

Procedia Computer Science 61 (2015) 191 - 197

Complex Adaptive Systems, Publication 5 Cihan H. Dagli, Editor in Chief Conference Organized by Missouri University of Science and Technology

2015-San Jose, CA

Utilizing Third Party Auditing to Manage Trust in the Cloud

Syed Rizvi*, Kelsey Karpinski, Brennen Kelly, Taryn Walker

Department of Information Sciences and Technology, Penn State University, Altoona PA, 16601, USA

Abstract

Recent trends within the IT industry have led to a tectonic shift in the way organizations utilize information systems to yield maximum efficiency. Cloud computing is the cornerstone of the aforementioned paradigm permutation. Information security, however, continues to dominate discussion on how organizations can utilize the efficiency of the cloud, while simultaneously maintaining end-user privacy and trust. The advent of cloud computing has likewise brought with it a multitude of new and exciting concepts that can complicate security demands exponentially. These security demands must be met to ensure user trust. Multi-tenancy is a cloud computing concept that is at the forefront of information security concerns in the 21st century computing environment. Current multi-tenancy models fail to provide adequate security measures by blindly multiplexing various unknown users, whose intentions can be hostile, with reputable cloud service users. In this paper, we propose a novel security auditing framework to establish user trust by (a) allowing the cloud service users (CSUs) to provide their security preferences with the desired cloud services, (b) providing a conceptual mechanism to validate the security controls and internal security policies of cloud service providers (CSPs) published in the CSA's (Cloud Security Alliance) Security Trust and Assurance Registry (STAR) database, and (c) maintaining a database of CSPs along with their responses to the Consensus Assessments Initiative Questionnaire (CAIQ) as well as the certificates issued by the certificate authorities. Thus, our proposed framework facilitates the CSUs in choosing a trustworthy CSP by empowering them to select appropriate security preferences and services.

© 2015 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

Peer-review under responsibility of scientific committee of Missouri University of Science and Technology

Keywords: Cloud computing; trust; security validation; third party auditor; cloud service provider (CSP); cloud service user (CSU)

1. Introduction

In recent years, cloud computing has become synonymous with efficiency, the internet, automation, and informational security threats within the IT community. The cloud's dynamically adaptive framework provides a centralized pool of configurable computing resources and outsourcing mechanisms that improve cost-effectiveness when compared to consumption of resources [1]. These systems offer vast advantages over traditional methods that include: minimal Capital Expense (CapEx), high availability, massive scalability, agility, and tremendous fault tolerance capability [2] [3]. Current cloud computing architecture encompasses three distinct layers: (i) Software as Service (SaaS), a model that provides the consumer with the ability to use provider's applications from various devices without managing or controlling the infrastructure; (ii) Platform as Service (PaaS), a model that allows the consumer to create and control those applications without managing or controlling the infrastructure; and (iii) Infrastructure as Service (IaaS), a model where the consumer runs and controls the operating systems, but does not manage the infrastructure [4]. Generally, the deployment of a cloud follows one of four models: (a) public cloud, where the physical infrastructure is owned and managed by a service provider; (b) community cloud, where the physical infrastructure is owned and managed by a consortium of organizations; (c) private cloud, where the infrastructure is owned and managed by a specific organization; and (d) hybrid cloud, which is a combination of the aforementioned models [3].

* Syed Rizvi. Tel.: +1-814-949-5292 E-mail address: srizvi@psu.edu

1877-0509 © 2015 The Authors. Published by Elsevier B.V. doi:10.1016/j.procs.2015.09.192

To achieve lower cost, easy management, and better performance, cloud providers implement automated resource allocation techniques, which commonly result in two or more Virtual Machines (VMs) belonging to different customers computing within the same physical server [4]. This practice is known as multi-tenancy. Multi-tenancy has been widely considered one of the cloud's greatest economic benefits while simultaneously being one of its greatest security flaws. When two or more CSUs share the same hardware resources, specific privacy and security concerns need to be addressed to instill consumer trust. For example, in the multi-tenant environment, an attacker is very capable of launching side channel attacks in an attempt to extract a victim's data. A side channel attack is incapable of being detected by either the hypervisor or the operating system, which renders traditional controls inept against these vulnerabilities [6]. Since there are no current solutions to completely mitigate the risks associated with VMs and multi-tenancy, identifying and allocating trustworthy CSUs together is paramount.

According to a 2012 survey conducted by IDG Enterprise, 70% of small businesses admit that security is a major barrier toward implementation of cloud computing. Concerns with information access (40%) and worries with information governance (37%) were also significant impediments toward cloud adoption [7]. Present privacy and trust issues can be partially attributed to cloud developers and users focusing primarily on developing technologies that accommodate user convenience and savings over user security [5]. Until consumers trust their data in the cloud, universal acceptance will be nominal.

2. Third Party Auditor Based Trust

A TPA is required to obtain an objective trust model. The role of the auditor is to total the predetermined criteria that are relevant to the CSP in order to establish trust. Key stakeholders of cloud computing, such as the CSU, the CSP and a TPA, are involved in establishing a trust model. If a CSP requests to enter the cloud computing market, it must provide a set of information for registration with a TPA. This information would include basic details of the services that the CSP can offer the CSUs. Not all of the services required by the CSU may be available from a given CSP [8].

The authors of [9] analysed the problems that may arise for a CSU using a CSP. The first problem posed was the protection of data integrity. The data must be monitored so that the CSU's data is not read or leaked and no new threats are introduced to the data during auditing. To ensure data integrity, one method that can be used is message authentication with the cryptographic technique of a Message Authentication Code (MAC). The second problem presented is dynamic data support, that is, data that is added, deleted or updated at any given time. The solution is implementing provable data possession (PDP). Support for access control is the third problem posed in [9]. This means permitting the CSU to have access to its resources while the TPA is able to verify the identity of the CSU. The Trusted Computer System Evaluation Criteria is the accepted criterion that resolves the third problem. The fourth is support for batch auditing. The solution to this problem is called a batch-processing mechanism. The final problem outlined by [9] is to minimize the cost of auditing. No definite solution has been found to this drawback of cloud computing.

A TPA is needed to protect the integrity of the data a user is storing in the cloud. A TPA should audit and log the behaviour of the user and the CSP [10]. A process was proposed in [10] to build a trusted and practical TPA. This process is called Trust Enhanced Third Party Auditor (TETPA). To implement this method certain requirements are necessary:

Trust identification, Strict storage security, and Active challenging and notifying.

To identify trust, the TETPA needs to know which CSP is being audited, to guard against a man-in-the-middle attack. It is vital that strict security over the cloud's storage space is maintained. A unique log file must be kept for each individual user-CSP relationship by using proper log updating mechanisms. Transparency mechanisms are needed to alert the CSP of a problem so that it is able to detect it and actively notify the user for attention. To build a trusted and practical TPA a few key features are essential [10]. A summary of the key features follows. To enable remote attestation, a TPM-compatible USBKey for cloud users is used to prevent cheating attacks. To avoid malevolent tampering, comprehensive procedures should be proposed to protect the TPA. The security of the logs and the authority and justice of the audit must also be made certain. Trusted Computing technology needs to be merged into the TPA to ensure that the CSPs are not cheated and that the TPA is trustworthy in itself.

Shah et al. [11] consider third party auditing to be an accepted method to determine trust between involved parties. So that a customer is able to wisely select a service, auditors need to assess and expose risk. Auditing over time reduces risk to customers. External auditing is the evaluation of services provided through third parties to determine whether or not to trust the host. Internal auditing evaluates whether a host is able to provide and continue to provide its services to customers. Since external auditing can only offer past glitches, internal auditing is vital to predict future problems and assess risk exposures.

3. Proposed Framework

The Cloud Security Alliance (CSA) group has recently designed a comprehensive self-assessment questionnaire that allows service providers to evaluate themselves. This self-assessment questionnaire is referred to as the Consensus Assessments Initiative Questionnaire (CAIQ), which consists of sixteen security domains, each one containing a varying number of security controls. An illustration of the sixteen security domains along with specific security controls is shown in Fig. 1. The service providers can evaluate themselves for the cloud services they offer with respect to the proposed CAIQ. This clearly provides an opportunity for CSPs to demonstrate their security strength and efficiencies for the services they offer to the cloud users.

Fig. 1. Illustration of CAIQ with sixteen top-level security domains (TLSD) and varying number of security controls

In other words, a CSP can use the CAIQ not only to publicize its cloud services but also to show its internal security controls and policies for each of the offered services. The responses to the CAIQ from the CSPs are stored in the Security, Trust and Assurance Registry (STAR), which is managed by the CSA group [12]. On the other hand, this allows the cloud users to carefully examine (1) the cloud services being offered by one or more service providers, (2) how secure these services are, (3) what security guarantees the CSP is providing, and (4) how compliant the internal security policies and procedures are, etc.

However, we believe there are a few problems with the existing system that need to be addressed in order to make CSA's efforts a success.

• First, not all cloud users are assumed to have sufficient knowledge and skills to examine and compare CSPs, cloud services, and the respective security controls and policies being offered.

• Second, it is relatively time consuming to navigate through multiple CSPs, compare their service level agreements (SLAs), search for the desired services that best match customer's requirements and satisfy their security and privacy concerns.

• Third, even if a cloud user chooses one specific CSP that offers the desired cloud service, it is unrealistic to assume that the claimed security controls and policies are indeed legitimate and have the capabilities to address the specific security problems for which they were originally designed. That is, there should be a well-defined mechanism to validate all security controls and policies published or claimed by service providers in their response to CAIQ. Currently, the cloud users can access the responses of service providers (i.e., the CAIQs) in the STAR database. However, no mechanism exists that cloud users can apply to validate the security controls and policies published in STAR. Consequently, cloud users are hesitant to trust service providers.

Taking this into account, we propose a third party based validation and trust framework which facilitates the CSU in choosing a trustworthy CSP. The proposed model (1) allows the CSUs to provide their security preferences with the desired cloud services they are looking for, (2) provides a conceptual mechanism to validate the security controls and internal security policies of CSPs published in the STAR, and (3) maintains a database of CSPs along with their responses to CAIQ as well as the certificates issued by the certificate authorities. The proposed framework is shown in Fig. 2. It is divided into four modules around the TPA. The first module shows the role of the CSA in collecting the CAIQs from CSPs and maintaining them in the STAR database. The second module is the TPA database, which shows the security readiness of a CSP in terms of its security controls and the trust value, if any. The third module is the security controls validation (SCV), which provides several validation mechanisms to evaluate and verify the security claims of a CSP. Finally, the fourth module contains the CSUs, which can compare and analyse the security strength of the available service providers through the TPA. The role of each module will be discussed in detail in the subsequent sections.

3.1. The Role Of CSA

In our proposed framework, we adopted the CAIQ, which allows the CSPs to publish their security strength by choosing the appropriate security controls within each security domain. The CAIQ defines sixteen different security factors, each of which has a varying number of security controls. We consider these security factors as top-level security domains (TLSD) as shown in Fig. 2. The TLSD covers a variety of different security, privacy, management, and auditing aspects ranging from applications security to threats and vulnerability management. The description of TLSD and the specific security controls are given in Appendix A. The role of the CSA in our proposed framework is to regulate the collection and storage of the CSP's responses. A CSP that wants to publish its security information contacts the CSA to request the CAIQ. Once the response to the CAIQ is received from one particular CSP, it will be stored in the STAR database, maintained by the CSA. Thus, the STAR database contains the information of non-validated security controls and policies of the CSPs.

[Figure 2 labels: Security Controls Validations (SCV) Mechanisms: Cloud Auditor (CA), Compliance and Regulation Authorities (CRA), Hardware Vendors (HV), Software Vendors (SV), Independent Experts (IE), Risk Experts (RE)]

Fig. 2. Proposed TPA based Framework and four working modules

3.2. The Validation Process

The validation process will be performed at the top-level security domains (TLSD) of the CAIQ response. To address different aspects of the TLSD (e.g., data security and privacy, cloud auditing, threat assessment), we introduce several different security controls validation (SCV) mechanisms under the TPA. Each SCV mechanism is mapped to one or more TLSD of CAIQ. For instance, an independent cloud auditor can serve as one of the SCV mechanisms to validate all specific types of security controls under the Audit Assurance & Compliance security domain. In other words, depending on the type of the TLSD, the appropriate SCV mechanism will be selected and utilized by the TPA to validate the security controls claimed by the CSP. As an example, if TLSD is D2, then it should be forwarded to the cloud auditor (i.e., SCV1) and Compliance and Regulation Authorities (i.e., SCV2). On the other hand, if TLSD is D11, then it can be forwarded to the following two SCV mechanisms: Independent Security Expert (ISE) & Hardware Vendor (HV).

3.3. Mapping between TLSD and SCV Mechanisms

In this sub-section, we discuss how the mapping will be done between various TLSDs and SCV mechanisms. A one-to-one or one-to-many mapping will be used as part of our proposed framework to validate the CSP's security controls through the TPA by choosing one or more appropriate SCV mechanisms. In the proposed framework, we pre-determined the SCV mechanism(s) based on our analysis and evaluation of what specific security controls each TLSD has. An illustration of this one-to-one or one-to-many mapping between the TLSDs and the SCV mechanisms is shown in Fig. 3. The appropriate SCV mechanism(s) will be selected by the TPA for a given TLSD with respect to the predetermined/predefined mapping. A total of sixteen security domains are shown in Fig. 3 that will be audited by a total of six SCV mechanisms. For instance, the security validation of domain 2 (D2) will be performed by SCV 2 (i.e., Compliance and Regulation Authorities) and SCV 3 (i.e., Hardware Vendor). It should be noted that D2 corresponds to the Audit Assurance & Compliance in the CAIQ published by the CSA. Similarly, D4 (i.e., Change Control & Configuration Management) will be audited by SCV 5 (i.e., independent expert). As shown in Fig. 1, D2 and D4 have three and five specific security controls, respectively. Each of these specific security controls may need different types of auditing skills, which justifies why multiple SCV mechanisms are needed to audit the TLSDs.

Fig. 3. A closed view of one-to-one or one-to-many mapping between SCV mechanisms and the top-level security domains (TLSD)

3.4. Running Example of the Proposed Scheme

Fig. 4 shows a running example of the proposed scheme. From the TPA perspective, the first step is to retrieve the CAIQ of a CSP from the STAR database. The extracted CAIQ will be stored in the TPA database and all the relevant fields will be updated (step 2, Fig 4). The TPA initiates the auditing process by carefully analyzing each TLSD (step 3, Fig 4). An appropriate SCV mechanism(s) will be selected and the auditing request is sent by the TPA. The selected SCV mechanism performs the auditing of CSP's security control using its own skill sets and techniques. Once auditing is done, a security validation certificate (SVC) is sent back to the TPA (step 6, Fig 4). The TPA makes necessary changes in its database (step 7, Fig 4) to update the security status of a CSP according to the received SVC. Finally, the validation entry field is updated by the TPA to reflect all time stamps relevant to the changes made in the TPA database for a given CSP.

[Fig. 4 label, step 5: Prepare security validation certificate (SVC)]

Fig. 4. A running example of the proposed scheme
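The workflow of Sections 3.2 to 3.4, sketched as an added Python example; it is not code from the paper or its authors. The mapping holds only the TLSD-to-SCV pairs the text states (D2 as in Section 3.2); the numbering of SCV4 and SCV6, the rule that every SVC must pass, the fail-closed handling of unmapped domains, and the sample CSP, control labels and auditor verdicts are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# SCV mechanisms of Fig. 2. SCV1, SCV2, SCV3 and SCV5 are numbered in the text;
# SCV4 and SCV6 are assumed here from the order of the figure labels.
SCV_NAMES = {1: "Cloud Auditor", 2: "Compliance and Regulation Authorities",
             3: "Hardware Vendor", 4: "Software Vendor",
             5: "Independent Expert", 6: "Risk Expert"}

# Predefined TLSD -> SCV mapping, restricted to pairs stated in the text:
# D2 and D11 as given in Section 3.2, D4 as given in Section 3.3.
TLSD_TO_SCV = {"D2": (1, 2), "D4": (5,), "D11": (5, 3)}


@dataclass
class SVC:
    """Security validation certificate returned by one SCV mechanism."""
    csp: str
    domain: str
    scv: int
    passed: bool
    issued_at: str


@dataclass
class TPARecord:
    """One CSP's entry in the TPA database."""
    csp: str
    caiq: dict
    status: dict = field(default_factory=dict)
    certificates: list = field(default_factory=list)
    validation_log: list = field(default_factory=list)


def _now():
    return datetime.now(timezone.utc).isoformat()


def audit_csp(csp, star_db, tpa_db, auditors, mapping=TLSD_TO_SCV):
    caiq = star_db[csp]                             # step 1: fetch CAIQ from STAR
    rec = tpa_db[csp] = TPARecord(csp, dict(caiq))  # step 2: store in TPA database
    for domain, controls in caiq.items():           # step 3: analyse each TLSD
        mechanisms = mapping.get(domain, ())
        if not mechanisms:
            # Fail closed: a claim nobody audited stays a self-assertion.
            rec.status[domain] = "unvalidated"
        else:
            svcs = []
            for scv in mechanisms:                  # step 4: send audit request
                passed = bool(auditors[scv](csp, domain, controls))   # step 5
                svcs.append(SVC(csp, domain, scv, passed, _now()))    # step 6
            rec.certificates.extend(svcs)           # step 7: update security status
            ok = all(s.passed for s in svcs)        # assumption: every SVC must pass
            rec.status[domain] = "validated" if ok else "rejected"
        rec.validation_log.append((_now(), domain, rec.status[domain]))  # time stamps
    return rec


def meets_preferences(rec, required_domains):
    """CSU-side check: every required TLSD must be validated, not merely claimed."""
    return all(rec.status.get(d) == "validated" for d in required_domains)


def demo():
    # Constructed sample data: CSP name, control labels and verdicts are invented.
    star_db = {"ExampleCSP": {"D2": ["c1", "c2", "c3"],
                              "D4": ["c1", "c2", "c3", "c4", "c5"],
                              "D11": ["c1"], "D7": ["c1"]}}
    auditors = {n: (lambda csp, dom, ctl: True) for n in SCV_NAMES}
    auditors[3] = lambda csp, dom, ctl: dom != "D11"  # hardware vendor rejects D11
    return audit_csp("ExampleCSP", star_db, {}, auditors)


if __name__ == "__main__":
    record = demo()
    for dom, state in record.status.items():
        print(dom, state)
    print("CSU needs D2+D4:", meets_preferences(record, {"D2", "D4"}))
    print("CSU needs D2+D11:", meets_preferences(record, {"D2", "D11"}))
```

D7 has no entry in the mapping, so its self-reported controls stay "unvalidated" and cannot satisfy a CSU preference.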

4. Conclusion

In this paper, we presented a framework to validate the security controls of a CSP published in the STAR database in the form of a CAIQ-response. To perform the security validation, we adopted a TPA, which is assumed to be a trusted entity between the CSUs and the CSPs. The validation of security controls is done by multiple auditors working under the TPA. We discussed that the TPA is responsible for initiating the auditing process by analyzing the CAIQ-responses to determine which of the security controls need to be validated. To facilitate the TPA in the auditing process, we provided a predetermined/predefined method for selecting the appropriate SCV mechanism(s). Although the CSA has been very effective in introducing the concept of CAIQ and maintaining the STAR database with the CAIQ-responses, the end-users (i.e., the CSUs) cannot benefit from this initiative unless a trusted entity (i.e., a TPA) verifies and validates all the security strengths claimed by the service providers. Our research work, therefore, will play a critical role in assisting a CSU in selecting one or more appropriate CSPs using a TPA based on its desired cloud services and their respective security requirements. As part of our future research, we intend to develop a complete set of algorithms to automate the auditor selection process as well as develop a method to take the CSU feedback into account to promote objectivity in the proposed framework.

References

1. I. Khalil, A. Khreishah, and M. Azeem, "Cloud computing security: a survey," Computers, vol. 3, 2014, pp. 2-3.

2. M. Leandro, T. Nascimento, D. dos Santos, C. M. Westphall, and C. B. Westphall, "Multi-tenancy authorization system with federated identity for cloud-based environments using shibboleth," in proceedings of The Eleventh International Conference on Networks, Florianopolis, Brazil, 2012, pp. 88-93.

3. M. Zhou, R. Zhang, D. Zeng, and W. Qian, "Services in the cloud computing era: a survey," in proceedings of International Universal Communication Symposium (IUCS), Beijing, China, 2010, pp. 40-46.

4. P. Mell and T. Grance, "The NIST definition of cloud computing," National Institute of Standards and Technology, Gaithersburg, Maryland, 2011, pp. 2-3.

5. H. Sato, A. Kanai, and S. Tanimoto, "A cloud trust model in a security aware cloud," in proceedings of 10th Annual IEEE/IPSJ International Symposium on Applications and the Internet (SAINT), Seoul, South Korea, 2010, pp. 121-124.

6. H. AlJahdali, P. Townend, and J. Xu, "Enhancing multi-tenancy security in the cloud IaaS model over public deployment," in proceedings of Seventh International Symposium on Service-Oriented System Engineering, Redwood City, 2013, pp. 385-390.

7. "2012 Cloud Computing: Key Trends and Future Effects," IDG Enterprise, 2012, pp. 6. http://marketing.idgenterprise.com/pdf/IDGE_Cloud_preso_2012_sample.pdf

8. S. Rizvi, J. Ryoo, Y. Liu, D. Zazworsky, and A. Cappeta, "A centralized trust model approach for cloud computing," in proceedings of 2014 23rd Wireless and Optical Communication Conference, Newark, NJ, 2014, pp. 1-6.

9. L. Li, L. Xu, J. Li, and C. Zhang, "Study on the third-party audit in cloud storage service," in proceedings of 2011 International Conference on Cloud and Service Computing (ISCOS), Hong Kong, China, 2011, pp. 220-227.

10. S. Mei, C. Liu, Y. Cheng, J. Wu, and Z. Wang, "TETPA: A case for trusted third party auditor in cloud environment," in proceedings of IEEE Conference on Anthology, China, 2013, pp. 1-4.

11. M. Shah, M. Baker, J. Mogul, and R. Swaminathan, "Auditing to keep online storage services honest," in proceedings of the 11th USENIX workshop on Hot topics in operating systems, San Diego, CA, 2007, pp. 1-6.

12. CSA Security, Trust & Assurance Registry (STAR) [Online]. Available: https://cloudsecurityalliance.org/star/#_overview