Zhaoji Lin, Ping Lu, Shengmei Luo, Feng Gao, and Jianyong Chen
(ZTE Corporation)
Abstract: As cloud computing gains in popularity, data migrated off premises is exposed to more threats than ever before. This is because data is out of the control of the owner while floating in the cloud. Traditional device-centric security systems are not efficient enough and need to evolve into data-centric protection systems. Cloud telecommunications services require security measures in three domains: data storage, processing, and transmission. Data stored in the cloud requires a mechanism to protect it; data in transit needs to be protected either at the service or transmission level; and data being processed needs to be protected during the processing stage. In this paper, we propose a security model based on a new method of security domain division to provide on-demand, dynamic, and differentiated protection for cloud-based telecommunications services.
Keywords: cloud computing; security; on demand
With innovation in cloud technologies, services need to be rebuilt for the cloud. Commercial cloud applications include Amazon EC2/S3 [1], Google Apps [2], and Force.com [3]. In addition, Microsoft and Chinese carriers such as China Mobile, China Telecom, and China Unicom have also launched cloud services. Government activities are fast catching up to commercial activities: in the U.S. there is Apps.gov [4], the U.K. government operates G-Cloud, and the Canadian government also has a cloud.
Generally speaking, a cloud is discussed in terms of services, and services are being enriched and reinvented as Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Cloud computing is a promising paradigm that has drawn attention from both academia and industry. By combining existing and emerging techniques from Service-Oriented Architectures (SOA) and virtualization, computing resources in the cloud infrastructure can be provided as services over the Internet. As promising as this sounds, cloud computing also faces many challenges that, if not resolved well, may impede its fast growth. Data security is of significant concern for users who store their sensitive information on cloud servers. These concerns are exacerbated by the fact that cloud servers are usually owned by commercial providers and are very likely to be outside the trusted domain of users. Data confidentiality in cloud servers is highly desired when data storage is outsourced. In some practical applications, data confidentiality is not only a security and privacy issue, but also a legal concern. A cloud is distinguished from other environments in that users may feel a vague insecurity about participating in a cloud, and this feeling cannot be easily overcome. In a public cloud, users can delegate system administration to cloud providers, but this also means that administration and operations are not controlled by the user. Furthermore, because of virtualization in multitenant services, there may be additional concerns about the physical proximity of data to competitors and the protection of that data from competitors in a virtual environment. An IDC survey on Cloud/On-Demand showed that more than seventy percent of potential cloud users view security as a major reason against adopting clouds.
Cloud security has many facets, and researchers have discussed cloud security from their own viewpoints. Many of these researchers work in the Cloud Security Alliance [5] and are making efforts to publish guidelines on security. Here, a dynamic, on-demand security mechanism is proposed to protect data and infrastructure in the cloud.
Domain division and a dynamic, on-demand security mechanism can protect the data and infrastructure residing in security domains. Enhanced security can accelerate the deployment of cloud-based telecommunications services.

Table 1. Comparison of traditional service environment security and CTSE security.
In cloud computing, the traditional telecommunications service environment, constructed in a silo manner, is transformed into a resource-sharing environment (Fig. 1). This transformation significantly decreases investment in service deployment and expansion.
The security requirements of a Cloud-Based Telecommunications Service Environment (CTSE) are significantly different from those of a traditional service environment. A comparison of these two environments is given in Table 1. The technology used to solve the CTSE security issues in column 2 is suggested in column 3 of Table 1.
Data being migrated off premises is exposed to more threats than ever before because it is not within the reach and control of the owner while floating in the cloud.
In this regard, traditional device-centric security systems are evolving into data-centric security systems. A cloud-based telecommunications service needs to be protected in three key domains: data storage, processing, and transmission, as shown in Fig. 2. The service must provide a mechanism to protect the data stored in the cloud, and data in transit needs to be protected either at the service or the transmission level. In most services, transmission-level protection is chosen, and the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocols are used. Data also needs to be protected in the processing stage.
The relationship between data storage, processing, and transmission is shown in Fig. 3.
The data storage and processing domains are connected with the end user through the data transmission domain. During its lifecycle, information can move through the data storage domain and the data processing domain, and to the end user via the data transmission domain. At any moment, it must be protected by the domain it resides in.

Figure 2. Security framework for cloud-based telecommunications service.

Figure 1. Evolution of telecommunication service provision from silo to cloud-based.

Figure 3. Relationship of data storage, processing, and transmission domains.
A conceptual security model (Fig. 4) is given to illustrate how on-demand security can be achieved in a cloud-based telecommunications service environment.
On-demand security for a cloud-based telecommunications service is computed as A_1×f_1 ⊕ A_2×f_2 ⊕ A_3×f_3; that is, the integration of the security solutions of the three domains, where ⊕ is the connector.
The security units in A_i are security functions such as encryption, authentication, and integrity that were already realized by the cloud platform during the R&D stage.
f_i is the security assessment model that should be implemented by the Security Operation Center (SOC). It is a mathematical model plus the necessary security policies. In this model, a security administrator configures the parameters x_1 and x_2, and the user configures the parameter x_3. These parameters are only relevant to the service platform. Once a service and cloud platform have been decided, these parameters are determined accordingly.
The benefits of this new approach are:
(1) Each security domain faces the same type of security threats, which means the same security unit set is needed (A_i is the same). Dividing security domains by security unit set helps the SOC establish a corresponding policy (security parameter) model for each domain.
(2) For the service cloud platform, data transmission, processing, and storage are not necessarily provided by a single operator. They could be provided by different operators or partly belong to a private cloud provider.
The security domain division proposed in this paper has at least four overall advantages:
(1) Only 3 types of parameters need to be configured. Users configure the security requirements for a service (x_3), and the SOC configures the service location (x_2) and service type (x_1). Once a cloud platform is built, x_2 and x_1 are determined and kept static, while x_3 is determined by user requirements. So the input of parameters is manageable and configurable.
(2) Each security domain constructs its own policy model depending on its own security unit characteristics. Changes to f_1 are independent of f_2 and f_3; that is, f_1, f_2, and f_3 are thoroughly decoupled. This simplifies the policy models and means they can be easily and accurately implemented.
(3) Only the implementation of security unit technologies needs to be considered, while execution is delegated to the policy model. In this way, the development of the security modules involved is made easier. Existing network, service, and storage components can be used simply by adding a configuration interface open to the policy model.
(4) The execution result can be fed back to a charging center so that on-demand security, or Security as a Service, can be provided.

Figure 4. An on-demand security mechanism for cloud-based telecommunications services.
Fig. 5 illustrates the application of this model in a real cloud-based telecommunications service scenario. Alice, Bob, and George are employees at the same company. Alice is staying in a hotel during a business trip, and Bob and George are both in the office. Alice initiates a video call with Bob and a text conversation with George to discuss the market strategy for next year (which requires a high level of confidentiality). The cloud-based conference server chooses the appropriate security mechanism for Alice, Bob, and George by acquiring the location indicator (which can be determined from the IP address), the service type indicator, and the security assurance level that Alice, George, and Bob set beforehand. The conference server chooses a stronger authentication mechanism for Alice because she is in a less secure environment than Bob and George. For Alice, authentication using a password and a USB key is necessary, while for Bob and George only a password is required. Considering the confidential nature of their meeting and the high security assurance level selected by all of them, an encryption key of at least 256 bits and the Advanced Encryption Standard (AES) encryption algorithm are needed. Data integrity protection is not applied to the communication between Alice and Bob so that high real-time performance can be achieved, but it should be applied between Bob and George to prevent the texts from being tampered with. The security unit set in this case is the set of security capabilities supported by the cloud-based conference system.
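The following added example (not code from the paper or from ZTE) implements the transmission-domain policy f_i over the parameters x_1 (service type), x_2 (location) and x_3 (user assurance level) described above, restricted to a unit set A that mirrors the Fig. 5 conference scenario. The unit names, the two-valued location and assurance parameters, and the selection rules are constructed assumptions; the security units in A are taken as already provided by the platform.

```python
from dataclasses import dataclass

# Security unit set A for the transmission domain: the capabilities the cloud
# conference platform already implements (constructed to mirror the Fig. 5 case).
A_TRANSMISSION = frozenset({"password", "usb_key", "aes256", "integrity"})


@dataclass(frozen=True)
class Participant:
    name: str
    location: str   # x2: "office" or "remote" (the paper derives it from the IP address)
    assurance: str  # x3: "high" or "normal", chosen by the user beforehand


def authn_units(p: Participant) -> frozenset:
    """Per-participant authentication policy: stronger outside the office."""
    units = {"password"}
    if p.location != "office":
        units.add("usb_key")
    # Only units the platform actually supports can be selected.
    return frozenset(units) & A_TRANSMISSION


def session_units(service_type: str, a: Participant, b: Participant) -> frozenset:
    """Session policy f for the transmission domain; service_type is x1
    ("video" or "text"). Rules are constructed for illustration."""
    units = set()
    # A session inherits the strictest assurance level of its participants.
    if "high" in (a.assurance, b.assurance):
        units.add("aes256")
    # Integrity protection is dropped for video to keep real-time performance.
    if service_type != "video":
        units.add("integrity")
    return frozenset(units) & A_TRANSMISSION


def plan_session(service_type: str, a: Participant, b: Participant) -> dict:
    """Combine per-user and session-level selections into one policy decision."""
    return {
        "authn": {a.name: authn_units(a), b.name: authn_units(b)},
        "session": session_units(service_type, a, b),
    }


if __name__ == "__main__":
    alice = Participant("Alice", "remote", "high")
    bob = Participant("Bob", "office", "high")
    george = Participant("George", "office", "high")
    print(plan_session("video", alice, bob))   # Alice: password+usb_key; session: aes256
    print(plan_session("text", bob, george))   # password only; session: aes256+integrity
```

Because each f_i only reads x_1, x_2, x_3 and intersects with its own A_i, a storage or processing policy can be written the same way without touching this one, which is the decoupling the paper lists as advantage (2).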

Figure 5. On-demand, differentiated security service for cloud-based conferencing.
In a cloud computing environment, on-demand and differentiated security services are of utmost concern to end users. We propose a new method using security domain division and present a conceptual security model based on these domains. This model can be used to provide dynamic, on-demand, and differentiated protection for cloud-based telecommunications. In this way, SECurity as a Service (SECaaS) can become reality at only small cost.