Conference Paper

An Insight into Decisive Factors in Cloud Provider Selection with a Focus on Security


Abstract

In the last ten years cloud computing has developed from a buzz word to the new computing paradigm on a global scale. Computing power or storage capacity can be bought and consumed flexibly and on-demand, which opens up new opportunities for cost-saving and data processing. However, it also goes with security concerns as it represents a form of IT outsourcing. We investigate how these concerns manifest as a decisive factor in cloud provider selection by interviews with eight practitioners from German companies. As only a moderate interest is discovered, it is further examined why this is the case. Additionally, we compared the results from a systematic literature survey on cloud security assurance to cloud customers' verification of their providers' security measures. This paper provides a qualitative in-depth examination of companies' attitudes towards security in the cloud. The results of the analysed sample show that security is not necessarily decisive in cloud provider selection. Nevertheless, providers are required to guarantee security and comply. Traditional forms of assurance techniques play a role in assessing cloud providers and verifying their security measures. Moreover, compliance is identified as a strong driver to pursue security and assurance.

Article
Cloud computing is emerging as a promising IT solution for enabling ubiquitous, convenient, and on-demand accesses to a shared pool of configurable computing resources. However, the widespread adoption of cloud is still being hindered by the lack of transparency and accountability, which has traditionally been ensured through security auditing techniques. Auditing in cloud poses many unique challenges in data collection and processing (e.g., data format inconsistency and lack of correlation due to the heterogeneity of cloud infrastructures), and in verification (e.g., prohibitive performance overhead due to the sheer scale of cloud infrastructures and need of runtime verification for the dynamic nature of cloud). To this end, existing runtime auditing techniques do not offer a practical response time to verify a wide-range of user-level security properties for a large cloud. In this paper, we propose a runtime security auditing framework for the cloud with special focus on the user-level including common access control and authentication mechanisms e.g., RBAC, ABAC, SSO, and we implement and evaluate the framework based on OpenStack, a widely deployed cloud management system. The main idea towards reducing the response time to a practical level is to perform the costly operations for only once, which is followed by significantly more efficient incremental runtime verification. Our experimental results show that runtime security auditing in large cloud environment is realistic under our approach (e.g., our solution performs runtime auditing of 100,000 users within 500 milliseconds).
Article
As part of the research project "Secure information networks of small- and medium-sized energy providers" (SIDATE), a survey about the IT security status of German energy providers was conducted. The project itself is focused on the IT security of small- and medium-sized energy providers. In August 2016, 881 companies listed by the Federal Network Agency were approached. Between September 1st 2016 and October 15th 2016, 61 (6.9%) of the companies replied. The questionnaire focuses on the implementation of the regulatory requirements and on the implementation of an information security management system (ISMS). Additionally, questions about the energy control system, the network structure, processes, organisational structures, and the IT department were asked. Questions were asked in German, so all questions and answers are translated for this report.
Conference Paper
Cloud computing and the future Internet concept highlight new requirements for the software engineering phases including testing and validation of modular web services. A major reason is because cloud applications are developed by services belonging to different providers, thus making software testing a really challenging issue. In this work, we propose a testing methodology that includes two fold testing actions; a unit testing of cloud service APIs following white and black box techniques and an integration testing strategy by identifying services that could interface with each other. In addition, we present the Elvior TestCast T3 (TTCN-3) testing tool for automation of use case testing. We demonstrate the results of the methodology when applied to different cloud services and we present a discussion of our conclusions for a real world use case, in which we applied this methodology.
Conference Paper
Despite their increasing proliferation and technical variety, existing cloud storage technologies by design lack support for enforcing compliance with regulatory, organizational, or contractual data handling requirements. However, with legislation responding to rising privacy concerns, this becomes a crucial technical capability for cloud storage systems. In this paper, we introduce PRADA, a practical approach to enforce data compliance in key-value based cloud storage systems. To this end, PRADA introduces a transparent data handling layer which enables clients to specify data handling requirements and provides operators with the technical means to adhere to them. The evaluation of our prototype shows that the modest overheads for supporting data handling requirements in cloud storage systems are practical for real-world deployments.
Conference Paper
With the rapid increase in uptake of cloud services, issues of data management are becoming increasingly prominent. There is a clear, outstanding need for the ability for specified policy to control and track data as it flows throughout cloud infrastructure, to ensure that those responsible for data are meeting their obligations. This paper introduces Information Flow Audit, an approach for tracking information flows within cloud infrastructure. This builds upon CamFlow (Cambridge Flow Control Architecture), a prototype implementation of our model for data-centric security in PaaS clouds. CamFlow enforces Information Flow Control policy both intra-machine at the kernel-level, and inter-machine, on message exchange. Here we demonstrate how CamFlow can be extended to provide data-centric audit logs akin to provenance metadata in a format in which analyses can easily be automated through the use of standard graph processing tools. This allows detailed understanding of the overall system. Combining a continuously enforced data-centric security mechanism with meaningful audit empowers tenants and providers to both meet and demonstrate compliance with their data management obligations.
Conference Paper
Certification has been proved as an essential mechanism for achieving different security properties in new systems. However, it has important advantages; among which we highlighted the increase in users' trust by means of attesting security properties, but it is important to consider that in most cases the system that is subject of certification is considered to be monolithic, and this feature implies that existing certification schemes do not provide support for dynamic changes of components as required in Cloud Computing running systems. One issue that has special importance of current certification schemes is that these refer to a particular version of the product or system, which derives that changes in the system structure require a process of recertification. This paper presents a solution based on a combination of software certification and hardware-based certification techniques. As a key element in our model we make use of the Trusted Computing functionalities as secure element to provide mechanisms for the hardware certification part. Likewise, our main goal is bridging the gap existing between the software certification and the means for hardware certification, in order to provide a solution for the whole system certification using Trusted Computing technology.
Conference Paper
Cloud service certifications attempt to assure a high level of security and compliance. However, considering that cloud services are part of an ever-changing environment, multi-year validity periods may put in doubt the reliability of such certifications. We argue that continuous auditing of selected certification criteria is required to assure continuously reliable and secure cloud services and thereby increase the trustworthiness of certifications. Continuous auditing of cloud services is still in its infancy, thus, we performed a systematic literature review to identify automated auditing methods that are applicable in the context of cloud computing. Our study yields a set of automated methods for continuous auditing in six clusters. We discuss the identified methods in terms of their applicability to address major concerns about cloud computing and how the methods can aid to continuously audit cloud environments. We thereby provide paths for future research to implement continuous auditing in cloud service contexts.
Article
Cloud Computing has been envisioned as the next-generation architecture of IT Enterprise. Cloud storage moves the user's data to large data centers, which are remotely located, on which user does not have any control. However, this unique paradigm of the cloud poses many new security challenges which need to be clearly understood and resolved. This work studies the problem of ensuring the integrity of data storage in Cloud Computing. The Cloud Server provides a platform for the Cloud Client to manage their documents. In particular, we consider the task of allowing a third party auditor (TPA), on behalf of the cloud client, to verify the integrity of the dynamic data stored in the cloud. The introduction of TPA eliminates the involvement of the client through the auditing of whether his data stored in the cloud are indeed intact, which can be important in achieving economies of scale for Cloud Computing.
Article
Despite the undisputed advantages of cloud computing, customers, in particular small and medium enterprises (SMEs), still need meaningful understanding of the security and risk-management changes that the cloud entails so they can assess whether this new computing paradigm meets their security requirements. This article presents a fresh view on this problem by surveying and analyzing, from the standardization and risk assessment perspective, the specification of security in cloud service-level agreements (secSLA) as a promising approach to empower customers in assessing and understanding cloud security. Apart from analyzing the proposed risk-based approach and surveying the relevant landscape, this article presents a real-world scenario to support the creation and adoption of secSLAs as enablers for negotiating, assessing, and monitoring the achieved security levels in cloud services.
Article
IT auditors collect information on an organization's information systems, practices, and operations and critically analyze the information for improvement. One of the primary goals of an IT audit is to determine if the information system and its maintainers are meeting both the legal expectations of protecting customer data and the company standards of achieving financial success against various security threats. These goals are still relevant in the newly emerging cloud computing model of business, but they need customization. There are clear differences between cloud and traditional IT security auditing. In this article, the authors explore potential challenges unique to cloud security auditing; examine additional challenges specific to particular cloud computing domains such as banking, medical, and government sectors; and present emerging cloud-specific security auditing approaches and provide critical analysis.
Conference Paper
As its name suggests, cloud testing is a form of software testing which uses cloud infrastructure. Its effective unlimited storage, quick availability of the infrastructure with scalability, flexibility and availability of distributed testing environment translate to reducing the execution time of testing of large applications and hence lead to cost-effective solutions. In cloud testing, Testing-as-a-Service (TaaS) is a new model to effectively provide testing capabilities and on-demand testing to end users. There are many studies and solutions to support TaaS service. And security testing is the most suitable form for TaaS service. To leverage the features of TaaS, we propose a framework of TaaS for security testing. We implement the prototype system, Security TaaS (abbrev. S-TaaS) based on our proposed framework. The experiments are conducted to evaluate the performance of our framework and prototype system. The experiment results indicate that our prototype system can provide quality and stable service.
Conference Paper
Numerous cloud service certifications (CSCs) are emerging in practice. However, in their striving to establish the market standard, CSC initiatives proceed independently, resulting in a disparate collection of CSCs that are predominantly proprietary, based on various standards, and differ in terms of scope, audit process, and underlying certification schemes. Although literature suggests that a certification's design influences its effectiveness, research on CSC design is lacking and there are no commonly agreed structural characteristics of CSCs. Informed by data from 13 expert interviews and 7 cloud computing standards, this paper delineates and structures CSC knowledge by developing a taxonomy for criteria to be assessed in a CSC. The taxonomy consists of 6 dimensions with 28 subordinate characteristics and classifies 328 criteria, thereby building foundations for future research to systematically develop and investigate the efficacy of CSC designs as well as providing a knowledge base for certifiers, cloud providers, and users.
Conference Paper
Cloud computing is becoming more and more popular, but security concerns overshadow its technical and economic benefits. In particular, insider attacks and malicious insiders are considered as one of the major threats and risks in cloud computing. As physical boundaries disappear and a variety of parties are involved in cloud services, it is becoming harder to define a security perimeter that divides insiders from outsiders, therefore making security assessments by cloud customers more difficult. In this paper, we propose a model that combines a comprehensive system model of infrastructure clouds with a security model that captures security requirements of cloud customers as well as characteristics of attackers. This combination provides a powerful tool for systematically analyzing attacks in cloud environments, supporting cloud customers in their security assessment by providing a better understanding of existing attacks and threats. Furthermore, we use the model to construct "what-if" scenarios that could possibly lead to new attacks and to raise concerns about unknown threats among cloud customers.
Article
The world is witnessing a phenomenal growth in the cloud enabled services and is expected to grow further with the improved technological innovations. However, the associated security and privacy challenges inhibit its widespread adoption, and therefore require further exploration. Researchers from academia, industry, and standards organizations have provided potential solutions to these challenges in the previously published studies. The narrative review presented in this survey, however, provides an integrationist end-to-end mapping of cloud security requirements, identified threats, known vulnerabilities, and recommended countermeasures, which seems to be not presented before at one place. Additionally, this study contributes towards identifying a unified taxonomy for security requirements, threats, vulnerabilities and countermeasures to carry out the proposed end-to-end mapping. Further, it highlights security challenges in other related areas like trust based security models, cloud-enabled applications of Big Data, Internet of Things (IoT), Software Defined Network (SDN) and Network Function Virtualization (NFV).
Article
Cloud computing has been instrumental in transforming the way we store, access and process data. With mobility being the primary objective of the current market, cloud computing offers exactly that. Cloud offers convenient access to a shared pool of computing resources that can be configured and deployed with minimal effort which is used to deliver computing services over the internet. Exercising these advantages come with a plethora of security risks that need to be addressed. The security issues in cloud are complex due to the nature of implementation and regulations that govern them. In this article, we examine existing research on cloud risk and the various frameworks to manage risk. The objective is to map the risk with the audit control and technology that will help in mitigating the risk. We analysed the various cloud security solutions and came up with a list that best help in the effective management of the cloud risk and security issues.
Conference Paper
Cloud computing is a revolutionary breakthrough in computing technology. It allows businesses to supply their customers with a seemingly endless amount of resources on demand, so long as they are willing to pay for it. From a business perspective, cloud computing is revolutionizing profitability. From a security standpoint, cloud computing presents an alarming amount of risk to customer data. When customers make purchases, they transfer data to a Cloud Service Provider (CSP), but are unable to evaluate which CSP has sufficient security controls to protect their sensitive data. The Cloud Security Alliance (CSA) is an organization whose mission is to suggest best practice security controls and guidelines for CSPs to follow. The CSA provides a questionnaire or risk assessment, known as the Consensus Assessment Initiative Questionnaire (CAIQ) for CSPs to fill out in order to gauge their level of security within their organization. The CSPs access these questionnaires from the CSA's STAR (Security Trust and Assurance Registry) database. This allows for CSUs to base their level of trust in a specific organization on these assessments. However, there is no way for the CSA to validate that the CSP's responses to the questionnaire are accurate. This paper presents a framework that uses a third-party auditor (TPA) to review, audit, and validate the CAIQ responses stored in the STAR repository. Our framework provides a specific group of auditors that can be used to evaluate and validate the security controls of CSPs. Therefore, the primary objective of this research is to formulate the mechanism by which the appropriate auditor(s) can be chosen by the TPA and create a verification system in which CSUs may finally put their trust in.
Conference Paper
This paper presents a novel framework that enables practical event-driven monitoring for untrusted virtual machine monitors (VMMs) in cloud computing. Unlike previous approaches for VMM monitoring, our framework neither relies on a higher privilege level nor requires any special hardware support. Instead, we place the trusted monitor at the same privilege level and in the same address space with the untrusted VMM to achieve superior efficiency, while proposing a unique mutual-protection mechanism to ensure the integrity of the monitor. Our security analysis demonstrates that our framework can provide high-assurance for event-driven VMM monitoring, even if the highest-privilege VMM is fully compromised. The experimental results show that our framework only incurs trivial performance overhead for enforcing event-driven monitoring policies, exhibiting tremendous performance improvement on previous approaches.
Conference Paper
Cloud computing offers storage as a service to users where data is maintained, managed, backed up remotely. It is also made available to users over the internet. The data integrity of the stored data at cloud is the main concern of the users, because it is possible that the stored data on a cloud can be attacked, modified or damaged by outside attackers or hackers. Data auditing is a new concept introduced to perform the data integrity check using an entity called Third Party Auditor (TPA). The main goal of this work is to develop a secure and efficient auditing scheme with the capabilities such as privacy preservation, confidentiality, and data integrity. In the proposed system, cloud server is used only to save the encrypted blocks of files. No additional burden of verification computing is provided on it. All the task for the scheme is performed by the TPA and data owner. The proposed auditing scheme is evaluated considering different parameters. The proposed method satisfies all the requirements as well as it reduces cloud server burden. In future, data dynamics operations such as updation, deletion and insertion of data would be performed.
Conference Paper
Cloud computing, often referred to as simply “the cloud,” is the delivery of on-demand computing resources; everything from applications to data centers over the Internet. Cloud is used not only for storing data, but also the stored data can be shared by multiple users. Due to this, the integrity of cloud data is subject to doubt. Every time it is not possible for user to download all data and verify integrity, so proposed system contain Third Party Auditor (TPA) to verify the integrity of shared data. During auditing, the shared data is kept private from public verifiers, who are able to verify shared data integrity without downloading or retrieving the entire data file. Group signature is used to preserve identity privacy of group members from third party auditor. Privacy preserving is done to ensure that the TPA cannot derive user's data content from the information collected during the auditing process.
Conference Paper
Inadvertent exposure of sensitive data is a major concern for potential cloud customers. Much focus has been on other data leakage vectors, such as side channel attacks, while issues of data disposal and assured deletion have not received enough attention to date. However, data that is not properly destroyed may lead to unintended disclosures, in turn, resulting in heavy financial penalties and reputational damage. In non-cloud contexts, issues of incomplete deletion are well understood. To the best of our knowledge, to date, there has been no systematic analysis of assured deletion challenges in public clouds. In this paper, we aim to address this gap by analysing assured deletion requirements for the cloud, identifying cloud features that pose a threat to assured deletion, and describing various assured deletion challenges. Based on this discussion, we identify future challenges for research in this area and propose an initial assured deletion architecture for cloud settings. Altogether, our work offers a systematization of requirements and challenges of assured deletion in the cloud, and a well-founded reference point for future research in developing new solutions to assured deletion.
Conference Paper
Cloud storage is one of the services of cloud computing. The data owners move their data from local systems to the cloud servers provided by cloud service providers. By this, users get high quality and on-demand data storage services and the user is free from the maintenance load. Beside all these benefits, there are several matters about cloud storage security. Most of the cloud service providers are not completely trustworthy. The actual concern of the cloud users is whether the information stored on cloud is intact. Therefore, it is of great importance for users to know whether their data is kept intact or not. In this paper, an Improved Remote Data Possession Checking protocol based on a homomorphic hash algorithm is proposed. This proposed system supports secure and efficient dynamic operations at block level. Dynamic operation includes insert, delete, update, and modify. To find the location of each data Merkle Hash Tree is used. A third party auditor, which can also be called a trusted party auditor, checks the user's data stored in cloud storage for its correctness and accuracy. A third party ensures correctness of user's data. Many times verification is allowed without requiring the verifier to compare against the original data. They incur less computation and communication cost. Enhanced security and performance analysis shows that the proposed scheme is more efficient and strong against replace attack launched by malicious server.
Article
Although intended to ensure cloud service providers' security, reliability, and legal compliance, current cloud service certifications are quickly outdated. Dynamic certification, on the other hand, provides automated monitoring and auditing to verify cloud service providers' ongoing adherence to certification requirements.
Article
Cloud service certifications (CSC) attempt to assure a high level of security and compliance. However, considering that cloud services are part of an ever-changing environment, multi-year validity periods may put in doubt reliability of such certifications. We argue that continuous auditing (CA) of selected certification criteria is required to assure continuously reliable and secure cloud services, and thereby increase trustworthiness of certifications. CA of cloud services is still in its infancy, thus, we conducted a thorough literature review, interviews, and workshops with practitioners to conceptualize an architecture for continuous cloud service auditing. Our study shows that various criteria should be continuously audited. Yet, we reveal that most of existing methodologies are not applicable for third party auditing purposes. Therefore, we propose a conceptual CA architecture, and highlight important components and processes that have to be implemented. Finally, we discuss benefits and challenges that have to be tackled to diffuse the concept of continuous cloud service auditing. We contribute to knowledge and practice by providing applicable internal and third party auditing methodologies for auditors and providers, linked together in a conceptual architecture. Further on, we provide groundings for future research to implement CA in cloud service contexts.
Article
Cloud is an innovative service platform. In this computing standard it delivers all the resources such as both hardware and software as a service over the Internet. Since the information are outsourced on the server of cloud and maintained at an anonymous place, there is the possibility of alteration or modification on the data because of any of the failures or because of the fraudulence of the mischievous server. To achieve the data integrity, there is a need of employing some of the data verification and auditing techniques. The proposed work is to perform the dynamic auditing for integrity verification and data dynamics in cloud storage with lower computation and communication cost, using techniques such as tagging, hash tag table and arbitrary sampling. It also supports timely anomaly detection and updates to outsourced data.
Conference Paper
In this paper, we introduce a hybrid approach for certifying security properties of cloud services that combines monitoring and testing data. The paper argues about the need for hybrid certification and examines some basic characteristics of hybrid certification models.
Conference Paper
Cloud computing is a revolutionary new approach to how computing services are produced and consumed. It is an abstraction of the concept of pooling resources and presenting them as virtual resources. Using cloud computing resources, data, computations, and services can be shared over scalable network of nodes; these nodes may represent the datacenters, end user computers and web services. On the same note cloud storage refers to storing the data on a remote storage located at other organization's infrastructure. The data storage is maintained and managed by the organization; the user will pay for the storage space which is used. Outsourcing data ultimately relinquishes the control of data from user and the fate of data is in control of the cloud server. As the data is stored on cloud server, the storage correctness of data is put on risk. The cloud server is managed by cloud service provider which is a different administrative entity, so ensuring the data integrity is of prime importance. This article studies the problems of ensuring data storage correctness and proposes an efficient and secure method to address these issues. A third party auditor is introduced securely, who will on behalf of users request will periodically verify the data integrity of the data stored on cloud server. There will not be any online burden on user and security of data will be maintained as the data will not be shared directly with the third party auditor. A homomorphic encryption scheme is used to encrypt the data which will be shared with the TPA. The results can be further extended to enable the third party auditor to do multiple auditing.
Article
Operational security assurance of a networked system requires providing constant and up-to-date evidence of its operational state. In a cloud-based environment we deploy our services as virtual guests running on external hosts. As this environment is not under our full control, we have to find ways to provide assurance that the security information provided from this environment is accurate, and our software is running in the expected environment. In this paper, we present an architecture for providing increased confidence in measurements of such cloud-based deployments. The architecture is based on a set of deployed measurement probes and trusted platform modules (TPM) across both the host infrastructure and guest virtual machines. The TPM are used to verify the integrity of the probes and measurements they provide. This allows us to ensure that the system is running in the expected environment, the monitoring probes have not been tampered with, and the integrity of measurement data provided is maintained. Overall this gives us a basis for increased confidence in the security of running parts of our system in an external cloud-based environment.
Article
Our research shows that SMEs are getting great economic and business value from cloud services, including cost avoidance, cost savings, rapid deployment, scalability, management simplicity, and better security and resiliency compared to in-house IT provision. Based on four cases, we identify the challenges SMEs face as they adopt cloud services and the practices they use to overcome the challenges.
Article
Cloud computing is a service-oriented paradigm that aims at sharing resources among a massive number of tenants and users. The sharing facility that it provides, coupled with the sheer number of users, makes cloud environments susceptible to major security risks. Hence, security and auditing of cloud systems is of great relevance. Provenance is a meta-data history of objects which aids in verifiability, accountability and lineage tracking. Incorporating provenance into cloud systems can help in fault detection. This paper proposes a framework which aims at performing secure provenance audit of clouds across applications and multiple guest operating systems. For integrity preservation and verification, we use established cryptographic techniques. We look at it from the cloud service providers' perspective, as improving cloud security can result in better trust relations with customers.
Conference Paper
Cloud users and service providers are increasingly concerned about the management of their data and the behavior of the applications they use/own once stored/deployed in the cloud. They therefore ask for enhanced assurance solutions, which partially mitigate the new risks and threats they are facing. Among existing solutions, certification has been widely adopted as a preferable approach to increase trust in the cloud. In this paper, after briefly discussing our test-based certification scheme for the cloud, we show a real certification process aimed to certify Open Stack, an open source IaaS solution for managing infrastructure resources. In particular, we first describe the testing activities executed to certify Open Stack for security and performance properties. We then illustrate the obtained results and the outcomes of the certification process.
Article
The advent of cloud computing has made storage outsourcing a rising trend, which has made secure remote data auditing a hot topic in the research literature. Recently, some research has considered the problem of secure and efficient public data integrity auditing for shared dynamic data. However, these schemes are still not secure against the collusion of the cloud storage server and revoked group users during user revocation in a practical cloud storage system. In this paper, we figure out the collusion attack in the existing scheme and provide an efficient public integrity auditing scheme with secure group user revocation based on vector commitment and verifier-local revocation group signature. We design a concrete scheme based on our scheme definition. Our scheme supports public checking and efficient user revocation, and also some nice properties, such as confidentiality, efficiency, countability and traceability of secure group user revocation. Finally, the security and experimental analysis show that, compared with its relevant schemes, our scheme is also secure and efficient.
Conference Paper
Maintaining security and privacy in the Cloud is a complex task. The task is made even more challenging as the number of vulnerabilities associated with the cloud infrastructure and applications is increasing very rapidly. Understanding the security service level agreements (SSLAs) and privacy policies offered by service and infrastructure providers is critical for consumers to assess the risks of the Cloud before they consider migrating their IT operations to the Cloud. To address these concerns relative to the assessment of security and privacy risks of the Cloud, we have developed ontologies for representing security SLAs (SSLAs) in this paper. Our ontologies for SSLAs can be used to understand the security agreements of a provider, to negotiate desired security levels, and to audit the compliance of a provider with respect to federal regulations (such as HIPAA).
Article
Cloud computing can and does mean different things to different people. The common characteristics most interpretations share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered services from nearly anywhere, and displacement of data and services from inside to outside the organization. While aspects of these characteristics have been realized to a certain extent, cloud computing remains a work in progress. This publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment.