Cloud Security Using Fine-Grained Efficient Information Flow Tracking

Future Internet Pub Date : 2024-03-25 DOI:10.3390/fi16040110
Fahad Alqahtani, Mohammed Almutairi, Frederick T. Sheldon
{"title":"Cloud Security Using Fine-Grained Efficient Information Flow Tracking","authors":"Fahad Alqahtani, Mohammed Almutairi, Frederick T. Sheldon","doi":"10.3390/fi16040110","DOIUrl":null,"url":null,"abstract":"This study provides a comprehensive review and comparative analysis of existing Information Flow Tracking (IFT) tools which underscores the imperative for mitigating data leakage in complex cloud systems. Traditional methods impose significant overhead on Cloud Service Providers (CSPs) and management activities, prompting the exploration of alternatives such as IFT. By augmenting consumer data subsets with security tags and deploying a network of monitors, IFT facilitates the detection and prevention of data leaks among cloud tenants. The research here has focused on preventing misuse, such as the exfiltration and/or extrusion of sensitive data in the cloud as well as the role of anonymization. The CloudMonitor framework was envisioned and developed to study and design mechanisms for transparent and efficient IFT (eIFT). The framework enables the experimentation, analysis, and validation of innovative methods for providing greater control to cloud service consumers (CSCs) over their data. Moreover, eIFT enables enhanced visibility to assess data conveyances by third-party services toward avoiding security risks (e.g., data exfiltration). Our implementation and validation of the framework uses both a centralized and dynamic IFT approach to achieve these goals. We measured the balance between dynamism and granularity of the data being tracked versus efficiency. To establish a security and performance baseline for better defense in depth, this work focuses primarily on unique Dynamic IFT tracking capabilities using e.g., Infrastructure as a Service (IaaS). Consumers and service providers can negotiate specific security enforcement standards using our framework. Thus, this study orchestrates and assesses, using a series of real-world experiments, how distinct monitoring capabilities combine to provide a comparatively higher level of security. Input/output performance was evaluated for execution time and resource utilization using several experiments. The results show that the performance is unaffected by the magnitude of the input/output data that is tracked. In other words, as the volume of data increases, we notice that the execution time grows linearly. However, this increase occurs at a rate that is notably slower than what would be anticipated in a strictly proportional relationship. The system achieves an average CPU and memory consumption overhead profile of 8% and 37% while completing less than one second for all of the validation test runs. The results establish a performance efficiency baseline for a better measure and understanding of the cost of preserving confidentiality, integrity, and availability (CIA) for cloud Consumers and Providers (C&P). Consumers can scrutinize the benefits (i.e., security) and tradeoffs (memory usage, bandwidth, CPU usage, and throughput) and the cost of ensuring CIA can be established, monitored, and controlled. This work provides the primary use-cases, formula for enforcing the rules of data isolation, data tracking policy framework, and the basis for managing confidential data flow and data leak prevention using the CloudMonitor framework.","PeriodicalId":509567,"journal":{"name":"Future Internet","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2024-03-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Future Internet","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.3390/fi16040110","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0

Abstract

This study provides a comprehensive review and comparative analysis of existing Information Flow Tracking (IFT) tools which underscores the imperative for mitigating data leakage in complex cloud systems. Traditional methods impose significant overhead on Cloud Service Providers (CSPs) and management activities, prompting the exploration of alternatives such as IFT. By augmenting consumer data subsets with security tags and deploying a network of monitors, IFT facilitates the detection and prevention of data leaks among cloud tenants. The research here has focused on preventing misuse, such as the exfiltration and/or extrusion of sensitive data in the cloud as well as the role of anonymization. The CloudMonitor framework was envisioned and developed to study and design mechanisms for transparent and efficient IFT (eIFT). The framework enables the experimentation, analysis, and validation of innovative methods for providing greater control to cloud service consumers (CSCs) over their data. Moreover, eIFT enables enhanced visibility to assess data conveyances by third-party services toward avoiding security risks (e.g., data exfiltration). Our implementation and validation of the framework uses both a centralized and dynamic IFT approach to achieve these goals. We measured the balance between dynamism and granularity of the data being tracked versus efficiency. To establish a security and performance baseline for better defense in depth, this work focuses primarily on unique Dynamic IFT tracking capabilities using e.g., Infrastructure as a Service (IaaS). Consumers and service providers can negotiate specific security enforcement standards using our framework. Thus, this study orchestrates and assesses, using a series of real-world experiments, how distinct monitoring capabilities combine to provide a comparatively higher level of security. Input/output performance was evaluated for execution time and resource utilization using several experiments. The results show that the performance is unaffected by the magnitude of the input/output data that is tracked. In other words, as the volume of data increases, we notice that the execution time grows linearly. However, this increase occurs at a rate that is notably slower than what would be anticipated in a strictly proportional relationship. The system achieves an average CPU and memory consumption overhead profile of 8% and 37% while completing less than one second for all of the validation test runs. The results establish a performance efficiency baseline for a better measure and understanding of the cost of preserving confidentiality, integrity, and availability (CIA) for cloud Consumers and Providers (C&P). Consumers can scrutinize the benefits (i.e., security) and tradeoffs (memory usage, bandwidth, CPU usage, and throughput) and the cost of ensuring CIA can be established, monitored, and controlled. This work provides the primary use-cases, formula for enforcing the rules of data isolation, data tracking policy framework, and the basis for managing confidential data flow and data leak prevention using the CloudMonitor framework.
利用细粒度高效信息流跟踪实现云安全
本研究对现有的信息流跟踪(IFT)工具进行了全面回顾和比较分析,强调了在复杂的云系统中减少数据泄漏的必要性。传统方法给云服务提供商(CSP)和管理活动带来了巨大的开销,促使人们探索 IFT 等替代方法。通过用安全标签增强消费者数据子集并部署监控器网络,IFT 可帮助检测和防止云租户之间的数据泄漏。这里的研究重点是防止滥用,例如云中敏感数据的外泄和/或挤出,以及匿名化的作用。CloudMonitor 框架旨在研究和设计透明、高效的 IFT(eIFT)机制。通过该框架,可以对创新方法进行实验、分析和验证,从而为云服务消费者(CSC)提供更大的数据控制权。此外,eIFT 还能增强可视性,以评估第三方服务的数据传输,从而避免安全风险(如数据外泄)。我们对该框架的实施和验证采用了集中式和动态 IFT 方法来实现这些目标。我们衡量了被跟踪数据的动态性和粒度与效率之间的平衡。为了建立一个安全和性能基线,以实现更好的纵深防御,这项工作主要侧重于使用基础设施即服务(IaaS)等独特的动态 IFT 跟踪功能。消费者和服务提供商可以使用我们的框架协商特定的安全执行标准。因此,本研究通过一系列真实世界的实验来协调和评估不同的监控功能如何结合起来提供相对更高的安全级别。通过多项实验对输入/输出性能的执行时间和资源利用率进行了评估。结果表明,性能不受跟踪的输入/输出数据量的影响。换句话说,随着数据量的增加,我们注意到执行时间呈线性增长。不过,这种增长速度明显慢于严格的比例关系。在所有验证测试运行中,系统平均 CPU 和内存消耗开销分别为 8%和 37%,而完成时间却不到一秒。这些结果为更好地衡量和理解云消费者和提供商(C&P)保护机密性、完整性和可用性(CIA)的成本建立了性能效率基准。消费者可以仔细检查各种优势(即安全性)和权衡(内存使用率、带宽、CPU 使用率和吞吐量),以及确保建立、监测和控制 CIA 的成本。这项工作提供了主要用例、执行数据隔离规则的公式、数据跟踪策略框架,以及使用 CloudMonitor 框架管理机密数据流和防止数据泄漏的基础。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信