Research Proposal on Design of a User Confidentiality Framework in Cloud Computing
I. Abstract
Cloud computing has emerged a s dynamic resource sharing platform in which relays data analytically to both individual and corporate users of cloud technology around the world. Considering that information stored on cloud is outside the owner’s parameters, many users are skeptical about using it for storing or accessing their data from the external cloud service providers who are themselves outside their own control environment. As such, there are lots of security concerns among active clients of the cloud paradigm such as confidentiality, integrity and availability. This research proposal relates to the specific issue of confidentiality in cloud computing and examines how a reliable confidentially framework can be developed. The literature review section analyzes the existing confidentiality frameworks as well as security models relating to the cloud computing phenomenon. A theoretical framework about confidentiality in cloud computing is developed from the literature review. It is expected that proper implementation of the proposed framework would inspire both individual and corporate users to adopt cloud computing.
Keywords: Cloud Computing, Confidentiality, Security, Framework
II. Background to the problem or study
a. Introduction
Cloud Computing has evolved to be an integral part of doing business and communicating with the growth of information technologies (IT). Cloud computing service providers have increasingly taken advantage of resource pooling technology to improve their ability to dramatically store and allocate space to periodic materials on cloud by individuals and corporations. They is also use of virtualization technology that brings about the ability to dynamically scale the cloud user’s necessity as well as share the resources available so as to support the clients’ needs. In this regard, Cloud Computing is a collection of technologies that effectively interact to enable dynamic allocation or de-allocation of resources.
The growth of the cloud computing phenomenon has significantly transformed the software industry along with its services to companies across the world. At the same time, confidentiality of user data has emerged as a major concern to for cloud users and cloud computing providers. Confidentiality in cloud computing is especially a major challenge considering that the problem keeps transforming itself parallel to the increasing development of cloud technologies. The problem of Confidentiality accounts for about 50% of all security issues in cloud computing among users mainly due to the aspect that Cloud is off-premise tool that is outside the parameters of data owners. The aim of this research proposal is to explore the issue of confidentiality and how an effective confidentiality framework can be developed to address the issue. The framework is drawn from frameworks analyzed in the systematic literature review section. The research questions for this study are presented in section IV while the proposed methodology and analysis system are discussed in detail in sections V and VI respectively.
b. Background and Motivation
The proliferation of IT and ICT in the modern world has seen the increasing implementation of Cloud Computing by companies and individuals. Along with this, however, there have emerged security issues among cloud providers and their clients on the other about confidentiality, Integrity and Availability. These security issues compromise the clients’ trust in such cloud applications as Software-as-a-Service (SAAS), Platform-as-a-Service (PAAS), and Infrastructure-as-a-Software (IAAS). The problem is further exacerbated by the differences in cloud models being deployed: Public Cloud, Private Cloud, and Hybrid Cloud.
For the proposed study, Cloud security issues relating to confidentiality are classified into three main categories: Technical Issues (e.g. network security, shared technology vulnerabilities), Organizational Issues (e.g. data location transparency, malicious insiders), and Legal Issues (policy- or procedural-based problems). The goal of this categorization is to unite all confidentiality-related security issues in Cloud Computing to inform development of a confidentiality framework. There is currently insufficient knowledge among cloud users on the impact on confidentiality/privacy preservation, how data classification on cloud relate to security controls require to ensure confidentiality of data, and how they to deal with negative impacts of cloud computing of preservation of data confidentiality.
This study is motivated by the desire to find answers to questions relating to cloud computing confidentiality such as: What are the Cloud Computing security requirements? What is the nature of Cloud Computing data stroage? How reliable is the Cloud security architecture? What is the mechanism of Cloud provisioning? It is believed that gaining knowledge on such aspects of Cloud technology would contribute design of an effective Cloud Confidentiality Framework. The resulting framework is envisioned to be a single architecture that would integrate necessary security objectives, policies and procedures for Cloud Computing. It is hoped that the recommendations of the study will be built upon by future researchers to develop more unique confidentiality frameworks in Cloud Computing. It is further believed that there is need to find solutions to the problem of confidentiality in Cloud Computing because lack thereof will instill fear in Cloud clients to store or share their resources and/or add their business transactions on the Cloud environment.
III. Problem statement /Objectives of research
a. General Research Objective
The general objective of the proposed research is “To explore confidentiality issues in Cloud Computing and propose an effective security model to ensure confidentiality of data on Cloud and its environment
b. Specific Objectives
i) To explore the specific security issues relating to confidentiality aspect in Cloud Computing
ii) To comprehend the potential benefits of security models from previous efforts
iii) To propose a more effective security model for confidentiality in Cloud Computing that will integrate all service and deployment models of the technology.
c. Research Questions
The research questions for the proposed study result from thorough scrutiny of the above objectives. As such, the study will be guided by the following three research questions:
i) What are the Cloud security issues related to confidentiality?
ii) How have previous security efforts succeeded/failed in addressing the problem of confidentiality in Cloud Computing?
iii) How can a new confidentiality framework integrate all service and deployment models in Cloud Computing?
IV. Scope and limitation of study
The scope of the proposed study will involve the particular issues related to confidentiality in Cloud Computing, the effectiveness of the previous security models to safeguard confidentiality in the Cloud environment, and suggestions towards developing a new more effective security framework to ensure confidentiality for Cloud users. The main limitation of the proposed study relates to the aspect that the Systematic Literature Review use is not sufficient to address the entire problem area. In addition, there is evidence that the proposed research analysis tool can function in the real time industry. The framework is also limited to general activities and does not delve into the inner elements such as cryptography.
V. Literature review
Jensen et al. (2009) defines Cloud Computing as “dramatically scalable computing resources available over the Internet.” Pfleeger & Pfleeger (2007) define confidentiality as “secrecy or privacy” of an individual’s information. According to Krutz & Vines (2010), confidentiality in the context of cloud computing relates to such areas as intellectual property rights, encryption, interference, covert channels, and traffic analysis. Gilliam (2004) observes that ensuring the confidentiality/secrecy/privacy of sensitive information such as medical records or intellectual property is a critical issue. According to Stoneburner et al. (2002), the failure by an enterprise to ensure privacy of data that stored computer systems results in damaged reputation, great embarrassment or potential legal implication.
Security risks in Cloud Computing
Dawoud et al. (2010) observes that the ease of moving and copying virtual machines poses considerable security threat to the entire cloud system, its software, and the information can be easily stolen without physically stealing the data storage device. Even a user data on an offline virtual machine is susceptible to theft through the internet or to removable disk media like a flash drive or virtually corrupted. Live VM migration techniques pose potential security threats to cloud user data because they respond to the process of copying system memory pages over the network onto another machine, which exposes the user data and and/or application to eavesdropping.
Jensen et al. (2009) reckons that a flooding attack where the server hosting IaaS services is overloaded with huge amount of requests for data processing poses danger to the confidentiality of user data on cloud when an attacker denies service. Also, cloud user data face the risk of security breaches posed by malware attack on the host server of their user’s machine. According to Ibrahim et al. (2010), attacks of the host server are attractive to IT-savvy hackers due to the scope of control they often gain after installing and executing their code on the hypervisor layer of the virtual machine software. A cloud malware injection is threatening to the cloud user data – it entails creation of virtual machine image and insertion of the image on the host server in order to be taken as a legitimate system in the network (Jensen et al. (2009). Wei et al. (2009) notes that virtual images is a major area of concern and cloud computing vendors strive to provide image template to their customers who depend on the good image integrity in maintaining security.
Yousef et al, (2008) highlight the potential risk posed to cloud user data due to the lack of express isolation of data and application on the shared resource. This is especially problematic because cloud servers often contain multiple virtual machines originating from different areas around the world. Cloud user data on shared resources face greater level of security threat because a malicious injection can be instigated through the shared memory or network connections without necessarily compromising the programs on the hypervisor.
Confidentiality security frameworks for cloud
Some research findings have argued to the effect that cloud user data/information is more secure if managed internally. However, some researchers have concluded that cloud service providers often have strong incentive to win and maintain trust of their clients and thus adopt a higher level of security as relates to personal information. The nature of the cloud is such that the user’s data is distributed over many individual computers notwithstanding the location of their base repository of data. The growing technological capability poses the greatest challenge to confidentiality on Cloud environment as hackers can access almost any server. Wang et al. (2011) reckoned that data security is a major issue in cloud storage given that it is a networked storage system. The research proposed a security model that would ensure correctness of cloud user’s data in storage, efficient and flexible distributed framework with clear robustt data support features such as block update and edit based on removal correcting code located in the file distribution preparedness that would ensure redundancy parity as well as guarantee the data reliability.
Takabi et al. (2010) devised a comprehensive security model for Cloud Computing environments. The model entailed a variety of modules of handling security and trust issues of core elements of cloud computing e.g. identity management, policy incorporation in multiple clouds, access control, semantic heterogeneity among policies and procedures from different clouds, and trust management between and among clouds as well as between a cloud and its users.
Kernel et al. developed a cloud architecture based on two separate spaces – User Space and Kernal Space – which connect via the network interface to offer different interaction levels within the cloud environment. The Kernel Space would regulate physical allocation and access-control in the cloud while the User Space contained specific process directly used by cloud users. Du et al. proposed the RunTest, a service integrity attestation framework used to confirm the integrity of the dataflow processing in multitenant cloud infrastructures. The study proposed for adoption of a new integrity attestation graph framework for capturing aggregated data to process integrity attestation results.
A number of researches have categorized three main types of threats to confidentiality or privacy in the Cloud Computing environment: User Sphere-related threats, Joint Sphere-related threats, and Recipient Sphere-related threats (Pfleeger & Pfleeger, 2007). Other studies have cited some architectural mechanisms that address confidentiality issues in the Cloud Computing environment: Privacy-by-policy, Privacy-by-architecture, and Hybrid Approach. Privacy-by-policy mechanisms are based on policy development resulting in Fair Information Practices (FIP) from the European Legislation privacy. Privacy-by-architecture mechanisms relates to techniques of rendering anonymous the information in Cloud so that there is little if not no detection of personal information by third parties. Hybrid approach integrates the two above approaches where technical mechanisms (architecture) collide with policies in enforcing privacy enhancements (Krutz & Vines, 2010). The security framework proposed by this study builds on these policy-centric architectures.
VI. Methodology
Research Design
The proposed research shall use a questionnaire to collect information on the security issues in cloud computing and security frameworks. The questionnaire will be validated by experts to ensure that it is error free and correct so that the questionnaire would truly reflect the aims and objectives of the study. The questionnaire would be designed according to the specification and study requirements. The process will entail identifying experts in cloud computing with experience in cloud security. Researchers shall send emails to IT administration and IT staff from four cloud service providing firms requesting their participation in the survey. The email shall identify us, the research topic, and the purpose for undertaking the study. Consenting respondents will be sent questionnaire to respond to. The questionnaire will begin with the name of the IT expert, their organization, their experience in Cloud Computing as well as their experience in security-related issues. The questionnaire shall contain a total of ten relevant questions represented in Appendix 1.
In order to gain insight on how best to formulate the new security framework for confidentiality in cloud, data analysis will done using the Rasch measurement model commonly used in social science and education research to measure observable events and performance of participants as well as questionnaire items.
Limitations
The main limitation of the systematic literature review method for the study is that contains some elements which are not easily applicable in a student research project due to constraints of time and resources. For instance, it would prove problematic to regularly bring together a panel of experts in both methodology and the research area to discuss relevant issues (Yousef et al., 2008). The SLR could also result in a beaurocratic review process as it is highly concerned with technical elements of its workings as opposed to analytical interpretations resulting from it. Thirdly, the inclusion/exclusion method assumes that objective judgment will be made concerning the quality of journals/articles chosen as they are only evaluated on methodological criteria and ignores greater quality of empirical studies (Yousef et al., 2008). To solve these problems, the researchers would rely on supervisor’s knowledge during the literature review planning stage.
VII. Proposed schedule
Stage
February
2014 March
2014 April
2014 May
14 June
2014 July
2014 August
2014 September
2014
Review of Literature
√
Preparation of
Proposal √
Approval by Ethics Committee. √
Sampling
√
Experimental study √
Data
Gathering √
Analysis of data √
Final
Draft √
VIII. Significance of the study
Cloud computing has become popular as a result of many enterprise applications moving to the cloud platforms. However, the issue of security has become a major barrier point for cloud computing adoption. Based on a recent survey research conducted by the International Data Corporation almost 87.5% of the IT executives stated that security is a major challenge that must be dealt with in each cloud service (Unnikrishnan et al., 2011). The main aim of the study is to come up with applications that will be used to curb the threats brought about by security by using some security elements such as confidentiality, integrity, authentication, authorization, non-repudiation and availability.
References:
Dawoud, W., Takouna, I., & Meinel, C. (2010). Infrastructure as a service security: Challenges and solutions. Paper presented at the 7th International Conference on Informatics and Systems (INFOS).
Takabi, H., Joshi, J.& Ahn, G. “Security and privacy challenges in cloud computing environments,” Security Privacy, IEEE, vol. 8, no. 6, pp. 24 –31..
Ibrahim, A. S., Hamlyn-Harris, J., & Grundy, J. (2010). Emerging security challenges of cloud virtual infrastructure. Paper presented at the Asia Pacific Software Engineering Conference 2010 Cloud Workshop, Sydney, Australia.
Jensen, M., Schwenk J. Gruschka, N. & Iacono, L. L. (2009). “On technical security issues in cloud computing,” in 2009 IEEE International Conference on Cloud Computing (CLOUD), 21-25 Sept. 2009, Piscataway, NJ, USA.
Krutz, R. L., & Vines, R. D. (2010). Cloud security : A comprehensive guide to secure cloud computing. Indianapolis, IN: Wiley.
Pfleeger, C. P., & Pfleeger, S. L. (2007). Security in computing. Upper Saddle River [etc.]:Prentice-Hall.
security: Challenges and solutions. Paper presented at the 7th International Conference
Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems : Recommendations of the national institute of standards and technology Retrieved from http://purl.access.gpo.gov/GPO/LPS23533
Wang, J. Liu C., & Lin G. T. R. (2011). “How to manage information security in cloud computing,” in 2011 IEEE International Conference on Systems, Man and Cybernetics, 9-12 Oct. 2011, Piscataway, NJ, USA.
Wei, J., Zhang, X., Ammons, G., Bala, V., & Ning, P. (2009). Managing security of virtual machine images in a cloud environment. Paper presented at the Proceedings of the 2009 ACM workshop on Cloud computing security, Chicago, Illinois, USA.
Youseff, L., Butrico, M., & Da Silva, D. (2008, 12-16 Nov. 2008). Toward a unified ontology of cloud computing. Paper presented at the Grid Computing Environments Workshop, 2008.GCE ’08.
Unnikrishnan, S.,Surve, S., Bhoir, D., & ICAC3. (2011).Advances in computing, communication and control: International conference ; proceedings. Berlin: Springer.
APPENDIX 1
QUESTIONNAIRE
Question 1
Do current cloud computing services as they currently stand appear to pose risks for you? (please specify)
Question 2
What do you think about the legal restrictions affecting the potentially extra-territorial storage and the protection of data?
Question 3
If you have already subscribed to a cloud computing service, what were your contractual requirements with regard to the cloud service provider in terms of the security of data and data processing (confidentiality, integrity, availability) and the auditability of the services provided?
Question 4
If you have not subscribed to such a service, what would be your main contractual requirements in terms of data protection and supervision of the service?
Question 5
In your opinion, are European and national laws and regulations relating to data protection suited to the characteristics of cloud computing services?
Question 5
In your opinion, in the event of dissatisfaction with cloud confidentiality, what are the key factors ensuring a successful re-internalization process (reversibility, etc.)?
Question 6
What risk analysis methodology do you use or would you use to identify the security objectives to be met and to define security requirements?
Question 7
Appropriate security measures are required to protect assets (data and applications or infrastructure services). In your opinion, which measures are essential for:
– Ensuring data confidentiality?
– Avoiding data loss?
– Ensuring continuity and quality of service?
Question 8
In your opinion, does the lack of control over the location of data require specific security measures? Is it necessary to encrypt data before they are hosted in the cloud, and do you think this requirement would be applicable? If so, to which elements do you think it should be applied (data transport, data storage, key management procedures, etc.)?
Question 9
If cloud computing is used, how do you control or how would you control the level of security? Is the ability to conduct an audit a prerequisite for use of a cloud computing service?
10. Which of the following issues are most likely concerns of Cloud adopters
Not Important Medium Important Very Important Most Important
Privacy
Availability of services and/or data
Integrity of services and/or data
Confidentiality of corporate data
Denial Of Service
Loss of control of services and/or data
Lack of liability of providers in case of security incidents
Inconsistency between trans national laws and regulations
Unclear scheme in the pay per use approach
Uncontrolled variable cost
Cost and difficulty of migration to the cloud (legacy software etc…)
Intra-clouds (vendor lock-in) migration
Other (please specify)
