3,810 research outputs found

    The role of transparency and trust in the selection of cloud service providers

    PhD Thesis. Potential customers started to adopt cloud computing because of the promised benefits such as the flexibility of resources and most importantly cost reduction. In spite of the benefits that could flow from its adoption, cloud computing brings new challenges associated with its potential lack of transparency, trust and loss of controls. In the shadow of these challenges, the number of cloud service providers in the marketplace is growing, making the comparison and selection process very difficult for potential customers and requiring methods for selecting trustworthy and transparent providers. This thesis discusses the existing tools, methods and frameworks that promote the adoption of cloud computing models, and the selection of trustworthy cloud service providers. A set of customer assurance requirements has been proposed as a basis for comparative evaluation, and is applied to several popular tools (Cloud Security Alliance Security, Trust, and Assurance Registry (CSA STAR), CloudTrust Protocol (CTP), Complete, Auditable, and Reportable Approach (C.A.RE) and Cloud Provider Transparency Scorecard (CPTS)). In addition, a questionnaire-based survey has been developed and launched whereby respondents evaluate the extent to which these tools have been used, and assess their usefulness. The majority of respondents agreed on the importance of using the tools to assist migration to the cloud and, although most respondents have not used the tools, those who have used them reported them to be helpful. It has been noticed that there might be a relationship between a tool’s compliance to the proposed requirements and the popularity of using these tools, and these results should encourage cloud providers to address customers’ assurance requirements. Some previous studies have focused on comparing cloud providers based on trustworthiness measurement and others focused only on transparency measurement.
In this thesis, a framework (called CloudAdvisor) is proposed that couples both of these features. CloudAdvisor aims to provide potential cloud customers with a way to assess trustworthiness based on the history of the cloud provider and to measure transparency based on the Cloud Controls Matrix (CCM) framework. The reason for choosing CCM is because it aims to promote transparency in cloud computing by adopting the best industry standards. The selection process is based on a set of assurance requirements that, if met by the cloud provider or if it has been considered in a tool, could bring assurance and confidence to cloud customers. Two possible approaches (Questionnaire-based and Simulation-based approach) are proposed in order to evaluate the CloudAdvisor framework. Ministry of Higher and Education in Saudi Arabi

    Framework for Security Transparency in Cloud Computing

    The migration of sensitive data and applications from the on-premise data centre to a cloud environment increases cyber risks to users, mainly because the cloud environment is managed and maintained by a third-party. In particular, the partial surrender of sensitive data and application to a cloud environment creates numerous concerns that are related to a lack of security transparency. Security transparency involves the disclosure of information by cloud service providers about the security measures being put in place to protect assets and meet the expectations of customers. It establishes trust in service relationship between cloud service providers and customers, and without evidence of continuous transparency, trust and confidence are affected and are likely to hinder extensive usage of cloud services. Also, insufficient security transparency is considered as an added level of risk and increases the difficulty of demonstrating conformance to customer requirements and ensuring that the cloud service providers adequately implement security obligations. The research community have acknowledged the pressing need to address security transparency concerns, and although technical aspects for ensuring security and privacy have been researched widely, the focus on security transparency is still scarce. The relatively few literature mostly approach the issue of security transparency from cloud providers’ perspective, while other works have contributed feasible techniques for comparison and selection of cloud service providers using metrics such as transparency and trustworthiness. However, there is still a shortage of research that focuses on improving security transparency from cloud users’ point of view. 
In particular, there is still a gap in the literature that (i) dissects security transparency from the lens of conceptual knowledge up to implementation from organizational and technical perspectives and; (ii) support continuous transparency by enabling the vetting and probing of cloud service providers’ conformity to specific customer requirements. The significant growth in moving business to the cloud – due to its scalability and perceived effectiveness – underlines the dire need for research in this area. This thesis presents a framework that comprises the core conceptual elements that constitute security transparency in cloud computing. It contributes to the knowledge domain of security transparency in cloud computing by proposing the following. Firstly, the research analyses the basics of cloud security transparency by exploring the notion and foundational concepts that constitute security transparency. Secondly, it proposes a framework which integrates various concepts from requirement engineering domain and an accompanying process that could be followed to implement the framework. The framework and its process provide an essential set of conceptual ideas, activities and steps that can be followed at an organizational level to attain security transparency, which are based on the principles of industry standards and best practices. Thirdly, for ensuring continuous transparency, the thesis proposes an essential tool that supports the collection and assessment of evidence from cloud providers, including the establishment of remedial actions for redressing deficiencies in cloud provider practices. The tool serves as a supplementary component of the proposed framework that enables continuous inspection of how predefined customer requirements are being satisfied. The thesis also validates the proposed security transparency framework and tool in terms of validity, applicability, adaptability, and acceptability using two different case studies. 
Feedbacks are collected from stakeholders and analysed using essential criteria such as ease of use, relevance, usability, etc. The result of the analysis illustrates the validity and acceptability of both the framework and tool in enhancing security transparency in a real-world environment

    Trusted Computing and Secure Virtualization in Cloud Computing

    Large-scale deployment and use of cloud computing in industry is accompanied and at the same time hampered by concerns regarding protection of data handled by cloud computing providers. One of the consequences of moving data processing and storage off company premises is that organizations have less control over their infrastructure. As a result, cloud service (CS) clients must trust that the CS provider is able to protect their data and infrastructure from both external and internal attacks. Currently however, such trust can only rely on organizational processes declared by the CS provider and cannot be remotely verified and validated by an external party. Enabling the CS client to verify the integrity of the host where the virtual machine instance will run, as well as to ensure that the virtual machine image has not been tampered with, are some steps towards building trust in the CS provider. Having the tools to perform such verifications prior to the launch of the VM instance allows the CS clients to decide in runtime whether certain data should be stored or calculations should be made on the VM instance offered by the CS provider. This thesis combines three components -- trusted computing, virtualization technology and cloud computing platforms -- to address issues of trust and security in public cloud computing environments. Of the three components, virtualization technology has had the longest evolution and is a cornerstone for the realization of cloud computing. Trusted computing is a recent industry initiative that aims to implement the root of trust in a hardware component, the trusted platform module. The initiative has been formalized in a set of specifications and is currently at version 1.2. Cloud computing platforms pool virtualized computing, storage and network resources in order to serve a large number of customers that use a multi-tenant multiplexing model to offer on-demand self-service over broad network.
Open source cloud computing platforms are, similar to trusted computing, a fairly recent technology in active development. The issue of trust in public cloud environments is addressed by examining the state of the art within cloud computing security and subsequently addressing the issues of establishing trust in the launch of a generic virtual machine in a public cloud environment. As a result, the thesis proposes a trusted launch protocol that allows CS clients to verify and ensure the integrity of the VM instance at launch time, as well as the integrity of the host where the VM instance is launched. The protocol relies on the use of Trusted Platform Module (TPM) for key generation and data protection. The TPM also plays an essential part in the integrity attestation of the VM instance host. Along with a theoretical, platform-agnostic protocol, the thesis also describes a detailed implementation design of the protocol using the OpenStack cloud computing platform. In order to verify the implementability of the proposed protocol, a prototype implementation has been built using a distributed deployment of OpenStack. While the protocol covers only the trusted launch procedure using generic virtual machine images, it presents a step aimed to contribute towards the creation of a secure and trusted public cloud computing environment

    Data Privacy and Trust in Cloud Computing

    This open access book brings together perspectives from multiple disciplines including psychology, law, IS, and computer science on data privacy and trust in the cloud. Cloud technology has fueled rapid, dramatic technological change, enabling a level of connectivity that has never been seen before in human history. However, this brave new world comes with problems. Several high-profile cases over the last few years have demonstrated cloud computing's uneasy relationship with data security and trust. This volume explores the numerous technological, process and regulatory solutions presented in academic literature as mechanisms for building trust in the cloud, including GDPR in Europe. The massive acceleration of digital adoption resulting from the COVID-19 pandemic is introducing new and significant security and privacy threats and concerns. Against this backdrop, this book provides a timely reference and organising framework for considering how we will assure privacy and build trust in such a hyper-connected digitally dependent world. This book presents a framework for assurance and accountability in the cloud and reviews the literature on trust, data privacy and protection, and ethics in cloud computing

    A MAS-Based Cloud Service Brokering System to Respond Security Needs of Cloud Customers

    Cloud computing is becoming a key factor in computer science and an important technology for many organizations to deliver different types of services. The companies which provide services to customers are called as cloud service providers. The cloud users (CUs) increase and require secure, reliable and trustworthy cloud service providers (CSPs) from the market. So, it’s a challenge for a new customer to choose the highly secure provider. This paper presents a cloud service brokering system in order to analyze and rank the secured cloud service provider among the available providers list. This model uses an autonomous and flexible agent in multi-agent system (MASs) that have an intelligent behavior and suitable tools for helping the brokering system to assess the security risks for the group of cloud providers which make decision of the more secured provider and justify the business needs of users in terms of security and reliability

    Evaluation Theory for Characteristics of Cloud Identity Trust Framework

    Trust management is a prominent area of security in cloud computing because insufficient trust management hinders cloud growth. Trust management systems can help cloud users to make the best decision regarding the security, privacy, Quality of Protection (QoP), and Quality of Service (QoS). A Trust model acts as a security strength evaluator and ranking service for the cloud and cloud identity applications and services. It might be used as a benchmark to setup the cloud identity service security and to find the inadequacies and enhancements in cloud infrastructure. This chapter addresses the concerns of evaluating cloud trust management systems, data gathering, and synthesis of theory and data. The conclusion is that the relationship between cloud identity providers and Cloud identity users can greatly benefit from the evaluation and critical review of current trust models

    TrustE-VC: Trustworthy Evaluation Framework for Industrial Connected Vehicles in the Cloud

    The integration between cloud computing and vehicular ad hoc networks, namely, vehicular clouds (VCs), has become a significant research area. This integration was proposed to accelerate the adoption of intelligent transportation systems. The trustworthiness in VCs is expected to carry more computing capabilities that manage large-scale collected data. This trend requires a security evaluation framework that ensures data privacy protection, integrity of information, and availability of resources. To the best of our knowledge, this is the first study that proposes a robust trustworthiness evaluation of vehicular cloud for security criteria evaluation and selection. This article proposes three-level security features in order to develop effectiveness and trustworthiness in VCs. To assess and evaluate these security features, our evaluation framework consists of three main interconnected components: 1) an aggregation of the security evaluation values of the security criteria for each level; 2) a fuzzy multicriteria decision-making algorithm; and 3) a simple additive weight associated with the importance-performance analysis and performance rate to visualize the framework findings. The evaluation results of the security criteria based on the average performance rate and global weight suggest that data residency, data privacy, and data ownership are the most pressing challenges in assessing data protection in a VC environment. Overall, this article paves the way for a secure VC using an evaluation of effective security features and underscores directions and challenges facing the VC community. 
This article sheds light on the importance of security by design, emphasizing multiple layers of security when implementing industrial VCs. This work was supported in part by the Ministry of Education, Culture, and Sport, Government of Spain under Grant TIN2016-76373-P, in part by the Xunta de Galicia Accreditation 2016–2019 under Grant ED431G/08 and Grant ED431C 2018/2019, and in part by the European Union under the European Regional Development FundS

    Development of an intelligent e-commerce assurance model to promote trust in online shopping environment

    Electronic commerce (e-commerce) markets provide benefits for both buyers and sellers; however, because of cyber security risks consumers are reluctant to transact online. Trust in e-commerce is paramount for adoption. Trust as a subject for research has been a term considered in depth by numerous researchers in various fields of study, including psychology and information technology. Various models have been developed in e-commerce to alleviate consumer fears, thus promoting trust in online environments. Third-party web seals and online scanning tools are some of the existing models used in e-commerce environments, but they have some deficiencies, e.g. failure to incorporate compliance, which need to be addressed. This research proposes an e-commerce assurance model for safe online shopping. The machine learning model is called the Page ranking analytical hierarchy process (PRAHP). PRAHP builds complementary strengths of the analytical hierarchy process (AHP) and Page ranking (PR) techniques to evaluate the trustworthiness of web attributes. The attributes that are assessed are Adaptive legislation, Adaptive International Organisation for Standardisation Standards, Availability, Policy and Advanced Security login. The attributes were selected based on the literature reviewed from accredited journals and some of the reputable e-commerce websites. PRAHP’s paradigms were evaluated extensively through detailed experiments on business-to-business, business-to-consumer, cloud-based and general e-commerce websites. The results of the assessments were validated by customer inputs regarding the website. The reliability and robustness of PRAHP was tested by varying the damping factor and the inbound links. In all the experiments, the results revealed that the model provides reliable results to guide customers in making informed purchasing decisions. 
The research also reveals hidden e-commerce topics that have not received attention, which generates knowledge and opens research questions for future researchers. These ultimately made significant contributions in e-commerce assurance, in areas such as security and compliance through the fusing of AHP and PR, integrated into a decision table for alleviating trustworthiness anxiety in various e-commerce transacting partners, e-commerce platforms and markets. College of Engineering, Science and Technology. D. Phil. Information System