A Trust-Aware Framework for Evaluating Security Controls of Service Providers in Cloud Marketplaces

Trustworthy selection of cloud services has become a significant issue in emerging cloud marketplaces. As a consequence, the Cloud Security Alliance (CSA) has formulated a self-assessment framework for cloud providers to publish their cloud platform's security controls and capabilities. This framework enables consumers to select a cloud service based on the capabilities and controls published by the providers. However, a fundamental question arises: how can consumers trust that the security controls are satisfied as claimed by the providers and are compliant with the consumers' requirements? This paper proposes a trust-aware framework to verify and evaluate these security controls with respect to consumers' requirements. First, we model the security controls in the form of trust properties. Then, we introduce a taxonomy of these properties based on their semantics and identify the authorities who can validate the properties. The taxonomy of these properties is the basis of trust formalisation in our proposed framework. The framework rests on the notion of hybrid trust, which combines hard and soft trust mechanisms for verifying the trust properties. Furthermore, a decision model is proposed as an integral part of the framework in order to empower consumers to determine the trustworthiness of cloud providers. Finally, we demonstrate that the proposed trust-aware security evaluation framework could be potentially useful in practice for consumers to determine trustworthy cloud providers in a competitive marketplace.
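The abstract distinguishes trust properties that an authority can validate (hard trust, e.g. an attestation or audit certificate) from those that can only be estimated from consumer experience (soft trust), and a decision model that checks them against a consumer's requirements. The following is an added illustration of that idea, not code from the paper; the evidence classes, the Laplace-smoothed soft-trust estimate, the per-control thresholds and the constructed provider data are all assumptions made here so the example runs offline.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass
class HardEvidence:
    """Hard trust: an authority (auditor, certification body, attestation
    service) has validated the published control. Field names are hypothetical."""
    authority: str
    attested: bool


@dataclass
class SoftEvidence:
    """Soft trust: aggregated consumer experience with the published control
    (counts of positive and negative reports). Field names are hypothetical."""
    positive: int
    negative: int


Evidence = Union[HardEvidence, SoftEvidence]


@dataclass
class Requirement:
    """A consumer requirement: the control must score at least min_score."""
    control_id: str
    min_score: float


def hard_trust(ev: HardEvidence) -> float:
    # Binary: either an authority has validated the control or it has not.
    return 1.0 if ev.attested else 0.0


def soft_trust(ev: SoftEvidence) -> float:
    # Laplace-smoothed fraction of positive reports (assumed estimator).
    return (ev.positive + 1) / (ev.positive + ev.negative + 2)


def property_score(ev: Evidence) -> float:
    if isinstance(ev, HardEvidence):
        return hard_trust(ev)
    if isinstance(ev, SoftEvidence):
        return soft_trust(ev)
    raise TypeError(f"unknown evidence type: {type(ev).__name__}")


def evaluate_provider(
    controls: Dict[str, Evidence], requirements: List[Requirement]
) -> Tuple[float, bool, List[str]]:
    """Return (overall score, compliant?, list of unmet control ids).

    A control the provider does not publish at all counts as unmet (score 0)."""
    scores: List[float] = []
    unmet: List[str] = []
    for req in requirements:
        ev = controls.get(req.control_id)
        score = property_score(ev) if ev is not None else 0.0
        scores.append(score)
        if score < req.min_score:
            unmet.append(req.control_id)
    overall = sum(scores) / len(scores) if scores else 0.0
    return overall, not unmet, unmet


def rank_providers(
    providers: Dict[str, Dict[str, Evidence]], requirements: List[Requirement]
) -> List[Tuple[str, float, bool]]:
    """Rank providers: compliant ones first, then by overall score."""
    results = []
    for name, controls in providers.items():
        overall, compliant, _ = evaluate_provider(controls, requirements)
        results.append((name, overall, compliant))
    return sorted(results, key=lambda r: (r[2], r[1]), reverse=True)


# Constructed sample data: two hypothetical providers and one consumer's requirements.
REQUIREMENTS = [
    Requirement("ENC-AT-REST", min_score=1.0),  # must be authority-attested
    Requirement("IR-PLAN", min_score=0.6),      # reputation threshold
]

PROVIDERS: Dict[str, Dict[str, Evidence]] = {
    "alpha-cloud": {
        "ENC-AT-REST": HardEvidence(authority="example-auditor", attested=True),
        "IR-PLAN": SoftEvidence(positive=8, negative=2),
    },
    "beta-cloud": {
        "ENC-AT-REST": HardEvidence(authority="example-auditor", attested=False),
        "IR-PLAN": SoftEvidence(positive=3, negative=5),
    },
}

if __name__ == "__main__":
    for name, score, ok in rank_providers(PROVIDERS, REQUIREMENTS):
        print(f"{name}: score={score:.3f} compliant={ok}")
```

The point of separating the two evidence types is that a failed hard-trust check (no attestation from the validating authority) is a requirement violation regardless of how good the provider's reputation is, which is why the ranking puts compliance before the numeric score.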
