Next-Generation Blockchain-Enabled Virtualized Cloud Security Solutions: Review and Open Challenges
Furthermore, blockchain technology also helps CSPs offer application developers a way to create a virtual database of their services and transactions with one click, and a Pay-Per-User model can be used to improve the autonomy of their cloud services further, since these services are carried out through a decentralized mechanism where functionality is performed autonomously without the intervention of central authorities. This process enhances trustworthiness amongst the participating clients, as QoS information is persistent and cannot be modified [22]. This paper explores and evaluates various cloud security issues and threats occurring at multiple levels of cloud infrastructure, focusing on virtualization-specific threats and vulnerabilities. It then provides blockchain-enabled solutions for the highlighted problems to improve and enhance the services provided by virtualized cloud computing platforms.
Blockchain technology provides resilience in cloud infrastructure by creating a distributed ledger of the transactions processed and executed on the cloud platform. It diminishes the single-point-of-failure problem inherent in the centralized cloud paradigm [20]. It also enhances transparency and scalability in the cloud network by increasing computation power through the number of distributed peers in the network, without relying on a centralized computing model. The cryptographic security model underpinning blockchain also enhances the security and integrity of data stored and processed on the cloud infrastructure, through robust cryptographic hashing such as SHA-256 and through ECC- or RSA-based digital signatures for every transaction processed or accessed on the network [21].
Blockchain is one of the latest core technologies to have drawn attention as a promising next-generation solution to the problems highlighted above in cloud computing infrastructures. It helps to create a decentralized network of mutually untrusted participants (peers) in which a ledger of blocks of records is maintained. It enables an authentication system for peer nodes to share virtual cash, services, and encrypted transactions securely on the network, developing a secure and trusted relationship among the participating peers [18]. Blockchain helps CSPs handle (distribute, store, and record) cloud transactions and services effectively without compromising end-users’ Quality of Service (QoS). It acts as a middleware technology that protects sensitive data and avoids delays in searching and sorting the vast quantities of data stored and processed on the cloud platform, using cryptographic methods [19].
The services provided by virtualized cloud infrastructure act as a black box to end-users, who have no idea of, or visibility into, the location of the actual storage and network mechanisms used in the cloud data centre. In a multi-tenant environment, where a client has no idea what is happening inside the cloud infrastructure, this engenders different vulnerabilities: a CSP system administrator can easily change the operational functionality of the different virtual machines (VMs) running in the facility, and can modify user authentication and authorization rules on behalf of the CSP, interrupting and changing user privacy and data integrity settings. Some existing virtualized cloud-enabled solutions such as VPNs, firewalls, security policies, and procedures provide data and service security protocols, along with solutions such as differential-privacy mechanisms. However, the lack of privacy and transparency controls on both the CSP side and the client side, together with the connectivity amongst cloud vendors and their interactions, can easily be abused by attackers to launch attacks such as linkage attacks against differential-privacy protection methods and data-mining-based linkage attacks, as shown in Figure 2 [17].
In a virtualized cloud computing infrastructure facility, the different types of services provided by CSPs include Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS), and Platform-as-a-Service (PaaS), where cloud users can easily download and upload their required content from cloud storage and network systems, from anywhere in the world, using high-speed Internet [10,11]. The rapid rise of cloud computing adoption and migration is unavoidable. Most people are becoming more and more dependent on technology, storing their sensitive data and information on outsourced cloud platforms owned by CSPs. This causes severe security risks and breaches, allowing attackers and cybercriminals to break into clients’ data and services and cause substantial losses to cloud infrastructure platforms and systems [12]. Major cloud security breaches include security at the physical level, the virtual level, and, more importantly, the web-based level in tier-level virtualized cloud data centres [13,14]. Furthermore, there are security gaps between end-user and vendor assessments of cloud security, privacy, and transparency [15]. Similarly, the majority of enterprises with sensitive data, such as banks, financial institutions, and insurance companies, are very reluctant to choose cloud computing services and platforms, as their primary concerns revolve around the integrity, privacy, secrecy, and confidentiality of data stored on and accessed from the cloud platform [16].
It is essential to highlight that today’s virtualized tier-level cloud computing platforms require improved collaboration, responsiveness, promptness, and scalability, involving new technologies that enable better, dynamic, on-demand service allocation and provisioning at the client level to support and enhance industrial throughput, global competitive advantage using business analytics tools, etc. [4,5]. As cloud computing provides efficient, reliable, flexible, scalable, cost-effective, and agile solutions, its usage, adoption, and migration have grown tremendously and have helped business enterprises earn better revenues every year [6]. This trend is helping CSPs, whose market share is increasing to more than 12% among software-based companies alone, with increased revenue of almost 95 billion over the next five years [7]. One of the significant advantages of cloud computing is its reliable, high-speed X-as-a-Service (XaaS) facility, where different application and computing development processes and platforms are provided to clients on demand, enabling them to save the huge costs of installation and deployment, as shown in Figure 1 [9].
In today’s digital era, everything is available and accessible on the Internet through various technology-enabled solutions. Cloud computing is a data storage and access platform where client data is stored and accessed through digital devices from any location over the Internet. It provides end-users with the facility to access their data records, software and application tools, infrastructure platforms, and several additional cloud-enabled services effortlessly. The current revolution in big data and IoT engenders several security-related challenges that need to be solved and appropriately handled to help business enterprises grow and make better decisions. One of the critical questions is how to store, access, and adequately manage the enormous quantities of data being generated through Information and Communication Technology (ICT). Cloud computing provides the most flexible, reliable, and efficient way to handle this vast data using cloud data centres, called data farms or server farms. These facilities comprise millions of server machines arranged in different infrastructures and models, such as blade servers and racks, to provide on-demand provisioning services to end-users and business firms [1]. The cloud computing platform is an innovative, extended, and improved computing facility compared to existing computing models such as grid and parallel computing and autonomic and utility computing, which are based on a centralized client-server model deployed in large tier-level data centres [2]. It provides a ubiquitous service distribution model in which different infrastructure facilities are provided to end-users, ranging from personal file-sharing services to enterprise data warehouses [3].
Denial of Service (DoS) attacks impede the ability of cloud vendors and CSPs to respond to legitimate clients’ requests, resulting in substantial economic losses. During DoS attacks, legitimate cloud users are prevented from accessing the data, resources, or services they want to use. In this attack, hackers can create and install rogue and malicious VMs inside the facility, which exhaust and block all the server resources and services that should be provided to cloud users. These VMs can be used to initiate DoS and DDoS attacks against the hypervisor or any other VM that runs on the same hypervisor. These attacks can also be conducted against software such as operating systems and against network components such as servers or network routers, to exploit weaknesses and vulnerabilities in communication protocols [51]. DoS attacks can also target the hypervisor, where the attacker intends to consume the maximum of resources and services (memory, bandwidth, CPU cycles, etc.) to degrade the cloud environment’s performance by leveraging the hypervisor’s design flaws and misconfigurations [47]. DoS attacks can also result from weaknesses in various communication protocols, exploited through TCP session hijacking, IP spoofing, and corrupting the DNS server cache.
Consequently, everything held in memory by the editor is unsafe and insecure, leaving the data exposed to access by any unauthorized user in the cloud environment. Another possible data-leakage vulnerability arises during the live and offline VM migration process, when VMs are transferred from source hosts to destination hosts (while running, in the live case). In this scenario, the current state of a running VM and other sensitive information held in memory pages can be leaked while being transferred from source to destination, threatening the integrity and confidentiality of stored data [50].
Confidential and sensitive data stored on third-party cloud storage platforms are potentially vulnerable to unauthorized access and manipulation. In cloud environments, even when secure shell protocols are employed to encrypt the data stored on virtual disks and the communication between different VMs, hackers still apply other types of attacks, such as side-channel attacks, which can give them complete control of the CSP’s network. Hackers can then extract useful secret information such as a client’s password lists and snatch personal and confidential data stored on cloud disks. Another vulnerability is compromise of the hypervisor, which compromises the security of all VMs running on it [49]. It is essential to highlight that all encrypted data will ultimately be held in plain text in memory; otherwise, reading and writing it with an editor would be impossible.
A hypervisor, or VMM, is installed to execute several guest VMs and applications concurrently on a single physical host server and to provide separation amongst the guest VMs in a cloud environment [33]. These hypervisors are vulnerable and prone to attacks. Hyperjacking is an attack on the hypervisor: hackers inject a rogue hypervisor, or take malicious control over the installed hypervisor, between the target system and the hardware in order to control the internal server resources within a virtualized cloud environment. The attacker targets the operating system below the VMs so as to execute malicious code and applications on the VMs [48]. The most important point about the hypervisor is that attackers can run unauthorized applications over the system without the administrator noticing any suspicious activity. Regular security measures such as firewalls, IDS systems, and antivirus tools are ineffective against these threats. The operating system running above the rogue hypervisor is unaware that the machine has been compromised.
Virtualized cloud environments allow us to create and install new low-cost VMs for diverse tasks, extend and branch new VMs from old ones, create image files of existing VMs, and even roll machines back to previous states [41]. These operations pose serious security threats and implications: a VM rollback, for example, may restore obsolete software packages carrying a bug or vulnerability that had already been fixed.
In virtualized cloud infrastructures, resource-sharing techniques such as deduplication of data and co-location of computation (multiple VMs placed on the same physical server machine) are critical for enhancing the efficiency of VMs. However, they also increase security risks: researchers have built a powerful cache-based attack on OpenSSL AES implementations that recovers the keys of an AES implementation running in a targeted VM. Therefore, it is essential to highlight that long-term co-location of computation should not be allowed and deduplication of data should be disabled. In these cross-VM side-channel attacks, a malicious VM can quickly penetrate the isolation between VMs and gain access to shared hardware and software resources and cache locations to extract confidential information from the target VMs [34].
In outside attacks, VMs are co-located and connected through virtual network connections, shared memory, and other shared resources. A malicious VM inside this network can determine where another VM’s allocated memory lies. It allows this VM to read or write to that specific location and interfere with the other’s operation [37].
Virtual machines can be attacked and infected with malware and operating system rootkits. An attacker can have multiple perspectives. An inside attacker always wants to attack a cloud data centre’s IT infrastructure for personal gain. Another attacker can be a rogue CSP administrator or an inside employee who intends to exploit cloud vulnerabilities to gain access to sensitive and critical information. It can also be a cloud owner with malicious intent. In this attack, the attackers get complete control of the VMs in the facility and ultimately of the whole network, enabling them to create illegitimate copies and backups of VMs, delete and modify several VMs’ service-level agreements, and log in to a customer’s VMs for administrative purposes [23].
Virtual machine sprawl (also called virtualization sprawl or VM image sprawl) is a situation in a virtualized cloud infrastructure in which cloud vendors, CSPs, and cloud administrators have no effective control over the creation, deletion, and configuration of VMs and their image files during the live migration process. The sprawl also extends to the resources shared and provisioned to these VMs, such as memory, cache, storage, network channels, and CPU. This scenario underutilizes these resources, as they cannot be assigned to other VMs because of the lack of control and proper management of these cloud resources [40]. It usually occurs when multiple VMs are created and set up by different departments in the same enterprise without the knowledge, control, policies, and proper procedures of cloud administrators. It leads to bottlenecks on server machines, which further lead to crashed systems because of low resource availability in the cloud environment.
In a virtualized cloud infrastructure, VMs are designed to support secure isolation between the physical host machines and the VMs. Virtual machine escape is a security vulnerability affecting a VM or the whole virtualized cloud infrastructure. An attacker exploits weaknesses in the operating system running inside a virtual machine and inserts malicious code. When the VM executes this malicious code, it allows the attacker to access and control the virtual network’s primary hypervisor. This breaks the isolation boundaries between VMs, so the attacker can bypass the hypervisor, interact with other VMs in the network directly, and take control of the host. It creates privacy, integrity, and trust issues in the cloud infrastructure and opens the door for other attackers to access and control other host machines and launch further attacks, including VM creation, VM manipulation, VM deletion, and changes to resource quotas; the attacker can also tamper with the access privileges allocated to specific VMs [47].
Hypervisor vulnerabilities allow an attacker to use VMs for a longer duration of time. By changing or manipulating their configured settings, such as memory, CPU, and cache, an attacker can hijack a VM along with its resources. This type of attack is also called VM theft, VM stealing, or a theft-of-service attack, as VMs have insufficient security controls to prevent their unapproved duplication and movement [45]. In this attack, the cloud infrastructure is financially affected, and no record or log of the user’s activities remains, leading to further risks for the cloud paradigm. VM theft can be restricted by applying Duplicate and Move restrictions to VMs that hold more sensitive and critical data. This solution is considered an underlying security mechanism, where VMs are limited (tied) to operating on a fixed, secure physical server machine to stop VM duplication. A VM with duplicate and move limitations cannot run on a hypervisor associated with another physical machine; hence its movement and duplication can be prevented. Even though these limitations are fundamental to the protection of VMs against VM theft, they still have several disadvantages, such as limiting the VM’s movement across multiple physical machines to share and execute different workloads depending on the applications being executed [46].
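The Duplicate and Move restrictions just described, together with the audit trail whose absence the text notes, as an added example that is not the paper’s code: a placement guard that denies clone/export of protected VMs, refuses to run a pinned VM on any other host, logs every decision, and flags actors who repeatedly hit denials. VM names, hosts and identities are constructed for illustration.

```python
"""Added example (not the paper's code): a placement guard that enforces the
Duplicate and Move restrictions described above for sensitive VMs, keeps the
audit trail the text notes is missing in VM theft, and flags actors who keep
hitting denials. VM names, hosts and identities are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

DUPLICATING_OPS = {"clone", "export"}   # operations that create a second copy of a VM
PLACING_OPS = {"migrate", "start"}      # operations that bind a VM to a physical host

@dataclass(frozen=True)
class VMPolicy:
    pinned_host: Optional[str]   # None: the VM may run on any host
    allow_duplicate: bool
    operators: frozenset         # identities allowed to act on this VM

@dataclass(frozen=True)
class Request:
    actor: str
    vm: str
    operation: str
    target_host: Optional[str] = None

class PlacementGuard:
    def __init__(self, policies: Dict[str, VMPolicy]) -> None:
        self.policies = policies
        self.audit: List[dict] = []   # every decision, allowed or denied

    def evaluate(self, req: Request) -> bool:
        policy = self.policies.get(req.vm)
        if policy is None:
            ok, why = False, "unknown VM"
        elif req.actor not in policy.operators:
            ok, why = False, "actor not authorised for this VM"
        elif req.operation in DUPLICATING_OPS and not policy.allow_duplicate:
            ok, why = False, "duplicate restriction"
        elif req.operation in PLACING_OPS and req.target_host is None:
            ok, why = False, "no target host given"
        elif (req.operation in PLACING_OPS and policy.pinned_host
              and req.target_host != policy.pinned_host):
            ok, why = False, f"move restriction: pinned to {policy.pinned_host}"
        else:
            ok, why = True, "permitted"
        self.audit.append({"actor": req.actor, "vm": req.vm, "op": req.operation,
                           "target": req.target_host, "allowed": ok, "reason": why})
        return ok

    def repeat_offenders(self, min_denials: int = 2) -> List[str]:
        """Actors with at least min_denials denied requests, most frequent first."""
        denials = Counter(e["actor"] for e in self.audit if not e["allowed"])
        return [actor for actor, n in denials.most_common() if n >= min_denials]

# Constructed policies: the database VM holds sensitive data and is locked down.
POLICIES = {
    "db-vm": VMPolicy("host-a", False, frozenset({"ops-admin"})),
    "web-vm": VMPolicy(None, True, frozenset({"ops-admin", "contractor"})),
}

def demo() -> tuple:
    guard = PlacementGuard(POLICIES)
    requests = [
        Request("ops-admin", "web-vm", "migrate", "host-b"),   # unpinned VM: allowed
        Request("ops-admin", "db-vm", "clone"),                # duplicate restriction
        Request("ops-admin", "db-vm", "migrate", "host-b"),    # move restriction
        Request("ops-admin", "db-vm", "start", "host-a"),      # pinned host: allowed
        Request("contractor", "db-vm", "export"),              # not an operator
        Request("contractor", "db-vm", "migrate", "host-c"),   # not an operator
    ]
    results = [guard.evaluate(r) for r in requests]
    return results, guard.repeat_offenders()   # ([True, False, False, True, False, False], both actors)
```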
This section has identified and evaluated numerous virtualized cloud security issues and challenges revealed in recent years in diverse virtualization components, such as the VMM, VMs, guest operating systems, and disk storage images and devices [43]. Attackers use specific malicious programs and tools in VMs to gain illegal access permissions and to record and log screen updates and keystrokes across physical and virtual server machines (terminals) to obtain the sensitive and critical information they require. Once a cloud network is compromised, it becomes relatively easy to duplicate and copy live VM images to create and configure new VM image files, causing VM image sprawl. In this vulnerability, a colossal number of rogue VMs are created to generate DDoS and other types of network attacks. Similarly, attackers and intruders mount hypervisor-based attacks to exploit vulnerabilities. The hypervisor allows multiple operating systems to operate concurrently on a single hardware platform, usually a physical server machine. A compromised hypervisor allows hackers to attack and control each VM installed and configured on a virtual host. Attackers use different APIs, software stacks, and coding bugs to compromise the degree of security assurance for the privacy and secrecy of cloud environments [44]. Figure 3 highlights various attack types in different virtualized environments.
One of the significant issues in the virtualized cloud data centre is protecting clients’ sensitive data from leaking over the Internet to attackers and unwanted parties [40]. On the other hand, the data in storage devices are stored unencrypted and handled by various types of cloud administrators hired by CSPs, causing trust and integrity issues [41]. These vulnerabilities and limitations require a macro-level solution to the identified common infrastructure-level cloud security threats and concerns, in order to provide secure, efficient, and transparent services to cloud end-users. Cloud vendors and CSPs are putting substantial cost and effort into securing their virtualized cloud infrastructures to achieve maximum compliance with the prevailing industry security management standards; for example, Amazon’s cloud recently achieved Payment Card Industry Data Security Standard (PCI DSS) compliance certification, and Microsoft Azure claims compliance with the ISO 27001 security standard [42]. However, the overall security of cloud-based applications and services still needs better implementation and configuration services, along with advanced security services with fine-grained access controls bound across virtualized services such as IaaS, SaaS, and PaaS cloud virtualization platforms.
IaaS permits clients to access different VMs and install their own operating systems as needed to perform their computational tasks, without installing appropriate security measures and solutions. Unfortunately, these types of settings in virtualized cloud infrastructures create significant vulnerabilities and limitations when we perform security-critical computations and store sensitive data. For example, there are currently no secure means that guarantee the trustworthiness and fidelity of a Virtual Machine (VM) in terms of its origin and identity, or the reliability of the data being uploaded, stored, and processed by server machines and storage devices [37]. Furthermore, other attack pathways exist, such as predefined and prebuilt VMs and other virtual equipment and appliances carrying malicious code, erroneously configured virtual firewalls, Intrusion Detection Systems (IDS) and networks, an inaccurately installed and configured hypervisor, and information leakage or VM escape through offline configurations. In reality, protecting a VM is more complicated and resource-consuming than protecting a physical machine [38]. Furthermore, multiple clients sharing the same virtualized environment can cause security vulnerabilities, as the many components involved in the configuration process create complex management issues, leading to DDoS-type attacks on services and loss of clients’ sensitive and critical data [39]. Another problem is the lack of trust among participating clients regarding their data privacy and data assurance requirements.
In its technological uprising, virtualization technology enables us to implement the key attributes of cloud computing by creating a virtualized environment from abstracted hardware resources (servers, storage, and other network equipment), separating operational functionality from the underlying hardware devices. It allows the creation, installation, configuration, effective allocation, and adjustment of multiple VMs on different physical host machines (servers). The hypervisor, also called the Virtual Machine Monitor (VMM), is one of the critical components of virtualization technology in the cloud computing paradigm and offers significant benefits in terms of functional segregation, performance isolation, live-migration-enabled load balancing, fault tolerance, portability of applications, and higher resource utilization [36]. However, the design, implementation, and deployment of virtualization technology also open up new threats and security vulnerabilities, and are being targeted by attackers for malicious activities in cloud infrastructures.
Information protection and ownership are key cloud security issues for clients. They guarantee that information stored in the cloud is “sheltered.” Data privacy and ownership explicitly identify the threats of unapproved information exposure due to a lack of privacy policies in the cloud infrastructure. Clients do not know whether third-party or cloud computing vendors have privacy policies similar to or better than their own. Therefore, it is the CSPs’ responsibility to let a client create and assign an access control list outlining how, when, and by whom the data will be accessed. Moreover, clients also fear that their critical and confidential data are being viewed by cloud vendors and owners while stored and processed. They also want to see the access logs and audit trails of all cloud users and vendor employees. Furthermore, CSPs and vendors might need provisions for external audits of their infrastructure and controls [35]. A CSP needs to guarantee that private and Personally Identifiable Information (PII) about its customers is lawfully shielded from unapproved exposure. Confidential information includes:
The issues of end-to-end security, privacy, and business integrity and continuity are of greater complexity in a cloud computing world than in a single data centre. Some critical issues of cloud security include trust, multitenancy, encryption, and compliance. Information assurance is the collection of innumerable information practices that cloud computing service providers and vendors must follow and implement to certify the privacy, secrecy, confidentiality, integrity, accessibility, and availability of their customers’ information and data stored on cloud storage. It is one of the foremost security characteristics and concerns, making sure that every client working on the cloud infrastructure is genuine and appropriately authenticated and authorized, with legitimate rights and extensions assigned by the CSP [34].
The virtualized cloud computing infrastructure harnesses the power of thousands of computing nodes, combined with the homogeneity of the hosts’ operating systems. This leads to a situation where any present security threat spreads and amplifies more rapidly, called the “speed of ambush” factor, and has a more significant impact than in a typical client-server network. It is essential to highlight that the hosts in a virtualized environment must understand their trust boundaries and their responsibilities for securing the cloud environment, as set by CSPs, before moving to the cloud [32,33].
Multitenancy has been recognized as one of the significant security issues in a virtualized cloud computing model. It is defined as a shared virtualized environment in which computing resources are shared, i.e., separate virtual machines operate and process in the same physical server machine to achieve economic gain. It directly provides attackers with information leakage and an increased attack surface that directly affects integrity, confidentiality, privacy, and trust. It creates new targets for intrusions, as both the attacker and the victim share the same physical server machine. The major problem in a multitenancy environment is “how to assure data isolation in a multi-tenant environment?”. It needs a vertical solution from Software-as-a-Service (SaaS) down to Infrastructure-as-a-Service (IaaS). Regardless of the advantage of multitenancy (a distributed processing foundation) to a CSP, it is an enormous security stress for cloud clients [31].
Furthermore, the cloud paradigm introduces several security vulnerabilities into the infrastructure. This paper revolves around IaaS security issues and challenges, where traditional virtualization functionalities are commonly used. A break in the virtualized infrastructure’s security opens a direct gateway for attackers to strike organizational layers directly, making such attacks more prevalent and perilous [29]. The majority of cloud users are uninformed about the risks of storing and communicating their private data and information in a shared virtualized cloud environment. Therefore, critical technological constraints such as transparency, multi-tenancy, velocity of attack, information assurance, data privacy and ownership, compliance, encryption, and integrity should be handled more prudently. This implies that clients are not entirely secure and immune to threats in their cloud infrastructures, and calls for an appropriate secure cloud mechanism to be developed and deployed to handle today’s Internet technologies [30]. This paper also discusses various security issues at different levels of virtualized data centre infrastructures, the threats, and specific solutions provided by blockchain technology. Some of the prevalent virtualized security issues are explained below.
One of the critical challenges faced by today’s clouds is data-level security, as the majority of an enterprise’s sensitive and vital data needs proper security measures: hackers can steal business data such as daily sales, profit reports, and financial reports [26]. These security issues pose substantial barriers to adopting cloud-enabled solutions in business enterprises, especially cloud services provided by trusted and non-trusted third-party service providers [27]. Thus, the cloud computing paradigm’s concerns with traditional data privacy, data integrity, accessibility, and privacy issues need to be sorted out and solved using the newest technologies and techniques [28]. So far, our work has focused on discussing various security threats in the cloud environment. However, while promising virtually unlimited storage and computing power, the cloud paradigm adds latency to the equation, which might not be acceptable in specific scenarios.
Cloud computing technology has become another buzzword after the introduction of Web 2.0 through Web 5.0. It provides on-demand services such as storage, processing, and infrastructure to business enterprises over the Internet. It supports another vision of IT, whereby software applications and computational resources are pooled and provisioned as organizations and end-users demand these services over virtualized ICT infrastructures accessible through the Internet [23]. End-users do not need their own computing and network infrastructure to use the services provided by a cloud computing platform. The collaboration and integration of cloud computing with industrial applications has brought many security issues and challenges for both CSPs and clients [24]. Cloud computing offers customers (i.e., end-users and pro-communities) the option of moving some part of their businesses to cloud infrastructures, helping them reduce the cost of owning, operating, and maintaining the computing establishment, as well as increasing flexibility and scalability by adopting cloud platforms [25].
Furthermore, Yang proposes a BCoT framework with a joint cloud computing collaboration environment, in which multiple clouds are interconnected securely through a P2P ledger network, presented as an IoT service based on a joint cloud blockchain, with smart travelling as the case study [61].
Tavana proposes a BCoT system for handling security-critical applications in cloud scenarios between cloud service providers, clients, and cloud devices. Their strategy is based on a forensic investigation framework using a decentralized blockchain platform [57]. Wang presents a blockchain-based data protection mechanism for cloud users that prevents inappropriate cloud data movement in cloud services and applications caused by malicious tampering during Virtual Machine (VM) migration on cloud computing platforms [58]. In the same vein, Ruqia proposed Mchain, a blockchain-based approach for the secure storage of VM measurements in the IaaS cloud with enhanced integrity and controllability. In this architecture, a two-layer blockchain network comprising a data validation layer and a PoW task layer is integrated with the IaaS cloud to enhance system integrity [59]. Zhang et al. propose blockchain-based public integrity verification for cloud storage against procrastinating auditors. Their implementation demonstrates that blockchain technology has enormous potential to help cloud computing infrastructures overcome controllability and performance problems, with low system overhead and high data integrity [60].
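The integrity property that Mchain’s VM measurement storage and Zhang et al.’s public integrity verification depend on, and the SHA-256 hash chaining described earlier for the blockchain ledger, as an added example that is not code from the paper or from any of the cited systems: a hash-chained ledger whose blocks commit to a Merkle root over VM measurement records, so that an auditor detects any later modification of a stored record and a client can verify one record against a block header alone. Record fields, VM names and image hashes are constructed.

```python
"""Added example (not the paper's or Mchain's code): a hash-chained ledger whose
blocks commit to a Merkle root over VM measurement records, so an auditor can
detect any later modification and a client can check one record against a header."""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS_PREV = "0" * 64

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record_hash(record: dict) -> str:
    # Canonical JSON so an identical record always yields the same leaf hash.
    return sha256_hex(json.dumps(record, sort_keys=True).encode())

def _pair_up(level: List[str]) -> List[str]:
    # One Merkle level upwards; an odd trailing node is paired with itself.
    if len(level) % 2:
        level = level + [level[-1]]
    return [sha256_hex((level[i] + level[i + 1]).encode()) for i in range(0, len(level), 2)]

def merkle_root(leaves: List[str]) -> str:
    level = leaves[:] or [sha256_hex(b"")]   # an empty block commits to H("")
    while len(level) > 1:
        level = _pair_up(level)
    return level[0]

def merkle_proof(leaves: List[str], index: int) -> List[Tuple[str, bool]]:
    # Sibling hashes from leaf to root; the flag marks a sibling that sits on the left.
    proof, level, idx = [], leaves[:], index
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        proof.append((level[idx ^ 1], (idx ^ 1) < idx))
        level, idx = _pair_up(level), idx // 2
    return proof

def verify_proof(leaf: str, proof: List[Tuple[str, bool]], root: str) -> bool:
    h = leaf
    for sibling, sibling_is_left in proof:
        h = sha256_hex((sibling + h if sibling_is_left else h + sibling).encode())
    return h == root

def block_hash(index: int, prev_hash: str, root: str) -> str:
    # The header commits to position, predecessor and Merkle root; records hang off the root.
    return sha256_hex(f"{index}|{prev_hash}|{root}".encode())

@dataclass
class Block:
    index: int
    prev_hash: str
    records: List[dict]
    root: str
    hash: str

class MeasurementLedger:
    def __init__(self) -> None:
        root = merkle_root([])
        self.chain = [Block(0, GENESIS_PREV, [], root, block_hash(0, GENESIS_PREV, root))]

    def append(self, records: List[dict]) -> Block:
        prev, idx = self.chain[-1], len(self.chain)
        root = merkle_root([record_hash(r) for r in records])
        block = Block(idx, prev.hash, [dict(r) for r in records], root, block_hash(idx, prev.hash, root))
        self.chain.append(block)
        return block

    def verify_chain(self) -> Tuple[bool, Optional[int]]:
        # Recompute every header from its records; report the first block that fails.
        for i, blk in enumerate(self.chain):
            expected_prev = GENESIS_PREV if i == 0 else self.chain[i - 1].hash
            root = merkle_root([record_hash(r) for r in blk.records])
            if blk.prev_hash != expected_prev or root != blk.root or blk.hash != block_hash(i, blk.prev_hash, root):
                return False, i
        return True, None

    def prove_record(self, block_index: int, record_index: int) -> Tuple[str, list, str]:
        leaves = [record_hash(r) for r in self.chain[block_index].records]
        return leaves[record_index], merkle_proof(leaves, record_index), self.chain[block_index].root

# Constructed sample measurements; the image hashes are placeholders, not real digests.
SAMPLE_RECORDS = [
    {"vm": "vm-01", "image_sha256": "a1" * 32, "host": "host-7", "ts": 1700000000},
    {"vm": "vm-02", "image_sha256": "b2" * 32, "host": "host-7", "ts": 1700000010},
    {"vm": "vm-03", "image_sha256": "c3" * 32, "host": "host-9", "ts": 1700000020},
]

def demo() -> tuple:
    ledger = MeasurementLedger()
    ledger.append(SAMPLE_RECORDS)
    leaf, proof, root = ledger.prove_record(1, 2)
    proof_ok = verify_proof(leaf, proof, root)
    intact = ledger.verify_chain()
    # A storage administrator silently replaces the recorded image hash of vm-02.
    ledger.chain[1].records[1]["image_sha256"] = "ff" * 32
    tampered = ledger.verify_chain()
    return proof_ok, intact, tampered   # (True, (True, None), (False, 1))
```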
Ali et al. [ 54 ] propose a secure data provenance model for the cloud-centric Internet of Things via blockchain smart contracts to achieve better cloud security and privacy. Waheed suggested a mobile intercloud system with blockchain to support complex cloud collaborative scenarios. Alcaraz et al. discussed various security threats and their possible countermeasures for cloud-based IoT. The authors describe user identity and location privacy, cloud node compromise, layer removal or addition, and key management threats for clouds, and how blockchain-enabled platforms can facilitate and support autonomous workflows and the sharing of services among cloud users and devices [ 55 ]. Nguyen introduces a mechanism for securely handling the collaborative governance of decentralized edge micro clouds with blockchain-based distributed ledgers. This technique builds a joint cloud blockchain to secure decentralized collaborative governance services, i.e., storage, monitoring, and resource management, for suitable performance on lightweight cloud computing nodes [ 56 ].
In the literature, research work on cloud security and blockchain is limited, with most work focused on leveraging blockchain technology to benefit cloud computing security in general. The recent growing interest in integrating blockchain and cloud computing infrastructures has created many opportunities for researchers and cloud service providers to propose new innovative and commercial solutions involving next-generation blockchain-enabled cloud systems. Zhao proposes a differentially private data sharing model in a cloud federation using blockchain technology. This model enables distributed resource provisioning using a single cloud under the management of the blockchain network. Notably, security is improved using blockchain-enabled smart contracts to allow distributed data control by cloud owners [ 52 ]. Sharma proposes a cryptocurrency-enabled blockchain solution for reducing cloud security risks [ 53 ].
To create a trusted environment between untrusted participants, Hyperledger Fabric provisions an identity management service that manages user IDs and authenticates all network participants. It introduces a membership service that establishes the rules by which different stakeholders are governed, authenticated, validated, and verified to be part of the blockchain network and allowed to access the ledger, ensuring secrecy, privacy, and confidentiality. The membership service is a comprehensive new design that reworks how nondeterminism, resource exhaustion, and performance attacks are handled for the participating stakeholders [ 76 ]. Access control lists can be used to provide additional layers of permission: a specific user ID could be permitted to invoke a chaincode application but blocked from deploying a chaincode. ACLs are created and managed by network administrators in Hyperledger Fabric, who can configure access to resources by associating those resources with existing policies. The ledger data can be stored in multiple formats, and consensus mechanisms can be switched in and out. Fabric provides secure and transparent Byzantine Fault Tolerant (BFT) consensus algorithms for ensuring secure and reliable communication amongst a group of untrusted stakeholders [ 77 ].
Hyperledger is a private, permissioned blockchain network that benefits from creating publicly accessible ledger data using open standards. Currently, Hyperledger, which includes many projects such as Fabric, Besu, Indy, etc., is being used and implemented by various enterprises in production environments. It helps to create multiple private permissioned networks between different organizations, or between organizational units within the same organization, using channels. Access to these private blockchains is restricted to selected stakeholders only. The participating stakeholders’ identities are already known, and they can perform their transactions securely and privately with better scalability, transparency, performance, and efficiency. These private blockchains focus on specific supply chain vulnerabilities and data to solve privacy and confidentiality issues and challenges. These blockchain platforms bridge the gap between current systems and legacy systems and provide immutable, auditable, and traceable systems that complement existing systems and processes.
Ethereum was first launched and used publicly in July 2015 [ 75 ]. As opposed to the bitcoin blockchain, which is primarily used for digital currency transactions, Ethereum is developed to store transaction records using smart contracts. A smart contract is fundamentally a computerized transaction protocol (business logic) that executes the contract between the blockchain network’s participating stakeholders to execute transactions. Smart contracts are automated programs written by users in programming languages such as Solidity, Java, etc., to be executed on the blockchain network. An Ethereum blockchain network comprises EVMs (Ethereum Virtual Machines), similar to miner nodes in the bitcoin network. These EVMs are proficient in providing cryptographically tamper-proof, trustworthy execution and enforcement of smart contracts. The digital currency supported by Ethereum is called Ether. The smart contracts used in Ethereum have their own accounts and addresses and are linked with their executable code and balance of Ether coins (gas). These smart contracts are executed on the EVM nodes. The storage space supported by EVMs is comparatively expensive; thus, for the execution and storage of large transactions, other remote decentralized data storage such as BitTorrent, IPFS, or Swarm can be used.
Bitcoin is one of the earliest and most popular digital currency-based blockchain platforms that runs on top of the blockchain infrastructure. It allows transactions between peers without a third party, central authority, or server to issue and manage currency transactions, as for many of today’s most popular cryptocurrencies. Bitcoin transaction information is always displayed on the ledger network so that all participating peers can validate and verify it, limiting the currency issuance problem. The electronic coin supported by bitcoin is defined as a chain of digital signatures in the blockchain network, as shown in Figure 4 . When a peer performs a transaction in the network, the transaction owner’s coin is transferred to the next link on the ledger with the hash value calculated from the previous transaction. The digital signature is transmitted to the public key of the next owner. The recipient peer of the signature can confirm and verify ownership on the ledger to validate the transaction processed on the blockchain network [ 74 ]. In this way, all the participating peers on the network have the same blockchain and transaction records as stored by the peer nodes. Nevertheless, the invention of other blockchain platforms such as Ethereum and Hyperledger has wholly transformed this technology’s potential use in almost all industrial and technological domains. The potential application space for blockchain has become almost limitless.
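The chain-of-signatures mechanism just described, written out as an added example (this is not code from the paper, from Bitcoin, or from any referenced system): each transfer hashes the previous transaction together with the next owner’s public key and is signed by the current owner, and VerifyChain replays what a receiving peer checks before accepting the coin. It uses Go’s standard-library ECDSA on P-256 in place of Bitcoin’s secp256k1, which the standard library does not provide; the Tx layout, the TxID construction, and the key names (issuer, alice, bob) are assumptions made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
)

// Tx is one link in the chain of signatures: the current owner signs the hash of the
// previous transaction together with the next owner's public key. Constructed example;
// P-256 stands in for Bitcoin's secp256k1, which Go's standard library does not provide.
type Tx struct {
	PrevHash  [32]byte // SHA-256 ID of the previous transaction (all zero for the first)
	Amount    uint64
	NextOwner []byte // next owner's public key as X||Y (64 bytes)
	Signature []byte // ASN.1 DER ECDSA signature by the current owner
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// pubBytes serialises a P-256 public key as X||Y; parsePub reverses it and
// rejects anything that is not a point on the curve.
func pubBytes(k *ecdsa.PublicKey) []byte {
	b := make([]byte, 64)
	k.X.FillBytes(b[:32])
	k.Y.FillBytes(b[32:])
	return b
}

func parsePub(b []byte) (*ecdsa.PublicKey, bool) {
	if len(b) != 64 {
		return nil, false
	}
	x, y := new(big.Int).SetBytes(b[:32]), new(big.Int).SetBytes(b[32:])
	if !elliptic.P256().IsOnCurve(x, y) {
		return nil, false
	}
	return &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, true
}

// signedPart is what the current owner signs: previous ID, amount and the key the
// coin is handed to. TxID also covers the signature and is what the next link cites.
func signedPart(tx *Tx) []byte {
	var amt [8]byte
	binary.BigEndian.PutUint64(amt[:], tx.Amount)
	h := sha256.New()
	h.Write(tx.PrevHash[:])
	h.Write(amt[:])
	h.Write(tx.NextOwner)
	return h.Sum(nil)
}

func TxID(tx *Tx) [32]byte {
	return sha256.Sum256(append(signedPart(tx), tx.Signature...))
}

// Transfer builds the next link: owner signs the coin over to next.
func Transfer(prev *Tx, owner *ecdsa.PrivateKey, next *ecdsa.PublicKey, amount uint64) (*Tx, error) {
	tx := &Tx{Amount: amount, NextOwner: pubBytes(next)}
	if prev != nil {
		tx.PrevHash = TxID(prev)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, owner, signedPart(tx))
	if err != nil {
		return nil, err
	}
	tx.Signature = sig
	return tx, nil
}

// VerifyChain replays what a receiving peer checks: every link cites the previous
// ID and is signed by the owner the previous link named. issuer signed the first link.
func VerifyChain(issuer []byte, txs []*Tx) bool {
	owner, prev := issuer, [32]byte{}
	for _, tx := range txs {
		pub, ok := parsePub(owner)
		if tx.PrevHash != prev || !ok || !ecdsa.VerifyASN1(pub, signedPart(tx), tx.Signature) {
			return false
		}
		owner, prev = tx.NextOwner, TxID(tx)
	}
	return true
}

func main() {
	issuer, alice, bob := genKey(), genKey(), genKey()
	t1, _ := Transfer(nil, issuer, &alice.PublicKey, 50)
	t2, _ := Transfer(t1, alice, &bob.PublicKey, 50)
	fmt.Println("chain valid:", VerifyChain(pubBytes(&issuer.PublicKey), []*Tx{t1, t2}))
}
```

Two checks a defender cares about fall out of the verification loop: a transfer signed by anyone other than the owner named in the previous link is rejected, and changing the amount of a recorded transfer invalidates its signature and, through TxID, every link that follows it.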
Blockchain is an immutable distributed decentralized ledger technology that enables sharing of data among the participating stakeholders in a peer-to-peer network. Blockchains are used and implemented in various technological scenarios based on their architectural characteristics and other parameters such as operation mode, consensus algorithms, programming languages support, smart contracts, transaction capacity, etc., as presented in Table 1 below.
Blockchain uses Elliptic Curve Cryptography (ECC) and various hashing algorithms such as SHA-256 to provide strong cryptographic proof for data authentication and integrity [ 65 ]. It ensures that blocks of data stored and recorded on the ledger remain intact and untampered with. Hence, it improves the immutability and security of cloud user transactions.
Smart contracts and chaincodes offer better services and applications to cloud users. Once smart contracts are created and loaded on the blockchain network, they execute independently with business logic built to perform the required tasks. This helps to create trust in existing cloud systems. Furthermore, smart contracts also provide security services, in particular services related to user authentication and fine-grained access control for data sharing and storage.
Proof-of-Stake (POS): This solution was invented to overcome some of the shortcomings and inefficiencies of POW. It does not involve a mining process. Instead, participating users in the network are required to stake, i.e., lock up, some of their coins in a network wallet for a certain time in order to validate data blocks.
The consensus mechanism aims to create agreement within the blockchain network, amongst the participating nodes, on the different transactions performed on the ledger. It helps verify and substantiate the transactions being executed on the network by a majority of peer nodes using a consensus algorithm, ensuring that network participants follow the transaction rules. The primary objectives of blockchain consensus mechanisms include facilitating a uniform agreement between nodes on the network, ensuring fairness and equity, incentivizing participating stakeholders to follow the rules, and making sure that the network remains fault-tolerant.
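A small Proof-of-Stake round, added here to make the two paragraphs above concrete; it is an illustration and not code from the paper or from any named blockchain. Stake must stay locked for minLock epochs before it counts, the proposer is drawn in proportion to stake from a seed every peer already shares (the previous block hash), so the choice is deterministic and verifiable rather than dictated by a coordinator, and a block is committed only when validators holding more than two thirds of the eligible stake voted for it. The Validator type, the two-thirds threshold, minLock, and the sample stakes are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
)

// Validator is a participant that has locked up stake. Constructed example of
// the Proof-of-Stake rules sketched above; all parameters are assumptions.
type Validator struct {
	ID       string
	Stake    uint64
	LockedAt int // epoch in which the stake was locked up
}

// Eligible returns validators whose stake has been locked for at least minLock
// epochs, in a canonical order so every node derives the same list.
func Eligible(vals []Validator, epoch, minLock int) []Validator {
	var out []Validator
	for _, v := range vals {
		if v.Stake > 0 && epoch-v.LockedAt >= minLock {
			out = append(out, v)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	return out
}

func totalStake(vals []Validator) uint64 {
	var t uint64
	for _, v := range vals {
		t += v.Stake
	}
	return t
}

// SelectProposer picks a validator with probability proportional to its stake.
// The previous block hash is the shared seed, so the choice is deterministic
// and every peer can recompute and check it instead of trusting a coordinator.
func SelectProposer(eligible []Validator, prevHash []byte) (Validator, bool) {
	total := totalStake(eligible)
	if total == 0 {
		return Validator{}, false
	}
	h := sha256.Sum256(prevHash)
	r := binary.BigEndian.Uint64(h[:8]) % total
	var acc uint64
	for _, v := range eligible {
		acc += v.Stake
		if r < acc {
			return v, true
		}
	}
	return eligible[len(eligible)-1], true // not reached: acc ends at total
}

// Finalize applies the usual Byzantine-fault-tolerant threshold: a block is
// committed only when validators holding more than two thirds of the eligible
// stake voted for it, so a minority of faulty or malicious stake cannot decide.
func Finalize(eligible []Validator, votes map[string]bool) bool {
	total := totalStake(eligible)
	var yes uint64
	for _, v := range eligible {
		if votes[v.ID] {
			yes += v.Stake
		}
	}
	return total > 0 && 3*yes > 2*total
}

func main() {
	vals := []Validator{
		{ID: "A", Stake: 60, LockedAt: 0}, {ID: "B", Stake: 30, LockedAt: 0},
		{ID: "C", Stake: 10, LockedAt: 0}, {ID: "D", Stake: 1000, LockedAt: 5},
	}
	el := Eligible(vals, 6, 2) // D locked its stake too recently to take part
	p, _ := SelectProposer(el, []byte("hash-of-block-41"))
	fmt.Println("proposer for block 42:", p.ID)
	fmt.Println("committed with A+B:", Finalize(el, map[string]bool{"A": true, "B": true}))
	fmt.Println("committed with A only:", Finalize(el, map[string]bool{"A": true}))
}
```

The lock-up check is what stops a participant from buying influence for a single round, and the shared seed is what lets every peer reject a block whose proposer was not the one the rule selects; the modulo reduction introduces a negligible bias for the small stake totals used here.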
Blockchain technology is a shared distributed ledger open for all participating stakeholders on the network (i.e., cloud users, cloud nodes, and blockchain entities) to store and record their transactions such as information exchange or data sharing among cloud devices and cloud users securely and transparently after being verified by a majority of the participating peers using agreed consensus protocols. It enables industrial networks where cloud users can control and verify their transactions when communicating with the blockchain cloud.
Blockchain-enabled solutions in cloud infrastructures provide transparent and secure cloud network management and services to end-users to help build a trust relationship to increase cloud services’ usage in enterprises further. Along with other services, the blockchain network can also be deployed and hosted on an existing cloud platform to provide more secure and trustworthy services to cloud users and be called Blockchain-as-a-Service (BaaS). In particular, BaaS can offer several blockchain-enabled services to support cloud services and applications. Some of these services are described below:
One of the most alluring facets of blockchain technology that makes it more useful and trustable is the notion of security and privacy on the ledger network. It uses Elliptic Curve Cryptography, distributed logs, and symmetric homomorphic mapping techniques where cryptographic hashing keys are randomly generated comprising alphanumeric codes, making it mathematically impossible to guess or decrypt. This property helps protect blockchain records against potential attacks, reduces data leakage apprehensions, and improves the blockchain network’s overall security [ 64 ]. Furthermore, smart contracts and chain codes are created to provide privacy features to end-users by providing data provenance and trace and track facilities on the ledger network. Thus, blockchain guarantees data privacy and data ownership of individuals.
The blockchain network’s transparency feature ensures that all the transactions stored and recorded on the blockchain ledger are discernable and apparent to all the participating stakeholders on the blockchain network. It helps to achieve public integrity and verifiability of transactions performed on the P2P network by all the peers, reducing the risks of unauthorized data alterations.
This characteristic of blockchain makes it different from today’s centralized networks where central systems or servers have complete control. There is no central authority or control mechanism in decentralized blockchains or third-party service providers to manage transaction processing. Instead, blockchain uses various consensus protocols to substantiate and corroborate transactions processed on the blockchain network in a more secure, transparent, reliable, and incorruptible manner. This incomparable property conveys promising benefits, such as eliminating the risk of single-point failure, saving operational and technical costs, and building trust among the participating stakeholders on the blockchain network.
It is one of the critical properties of blockchain where the stored and recorded transactions on the blockchain ledger cannot be undone; hence, they remain immutable and unchanged over a period of time. All the transactions executed on the blockchain network are by default timestamped and cryptographically hashed and linked to the previous block of data on the ledger. In this way, multiple data blocks are connected to build a chronological chain of blocks. The hashing process applied on every new block encompassing metadata of hash values of the previous block makes the blockchain ledger immutable, i.e., strongly unalterable. Thus, this property of blockchain makes it almost impossible to alter, amend, or even delete data from any block recorded on the ledger after being verified and validated by a majority of the participating peers on the blockchain network.
Blockchain is a revolutionary technology being implemented in almost all supply chain scenarios with several significant characteristics. These include immutability, transparency, decentralization, security, and privacy. All of these are extremely valuable and beneficial for cloud security platforms and applications. This section will briefly describe these fundamental properties as follows:
Private or Permissioned Blockchains: A user or participating node has to be permitted by the blockchain network authority before they can access the network. Such a blockchain is restricted to a particular group of participants (better access control), which makes it more secure and transparent and is increasing its popularity.
The block data contain a cryptographic list of all performed transactions and a hash of the ledger network’s previously stored block. The new information recorded on the ledger is immutable and append-only. It helps create and provide cross-border, globally distributed trust among the various participating stakeholders to determine information provenance, called the “System of Proof”. It enables faster settlements, increased network capacity (scalability), enhanced transparency, enhanced integrity, and more secure transactions without the involvement of Trusted Third Parties (TTP) or centralized authorities and services that can be easily disrupted, compromised, or hacked. A blockchain network provides a shared and distributed ledger that is open to all stakeholders on the network. Each transaction is verified and validated by a majority of the consensus nodes actively participating in the P2P network before being appended to the ledger. Once these transactions are validated and verified by consensus algorithms, the block data become immutable [ 63 ]. Blockchains can be classified as:
A blockchain is an open, distributed, decentralized, shared, and immutable ledger technology that records the registry of assets and transactions between multiple parties across a peer-to-peer (P2P) network in an efficiently verifiable and permanent way. It comprises chained blocks of immutable data, timestamped and validated by miners or participating stakeholders of the network and replicated across multiple participants, each of whom collaborates in its maintenance. A blockchain platform is a P2P network environment where transaction records and parameters (value, state) are controlled through business logic using smart contracts. Blockchain uses Elliptic Curve Cryptography (ECC) and various hashing mechanisms such as SHA-256 to provide strong cryptographic proof for data authentication and integrity [ 62 ].
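Immutability through hash chaining, as described in the paragraphs on immutability, block data, and the definition of a blockchain above, written out as an added example that is not code from the paper: a minimal append-only ledger whose blocks carry the SHA-256 of the previous block. The Block and Ledger types and the sample transaction strings are constructed for this illustration. Verify shows where tampering surfaces: an edited transaction breaks its own block’s hash, and an attacker who recomputes that hash still breaks the next block’s back-link.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// Block is one ledger entry: timestamped transactions plus the hash of the
// previous block, which is what links the chain. Constructed example.
type Block struct {
	Index     int
	Timestamp int64
	Txs       []string // transaction records, kept as plain strings here
	PrevHash  string   // hex SHA-256 of the previous block
	Hash      string   // hex SHA-256 of this block's contents
}

// hashBlock covers every field except Hash itself, so any edit to the
// transactions, the timestamp or the back-link changes the digest.
func hashBlock(b *Block) string {
	data := fmt.Sprintf("%d|%d|%s|%s", b.Index, b.Timestamp, strings.Join(b.Txs, ";"), b.PrevHash)
	sum := sha256.Sum256([]byte(data))
	return hex.EncodeToString(sum[:])
}

// Ledger is append-only: there is no method to remove or rewrite a block.
type Ledger struct{ Blocks []*Block }

func NewLedger(ts int64) *Ledger {
	g := &Block{Index: 0, Timestamp: ts, Txs: []string{"genesis"}, PrevHash: strings.Repeat("0", 64)}
	g.Hash = hashBlock(g)
	return &Ledger{Blocks: []*Block{g}}
}

// Append links a new block to the current tip.
func (l *Ledger) Append(ts int64, txs []string) *Block {
	prev := l.Blocks[len(l.Blocks)-1]
	b := &Block{Index: prev.Index + 1, Timestamp: ts, Txs: txs, PrevHash: prev.Hash}
	b.Hash = hashBlock(b)
	l.Blocks = append(l.Blocks, b)
	return b
}

// Verify walks the chain from genesis and returns the index of the first
// block whose stored hash or back-link no longer matches, or -1 if intact.
func (l *Ledger) Verify() int {
	for i, b := range l.Blocks {
		if b.Hash != hashBlock(b) {
			return i
		}
		if i > 0 && b.PrevHash != l.Blocks[i-1].Hash {
			return i
		}
	}
	return -1
}

func main() {
	l := NewLedger(time.Now().Unix())
	l.Append(time.Now().Unix(), []string{"alice->bob:5"})
	l.Append(time.Now().Unix(), []string{"bob->carol:2"})
	fmt.Println("intact, first bad block:", l.Verify())
	l.Blocks[1].Txs[0] = "alice->bob:500" // edit a recorded transaction
	fmt.Println("after edit, first bad block:", l.Verify())
	l.Blocks[1].Hash = hashBlock(l.Blocks[1]) // attacker recomputes that block's hash
	fmt.Println("after re-hashing, first bad block:", l.Verify())
}
```

To hide the edit completely, an attacker would have to recompute every later block as well, and the copies held by the other peers would still disagree; that is why the text ties immutability to validation by a majority of peers rather than to hashing alone.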
5. Blockchain-Enabled Virtualized Cloud Security Solutions
Cloud computing amasses large networks of virtualized services hosted in large data centres referred to as data farms or server farms. These services are called Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). The existing cloud infrastructures have reconciliation issues, particularly a Multi-Party environment where multiple users share the infrastructure. Some of the problems highlighted include expensive, vulnerable, and inefficient services and applications on cloud platforms. Today’s cloud users require that the transactions, services, and applications provided to them by cloud service providers should be transparent, efficient, secure, and authenticated, and have maximum granular access controls. All the transactions performed on the cloud network should be verified, corroborated, and endorsed by the trusted relevant parties. Business logic should be embedded within the database (Ledger) and executed to validate and store the transactions.
Blockchain technology has the potential and aptitude to resolve and unravel the majority of the problems and challenges being faced by today’s virtualized cloud infrastructures. It provides secure, transparent, trustworthy, and efficient solutions for creating authorized identity management and registration systems for all cloud stakeholders. It also offers a reliable, dependable, distributed, and decentralized management and governance system for integrity, privacy, and efficient tracking and tracing service for all cloud-related transactions performed by cloud users. Blockchain also enables identities and services to be hidden entirely from end-users and can be managed and stored on the blockchain distributed ledger.
The use and implementation of blockchain technology in cloud infrastructures improves the cloud systems’ overall security paradigm [ 78 ]. Recent examples where blockchain-enabled cloud solutions are being implemented include the Oracle Blockchain Cloud Service project [ 79 ]. Furthermore, blockchain can also be beneficial in virtualized cloud environments. It provides the facility to register and give an identity to all the connected cloud devices and services, with a set of attributes and complex relationships recorded on the blockchain ledger. This enables it to provide provenance at all levels in virtualized cloud supply chain networks. The cloud-enabled supply chain network can include multiple stakeholders such as cloud infrastructure facilities, vendors, suppliers, services, distributors, shippers, installers, owners, repairers, re-installers, etc. It also ensures anonymity in large-scale cloud environments: an electronic wallet is created and installed in cloud systems to prevent third-party service providers from accessing users’ private information [ 80 ]. Blockchain-enabled smart contracts also play a significant role in managing, controlling, and, most importantly, securing cloud services and devices. In this section, we discuss and summarize some of the essential features of blockchain technology that can be enormously useful for cloud platforms, particularly in cloud security. Some of the blockchain-enabled cloud security solutions include:
5.1. Blockchain-Enabled Virtualized Task Scheduling
As virtualized cloud data centre operations and services expand, the need for a distributed, transparent, and integrated security solution has never been more apparent. It entails dealing with complicated, critical, and long-term issues such as virtual machine task scheduling in a cluster of server machines. A blockchain-enabled distributed P2P virtualized cloud cluster solution provides better management of these tasks amongst the server machines distributed in a cloud infrastructure. The blockchain-enabled smart contract-based solution enables each node in the P2P blockchain network to correspond to a complex CSP. The blockchain system handles the optimal scheduling of virtualized tasks by generating optimum schedules for each connected virtual machine, producing a recommendation list of cloud services, storage servers, and cloud resource providers. The proposed solution attempts to determine the cluster servers that guarantee the minimum power penalty while also increasing the overall resource utilization of a given server cluster. It further extends the decision logic to improve the efficiency and performance of virtualized server machines.
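A placement heuristic for the scheduling problem described above, added as an illustration and not taken from the paper or from any referenced system: each VM task goes to the server where it adds the least power, ties favour the busier host so that idle servers can stay off, and cluster power and utilization are reported afterwards. The Server and Task types, the two-term power model (a fixed draw once a host is active plus a per-unit cost), and the sample cluster are assumptions; in a blockchain-enabled deployment this decision logic would be what the smart contract evaluates, which is not shown here.

```go
package main

import (
	"fmt"
	"sort"
)

// Server is one host in the cluster. The power model (a fixed draw once the
// host is active plus a per-unit cost) is an assumption made for this
// constructed example, not a figure from the reviewed work.
type Server struct {
	ID        string
	Capacity  int // schedulable CPU units
	Used      int
	IdlePower float64 // watts drawn as soon as the host runs any task
	PerUnit   float64 // additional watts per CPU unit in use
}

func (s *Server) power() float64 {
	if s.Used == 0 {
		return 0
	}
	return s.IdlePower + float64(s.Used)*s.PerUnit
}

// marginalPower is the power penalty of placing demand units on s.
func (s *Server) marginalPower(demand int) float64 {
	after := *s
	after.Used += demand
	return after.power() - s.power()
}

type Task struct {
	ID     string
	Demand int // CPU units required by the virtual machine task
}

// Schedule places tasks largest-first, each on the server whose power penalty
// is lowest; ties go to the busier server so load is consolidated and idle
// hosts can stay off. It returns task ID -> server ID and updates servers.
func Schedule(servers []*Server, tasks []Task) (map[string]string, error) {
	order := append([]Task(nil), tasks...)
	sort.SliceStable(order, func(i, j int) bool { return order[i].Demand > order[j].Demand })
	placement := make(map[string]string)
	for _, t := range order {
		var best *Server
		bestCost := 0.0
		for _, s := range servers {
			if s.Used+t.Demand > s.Capacity {
				continue // does not fit; never over-commit a host
			}
			c := s.marginalPower(t.Demand)
			if best == nil || c < bestCost || (c == bestCost && s.Used > best.Used) {
				best, bestCost = s, c
			}
		}
		if best == nil {
			return nil, fmt.Errorf("task %s (%d units) fits on no server", t.ID, t.Demand)
		}
		best.Used += t.Demand
		placement[t.ID] = best.ID
	}
	return placement, nil
}

// TotalPower sums the power draw of the cluster after placement.
func TotalPower(servers []*Server) float64 {
	p := 0.0
	for _, s := range servers {
		p += s.power()
	}
	return p
}

// Utilization is used capacity over total capacity of the whole cluster.
func Utilization(servers []*Server) float64 {
	used, total := 0, 0
	for _, s := range servers {
		used += s.Used
		total += s.Capacity
	}
	if total == 0 {
		return 0
	}
	return float64(used) / float64(total)
}

func main() {
	servers := []*Server{
		{ID: "S1", Capacity: 10, IdlePower: 100, PerUnit: 10},
		{ID: "S2", Capacity: 10, IdlePower: 100, PerUnit: 10},
	}
	tasks := []Task{{ID: "t1", Demand: 4}, {ID: "t2", Demand: 3}, {ID: "t3", Demand: 2}, {ID: "t4", Demand: 5}}
	placement, err := Schedule(servers, tasks)
	fmt.Println(placement, err)
	fmt.Printf("power %.0f W, utilization %.2f\n", TotalPower(servers), Utilization(servers))
}
```

With the sample cluster, the four tasks (14 units in total) are packed onto the two hosts at 340 W and 70% utilization, and a task larger than any host is rejected rather than over-committed; the same logic running as contract code would make the placement decision auditable by every peer.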
5.2. Blockchain-Enabled Anonymity of Data Algorithms
A virtualized cloud infrastructure comprises hardware and software components, devices, services, and applications. The implementation of blockchain can improve the security of the algorithms these components rely on and thereby secure the whole system. One of the prominent features of virtualized cloud systems is the anonymity of users’ information and service data available in virtualized cloud environments. This feature is further supported and improved by implementing blockchain-technology-enabled solutions [ 81 ] such as Electronic Wallets installed in large-scale clouds to store users’ and services’ data through blockchain platforms [ 82 ]. It is essential to highlight that these electronic wallets must be deleted appropriately once used to ensure user information security on the cloud. A recent example of such a successful integration of blockchain with cloud platforms is the Oracle Blockchain Cloud Service project [ 83 ].
Furthermore, cloud service records can be stored on a distributed ledger on the blockchain network where recorded data and services cannot be changed or added without the consensus of all peer nodes participating on the blockchain network. The identity of these cloud users and service providers can also be validated by applying consensus over the blockchain. Blockchain also provides better security and privacy solutions. It can effectively hide the physical location of data and use blockchain-enabled cryptographic algorithms to store the data on the blockchain ledger securely considering data sovereignty rules and guidelines in the permitted locations.
5.3. Blockchain-Enabled Data Integrity and Privacy
The services and data processed and provisioned by CSPs connected through a blockchain network will always be cryptographically proofed and signed by the real sender that holds the unique public key and Global Unique Identifier (GUID). This ensures the authentication and integrity of the transmitted data or the on-demand provisioned service. In addition, these transactions will be recorded and stored on the blockchain-distributed ledger, where they can easily be traced and tracked by any of the participating cloud users or CSPs, which provides provenance to all cloud system stakeholders and thus creates trust. Blockchain-enabled smart contracts help ensure user and service privacy using custom-defined access rules, conditions, and time windows that allow specific individuals, groups of users, or machines to own, control, and access data at rest or in transit in a cloud infrastructure. These smart contracts have the control and authority to manage who has the right to update, upgrade, or patch the data and services (software or hardware), provide new keypairs, initiate a service or repair request, change ownership, and initiate the provision or re-provision of a service.
5.4. Blockchain-Enabled Authentication and Authorization
Blockchain smart contracts are created and executed by peer nodes (peers) to facilitate and enforce decentralized authentication and authorization rules and logic, providing single- and multi-party authentication to all cloud devices and users on the cloud computing platform. These smart contracts also provide improved authorization rules for cloud users accessing cloud services and data using Access Control Lists (ACLs), whereas in traditional clouds, authorization and authentication are done using Role-Based Access Control (RBAC), OAuth 2.0, OpenID, OMA-DM, and LWM2M protocols. A smart contract’s business logic has many programming functions, predefined rules, and conditions (contractual terms) defined by mutual agreement between the participating peers to read, execute, and update the ledger’s current state, and is initiated through a transaction proposal [ 84 ].
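An added example of the permission layers this page describes for Hyperledger Fabric earlier (identities asserted by a membership service, ACLs that bind resources to named policies, a user allowed to invoke but not deploy chaincode) and of the contract-defined access rules of Sections 5.3 and 5.4. It is not Fabric’s own code: the Rule evaluator, the policy and ACL tables, and the AccessRule type are constructed for this illustration, and the mappings are not Fabric’s defaults, although the resource keys (peer/Propose, qscc/GetChainInfo, _lifecycle/CommitChaincodeDefinition) and the /Channel/Application/... policy names follow Fabric’s naming. The evaluator also simplifies one point, noted in the code: a single signer may satisfy several leaves of a rule.

```go
package main

import "fmt"

// Identity is what an MSP-issued certificate asserts about a signer.
type Identity struct{ MSP, Role string }

// Rule is a signature policy in the spirit of Fabric's
// "OR('Org1MSP.admin', 'Org2MSP.admin')" expressions: a leaf requires one
// signer from the given MSP (Role "" means any member), an inner node requires
// N of its sub-rules to hold. Constructed example, not Fabric's own code.
type Rule struct {
	MSP, Role string
	N         int
	Sub       []Rule
}

func SignedBy(msp, role string) Rule { return Rule{MSP: msp, Role: role} }
func NOutOf(n int, sub ...Rule) Rule { return Rule{N: n, Sub: sub} }
func Or(sub ...Rule) Rule            { return NOutOf(1, sub...) }
func And(sub ...Rule) Rule           { return NOutOf(len(sub), sub...) }

// Satisfied reports whether the signers meet the rule. Simplification: one
// signer may satisfy several leaves, whereas Fabric counts each identity once.
func (r Rule) Satisfied(signers []Identity) bool {
	if r.Sub == nil {
		for _, s := range signers {
			if s.MSP == r.MSP && (r.Role == "" || s.Role == r.Role) {
				return true
			}
		}
		return false
	}
	n := 0
	for _, sub := range r.Sub {
		if sub.Satisfied(signers) {
			n++
		}
	}
	return n >= r.N
}

// Named channel policies and the ACL that maps chaincode operations onto
// them. The resource names are Fabric ACL keys; the mappings and policies
// here are assumed values chosen for the example, not Fabric's defaults.
var policies = map[string]Rule{
	"/Channel/Application/Readers": Or(SignedBy("Org1MSP", ""), SignedBy("Org2MSP", "")),
	"/Channel/Application/Writers": Or(SignedBy("Org1MSP", "client"), SignedBy("Org1MSP", "admin"),
		SignedBy("Org2MSP", "client"), SignedBy("Org2MSP", "admin")),
	"/Channel/Application/LifecycleEndorsement": And(SignedBy("Org1MSP", "admin"), SignedBy("Org2MSP", "admin")),
}

var acl = map[string]string{
	"qscc/GetChainInfo":                    "/Channel/Application/Readers",
	"peer/Propose":                         "/Channel/Application/Writers",
	"_lifecycle/CommitChaincodeDefinition": "/Channel/Application/LifecycleEndorsement",
}

// Allowed is the check a peer makes before serving a request: unmapped
// resources and unknown policies are denied rather than silently allowed.
func Allowed(resource string, signers []Identity) bool {
	name, ok := acl[resource]
	if !ok {
		return false
	}
	p, ok := policies[name]
	return ok && p.Satisfied(signers)
}

// AccessRule is the kind of contract-defined rule Section 5.3 describes: who
// may perform an operation on a data item, and during which time window.
type AccessRule struct {
	Op                  string
	Policy              Rule
	NotBefore, NotAfter int64 // Unix seconds; 0 means unbounded
}

func (a AccessRule) Permit(signers []Identity, now int64) bool {
	if (a.NotBefore != 0 && now < a.NotBefore) || (a.NotAfter != 0 && now > a.NotAfter) {
		return false
	}
	return a.Policy.Satisfied(signers)
}

func main() {
	client := []Identity{{MSP: "Org1MSP", Role: "client"}}
	admins := []Identity{{MSP: "Org1MSP", Role: "admin"}, {MSP: "Org2MSP", Role: "admin"}}
	fmt.Println("client invokes chaincode:", Allowed("peer/Propose", client))
	fmt.Println("client commits definition:", Allowed("_lifecycle/CommitChaincodeDefinition", client))
	fmt.Println("both admins commit:", Allowed("_lifecycle/CommitChaincodeDefinition", admins))
	patch := AccessRule{Op: "patch", Policy: SignedBy("Org2MSP", "admin"), NotBefore: 100, NotAfter: 200}
	fmt.Println("patch at t=150:", patch.Permit(admins, 150), "at t=250:", patch.Permit(admins, 250))
}
```

The default-deny branch in Allowed is the part worth copying: a request for a resource nobody thought to map should fail closed, and a policy name that does not resolve is a configuration error, not a grant.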
5.5. Blockchain-Enabled System Resilience and Fault Tolerance
One of the key characteristics of a blockchain network is its fault tolerance and resilience capacity, as it provides provenance and a track-and-trace facility for all types of data and services being provisioned to cloud users at any location by CSPs. It implies that the failure of any single node in the blockchain network will not affect the functionality and continuity of the whole virtualized cloud infrastructure. It can be implemented by using blockchain as a sub-system in a cloud infrastructure solution. This blockchain-adopted sub-system works as a back-end solution (back-end service) to record and store cloud data and services in a tamper-resistant way using a blockchain algorithm. The overall system is called Blockchain-as-a-Service (BaaS). In this solution, the connectivity between the virtualized cloud and the back-end blockchain is implemented using smart contracts. In this complex infrastructure, cloud computing performs offloading when a complex computation workload is required, which can then be processed using these smart contracts.