CHIPS Articles: The Nomad Project: Targeting Security and Availability Issues in the Cloud

The three deployment models of cloud computing, infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS), offer significant benefits over traditional software deployment models. These benefits include economies of scale, reduced spending, improved accessibility, and enhanced scalability, which reduces personnel training, minimizes software licensing costs, and improves flexibility.

However, organizations with sensitive data, such as the U.S. Department of Defense (DoD), cannot take advantage of these benefits because of security and availability concerns.

Today, many organizations can store data securely using encryption techniques within the cloud. However, these encryption techniques do not support processing (e.g., data analysis) of the data. In order to process the data, it must first be decrypted. Otherwise, it needs to be stored as unencrypted data.

With these limitations, outsourcing data and processing to a third-party cloud provider requires a high degree of trust. How do you know if a cloud service provider is trustworthy?

In addition, the availability of cloud services is not guaranteed. If cloud services go offline, then all applications using those services will also go offline. How can you guarantee that the services you need from the cloud will be available whenever you need them?

The Nomad project at the Space and Naval Warfare Systems Center Pacific (SSC Pacific) in San Diego, California, is addressing these cloud security and availability issues to promote adoption of the cloud.

Organizational Relevance

The confidentiality of data stored within public clouds is not guaranteed due to multiple cloud security threats identified by the Cloud Security Alliance and other cybersecurity organizations.

As a result, organizations with sensitive data, especially government agencies, are usually hesitant to use public clouds. The DoD, for example, is cautiously adopting public clouds to take advantage of IT efficiencies and reduced costs. However, the threat of data leakage posed by insider and outsider attacks has led to the construction of a cloud security model and other DoD guidance about how to secure access to the cloud, as well as the creation of separate cloud enclaves for use solely by U.S. government organizations.

The Nomad team at SSC Pacific believes that their high assurance cloud framework will directly address the security and availability issues with existing cloud services by employing state-of-the-art technologies.

SSC Pacific’s Technological Solution

To address the vulnerability of privacy information in the cloud, SSC Pacific researchers are tackling the problem of securely processing encrypted data using homomorphic encryption. This new cryptographic technology uses abstract mathematical concepts to enable computations (e.g., arithmetic, relational operations) directly on encrypted data. This technology will enable processing of protected data in the cloud.

However, the fundamental problem with homomorphic encryption is that current schemes are computationally intensive, which makes their implementation slow. Today, the focus of the homomorphic encryption research community is accelerating existing schemes, and developing more efficient schemes to make their implementation more practical.

The Nomad team has led the development of a homomorphic encryption performance optimization effort utilizing general-purpose graphics processing unit (GPGPU) technology. Performance measurements indicate that usage of GPGPU parallelization techniques is encouraging in improving the efficiency of homomorphic encryption.

To address the availability issue, SSC Pacific researchers are using virtual machine live migration techniques, which enable the movement of services from one cloud to another to preserve availability. These techniques are useful for addressing threats to a cloud service provider, as services can be migrated away from the problematic cloud to preserve their availability.

To combat these availability issues, the Nomad team implemented an automatic live migration triggering capability based on machine learning techniques. Nomad’s monitoring system tracks the resource usage of each running virtual machine and decides when to migrate a virtual machine based on usage anomalies. This scenario presents challenges in determining where, when and what virtual machine to migrate.

The SSC Pacific researchers are looking at efficiently migrating cloud services using machine learning and optimization techniques. One of the goals of Nomad is to use cyber indicators of compromise, such as logs from Network Intrusion Detection Systems (e.g., Snort, Suricata) — as an input to triggering a live migration.

The Nomad project integrates homomorphic encryption and live migration technologies to create a framework for developing applications that require the privacy and availability of a high-assurance cloud service. This framework provides a means for developing secure applications in the cloud, thereby enabling developers to focus on the value-added aspects of their applications without worrying about privacy data and availability anomalies. The framework also speeds up and simplifies the work of developing secure cloud applications.

To test the Nomad framework, the SSC Pacific researchers developed an end-to-end cloud application named CallForFire, which is one of the first applications that uses homomorphic encryption to process its underlying data securely. CallForFire implements the “call for indirect fire” protocol, which infantry uses during combat operations to observe and attack enemy targets. In this case, CallForFire places the sensitive computations involved in calling for indirect fire, specifically computation of an enemy target location, into a secure, homomorphically-encrypted cloud environment.

Way Ahead

While CallForFire is an end-to-end application, it runs slowly due to its computationally intensive homomorphic operations. Improved performance of these homomorphic encryption operations can be realized by employing multiple techniques, including field-programmable gate arrays and software-based parallelization techniques.

Because public cloud service providers today are not very interoperable, researchers are also investigating how to conduct inter-cloud live migration of virtual machines between different cloud service providers. The ability to live-migrate virtual machines from one cloud provider to another will ensure continuity of service above and beyond a service level agreement of any single cloud provider.

SSC Pacific is engaging with Navy program offices to identify applications of the Nomad framework and its underlying technologies of homomorphic encryption and live migration. The SSC Pacific researchers are also looking to identify other potential DoD programs that can benefit from the use of these technologies.

By adopting Nomad technology, applications deployed in the cloud will be highly secure and available, thereby enabling organizations with sensitive data to take advantage of all the benefits that the cloud has to offer.

Space and Naval Warfare Systems Center Pacific provides the U.S. Navy and military with essential capabilities in the areas of command and control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR).

Mamadou H. Diallo is an SSC Pacific computer scientist with expertise in cloud security and privacy research.
Michael August is a cloud and mobility engineer at SSC Pacific.
Roger Hallman is a mathematician at SSC Pacific.
Megan Kline is a mathematician at SSC Pacific.
Henry Au is an electrical engineer at SSC Pacific.
Scott M. Slayback is a computer scientist at SSC Pacific.
Patric Petrie is the lead staff writer for SSC Pacific. Petrie is a veteran journalist and a former Navy hospital corpsman.