Framework and Assessment Model for Cloud Computing Security
Wu Wei-min 1,2,a
1 College of Computer Science and Engineering, Nanjing University of Science and Technology,
2 College of Educational Science and Technology, Nanjing University of Post and Telecommunications, Nanjing, China
Keywords: Cloud Computing; Cloud Security Framework; Cloud Security Assessment
Abstract. In the last few years, cloud computing has grown from a business concept to one of the fastest growing segments of the IT industry. It is a fundamental change and represents a movement towards an intensive, large-scale, specialized computing model. But as more information and organizations move to the cloud, more concerns about security emerge. This paper discusses security issues, requirements and challenges, and provides a cloud computing security framework and an ESI assessment model.
Today more companies are realizing that simply by using the cloud they can access the best business applications or boost their infrastructure resources at a lower cost. The cloud offers several benefits such as fast deployment, charge-on-use, scalability, elasticity, low-cost disaster recovery and data storage solutions, on-demand security controls, etc.
According to CA Technologies (NASDAQ:CA), respondents indicate the cloud has moved beyond adolescence and is on the path to maturity in the enterprise. Although the number of users of cloud computing is growing, organizations are still confronted with some problems. A survey performed by IDCI shows that 74% of IT executives and CIOs cited security as the top challenge preventing their adoption of the cloud services model. A survey performed in 2011 on a sample of 521 IT professionals shows that the training of users in cloud computing (43%) and the security challenges (36%) are still barriers to adopting cloud computing. Independent research firm Forrester Research expects the global cloud computing market to reach $241 billion in 2020 compared to $40.7 in 2010, according to a new Forrester report called Sizing the Cloud. To realize this tremendous potential, businesses must address the security and privacy problems raised by this future computing model.
Layer Model of Cloud Computing Services
Cloud computing uses three delivery models by which different types of services are delivered to the end user: SaaS (Salesforce's CRM), PaaS (Google's Google App Engine, Microsoft's Azure) and IaaS (Amazon's Elastic Compute Cloud, IBM's Blue Cloud), which provide software as services, infrastructure resources, platform and application to the consumer. IaaS is the foundation of all cloud services, with PaaS and SaaS built on top of it. The relationship of IaaS, PaaS and SaaS is shown in Fig. 1. Just as capabilities are inherited, so are the information security issues and risks. Each model involves significant trade-offs in terms of integrated features, complexity vs. extensibility, and security. If the cloud service provider takes care of security only at the lower part of the security architecture, consumers become more responsible for implementing and managing the security capabilities themselves.
From the point of view of the services that the cloud provides, the future cloud will move to a huge global service network based on cloud infrastructure, including cloud fundamental software services and cloud application services. The multi-layer model of cloud computing services is shown in Fig. 2.
Advanced Materials Research Vols. 791-793 (2013) pp 1739-1742. Online available since 2013/Sep/04 at www.scientific.net. (2013) Trans Tech Publications, Switzerland. doi:10.4028/www.scientific.net/AMR.791-793.1739
Fig. 1. The Relationship of IaaS, PaaS and SaaS.
Fig. 2. Multi-layer Model of Cloud Computing Services
The cloud infrastructure layer is the foundation that supports all upper services and applications. The middle layer, the cloud fundamental software layer, provides basic and general services, such as cloud development platform services, cloud data management services, cloud operating system services and cloud search services. The cloud application layer is a customer-oriented layer and supports e-commerce, storage services, video services, BBS and email, etc. All layers may be geographically independent and provided by different service vendors.
Security Challenge of Cloud Computing
With the development of computing technology, the focus of security shifts. In the standalone computer, threats mainly concern cryptography and data security. In the Internet era, the main threats concern network and information security. In cloud computing, threats concern cloud data security, privacy protection, platform and cloud security, etc. The cloud age needs a multi-dimensional system to ensure overall security. This multi-dimensional system will include warning, attack prevention, recovery mechanisms, risk assessment and safety supervision.
Cloud computing security framework. The vendor has cloud data access privileges, so there is potential risk to data security, such as illegal use of data and data loss. One cloud vendor's services may be incompatible with another's when a user migrates. Virtualization shares resources among users and may cause different virtual resources to map to the same physical resource. So there is also a risk of user data leakage when a security vulnerability exists.
There are some products dealing with general security problems on separate layers. But for a dependable computing environment as a whole, all parts together and the associations between parts, such as VM security and services outsourcing security, must be taken into account.
Security standard and assessment system. Lack of standardization keeps a customer trying to switch from a private to a public cloud from doing so as seamlessly as switching browsers or mail systems. In addition, it would keep users from knowing the basic capabilities they could expect from any cloud service. Moreover, interoperability would keep users from being locked in by a single provider. A cloud computing standard should support broader security objectives, e.g. avoiding the collection, storage and usage of sensitive user information, and providing a model and privilege domain that is standardized between user and vendor. It should also be measurable, verifiable, auditable and implementable.
Due to its distributed nature, the cloud security assessment process should be dynamic and transparent. The assessment standard developed should regulate and support the management process.
Controllable supervision system. Attacks on the cloud are easier and can cause greater losses than ever, so recognizing and preventing such disasters is vital. Besides, content monitoring and privacy protection in the cloud should be balanced. Moreover, globalization makes supervision harder and more expensive.
Cloud Service Security Framework
It is important to build a comprehensive security framework to counter threats and guide security practice. The proposed reference cloud service security framework is shown in Fig. 3.
Fig 3. Cloud service security framework
Cloud Service Security Standard. Cloud security objectives define the security requirements and performance indices. They are measurable and can be evaluated against a clearly defined standard. The evaluation standard for multi-level cloud service delegation remains to be researched.
The cloud security functional standard defines the fundamental cloud security services, such as cloud access control, cloud authentication service, cloud audit service, cloud cryptographic service, etc. Test approaches and regulations are provided to judge whether a provider is qualified.
Interoperability requires translation of specific application and service functionality from one cloud provider to another, and this won't happen without proper standardization. So a cloud interoperability standard is necessary.
Cloud Service Security Architecture. The centre of this framework is cloud infrastructure security, which provides basic security services, such as data storage, reliable computing functions and resources. Security on the physical layer provides facility safety; on the storage layer, data integrity, encryption, backup, disaster recovery, etc.; on the network layer, DNS safety, confidential transmission, anti-DoS, etc.; on the system level, authentication service, database safety, access control, etc.
The middle circle represents cloud fundamental security, which is a basic software layer. It ensures general information safety. Services including the cloud authentication service, cloud cryptographic service, cloud audit service and cloud access control service are provided here.
The outer circle indicates cloud application security, which is closest to users' requirements. IDS, anti-virus, failure recovery and cloud content filtering services are provided here.
Cloud User Standard. It covers the life cycle of user data, namely: create, store, share, use, maintain and destroy. At every stage of the cycle, data should be safe and private. The corresponding services (e.g. object definition service, security management service) are needed.
Cost-effectiveness Assessment Model for Cloud Computing Security Investment
In order to identify ways to redirect valuable resources to achieve more, a model for evaluating the relationship between investment and outcome is needed. Any organization could use the following formula to make decisions. The effectiveness of security investment (ESI) can be measured by Eq. 1.
$$\mathrm{ESI} = \frac{L_1 - L_2 - C_1}{C_1} \tag{1}$$
L1 stands for the loss without the investment. L2 stands for the loss with the investment. C1 is the cost of the investment for cloud security. Here losses avoided are considered benefits. The higher the ESI value, the more effective the investment. If the value is negative, the investment has not yet been fully returned.
For an organization adopting cloud services, the compensation provided by the cloud provider must be taken into account. In this case Eq. 1 can be revised to Eq. 2:
C2 is the compensation offered by the cloud provider for failures or service interruptions. Although other assessment approaches, namely TCO (Total Cost of Ownership), IRR (Internal Rate of Return) and NPV (Net Present Value), etc., can also be used to make the evaluation, they have the limitation that many users tend to use subjective values, which makes the final result inaccurate.
As described in this paper, though there are certain advantages in adopting a cloud system, there are still many practical problems. Security in cloud computing is elaborated in a way that covers security issues and challenges, security standards and the security framework. We have argued that it is very important to recognize that solving these problems requires both technical and social measures, and so we provide the comprehensive cloud service security framework. This security framework and the ESI assessment approach try to address the issues arising from the cloud.
CA Technologies, The Tech Insights Report 2013: Cloud Succeeds. Now What?,
Clavister, Security in the cloud-Clavister White Paper, http://www.findthatpdf.com/
D. Teneyuca, Internet cloud security: The illusion of inclusion, Information security technical report, Sept (2011), p. 1-6
kiril, Cloud Computing Market Will Top $241 Billion In 2020, http://www.cloudtweaks.com/
L. Hayden: IT Security Metrics: A practical framework for measuring security & protecting data, (2010), McGraw-Hill
Marinela Mircea, Addressing Data Security in the Cloud, World Academy of Science, Engineering and Technology, Vol.66(2012), p. 539-546