Twenty Security Considerations for Cloud-Supported Internet of Things

IEEE Internet of Things Journal

Volumn 3, Issue 3, 2016, Pages 269-284

  Singh, Jatinder ^a   Pasquier, Thomas ^a   Bacon, Jean ^a   Ko, Hajoon ^a   Eyers, David ^b  

^a UNIVERSITY OF CAMBRIDGE   (United Kingdom)

^b UNIVERSITY OF OTAGO   (New Zealand)

Author keywords

Cloud; Data; Internet of Things; Privacy; Security

Indexed keywords

CLOUDS; DATA PRIVACY; INTERNET; UBIQUITOUS COMPUTING;

CLOUD PROVIDERS; CLOUD SERVICES; DATA; OR APPLICATIONS; PERSONAL SAFETY; SECURITY; SECURITY CONSIDERATIONS; TECHNOLOGY-BASED;

INTERNET OF THINGS;

EID: 84969847954     PISSN: None     EISSN: 23274662     Source Type: Journal    
DOI: 10.1109/JIOT.2015.2460333     Document Type: Article

References (95)

1. M. Weiser, "Ubiquitous computing," Computer, vol. 26, no. 10, pp. 71-72, 1993.
2. P. Middleton, P. Kjeldsen, and J. Tully, Forecast: The Internet of Things, Worldwide. Gartner, 2013 [Online]. Available: http://www. gartner.com/document/2625419?ref=QuickSearch&sthkw=G00259115.
3. S. Jankowski, J. Covello, H. Bellini, J. Ritchie, and D. Costa, "The Internet of Things: Making Sense of the Next Mega-Trend," Goldman Sachs, New York, Tech. Rep., 2014 [Online]. Available: http://www. goldmansachs.com/our-thinking/outlook/internet-of-things/iot-report.pdf
4. A. Zanella, "Internet of Things for smart cities," IEEE Internet Things J., vol. 1, no. 1, pp. 22-32, Feb. 2014.
5. J. Bacon et al., "Personal and social communication services for health and lifestyle monitoring," in Proc. 1st Int. Conf. Global Health Challenges (Global Health'12) IARIA DataSys 2012, Venice, Italy, 2012, pp. 41-48.
6. M. Kovatsch, S. Mayer, and B. Ostermaier, "Moving application logic from the firmware to the cloud: Towards the thin server architecture for the Internet of Things," in Proc. 6th Int. Conf. Innov. Mobile Internet Serv. Ubiq. Comput. (IMIS), 2012, pp. 751-756.
7. E. P. Leverett, "Quantitatively assessing and visualising industrial system attack surfaces," M.S. thesis, Dept. Comput. Lab., Univ. Cambridge, Cambridge, U.K., 2011.
8. J. Bacon, D. Eyers, T. Pasquier, J. Singh, I. Papagiannis, and P. Pietzuch, "Information flow control for secure cloud computing," IEEE Trans. Netw. Serv. Manage., vol. 11, no. 1, pp. 76-89, Mar. 2014.
9. P. Ohm, "Broken promises of privacy: Responding to the surprising failure of anonymization," UCLA Law Rev., vol. 57, no. 6, pp. 1701-1777, Aug. 2010.
10. J. Singh et al., "Regional clouds: Technical considerations," Univ. Cambridge, Cambridge, U.K., Tech. Rep. UCAM-CL-TR-863, 2014 [Online]. Available: http://www.cl.cam.ac.uk/techreports/UCAM-CLTR-863.pdf, accessed on Jul. 21, 2015.
11. "Overview of the Internet of Things," ITU Telecommun. Standard. Sector, Tech. Rep. Y.2060, Jun. 2012.
12. J. Mineraud, O. Mazhelis, X. Su, and S. Tarkoma, "A gap analysis of Internet-of-Things platforms," 2015, arXiv:1502.01181 [Online]. Available: http://arxiv.org/abs/1502.01181
13. S. Abdelwahab, B. Hamdaoui, M. Guizani, and A. Rayes, "Enabling smart cloud services through remote sensing: An Internet of Everything enabler," IEEE Internet Things J., vol. 1, no. 3, pp. 276-288, 2014.
14. L. Atzori, A. Iera, and G. Morabito, "The Internet of Things: A survey," Comput. Netw., vol. 54, no. 15, pp. 2787-2805, 2010.
15. D. Kozlov, J. Veijalainen, and Y. Ali, "Security and privacy threats in IoT architectures," in Proc. 7th Int. Conf. Body Area Netw. (BodyNets), 2012, pp. 256-262.
16. W. A. Jansen, "Cloud hooks: Security and privacy issues in cloud computing," in Proc. 44th Hawaii Int. Conf. Syst. Sci. (HICSS), 2011, pp. 1-10.
17. T. Dierks and C. Allen, "The TLS protocol version 1.0," IETF, Tech. Rep., RFC 5246, 1999 [Online]. Available: https://tools.ietf.org/html/rfc5246
18. D. McGrew and E. Rescorla, "Datagram transport layer security (DTLS) extension to establish keys for the secure real-time transport protocol (SRTP)," Internet Engineering Task Force (IETF), RFC 5764, 2010 [Online]. Available: http://datatracker.ietf.org/doc/rfc5764
19. S. L. Keoh, S. Kumar, and H. Tschofenig, "Securing the Internet of Things: A standardization perspective," IEEE Internet Things J., vol. 1, no. 3, pp. 265-275, 2014.
20. P. Urien, "LLCPS: A new security framework based on TLS for NFC P2P applications in the Internet of Things," in Proc. IEEE Consum. Commun. Netw. Conf. (CCNC), 2013, pp. 845-846.
21. R. J. Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd ed. Hoboken, NJ, USA: Wiley, 2008.
22. Z. Durumeric et al., "The matter of heartbleed," in Proc. Internet Meas. Conf. (IMC), 2014, pp. 475-488.
23. T. Morris, "Trusted platform module," in Encyclopedia of Cryptography and Security. New York, NY, USA: Springer, 2011, pp. 1332-1335.
24. C. Lesjak, T. Ruprechter, J. Haid, H. Bock, and E. Brenner, "A secure hardware module and system concept for local and remote industrial embedded system identification," in Proc. Emerg. Technol. Factory Autom. (ETFA), 2014, pp. 1-7.
25. M. Hutter and R. Toegl, "A trusted platform module for near field communication," in Proc. Int. Conf. Syst. Netw. Commun. (ICSNC), 2010, pp. 136-141.
26. J. Singh and J. Bacon, "On middleware for emerging health services," J. Internet Serv. Appl., vol. 5, no. 6, pp. 1-34, 2014.
27. N. Dhanjani. (2013). Hacking lightbulbs: Security evaluation of the Philips hue personal wireless lighting system [Online]. Available: http://www.dhanjani.com/docs/Hacking%20Lighbulbs% 20Hue %20Dha njani%202013.pdf, accessed on Jul. 21, 2015.
28. R. M. Savola and H. Abie, "Metrics-driven security objective decomposition for an e-health application with adaptive security management," in Proc. Int. Workshop Adapt. Secur., 2013, p. 6.
29. C. J. Millard, Ed., Cloud Computing Law. London, U.K.: Oxford Univ. Press, 2013.
30. N. Dhanjani. (2013). Reconsidering the perimeter security argument [Online]. Available: http://www.dhanjani.com/docs/Reconsidering%20 the%20Perimeter%20Security%20Argument.pdf, accessed on Jul. 21, 2015.
31. Intel IT Centre, What's Holding Back the Cloud?, Intel Corporation, 2012 [Online]. Available: http://www.intel.co.uk/content/dam/www/public/ us/en/documents/ reports/whats-holding-back-The-cloud-peer-researchreport2. pdf
32. T. Pasquier, B. Shand, and J. Bacon, "Information flow control for a medical web portal," in Proc. IADIS Int. Conf. e-Society, IADIS, Lisbon, Portugal, 2013, pp. 123-130 [Online]. Available: http://www.iadisportal.org/e-society-2013-proceedings
33. S. Soltesz, H. Pötzl, M. E. Fiuczynski, A. Bavier, and L. Peterson, "Container-based operating system virtualization: A scalable, highperformance alternative to hypervisors," in ACMSIGOPS Operating Syst. Rev. New York, NY, USA: ACM, 2007, vol. 41, no. 3, pp. 275-287.
34. P. Barham et al., "Xen and the art of virtualization," in SIGOPS Operating Syst. Rev., 2003, vol. 37, no. 5, pp. 164-177.
35. I. Anati, S. Gueron, S. P. Johnson, and V. R. Scarlata, "Innovative technology for CPU based attestation and sealing," Intel Corporation, 2013 [Online]. Available: https://software.intel.com/sites/default/files/ article /413939/hasp-2013-innovative-technology-for-attestation-andsealing. pdf.
36. T. F. J.-M. Pasquier, J. Singh, and J. Bacon, "Information flow control for strong protection with flexible sharing in PaaS," in Proc. Int. Workshop Future of PaaS (IC2E), 2015, pp. 279-282.
37. T. Pasquier, J. Singh, D. Eyers, and J. Bacon, CamFlow: Managed datasharing for cloud services, 2015, arXiv:1506.04391 [Online]. Available: http://arxiv.org/abs/1506.04391
38. J. Singh, T. Pasquier, J. Bacon, and D. Eyers, "Integrating middleware with information flow control," in Proc. Int. Conf. Cloud Eng. (IC2E), 2015, pp. 54-59.
39. J. Singh and J. Bacon, "Governance in patient-centric healthcare," in Proc. Int. Conf. Inf. Soc. (i-Society), 2010, pp. 502-509.
40. M. Naehrig, K. Lauter, and V. Vaikuntanathan, "Can homomorphic encryption be practical?" in Proc. 3rd ACM Workshop Cloud Comput. Secur. (CCSW), 2011, pp. 113-124.
41. D. Hrestak and S. Picek, "Homomorphic encryption in the cloud," in Proc. 37th Int. Conv. Inf. Commun. Technol. Electron. Microelectron. (MIPRO), 2014, pp. 1400-1404.
42. A. Narayanan and V. Shmatikov, "Myths and fallacies of personally identifiable information," Comm. ACM, vol. 53, pp. 24-26, 2010.
43. C. Dwork, "Differential privacy: A survey of results," in Theory and Applications of Models of Computation. New York, NY, USA: Springer, 2008, pp. 1-19.
44. Ú. Erlingsson, V. Pihur, and A. Korolova, "RAPPOR: Randomized aggregatable privacy-preserving ordinal response," in Proc. SIGSAC Conf. Comput. Commun. Secur., 2014, pp. 1054-1067.
45. M. Jensen, "Challenges of privacy protection in big data analytics," in Proc. IEEE Int. Congr. Big Data, 2013, pp. 235-238.
46. D. Recordon and D. Reed, "OpenID 2.0: A platform for user-centric identity management," in Proc. 2nd ACM Workshop Digital Identity Manage., 2006, pp. 11-16.
47. R. Morgan, S. Cantor, S. Carmody, W. Hoehn, and K. Klingenstein, "Federated security: The Shibboleth approach," Educause Q., vol. 27, pp. 12-17, 2004.
48. T. El Maliki and J.-M. Seigneur, "A survey of user-centric identity management technologies," in Proc. Int. Conf. Emerg. Secur. Inf. Syst. Technol. (SecureWare), 2007, pp. 12-17.
49. P. N. Mahalle, B. Anggorojati, N. R. Prasad, and R. Prasad, "Identity authentication and capability based access control (IACAC) for the Internet of Things," J. Cyber Secur. Mobility, vol. 1, no. 4, pp. 309-348, 2013.
50. P. De Leusse, P. Periorellis, T. Dimitrakos, and S. K. Nair, "Self managed security cell, a security model for the Internet of Things and services," in Proc. 1st Int. Conf. Adv. Future Internet, 2009, pp. 47-52.
51. Boston Consulting Group, The Value of our Digital Identity. Liberty Global Inc., 2012 [Online]. Available: http://www.libertyglobal. com/PDF/public-policy/The-Value-of-Our-Digital-Identity.pdf
52. P. De Hert, "A right to identity to face the Internet of Things?," UNESCO 2008 [Online]. Available: http://portal.unesco.org/ci/en/files/ 25857/12021328273de-Hert-Paul.pdf/de%2BHert-Paul.pdf
53. P. De Hert, S. Gutwirth, A. Moscibroda, D. Wright, and G. G. Fuster, "Legal safeguards for privacy and data protection in ambient intelligence," Pers. Ubiq. Comput., vol. 13, no. 6, pp. 435-444, 2009.
54. K. Cameron, The Laws of Identity.Microsoft Corporation, 2005 [Online]. Available: https://msdn.microsoft.com/en-us/library/ms996456.aspx
55. L. Douglas, "3D data management: Controlling data volume, velocity and variety," Gartner Inc. [Online]. Available: http://blogs.gartner.com/ doug-laney/files /2012/01/ad949-3D-Data-Management-Controlling-Data-Volume-Velocity-and-Variety.pdf
56. S. Yu, "DDoS attack and defence in cloud," in Distributed Denial of Service Attack and Defense. New York, NY, USA: Springer, 2014, pp. 77-93.
57. R. K. Ko et al., "TrustCloud: A framework for accountability and trust in cloud computing," in Proc. IEEE World Congr. Serv. (SERVICES), 2011, pp. 584-588.
58. R. K. Ko, M. Kirchberg, and B. S. Lee, "From system-centric to datacentric logging-accountability, trust &security in cloud computing," in Proc. Defense Sci. Res. Conf. Expo. (DSR), 2011, pp. 1-4.
59. A. Rabkin and R. H. Katz, "Chukwa: A system for reliable large-scale log collection," in Proc. 24th Int. Conf. Large Install. Syst. Admin. (LISA), USENIX, 2010, vol. 10, pp. 1-15.
60. A. Rabkin, M. Arye, S. Sen, V. Pai, and M. J. Freedman, "Making every bit count in wide-area analytics," in HotOS, May 2013, 6 pp.
61. A. Oliner, A. Ganapathi, and W. Xu, "Advances and challenges in log analysis," Comm. ACM, vol. 55, no. 2, pp. 55-61, 2012.
62. A. Elyasov, I. Prasetya, and J. Hage, "Log-based reduction by rewriting," Utrecht Univ., Tech. Rep. UU-CS-2012-013, 2012.
63. S. Subashini and V. Kavitha, "A survey on security issues in service delivery models of cloud computing," J. Netw. Comput. Appl., vol. 34, no. 1, pp. 1-11, 2011.
64. M. Jensen, J. Schwenk, N. Gruschka, and L. Iacono, "On technical security issues in cloud computing," in Proc. IEEE Int. Conf. Cloud Comput. (CLOUD'09), 2009, pp. 109-116.
65. T. Moore, J. Clulow, S. Nagaraja, and R. Anderson, "New strategies for revocation in ad-hoc networks," in Proc. 4th Eur. Conf. Secur. Privacy Ad-Hoc Sens. Netw., 2007, pp. 232-246.
66. P. Michiardi and R. Molva, "Core: A collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks," in Proc. IFIP TC6/TC11 6th Joint Work. Conf. Commun. Multimedia Secur. Adv. Commun. Multimedia Secur. Norwell, MA, USA: Kluwer, 2002, pp. 107-121.
67. "ISO/IEC JTC 1/SC 27 IT-security technology-Security techniques-Information security management systems-requirements," ISO, Tech. Rep. 27001, 2013.
68. A. Sunyaev and S. Schneider, "Cloud services certification," Commun. ACM, vol. 56, no. 2, pp. 33-36, 2013.
69. R. Accorsi, D.-I. L. Lowis, and Y. Sato, "Automated certification for compliant cloud-based business processes," in Business &Information Systems Engineering. New York, NY, USA: Springer, 2011, vol. 3, no. 3, pp. 145-154.
70. A. Muñoz and A. Mana, "Bridging the GAP between software certification and trusted computing for securing cloud computing," in Proc. 9th World Congr. Serv. (SERVICES), 2013, pp. 103-110.
71. T. Kunz, A. Selzer, and U. Waldmann, "Automatic data protection certificates for cloud-services based on secure logging," in Trusted Cloud Computing. New York, NY, USA: Springer, 2014, pp. 59-75.
72. S. A. de Chaves, C. B. Westphall, and F. R. Lamin, "SLA perspective in security management for cloud computing," in Proc. 6th Int. Conf. Netw. Serv. (ICNS), 2010, pp. 212-217.
73. K. Bernsmed, M. G. Jaatun, P. H. Meland, and A. Undheim, "Security SLAs for federated cloud services," in Proc. 6th Int. Conf. Availability Reliab. Secur. (ARES), 2011, pp. 202-209.
74. Intel, Software guard extensions programming reference, Tech. Rep. 329298-001US, 2013 [Online]. Available: https://software.intel.com/ sites/default/files/329298-001.pdf, accessed on Jul. 21, 2015.
75. S. Berger, R. Cáceres, K. A. Goldman, R. Perez, R. Sailer, and L. van Doorn, "vTPM: Virtualizing the trusted platform module," in Proc. Secur. Symp., 2006, pp. 305-320.
76. A. Baumann, M. Peinado, and G. Hunt, "Shielding applications from an untrusted cloud with haven," in Proc. 11th USENIX Conf. Oper. Syst. Des. Implement. (OSDI), 2014, pp. 267-283.
77. K. R. Jayaram, D. Safford, U. Sharma, V. Naik, D. Pendarakis, and S. Tao, "Big ideas paper: Trustworthy geographically fenced hybrid clouds," in Proc. ACM/IFIP/USENIX Middleware, 2014, pp. 37-48.
78. S. Berger, K. Goldman, D. Pendarakis, D. Safford, E. Valdez, and M. Zohar, "Scalable attestation: A step toward secure and trusted clouds," in Proc. Int. Conf. Cloud Eng. (IC2E), 2015, pp. 185-194.
79. S. Lee, E. L. Wong, D. Goel, M. Dahlin, and V. Shmatikov, "φBox: A platform for privacy-preserving apps," in Proc. 10th USENIX Symp. Netw. Syst. Des. Implement., 2013, pp. 501-514.
80. K. Singh, S. Bhola, and W. Lee, "xBook: Redesigning privacy control in social networking platforms," in Proc. USENIX Secur. Symp., 2009, pp. 249-266.
81. K. Ruan, J. Carthy, T. Kechadi, and M. Crosbie, "Cloud forensics," in Advances in Digital Forensics VII. New York, NY, USA: Springer, 2011, pp. 35-46.
82. A. Haeberlen, "A case for the accountable cloud," SIGOPS Oper. Syst. Rev., vol. 44, no. 2, pp. 52-57, 2010.
83. P. Massonet, S. Naqvi, C. Ponsard, J. Latanicki, B. Rochwerger, and M. Villari, "A monitoring and audit logging architecture for data location compliance in federated cloud infrastructures," in Proc. Int. Symp. Parallel Distrib. Process. Workshops PhD Forum (IPDPSW), 2011, pp. 1510-1517.
84. K. Hon, C. Millard, C. Reed, J. Singh, I. Walden, and J. Crowcroft, Policy, legal and regulatory implications of a Europe-only cloud, School of Law, Queen Mary Univ. London, London, U.K., Tech. Rep. 191, 2015 [Online]. Available: http://papers.ssrn.com/sol3/papers. cfm?abstract-id=2527951, accessed on Jul. 21, 2015.
85. M. Henze, R. Hummen, and K.Wehrle, "The cloud needs cross-layer data handling annotations," in Proc. Secur. Privacy Workshops (SPW), 2013, pp. 18-22.
86. J. Singh, "Controlling the dissemination and disclosure of healthcare events," Ph.D. dissertation, Computer Lab., Univ. Cambridge, London, U.K.: Tech. Rep. TR 770, 2009.
87. F. Bonomi, R. Milito, J. Zhu, and S. Addepalli, "Fog computing and its role in the Internet of Things," in Proc. 1st MCC Workshop Mobile Cloud Comput., 2012, pp. 13-16.
88. T. Pasquier and J. Powles, "Expressing and enforcing location requirements in the cloud using information flow control," in Proc. IC2E Int. Workshop Legal Tech. Issues Cloud Comput. (Claw'15), 2015, pp. 410-415.
89. K. Hong, D. Lillethun, U. Ramachandran, B. Ottenwälder, and B. Koldehofe, "Mobile fog: A programming model for large-scale applications on the Internet of Things," in Proc. 2nd SIGCOMM Workshop Mobile Cloud Comput. (MCC), 2013, pp. 15-20.
90. A. Davis, J. Parikh, and W. E. Weihl, "Edgecomputing: Extending enterprise applications to the edge of the internet," in Proc. 13th Int. World Wide Web Conf. Altern. Track Papers, 2004, pp. 180-187.
91. M. Satyanarayanan, P. Bahl, R. Caceres, and N. Davies, "The case for VM-based cloudlets in mobile computing," IEEE Pervasive Comput., vol. 8, no. 4, pp. 14-23, 2009.
92. J. Crowcroft, A. Madhavapeddy, M. Schwarzkopf, T. Hong, and R. Mortier, "Unclouded vision," in Distributed Computing and Networking. New York, NY, USA: Springer, 2011, pp. 29-40.
93. A. Madhavapeddy and D. J. Scott, "Unikernels: The rise of the virtual library operating system," Commun. ACM, vol. 57, no. 1, pp. 61-69, 2014.
94. J. Singh, D. Eyers, and J. Bacon, "Policy enforcement within emerging distributed, event-based systems," in Proc. ACM Distrib. Event Based Syst. (DEBS'14), 2014, pp. 246-255.
95. J. Singh, J. Powles, T. Pasquier, and J. Bacon, "Data flow management and compliance in cloud computing," IEEE Cloud Comput. Magaz. SI Legal Clouds, 2015, to be published.