Conference PaperPDF Available

A Distributed Infrastructure for Democratic Cloud Federations

Authors:

Abstract and Figures

Cloud federation is a novel concept that has been drawing attention from research and industry. However, there is a lack of solid proposal that can be widely adopted in practice to guarantee adequate governance of federations, especially in the Public Sector contexts due to legal requirements. In this paper, we propose an innovative governance approach that ensures distributed and democratic control in cloud federations. Starting from FaaS, a recent cloud federation proposal, we propose a blockchain infrastructure for the federation registry that implements the proposed governance approach.
Content may be subject to copyright.
A Distributed Infrastructure for Democratic Cloud Federations
Andrea Margheri, Md Sadek Ferdous, Mu Yang, Vladimiro Sassone
University of Southampton
{a.margheri;s.ferdous;mu.yang;vsassone}@soton.ac.uk
Abstract—Cloud federation is a novel concept that has been
drawing attention from research and industry. However, there
is a lack of solid proposal that can be widely adopted in practice
to guarantee adequate governance of federations, especially in
the Public Sector contexts due to legal requirements.
In this paper, we propose an innovative governance approach
that ensures distributed and democratic control in cloud feder-
ations. Starting from FaaS, a recent cloud federation proposal,
we propose a blockchain infrastructure for the federation
registry that implements the proposed governance approach.
Keywords-Cloud Federation, Governance, Blockchain, Reg-
istry, Privacy.
I. INTRODUCTION
The increasing proliferation of cloud systems raises new
issues, particularly on the interconnectivity and cooperation
of already deployed clouds. Organisations are looking for
appropriate solutions to create a flexible aggregation of cloud
systems, which can be formed dynamically by different
individual clouds that cooperate to achieve specific business
goals. Indeed, the underlying motivations can be multiple.
Among these, sharing of computing resources, controlled us-
age of third-party services or data, collaboration among en-
tities belonging to different administrative domains. Hence,
cloud aggregation leads the constituent clouds to achieve
goals that were not possible to achieve otherwise.
A prominent proposal for cloud aggregation is cloud
federation [1], [2], [3]. It is a recent concept that allows
services from different cloud providers to be aggregated in a
single pool. However, there is no widely accepted proposal
that organisations can adopt, and the few available lacks
of adequate governance solutions: all federation members
should be a network of peers equally concurring to their
governance. Indeed, collusion of outacting members can
cause the forgery of malicious data, thereby compromising,
e.g., the integrity of the federation or the achievement of
its goals. These deficiencies are more compelling in the
European Public Sector, where public administrations are
forced to adopt cloud interoperability solutions according to
the new European Digital Single Market agenda.
In response to this need, as part of the European project
SUNFISH (http://www.sunfishproject.eu/), we are contribut-
ing to design and implement an innovative cloud federation
solution, called Federation-as-a-Service (FaaS) [4]. Based on
the experience gathered within SUNFISH and collaborations
with public administrations, this paper proposes a pioneering
governance for FaaS that can lead to its wide-scale adoption
in the Public Sector.
Our governance proposal is firstly based on the distributed
control of data: all members have a consistent copy of data
that cannot be corrupted by any means. Secondly, on the
democratic control of governance actions: the federation
is ruled according to consensus criteria ensuring that the
rights of each member cannot be violated due to collusion
of others. Finally, on trustworthy data services: access
and sharing data services (e.g., access control and data
anonymisation) must be protected to avoid confidentiality
and integrity attacks [5]. It is worth noticing that the term
democratic is used to reflect the direct participation and
control of the federation by its members, in a way similar
to a direct democracy, and carries no deeper meaning.
To implement this governance, we propose here a first
exploitation of blockchain technology [6] as an infras-
tructure to build the federation registry underlying FaaS.
Blockchain is a novel technology that, besides its application
to cryptocurrency, features fascinating properties concerning
integrity, distribution and control of data. More specifically,
we utilise so-called smart-contracts, i.e. programs deployed
and executed autonomously on blockchain.
The blockchain-based registry offers a set of core func-
tionalities upon which our governance proposal is built.
A preliminary implementation has been realised by using
Ethereum (https://www.ethereum.org/). To the best of our
knowledge, this is the first proposal to use blockchain to
support a cloud federation, both to carry out the federation
governance and to strengthen the trustworthiness of security
services. On the face of it, FaaS appears to be the first
blockchain-based cloud architecture of its denomination.
Paper Structure. Section II illustrates our governance pro-
posal. Section III outlines FaaS. Section IV introduces the
blockchain-based registry infrastructure. Section V discusses
on it. Section VI concludes and touches upon future works.
II. A NEW CLOUD FEDERATION GOVERNANCE
In this section, we synthesise and articulate an innovative
governance for cloud federations that ensures distributed and
democratic control of the federation, and strengthens the
trustworthiness of security-preserving services.
2017 IEEE 10th International Conference on Cloud Computing
2159-6190/17 $31.00 © 2017 IEEE
DOI 10.1109/CLOUD.2017.93
688
The creation of a cloud federation is triggered by a
business goal shared among the participating clouds. The
cooperation of clouds to achieve the goal should be a
priori defined to ensure that the governance is carried out
with the consensus of all members. The cornerstone of the
governance must be a business contract [3], which reports
the types of services to be federated, the guaranteed SLA
and the actions to be taken to rule the federation.
A key driver for the adoption of any cloud federation,
especially in the European Public Sector, is the absence of
a centralised governance. As a matter of fact, among differ-
ent public administrations being federation members, there
cannot be a designated leader (i.e., there is no primus inter
pares), rather federation members must form a network of
peers. To this aim, we identify the following key objectives
to achieve a fully distributed governance
distributed data, the governance data is consistently
distributed among all the federation members; and
democratic control, all federation members have the
same obligations and rights, i.e. the same capacity of
triggering and performing a governance action.
Achieving such objectives would ensure that any governance
action, e.g. the enforcement of access control policies, is
carried out with the consensus of all the members.
To ensure that these objectives are continuously guaran-
teed, the federation governance must secure the provisioning
and sharing of federated service and data. Indeed, the
accountability of all security-preserving functionalities of the
federation (e.g., access control and data anonymisation) is
of paramount importance. Therefore, the governance has to
provide adequate means to ensure
trustworthy data services, i.e. protecting services from
confidentiality and integrity violation attacks.
A cloud participating to such a federation will be relieved
from any additional security management task and enjoy
advanced security-preserving functionalities.
To realise this distributed, democratic and trustworthy
governance, it is needed a distributed infrastructure that,
on one hand, ensures strong integrity and confidentiality
guarantees of data and, on the other hand, supports the non-
repudiable enforcement of the business contract.
III. FAAS:ACLOUD FEDERATION SOLUTION
To address the need of cloud interoperability, the
SUNFISH project has proposed Federation-as-a-Service
(FaaS) [4], a new cloud federation solution. It amounts to
a service for clouds that enables the secure creation and
management of cloud federations.
FaaS is implemented via the SUNFISH software platform
depicted in Figure 1; the description of its components
follow. Most of all, the platform is conceived to be deployed
in a distributed manner on top of all members, thus to avoid
any centralised control and component.
Private
Cloud
Public
Cloud . . .
Data Security (DS) Federated Security
Audit (FSA)
Federated Administration and
Monitoring (FAM)
Anonymization (ANM)
Dynamic Masking (DM)
Secure MpC (SMC) Intelligent Workload Manager
(IWM)
Identity Manager
(IDM)
SUNFISH
PLATFORM
FEDERATED CLOUD
Federated
Cloud
Registry
Interface (RI) Federated Runtime
Monitoring (FRM)
Figure 1. FaaS: Software Platform
The DS component offers a state-of-the-art attribute-based
access control system distributed across all the member
clouds [7]. By relying on the expressiveness of attributes,
which are provided by a federated identity manager (IDM),
the DS is transparently connected with security-preserving
data sharing services: data anonymisation (ANM) and mask-
ing (DM), and secure data computation service (SMC).
Specifically, data masking and anonymisation services are
used, respectively, to ensure the privacy of sensitive datasets
to be stored and released.
The inter-cloud interactions, controlled by the DS, are
monitored by the FRM [8] via a distributed set of probes,
and audited offline by the FSA.
The IWM and FAM are in charge of managing tenants
by providing optimised workload strategies and SLA mon-
itoring. Finally, the RI is the logical entry-point to the un-
derlying blockchain-based infrastructure implementing the
federation registry and realising the proposed governance.
IV. A BLOCKCHAIN INFRASTRUCTURE FOR CLOUD
FEDERATIONS
To realise the FaaS federation registry and the proposed
governance, we introduce here the use of a blockchain
system featuring smart-contracts, both to store data and to
offer computational resources.
The advantages of using blockchain amount to the strong
integrity guarantees of the stored data and of the non-
repudiable, persistence of smart-contract executions. Due to
the replication of data on blockchain, the service availability
is also always guaranteed.
689
DS2RI
DS2RI RI
RI FSA
DS1RI
DS1RI
Smart-contract Blockchain
FAM
RI
DM
DataData
DS2RI RI
RI FSA
DS1RI
Smart-contract Blockchain
FAM
RI
DM
Data
Tenant1
Tenant2
Tenant3
Tenant4
Tenant5
FRM
FRM
DS2RI RI
RI FSA
DS1RI
Smart-contract Blockchain
FAM
RI
DM
Data
Tenant1
Tenant2
Tenant3
Tenant4
Tenant5
FRM
FRM
Figure 2. Blockchain Infrastructure and its interaction with FaaS platform components (Coloured boxes are components from Figure 1)
A. Functionality
The blockchain infrastructure implements the proposed
governance by offering the following functionalities.
Federation Contract: It offers the storage of the busi-
ness contract and the contract signature of each federation
member. According to the needs, it supports the evaluation
of precise metrics to evaluate the contract rules.
Federated Services: It offers up-to-date snapshots of
the whole federation state, thus to correctly manage the
allocation of and access to available services.
Access Control and SLA policies: It stores access con-
trol and SLA policies concerning provisioning of federated
services. It also supports administration actions on policies.
Data Sharing Services: Although security-preserving
techniques are proven individually secure, various studies
(see, e.g., [5]) show that they can be circumvented, e.g.
by linkage attacks. Thus, this functionality offers supporting
functions for strengthening their reliability.
Federation Monitoring: It stores and processes logs
gathered by the access control monitoring system.
B. Architecture
The infrastructure consists of a private blockchain system
shared among multiple FaaS federations. Each federation has
its own smart-contracts, one for each of the functionality, and
relies on RIs to interact with them.
Focussing on a single federation, the infrastructure and
its interaction can be represented as in Figure 2. Indeed, the
platform components willing to use a functionality interacts
via the APIs of the RI1. In its own turn, the RI invokes the
corresponding smart-contracts with the given parameters and
returns the received outputs. Push notifications are also sup-
ported to allow multiple side-effects of single invocations.
The architectural design based on API fully decouples the
functionalities from the specific software used to implement
the smart-contract blockchain. Additionally, exploiting one
1https://github.com/sunfish-prj/SUNFISH-Platform- API/tree/master/
RegistryInterfaceAPI
infrastructure for multiple federations has significant advan-
tages. On the one hand, the more the nodes of the blockchain
network are, the higher the integrity and availability guar-
antees are. On the other hand, as the infrastructure is stan-
dalone, new federations can be built upon by only setting up
the needed contracts and their access parameters. Obviously,
every RI can only access its federation data: a trusted
computing platform is used to store a federation membership
token needed for interacting with smart-contracts.
C. Implementation
A preliminary implementation of the blockchain-based
registry for FaaS is based on Ethereum. Other blockchain
solutions, e.g. Hyperledger (https://www.hyperledger.org/),
could be similarly used. In the rest, we comment on the
smart-contracts implementing some of the functionalities.
1) Data Sharing Services: This functionality concerns
the security enhancements offered to the data masking and
anonymisation services. To the former, it offers a reliable
storage to secure the masking ingredients. To the latter, it
prevents on the fly the degradation of ensured privacy levels.
Data masking. As shown in Figure 2, a masking table
is generated and used by the DM to carry out the data
(un)masking process. To avoid a centralised, untrustworthy
storage of the table, we rely on a smart-contract. Specifically,
the table is first encrypted with the public key of the party
authorised to access the table. Then, it is divided into chucks
and stored, together with the masking table identifier, via a
smart-contract. Hence, the authorised party can download
the table, decrypt it and unmask the data.
Anonymisation. The ANM offers, among others, a differ-
ential privacy [9] service for obfuscating sensitive datasets
before release. To avoid linkage attacks that will degrade
the privacy level of already released datasets, we rely on a
smart-contract. It stores a privacy budget that (i) controls the
amount of noise generated in the obfuscation; (ii) evaluates
on the fly data release queries; (iii) adapts the used differen-
tial privacy parameters. As outlined in Listing 1, the contract
690
Listing 1
DATA QUERY RECORD (‘query’ is a data structure)
contract QueryRecord{
struct record {
string dataset_id;
unit budget;
mapping (unit => query) queries;
}
mapping (string => record) queryRecord;
function evalQuery(query param) public returns (...){
uint requestedBdgt = evalBudget(param);
if (queryRecord[param.name].budget > = requestedBdgt)
//query authorised, return differential privacy
parameters, update remaining budget
else
//query not authorised
}
}
maintains, via the data structure record, all the information
on managed datasets. When a new query arrives, the function
evalQuery checks the query parameters according to the
available budget and provides the appropriate information
to tune the release; the budget is then updated accordingly.
2) Access Control Monitoring: The distributed set of
probes of FRM [8] are used to intercept and monitor inter-
cloud interactions. The sensed logs are stored and evaluated
by means of smart-contracts. Specifically, they perform
semantics checks on the attributes forming access requests
and on how the distributed DS components operate to carry
out the distributed authorisation process.
Additionally, these checks are paired with off-chain, in-
tensive checks on the policy evaluation process; this policy
analyser is developed by using the formal framework in [10].
V. D ISCUSSION
The proposed governance needs no trusted-third-party
to base a federation upon. Hence, there is no single-
point-of-failure and it advocates the democratic control and
enforcement of the federation business contract, thus to
avoid collusion attacks against federation members. This is
realised by exploiting a blockchain-based registry.
The registry is also used to improve the security of the
whole federation. In fact, on the one hand, it mitigates well-
known vulnerabilities of data sharing services and, most
of all, it ensures the availability of services. On the other
hand, it puts in place the ingredients to support decentralised
runtime monitoring of the federation.
It is also worth mentioning that we are aware of typical
disadvantages of blockchain (i.e., limited speed, limited
computing resources, possible scalability issues, etc.), but
some preliminary research activities we carried out [11]
exemplified that a balance between security guarantees and
performance can be achieved. It is there introduced a layered
blockchain deployment which anchors a fast blockchain, e.g.
Hyperledger, to a slow one in order to enhance the overall
security, while offering adequate performance.
VI. CONCLUSION
In this paper, we have presented a blockchain infras-
tructure for implementing a cloud federation registry and
realising an innovative governance for cloud federations. The
distributed and democratic governance properties ensured
by this blockchain-based solution will pave the way to a
wider adoption of cloud federation solutions, especially in
the Public Sector.
In future, we plan to finalise the implementation of the in-
frastructure and to introduce new governance functionalities
like, e.g., a reliable reputation system.
ACKNOWLEDGMENT
This work has been supported by the EU project SUN-
FISH project, grant agreement N. 644666.
REFERENCES
[1] T. Kurze, M. Klems, D. Bermbach, A. Lenk, S. Tai, and
M. Kunze, “Cloud Federation,” in Cloud Computing, GRIDs,
and Virtualization, 2011, pp. 32–38.
[2] A. Celesti, F. Tusa, M. Villari, and A. Puliafito, “How to
enhance cloud architectures to enable cross-federation,” in
CLOUD. IEEE, 2010, pp. 337–345.
[3] M. R. M. Assis and L. F. Bittencourt, “A survey on
cloud federation architectures: Identifying functional and non-
functional properties,” J. Network and Computer Applica-
tions, vol. 72, pp. 51–71, 2016.
[4] F. P. Schiavo, V. Sassone, L. Nicoletti, and A. Margheri (Eds.),
“Faas: Federation-as-a-service,” CoRR, vol. abs/1612.03937,
2016.
[5] S. Garfinkel, “NIST SP 800-188: De-Identifying Government
Datasets,” 2016.
[6] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash sys-
tem,” 2008, available at https://bitcoin.org/bitcoin.pdf.
[7] B. Suzic, B. Pr¨
unster, D. Ziegler, A. Marsalek, and A. Reiter,
“Balancing Utility and Security: Securing Cloud Federa-
tions of Public Entities,” in C&TC, ser. LNCS, vol. 10033.
Springer, 2016, pp. 943–961.
[8] M. S. Ferdous, A. Margheri, M. Yang, F. Paci, and V. Sassone,
“Decentralised runtime monitoring for distributed access con-
trol systems,” in ICDCS. IEEE, 2017, To appear.
[9] C. Dwork, “Differential privacy,” in Proceedings of the 33rd
International Conference on Automata, Languages and Pro-
gramming, 2006, pp. 1–12.
[10] A. Margheri, M. Masi, R. Pugliese, and F. Tiezzi, “A rigorous
framework for specification, analysis and enforcement of
access control policies,” CoRR, vol. abs/1612.09339, 2016.
[11] E. Gaetani, L. Aniello, R. Baldoni, F. Lombardi, A. Margheri,
and V. Sassone, “Blockchain-based database to ensure data
integrity in cloud computing environments,” in ITA-SEC, vol.
1816. CEUR-WS.org, 2017.
691
... Platform Purpose Inter-operability Privacy Schiavo et al. [36] Any Democratic governance on data and services Alansari et al. [37] Ethereum Finegrained attribute-based access control Alansari et al. [38] Ethereum Attribute based access control Yang et al. [39] Fabric Differntially-private data sharing DRAMS [40] Ethereum Decentralised runtime monitoring -Margheri et al. [41] Ethereum Governance for democratic control -CloudChain [42] Fabric Democratic control on IaaS provisioning ness logic stages. Apart from other conventional BaaS models, Big Data Open Architecture (BDOA) with four layers has been incorporated with this model. ...
... DRAMS [40] proposes a blockchain-based decentralized runtime access monitoring system for a federated cloud in order to ensure that the components that receive, process and exchange access requests can not be subverted. Margheri et al. [41] proposed an innovative governance approach, data masking, anonymization and access control monitoring services, to ensure a democratic control of different providers in a cloud federation. On the other hand, CloudChain [42] proposed a blockchain-based democratic infrastructure service provisioning system for a cloud federation ensuring the transparency and immutability in resource and information exchange. ...
Conference Paper
Full-text available
Blockchain is one of the emerging technologies with the potential to disrupt many application domains. Cloud is an on-demand service paradigm facilitating the availability of shared resources for data storage and computation. In recent years, the integration of blockchain and cloud has received significant attention for ensuring efficiency, transparency, security and even for offering better cloud services in the form of novel service models. In order to exploit the full potential of blockchain-cloud integration, it is essential to have a clear understanding on the existing works within this domain. To facilitate this, there have been several survey papers, however, none of them covers the aspect of blockchain-cloud integration from a service-oriented perspective. This paper aims to fulfil this gap by providing a service oriented review of blockchain-cloud integration. Indeed, in this survey, we explore different service models into which blockchain has been integrated. For each service model, we review the existing works and present a comparative analysis so as to offer a clear and concise view in each category.
... Platform Purpose Inter-operability Privacy Schiavo et al. [36] Any Democratic governance on data and services Alansari et al. [37] Ethereum Finegrained attribute-based access control Alansari et al. [38] Ethereum Attribute based access control Yang et al. [39] Fabric Differntially-private data sharing DRAMS [40] Ethereum Decentralised runtime monitoring -Margheri et al. [41] Ethereum Governance for democratic control -CloudChain [42] Fabric Democratic control on IaaS provisioning ness logic stages. Apart from other conventional BaaS models, Big Data Open Architecture (BDOA) with four layers has been incorporated with this model. ...
... DRAMS [40] proposes a blockchain-based decentralized runtime access monitoring system for a federated cloud in order to ensure that the components that receive, process and exchange access requests can not be subverted. Margheri et al. [41] proposed an innovative governance approach, data masking, anonymization and access control monitoring services, to ensure a democratic control of different providers in a cloud federation. On the other hand, CloudChain [42] proposed a blockchain-based democratic infrastructure service provisioning system for a cloud federation ensuring the transparency and immutability in resource and information exchange. ...
Preprint
Full-text available
Blockchain is one of the emerging technologies with the potential to disrupt many application domains. Cloud is an on-demand service paradigm facilitating the availability of shared resources for data storage and computation. In recent years, the integration of blockchain and cloud has received significant attention for ensuring efficiency, transparency, security and even for offering better cloud services in the form of novel service models. In order to exploit the full potential of blockchain-cloud integration, it is essential to have a clear understanding on the existing works within this domain. To facilitate this, there have been several survey papers, however, none of them covers the aspect of blockchain-cloud integration from a service-oriented perspective. This paper aims to fulfil this gap by providing a service oriented review of blockchain-cloud integration. Indeed, in this survey, we explore different service models into which blockchain has been integrated. For each service model, we review the existing works and present a comparative analysis so as to offer a clear and concise view in each category.
... All block chains use Merkle tree and use Smart Contract to make transactions between their block chains. Margueri et al. [25] defined a private cloud blockchain using the Ethereum platform in a distributed environment, using Smart Contracts to formalize transactions and establish network consensus. ...
... CTL CBA E.A CSS PTF CLD IoT S.C STR [31] HB DTD LDG PTD ETH X X SG [39] HB DTD LDG PTD X LG [34] HB DTD LDG X X SD [33] HB DTD LDG CL X X SD [12] HB DTD LDG CL SR [42] HB LDG CL ETH X SD [14] HB DTD HPL PTD HPL LG [20] PV DCD LDG CL SD [28] PV DTD LDG CL SD [10] PV DTD LDG CL ETH X SD [25] PV DTD LDG CL ETH X X FD [2] PV DTD LDG CL ETH X X FD [1] PV DTD HPL PTD HPL X X SD [36] PV DCD LDG PTD SG [8] PV DTD LDG CL X X X ED [23] PV DTD LDG PTD EG [37] PV DCD LDG CL X X SD [29] PV DTD LDG CL X X SD [21] PV DTD LDG CL ETH X X UB [17] PV DTD LDG CL ETH SD [24] PV DTD LDG PTD X X FD [9] PV DCD LDG CL SD [6] PV DTD LDG X X X SD [40] PV DTD LDG CL X SD [35] PU DCD LDG CL ETH X SE [27] PU DCD LDG PTD ETH X X PL [11] PU DCD LDG PTD X SG [4] PU DCD LDG PTD SE [7] PU DCD LDG PTD BTC SE [22] PU DCD LDG PTD AG [16] PU DCD LDG PTD X SG [32] PU DCD LDG PTD ETH X ED [30] PU DCD LDG PTD X SE IV. DISCUSSIONS It is observed that the articles were published from 2016 to 2018 and the subject is a recent scientific research area. ...
... When looking into the application domain, most of the research (7 articles) discuss the application of blockchain for e-Government in general, discuss the idea, potential benefits, current issues, potential use, approach and evaluation of blockchain adoption [19,24,26,28,[33][34][35]. Blockchain applications in public healthcare received the highest attention, with four articles looking into the possible use of blockchain to improve patient medical records integrity [1,2,27,38]. ...
... After reading all the selected articles, we identified 11 articles that are focused on providing conceptual frameworks of blockchain utilization in e-Government applications. Some of the articles discuss current issues, the potential benefits, the importance and general vision of adopting blockchain technology to improve public services delivery [19,24,26,28,[33][34][35], and e-voting [12]. Furthermore, Sun et al. [41] analyzed the influence of blockchain technology on the smart city development while Maria-Lluïsa and Marsal-Llacuna [29] show how blockchain networks could disrupt the urban context. ...
Conference Paper
Full-text available
In the past few years, researchers and practitioners have highlighted the potential of Blockchain (BC) and distributed ledger technology to revolutionize government processes. Blockchain technology enables distributed power and embedded security. As such, Blockchain is regarded as an innovative, general purpose technology, offering new ways of organization in many domains, including e-government for transactions and information exchange. However, due to its very characteristics of peer to peer information exchange, its distributed nature, the still developing technology, the involvement of new actors, roles, etc., the implementation of blockchain applications raise issues that need governance attention. BC initiatives have implications for citizen trust, privacy, inclusion and participation. Governmental organizations need a thorough understanding of the BC design principles, the possible applications in the domain of e-government and the exploration of governance mechanisms to deal with the limitations and challenges of the BC technology when used in a myriad of sectors, ranging from the financial and business sector to the social domains of healthcare and education. In this panel we explore the impact of block chain technology on all levels of government and create an awareness of effects or applications in society that raise governance issues.
... When looking into the application domain, most of the research (7 articles) discuss the application of blockchain for e-Government in general, discuss the idea, potential benefits, current issues, potential use, approach and evaluation of blockchain adoption [20,25,27,29,[35][36][37]. Blockchain applications in public healthcare received the highest attention, with four articles looking into the possible use of blockchain to Meanwhile, three articles examined the use of blockchain in educational services to overcome the lack of data integration and integrity in the public education sector [7,40,41]. ...
... In accordance with the categorization of the systems development research process by Nunamaker et al. [34], we identified 11 articles that are focused on providing conceptual frameworks of blockchain utilization in e-Government applications. Some of the articles discuss current issues, the potential benefits, the importance and general vision of adopting blockchain technology to improve public services delivery [20,25,27,29,[35][36][37], and e-voting [12]. Furthermore, Sun et al. [43] analyzed the influence of blockchain technology on the smart city development while Maria-Lluïsa and Marsal-Llacuna [30] show how blockchain networks could disrupt the urban context. ...
Conference Paper
The ability of blockchain technology to record transactions on distributed ledgers offers new opportunities for governments to improve transparency, prevent fraud, and establish trust in the public sector. However, blockchain adoption and use in the context of e-Government is rather unexplored in academic literature. In this paper, we systematically review relevant research to understand the current research topics, challenges and future directions regarding blockchain adoption for e-Government. The results show that the adoption of blockchain-based applications in e-Government is still very limited and there is a lack of empirical evidence. The main challenges faced in blockchain adoption are predominantly presented as technological aspects such as security, scalability and flexibility. From an organizational point of view, the issues of acceptability and the need of new governance models are presented as the main barriers to adoption. Moreover, the lack of legal and regulatory support is identified as the main environmental barrier of adoption. Based on the challenges presented in the literature, we propose future research questions that need to be addressed to inform how the public sector should approach the blockchain technology adoption.
... Moreover, this heterogeneity makes it more difficult for users to switch from one provider to another. To overcome the heterogeneity issue, the concept of trust is introduced by several research works within multi-cloud environments in order to create a single access point and to run this environment as a single organisation by creating a cloud federation [21,24,28,[34][35][36][37][38][39][40][41][42]. ...
Article
Full-text available
Nowadays, the multi-cloud environment is gaining a momentum since it provides its users with reduced costs, greater flexibility and elasticity, high availability and better fault-tolerance. Despite these advantages, these environments present many challenges, including service management and interoperability issues. Due to the diversity of cloud service providers, their heterogeneity and the exponential growth of offered services, user requirements cannot be adequately met. These problems, if not addressed effectively, can have a negative impact on the cloud environment as well as on the user experience. Thus, to answer the service management problem in multi-cloud environments, we propose in this paper a threefold contribution (i) a noval cloud federation architecture, (ii) a suitable service management system and (iii) a service publication algorithm in order to manage, store and retrieve efficiently cloud services within the federation. Our solution consists in combining several concepts including trust, clustering and , ontologies. Our aim is to automate the management process, maximise the profit and ensure a better user experience. Our experiments highlight the effectiveness of the proposed cloud federation architecture as well as the deployed management system in optimizing the storage space and answering effectively and rapidly users’ requests.
... According to Margheri et al. (2017) and Kurze et al. (2011) each federation aims to achieve a business need that the constituent clouds would not have achieved by themselves. As members in clouds federation can offer resources in the form of data and services to other federated clouds, such collaboration implies a certain level of trust between the participating organisations, mainly to validate users' identities. ...
Thesis
Data sharing is the key motivation behind today’s communications. Cross-organisation data sharing has become a must in modern systems. These systems mostly rely on trusted third parties to transfer, store and even protect personal data. However, the increased reliance on trusted third parties and the sophistication of cyber attacks expose users to several privacy and security threats. In addition, new regulations, like the General Data Protection Regulation (GDPR), extend the scope of personal data, require more transparency on data collection and processing and impose legal liabilities on organisations affected by data breaches. This work proposes SeTA a secure, transparent and accountable data sharing framework that relies on two novel technologies: blockchain and Intel’s Software Guard Extensions (SGX). The framework allows data providers to enforce their attribute-based access control policies via encryption. Access control policies along with the attributes required for their evaluation are managed by smart contracts deployed on the blockchain. The transparency and immutability inherited from the blockchain participate in enhancing the evaluation process of the policies conditions against user’s identity attributes . To prove the security of our blockchain-based data sharing protocol, we analyse the protocol using the ProVerif verification tool. We integrate our data sharing protocol with an accountable decryption approach by exploiting SGX. The approach allows generating a tamper-resistant log containing information about each data decryption occurrence. The log works as a proof of data access and can be used for auditability and accountability purposes.
Article
Full-text available
Cloud Computing was a disruptive technology that reshaped the entire global industry, decentralizing the operational exchange and use of data and information. More companies are transitioning to a cloud-based infrastructure and are shifting some basic as well as advanced functionalities to it due to its salient features such as security, availability, scalability and popularity. Nevertheless, there is uncertainty attached to its limitations considering the possible saturation of the ceiling of growth and subsequent maturity of the technology’s potential. Therefore, it is essential to grasp the scope of the technology to be ready for the prospective trends and changes, as well as to channel its full incremental potential. For this, an elucidated statistical analysis of the technology is conducted, including the assessment of the trends of publications and patents signifying the evolution of the technology, its projected time of maturity, and finally, a befitting evidential roadmap for its future. This original work aims to add value by analyzing the numerical information concerning the growth of the technology over the years since its inception, and subsequently construct a detailed plan to adapt business objectives to the possible tapering of the growth curve of Cloud and build a suggestive and tentative contingency plan for the stage of technological maturity. Our finding indicates that Cloud technology may reach its maturity sooner than expected and an investment today might give the companies a competitive edge early on in the era of technological advancements and uncertainty.
Conference Paper
The current implementations of federated clouds depend on a central broker that takes care of the resource allocation as well as scheduling and pricing for the shared resources under the federation. In this paper, we propose an alternate architecture for federated Infrastructure-as-a-service (IaaS) provisioning with the help of a completely decentralized marketplace designed using the blockchain technology. The proposed architecture is free from any central broker and supports decentralization, transparency of resource exchanges, autonomy of service providers, immutability in information exchange for dispute-free billing and fairness for service provisioning. An in-house implementation of the proposed architecture with three cloud service providers shows that CloudChain indeed supports resource allocation fairness while achieving almost similar service provisioning performance compared to a central broker based federation architecture.
Article
Full-text available
Access control systems are widely used means for the protection of computing systems. They are defined in terms of access control policies regulating the accesses to system resources. In this paper, we introduce a formally-defined, fully-implemented framework for specification, analysis and enforcement of attribute-based access control policies. The framework rests on FACPL, a language with a compact, yet expressive, syntax for specification of real-world access control policies and with a rigorously defined denotational semantics. The framework enables the automatic verification of properties regarding both the authorisations enforced by single policies and the relationships among multiple policies. Effectiveness and performance of the analysis rely on a semantic-preserving representation of FACPL policies in terms of SMT formulae and on the use of efficient SMT solvers. Our analysis approach explicitly addresses some crucial aspects of policy evaluation, as e.g. missing attributes, erroneous values and obligations, which are instead overlooked in other proposals. The framework is supported by Java-based tools, among which an Eclipse- based IDE offering a tailored development and analysis environment for FACPL policies and a Java library for policy enforcement. We illustrate the framework and its formal ingredients by means of an e-Health case study, while its effectiveness is assessed by means of performance stress tests and experiments on a well-established benchmark.
Article
Full-text available
This document is the main high-level architecture specification of the SUNFISH cloud federation solution. Its main objective is to introduce the concept of Federation-as-a-Service (FaaS) and the SUNFISH platform. FaaS is the new and innovative cloud federation service proposed by the SUNFISH project. The document defines the functionalities of FaaS, its governance and precise objectives. With respect to these objectives, the document proposes the high-level architecture of the SUNFISH platform: the software architecture that permits realising a FaaS federation. More specifically, the document describes all the components forming the platform, the offered functionalities and their high-level interactions underlying the main FaaS functionalities. The document concludes by outlining the main implementation strategies towards the actual implementation of the proposed cloud federation solution.
Conference Paper
Following their practical needs and legal constraints, recent application of the cloud paradigm among public administrations has been focused on the deployment of private clouds. Due to the increasing amount of data and processing requirements, many organizations are considering possibilities to additionally optimize their infrastructures and collaborative processes by employing private cloud federations. In this work, we present our contribution based on three real-world use cases implemented in the course of the SUNFISH project. We consider intra- and inter-organizational processes which demand secure and transparent infrastructure and data sharing. Based on derived requirements for data security and privacy in cloud federations, we propose a security governance architecture which enables a multi-layered, context and process-aware policy enforcement in heterogeneous environments. The proposed architecture relies on the micro-services paradigm to support scalability and provides additional security by integrating reactive and transformative security controls. To prove the feasibility of this work we provide performance evaluation of our implementation.
Article
The cloud computing paradigm as originally conceived has reached a plateau of evolution, exposing several limitations that compromise the main features of the paradigm: resource contention, interruption of services, lack of interoperability in data representation, quality of service degradation, and others. Consequently, several new approaches to its use and optimization have been implemented to maintain continuity of technology. In this way, multiple clouds organizations have been formed with the objective of maximizing the use of cloud computing, in particular small- and medium-sized cloud providers who present difficulties to maintain all properties of the paradigm have mobilized themselves into organizations to maximize their revenues. Such organizations, formally called inter-clouds, have been gaining attention, where solutions like hybrid clouds, multi-clouds, and cloud federations are the main elements in the academic-scientific and industrial world. In particular, cloud federations are well behaved because organizations governed by a contract can be interesting and useful in many critical environments. However, there is a lack of works dedicated only to clouds federations. In addition, the existing works are not able to describe federations as unique inter-cloud entities to highlight specific properties and characteristics. In this paper, we present the desired functional and non-functional properties for cloud federations through the identification of the main architectures in the literature, and we evaluate these architectures based on the described properties.
Article
Propose. Break. Propose again. So pre-modern cryptography cycled. An encryption scheme was proposed; a cryptanalyst broke it; a modification, or even a completely new scheme, was proposed. Nothing ensured that the new scheme would in any sense be better than the old. Among the astonishing breakthroughs of modern cryptography is the methodology of rigorously defining the goal of a cryptographic primitive - what it means to break the primitive - and providing a clear delineation of the power - information, computational ability - of the adversary to be resisted (Goldwasser and Micali 1984; Goldwasser et al. 1988). Then, for any proposed method, one proves that no adversary of the specified class can break the primitive. If the class of adversaries captures all feasible adversaries, the scheme can be considered to achieve the stated goal. This does not mean the scheme is invulnerable, as the goal may have been too weak to capture the full demands placed on the primitive. For example, when the cryptosystem needs to be secure against a passive eavesdropper the requirements are weaker than when the cryptosystem needs to be secure against an active adversary that can determine whether or not arbitrary ciphertexts are well formed (such an attack was successfully launched against PKCS#1; Bleichenbacher 1998). In this case the goal may be reformulated to be strictly more stringent than the original goal, and a new system proposed (and proved). This strengthening of the goal converts the propose-break-propose again cycle into a path of progress.
Article
A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.