of cloud computing services for many-tasks scientific computing," IEEE TDPS, vol. 22, pp. 931–945, June 2011.
[13] L. M. Vaquero, L. Rodero-Merino, and R. Buyya, "Dynamically scaling applications in the cloud," CCR, vol. 41, no. 1, pp. 45–52, January 2011.
[14] F. Doelitzscher, C. Reich, M. Knahl, A. Passfall, and N. Clarke, "An agent based business aware incident detection system for cloud environments," Journal of Cloud Computing, vol. 1, no. 1, pp. 1–19, 2012.
[15] F. Doelitzscher, T. Ruebsamen, T. Karbe, M. Knahl, C. Reich, and N. Clarke, "Sun behind clouds - on automatic cloud security audits and a cloud audit policy language," International Journal on Advances in Networks and Services, vol. 6, no. 1–2, pp. 1–16, 2013.
[16] D. Fernandes, L. Soares, J. Gomes, M. Freire, and P. Inacio, "Security issues in cloud environments: a survey," International Journal of Information Security, pp. 1–58, September 2013.
[17] J. Somorovsky, M. Heiderich, M. Jensen, J. Schwenk, N. Gruschka, and L. Lo Iacono, "All your clouds are belong to us: Security analysis of cloud management interfaces," in Proc. of ACM CCSW 2011, Chicago, IL, USA, October 2011.
[18] K. D. Bowers, A. Juels, and A. Oprea, "Hail: A high-availability and integrity layer for cloud storage," in Proc. of ACM CCS 2009, Chicago, IL, USA, November 2009.
[19] M. van Dijk, A. Juels, A. Oprea, R. L. Rivest, E. Stefanov, and N. Triandopoulos, "Hourglass schemes: How to prove that cloud files are encrypted," in Proc. of ACM CCS 2012, Raleigh, NC, USA, October 2012.
[20] F. Lombardi and R. Di Pietro, "Secure virtualization for cloud computing," Journal of Network and Computer Applications, vol. 34, no. 4, pp. 1113–1122, 2011.
[21] D. Tsoumakos, I. Konstantinou, C. Boumpouka, S. Sioutas, and N. Koziris, "Automated, elastic resource provisioning for nosql clusters using tiramola," in Proc. of ACM CCGrid 2013, Delft, The Netherlands, May 2013.
[22] X. Bai, M. Li, B. Chen, W.-T. Tsai, and J. Gao, "Cloud testing tools," in Proc. of IEEE SOSE 2011, Irvine, CA, USA, December 2011.
[23] T. Parveen and S. Tilley, "When to migrate software testing to the cloud?" in Proc. of ICSTW 2010, Paris, France, April 2010.
[24] A. Monfared and M. Jaatun, "Monitoring intrusions and security breaches in highly distributed cloud environments," in Proc. of IEEE CloudCom 2011, Athens, Greece, November–December 2011.
[25] J. Shao, H. Wei, Q. Wang, and H. Mei, "A runtime model based monitoring approach for cloud," in Proc. of IEEE CLOUD 2010, Miami, FL, USA, July 2010.
[26] S. Cimato, E. Damiani, F. Zavatarelli, and R. Menicocci, "Towards the certification of cloud services," in Proc. of IEEE SERVICES 2013, Santa Clara, CA, USA, June–July 2013.
[27] M. Krotsiani, G. Spanoudakis, and K. Mahbub, "Incremental certification of cloud services," in Proc. of SECURWARE 2013, Barcelona, Spain, August 2013.
