Change search
Refine search result
1 - 25 of 25
CiteExportLink to result list
Permanent link
Cite
Citation style
  • apa
  • harvard1
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Rows per page
  • 5
  • 10
  • 20
  • 50
  • 100
  • 250
Sort
  • Standard (Relevance)
  • Author A-Ö
  • Author Ö-A
  • Title A-Ö
  • Title Ö-A
  • Publication type A-Ö
  • Publication type Ö-A
  • Issued (Oldest first)
  • Issued (Newest first)
  • Created (Oldest first)
  • Created (Newest first)
  • Last updated (Oldest first)
  • Last updated (Newest first)
  • Disputation date (earliest first)
  • Disputation date (latest first)
  • Standard (Relevance)
  • Author A-Ö
  • Author Ö-A
  • Title A-Ö
  • Title Ö-A
  • Publication type A-Ö
  • Publication type Ö-A
  • Issued (Oldest first)
  • Issued (Newest first)
  • Created (Oldest first)
  • Created (Newest first)
  • Last updated (Oldest first)
  • Last updated (Newest first)
  • Disputation date (earliest first)
  • Disputation date (latest first)
Select
The maximal number of hits you can export is 250. When you want to export more records please use the Create feeds function.
  • 1.
    Dowsley, Rafael
    et al.
    Aarhus University, Denmark.
    Michalas, Aantonis
    University of Westminster, UK.
    Nagel, Matthias
    Karlsruhe Institute of Technology, Germany.
    Paladi, Nicolae
    RISE - Research Institutes of Sweden, ICT, SICS.
    A survey on design and implementation of protected searchable data in the cloud2017In: Computer Science Review, ISSN 1574-0137, E-ISSN 1876-7745, Vol. 26, p. 17-30Article in journal (Refereed)
    Abstract [en]

    While cloud computing has exploded in popularity in recent years thanks to the potential efficiency and cost savings of outsourcing the storage and management of data and applications, a number of vulnerabilities that led to multiple attacks have deterred many potential users. As a result, experts in the field argued that new mechanisms are needed in order to create trusted and secure cloud services. Such mechanisms would eradicate the suspicion of users towards cloud computing by providing the necessary security guarantees. Searchable Encryption is among the most promising solutions—one that has the potential to help offer truly secure and privacy-preserving cloud services. We start this paper by surveying the most important searchable encryption schemes and their relevance to cloud computing. In light of this analysis we demonstrate the inefficiencies of the existing schemes and expand our analysis by discussing certain confidentiality and privacy issues. Further, we examine how to integrate such a scheme with a popular cloud platform. Finally, we have chosen – based on the findings of our analysis – an existing scheme and implemented it to review its practical maturity for deployment in real systems. The survey of the field, together with the analysis and with the extensive experimental results provides a comprehensive review of the theoretical and practical aspects of searchable encryption.

  • 2.
    Girtler, Daniel
    et al.
    Stockholm University, Sweden.
    Paladi, Nicolae
    RISE - Research Institutes of Sweden, ICT, SICS.
    Component integrity guarantees in software-defined networking infrastructure2017In: 2017 IEEE Conference on Network Function Virtualization and Software Defined Networks, NFV-SDN 2017, Institute of Electrical and Electronics Engineers Inc. , 2017, p. 292-296Conference paper (Refereed)
    Abstract [en]

    Operating system level virtualization containers are commonly used to deploy virtual network functions (VNFs) which access the centralized network controller in software-defined networking (SDN) infrastructure. While this allows flexible network configuration, it also increases the attack surface, as sensitive information is transmitted between the controller and the virtual network functions. In this work we propose a mechanism for bootstrapping secure communication between the SDN controller and deployed network applications. The proposed mechanism relies on platform integrity evaluation and execution isolation mechanisms, such as Linux Integrity Measurement Architecture and Intel Software Guard Extensions. To validate the feasibility of the proposed approach, we have implemented a proof of concept which was further tested and evaluated to assess its performance. The prototype can be seen as the first step into providing users with security guarantees regarding the integrity of components in the SDN infrastructure.

  • 3.
    Michalas, Antonis
    et al.
    RISE, Swedish ICT, SICS, Security Lab.
    Paladi, Nicolae
    RISE, Swedish ICT, SICS, Security Lab.
    Gehrmann, Christian
    RISE, Swedish ICT, SICS, Security Lab.
    Security Aspects of e-Health Systems Migration to the Cloud2014Conference paper (Refereed)
    Abstract [en]

    As adoption of e-health solutions advances, new computing paradigms - such as cloud computing - bring the potential to improve efficiency in managing medical health records and help reduce costs. However, these opportunities introduce new security risks which can not be ignored. Based on our experience with deploying part of the Swedish electronic health records management system in an infrastructure cloud, we make an overview of major requirements that must be considered when migrating e-health systems to the cloud. Furthermore, we describe in-depth a new attack vector inherent to cloud deployments and present a novel data confidentiality and integrity protection mechanism for infrastructure clouds. This contribution aims to encourage exchange of best practices and lessons learned in migrating public e-health systems to the cloud.

  • 4.
    Paladi, Nicolae
    RISE - Research Institutes of Sweden. Lund University.
    Protecting OpenFlow Flow Tables with Intel SGX2019Conference paper (Other academic)
    Abstract [en]

    OpenFlow flow tables in Open vSwitch contain valuable information about installed flows, priorities, packet actions and routing policies. Their importance is emphasized when collocated tenants compete for the limited entries available to install flow rules. From a security point of view, OpenFlow flow tables are a valuable asset that requires both confidentiality and integrity guarantees. However, commodity software switch implementations - such as Open vSwitch - do not implement protection mechanisms capable to prevent attackers from either obtaining information about the installed flows or modifying the contents of flow tables. In this work, we adopt a radical approach to enabling OpenFlow flow table protection through decomposition. Based on a careful analysis of the architecture and implementation of Open vSwitch, we identify core assets requiring security guarantees, design an approach to isolating OpenFlow flow tables, and implement a prototype using Open vSwitch and Software Guard Extensions enclaves.

  • 5.
    Paladi, Nicolae
    RISE, Swedish ICT, SICS, Security Lab.
    Towards secure SDN policy management2015In: 2015 IEEE/ACM 8th International Conference on Utility and Cloud Computing (UCC), 2015, 10, p. 607-611, article id 7431482Conference paper (Refereed)
    Abstract [en]

    Software-Defined Networking (SDN) has emerged as a novel network architectural model that facilitates management of large-scale networks, enables efficient network virtualisation and scalable network multi-tenancy. Centralised network controllers, an important component in the SDN paradigm, deploy on the data plane devices network policies from several independent sources, defined based on a global network view. While this approach allows to efficiently manage network connectivity and reduce the time and cost of deploying new configurations, it also increases the risk for errors – either introduced by accident, through a combination with previous policies, or by a motivated adversary. In this position paper we review the state of the art for network policy verification for SDN deployments, identify existing challenges and outline a secure framework for network policy management in SDN deployments. Combined with existing work on cloud platform and storage security, this will contribute towards creating secure and trusted cloud deployments.

  • 6.
    Paladi, Nicolae
    RISE - Research Institutes of Sweden, ICT, SICS. Lund University, Sweden.
    Trust but verify: trust establishment mechanisms in infrastructure clouds2017Doctoral thesis, monograph (Other academic)
    Abstract [en]

    In the cloud computing service model, users consume computation resources provided through the Internet, often without any awareness of the cloud service provider that owns and operates the supporting hardware infrastructure. This marks an important change compared to earlier models of computation, for example when such supporting hardware infrastructure was under the control of the user. Given the ever increasing importance of computing, the shift to cloud computing raises several challenging issues, which include protecting the computation and ancillary resources such as network communication and the stored or produced data.While the potential risks for data isolation and confidentiality in cloud infrastructure are somewhat known, they are obscured by the convenience of the service model and claimed trustworthiness of cloud service providers, backed by reputation and contractual agreements. Ongoing research on cloud infrastructure has the potential to strengthen the security guarantees of computation, data and communication for users of cloud computing. This thesis is part of such research efforts, focusing on assessing the trustworthiness of components of the cloud network infrastructure and cloud computing infrastructure and controlling access to data and network resources and addresses select aspects of cloud computing security.The contributions of the thesis include mechanisms to verify or enforce security in cloud infrastructure. Such mechanisms have the potential to both help cloud service providers strengthen the security of their deployments and empower users to obtain guarantees regarding security aspects of service level agreements. By leveraging functionality of components such as the Trusted Platform Module, the thesis presents mechanisms to provide user guarantees regarding integrity of the computing environment and geographic location of plaintext data, as well as to allow users maintain control over the cryptographic keys for integrity and confidentiality protection of data stored in remote infrastructure. Furthermore, the thesis leverages recent innovations for platform security such as Software Guard Extensions to introduce mechanisms to verify the integrity of the network infrastructure in the Software-Defined Networking model. A final contribution of the thesis is an access control mechanism for access control of resources in the Software-Defined Networking model. 

  • 7.
    Paladi, Nicolae
    RISE, Swedish ICT, SICS, Security Lab.
    Trusted Computing and Secure Virtualization in Cloud Computing2012Independent thesis Advanced level (degree of Master (Two Years))Student thesis
    Abstract [en]

    Large-scale deployment and use of cloud computing in industry is accompanied and in the same time hampered by concerns regarding protection of data handled by cloud computing providers. One of the consequences of moving data processing and storage off company premises is that organizations have less control over their infrastructure. As a result, cloud service (CS) clients must trust that the CS provider is able to protect their data and infrastructure from both external and internal attacks. Currently however, such trust can only rely on organizational processes declared by the CS provider and can not be remotely verified and validated by an external party. Enabling the CS client to verify the integrity of the host where the virtual machine instance will run, as well as to ensure that the virtual machine image has not been tampered with, are some steps towards building trust in the CS provider. Having the tools to perform such verifications prior to the launch of the VM instance allows the CS clients to decide in runtime whether certain data should be stored- or calculations should be made on the VM instance offered by the CS provider. This thesis combines three components -- trusted computing, virtualization technology and cloud computing platforms -- to address issues of trust and security in public cloud computing environments. Of the three components, virtualization technology has had the longest evolution and is a cornerstone for the realization of cloud computing. Trusted computing is a recent industry initiative that aims to implement the root of trust in a hardware component, the trusted platform module. The initiative has been formalized in a set of specifications and is currently at version 1.2. Cloud computing platforms pool virtualized computing, storage and network resources in order to serve a large number of customers customers that use a multi-tenant multiplexing model to offer on-demand self-service over broad network. Open source cloud computing platforms are, similar to trusted computing, a fairly recent technology in active development. The issue of trust in public cloud environments is addressed by examining the state of the art within cloud computing security and subsequently addressing the issues of establishing trust in the launch of a generic virtual machine in a public cloud environment. As a result, the thesis proposes a trusted launch protocol that allows CS clients to verify and ensure the integrity of the VM instance at launch time, as well as the integrity of the host where the VM instance is launched. The protocol relies on the use of Trusted Platform Module (TPM) for key generation and data protection. The TPM also plays an essential part in the integrity attestation of the VM instance host. Along with a theoretical, platform-agnostic protocol, the thesis also describes a detailed implementation design of the protocol using the OpenStack cloud computing platform. In order the verify the implementability of the proposed protocol, a prototype implementation has built using a distributed deployment of OpenStack. While the protocol covers only the trusted launch procedure using generic virtual machine images, it presents a step aimed to contribute towards the creation of a secure and trusted public cloud computing environment.

  • 8.
    Paladi, Nicolae
    et al.
    RISE, Swedish ICT, SICS, Security Lab.
    Aslam, Mudassar
    RISE, Swedish ICT, SICS.
    Gehrmann, Christian
    RISE, Swedish ICT, SICS, Security Lab.
    Trusted Geolocation-Aware Data Placement in Infrastructure Clouds2014Conference paper (Refereed)
    Abstract [en]

    Data geolocation in the cloud is becoming an increasingly pressing problem, aggravated by incompatible legislation in different jurisdictions and compliance requirements of data owners. In this work we present a mechanism allowing cloud users to control the geographical location of their data, stored or processed in plaintext on the premises of Infrastructure-as-a-Service cloud providers. We use trusted computing principles and remote attestation to establish platform state. We enable cloud users to confine plaintext data exclusively to the jurisdictions they specify, by sealing decryption keys used to obtain plaintext data to the combination of cloud host geolocation and platform state. We provide a detailed description of the implementation as well as performance measurements on an open source cloud infrastructure platform using commodity hardware.

  • 9.
    Paladi, Nicolae
    et al.
    RISE - Research Institutes of Sweden, ICT, SICS.
    Gehrmann, Christian
    Lund University, Sweden.
    SDN Access Control for the Masses2019In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 80, p. 155-172Article in journal (Refereed)
    Abstract [en]

    The evolution of Software-Defined Networking (SDN) has so far been predominantly geared towards defining and refining the abstractions on the forwarding and control planes. However, despite a maturing south-bound interface and a range of proposed network operating systems, the network management application layer is yet to be specified and standardized. It has currently poorly defined access control mechanisms that could be exposed to network applications. Available mechanisms allow only rudimentary control and lack procedures to partition resource access across multiple dimensions. We address this by extending the SDN north-bound interface to provide control over shared resources to key stakeholders of network infrastructure: network providers, operators and application developers. We introduce a taxonomy of SDN access models, describe a comprehensive design for SDN access control and implement the proposed solution as an extension of the ONOS network controller intent framework.

  • 10.
    Paladi, Nicolae
    et al.
    RISE, Swedish ICT, SICS, Security Lab.
    Gehrmann, Christian
    RISE, Swedish ICT, SICS, Security Lab.
    Towards Secure Multi-tenant Virtualized Networks2015In: 2015 IEEE Trustcom/BigDataSE/ISPA, 2015, 7, Vol. 1, p. 1180-1185, article id 7345410Conference paper (Refereed)
    Abstract [en]

    Network virtualization enables multi-tenancy over physical network infrastructure, with a side-effect of increased network complexity. Software-defined networking (SDN) is a novel network architectural model – one where the control plane is separated from the data plane by a standardized API – which aims to reduce the network management overhead. However, as the SDN model itself is evolving, its application to multi-tenant virtualized networks raises multiple security challenges. In this paper, we present a security analysis of SDN- based multi-tenant virtualized networks: we outline the security assumptions applicable to such networks, define the relevant adversarial model, identify the main attack vectors for such network infrastructure deployments and finally synthesize a set of high-level security requirements for SDN-based multi-tenant virtualized networks. This paper sets the foundation for future design of secure SDN-based multi-tenant virtualized networks.

  • 11.
    Paladi, Nicolae
    et al.
    RISE, Swedish ICT, SICS, Security Lab.
    Gehrmann, Christian
    RISE, Swedish ICT, SICS, Security Lab.
    TruSDN: Bootstrapping trust in cloud network infrastructure2017In: Security and Privacy in Communication Networks, 2017, p. 104-124Conference paper (Refereed)
    Abstract [en]

    Software-Defined Networking (SDN) is a novel architectural model for cloud network infrastructure, improving resource utilization, scalability and administration. SDN deployments increasingly rely on virtual switches executing on commodity operating systems with large code bases, which are prime targets for adversaries attacking the network infrastructure. We describe and implement TruSDN, a framework for bootstrapping trust in SDN infrastructure using Intel Software Guard Extensions (SGX), allowing to securely deploy SDN components and protect communication between network endpoints. We introduce ephemeral flow-specific pre-shared keys and propose a novel defense against cuckoo attacks on SGX enclaves. TruSDN is secure under a powerful adversary model, with a minor performance overhead.

  • 12.
    Paladi, Nicolae
    et al.
    RISE, Swedish ICT, SICS, Security Lab.
    Gehrmann, Christian
    RISE, Swedish ICT, SICS, Security Lab.
    Aslam, Mudassar
    RISE, Swedish ICT, SICS.
    Morenius, Fredric
    Trusted Launch of Virtual Machine Instances in Public IaaS Environments2013In: Lecture Notes in Computer Science, 2013, 12Conference paper (Refereed)
    Abstract [en]

    Cloud computing and Infrastructure-as-a-Service (IaaS) are emerging and promising technologies, however their adoption is hampered by data security concerns. At the same time, Trusted Computing (TC) is experiencing an increasing interest as a security mechanism for IaaS. In this paper we present a protocol to ensure the launch of a virtual machine (VM) instance on a trusted remote compute host. Relying on Trusted Platform Module operations such as binding and sealing to provide integrity guarantees for clients that require a trusted VM launch, we have designed a trusted launch protocol for VM instances in public IaaS environments. We also present a proof-of-concept implementation of the protocol based on OpenStack, an open-source IaaS platform. The results provide a basis for the use of TC mechanisms within IaaS platforms and pave the way for a wider applicability of TC to IaaS security.

  • 13.
    Paladi, Nicolae
    et al.
    RISE, Swedish ICT, SICS, Security Lab.
    Gehrmann, Christian
    RISE, Swedish ICT, SICS, Security Lab.
    Aslam, Mudassar
    RISE, Swedish ICT, SICS.
    Morenius, Fredric
    Trusted Launch of Virtual Machine Instances in Public IaaS Environments2013In: Lecture Notes in Computer Science, Vol. 7839, p. 309-323Article in journal (Refereed)
    Abstract [en]

    Cloud computing and Infrastructure-as-a-Service (IaaS) are emerging and promising technologies, however their adoption is hampered by data security concerns. At the same time, Trusted Computing (TC) is experiencing an increasing interest as a security mechanism for IaaS. In this paper we present a protocol to ensure the launch of a virtual machine (VM) instance on a trusted remote compute host. Relying on Trusted Platform Module operations such as binding and sealing to provide integrity guarantees for clients that require a trusted VM launch, we have designed a trusted launch protocol for VM instances in public IaaS environments. We also present a proof-of-concept implementation of the protocol based on OpenStack, an open-source IaaS platform. The results provide a basis for the use of TC mechanisms within IaaS platforms and pave the way for a wider applicability of TC to IaaS security.

  • 14.
    Paladi, Nicolae
    et al.
    RISE - Research Institutes of Sweden, ICT, SICS.
    Gehrmann, Christian
    RISE - Research Institutes of Sweden, ICT, SICS.
    Michalas, Antonis
    RISE - Research Institutes of Sweden, ICT, SICS.
    Providing User Security Guarantees in Public Infrastructure Clouds2017In: IEEE Transactions on Cloud Computing, ISSN 2168-7161, Vol. 5, no 3, p. 405-419, article id 7399365Article in journal (Refereed)
    Abstract [en]

    The infrastructure cloud (IaaS) service model offers improved resource flexibility and availability, where tenants – insulated from the minutiae of hardware maintenance – rent computing resources to deploy and operate complex systems. Large-scale services running on IaaS platforms demonstrate the viability of this model; nevertheless, many organisations operating on sensitive data avoid migrating operations to IaaS platforms due to security concerns. In this paper, we describe a framework for data and operation security in IaaS, consisting of protocols for a trusted launch of virtual machines and domain-based storage protection. We continue with an extensive theoretical analysis with proofs about protocol resistance against attacks in the defined threat model. The protocols allow trust to be established by remotely attesting host platform configuration prior to launching guest virtual machines and ensure confidentiality of data in remote storage, with encryption keys maintained outside of the IaaS domain. Presented experimental results demonstrate the validity and efficiency of the proposed protocols. The framework prototype was implemented on a test bed operating a public electronic health record system, showing that the proposed protocols can be integrated into existing cloud environments.

  • 15.
    Paladi, Nicolae
    et al.
    RISE, Swedish ICT, SICS, Security Lab.
    Gehrmann, Christian
    RISE, Swedish ICT, SICS, Security Lab.
    Morenius, Fredric
    Domain-Based Storage Protection (DBSP) in Public Infrastructure Clouds2013Conference paper (Refereed)
    Abstract [en]

    Confidentiality and integrity of data in Infrastructure-as-a-Service (IaaS) environments increase in relevance as adoption of IaaS advances towards maturity. While current solutions assume a high degree of trust in IaaS provider staff and infrastructure management processes, earlier incidents have demon- strated that neither are impeccable. In this paper we introduce Domain-Based Storage Protection (DBSP) a data confidentiality and integrity protection mechanism for IaaS environments, which relies on trusted computing principles to provide transparent storage isolation between IaaS clients. We describe the building blocks of this mechanism and provide a set of detailed protocols for generation and handling of keys for confidentiality and integrity pro- tection of data stored by guest VM instances. The protocols assume an untrusted IaaS provider and aim to prevent both malicious and accidental faulty config- urations that could lead to breach of data confidentiality and integrity in IaaS deployments.

  • 16.
    Paladi, Nicolae
    et al.
    RISE, Swedish ICT, SICS, Security Lab.
    Gehrmann, Christian
    RISE, Swedish ICT, SICS, Security Lab.
    Morenius, Fredric
    State of The Art and Hot Aspects in Cloud Data Storage Security2013Report (Other academic)
    Abstract [en]

    Along with the evolution of cloud computing and cloud storage towards matu- rity, researchers have analyzed an increasing range of cloud computing security aspects, data security being an important topic in this area. In this paper, we examine the state of the art in cloud storage security through an overview of selected peer reviewed publications. We address the question of defining cloud storage security and its different aspects, as well as enumerate the main vec- tors of attack on cloud storage. The reviewed papers present techniques for key management and controlled disclosure of encrypted data in cloud storage, while novel ideas regarding secure operations on encrypted data and methods for pro- tection of data in fully virtualized environments provide a glimpse of the toolbox available for securing cloud storage. Finally, new challenges such as emergent government regulation call for solutions to problems that did not receive enough attention in earlier stages of cloud computing, such as for example geographical location of data. The methods presented in the papers selected for this review represent only a small fraction of the wide research effort within cloud storage security. Nevertheless, they serve as an indication of the diversity of problems that are being addressed.

  • 17.
    Paladi, Nicolae
    et al.
    RISE, Swedish ICT, SICS, Security Lab.
    Karlsson, Linus
    RISE - Research Institutes of Sweden, ICT, SICS.
    Safeguarding VNF Credentials with Intel SGX2017In: SIGCOMM Posters and Demos '17 Proceedings of the SIGCOMM Posters and Demos, Association for Computing Machinery (ACM), 2017, p. 144-146Conference paper (Refereed)
    Abstract [en]

    Operators use containers – enabled by operating system (OS) level virtualization – to deploy virtual network functions (VNFs) that access the centralized network controller in software-defined net- working (SDN) deployments. While SDN allows flexible network configuration, it also increases the attack surface on the network deployment [8]. For example, insecure communication channels may be tapped to extract or inject sensitive data transferred on the north-bound interface, between the network controller and VNFs; furthermore, to protect the network controller from malicious VNF instances, the integrity and authenticity of VNFs must be verified prior to deployment.o mitigate the risks described above, we implemented a prototype that leverages hardware-based mechanisms for isolated execution implemented by Intel SGX in combination with a run-time integrity measurement subsystem, namely Linux Integrity Measure- ment Architecture (IMA)1. This prototype is a first step towards providing to tenants and end-users integrity guarantees regarding the network components in SDN deployments.

  • 18.
    Paladi, Nicolae
    et al.
    RISE - Research Institutes of Sweden, ICT, SICS.
    Karlsson, Linus
    Lund University, Sweden.
    Elbashir, Khalid
    KTH Royal Institute of Technology, Sweden.
    Trust Anchors in Software Defined Networks2018In: Computer Security: 23rd European Symposium on Research in Computer Security, ESORICS 2018 Barcelona, Spain, September 3–7, 2018, Proceedings, Part II / [ed] Javier Lopez · Jianying Zhou Miguel Soriano, Springer, 2018, Vol. 11099, p. 485-594Conference paper (Refereed)
    Abstract [en]

    Advances in software virtualization and network processing lead to increasing network softwarization. Software network elements running on commodity platforms replace or complement hardware com- ponents in cloud and mobile network infrastructure. However, such com- modity platforms have a large attack surface and often lack granular control and tight integration of the underlying hardware and software stack. Often, software network elements are either themselves vulnerable to software attacks or can be compromised through the bloated trusted computing base. To address this, we protect the core security assets of network elements - authentication credentials and cryptographic context - by provisioning them to and maintaining them exclusively in isolated execution environments. We complement this with a secure and scalable mechanism to enroll network elements into software defined networks. Our evaluation results show a negligible impact on run-time performance and only a moderate performance impact at the deployment stage.

  • 19.
    Paladi, Nicolae
    et al.
    RISE, Swedish ICT, SICS, Security Lab.
    Michalas, Antonis
    RISE, Swedish ICT, SICS.
    "One of Our Hosts in Another Country": Challenges of Data Geolocation in Cloud Storage2014Conference paper (Refereed)
    Abstract [en]

    Physical location of data in cloud storage is an increasingly urgent problem. In a short time, it has evolved from the concern of a few regulated businesses to an important consideration for many cloud storage users. One of the characteristics of cloud storage is fluid transfer of data both within and among the data centres of a cloud provider. However, this has weakened the guarantees with respect to control over data replicas, protection of data in transit and physical location of data. This paper addresses the lack of reliable solutions for data placement control in cloud storage systems. We analyse the currently available solutions and identify their shortcomings. Furthermore, we describe a high-level architecture for a trusted, geolocation-based mechanism for data placement control in distributed cloud storage systems, which are the basis of an on-going work to define the detailed protocol and a prototype of such a solution. This mechanism aims to provide granular control over the capabilities of tenants to access data placed on geographically dispersed storage units comprising the cloud storage.

  • 20.
    Paladi, Nicolae
    et al.
    RISE - Research Institutes of Sweden, ICT, SICS.
    Michalas, Antonis
    Tampere University of Technology, Finland.
    Dan, Hai-Van
    University of Westminster, UK.
    Towards secure cloud orchestration for multi-cloud deployments2018In: Proceedings of the 5th Workshop on CrossCloud Infrastructures & Platforms, Porto, 2018, article id 4Conference paper (Refereed)
    Abstract [en]

    Cloud orchestration frameworks are commonly used to deploy and operate cloud infrastructure. Their role spans both vertically (deployment on infrastructure, platform, application and microservice levels) and horizontally (deployments from many distinct cloud resource providers). However, despite the central role of orchestration, the popular orchestration frameworks lack mechanisms to provide security guarantees for cloud operators. In this work, we analyze the security landscape of cloud orchestration frameworks for multi-cloud infrastructure. We identify a set of attack scenarios, define security enforcement enablers and propose an architecture for a security-enabled cloud orchestration framework for multi-cloud application deployments.

  • 21.
    Paladi, Nicolae
    et al.
    RISE - Research Institutes of Sweden, ICT, SICS.
    Michalas, Antonis
    Tampere University of Technology, Finland.
    Dang, Hai-Van
    University of Westminster, UK.
    Towards secure cloud orchestration for multi-cloud deployments2018In: CrossCloud 2018 - 5th Workshop on CrossCloud Infrastructures and Platforms, colocated with EuroSys 2018, 2018Conference paper (Refereed)
    Abstract [en]

    Cloud orchestration frameworks are commonly used to deploy and operate cloud infrastructure. Their role spans both vertically (deployment on infrastructure, platform, application and microservice levels) and horizontally (deployments from many distinct cloud resource providers). However, despite the central role of orchestration, the popular orchestration frameworks lack mechanisms to provide security guarantees for cloud operators. In this work, we analyze the security landscape of cloud orchestration frameworks for multi-cloud infrastructure. We identify a set of attack scenarios, define security enforcement enablers and propose an architecture for a security-enabled cloud orchestration framework for multi-cloud application deployments.

  • 22.
    Paladi, Nicolae
    et al.
    RISE, Swedish ICT, SICS, Security Lab.
    Michalas, Antonis
    RISE, Swedish ICT, SICS.
    Gehrmann, Christian
    RISE, Swedish ICT, SICS, Security Lab.
    Domain Based Storage Protection with Secure Access Control for the Cloud2014In: Proceedings of the 2nd International Workshop on Security in Cloud Computing, ACM , 2014, 17, p. 35-42Conference paper (Refereed)
    Abstract [en]

    Cloud computing has evolved from a promising concept to one of the fastest growing segments of the IT industry. How- ever, many businesses and individuals continue to view cloud computing as a technology that risks exposing their data to unauthorized users. We introduce a data confidential- ity and integrity protection mechanism for Infrastructure-as- a-Service (IaaS) clouds, which relies on trusted computing principles to provide transparent storage isolation between IaaS clients. We also address the absence of reliable data sharing mechanisms, by providing an XML-based language framework which enables clients of IaaS clouds to securely share data and clearly define access rights granted to peers. The proposed improvements have been prototyped as a code extension for a popular cloud platform.

  • 23.
    Paladi, Nicolae
    et al.
    RISE, Swedish ICT, SICS, Security Lab.
    Michalas, Antonis
    RISE, Swedish ICT, SICS.
    Gehrmann, Christian
    RISE, Swedish ICT, SICS, Security Lab.
    Domain based storage protection with secure access control for the cloud2014Conference paper (Refereed)
    Abstract [en]

    Cloud computing has evolved from a promising concept to one of the fastest growing segments of the IT industry. However, many businesses and individuals continue to view cloud computing as a technology that risks exposing their data to unauthorized users. We introduce a data confidentiality and integrity protection mechanism for Infrastructure-as-a-Service (IaaS) clouds, which relies on trusted computing principles to provide transparent storage isolation between IaaS clients. We also address the absence of reliable data sharing mechanisms, by providing an XML-based language framework which enables clients of IaaS clouds to securely share data and clearly define access rights granted to peers. The proposed improvements have been prototyped as a code extension for a popular cloud platform.

  • 24.
    Paladi, Nicolae
    et al.
    RISE - Research Institutes of Sweden, ICT, SICS.
    Michalas, Antonis
    Tampere University of Technology, Finland.
    Hai-Van, Dang
    University of Westminster, UK.
    Towards Secure Cloud Orchestration for Multi-Cloud Deployments2018In: EuroSys'18 companion proceedings, 2018Conference paper (Refereed)
    Abstract [en]

    Cloud orchestration frameworks are commonly used to deploy and operate cloud infrastructure. Their role spans both vertically (deployment on infrastructure, platform, application and microservice levels) and horizontally (deployments from many distinct cloud resource providers). However, despite the central role of orchestration, the popular orchestration frameworks lack mechanisms to provide security guarantees for cloud operators. In this work, we analyze the security landscape of cloud orchestration frameworks for multicloud infrastructure. We identify a set of attack scenarios, define security enforcement enablers and propose an architecture for a security-enabled cloud orchestration framework for multi-cloud application deployments.

  • 25.
    Svensson, Martin
    et al.
    RISE, Swedish ICT, SICS.
    Paladi, Nicolae
    RISE, Swedish ICT, SICS, Security Lab.
    Giustolisi, Rosario
    RISE, Swedish ICT, SICS.
    5G: Towards secure ubiquitous connectivity beyond 20202015Report (Other academic)
    Abstract [en]

    The growing demand for mobile Internet, and the increasing number of connected devices, has required significant advancements in radio technology and networks compared to the previous generations of mobile telecommunication. Security however has only seen incremental changes to the previous mobile telecommunication generation, with enhancements that mitigate new threats and address revealed weaknesses. 5G is expected to change this, as novel use-cases will demand new trust models and require novel security solutions. In this paper, we examine the state of 5G Security, and start by describing the new expectations, requirements and enablers in 5G and the design principles conferred by material presented in selected publications. Furthermore, we describe the historic development of the authentication and key agreement protocols, which were introduced with GSM (2G), as an example of the incremental improvements to security. Additionally, we present select published papers that suggest different types of attacks on the current generations of mobile networks, and solutions to the identified weaknesses, which must be taken into account in 5G security. Finally, we describe a proposed 5G Security architecture, which bring new models for authentication, authorization and accounting (AAA) to 5G. The role of 5G security is clear, it must not only meet the basic security requirements in confidentiality, integrity and privacy, but also foster user confidence in mobile telecommunication.

1 - 25 of 25
CiteExportLink to result list
Permanent link
Cite
Citation style
  • apa
  • harvard1
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
v. 2.35.7