Posts

Showing posts from July, 2022

10.3 digital signature In Cloud Computing

10.3. Digital Signature The digital signature mechanism is a means of providing data authenticity and integrity through authentication and non-repudiation. A message is assigned a digital signature prior to transmission, which is then rendered invalid if the message experiences any subsequent, unauthorized modifications. A digital signature provides evidence that the message received is the same as the one created by its rightful sender. Both hashing and asymmetrical encryption are involved in the creation of a digital signature, which essentially exists as a message digest that was encrypted by a private key and appended to the original message. The recipient verifies the signature validity and uses the corresponding public key to decrypt the digital signature, which produces the message digest. The hashing mechanism can also be applied to the original message to produce this message digest. Identical results from the two different processes indicate that the message maintai...

10.2 HASHING CLOUD SECURITY MECHANISM

10.2. Hashing The hashing mechanism is used when a one-way, non-reversible form of data protection is required. Once hashing has been applied to a message, it is locked and no key is provided for the message to be unlocked. A common application of this mechanism is the storage of passwords. Hashing technology can be used to derive a hashing code or message digest from a message, which is often of a fixed length and smaller than the original message. The message sender can then utilize the hashing mechanism to attach the message digest to the message. The recipient applies the same hash function to the message to verify that the produced message digest is identical to the one that accompanied the message. Any alteration to the original data results in an entirely different message digest and clearly indicates that tampering has occurred. In addition to its utilization for protecting stored data, the cloud threats that can be mitigated by the hashing mechanism include malicio...

10.1 Encryption in Cloud Computing

10.1. Encryption Data, by default, is coded in a readable format known as plaintext. When transmitted over a network, plaintext is vulnerable to unauthorized and potentially malicious access. The encryption mechanism is a digital coding system dedicated to preserving the confidentiality and integrity of data. It is used for encoding plaintext data into a protected and unreadable format. Encryption technology commonly relies on a standardized algorithm called a cipher to transform original plaintext data into encrypted data, referred to as ciphertext. Access to ciphertext does not divulge the original plaintext data, apart from some forms of metadata, such as message length and creation date. When encryption is applied to plaintext data, the data is paired with a string of characters called an encryption key, a secret message that is established by and shared among authorized parties. The encryption key is used to decrypt the ciphertext back into its original plaintext format. The e...

10.0 Introduction To Cloud Security Mechanisms in Cloud Computing

Chapter 10. Cloud Security Mechanisms This chapter establishes a set of fundamental cloud security mechanisms, several of which can be used to counter the security threats described in Chapter 6. 10.1 Encryption :- The encryption mechanism is a digital coding system dedicated to preserving the confidentiality and integrity of data. 10.2 Hashing :- The hashing mechanism is used when a one-way, non-reversible form of data protection is required. 10.3 Digital Signature :- The digital signature mechanism is a means of providing data authenticity and integrity through authentication and non-repudiation. 10.4 Public Key Infrastructure (PKI) :- A common approach for managing the issuance of asymmetric keys is based on the public key infrastructure (PKI) mechanism, which exists as a system of protocols, data formats, rules, and practices that enable large-scale systems to securely use public key cryptography. 10.5 Identity and Access Management (IAM) :- Th...

9.4 Billing Management System CLOUD COMPUTING

9.4. Billing Management System The billing management system mechanism is dedicated to the collection and processing of usage data as it pertains to cloud provider accounting and cloud consumer billing. Specifically, the billing management system relies on pay-per-use monitors to gather runtime usage data that is stored in a repository that the system components then draw from for billing, reporting, and invoicing purposes (Figures 9.9 and 9.10). Figure 9.9. A billing management system comprised of a pricing and contract manager and a pay-per-use measurements repository. Figure 9.10. (1) A cloud service consumer exchanges messages with a cloud service. (2A) A pay-per-use monitor keeps track of the usage and collects data relevant to billing, (2B) which is forwarded to a repository that is part of the billing management system. (3) The system periodically calculates the consolidated cloud service usage fees and generates an invoice for the cloud consumer. (4) The invoice...

9.3 SLA MANAGEMENT SYSTEM CLOUD COMPUTING

9.3. SLA Management System The SLA management system mechanism represents a range of commercially available cloud management products that provide features pertaining to the administration, collection, storage, reporting, and runtime notification of SLA data (Figure 9.7). Figure 9.7. An SLA management system encompassing an SLA manager and QoS measurements repository. An SLA management system deployment will generally include a repository used to store and retrieve collected SLA data based on pre-defined metrics and reporting parameters. It will further rely on one or more SLA monitor mechanisms to collect the SLA data that can then be made available in near-real time to usage and administration portals to provide on-going feedback regarding active cloud services (Figure 9.8). The metrics monitored for individual cloud services are aligned with the SLA guarantees in corresponding cloud provisioning contracts. Figure 9.8. (1) A cloud service consumer interacts with a cloud se...