D32035052

Chaitanya Dwivedula, Anusha Choday / International Journal of Engineering Research and
Applications (IJERA) ISSN: 2248-9622 www.ijera.com
Vol. 3, Issue 2, March -April 2013, pp.035-052
Research on preserving User Confidentiality in Cloud Computing
– Design of a Confidentiality Framework

Chaitanya Dwivedula1, Anusha Choday1
1
M.Sc- in Software Engineering,
Blekinge Institute of Technology (BTH), Karlskrona, Sweden

I.
GROUP MEMBERS‟ PARTICIPATION the ability to store and dynamically allocate space
to the resources that occur for storage periodically
Group Member Idea Creation Report Writing [15]. Virtualization technology [6] in Cloud
Group Member 1 45 % 65% Computing paradigm renders the ability to run
Group Member 2 55 % 35% resources that dynamically scale the user's necessity
and share the resources available to support the
need [15]. Similarly, there are many other
Abstract technologies that contribute to Cloud Computing.
Cloud Computing creates a dynamic The data storage mechanisms by Resources Pooling
resource sharing platform that provides data occur in Data-Centers [8] [15] which indirectly act
analytically to the proficient users who are at like a CLOUD. On the other hand, the concept of
demand to access data present in the cloud. As „provisioning services in a timely (near on instant),
this data is stored outside the data owner's on-demand manner, to allow the scaling up and
boundaries, they are skeptical for utilizing down of resources‟ generates a virtualization
cloud technology in order to store or access mechanism which pretends to be COMPUTING
their data from those external cloud [15]. Hence, CLOUD COMPUTING deserves to be
providers who are outside their own control a collective term of several technologies that
environment. There are many issues for these interrupt effectively for dynamic
active clients (companies or individuals) to be allocation/de-allocation of resources [15]. The
petrified at the thought of using cloud generally accepted standard definition [15] of
computing paradigm. Some of the main issues Cloud Computing is published with efforts from
that make the clients swear against Cloud National Institute of Standards and Technology
Computing are generated from three (NIST). Their published1 definition is used in our
important security aspects: Research Report for analysis about Cloud
Confidentiality, Integrity, and Availability. Computing.
In this Research, we focused only on security In short, to describe NIST definition [15], we
models that relate Confidentiality issues. understood that, the 'convenient and Ubiquitous
We performed a literature Review for network access' creates a moderate effort to the
analyzing the existing confidentiality cloud clients to establish their resources on to the
frameworks and security models. We then Cloud. The 'shared pool of configurable computing
designed a new theoretical framework for resources' contribute an Instant allocation/de-
confidentiality in Cloud computing by allocation of resources that occur for on-demand
extracting this literature. We expect this data access [15] The 'rapid provisioning' provides a
Framework when implemented practically in flexible operation of cloud for the cloud
the cloud computing paradigm, may generate providers to scale the resources with
huge successful results that motivate the clients assigning and releasing resources from time to time
to transform their businesses on to Cloud. when they are required elsewhere [15].
As the technologies keep intruding
Keywords: Cloud Computing, into Cloud Computing paradigm, there is no
Confidentiality, Security, Framework. means to say cloud computing is exhaustive.
Cloud Computing key- characteristics,
II. INTRODUCTION models and implementations are more extensively
Cloud Computing evolves to be a discussed in Section-III. The discovery of cloud
consistent term with collaboration of various IT
computing generated a reported progress 2 of
technologies involved in it [15]. Resource pooling
Software Industry and its services to the
technology in Cloud Computing paradigm renders

35 | P a g e

companies worldwide; but along with it, the service models (such as SAAS; PAAS; IAAS;)
security issues kept eroding to change [2]. This which when left unsolved might cause 'lack of
resulted in The Client's View about Cloud proficient security (CIA)' [2] [7]. One of the main
Computing as that it lacks in confidentiality for reasons for Cloud Computing to be inconsistent in
moving their resources onto cloud [10]. Potential confidentiality is due to differences in Cloud
clients are now waiting for the answers about models that are getting deployed [2]. The three
how, why and by what means the security is deployment models (Public Cloud; Private Cloud;
provided to Cloud computing [2]. & Hybrid cloud;) generate a multiple framework
The Problem is distinct as the security issues occur activity that has to be satisfied with
frequently in parallel to the Cloud development. confidentiality [7].
The environment of Cloud Computing is vast This SLR has also been understood as a proven
making it more vulnerable to threats [2]. Hence, we theory when we re-reviewed the NIST definition for
decided to focus on the most eminent security a several times.
issues that significantly standardize the The definition is supported by five key cloud
Confidentiality of Cloud Computing to a better characteristics, three delivery models and four
extent. In our Systematic literature review made deployment models [15]. We understood this
before our research proposal, we analyzed that definition as of three interlinking properties of a
Confidentiality alone can specify approximately Cloud: key Characteristics of a cloud, delivery
50% of the security issues that when satisfied- models and deployment models. Our
cloud computing can emphasis to more interesting understandings on this definition are presented in
software development. the Figure-3.1.
The data behind the Cloud is technically said to be
off- premise and is never under the boundaries of
the data owners [8]. These data that are stored
in Cloud are beyond the control of data owners
which may converge with loss of confidentiality
[2]. We believe that, Most of the effective
customers condemn the use of cloud computing
because they are aware of the ethics beneath cloud
technologies that are unclear or unknown to them.
The goal of this Research is to
generate a successive framework for Cloud
Computing that can predict sufficient
Confidentiality gain in this particular Cloud
environment. Hence, this Framework will be an
extension to our understandings of Frameworks
analyzed from Systematic literature review (SLR)
that is done at the time of our research.
Our Research Questions relate this main objective Figure-3. 1: Our understandings on NIST
mentioned above and are detailed to study from definition [15]
section-IV. The study process, data collection &
analysis methods involved for this research are The key characteristics describe the operations
discussed to detail in the section-V and section-VI. performed in a cloud computing environment. The
The problems (that may generate during the key characteristics such as On-demand resource
implementation of the resulted framework), the sharing; Resource Pooling;
limitations and the sustainable arguments to our
study are brought-up to note in section-VII. Our Rapid elasticity; monitoring resource
final research results that are concerned with our allocation; Wide network access; service
research goals are presented to acknowledge our provisioning; has elaborated the Cloud technology
study in conclusions part (section VIII). in detail [15]. The Cloud service Models such as
Software-as-a-service (SAAS); Platform-as-a-
III. BACKGROUND AND MOTIVATION Service (PAAS); infrastructure-as-a-Service
The consistent approach of our previous (IAAS); are said to be general classifications of the
SLR (PRE-SLR) lead us to a clear understanding of Cloud [15]. Regardless of the service models that
security issues present in Cloud Computing. are classified, there exist 3 basic deployment
Mainly, the security issues such as Confidentiality; models of Cloud such as Public Cloud; Private
Integrity; Availability; are indefinitely implemented Cloud; and Hybrid Cloud. “Hence, the key
to reach the efforts constraining to Healthy on- characteristics of Cloud when applied (to
demand network access [2]. Thus, these efforts deployment models) provide data (or) services to
when indistinct may route to problems in Cloud its Clients.”

36 | P a g e

Here, we also analyzed that Confidentiality is -„if we unite all the confidentiality issues in
issues underlie the challenges in finding answers to common, then we can easily map them onto our
questions like: framework that is going to be generated.‟
How will Cloud provisioning occur to act? We hope the companies will need a unique frame
What are Cloud security requirements? work like this and future researchers might not fail
 How will Data storage occur in Cloud to be stimulated by the ideas presented by us. While
Computing? this is a diving cause for the need that encompasses
 How reliable is Security architecture of the cloud computing, if we can't find the solution for
Cloud? this research, the implications of not solving this
How reliable are the Cloud Services offered? problem might be the same as explained above:
So, indirectly we understood that “gaining The confidentiality that lacks behind will generate a
knowledge fear for the clients (companies, organizations,
about Cloud technology improves half of the individuals, etc) to share/store their resources (or)
Confidentiality levels in the Clients”. Hence, these to transform their businesses on to the Cloud
above questions have worked as partial hypothesis environment.
for us.
We are focused to propose a unique framework that IV. RESEARCH DEFINITION AND
can produce a single architecture which allows PLAN
combination of required security goals; along with A. Research objective:
all the reliable policies, procedures for all Cloud The goal of this Research is “To generate
deployment models in common. So, we further a sufficient security model-framework for the
continued our research on classifying the security extent possible, which when implemented: can
issues that are analyzed from our PRE-SLR results. moderate the activities (that occur for security
With the understandings we have - upon the found threats or implicating risks) that are indeed capable
security issues, we now classified them as the of reducing Confidentiality of the Cloud and its
issues that relate to Confidentiality with one among environment.”
the three, they are: This Research objective focused our aims onto:
Classifying Security Issues in Common  Specifying the security issues that
Technical issues relate to
Organizational issues Confidentiality in Cloud Computing.
Legal issues.  Understanding the possible research
results of the effective security models presented by
The entire list of Security issues are the previous researchers.
generalized into these three issues in common.  Proposing a more extensive security
This Complete list of Security issues obtained in model- framework that can uniquely state the
PRE-SLR is presented in Appendix-C. province of all service and deployment models in
collaboration.
Our reasoning for the above classification is as
follows: B. Research Questions:
Technical issues: All the security issues like The interpretation of the above objective is
„Shared extensively scrutinized, with the need for the
Technology Vulnerabilities‟, „network security‟ necessary knowledge that has to be obtained in
and many others collaboration with the new framework to be
that can find solutions framing security goals in generated. These following research questions 3
technical area are analyzed as Technical issues. (R.Q‟s) will guide our research:
Organizational issues: All the security issues
like R.Q.1: What are the Security issues that sufficiently
„Malicious Insiders‟, „data location transparency‟ support Confidentiality -inducible in security
and many Framework of Cloud Computing?
others that can find solutions by framing security The Question has been framed in such a way that
goals in organizational area are analyzed as all the issues found in our PRE-SLR are
Organizational issues. now to be
Legal issues: All the security issues like „policy brought out to analysis where we can know how
based or procedural based problems‟ and many the security issues collide with the security models
others can get the solutions by framing security framed. For this, we need to know how actually a
goals in this area are sorted to be legal issues. security model in Cloud Computing is exists.
The basis of this classification is just to unite all the Hence, R.Q.1.1 is framed for
security issues relevant to confidentiality in Cloud this analysis. Interpreting the solutions
Computing. The main idea besides this type of occurred for
classification R.Q.1.1 will relevance the solutions to be found for

37 | P a g e

R.Q.1.  Analyzing the inconsistent results found
in the literature from other researchers.
R.Q.1.1: How are these Confidentiality issues  Analyzing ideas that are firmly achieved
classified to indulge with consistent security by the others in this field of study.
operations in Cloud Computing?  Applying their models more
extensively by clubbing the ideas; to generate new
framework with the current security issues that
3 These R.Q‟s are re-framed for „adequacy need‟ enhance Confidentiality in Cloud.
for this report (as commented by our professor With experiences from PRE-SLR, We now choose
{proposal evaluator}) but comply with same top journals refereed from several good
research meaning as that of research proposal publications. In our first step, the Journal
R.Q‟s framed earlier. This R.Q. is generated in Ranking is collected from an International
such a way that we can understand several Research Group4 by name: "Association of
constrains for security issues getting involved in the Information Systems (AIS)". We have only
security operations. This question needs a though selected these Top ranked Journal Publications in
analysis of security models presents in the which again through filters we were able to analyze
literature. Hence, SLR is conducted to extract the that only few occur for Cloud Computing study.
results. The task of finding a search engine had been easier
for us than finding best journal publications; as
R.Q.2: How to uniquely frame Confidentiality most of the search engines are available through
within the boundaries of all Cloud security our BTH University 'Find database' library
models/Architectures in common? portal. We only focused on the search engines that
Our entire research concept is to find a unique can especially present these Top ranked journal
framework for confidentiality in cloud publications. We then filtered our keywords again
computing and this questions serves the purpose of and again for a proficient search refinement
our scope. on „Confidentiality frameworks and
security models in Cloud Computing‟. The
C. Research Methodology: complete operation of POST-SLR in presented in
Our research is originated by the below data collection & analysis methods.
understanding Cloud Computing as a start and  Data Collection method:
then conceived with an objective of what needs to The Qualitative analysis of literature amends with
be done. The R.Q.s are framed with the basic the use of SLR. However, if the distillation process
understanding from the PRE-SLR results and by of extracting literature fails, the quality might
reading several: research news articles, websites reduce its heights. Hence, opting for highly
regarding Cloud service offerings, and soon. As, qualitative journal publications, selecting effective
Our research has to provide solutions with search databases and framing the search strings for
analysis of various security models or the search operations are said to be the three main
confidentiality frameworks in Cloud Computing, aspects of SLR.
we observed that qualitative form of extracting a) Step1: Journal selection: we required papers
information is an SLR. that present studies of all forms such as Empirical
Hence, we conduct an SLR again but now with studies, Case- studies, research findings, and all
focus on extracting Security models. For clarity, other available literature; but we restricted our
the SLR that has to be performed now is named as search only to the peer-reviewed Journal articles.
POST-SLR. The difference between these two The list of Journal Publications that attracted
SLRs is as shown in Appendix-A. us in our study (on security models in Cloud
A Review methodology of this type (SLR) is Computing) are presented below. These top
helpful to generate sufficient solutions for our ranked journals are sorted with searches made for
R.Qs. In addition, our ideas with reference to the our Cloud Computing study. The original ranking
issues found in PRE-SLR will be presented for list of Top Journals as described above are sent to
qualitative elaboration in the Framework being Appendix-B inorder to make it clear.
generated.
 Systematic Literature Review: (POST-SLR): Journal Articles (Scrutinized)
To gain knowledge in Security Models and MIS Quarterly (MISQ)
previous researchers' works on Security Framework Communications of the ACM (CACM)
activity in cloud computing, we choose SLR as our IEEE Transactions (various)
best means to obtain it. Some of the sufficient Journal of Computer and System Sciences (JCSS)
reasons for relying only upon SLR are as follows: Information Systems Journal (ISJ)
 Database for Advances of Information Systems (DATABASE)
Analyzing the generally accepted security models in cloud environment.
 Analyzing the future work that remains unfurnished in the Systems (DSS) models in
Decision Support previous security
Cloud Computing. b) Step2: Database selection:

38 | P a g e

Our experience upon the search engine mattered for OR SRCTITLE("IEEE")
a while as this selection is a priority for major OR SRCTITLE("Journal of Computer and System
papers to be found. Hence, we limited our search Sciences") OR SRCTITLE("Information Systems
within databases where almost all the top ranked Journal")
Journals can be found. The analysis list of most OR SRCTITLE("DATABASE")
prominent Search databases that cover all the OR SRCTITLE("Decision Support Systems"))
ranked Journals in relation to Cloud Computing AND PUBYEAR > 2004
Findings in their search Query; are presented The search strings framed are directly inserted into
below: this formula for results in our research area. A
Search Databases (scrutinized) complete list of search strings along with the
SCOPUS Strings that even found no results are presented in
Engineering village (INSPEC; COMPENDEX;) Appendix –B in order to make it clear.
All the keywords that extracted exciting results
The search operation designed below is applied - when applied to search strings framed under this
with one of these two databases at a time; For above search formula are presented below:
example, if we can‟t find the relevantly interesting
data in „Scopus‟ then, for clarification, we Keywords (scrutinized)
followed the same search query in Cloud Computing Security and privacy
„Engineering Village‟ database. Security model Confidentiality Framework
c) Step3: Search operation: Privacy Policy(s) Grid Computing
The Search operation of finding relevant data Virtualization Security Architecture
for our search has been the basic task for our … …
research operation. We now focused on framing In the search operation made, we got 11 research
the search strings, extracting results, stimulating articles that are firmly relevant to our study. The
search results with the scope and refining the process of analyzing these articles is presented
search strings if relevant data is not found. The below.
below figure-4.2 demonstrates our search  Data Analysis Method:
operation. For data analysis, consistent tracking of search
results is the ultimate task which dissolves the
barriers between knowledge gain and its
implementation. The Quality of the search results is
assessed with include/Exclude Criteria, as
described below:
d) Include Criteria:
 Only Peer reviewed Articles
(available) from
Journals or Conference papers.
 Articles should be written in English
language.
 The article has to be published during
or after the year 2005.
 Articles that found relevance
with Cloud
Computing security models in their Abstracts.
Figure-4. 1: Search Operation All the other articles that do not meet the include
As almost all the papers are published online, we criteria are said to be excluded.
have selected Online Databases over the internet In order to validate our Research Methodology, we
and did not use any library or other external have also cross-checked our SLR with two
sources for our data search. other SLRs [17] & [18] in which one is a Thesis
We developed a General Search Query baseline paper [18].
for generating our search in such a way that by
inserting keywords into this formula may give V. RESEARCH OPERATION
desired results for our Research Area. This idea is The Scope of this Research is to elaborate
originally developed from the idea behind search the unconditional use of Confidentiality framework
interface present in the research database: that can peers all the service and Deployment
„Scopus‟. The Search Query we adopted in models present in the cloud. Hence, our major tasks
“Scopus” -„Advanced search‟ interface is as below: constitute the operations contributing with the
(TITLE-ABS-KEY("SEARCH STRING") AND minimal tasks of analyzing security issues,
SRCTITLE("ACM") generating a framework that architects all the
OR SRC TITLE("MIS Quarterly") security solutions for the issues generated and soon.

39 | P a g e

To achieve our research objective, we started
with PRE-SLR for analyzing all the possible
security issues and then specifying them
to predictable general classifications
(such as Technical, organizational, legal issues) as
shown in the Section-III. As we can‟t detail each
and every Security issue in the framework and also
as we can't map all the issues directly into the
framework, we choose this way to generalize them.
We believe that most part of the R.Q.1 can be
addressed to solutions 'by analyzing security issues
found in PRE-SLR' and rest of R.Q.1 is 'to analyze
how these security issues indulge into the
framework being generated'.
For solving this remaining part of R.Q.1, again
R.Q.1.1 is framed. Now, the research analysis
(from POST-SLR) has shown the path for
implementing a new framework. The Found
Figure-5. 1: Classifications of grid computing
literatures that solved R.Q1.1 for the concept
Security [4]
of"finding Confidentiality requirements
that are classified to indulge with security As they focused on grid computing, the
operations in Cloud computing" are presented security issues resulted to solutions in their
below:
framework will lead to grid environment's security
province but as they interlinked these security
A. Literature Analysis: issues to grid Deployment models (computational
In Engineering privacy [10], the authors generated
grid; data grid; service grid;) and as the same
a three sphere models (User Sphere; Joint Sphere; security issues (like intrusion detection) can be
and Recipient Sphere;)that occur for user
found in Cloud deployment models, their
privacy concerns. they relate all the Confidentiality framework helped us in our Cloud
issues to these three spheres. We analyze these Computing-Confidentiality
models as operations that obscure privacy views. framework initiation. Their classification
They also generated some architectural
framework also presented the solutions to the
mechanisms that can also partially generate issues area-wise (system solutions, Behavioral
confidentiality in Cloud Computing
solutions, Hybrid Solutions ;). In the same way we
area. These mechanisms are as below:
focused our solutions to the Confidentiality issues
 Privacy-by-policy: Based on policy generation
area-wise; they are named as: Technical solutions,
which results in Fair Information Practices (FIP). Organizational solutions, Legal solutions.
This FIP was contributed to
European Legislation privacy [10]. In 'Cloud Security Issues' article [2]; B. R.
 Privacy-by-architecture: Based on anonymizing Kandukuri et al. described several Service Level
information which results in little or no personal Agreements (SLAs) for generating notion to
data detection by third parties [10]. different levels of security. According to them
 Hybrid approach: Based on the combination
SLAs are documents that define relationship
of above two approaches where policies collide between two parties: the cloud Provider and the
with technical mechanisms (architecture), they
Customer (recipient). Even they have immensely
then enforce privacy enhancements [10]. guided us for our research as their concept of
These policy centric architectures have given a indulging Security Risks in the SLA has given a
start to our security framework idea being complete understanding of what needs to be done
generated. in our frame work. The simple analysis of SLA and
In [4], the authors developed security its contents are like these:
classification framework which sorted the
 Definition of services
presence of our research idea for R.Q.1.1 towards  Performance management
a solution. They classified the security issues for  Problem management
Grid Computing environment also with  Customer duties and responsibilities
decentralized data control over its architecture. The
 Warranties and remedies
Figure 5.1 presents their framework:
We analyzed that these contents when applied into
action can generate answers for the partial
research
hypothesis presented above in the Background

40 | P a g e

Section. We took steps forward in that means of in the open risk taxonomy [1].
approach.
As we are about to conclude our literature review
To be consciously readying about analysis, even though we are unable to completely
Encryption concepts in many literatures [5] [11] find a security framework or security model or
saying that they have generated a mechanism architecture, we felt that we are satisfied with the
for confidentiality is not trust-worthy for us. They solutions that are obtained to R.Q.1. & R.Q.1.1.
have generated some encryption key-mechanisms, This Review has shown the relevant security
encryption algorithms, Cryptography methods and threats or risks or issues that are interlinked with
soon which can be sorted like a solution for “data the security models; but for complete solution of
privacy” alone but not to entire confidentiality R.Q.1 & R.Q.1.1, we also considered a few
measures in security framework. We believe that NIST drafts that enabled the Risk analysis process
only a key generation concept might not itself or frameworks consistent with cloud environment.
provide confidentiality to the user. We can support The below are the knowledge gained concepts
this analysis, as said by S. Spiekermann et al from different drafts of NIST.
[10], the user is out of the boundaries of the
organizational sphere where these keys get In NIST Draft SP800-30 [12], Risk Assessment
generated, and so, even though the key is set Methodology Flowchart is presented where we
private to the users themselves, we can‟t find any have successively understood each and every
proof to say that these consistent key encryption concept beneath the Risk taxonomy and its control
mechanisms alone can stabilize flow. The seven steps that determine this
confidentiality requirement in Cloud sequential flow are as follows [12]:
environment. Step1: System Characterization
Step2: Threat Identification
A new concept said to be RAIN (Redundant Array Step3: Vulnerability Identification
of Independent Net-storages) [9] has been Step4: Control Analysis
analyzed from the literature. According to the Step5: Likelihood Determination
authors of this article [9], they used a divide and Step6: Impact Analysis
conquer method for the data passing through the Step7: Risk Determination
clouds. They have also presented their Step8: Control recommendations
background work of deploying 5 Cloud service Step9: Results Documentation
models. They are as shown below: With elaboration, NIST Draft SP800-37 [13] has
 Separation model: separates data further presented a Risk Management Framework
storage from data processing [9]. which became the key to our Research for
 Availability model: separates stored confidentiality on
data from data providers during the time of cloud. This framework is as shown in Figure-5.2
processing [9]. below.
 Migration model: describes the data
migration from one storage provider to another
other storage provider [9].
 Tunnel model: describes data tunneling
service between data processing service and data
storage service [9].
 Cryptography model: describes data
encryption that is also not intelligible even to the
storage provider [9].
Their procedural implementation gave us an idea
for the framework that implements process
activities one- onto-one presenting itself as security
control-flow architecture.

In another paper named „understanding Cloud
Vulnerabilities‟ [1], the authors have generated a Figure-5. 2: Risk Assessment Framework (NIST
framework mitigating the Risk factors into two SP80037) [13]
kinds, “loss event frequency” and “probable loss In NIST draft SP800-125 [14], the architecture of
magnitude”, all the rest are classified into those Virtualization technologies is enabled with
two risk factors. This can be seen as of a hypervisors that have played a major role for
relevance to our security issues generalization providing security to the Cloud Computing
concept; for mapping them into the framework that environment. The security controls when operated
can give solutions to any kind of issues that occur in the hypervisors (virtual machine managers for

41 | P a g e

monitoring multiple hosts) that are placed just before above the
the frameworks, models and other security
cloud offering applications can implemen
concepts that are found in the above literature. The
Even though deployment models exist, a general framework that satisfies our R.Q.2 is contributed to
scope and control flow of the service models in effect from the FIGURE-6.1 below:
cloud computing with the views of both consumer This Framework is done in such a way that cloud
and cloud provider are presented in Draft SP800- providers and their customers have a generalized
144 [16]. This Scope in terms of control flow is view on the security operations in their cloud. The
thus also implemented by us where the cloud framework
provider‟s view and the customer‟s view on has also shown the difference between the
the framework being generated are extracted to operations
act. that are carried for stepwise flow. We used
Hence, R.Q.1 is completely fulfilled with orange, blue green and red colors for
knowledge base of security issues as shown above differentiating and clubbing several operations
with relevance to security models that are deployed carried in the cloud. All the orange boxes denote
to eradicate trouble caused by these issues. the general tasks by the cloud provider or their
customers. All the blue boxes denote the original
VI. DATA ANALYSIS AND security operational flow in the framework. Green
INTERPRETATION and red denote the organizational and technical
Even though there are many other security models issues/tasks respectively. The description of this
or frameworks, we presented only the important tasks and operations will refer back to the POST-
articles. As the knowledge for relevant data models SLR review made in Section- V. If anything is
got its place for our idea creation from among unclear, all the rest including Security concepts
these articles, hence, we concluded the literature and other keywords used in the below framework
review for analysis. Here in this section, we are clearly elaborated in Appendix-D.
present a Data Framework activity by analyzing all

Figure 6. 1: Confidentiality Framework for Cloud Computing (our research solution)

VII. DISCUSSIONS in any Cloud based company that indeed can
A. Contributions & limitations : satisfy the cloud customers. Even though just an
The framework has deployed a risk SLR can't deal with the entire problem area and
management activity for security provisioning in also as there is no proof that our research analysis
cloud environment. We are sure that results can work in the real time industry, we had no
generated by us are completely involved with all other choice as time is our major constraint rather
the levels of security issues and their solutions in than just implementing a Framework only based
all kinds of users‟ views; and hence, will provide a on SLR. This framework is limited to the general
constant baseline for drawing security architecture activities without concise on any further
clarifications on the inside elements such as

42 | P a g e

cryptography and soon. Challenges,” Journal of Network and
Computer Applications, vol. 3, no. 5,
B. General proceedings(future work): pp. 247-255, Dec. 2011.
As of now this model needs to be scrutinized. [8]. M. Armbrust, I. Stoica, M. Zaharia, A.
This model needs to be briefly elaborated Fox, R. Griffith, A. D. Joseph, R. Katz,
deriving each and every activity in the framework A. Konwinski, G. Lee, D. Patterson, and
analytically with real-time proofs. If we get a A. Rabkin, “A view of cloud
chance in thesis, then we are sure that we can get a computing,” Communications of the
clear scrutinized security model along with the ACM, vol. 53, no. 4, p. 50, Apr. 2010.
suggestions made by the professors and real time [9]. M. G. Jaatun, G. Zhao, and S. Alapnes,
industry people with the surveys and experiments “A Cryptographic Protocol for
conducted. Communication in a Redundant Array
of Independent Net-storages,” 2011, pp.
VIII. CONCLUSION 172–179.
Confidentiality for Cloud Computing [10]. S. Spiekermann and L. F. Cranor,
deals with the emerging cloud architectures that “Engineering Privacy,” IEEE
evolve with time. This continuous evolution Transactions on Software Engineering,
process might necessitate to with stand a baseline vol. 35, no. 1, pp. 67–82, Jan. 2009.
framework activity. We enabled a framework [11]. S. Yu, C. Wang, K. Ren, and W. Lou,
activity with reference to general security models “Achieving Secure, Scalable, and Fine-
and patterns. We expect this framework to be a grained Data Access Control in Cloud
consistent approach to trigger any kind of security Computing,” 2010, pp. 1–9.
mechanism in Cloud Computing. As the views on
this model are focused to analysis with both Cloud NIST Special Publication (SP) Drafts:
provider and the customer, we hope that [Online](Available:
organizations can be at ease to implement their http://csrc.nist.gov/publications/PubsDraft
operations directly on to this framework without s.html)
further discussions. [12]. S. Gary, G. Alice, and F. Alexis, “SP:
Risk Management Guide for
REFERENCES Information Technology Systems,”
[1]. B. Grobauer, T. Walloschek, and E. National Institute of Standards and
Stocker, “Understanding Cloud Technology (NIST), CSRC-SP800-30,
Computing Vulnerabilities,” IEEE July. 2002.
Security & Privacy Magazine, vol. 9, no. [13]. “SP: Guide for Applying the Risk
2, pp. 50–57, Mar. 2011. Management Framework to Federal
[2]. B. R. Kandukuri, R. Paturi. V., and Information Systems,” National
A. Rakshit, “Cloud Security Issues,” Institute of Standards and Technology
2009, pp. 517–520. (NIST), CSRC-SP 800-37(Rev-1), Feb.
[3]. C. Chapman, W. Emmerich, F. G. 2010.
Márquez, S. Clayman, and A. Galis, [14]. S. Karen, S. Murugiah and H. Paul, “SP:
“Software architecture definition for on- Guide to Security for Full Virtualization
demand cloud provisioning,” Cluster Technologies,” National Institute of
Computing, vol. 15, no. 2, pp. 79–100, Standards and Technology (NIST),
Feb. 2011. CSRC-SP 800-125, Jan. 2011.
[4]. E. Cody, R. Sharman, R. H. Rao, and [15]. M. Peter and G. Timothy, “NIST
S. Upadhyaya, “Security in grid Definition of Cloud Computing,”
computing: A review and synthesis,” National Institute of standards and
Decision Support Systems, vol. 44, no. 4, Technology (NIST), CSRC-SP 800-145,
pp. 749–764, Mar. 2008. Sept. 2011.
[5]. G. Zhao, C. Rong, J. Li, F. Zhang, and [16]. J. Wayne and G. Timothy, “SP:
Y. Tang, “Trusted Data Sharing over Guidelines on Security and Privacy in
Untrusted Cloud Storage Providers,” Public Cloud Computing,” National
2010, pp. 97–103. Institute of Standards and Technology
[6]. K. Riemer and N. Vehring, “Virtual or (NIST), CSRC-SP 800-144, Dec. 2011.
vague? a literature review exposing
conceptual differences in defining SLR model review references:
virtual organizations in IS research,” [17]. S. Jalali and C. Wohlin, „Agile practices
Electronic Markets, May 2012. in global software engineering - a
[7]. K. 'Shade O, I. Frank and A. Oludele, systematic map‟, in 2010 Fifth IEEE
“Cloud Computing Security Issues and International Conference Global

43 | P a g e

Software Engineering (ICGSE 2010), this research operation performed now.
23-26 Aug. 2010, Los Alamitos, CA, A Review methodology of this type (SLR)
USA, 2010, pp. 45–54. has already been conducted in our previous
[18]. Guido Kok, “Cloud computing & assignment (asst-1). The results of that PRE-SLR
confidentiality,” M.S. thesis, Dept. obtained, have been utilized in background
Comp. Sci. Eng., University of Section-III. As shown in below Figure-A, we name
Twente., Enschede-Noord, Nederland, this SLR (made in the research operation) as
May.24.2010.[Online] (Available: 'POST-SLR' in order to differentiate from the SLR
http://purl.utwente.nl/essays/61039) that is done before our proposal (assignment-1)
(For clarity, we name this previous SLR as 'PRE-
SLR').
APPENDIX A
A. Differentiating Our Previous works from

Figure A: Figure-4. 2: Differentiating our work from the past.

APPENDIX B – SEARCH OPERATION publications that publish topics in concern to
The Journal Publication ranking with relevance to Cloud computing. We found only 7 top
“CLOUD COMPUTING” is roughly analysed for Publications that gave unique results with the rest
search in every Top ranked public ation with basic left behind with the same search result (as that of
keywords as „Cloud Computing' AND the previous publications‟ search) or no search
'Confidentiality'. The main motive behind this result at all. The Table-A shows top ranked
search is to analyse all the top ranked journal publications list and cloud findings in them.

44 | P a g e

Table A: Top ranked journal publication selection from AIS-Journal ranking5 with relevance to cloud
computing.

Resulted Search Research Area Search operated
Serial TOP JOURNALS (AIS-MIS Journal Ranking Sequence)
Articles relevance through:
1. MIS Quarterly Management Information Systems (MISQ) 2681 EBSCOhost
2. Information Systems Research (ISR) 2681 EBSCOhost
3. Communications of the ACM (CACM) 168 ACM Dl library
4. Management Science (MS) 2681 EBSCOhost
5. Journal of Management Information Systems (JMIS) 2681 EBSCOhost
6. Artificial Intelligence (AI) 3(X) ScienceDirect
7. Data Sciences (DSI) -NA- ---
8. Harvard Business Review (HBR) 2681 EBSCOhost
9. IEEE Transactions (various) 7 IEEE Explore
10. AI Magazine 2(X) AI Magazine
11. European Journal of Information Systems (EJIS) -NA- ---
12. Decision Support Systems (DSS) 17 ScienceDirect
13. IEEE Software (IEEESw) 7 IEEE Explore
14. Information and Management (I&M) -NA- ---
15. ACM Transactions on Database Systems (ACMTDS) 168 ACM Dl library
16. IEEE Transactions on Software Engineering (IEEETSE) 7 IEEE Explore
17. ACM Transactions (ACMTrans) 168 ACM Dl library
18. Journal of Computer and System Sciences (JCSS) 10 ScienceDirect
19. Sloan Management review (SMR) 2681 EBSCOhost
20. Communications of AIS (CAIS) 168 ACM Dl library
IEEE Transactions on Systems, Man & Cybernetics
21. 7 IEEE Explore
(IEEETSMC)
22. ACM Computing Surveys (ACMCS) 168 ACM Dl library
23. Journal on Computing (JCOMP) 168 ACM Dl library
24. Academy of Management Journal 2681 EBSCOhost
25. International Journal of Electronic Commerce 2681 EBSCOhost
26. Journal of the AIS -NA- ---
27. IEEE Transactions on Computers (IEEETC) 7 IEEE Explore
28. Information Systems Frontiers (ISF) -NA- ---
29. Journal of Management Systems 2681 EBSCOhost
30. Organisation Science (OS) -NA- ---
31. IEEE Computer (IEEEComp) 7 IEEE Explore
WILEY online
32. Information Systems Journal (ISJ) 135
Library
33. Administrative Science Quarterly 129(X) SAGE Journals
34. Journal of Global Information Management (JGIM) -NA- ---
The Database for Advances of Information Systems
35. 1066 EBSCOhost
(DATABASE)
36. Journal of Database Management (JDM) 2681 EBSCOhost
37. Information Systems (IS) 11 ScienceDirect
… … … …

45 | P a g e

After finding these top 7 journals, the search string
NOTE: The top ranked Cloud computing formula is generated (in section IV) for finding the
publications are marked with three colours: Green, papers relevant to our research area in Cloud
Yellow and Red. The Green colour shows unique computing. We analyzed that most of the Journals
search result at the start before finding the same from IEEE and ACM publications defer in name
result in other publications. The Yellow represents but gave same results. So we sorted them just to be
the Publications which carry Cloud papers but “IEEE” and “ACM” in our search formula
show same result (-repeat-) as that of previous generated. The idea behind this is to grab as much
publications and hence neglected. The Red shows as many resu lts from all the publications of IEEE,
that the publications are unavailable (-NA-) or no ACM and all the rest of the 7 unique journals.
results found with relevance to Cloud computing The below table-B presents the search strings
topic. The (X) mark besides the search result framed that are applied into that search formula
denotes the papers found irrelevant to the cloud generated in the report.
computing research area technically.

Table B: Search strings framed and (number of) results obtained.

Search String Search Relevant Very well
Iteration [IN (Title, Abstract, Keywords)] Results and guided
available
1 “Cloud Computing” AND “Confidentiality” AND 23 12 2
(“framework” OR “model” OR “architecture”)
2 “Cloud Computing” AND “Security” AND (“model” OR 266 8 2
“Framework” OR “Architecture”)
3 “Cloud Computing” AND “Privacy policy*” 29 -Repeat- 0
4 “Cloud Computing” AND “Risk management” 15 -Repeat- 0
5 “Cloud Computing” AND “Security requirement*” 89 3 1
6 “Cloud Computing” AND “Security management” 153 -Repeat- 0
7 “Grid Computing” AND “Security” AND (“model” OR 225 1 1
“framework” OR “Architecture”)
8 “Virtualization” AND “Security” AND (“model” OR 146 2 0
“Framework” OR “Architecture”)
… … … … …
… … … … …

We started with the initial search string-Iteration1 computing (our analyzed research solution). Also,
to get initial idea on the search results. All the among these 11 finally
rest of the iterations follow the search made in extracted papers, we found that 6 papers guided us
order to find the results for “cloud computing and very well for our research conclusion. All these 11
confidentiality frameworks”. Inclusion of articles are listed as references in the research
synonyms and similar wo rds occurred for refining report. All the rest excluding these 11 articles
the searches strings framed. Singular and plurals also helped us in gaining some additional
were included in the search and hence „*‟ was knowledge and hence presented in Appendix-E.
included in the search strings above to represent
the same. As we involved synonyms, we included
OR operator in the search strings framed.
APPENDIX C –SECUIRTY ISSUES
When the above framed 8 search strings are GENERALISATION (FROM PRE-SLR)
inserted into the search formula we got 26 relevant The security issues that relate to confidentiality
and available articles. Even though, these are presented here with analysis from our
26 articles are found only through analysis on Title previous studies (PRE -SLR, Assignment-1). As
relevance and (then if needed) abstract readings, said in the research report, these issues are focused
we further made a thorough review on these papers to generalize them into 3 main categories such as
and found that only 11 support our Research area Technical, Organizational, Legal issues; as shown
firmly. We made use of these 11 articles in our in the Table –A below.
research operation and also refereed them to final
Confidentiality framework design in cloud

46 | P a g e

Table C: Security issues found in PRE-SLR and our view of generalizing them to 3 main issues

Issues found from Issues can Relate to
Security Issues
PRE-SLR (references) Confidentiality as :-
Abuse and Nefarious Use of Cloud Computing [R7], [R12] Technical issue
Account, Service and Traffic Hijacking [R7], [R12] Technical issue
Authentication and authorization [R17] Technical issue
Cost and Limited availability of technical personals [R1] Organizational issue
Customer Isolation and Information Flow. [R 15] Technical issue
Cloud Integrity and Binding Issues [R10] Organizational issue
Cloud Security vulnerabilities and Security Attacks [R2], [R10] Technical issue
Cloud Governance [R16], [R18] Legal Issue
Data access and Control [R17] Technical issue
Data back-up and recovery [R2], [R14], [R20] Technical issue
Data breaches (controlling XML signatures and soon) [R17] Technical issue
Data location [R14] Organizational issue
Data protection (Loss/Leakage) [R7], [R12], [R21] Technical issue
Data provisioning (Audits, etc) [R2], [R10], [R15] Technical issue
Data segregation [R17] Technical issue
Ensuring user rights (End user Trust) [R18], [R21] Legal issue
Federation and Secure Composition [R15] Legal issue
Identity/Key management (Encryptions) [R20] Technical issue
Insecure Application Programming Interfaces (web [R7], [R12] Technical issue
application security)
Integrity for user's dynamic changes [R21] Organizational issue
Investigative support (data forensics and soon) [R2], [R16] Technical issue
legal, policy based and commercial problems [R18] Legal issue
Long-term viability (End user trust) [R2], [R16] Organizational issue
Malicious Insiders [R7], [R12], [R15] Organizational issue
Multi-Compliance Clouds [R15] Technical issue
Network security [R17], [R21] Technical issue
Non-Repudiation [R16] Organizational Issue
Privileged user access [R14] Organizational issue
Regulatory Compliance [R16] Legal issue
Reliability [R8], [R20] Organizational issue
Risk/Threat Management [R2] Technical issue
Security assurance to cloud users [R10] Organizational issue
Security Integration & Transparency. [R15] Technical issue
Shared Technology Vulnerabilities [R7], [R12] Technical issue
undefined cloud boundaries [R21] Legal issue
Unknown Risk Profile (lack of transparency) [R12] Organizational issue
Virtualization vulnerability [R2], [R17] Technical issue

APPENDIX D –KEYWORDS USED (IN THE
NOTE: The references “[R]” refer to the PRE-SLR RESEARCH REPORT)
references. These references are presented in Cloud Computing & confidentiality (As it is):
Appendix-E. Cloud computing (NIST definition)
“Cloud computing is a model for enabling
All the security issues presented above ubiquitous, convenient, on-demand network access
that are generalized into these 3 issues are only to a shared pool of configurable computing
through our understandings upon them. As we resources (e.g., networks, servers, storage,
cannot elaborate our analysis on each and every applications, and services) that can be rapidly
issue in this RM research report, the referenced provisioned and released with minimal
papers besides the issue (in the above table) can management effort or service provider interaction.
show what exactly each and every issue is. Along This cloud model is composed of five essential
with these issues in our hand, in the same way, the characteristics, three service models, and four
further issues that evolve with time or any other deployment models.” [15]
issues that are not sighted by us can also be set into
on e of these 3 issues in the future. Confidentiality (NIST definition-FIPS PUB 199)
[S15]
“Preserving authorized restrictions on information

47 | P a g e

access and disclosure, including means for The grid that offers services to its clients is said
protecting personal privacy and proprietary to be Service grid. This grid is designed with
information.” mechanisms of provisioning customer
requirements and offering services they require.
Integrity (NIST definition-FIPS PUB 199) [S15]
“Guarding against improper information Cloud deployment models
modification or destruction, and includes ensuring Private Cloud [15]
information non-repudiation and authenticity.” the services offered are monitored by the
organization itself where its services are not
Availability (NIST definition-FIPS PUB 199) [S15] shared to be monitored by outsiders for any other
“Ensuring timely and reliable access to and use purposes, i.e., the physical infrastructure (cloud)
information.” may or may not be owned by the organization and
might be on-premise or off-premise but will
Cloud service models contain a designated service provider (employees
Software as a service (SaaS) [15] or entities) for its cloud computations.
The SaaS service model is defined to services that
render software applications to the cloud Public cloud [15]
customers. Here, if needed, the Cloud provider can The cloud is provisioned to use by any source that
also operate these applications instead of customers is in need, this source can be an individual, an
like application management (updates), storage organization, or some other entity. This cloud is
backups, infrastructure and soon. generally maintained by ordinary cloud provider
and mechanisms where low-level security is
Platform as a service (PaaS) [15] provided for usage.
The PaaS service model is derived to offer
interfaces such as operational platforms to the
cloud customer. These platforms ar e helpful to the Hybrid cloud [15]
customer in order to build some new applications It is a combination of public or private or any
that are supported on cloud based technologies. other deployment cloud (such as community
Here, the operations such as network management, clouds) that is designed into single cloud
storage, and operating systems are managed by the architecture. The user may vary according to the
cloud provider itself and hence the customer can be organizational needs and hence the security may
relieved to work only for their application also vary with it.
development but not in other matters of cloud
maintenance. Cloud key characteristics
On-demand resource sharing [15]
Infrastructure as a service (IaaS) [15] The provisioning of services offered can leverage
The IaaS service model is derived from the concept a concept of 'On-demand resource sharing'. This
for reducing costs to the customer. IaaS is is automated process that enables the control
structured to provide the capabilities of cloud mechanism of reducing human efforts for enabling
provisioning, storage management and other services to the right users.
fundamental needs to the customer for making
them to use cloud technologies. Here, the customer Resource Pooling [15]
is application or file management is indirectly As delivered to our research report above from
controlled by the cloud provider. NIST, Resource pooling technology in Cloud
Computing Paradigm renders the ability to store
Grid Deployment models and dynamically allocate space to the resources to
Computational grid [4] occur for storage periodically.
The concept of separating resources for setting
them aside in order to automate the computational Rapid elasticity [15]
works that can reduce compu tational power and The rapid elasticity is derived as: provisioning
man-power is said to be Computational grid. services with capabilities to automatically scale the
exact user-demand. The resource is set to use for
Data grid [4] the demand and this service is reverted back when
The information and data are stored or retrieved to the customer is not in need of that resource.
analysis from this data grid. This data grid is
modeled in such a way that large volumes of data Wide network access [15]
are accessed from single Cloud data centre at a time The ability to control or mange large area
by several users (or companies or organizations). networks is delivered to output by this wide
network access. With this characteristic we can be
Service grid [4] access data or information or service even through

48 | P a g e

mobile devices. Organizational solutions in our research report for
our confidentiality framework.
Cloud Spheres models
User Sphere: [10] Hybrid solutions [4]
The user sphere is a technical domain name which These solutions denote the category that
seems to be encompassing a user's device. This combines all kinds of issues for sorting them
sphere has to enable a full access control to the to gain hybrid solutions. Here, trust is the
users who own it. The data is set to privacy and is fundamental for solving any kind of issue. We
accessible to entities present in external did not use this kind of solutions in our framework
boundaries only with th e data owner's but instead as trust occurs better with policies and
permissions. Additionally, user sphere models laws, we involved legal issues in our research
are trumped with respect to owner's physical framework.
privacy and hence, will wait for their
interruption to change their access setting when Some other keywords from literature
needed. RAIN (Redundant Array of Independent Net-
storages) [9]
Recipient Sphere: [10] All the deployment models are split to several
In the same way as that of user sphere above, the independent (non-colluding) storage providers
recipient sphere is a company centric sphere where that pretend to be Redundant Array of
the organization is responsible for its complete Independent Net-storages (RAIN). In authors view
access controls. As the control is within the a single chunk of data doesn't comprise
organization itself, the risk is low when Confidentiality and hence they derive that the data
compared to user sphere and so can potentially should be stored using one or several cloud storage
minimizes the risk of privacy breaches. providers.

Joint Sphere [10] Open risk taxonomy [1]
The joint sphere is also a technical domain term of Open risk taxonomy is nothing but generalizing
cloud spheres where this sphere can derive the the issues (factors contributing) into much similar
complete cloud to its privacy by setting the generalized issue categories. In this paper [1], the
controls completely within the organization and risk focus is divided mainly into two types „loss
also involving its customers with some limitations event frequency‟, „probable loss magnitude‟ with
to access them. we analyzed that this kind of model all the rest of the factors that occur for risk must be
is not impossible to see in the real world, as we falling into one of these categories.
can see social networking sites where the users has
given free of charge for using data storage, email
services and many other features but the users Hypervisors [14]
should indirectly need to know that the full Cloud Computing evaluates a Concept of
control of these services is withheld with the „provisioning services in a timely (near on
company (social networking site) itself but not instant), on-demand manner, to allow the scaling
with the user. Hence the privacy control is derived up and down of resources‟. This approach of
with the complete understandings of the making computing a utility in cloud environment
organizations and its customers involved in joint provides an Opportunity to dynamically scale the
sphere. computing resource that are shared among
customers using virtualization technology.
Classification of types of Solutions for issues found Allocating / de-allocating these resources
in grid computing efficiently, is an open challenge that is solved by
System solutions [4] Hypervisors. They allocation and de-allocation
The system based solutions approach is a concept mechanisms are automated through these
where the technical issues are to be analyzed for hypervisors. In addition, we have analyzed that at
solutions and rectifications. Issues such as present: VMware, XEN systems (using XEN
accessing grid information, auditing grid functions hypervisors), Kernel-based Virtual Machine
and soon are set to solutions here. We named (KVM); implementing their services pretend to be
them to be technical solutions in our research Hypervisors in the real-time cloud computing
report for our confidentiality framework world.

Behavioural solutions [4] Keywords that occurred in our Confidentiality
The Behavioral solutions denotes the category Framework
where solutions for issues like Immediate job (Clear and extra explanation of each and every
execution, advanced scheduling, job control are word used in our Framework)
sorted out for answers. We named them as

49 | P a g e

Cloud system analysis and design come under general security limitations concept.
The system analysis and design is the initial step
where we choose the Cloud deployment model Cloud offerings
[15] and designing the tasks that work upon that The cloud offering is the final step where we
model that is chosen. choose the Cloud service model [15] and designing
the tasks that work upon that model that is chosen.
Cloud security requirements
The general security requirements like key APPENDIX E –INCLUDED STUDIES
encryptions [5] [11], data storage privacy [8], and POST-SLR EXTRA HELPFUL REFERENCES6
many other fundamental requirements should be ([S])
analyzed before implementing every cloud model. [S1]. C. Alcaraz, I. Agudo, D. Nunez, and
This helps in reducing the risk of cloud failure in
J. Lopez, “Managing Incidents in
security matters. This general loo k- up what of Smart Grids a` la Cloud,” in 2011
security requirements needed will somewhat IEEE Third International Conference on
increase the confidentiality in the cloud customers. Cloud Computing Technology and Science
(CloudCom), 2011, pp. 527 –531.
Data Location Dimension
[S2]. C. I. Dalton, D. Plaquin, W. Weidner, D.
Cloud confidentiality fails due to lack of cloud Kuhlmann, B. Balacheff, and R. Brown,
transparency to the customers. Customers are “Trusted virtual platforms,” ACM
reluctant to transform their businesses on to cloud SIGOPS Operating Systems Review, vol.
as they can‟t see where their data is located and 43, no. 1, p. 36, Jan. 2009.
hence, data location dimension distinguishes the [S3]. D. W. Chadwick and K. Fatema, “A
data location in data owner's perspective rather
privacy preserving authorisation system
than data provider's perspective [10].
for the cloud,” Journal of Computer and
System Sciences, vol. 78, no. 5, pp. 1359–
System security control structure
1373, Sep. 2012.
The original security model that is designed to [S4]. H. Takabi, J. B. D. Joshi, and G.-J. Ahn,
operations for cloud security requirements found
“Security and Privacy Challenges in
earlier is developed here in security control Cloud Computing Environments,” IEEE
structure. All the security issues are analyzed here Security & Privacy Magazine, vol. 8, no.
and further classified into 3 major chunks 6, pp. 24–31, Nov. 2010.
(technical, organizational, legal) and are sent to be [S5]. J. Li, B. Stephenson, H. R. Motahari-
solved by those different departments that are Nezhad, and S. Singhal, “GEODAC: A
responsible for solving them [4].
Data Assurance Policy Specification
and Enforcement Framework for
Access controls
Outsourced Services,” IEEE Transactions
The Cloud sphere models [10] such as recipient on Services Computing, vol. 4, no. 4, pp.
sphere, user sphere, hybrid sphere occur in access 340–354, Oct. 2011.
control criteria and will work as the same by [S6]. J. Hao and W. Cai, “Trusted Block as a
transforming their responsibilities and concepts in Service: Towards Sensitive Applications
access controls functions. These access controls on the Cloud,” in 2011 IEEE 10th
even though arose from that sphere concept, the International Conference on Trust,
main duty is to preserve confidentiality for the Security and Privacy in Computing and
data that is being processed in-and-out of the Communications (TrustCom), 2011, pp.
cloud. As soon as we set the access control to one
73 –82.
of these sphere, the cloud will adhere the [S7]. L. M. Kaufman, “Data Security in the
responsibilities of those sphere that is set and will World of Cloud Computing,” IEEE
work for the same. Security & Privacy Magazine, vol. 7, no.
4, pp. 61–64, Jul. 2009.
General security limitations [S8]. P. Angin, B. Bhargava, R. Ranchal, N.
The general security limitations occur from the
Singh, M. Linderman, L. Ben Othmane,
concept of data provisioning and security controls and L. Lilien, “An Entity-Centric
that are limited to them in NIST draft SP800-125 Approach for Privacy and Identity
[14] and NIST Draft SP800-30 [12] respectively. Management in Cloud Computing,” in
The general security limitations such as enabling 2010 29th IEEE Symposium on Reliable
encryption techniques; implementation of virtual
Distributed Systems, 2010, pp. 177 –183.
private networks; implementation of security [S9]. R. Padilha and F. Pedone, “Belisarius:
settings that suit the service level agreements [2]
BFT Storage with Confidentiality,” in
(that render to organizational standards);
2011 10th IEEE International
generating security assurance criteria and soon

50 | P a g e

Symposium on Network Computing and 2011, Los Alamitos, CA, USA, 2011, pp.
Applications (NCA), 2011, pp. 9 –16. 11.
[S10]. R. K. L. Ko, P. Jagadpramana, M. [R2]. F. B. Shaikh and S. Haider, “Security
Mowbray, S. Pearson, M. Kirchberg, Q. threats in cloud computing,” in 2011 6th
Liang, and B. S. Lee, “TrustCloud: A International Conference for Internet
Framework for Accountability and Trust Technology and Secured Transactions
in Cloud Computing,” in 2011 IEEE (ICITST), 11-14 Dec. 2011, Piscataway,
World Congress on Services (SERVICES), NJ, USA, 2011, p. 214–19.
2011, pp. 584 –588. [R3]. Hao Sun and K. Aida, “A Hybrid and
[S11]. R. Seiger, S. Gross, and A. Schill, Secure Mechanism to Execute Parameter
“SecCSIE: A Secure Cloud Storage Survey Applications on Local and Public
Integrator for Enterprises,” in 2011 IEEE Cloud Resources,” in 2010 IEEE 2nd
13th Conference on Commerce and International Conference on Cloud
Enterprise Computing (CEC), 2011, pp. Computing Technology and Science
252 –255. (CloudCom 2010), 30 Nov.-3 Dec. 2010,
[S12]. S. Pearson and A. Benameur, “Privacy, Los Alamitos, CA, USA, 2010, p. 118–26.
Security and Trust Issues Arising from [R4]. Jen-Sheng Wang, Che-Hung Liu, and G.
Cloud Computing,” in 2010 IEEE T. R. Lin, “How to manage information
Second International Conference on security in cloud computing,” in 2011
Cloud Computing Technology and Science IEEE International Conference on
(CloudCom), 2010, pp. 693 –702. Systems, Man and Cybernetics, 9-12 Oct.
[S13]. U. Greveler, B. Justus, and D. Loehr, “A 2011, Piscataway, NJ, USA, 2011, p.
Privacy Preserving System for Cloud 1405–10.
Computing,” in 2011 IEEE 11th [R5]. J. C. Roberts II and W. Al-Hamdani,
International Conference on Computer “Who can you trust in the cloud? A review
and Information Technology (CIT), 2011, of security issues within cloud
pp. 648 –653. computing,” in 2011 Information Security
[S14]. X. Zhang, N. Wuwong, H. Li, and X. Curriculum Development Conference,
Zhang, "Information security risk InfoSecCD’11, September 30, 2011 -
management framework for the cloud October 1, 2011, Kennesaw, GA, United
computing environments", Proceedings - states, 2011, pp. 15–19.
10th IEEE International Conference on [R6]. K. Dahbur, B. Mohammad, and A. B.
Computer and Information Technology, Tarakji, “A survey of risks, threats and
CIT-2010, 7th IEEE International vulnerabilities in cloud computing,” in
Conference on Embedded Software and 2nd International Conference on
Systems, ICESS-2010, ScalCom-2010, pp. Intelligent Semantic Web-Services and
1328. Applications, ISWSA 2011, April 18, 2011
[S15]. "Standards for Security Categorization of - April 20, 2011, Amman, Jordan, 2011, p.
Federal Information and Information The Isra University.
Systems," National Institute of Standards [R7]. L. M. Vaquero, L. Rodero-Merino, and D.
and Technology (NIST), FIPS Pub. 199, Moran, “Locking the sky: a survey on
Feb. 2004. IaaS cloud security,” Computing, vol. 91,
no. 1, pp. 93–118, Jan. 2011.
We found 26 relevant and available papers in [R8]. L. Sumter, “Cloud computing: Security
which only 11 supported our study relating risk,” in 48th Annual Southeast Regional
Confidentiality framework. Here, some extra Conference, ACM SE’10, April 15, 2010 –
references (excluding those 11references that are April 17, 2010, Oxford, MS, United states,
presented in the research report). Those that did 2010.
not support for our Framework in any kind but [R9]. Minqi Zhou, Rong Zhang, Wei Xie,
helped us in gaining some extra knowledge are Weining Qian, and Aoying Zhou,
presented here. “Security and Privacy in Cloud
Computing: A Survey,” in 2010 Sixth
PRE-SLR (ASSIGNMENT-1 SLR) - International Conference on Semantics
REFERENCES ([R]) Knowledge and Grid (SKG 2010), 1-3
[R1]. D. Carrell, “A Strategy for Deploying Nov. 2010, Los Alamitos, CA, USA, 2010,
Secure Cloud-Based Natural Language p. 105–12.
Processing Systems for Applied Research [R10]. M. Jensen, J. Schwenk, N. Gruschka, and
Involving Clinical Text,” in 2011 44th L. L. Iacono, “On technical security issues
Hawaii International Conference on in cloud computing,” in 2009 IEEE
System Sciences (HICSS 2011), 4-7 Jan. International Conference on Cloud

51 | P a g e

Computing (CLOUD), 21-25 Sept. 2009, Science and Engineering (ICSSE), 8-10
Piscataway, NJ, USA, 2009, p. 109–16. June 2011, Piscataway, NJ, USA, 2011, p.
[R11]. M. Townsend, “Managing a security 582–7.
program in a cloud computing [R20]. Xin Yang, Qingni Shen, Yahui Yang, and
environment,” in 2009 Information Sihan Qing, “A Way of Key Management
Security Curriculum Development Annual in Cloud Storage Based on Trusted
Conference, InfoSecCD’09, September 25, Computing,” in Network and Parallel
2009 - September 26, 2009, Kennesaw, Computing. 8th IFIP International
GA, United states, 2009, pp. 128–133. Conference, NPC 2011, 21-23 Oct. 2011,
[R12]. M. T. Khorshed, A. B. M. Shawkat Ali, Berlin, Germany, 2011, p. 135–45.
and S. A. Wasimi, “Trust issues that create [R21]. Xue Jing and Zhang Jian-jun, “A brief
threats for cyber attacks in cloud computin survey on the security model of cloud
g,” in 2011 17th IEEE International computing,” in 2010 Ninth International
Conference on Parallel and Distributed Symposium on Distributed Computing and
Systems, ICPADS 2011, December 7, Applications to Business, Engineering and
2011 – December 9, 2011, Tainan, Science (DCABES 2010), 10-12 Aug.
Taiwan, 2011, pp. 900–905. 2010, Los Alamitos, CA, USA, 2010, p.
[R13]. M. T. Khorshed, A. B. M. S. Ali, and S. 475–8.
A. Wasimi, “A survey on gaps, threat [R22]. X. Lin, “Survey on cloud based mobile
remediation challenges and some thoughts security and a new framework for
for proactive attack detection in cloud improvement,” in 2011 International
computing,” P.O. Box 211, Amsterdam, Conference on Information and
1000 AE, Netherlands, 2012, vol. 28, pp. Automation, ICIA 2011, June 6, 2011 -
833–851. June 8, 2011, Shenzhen, China, 2011, pp.
[R14]. P. Jain, D. Rane, and S. Patidar, “A survey 710–715.
and analysis of cloud model-based
security for computing secure cloud
bursting and aggregation in renal
environment,” in 2011 World Congress on
Information and Communication
Technologies (WICT), 11-14 Dec. 2011,
Piscataway, NJ, USA, 2011, p. 456–61.
[R15]. R. Glott, E. Husmann, A.-R. Sadeghi, and
M. Schunter, “Trustworthy Clouds
Underpinning the Future Internet,” in The
Future Internet, Berlin, Germany:
Springer Verlag, 2011, p. 209–21.
[R16]. S. Ramgovind, M. M. Eloff, and E. Smith,
“The management of security in Cloud
computing,” in 2010 Information Security
for South Africa (ISSA 2010), 2-4 Aug.
2010, Piscataway, NJ, USA, 2010, p. 7 pp.
[R17]. S. Subashini and V. Kavitha, “A survey on
security issues in service delivery models
of cloud computing,” Journal of Network
and Computer Applications, vol. 34, no. 1,
pp. 1–11, Jan. 2011.
[R18].S. Tabet and M. Pohlman, “Cloud
Computing: Combining Governance,
Compliance, and Trust Standards with
Declarative Rule- Based Frameworks,” in
Rule-Based Modeling and Computing on
the Semantic Web. 5th International
Symposium, RuleML 2011 - America, 3-5
Nov. 2011, Berlin, Germany, 2011, p.
230–6.
[R19]. Tsung-Hui Lu, Li-Yun Chang, and Zhe-
Jung Lee, “Integrating Security
Certification with IT Education,” in 2011
International Conference on System

52 | P a g e

D32035052

More Related Content

What's hot

Viewers also liked

Similar to D32035052

Recently uploaded

D32035052