Advancing Security Services for Cloud Applications
Abstract
With cloud computing taking root, Software as a Service (SaaS) is transforming the future of Information Technology (IT). SaaS is a modern, pervasive software delivery model in the Cloud in which software providers host applications and provide them to consumers over the Internet. The Cloud brings operational and analytical applications together to empower software innovation. SaaS has become indispensable to the advancement of applications spanning different domains such as business, banking, and health. Although SaaS continues to grow in popularity, an important question remains: how secure are cloud SaaS applications? Cloud SaaS applications are highly accessible, and the vast amount of sensitive data they manipulate makes them an attractive target for attackers. Nevertheless, software providers and consumers overlook critical security measures as they move to the Cloud, obliterating any gains made. In this thesis, we address these concerns and aim to advance security services for cloud SaaS applications. The Cloud Security as a Service (SecaaS) model expands the horizon to deliver security solutions over the Internet. Motivated by the rise of the SecaaS model, this research proposes a platform that introduces the notion of Information Flow Control as a Service (IFCaaS). The platform embeds robust and effective IFC-based security services in different phases of the software development lifecycle (SDLC) to govern end-to-end protection of cloud applications. Further, the platform is augmented by the capabilities of the Cloud to provide efficient and scalable security services. Data breaches due to security vulnerabilities, insecure APIs and interfaces, insecure computations, and unauthorized access are prevalent security issues for cloud applications. Hence, this research targets two different types of applications in the Cloud: operational and analytical. It presents two different security services and builds a framework for each service. These services aim to mitigate the aforesaid security issues for each application type. Extensive evaluation of the proposed frameworks is conducted over benchmark applications in real-world settings. The experimental results reveal that the presented frameworks provide robust, effective, and yet efficient protection for cloud applications against prevalent security breaches. They offer significant improvement in terms of detection accuracy, performance, scalability, and resource consumption.

