“No longer does the word “cloud” merely stand for a type of atmospheric phenomena,” Kamhoua said. “Today, the word “cloud” denotes the computational cloud as well.”
“It has made computing a utility – much like water and power,” Kamhoua said.
The National Institute of Standards and Technology defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
According to the researchers, among the multiple benefits that have emerged from a computational cloud meeting these NIST-defined properties are: lower costs, a pay-as-you-go structure, quick deployment, ease of access, dynamic scalability of resources on demand, low overhead and no long-term commitments.
“These benefits are consistent with people’s expectation of a general utility – benefits derived from a community’s sharing of resources in a well-governed manner,” Kamhoua said. “However, there are significant risks associated with using the computational cloud.”
Kamhoua said one of the biggest cyber security concerns is the inherent and unknown danger arising from a shared platform, namely the hypervisor.
According to Kamhoua, one can think of the hypervisor as the infrastructure that is the basis for the cloud’s utility – it is a shared resource where all users interface and connect.
“Herein lies the unseen danger: an attacker can target an unsecured VM, and once that VM is compromised, the attack can move on to compromise the hypervisor,” Kamhoua said. “At that point, the utility of a shared resource of the hypervisor has tipped toward the attacker because once the hypervisor is compromised, all other virtual machines on that hypervisor are easy prey for the attacker.”
A shared platform emphasizes a problem referred to as negative externalities.
“In this case, the negative externality manifests as the (in)security of one virtual machine affecting the security of all other co-located virtual machines,” Kamhoua said.
This security challenge attracted a research team including Kamhoua and researchers from the University of Florida, Haloed Sun TEK of the CAESAR Group and Syracuse University.
“Due to the unique structuring of the competing interests in the cloud, our research team evaluated the problem in question using game theory, which, according to Myerson, in his landmark book “Game Theory: Analysis of Conflict,” is the study of mathematical models of conflict and cooperation between intelligent rational decision-makers,” Kamhoua said.
Their research arrived at a non-intuitive conclusion that improves upon current cloud security approaches.
“The importance of attaining this outcome is this: in cybersecurity, attacker indifference makes a big difference,” Kamhoua said. “By compelling the attacker to be inattentive to any single target, the research team made a novel contribution to cloud security.”
According to Kamhoua, this research reinforces the widely-held understanding that risk in cyberspace can never be eliminated, so it must therefore be rigorously managed. It is advantageous for VMs having the same level of security and risk to be clustered together on the same hypervisor.
“This research reveals a novel virtual machine allocation scheme that can provide the necessary incentive for a large organization with sensitive information such as the Department of Defense to join the cloud,” Kamhoua said. “A quantitative approach to cloud computing security using game theory captures the strategic view of attackers and gains a precise characterization of the cyber threats facing the cloud”.
“This research arms cloud service providers that contract with the DOD with a proven mathematical framework to minimize the impact of cyberattacks in the cloud,” Kamhoua said. “This allow Soldiers with lightweight mobile devices on tactical networks to securely perform fast computation leveraging the cloud.”
Details of this research are presented in the book chapter “Risk and Benefit: Game-Theoretical Analysis and Algorithm for Virtual Machine Security Management in the Cloud” by Luke Kwiat, Charles A. Kamhoua, Kevin A. Kwiat, Jian Tang, in the book “Assured Cloud Computing,” Edited by Roy H. Campbell, Charles A. Kamhoua, and Kevin A. Kwiat, Published by Wiley-IEEE press, October 2018.
The results of the research were also put on the path towards technology transfer to the commercial sector by being submitted to the U.S. Patent and Trademark Office, where US Patent number 9832220 was awarded to Luke Kwiat, Charles Kamhoua and Kevin Kwiat, for the invention “Security method for allocation of virtual machines in a cloud computing network“.
Source : U.S. Army Research Laboratory