A Framework for Security Transparency in Cloud Computing

Individuals and corporate users are increasingly considering cloud adoption because of its significant benefits compared to traditional computing environments. Data and applications in the cloud are stored in an environment that is separated, managed and maintained externally to the organisation. It is therefore essential for cloud providers to demonstrate and implement adequate security practices to protect the data and processes placed under their stewardship. Security transparency in the cloud is likely to become the core theme underpinning the systematic disclosure of security designs and practices that enhance customer confidence in using cloud service and deployment models. In this paper, we present a framework that enables a detailed analysis of security transparency for cloud-based systems. In particular, we consider security transparency at three levels of abstraction, i.e., the conceptual, organisational and technical levels, and identify the relevant concepts within each level. This allows us to elaborate the essential concepts at the core of transparency and to analyse the means of implementing them from a technical perspective. Finally, an example from a real-world migration context is given to provide a solid discussion of the applicability of the proposed framework.
