Page 1

Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 3, Issue 2, March -April 2013, pp.035-052

Research on preserving User Confidentiality in Cloud Computing – Design of a Confidentiality Framework Chaitanya Dwivedula1, Anusha Choday1 1 M.Sc- in Software Engineering, Blekinge Institute of Technology (BTH), Karlskrona, Sweden

I. GROUP MEMBERS‟ PARTICIPATION Group Member Idea Creation Report Writing Group Member 1 45 % 65% Group Member 2 55 % 35%

Abstract Cloud Computing creates a dynamic resource sharing platform that provides data analytically to the proficient users who are at demand to access data present in the cloud. As this data is stored outside the data owner's boundaries, they are skeptical for utilizing cloud technology in order to store or access their data from those external cloud providers who are outside their own control environment. There are many issues for these active clients (companies or individuals) to be petrified at the thought of using cloud computing paradigm. Some of the main issues that make the clients swear against Cloud Computing are generated from three important security aspects: Confidentiality, Integrity, and Availability. In this Research, we focused only on security models that relate Confidentiality issues. We performed a literature Review for analyzing the existing confidentiality frameworks and security models. We then designed a new theoretical framework for confidentiality in Cloud computing by extracting this literature. We expect this Framework when implemented practically in the cloud computing paradigm, may generate huge successful results that motivate the clients to transform their businesses on to Cloud. Keywords: Cloud Computing, Confidentiality, Security, Framework. II. INTRODUCTION Cloud Computing evolves to be a consistent term with collaboration of various IT technologies involved in it [15]. Resource pooling technology in Cloud Computing paradigm renders

the ability to store and dynamically allocate space to the resources that occur for storage periodically [15]. Virtualization technology [6] in Cloud Computing paradigm renders the ability to run resources that dynamically scale the user's necessity and share the resources available to support the need [15]. Similarly, there are many other technologies that contribute to Cloud Computing. The data storage mechanisms by Resources Pooling occur in Data-Centers [8] [15] which indirectly act like a CLOUD. On the other hand, the concept of „provisioning services in a timely (near on instant), on-demand manner, to allow the scaling up and down of resources‟ generates a virtualization mechanism which pretends to be COMPUTING [15]. Hence, CLOUD COMPUTING deserves to be a collective term of several technologies that interrupt effectively for dynamic allocation/de-allocation of resources [15]. The generally accepted standard definition [15] of Cloud Computing is published with efforts from National Institute of Standards and Technology (NIST). Their published1 definition is used in our Research Report for analysis about Cloud Computing. In short, to describe NIST definition [15], we understood that, the 'convenient and Ubiquitous network access' creates a moderate effort to the cloud clients to establish their resources on to the Cloud. The 'shared pool of configurable computing resources' contribute an Instant allocation/deallocation of resources that occur for on-demand data access [15] The 'rapid provisioning' provides a flexible operation of cloud for the cloud providers to scale the resources with assigning and releasing resources from time to time when they are required elsewhere [15]. As the technologies keep intruding into Cloud Computing paradigm, there is no means to say cloud computing is exhaustive. Cloud Computing keycharacteristics, models and implementations are more extensively discussed in Section-III. The discovery of cloud computing generated a reported progress 2 of Software Industry

and

its

services

to

the

35 | P a g e


Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 3, Issue 2, March -April 2013, pp.035-052 companies worldwide; but along with it, the security issues kept eroding to change [2]. This resulted in The Client's View about Cloud Computing as that it lacks in confidentiality for moving their resources onto cloud [10]. Potential clients are now waiting for the answers about how, why and by what means the security is provided to Cloud computing [2]. The Problem is distinct as the security issues occur frequently in parallel to the Cloud development. The environment of Cloud Computing is vast making it more vulnerable to threats [2]. Hence, we decided to focus on the most eminent security issues that significantly standardize the Confidentiality of Cloud Computing to a better extent. In our Systematic literature review made before our research proposal, we analyzed that Confidentiality alone can specify approximately 50% of the security issues that when satisfiedcloud computing can emphasis to more interesting software development. The data behind the Cloud is technically said to be off- premise and is never under the boundaries of the data owners [8]. These data that are stored in Cloud are beyond the control of data owners which may converge with loss of confidentiality [2]. We believe that, Most of the effective customers condemn the use of cloud computing because they are aware of the ethics beneath cloud technologies that are unclear or unknown to them. The goal of this Research is to generate a successive framework for Cloud Computing that can predict sufficient Confidentiality gain in this particular Cloud environment. Hence, this Framework will be an extension to our understandings of Frameworks analyzed from Systematic literature review (SLR) that is done at the time of our research. Our Research Questions relate this main objective mentioned above and are detailed to study from section-IV. The study process, data collection & analysis methods involved for this research are discussed to detail in the section-V and section-VI. The problems (that may generate during the implementation of the resulted framework), the limitations and the sustainable arguments to our study are brought-up to note in section-VII. Our final research results that are concerned with our research goals are presented to acknowledge our study in conclusions part (section VIII). III. BACKGROUND AND MOTIVATION The consistent approach of our previous SLR (PRE-SLR) lead us to a clear understanding of security issues present in Cloud Computing. Mainly, the security issues such as Confidentiality; Integrity; Availability; are indefinitely implemented to reach the efforts constraining to Healthy ondemand network access [2]. Thus, these efforts when indistinct may route to problems in Cloud

service models (such as SAAS; PAAS; IAAS;) which when left unsolved might cause 'lack of proficient security (CIA)' [2] [7]. One of the main reasons for Cloud Computing to be inconsistent in confidentiality is due to differences in Cloud models that are getting deployed [2]. The three deployment models (Public Cloud; Private Cloud; & Hybrid cloud;) generate a multiple framework activity that has to be satisfied with confidentiality [7]. This SLR has also been understood as a proven theory when we re-reviewed the NIST definition for a several times. The definition is supported by five key cloud characteristics, three delivery models and four deployment models [15]. We understood this definition as of three interlinking properties of a Cloud: key Characteristics of a cloud, delivery models and deployment models. Our understandings on this definition are presented in the Figure-3.1.

Figure-3. 1: definition [15]

Our

understandings

on

NIST

The key characteristics describe the operations performed in a cloud computing environment. The key characteristics such as On-demand resource sharing; Resource Pooling; Rapid elasticity; monitoring resource allocation; Wide network access; service provisioning; has elaborated the Cloud technology in detail [15]. The Cloud service Models such as Software-as-a-service (SAAS); Platform-as-aService (PAAS); infrastructure-as-a-Service (IAAS); are said to be general classifications of the Cloud [15]. Regardless of the service models that are classified, there exist 3 basic deployment models of Cloud such as Public Cloud; Private Cloud; and Hybrid Cloud. “Hence, the key characteristics of Cloud when applied (to deployment models) provide data (or) services to its Clients.�

36 | P a g e


Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 3, Issue 2, March -April 2013, pp.035-052 Here, we also analyzed that Confidentiality issues underlie the challenges in finding answers to questions like: How will Cloud provisioning occur to act? What are Cloud security requirements?  How will Data storage occur in Cloud Computing?  How reliable is Security architecture of the Cloud? How reliable are the Cloud Services offered? So, indirectly we understood that “gaining knowledge about Cloud technology improves half of the Confidentiality levels in the Clients”. Hence, these above questions have worked as partial hypothesis for us. We are focused to propose a unique framework that can produce a single architecture which allows combination of required security goals; along with all the reliable policies, procedures for all Cloud deployment models in common. So, we further continued our research on classifying the security issues that are analyzed from our PRE-SLR results. With the understandings we have - upon the found security issues, we now classified them as the issues that relate to Confidentiality with one among the three, they are: Classifying Security Issues in Common Technical issues Organizational issues Legal issues. The entire list of Security issues are generalized into these three issues in common. This Complete list of Security issues obtained in PRE-SLR is presented in Appendix-C. Our reasoning for the above classification is as follows: Technical issues: All the security issues like „Shared Technology Vulnerabilities‟, „network security‟ and many others that can find solutions framing security goals in technical area are analyzed as Technical issues. Organizational issues: All the security issues like „Malicious Insiders‟, „data location transparency‟ and many others that can find solutions by framing security goals in organizational area are analyzed as Organizational issues. Legal issues: All the security issues like „policy based or procedural based problems‟ and many others can get the solutions by framing security goals in this area are sorted to be legal issues. The basis of this classification is just to unite all the security issues relevant to confidentiality in Cloud Computing. The main idea besides this type of classification

is -„if we unite all the confidentiality issues in common, then we can easily map them onto our framework that is going to be generated.‟ We hope the companies will need a unique frame work like this and future researchers might not fail to be stimulated by the ideas presented by us. While this is a diving cause for the need that encompasses cloud computing, if we can't find the solution for this research, the implications of not solving this problem might be the same as explained above: The confidentiality that lacks behind will generate a fear for the clients (companies, organizations, individuals, etc) to share/store their resources (or) to transform their businesses on to the Cloud environment.

IV. RESEARCH PLAN

DEFINITION

AND

A. Research objective: The goal of this Research is “To generate a sufficient security model-framework for the extent possible, which when implemented: can moderate the activities (that occur for security threats or implicating risks) that are indeed capable of reducing Confidentiality of the Cloud and its environment.” This Research objective focused our aims onto:  Specifying the security issues that relate to Confidentiality in Cloud Computing.  Understanding the possible research results of the effective security models presented by the previous researchers.  Proposing a more extensive security model- framework that can uniquely state the province of all service and deployment models in collaboration. B. Research Questions: The interpretation of the above objective is extensively scrutinized, with the need for the necessary knowledge that has to be obtained in collaboration with the new framework to be generated. These following research questions 3 (R.Q‟s) will guide our research: R.Q.1: What are the Security issues that sufficiently support Confidentiality -inducible in security Framework of Cloud Computing? The Question has been framed in such a way that all the issues found in our PRE-SLR are now to be brought out to analysis where we can know how the security issues collide with the security models framed. For this, we need to know how actually a security model in Cloud Computing is exists. Hence, R.Q.1.1 is framed for this analysis. Interpreting the solutions occurred for R.Q.1.1 will relevance the solutions to be found for

37 | P a g e


Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 3, Issue 2, March -April 2013, pp.035-052 R.Q.1. R.Q.1.1: How are these Confidentiality issues classified to indulge with consistent security operations in Cloud Computing?

3 These R.Q‟s are re-framed for „adequacy need‟ for this report (as commented by our professor {proposal evaluator}) but comply with same research meaning as that of research proposal R.Q‟s framed earlier. This R.Q. is generated in such a way that we can understand several constrains for security issues getting involved in the security operations. This question needs a though analysis of security models presents in the literature. Hence, SLR is conducted to extract the results. R.Q.2: How to uniquely frame Confidentiality within the boundaries of all Cloud security models/Architectures in common? Our entire research concept is to find a unique framework for confidentiality in cloud computing and this questions serves the purpose of our scope.

 Analyzing the inconsistent results found in the literature from other researchers.  Analyzing ideas that are firmly achieved by the others in this field of study.  Applying their models more extensively by clubbing the ideas; to generate new framework with the current security issues that enhance Confidentiality in Cloud. With experiences from PRE-SLR, We now choose top journals refereed from several good publications. In our first step, the Journal Ranking is collected from an International Research Group4 by name: "Association of Information Systems (AIS)". We have only selected these Top ranked Journal Publications in which again through filters we were able to analyze that only few occur for Cloud Computing study. The task of finding a search engine had been easier for us than finding best journal publications; as most of the search engines are available through our BTH University 'Find database' library portal. We only focused on the search engines that can especially present these Top ranked journal publications. We then filtered our keywords again and again for a proficient search refinement on „Confidentiality frameworks and security models in Cloud Computing‟. The complete operation of POST-SLR in presented in the below data collection & analysis methods.  Data Collection method: The Qualitative analysis of literature amends with the use of SLR. However, if the distillation process of extracting literature fails, the quality might reduce its heights. Hence, opting for highly qualitative journal publications, selecting effective search databases and framing the search strings for the search operations are said to be the three main aspects of SLR. a) Step1: Journal selection: we required papers that present studies of all forms such as Empirical studies, Case- studies, research findings, and all other available literature; but we restricted our search only to the peer-reviewed Journal articles. The list of Journal Publications that attracted us in our study (on security models in Cloud Computing) are presented below. These top ranked journals are sorted with searches made for our Cloud Computing study. The original ranking list of Top Journals as described above are sent to Appendix-B inorder to make it clear.

C. Research Methodology: Our research is originated by understanding Cloud Computing as a start and then conceived with an objective of what needs to be done. The R.Q.s are framed with the basic understanding from the PRE-SLR results and by reading several: research news articles, websites regarding Cloud service offerings, and soon. As, Our research has to provide solutions with analysis of various security models or confidentiality frameworks in Cloud Computing, we observed that qualitative form of extracting information is an SLR. Hence, we conduct an SLR again but now with focus on extracting Security models. For clarity, the SLR that has to be performed now is named as POST-SLR. The difference between these two SLRs is as shown in Appendix-A. A Review methodology of this type (SLR) is helpful to generate sufficient solutions for our R.Qs. In addition, our ideas with reference to the issues found in PRE-SLR will be presented for qualitative elaboration in the Framework being generated. Journal Articles (Scrutinized)  Systematic Literature Review: (POST-SLR): MIS Quarterly (MISQ) To gain knowledge in Security Models and Communications of the ACM (CACM) previous researchers' works on Security Framework activity in cloud computing, we choose SLR as our IEEE Transactions (various) best means to obtain it. Some of the sufficient Journal of Computer and System Sciences (JCSS) Information Systems Journal (ISJ) reasons for relying only upon SLR are as follows: Database for Advances of Information Systems (DATABASE)  Analyzing the generally accepted security models in cloud environment. Decision Support  Analyzing the future work that remains unfurnished in the Systems previous (DSS) security models in b) Step2: Database selection: Cloud Computing.

38 | P a g e


Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 3, Issue 2, March -April 2013, pp.035-052 Our experience upon the search engine mattered for a while as this selection is a priority for major papers to be found. Hence, we limited our search within databases where almost all the top ranked Journals can be found. The analysis list of most prominent Search databases that cover all the ranked Journals in relation to Cloud Computing Findings in their search Query; are presented below: Search Databases (scrutinized) SCOPUS Engineering village (INSPEC; COMPENDEX;) The search operation designed below is applied with one of these two databases at a time; For example, if we can‟t find the relevantly interesting data in „Scopus‟ then, for clarification, we followed the same search query in „Engineering Village‟ database. c) Step3: Search operation: The Search operation of finding relevant data for our search has been the basic task for our research operation. We now focused on framing the search strings, extracting results, stimulating search results with the scope and refining the search strings if relevant data is not found. The below figure-4.2 demonstrates our search operation.

Figure-4. 1: Search Operation As almost all the papers are published online, we have selected Online Databases over the internet and did not use any library or other external sources for our data search. We developed a General Search Query baseline for generating our search in such a way that by inserting keywords into this formula may give desired results for our Research Area. This idea is originally developed from the idea behind search interface present in the research database: „Scopus‟. The Search Query we adopted in “Scopus” -„Advanced search‟ interface is as below: (TITLE-ABS-KEY("SEARCH STRING") AND SRCTITLE("ACM") OR SRC TITLE("MIS Quarterly")

OR SRCTITLE("IEEE") OR SRCTITLE("Journal of Computer and System Sciences") OR SRCTITLE("Information Systems Journal") OR SRCTITLE("DATABASE") OR SRCTITLE("Decision Support Systems")) AND PUBYEAR > 2004 The search strings framed are directly inserted into this formula for results in our research area. A complete list of search strings along with the Strings that even found no results are presented in Appendix –B in order to make it clear. All the keywords that extracted exciting results - when applied to search strings framed under this above search formula are presented below: Keywords (scrutinized) Cloud Computing Security and privacy Security model Confidentiality Framework Privacy Policy(s) Grid Computing Virtualization Security Architecture … … In the search operation made, we got 11 research articles that are firmly relevant to our study. The process of analyzing these articles is presented below.  Data Analysis Method: For data analysis, consistent tracking of search results is the ultimate task which dissolves the barriers between knowledge gain and its implementation. The Quality of the search results is assessed with include/Exclude Criteria, as described below: d) Include Criteria:  Only Peer reviewed Articles (available) from Journals or Conference papers.  Articles should be written in English language.  The article has to be published during or after the year 2005.  Articles that found relevance with Cloud Computing security models in their Abstracts. All the other articles that do not meet the include criteria are said to be excluded. In order to validate our Research Methodology, we have also cross-checked our SLR with two other SLRs [17] & [18] in which one is a Thesis paper [18].

V. RESEARCH OPERATION The Scope of this Research is to elaborate the unconditional use of Confidentiality framework that can peers all the service and Deployment models present in the cloud. Hence, our major tasks constitute the operations contributing with the minimal tasks of analyzing security issues, generating a framework that architects all the security solutions for the issues generated and soon.

39 | P a g e


Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 3, Issue 2, March -April 2013, pp.035-052 To achieve our research objective, we started with PRE-SLR for analyzing all the possible security issues and then specifying them to predictable general classifications (such as Technical, organizational, legal issues) as shown in the Section-III. As we can‟t detail each and every Security issue in the framework and also as we can't map all the issues directly into the framework, we choose this way to generalize them. We believe that most part of the R.Q.1 can be addressed to solutions 'by analyzing security issues found in PRE-SLR' and rest of R.Q.1 is 'to analyze how these security issues indulge into the framework being generated'. For solving this remaining part of R.Q.1, again R.Q.1.1 is framed. Now, the research analysis (from POST-SLR) has shown the path for implementing a new framework. The Found literatures that solved R.Q1.1 for the concept of"finding Confidentiality requirements that are classified to indulge with security operations in Cloud computing" are presented below: A. Literature Analysis: In Engineering privacy [10], the authors generated a three sphere models (User Sphere; Joint Sphere; and Recipient Sphere;)that occur for user privacy concerns. they relate all the Confidentiality issues to these three spheres. We analyze these models as operations that obscure privacy views. They also generated some architectural mechanisms that can also partially generate confidentiality in Cloud Computing area. These mechanisms are as below:  Privacy-by-policy: Based on policy generation which results in Fair Information Practices (FIP). This FIP was contributed to European Legislation privacy [10].  Privacy-by-architecture: Based on anonymizing information which results in little or no personal data detection by third parties [10].  Hybrid approach: Based on the combination of above two approaches where policies collide with technical mechanisms (architecture), they then enforce privacy enhancements [10]. These policy centric architectures have given a start to our security framework idea being generated. In [4], the authors developed security classification framework which sorted the presence of our research idea for R.Q.1.1 towards a solution. They classified the security issues for Grid Computing environment also with decentralized data control over its architecture. The Figure 5.1 presents their framework:

Figure-5. 1: Classifications of grid computing Security [4] As they focused on grid computing, the security issues resulted to solutions in their framework will lead to grid environment's security province but as they interlinked these security issues to grid Deployment models (computational grid; data grid; service grid;) and as the same security issues (like intrusion detection) can be found in Cloud deployment models, their framework helped us in our Cloud Computing-Confidentiality framework initiation. Their classification framework also presented the solutions to the issues area-wise (system solutions, Behavioral solutions, Hybrid Solutions ;). In the same way we focused our solutions to the Confidentiality issues area-wise; they are named as: Technical solutions, Organizational solutions, Legal solutions. In 'Cloud Security Issues' article [2]; B. R. Kandukuri et al. described several Service Level Agreements (SLAs) for generating notion to different levels of security. According to them SLAs are documents that define relationship between two parties: the cloud Provider and the Customer (recipient). Even they have immensely guided us for our research as their concept of indulging Security Risks in the SLA has given a complete understanding of what needs to be done in our frame work. The simple analysis of SLA and its contents are like these:  Definition of services  Performance management  Problem management  Customer duties and responsibilities  Warranties and remedies We analyzed that these contents when applied into action can generate answers for the partial research hypothesis presented above in the Background

40 | P a g e


Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 3, Issue 2, March -April 2013, pp.035-052 Section. We took steps forward in that means of approach. To be consciously readying about Encryption concepts in many literatures [5] [11] saying that they have generated a mechanism for confidentiality is not trust-worthy for us. They have generated some encryption key-mechanisms, encryption algorithms, Cryptography methods and soon which can be sorted like a solution for “data privacy” alone but not to entire confidentiality measures in security framework. We believe that only a key generation concept might not itself provide confidentiality to the user. We can support this analysis, as said by S. Spiekermann et al [10], the user is out of the boundaries of the organizational sphere where these keys get generated, and so, even though the key is set private to the users themselves, we can‟t find any proof to say that these consistent key encryption mechanisms alone can stabilize confidentiality requirement in Cloud environment. A new concept said to be RAIN (Redundant Array of Independent Net-storages) [9] has been analyzed from the literature. According to the authors of this article [9], they used a divide and conquer method for the data passing through the clouds. They have also presented their background work of deploying 5 Cloud service models. They are as shown below:  Separation model: separates data storage from data processing [9].  Availability model: separates stored data from data providers during the time of processing [9].  Migration model: describes the data migration from one storage provider to another other storage provider [9].  Tunnel model: describes data tunneling service between data processing service and data storage service [9].  Cryptography model: describes data encryption that is also not intelligible even to the storage provider [9]. Their procedural implementation gave us an idea for the framework that implements process activities one- onto-one presenting itself as security control-flow architecture. In another paper named „understanding Cloud Vulnerabilities‟ [1], the authors have generated a framework mitigating the Risk factors into two kinds, “loss event frequency” and “probable loss magnitude”, all the rest are classified into those two risk factors. This can be seen as of a relevance to our security issues generalization concept; for mapping them into the framework that can give solutions to any kind of issues that occur

in the open risk taxonomy [1]. As we are about to conclude our literature review analysis, even though we are unable to completely find a security framework or security model or architecture, we felt that we are satisfied with the solutions that are obtained to R.Q.1. & R.Q.1.1. This Review has shown the relevant security threats or risks or issues that are interlinked with the security models; but for complete solution of R.Q.1 & R.Q.1.1, we also considered a few NIST drafts that enabled the Risk analysis process or frameworks consistent with cloud environment. The below are the knowledge gained concepts from different drafts of NIST. In NIST Draft SP800-30 [12], Risk Assessment Methodology Flowchart is presented where we have successively understood each and every concept beneath the Risk taxonomy and its control flow. The seven steps that determine this sequential flow are as follows [12]: Step1: System Characterization Step2: Threat Identification Step3: Vulnerability Identification Step4: Control Analysis Step5: Likelihood Determination Step6: Impact Analysis Step7: Risk Determination Step8: Control recommendations Step9: Results Documentation With elaboration, NIST Draft SP800-37 [13] has further presented a Risk Management Framework which became the key to our Research for confidentiality on cloud. This framework is as shown in Figure-5.2 below.

Figure-5. 2: Risk Assessment Framework (NIST SP80037) [13] In NIST draft SP800-125 [14], the architecture of Virtualization technologies is enabled with hypervisors that have played a major role for providing security to the Cloud Computing environment. The security controls when operated in the hypervisors (virtual machine managers for

41 | P a g e


Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 3, Issue 2, March -April 2013, pp.035-052 monitoring multiple hosts) that are placed just Even though deployment models exist, a general scope and control flow of the service models in cloud computing with the views of both consumer and cloud provider are presented in Draft SP800144 [16]. This Scope in terms of control flow is thus also implemented by us where the cloud provider‟s view and the customer‟s view on the framework being generated are extracted to act. Hence, R.Q.1 is completely fulfilled with knowledge base of security issues as shown above with relevance to security models that are deployed to eradicate trouble caused by these issues.

VI. DATA ANALYSIS INTERPRETATION

AND

Even though there are many other security models or frameworks, we presented only the important articles. As the knowledge for relevant data models got its place for our idea creation from among these articles, hence, we concluded the literature review for analysis. Here in this section, we present a Data Framework activity by analyzing all

before the above frameworks, the cloudmodels offering and other applications security concepts that are found in the above literature. The framework that satisfies our R.Q.2 is contributed to effect from the FIGURE-6.1 below: This Framework is done in such a way that cloud providers and their customers have a generalized view on the security operations in their cloud. The framework has also shown the difference between the operations that are carried for stepwise flow. We used orange, blue green and red colors for differentiating and clubbing several operations carried in the cloud. All the orange boxes denote the general tasks by the cloud provider or their customers. All the blue boxes denote the original security operational flow in the framework. Green and red denote the organizational and technical issues/tasks respectively. The description of this tasks and operations will refer back to the POSTSLR review made in Section- V. If anything is unclear, all the rest including Security concepts and other keywords used in the below framework are clearly elaborated in Appendix-D.

Figure 6. 1: Confidentiality Framework for Cloud Computing (our research solution) VII. DISCUSSIONS A. Contributions & limitations : The framework has deployed a risk management activity for security provisioning in cloud environment. We are sure that results generated by us are completely involved with all the levels of security issues and their solutions in all kinds of users‟ views; and hence, will provide a constant baseline for drawing security architecture

in any Cloud based company that indeed can satisfy the cloud customers. Even though just an SLR can't deal with the entire problem area and also as there is no proof that our research analysis can work in the real time industry, we had no other choice as time is our major constraint rather than just implementing a Framework only based on SLR. This framework is limited to the general activities without concise on any further clarifications on the inside elements such as

42 | P a g e

can implemen


Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 3, Issue 2, March -April 2013, pp.035-052 cryptography and soon. B. General proceedings(future work): As of now this model needs to be scrutinized. This model needs to be briefly elaborated deriving each and every activity in the framework analytically with real-time proofs. If we get a chance in thesis, then we are sure that we can get a clear scrutinized security model along with the suggestions made by the professors and real time industry people with the surveys and experiments conducted. VIII. CONCLUSION Confidentiality for Cloud Computing deals with the emerging cloud architectures that evolve with time. This continuous evolution process might necessitate to with stand a baseline framework activity. We enabled a framework activity with reference to general security models and patterns. We expect this framework to be a consistent approach to trigger any kind of security mechanism in Cloud Computing. As the views on this model are focused to analysis with both Cloud provider and the customer, we hope that organizations can be at ease to implement their operations directly on to this framework without further discussions.

Challenges,” Journal of Network and Computer Applications, vol. 3, no. 5, pp. 247-255, Dec. 2011. [8]. M. Armbrust, I. Stoica, M. Zaharia, A. Fox, R. Griffith, A. D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, and A. Rabkin, “A view of cloud computing,” Communications of the ACM, vol. 53, no. 4, p. 50, Apr. 2010. [9]. M. G. Jaatun, G. Zhao, and S. Alapnes, “A Cryptographic Protocol for Communication in a Redundant Array of Independent Net-storages,” 2011, pp. 172–179. [10]. S. Spiekermann and L. F. Cranor, “Engineering Privacy,” IEEE Transactions on Software Engineering, vol. 35, no. 1, pp. 67–82, Jan. 2009. [11]. S. Yu, C. Wang, K. Ren, and W. Lou, “Achieving Secure, Scalable, and Finegrained Data Access Control in Cloud Computing,” 2010, pp. 1–9. NIST

[12].

REFERENCES [1].

[2].

[3].

[4].

[5].

[6].

[7].

B. Grobauer, T. Walloschek, and E. Stocker, “Understanding Cloud Computing Vulnerabilities,” IEEE Security & Privacy Magazine, vol. 9, no. 2, pp. 50–57, Mar. 2011. B. R. Kandukuri, R. Paturi. V., and A. Rakshit, “Cloud Security Issues,” 2009, pp. 517–520. C. Chapman, W. Emmerich, F. G. Márquez, S. Clayman, and A. Galis, “Software architecture definition for ondemand cloud provisioning,” Cluster Computing, vol. 15, no. 2, pp. 79–100, Feb. 2011. E. Cody, R. Sharman, R. H. Rao, and S. Upadhyaya, “Security in grid computing: A review and synthesis,” Decision Support Systems, vol. 44, no. 4, pp. 749–764, Mar. 2008. G. Zhao, C. Rong, J. Li, F. Zhang, and Y. Tang, “Trusted Data Sharing over Untrusted Cloud Storage Providers,” 2010, pp. 97–103. K. Riemer and N. Vehring, “Virtual or vague? a literature review exposing conceptual differences in defining virtual organizations in IS research,” Electronic Markets, May 2012. K. 'Shade O, I. Frank and A. Oludele, “Cloud Computing Security Issues and

[13].

[14].

[15].

[16].

Special Publication (SP) Drafts: [Online](Available: http://csrc.nist.gov/publications/PubsDraft s.html) S. Gary, G. Alice, and F. Alexis, “SP: Risk Management Guide for Information Technology Systems,” National Institute of Standards and Technology (NIST), CSRC-SP800-30, July. 2002. “SP: Guide for Applying the Risk Management Framework to Federal Information Systems,” National Institute of Standards and Technology (NIST), CSRC-SP 800-37(Rev-1), Feb. 2010. S. Karen, S. Murugiah and H. Paul, “SP: Guide to Security for Full Virtualization Technologies,” National Institute of Standards and Technology (NIST), CSRC-SP 800-125, Jan. 2011. M. Peter and G. Timothy, “NIST Definition of Cloud Computing,” National Institute of standards and Technology (NIST), CSRC-SP 800-145, Sept. 2011. J. Wayne and G. Timothy, “SP: Guidelines on Security and Privacy in Public Cloud Computing,” National Institute of Standards and Technology (NIST), CSRC-SP 800-144, Dec. 2011.

SLR model review references: [17]. S. Jalali and C. Wohlin, „Agile practices in global software engineering - a systematic map‟, in 2010 Fifth IEEE International Conference Global

43 | P a g e


Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 3, Issue 2, March -April 2013, pp.035-052 Software Engineering (ICGSE 2010), 23-26 Aug. 2010, Los Alamitos, CA, USA, 2010, pp. 45–54. [18]. Guido Kok, “Cloud computing & confidentiality,” M.S. thesis, Dept. Comp. Sci. Eng., University of Twente., Enschede-Noord, Nederland, May.24.2010.[Online] (Available: http://purl.utwente.nl/essays/61039)

this research operation performed now. A Review methodology of this type (SLR) has already been conducted in our previous assignment (asst-1). The results of that PRE-SLR obtained, have been utilized in background Section-III. As shown in below Figure-A, we name this SLR (made in the research operation) as 'POST-SLR' in order to differentiate from the SLR that is done before our proposal (assignment-1) (For clarity, we name this previous SLR as 'PRESLR').

APPENDIX A A. Differentiating Our Previous works from

Figure A: Figure-4. 2: Differentiating our work from the past. APPENDIX B – SEARCH OPERATION The Journal Publication ranking with relevance to “CLOUD COMPUTING” is roughly analysed for search in every Top ranked public ation with basic keywords as „Cloud Computing' AND 'Confidentiality'. The main motive behind this search is to analyse all the top ranked

publications that publish topics in concern to Cloud computing. We found only 7 top Publications that gave unique results with the rest left behind with the same search result (as that of the previous publications‟ search) or no search result at all. The Table-A shows top ranked journal publications list and cloud findings in them.

44 | P a g e


Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 3, Issue 2, March -April 2013, pp.035-052 Table A: Top ranked journal publication selection from AIS-Journal ranking5 with relevance to cloud computing.

Serial 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. 30. 31.

TOP JOURNALS (AIS-MIS Journal Ranking Sequence) MIS Quarterly Management Information Systems (MISQ) Information Systems Research (ISR) Communications of the ACM (CACM) Management Science (MS) Journal of Management Information Systems (JMIS) Artificial Intelligence (AI) Data Sciences (DSI) Harvard Business Review (HBR) IEEE Transactions (various) AI Magazine European Journal of Information Systems (EJIS) Decision Support Systems (DSS) IEEE Software (IEEESw) Information and Management (I&M) ACM Transactions on Database Systems (ACMTDS) IEEE Transactions on Software Engineering (IEEETSE) ACM Transactions (ACMTrans) Journal of Computer and System Sciences (JCSS) Sloan Management review (SMR) Communications of AIS (CAIS) IEEE Transactions on Systems, Man & Cybernetics (IEEETSMC) ACM Computing Surveys (ACMCS) Journal on Computing (JCOMP) Academy of Management Journal International Journal of Electronic Commerce Journal of the AIS IEEE Transactions on Computers (IEEETC) Information Systems Frontiers (ISF) Journal of Management Systems Organisation Science (OS) IEEE Computer (IEEEComp)

Resulted Search Articles 2681 2681 168 2681 2681 3(X) -NA2681 7 2(X) -NA17 7 -NA168 7 168 10 2681 168

Research Area relevance

Search operated through: EBSCOhost EBSCOhost ACM Dl library EBSCOhost EBSCOhost ScienceDirect --EBSCOhost IEEE Explore AI Magazine --ScienceDirect IEEE Explore --ACM Dl library IEEE Explore ACM Dl library ScienceDirect EBSCOhost ACM Dl library

7

IEEE Explore

168 168 2681 2681 -NA7 -NA2681 -NA7

32.

Information Systems Journal (ISJ)

135

33. 34.

Administrative Science Quarterly Journal of Global Information Management (JGIM) The Database for Advances of Information Systems (DATABASE) Journal of Database Management (JDM) Information Systems (IS) …

129(X) -NA-

ACM Dl library ACM Dl library EBSCOhost EBSCOhost --IEEE Explore --EBSCOhost --IEEE Explore WILEY online Library SAGE Journals ---

1066

EBSCOhost

2681 11 …

EBSCOhost ScienceDirect …

35. 36. 37. …

45 | P a g e


Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 3, Issue 2, March -April 2013, pp.035-052 NOTE: The top ranked Cloud computing publications are marked with three colours: Green, Yellow and Red. The Green colour shows unique search result at the start before finding the same result in other publications. The Yellow represents the Publications which carry Cloud papers but show same result (-repeat-) as that of previous publications and hence neglected. The Red shows that the publications are unavailable (-NA-) or no results found with relevance to Cloud computing topic. The (X) mark besides the search result denotes the papers found irrelevant to the cloud computing research area technically.

After finding these top 7 journals, the search string formula is generated (in section IV) for finding the papers relevant to our research area in Cloud computing. We analyzed that most of the Journals from IEEE and ACM publications defer in name but gave same results. So we sorted them just to be “IEEE” and “ACM” in our search formula generated. The idea behind this is to grab as much as many resu lts from all the publications of IEEE, ACM and all the rest of the 7 unique journals. The below table-B presents the search strings framed that are applied into that search formula generated in the report.

Table B: Search strings framed and (number of) results obtained.

Iteration 1 2 3 4 5 6 7 8 … …

Search String [IN (Title, Abstract, Keywords)]

Search Results

“Cloud Computing” AND “Confidentiality” AND (“framework” OR “model” OR “architecture”) “Cloud Computing” AND “Security” AND (“model” OR “Framework” OR “Architecture”) “Cloud Computing” AND “Privacy policy*” “Cloud Computing” AND “Risk management” “Cloud Computing” AND “Security requirement*” “Cloud Computing” AND “Security management” “Grid Computing” AND “Security” AND (“model” OR “framework” OR “Architecture”) “Virtualization” AND “Security” AND (“model” OR “Framework” OR “Architecture”) … …

We started with the initial search string-Iteration1 to get initial idea on the search results. All the rest of the iterations follow the search made in order to find the results for “cloud computing and confidentiality frameworks”. Inclusion of synonyms and similar wo rds occurred for refining the searches strings framed. Singular and plurals were included in the search and hence „*‟ was included in the search strings above to represent the same. As we involved synonyms, we included OR operator in the search strings framed. When the above framed 8 search strings are inserted into the search formula we got 26 relevant and available articles. Even though, these 26 articles are found only through analysis on Title relevance and (then if needed) abstract readings, we further made a thorough review on these papers and found that only 11 support our Research area firmly. We made use of these 11 articles in our research operation and also refereed them to final Confidentiality framework design in cloud

Very well guided

23

Relevant and available 12

266

8

2

29 15 89 153 225

-Repeat-Repeat3 -Repeat1

0 0 1 0 1

146

2

0

… …

… …

… …

2

computing (our analyzed research solution). Also, among these 11 finally extracted papers, we found that 6 papers guided us very well for our research conclusion. All these 11 articles are listed as references in the research report. All the rest excluding these 11 articles also helped us in gaining some additional knowledge and hence presented in Appendix-E.

APPENDIX C –SECUIRTY ISSUES GENERALISATION (FROM PRE-SLR) The security issues that relate to confidentiality are presented here with analysis from our previous studies (PRE -SLR, Assignment-1). As said in the research report, these issues are focused to generalize them into 3 main categories such as Technical, Organizational, Legal issues; as shown in the Table –A below.

46 | P a g e


Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 3, Issue 2, March -April 2013, pp.035-052 Table C: Security issues found in PRE-SLR and our view of generalizing them to 3 main issues

Security Issues Abuse and Nefarious Use of Cloud Computing Account, Service and Traffic Hijacking Authentication and authorization Cost and Limited availability of technical personals Customer Isolation and Information Flow. Cloud Integrity and Binding Issues Cloud Security vulnerabilities and Security Attacks Cloud Governance Data access and Control Data back-up and recovery Data breaches (controlling XML signatures and soon) Data location Data protection (Loss/Leakage) Data provisioning (Audits, etc) Data segregation Ensuring user rights (End user Trust) Federation and Secure Composition Identity/Key management (Encryptions) Insecure Application Programming Interfaces (web application security) Integrity for user's dynamic changes Investigative support (data forensics and soon) legal, policy based and commercial problems Long-term viability (End user trust) Malicious Insiders Multi-Compliance Clouds Network security Non-Repudiation Privileged user access Regulatory Compliance Reliability Risk/Threat Management Security assurance to cloud users Security Integration & Transparency. Shared Technology Vulnerabilities undefined cloud boundaries Unknown Risk Profile (lack of transparency) Virtualization vulnerability

NOTE: The references “[R]” refer to the PRE-SLR references. These references are presented in Appendix-E. All the security issues presented above that are generalized into these 3 issues are only through our understandings upon them. As we cannot elaborate our analysis on each and every issue in this RM research report, the referenced papers besides the issue (in the above table) can show what exactly each and every issue is. Along with these issues in our hand, in the same way, the further issues that evolve with time or any other issues that are not sighted by us can also be set into on e of these 3 issues in the future.

Issues found from PRE-SLR (references) [R7], [R12] [R7], [R12] [R17] [R1] [R 15] [R10] [R2], [R10] [R16], [R18] [R17] [R2], [R14], [R20] [R17] [R14] [R7], [R12], [R21] [R2], [R10], [R15] [R17] [R18], [R21] [R15] [R20] [R7], [R12]

Issues can Relate to Confidentiality as :Technical issue Technical issue Technical issue Organizational issue Technical issue Organizational issue Technical issue Legal Issue Technical issue Technical issue Technical issue Organizational issue Technical issue Technical issue Technical issue Legal issue Legal issue Technical issue Technical issue

[R21] [R2], [R16] [R18] [R2], [R16] [R7], [R12], [R15] [R15] [R17], [R21] [R16] [R14] [R16] [R8], [R20] [R2] [R10] [R15] [R7], [R12] [R21] [R12] [R2], [R17]

Organizational issue Technical issue Legal issue Organizational issue Organizational issue Technical issue Technical issue Organizational Issue Organizational issue Legal issue Organizational issue Technical issue Organizational issue Technical issue Technical issue Legal issue Organizational issue Technical issue

APPENDIX D –KEYWORDS USED (IN THE RESEARCH REPORT) Cloud Computing & confidentiality (As it is): Cloud computing (NIST definition) “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.” [15] Confidentiality (NIST definition-FIPS PUB 199) [S15] “Preserving authorized restrictions on information

47 | P a g e


Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 3, Issue 2, March -April 2013, pp.035-052 access and disclosure, including means for protecting personal privacy and proprietary information.” Integrity (NIST definition-FIPS PUB 199) [S15] “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.” Availability (NIST definition-FIPS PUB 199) [S15] “Ensuring timely and reliable access to and use information.” Cloud service models Software as a service (SaaS) [15] The SaaS service model is defined to services that render software applications to the cloud customers. Here, if needed, the Cloud provider can also operate these applications instead of customers like application management (updates), storage backups, infrastructure and soon. Platform as a service (PaaS) [15] The PaaS service model is derived to offer interfaces such as operational platforms to the cloud customer. These platforms ar e helpful to the customer in order to build some new applications that are supported on cloud based technologies. Here, the operations such as network management, storage, and operating systems are managed by the cloud provider itself and hence the customer can be relieved to work only for their application development but not in other matters of cloud maintenance. Infrastructure as a service (IaaS) [15] The IaaS service model is derived from the concept for reducing costs to the customer. IaaS is structured to provide the capabilities of cloud provisioning, storage management and other fundamental needs to the customer for making them to use cloud technologies. Here, the customer is application or file management is indirectly controlled by the cloud provider. Grid Deployment models Computational grid [4] The concept of separating resources for setting them aside in order to automate the computational works that can reduce compu tational power and man-power is said to be Computational grid. Data grid [4] The information and data are stored or retrieved to analysis from this data grid. This data grid is modeled in such a way that large volumes of data are accessed from single Cloud data centre at a time by several users (or companies or organizations). Service grid [4]

The grid that offers services to its clients is said to be Service grid. This grid is designed with mechanisms of provisioning customer requirements and offering services they require. Cloud deployment models Private Cloud [15] the services offered are monitored by the organization itself where its services are not shared to be monitored by outsiders for any other purposes, i.e., the physical infrastructure (cloud) may or may not be owned by the organization and might be on-premise or off-premise but will contain a designated service provider (employees or entities) for its cloud computations. Public cloud [15] The cloud is provisioned to use by any source that is in need, this source can be an individual, an organization, or some other entity. This cloud is generally maintained by ordinary cloud provider and mechanisms where low-level security is provided for usage.

Hybrid cloud [15] It is a combination of public or private or any other deployment cloud (such as community clouds) that is designed into single cloud architecture. The user may vary according to the organizational needs and hence the security may also vary with it. Cloud key characteristics On-demand resource sharing [15] The provisioning of services offered can leverage a concept of 'On-demand resource sharing'. This is automated process that enables the control mechanism of reducing human efforts for enabling services to the right users. Resource Pooling [15] As delivered to our research report above from NIST, Resource pooling technology in Cloud Computing Paradigm renders the ability to store and dynamically allocate space to the resources to occur for storage periodically. Rapid elasticity [15] The rapid elasticity is derived as: provisioning services with capabilities to automatically scale the exact user-demand. The resource is set to use for the demand and this service is reverted back when the customer is not in need of that resource. Wide network access [15] The ability to control or mange large area networks is delivered to output by this wide network access. With this characteristic we can be access data or information or service even through

48 | P a g e


Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 3, Issue 2, March -April 2013, pp.035-052 mobile devices. Cloud Spheres models User Sphere: [10] The user sphere is a technical domain name which seems to be encompassing a user's device. This sphere has to enable a full access control to the users who own it. The data is set to privacy and is accessible to entities present in external boundaries only with th e data owner's permissions. Additionally, user sphere models are trumped with respect to owner's physical privacy and hence, will wait for their interruption to change their access setting when needed. Recipient Sphere: [10] In the same way as that of user sphere above, the recipient sphere is a company centric sphere where the organization is responsible for its complete access controls. As the control is within the organization itself, the risk is low when compared to user sphere and so can potentially minimizes the risk of privacy breaches. Joint Sphere [10] The joint sphere is also a technical domain term of cloud spheres where this sphere can derive the complete cloud to its privacy by setting the controls completely within the organization and also involving its customers with some limitations to access them. we analyzed that this kind of model is not impossible to see in the real world, as we can see social networking sites where the users has given free of charge for using data storage, email services and many other features but the users should indirectly need to know that the full control of these services is withheld with the company (social networking site) itself but not with the user. Hence the privacy control is derived with the complete understandings of the organizations and its customers involved in joint sphere. Classification of types of Solutions for issues found in grid computing System solutions [4] The system based solutions approach is a concept where the technical issues are to be analyzed for solutions and rectifications. Issues such as accessing grid information, auditing grid functions and soon are set to solutions here. We named them to be technical solutions in our research report for our confidentiality framework Behavioural solutions [4] The Behavioral solutions denotes the category where solutions for issues like Immediate job execution, advanced scheduling, job control are sorted out for answers. We named them as

Organizational solutions in our research report for our confidentiality framework. Hybrid solutions [4] These solutions denote the category that combines all kinds of issues for sorting them to gain hybrid solutions. Here, trust is the fundamental for solving any kind of issue. We did not use this kind of solutions in our framework but instead as trust occurs better with policies and laws, we involved legal issues in our research framework. Some other keywords from literature RAIN (Redundant Array of Independent Netstorages) [9] All the deployment models are split to several independent (non-colluding) storage providers that pretend to be Redundant Array of Independent Net-storages (RAIN). In authors view a single chunk of data doesn't comprise Confidentiality and hence they derive that the data should be stored using one or several cloud storage providers. Open risk taxonomy [1] Open risk taxonomy is nothing but generalizing the issues (factors contributing) into much similar generalized issue categories. In this paper [1], the risk focus is divided mainly into two types „loss event frequency‟, „probable loss magnitude‟ with all the rest of the factors that occur for risk must be falling into one of these categories.

Hypervisors [14] Cloud Computing evaluates a Concept of „provisioning services in a timely (near on instant), on-demand manner, to allow the scaling up and down of resources‟. This approach of making computing a utility in cloud environment provides an Opportunity to dynamically scale the computing resource that are shared among customers using virtualization technology. Allocating / de-allocating these resources efficiently, is an open challenge that is solved by Hypervisors. They allocation and de-allocation mechanisms are automated through these hypervisors. In addition, we have analyzed that at present: VMware, XEN systems (using XEN hypervisors), Kernel-based Virtual Machine (KVM); implementing their services pretend to be Hypervisors in the real-time cloud computing world. Keywords that occurred in our Confidentiality Framework (Clear and extra explanation of each and every word used in our Framework)

49 | P a g e


Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 3, Issue 2, March -April 2013, pp.035-052 Cloud system analysis and design The system analysis and design is the initial step where we choose the Cloud deployment model [15] and designing the tasks that work upon that model that is chosen. Cloud security requirements The general security requirements like key encryptions [5] [11], data storage privacy [8], and many other fundamental requirements should be analyzed before implementing every cloud model. This helps in reducing the risk of cloud failure in security matters. This general loo k- up what of security requirements needed will somewhat increase the confidentiality in the cloud customers. Data Location Dimension Cloud confidentiality fails due to lack of cloud transparency to the customers. Customers are reluctant to transform their businesses on to cloud as they can‟t see where their data is located and hence, data location dimension distinguishes the data location in data owner's perspective rather than data provider's perspective [10]. System security control structure The original security model that is designed to operations for cloud security requirements found earlier is developed here in security control structure. All the security issues are analyzed here and further classified into 3 major chunks (technical, organizational, legal) and are sent to be solved by those different departments that are responsible for solving them [4]. Access controls The Cloud sphere models [10] such as recipient sphere, user sphere, hybrid sphere occur in access control criteria and will work as the same by transforming their responsibilities and concepts in access controls functions. These access controls even though arose from that sphere concept, the main duty is to preserve confidentiality for the data that is being processed in-and-out of the cloud. As soon as we set the access control to one of these sphere, the cloud will adhere the responsibilities of those sphere that is set and will work for the same. General security limitations The general security limitations occur from the concept of data provisioning and security controls that are limited to them in NIST draft SP800-125 [14] and NIST Draft SP800-30 [12] respectively. The general security limitations such as enabling encryption techniques; implementation of virtual private networks; implementation of security settings that suit the service level agreements [2] (that render to organizational standards); generating security assurance criteria and soon

come under general security limitations concept. Cloud offerings The cloud offering is the final step where we choose the Cloud service model [15] and designing the tasks that work upon that model that is chosen. APPENDIX E –INCLUDED STUDIES POST-SLR EXTRA HELPFUL REFERENCES6 ([S]) [S1]. C. Alcaraz, I. Agudo, D. Nunez, and J. Lopez, “Managing Incidents in Smart Grids a` la Cloud,” in 2011 IEEE Third International Conference on Cloud Computing Technology and Science (CloudCom), 2011, pp. 527 –531. [S2]. C. I. Dalton, D. Plaquin, W. Weidner, D. Kuhlmann, B. Balacheff, and R. Brown, “Trusted virtual platforms,” ACM SIGOPS Operating Systems Review, vol. 43, no. 1, p. 36, Jan. 2009. [S3]. D. W. Chadwick and K. Fatema, “A privacy preserving authorisation system for the cloud,” Journal of Computer and System Sciences, vol. 78, no. 5, pp. 1359– 1373, Sep. 2012. [S4]. H. Takabi, J. B. D. Joshi, and G.-J. Ahn, “Security and Privacy Challenges in Cloud Computing Environments,” IEEE Security & Privacy Magazine, vol. 8, no. 6, pp. 24–31, Nov. 2010. [S5]. J. Li, B. Stephenson, H. R. MotahariNezhad, and S. Singhal, “GEODAC: A Data Assurance Policy Specification and Enforcement Framework for Outsourced Services,” IEEE Transactions on Services Computing, vol. 4, no. 4, pp. 340–354, Oct. 2011. [S6]. J. Hao and W. Cai, “Trusted Block as a Service: Towards Sensitive Applications on the Cloud,” in 2011 IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 2011, pp. 73 –82. [S7]. L. M. Kaufman, “Data Security in the World of Cloud Computing,” IEEE Security & Privacy Magazine, vol. 7, no. 4, pp. 61–64, Jul. 2009. [S8]. P. Angin, B. Bhargava, R. Ranchal, N. Singh, M. Linderman, L. Ben Othmane, and L. Lilien, “An Entity-Centric Approach for Privacy and Identity Management in Cloud Computing,” in 2010 29th IEEE Symposium on Reliable Distributed Systems, 2010, pp. 177 –183. [S9]. R. Padilha and F. Pedone, “Belisarius: BFT Storage with Confidentiality,” in 2011 10th IEEE International

50 | P a g e


Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 3, Issue 2, March -April 2013, pp.035-052 Symposium on Network Computing and Applications (NCA), 2011, pp. 9 –16. [S10]. R. K. L. Ko, P. Jagadpramana, M. Mowbray, S. Pearson, M. Kirchberg, Q. Liang, and B. S. Lee, “TrustCloud: A Framework for Accountability and Trust in Cloud Computing,” in 2011 IEEE World Congress on Services (SERVICES), 2011, pp. 584 –588. [S11]. R. Seiger, S. Gross, and A. Schill, “SecCSIE: A Secure Cloud Storage Integrator for Enterprises,” in 2011 IEEE 13th Conference on Commerce and Enterprise Computing (CEC), 2011, pp. 252 –255. [S12]. S. Pearson and A. Benameur, “Privacy, Security and Trust Issues Arising from Cloud Computing,” in 2010 IEEE Second International Conference on Cloud Computing Technology and Science (CloudCom), 2010, pp. 693 –702. [S13]. U. Greveler, B. Justus, and D. Loehr, “A Privacy Preserving System for Cloud Computing,” in 2011 IEEE 11th International Conference on Computer and Information Technology (CIT), 2011, pp. 648 –653. [S14]. X. Zhang, N. Wuwong, H. Li, and X. Zhang, "Information security risk management framework for the cloud computing environments", Proceedings 10th IEEE International Conference on Computer and Information Technology, CIT-2010, 7th IEEE International Conference on Embedded Software and Systems, ICESS-2010, ScalCom-2010, pp. 1328. [S15]. "Standards for Security Categorization of Federal Information and Information Systems," National Institute of Standards and Technology (NIST), FIPS Pub. 199, Feb. 2004. We found 26 relevant and available papers in which only 11 supported our study relating Confidentiality framework. Here, some extra references (excluding those 11references that are presented in the research report). Those that did not support for our Framework in any kind but helped us in gaining some extra knowledge are presented here. PRE-SLR (ASSIGNMENT-1 SLR) REFERENCES ([R]) [R1]. D. Carrell, “A Strategy for Deploying Secure Cloud-Based Natural Language Processing Systems for Applied Research Involving Clinical Text,” in 2011 44th Hawaii International Conference on System Sciences (HICSS 2011), 4-7 Jan.

2011, Los Alamitos, CA, USA, 2011, pp. 11. [R2]. F. B. Shaikh and S. Haider, “Security threats in cloud computing,” in 2011 6th International Conference for Internet Technology and Secured Transactions (ICITST), 11-14 Dec. 2011, Piscataway, NJ, USA, 2011, p. 214–19. [R3]. Hao Sun and K. Aida, “A Hybrid and Secure Mechanism to Execute Parameter Survey Applications on Local and Public Cloud Resources,” in 2010 IEEE 2nd International Conference on Cloud Computing Technology and Science (CloudCom 2010), 30 Nov.-3 Dec. 2010, Los Alamitos, CA, USA, 2010, p. 118–26. [R4]. Jen-Sheng Wang, Che-Hung Liu, and G. T. R. Lin, “How to manage information security in cloud computing,” in 2011 IEEE International Conference on Systems, Man and Cybernetics, 9-12 Oct. 2011, Piscataway, NJ, USA, 2011, p. 1405–10. [R5]. J. C. Roberts II and W. Al-Hamdani, “Who can you trust in the cloud? A review of security issues within cloud computing,” in 2011 Information Security Curriculum Development Conference, InfoSecCD’11, September 30, 2011 October 1, 2011, Kennesaw, GA, United states, 2011, pp. 15–19. [R6]. K. Dahbur, B. Mohammad, and A. B. Tarakji, “A survey of risks, threats and vulnerabilities in cloud computing,” in 2nd International Conference on Intelligent Semantic Web-Services and Applications, ISWSA 2011, April 18, 2011 - April 20, 2011, Amman, Jordan, 2011, p. The Isra University. [R7]. L. M. Vaquero, L. Rodero-Merino, and D. Moran, “Locking the sky: a survey on IaaS cloud security,” Computing, vol. 91, no. 1, pp. 93–118, Jan. 2011. [R8]. L. Sumter, “Cloud computing: Security risk,” in 48th Annual Southeast Regional Conference, ACM SE’10, April 15, 2010 – April 17, 2010, Oxford, MS, United states, 2010. [R9]. Minqi Zhou, Rong Zhang, Wei Xie, Weining Qian, and Aoying Zhou, “Security and Privacy in Cloud Computing: A Survey,” in 2010 Sixth International Conference on Semantics Knowledge and Grid (SKG 2010), 1-3 Nov. 2010, Los Alamitos, CA, USA, 2010, p. 105–12. [R10]. M. Jensen, J. Schwenk, N. Gruschka, and L. L. Iacono, “On technical security issues in cloud computing,” in 2009 IEEE International Conference on Cloud

51 | P a g e


Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 3, Issue 2, March -April 2013, pp.035-052 Computing (CLOUD), 21-25 Sept. 2009, Piscataway, NJ, USA, 2009, p. 109–16. [R11]. M. Townsend, “Managing a security program in a cloud computing environment,” in 2009 Information Security Curriculum Development Annual Conference, InfoSecCD’09, September 25, 2009 - September 26, 2009, Kennesaw, GA, United states, 2009, pp. 128–133. [R12]. M. T. Khorshed, A. B. M. Shawkat Ali, and S. A. Wasimi, “Trust issues that create threats for cyber attacks in cloud computin g,” in 2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011, December 7, 2011 – December 9, 2011, Tainan, Taiwan, 2011, pp. 900–905. [R13]. M. T. Khorshed, A. B. M. S. Ali, and S. A. Wasimi, “A survey on gaps, threat remediation challenges and some thoughts for proactive attack detection in cloud computing,” P.O. Box 211, Amsterdam, 1000 AE, Netherlands, 2012, vol. 28, pp. 833–851. [R14]. P. Jain, D. Rane, and S. Patidar, “A survey and analysis of cloud model-based security for computing secure cloud bursting and aggregation in renal environment,” in 2011 World Congress on Information and Communication Technologies (WICT), 11-14 Dec. 2011, Piscataway, NJ, USA, 2011, p. 456–61. [R15]. R. Glott, E. Husmann, A.-R. Sadeghi, and M. Schunter, “Trustworthy Clouds Underpinning the Future Internet,” in The Future Internet, Berlin, Germany: Springer Verlag, 2011, p. 209–21. [R16]. S. Ramgovind, M. M. Eloff, and E. Smith, “The management of security in Cloud computing,” in 2010 Information Security for South Africa (ISSA 2010), 2-4 Aug. 2010, Piscataway, NJ, USA, 2010, p. 7 pp. [R17]. S. Subashini and V. Kavitha, “A survey on security issues in service delivery models of cloud computing,” Journal of Network and Computer Applications, vol. 34, no. 1, pp. 1–11, Jan. 2011. [R18].S. Tabet and M. Pohlman, “Cloud Computing: Combining Governance, Compliance, and Trust Standards with Declarative Rule- Based Frameworks,” in Rule-Based Modeling and Computing on the Semantic Web. 5th International Symposium, RuleML 2011 - America, 3-5 Nov. 2011, Berlin, Germany, 2011, p. 230–6. [R19]. Tsung-Hui Lu, Li-Yun Chang, and ZheJung Lee, “Integrating Security Certification with IT Education,” in 2011 International Conference on System

Science and Engineering (ICSSE), 8-10 June 2011, Piscataway, NJ, USA, 2011, p. 582–7. [R20]. Xin Yang, Qingni Shen, Yahui Yang, and Sihan Qing, “A Way of Key Management in Cloud Storage Based on Trusted Computing,” in Network and Parallel Computing. 8th IFIP International Conference, NPC 2011, 21-23 Oct. 2011, Berlin, Germany, 2011, p. 135–45. [R21]. Xue Jing and Zhang Jian-jun, “A brief survey on the security model of cloud computing,” in 2010 Ninth International Symposium on Distributed Computing and Applications to Business, Engineering and Science (DCABES 2010), 10-12 Aug. 2010, Los Alamitos, CA, USA, 2010, p. 475–8. [R22]. X. Lin, “Survey on cloud based mobile security and a new framework for improvement,” in 2011 International Conference on Information and Automation, ICIA 2011, June 6, 2011 June 8, 2011, Shenzhen, China, 2011, pp. 710–715.

52 | P a g e

D32035052  
Read more
Read more
Similar to
Popular now
Just for you