Table of Contents
Critical Review of Published Research Article 223963
Report Section 1 - Critical Review
Research focus
Topic of Interest
Dominant Paradigms in Cloud Security and Building Trust
Cloud Environments Studied
Research Results and Measurements
Article Points of Interest
Report Section 2 - Additional References
Report Section 3 - Literature Gap
Report: Conclusions
When an organization has decided to implement a cloud service platform to conduct its functions and operations on the cloud, it is critical that the platform upholds trust. It is critical that businesses seeking to implement a cloud platform for their end users identify a cloud identity provider that has put in place systems that ensure trust in the platform. Cloud identity providers are organizations which provide cloud services that enable an organization to store its Information Technology resources and enterprise data on the cloud. The cloud identity provider goes further and investigates the end user to verify whether their certificates allow them to connect to the requested resources. When end users access a given application or platform online, they prioritize the security and privacy provided by the platform to determine whether the cloud platform upholds trust. End users are at times required to provide some private information to register and access most business cloud platforms. As a result, end users require the cloud platform to uphold and secure their information to ensure privacy and confidentiality.
This paper will analyze several articles that tackle the topic of trust frameworks in the cloud environment. The analyzed articles provide information on the perspective of the end user and trust requirements when they are accessing digital services in the delivery of IT identity service. It is critical for cloud identity providers to provide a trust framework that enables the system end user to evaluate the trust they can place on the cloud service platform. It is recommended that cloud identity providers and businesses using the cloud platform create a single trust value that sums the overall level and strength of security provided by the cloud identity service provider. This provides the end user with a metric of trust levels to guide them in their decision making process.
The trust value should be monitored and updated frequently by considering the transactions and experiences of end users in a specific time period. The aim of this report is to evaluate the process of developing a trust management framework that will guide businesses in selecting the right cloud identity provider using the trust requirements of the end user. The scope of this report covers all aspects and perspectives of end users on the specific security aspects they require from cloud platforms, in order to develop a single trust value that assists the business in deciding on the best cloud identity provider. The key terms used in this report are:
Trust Management Framework - a system of measuring the reputation, reliability, security and privacy of a Cloud Identity Provider
End user - a customer accessing the business digital platform
Cloud Identity Provider - an organization that verifies end users and requested cloud resources before allowing access to resources
The major problem that businesses have with cloud service providers is the lack of control of the cloud service platform, since the cloud service provider controls all aspects including decryption keys (Cusack and Ghazizadeh, 2016). Other major cloud service concerns are governance issues and security concerns. The main threats in cloud service are leakage of data, account hijack, traffic hijacking, and loss of data (Cusack & Ghazizadeh, 2016, pp. 1-15).
As the number of businesses using cloud service platforms to conduct their business increases compared to businesses using an in-house enterprise network, the number of cloud identity providers is on the rise. The common characteristics of cloud services offered by different cloud identity providers include the ability to deploy the cloud service on a massive scale, provision of homogeneous services and products, virtualization, low cost of cloud services, resilient computing, geographic distribution, advanced security protocols and orientation towards service delivery. The essential characteristics of cloud service providers are broad network access that opens the computer grid to World Wide Web (WWW) services, resource pooling, flexibility and scalability, and metrics to measure the service. Despite these common characteristics of the cloud services platform, cloud identity service providers differ in how they implement the aspects of cloud. As a result, the scope of what cloud computing entails is diverse and continues to change, because cloud technology is an unfolding concept.
The increasing cyber related threats and risks have made it necessary for cloud service providers to add multiple design layers compared to traditional computing systems, increasing vulnerabilities in the platform.
It is critical that cloud service providers enhance cloud security. This will involve integrating complex security and protection mechanisms that safeguard confidentiality by ensuring that information is not disclosed to unauthorized users, promote integrity of information by ensuring there is no unauthorized editing or deletion of data, and ensure that cloud services and information are available to authorized users.
Privacy can be described as the ability of individuals to control personal information and to determine which people or organizations are allowed or denied access. The privacy issues that arise differ between cloud scenarios and fall into several categories. The first is how to assist end users to maintain control of their data that is stored or processed on the cloud platform, to prevent theft, unauthorized re-selling of data and nefarious use of data. The second is guaranteeing replication of data in a fixed jurisdiction to ensure consistency of data and prevent data loss, data leakage or fabrication. The next category identifies the party tasked with ensuring compliance with legal requirements when handling personal information, and the final one is the identification, verification and checking of cloud service sub-contractors who engage in data processing.
The cloud trust issues evaluate the cloud platform attributes that increase the confidence of the end user in the reliability, privacy and security of the platform (Cusack & Ghazizadeh, 2016, pp. 1-15). The levels of trust in the cloud platform differ depending on the type of deployment, with the private cloud model having the highest trust levels since cloud infrastructure and assets are used by specific and known users, while the community cloud trust level is lower since the platform serves diverse consumers. The public cloud platform involves users who do not know each other and thus has increased insecurity issues (Cusack & Ghazizadeh, 2016, pp. 1-15). Cloud service environments are categorized by the way they consider and provide differing security levels based on the trust degree, and by their methods of managing the trust degree, monitoring it over time and adjusting the trust levels accurately.
In order to ensure accurate and efficient monitoring of the cloud platform, it is important to describe the best way to monitor critical attributes in the cloud platform, including scalability, quality of service, service continuity, load balancing and application performance; ways of guaranteeing service level agreements (SLAs); the best measurement strategies to manage large scale and complex cloud infrastructures; and ways to measure the root causes of end to end performance in the cloud platform. One critical factor of an efficient and trustworthy cloud platform is user identification. This involves developing a user directory containing end user identities, and authorizing and authenticating end users based on their identity before giving them access to cloud information and data. An identity management system develops trust between providers and domains, enabling the control and exchange of identity based information while maintaining the privacy of users.
According to Cusack and Ghazizadeh (2016), identity management systems are critical systems that assign users a cloud identity to verify users and enable them to access cloud services depending on their authorization level. The Single Sign On method requires users to sign up for an account, with their personal information stored on cloud identity providers (IdPs) tasked with managing the user identity, enabling users to access different cloud services with a single account, and releasing requested information to external entities. Cloud identity providers use different protocols to manage user identities, including the OAuth mechanism, which provides end users with a platform to authorize 3rd parties to access their cloud resources without sharing user credentials, and the Yang open source, which integrates identity profiles and social relationship information on multiple web sites and manages data flows to external businesses.
Individuals should establish a trust mechanism so as to enable them to have faith in cloud service systems (Cusack & Ghazizadeh, 2016, pp. 1-15). The key elements evaluated include the cloud entity, which is tasked with discovery and ranking of trusted services using trust management, direct and indirect trust and evaluation design. The other elements are monitoring the trust performance of current and historical cloud services, and the computing service network structure and catalogue, which divides IT resources into different classes.
The trust models available for use include the Service Level Agreements based trust model (STM), which involves the SLA agents outlining parameters for encryption and key management to ensure confidentiality, establishing access controls to safeguard data ownership, and setting requirements for data replication to ensure availability. However, STM does not allow updating of trust parameters or evaluation of the end user trust. The Trust model for security aware cloud collects feedback from external cloud service providers to analyze the different levels of quality of service and transparency offered by CSPs. The Ticket based trust model involves issuing TTMs to authorized users using capability lists, which include user ID, data ID and access rights, to determine which users can access information. The certification based trust model does not offer any form of execution control or transparency of the quality of service.
The common attributes examined by these trust frameworks involve evaluating the risk level, authentication, security, accuracy, integration and privacy as the basis of trust (Cusack and Ghazizadeh, 2016). This article is well detailed and contains up to date information on what trust in the cloud environment entails, the different trust frameworks and the parameters for organizations to measure trust before selecting a cloud service provider for their business cloud platform.
|Full Article References||Short Summary of the Article||Short Account of How the Article is Relevant|
|Ardagna, C., Asal, R, & Vu, Q. From security to assurance in the cloud: A survey. ACM computing surveys, 48, 1, 2-50.||This article provides an elaborate and detailed view of the cloud computing system. It has an in-depth analysis of the suitability of cloud computing in the deployment of various computing processes to businesses and various organizations. The main study discussed in this paper is on the service level and non-functional properties of cloud computing. In particular, the paper evaluates the significance of cloud security and cloud assurance. Finally, the article provides recommendations concerning the aforementioned issues.||This paper highlights the importance of cloud computing in ensuring that information and data belonging to its users is kept in a safe manner. More importantly, the article shows the link between cloud computing and assuring its users of consistency in the provision of critical computing services and access to various applications.|
|Albakri, SH, Shanmugam, B, Samy, GN, Idris, NB & Ahmed, A 2014, ‘Security risk assessment framework for cloud computing environments’ Security and Communication Networks, vol 7, no. 11, pp. 2114-2124. DOI: 10.1002/sec.923||This article has a detailed assessment of the security risk associated with cloud computing. Generally, this paper highlights the importance of cloud computing, especially in minimizing the cost of computing by letting people pay only for the computing service that they need. Importantly, this paper discusses the security risks associated with cloud computing. In particular, it notes that although most risk assessment standards assume that an organization fully manages its assets and, accordingly, all security with regard to them, this assumption does not apply to cloud computing.||This article is relevant to this paper as it enabled me to have a critical view of the security risk and framework of cloud computing. Moreover, it enabled me to have a realistic and accurate assessment of cloud computing with regard to its complexity and risks to clients.|
|Cusack, B. and Ghazizadeh, E. 2016. Analyzing Trust Issues in Cloud Identity Environments. Australasian Conference on Information Systems.||This paper provides a detailed and elaborate analysis of the factors that create trust among users of the cloud computing system in its reliability, security, and assurance. In particular, it evaluates the importance of maintaining contractual and jurisdiction boundaries among the providers of cloud services. Importantly, these measures ensure there is credibility and trust in the cloud environment. The creation of a trust-based model ensures that decision making is done in a trustworthy manner.||This article is relevant to this paper since it gives important information on the establishment and assessment of trust issues in cloud systems. In particular, it shows the relationship between security and the creation of a trustworthy system that adheres to contractual and jurisdiction boundaries in creating a cloud system.|
Businesses now have a wide pool of cloud identity providers to choose from, a task that can be challenging due to emerging issues such as security, monitoring, privacy and trust. Cloud service end users decide which cloud platform to visit based on the level of trust that the platform offers. Since security risks and the probability of unauthorized access to or altering of information in the cloud platform are plenty, organizations need to develop an effective and up to date trust management framework when they are selecting the cloud service provider for their business. The cloud platform removes the power to control and manage the security and trust attributes from the business. Since businesses will be outsourcing the role of security, reliability, confidentiality and trust to the cloud service provider, it is critical for businesses to develop effective strategies for the selection of the cloud service provider, hence the need for a trust management framework to guide this process.
The Cusack and Ghazizadeh (2016) article recommends the use of the trust value metric as an effective parameter to measure the trust levels of a cloud service provider and identity provider. The trust value metric is based on how the cloud service provider weighs on attributes such as security, risk, reliability, scalability, efficiency, confidentiality, availability and trust scale. The article proposes the use of trust based modelling as the basis for developing the trust framework, to create a trustworthy foundation that will help end users decide which cloud platforms are the most trustworthy and will secure and maintain the privacy of their information. Ardagna et al. (2015) propose the use of cloud security assurance as an added layer for increasing client trust in a cloud platform. The cloud service provider is required to survey the security techniques used in its platform and to measure the security level provided by the platform. Other aspects considered when determining cloud security assurance include proven expertise in migration, transition and integration of cloud platforms, the security design and level of implementation, business analysis, and the interaction and support provided by the CSP. The cloud service provider is then issued with a cloud security assurance based on how it measures on these attributes. The Albakri et al. (2014) article details the cloud security risk assessment framework as a platform to assess cloud risks and assist businesses in deciding on the most effective cloud platform. The Alhamazani et al. (2015) article, on the other hand, proposes building end user trust by continuously monitoring the cloud platform and its operations to detect failures and weaknesses, followed by instituting measures to curb the identified failures, to continually improve the cloud platform and build trust.
The articles evaluated in this report provide different designs for measuring the trust level of the cloud service provider and identity provider, but they can still be improved. The trust management framework based on the trust model described by Cusack and Ghazizadeh (2016) relies on metrics developed by the cloud client or business. As a result, the parameters and attributes used to define trust are business based and may not reflect the actual perspective of customers, who are part of the end users. To improve this trust framework, there is a need to include customer or end user input on the trust-related attributes they consider important. There is therefore a need to develop a framework that enables businesses to interact with their customer base and conduct a survey of the trust parameters they consider important in building their trust in a given cloud platform. This will provide the business or cloud client with actionable metrics to measure trust based on elements that customer end users value. There is thus a need for future research on the development of frameworks that include end users/customers in analyzing trust parameters and that include this information when choosing cloud service providers and identity providers. Cusack and Ghazizadeh (2016) also base their trust based model on a one time evaluation of cloud service providers. This should not be the case since cloud technologies continue to change and cloud security risks increase.
This creates the need for a framework that continually evaluates the trust credentials and the parameters of trust attributes to provide up to date information, since a cloud service provider that passes the trust parameters can stagnate in its efforts to continually improve its security mechanisms, and hence drop down the trust scale. The cloud security risk assessment framework proposed by Albakri et al. (2014) and the security assurance model proposed by Ardagna et al. (2015) should also be continuously evaluated to determine whether cloud service providers are continually improving their security mechanisms and risk management processes. Cloud service providers and identity providers which do not offer continual development of their products, security and privacy aspects need to be replaced by more proactive, security vibrant and trustworthy providers, since business and customer cloud preferences and cyber threats continue to change with time. The issue of continuous trust evaluation of cloud service providers needs further research since it has direct impacts on the business.
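The two gaps described above (weights that reflect what end users value, and a trust value that is re-evaluated over time instead of once) can be sketched as follows. This is an added example, not taken from any of the reviewed articles; the weighting scheme, the smoothing factor, the threshold, the provider names and every number are assumptions constructed for illustration.

```python
from statistics import mean

# Attributes the report names as inputs to the trust value (a subset).
ATTRIBUTES = ("security", "confidentiality", "reliability", "availability")

# Constructed sample data: survey ratings, starting scores and feedback are
# illustrative assumptions, not measurements of any real provider.
SURVEY = {"security": 4, "confidentiality": 3, "reliability": 2, "availability": 1}
INITIAL = {
    "idp-a": {"security": 0.9, "confidentiality": 0.9,
              "reliability": 0.8, "availability": 0.8},
    "idp-b": {"security": 0.7, "confidentiality": 0.8,
              "reliability": 0.8, "availability": 0.9},
}
# One dict per evaluation period: provider -> attribute -> end-user ratings.
PERIODS = [
    {"idp-a": {"security": [0.5, 0.7], "confidentiality": [0.7]},
     "idp-b": {"security": [0.9, 0.9]}},
    {"idp-a": {"security": [0.45]},
     "idp-b": {"confidentiality": [1.0]}},
]
THRESHOLD = 0.75  # assumed minimum acceptable trust value


def weights_from_survey(ratings):
    """Turn end-user importance ratings into weights that sum to 1."""
    missing = [a for a in ATTRIBUTES if a not in ratings]
    if missing:
        raise ValueError(f"survey lacks ratings for: {missing}")
    total = sum(ratings[a] for a in ATTRIBUTES)
    if total <= 0:
        raise ValueError("survey ratings must be positive")
    return {a: ratings[a] / total for a in ATTRIBUTES}


def trust_value(scores, weights):
    """Single trust value: weighted sum of per-attribute scores in [0, 1]."""
    for a in ATTRIBUTES:
        if not 0.0 <= scores[a] <= 1.0:
            raise ValueError(f"{a} score out of range: {scores[a]}")
    return sum(weights[a] * scores[a] for a in ATTRIBUTES)


def update_scores(scores, feedback, alpha=0.5):
    """Blend prior scores with one period of end-user feedback.

    Attributes without feedback keep their prior score. alpha is the weight
    given to the newest period (an assumed smoothing factor).
    """
    updated = dict(scores)
    for attr, ratings in feedback.items():
        if attr not in updated:
            raise KeyError(f"unknown attribute: {attr}")
        if ratings:
            updated[attr] = (1 - alpha) * scores[attr] + alpha * mean(ratings)
    return updated


def evaluate(initial, periods, weights, threshold, alpha=0.5):
    """Re-evaluate every provider each period.

    Returns (history, flagged): the trust value per provider after each
    period, and the first period in which a provider fell below threshold.
    """
    current = {p: dict(s) for p, s in initial.items()}
    history = {p: [trust_value(s, weights)] for p, s in current.items()}
    flagged = {}
    for number, period in enumerate(periods, start=1):
        for provider in current:
            current[provider] = update_scores(
                current[provider], period.get(provider, {}), alpha)
            value = trust_value(current[provider], weights)
            history[provider].append(value)
            if value < threshold and provider not in flagged:
                flagged[provider] = number
    return history, flagged


def run_demo():
    """Run the constructed scenario and return (history, flagged)."""
    return evaluate(INITIAL, PERIODS, weights_from_survey(SURVEY), THRESHOLD)


if __name__ == "__main__":
    history, flagged = run_demo()
    for provider, values in history.items():
        print(provider, [round(v, 2) for v in values])
    print("below threshold (provider -> period):", flagged)
```

In this constructed scenario the provider that scores highest at selection time ends up ranked last after two periods of end-user feedback, which a one time evaluation would not reveal.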
The proposed frameworks and methods of identifying cloud service providers offering reliable and trustworthy cloud platforms do not completely address the issue of the trust scale, the main topic of focus. There is a need for a standardized framework and scale that can be used to measure the level of trust of different cloud service and identity providers. There is thus a need for future research on the information and progress currently available on the development of a standardized trust scale to measure trust among CSPs and IdPs.
As information technology continues to penetrate the global market and people shift to conducting a majority of their transactions online, it is critical that businesses which seek to remain relevant and competitive adopt digitalization of their operations and core business activities. The cloud service platform, especially the Software as a Service (SaaS) platform, is a game changer for businesses since it enables them to develop cloud platforms for their business at minimal cost, because cloud service providers charge on a pay as you use basis. The business is also able to save on IT costs since cloud platforms do not require huge initial capital to purchase IT assets, or IT staff to operate, administer and maintain the platform, since these tasks are conducted by the service provider.
Businesses which are seeking to transform their operations and activities on the cloud platform need to develop a trust management framework that analyzes different cloud identity providers, the reliability of the cloud service offered and the trust level provided by the cloud service provider. Development of a trust management framework involves the business conducting research on the trust related information on the provider from sources provided by the cloud identity provider and from external sources. The trust related information is collected, aggregated and compared to determine the best cloud identity provider. The metrics for measuring the trust levels provided by the cloud identity provider are based on the perspectives of the end user. When individuals are transacting on the digital cloud platform, they are inclined to source cloud services from cloud platforms that prioritize security and privacy, critical aspects that build trust in a cloud platform.
The trust value metric is a parameter that is used to rank cloud service and identity providers based on attributes such as risk, reliability, confidentiality and security to measure trust. The trust based model is a recommended trust management framework that will enable the cloud service provider and the identity provider to develop a trust foundation with the cloud client, enabling easier verification and protection of end user information through Single Sign Ons and other protocols.
A further measure to increase trust and enable a business to choose the right cloud service provider is checking their security assurance certifications, which prove the provider's expertise in ensuring reliability, integration and data management. Another method is the use of a security risk assessment framework to measure the level of security and reliability of the cloud service provider. The continuous monitoring tool is a proven tool that ensures continued identification of cloud risks and patching them before they cause damage. Finally, it is recommended that future study be conducted on ways to involve customers by collecting their views on what trust constitutes, and on the need for development of a standardized trust scale to measure the trust element among cloud service and identity providers.
Ardagna, C., Etisalat, R., and Vu, Q., 2015. From security to assurance in the cloud: A survey. ACM computing surveys, 48, 1, 2-50.
Alhamazani, K., Ranjan, R., Mitra, K., Rabhi, F., Jayaraman, P. P., Khan, S. U., 2015. An overview of the commercial cloud monitoring tools: research dimensions, design issues, and state-of-the-art. Computing, 97(4), 357-377.
Albakri, S. H., Shanmugam, B., Samy, G. N., Idris, N. B., & Ahmed, A., 2014. Security risk assessment framework for cloud computing environments. Security and Communication Networks, 7(11), 2114-2124.
Cusack, B. and Ghazizadeh, E. 2016. Analyzing Trust Issues in Cloud Identity Environments. Australasian Conference on Information Systems. Retrieved from https://business.uow.edu.au/content/groups/public/@web/@bus/documents/doc/uow223 17.pdf. Retrieval date March 27, 2017.
Critical Review Journal Reflection and Evaluation Report
Date of research activity
Full description of activity/
References/ resources visited
Reflection related to the activity
|28/03/2017||Research and analysis on different cloud assurance processes and their importance in building trust between businesses, cloud service and identity providers.||8 hours||Ardagna, C., Etisalat, R., and Vu, Q., 2015. From security to assurance in the cloud: a survey. ACM computing surveys, 48, 1, 2-50.||According to Ardagna et al. (2015), cloud computing has gained importance in the provision of computing services for businesses. The main reason behind the continuous rise and adoption of cloud computing is that cloud service providers offer businesses a vision for their cloud platform, and provide IT infrastructure, cloud platform and software services for minimal costs compared to an in house network. Many businesses also value cloud service platforms due to their flexibility and high performance without the need to hire IT personnel to manage the cloud platform and infrastructure. Despite the many benefits offered by the cloud platform, many businesses have concerns about the level of security, the level and quality of service (QoS) and the availability of nonfunctional properties that the business digital application can rely on. Researchers and cloud service providers have in the recent past invested heavily in the nonfunctional aspects of the cloud platform. The nonfunctional properties provided by cloud service providers include performance, response time of the platform, reliability, scalability and fast workload scaling.
Ardagna et al. (2015) move a step further to conduct a detailed study that focuses on the interface between cloud platform security and cloud security assurance. The article provides insight into the critical importance of providing cloud security assurance and how it affects the end user's decision to visit or not to visit a site. Cloud security assurance is the process of assuring the end user or business, and building their confidence, of the ability and readiness of the cloud service provider to provide security and fulfil cloud client requirements. The aspects of cloud security assurance include proving to the client that the cloud service provider has proven expertise in conducting migration to cloud, transition and integration of cloud platforms, and providing public and private Cloud security assurance services. The features of cloud security assurance also include domain knowledge, system security design and effective implementation, Subject Matter Experts (SMEs) expertise, security model development, interaction, and cloud support. The assurance service should also feature an elaborate business and requirements analysis and platform development that engages the client in the process. The advantage of cloud security assurance is that it assures the client that the cloud service provider has expertise in integrating, migrating and transitioning to cloud. The client also benefits from efficient and focused cloud service provision and an interactive planning, development and integration design together with the cloud service provider. The article examines the phenomenal growth of cloud security assurance as a metric for determining the trust level of the cloud service provider, and recommends future development of assurance solutions. Cloud assurance provides cloud clients and end users with a reliability and security guarantee, building trust in the cloud service provider.
|29/03/2017||Analyzing cloud monitoring tools and the role they play in building trust in organizations.||4.5 hours||Alhamazani, K., Ranjan, R., Mitra, K., Rabhi, F., Jayaraman, P. P., Khan, S. U., 2015. An overview of the commercial cloud monitoring tools: research dimensions, design issues, and state-of-the-art. Computing, 97(4), 357-377.||Alhamazani et al. (2015) describe the importance of an organization continually monitoring the cloud platform to determine its effectiveness, reliability and security. Monitoring of cloud platforms involves tracking the cloud platform’s Quality of Service (QoS) as the main parameter to measure virtual resources like the Virtual Machine (VM), cloud storage, cloud network and applications. Cloud monitoring also involves evaluating the physical resources such as servers and databases that different cloud clients share, the applications running on the physical resources and the data stored in the shared physical resources. The cloud platform utilizes a large set of heterogeneous cloud resources, which makes it hard to configure applications and resources on the cloud platform. The configuration of cloud resources needs to change continuously over time to meet quality of service requirements despite uncertainties such as resource failure, resource overloading and spikes in workload.
Cloud platform monitoring is thus a crucial process when operating a business cloud service platform. Cloud monitoring helps cloud service providers and application developers to monitor the efficiency and performance of the cloud platform. This information is used to implement changes in the cloud platform to ensure that the cloud resources and applications operate at the peak level of efficiency at all times. Cloud monitoring is also critical to compare and determine times when the service level agreements do not conform to the quality of services parameters. The article is very insightful in describing the design process of efficient cloud monitoring tools which provide regular reports on cloud performance on different attributes to enable cloud service providers and clients identify when trust has been broken and solutions to build trust on the cloud service platform.
|1/04/2017||Researching the importance of security risk assessments in cloud environments and their importance in building trust in organization cloud platforms.||6 hours||Albakri, S. H., Shanmugam, B., Samy, G. N., Idris, N. B., & Ahmed, A., 2014. Security risk assessment framework for cloud computing environments. Security and Communication Networks, 7(11), 2114-2124.||Cloud computing continues to attract a growing number of business clients utilizing the cloud platform due to the low cost, scalability and high reliability of the platform. Despite these well-known benefits of cloud, many people remain skeptical of the cloud platform due to various security concerns. The traditional risk assessment standards such as ISO27005, AS/NZS 4360 and NIST SP800-30 assume that the organization's assets and security management procedures are controlled by the organization (Albakri, Shanmugam, Samy, Idris, & Ahmed, 2014). This is not the case when it comes to cloud computing, since security and resource management and control are conducted by the cloud service provider. The Albakri et al. (2014) article recommends the use of a cloud security risk assessment framework which will enable cloud service providers to assess the level of risk in the cloud setting, while at the same time enabling cloud clients to contribute to the risk assessment process.
The framework proposed provides a realistic and accurate assessment of risks which considers system evaluation conducted by the cloud clients without complicating the process by direct involvement of cloud clients in risk assessment. This article is relevant for this report since it considers risk assessment and risk management processes as critical factors in improving the security of the cloud platform, using the views of the cloud service provider and the cloud client perspective. These two viewpoints are able to identify the majority of risk factors and enable the CSP to identify measures to address the risk and security concerns, hence building confidence and trust in the cloud platform, which are required by end users.