An On-Demand Security Mechanism for Cloud-Based Telecommunications Services

Release Date: 2011-03-18 Author: Zhaoji Lin, Ping Lu, Shengmei Luo, Feng Gao, and Jianyong Chen

1 Introduction
    With innovation in cloud technologies, services need to be rebuilt for the cloud. Commercial cloud applications include Amazon EC2/S3 [1], Google Apps [2], and Force.com [3]. In addition, Microsoft and Chinese carriers such as China Mobile, China Telecom, and China Unicom have also launched cloud services. Government activities are fast catching up to commercial activities; in the U.S. there is Apps.gov [4], the U.K. government operates G-Cloud, and the Canadian government also has a cloud.


    Generally speaking, a cloud is discussed in terms of services, and services are being enriched and reinvented as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Cloud computing is a promising paradigm that has drawn attention from both academia and industry. By combining existing and emerging techniques from Service-Oriented Architectures (SOA) and virtualization, cloud computing resources in the computing infrastructure can be provided as services over the Internet. As promising as this sounds, cloud computing also faces many challenges that, if not resolved well, may impede its fast growth. Data security is of significant concern for users who store their sensitive information on cloud servers. These concerns are exacerbated by the fact that cloud servers are usually owned by commercial providers and are very likely to be outside the trusted domain of users. Data confidentiality in cloud servers is highly desired when data storage is outsourced. In some practical applications, data confidentiality is not only a security and privacy issue, but also a legal concern. A cloud is distinguished from other environments in that users may feel a vague insecurity about participating in a cloud, and this feeling cannot be easily overcome. In a public cloud, users can delegate system administration to cloud providers, but this also means that administration and operations are not controlled by the user. Furthermore, because of virtualization in multitenant services, there may be additional concerns about the physical proximity of data to competitors and protection of that data from competitors in a virtual environment. An IDC survey on Cloud/On-Demand showed that more than seventy percent of potential cloud users view security as a major reason against adopting clouds.


    Cloud security has many facets, and researchers have discussed cloud security from their own viewpoints. Many of these researchers work in the Cloud Security Alliance [5] and are making efforts to publish security guidelines. Here, a dynamic, on-demand security mechanism is proposed to protect data and infrastructure in the cloud.


    Domain division and a dynamic on-demand security mechanism can protect the data and infrastructure residing in security domains. Enhanced security can accelerate the deployment of cloud-based telecommunications services.


2 Cloud-Based Telecommunications Service Environment
    In cloud computing, the traditional telecommunications service environment, constructed in a silo manner, is transformed into an environment built on a resource-sharing model (Fig. 1). This transformation significantly decreases investment in service deployment and expansion.



    The security requirements of a Cloud-Based Telecommunications Service Environment (CTSE) are significantly different from those of a traditional service environment. A comparison of these two environments is given in Table 1. For each CTSE security issue listed in column 2 of Table 1, the technology suggested to address it is given in column 3.



3 A New Methodology for Studying Security in Cloud-Based Telecommunications Services
    Data being migrated off premises is exposed to more threats than ever before because it is not within the reach and control of the owner while floating in the cloud.


    In this regard, traditional device-centric security systems are being evolved to data-centric security systems. Cloud-based telecommunications service needs to be protected in three key domains: data storage, processing, and transmission, as shown in Fig. 2. The service must provide a mechanism to protect the stored data in the cloud, and data in transit needs to be protected either at the service or the transmission level. In most services, transmission level protection is chosen, and Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocols are used. Data also needs to be protected in the processing stage.



    The relationship between data storage, processing, and transmission is shown in Fig. 3.
The data storage and processing domains are connected with the end user through the data transmission domain. During its lifecycle, information can move through the data storage domain and data processing domain, and to the end user via the data transmission domain. At any moment, it must be protected by the domain it resides in.



4 On-Demand Security Conceptual Model
    A conceptual security model (Fig. 4) is given to illustrate how on-demand security can be achieved in a cloud-based telecommunications service environment.



    Assume that vector A is the security unit set. Let A1 be the security unit set of the transmission security domain, A2 the security unit set of the processing security domain, and A3 the security unit set of the storage security domain. A1, A2, and A3 are subsets of A; that is, A1 ⊆ A, A2 ⊆ A, and A3 ⊆ A. Let f1, f2, and f3 be the security parameter vectors of the security unit sets of the above three domains. These security parameter vectors are expressed as fi(x1, x2, x3), where x1 is the service type, x2 is the site where the data is located, and x3 is the level of security.


    On-demand security for cloud-based telecommunications service is computed as A1×f1⊕A2×f2⊕A3×f3; that is, the integration of the security solutions of three domains, where ⊕ is the connector.


    The security units in Ai are security functions such as encryption, authentication, and integrity protection that were already realized by the cloud platform during the R&D stage.
fi is the security assessment model that should be implemented by the Security Operation Center (SOC). It is a mathematical model plus the necessary security policies. In this model, a security administrator configures the parameters x1 and x2, and the user configures the parameter x3. These parameters are only relevant to the service platform: once a service and cloud platform have been decided, the parameters are determined accordingly.


    The benefits of this new approach are:
    (1) Each security domain faces the same type of security threats, which means the same security unit set is needed (Ai is the same). Division of security domains with the same security unit set is beneficial to SOC in establishing a corresponding policy (security parameter) model.


    (2) For the service cloud platform, data transmission, processing, and storage is not necessarily provided by an individual operator. They could be provided by different operators or partly belong to a private cloud provider.


Security domain division proposed in this paper has at least four overall advantages:


    (1) Only 3 types of parameters need to be configured. Users configure the security requirements for a service (x3), and SOC configures service location (x2) and service type (x1). Once a cloud platform is built, x2 and x1 are determined and kept static, while x3 is determined by user requirements. So input of parameters is manageable and configurable.


    (2) Each security domain constructs its own policy model depending on its own security unit characteristics. Changes of f1 are independent from f2 and f3; that is, f1, f2, and f3 are thoroughly decoupled. This simplifies the policy models and means they can be easily and accurately implemented.


    (3) Only implementation of security unit technologies needs to be considered while execution is delegated to the policy model. In this way, the development of security modules involved is made easier. Existing network, services, and storage can be used simply by adding a configuration interface open to the policy model.


    (4) The execution result can be fed back to a charging center so that on-demand security or Security as a Service can be provided.


    Fig. 5 illustrates the application of this model in a real cloud-based telecommunications service scenario. Alice, Bob, and George are employees at the same company. Alice is staying in a hotel during a business trip, and Bob and George are both in the office. Alice initiates a video call with Bob and a text conversation with George to discuss the market strategy for next year (which requires high-level confidentiality). The cloud-based conference server chooses the appropriate security mechanism for Alice, Bob, and George by acquiring the location indicator (which can be determined from the IP address), the service type indicator, and the security assurance level that Alice, George, and Bob set beforehand. The conference server chooses a stronger authentication mechanism for Alice because she is in a less secure environment than Bob and George. For Alice, authentication using a password and a USB key is necessary, while for Bob and George only a password is required. Considering the confidential nature of their meeting and the high security assurance level selected by all of them, an encryption key of at least 256 bits and the Advanced Encryption Standard (AES) encryption algorithm are needed. Data integrity protection is not applied to the communication between Alice and Bob so that high real-time performance can be achieved, but it should be applied between Bob and George to prevent the texts from being tampered with. The security unit set in this case is the set of security capabilities supported by the cloud-based conference system.
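As an added illustration that is not part of the paper, the following Python sketch turns the model of Section 4 and the Fig. 5 scenario into a small policy engine. The unit names in the Ai sets, the value ranges of x1, x2, x3, and the bodies of f1, f2, f3 are assumptions, and ⊕ is read as simply collecting the three domains' decisions.

```python
from dataclasses import dataclass

# Security unit sets A_i: capabilities the platform already realized (assumed names).
A = {
    "transmission": {"tls", "aes", "integrity"},
    "processing": {"password", "usb_key"},
    "storage": {"aes", "integrity"},
}

@dataclass(frozen=True)
class Params:
    service_type: str  # x1, set by the SOC: "video" or "text"
    location: str      # x2, set by the SOC: "office" or "untrusted"
    level: str         # x3, chosen by the user: "normal" or "high"

def f_transmission(p: Params) -> dict:
    """f1 (assumed): AES key length follows x3; real-time video drops integrity checks."""
    return {"tls": True,
            "aes": 256 if p.level == "high" else 128,
            "integrity": p.service_type != "video"}

def f_processing(p: Params) -> dict:
    """f2 (assumed): a user outside the office must add a USB key to the password."""
    return {"password": True, "usb_key": p.location != "office"}

def f_storage(p: Params) -> dict:
    """f3 (assumed): stored data is always encrypted and integrity-protected."""
    return {"aes": 256 if p.level == "high" else 128, "integrity": True}

POLICIES = {"transmission": f_transmission,
            "processing": f_processing, "storage": f_storage}

def apply_domain(domain: str, p: Params) -> dict:
    """A_i x f_i: keep a unit only if the platform has it and the policy enables it."""
    return {u: v for u, v in POLICIES[domain](p).items() if u in A[domain] and v}

def on_demand_security(p: Params) -> dict:
    """A1 x f1 (+) A2 x f2 (+) A3 x f3, reading (+) as collecting the three decisions."""
    return {d: apply_domain(d, p) for d in A}

if __name__ == "__main__":
    # The Fig. 5 scenario: Alice in a hotel on video, Bob and George in the office.
    for name, p in [("Alice", Params("video", "untrusted", "high")),
                    ("Bob", Params("video", "office", "high")),
                    ("George", Params("text", "office", "high"))]:
        print(name, on_demand_security(p))
```

Running it reproduces the paper's choices: Alice gets password plus USB key, Bob only a password, both video legs use AES-256 without integrity protection, and the text leg to George adds integrity protection.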



5 Conclusion
    In a cloud computing environment, on-demand and differentiated security services are of utmost concern to end users. We propose a new method using security domain division and present a conceptual security model based on these domains. This model can be used to provide dynamic, on-demand, and differentiated protection for cloud-based telecommunications. In this way, SECurity as a Service (SECaaS) can become reality at only small cost.


References
[1] Amazon Web Services, Amazon. [online]. Available: http://aws.amazon.com/
[2] Google Apps, Google. [online]. Available: http://www.google.com/apps/intl/en/business/index.html
[3] Force.com, Salesforce.com. [online]. Available: http://www.salesforce.com/platform/
[4] Apps.gov. [online]. Available: http://www.info.apps.gov/
[5] Cloud Security Alliance. [online]. Available: http://www.cloudsecurityalliance.org/


Biographies

Zhaoji Lin (lin.zhaoji@zte.com.cn) graduated from Huazhong University of Science and Technology, majoring in Systems Engineering. He is a project manager for service and application security in the Standards Development and Industry Relations department of ZTE Corporation. His research interests include cloud computing and ubiquitous network and identity management. He has published more than 60 contributions and proposals on cloud computing security, identity management, device management, and digital rights management for ITU-T SG17, Open Mobile Alliance (OMA) and China Communications Standards Association (CCSA). He has also been an editor and convenor for several work items in these SDOs.


Ping Lu (lu.ping@zte.com.cn) graduated from South East University, China majoring in Automatic Control Theory and Application. He is chief executive officer of the Service Institute of ZTE Corporation. For more than a decade, he has steered the Institute towards innovative research and development of value added services, cloud computing, Internet services, ICT services, and home network services.


Shengmei Luo (luo.shengmei@zte.com.cn) graduated from Harbin Institute of Technology, China, majoring in Communications and Electronic Information. He is a chief engineer and architect at ZTE Corporation. He is also a member of the China Cloud Computing Committee, and heads pre-research into new technologies. He was awarded the second prize of scientific and technological progress, with several invention patents. He has published a number of academic papers in core national communication journals.


Feng Gao (gao.feng1@zte.com.cn) graduated from Beijing University of Aeronautics & Astronautics, majoring in Computer Science. He is a senior engineer in the Standards Development and Industry Relations department of ZTE Corporation. His research interests include bearer network controlling and network security. He has published more than 10 academic papers.


Jianyong Chen (chen.jianyong@zte.com.cn) received a Ph.D. degree from City University of Hong Kong in 2003. Currently, he is a technical advisor at ZTE Corporation. His research interests include security of cloud computing and identity management. He has published more than 20 contributions and proposals on cloud computing security and identity management for ITU-T SG17 and the China Communications Standards Association (CCSA). He is also the vice-chairman of ITU-T SG17, chairman of ITU-T WP3/SG17, and chairman of the fixed network security working group in CCSA.

[Abstract] As cloud computing gains in popularity, data migrated off premises is exposed to more threats than ever before, because the data is outside the owner's control while floating in the cloud. Traditional device-centric security systems are not efficient enough and need to evolve into data-centric protection systems. Cloud telecommunications services require security measures in three domains: data storage, processing, and transmission. Data stored in the cloud requires a mechanism to protect it; data in transit needs to be protected either at the service or the transmission level; and data being processed needs to be protected during the processing stage. In this paper, we propose a security model based on a new method of security domain division to provide on-demand, dynamic, and differentiated protection for cloud-based telecommunications services.

[Keywords] cloud computing; security; on demand