Cross-Site Scripting, Sybil and Buffer Overflow
attacks are the most prominent and well-known ones.
Also, the Cloud administrators must follow the
notification and alert bulletins that warn about
new security incidents and threats. Such information
is offered by several entities often called
Computer Emergency Response Teams (CERTs),
such as the CERT Coordination Center at Carnegie
Mellon University. The Internet Storm Center, run
by the SANS Institute, is another source of useful
information.
Finally, the Container can enforce certain
security policies through Execution Monitoring
(EM), which is based on the use of Reference
Monitors (RM) that check the execution of untrusted
code and take corrective action when some policy
is broken. Inline Reference Monitors (IRM) are a
type of RM injected into the very code to be
monitored, so that the checks run at the call sites
of the sensitive operations rather than in a separate
process. Containers could use Aspect Oriented
Programming (AOP) techniques to transparently
weave IRMs into the users' code in order to monitor
it (Yi et al. 2004).
type of database engine. These systems sacrifice
the complexity of the queries that users can run
(generally, joins are to be avoided) in order to
obtain greater scalability and availability.
Google's BigTable (Chang 2008), built on top of
the Google File System, is arguably the best-known
such technology and has raised considerable
interest. It powers the storage service of Google
App Engine (GAE) (GAE 2010), providing a
non-relational database (although with support
for strong transactions) to the Servlets running
there. Other systems are under development, such
as Apache HBase, Apache Cassandra, Project
Voldemort, etc. It is the Cloud provider's decision
which degree of query complexity should be
implemented, taking into account the impact
on costs and scalability.
Access Control. This is provided by the Cloud
so that components can learn the identity of their
callers. This identity is handled by the platform
itself, which has its own user management system.
For example, GAE Servlets can identify users by
their Google account; it is Google that takes care
of the login process.
It is up to the platform, however, to provide
greater access control capabilities, for example
to assign roles to users and to define mappings of
allowed actions to roles that are enforced by the
system rather than by each component. This could
also be combined with accounting capabilities that
allow monitoring the amount of resources consumed
in serving each user request. This kind of control
granularity will be increasingly demanded as the
complexity of the deployed applications grows.
Communication Protocols. For security reasons,
it is likely that the Cloud platform will ban
components from directly handling network
connections. Instead, they will only be allowed
to communicate through the set of APIs available
in the Container. On the other hand, these APIs
can be used to provide an easy way to use a wide
range of protocols and communication models.
For example, a communication service could be
based on the provision of a distributed bus for
2.1.2 Cloud Services
Besides providing a runtime for components, the
Cloud can supply several Cloud Services that
implement useful functionality for components.
Which functionality is provided, how to access it,
the guarantees included (SLAs)... must be clearly
specified, possibly in the form of service contracts.
Here we comment on some fundamental services
that we consider any Cloud platform should provide.
Persistence . Data storage services are needed
by almost any application (save maybe stateless
ones). Storage can be oriented to provide a simple
repository for (typically big) chunks of data, or to
make available a database system for the manage-
ment of structured data.
Structured data has typically been managed
through relational, SQL-compliant databases, and
Cloud systems like Microsoft Azure do provide
components with such solutions. However, Cloud
systems have promoted the use of a different