2011 International Conference on Electronic & Mechanical Engineering and Information Technology

The Issues of Cloud Computing Security in High-speed Railway

Xiang Tana, Bo Aib

State Key Laboratory of Rail Traffic Control and Safety Beijing Jiaotong University

Beijing, P.R.China a. txlyylmok@163.com; b. boai@bjtu.edu.cn

Abstract—Cloud computing has brought new changes and opportunities to IT industry. It is the result of the evolution of a variety of techniques. And the railway department will use the cloud computing technology to achieve the sharing of the railway information resources and to improve the capacity of information processing. But with the development of the cloud computing, it also faced with many difficulties, cloud computing security has become the leading cause of impeding its development. Cloud computing security has become a hot topic in industry and academic research. This paper will explore the status of the development of cloud computing security, analyze the data privacy, security auditing, data monitoring and other challenges that the cloud computing security faced with. We will describe the solutions which the industry and academia proposed for some key issues of cloud computing security, such as virtualization security and traffic monitoring between virtual machines and so on. And we analyzed the security of cloud computing in railway environment. We proposed a cloud computing security reference framework. The purpose of this paper is attempted to bring greater clarity landscape about cloud computing security.

Keywords-cloud computing; cloud computing security; cloud security framework; high-speed railway

I. INTRODUCTION

Since 2007, cloud computing has become hot issue, many companies began to attempt to use cloud computing services. The typical cloud computing service are Amazon's EC2 and Google's Google App Engine, they use the Internet to connect to external users, and take the large number of software and IT infrastructure as a service provided to users. With the convenience, economy, high scalability and other advantages, cloud computing enables the enterprise liberation from the heavy pressure of the IT infrastructure management and maintenance. Cloud computing change the Internet into a new computing platform, is a business model that achieve purchase on-demand and pay-per-use in network, has a broad development prospects. Railway is the one of the areas that proposed to give priority to develop in national "Eleventh Five-Year Plan"; the development trend of high­speed, heavy and dense in railway, makes all types of data including video and audio data in large-scale growing, so it brings enormous challenges to the information process of the

railway, including large-scale distributed computing, data analysis and processing, data sharing and the integration of computing resources and so on; the cloud computing as the evolution of multiple technologies, has the key technical characteristics of dealing with the issues abovefl]. But the development of cloud computing is facing many critical issues, the most prominent is the security issue, with the growing popularity of cloud computing, the importance of security show gradual upward trend, become an important factor in the development of cloud computing. 2009 Gartner survey showed that more than 70% of respondents said they do not intend to use the cloud computing at recent, the main reason is afraid of the data security and privacy. And the burst of a number of security incidents continue to increase more people worried about the cloud. For example, in March 2009, the event that a large number of user's files were leaked occurred in Google. Therefore, in order to organizations and businesses can make use of large-scale cloud services, cloud computing technology and platforms, rest assured that their data were migrated to the cloud, we must solve the issues that cloud computing security faced with. The purpose of this paper is attempted to bring greater clarity landscape about cloud computing security.

II. THE CONCEPT OF CLOUD COMPUTING AND CHALLENGES

A. The concept of Cloud Computing Cloud computing is in under development, there are no

widely accepted unified definition. In different stages of development or from a different perspective has a different understanding on the cloud. U.S. National Institute of Standards and Technology (NIST) defines 5 key features, 3 service model and 4 deployment model of cloud[2], This definition is broad industry adoption.

B. Challenges In 2008, the U.S. information technology research and

consulting firm Gartner issued a "cloud computing security risk assessment" report, mainly from the vendor's point of view about security capabilities analyzed security risks faced by the cloud, listing seven major security risks that the cloud computing technology exist [3], as shown in Table I .

978-l-61284-088-8/ll/$26.00 ©2011 IEEE 4358 12-14 August, 2011

TABLE I. SEVEN TOP SECURITY RISKS GARTNER

RISK Privileged user access Regulatory compliance

Data location

Data segregation

Recovery

Investigative support Long-term viability

Description Sensitive data processed outside the enterprise brings with it an inherent level of risk Cloud computing providers who refuse to external audits and security certifications When you use the cloud, you probably won't know exactly where your data is hosted Data in the cloud is typically in a shared environment alongside data from other customers Even if you don't know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster Investigating inappropriate or illegal activity may be impossible in cloud computing You must be sure your data will remain available even after such an event

CS A published in 2009 "in key areas of the cloud Safety Guide" and updated to version 2.1 [4], mainly from the perspective of the attacker summarized the major threats that cloud computing environment may be faced, proposed 12 key fields that security concerns, then issued a cloud concise reports security risks, the Security Guide was concentrated to 7 of the most common, the greatest threat to harmful levels, as shown in Table II.

TABLE II. SEVEN TOP SECURITY RISKS CSA

RISK Abuse and Nefarious Use of Cloud Computing Insecure Interfaces and APIs

Malicious Insiders

Shared Technology Issues

Data Loss or Leakage

Account or Service Hijacking.

Unknown Risk Profile

Description By abusing the relative anonymity behind these registration and usage models, spammers, malicious code authors, and other criminals have been able to conduct their activities with relative impunity It increases risk as organizations may be required to relinquish their credentials to third parties in order to enable their agency. A provider may not reveal how it grants employees access to physical and virtual assets, how it monitors these employees, or how it analyzes and reports on policy compliance. The underlying components that make up this infrastructure (e.g., CPU caches.) were not designed to offer strong isolation properties for a multi-tenant architecture. The threat of data compromise increases in the cloud, due to the number of and interactions between risks and challenges which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment. Your account or service instances may become a new base for the attacker. From here, they may leverage the power of your reputation to launch subsequent attacks. Versions of software, code updates, security practices, vulnerability profiles, intrusion attempts, and security design, are all important factors for estimating your company's security posture.

Other challenges to be aware of: [5]

• Security auditing and data monitoring: the dynamic nature of the virtual machine, how can organizations ensure the audit ability of records and monitor their data?

• Data privacy: As a user, we lose control over physical security, how can we ensure that data will not leakage and privacy can be protected.

• Key management: If the information is encrypted, then who controls the encryption/decryption key? Customer or Service provider ?

• Data Integrity: It is not exist that a common standard to ensure data integrity.

III. SAFETY STATUS OF THE CLOUD. ..

A. The government concern about the safety of the cloud November 2010, the U.S. government and agency CIO

asked the government to assess the security risks about the cloud computing, described the challenges of cloud computing and the security for cloud computing.

September 2010, Westone held a conference about cloud security and cloud storage in Beijing, responded enthusiastically.

May 2010, in the second session of the China Cloud Computing Conference, the Ministry of Industry Vice Minister Lou said, we should strengthen the information security of cloud computing to solve common technical problems.

March 2010, the European Network and Information Security Agency (ENISA) announced they will promote the management department to request cloud service provider not conceal attacks on cloud.

B. The Cloud Security Standards Organization and Progress on Cloud Many standards organizations have begun to develop standards of cloud computing and cloud security, in order to enhance interoperability and security, to promote the healthy development of cloud computing industry. Such as: Open Cloud Manifesto (OCM), National Institute of Standards and Technology (NIST), Cloud Security Alliance (CSA) and Distributed Management Task Force (DMFT).

• Open Cloud Manifesto (OCM)

There are more than 300 units join in the organization currently, the main results of the organization is open cloud manifesto [6], the open cloud manifesto describes the challenges that cloud computing faced with, including governance and management, security, data and application interoperability and portability, measuring and monitoring.

• National Institute of Standards and Technology (NIST)

NIST mainly through technical guidance and promote the standardization work to help government and industry safe and effective use the cloud computing technology. In

4359

the May 2010, the NIST held symposium about the cloud computing, in October 2009, issued a "safe and effective use of cloud computing" academic speech. The main results of NIST are:

NIST definition of cloud computing VI5 [7], the document gives the definition of cloud computing, and describes five characteristics of cloud computing, three service models and four deployment patterns, and reference by many Standards Alliance such as DMTF.

Safe and efficient use of cloud computing report [8], the report introduces the concept of cloud computing, features, frame, and detailed analysis of the cloud computing security, migration and other related technologies and the standardization about cloud security.

• Cloud Security Alliance (CSA)

CSA is a non-profit organization, establishment in the RSA Conference in 2009, main focused on the security risks that the enterprise faced with when deployment the cloud computing system and given the appropriate safety advice. CSA proposal a cloud computing security architecture reference model [4], as shown in Figure 1

Cloud management

Compliance and Audit

Governance and Enterprise risk management

Portability and Interoperability

Legal and Electronic discovery

Information Lifecycle Management

Cloud computing run

Traditional Security

Emergency Response

Business Continuity

Encryption and Key Management

Data Center Security

Disaster Recovery

Notification and Repair

Application Security

Virtual ization

Identity Access Management

• Distributed Management Task Force (DMFT) The organization concerned about the cloud computing management standards, focus on improving the interoperability about cloud management between cloud service providers and users, and between cloud service providers and cloud service developers, developed the interoperability standards through development the agreement of cloud resources management, encapsulation format and security mechanisms. The main results of DMTF [9] are: the Open Virtualization Format Specification (OVF), cloud management architecture, cloud interoperability white paper.

IV. THE KEY TECHNOLOGIES OF CLOUD COMPUTING SECURITY

Figure 1. CSA cloud computing security architecture reference model

CSA proposed 15 focus areas of cloud computing security from the point of cloud management and cloud computing run, as shown in Tablelll

A. Virtualization Virtualization technology is a core technology of cloud

computing, the virtual machine is the basic unit of the cloud computing platforms, cloud providers provided services to clients by virtual machines must ensure the security and isolation. Sometimes, however, because of the business needs, the virtual machine need communication with others, which destroyed the isolation. The traffic between virtual machines is difficult to monitor, it will lead to malicious attacks between virtual machines if there exists a malicious virtual machine. The company, Altor [10], has developed virtual firewall for the issues of traffic between the virtual machines, and monitor the traffic between the virtual machines. Wei et al [11] focus on the security of virtual machine image file, the proposed image file management system to achieve the image file access control, source tracking, filtering and scanning, can detect and fix security breach issues. In the untrusted operating system environment, [12] proposed a secure virtual architecture to provide a safe operating environment and network interface to store the virtual machine.

TABLE III. CSA 15 FOCUS AREAS OF CLOUD SECURITY

4360

B. Trusted Cloud Computing In 2011 RSA Conference [13], EMC Executive Vice

President Arthur described a strategy for ending the lack of trust about cloud computing, pointed out the reason of many companies still not deployed the critical applications in cloud computing environment is the lack of trust, and use the virtualization technology can achieve the cloud environment controllable and visible which two are the key elements of credibility. Santos et al [14] presents a trusted cloud computing platform TCCP, based on this platform, IaaS service providers can offer their subscribers a sealed box execution environment to ensure customer confidentiality of the virtual machine is running. In addition, it allows the user test IaaS service provider if it is safe before start the virtual machine.

C Identity Management and Access Control Organization for the Advancement of Structured Information Standards (OASIS) [15] collect and coordinate the relevant terms and vocabulary definition about cloud computing, developed the open standards of identity deployment, supply and management, through the collection of use cases to identify the existing gaps in identity management standards in order to explore the interoperability scenarios in the existing standards. Under the cloud computing model, the researchers concerned about how access control through non-traditional means of implementation of the data object class access control. Which received the most attention is the access control methods based on cryptography, including: key generation and distribution based on hierarchical access control policy enforcement methods [16,17]; attribute-based encryption algorithm (such as key encryption based on the attribute rules program (KP-ABE) [18], and based proxy re-encryption [19] methods

V. CLOUD SECURITY REFERENCE FRAMEWORK

To solve the problem of cloud computing security, create a comprehensive cloud computing security framework is necessary, we are under the cloud computing service model, proposed a reference of the cloud security framework, as shown in Figure 2

Figure 2. Cloud Security Reference Framework

• Infrastructure layer

Cloud computing is combine of network computational units and storage units, the infrastructure layer involved to the physical equipment security and network security, the network security including internal network security and access security when user access to the cloud computing system, we can ensure the confidentiality of data through the encrypted tunnel technology, ensure data integrity and non-tampering through digital abstract, digital certificates and digital time stamp, the cloud computing internal security can achieve logical security isolation through VLAN to set security zone. We need host-based firewall, host-based intrusion prevention systems, disk encryption management systems and so on to protect the security of physical device, and need the appropriate security incident response management to complete the audit function.

• Platform layer

The security of platform layer involved to virtualization security and data security; in platform layer, about access and authentication, we can authenticate user identity by the user fingerprint, user passwords and other means. Virtualization security is the most basic safety requirements about cloud computing platform security. Data stored in the cloud, so that owners and managers of data separation, brings challenges to the data security, we should enhance data security, protect data privacy through data integrity and anti-leakage management.

• Software layer

Cloud service providers should concern about abuse management prevention, and the user's behavior should be identified, to prevent a malicious user to take advantage of cloud computing system for unlawful violence to crack the password and DDOS attacks.

4361

VI. THE CLOUD COMPUTING IN RAILWAY AND SECURITY

[20] has investigated how cloud technology could be used at Enterprise Datacenter in the business environment of China Railway by building a Cloud test bed that simulates the information system of China Railway and running the Railway applications and data in this test bed. The architecture of Cloud test bed for China Railway as shown in Figure 3 below.

Figure 3. Cloud Test bed Architecture for China Railway

This architecture use the Tashi cloud middleware to manage the resource, and require use the physical resource maximum and guarantee application execution efficiency.

[21] proposed a kind of cloud-augment mobile computing(CMC) concept, and discussed the meaning of its implement technology, including name space, data analysis, data operation, media sharing, group management and expert-supported system; and discussed the railway emergency disposing system based on the CMC concept by china railway application scenario.

Cloud computing applications can bring many benefits to the railway information system, such as efficiency, information sharing and data operations protection in the management field and so on. However, cloud computing security problems can not be ignored. Due to the cloud computing technology application in the rail system, the traditional applications of the railway information systems and management systems will migrate to the cloud platform. We should concern on the disaster recovery problem of the scheduling system in the cloud platform; if the cloud resources used by malicious people or terrorists, then will create a serious consequences unexpected. Therefore, the access control of cloud resources is the key issue of the security mechanisms. Agarwal constructed semantic Web services strategy synthesis scheme [22].Bonatti proposed a compound algebra access control policy, use the synthetic operators to synthesize the security policy based on set

theory [23]. Wijesekera et al proposed a strategy based on authorized state changes to synthesize algebraic framework [24].

VII. CONCLUSION AND OUTLOOK

Cloud computing deployment model led the physical boundary of the network disappears, the cloud facing the challenges of access control. Users put their data in the cloud, the privacy of users at risk result from lost control of the data. Virtualization technology is the core technology of Cloud computing, users are most concerned about data security, so virtualization security and data security are the main problem of the cloud computing security. Legislation make cloud computing to accord with compliance is a means of ensuring data security, there is little literature on the issue of compliance, basically from the point of view about technical to consider the cloud computing security problems, but this is not enough. Cloud computing security needs consider both technology and strategy, including: audit, compliance and risk assessment. At the aspect of strategy management of security mechanisms in the china railway, we should concern on the strategy of network security and management field.

ACKNOWLEDGMENT

The authors would like to thank Songlin Bai and Jing Fang for their invaluable expert advice that made the successful completion of this project possible.

Project Supported by the National Natural Science Foundation of China under Grant 60830001, Program for New Century Excellent Talents in University under Grant NCET-09-0206, the Key Project of State Key Lab. of Rail Traffic Control and Safety under Grant RCS2008ZZ006, Program for Changjiang Scholars and Innovative Research Team in University under Grant No. IRT0949, the Project of State Key Lab. of Rail Traffic Control and Safety under Grant RCS2008ZT005

REFERENCES

[1] LIU Zhen, LIU Feng, ZHANC Baopeng, MA Fei, CA 0 Shiyu. Research on Cloud Computing and Its Application in Railway [J].Journal of Beijing Jiaotong University, 2010,34(5): 14-19.(in Chinese)

[2] MELL P, GRANCE T. The NIST Definition of Cloud Computmg[EB/OL]. [2010-05-10]. http://csrc.nist.gov/groups/SNS/cloud-computing/.

[3] MATHER T, KUMARASWAMY S, LATIF S. Cloud Security and Privacy :An Enterprise Perspective on Risks and Compliance[M].[s.l.]:O'ReillyMedia,Inc.,2009.

[4] Cloud Security Alliance. Security Guidance for Critical Areas of Focus in Cloud Computing V2.1. 2009.

[5] http://www.infosectoday.com/Articles/Cloud_Security_Challenges.ht m

[6] http://www.opencloudmanifesto.org/ [7] National Institute of Standards and Technology. NIST definition of

cloud computing VI5. 2010 [8] National Institute of Standards and Technology. Safe and efficient use

of cloud computing report. 2009

4362

[9] http://www.dmtf.org/ [10] http://www.altor.com/altor/opencms/index.html [11] Wei J, Zhang X, Ammons G, Bala V, Ning P. Managing security of

virtual machine images in a cloud environment. In: Proc. of the 2009 ACM Workshop on Cloud Computing Security. 2009.

[12] Chunxiao Li. Anand Raghunathan. Niraj K. Jha. Secure Virtual Machine Execution under an Untrusted Management OS. DOI 10.1109/CLOUD.2010.29

[13] http://www.rsaconference. com/2011 /usa/ [14] Santos N, Gummadi KP, Rodrigues R. Towards trusted cloud

computing. In: Proc. of the Workshop on Hot Topics in Cloud Computing 2009. San Diego, 2009.

[15] http://www.oasis-open.org/ [16] Crampton J, Martin K, Wild P. On key assignment for hierarchical

access control. In: Proc. of the 19th IEEE CSFW 2006. Venice, 2006. 98-111.

[17] Damiani E, et al. An experimental evaluation of multi-key strategies for data outsourcing. In: Proc. of the 22nd IFIP TC-11 IntT Information Security Conf. South Africa, 2007.

[18] Goyal V, Pandey A, Sahai A, Waters B. "Attribute-Based encryption for fine-grained access control of encrypted data". In: Proc. Of the

ACM Conf. on Computer and Communications Security. 2006. 89-98.

[19] Chang YC, Mitzenmacher M. Privacy preserving keyword searches on remote encrypted data. Report 2004/051. Cryptology ePrint Archive, 2004. http://eprint.iacr.org/2004/051/

[20] Baopeng Zhang, Shiyu Gao,Liming Xia, Jackson He, Kai Miao. Resource Management Policy for Cloud Testbed of China Railway. In: International Conference on Computer Application and System Modeling, 2010.

[21] Baopeng Zhang, Ning Zhang, Feng Liu, Kai Miao, Jackson.He. A Novel Cloud Computing Paradigm for China Railway Application. In : Intelligent Computing and Intelligent Systems (ICIS), 2010. DOI: 10.1109/ICICISYS.2010.5658556.

[22] Agarwal S, Sprick B. Access control for semantic Web services. In: Proc. of the IEEE IntT Conf. on Web Services. 2004. 770-773.

[23] Bonatti P, Vimercati SC, Samarati P. An algebra for composing access control policies. ACM Trans, on Information and System Security, 2002,5(1): 1-35.

[24] Wijesekera D, Jajodia S. A propositional policy algebra for access control. ACM Trans, on Information and System Security, 2003, 6(2):286-325.

4363