Cloud Computing Security
Content
Cloud Computing Security
A new Direction
Student members:
No.
Student number
Name
Email
1
12200832
Truong Son Vu
[email protected]
2
11854801
Pengjian Zhang
[email protected]
3
11624614
Hui Zhang
[email protected]
4
11510841
Ricardo Salvo
[email protected]
1
Table of contents
Executive Summary .................................................................................................................................... 3
1.
Introduction ......................................................................................................................................... 3
2.
Research Aims and Objectives........................................................................................................... 4
2.1
Research Aims ............................................................................................................................. 4
2.2
Research Objectives .................................................................................................................... 4
3.
Background ......................................................................................................................................... 5
4.
Research Significance and invocation ............................................................................................... 6
5.
Research Methodologies ..................................................................................................................... 8
6.
Conclusion ......................................................................................................................................... 10
Reference: .................................................................................................................................................. 11
2
Executive Summary
Growing as one of the fastest developments in IT world, Cloud Computing is a model for
providing an omnipresent, convenient and on-demand network access to groups of computing
resources such as networking devices, servers, storage, applications and services. Due to many
advantages it provides, many organizations have been transferring their data to cloud environment.
However, storing data on the cloud where hardware infrastructure is outsourced to a third party
forms an important security question. Using their in-house infrastructure, organizations can define
and control their own security standards, but how can they know what type of security protocols
are being used by cloud providers and how well they are performing? Cloud industry itself is also
finding a solution for this question. There are existing range of standards provided by Cloud
Security Alliance (CSA), the U.S. National Institute of Standards and Technology (NIST), Institute
of Electrical and Electronics Engineers (IEEE) and the European Network and Information
Security Agency (ENISA), however applying all these standards to Cloud Computing security
only makes the situation worse.
Our aim is to find a standard for Cloud Computing security. By building up an only one
standard, every provider, developer can follow the same structure to build a united cloud
environment which can make security level in Cloud Computing stronger than ever.
1. Introduction
Cloud computing can be defined as “a parallel and distributed computing system consisting
of a collection of inter-connected and virtualized computers that are dynamically provisioned and
presented as one or more unified computing resources based on service-level agreements (SLA)
established through negotiation between the service provider and consumers”. In Cloud
Computing, the variety of resources provided depends on the request of consumers, it would be
increased when the requirement for service is rising and reduced when clients need less (Liu 2012).
However, since cloud computing essentially puts data outside of the control of the data owner, it
leads to security issues too.
Security, in particular, is one of the biggest issues in the Cloud Computing field and is the
cornerstone of Cloud development. Security concerns prevent organizations and customers from
fully adopting cloud environment, many business look at Cloud providers and refuse cloud
services because of the lack of trust in security standard being used. Cloud computing providers
claim that users’ data stored on the system is secure and protected from attacks, but there are still
so many potential risks of losing data on the cloud. At the moment, when providing a new cloud
service, providers can define their own standard or follow a set of standards created by CSA, NIST,
IEEE or ENISA. By doing that, we are creating a disorganized industry where its parts could not
work together. From customers’ perspectives, we do have no idea about security level of providers,
and so many security methods only make us confused. On behalf of researchers, Cloud computing
is determining the future of IT industry, but the lack of an agreement standard is having significant
impact on cloud computing's development. As a result, finding a new standard in security if the
urgent need of Cloud Computing development. By following only one standard, we can establish
3
a newly united cloud environment which is stronger and more effectively protect users’ data from
attacks. A new standard could also take the advantages of current technologies and combine them
together to enhance the level of security in Cloud Computing. An important finding is that a single
security could not protect data stored on the cloud from attacks effectively, but applying many
technologies at the same time could deteriorate the future expansion of Cloud Computing. Hence,
following only one standard can be a possible solution for Cloud Computing security.
The project proposal is divided into six parts. The first section of this paper is to provide a
brief picture of Cloud Computing in general and its security standards. Research Aims and
Objectives will be discussed in section two. We also highlight the Background and the Gap in
current research in section three. Section four is about Research Significance and Innovation.
Based on that, in section five, some proposed methodologies are given. Finally, section six
summarizes the main finding and gives some suggestions for future research.
2. Research Aims and Objectives
2.1 Research Aims
To begin with, we want to precisely state that the only aim of our research is to find a new
standard for security in Cloud Computing. As mentioned before, cloud environment at the moment
is quite chaotic due to so many standards being adopted and Cloud Computing itself is getting lost
in finding the way to develop. Therefore, following only one standard could resolve this situation.
There are two realistic rationales for the need of applying a new standard in Cloud Computing
security.
Firstly, Cloud Computing is a newly designed system, which is the combination of many
different technologies such as network, storage, computer, information technology, so it requires
a completely new technology which is different from current methods being used. Almost all
current security methods were developed before the dawn of Cloud industry. In the dedicated
server background, users can occupy an entire system and they do not have to share their resource
with anyone else that allows them to have full control over the server, including operating system,
hardware, and so on. Security methods those can work effectively in previous infrastructure might
not accomplish full of their performance in cloud environments.
Secondly, there are also many security methods being used in security for Cloud
Computing, but most of cloud providers only choose one of them to protect data on their cloud.
However, Rong, Nguyen & Jaatun (2012) point out that a single security approach of cloud
computing is not competent to build a safe guard against advanced cyber-attacks. Cloud providers
need to combine different techniques in the same system in order to reinforce the level of security
in Cloud Computing. By combining them together, a vulnerability of one security technique can
be supported by the strengths of other methods. Thus, we can provide a long-lasting wall against
potential attacks.
2.2 Research Objectives
4
In order to achieve the main aim, we will follow three objectives namely analyzing current
security techniques, researching on a new software named Zyber and conducting a comparison of
Zyber and security methods being used.
The first step is to examine some popular security techniques used by cloud providers to
safeguard customers’ data. This objective is expected to provide a full picture of security in Cloud
Computing. According to the result, we will be able to recognize the strengths of existing security
approaches and the reasons why cloud providers have chosen them to build their systems. It could
also highlight some weaknesses in security methods, so we can avoid these drawbacks when
building up a new standard for security in Cloud Computing.
Next objective is to target on Zyber which is a completely new software in Cloud
Computing. Zyber is being developed and supported by Canadian Government. We also want to
re-evaluate the possible performance of Zyber by focusing on its features for example, how it
works, what kind of encryption technique used, how much it costs to provide a better solution for
security compare to current techniques and so on. Additionally, its strengths and weaknesses will
also be discussed.
Finally, based on the results of two first objectives, we want to conduct a comparison
between Zyber and current security methods. This comparison will concentrate on possible
advantages and potential drawbacks of these techniques as well as some overpowering
characteristics of Zyber. The main outcome is to answer the question: “Can Zyber become a new
standard for security in Cloud Computing?”
3. Background
The disorganized development of Cloud Computing at the moment does not only weaken
its competitive position in IT industry, but also could lead to many threats in Cloud Computing
security. This viewpoint is supported by Martinez & Pulier (2012) who state that although making
use of cloud computing could bring lots of advantages to enterprises, many business are currently
refuse to use cloud infrastructure because the computing capacity provided by cloud provider are
lack of security, control and manageability. In addition, (Zissis & Lekkas 2012) describes in detail
that there are three main categories security risks are necessary to be secured which are data
confidentiality, integrity and availability.
The first issue is data confidentiality, Ryan (2013) highlight that data exist on cloud server
make those administrators vulnerable to bribery. The resolve of administrators may gradually
erode when they are in situations of interest conflict. The cloud computing is a shared-tenant
environment, so the data stored in the cloud database may be available to more people than data
owners such as hackers or employees from the third parties. Rong, Nguyen & Jaatun (2012) argue
that most of the IT infrastructure and data storage are shifted to third-party providers and that leads
to two critical consequences. Firstly, there is only limited control on the IT infrastructure for data
owners due to the remote location of cloud server, therefore it is essential for cloud provider to
establish a standard for their security policies to ensure the confidentiality of data. The second is
5
that the providers of cloud service have extensive control and unauthorized access to users' data
and application. These make users always worry about the confidentiality of their data and
decrease the trust level of cloud provider, particularly for users in business model which has high
level of security requirement.
The second security challenge figured out by past researcher is the integrity risk in cloud
computing. Gogna (2012) emphasis that the data which is stored in the cloud server can be
modified in the process of transmission. Even though the infrastructure provided by cloud provider
is more powerful than personal device, cloud provider still have to face risks of data loss. Rong,
Nguyen & Jaatun (2012) argue that the critical data stored in the provider's infrastructure is able
to modify without the consensus of user. The integrity and authenticity of data is very essential for
users and it needs to be guaranteed. However, there is no standard can be used to constrain those
cloud providers in cloud industry. According to Wang et al. (2010), some providers of cloud
service even reclaim storage through discarding data which is rarely used for gaining higher profit.
Finally, data availability is the third main concern in security for Cloud Computing. Users
of cloud service are unable to access to data if the server is down or a hard drive fails and they
don't really have direct access to be able to work this out. (Rao & Selvamani 2015) claim that
availability is a big concern which cloud providers have to face due to the data is distribute in
cloud servers at remote and different locations. If the server of cloud is disrupted, it will have a
negative influence on more users than in the traditional model (Rong, Nguyen & Jaatun 2012).
As mentioned above, there are probably potential drawbacks when transferring to the cloud
environment, however other research have suggested some approaches to eliminate the
disadvantages of Cloud Computing. Firstly, CSA (2013) and Rong, Nguyen & Jaatun (2012)
suggest that cloud computing users should use a stronger encryption. By doing this, data will not
be exposed to its clear text information to both cloud providers and other unauthorized users before
it is receipted by the authorized users (Rong, Nguyen & Jaatun 2012). Additionally, Sun at el.
(2014) suggest that the foundation of cloud storage should be based on the reliability of hard-drive
that means to investigate more on infrastructure. Choo (2010) also recommends that cloud service
providers should build their storage centers in different locations.
In a number of studies in current research, there are many possible solutions have been
suggested to reduce the negative impacts when we are moving to cloud computing. They all try to
make the best efforts to provide the highest level of data security in Cloud Computing. However,
none of them found that the thing we need is to create a new cloud environment by establishing a
new model which everyone can follow. That is also the gap in current research.
4. Research Significance and invocation
The significance and importance of this research will drastically change how cloud
computing is perceived. Cloud computing offers both unique advantages and challenges. The
advantages are well known: greater efficiency, economy and flexibility that can help organisations
meet rapidly changing computing needs quickly and cheaply while being environment friendly.
6
Among the challenges, security is the most commonly-sited concern in moving mission-critical
services or sensitive information to cloud (NIST 2013). When organisations implement cloud
computing, there is always a hesitation in regards to security. After researching through surveys,
case studies, public forums and word of mouth this is partly down to not knowing exactly where
their data is going to be stored, where exactly is this cloud that everyone talks about, many still is
do not completely understand the concept of cloud computing. It does not give the same closure,
for instance if data was to be stored locally on a personal computer or a laptop. Another issue that
is cause for concern is not knowing if the IT admins who take care of the data centres are actually
in fact browsing through everyone’s data. This is where following only one standard can make
differences.
This research is beneficial for both organizations and individuals as it offers possibilities
to strengthen security level for sensitive data. From organizations’ perspective, by doing this
research, they can have a brief look at security methods they are using, it provides a precise
description of the vulnerabilities of these methods. The research also suggests a better security
software to cloud providers that can make them more competitive to others. In addition, applying
one requirement will help and allow organisations to follow a set of rules when implementing
Cloud Computing. At the moment, there is no definite solution or guidelines to follow. This would
drastically improve security issues. With an official standard organisations wanting to implement
Cloud Computing would need to follow these strict set of rules and guidelines in order to be cloud
security certified. For individual users, all the advantages of cloud technology can be obtained as
well as enhancement of user experience. By evaluate certificated cloud providers, customers can
make a right choice when choosing who they can trust to store their private information.
Furthermore, they can also keep their data from rogue cloud service providers who cannot obtain
verified standard.
Based on analyzing of current research, the significant problem in current research is that
all of them pay no attention to build a united cloud industry and instead focus on a single approach
this could result in building up a chaotic cloud environment. In other words, the gap which needs
to be bridged is that there is no standard at all. Therefore, the result of this research cloud fill the
gap, driving Cloud Computing to a new direction.
A survey which was conducted by the IEEE and Cloud Security Alliance. IEEE is a
professional association for the advancement of technology, they nurture the development of IT
standards and Cloud Security Alliance, a non-profit group created to promote the use of best
practices for cloud security. The results of a survey of IT professionals which reveals
overwhelming agreement on the importance and urgency of cloud computing security standards
(ProQuest n.d.).
Building up a standard is also reinforced by Jim Reavis, founder and executive director of
the Cloud Security Alliance, who states that “It's clear from the survey's findings that enterprises
across sectors are eager to adopt cloud computing, but that security standards are needed both to
accelerate cloud adoption on a wide scale and to respond to regulatory drivers, cloud computing
is shaping the future of IT, but, as this study shows in a variety of ways, the absence of a
compliance environment is having dramatic impact on cloud computing's growth.”(ProQuest n.d.).
7
Hundreds of IT professionals participated in the joint IEEE/CSA survey, many of whom
are actively involved in implementing cloud-related projects. There are 93 percent of respondents
believed the need for cloud computing security standards is important and 82 percent said the need
is urgent (ProQuest n.d.). Moreover, 44 percent of respondents claimed that they are at present
involved in development of cloud computing standards, and 81 percent of them are to some extent
or very probable to participate in development of cloud security standards in the next 12 months
(ProQuest n.d.).
Judy Gorman, managing director, IEEE-SA said. "The Cloud Security Alliance, as the
world's leading organization focused on cloud security, and IEEE, as a global leader in standards
development across an unmatched range of industries, are the obvious partners to establish the
baseline on the current and intended usage of cloud computing services, as well as the needs,
attitudes and behaviors around cloud security standards. The insights revealed in this survey will
prove valuable in informing how the cloud community moves forward."(ProQuest n.d.)
Cloud Security Alliance proposes a sequences of ten steps that cloud service customers
should take to evaluate and manage the security of their cloud environment with the goal of
mitigating risk and providing an appropriate level of support. These 10 steps are not standardised
as of yet but are in the process. The final official standards will be similar in comparison.
Organisations wanting to integrate cloud into their organisation and want to follow proven
guidelines and rules which have been tested by all the authorities and experts in cloud security
should take these 10 steps into consideration.
- Step 1: Ensure effective governance, risk and compliance processes exist
- Step 2: Audit operational and business processes
- Step 3: Manage people, roles and identities
- Step 4: Ensure proper protection of data and information
- Step 5: Enforce privacy policies
- Step 6: Assess the security provisions for cloud applications
- Step 7: Ensure cloud networks and connections are secure
- Step 8: Evaluate security controls on physical infrastructure and facilities
- Step 9: Manage security terms in the cloud SLA
- Step 10: Understand the security requirements of the exit process
5. Research Methodologies
As Warfield (2010) argues that the results are more validate by using combination of
quantitative and qualitative research methodologies rather than a single research approach. In order
to reach the highlighted research aim and achieve the proposed objectives, a mix of research
8
methodologies including quantitative and qualitative approaches are conducted. In detail, online
survey method is chosen from quantitative approaches and comparative research, evaluation
research and interview are chosen from qualitative approaches.
These chosen research methods have strong links toward our research aim and objectives as each
of them is selected for specific phase of the research.
Our research followed a framework introduced by Cao et al. (2006) which consist with
four major activities and we modified them to match our research. Those modified activities are
theory building, observation, evaluation and justify. First of all, the theory supporting phase. The
expected outcome of this phase is to gathering facts and statistics and also analyzes them. As a
result, online survey can be one of the essential methods. This may include discussion forum and
online questionnaires. Timothy & Levy (2009) emphasize the importance of research questions as
its represents the areas where the projects want to explore. Timothy & Levy (2009) further state
that questionnaires for quantitative data should be in confirmatory and predictive manner. Thus,
our sample questions in the context of cloud computing could include:
-
Question 1: Discussion forum – How strong is an end – to – end encryption during data
transferring? ( Confirmatory)
Question 2: General Users – How will cloud computing effect your study/work/social life
if there is a significant improvement in security? ( Predictive)
However, it is important to notice that data validity is a potential issue needs to be
overcome during the research process. In conclusion, the findings of this phase are critical to
support our research aim theoretically.
Secondly, observations phase. In this phase, case studies method is highly recommended
if a research question demands a deeper answer of specific social phenomenon. As a results, our
research use case studies for comparative research and also use literature reviews as supporting
method. Literature reviews are based on reviewing large variety of academic literatures. The
focusing topic includes security issues and current solutions. The results of this part play an
important role to support next step as case studies are conducted based on the finding solutions.
According to Wynn & Williams (2012), a case study should be focused on events that are occurring
in single structure, for instance, single company. Hence, we will conduct case studies that
concentrates on analyzing current solutions and comparing the strength and weakness of those
solutions based on events of single organization. Overall, this phase provides great assistance to
formulate hypotheses to be tested in experimental phase.
Finally, evaluation and justify phase. Cao et al. (2006) point out that several common
methods can be used for system evaluation such as interviews. Moreover, Cao et al. (2006) further
state that a comprehensive understanding of an IT artifact can be achieved only by combining
system evaluation activities and theory testing activities. Thus, we issued an evaluation research
on an under-development technology called Zyber for theory testing as well as interviews. This is
also the core part of our research methods as the previous research shows that Zyber guaranteed
an outstanding improvement toward cloud computing security. The initial plan is testing Zyber
after the first release or during beta. To access the utility of Zyber, we will be measuring following
9
quality attributes: functionality, performance, usability, consistency, availability, reliability as well
as testing their security level. Besides, interviews will also be held; our target could be CEO and
develop team of Zyber. In conclusion, evaluation results can be used to justify our proposal theory.
Refers to the three main objectives we introduced, a success measurement process need to
be taken after each research phase. The process includes analyzing finding data and evaluating
phase results and then match with introduced the objectives. Moreover, it is necessary to mention
that the chosen research methods are not phase-exclusive and mandatory, which means that there
will be a mix of methods or could be more flexible choices used if needed.
6. Conclusion
To sum up, as cloud computing is current and future trend of technology, there is a distinct
increasing in popularity and large amount of enterprises are shifting their infrastructure into cloudbased. However, security issues remain a major threat to cloud services users. Three major issues
become barriers for cloud adopting which is data confidentiality, integrity, data availability
respectively. The overall research aim is to find a new standard that is secure enough and able to
adopt by both organizations and individual users. To reach our aim, several objectives need to be
accomplished. These objectives includes: evaluating existing solutions, testing new technology
and comparing them. The importance of the research needs to be highlighted as the research results
have possibilities that leads to revolution of cloud computing. More users could embrace the
benefits offered by cloud computing. Furthermore, statistics from previous research provides
strong support to our proposed theory. Our research team has selected major research methods that
involving online survey, literature reviews, case studies, interviews and also focusing on an overall
method which is evaluate Zyber technology. Ultimately, by following an overall framework and
guideline, also embed principles into research method as well as using current research
technologies, critical and accurate research results are promising.
10
Reference:
Choo, R.K. 2010, Cloud computing: Challenges and future directions, Australian Institute of
Criminology, Canberra, viewed 8 September 2015,
<http://aic.gov.au/publications/current%20series/tandi/381-400/tandi400.html>
Gogna, M. 2013, ‘A survey on security challenges of Cloud Computing’, International Journal
of Computer Science & Communication, vol. 4, no. 1, pp. 21-23.
Grance, T. & Mell, P. 2011, Recommendations of the National Institute of Standards and
Technology, 800-145, National Institute of Standards and Technology (NIST) Special
Publication 800-145, U.S. Department of Commerce, the United State.
Martinez F. R. & Pulier E. 2012, ‘System and method for a cloud computing abstraction layer with
security zone facilities’, U.S. Patent Application Publication, no. 13/354,275.
Rao, R.V. & Selvamani, K. 2015, ‘Data Security Challenges and Its Solutions in Cloud
Computing’, Procedia Computer Science, vol 48, pp. 204-209.
Robert, K.Y. 2013, Case Study Research: Design and methods, 5th edn, Sage publications,
London.
Rong, C., Nguyen, S.T. & Jaatun, M.G 2012, ‘Beyond lightning: A survey on security challenges
in cloud computing’, Computers and Electrical Engineering, vol. 39, no. 1, pp. 47-54.
Ryan M.D. 2013, 'Cloud computing security: The scientific challenge, and a survey of solutions' ,
Journal of Systems and Software, vol. 86, no. 9, pp. 2263-2268.
Timothy, J.E & Levy, Y. 2009, ‘Towards a Guide for Novice Researchers on Research
Methodology: Review and Proposed Methods’, Issues in Informing Science & Information
Technology, vol. 6, pp. 323.
Top Threats Working Group 2013, The Notorious Nine Cloud Computing Top Threats in 2013,
Cloud Security Alliance (CSA).
Wang C, Chow, S. S. M. , Wang Q, Ren K, Lou W. 2010, 'Privacy-preserving public auditing for
data storage security in cloud computing//INFOCOM' , Proceedings IEEE, San Diego, CA, pp.
1-9.
Warfield, D. 2010, ‘Information Systems (IS) and Information Technology (IT) research: A
research methodologies review’, Journal of Theoretical & Applied Information Technology, vol.
13, pp. 28-25.
Wynn, J.D. & Williams, C.K. 2012, ‘Principle for conducting critical realist case study research
in information system’, MIS Quarterly, vol. 36, pp. 787.
Zissis, D. & Lekkas, D. 2010, ‘Addressing cloud computing security issues’, Future Generation
Computer Systems, vol. 28, no. 3, pp. 583-592.
11
Cao, J. Crews, J.M., Lin, M., Deokar, A., Burgoon, J.K., Jay, F. & Nunamaker, Jr. 2006, ‘Journal
of Management Information Systems’, Crossing Boundaries in Information Systems Research,
vol. 22, no. 4, pp. 207-235.
12
A new Direction
Student members:
No.
Student number
Name
1
12200832
Truong Son Vu
[email protected]
2
11854801
Pengjian Zhang
[email protected]
3
11624614
Hui Zhang
[email protected]
4
11510841
Ricardo Salvo
[email protected]
1
Table of contents
Executive Summary .................................................................................................................................... 3
1.
Introduction ......................................................................................................................................... 3
2.
Research Aims and Objectives........................................................................................................... 4
2.1
Research Aims ............................................................................................................................. 4
2.2
Research Objectives .................................................................................................................... 4
3.
Background ......................................................................................................................................... 5
4.
Research Significance and invocation ............................................................................................... 6
5.
Research Methodologies ..................................................................................................................... 8
6.
Conclusion ......................................................................................................................................... 10
Reference: .................................................................................................................................................. 11
2
Executive Summary
Growing as one of the fastest developments in IT world, Cloud Computing is a model for
providing an omnipresent, convenient and on-demand network access to groups of computing
resources such as networking devices, servers, storage, applications and services. Due to many
advantages it provides, many organizations have been transferring their data to cloud environment.
However, storing data on the cloud where hardware infrastructure is outsourced to a third party
forms an important security question. Using their in-house infrastructure, organizations can define
and control their own security standards, but how can they know what type of security protocols
are being used by cloud providers and how well they are performing? Cloud industry itself is also
finding a solution for this question. There are existing range of standards provided by Cloud
Security Alliance (CSA), the U.S. National Institute of Standards and Technology (NIST), Institute
of Electrical and Electronics Engineers (IEEE) and the European Network and Information
Security Agency (ENISA), however applying all these standards to Cloud Computing security
only makes the situation worse.
Our aim is to find a standard for Cloud Computing security. By building up an only one
standard, every provider, developer can follow the same structure to build a united cloud
environment which can make security level in Cloud Computing stronger than ever.
1. Introduction
Cloud computing can be defined as “a parallel and distributed computing system consisting
of a collection of inter-connected and virtualized computers that are dynamically provisioned and
presented as one or more unified computing resources based on service-level agreements (SLA)
established through negotiation between the service provider and consumers”. In Cloud
Computing, the variety of resources provided depends on the request of consumers, it would be
increased when the requirement for service is rising and reduced when clients need less (Liu 2012).
However, since cloud computing essentially puts data outside of the control of the data owner, it
leads to security issues too.
Security, in particular, is one of the biggest issues in the Cloud Computing field and is the
cornerstone of Cloud development. Security concerns prevent organizations and customers from
fully adopting cloud environment, many business look at Cloud providers and refuse cloud
services because of the lack of trust in security standard being used. Cloud computing providers
claim that users’ data stored on the system is secure and protected from attacks, but there are still
so many potential risks of losing data on the cloud. At the moment, when providing a new cloud
service, providers can define their own standard or follow a set of standards created by CSA, NIST,
IEEE or ENISA. By doing that, we are creating a disorganized industry where its parts could not
work together. From customers’ perspectives, we do have no idea about security level of providers,
and so many security methods only make us confused. On behalf of researchers, Cloud computing
is determining the future of IT industry, but the lack of an agreement standard is having significant
impact on cloud computing's development. As a result, finding a new standard in security if the
urgent need of Cloud Computing development. By following only one standard, we can establish
3
a newly united cloud environment which is stronger and more effectively protect users’ data from
attacks. A new standard could also take the advantages of current technologies and combine them
together to enhance the level of security in Cloud Computing. An important finding is that a single
security could not protect data stored on the cloud from attacks effectively, but applying many
technologies at the same time could deteriorate the future expansion of Cloud Computing. Hence,
following only one standard can be a possible solution for Cloud Computing security.
The project proposal is divided into six parts. The first section of this paper is to provide a
brief picture of Cloud Computing in general and its security standards. Research Aims and
Objectives will be discussed in section two. We also highlight the Background and the Gap in
current research in section three. Section four is about Research Significance and Innovation.
Based on that, in section five, some proposed methodologies are given. Finally, section six
summarizes the main finding and gives some suggestions for future research.
2. Research Aims and Objectives
2.1 Research Aims
To begin with, we want to precisely state that the only aim of our research is to find a new
standard for security in Cloud Computing. As mentioned before, cloud environment at the moment
is quite chaotic due to so many standards being adopted and Cloud Computing itself is getting lost
in finding the way to develop. Therefore, following only one standard could resolve this situation.
There are two realistic rationales for the need of applying a new standard in Cloud Computing
security.
Firstly, Cloud Computing is a newly designed system, which is the combination of many
different technologies such as network, storage, computer, information technology, so it requires
a completely new technology which is different from current methods being used. Almost all
current security methods were developed before the dawn of Cloud industry. In the dedicated
server background, users can occupy an entire system and they do not have to share their resource
with anyone else that allows them to have full control over the server, including operating system,
hardware, and so on. Security methods those can work effectively in previous infrastructure might
not accomplish full of their performance in cloud environments.
Secondly, there are also many security methods being used in security for Cloud
Computing, but most of cloud providers only choose one of them to protect data on their cloud.
However, Rong, Nguyen & Jaatun (2012) point out that a single security approach of cloud
computing is not competent to build a safe guard against advanced cyber-attacks. Cloud providers
need to combine different techniques in the same system in order to reinforce the level of security
in Cloud Computing. By combining them together, a vulnerability of one security technique can
be supported by the strengths of other methods. Thus, we can provide a long-lasting wall against
potential attacks.
2.2 Research Objectives
4
In order to achieve the main aim, we will follow three objectives namely analyzing current
security techniques, researching on a new software named Zyber and conducting a comparison of
Zyber and security methods being used.
The first step is to examine some popular security techniques used by cloud providers to
safeguard customers’ data. This objective is expected to provide a full picture of security in Cloud
Computing. According to the result, we will be able to recognize the strengths of existing security
approaches and the reasons why cloud providers have chosen them to build their systems. It could
also highlight some weaknesses in security methods, so we can avoid these drawbacks when
building up a new standard for security in Cloud Computing.
Next objective is to target on Zyber which is a completely new software in Cloud
Computing. Zyber is being developed and supported by Canadian Government. We also want to
re-evaluate the possible performance of Zyber by focusing on its features for example, how it
works, what kind of encryption technique used, how much it costs to provide a better solution for
security compare to current techniques and so on. Additionally, its strengths and weaknesses will
also be discussed.
Finally, based on the results of two first objectives, we want to conduct a comparison
between Zyber and current security methods. This comparison will concentrate on possible
advantages and potential drawbacks of these techniques as well as some overpowering
characteristics of Zyber. The main outcome is to answer the question: “Can Zyber become a new
standard for security in Cloud Computing?”
3. Background
The disorganized development of Cloud Computing at the moment does not only weaken
its competitive position in IT industry, but also could lead to many threats in Cloud Computing
security. This viewpoint is supported by Martinez & Pulier (2012) who state that although making
use of cloud computing could bring lots of advantages to enterprises, many business are currently
refuse to use cloud infrastructure because the computing capacity provided by cloud provider are
lack of security, control and manageability. In addition, (Zissis & Lekkas 2012) describes in detail
that there are three main categories security risks are necessary to be secured which are data
confidentiality, integrity and availability.
The first issue is data confidentiality, Ryan (2013) highlight that data exist on cloud server
make those administrators vulnerable to bribery. The resolve of administrators may gradually
erode when they are in situations of interest conflict. The cloud computing is a shared-tenant
environment, so the data stored in the cloud database may be available to more people than data
owners such as hackers or employees from the third parties. Rong, Nguyen & Jaatun (2012) argue
that most of the IT infrastructure and data storage are shifted to third-party providers and that leads
to two critical consequences. Firstly, there is only limited control on the IT infrastructure for data
owners due to the remote location of cloud server, therefore it is essential for cloud provider to
establish a standard for their security policies to ensure the confidentiality of data. The second is
5
that the providers of cloud service have extensive control and unauthorized access to users' data
and application. These make users always worry about the confidentiality of their data and
decrease the trust level of cloud provider, particularly for users in business model which has high
level of security requirement.
The second security challenge figured out by past researcher is the integrity risk in cloud
computing. Gogna (2012) emphasis that the data which is stored in the cloud server can be
modified in the process of transmission. Even though the infrastructure provided by cloud provider
is more powerful than personal device, cloud provider still have to face risks of data loss. Rong,
Nguyen & Jaatun (2012) argue that the critical data stored in the provider's infrastructure is able
to modify without the consensus of user. The integrity and authenticity of data is very essential for
users and it needs to be guaranteed. However, there is no standard can be used to constrain those
cloud providers in cloud industry. According to Wang et al. (2010), some providers of cloud
service even reclaim storage through discarding data which is rarely used for gaining higher profit.
Finally, data availability is the third main concern in security for Cloud Computing. Users
of cloud service are unable to access to data if the server is down or a hard drive fails and they
don't really have direct access to be able to work this out. (Rao & Selvamani 2015) claim that
availability is a big concern which cloud providers have to face due to the data is distribute in
cloud servers at remote and different locations. If the server of cloud is disrupted, it will have a
negative influence on more users than in the traditional model (Rong, Nguyen & Jaatun 2012).
As mentioned above, there are probably potential drawbacks when transferring to the cloud
environment, however other research have suggested some approaches to eliminate the
disadvantages of Cloud Computing. Firstly, CSA (2013) and Rong, Nguyen & Jaatun (2012)
suggest that cloud computing users should use a stronger encryption. By doing this, data will not
be exposed to its clear text information to both cloud providers and other unauthorized users before
it is receipted by the authorized users (Rong, Nguyen & Jaatun 2012). Additionally, Sun at el.
(2014) suggest that the foundation of cloud storage should be based on the reliability of hard-drive
that means to investigate more on infrastructure. Choo (2010) also recommends that cloud service
providers should build their storage centers in different locations.
In a number of studies in current research, there are many possible solutions have been
suggested to reduce the negative impacts when we are moving to cloud computing. They all try to
make the best efforts to provide the highest level of data security in Cloud Computing. However,
none of them found that the thing we need is to create a new cloud environment by establishing a
new model which everyone can follow. That is also the gap in current research.
4. Research Significance and invocation
The significance and importance of this research will drastically change how cloud
computing is perceived. Cloud computing offers both unique advantages and challenges. The
advantages are well known: greater efficiency, economy and flexibility that can help organisations
meet rapidly changing computing needs quickly and cheaply while being environment friendly.
6
Among the challenges, security is the most commonly-sited concern in moving mission-critical
services or sensitive information to cloud (NIST 2013). When organisations implement cloud
computing, there is always a hesitation in regards to security. After researching through surveys,
case studies, public forums and word of mouth this is partly down to not knowing exactly where
their data is going to be stored, where exactly is this cloud that everyone talks about, many still is
do not completely understand the concept of cloud computing. It does not give the same closure,
for instance if data was to be stored locally on a personal computer or a laptop. Another issue that
is cause for concern is not knowing if the IT admins who take care of the data centres are actually
in fact browsing through everyone’s data. This is where following only one standard can make
differences.
This research is beneficial for both organizations and individuals as it offers possibilities
to strengthen security level for sensitive data. From organizations’ perspective, by doing this
research, they can have a brief look at security methods they are using, it provides a precise
description of the vulnerabilities of these methods. The research also suggests a better security
software to cloud providers that can make them more competitive to others. In addition, applying
one requirement will help and allow organisations to follow a set of rules when implementing
Cloud Computing. At the moment, there is no definite solution or guidelines to follow. This would
drastically improve security issues. With an official standard organisations wanting to implement
Cloud Computing would need to follow these strict set of rules and guidelines in order to be cloud
security certified. For individual users, all the advantages of cloud technology can be obtained as
well as enhancement of user experience. By evaluate certificated cloud providers, customers can
make a right choice when choosing who they can trust to store their private information.
Furthermore, they can also keep their data from rogue cloud service providers who cannot obtain
verified standard.
Based on analyzing of current research, the significant problem in current research is that
all of them pay no attention to build a united cloud industry and instead focus on a single approach
this could result in building up a chaotic cloud environment. In other words, the gap which needs
to be bridged is that there is no standard at all. Therefore, the result of this research cloud fill the
gap, driving Cloud Computing to a new direction.
A survey which was conducted by the IEEE and Cloud Security Alliance. IEEE is a
professional association for the advancement of technology, they nurture the development of IT
standards and Cloud Security Alliance, a non-profit group created to promote the use of best
practices for cloud security. The results of a survey of IT professionals which reveals
overwhelming agreement on the importance and urgency of cloud computing security standards
(ProQuest n.d.).
Building up a standard is also reinforced by Jim Reavis, founder and executive director of
the Cloud Security Alliance, who states that “It's clear from the survey's findings that enterprises
across sectors are eager to adopt cloud computing, but that security standards are needed both to
accelerate cloud adoption on a wide scale and to respond to regulatory drivers, cloud computing
is shaping the future of IT, but, as this study shows in a variety of ways, the absence of a
compliance environment is having dramatic impact on cloud computing's growth.”(ProQuest n.d.).
7
Hundreds of IT professionals participated in the joint IEEE/CSA survey, many of whom
are actively involved in implementing cloud-related projects. There are 93 percent of respondents
believed the need for cloud computing security standards is important and 82 percent said the need
is urgent (ProQuest n.d.). Moreover, 44 percent of respondents claimed that they are at present
involved in development of cloud computing standards, and 81 percent of them are to some extent
or very probable to participate in development of cloud security standards in the next 12 months
(ProQuest n.d.).
Judy Gorman, managing director, IEEE-SA said. "The Cloud Security Alliance, as the
world's leading organization focused on cloud security, and IEEE, as a global leader in standards
development across an unmatched range of industries, are the obvious partners to establish the
baseline on the current and intended usage of cloud computing services, as well as the needs,
attitudes and behaviors around cloud security standards. The insights revealed in this survey will
prove valuable in informing how the cloud community moves forward."(ProQuest n.d.)
Cloud Security Alliance proposes a sequences of ten steps that cloud service customers
should take to evaluate and manage the security of their cloud environment with the goal of
mitigating risk and providing an appropriate level of support. These 10 steps are not standardised
as of yet but are in the process. The final official standards will be similar in comparison.
Organisations wanting to integrate cloud into their organisation and want to follow proven
guidelines and rules which have been tested by all the authorities and experts in cloud security
should take these 10 steps into consideration.
- Step 1: Ensure effective governance, risk and compliance processes exist
- Step 2: Audit operational and business processes
- Step 3: Manage people, roles and identities
- Step 4: Ensure proper protection of data and information
- Step 5: Enforce privacy policies
- Step 6: Assess the security provisions for cloud applications
- Step 7: Ensure cloud networks and connections are secure
- Step 8: Evaluate security controls on physical infrastructure and facilities
- Step 9: Manage security terms in the cloud SLA
- Step 10: Understand the security requirements of the exit process
5. Research Methodologies
As Warfield (2010) argues that the results are more validate by using combination of
quantitative and qualitative research methodologies rather than a single research approach. In order
to reach the highlighted research aim and achieve the proposed objectives, a mix of research
8
methodologies including quantitative and qualitative approaches are conducted. In detail, online
survey method is chosen from quantitative approaches and comparative research, evaluation
research and interview are chosen from qualitative approaches.
These chosen research methods have strong links toward our research aim and objectives as each
of them is selected for specific phase of the research.
Our research followed a framework introduced by Cao et al. (2006) which consist with
four major activities and we modified them to match our research. Those modified activities are
theory building, observation, evaluation and justify. First of all, the theory supporting phase. The
expected outcome of this phase is to gathering facts and statistics and also analyzes them. As a
result, online survey can be one of the essential methods. This may include discussion forum and
online questionnaires. Timothy & Levy (2009) emphasize the importance of research questions as
its represents the areas where the projects want to explore. Timothy & Levy (2009) further state
that questionnaires for quantitative data should be in confirmatory and predictive manner. Thus,
our sample questions in the context of cloud computing could include:
-
Question 1: Discussion forum – How strong is an end – to – end encryption during data
transferring? ( Confirmatory)
Question 2: General Users – How will cloud computing effect your study/work/social life
if there is a significant improvement in security? ( Predictive)
However, it is important to notice that data validity is a potential issue needs to be
overcome during the research process. In conclusion, the findings of this phase are critical to
support our research aim theoretically.
Secondly, observations phase. In this phase, case studies method is highly recommended
if a research question demands a deeper answer of specific social phenomenon. As a results, our
research use case studies for comparative research and also use literature reviews as supporting
method. Literature reviews are based on reviewing large variety of academic literatures. The
focusing topic includes security issues and current solutions. The results of this part play an
important role to support next step as case studies are conducted based on the finding solutions.
According to Wynn & Williams (2012), a case study should be focused on events that are occurring
in single structure, for instance, single company. Hence, we will conduct case studies that
concentrates on analyzing current solutions and comparing the strength and weakness of those
solutions based on events of single organization. Overall, this phase provides great assistance to
formulate hypotheses to be tested in experimental phase.
Finally, evaluation and justify phase. Cao et al. (2006) point out that several common
methods can be used for system evaluation such as interviews. Moreover, Cao et al. (2006) further
state that a comprehensive understanding of an IT artifact can be achieved only by combining
system evaluation activities and theory testing activities. Thus, we issued an evaluation research
on an under-development technology called Zyber for theory testing as well as interviews. This is
also the core part of our research methods as the previous research shows that Zyber guaranteed
an outstanding improvement toward cloud computing security. The initial plan is testing Zyber
after the first release or during beta. To access the utility of Zyber, we will be measuring following
9
quality attributes: functionality, performance, usability, consistency, availability, reliability as well
as testing their security level. Besides, interviews will also be held; our target could be CEO and
develop team of Zyber. In conclusion, evaluation results can be used to justify our proposal theory.
Refers to the three main objectives we introduced, a success measurement process need to
be taken after each research phase. The process includes analyzing finding data and evaluating
phase results and then match with introduced the objectives. Moreover, it is necessary to mention
that the chosen research methods are not phase-exclusive and mandatory, which means that there
will be a mix of methods or could be more flexible choices used if needed.
6. Conclusion
To sum up, as cloud computing is current and future trend of technology, there is a distinct
increasing in popularity and large amount of enterprises are shifting their infrastructure into cloudbased. However, security issues remain a major threat to cloud services users. Three major issues
become barriers for cloud adopting which is data confidentiality, integrity, data availability
respectively. The overall research aim is to find a new standard that is secure enough and able to
adopt by both organizations and individual users. To reach our aim, several objectives need to be
accomplished. These objectives includes: evaluating existing solutions, testing new technology
and comparing them. The importance of the research needs to be highlighted as the research results
have possibilities that leads to revolution of cloud computing. More users could embrace the
benefits offered by cloud computing. Furthermore, statistics from previous research provides
strong support to our proposed theory. Our research team has selected major research methods that
involving online survey, literature reviews, case studies, interviews and also focusing on an overall
method which is evaluate Zyber technology. Ultimately, by following an overall framework and
guideline, also embed principles into research method as well as using current research
technologies, critical and accurate research results are promising.
10
Reference:
Choo, R.K. 2010, Cloud computing: Challenges and future directions, Australian Institute of
Criminology, Canberra, viewed 8 September 2015,
<http://aic.gov.au/publications/current%20series/tandi/381-400/tandi400.html>
Gogna, M. 2013, ‘A survey on security challenges of Cloud Computing’, International Journal
of Computer Science & Communication, vol. 4, no. 1, pp. 21-23.
Grance, T. & Mell, P. 2011, Recommendations of the National Institute of Standards and
Technology, 800-145, National Institute of Standards and Technology (NIST) Special
Publication 800-145, U.S. Department of Commerce, the United State.
Martinez F. R. & Pulier E. 2012, ‘System and method for a cloud computing abstraction layer with
security zone facilities’, U.S. Patent Application Publication, no. 13/354,275.
Rao, R.V. & Selvamani, K. 2015, ‘Data Security Challenges and Its Solutions in Cloud
Computing’, Procedia Computer Science, vol 48, pp. 204-209.
Robert, K.Y. 2013, Case Study Research: Design and methods, 5th edn, Sage publications,
London.
Rong, C., Nguyen, S.T. & Jaatun, M.G 2012, ‘Beyond lightning: A survey on security challenges
in cloud computing’, Computers and Electrical Engineering, vol. 39, no. 1, pp. 47-54.
Ryan M.D. 2013, 'Cloud computing security: The scientific challenge, and a survey of solutions' ,
Journal of Systems and Software, vol. 86, no. 9, pp. 2263-2268.
Timothy, J.E & Levy, Y. 2009, ‘Towards a Guide for Novice Researchers on Research
Methodology: Review and Proposed Methods’, Issues in Informing Science & Information
Technology, vol. 6, pp. 323.
Top Threats Working Group 2013, The Notorious Nine Cloud Computing Top Threats in 2013,
Cloud Security Alliance (CSA).
Wang C, Chow, S. S. M. , Wang Q, Ren K, Lou W. 2010, 'Privacy-preserving public auditing for
data storage security in cloud computing//INFOCOM' , Proceedings IEEE, San Diego, CA, pp.
1-9.
Warfield, D. 2010, ‘Information Systems (IS) and Information Technology (IT) research: A
research methodologies review’, Journal of Theoretical & Applied Information Technology, vol.
13, pp. 28-25.
Wynn, J.D. & Williams, C.K. 2012, ‘Principle for conducting critical realist case study research
in information system’, MIS Quarterly, vol. 36, pp. 787.
Zissis, D. & Lekkas, D. 2010, ‘Addressing cloud computing security issues’, Future Generation
Computer Systems, vol. 28, no. 3, pp. 583-592.
11
Cao, J. Crews, J.M., Lin, M., Deokar, A., Burgoon, J.K., Jay, F. & Nunamaker, Jr. 2006, ‘Journal
of Management Information Systems’, Crossing Boundaries in Information Systems Research,
vol. 22, no. 4, pp. 207-235.
12
