Yanhuang Li scite author profile

Crom³

et al. 2014

International audienceThe secure interaction between different applications and services requires negotiation of their security properties. This is typically defined as a security policy contract, which aims at coordinating diverse security policies of different actors. Although considerable attention has been attracted to this theme in the recent literature of e-contract and negotiation, there is not a complete framework to negotiate security policies. In this paper, we propose a framework and an algorithm to negotiate security policy. The paper shows mainly how an agreement could be reached between two negotiators with our negotiation model. Besides, it advances an approach to evaluate the relationship between security policies

Similarity Measure for Security Policies in Service Provider Selection

Crom

et al. 2015

The interaction between different applications and services requires expressing their security properties. This is typically defined as security policies, which aim at specifying the diverse privileges of different actors. Today similarity measure for comparing security policies becomes a crucial technique in a variety of scenarios, such as finding the cloud service providers which satisfy client's security concerns. Existing approaches cover from semantic to numerical dimensions and the main work focuses mainly on XACML policies. However, few efforts have been made to extend the measure approach to multiple policy models and apply it to concrete scenarios. In this paper, we propose a generic and lightweight method to compare and evaluate security policies belonging to different models. Our technique enables client to quickly locate service providers with potentially similar policies. Comparing with other works, our approach takes policy elements' logic relationships into account and the experiment and implementation demonstrate the efficiency and accuracy of our approach.

Expression and Enforcement of Security Policy for Virtual Resource Allocation in IaaS Cloud

Crom

et al. 2016

Part 3: Cyber InfrastructureInternational audienceMany research works focus on the adoption of cloud infrastructure as a service (IaaS), where virtual machines (VM) are deployed on multiple cloud service providers (CSP). In terms of virtual resource allocation driven by security requirements, most of proposals take the aspect of cloud service customer (CSC) into account but do not address such requirements from CSP. Besides, it is a shared understanding that using a formal policy model to support the expression of security requirements can drastically ease the cloud resource management and conflict resolution. To address these theoretical limitations, our work is based on a formal model that applies organization-based access control (OrBAC) policy to IaaS resource allocation. In this paper, we first integrate the attribute-based security requirements in service level agreement (SLA) contract. After transformation, the security requirements are expressed by OrBAC rules and these rules are considered together with other non-security demands during the enforcement of resource allocation. We have implemented a prototype for VM scheduling in OpenStack-based multi-cloud environment and evaluated its performance

Firewall Policies Provisioning Through SDN in the Cloud

Cuppens

Zerkane

et al. 2017

Part 3: Cloud SecurityInternational audienceThe evolution of the digital world drives cloud computing to be a key infrastructure for data and services. This breakthrough is transforming Software Defined Networking into the cloud infrastructure backbone because of its advantages such as programmability, abstraction and flexibility. As a result, many cloud providers select SDN as a cloud network service and offer it to their customers. However, due to the rising number of network cloud providers and their security offers, network cloud customers strive to find the best provider candidate who satisfies their security requirements. In this context, we propose a negotiation and an enforcement framework for SDN firewall policies provisioning. Our solution enables customers and SDN providers to express their firewall policies and to negotiate them via an orchestrator. Then, it reinforces these security requirements using the holistic view of the SDN controllers and it deploys the generated firewall rules into the network elements. We evaluate the performance of the solution and demonstrate its advantages

Test Result Of Psm.Xlsx

Li¹,

Crom³

et al. 2016