Upload
ijera-editor
View
256
Download
1
Tags:
Embed Size (px)
DESCRIPTION
IJERA (International journal of Engineering Research and Applications) is International online, ... peer reviewed journal. For more detail or submit your article, please visit www.ijera.com
Citation preview
Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and
Applications (IJERA) ISSN: 2248-9622 www.ijera.com
Vol. 3, Issue 2, March -April 2013, pp.035-052
35 | P a g e
Research on preserving User Confidentiality in Cloud Computing
– Design of a Confidentiality Framework
Chaitanya Dwivedula1, Anusha Choday
1
M.Sc- 1
in Software Engineering,
Blekinge Institute of Technology (BTH), Karlskrona, Sweden
I.
GROUP MEMBERS‟ PARTICIPATION
Group Member Idea Creation Report Writing Group Member 1 45 % 65% Group Member 2 55 % 35%
Abstract Cloud Computing creates a dynamic
resource sharing platform that provides data
analytically to the proficient users who are at
demand to access data present in the cloud. As
this data is stored outside the data owner's
boundaries, they are skeptical for utilizing
cloud technology in order to store or access
their data from those external cloud
providers who are outside their own control
environment. There are many issues for these
active clients (companies or individuals) to be
petrified at the thought of using cloud
computing paradigm. Some of the main issues
that make the clients swear against Cloud
Computing are generated from three
important security aspects:
Confidentiality, Integrity, and Availability.
In this Research, we focused only on security
models that relate Confidentiality issues.
We performed a literature Review for
analyzing the existing confidentiality
frameworks and security models. We then
designed a new theoretical framework for
confidentiality in Cloud computing by
extracting this literature. We expect this
Framework when implemented practically in
the cloud computing paradigm, may generate
huge successful results that motivate the clients
to transform their businesses on to Cloud.
Keywords: Cloud Computing,
Confidentiality, Security, Framework.
II. INTRODUCTION Cloud Computing evolves to be a
consistent term with collaboration of various IT
technologies involved in it [15]. Resource pooling
technology in Cloud Computing paradigm renders
the ability to store and dynamically allocate space
to the resources that occur for storage periodically
[15]. Virtualization technology [6] in Cloud
Computing paradigm renders the ability to run
resources that dynamically scale the user's necessity
and share the resources available to support the
need [15]. Similarly, there are many other
technologies that contribute to Cloud Computing. The data storage mechanisms by Resources Pooling
occur in Data-Centers [8] [15] which indirectly act
like a CLOUD. On the other hand, the concept of
„provisioning services in a timely (near on instant),
on-demand manner, to allow the scaling up and
down of resources‟ generates a virtualization
mechanism which pretends to be COMPUTING
[15]. Hence, CLOUD COMPUTING deserves to be
a collective term of several technologies that
interrupt effectively for dynamic
allocation/de-allocation of resources [15]. The generally accepted standard definition [15] of
Cloud Computing is published with efforts from
National Institute of Standards and Technology
(NIST). Their published1 definition is used in our
Research Report for analysis about Cloud
Computing.
In short, to describe NIST definition [15], we
understood that, the 'convenient and Ubiquitous
network access' creates a moderate effort to the cloud clients to establish their resources on to the
Cloud. The 'shared pool of configurable computing
resources' contribute an Instant allocation/de-
allocation of resources that occur for on-demand
data access [15] The 'rapid provisioning' provides a
flexible operation of cloud for the cloud
providers to scale the resources with
assigning and releasing resources from time to time
when they are required elsewhere [15].
As the technologies keep intruding
into Cloud Computing paradigm, there is no means to say cloud computing is exhaustive.
Cloud Computing key- characteristics,
models and implementations are more extensively
discussed in Section-III. The discovery of cloud
computing generated a reported progress 2 of
Software Industry and its services to the
Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and
Applications (IJERA) ISSN: 2248-9622 www.ijera.com
Vol. 3, Issue 2, March -April 2013, pp.035-052
36 | P a g e
companies worldwide; but along with it, the
security issues kept eroding to change [2]. This
resulted in The Client's View about Cloud
Computing as that it lacks in confidentiality for
moving their resources onto cloud [10]. Potential
clients are now waiting for the answers about
how, why and by what means the security is
provided to Cloud computing [2].
The Problem is distinct as the security issues occur frequently in parallel to the Cloud development.
The environment of Cloud Computing is vast
making it more vulnerable to threats [2]. Hence, we
decided to focus on the most eminent security
issues that significantly standardize the
Confidentiality of Cloud Computing to a better
extent. In our Systematic literature review made
before our research proposal, we analyzed that
Confidentiality alone can specify approximately
50% of the security issues that when satisfied-
cloud computing can emphasis to more interesting
software development. The data behind the Cloud is technically said to be
off- premise and is never under the boundaries of
the data owners [8]. These data that are stored
in Cloud are beyond the control of data owners
which may converge with loss of confidentiality
[2]. We believe that, Most of the effective
customers condemn the use of cloud computing
because they are aware of the ethics beneath cloud
technologies that are unclear or unknown to them.
The goal of this Research is to
generate a successive framework for Cloud Computing that can predict sufficient
Confidentiality gain in this particular Cloud
environment. Hence, this Framework will be an
extension to our understandings of Frameworks
analyzed from Systematic literature review (SLR)
that is done at the time of our research.
Our Research Questions relate this main objective
mentioned above and are detailed to study from
section-IV. The study process, data collection &
analysis methods involved for this research are
discussed to detail in the section-V and section-VI.
The problems (that may generate during the implementation of the resulted framework), the
limitations and the sustainable arguments to our
study are brought-up to note in section-VII. Our
final research results that are concerned with our
research goals are presented to acknowledge our
study in conclusions part (section VIII).
III. BACKGROUND AND MOTIVATION The consistent approach of our previous
SLR (PRE-SLR) lead us to a clear understanding of
security issues present in Cloud Computing.
Mainly, the security issues such as Confidentiality;
Integrity; Availability; are indefinitely implemented
to reach the efforts constraining to Healthy on-
demand network access [2]. Thus, these efforts
when indistinct may route to problems in Cloud
service models (such as SAAS; PAAS; IAAS;)
which when left unsolved might cause 'lack of
proficient security (CIA)' [2] [7]. One of the main
reasons for Cloud Computing to be inconsistent in
confidentiality is due to differences in Cloud
models that are getting deployed [2]. The three
deployment models (Public Cloud; Private Cloud;
& Hybrid cloud;) generate a multiple framework
activity that has to be satisfied with confidentiality [7].
This SLR has also been understood as a proven
theory when we re-reviewed the NIST definition for
a several times.
The definition is supported by five key cloud
characteristics, three delivery models and four
deployment models [15]. We understood this
definition as of three interlinking properties of a
Cloud: key Characteristics of a cloud, delivery
models and deployment models. Our
understandings on this definition are presented in
the Figure-3.1.
Figure-3. 1: Our understandings on NIST
definition [15]
The key characteristics describe the operations
performed in a cloud computing environment. The
key characteristics such as On-demand resource
sharing; Resource Pooling;
Rapid elasticity; monitoring resource
allocation; Wide network access; service
provisioning; has elaborated the Cloud technology
in detail [15]. The Cloud service Models such as
Software-as-a-service (SAAS); Platform-as-a-
Service (PAAS); infrastructure-as-a-Service
(IAAS); are said to be general classifications of the
Cloud [15]. Regardless of the service models that
are classified, there exist 3 basic deployment
models of Cloud such as Public Cloud; Private
Cloud; and Hybrid Cloud. “Hence, the key characteristics of Cloud when applied (to
deployment models) provide data (or) services to
its Clients.”
Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and
Applications (IJERA) ISSN: 2248-9622 www.ijera.com
Vol. 3, Issue 2, March -April 2013, pp.035-052
37 | P a g e
Classifying Security Issues in Common Technical issues
Organizational issues Legal issues.
Here, we also analyzed that Confidentiality
issues underlie the challenges in finding answers to
questions like:
How will Cloud provisioning occur to act?
What are Cloud security requirements?
How will Data storage occur in Cloud
Computing?
How reliable is Security architecture of the
Cloud? How reliable are the Cloud Services offered?
So, indirectly we understood that “gaining
knowledge
about Cloud technology improves half of the
Confidentiality levels in the Clients”. Hence, these
above questions have worked as partial hypothesis
for us.
We are focused to propose a unique framework that
can produce a single architecture which allows
combination of required security goals; along with
all the reliable policies, procedures for all Cloud
deployment models in common. So, we further continued our research on classifying the security
issues that are analyzed from our PRE-SLR results.
With the understandings we have - upon the found
security issues, we now classified them as the
issues that relate to Confidentiality with one among
the three, they are:
The entire list of Security issues are
generalized into these three issues in common.
This Complete list of Security issues obtained in
PRE-SLR is presented in Appendix-C.
Our reasoning for the above classification is as
follows:
Technical issues: All the security issues like
„Shared
Technology Vulnerabilities‟, „network security‟
and many others
that can find solutions framing security goals in technical area are analyzed as Technical issues.
Organizational issues: All the security issues
like
„Malicious Insiders‟, „data location transparency‟
and many
others that can find solutions by framing security
goals in organizational area are analyzed as
Organizational issues.
Legal issues: All the security issues like „policy
based or procedural based problems‟ and many
others can get the solutions by framing security goals in this area are sorted to be legal issues.
The basis of this classification is just to unite all the
security issues relevant to confidentiality in Cloud
Computing. The main idea besides this type of
classification
is -„if we unite all the confidentiality issues in
common, then we can easily map them onto our
framework that is going to be generated.‟
We hope the companies will need a unique frame
work like this and future researchers might not fail
to be stimulated by the ideas presented by us. While
this is a diving cause for the need that encompasses
cloud computing, if we can't find the solution for
this research, the implications of not solving this problem might be the same as explained above:
The confidentiality that lacks behind will generate a
fear for the clients (companies, organizations,
individuals, etc) to share/store their resources (or)
to transform their businesses on to the Cloud
environment.
IV. RESEARCH DEFINITION AND
PLAN A. Research objective:
The goal of this Research is “To generate
a sufficient security model-framework for the
extent possible, which when implemented: can
moderate the activities (that occur for security
threats or implicating risks) that are indeed capable
of reducing Confidentiality of the Cloud and its
environment.”
This Research objective focused our aims onto:
Specifying the security issues that relate to
Confidentiality in Cloud Computing.
Understanding the possible research
results of the effective security models presented by
the previous researchers.
Proposing a more extensive security
model- framework that can uniquely state the
province of all service and deployment models in
collaboration.
B. Research Questions: The interpretation of the above objective is
extensively scrutinized, with the need for the
necessary knowledge that has to be obtained in
collaboration with the new framework to be
generated. These following research questions 3
(R.Q‟s) will guide our research:
R.Q.1: What are the Security issues that sufficiently
support Confidentiality -inducible in security
Framework of Cloud Computing?
The Question has been framed in such a way that
all the issues found in our PRE-SLR are
now to be
brought out to analysis where we can know how
the security issues collide with the security models
framed. For this, we need to know how actually a security model in Cloud Computing is exists.
Hence, R.Q.1.1 is framed for
this analysis. Interpreting the solutions
occurred for
R.Q.1.1 will relevance the solutions to be found for
Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and
Applications (IJERA) ISSN: 2248-9622 www.ijera.com
Vol. 3, Issue 2, March -April 2013, pp.035-052
38 | P a g e
R.Q.1.
R.Q.1.1: How are these Confidentiality issues
classified to indulge with consistent security
operations in Cloud Computing?
3 These R.Q‟s are re-framed for „adequacy need‟ for this report (as commented by our professor
{proposal evaluator}) but comply with same
research meaning as that of research proposal
R.Q‟s framed earlier. This R.Q. is generated in
such a way that we can understand several
constrains for security issues getting involved in the
security operations. This question needs a though
analysis of security models presents in the
literature. Hence, SLR is conducted to extract the
results.
R.Q.2: How to uniquely frame Confidentiality
within the boundaries of all Cloud security
models/Architectures in common?
Our entire research concept is to find a unique
framework for confidentiality in cloud
computing and this questions serves the purpose of
our scope.
C. Research Methodology:
Our research is originated by understanding Cloud Computing as a start and
then conceived with an objective of what needs to
be done. The R.Q.s are framed with the basic
understanding from the PRE-SLR results and by
reading several: research news articles, websites
regarding Cloud service offerings, and soon. As,
Our research has to provide solutions with
analysis of various security models or
confidentiality frameworks in Cloud Computing,
we observed that qualitative form of extracting
information is an SLR.
Hence, we conduct an SLR again but now with focus on extracting Security models. For clarity,
the SLR that has to be performed now is named as
POST-SLR. The difference between these two
SLRs is as shown in Appendix-A.
A Review methodology of this type (SLR) is
helpful to generate sufficient solutions for our
R.Qs. In addition, our ideas with reference to the
issues found in PRE-SLR will be presented for
qualitative elaboration in the Framework being
generated.
Systematic Literature Review: (POST-SLR): To gain knowledge in Security Models and
previous researchers' works on Security Framework
activity in cloud computing, we choose SLR as our
best means to obtain it. Some of the sufficient
reasons for relying only upon SLR are as follows:
Analyzing the generally accepted security models in cloud environment.
Analyzing the future work that remains unfurnished in the previous security models in
Cloud Computing.
Analyzing the inconsistent results found
in the literature from other researchers.
Analyzing ideas that are firmly achieved
by the others in this field of study.
Applying their models more
extensively by clubbing the ideas; to generate new
framework with the current security issues that
enhance Confidentiality in Cloud.
With experiences from PRE-SLR, We now choose top journals refereed from several good
publications. In our first step, the Journal
Ranking is collected from an International
Research Group4 by name: "Association of
Information Systems (AIS)". We have only selected these Top ranked Journal Publications in
which again through filters we were able to analyze
that only few occur for Cloud Computing study.
The task of finding a search engine had been easier
for us than finding best journal publications; as
most of the search engines are available through
our BTH University 'Find database' library
portal. We only focused on the search engines that
can especially present these Top ranked journal
publications. We then filtered our keywords again
and again for a proficient search refinement
on „Confidentiality frameworks and security models in Cloud Computing‟. The
complete operation of POST-SLR in presented in
the below data collection & analysis methods.
Data Collection method:
The Qualitative analysis of literature amends with
the use of SLR. However, if the distillation process
of extracting literature fails, the quality might
reduce its heights. Hence, opting for highly
qualitative journal publications, selecting effective
search databases and framing the search strings for
the search operations are said to be the three main aspects of SLR.
a) Step1: Journal selection: we required papers
that present studies of all forms such as Empirical
studies, Case- studies, research findings, and all
other available literature; but we restricted our
search only to the peer-reviewed Journal articles.
The list of Journal Publications that attracted
us in our study (on security models in Cloud
Computing) are presented below. These top
ranked journals are sorted with searches made for
our Cloud Computing study. The original ranking list of Top Journals as described above are sent to
Appendix-B inorder to make it clear.
Journal Articles (Scrutinized)
MIS Quarterly (MISQ)
Communications of the ACM (CACM)
IEEE Transactions (various)
Journal of Computer and System Sciences (JCSS) Information Systems Journal (ISJ) Database for Advances of Information Systems (DATABASE) Decision Support Systems (DSS)
b) Step2: Database selection:
Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and
Applications (IJERA) ISSN: 2248-9622 www.ijera.com
Vol. 3, Issue 2, March -April 2013, pp.035-052
39 | P a g e
Our experience upon the search engine mattered for
a while as this selection is a priority for major
papers to be found. Hence, we limited our search
within databases where almost all the top ranked
Journals can be found. The analysis list of most
prominent Search databases that cover all the
ranked Journals in relation to Cloud Computing
Findings in their search Query; are presented
below: Search Databases (scrutinized)
SCOPUS
Engineering village (INSPEC; COMPENDEX;)
The search operation designed below is applied
with one of these two databases at a time; For
example, if we can‟t find the relevantly interesting
data in „Scopus‟ then, for clarification, we
followed the same search query in
„Engineering Village‟ database.
c) Step3: Search operation:
The Search operation of finding relevant data for our search has been the basic task for our
research operation. We now focused on framing
the search strings, extracting results, stimulating
search results with the scope and refining the
search strings if relevant data is not found. The
below figure-4.2 demonstrates our search
operation.
Figure-4. 1: Search Operation As almost all the papers are published online, we
have selected Online Databases over the internet
and did not use any library or other external
sources for our data search. We developed a General Search Query baseline
for generating our search in such a way that by
inserting keywords into this formula may give
desired results for our Research Area. This idea is
originally developed from the idea behind search
interface present in the research database:
„Scopus‟. The Search Query we adopted in
“Scopus” -„Advanced search‟ interface is as below:
(TITLE-ABS-KEY("SEARCH STRING") AND
SRCTITLE("ACM")
OR SRC TITLE("MIS Quarterly")
OR SRCTITLE("IEEE")
OR SRCTITLE("Journal of Computer and System
Sciences") OR SRCTITLE("Information Systems
Journal")
OR SRCTITLE("DATABASE")
OR SRCTITLE("Decision Support Systems"))
AND PUBYEAR > 2004
The search strings framed are directly inserted into
this formula for results in our research area. A complete list of search strings along with the
Strings that even found no results are presented in
Appendix –B in order to make it clear.
All the keywords that extracted exciting results
- when applied to search strings framed under this
above search formula are presented below:
Keywords (scrutinized) Cloud Computing Security and privacy
Security model Confidentiality Framework
Privacy Policy(s) Grid Computing
Virtualization Security Architecture
… …
In the search operation made, we got 11 research
articles that are firmly relevant to our study. The
process of analyzing these articles is presented
below.
Data Analysis Method:
For data analysis, consistent tracking of search results is the ultimate task which dissolves the
barriers between knowledge gain and its
implementation. The Quality of the search results is
assessed with include/Exclude Criteria, as
described below:
d) Include Criteria:
Only Peer reviewed Articles
(available) from
Journals or Conference papers.
Articles should be written in English
language. The article has to be published during
or after the year 2005.
Articles that found relevance
with Cloud
Computing security models in their Abstracts.
All the other articles that do not meet the include
criteria are said to be excluded.
In order to validate our Research Methodology, we
have also cross-checked our SLR with two
other SLRs [17] & [18] in which one is a Thesis
paper [18].
V. RESEARCH OPERATION The Scope of this Research is to elaborate
the unconditional use of Confidentiality framework
that can peers all the service and Deployment
models present in the cloud. Hence, our major tasks
constitute the operations contributing with the minimal tasks of analyzing security issues,
generating a framework that architects all the
security solutions for the issues generated and soon.
Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and
Applications (IJERA) ISSN: 2248-9622 www.ijera.com
Vol. 3, Issue 2, March -April 2013, pp.035-052
40 | P a g e
To achieve our research objective, we started
with PRE-SLR for analyzing all the possible
security issues and then specifying them
to predictable general classifications
(such as Technical, organizational, legal issues) as
shown in the Section-III. As we can‟t detail each
and every Security issue in the framework and also
as we can't map all the issues directly into the
framework, we choose this way to generalize them. We believe that most part of the R.Q.1 can be
addressed to solutions 'by analyzing security issues
found in PRE-SLR' and rest of R.Q.1 is 'to analyze
how these security issues indulge into the
framework being generated'.
For solving this remaining part of R.Q.1, again
R.Q.1.1 is framed. Now, the research analysis
(from POST-SLR) has shown the path for
implementing a new framework. The Found
literatures that solved R.Q1.1 for the concept
of"finding Confidentiality requirements
that are classified to indulge with security operations in Cloud computing" are presented
below:
A. Literature Analysis:
In Engineering privacy [10], the authors generated
a three sphere models (User Sphere; Joint Sphere;
and Recipient Sphere;)that occur for user
privacy concerns. they relate all the Confidentiality
issues to these three spheres. We analyze these
models as operations that obscure privacy views.
They also generated some architectural mechanisms that can also partially generate
confidentiality in Cloud Computing
area. These mechanisms are as below:
Privacy-by-policy: Based on policy generation
which results in Fair Information Practices (FIP).
This FIP was contributed to
European Legislation privacy [10].
Privacy-by-architecture: Based on anonymizing
information which results in little or no personal
data detection by third parties [10].
Hybrid approach: Based on the combination
of above two approaches where policies collide with technical mechanisms (architecture), they
then enforce privacy enhancements [10].
These policy centric architectures have given a
start to our security framework idea being
generated.
In [4], the authors developed security
classification framework which sorted the
presence of our research idea for R.Q.1.1 towards
a solution. They classified the security issues for
Grid Computing environment also with
decentralized data control over its architecture. The Figure 5.1 presents their framework:
Figure-5. 1: Classifications of grid computing
Security [4]
As they focused on grid computing, the security issues resulted to solutions in their
framework will lead to grid environment's security
province but as they interlinked these security
issues to grid Deployment models (computational
grid; data grid; service grid;) and as the same
security issues (like intrusion detection) can be
found in Cloud deployment models, their
framework helped us in our Cloud
Computing-Confidentiality
framework initiation. Their classification
framework also presented the solutions to the issues area-wise (system solutions, Behavioral
solutions, Hybrid Solutions ;). In the same way we
focused our solutions to the Confidentiality issues
area-wise; they are named as: Technical solutions,
Organizational solutions, Legal solutions.
In 'Cloud Security Issues' article [2]; B. R.
Kandukuri et al. described several Service Level
Agreements (SLAs) for generating notion to
different levels of security. According to them
SLAs are documents that define relationship between two parties: the cloud Provider and the
Customer (recipient). Even they have immensely
guided us for our research as their concept of
indulging Security Risks in the SLA has given a
complete understanding of what needs to be done
in our frame work. The simple analysis of SLA and
its contents are like these:
Definition of services
Performance management
Problem management
Customer duties and responsibilities
Warranties and remedies We analyzed that these contents when applied into
action can generate answers for the partial
research
hypothesis presented above in the Background
Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and
Applications (IJERA) ISSN: 2248-9622 www.ijera.com
Vol. 3, Issue 2, March -April 2013, pp.035-052
41 | P a g e
Section. We took steps forward in that means of
approach.
To be consciously readying about
Encryption concepts in many literatures [5] [11]
saying that they have generated a mechanism
for confidentiality is not trust-worthy for us. They
have generated some encryption key-mechanisms,
encryption algorithms, Cryptography methods and soon which can be sorted like a solution for “data
privacy” alone but not to entire confidentiality
measures in security framework. We believe that
only a key generation concept might not itself
provide confidentiality to the user. We can support
this analysis, as said by S. Spiekermann et al
[10], the user is out of the boundaries of the
organizational sphere where these keys get
generated, and so, even though the key is set
private to the users themselves, we can‟t find any
proof to say that these consistent key encryption
mechanisms alone can stabilize confidentiality requirement in Cloud
environment.
A new concept said to be RAIN (Redundant Array
of Independent Net-storages) [9] has been
analyzed from the literature. According to the
authors of this article [9], they used a divide and
conquer method for the data passing through the
clouds. They have also presented their
background work of deploying 5 Cloud service
models. They are as shown below: Separation model: separates data
storage from data processing [9].
Availability model: separates stored
data from data providers during the time of
processing [9].
Migration model: describes the data
migration from one storage provider to another
other storage provider [9].
Tunnel model: describes data tunneling
service between data processing service and data
storage service [9].
Cryptography model: describes data encryption that is also not intelligible even to the
storage provider [9].
Their procedural implementation gave us an idea
for the framework that implements process
activities one- onto-one presenting itself as security
control-flow architecture.
In another paper named „understanding Cloud
Vulnerabilities‟ [1], the authors have generated a
framework mitigating the Risk factors into two
kinds, “loss event frequency” and “probable loss magnitude”, all the rest are classified into those
two risk factors. This can be seen as of a
relevance to our security issues generalization
concept; for mapping them into the framework that
can give solutions to any kind of issues that occur
in the open risk taxonomy [1].
As we are about to conclude our literature review
analysis, even though we are unable to completely
find a security framework or security model or
architecture, we felt that we are satisfied with the
solutions that are obtained to R.Q.1. & R.Q.1.1.
This Review has shown the relevant security
threats or risks or issues that are interlinked with the security models; but for complete solution of
R.Q.1 & R.Q.1.1, we also considered a few
NIST drafts that enabled the Risk analysis process
or frameworks consistent with cloud environment.
The below are the knowledge gained concepts
from different drafts of NIST.
In NIST Draft SP800-30 [12], Risk Assessment
Methodology Flowchart is presented where we
have successively understood each and every
concept beneath the Risk taxonomy and its control
flow. The seven steps that determine this sequential flow are as follows [12]:
Step1: System Characterization
Step2: Threat Identification
Step3: Vulnerability Identification
Step4: Control Analysis
Step5: Likelihood Determination
Step6: Impact Analysis
Step7: Risk Determination
Step8: Control recommendations
Step9: Results Documentation
With elaboration, NIST Draft SP800-37 [13] has further presented a Risk Management Framework
which became the key to our Research for
confidentiality on
cloud. This framework is as shown in Figure-5.2
below.
Figure-5. 2: Risk Assessment Framework (NIST
SP80037) [13] In NIST draft SP800-125 [14], the architecture of
Virtualization technologies is enabled with
hypervisors that have played a major role for
providing security to the Cloud Computing
environment. The security controls when operated
in the hypervisors (virtual machine managers for
Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and
Applications (IJERA) ISSN: 2248-9622 www.ijera.com
Vol. 3, Issue 2, March -April 2013, pp.035-052
42 | P a g e
monitoring multiple hosts) that are placed just before the cloud offering applications can implement controlled security operations for this environment.
Even though deployment models exist, a general
scope and control flow of the service models in
cloud computing with the views of both consumer
and cloud provider are presented in Draft SP800-
144 [16]. This Scope in terms of control flow is
thus also implemented by us where the cloud
provider‟s view and the customer‟s view on the framework being generated are extracted to
act.
Hence, R.Q.1 is completely fulfilled with
knowledge base of security issues as shown above
with relevance to security models that are deployed
to eradicate trouble caused by these issues.
VI. DATA ANALYSIS AND
INTERPRETATION
Even though there are many other security models
or frameworks, we presented only the important
articles. As the knowledge for relevant data models
got its place for our idea creation from among
these articles, hence, we concluded the literature
review for analysis. Here in this section, we
present a Data Framework activity by analyzing all
the above frameworks, models and other security
concepts that are found in the above literature. The
framework that satisfies our R.Q.2 is contributed to
effect from the FIGURE-6.1 below:
This Framework is done in such a way that cloud
providers and their customers have a generalized
view on the security operations in their cloud. The
framework
has also shown the difference between the operations
that are carried for stepwise flow. We used
orange, blue green and red colors for
differentiating and clubbing several operations
carried in the cloud. All the orange boxes denote
the general tasks by the cloud provider or their
customers. All the blue boxes denote the original
security operational flow in the framework. Green
and red denote the organizational and technical
issues/tasks respectively. The description of this
tasks and operations will refer back to the POST-
SLR review made in Section- V. If anything is unclear, all the rest including Security concepts
and other keywords used in the below framework
are clearly elaborated in Appendix-D.
Figure 6. 1: Confidentiality Framework for Cloud Computing (our research solution)
VII. DISCUSSIONS A. Contributions & limitations :
The framework has deployed a risk
management activity for security provisioning in
cloud environment. We are sure that results
generated by us are completely involved with all
the levels of security issues and their solutions in
all kinds of users‟ views; and hence, will provide a
constant baseline for drawing security architecture
in any Cloud based company that indeed can satisfy the cloud customers. Even though just an
SLR can't deal with the entire problem area and
also as there is no proof that our research analysis
can work in the real time industry, we had no
other choice as time is our major constraint rather
than just implementing a Framework only based
on SLR. This framework is limited to the general
activities without concise on any further
clarifications on the inside elements such as
Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and
Applications (IJERA) ISSN: 2248-9622 www.ijera.com
Vol. 3, Issue 2, March -April 2013, pp.035-052
43 | P a g e
cryptography and soon.
B. General proceedings(future work):
As of now this model needs to be scrutinized.
This model needs to be briefly elaborated
deriving each and every activity in the framework
analytically with real-time proofs. If we get a
chance in thesis, then we are sure that we can get a
clear scrutinized security model along with the suggestions made by the professors and real time
industry people with the surveys and experiments
conducted.
VIII. CONCLUSION Confidentiality for Cloud Computing
deals with the emerging cloud architectures that
evolve with time. This continuous evolution
process might necessitate to with stand a baseline framework activity. We enabled a framework
activity with reference to general security models
and patterns. We expect this framework to be a
consistent approach to trigger any kind of security
mechanism in Cloud Computing. As the views on
this model are focused to analysis with both Cloud
provider and the customer, we hope that
organizations can be at ease to implement their
operations directly on to this framework without
further discussions.
REFERENCES [1]. B. Grobauer, T. Walloschek, and E.
Stocker, “Understanding Cloud
Computing Vulnerabilities,” IEEE
Security & Privacy Magazine, vol. 9, no.
2, pp. 50–57, Mar. 2011.
[2]. B. R. Kandukuri, R. Paturi. V., and
A. Rakshit, “Cloud Security Issues,”
2009, pp. 517–520.
[3]. C. Chapman, W. Emmerich, F. G. Márquez, S. Clayman, and A. Galis,
“Software architecture definition for on-
demand cloud provisioning,” Cluster
Computing, vol. 15, no. 2, pp. 79–100,
Feb. 2011.
[4]. E. Cody, R. Sharman, R. H. Rao, and
S. Upadhyaya, “Security in grid
computing: A review and synthesis,”
Decision Support Systems, vol. 44, no. 4,
pp. 749–764, Mar. 2008.
[5]. G. Zhao, C. Rong, J. Li, F. Zhang, and
Y. Tang, “Trusted Data Sharing over Untrusted Cloud Storage Providers,”
2010, pp. 97–103.
[6]. K. Riemer and N. Vehring, “Virtual or
vague? a literature review exposing
conceptual differences in defining
virtual organizations in IS research,”
Electronic Markets, May 2012.
[7]. K. 'Shade O, I. Frank and A. Oludele,
“Cloud Computing Security Issues and
Challenges,” Journal of Network and
Computer Applications, vol. 3, no. 5,
pp. 247-255, Dec. 2011.
[8]. M. Armbrust, I. Stoica, M. Zaharia, A.
Fox, R. Griffith, A. D. Joseph, R. Katz,
A. Konwinski, G. Lee, D. Patterson, and
A. Rabkin, “A view of cloud
computing,” Communications of the
ACM, vol. 53, no. 4, p. 50, Apr. 2010. [9]. M. G. Jaatun, G. Zhao, and S. Alapnes,
“A Cryptographic Protocol for
Communication in a Redundant Array
of Independent Net-storages,” 2011, pp.
172–179.
[10]. S. Spiekermann and L. F. Cranor,
“Engineering Privacy,” IEEE
Transactions on Software Engineering,
vol. 35, no. 1, pp. 67–82, Jan. 2009.
[11]. S. Yu, C. Wang, K. Ren, and W. Lou,
“Achieving Secure, Scalable, and Fine-
grained Data Access Control in Cloud Computing,” 2010, pp. 1–9.
NIST Special Publication (SP) Drafts:
[Online](Available:
http://csrc.nist.gov/publications/PubsDraft
s.html)
[12]. S. Gary, G. Alice, and F. Alexis, “SP:
Risk Management Guide for
Information Technology Systems,”
National Institute of Standards and
Technology (NIST), CSRC-SP800-30, July. 2002.
[13]. “SP: Guide for Applying the Risk
Management Framework to Federal
Information Systems,” National
Institute of Standards and Technology
(NIST), CSRC-SP 800-37(Rev-1), Feb.
2010.
[14]. S. Karen, S. Murugiah and H. Paul, “SP:
Guide to Security for Full Virtualization
Technologies,” National Institute of
Standards and Technology (NIST),
CSRC-SP 800-125, Jan. 2011. [15]. M. Peter and G. Timothy, “NIST
Definition of Cloud Computing,”
National Institute of standards and
Technology (NIST), CSRC-SP 800-145,
Sept. 2011.
[16]. J. Wayne and G. Timothy, “SP:
Guidelines on Security and Privacy in
Public Cloud Computing,” National
Institute of Standards and Technology
(NIST), CSRC-SP 800-144, Dec. 2011.
SLR model review references:
[17]. S. Jalali and C. Wohlin, „Agile practices
in global software engineering - a
systematic map‟, in 2010 Fifth IEEE
International Conference Global
Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and
Applications (IJERA) ISSN: 2248-9622 www.ijera.com
Vol. 3, Issue 2, March -April 2013, pp.035-052
44 | P a g e
Software Engineering (ICGSE 2010),
23-26 Aug. 2010, Los Alamitos, CA,
USA, 2010, pp. 45–54.
[18]. Guido Kok, “Cloud computing &
confidentiality,” M.S. thesis, Dept.
Comp. Sci. Eng., University of
Twente., Enschede-Noord, Nederland,
May.24.2010.[Online] (Available:
http://purl.utwente.nl/essays/61039)
APPENDIX A
A. Differentiating Our Previous works from
this research operation performed now.
A Review methodology of this type (SLR)
has already been conducted in our previous
assignment (asst-1). The results of that PRE-SLR
obtained, have been utilized in background
Section-III. As shown in below Figure-A, we name
this SLR (made in the research operation) as
'POST-SLR' in order to differentiate from the SLR
that is done before our proposal (assignment-1) (For clarity, we name this previous SLR as 'PRE-
SLR').
Figure A: Figure-4. 2: Differentiating our work from the past.
APPENDIX B – SEARCH OPERATION
The Journal Publication ranking with relevance to
“CLOUD COMPUTING” is roughly analysed for
search in every Top ranked public ation with basic keywords as „Cloud Computing' AND
'Confidentiality'. The main motive behind this
search is to analyse all the top ranked
publications that publish topics in concern to
Cloud computing. We found only 7 top
Publications that gave unique results with the rest
left behind with the same search result (as that of the previous publications‟ search) or no search
result at all. The Table-A shows top ranked
journal publications list and cloud findings in them.
Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and
Applications (IJERA) ISSN: 2248-9622 www.ijera.com
Vol. 3, Issue 2, March -April 2013, pp.035-052
45 | P a g e
Serial TOP JOURNALS (AIS-MIS Journal Ranking Sequence) Resulted Search Articles
Research Area relevance
Search operated through:
1. MIS Quarterly Management Information Systems (MISQ) 2681 EBSCOhost 2. Information Systems Research (ISR) 2681 EBSCOhost 3. Communications of the ACM (CACM) 168 ACM Dl library 4. Management Science (MS) 2681 EBSCOhost 5. Journal of Management Information Systems (JMIS) 2681 EBSCOhost 6. Artificial Intelligence (AI) 3(X) ScienceDirect 7. Data Sciences (DSI) -NA- --- 8. Harvard Business Review (HBR) 2681 EBSCOhost 9. IEEE Transactions (various) 7 IEEE Explore 10. AI Magazine 2(X) AI Magazine 11. European Journal of Information Systems (EJIS) -NA- --- 12. Decision Support Systems (DSS) 17 ScienceDirect 13. IEEE Software (IEEESw) 7 IEEE Explore 14. Information and Management (I&M) -NA- --- 15. ACM Transactions on Database Systems (ACMTDS) 168 ACM Dl library 16. IEEE Transactions on Software Engineering (IEEETSE) 7 IEEE Explore 17. ACM Transactions (ACMTrans) 168 ACM Dl library 18. Journal of Computer and System Sciences (JCSS) 10 ScienceDirect 19. Sloan Management review (SMR) 2681 EBSCOhost 20. Communications of AIS (CAIS) 168 ACM Dl library
21. IEEE Transactions on Systems, Man & Cybernetics
(IEEETSMC)
7
IEEE Explore
22. ACM Computing Surveys (ACMCS) 168 ACM Dl library 23. Journal on Computing (JCOMP) 168 ACM Dl library 24. Academy of Management Journal 2681 EBSCOhost 25. International Journal of Electronic Commerce 2681 EBSCOhost 26. Journal of the AIS -NA- --- 27. IEEE Transactions on Computers (IEEETC) 7 IEEE Explore 28. Information Systems Frontiers (ISF) -NA- --- 29. Journal of Management Systems 2681 EBSCOhost 30. Organisation Science (OS) -NA- --- 31. IEEE Computer (IEEEComp) 7 IEEE Explore
32. Information Systems Journal (ISJ) 135 WILEY online Library
33. Administrative Science Quarterly 129(X) SAGE Journals 34. Journal of Global Information Management (JGIM) -NA- ---
35. The Database for Advances of Information Systems (DATABASE)
1066
EBSCOhost
36. Journal of Database Management (JDM) 2681 EBSCOhost 37. Information Systems (IS) 11 ScienceDirect … … … …
Table A: Top ranked journal publication selection from AIS-Journal ranking5 with relevance to cloud
computing.
Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and
Applications (IJERA) ISSN: 2248-9622 www.ijera.com
Vol. 3, Issue 2, March -April 2013, pp.035-052
46 | P a g e
NOTE: The top ranked Cloud computing
publications are marked with three colours: Green,
Yellow and Red. The Green colour shows unique
search result at the start before finding the same
result in other publications. The Yellow represents
the Publications which carry Cloud papers but
show same result (-repeat-) as that of previous
publications and hence neglected. The Red shows that the publications are unavailable (-NA-) or no
results found with relevance to Cloud computing
topic. The (X) mark besides the search result
denotes the papers found irrelevant to the cloud
computing research area technically.
After finding these top 7 journals, the search string
formula is generated (in section IV) for finding the
papers relevant to our research area in Cloud
computing. We analyzed that most of the Journals
from IEEE and ACM publications defer in name
but gave same results. So we sorted them just to be
“IEEE” and “ACM” in our search formula
generated. The idea behind this is to grab as much
as many resu lts from all the publications of IEEE, ACM and all the rest of the 7 unique journals.
The below table-B presents the search strings
framed that are applied into that search formula
generated in the report.
Table B: Search strings framed and (number of) results obtained.
Iteration
Search String
[IN (Title, Abstract, Keywords)]
Search
Results
Relevant
and
available
Very well
guided
1 “Cloud Computing” AND “Confidentiality” AND
(“framework” OR “model” OR “architecture”)
23 12 2
2 “Cloud Computing” AND “Security” AND (“model” OR
“Framework” OR “Architecture”)
266 8 2
3 “Cloud Computing” AND “Privacy policy*” 29 -Repeat- 0 4 “Cloud Computing” AND “Risk management” 15 -Repeat- 0 5 “Cloud Computing” AND “Security requirement*” 89 3 1 6 “Cloud Computing” AND “Security management” 153 -Repeat- 0 7 “Grid Computing” AND “Security” AND (“model” OR
“framework” OR “Architecture”)
225 1 1
8 “Virtualization” AND “Security” AND (“model” OR “Framework” OR “Architecture”)
146 2 0
… … … … … … … … … …
We started with the initial search string-Iteration1
to get initial idea on the search results. All the
rest of the iterations follow the search made in
order to find the results for “cloud computing and confidentiality frameworks”. Inclusion of
synonyms and similar wo rds occurred for refining
the searches strings framed. Singular and plurals
were included in the search and hence „*‟ was
included in the search strings above to represent
the same. As we involved synonyms, we included
OR operator in the search strings framed.
When the above framed 8 search strings are
inserted into the search formula we got 26 relevant
and available articles. Even though, these
26 articles are found only through analysis on Title relevance and (then if needed) abstract readings,
we further made a thorough review on these papers
and found that only 11 support our Research area
firmly. We made use of these 11 articles in our
research operation and also refereed them to final
Confidentiality framework design in cloud
computing (our analyzed research solution). Also,
among these 11 finally
extracted papers, we found that 6 papers guided us
very well for our research conclusion. All these 11 articles are listed as references in the research
report. All the rest excluding these 11 articles
also helped us in gaining some additional
knowledge and hence presented in Appendix-E.
APPENDIX C –SECUIRTY ISSUES
GENERALISATION (FROM PRE-SLR)
The security issues that relate to confidentiality
are presented here with analysis from our
previous studies (PRE -SLR, Assignment-1). As said in the research report, these issues are focused
to generalize them into 3 main categories such as
Technical, Organizational, Legal issues; as shown
in the Table –A below.
Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and
Applications (IJERA) ISSN: 2248-9622 www.ijera.com
Vol. 3, Issue 2, March -April 2013, pp.035-052
47 | P a g e
Table C: Security issues found in PRE-SLR and our view of generalizing them to 3 main issues
Security Issues Issues found from PRE-SLR (references)
Issues can Relate to Confidentiality as :-
Abuse and Nefarious Use of Cloud Computing [R7], [R12] Technical issue Account, Service and Traffic Hijacking [R7], [R12] Technical issue Authentication and authorization [R17] Technical issue Cost and Limited availability of technical personals [R1] Organizational issue Customer Isolation and Information Flow. [R 15] Technical issue Cloud Integrity and Binding Issues [R10] Organizational issue Cloud Security vulnerabilities and Security Attacks [R2], [R10] Technical issue Cloud Governance [R16], [R18] Legal Issue Data access and Control [R17] Technical issue Data back-up and recovery [R2], [R14], [R20] Technical issue Data breaches (controlling XML signatures and soon) [R17] Technical issue Data location [R14] Organizational issue Data protection (Loss/Leakage) [R7], [R12], [R21] Technical issue Data provisioning (Audits, etc) [R2], [R10], [R15] Technical issue Data segregation [R17] Technical issue Ensuring user rights (End user Trust) [R18], [R21] Legal issue Federation and Secure Composition [R15] Legal issue Identity/Key management (Encryptions) [R20] Technical issue Insecure Application Programming Interfaces (web application security)
[R7], [R12] Technical issue
Integrity for user's dynamic changes [R21] Organizational issue Investigative support (data forensics and soon) [R2], [R16] Technical issue legal, policy based and commercial problems [R18] Legal issue Long-term viability (End user trust) [R2], [R16] Organizational issue Malicious Insiders [R7], [R12], [R15] Organizational issue Multi-Compliance Clouds [R15] Technical issue Network security [R17], [R21] Technical issue Non-Repudiation [R16] Organizational Issue Privileged user access [R14] Organizational issue Regulatory Compliance [R16] Legal issue Reliability [R8], [R20] Organizational issue Risk/Threat Management [R2] Technical issue Security assurance to cloud users [R10] Organizational issue Security Integration & Transparency. [R15] Technical issue Shared Technology Vulnerabilities [R7], [R12] Technical issue undefined cloud boundaries [R21] Legal issue Unknown Risk Profile (lack of transparency) [R12] Organizational issue Virtualization vulnerability [R2], [R17] Technical issue
NOTE: The references “[R]” refer to the PRE-SLR
references. These references are presented in Appendix-E.
All the security issues presented above
that are generalized into these 3 issues are only
through our understandings upon them. As we
cannot elaborate our analysis on each and every
issue in this RM research report, the referenced
papers besides the issue (in the above table) can
show what exactly each and every issue is. Along
with these issues in our hand, in the same way, the
further issues that evolve with time or any other
issues that are not sighted by us can also be set into on e of these 3 issues in the future.
APPENDIX D –KEYWORDS USED (IN THE
RESEARCH REPORT)
Cloud Computing & confidentiality (As it is): Cloud computing (NIST definition)
“Cloud computing is a model for enabling
ubiquitous, convenient, on-demand network access
to a shared pool of configurable computing
resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly
provisioned and released with minimal
management effort or service provider interaction.
This cloud model is composed of five essential
characteristics, three service models, and four
deployment models.” [15]
Confidentiality (NIST definition-FIPS PUB 199)
[S15]
“Preserving authorized restrictions on information
Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and
Applications (IJERA) ISSN: 2248-9622 www.ijera.com
Vol. 3, Issue 2, March -April 2013, pp.035-052
48 | P a g e
access and disclosure, including means for
protecting personal privacy and proprietary
information.”
Integrity (NIST definition-FIPS PUB 199) [S15]
“Guarding against improper information
modification or destruction, and includes ensuring
information non-repudiation and authenticity.”
Availability (NIST definition-FIPS PUB 199) [S15]
“Ensuring timely and reliable access to and use
information.”
Cloud service models
Software as a service (SaaS) [15]
The SaaS service model is defined to services that
render software applications to the cloud
customers. Here, if needed, the Cloud provider can
also operate these applications instead of customers
like application management (updates), storage
backups, infrastructure and soon.
Platform as a service (PaaS) [15]
The PaaS service model is derived to offer
interfaces such as operational platforms to the
cloud customer. These platforms ar e helpful to the
customer in order to build some new applications
that are supported on cloud based technologies.
Here, the operations such as network management,
storage, and operating systems are managed by the
cloud provider itself and hence the customer can be
relieved to work only for their application development but not in other matters of cloud
maintenance.
Infrastructure as a service (IaaS) [15]
The IaaS service model is derived from the concept
for reducing costs to the customer. IaaS is
structured to provide the capabilities of cloud
provisioning, storage management and other
fundamental needs to the customer for making
them to use cloud technologies. Here, the customer
is application or file management is indirectly
controlled by the cloud provider.
Grid Deployment models
Computational grid [4]
The concept of separating resources for setting
them aside in order to automate the computational
works that can reduce compu tational power and
man-power is said to be Computational grid.
Data grid [4]
The information and data are stored or retrieved to
analysis from this data grid. This data grid is modeled in such a way that large volumes of data
are accessed from single Cloud data centre at a time
by several users (or companies or organizations).
Service grid [4]
The grid that offers services to its clients is said
to be Service grid. This grid is designed with
mechanisms of provisioning customer
requirements and offering services they require.
Cloud deployment models
Private Cloud [15]
the services offered are monitored by the
organization itself where its services are not shared to be monitored by outsiders for any other
purposes, i.e., the physical infrastructure (cloud)
may or may not be owned by the organization and
might be on-premise or off-premise but will
contain a designated service provider (employees
or entities) for its cloud computations.
Public cloud [15]
The cloud is provisioned to use by any source that
is in need, this source can be an individual, an
organization, or some other entity. This cloud is
generally maintained by ordinary cloud provider and mechanisms where low-level security is
provided for usage.
Hybrid cloud [15]
It is a combination of public or private or any
other deployment cloud (such as community
clouds) that is designed into single cloud
architecture. The user may vary according to the
organizational needs and hence the security may
also vary with it.
Cloud key characteristics
On-demand resource sharing [15]
The provisioning of services offered can leverage
a concept of 'On-demand resource sharing'. This
is automated process that enables the control
mechanism of reducing human efforts for enabling
services to the right users.
Resource Pooling [15]
As delivered to our research report above from
NIST, Resource pooling technology in Cloud Computing Paradigm renders the ability to store
and dynamically allocate space to the resources to
occur for storage periodically.
Rapid elasticity [15]
The rapid elasticity is derived as: provisioning
services with capabilities to automatically scale the
exact user-demand. The resource is set to use for
the demand and this service is reverted back when
the customer is not in need of that resource.
Wide network access [15]
The ability to control or mange large area
networks is delivered to output by this wide
network access. With this characteristic we can be
access data or information or service even through
Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and
Applications (IJERA) ISSN: 2248-9622 www.ijera.com
Vol. 3, Issue 2, March -April 2013, pp.035-052
49 | P a g e
mobile devices.
Cloud Spheres models
User Sphere: [10]
The user sphere is a technical domain name which
seems to be encompassing a user's device. This
sphere has to enable a full access control to the
users who own it. The data is set to privacy and is
accessible to entities present in external boundaries only with th e data owner's
permissions. Additionally, user sphere models
are trumped with respect to owner's physical
privacy and hence, will wait for their
interruption to change their access setting when
needed.
Recipient Sphere: [10]
In the same way as that of user sphere above, the
recipient sphere is a company centric sphere where
the organization is responsible for its complete
access controls. As the control is within the organization itself, the risk is low when
compared to user sphere and so can potentially
minimizes the risk of privacy breaches.
Joint Sphere [10]
The joint sphere is also a technical domain term of
cloud spheres where this sphere can derive the
complete cloud to its privacy by setting the
controls completely within the organization and
also involving its customers with some limitations
to access them. we analyzed that this kind of model is not impossible to see in the real world, as we
can see social networking sites where the users has
given free of charge for using data storage, email
services and many other features but the users
should indirectly need to know that the full
control of these services is withheld with the
company (social networking site) itself but not
with the user. Hence the privacy control is derived
with the complete understandings of the
organizations and its customers involved in joint
sphere.
Classification of types of Solutions for issues found
in grid computing
System solutions [4]
The system based solutions approach is a concept
where the technical issues are to be analyzed for
solutions and rectifications. Issues such as
accessing grid information, auditing grid functions
and soon are set to solutions here. We named
them to be technical solutions in our research
report for our confidentiality framework
Behavioural solutions [4]
The Behavioral solutions denotes the category
where solutions for issues like Immediate job
execution, advanced scheduling, job control are
sorted out for answers. We named them as
Organizational solutions in our research report for
our confidentiality framework.
Hybrid solutions [4]
These solutions denote the category that
combines all kinds of issues for sorting them
to gain hybrid solutions. Here, trust is the
fundamental for solving any kind of issue. We
did not use this kind of solutions in our framework but instead as trust occurs better with policies and
laws, we involved legal issues in our research
framework.
Some other keywords from literature
RAIN (Redundant Array of Independent Net-
storages) [9]
All the deployment models are split to several
independent (non-colluding) storage providers
that pretend to be Redundant Array of
Independent Net-storages (RAIN). In authors view
a single chunk of data doesn't comprise Confidentiality and hence they derive that the data
should be stored using one or several cloud storage
providers.
Open risk taxonomy [1]
Open risk taxonomy is nothing but generalizing
the issues (factors contributing) into much similar
generalized issue categories. In this paper [1], the
risk focus is divided mainly into two types „loss
event frequency‟, „probable loss magnitude‟ with
all the rest of the factors that occur for risk must be falling into one of these categories.
Hypervisors [14]
Cloud Computing evaluates a Concept of
„provisioning services in a timely (near on
instant), on-demand manner, to allow the scaling
up and down of resources‟. This approach of
making computing a utility in cloud environment
provides an Opportunity to dynamically scale the
computing resource that are shared among
customers using virtualization technology. Allocating / de-allocating these resources
efficiently, is an open challenge that is solved by
Hypervisors. They allocation and de-allocation
mechanisms are automated through these
hypervisors. In addition, we have analyzed that at
present: VMware, XEN systems (using XEN
hypervisors), Kernel-based Virtual Machine
(KVM); implementing their services pretend to be
Hypervisors in the real-time cloud computing
world.
Keywords that occurred in our Confidentiality
Framework
(Clear and extra explanation of each and every
word used in our Framework)
Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and
Applications (IJERA) ISSN: 2248-9622 www.ijera.com
Vol. 3, Issue 2, March -April 2013, pp.035-052
50 | P a g e
Cloud system analysis and design
The system analysis and design is the initial step
where we choose the Cloud deployment model
[15] and designing the tasks that work upon that
model that is chosen.
Cloud security requirements
The general security requirements like key
encryptions [5] [11], data storage privacy [8], and many other fundamental requirements should be
analyzed before implementing every cloud model.
This helps in reducing the risk of cloud failure in
security matters. This general loo k- up what of
security requirements needed will somewhat
increase the confidentiality in the cloud customers.
Data Location Dimension
Cloud confidentiality fails due to lack of cloud
transparency to the customers. Customers are
reluctant to transform their businesses on to cloud
as they can‟t see where their data is located and hence, data location dimension distinguishes the
data location in data owner's perspective rather
than data provider's perspective [10].
System security control structure
The original security model that is designed to
operations for cloud security requirements found
earlier is developed here in security control
structure. All the security issues are analyzed here
and further classified into 3 major chunks
(technical, organizational, legal) and are sent to be solved by those different departments that are
responsible for solving them [4].
Access controls
The Cloud sphere models [10] such as recipient
sphere, user sphere, hybrid sphere occur in access
control criteria and will work as the same by
transforming their responsibilities and concepts in
access controls functions. These access controls
even though arose from that sphere concept, the
main duty is to preserve confidentiality for the
data that is being processed in-and-out of the cloud. As soon as we set the access control to one
of these sphere, the cloud will adhere the
responsibilities of those sphere that is set and will
work for the same.
General security limitations
The general security limitations occur from the
concept of data provisioning and security controls
that are limited to them in NIST draft SP800-125
[14] and NIST Draft SP800-30 [12] respectively.
The general security limitations such as enabling encryption techniques; implementation of virtual
private networks; implementation of security
settings that suit the service level agreements [2]
(that render to organizational standards);
generating security assurance criteria and soon
come under general security limitations concept.
Cloud offerings
The cloud offering is the final step where we
choose the Cloud service model [15] and designing
the tasks that work upon that model that is chosen.
APPENDIX E –INCLUDED STUDIES
POST-SLR EXTRA HELPFUL REFERENCES6
([S])
[S1]. C. Alcaraz, I. Agudo, D. Nunez, and
J. Lopez, “Managing Incidents in
Smart Grids a` la Cloud,” in 2011
IEEE Third International Conference on
Cloud Computing Technology and Science
(CloudCom), 2011, pp. 527 –531.
[S2]. C. I. Dalton, D. Plaquin, W. Weidner, D.
Kuhlmann, B. Balacheff, and R. Brown,
“Trusted virtual platforms,” ACM SIGOPS Operating Systems Review, vol.
43, no. 1, p. 36, Jan. 2009.
[S3]. D. W. Chadwick and K. Fatema, “A
privacy preserving authorisation system
for the cloud,” Journal of Computer and
System Sciences, vol. 78, no. 5, pp. 1359–
1373, Sep. 2012.
[S4]. H. Takabi, J. B. D. Joshi, and G.-J. Ahn,
“Security and Privacy Challenges in
Cloud Computing Environments,” IEEE
Security & Privacy Magazine, vol. 8, no. 6, pp. 24–31, Nov. 2010.
[S5]. J. Li, B. Stephenson, H. R. Motahari-
Nezhad, and S. Singhal, “GEODAC: A
Data Assurance Policy Specification
and Enforcement Framework for
Outsourced Services,” IEEE Transactions
on Services Computing, vol. 4, no. 4, pp.
340–354, Oct. 2011.
[S6]. J. Hao and W. Cai, “Trusted Block as a
Service: Towards Sensitive Applications
on the Cloud,” in 2011 IEEE 10th
International Conference on Trust, Security and Privacy in Computing and
Communications (TrustCom), 2011, pp.
73 –82.
[S7]. L. M. Kaufman, “Data Security in the
World of Cloud Computing,” IEEE
Security & Privacy Magazine, vol. 7, no.
4, pp. 61–64, Jul. 2009.
[S8]. P. Angin, B. Bhargava, R. Ranchal, N.
Singh, M. Linderman, L. Ben Othmane,
and L. Lilien, “An Entity-Centric
Approach for Privacy and Identity Management in Cloud Computing,” in
2010 29th IEEE Symposium on Reliable
Distributed Systems, 2010, pp. 177 –183.
[S9]. R. Padilha and F. Pedone, “Belisarius:
BFT Storage with Confidentiality,” in
2011 10th IEEE International
Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and
Applications (IJERA) ISSN: 2248-9622 www.ijera.com
Vol. 3, Issue 2, March -April 2013, pp.035-052
51 | P a g e
Symposium on Network Computing and
Applications (NCA), 2011, pp. 9 –16.
[S10]. R. K. L. Ko, P. Jagadpramana, M.
Mowbray, S. Pearson, M. Kirchberg, Q.
Liang, and B. S. Lee, “TrustCloud: A
Framework for Accountability and Trust
in Cloud Computing,” in 2011 IEEE
World Congress on Services (SERVICES),
2011, pp. 584 –588. [S11]. R. Seiger, S. Gross, and A. Schill,
“SecCSIE: A Secure Cloud Storage
Integrator for Enterprises,” in 2011 IEEE
13th Conference on Commerce and
Enterprise Computing (CEC), 2011, pp.
252 –255.
[S12]. S. Pearson and A. Benameur, “Privacy,
Security and Trust Issues Arising from
Cloud Computing,” in 2010 IEEE
Second International Conference on
Cloud Computing Technology and Science
(CloudCom), 2010, pp. 693 –702. [S13]. U. Greveler, B. Justus, and D. Loehr, “A
Privacy Preserving System for Cloud
Computing,” in 2011 IEEE 11th
International Conference on Computer
and Information Technology (CIT), 2011,
pp. 648 –653.
[S14]. X. Zhang, N. Wuwong, H. Li, and X.
Zhang, "Information security risk
management framework for the cloud
computing environments", Proceedings -
10th IEEE International Conference on Computer and Information Technology,
CIT-2010, 7th IEEE International
Conference on Embedded Software and
Systems, ICESS-2010, ScalCom-2010, pp.
1328.
[S15]. "Standards for Security Categorization of
Federal Information and Information
Systems," National Institute of Standards
and Technology (NIST), FIPS Pub. 199,
Feb. 2004.
We found 26 relevant and available papers in
which only 11 supported our study relating Confidentiality framework. Here, some extra
references (excluding those 11references that are
presented in the research report). Those that did
not support for our Framework in any kind but
helped us in gaining some extra knowledge are
presented here.
PRE-SLR (ASSIGNMENT-1 SLR) -
REFERENCES ([R])
[R1]. D. Carrell, “A Strategy for Deploying
Secure Cloud-Based Natural Language Processing Systems for Applied Research
Involving Clinical Text,” in 2011 44th
Hawaii International Conference on
System Sciences (HICSS 2011), 4-7 Jan.
2011, Los Alamitos, CA, USA, 2011, pp.
11.
[R2]. F. B. Shaikh and S. Haider, “Security
threats in cloud computing,” in 2011 6th
International Conference for Internet
Technology and Secured Transactions
(ICITST), 11-14 Dec. 2011, Piscataway,
NJ, USA, 2011, p. 214–19.
[R3]. Hao Sun and K. Aida, “A Hybrid and Secure Mechanism to Execute Parameter
Survey Applications on Local and Public
Cloud Resources,” in 2010 IEEE 2nd
International Conference on Cloud
Computing Technology and Science
(CloudCom 2010), 30 Nov.-3 Dec. 2010,
Los Alamitos, CA, USA, 2010, p. 118–26.
[R4]. Jen-Sheng Wang, Che-Hung Liu, and G.
T. R. Lin, “How to manage information
security in cloud computing,” in 2011
IEEE International Conference on
Systems, Man and Cybernetics, 9-12 Oct. 2011, Piscataway, NJ, USA, 2011, p.
1405–10.
[R5]. J. C. Roberts II and W. Al-Hamdani,
“Who can you trust in the cloud? A review
of security issues within cloud
computing,” in 2011 Information Security
Curriculum Development Conference,
InfoSecCD’11, September 30, 2011 -
October 1, 2011, Kennesaw, GA, United
states, 2011, pp. 15–19.
[R6]. K. Dahbur, B. Mohammad, and A. B. Tarakji, “A survey of risks, threats and
vulnerabilities in cloud computing,” in
2nd International Conference on
Intelligent Semantic Web-Services and
Applications, ISWSA 2011, April 18, 2011
- April 20, 2011, Amman, Jordan, 2011, p.
The Isra University.
[R7]. L. M. Vaquero, L. Rodero-Merino, and D.
Moran, “Locking the sky: a survey on
IaaS cloud security,” Computing, vol. 91,
no. 1, pp. 93–118, Jan. 2011.
[R8]. L. Sumter, “Cloud computing: Security risk,” in 48th Annual Southeast Regional
Conference, ACM SE’10, April 15, 2010 –
April 17, 2010, Oxford, MS, United states,
2010.
[R9]. Minqi Zhou, Rong Zhang, Wei Xie,
Weining Qian, and Aoying Zhou,
“Security and Privacy in Cloud
Computing: A Survey,” in 2010 Sixth
International Conference on Semantics
Knowledge and Grid (SKG 2010), 1-3
Nov. 2010, Los Alamitos, CA, USA, 2010, p. 105–12.
[R10]. M. Jensen, J. Schwenk, N. Gruschka, and
L. L. Iacono, “On technical security issues
in cloud computing,” in 2009 IEEE
International Conference on Cloud
Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and
Applications (IJERA) ISSN: 2248-9622 www.ijera.com
Vol. 3, Issue 2, March -April 2013, pp.035-052
52 | P a g e
Computing (CLOUD), 21-25 Sept. 2009,
Piscataway, NJ, USA, 2009, p. 109–16.
[R11]. M. Townsend, “Managing a security
program in a cloud computing
environment,” in 2009 Information
Security Curriculum Development Annual
Conference, InfoSecCD’09, September 25,
2009 - September 26, 2009, Kennesaw,
GA, United states, 2009, pp. 128–133. [R12]. M. T. Khorshed, A. B. M. Shawkat Ali,
and S. A. Wasimi, “Trust issues that create
threats for cyber attacks in cloud computin
g,” in 2011 17th IEEE International
Conference on Parallel and Distributed
Systems, ICPADS 2011, December 7,
2011 – December 9, 2011, Tainan,
Taiwan, 2011, pp. 900–905.
[R13]. M. T. Khorshed, A. B. M. S. Ali, and S.
A. Wasimi, “A survey on gaps, threat
remediation challenges and some thoughts
for proactive attack detection in cloud computing,” P.O. Box 211, Amsterdam,
1000 AE, Netherlands, 2012, vol. 28, pp.
833–851.
[R14]. P. Jain, D. Rane, and S. Patidar, “A survey
and analysis of cloud model-based
security for computing secure cloud
bursting and aggregation in renal
environment,” in 2011 World Congress on
Information and Communication
Technologies (WICT), 11-14 Dec. 2011,
Piscataway, NJ, USA, 2011, p. 456–61. [R15]. R. Glott, E. Husmann, A.-R. Sadeghi, and
M. Schunter, “Trustworthy Clouds
Underpinning the Future Internet,” in The
Future Internet, Berlin, Germany:
Springer Verlag, 2011, p. 209–21.
[R16]. S. Ramgovind, M. M. Eloff, and E. Smith,
“The management of security in Cloud
computing,” in 2010 Information Security
for South Africa (ISSA 2010), 2-4 Aug.
2010, Piscataway, NJ, USA, 2010, p. 7 pp.
[R17]. S. Subashini and V. Kavitha, “A survey on
security issues in service delivery models of cloud computing,” Journal of Network
and Computer Applications, vol. 34, no. 1,
pp. 1–11, Jan. 2011.
[R18].S. Tabet and M. Pohlman, “Cloud
Computing: Combining Governance,
Compliance, and Trust Standards with
Declarative Rule- Based Frameworks,” in
Rule-Based Modeling and Computing on
the Semantic Web. 5th International
Symposium, RuleML 2011 - America, 3-5
Nov. 2011, Berlin, Germany, 2011, p. 230–6.
[R19]. Tsung-Hui Lu, Li-Yun Chang, and Zhe-
Jung Lee, “Integrating Security
Certification with IT Education,” in 2011
International Conference on System
Science and Engineering (ICSSE), 8-10
June 2011, Piscataway, NJ, USA, 2011, p.
582–7.
[R20]. Xin Yang, Qingni Shen, Yahui Yang, and
Sihan Qing, “A Way of Key Management
in Cloud Storage Based on Trusted
Computing,” in Network and Parallel
Computing. 8th IFIP International
Conference, NPC 2011, 21-23 Oct. 2011, Berlin, Germany, 2011, p. 135–45.
[R21]. Xue Jing and Zhang Jian-jun, “A brief
survey on the security model of cloud
computing,” in 2010 Ninth International
Symposium on Distributed Computing and
Applications to Business, Engineering and
Science (DCABES 2010), 10-12 Aug.
2010, Los Alamitos, CA, USA, 2010, p.
475–8.
[R22]. X. Lin, “Survey on cloud based mobile
security and a new framework for
improvement,” in 2011 International Conference on Information and
Automation, ICIA 2011, June 6, 2011 -
June 8, 2011, Shenzhen, China, 2011, pp.
710–715.