Much like its meteorological counterpart, Cloud Computing is an amorphous agglomeration of entities. It is amorphous in that the exact layout of the servers, the load balancers and their functions are neither known nor fixed. Its an agglomerate in that multiple service providers and vendors often coordinate to form a multitenant system using virtualization. This complex environment offers great potential to providers and adopters, but also introduces great challenges in managing, combining and providing a variety of highly heterogeneous services. In particular, users interaction with these providers is often cumbersome, as the details of a cloud system are often abstracted away and unclear to most adopters. Further, cloud computing does not offer strong security guarantees, or traceability of data, and its indeterminate nature makes accountability of providers and users operations difficult. This nebulous nature and the lack of security assurances of Cloud services together form the foremost barriers to its adoption.;In this dissertation, we aim to address some of the most significant barriers to the adoption of Cloud services. We propose a novel brokerage-based architecture called GABE - a Cloud brokeraGe system for service selection, AccountaBility and, policy Enforcement. GABE fulfills two major needs of cloud users: helping them understand the Cloud services best suited for them; and providing security assurances on their data. As the core part of the brokerage system, we design a unique indexing technique for managing the information of a large number of Cloud service Providers. Multiple alternatives to the indexing are studied to address specific needs in service selection. We then develop efficient service selection algorithms that rank potential service providers and aggregate them if necessary.;GABE also helps users protect their data by providing a policy driven node selection methodology for map reduce architectures. GABE seamlessly integrates node selection control to the MapReduce framework for increased data security. It leverages data preprocessing techniques and distributed node verification protocols to achieve strong policy enforcement. We further augment GABE by equipping it with accountability features. In order to support accountability, we propose a novel highly decentralized information accountability framework to keep track of the actual usage of the users' data in the Cloud. In particular, we propose an object-centered approach that enables enclosing our logging mechanism together with users' data and policies. We leverage object oriented programming techniques to create a dynamic and traveling object, and to ensure that any access to users' data will trigger authentication and automated logging local to the JARs. We take a policy-driven approach that strongly couples data and content protection policies (CPPs). This approach constitutes an effective and practical solution for content protection for a number of reasons. First of all, both the CPPs and the protection mechanism travel with the content, which is stored in its original form. Secondly, users do not need to rely on any dedicated management system to specify and apply the CPPs. Thirdly, to strengthen users' control, we also provide distributed auditing mechanisms. We provide extensive experimental studies on real cloud computing testbeds that demonstrate the efficiency and effectiveness of the proposed policy driven node selection, auditing, and service selection approaches with real and synthetic Cloud data. (Abstract shortened by UMI.).
展开▼
