GABE: A Cloud Brokerage System for Service Selection, Accountability and Enforcement

Open Access
Sundareswaran, Smitha
Graduate Program:
Information Sciences and Technology
Doctor of Philosophy
Document Type:
Date of Defense:
January 17, 2014
Committee Members:
  • Anna Cinzia Squicciarini, Dissertation Advisor
  • Dongwon Lee, Committee Member
  • Dinghao Wu, Committee Member
  • John Metzner, Special Member
  • brokerage
  • service selection
  • accountability
  • cloud computing
  • node selection
  • security
Much like its meteorological counterpart, em Cloud Computing is an amorphous agglomeration of entities. It is amorphous in that the exact layout of the servers, the load balancers and their functions are neither known nor fixed. Its an agglomerate in that multiple service providers and vendors often coordinate to form a multitenant system using virtualization. This complex environment offers great potential to providers and adopters, but also introduces great challenges in managing, combining and providing a variety of highly heterogeneous services. In particular, users interaction with these providers is often cumbersome, as the details of a cloud system are often abstracted away and unclear to most adopters. Further, cloud computing does not offer strong security guarantees, or traceability of data, and its indeterminate nature makes accountability of providers and users operations difficult[1]. This nebulous nature and the lack of security assurances of Cloud services together form the foremost barriers to its adoption. The ambiguous nature of Cloud services also makes choosing the best service challenging. First of all, users may not be aware of all the service providers available to them. Secondly, the users may not be aware of the comprehensive list of options offered by the various service providers even if they know a particular provider. In the scenario where the users know which service option they are looking for, they may not be aware of all the providers supporting the option leading to uninformed choices. Thirdly, users may not be aware of the relationships among service providers, in case the users' requests would be satisfied by a set of providers, and not a single entity. These relationships between the service providers can cause resources, such as storage space, to be overextended. As a result, the process of collecting and analyzing the information required to make a good decision involves a lot of time-consuming computations for consumers. The time-consuming computations involve identifying all the service providers and the relationships between them before making a final choice. As these arduous computations are repeated by multiple consumers who have similar requirements, it is also computationally wasteful. Protecting the data once the service provider is chosen is also major challenge not only because of the changeable relationships between the service providers, but also due to the potentially untrustworthy components of a single service provider. A major feature of the Cloud services is that users' data is usually processed remotely in unknown machines that the users do not own or operate. While enjoying the convenience of remote storage and processing brought by the Cloud services, users' fears of losing control of their own data, particularly financial and health data or any Personally Identifying Information (PII), can become a significant barrier to the wide-spread adoption of Cloud services [2]. In this dissertation, we aim to address some of the most significant barriers to the adoption of Cloud services. We propose a novel brokerage-based architecture called GABE - a Cloud brokeraGe system for service selection, AccountaBility and, policy Enforcement. GABE fulfills two major needs of cloud users: helping them understand the Cloud services best suited for them; and providing security assurances on their data. As the core part of the brokerage system, we design a unique indexing technique for managing the information of a large number of Cloud service Providers. Multiple alternatives to the indexing are studied to address specific needs in service selection. We then develop efficient service selection algorithms that rank potential service providers and aggregate them if necessary. GABE also helps users protect their data by providing a policy driven node selection methodology for map reduce architectures. GABE seamlessly integrates node selection control to the MapReduce framework for increased data security. It leverages data preprocessing techniques and distributed node verification protocols to achieve strong policy enforcement.We further augment GABE by equipping it with accountability features. In order to support accountability, we propose a novel highly decentralized information accountability framework to keep track of the actual usage of the users' data in the Cloud. In particular, we propose an object-centered approach that enables enclosing our logging mechanism together with users' data and policies. We leverage object oriented programming techniques to create a dynamic and traveling object, and to ensure that any access to users' data will trigger authentication and automated logging local to the JARs. We take a policy-driven approach that strongly couples data and content protection policies (CPPs). This approach constitutes an effective and practical solution for content protection for a number of reasons. First of all, both the CPPs and the protection mechanism travel with the content, which is stored in its original form. Secondly, users do not need to rely on any dedicated management system to specify and apply the CPPs. Thirdly, to strengthen users' control, we also provide distributed auditing mechanisms.We provide extensive experimental studies on real cloud computing testbeds that demonstrate the efficiency and effectiveness of the proposed policy driven node selection, auditing, and service selection approaches with real and synthetic Cloud data.