Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and Applications (IJERA), ISSN: 2248-9622, www.ijera.com, Vol. 3, Issue 2, March-April 2013, pp. 035-052

Research on preserving User Confidentiality in Cloud Computing - Design of a Confidentiality Framework

Chaitanya Dwivedula, Anusha Choday
M.Sc. in Software Engineering, Blekinge Institute of Technology (BTH), Karlskrona, Sweden

I. GROUP MEMBERS' PARTICIPATION

Group Member     Idea Creation   Report Writing
Group Member 1   45%             65%
Group Member 2   55%             35%

Abstract

Cloud Computing creates a dynamic resource-sharing platform that provides data analytically to proficient users who demand access to data held in the cloud. Because this data is stored outside the data owner's boundaries, owners are skeptical about using cloud technology to store or access their data through external cloud providers that lie outside their own control environment. Many issues make these active clients (companies or individuals) petrified at the thought of using the cloud computing paradigm. Some of the main issues that turn clients against Cloud Computing arise from three important security aspects: Confidentiality, Integrity, and Availability. In this research, we focused only on security models that relate to Confidentiality issues. We performed a literature review to analyze the existing confidentiality frameworks and security models. We then designed a new theoretical framework for confidentiality in Cloud Computing by extracting from this literature. We expect that this framework, when implemented in practice in the cloud computing paradigm, may generate hugely successful results that motivate clients to move their businesses onto the Cloud.

Keywords: Cloud Computing, Confidentiality, Security, Framework.

II. INTRODUCTION

Cloud Computing has evolved into a consistent term through the collaboration of the various IT technologies involved in it [15]. Resource pooling technology in the Cloud Computing paradigm provides the ability to store and dynamically allocate space to the resources that arrive for storage periodically [15]. Virtualization technology [6] in the Cloud Computing paradigm provides the ability to run resources that dynamically scale to the user's needs and to share the available resources to support that need [15]. Similarly, many other technologies contribute to Cloud Computing.

The data storage mechanisms of resource pooling reside in data centers [8] [15], which indirectly act like a CLOUD. On the other hand, the concept of 'provisioning services in a timely (near-instant), on-demand manner, to allow the scaling up and down of resources' generates a virtualization mechanism that plays the role of COMPUTING [15]. Hence, CLOUD COMPUTING is a collective term for several technologies that interact effectively for dynamic allocation/de-allocation of resources [15].

The generally accepted standard definition [15] of Cloud Computing is published with efforts from the National Institute of Standards and Technology (NIST). Their published¹ definition is used in our research report for analysis of Cloud Computing.

In short, we understood the NIST definition [15] as follows. The 'convenient and ubiquitous network access' means a moderate effort for cloud clients to establish their resources on the Cloud. The 'shared pool of configurable computing resources' contributes instant allocation/de-allocation of resources for on-demand data access [15]. The 'rapid provisioning' gives cloud providers a flexible operation of the cloud, scaling resources by assigning and releasing them from time to time when they are required elsewhere [15].

As technologies keep entering the Cloud Computing paradigm, there is no way to say that cloud computing is exhaustive. Cloud Computing key characteristics, models and implementations are discussed more extensively in Section III. The discovery of cloud computing generated a reported progress² of the software industry and its services to the
companies worldwide; but along with it, the security issues kept changing as well [2]. This resulted in the client's view of Cloud Computing that it lacks confidentiality for moving their resources onto the cloud [10]. Potential clients are now waiting for answers about how, why and by what means security is provided in Cloud Computing [2].

The problem is distinct, as security issues occur frequently in parallel with Cloud development. The Cloud Computing environment is vast, which makes it more vulnerable to threats [2]. Hence, we decided to focus on the most eminent security issues, those that can significantly standardize the Confidentiality of Cloud Computing. In the systematic literature review made before our research proposal, we found that Confidentiality alone accounts for approximately 50% of the security issues which, when satisfied, would let cloud computing move on to more interesting software development.

The data behind the Cloud is technically off-premise and is never within the boundaries of the data owners [8]. Data stored in the Cloud is beyond the control of the data owners, which may result in loss of confidentiality [2]. We believe that most of the effective customers condemn the use of cloud computing because they are aware that the ethics beneath cloud technologies are unclear or unknown to them.

The goal of this research is to generate a successive framework for Cloud Computing that can predict a sufficient Confidentiality gain in this particular Cloud environment. Hence, this framework will be an extension of our understanding of the frameworks analyzed in the Systematic Literature Review (SLR) done at the time of our research.

Our research questions relate to the main objective mentioned above and are detailed in Section IV. The study process and the data collection and analysis methods used for this research are discussed in detail in Section V and Section VI. The problems that may arise during implementation of the resulting framework, the limitations, and the sustainable arguments for our study are noted in Section VII. Our final research results, which concern our research goals, are presented in the conclusions (Section VIII).

III. BACKGROUND AND MOTIVATION

The consistent approach of our previous SLR (PRE-SLR) led us to a clear understanding of the security issues present in Cloud Computing. Mainly, security issues such as Confidentiality, Integrity and Availability are indefinitely implemented to reach the efforts constraining to healthy on-demand network access [2]. Thus, these efforts, when indistinct, may lead to problems in Cloud service models (such as SAAS, PAAS, IAAS) which, when left unsolved, might cause a 'lack of proficient security (CIA)' [2] [7]. One of the main reasons for Cloud Computing to be inconsistent in confidentiality is the differences among the Cloud models being deployed [2]. The three deployment models (Public Cloud, Private Cloud and Hybrid Cloud) generate a multiple-framework activity that has to be satisfied with confidentiality [7].

This SLR has also been understood as a proven theory when we re-reviewed the NIST definition several times.

The definition is supported by five key cloud characteristics, three delivery models and four deployment models [15]. We understood this definition as three interlinking properties of a Cloud: key characteristics of a cloud, delivery models and deployment models. Our understanding of this definition is presented in Figure 3.1.

Figure 3.1: Our understandings on NIST definition [15]

The key characteristics describe the operations performed in a cloud computing environment. The key characteristics, such as on-demand resource sharing, resource pooling, rapid elasticity, monitoring of resource allocation, wide network access and service provisioning, elaborate the Cloud technology in detail [15]. The Cloud service models, Software-as-a-Service (SAAS), Platform-as-a-Service (PAAS) and Infrastructure-as-a-Service (IAAS), are said to be general classifications of the Cloud [15]. Regardless of the service models classified, there exist 3 basic deployment models of Cloud: Public Cloud, Private Cloud and Hybrid Cloud. "Hence, the key characteristics of Cloud when applied (to deployment models) provide data (or) services to its Clients."

Here, we also analyzed that Confidentiality issues underlie the challenges in finding answers to questions like:

- How will Cloud provisioning take place?
- What are the Cloud security requirements?
- How will data storage occur in Cloud Computing?
- How reliable is the security architecture of the Cloud?
- How reliable are the Cloud services offered?

So, indirectly, we understood that "gaining knowledge about Cloud technology improves half of the Confidentiality levels in the Clients". Hence, the above questions have worked as a partial hypothesis for us.

We are focused on proposing a unique framework that can produce a single architecture combining the required security goals with all the reliable policies and procedures for all Cloud deployment models in common. So we continued our research by classifying the security issues analyzed from our PRE-SLR results. With our understanding of the security issues found, we classified each of them as relating to Confidentiality under one of three categories.

Classifying Security Issues in Common:

- Technical issues
- Organizational issues
- Legal issues

The entire list of security issues is generalized into these three issues in common. The complete list of security issues obtained in the PRE-SLR is presented in Appendix C.

Our reasoning for the above classification is as follows:

- Technical issues: All security issues, such as 'Shared Technology Vulnerabilities', 'network security' and many others, that can find solutions by framing security goals in the technical area are analyzed as Technical issues.
- Organizational issues: All security issues, such as 'Malicious Insiders', 'data location transparency' and many others, that can find solutions by framing security goals in the organizational area are analyzed as Organizational issues.
- Legal issues: All security issues, such as 'policy based or procedural based problems' and many others, that can find solutions by framing security goals in this area are sorted as Legal issues.

The basis of this classification is simply to unite all the security issues relevant to confidentiality in Cloud Computing. The main idea behind this type of classification is: 'if we unite all the confidentiality issues in common, then we can easily map them onto our framework that is going to be generated.'

We hope companies will need a unique framework like this, and that future researchers will be stimulated by the ideas we present. While this is a driving cause for the need that encompasses cloud computing, if we cannot find a solution in this research, the implications of not solving this problem might be the same as explained above: the lack of confidentiality will generate fear among clients (companies, organizations, individuals, etc.) of sharing or storing their resources in, or moving their businesses onto, the Cloud environment.

IV. RESEARCH DEFINITION AND PLAN

A. Research objective:

The goal of this research is "To generate a sufficient security model-framework for the extent possible, which when implemented: can moderate the activities (that occur for security threats or implicating risks) that are indeed capable of reducing Confidentiality of the Cloud and its environment."

This research objective focused our aims on:

- Specifying the security issues that relate to Confidentiality in Cloud Computing.
- Understanding the possible research results of the effective security models presented by previous researchers.
- Proposing a more extensive security model-framework that can uniquely state the province of all service and deployment models in collaboration.

B. Research Questions:

The interpretation of the above objective is extensively scrutinized, with the need for the necessary knowledge that has to be obtained in collaboration with the new framework to be generated. The following research questions³ (R.Q.s) will guide our research:

R.Q.1: What are the security issues that sufficiently support Confidentiality, inducible in a security framework of Cloud Computing?

The question has been framed so that all the issues found in our PRE-SLR are now brought to analysis, where we can learn how the security issues collide with the security models framed. For this, we need to know how a security model in Cloud Computing actually exists. Hence, R.Q.1.1 is framed for this analysis. Interpreting the solutions found for R.Q.1.1 will be relevant to the solutions to be found for
R.Q.1.

R.Q.1.1: How are these Confidentiality issues classified to indulge with consistent security operations in Cloud Computing?

³ These R.Q.s are re-framed for 'adequacy need' for this report (as commented by our professor {proposal evaluator}) but carry the same research meaning as the R.Q.s framed earlier in the research proposal.

This R.Q. is generated so that we can understand the several constraints on security issues getting involved in security operations. This question needs a thorough analysis of the security models present in the literature. Hence, an SLR is conducted to extract the results.

R.Q.2: How to uniquely frame Confidentiality within the boundaries of all Cloud security models/architectures in common?

Our entire research concept is to find a unique framework for confidentiality in cloud computing, and this question serves the purpose of our scope.

C. Research Methodology:

Our research started from understanding Cloud Computing and was then conceived with an objective of what needs to be done. The R.Q.s are framed with the basic understanding from the PRE-SLR results and from reading several research news articles, websites regarding Cloud service offerings, and so on. As our research has to provide solutions through analysis of various security models or confidentiality frameworks in Cloud Computing, we observed that the qualitative form of extracting information is an SLR.

Hence, we conduct an SLR again, but now with a focus on extracting security models. For clarity, the SLR to be performed now is named POST-SLR. The difference between these two SLRs is shown in Appendix A.

A review methodology of this type (SLR) is helpful for generating sufficient solutions to our R.Q.s. In addition, our ideas with reference to the issues found in the PRE-SLR will be presented for qualitative elaboration in the framework being generated.

Systematic Literature Review (POST-SLR):

To gain knowledge of security models and of previous researchers' work on security framework activity in cloud computing, we chose an SLR as our best means of obtaining it. Some of the reasons for relying only on an SLR are as follows:

- Analyzing the generally accepted security models in the cloud environment.
- Analyzing the future work that remains unfinished in previous security models in Cloud Computing.
- Analyzing the inconsistent results found in the literature from other researchers.
- Analyzing ideas that are firmly achieved by others in this field of study.
- Applying their models more extensively by combining the ideas, to generate a new framework with the current security issues that enhances Confidentiality in the Cloud.

With experience from the PRE-SLR, we now chose top journals refereed from several good publications. As a first step, the journal ranking was collected from an international research group⁴ named "Association of Information Systems (AIS)". We selected only these top-ranked journal publications, among which, through filters, we found that only a few cover the study of Cloud Computing.

Finding a search engine was easier for us than finding the best journal publications, as most search engines are available through our BTH University 'Find database' library portal. We focused only on the search engines that can present these top-ranked journal publications. We then filtered our keywords again and again for a proficient search refinement on 'Confidentiality frameworks and security models in Cloud Computing'. The complete operation of the POST-SLR is presented in the data collection and analysis methods below.

Data Collection method:

The qualitative analysis of literature amends with the use of an SLR. However, if the distillation process of extracting literature fails, the quality may suffer. Hence, opting for high-quality journal publications, selecting effective search databases and framing the search strings for the search operations are said to be the three main aspects of an SLR.

a) Step 1: Journal selection:

We required papers that present studies of all forms, such as empirical studies, case studies, research findings and all other available literature, but we restricted our search to peer-reviewed journal articles. The list of journal publications that attracted us in our study (on security models in Cloud Computing) is presented below. These top-ranked journals are sorted with searches made for our Cloud Computing study. The original ranking list of top journals described above is placed in Appendix B in order to make it clear.

Journal Articles (Scrutinized)

- MIS Quarterly (MISQ)
- Communications of the ACM (CACM)
- IEEE Transactions (various)
- Journal of Computer and System Sciences (JCSS)
- Information Systems Journal (ISJ)
- Database for Advances of Information Systems (DATABASE)
- Decision Support Systems (DSS)

b) Step 2: Database selection:

Our experience with the search engine mattered for a while, as this selection is a priority for major papers to be found. Hence, we limited our search to databases where almost all the top-ranked journals can be found. The most prominent search databases that cover all the ranked journals in relation to Cloud Computing findings in their search query are presented below:

Search Databases (scrutinized)

- SCOPUS
- Engineering Village (INSPEC; COMPENDEX)

The search operation designed below is applied to one of these two databases at a time. For example, if we could not find relevant, interesting data in 'Scopus', then, for clarification, we ran the same search query in the 'Engineering Village' database.

c) Step 3: Search operation:

Finding relevant data for our search has been the basic task of our research operation. We now focused on framing the search strings, extracting results, stimulating search results with the scope, and refining the search strings if relevant data was not found. The figure-4.2 below demonstrates our search operation.

Figure 4.1: Search Operation

As almost all papers are published online, we selected online databases over the internet and did not use any library or other external sources for our data search. We developed a general search query baseline such that inserting keywords into this formula gives the desired results for our research area. The idea originates from the search interface of the research database 'Scopus'. The search query we adopted in the Scopus 'Advanced search' interface is as below:

    (TITLE-ABS-KEY("SEARCH STRING")
     AND SRCTITLE("ACM")
     OR SRCTITLE("MIS Quarterly")
     OR SRCTITLE("IEEE")
     OR SRCTITLE("Journal of Computer and System Sciences")
     OR SRCTITLE("Information Systems Journal")
     OR SRCTITLE("DATABASE")
     OR SRCTITLE("Decision Support Systems"))
    AND PUBYEAR > 2004

The search strings framed are inserted directly into this formula to obtain results in our research area. A complete list of search strings, including the strings that found no results, is presented in Appendix B in order to make it clear.

All the keywords that extracted exciting results when applied to search strings framed under the above search formula are presented below:

Keywords (scrutinized)

Cloud Computing      Security and privacy
Security model       Confidentiality Framework
Privacy Policy(s)    Grid Computing
Virtualization       Security Architecture
…                    …

In the search operation, we obtained 11 research articles that are firmly relevant to our study. The process of analyzing these articles is presented below.

Data Analysis Method:

For data analysis, consistent tracking of search results is the ultimate task, which dissolves the barriers between knowledge gain and its implementation. The quality of the search results is assessed with include/exclude criteria, as described below:

d) Include Criteria:

- Only peer-reviewed articles (available) from journals or conference papers.
- Articles should be written in the English language.
- The article has to be published during or after the year 2005.
- Articles that found relevance with Cloud Computing security models in their abstracts.

All other articles that do not meet the include criteria are excluded.

In order to validate our research methodology, we have also cross-checked our SLR with two other SLRs [17] & [18], one of which is a thesis paper [18].

V. RESEARCH OPERATION

The scope of this research is to elaborate the unconditional use of a Confidentiality framework that can peer all the service and deployment models present in the cloud. Hence, our major tasks constitute the operations contributing with the minimal tasks of analyzing security issues, generating a framework that architects all the security solutions for the issues generated, and so on.

To achieve our research objective, we started with the PRE-SLR to analyze all the possible security issues and then assigned them to predictable general classifications (Technical, Organizational and Legal issues), as shown in Section III. As we cannot detail each and every security issue in the framework, and cannot map all the issues directly into the framework, we chose this way to generalize them. We believe that most of R.Q.1 can be answered 'by analyzing security issues found in PRE-SLR', and the rest of R.Q.1 is 'to analyze how these security issues indulge into the framework being generated'.

To solve this remaining part of R.Q.1, R.Q.1.1 is framed. The research analysis (from the POST-SLR) has shown the path for implementing a new framework. The literature found that solved R.Q.1.1, for the concept of "finding Confidentiality requirements that are classified to indulge with security operations in Cloud computing", is presented below:

A. Literature Analysis:

In Engineering Privacy [10], the authors generated a three-sphere model (User Sphere, Joint Sphere and Recipient Sphere) for user privacy concerns. They relate all the Confidentiality issues to these three spheres. We analyze these models as operations that obscure privacy views. They also generated some architectural mechanisms that can partially generate confidentiality in the Cloud Computing area. These mechanisms are as below:

- Privacy-by-policy: Based on policy generation, which results in Fair Information Practices (FIP). This FIP was contributed to European privacy legislation [10].
- Privacy-by-architecture: Based on anonymizing information, which results in little or no personal data detection by third parties [10].
- Hybrid approach: Based on the combination of the above two approaches, where policies collide with technical mechanisms (architecture); they then enforce privacy enhancements [10].

These policy-centric architectures gave a start to our security framework idea being generated.

In [4], the authors developed a security classification framework which sorted the presence of our research idea for R.Q.1.1 towards a solution. They classified the security issues for the Grid Computing environment, also with decentralized data control over its architecture. Figure 5.1 presents their framework:

Figure 5.1: Classifications of grid computing Security [4]

As they focused on grid computing, the security issues resolved in their framework belong to the grid environment's security province. But because they interlinked these security issues with grid deployment models (computational grid, data grid, service grid), and because the same security issues (like intrusion detection) can be found in Cloud deployment models, their framework helped us initiate our Cloud Computing confidentiality framework. Their classification framework also presented the solutions to the issues area-wise (system solutions, behavioral solutions, hybrid solutions). In the same way, we focused our solutions to the Confidentiality issues area-wise; they are named Technical solutions, Organizational solutions and Legal solutions.

In the 'Cloud Security Issues' article [2], B. R. Kandukuri et al. described several Service Level Agreements (SLAs) for generating notion to different levels of security. According to them, SLAs are documents that define the relationship between two parties: the cloud provider and the customer (recipient). They too have guided us immensely in our research, as their concept of including security risks in the SLA gave a complete understanding of what needs to be done in our framework. A simple analysis of an SLA and its contents is as follows:

- Definition of services
- Performance management
- Problem management
- Customer duties and responsibilities
- Warranties and remedies

We analyzed that these contents, when put into action, can generate answers for the partial research hypothesis presented above in the Background
Section. We took steps forward in that means of

approach.

Having read carefully about encryption concepts in much of the literature [5] [11], we do not find the claim that they have produced a mechanism for confidentiality trustworthy. They have produced encryption key mechanisms, encryption algorithms, cryptography methods and so on, which can be counted as a solution for “data privacy” alone but not for the entire set of confidentiality measures in a security framework. We believe that a key generation concept alone might not itself provide confidentiality to the user. We can support this analysis: as said by S. Spiekermann et al. [10], the user is outside the boundaries of the organizational sphere where these keys get generated, and so, even though the key is set private to the users themselves, we can't find any proof that these consistent key encryption mechanisms alone can stabilize the confidentiality requirement in the Cloud environment.

A new concept called RAIN (Redundant Array of Independent Net-storages) [9] has been analyzed from the literature. According to the authors of this article [9], they used a divide and conquer method for the data passing through the clouds. They have also presented their background work of deploying 5 Cloud service models. They are as shown below:

Separation model: separates data storage from data processing [9].

Availability model: separates stored data from data providers during the time of processing [9].

Migration model: describes the data migration from one storage provider to another storage provider [9].

Tunnel model: describes a data tunneling service between the data processing service and the data storage service [9].

Cryptography model: describes data encryption such that the data is not intelligible even to the storage provider [9].

Their procedural implementation gave us an idea for a framework that implements process activities one-onto-one, presenting itself as a security control-flow architecture.

In another paper named 'Understanding Cloud Vulnerabilities' [1], the authors have generated a framework dividing the risk factors into two kinds, “loss event frequency” and “probable loss magnitude”; all the rest are classified under those two risk factors. This is relevant to our security issues generalization concept, for mapping them into a framework that can give solutions to any kind of issue that occurs in the open risk taxonomy [1].

As we conclude our literature review analysis, even though we were unable to find a complete security framework, security model or architecture, we are satisfied with the solutions obtained for R.Q.1 & R.Q.1.1. This review has shown the relevant security threats, risks or issues that are interlinked with the security models; but for a complete solution of R.Q.1 & R.Q.1.1, we also considered a few NIST drafts that enabled the risk analysis process or frameworks consistent with the cloud environment. Below are the concepts learned from different NIST drafts.

In NIST Draft SP800-30 [12], a Risk Assessment Methodology Flowchart is presented, from which we have successively understood each and every concept beneath the risk taxonomy and its control flow. The seven steps that determine this sequential flow are as follows [12]:

Step 1: System Characterization

Step 2: Threat Identification

Step 3: Vulnerability Identification

Step 4: Control Analysis

Step 5: Likelihood Determination

Step 6: Impact Analysis

Step 7: Risk Determination

Step 8: Control Recommendations

Step 9: Results Documentation

With elaboration, NIST Draft SP800-37 [13] has further presented a Risk Management Framework which became the key to our research for confidentiality on cloud. This framework is as shown in Figure-5.2 below.

Figure-5.2: Risk Assessment Framework (NIST SP800-37) [13]

In NIST draft SP800-125 [14], the architecture of virtualization technologies is enabled with hypervisors that have played a major role in providing security to the Cloud Computing environment. The security controls, when operated in the hypervisors (virtual machine managers for monitoring multiple hosts) that are placed just before the cloud offering applications, can implement controlled security operations for this environment.

Even though deployment models exist, a general scope and control flow of the service models in cloud computing, with the views of both consumer and cloud provider, are presented in Draft SP800-144 [16]. This scope in terms of control flow is thus also implemented by us, where the cloud provider's view and the customer's view on the framework being generated are extracted to act on.

Hence, R.Q.1 is completely fulfilled with the knowledge base of security issues shown above, with relevance to the security models that are deployed to eradicate the trouble caused by these issues.

VI. DATA ANALYSIS AND INTERPRETATION

Even though there are many other security models or frameworks, we presented only the important articles. As the knowledge of relevant data models for our idea creation came from among these articles, we concluded the literature review for analysis. In this section, we present a Data Framework activity by analyzing all the above frameworks, models and other security concepts found in the above literature. The framework that satisfies our R.Q.2 is shown in Figure-6.1 below.

This framework is built in such a way that cloud providers and their customers have a generalized view of the security operations in their cloud. The framework also shows the difference between the operations that are carried out in the stepwise flow. We used orange, blue, green and red colors to differentiate and group the operations carried out in the cloud. All the orange boxes denote the general tasks of the cloud provider or their customers. All the blue boxes denote the original security operational flow in the framework. Green and red denote the organizational and technical issues/tasks respectively. The description of these tasks and operations refers back to the POST-SLR review made in Section-V. If anything is unclear, all the rest, including security concepts and other keywords used in the framework below, are clearly elaborated in Appendix-D.

Figure-6.1: Confidentiality Framework for Cloud Computing (our research solution)

VII. DISCUSSIONS

A. Contributions & limitations:

The framework has deployed a risk management activity for security provisioning in the cloud environment. We are sure that the results generated by us cover all the levels of security issues and their solutions in all kinds of users' views, and hence will provide a constant baseline for drawing security architecture in any Cloud based company that indeed can satisfy the cloud customers. Even though an SLR alone can't deal with the entire problem area, and there is no proof that our research analysis can work in the real-time industry, with time as our major constraint we had no other choice than to build the framework based only on the SLR. This framework is limited to the general activities, without any further clarification of the inside elements such as cryptography and so on.

B. General proceedings (future work):

As of now this model needs to be scrutinized. This model needs to be elaborated by deriving each and every activity in the framework analytically with real-time proofs. If we get a chance in the thesis, then we are sure that we can get a clear, scrutinized security model, along with the suggestions made by the professors and real-time industry people through the surveys and experiments conducted.

VIII. CONCLUSION

Confidentiality for Cloud Computing deals with the emerging cloud architectures that evolve with time. This continuous evolution process might necessitate a baseline framework activity that can withstand it. We enabled a framework activity with reference to general security models and patterns. We expect this framework to be a consistent approach to trigger any kind of security mechanism in Cloud Computing. As the views on this model are analyzed from the standpoint of both the Cloud provider and the customer, we hope that organizations can be at ease to implement their operations directly on this framework without further discussions.

REFERENCES

[1]. B. Grobauer, T. Walloschek, and E. Stocker, “Understanding Cloud Computing Vulnerabilities,” IEEE Security & Privacy Magazine, vol. 9, no. 2, pp. 50–57, Mar. 2011.

[2]. B. R. Kandukuri, R. Paturi. V., and A. Rakshit, “Cloud Security Issues,” 2009, pp. 517–520.

[3]. C. Chapman, W. Emmerich, F. G. Márquez, S. Clayman, and A. Galis, “Software architecture definition for on-demand cloud provisioning,” Cluster Computing, vol. 15, no. 2, pp. 79–100, Feb. 2011.

[4]. E. Cody, R. Sharman, R. H. Rao, and S. Upadhyaya, “Security in grid computing: A review and synthesis,” Decision Support Systems, vol. 44, no. 4, pp. 749–764, Mar. 2008.

[5]. G. Zhao, C. Rong, J. Li, F. Zhang, and Y. Tang, “Trusted Data Sharing over Untrusted Cloud Storage Providers,” 2010, pp. 97–103.

[6]. K. Riemer and N. Vehring, “Virtual or vague? a literature review exposing conceptual differences in defining virtual organizations in IS research,” Electronic Markets, May 2012.

[7]. K. 'Shade O, I. Frank and A. Oludele, “Cloud Computing Security Issues and Challenges,” Journal of Network and Computer Applications, vol. 3, no. 5, pp. 247-255, Dec. 2011.

[8]. M. Armbrust, I. Stoica, M. Zaharia, A. Fox, R. Griffith, A. D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, and A. Rabkin, “A view of cloud computing,” Communications of the ACM, vol. 53, no. 4, p. 50, Apr. 2010.

[9]. M. G. Jaatun, G. Zhao, and S. Alapnes, “A Cryptographic Protocol for Communication in a Redundant Array of Independent Net-storages,” 2011, pp. 172–179.

[10]. S. Spiekermann and L. F. Cranor, “Engineering Privacy,” IEEE Transactions on Software Engineering, vol. 35, no. 1, pp. 67–82, Jan. 2009.

[11]. S. Yu, C. Wang, K. Ren, and W. Lou, “Achieving Secure, Scalable, and Fine-grained Data Access Control in Cloud Computing,” 2010, pp. 1–9.

NIST Special Publication (SP) Drafts: [Online] (Available: http://csrc.nist.gov/publications/PubsDrafts.html)

[12]. S. Gary, G. Alice, and F. Alexis, “SP: Risk Management Guide for Information Technology Systems,” National Institute of Standards and Technology (NIST), CSRC-SP800-30, July 2002.

[13]. “SP: Guide for Applying the Risk Management Framework to Federal Information Systems,” National Institute of Standards and Technology (NIST), CSRC-SP 800-37 (Rev-1), Feb. 2010.

[14]. S. Karen, S. Murugiah and H. Paul, “SP: Guide to Security for Full Virtualization Technologies,” National Institute of Standards and Technology (NIST), CSRC-SP 800-125, Jan. 2011.

[15]. M. Peter and G. Timothy, “NIST Definition of Cloud Computing,” National Institute of Standards and Technology (NIST), CSRC-SP 800-145, Sept. 2011.

[16]. J. Wayne and G. Timothy, “SP: Guidelines on Security and Privacy in Public Cloud Computing,” National Institute of Standards and Technology (NIST), CSRC-SP 800-144, Dec. 2011.

SLR model review references:

[17]. S. Jalali and C. Wohlin, 'Agile practices in global software engineering - a systematic map', in 2010 Fifth IEEE International Conference Global Software Engineering (ICGSE 2010), 23-26 Aug. 2010, Los Alamitos, CA, USA, 2010, pp. 45–54.

[18]. Guido Kok, “Cloud computing & confidentiality,” M.S. thesis, Dept. Comp. Sci. Eng., University of Twente, Enschede-Noord, Nederland, May 24, 2010. [Online] (Available: http://purl.utwente.nl/essays/61039)

APPENDIX A

A. Differentiating our previous works from the research operation performed now.

A review methodology of this type (SLR) has already been conducted in our previous assignment (asst-1). The results obtained from that PRE-SLR have been utilized in the background Section-III. As shown in Figure-A below, we name this SLR (made in the research operation) 'POST-SLR' in order to differentiate it from the SLR that was done before our proposal (assignment-1). (For clarity, we name this previous SLR 'PRE-SLR'.)

Figure A: Figure-4.2: Differentiating our work from the past.

APPENDIX B – SEARCH OPERATION

The journal publication ranking with relevance to “CLOUD COMPUTING” is roughly analysed by searching every top-ranked publication with the basic keywords 'Cloud Computing' AND 'Confidentiality'. The main motive behind this search is to analyse all the top-ranked publications that publish topics concerning Cloud computing. We found only 7 top publications that gave unique results; the rest returned the same search result (as that of the previous publications' search) or no search result at all. Table-A shows the list of top-ranked journal publications and the cloud findings in them.

| Serial | TOP JOURNALS (AIS-MIS Journal Ranking Sequence) | Resulted Search Articles (Research Area relevance) | Search operated through |
|---|---|---|---|
| 1 | MIS Quarterly Management Information Systems (MISQ) | 2681 | EBSCOhost |
| 2 | Information Systems Research (ISR) | 2681 | EBSCOhost |
| 3 | Communications of the ACM (CACM) | 168 | ACM DL library |
| 4 | Management Science (MS) | 2681 | EBSCOhost |
| 5 | Journal of Management Information Systems (JMIS) | 2681 | EBSCOhost |
| 6 | Artificial Intelligence (AI) | 3(X) | ScienceDirect |
| 7 | Data Sciences (DSI) | -NA- | --- |
| 8 | Harvard Business Review (HBR) | 2681 | EBSCOhost |
| 9 | IEEE Transactions (various) | 7 | IEEE Xplore |
| 10 | AI Magazine | 2(X) | AI Magazine |
| 11 | European Journal of Information Systems (EJIS) | -NA- | --- |
| 12 | Decision Support Systems (DSS) | 17 | ScienceDirect |
| 13 | IEEE Software (IEEESw) | 7 | IEEE Xplore |
| 14 | Information and Management (I&M) | -NA- | --- |
| 15 | ACM Transactions on Database Systems (ACMTDS) | 168 | ACM DL library |
| 16 | IEEE Transactions on Software Engineering (IEEETSE) | 7 | IEEE Xplore |
| 17 | ACM Transactions (ACMTrans) | 168 | ACM DL library |
| 18 | Journal of Computer and System Sciences (JCSS) | 10 | ScienceDirect |
| 19 | Sloan Management review (SMR) | 2681 | EBSCOhost |
| 20 | Communications of AIS (CAIS) | 168 | ACM DL library |
| 21 | IEEE Transactions on Systems, Man & Cybernetics (IEEETSMC) | 7 | IEEE Xplore |
| 22 | ACM Computing Surveys (ACMCS) | 168 | ACM DL library |
| 23 | Journal on Computing (JCOMP) | 168 | ACM DL library |
| 24 | Academy of Management Journal | 2681 | EBSCOhost |
| 25 | International Journal of Electronic Commerce | 2681 | EBSCOhost |
| 26 | Journal of the AIS | -NA- | --- |
| 27 | IEEE Transactions on Computers (IEEETC) | 7 | IEEE Xplore |
| 28 | Information Systems Frontiers (ISF) | -NA- | --- |
| 29 | Journal of Management Systems | 2681 | EBSCOhost |
| 30 | Organisation Science (OS) | -NA- | --- |
| 31 | IEEE Computer (IEEEComp) | 7 | IEEE Xplore |
| 32 | Information Systems Journal (ISJ) | 135 | Wiley Online Library |
| 33 | Administrative Science Quarterly | 129(X) | SAGE Journals |
| 34 | Journal of Global Information Management (JGIM) | -NA- | --- |
| 35 | The Database for Advances of Information Systems (DATABASE) | 1066 | EBSCOhost |
| 36 | Journal of Database Management (JDM) | 2681 | EBSCOhost |
| 37 | Information Systems (IS) | 11 | ScienceDirect |
| … | … | … | … |

Table A: Top ranked journal publication selection from AIS-Journal ranking with relevance to cloud computing.

NOTE: The top ranked Cloud computing publications are marked with three colours: Green, Yellow and Red. Green shows a unique search result at the start, before the same result was found in other publications. Yellow represents the publications which carry Cloud papers but show the same result (-repeat-) as previous publications, and are hence neglected. Red shows that the publications are unavailable (-NA-) or that no results were found with relevance to the Cloud computing topic. The (X) mark beside a search result denotes that the papers found are technically irrelevant to the cloud computing research area.

After finding these top 7 journals, the search string formula is generated (in section IV) for finding the papers relevant to our research area in Cloud computing. We analyzed that most of the journals from IEEE and ACM publications differ in name but gave the same results. So we sorted them just as “IEEE” and “ACM” in the search formula generated. The idea behind this is to grab as many results as possible from all the publications of IEEE, ACM and all the rest of the 7 unique journals. Table-B below presents the search strings framed that are applied in the search formula generated in the report.

Table B: Search strings framed and (number of) results obtained.

| Iteration | Search String [IN (Title, Abstract, Keywords)] | Search Results | Relevant and available | Very well guided |
|---|---|---|---|---|
| 1 | “Cloud Computing” AND “Confidentiality” AND (“framework” OR “model” OR “architecture”) | 23 | 12 | 2 |
| 2 | “Cloud Computing” AND “Security” AND (“model” OR “Framework” OR “Architecture”) | 266 | 8 | 2 |
| 3 | “Cloud Computing” AND “Privacy policy*” | 29 | -Repeat- | 0 |
| 4 | “Cloud Computing” AND “Risk management” | 15 | -Repeat- | 0 |
| 5 | “Cloud Computing” AND “Security requirement*” | 89 | 3 | 1 |
| 6 | “Cloud Computing” AND “Security management” | 153 | -Repeat- | 0 |
| 7 | “Grid Computing” AND “Security” AND (“model” OR “framework” OR “Architecture”) | 225 | 1 | 1 |
| 8 | “Virtualization” AND “Security” AND (“model” OR “Framework” OR “Architecture”) | 146 | 2 | 0 |
| … | … | … | … | … |

We started with the initial search string (Iteration 1) to get an initial idea of the search results. All the rest of the iterations follow the search made in order to find the results for “cloud computing and confidentiality frameworks”. Synonyms and similar words were included to refine the search strings framed. Singular and plural forms were included in the search, and hence '*' was included in the search strings above to represent them. As we involved synonyms, we included the OR operator in the search strings framed.

When the above 8 search strings are inserted into the search formula, we got 26 relevant and available articles. Even though these 26 articles were found only through analysis of title relevance and (then, if needed) abstract readings, we further made a thorough review of these papers and found that only 11 support our research area firmly. We made use of these 11 articles in our research operation and also referred to them in the final Confidentiality framework design in cloud computing (our analyzed research solution). Also, among these 11 finally extracted papers, we found that 6 papers guided us very well for our research conclusion. All these 11 articles are listed as references in the research report. All the rest, excluding these 11 articles, also helped us in gaining some additional knowledge and are hence presented in Appendix-E.

APPENDIX C – SECURITY ISSUES GENERALISATION (FROM PRE-SLR)

The security issues that relate to confidentiality are presented here with analysis from our previous studies (PRE-SLR, Assignment-1). As said in the research report, these issues are generalized into 3 main categories: Technical, Organizational and Legal issues, as shown in Table C below.

Table C: Security issues found in PRE-SLR and our view of generalizing them to 3 main issues

| Security Issues | Issues found from PRE-SLR (references) | Issues can relate to Confidentiality as |
|---|---|---|
| Abuse and Nefarious Use of Cloud Computing | [R7], [R12] | Technical issue |
| Account, Service and Traffic Hijacking | [R7], [R12] | Technical issue |
| Authentication and authorization | [R17] | Technical issue |
| Cost and limited availability of technical personnel | [R1] | Organizational issue |
| Customer Isolation and Information Flow | [R15] | Technical issue |
| Cloud Integrity and Binding Issues | [R10] | Organizational issue |
| Cloud Security vulnerabilities and Security Attacks | [R2], [R10] | Technical issue |
| Cloud Governance | [R16], [R18] | Legal issue |
| Data access and Control | [R17] | Technical issue |
| Data back-up and recovery | [R2], [R14], [R20] | Technical issue |
| Data breaches (controlling XML signatures and so on) | [R17] | Technical issue |
| Data location | [R14] | Organizational issue |
| Data protection (Loss/Leakage) | [R7], [R12], [R21] | Technical issue |
| Data provisioning (Audits, etc.) | [R2], [R10], [R15] | Technical issue |
| Data segregation | [R17] | Technical issue |
| Ensuring user rights (End user trust) | [R18], [R21] | Legal issue |
| Federation and Secure Composition | [R15] | Legal issue |
| Identity/Key management (Encryptions) | [R20] | Technical issue |
| Insecure Application Programming Interfaces (web application security) | [R7], [R12] | Technical issue |
| Integrity for user's dynamic changes | [R21] | Organizational issue |
| Investigative support (data forensics and so on) | [R2], [R16] | Technical issue |
| Legal, policy based and commercial problems | [R18] | Legal issue |
| Long-term viability (End user trust) | [R2], [R16] | Organizational issue |
| Malicious Insiders | [R7], [R12], [R15] | Organizational issue |
| Multi-Compliance Clouds | [R15] | Technical issue |
| Network security | [R17], [R21] | Technical issue |
| Non-Repudiation | [R16] | Organizational issue |
| Privileged user access | [R14] | Organizational issue |
| Regulatory Compliance | [R16] | Legal issue |
| Reliability | [R8], [R20] | Organizational issue |
| Risk/Threat Management | [R2] | Technical issue |
| Security assurance to cloud users | [R10] | Organizational issue |
| Security Integration & Transparency | [R15] | Technical issue |
| Shared Technology Vulnerabilities | [R7], [R12] | Technical issue |
| Undefined cloud boundaries | [R21] | Legal issue |
| Unknown Risk Profile (lack of transparency) | [R12] | Organizational issue |
| Virtualization vulnerability | [R2], [R17] | Technical issue |

NOTE: The references “[R]” refer to the PRE-SLR references. These references are presented in Appendix-E.

The generalization of all the security issues presented above into these 3 categories rests only on our own understanding of them. As we cannot elaborate our analysis of each and every issue in this RM research report, the referenced papers beside each issue (in the above table) show what exactly the issue is. In the same way as the issues at hand, further issues that evolve with time, or any other issues that are not sighted by us, can also be set into one of these 3 categories in the future.

APPENDIX D – KEYWORDS USED (IN THE RESEARCH REPORT)

Cloud Computing & confidentiality (As it is):

Cloud computing (NIST definition)

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.” [15]

Confidentiality (NIST definition-FIPS PUB 199) [S15]

“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.”

Integrity (NIST definition-FIPS PUB 199) [S15]

“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.”

Availability (NIST definition-FIPS PUB 199) [S15]

“Ensuring timely and reliable access to and use of information.”

Cloud service models

Software as a service (SaaS) [15]

The SaaS service model covers services that deliver software applications to cloud customers. Here, if needed, the cloud provider can also operate these applications on behalf of the customers, handling tasks such as application management (updates), storage backups, infrastructure and so on.

Platform as a service (PaaS) [15]

The PaaS service model offers interfaces such as operational platforms to the cloud customer. These platforms help the customer build new applications that are supported on cloud based technologies. Here, operations such as network management, storage, and operating systems are managed by the cloud provider itself, and hence the customer is free to work only on application development and not on other matters of cloud maintenance.

Infrastructure as a service (IaaS) [15]

The IaaS service model is derived from the concept of reducing costs to the customer. IaaS is structured to provide the capabilities of cloud provisioning, storage management and other fundamental needs to the customer so that they can use cloud technologies. Here, the customer's application or file management is indirectly controlled by the cloud provider.

Grid Deployment models

Computational grid [4]

The concept of setting resources aside in order to automate computational work, which can reduce computational power and man-power, is called a Computational grid.

Data grid [4]

Information and data are stored in, or retrieved for analysis from, this data grid. The data grid is modeled in such a way that large volumes of data are accessed from a single Cloud data centre at a time by several users (or companies or organizations).

Service grid [4]

The grid that offers services to its clients is called a Service grid. This grid is designed with mechanisms for provisioning customer requirements and offering the services they require.

Cloud deployment models

Private Cloud [15]

The services offered are monitored by the organization itself, and its services are not shared to be monitored by outsiders for any other purposes; i.e., the physical infrastructure (cloud) may or may not be owned by the organization and might be on-premise or off-premise, but will contain a designated service provider (employees or entities) for its cloud computations.

Public cloud [15]

The cloud is provisioned for use by any source that is in need; this source can be an individual, an organization, or some other entity. This cloud is generally maintained by an ordinary cloud provider and mechanisms where low-level security is provided for usage.

Hybrid cloud [15]

It is a combination of public or private or any other deployment cloud (such as community clouds) that is designed into a single cloud architecture. The user may vary according to the organizational needs, and hence the security may also vary with it.

Cloud key characteristics

On-demand resource sharing [15]

The provisioning of services offered can leverage a concept of 'On-demand resource sharing'. This is an automated process that enables a control mechanism reducing the human effort needed to deliver services to the right users.

Resource Pooling [15]

As described in our research report above from NIST, Resource pooling technology in the Cloud Computing paradigm renders the ability to store and dynamically allocate space to the resources that occur for storage periodically.

Rapid elasticity [15]

Rapid elasticity is derived as: provisioning services with capabilities to automatically scale to the exact user demand. The resource is set to use for the demand, and this service is reverted when the customer is not in need of that resource.

Wide network access [15]

The ability to control or manage large area networks is delivered by this wide network access. With this characteristic we can access data or information or services even through mobile devices.

Cloud Spheres models

User Sphere [10]

The user sphere is a technical domain name which encompasses a user's device. This sphere has to enable full access control to the users who own it. The data is set to privacy and is accessible to entities present in external boundaries only with the data owner's permissions. Additionally, user sphere models are trumped with respect to the owner's physical privacy and hence will wait for their interruption to change their access setting when needed.

Recipient Sphere [10]

In the same way as the user sphere above, the recipient sphere is a company centric sphere where the organization is responsible for its complete access controls. As the control is within the organization itself, the risk is low when compared to the user sphere, and so it can potentially minimize the risk of privacy breaches.

Joint Sphere [10]

The joint sphere is also a technical domain term of cloud spheres, where this sphere can derive the complete cloud to its privacy by setting the controls completely within the organization and also involving its customers, with some limitations on their access. We analyzed that this kind of model is not impossible to see in the real world: we can see social networking sites where the users are given data storage, email services and many other features free of charge, but the users should know that the full control of these services is held by the company (social networking site) itself and not by the user. Hence the privacy control is derived with the complete understanding of the organizations and their customers involved in the joint sphere.

Classification of types of Solutions for issues found in grid computing

System solutions [4]

The system based solutions approach is a concept where the technical issues are analyzed for solutions and rectifications. Issues such as accessing grid information, auditing grid functions and so on are set to solutions here. We named them technical solutions in our research report for our confidentiality framework.

Behavioural solutions [4]

The behavioural solutions denote the category where solutions for issues like immediate job execution, advanced scheduling and job control are sorted out for answers. We named them Organizational solutions in our research report for our confidentiality framework.

Hybrid solutions [4]

These solutions denote the category that combines all kinds of issues for sorting them to gain hybrid solutions. Here, trust is fundamental for solving any kind of issue. We did not use this kind of solution in our framework; instead, as trust occurs better with policies and laws, we involved legal issues in our research framework.

Some other keywords from literature

RAIN (Redundant Array of Independent Net-storages) [9]

All the deployment models are split across several independent (non-colluding) storage providers that act as a Redundant Array of Independent Net-storages (RAIN). In the authors' view, a single chunk of data doesn't compromise confidentiality, and hence they derive that the data should be stored using one or several cloud storage providers.
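The confidentiality property behind the RAIN entry above, as an added example that is not from this paper or from [9]: the paper does not say how the data is split, so the sketch assumes XOR-based splitting in which every chunk is needed to rebuild the data. All function names and the sample record are hypothetical.

```python
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("chunks must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split(data: bytes, n: int) -> list[bytes]:
    """Split data into n chunks, one per independent storage provider.

    Assumed scheme (not specified by the paper): n-1 chunks are random
    pads and the last chunk is the data XORed with all pads.
    """
    if n < 2:
        raise ValueError("need at least two providers")
    pads = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    return pads + [reduce(xor_bytes, pads, data)]


def combine(chunks: list[bytes]) -> bytes:
    """Rebuild the data; only correct when every chunk is present."""
    if not chunks:
        raise ValueError("no chunks supplied")
    return reduce(xor_bytes, chunks)


def missing_chunk_for(known: list[bytes], guess: bytes) -> bytes:
    """Return the absent chunk that would make `guess` the stored data.

    Such a chunk exists for every guess of the right length, so providers
    holding only `known` cannot rule out any plaintext.
    """
    return reduce(xor_bytes, known, guess)


if __name__ == "__main__":
    record = b"patient 4711: diagnosis (constructed sample)"
    chunks = split(record, 3)            # three hypothetical providers
    assert combine(chunks) == record     # all providers together recover it
    decoy = b"-" * len(record)
    forged = missing_chunk_for(chunks[:2], decoy)
    assert combine(chunks[:2] + [forged]) == decoy
    print("recovered:", combine(chunks).decode())
```

This sketch covers confidentiality only: losing any one chunk loses the data, so the redundancy in RAIN's name would need replication or a threshold scheme on top.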

Open risk taxonomy [1]

Open risk taxonomy generalizes the issues (contributing factors) into a small set of similar, generalized issue categories. In this paper [1], the risk focus is divided mainly into two types, 'loss event frequency' and 'probable loss magnitude', and all the remaining risk factors must fall into one of these categories.

Hypervisors [14]

Cloud Computing builds on the concept of 'provisioning services in a timely (near on instant), on-demand manner, to allow the scaling up and down of resources'. This approach of making computing a utility in the cloud environment provides an opportunity to dynamically scale the computing resources that are shared among customers using virtualization technology. Allocating and de-allocating these resources efficiently is an open challenge that is solved by hypervisors: the allocation and de-allocation mechanisms are automated through them. In addition, we have analyzed that at present VMware, XEN systems (using XEN hypervisors) and Kernel-based Virtual Machine (KVM) serve as the hypervisors in the real-time cloud computing world.

Keywords that occurred in our Confidentiality Framework

(Clear and extra explanation of each and every word used in our Framework)


Cloud system analysis and design

System analysis and design is the initial step, in which we choose the cloud deployment model [15] and design the tasks that work upon the chosen model.

Cloud security requirements

General security requirements such as key encryption [5] [11], data storage privacy [8] and many other fundamental requirements should be analyzed before implementing any cloud model. This helps reduce the risk of cloud failure in security matters. This general look-up of which security requirements are needed will somewhat increase confidentiality for the cloud customers.

Data Location Dimension

Cloud confidentiality fails due to the lack of cloud transparency towards customers. Customers are reluctant to move their businesses onto the cloud as they can't see where their data is located; hence, the data location dimension distinguishes the data location from the data owner's perspective rather than the data provider's perspective [10].

System security control structure

The original security model, designed to operate on the cloud security requirements found earlier, is developed here in the security control structure. All the security issues are analyzed here and further classified into 3 major chunks (technical, organizational, legal), and are sent to be solved by the different departments that are responsible for solving them [4].

Access controls

The cloud sphere models [10], such as the recipient sphere, user sphere and hybrid sphere, appear in the access control criteria and work in the same way, carrying their responsibilities and concepts over into the access control functions. Even though these access controls arose from the sphere concept, their main duty is to preserve confidentiality for the data that is being processed in and out of the cloud. As soon as we set the access control to one of these spheres, the cloud will adhere to the responsibilities of the sphere that is set and will work accordingly.

General security limitations

The general security limitations arise from the concepts of data provisioning and security controls, as bounded in NIST draft SP800-125 [14] and NIST Draft SP800-30 [12] respectively. Items such as enabling encryption techniques; implementation of virtual private networks; implementation of security settings that suit the service level agreements [2] (that render to organizational standards); generating security assurance criteria; and so on come under the general security limitations concept.

Cloud offerings

The cloud offering is the final step, in which we choose the cloud service model [15] and design the tasks that work upon the chosen model.

APPENDIX E – INCLUDED STUDIES

POST-SLR EXTRA HELPFUL REFERENCES ([S])

[S1]. C. Alcaraz, I. Agudo, D. Nunez, and J. Lopez, “Managing Incidents in Smart Grids à la Cloud,” in 2011 IEEE Third International Conference on Cloud Computing Technology and Science (CloudCom), 2011, pp. 527–531.

[S2]. C. I. Dalton, D. Plaquin, W. Weidner, D. Kuhlmann, B. Balacheff, and R. Brown, “Trusted virtual platforms,” ACM SIGOPS Operating Systems Review, vol. 43, no. 1, p. 36, Jan. 2009.

[S3]. D. W. Chadwick and K. Fatema, “A privacy preserving authorisation system for the cloud,” Journal of Computer and System Sciences, vol. 78, no. 5, pp. 1359–1373, Sep. 2012.

[S4]. H. Takabi, J. B. D. Joshi, and G.-J. Ahn, “Security and Privacy Challenges in Cloud Computing Environments,” IEEE Security & Privacy Magazine, vol. 8, no. 6, pp. 24–31, Nov. 2010.

[S5]. J. Li, B. Stephenson, H. R. Motahari-Nezhad, and S. Singhal, “GEODAC: A Data Assurance Policy Specification and Enforcement Framework for Outsourced Services,” IEEE Transactions on Services Computing, vol. 4, no. 4, pp. 340–354, Oct. 2011.

[S6]. J. Hao and W. Cai, “Trusted Block as a Service: Towards Sensitive Applications on the Cloud,” in 2011 IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 2011, pp. 73–82.

[S7]. L. M. Kaufman, “Data Security in the World of Cloud Computing,” IEEE Security & Privacy Magazine, vol. 7, no. 4, pp. 61–64, Jul. 2009.

[S8]. P. Angin, B. Bhargava, R. Ranchal, N. Singh, M. Linderman, L. Ben Othmane, and L. Lilien, “An Entity-Centric Approach for Privacy and Identity Management in Cloud Computing,” in 2010 29th IEEE Symposium on Reliable Distributed Systems, 2010, pp. 177–183.

[S9]. R. Padilha and F. Pedone, “Belisarius: BFT Storage with Confidentiality,” in 2011 10th IEEE International Symposium on Network Computing and Applications (NCA), 2011, pp. 9–16.

[S10]. R. K. L. Ko, P. Jagadpramana, M. Mowbray, S. Pearson, M. Kirchberg, Q. Liang, and B. S. Lee, “TrustCloud: A Framework for Accountability and Trust in Cloud Computing,” in 2011 IEEE World Congress on Services (SERVICES), 2011, pp. 584–588.

[S11]. R. Seiger, S. Gross, and A. Schill, “SecCSIE: A Secure Cloud Storage Integrator for Enterprises,” in 2011 IEEE 13th Conference on Commerce and Enterprise Computing (CEC), 2011, pp. 252–255.

[S12]. S. Pearson and A. Benameur, “Privacy, Security and Trust Issues Arising from Cloud Computing,” in 2010 IEEE Second International Conference on Cloud Computing Technology and Science (CloudCom), 2010, pp. 693–702.

[S13]. U. Greveler, B. Justus, and D. Loehr, “A Privacy Preserving System for Cloud Computing,” in 2011 IEEE 11th International Conference on Computer and Information Technology (CIT), 2011, pp. 648–653.

[S14]. X. Zhang, N. Wuwong, H. Li, and X. Zhang, “Information security risk management framework for the cloud computing environments,” Proceedings - 10th IEEE International Conference on Computer and Information Technology, CIT-2010, 7th IEEE International Conference on Embedded Software and Systems, ICESS-2010, ScalCom-2010, pp. 1328.

[S15]. “Standards for Security Categorization of Federal Information and Information Systems,” National Institute of Standards and Technology (NIST), FIPS Pub. 199, Feb. 2004.

We found 26 relevant and available papers, of which only 11 supported our study relating to the confidentiality framework. Listed here are some extra references (excluding the 11 references that are presented in the research report): those that did not support our framework in any way but helped us gain some extra knowledge.

PRE-SLR (ASSIGNMENT-1 SLR) - REFERENCES ([R])

[R1]. D. Carrell, “A Strategy for Deploying Secure Cloud-Based Natural Language Processing Systems for Applied Research Involving Clinical Text,” in 2011 44th Hawaii International Conference on System Sciences (HICSS 2011), 4-7 Jan. 2011, Los Alamitos, CA, USA, 2011, pp. 11.

[R2]. F. B. Shaikh and S. Haider, “Security threats in cloud computing,” in 2011 6th International Conference for Internet Technology and Secured Transactions (ICITST), 11-14 Dec. 2011, Piscataway, NJ, USA, 2011, p. 214–19.

[R3]. Hao Sun and K. Aida, “A Hybrid and Secure Mechanism to Execute Parameter Survey Applications on Local and Public Cloud Resources,” in 2010 IEEE 2nd International Conference on Cloud Computing Technology and Science (CloudCom 2010), 30 Nov.-3 Dec. 2010, Los Alamitos, CA, USA, 2010, p. 118–26.

[R4]. Jen-Sheng Wang, Che-Hung Liu, and G. T. R. Lin, “How to manage information security in cloud computing,” in 2011 IEEE International Conference on Systems, Man and Cybernetics, 9-12 Oct. 2011, Piscataway, NJ, USA, 2011, p. 1405–10.

[R5]. J. C. Roberts II and W. Al-Hamdani, “Who can you trust in the cloud? A review of security issues within cloud computing,” in 2011 Information Security Curriculum Development Conference, InfoSecCD’11, September 30, 2011 - October 1, 2011, Kennesaw, GA, United States, 2011, pp. 15–19.

[R6]. K. Dahbur, B. Mohammad, and A. B. Tarakji, “A survey of risks, threats and vulnerabilities in cloud computing,” in 2nd International Conference on Intelligent Semantic Web-Services and Applications, ISWSA 2011, April 18, 2011 - April 20, 2011, Amman, Jordan, 2011, p. The Isra University.

[R7]. L. M. Vaquero, L. Rodero-Merino, and D. Moran, “Locking the sky: a survey on IaaS cloud security,” Computing, vol. 91, no. 1, pp. 93–118, Jan. 2011.

[R8]. L. Sumter, “Cloud computing: Security risk,” in 48th Annual Southeast Regional Conference, ACM SE’10, April 15, 2010 – April 17, 2010, Oxford, MS, United States, 2010.

[R9]. Minqi Zhou, Rong Zhang, Wei Xie, Weining Qian, and Aoying Zhou, “Security and Privacy in Cloud Computing: A Survey,” in 2010 Sixth International Conference on Semantics Knowledge and Grid (SKG 2010), 1-3 Nov. 2010, Los Alamitos, CA, USA, 2010, p. 105–12.

[R10]. M. Jensen, J. Schwenk, N. Gruschka, and L. L. Iacono, “On technical security issues in cloud computing,” in 2009 IEEE International Conference on Cloud Computing (CLOUD), 21-25 Sept. 2009, Piscataway, NJ, USA, 2009, p. 109–16.

[R11]. M. Townsend, “Managing a security program in a cloud computing environment,” in 2009 Information Security Curriculum Development Annual Conference, InfoSecCD’09, September 25, 2009 - September 26, 2009, Kennesaw, GA, United States, 2009, pp. 128–133.

[R12]. M. T. Khorshed, A. B. M. Shawkat Ali, and S. A. Wasimi, “Trust issues that create threats for cyber attacks in cloud computing,” in 2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011, December 7, 2011 – December 9, 2011, Tainan, Taiwan, 2011, pp. 900–905.

[R13]. M. T. Khorshed, A. B. M. S. Ali, and S. A. Wasimi, “A survey on gaps, threat remediation challenges and some thoughts for proactive attack detection in cloud computing,” P.O. Box 211, Amsterdam, 1000 AE, Netherlands, 2012, vol. 28, pp. 833–851.

[R14]. P. Jain, D. Rane, and S. Patidar, “A survey and analysis of cloud model-based security for computing secure cloud bursting and aggregation in renal environment,” in 2011 World Congress on Information and Communication Technologies (WICT), 11-14 Dec. 2011, Piscataway, NJ, USA, 2011, p. 456–61.

[R15]. R. Glott, E. Husmann, A.-R. Sadeghi, and M. Schunter, “Trustworthy Clouds Underpinning the Future Internet,” in The Future Internet, Berlin, Germany: Springer Verlag, 2011, p. 209–21.

[R16]. S. Ramgovind, M. M. Eloff, and E. Smith, “The management of security in Cloud computing,” in 2010 Information Security for South Africa (ISSA 2010), 2-4 Aug. 2010, Piscataway, NJ, USA, 2010, p. 7 pp.

[R17]. S. Subashini and V. Kavitha, “A survey on security issues in service delivery models of cloud computing,” Journal of Network and Computer Applications, vol. 34, no. 1, pp. 1–11, Jan. 2011.

[R18]. S. Tabet and M. Pohlman, “Cloud Computing: Combining Governance, Compliance, and Trust Standards with Declarative Rule-Based Frameworks,” in Rule-Based Modeling and Computing on the Semantic Web. 5th International Symposium, RuleML 2011 - America, 3-5 Nov. 2011, Berlin, Germany, 2011, p. 230–6.

[R19]. Tsung-Hui Lu, Li-Yun Chang, and Zhe-Jung Lee, “Integrating Security Certification with IT Education,” in 2011 International Conference on System Science and Engineering (ICSSE), 8-10 June 2011, Piscataway, NJ, USA, 2011, p. 582–7.

[R20]. Xin Yang, Qingni Shen, Yahui Yang, and Sihan Qing, “A Way of Key Management in Cloud Storage Based on Trusted Computing,” in Network and Parallel Computing. 8th IFIP International Conference, NPC 2011, 21-23 Oct. 2011, Berlin, Germany, 2011, p. 135–45.

[R21]. Xue Jing and Zhang Jian-jun, “A brief survey on the security model of cloud computing,” in 2010 Ninth International Symposium on Distributed Computing and Applications to Business, Engineering and Science (DCABES 2010), 10-12 Aug. 2010, Los Alamitos, CA, USA, 2010, p. 475–8.

[R22]. X. Lin, “Survey on cloud based mobile security and a new framework for improvement,” in 2011 International Conference on Information and Automation, ICIA 2011, June 6, 2011 - June 8, 2011, Shenzhen, China, 2011, pp. 710–715.