Skip to main content

Enforcing End-to-End Application Security in the Cloud

Bacon, Jean and Evans, David and Eyers, David M. and Migliavacca, Matteo and Pietzuch, Peter and Shand, Brian (2010) Enforcing End-to-End Application Security in the Cloud. In: Middleware 2010 ACM/IFIP/USENIX 11th International Middleware Conference. Lecture Notes in Computer Science, 6452 . Springer, Berlin, Germany, pp. 293-312. ISBN 978-3-642-16954-0. E-ISBN 978-3-642-16955-7. (doi:10.1007/978-3-642-16955-7_15) (KAR id:31863)


Security engineering must be integrated with all stages of application specification and development to be effective. Doing this properly is increasingly critical as organisations rush to offload their software services to cloud providers. Service-level agreements (SLAs) with these providers currently focus on performance-oriented parameters, which runs the risk of exacerbating an impedance mismatch with the security middleware. Not only do we want cloud providers to isolate each of their clients from others, we also want to have means to isolate components and users within each client’s application.

We propose a principled approach to designing and deploying end-to-end secure, distributed software by means of thorough, relentless tagging of the security meaning of data, analogous to what is already done for data types. The aim is to guarantee that—above a small trusted code base—data cannot be leaked by buggy or malicious software components. This is crucial for cloud infrastructures, in which the stored data and hosted services all have different owners whose interests are not aligned (and may even be in competition). We have developed data tagging schemes and enforcement techniques that can help form the aforementioned trusted code base. Our big idea—cloud-hosted services that have end-to-end information flow control—preempts worries about security and privacy violations retarding the evolution of large-scale cloud computing.

Item Type: Book section
DOI/Identification number: 10.1007/978-3-642-16955-7_15
Uncontrolled keywords: application-level virtualisation; information flow control; publish/subscribe; policy; cloud computing
Subjects: Q Science > QA Mathematics (inc Computing science) > QA 76 Software, computer programming,
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
Depositing User: Matteo Migliavacca
Date Deposited: 23 Oct 2012 20:53 UTC
Last Modified: 16 Nov 2021 10:09 UTC
Resource URI: (The current URI for this page, for reference purposes)

University of Kent Author Information

  • Depositors only (login required):

Total unique views for this document in KAR since July 2020. For more details click on the image.