Framework for Assessing Cloud Trustworthiness (FACT)

ABSTRACT: When Air Force applications or data reside in a third-party"gray"cloud, trustworthiness can be compromised due to lack of control over the underlying infrastructure. The user must treat the cloud as a black box that cannot be instrumented or modified. To support verifiable access to applications and data residing in gray cloud infrastructures, we will develop a framework that treats the cloud as a black box and assesses trustworthiness at the cloud client to execute tests within a trusted environment. Our solution integrates diagnostic tests to assess application trustworthiness with the application client, so they are run within a single process. The integration process optimizes test coverage while accounting for properties of the diagnostic tests, parameters of the mission supported by the application, and properties of the cloud infrastructure. If a test fails, the framework attempts to redeploy the application on more trustworthy cloud resources. Diagnostic tests for data objects stored in the cloud are based on a separate cryptographic hash-based check that verifies their data integrity. As with the diagnostic tests for applications, the diagnostic tests for data objects are evaluated outside of the cloud. BENEFIT: We expect the full-scope framework to have immediate and tangible benefit to users requiring trustworthy execution of applications and storage of data in both blue and gray clouds. Companies that provide commercial cloud computing services are potential licensees of this technology, which will enhance their competitive advantage for security-conscious consumers.