Framework for Assessing Cloud Trustworthiness (FACT)

ABSTRACT: Assured Cloud Computing is needed by US Cyber Command to implement the USAF vision of global vigilance, global reach, and global power. When an Air Force application runs in a third-party"gray"cloud, the trustworthiness of the application is of special concern because there is little to no control over the underlying infrastructure. The user must treat the cloud as a black box that cannot be instrumented or modified. To support the trustworthiness assessment of applications running in gray cloud infrastructures, we propose a framework for assessing cloud trustworthiness that treats the cloud as a black box and assesses trustworthiness at the application level rather than at the cloud component level where we have limited insight. Diagnostic tests to assess application trustworthiness are integrated with the application binary, so they are run on the cloud within a single process. The integration process optimizes test coverage while accounting for properties of the diagnostic tests, parameters of the mission supported by the application, and properties of the cloud infrastructure. If a test fails, the framework reruns the application in the cloud until it executes on correctly functioning infrastructure and passes all tests, or until time constraints are exceeded. BENEFIT: We expect the full-scope framework to have immediate and tangible benefit for a number of military applications that would benefit from deployment in a cloud infrastructure. In particular, the framework will support the trustworthy execution of applications in the cloud, both blue and gray. In addition, we will look at companies that provide commercial cloud computing services as potential licensees of this technology to enhance their competitive advantage for security-conscious consumers.