Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and                 Applications (IJERA...

D32035052

IJERA (International journal of Engineering Research and Applications) is International online, ... peer reviewed journal. For more detail or submit your article, please visit www.ijera.com


  1. Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 3, Issue 2, March-April 2013, pp. 035-052

     Research on preserving User Confidentiality in Cloud Computing – Design of a Confidentiality Framework

     Chaitanya Dwivedula¹, Anusha Choday¹
     ¹ M.Sc. in Software Engineering, Blekinge Institute of Technology (BTH), Karlskrona, Sweden

     I. GROUP MEMBERS' PARTICIPATION

     Group Member      Idea Creation   Report Writing
     Group Member 1    45%             65%
     Group Member 2    55%             35%

     Abstract

     Cloud Computing creates a dynamic resource sharing platform that provides data analytically to the proficient users who are at demand to access data present in the cloud. As this data is stored outside the data owners' boundaries, they are skeptical for utilizing cloud technology in order to store or access their data from those external cloud providers who are outside their own control environment. There are many issues for these active clients (companies or individuals) to be petrified at the thought of using cloud computing paradigm. Some of the main issues that make the clients swear against Cloud Computing are generated from three important security aspects: Confidentiality, Integrity, and Availability. In this Research, we focused only on security models that relate Confidentiality issues. We performed a literature Review for analyzing the existing confidentiality frameworks and security models. We then designed a new theoretical framework for confidentiality in Cloud computing by extracting this literature. We expect this Framework, when implemented practically in the cloud computing paradigm, may generate huge successful results that motivate the clients to transform their businesses on to Cloud.

     Keywords: Cloud Computing, Confidentiality, Security, Framework.

     II. INTRODUCTION

     Cloud Computing evolves to be a consistent term with collaboration of various IT technologies involved in it [15]. Resource pooling technology in Cloud Computing paradigm renders the ability to store and dynamically allocate space to the resources that occur for storage periodically [15]. Virtualization technology [6] in Cloud Computing paradigm renders the ability to run resources that dynamically scale the users' necessity and share the resources available to support the need [15]. Similarly, there are many other technologies that contribute to Cloud Computing. The data storage mechanisms by Resources Pooling occur in Data-Centers [8] [15] which indirectly act like a CLOUD. On the other hand, the concept of 'provisioning services in a timely (near on instant), on-demand manner, to allow the scaling up and down of resources' generates a virtualization mechanism which pretends to be COMPUTING [15]. Hence, CLOUD COMPUTING deserves to be a collective term of several technologies that interrupt effectively for dynamic allocation/de-allocation of resources [15].

     The generally accepted standard definition [15] of Cloud Computing is published with efforts from National Institute of Standards and Technology (NIST). Their published¹ definition is used in our Research Report for analysis about Cloud Computing.

     In short, to describe NIST definition [15], we understood that the convenient and ubiquitous network access creates a moderate effort to the cloud clients to establish their resources on to the Cloud. The shared pool of configurable computing resources contribute an instant allocation/de-allocation of resources that occur for on-demand data access [15]. The rapid provisioning provides a flexible operation of cloud for the cloud providers to scale the resources with assigning and releasing resources from time to time when they are required elsewhere [15]. As the technologies keep intruding into Cloud Computing paradigm, there is no means to say cloud computing is exhaustive. Cloud Computing key-characteristics, models and implementations are more extensively discussed in Section-III.

     The discovery of cloud computing generated a reported progress² of Software Industry and its services to the
  2. companies worldwide; but along with it, the security issues kept eroding to change [2]. This resulted in the clients' view about Cloud Computing as that it lacks in confidentiality for moving their resources onto cloud [10]. Potential clients are now waiting for the answers about how, why and by what means the security is provided to Cloud computing [2].

     The problem is distinct as the security issues occur frequently in parallel to the Cloud development. The environment of Cloud Computing is vast, making it more vulnerable to threats [2]. Hence, we decided to focus on the most eminent security issues that significantly standardize the Confidentiality of Cloud Computing to a better extent. In our Systematic literature review made before our research proposal, we analyzed that Confidentiality alone can specify approximately 50% of the security issues that, when satisfied, cloud computing can emphasis to more interesting software development.

     The data behind the Cloud is technically said to be off-premise and is never under the boundaries of the data owners [8]. These data that are stored in Cloud are beyond the control of data owners, which may converge with loss of confidentiality [2]. We believe that most of the effective customers condemn the use of cloud computing because they are aware of the ethics beneath cloud technologies that are unclear or unknown to them.

     The goal of this Research is to generate a successive framework for Cloud Computing that can predict sufficient Confidentiality gain in this particular Cloud environment. Hence, this Framework will be an extension to our understandings of Frameworks analyzed from Systematic literature review (SLR) that is done at the time of our research.

     Our Research Questions relate this main objective mentioned above and are detailed to study from section-IV. The study process, data collection & analysis methods involved for this research are discussed to detail in the section-V and section-VI. The problems (that may generate during the implementation of the resulted framework), the limitations and the sustainable arguments to our study are brought-up to note in section-VII. Our final research results that are concerned with our research goals are presented to acknowledge our study in conclusions part (section VIII).

     III. BACKGROUND AND MOTIVATION

     The consistent approach of our previous SLR (PRE-SLR) led us to a clear understanding of security issues present in Cloud Computing. Mainly, the security issues such as Confidentiality; Integrity; Availability; are indefinitely implemented to reach the efforts constraining to healthy on-demand network access [2]. Thus, these efforts when indistinct may route to problems in Cloud service models (such as SAAS; PAAS; IAAS;) which when left unsolved might cause lack of proficient security (CIA) [2] [7]. One of the main reasons for Cloud Computing to be inconsistent in confidentiality is due to differences in Cloud models that are getting deployed [2]. The three deployment models (Public Cloud; Private Cloud; & Hybrid cloud;) generate a multiple framework activity that has to be satisfied with confidentiality [7].

     This SLR has also been understood as a proven theory when we re-reviewed the NIST definition several times.

     The definition is supported by five key cloud characteristics, three delivery models and four deployment models [15]. We understood this definition as of three interlinking properties of a Cloud: key characteristics of a cloud, delivery models and deployment models. Our understandings on this definition are presented in the Figure-3.1.

     Figure-3.1: Our understandings on NIST definition [15]

     The key characteristics describe the operations performed in a cloud computing environment. The key characteristics such as On-demand resource sharing; Resource Pooling; Rapid elasticity; monitoring resource allocation; Wide network access; service provisioning; has elaborated the Cloud technology in detail [15]. The Cloud service models such as Software-as-a-Service (SAAS); Platform-as-a-Service (PAAS); Infrastructure-as-a-Service (IAAS); are said to be general classifications of the Cloud [15]. Regardless of the service models that are classified, there exist 3 basic deployment models of Cloud such as Public Cloud; Private Cloud; and Hybrid Cloud. "Hence, the key characteristics of Cloud when applied (to deployment models) provide data (or) services to its Clients."
  3. Here, we also analyzed that Confidentiality issues underlie the challenges in finding answers to questions like:

     • How will Cloud provisioning occur to act?
     • What are Cloud security requirements?
     • How will Data storage occur in Cloud Computing?
     • How reliable is Security architecture of the Cloud?
     • How reliable are the Cloud Services offered?

     So, indirectly we understood that "gaining knowledge about Cloud technology improves half of the Confidentiality levels in the Clients". Hence, these above questions have worked as partial hypothesis for us.

     We are focused to propose a unique framework that can produce a single architecture which allows combination of required security goals; along with all the reliable policies, procedures for all Cloud deployment models in common. So, we further continued our research on classifying the security issues that are analyzed from our PRE-SLR results. With the understandings we have upon the found security issues, we now classified them as the issues that relate to Confidentiality with one among the three, they are:

     Classifying Security Issues in Common
     • Technical issues
     • Organizational issues
     • Legal issues

     The entire list of Security issues are generalized into these three issues in common. This complete list of Security issues obtained in PRE-SLR is presented in Appendix-C.

     Our reasoning for the above classification is as follows:

     Technical issues: All the security issues like 'Shared Technology Vulnerabilities', 'network security' and many others that can find solutions framing security goals in technical area are analyzed as Technical issues.

     Organizational issues: All the security issues like 'Malicious Insiders', 'data location transparency' and many others that can find solutions by framing security goals in organizational area are analyzed as Organizational issues.

     Legal issues: All the security issues like 'policy based or procedural based problems' and many others can get the solutions by framing security goals in this area are sorted to be legal issues.

     The basis of this classification is just to unite all the security issues relevant to confidentiality in Cloud Computing. The main idea besides this type of classification is: 'if we unite all the confidentiality issues in common, then we can easily map them onto our framework that is going to be generated.'

     We hope the companies will need a unique framework like this and future researchers might not fail to be stimulated by the ideas presented by us. While this is a driving cause for the need that encompasses cloud computing, if we can't find the solution for this research, the implications of not solving this problem might be the same as explained above: the confidentiality that lacks behind will generate a fear for the clients (companies, organizations, individuals, etc.) to share/store their resources (or) to transform their businesses on to the Cloud environment.

     IV. RESEARCH DEFINITION AND PLAN

     A. Research objective:

     The goal of this Research is "To generate a sufficient security model-framework for the extent possible, which when implemented: can moderate the activities (that occur for security threats or implicating risks) that are indeed capable of reducing Confidentiality of the Cloud and its environment."

     This Research objective focused our aims onto:
     • Specifying the security issues that relate to Confidentiality in Cloud Computing.
     • Understanding the possible research results of the effective security models presented by the previous researchers.
     • Proposing a more extensive security model-framework that can uniquely state the province of all service and deployment models in collaboration.

     B. Research Questions:

     The interpretation of the above objective is extensively scrutinized, with the need for the necessary knowledge that has to be obtained in collaboration with the new framework to be generated. These following research questions³ (R.Qs) will guide our research:

     R.Q.1: What are the Security issues that sufficiently support Confidentiality, inducible in security Framework of Cloud Computing?

     The Question has been framed in such a way that all the issues found in our PRE-SLR are now to be brought out to analysis where we can know how the security issues collide with the security models framed. For this, we need to know how actually a security model in Cloud Computing exists. Hence, R.Q.1.1 is framed for this analysis. Interpreting the solutions occurred for R.Q.1.1 will relevance the solutions to be found for
  4. R.Q.1.

     R.Q.1.1: How are these Confidentiality issues classified to indulge with consistent security operations in Cloud Computing?

     This R.Q. is generated in such a way that we can understand several constraints for security issues getting involved in the security operations. This question needs a thorough analysis of security models present in the literature. Hence, SLR is conducted to extract the results.

     ³ These R.Qs are re-framed for 'adequacy need' for this report (as commented by our professor {proposal evaluator}) but comply with same research meaning as that of research proposal R.Qs framed earlier.

     R.Q.2: How to uniquely frame Confidentiality within the boundaries of all Cloud security models/Architectures in common?

     Our entire research concept is to find a unique framework for confidentiality in cloud computing and this question serves the purpose of our scope.

     C. Research Methodology:

     Our research is originated by understanding Cloud Computing as a start and then conceived with an objective of what needs to be done. The R.Qs are framed with the basic understanding from the PRE-SLR results and by reading several: research news articles, websites regarding Cloud service offerings, and so on. As our research has to provide solutions with analysis of various security models or confidentiality frameworks in Cloud Computing, we observed that qualitative form of extracting information is an SLR.

     Hence, we conduct an SLR again but now with focus on extracting Security models. For clarity, the SLR that has to be performed now is named as POST-SLR. The difference between these two SLRs is as shown in Appendix-A.

     A Review methodology of this type (SLR) is helpful to generate sufficient solutions for our R.Qs. In addition, our ideas with reference to the issues found in PRE-SLR will be presented for qualitative elaboration in the Framework being generated.

     Systematic Literature Review: (POST-SLR):

     To gain knowledge in Security Models and previous researchers' works on Security Framework activity in cloud computing, we choose SLR as our best means to obtain it. Some of the sufficient reasons for relying only upon SLR are as follows:
     • Analyzing the generally accepted security models in cloud environment.
     • Analyzing the future work that remains unfurnished in the previous security models in Cloud Computing.
     • Analyzing the inconsistent results found in the literature from other researchers.
     • Analyzing ideas that are firmly achieved by the others in this field of study.
     • Applying their models more extensively by clubbing the ideas; to generate new framework with the current security issues that enhance Confidentiality in Cloud.

     With experiences from PRE-SLR, we now choose top journals refereed from several good publications. In our first step, the Journal Ranking is collected from an International Research Group⁴ by name: "Association of Information Systems (AIS)". We have only selected these Top ranked Journal Publications in which again through filters we were able to analyze that only few occur for Cloud Computing study. The task of finding a search engine had been easier for us than finding best journal publications; as most of the search engines are available through our BTH University Find database library portal. We only focused on the search engines that can especially present these Top ranked journal publications. We then filtered our keywords again and again for a proficient search refinement on 'Confidentiality frameworks and security models in Cloud Computing'. The complete operation of POST-SLR is presented in the below data collection & analysis methods.

     • Data Collection method:

     The Qualitative analysis of literature amends with the use of SLR. However, if the distillation process of extracting literature fails, the quality might reduce its heights. Hence, opting for highly qualitative journal publications, selecting effective search databases and framing the search strings for the search operations are said to be the three main aspects of SLR.

     a) Step1: Journal selection: we required papers that present studies of all forms such as Empirical studies, Case-studies, research findings, and all other available literature; but we restricted our search only to the peer-reviewed Journal articles. The list of Journal Publications that attracted us in our study (on security models in Cloud Computing) are presented below. These top ranked journals are sorted with searches made for our Cloud Computing study. The original ranking list of Top Journals as described above are sent to Appendix-B in order to make it clear.

     Journal Articles (Scrutinized)
     • MIS Quarterly (MISQ)
     • Communications of the ACM (CACM)
     • IEEE Transactions (various)
     • Journal of Computer and System Sciences (JCSS)
     • Information Systems Journal (ISJ)
     • Database for Advances of Information Systems (DATABASE)
     • Decision Support Systems (DSS)

     b) Step2: Database selection:
  5. Our experience upon the search engine mattered for a while as this selection is a priority for major papers to be found. Hence, we limited our search within databases where almost all the top ranked Journals can be found. The analysis list of most prominent Search databases that cover all the ranked Journals in relation to Cloud Computing Findings in their search Query; are presented below:

     Search Databases (scrutinized)
     • SCOPUS
     • Engineering Village (INSPEC; COMPENDEX;)

     The search operation designed below is applied with one of these two databases at a time; for example, if we can't find the relevantly interesting data in 'Scopus' then, for clarification, we followed the same search query in 'Engineering Village' database.

     c) Step3: Search operation:

     The Search operation of finding relevant data for our search has been the basic task for our research operation. We now focused on framing the search strings, extracting results, stimulating search results with the scope and refining the search strings if relevant data is not found. The below figure-4.2 demonstrates our search operation.

     Figure-4.1: Search Operation

     As almost all the papers are published online, we have selected Online Databases over the internet and did not use any library or other external sources for our data search.

     We developed a General Search Query baseline for generating our search in such a way that by inserting keywords into this formula may give desired results for our Research Area. This idea is originally developed from the idea behind search interface present in the research database: 'Scopus'. The Search Query we adopted in "Scopus" 'Advanced search' interface is as below:

         (TITLE-ABS-KEY("SEARCH STRING") AND
         SRCTITLE("ACM")
         OR SRCTITLE("MIS Quarterly")
         OR SRCTITLE("IEEE")
         OR SRCTITLE("Journal of Computer and System Sciences")
         OR SRCTITLE("Information Systems Journal")
         OR SRCTITLE("DATABASE")
         OR SRCTITLE("Decision Support Systems"))
         AND PUBYEAR > 2004

     The search strings framed are directly inserted into this formula for results in our research area. A complete list of search strings along with the Strings that even found no results are presented in Appendix-B in order to make it clear. All the keywords that extracted exciting results when applied to search strings framed under this above search formula are presented below:

     Keywords (scrutinized)
     Cloud Computing       Security and privacy
     Security model        Confidentiality Framework
     Privacy Policy(s)     Grid Computing
     Virtualization        Security Architecture
     …                     …

     In the search operation made, we got 11 research articles that are firmly relevant to our study. The process of analyzing these articles is presented below.

     • Data Analysis Method:

     For data analysis, consistent tracking of search results is the ultimate task which dissolves the barriers between knowledge gain and its implementation. The Quality of the search results is assessed with Include/Exclude Criteria, as described below:

     d) Include Criteria:
     • Only Peer reviewed Articles (available) from Journals or Conference papers.
     • Articles should be written in English language.
     • The article has to be published during or after the year 2005.
     • Articles that found relevance with Cloud Computing security models in their Abstracts.

     All the other articles that do not meet the include criteria are said to be excluded.

     In order to validate our Research Methodology, we have also cross-checked our SLR with two other SLRs [17] & [18] in which one is a Thesis paper [18].

     V. RESEARCH OPERATION

     The Scope of this Research is to elaborate the unconditional use of Confidentiality framework that can peers all the service and Deployment models present in the cloud. Hence, our major tasks constitute the operations contributing with the minimal tasks of analyzing security issues, generating a framework that architects all the security solutions for the issues generated and so on.
  6. To achieve our research objective, we started with PRE-SLR for analyzing all the possible security issues and then specifying them to predictable general classifications (such as Technical, organizational, legal issues) as shown in the Section-III. As we can't detail each and every Security issue in the framework and also as we can't map all the issues directly into the framework, we choose this way to generalize them. We believe that most part of the R.Q.1 can be addressed to solutions by analyzing security issues found in PRE-SLR and rest of R.Q.1 is to analyze how these security issues indulge into the framework being generated.

     For solving this remaining part of R.Q.1, again R.Q.1.1 is framed. Now, the research analysis (from POST-SLR) has shown the path for implementing a new framework. The found literatures that solved R.Q.1.1 for the concept of "finding Confidentiality requirements that are classified to indulge with security operations in Cloud computing" are presented below:

     A. Literature Analysis:

     In Engineering privacy [10], the authors generated a three-sphere model (User Sphere; Joint Sphere; and Recipient Sphere;) that occur for user privacy concerns. They relate all the Confidentiality issues to these three spheres. We analyze these models as operations that obscure privacy views. They also generated some architectural mechanisms that can also partially generate confidentiality in Cloud Computing area. These mechanisms are as below:
     • Privacy-by-policy: Based on policy generation which results in Fair Information Practices (FIP). This FIP was contributed to European Legislation privacy [10].
     • Privacy-by-architecture: Based on anonymizing information which results in little or no personal data detection by third parties [10].
     • Hybrid approach: Based on the combination of above two approaches where policies collide with technical mechanisms (architecture), they then enforce privacy enhancements [10].

     These policy centric architectures have given a start to our security framework idea being generated.

     In [4], the authors developed security classification framework which sorted the presence of our research idea for R.Q.1.1 towards a solution. They classified the security issues for Grid Computing environment also with decentralized data control over its architecture. The Figure 5.1 presents their framework:

     Figure-5.1: Classifications of grid computing Security [4]

     As they focused on grid computing, the security issues resulted to solutions in their framework will lead to grid environments security province but as they interlinked these security issues to grid Deployment models (computational grid; data grid; service grid;) and as the same security issues (like intrusion detection) can be found in Cloud deployment models, their framework helped us in our Cloud Computing-Confidentiality framework initiation. Their classification framework also presented the solutions to the issues area-wise (System solutions, Behavioral solutions, Hybrid solutions;). In the same way we focused our solutions to the Confidentiality issues area-wise; they are named as: Technical solutions, Organizational solutions, Legal solutions.

     In Cloud Security Issues article [2], B. R. Kandukuri et al. described several Service Level Agreements (SLAs) for generating notion to different levels of security. According to them SLAs are documents that define relationship between two parties: the cloud Provider and the Customer (recipient). Even they have immensely guided us for our research as their concept of indulging Security Risks in the SLA has given a complete understanding of what needs to be done in our framework. The simple analysis of SLA and its contents are like these:
     • Definition of services
     • Performance management
     • Problem management
     • Customer duties and responsibilities
     • Warranties and remedies

     We analyzed that these contents when applied into action can generate answers for the partial research hypothesis presented above in the Background
  7. Section. We took steps forward in that means of approach.

     To be consciously readying about Encryption concepts in many literatures [5] [11] saying that they have generated a mechanism for confidentiality is not trustworthy for us. They have generated some encryption key-mechanisms, encryption algorithms, Cryptography methods and so on which can be sorted like a solution for "data privacy" alone but not to entire confidentiality measures in security framework. We believe that only a key generation concept might not itself provide confidentiality to the user. We can support this analysis, as said by S. Spiekermann et al. [10], the user is out of the boundaries of the organizational sphere where these keys get generated, and so, even though the key is set private to the users themselves, we can't find any proof to say that these consistent key encryption mechanisms alone can stabilize confidentiality requirement in Cloud environment.

     A new concept said to be RAIN (Redundant Array of Independent Net-storages) [9] has been analyzed from the literature. According to the authors of this article [9], they used a divide and conquer method for the data passing through the clouds. They have also presented their background work of deploying 5 Cloud service models. They are as shown below:
     • Separation model: separates data storage from data processing [9].
     • Availability model: separates stored data from data providers during the time of processing [9].
     • Migration model: describes the data migration from one storage provider to another storage provider [9].
     • Tunnel model: describes data tunneling service between data processing service and data storage service [9].
     • Cryptography model: describes data encryption that is also not intelligible even to the storage provider [9].

     Their procedural implementation gave us an idea for the framework that implements process activities one-onto-one presenting itself as security control-flow architecture.

     In another paper named 'understanding Cloud Vulnerabilities' [1], the authors have generated a framework mitigating the Risk factors into two kinds, "loss event frequency" and "probable loss magnitude"; all the rest are classified into those two risk factors. This can be seen as of a relevance to our security issues generalization concept; for mapping them into the framework that can give solutions to any kind of issues that occur in the open risk taxonomy [1].

     As we are about to conclude our literature review analysis, even though we are unable to completely find a security framework or security model or architecture, we felt that we are satisfied with the solutions that are obtained to R.Q.1 & R.Q.1.1. This Review has shown the relevant security threats or risks or issues that are interlinked with the security models; but for complete solution of R.Q.1 & R.Q.1.1, we also considered a few NIST drafts that enabled the Risk analysis process or frameworks consistent with cloud environment. The below are the knowledge gained concepts from different drafts of NIST.

     In NIST Draft SP800-30 [12], Risk Assessment Methodology Flowchart is presented where we have successively understood each and every concept beneath the Risk taxonomy and its control flow. The seven steps that determine this sequential flow are as follows [12]:

     Step1: System Characterization
     Step2: Threat Identification
     Step3: Vulnerability Identification
     Step4: Control Analysis
     Step5: Likelihood Determination
     Step6: Impact Analysis
     Step7: Risk Determination
     Step8: Control recommendations
     Step9: Results Documentation

     With elaboration, NIST Draft SP800-37 [13] has further presented a Risk Management Framework which became the key to our Research for confidentiality on cloud. This framework is as shown in Figure-5.2 below.

     Figure-5.2: Risk Assessment Framework (NIST SP800-37) [13]

     In NIST draft SP800-125 [14], the architecture of Virtualization technologies is enabled with hypervisors that have played a major role for providing security to the Cloud Computing environment. The security controls when operated in the hypervisors (virtual machine managers for
monitoring multiple hosts) that are placed just before above the cloud offering applications can implemen

Even though deployment models exist, a general scope and control flow of the service models in cloud computing with the views of both consumer and cloud provider are presented in Draft SP800-144 [16]. This Scope in terms of control flow is thus also implemented by us where the cloud provider's view and the customer's view on the framework being generated are extracted to act.

Hence, R.Q.1 is completely fulfilled with knowledge base of security issues as shown above with relevance to security models that are deployed to eradicate trouble caused by these issues.

VI. DATA ANALYSIS AND INTERPRETATION

Even though there are many other security models or frameworks, we presented only the important articles. As the knowledge for relevant data models got its place for our idea creation from among these articles, hence, we concluded the literature review for analysis. Here in this section, we present a Data Framework activity by analyzing all the frameworks, models and other security concepts that are found in the above literature. The framework that satisfies our R.Q.2 is contributed to effect from the FIGURE-6.1 below:

This Framework is done in such a way that cloud providers and their customers have a generalized view on the security operations in their cloud. The framework has also shown the difference between the operations that are carried for stepwise flow. We used orange, blue, green and red colors for differentiating and clubbing several operations carried in the cloud. All the orange boxes denote the general tasks by the cloud provider or their customers. All the blue boxes denote the original security operational flow in the framework. Green and red denote the organizational and technical issues/tasks respectively. The description of these tasks and operations will refer back to the POST-SLR review made in Section-V. If anything is unclear, all the rest including Security concepts and other keywords used in the below framework are clearly elaborated in Appendix-D.

Figure 6.1: Confidentiality Framework for Cloud Computing (our research solution)

VII. DISCUSSIONS

A. Contributions & limitations:

The framework has deployed a risk management activity for security provisioning in cloud environment. We are sure that results generated by us are completely involved with all the levels of security issues and their solutions in all kinds of users' views; and hence, will provide a constant baseline for drawing security architecture in any Cloud based company that indeed can satisfy the cloud customers. Even though just an SLR can't deal with the entire problem area and also as there is no proof that our research analysis can work in the real time industry, we had no other choice as time is our major constraint rather than just implementing a Framework only based on SLR. This framework is limited to the general activities without concise on any further clarifications on the inside elements such as
cryptography and so on.

B. General proceedings (future work):

As of now this model needs to be scrutinized. This model needs to be briefly elaborated deriving each and every activity in the framework analytically with real-time proofs. If we get a chance in thesis, then we are sure that we can get a clear scrutinized security model along with the suggestions made by the professors and real time industry people with the surveys and experiments conducted.

VIII. CONCLUSION

Confidentiality for Cloud Computing deals with the emerging cloud architectures that evolve with time. This continuous evolution process might necessitate to withstand a baseline framework activity. We enabled a framework activity with reference to general security models and patterns. We expect this framework to be a consistent approach to trigger any kind of security mechanism in Cloud Computing. As the views on this model are focused to analysis with both Cloud provider and the customer, we hope that organizations can be at ease to implement their operations directly on to this framework without further discussions.

REFERENCES

[1]. B. Grobauer, T. Walloschek, and E. Stocker, “Understanding Cloud Computing Vulnerabilities,” IEEE Security & Privacy Magazine, vol. 9, no. 2, pp. 50–57, Mar. 2011.
[2]. B. R. Kandukuri, R. Paturi. V., and A. Rakshit, “Cloud Security Issues,” 2009, pp. 517–520.
[3]. C. Chapman, W. Emmerich, F. G. Márquez, S. Clayman, and A. Galis, “Software architecture definition for on-demand cloud provisioning,” Cluster Computing, vol. 15, no. 2, pp. 79–100, Feb. 2011.
[4]. E. Cody, R. Sharman, R. H. Rao, and S. Upadhyaya, “Security in grid computing: A review and synthesis,” Decision Support Systems, vol. 44, no. 4, pp. 749–764, Mar. 2008.
[5]. G. Zhao, C. Rong, J. Li, F. Zhang, and Y. Tang, “Trusted Data Sharing over Untrusted Cloud Storage Providers,” 2010, pp. 97–103.
[6]. K. Riemer and N. Vehring, “Virtual or vague? a literature review exposing conceptual differences in defining virtual organizations in IS research,” Electronic Markets, May 2012.
[7]. K. Shade O, I. Frank and A. Oludele, “Cloud Computing Security Issues and Challenges,” Journal of Network and Computer Applications, vol. 3, no. 5, pp. 247–255, Dec. 2011.
[8]. M. Armbrust, I. Stoica, M. Zaharia, A. Fox, R. Griffith, A. D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, and A. Rabkin, “A view of cloud computing,” Communications of the ACM, vol. 53, no. 4, p. 50, Apr. 2010.
[9]. M. G. Jaatun, G. Zhao, and S. Alapnes, “A Cryptographic Protocol for Communication in a Redundant Array of Independent Net-storages,” 2011, pp. 172–179.
[10]. S. Spiekermann and L. F. Cranor, “Engineering Privacy,” IEEE Transactions on Software Engineering, vol. 35, no. 1, pp. 67–82, Jan. 2009.
[11]. S. Yu, C. Wang, K. Ren, and W. Lou, “Achieving Secure, Scalable, and Fine-grained Data Access Control in Cloud Computing,” 2010, pp. 1–9.

NIST Special Publication (SP) Drafts: [Online] (Available: http://csrc.nist.gov/publications/PubsDrafts.html)

[12]. S. Gary, G. Alice, and F. Alexis, “SP: Risk Management Guide for Information Technology Systems,” National Institute of Standards and Technology (NIST), CSRC-SP800-30, July. 2002.
[13]. “SP: Guide for Applying the Risk Management Framework to Federal Information Systems,” National Institute of Standards and Technology (NIST), CSRC-SP 800-37(Rev-1), Feb. 2010.
[14]. S. Karen, S. Murugiah and H. Paul, “SP: Guide to Security for Full Virtualization Technologies,” National Institute of Standards and Technology (NIST), CSRC-SP 800-125, Jan. 2011.
[15]. M. Peter and G. Timothy, “NIST Definition of Cloud Computing,” National Institute of Standards and Technology (NIST), CSRC-SP 800-145, Sept. 2011.
[16]. J. Wayne and G. Timothy, “SP: Guidelines on Security and Privacy in Public Cloud Computing,” National Institute of Standards and Technology (NIST), CSRC-SP 800-144, Dec. 2011.

SLR model review references:

[17]. S. Jalali and C. Wohlin, 'Agile practices in global software engineering - a systematic map', in 2010 Fifth IEEE International Conference Global
Software Engineering (ICGSE 2010), 23-26 Aug. 2010, Los Alamitos, CA, USA, 2010, pp. 45–54.
[18]. Guido Kok, “Cloud computing & confidentiality,” M.S. thesis, Dept. Comp. Sci. Eng., University of Twente., Enschede-Noord, Nederland, May.24.2010. [Online] (Available: http://purl.utwente.nl/essays/61039)

APPENDIX A

A. Differentiating Our Previous works from this research operation performed now.

A Review methodology of this type (SLR) has already been conducted in our previous assignment (asst-1). The results of that PRE-SLR obtained, have been utilized in background Section-III. As shown in below Figure-A, we name this SLR (made in the research operation) as POST-SLR in order to differentiate from the SLR that is done before our proposal (assignment-1) (For clarity, we name this previous SLR as PRE-SLR).

Figure A: Figure-4.2: Differentiating our work from the past.

APPENDIX B – SEARCH OPERATION

The Journal Publication ranking with relevance to “CLOUD COMPUTING” is roughly analysed for search in every Top ranked publication with basic keywords as 'Cloud Computing AND Confidentiality'. The main motive behind this search is to analyse all the top ranked journal publications that publish topics in concern to Cloud computing. We found only 7 top Publications that gave unique results with the rest left behind with the same search result (as that of the previous publications' search) or no search result at all. The Table-A shows top ranked publications list and cloud findings in them.
Table A: Top ranked journal publication selection from AIS-Journal ranking with relevance to cloud computing.

| Serial | TOP JOURNALS (AIS-MIS Journal Ranking Sequence) | Resulted Search Articles | Research Area relevance | Search operated through: |
|---|---|---|---|---|
| 1. | MIS Quarterly Management Information Systems (MISQ) | 2681 | | EBSCOhost |
| 2. | Information Systems Research (ISR) | 2681 | | EBSCOhost |
| 3. | Communications of the ACM (CACM) | 168 | | ACM Dl library |
| 4. | Management Science (MS) | 2681 | | EBSCOhost |
| 5. | Journal of Management Information Systems (JMIS) | 2681 | | EBSCOhost |
| 6. | Artificial Intelligence (AI) | 3(X) | | ScienceDirect |
| 7. | Data Sciences (DSI) | -NA- | | --- |
| 8. | Harvard Business Review (HBR) | 2681 | | EBSCOhost |
| 9. | IEEE Transactions (various) | 7 | | IEEE Explore |
| 10. | AI Magazine | 2(X) | | AI Magazine |
| 11. | European Journal of Information Systems (EJIS) | -NA- | | --- |
| 12. | Decision Support Systems (DSS) | 17 | | ScienceDirect |
| 13. | IEEE Software (IEEESw) | 7 | | IEEE Explore |
| 14. | Information and Management (I&M) | -NA- | | --- |
| 15. | ACM Transactions on Database Systems (ACMTDS) | 168 | | ACM Dl library |
| 16. | IEEE Transactions on Software Engineering (IEEETSE) | 7 | | IEEE Explore |
| 17. | ACM Transactions (ACMTrans) | 168 | | ACM Dl library |
| 18. | Journal of Computer and System Sciences (JCSS) | 10 | | ScienceDirect |
| 19. | Sloan Management review (SMR) | 2681 | | EBSCOhost |
| 20. | Communications of AIS (CAIS) | 168 | | ACM Dl library |
| 21. | IEEE Transactions on Systems, Man & Cybernetics (IEEETSMC) | 7 | | IEEE Explore |
| 22. | ACM Computing Surveys (ACMCS) | 168 | | ACM Dl library |
| 23. | Journal on Computing (JCOMP) | 168 | | ACM Dl library |
| 24. | Academy of Management Journal | 2681 | | EBSCOhost |
| 25. | International Journal of Electronic Commerce | 2681 | | EBSCOhost |
| 26. | Journal of the AIS | -NA- | | --- |
| 27. | IEEE Transactions on Computers (IEEETC) | 7 | | IEEE Explore |
| 28. | Information Systems Frontiers (ISF) | -NA- | | --- |
| 29. | Journal of Management Systems | 2681 | | EBSCOhost |
| 30. | Organisation Science (OS) | -NA- | | --- |
| 31. | IEEE Computer (IEEEComp) | 7 | | IEEE Explore |
| 32. | Information Systems Journal (ISJ) | 135 | | WILEY online Library |
| 33. | Administrative Science Quarterly | 129(X) | | SAGE Journals |
| 34. | Journal of Global Information Management (JGIM) | -NA- | | --- |
| 35. | The Database for Advances of Information Systems (DATABASE) | 1066 | | EBSCOhost |
| 36. | Journal of Database Management (JDM) | 2681 | | EBSCOhost |
| 37. | Information Systems (IS) | 11 | | ScienceDirect |
| … | … | … | | … |
NOTE: The top ranked Cloud computing publications are marked with three colours: Green, Yellow and Red. The Green colour shows unique search result at the start before finding the same result in other publications. The Yellow represents the Publications which carry Cloud papers but show same result (-repeat-) as that of previous publications and hence neglected. The Red shows that the publications are unavailable (-NA-) or no results found with relevance to Cloud computing topic. The (X) mark besides the search result denotes the papers found irrelevant to the cloud computing research area technically.

After finding these top 7 journals, the search string formula is generated (in section IV) for finding the papers relevant to our research area in Cloud computing. We analyzed that most of the Journals from IEEE and ACM publications differ in name but gave same results. So we sorted them just to be “IEEE” and “ACM” in our search formula generated. The idea behind this is to grab as much as many results from all the publications of IEEE, ACM and all the rest of the 7 unique journals. The below table-B presents the search strings framed that are applied into that search formula generated in the report.

Table B: Search strings framed and (number of) results obtained.

| Search Iteration | Search String [IN (Title, Abstract, Keywords)] | Search Results | Relevant and available | Very well guided |
|---|---|---|---|---|
| 1 | “Cloud Computing” AND “Confidentiality” AND (“framework” OR “model” OR “architecture”) | 23 | 12 | 2 |
| 2 | “Cloud Computing” AND “Security” AND (“model” OR “Framework” OR “Architecture”) | 266 | 8 | 2 |
| 3 | “Cloud Computing” AND “Privacy policy*” | 29 | -Repeat- | 0 |
| 4 | “Cloud Computing” AND “Risk management” | 15 | -Repeat- | 0 |
| 5 | “Cloud Computing” AND “Security requirement*” | 89 | 3 | 1 |
| 6 | “Cloud Computing” AND “Security management” | 153 | -Repeat- | 0 |
| 7 | “Grid Computing” AND “Security” AND (“model” OR “framework” OR “Architecture”) | 225 | 1 | 1 |
| 8 | “Virtualization” AND “Security” AND (“model” OR “Framework” OR “Architecture”) | 146 | 2 | 0 |
| … | … | … | … | … |

We started with the initial search string-Iteration1 to get initial idea on the search results. All the rest of the iterations follow the search made in order to find the results for “cloud computing and confidentiality frameworks”. Inclusion of synonyms and similar words occurred for refining the search strings framed. Singular and plurals were included in the search and hence '*' was included in the search strings above to represent the same. As we involved synonyms, we included OR operator in the search strings framed.

When the above framed 8 search strings are inserted into the search formula we got 26 relevant and available articles. Even though these 26 articles are found only through analysis on Title relevance and (then if needed) abstract readings, we further made a thorough review on these papers and found that only 11 support our Research area firmly. We made use of these 11 articles in our research operation and also referred them to final Confidentiality framework design in cloud computing (our analyzed research solution). Also, among these 11 finally extracted papers, we found that 6 papers guided us very well for our research conclusion. All these 11 articles are listed as references in the research report. All the rest excluding these 11 articles also helped us in gaining some additional knowledge and hence presented in Appendix-E.

APPENDIX C – SECURITY ISSUES GENERALISATION (FROM PRE-SLR)

The security issues that relate to confidentiality are presented here with analysis from our previous studies (PRE-SLR, Assignment-1). As said in the research report, these issues are focused to generalize them into 3 main categories such as Technical, Organizational, Legal issues; as shown in the Table-A below.
Table C: Security issues found in PRE-SLR and our view of generalizing them to 3 main issues

| Security Issues | Issues found from PRE-SLR (references) | Issues can Relate to Confidentiality as :- |
|---|---|---|
| Abuse and Nefarious Use of Cloud Computing | [R7], [R12] | Technical issue |
| Account, Service and Traffic Hijacking | [R7], [R12] | Technical issue |
| Authentication and authorization | [R17] | Technical issue |
| Cost and Limited availability of technical personals | [R1] | Organizational issue |
| Customer Isolation and Information Flow. | [R15] | Technical issue |
| Cloud Integrity and Binding Issues | [R10] | Organizational issue |
| Cloud Security vulnerabilities and Security Attacks | [R2], [R10] | Technical issue |
| Cloud Governance | [R16], [R18] | Legal Issue |
| Data access and Control | [R17] | Technical issue |
| Data back-up and recovery | [R2], [R14], [R20] | Technical issue |
| Data breaches (controlling XML signatures and so on) | [R17] | Technical issue |
| Data location | [R14] | Organizational issue |
| Data protection (Loss/Leakage) | [R7], [R12], [R21] | Technical issue |
| Data provisioning (Audits, etc) | [R2], [R10], [R15] | Technical issue |
| Data segregation | [R17] | Technical issue |
| Ensuring user rights (End user Trust) | [R18], [R21] | Legal issue |
| Federation and Secure Composition | [R15] | Legal issue |
| Identity/Key management (Encryptions) | [R20] | Technical issue |
| Insecure Application Programming Interfaces (web application security) | [R7], [R12] | Technical issue |
| Integrity for users dynamic changes | [R21] | Organizational issue |
| Investigative support (data forensics and so on) | [R2], [R16] | Technical issue |
| legal, policy based and commercial problems | [R18] | Legal issue |
| Long-term viability (End user trust) | [R2], [R16] | Organizational issue |
| Malicious Insiders | [R7], [R12], [R15] | Organizational issue |
| Multi-Compliance Clouds | [R15] | Technical issue |
| Network security | [R17], [R21] | Technical issue |
| Non-Repudiation | [R16] | Organizational Issue |
| Privileged user access | [R14] | Organizational issue |
| Regulatory Compliance | [R16] | Legal issue |
| Reliability | [R8], [R20] | Organizational issue |
| Risk/Threat Management | [R2] | Technical issue |
| Security assurance to cloud users | [R10] | Organizational issue |
| Security Integration & Transparency. | [R15] | Technical issue |
| Shared Technology Vulnerabilities | [R7], [R12] | Technical issue |
| undefined cloud boundaries | [R21] | Legal issue |
| Unknown Risk Profile (lack of transparency) | [R12] | Organizational issue |
| Virtualization vulnerability | [R2], [R17] | Technical issue |

NOTE: The references “[R]” refer to the PRE-SLR references. These references are presented in Appendix-E.

All the security issues presented above that are generalized into these 3 issues are only through our understandings upon them. As we cannot elaborate our analysis on each and every issue in this RM research report, the referenced papers besides the issue (in the above table) can show what exactly each and every issue is. Along with these issues in our hand, in the same way, the further issues that evolve with time or any other issues that are not sighted by us can also be set into one of these 3 issues in the future.

APPENDIX D – KEYWORDS USED (IN THE RESEARCH REPORT)

Cloud Computing & confidentiality (As it is):

Cloud computing (NIST definition)
“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.” [15]

Confidentiality (NIST definition-FIPS PUB 199) [S15]
“Preserving authorized restrictions on information
access and disclosure, including means for protecting personal privacy and proprietary information.”

Integrity (NIST definition-FIPS PUB 199) [S15]
“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.”

Availability (NIST definition-FIPS PUB 199) [S15]
“Ensuring timely and reliable access to and use of information.”

Cloud service models

Software as a service (SaaS) [15]
The SaaS service model is defined to services that render software applications to the cloud customers. Here, if needed, the Cloud provider can also operate these applications instead of customers like application management (updates), storage backups, infrastructure and so on.

Platform as a service (PaaS) [15]
The PaaS service model is derived to offer interfaces such as operational platforms to the cloud customer. These platforms are helpful to the customer in order to build some new applications that are supported on cloud based technologies. Here, the operations such as network management, storage, and operating systems are managed by the cloud provider itself and hence the customer can be relieved to work only for their application development but not in other matters of cloud maintenance.

Infrastructure as a service (IaaS) [15]
The IaaS service model is derived from the concept for reducing costs to the customer. IaaS is structured to provide the capabilities of cloud provisioning, storage management and other fundamental needs to the customer for making them to use cloud technologies. Here, the customer's application or file management is indirectly controlled by the cloud provider.

Grid Deployment models

Computational grid [4]
The concept of separating resources for setting them aside in order to automate the computational works that can reduce computational power and man-power is said to be Computational grid.

Data grid [4]
The information and data are stored or retrieved to analysis from this data grid. This data grid is modeled in such a way that large volumes of data are accessed from single Cloud data centre at a time by several users (or companies or organizations).

Service grid [4]
The grid that offers services to its clients is said to be Service grid. This grid is designed with mechanisms of provisioning customer requirements and offering services they require.

Cloud deployment models

Private Cloud [15]
The services offered are monitored by the organization itself where its services are not shared to be monitored by outsiders for any other purposes, i.e., the physical infrastructure (cloud) may or may not be owned by the organization and might be on-premise or off-premise but will contain a designated service provider (employees or entities) for its cloud computations.

Public cloud [15]
The cloud is provisioned to use by any source that is in need; this source can be an individual, an organization, or some other entity. This cloud is generally maintained by ordinary cloud provider and mechanisms where low-level security is provided for usage.

Hybrid cloud [15]
It is a combination of public or private or any other deployment cloud (such as community clouds) that is designed into single cloud architecture. The user may vary according to the organizational needs and hence the security may also vary with it.

Cloud key characteristics

On-demand resource sharing [15]
The provisioning of services offered can leverage a concept of On-demand resource sharing. This is automated process that enables the control mechanism of reducing human efforts for enabling services to the right users.

Resource Pooling [15]
As delivered to our research report above from NIST, Resource pooling technology in Cloud Computing Paradigm renders the ability to store and dynamically allocate space to the resources to occur for storage periodically.

Rapid elasticity [15]
The rapid elasticity is derived as: provisioning services with capabilities to automatically scale the exact user-demand. The resource is set to use for the demand and this service is reverted back when the customer is not in need of that resource.

Wide network access [15]
The ability to control or manage large area networks is delivered to output by this wide network access. With this characteristic we can access data or information or service even through
mobile devices.

Cloud Spheres models

User Sphere: [10]
The user sphere is a technical domain name which seems to be encompassing a user's device. This sphere has to enable a full access control to the users who own it. The data is set to privacy and is accessible to entities present in external boundaries only with the data owner's permissions. Additionally, user sphere models are trumped with respect to owner's physical privacy and hence, will wait for their interruption to change their access setting when needed.

Recipient Sphere: [10]
In the same way as that of user sphere above, the recipient sphere is a company centric sphere where the organization is responsible for its complete access controls. As the control is within the organization itself, the risk is low when compared to user sphere and so can potentially minimize the risk of privacy breaches.

Joint Sphere [10]
The joint sphere is also a technical domain term of cloud spheres where this sphere can derive the complete cloud to its privacy by setting the controls completely within the organization and also involving its customers with some limitations to access them. We analyzed that this kind of model is not impossible to see in the real world, as we can see social networking sites where the users are given free of charge for using data storage, email services and many other features but the users should indirectly need to know that the full control of these services is withheld with the company (social networking site) itself but not with the user. Hence the privacy control is derived with the complete understandings of the organizations and its customers involved in joint sphere.

Classification of types of Solutions for issues found in grid computing

System solutions [4]
The system based solutions approach is a concept where the technical issues are to be analyzed for solutions and rectifications. Issues such as accessing grid information, auditing grid functions and so on are set to solutions here. We named them to be technical solutions in our research report for our confidentiality framework.

Behavioural solutions [4]
The Behavioral solutions denotes the category where solutions for issues like Immediate job execution, advanced scheduling, job control are sorted out for answers. We named them as Organizational solutions in our research report for our confidentiality framework.

Hybrid solutions [4]
These solutions denote the category that combines all kinds of issues for sorting them to gain hybrid solutions. Here, trust is the fundamental for solving any kind of issue. We did not use this kind of solutions in our framework but instead as trust occurs better with policies and laws, we involved legal issues in our research framework.

Some other keywords from literature

RAIN (Redundant Array of Independent Net-storages) [9]
All the deployment models are split to several independent (non-colluding) storage providers that pretend to be Redundant Array of Independent Net-storages (RAIN). In authors' view a single chunk of data doesn't comprise Confidentiality and hence they derive that the data should be stored using one or several cloud storage providers.

Open risk taxonomy [1]
Open risk taxonomy is nothing but generalizing the issues (factors contributing) into much similar generalized issue categories. In this paper [1], the risk focus is divided mainly into two types 'loss event frequency', 'probable loss magnitude' with all the rest of the factors that occur for risk must be falling into one of these categories.

Hypervisors [14]
Cloud Computing evaluates a Concept of 'provisioning services in a timely (near on instant), on-demand manner, to allow the scaling up and down of resources'. This approach of making computing a utility in cloud environment provides an Opportunity to dynamically scale the computing resource that are shared among customers using virtualization technology. Allocating / de-allocating these resources efficiently, is an open challenge that is solved by Hypervisors. The allocation and de-allocation mechanisms are automated through these hypervisors. In addition, we have analyzed that at present: VMware, XEN systems (using XEN hypervisors), Kernel-based Virtual Machine (KVM); implementing their services pretend to be Hypervisors in the real-time cloud computing world.

Keywords that occurred in our Confidentiality Framework
(Clear and extra explanation of each and every word used in our Framework)
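Added example for the RAIN entry under "Some other keywords from literature" above, where data is spread over independent (non-colluding) storage providers so that one provider's chunk alone is not enough. This is not code from the paper or from the RAIN authors [9]: it swaps in plain XOR secret splitting for their protocol, and the NetStorage class, the provider names and the sample record are constructed for illustration.

```python
import hashlib
import secrets
from functools import reduce


def xor_bytes(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def split(data, n):
    """n-of-n XOR split: n-1 random pads plus data XORed with every pad.

    Any n-1 shares are uniformly random, so they reveal nothing about data.
    """
    if n < 2:
        raise ValueError("need at least two shares")
    pads = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    return pads + [reduce(xor_bytes, pads, data)]


def combine(shares):
    """XOR all shares back together."""
    return reduce(xor_bytes, shares)


class NetStorage:
    """Constructed stand-in for one independent storage provider."""

    def __init__(self, name):
        self.name = name
        self.objects = {}      # object id -> opaque blob
        self.online = True

    def put(self, blob):
        object_id = secrets.token_hex(16)   # random id, unrelated to content
        self.objects[object_id] = blob
        return object_id

    def get(self, object_id):
        if not self.online:
            raise ConnectionError(self.name + " is unreachable")
        return self.objects[object_id]


def store(data, providers):
    """Split data into one share per provider and place each share twice.

    Share i goes to provider i and to its neighbour, so every provider holds
    2 of the n shares. The manifest stays with the data owner.
    """
    n = len(providers)
    if n < 3:
        raise ValueError("with replication, n < 3 gives one provider every share")
    manifest = []
    for i, share in enumerate(split(data, n)):
        holders = (providers[i], providers[(i + 1) % n])
        manifest.append({
            "sha256": hashlib.sha256(share).hexdigest(),
            "locations": [(p.name, p.put(share)) for p in holders],
        })
    return manifest


def retrieve(manifest, providers):
    """Fetch one intact replica of every share and rebuild the data."""
    by_name = {p.name: p for p in providers}
    shares = []
    for entry in manifest:
        for name, object_id in entry["locations"]:
            try:
                blob = by_name[name].get(object_id)
            except (ConnectionError, KeyError):
                continue                      # provider down or object gone
            if hashlib.sha256(blob).hexdigest() == entry["sha256"]:
                shares.append(blob)
                break                         # replica verified, next share
        else:
            raise LookupError("no intact replica of a share is reachable")
    return combine(shares)


if __name__ == "__main__":
    nets = [NetStorage(name) for name in ("net-a", "net-b", "net-c")]
    record = b"constructed sample record: ledger 2013-Q1"
    manifest = store(record, nets)
    nets[2].online = False                    # one provider fails
    print(retrieve(manifest, nets) == record)
    # What a single provider can compute from its own blobs is still padded.
    print(combine(list(nets[0].objects.values())) == record)
```

In this three-provider layout any two providers together hold every share, which is why the non-colluding assumption in the entry carries the confidentiality argument.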
Cloud system analysis and design
The system analysis and design is the initial step where we choose the Cloud deployment model [15] and designing the tasks that work upon that model that is chosen.

Cloud security requirements
The general security requirements like key encryptions [5] [11], data storage privacy [8], and many other fundamental requirements should be analyzed before implementing every cloud model. This helps in reducing the risk of cloud failure in security matters. This general look-up what of security requirements needed will somewhat increase the confidentiality in the cloud customers.

Data Location Dimension
Cloud confidentiality fails due to lack of cloud transparency to the customers. Customers are reluctant to transform their businesses on to cloud as they can't see where their data is located and hence, data location dimension distinguishes the data location in data owner's perspective rather than data provider's perspective [10].

System security control structure
The original security model that is designed to operations for cloud security requirements found earlier is developed here in security control structure. All the security issues are analyzed here and further classified into 3 major chunks (technical, organizational, legal) and are sent to be solved by those different departments that are responsible for solving them [4].

Access controls
The Cloud sphere models [10] such as recipient sphere, user sphere, hybrid sphere occur in access control criteria and will work as the same by transforming their responsibilities and concepts in access controls functions. These access controls even though arose from that sphere concept, the main duty is to preserve confidentiality for the data that is being processed in-and-out of the cloud. As soon as we set the access control to one of these spheres, the cloud will adhere the responsibilities of the sphere that is set and will work for the same.

General security limitations
The general security limitations occur from the concept of data provisioning and security controls that are limited to them in NIST draft SP800-125 [14] and NIST Draft SP800-30 [12] respectively. The general security limitations such as enabling encryption techniques; implementation of virtual private networks; implementation of security settings that suit the service level agreements [2] (that render to organizational standards); generating security assurance criteria and so on come under general security limitations concept.

Cloud offerings
The cloud offering is the final step where we choose the Cloud service model [15] and designing the tasks that work upon that model that is chosen.

APPENDIX E – INCLUDED STUDIES

POST-SLR EXTRA HELPFUL REFERENCES ([S])

[S1]. C. Alcaraz, I. Agudo, D. Nunez, and J. Lopez, “Managing Incidents in Smart Grids à la Cloud,” in 2011 IEEE Third International Conference on Cloud Computing Technology and Science (CloudCom), 2011, pp. 527–531.
[S2]. C. I. Dalton, D. Plaquin, W. Weidner, D. Kuhlmann, B. Balacheff, and R. Brown, “Trusted virtual platforms,” ACM SIGOPS Operating Systems Review, vol. 43, no. 1, p. 36, Jan. 2009.
[S3]. D. W. Chadwick and K. Fatema, “A privacy preserving authorisation system for the cloud,” Journal of Computer and System Sciences, vol. 78, no. 5, pp. 1359–1373, Sep. 2012.
[S4]. H. Takabi, J. B. D. Joshi, and G.-J. Ahn, “Security and Privacy Challenges in Cloud Computing Environments,” IEEE Security & Privacy Magazine, vol. 8, no. 6, pp. 24–31, Nov. 2010.
[S5]. J. Li, B. Stephenson, H. R. Motahari-Nezhad, and S. Singhal, “GEODAC: A Data Assurance Policy Specification and Enforcement Framework for Outsourced Services,” IEEE Transactions on Services Computing, vol. 4, no. 4, pp. 340–354, Oct. 2011.
[S6]. J. Hao and W. Cai, “Trusted Block as a Service: Towards Sensitive Applications on the Cloud,” in 2011 IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 2011, pp. 73–82.
[S7]. L. M. Kaufman, “Data Security in the World of Cloud Computing,” IEEE Security & Privacy Magazine, vol. 7, no. 4, pp. 61–64, Jul. 2009.
[S8]. P. Angin, B. Bhargava, R. Ranchal, N. Singh, M. Linderman, L. Ben Othmane, and L. Lilien, “An Entity-Centric Approach for Privacy and Identity Management in Cloud Computing,” in 2010 29th IEEE Symposium on Reliable Distributed Systems, 2010, pp. 177–183.
[S9]. R. Padilha and F. Pedone, “Belisarius: BFT Storage with Confidentiality,” in 2011 10th IEEE International
  17. 17. Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 3, Issue 2, March -April 2013, pp.035-052 Symposium on Network Computing and 2011, Los Alamitos, CA, USA, 2011, pp. Applications (NCA), 2011, pp. 9 –16. 11. [S10]. R. K. L. Ko, P. Jagadpramana, M. [R2]. F. B. Shaikh and S. Haider, “Security Mowbray, S. Pearson, M. Kirchberg, Q. threats in cloud computing,” in 2011 6th Liang, and B. S. Lee, “TrustCloud: A International Conference for Internet Framework for Accountability and Trust Technology and Secured Transactions in Cloud Computing,” in 2011 IEEE (ICITST), 11-14 Dec. 2011, Piscataway, World Congress on Services (SERVICES), NJ, USA, 2011, p. 214–19. 2011, pp. 584 –588. [R3]. Hao Sun and K. Aida, “A Hybrid and [S11]. R. Seiger, S. Gross, and A. Schill, Secure Mechanism to Execute Parameter “SecCSIE: A Secure Cloud Storage Survey Applications on Local and Public Integrator for Enterprises,” in 2011 IEEE Cloud Resources,” in 2010 IEEE 2nd 13th Conference on Commerce and International Conference on Cloud Enterprise Computing (CEC), 2011, pp. Computing Technology and Science 252 –255. (CloudCom 2010), 30 Nov.-3 Dec. 2010, [S12]. S. Pearson and A. Benameur, “Privacy, Los Alamitos, CA, USA, 2010, p. 118–26. Security and Trust Issues Arising from [R4]. Jen-Sheng Wang, Che-Hung Liu, and G. Cloud Computing,” in 2010 IEEE T. R. Lin, “How to manage information Second International Conference on security in cloud computing,” in 2011 Cloud Computing Technology and Science IEEE International Conference on (CloudCom), 2010, pp. 693 –702. Systems, Man and Cybernetics, 9-12 Oct. [S13]. U. Greveler, B. Justus, and D. Loehr, “A 2011, Piscataway, NJ, USA, 2011, p. Privacy Preserving System for Cloud 1405–10. Computing,” in 2011 IEEE 11th [R5]. J. C. Roberts II and W. Al-Hamdani, International Conference on Computer “Who can you trust in the cloud? 
A review and Information Technology (CIT), 2011, of security issues within cloud pp. 648 –653. computing,” in 2011 Information Security [S14]. X. Zhang, N. Wuwong, H. Li, and X. Curriculum Development Conference, Zhang, "Information security risk InfoSecCD’11, September 30, 2011 - management framework for the cloud October 1, 2011, Kennesaw, GA, United computing environments", Proceedings - states, 2011, pp. 15–19. 10th IEEE International Conference on [R6]. K. Dahbur, B. Mohammad, and A. B. Computer and Information Technology, Tarakji, “A survey of risks, threats and CIT-2010, 7th IEEE International vulnerabilities in cloud computing,” in Conference on Embedded Software and 2nd International Conference on Systems, ICESS-2010, ScalCom-2010, pp. Intelligent Semantic Web-Services and 1328. Applications, ISWSA 2011, April 18, 2011 [S15]. "Standards for Security Categorization of - April 20, 2011, Amman, Jordan, 2011, p. Federal Information and Information The Isra University. Systems," National Institute of Standards [R7]. L. M. Vaquero, L. Rodero-Merino, and D. and Technology (NIST), FIPS Pub. 199, Moran, “Locking the sky: a survey on Feb. 2004. IaaS cloud security,” Computing, vol. 91, no. 1, pp. 93–118, Jan. 2011.We found 26 relevant and available papers in [R8]. L. Sumter, “Cloud computing: Securitywhich only 11 supported our study relating risk,” in 48th Annual Southeast RegionalConfidentiality framework. Here, some extra Conference, ACM SE’10, April 15, 2010 –references (excluding those 11references that are April 17, 2010, Oxford, MS, United states,presented in the research report). Those that did 2010.not support for our Framework in any kind but [R9]. Minqi Zhou, Rong Zhang, Wei Xie,helped us in gaining some extra knowledge are Weining Qian, and Aoying Zhou,presented here. “Security and Privacy in Cloud Computing: A Survey,” in 2010 SixthPRE-SLR (ASSIGNMENT-1 SLR) - International Conference on SemanticsREFERENCES ([R]) Knowledge and Grid (SKG 2010), 1-3 [R1]. 
D. Carrell, “A Strategy for Deploying Nov. 2010, Los Alamitos, CA, USA, 2010, Secure Cloud-Based Natural Language p. 105–12. Processing Systems for Applied Research [R10]. M. Jensen, J. Schwenk, N. Gruschka, and Involving Clinical Text,” in 2011 44th L. L. Iacono, “On technical security issues Hawaii International Conference on in cloud computing,” in 2009 IEEE System Sciences (HICSS 2011), 4-7 Jan. International Conference on Cloud 51 | P a g e
  18. 18. Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 3, Issue 2, March -April 2013, pp.035-052 Computing (CLOUD), 21-25 Sept. 2009, Science and Engineering (ICSSE), 8-10 Piscataway, NJ, USA, 2009, p. 109–16. June 2011, Piscataway, NJ, USA, 2011, p.[R11]. M. Townsend, “Managing a security 582–7. program in a cloud computing [R20]. Xin Yang, Qingni Shen, Yahui Yang, and environment,” in 2009 Information Sihan Qing, “A Way of Key Management Security Curriculum Development Annual in Cloud Storage Based on Trusted Conference, InfoSecCD’09, September 25, Computing,” in Network and Parallel 2009 - September 26, 2009, Kennesaw, Computing. 8th IFIP International GA, United states, 2009, pp. 128–133. Conference, NPC 2011, 21-23 Oct. 2011,[R12]. M. T. Khorshed, A. B. M. Shawkat Ali, Berlin, Germany, 2011, p. 135–45. and S. A. Wasimi, “Trust issues that create [R21]. Xue Jing and Zhang Jian-jun, “A brief threats for cyber attacks in cloud computin survey on the security model of cloud g,” in 2011 17th IEEE International computing,” in 2010 Ninth International Conference on Parallel and Distributed Symposium on Distributed Computing and Systems, ICPADS 2011, December 7, Applications to Business, Engineering and 2011 – December 9, 2011, Tainan, Science (DCABES 2010), 10-12 Aug. Taiwan, 2011, pp. 900–905. 2010, Los Alamitos, CA, USA, 2010, p.[R13]. M. T. Khorshed, A. B. M. S. Ali, and S. 475–8. A. Wasimi, “A survey on gaps, threat [R22]. X. Lin, “Survey on cloud based mobile remediation challenges and some thoughts security and a new framework for for proactive attack detection in cloud improvement,” in 2011 International computing,” P.O. Box 211, Amsterdam, Conference on Information and 1000 AE, Netherlands, 2012, vol. 28, pp. Automation, ICIA 2011, June 6, 2011 - 833–851. June 8, 2011, Shenzhen, China, 2011, pp.[R14]. P. Jain, D. Rane, and S. Patidar, “A survey 710–715. 
and analysis of cloud model-based security for computing secure cloud bursting and aggregation in renal environment,” in 2011 World Congress on Information and Communication Technologies (WICT), 11-14 Dec. 2011, Piscataway, NJ, USA, 2011, p. 456–61.[R15]. R. Glott, E. Husmann, A.-R. Sadeghi, and M. Schunter, “Trustworthy Clouds Underpinning the Future Internet,” in The Future Internet, Berlin, Germany: Springer Verlag, 2011, p. 209–21.[R16]. S. Ramgovind, M. M. Eloff, and E. Smith, “The management of security in Cloud computing,” in 2010 Information Security for South Africa (ISSA 2010), 2-4 Aug. 2010, Piscataway, NJ, USA, 2010, p. 7 pp.[R17]. S. Subashini and V. Kavitha, “A survey on security issues in service delivery models of cloud computing,” Journal of Network and Computer Applications, vol. 34, no. 1, pp. 1–11, Jan. 2011. [R18].S. Tabet and M. Pohlman, “Cloud Computing: Combining Governance, Compliance, and Trust Standards with Declarative Rule- Based Frameworks,” in Rule-Based Modeling and Computing on the Semantic Web. 5th International Symposium, RuleML 2011 - America, 3-5 Nov. 2011, Berlin, Germany, 2011, p. 230–6.[R19]. Tsung-Hui Lu, Li-Yun Chang, and Zhe- Jung Lee, “Integrating Security Certification with IT Education,” in 2011 International Conference on System 52 | P a g e
