60,294 research outputs found

    The Case for Cloud Service Trustmarks and Assurance-as-a-Service

    Cloud computing represents a significant economic opportunity for Europe. However, this growth is threatened by adoption barriers largely related to trust. This position paper examines trust and confidence issues in cloud computing and advances a case for addressing them through the implementation of a novel trustmark scheme for cloud service providers. The proposed trustmark would be both active and dynamic, featuring multi-modal information about the performance of the underlying cloud service. The trustmarks would be informed by live performance data from the cloud service provider, or ideally an independent third-party accountability and assurance service that would communicate up-to-date information relating to service performance and dependability. By combining assurance measures with a remediation scheme, cloud service providers could both signal dependability to customers and the wider marketplace and provide customers, auditors and regulators with a mechanism for determining accountability in the event of failure or non-compliance. As a result, the trustmarks would convey to consumers of cloud services and other stakeholders that strong assurance and accountability measures are in place for the service in question and thereby address trust and confidence issues in cloud computing. Comment: 6 pages and 1 figure

    Putting the "Account" into Cloud Accountability

    Security concerns are often cited as the most prominent reason for not using cloud computing, but customers of cloud users, especially end-users, frequently do not understand the need to control access to personal information. On the other hand, some users might understand the risk, and yet have inadequate means to address it. In order to make the Cloud a viable alternative for all, accountability of the service providers is key, and with the advent of the EU General Data Protection Regulation (GDPR), ignoring accountability is something providers in the EU market will do at their peril. To be able to hold cloud service providers accountable for how they manage personal, sensitive and confidential information, there is a need for mechanisms that can mitigate risk, identify emerging risks, monitor policy violations, manage any incidents, and provide redress. We believe that being able to offer accountability as part of the service provision will represent a competitive edge for service providers catering to discerning cloud customers, also outside the GDPR sphere of influence. This paper will outline the fundamentals of accountability, and provide more details on what the actual "account" is all about.

    Safeguarding the liabilities of Data Accessing in Cloud Computing

    Cloud computing is the process of providing virtualized services over the internet. The space in the web commonly known as the Cloud is monitored by the service provider. In a real-time scenario, a user registers for a particular service and shares his data as well as access credential policies with the CSP (cloud service provider). Though cloud computing offers major flexibility in data access, users are very much concerned about their data security, as it may be misled by service providers. They may share the owner's data with unauthenticated persons. This is a big threat to data owners. In this paper, a modern approach is proposed, namely the Cloud Information Accountability (CIA) framework, based on the notion of data liability. We identify the common requirements and develop several guidelines to achieve data accountability in the cloud. Once the data owner provides data, the service provider will have full access and permission rights on the data. Using traditional access control mechanisms, after data rights are permitted the data is in the hands of the service provider. We propose an algorithm which gives the details of people accessing the data using the automated logging details through the JAR file.

    Data Mobility as a Service

    © 2016 IEEE. Cloud computing and cloud services provide an alternative IT infrastructure and service models for users. The users use cloud to store their data, delegate the management of the data, and deploy their services cost-effectively. This usage model, however, raised a number of concerns relating to data control, data protection and data mobility: 1) users may lose control of their resource, 2) data protection schemes are not adequate when data is moved to a new cloud, 3) tracking and tracing changes of data location as well as accountability of data operations are not well supported. To address these issues, this paper proposes a novel cloud service for data mobility from two aspects: data mobility and data protection. A data mobility service is designed and implemented to manage data mobility and data traceability. A Location Register Database (LRD) is also developed to support the service. Furthermore, data is protected by a data security service CPRBAC (Cloud-based Privacy-Aware Role Based Access Control) and an Auditing service that are capable of verifying data operations and triggering alarms on data violations in the Cloud environment.

    A Conceptual Framework for Accountability in Cloud Computing Service Provision

    This paper uses a comprehensive review of the academic and professional literature in relation to accountability in the area of cloud computing service provision. It identifies four key conceptual factors that are necessary for an organisation to be considered as accountable. The four factors were found to be: responsibility, assurance, transparency and remediation. A key finding of the paper is that in order to be considered as an accountable cloud service provider, all four factors need to be implemented and be demonstrable by the organisation.

    Intrusion detection and prevention of web service attacks for software as a service: Fuzzy association rules vs fuzzy associative patterns

    Cloud computing inherits all the systems, networks as well as Web Services' security vulnerabilities, in particular for software as a service (SaaS), where business applications or services are provided over the Cloud as Web Service (WS). Hence, WS-based applications must be protected against loss of integrity, confidentiality and availability when they are deployed over to the Cloud environment. Many existing IDP systems address only attacks mostly occurring at PaaS and IaaS. In this paper, we present our fuzzy association rule-based (FAR) and fuzzy associative pattern-based (FAP) intrusion detection and prevention (IDP) systems in defending against WS attacks at the SaaS level. Our experimental results have validated the capabilities of these two IDP systems in terms of detection of known attacks and prediction of new variant attacks with accuracy close to 100%. For each transaction transacted over the Cloud platform, detection, prevention or prediction is carried out in less than five seconds. For load and volume testing on the SaaS where the system is under stress (at a work load of 5000 concurrent users submitting normal, suspicious and malicious transactions over a time interval of 300 seconds), the FAR IDP system provides close to 95% service availability to normal transactions. Future work involves determining more quality attributes besides service availability, such as latency, throughput and accountability for a more trustworthy SaaS.

    Genomic cloud computing: Legal and ethical points to consider

    The biggest challenge in twenty-first century data-intensive genomic science is developing vast computer infrastructure and advanced software tools to perform comprehensive analyses of genomic data sets for biomedical research and clinical practice. Researchers are increasingly turning to cloud computing both as a solution to integrate data from genomics, systems biology and biomedical data mining and as an approach to analyze data to solve biomedical problems. Although cloud computing provides several benefits such as lower costs and greater efficiency, it also raises legal and ethical issues. In this article, we discuss three key 'points to consider' (data control; data security, confidentiality and transfer; and accountability) based on a preliminary review of several publicly available cloud service providers' Terms of Service. These 'points to consider' should be borne in mind by genomic research organizations when negotiating legal arrangements to store genomic data on a large commercial cloud service provider's servers. Diligent genomic cloud computing means leveraging security standards and evaluation processes as a means to protect data and entails many of the same good practices that researchers should always consider in securing their local infrastructure.