Security transparency: the next frontier for security research in the cloud

Recent advances in networking and the ubiquity of the Internet have enabled the emergence of cloud computing as a viable solution for convenient, elastic and economical usage of services. In spite of these apparent advantages, the cloud model presents some challenges that hamper its wider adoption, most of which relate to security and privacy. This paper provides a review of the current initiatives devised by both academia and industry for addressing the security concerns inherent to the cloud model. Our analysis of the state of the art reveals that although initiatives such as SLA and virtual machine monitoring, and recent developments in encryption mechanisms, have contributed to addressing some of the salient issues of security and privacy in the cloud, larger initiatives, other than standards, aimed at enabling security transparency and mutual auditability in the cloud remain to be seen. With this in mind, the paper proposes some routes towards related solutions by discussing a number of desiderata for establishing better security transparency between a Cloud Service Provider (CSP) and a Cloud Service Consumer (CSC). Given the current reluctance of some major businesses to embrace the trend, owing mainly to the devolution of some of the security aspects to a third party, the authors argue that undertaking some initiatives in that direction is key to sustaining the current momentum of the cloud.
