A unified framework for cloud security transparency and audit

https://doi.org/10.1016/j.jisa.2020.102594

Highlights

  • We provide a Security Transparency and Audit Framework (STAF) to support users in continuously monitoring their data and applications migrated to the cloud. The framework includes a methodical process which supports assurance of security transparency through a comprehensive set of activities.

  • We develop a security transparency and audit tool (STAT) which automatically enables the collection and assessment of evidence regarding CSPs' conformance to a predefined set of organisational requirements, imposes remedial actions to address flaws, and tracks how identified flaws are being remedied.

  • The validity and acceptability of STAF, its process and STAT are evaluated through real-world use cases. Stakeholders' feedback and opinions regarding STAF and STAT are collected and analyzed based on important criteria derived from the technology acceptance model (TAM).

Abstract

The paradigm of cloud computing has elevated IT to new heights by offering the elasticity to match customer needs, while also reducing capital expenditure on procuring IT infrastructure. Despite the apparent benefits provided by cloud computing, organisations are slow in embracing the technology due to numerous issues associated with the lack of security transparency, such as trust and accountability. Several contributions have been proposed to address these issues. However, most of them have not provided a definite method by which security transparency can be achieved based on user requirements, particularly by probing or auditing cloud service providers. In this paper, we propose a framework for addressing the pressing challenge of cloud security transparency. Our approach includes a process and a supporting auditing tool for vetting cloud service providers and enabling security transparency based on predefined user requirements. The paper builds on our previous work on a security transparency framework by incorporating an implementation process. In addition, we have developed a Security Transparency and Audit Tool through which users can collect and analyze evidence from cloud service providers to determine conformity to requirements and to specify remedial actions. The tool is designed as a supplementary component of the proposed framework that enables continuous probing and vetting of whether a cloud provider meets user requirements, thereby enhancing security transparency. The work is novel in its approach because it consolidates various elements to provide a simplified method for organizations to attain security transparency. We also believe that the contributions are significant towards solving the issues and challenges of cloud security transparency in general.

Introduction

The cloud computing (CC) industry has witnessed a healthy expansion in recent years, and research has shown an increase in sales, adoption and business acceptance of the technology [1]. Yet, the transition of mission-critical data and workloads to the cloud requires user trust [2]. Security transparency and audit are two essential factors that must be considered to increase user trust, particularly because companies expanding their use of cloud services have consistently expressed concerns over the commitment of cloud service providers (CSPs) to guarantee adequate fulfilment of specific asset requirements [3]. Security transparency refers to a process by which information about the security practices and procedures for protecting customer assets is made available, accessible, and visible to customers, which promotes assurance and accountability. Security auditing, on the other hand, is the process of tracking and logging significant events that take place during system run-time. It helps in the analysis, verification and validation of security measures to achieve the overall security objectives of a system.

The uncertainty and doubts surrounding CSP services as a result of the lack of security transparency and audit thwart the wide adoption of cloud services [4], [5], [6]. In particular, issues such as the compromise of user security requirements and the unavailability of vetting and probing of cloud services will continue to forestall businesses’ desire to extend cloud usage. The absence of security audit techniques based on specific needs and requirements is another pressing problem. Auditing CSP security practices according to predefined requirements is essential because businesses rely on critical assets, and on their protection and control, to complete key business processes.

Several contributions have been proposed in the current state-of-the-art to address the problem, such as industry best practices and standards, security and accountability audits, SLA management, security incident management, and virtual machine introspection. For example, virtual machine introspection deploys monitoring agents inside virtual machines and collects evidence for determining security incidents and breaches. However, these approaches have not considered the need to collect evidence from other sources and aspects of CSP operations, such as disaster recovery and business continuity plans. Also, other initiatives such as CSA STAR [7] only help organisations consider CSP assertions and do not support evidence-based vetting and probing of CSPs.

Therefore, given the challenges mentioned above, the novelty of this work is threefold. Firstly, we propose a unified framework, namely the Security Transparency and Audit Framework (STAF), for ensuring security transparency using audit. The STAF adopts a multi-tiered approach, considers essential concepts for security such as transparency (accessibility to information) and audit (assessment of evidence), and integrates these concepts into a unified framework. The framework includes a systematic process which supports assurance of security transparency through a comprehensive set of activities. Secondly, we propose a security transparency and audit tool (STAT) that is designed to support organizations in performing a security audit. STAT has unique features for enabling the collection and assessment of evidence regarding CSPs' conformance to a predefined set of organisational requirements, imposing remedial actions to address flaws, and tracking the implementation of remedial actions. The last contribution is the evaluation of the proposed framework, which assesses the validity and acceptability of STAF, its process and STAT in real-world use cases. Stakeholders' feedback and opinions regarding STAF and STAT are collected and analyzed based on important criteria derived from the technology acceptance model [8] and from work on perceived usefulness, perceived ease of use and user acceptance of information technology [9]. The evaluation results produced encouraging findings that manifest the relevance, validity and acceptability of the proposed STAF among organizations. Our approach has proven to be simple to implement and applicable to different contexts. The participants expressed optimism about the proposed STAF and its potential to address the current and emerging security transparency issues in cloud computing.

The paper is structured as follows: Section 2 discusses the related works in the domain of security transparency and audit in cloud computing. Section 3 provides the methodology used in our approach. Section 4 introduces the integrated cloud security transparency and audit framework and the conceptual view of STAF. The section also covers the basics of security transparency in the cloud, including a formal representation of concepts using an ontology, and a systematic process for implementing the framework. In Section 5, the architecture of STAT, including its features and dashboards, is presented. Section 6 presents the deployment architecture of the proposed framework, which is designed based on secure multi-agent systems (MAS); it shows the secure interaction between CSPs, CSUs and the role of an independent auditor. Section 7 introduces the validation approach of our work using a case study, including the implementation process of activities in the framework and the assessment of stakeholder perception. Section 8 provides the general findings, limitations and comparison of our work to existing works, and a summary of future work. Finally, Section 9 concludes the paper.


Related works

In this section, the related works in the area of cloud security transparency are presented. The focus is to provide a flavour of the essential contributions made by researchers. The review gives the reader an understanding of the existing solutions and shortcomings of the current state-of-the-art in cloud security transparency, as well as highlighting the contributions of this paper.

Methodology requirements for integrated security transparency and audit framework

In this section, we aim to describe the essential requirements for developing the integrated STAF proposed in this paper. In other words, the methodology requirements describe the conditions that must be considered for the proposed STAF to address the existing research gaps. As such, the requirements are mainly formulated based on the review outcome of related works and the identification of limitations in the state-of-the-art. Thus, the requirements are derived based on the following:

  • RQ1 -

An integrated cloud security transparency and audit framework

In this section, an overview of the proposed STAF is presented. A framework is a holistic set of abstracted ideas or rules that can be used to solve a particular problem [21]. From a software engineering perspective, a framework is defined as a set of classes that embodies an abstract design for solutions to a family of problems.

In our previous work [22], we proposed a cloud security transparency framework (Fig. 2) to address the ever-increasing users’ need for security transparency in the

Security transparency and audit tool (STAT)

STAT is a supporting audit platform that auditors can use to perform the cloud security audit. It is designed to enable auditors to leverage a security audit checklist and probe CSP services, collect and analyse evidence, and produce findings regarding CSP's conformance to requirements as shown in Fig. 5. This process is enabled through a query-response approach that is initiated and controlled by an auditor on behalf of any organisation, where the CSP responds to a request by supplying
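The following Python is an added illustration, not the authors' STAT implementation (whose internals this page does not show), of the audit loop attributed to STAT here and in the introduction: a checklist of predefined requirements, query-response evidence from the CSP, an assessment of each piece of evidence, and remedial actions whose closure is tracked against re-submitted evidence. Requirement ids, evidence fields, freshness limits and status names are assumptions made for the example.

```python
# Added illustration of the audit loop this page attributes to STAT (not the authors' code; ids, fields and statuses are assumed).
import hashlib, json
from datetime import date

def fingerprint(content):
    """Canonical SHA-256 so the auditor can detect evidence altered after collection."""
    return hashlib.sha256(json.dumps(content, sort_keys=True).encode()).hexdigest()

def collect(content, collected):
    """Record a CSP's response to an auditor query as evidence with an integrity digest."""
    return {"content": content, "collected": collected, "digest": fingerprint(content)}

def assess(req, ev, today):
    """Return (status, finding). req = (id, control field, max evidence age in days)."""
    _, control, max_age = req
    if ev is None:
        return "non-conformant", "no evidence supplied"
    if fingerprint(ev["content"]) != ev["digest"]:
        return "non-conformant", "evidence integrity check failed"
    if (today - ev["collected"]).days > max_age:
        return "partial", "evidence older than %d days" % max_age
    if not ev["content"].get(control):
        return "non-conformant", "control '%s' not demonstrated" % control
    return "conformant", "ok"

def audit(requirements, evidence, today):
    """Assess every requirement; each flaw opens a remedial action to be tracked."""
    report, actions = {}, []
    for req in requirements:
        status, finding = assess(req, evidence.get(req[0]), today)
        report[req[0]] = status
        if status != "conformant":
            actions.append({"req_id": req[0], "finding": finding, "state": "open"})
    return report, actions

def track(action, req, new_evidence, today):
    """Close a remedial action only once re-submitted evidence conforms."""
    action["state"] = "closed" if assess(req, new_evidence, today)[0] == "conformant" else "open"
    return action["state"]

# Constructed sample checklist and CSP responses (illustrative, not data from the paper).
TODAY = date(2020, 6, 1)
REQS = [("R1", "encryption_at_rest", 365), ("R2", "dr_plan_tested", 180),
        ("R3", "incident_log_retained", 90), ("R4", "key_rotation", 365)]
EVIDENCE = {
    "R1": collect({"encryption_at_rest": True}, date(2020, 5, 20)),
    "R2": collect({"dr_plan_tested": True}, date(2019, 9, 1)),  # stale evidence
    "R3": collect({"incident_log_retained": False}, date(2020, 5, 30)),
}  # R4: the CSP supplied nothing
EVIDENCE["R3"]["content"]["incident_log_retained"] = True  # altered after collection
```

Running `audit(REQS, EVIDENCE, TODAY)` yields one conformant requirement and three open remedial actions (stale, tampered, missing), which `track` closes only when fresh conforming evidence is re-submitted.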

Deployment architecture for the proposed framework

This section provides a deployment architecture for the proposed framework.

Fig. 8 shows a deployment architecture of the proposed framework, highlighting the interaction between a CSP, a CSU (an organization), and the role of an independent auditor in the validation and verification of evidence using secure multi-agent system (MAS) [34]. MAS provides basic security measures within the architecture by supporting authentication, authorization and accountability, including privacy and integrity of

Evaluation

This section discusses the applicability and validity of our work by focusing on a real use case. Two different methodologies are used to perform the evaluation. Firstly, empirical investigation is used to demonstrate the applicability of the work, while questionnaires were developed based on user acceptance of computer technology [33] and the perceived ease of use technology acceptance model [9]. The questionnaire aims to collect and evaluate stakeholders’ opinions about the relevancy of STAF to

Discussions

The proposed STAF process presented in this paper has proven to be effective in addressing the security transparency issues of a studied context where concerns are related to gaining transparency on the. We summarize and discuss our findings by grouping our results into two categories: general findings and applicability to security transparency scenarios.

Conclusion

The lack of security transparency is becoming an increasingly important concern for businesses that entrust their information assets to a CSP. The significance of security transparency is expanding every day as businesses grow increasingly concerned about the level of visibility rendered by cloud services, which also adversely affects user trust. There is a necessity for a viable solution that supports companies to systematically have visibility into cloud activities, methodically track

Declaration of Competing Interest

None.

References (36)

  • S. Pearson et al. Privacy, security and trust issues arising from cloud computing.
  • Cloud Security Alliance. CSA STAR: the future of cloud trust and assurance. 2015 [cited 2015 04-09-2015]; Available...
  • F.D. Davis et al. User acceptance of computer technology: a comparison of two theoretical models. Manage Sci (1989).
  • F.D. Davis. Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Q (1989).
  • K. Salah. Using cloud computing to implement a security overlay network. IEEE Security Privacy (2012).
  • F. Al-Haidari et al. Impact of CPU utilization thresholds and scaling size on autoscaling cloud resources.
  • H.F. Rashvand. Distributed security for multi-agent systems: review and applications. IET Inf Security (2010).
  • Cloud Security Alliance. Cloud Controls Matrix v3.0.1 (9-1-17 Update). 2017 [cited 2017 02/10/2017]; Available from:...
Cited by (16)

  • System security assurance: A systematic literature review. 2022, Computer Science Review.

    Citation excerpt: Whereas, security auditing is the tracking and collecting of evidence of the significant events in the operational phase of the system, which is useful to achieve the overall goal security objectives of the system. Ismail and Islam [53] discussed these two factors and developed a framework to address challenges regarding security transparency of the cloud. They have also developed a Security transparency and audit tool that can help auditors to evaluate the evidence produced by the CSP.

  • A Unified Approach Toward Security Audit and Compliance in Cloud Computing. 2024, Journal of The Institution of Engineers (India): Series B.