Abstract: Cloud computing is a computing paradigm that involvesoutsourcing of computing resources with the capabilities of expendableresource scalability, on -demand provisioning with little or no sincereIT infrastructure investment costs. This paper discusses to which degreethis is justified, by presenting the Cloud Computing ConfidentialityModel (CCCM). The CCCM is a step-by-step model that creates mapping fromdata sensitivity onto the most suitable cloud computing architecture. Toachieve this, the CCCM determines first of all the security mechanismsrequired for each data sensitivity level, secondly which of thesesecurity controls may not be supported in certain computingenvironments, and finally which solutions can be used to manage with theidentified security limitations of cloud computing. The most systematicsecurity controls needed to protect the most sensitive data may not beguaranteed in public cloud computing architectures, while they can berealized in private cloud computing architectures. In this thesis ISuggests hybrid cloud model. Keywords: cloud computing, cloud model, problems, confidentiality, security.

Confidentiality for cloudcomputing

VIBHA SAHU1, PRAVEEN SHRIVASTAV2,, DIPTI CHHATRI3 ,Dr. S.M. GHOSH4 1Dr.C.V.RAMAN UNIVERSITY,BILASPUR,INDIA

PHD SCHOLAR pihusahu.vibha8@gmail.com

2DR.C.V.RAMAN UNIVERSITY, BILASPUR,INDIA PHD SCHOLAR praveen_shrivastav@yahoo.com

1. INTRODUCTION

Cloud computing is a new term inthe computing world. Cloudcomputing is the collective termfor a group of IT technologieswhich in collaboration are changingthe landscape of how IT servicesare provided, accessed and paidfor. Definition of cloud computingis (NIST 2009a)- “ Cloud computingis a model for enabling convenient,on-demand network access to ashared pool of configurablecomputing resources (e.g.,networks, servers, storage,applications, services) that can berapidly provisioned and releasedwith minimal management effort orservice provider interaction”.1.1 Cloud service models Software-as-a-Service (SaaS): TheSaaS service model offers theservices as applications to theconsumer, using standardizedinterfaces. The consumer can onlycontrol some of the user-specificapplication configuration settings.Platform-as-a-Service (PaaS): ThePaaS service model offers theservices as operation anddevelopment platforms to theconsumer. “The consumer does notmanage or control the underlyingcloud infrastructure includingnetwork, servers, operatingsystems, or storage, but hascontrol over the deployedapplications and possiblyapplication hosting environmentconfigurations” Infrastructure-as-a-Service (IaaS):The IaaS service model offerinfrastructure resources as a service, such as raw data storage,processing power and networkcapacity. The consumer can use IaaS

based service offerings to deployhis own operating Systems and applications. “Theconsumer does not manage or controlthe underlying cloud infrastructurebut has control over operatingsystems, storage, deployedapplications, and possibly limitedcontrol of select networkingcomponents.1.2 Cloud deployment models:-Public clouds: In public cloudcomputing the infrastructure islocated on the premises of theprovider, who also owns and managesthe cloud infrastructure. Publiccloud users are considered to beuntrusted, which means they are nottied to the organization asemployees and that the user has nocontractual agreements with theprovider. Private clouds: Private clouds runin service of a singleorganization, where resources arenot shared by other entities.Private cloud users are consideredas trusted by the organization, inwhich they are either employees, orhave contractual agreements withthe organization.Hybrid clouds: Hybrid clouds are acombination of public, privateclouds. Hybrid clouds leverage thecapabilities of each clouddeployment model. Each part of ahybrid cloud is connected to theother by a gateway, controlling theapplications and data that flowfrom each part to the other. Whereprivate and public clouds aremanaged, owned, and located on eitherorganization or third party providerside per characteristic. The usersof hybrid clouds can be consideredas trusted and untrusted. Untrusted

users are prevented to access theresources of the private andcommunity parts of the hybridcloud.2. PURPOSE OF RESEARCH: - Manyorganizations are uncomfortablewith the idea of having their dataand applications on systems they donot control. There is a lack ofknowledge on how cloud computingimpacts the confidentiality of datastored, processed and transmittedin cloud computing environments.The goal of this thesis is tocreate a Model that clarifies theimpact of cloud computing onconfidentiality preservation, bymaking stepwise recommendations on;How data can classified onconfidentiality

How data classifications relate tothe security controls needed topreserve the confidentiality ofdata

How the process of securitycontrol selection is negativelyinfluenced in cloud computingenvironments How to cope with the negativeinfluences of cloud computing onthe protection of dataconfidentialityWe know how the current processesof IT risk management, data &system classification, andsecurity control selection; willidentify security problems incloud environments. With theidentified security problems, theCCCF presents a mapping from dataclassifications to appropriatecloud architectures, and show howthe security problems can beanticipated. 3. CLOUD COMPUTING CONFIDENTIALITYMODEL: - we will present the Cloud

Computing Confidentiality Model(CCCM), which will enable companiesto review the possibilities toengage in cloud based services,based on the confidentiality of thedata used within the company.

Figure: Cloud ComputingConfidentiality Model The goal of the model is toexplain the differences betweensecurity in cloud computingenvironments, and the security inpresent-day information securitypractices. The gray boxes aredescribed strategic goals of thebusiness. They are considered to beoutside the scope of this researchbecause these processes have nodirect relation to cloud computingand are identical in both cloudenvironments and traditionalenvironments. The blue boxesrepresent the present-dayinformation security practices, inthe form of recommendationsconcerning data classification andcontrol selection. The greenrectangles represent importantvariables in our Model. Thesevariables either have their effecton the control selection or onidentification of cloud controllimitations. The possible solutionsfor the cloud control limitations

will be presented in Cloud securitysolutions. We will present thelimitations, which spanned multiplebaseline and optional controls. Itis important to abstract fromlimitations on the technicalsecurity control level, present thecommon problems on a higher level.Data & system classification The main step in our framework isthe classification of data and theinformation systems handling thedata. The goal of theclassification process is toidentify what needs to be securedand how valuable the data andinformation systems are. When thedata and systems are classified,the appropriate security controlscan be selected to protect theseassets. The process in the securitycategorization is to select thesecurity impact levels for theidentified information types. “Theprovisional impact levels are theoriginal impact levels assigned tothe security objectives of aninformation type before anyadjustments are made” (NIST 2008a).Impact levels for information typesrange from Not Applicable to High. SECURITYOBJECTIVE

POTENTIAL IMPACT

LOW MODERATE HIGH

Confidentiality Preservingauthorizedrestrictions oninformationaccess anddisclosure,includingmeans forprotectingpersonalprivacy andproprietary

Theunauthorizeddisclosure ofinformationcould beexpectedto havealimitedadverseeffecton

Theunauthorizeddisclosureofinformationcould beexpected tohave aseriousadverseeffect onorganizationaloperations,

Theunauthorizeddisclosureofinformation could beexpectedto have asevere orcatastrophic adverseeffect onorganizational

information organizationaloperations,organizationalassets,orindividuals.

organizational assets,orindividuals.

operations,organizationalassets, orindividuals.

Table: FIPS 199 Categorization ofFederal Information and InformationSystems on confidentiality (NIST 2004a) There are a wide range of otherfactors that may influence theoverall system securityconfidentiality impact level. Thesefactors are:

Aggregation: Aggregatedinformation can be more sensitivethan every piece of information inisolation. Critical system functionality:Although a system compromise maybe low impact in isolation,dependencies of other systems onthe compromised system may haveexacerbating effect on overallsystem impact. Privacy information: When asystem handles information that isprotected by privacy regulations,such as Personal IdentifiableInformation (PII), system securitycategorization must be adjustedaccordingly. The confidentialityimpact level should generally fallin the moderate level. Trade Secrets: There are severallaws in the United States thatprohibit the unauthorizeddisclosure of trade secrets.Systems that store, process orcommunicate trade secrets shouldgenerally be assigned at least amoderate level of confidentialityimpact level.

System security controlselection:-The control selection proceduredescribed in this section is basedon the NIST SP 800-53, whichrecommends security controls forFederal Organizations in the USA(NIST 2009b). Security controls,when used correctly, can prevent,limit or deter threat-source damageto organization. Security controlscan be placed into three classes: Technical security controls Technical controls can be used toprotect against specific types ofthreats. These controls can rangefrom simple to complex measures andconsist of a mix of software,hardware and firmware. Next tostandalone controls, technicalcontrols also support themanagement and operational controlsdescribed below. Management security controls Management security controls areimplemented to manage and reducerisks for the organization and toprotect an organization’s mission.Management security controls can beconsidered of the highest level ofcontrols, focusing on thestipulation of policies, standardsand guidelines, which are carriedout by operational procedures tofulfill the organization’s goalsand missions. Operational security controls Operational security controls areused to correct operationaldeficiencies that might beexploited by potential attackers.These controls are implementedfollowing good industry practicesand a base set of requirements inthe form of technical controls.Physical protection procedures and

mechanisms are examples ofoperational security controls.Cloud control limitations This presentation willdiscuss these problems on a moregeneral level. This generalizedlevel is interesting for readerswho are not that interested inproblems on the control level, butwho want to understand what themore general security issues are oncloud computing, when cloudcomputing is looked upon from aconfidentiality point of view. Thisgeneralization of limitations isdepicted.

Figure: Control limitationgeneralization

We identified three problem areasthat have their roots in multipletechnical controls, and deservefurther attention. These threeproblem areas are:1. Access related limitations:The first problem area we want todiscuss, are the access limitationsthat occur when the informationsystems are placed in a cloudcomputing environment. A veryimportant distinction is thedifference between accesses byexternal or internal networks. Ifthe infrastructure used to accessan information system, is not underthe control of the informationsystem owner, the security of thetransmissions over suchinfrastructure cannot be guaranteed

and as such, it is marked as anexternal network. There are threeoptions available: 1. Prohibit access to informationsystems with Moderate or Highimpact levels and only allowaccess to Low impact informationsystems.

2. Facilitate encryption to protectthe confidentiality and integrityof the information transmitted.

3. Facilitate the implementation ofVirtual Private Network (VPN)technology that not only protectsthe confidentiality and integrityof the transmissions, but alsorequires organization controlledend-points of the connection.

These options have a veryrestrictive manner; both moderateand high impact systems areprohibited, or this requirementproduces no limitation on the finalanswer. The central issue in cloudcomputing security is the amount ofsupport for encryption and whetherboth end-points are organizationcontrolled or not. This leads us tothe following access relatedlimitation: If the cloud service isaccessed via external networks, andno transmission encryption issupported, then cloud computing islimited to low impact and publicaccess systems.2. Security assurance limitations:If organizations want to useinformation systems hosted by acloud provider, they want “theassurance that the risk from usingthe external systems is at anacceptable level, which depends onthe level of trust the organizationplaces in the external serviceprovider” (NIST 2009b). The levelof trust can depend on two factors:

The degree of direct control anorganization has on the externalprovider with regard to theemployment of security controlsand the effectiveness of thesecontrols.

The security assurance thatselected security controls areimplemented and are effective inuse.

The degree of direct control istraditionally established in theservice level agreement with theservice provider. The other factorthat creates trust of anorganization in the security of asystem is security assurance, whichis the confidence that securitycontrols implemented in aninformation system are effective intheir operation. Organizationsinterested in cloud services shouldplace security assurancerequirements on cloud serviceproviders in order to gain trust inthe cloud provider.3. System separation limitations:The usage of virtualization incloud computing makes it possibleto run development and productionsystems on the same physicalsystem, while logical separation isperformed on the host level indomains. The interesting result ofthe introduction of virtualizationin cloud computing is thatdemanding physical separation isnot as standard as it is intraditional systems. When the NISTrecommendations on physicalseparation of systems and/orcomponents are used as guideline ina cloud environment, there are twooptions available: Demand physical separation ofsystems by the cloud provider.Although physical separation of

systems is not part of thestandard offerings of cloudproviders, the customer demandsthat the cloud provider supportsand implements physical separationof the systems of the costumer.This requirement does involve thesecurity assurance problemsdescribed earlier in thissubsection, with the possibilitythat the provider is unwilling orunable to support the physicalseparation of systems.

Denote the physical separationrequirement as obsolete. Therequired physical separation ofsystems was designed as a securitymechanism in a time it was notperceived that virtualizationwould become so popular andinfluential. As a result,recommendations such as physicalseparation can be seen asstandards and regulations that areout of date and not realistic withrespect to the fast-paceddevelopments in science andtechnology.

4. CLOUD SECURITY SOLUTIONS: In theprevious section we discussed thelimitations that arise within thesecurity controls and on a moregeneral level, when an informationsystem is hosted in a cloudenvironment. The goal of thissection is to describe thesolutions and choices available toeither counter these limitations,or accept the limitations. Privateclouds are considered to be in thedata owner sphere, where there isfull control by organization onhow the data belonging to theorganization is handled. Publiccloud can be placed in the jointand recipient sphere, where theremay be some, or no control at all.

This perception is depicted inFigure:

Figure: The common perception ofcloud computing

If the additional controls demandedby the organization can beimplemented by the cloud provider,the public cloud environment of theprovider meets the securityrequirements set by theorganization. In this case, “Publiccloud” may be a confusing term,because public is often associatedwith public access while that isstrictly controlled now by both thecloud provider and the organizationowning the data.

Figure: Perception of public cloudwhen meeting the securityrequirements of the data owner

However, if the security gapbetween what controls theorganization requires and what thecloud provider supports cannot beclosed by additional controls orsupplementing controls, the riskinvolved must be mitigated by otherways than via contractualagreements.5. CONCLUSION: Cloud securityincludes many old and well-knownissues – such as network and other

infrastructural vulnerabilities,user access, authentication andprivacy – and also new concernsderived from new technologiesadopted to offer the sufficientresources (mainly virtualizedones), services and auxiliarytools. We use the NIST standardsand recommendations as main sourceof classification and securityrequirements information. The dataclassification used in thisresearch project consists of threesecurity objectives and three orfour impact levels. The threesecurity objectives areConfidentiality, Integrity, andAvailability (CIA), while theimpact levels of the data toorganizations are High, Moderate,or Low. The confidentialitysecurity objective of data can havethe fourth impact level NotApplicable, which relates to noimpact to the organization and assuch, there is no need forprotection of this class of data.The impact level of the wholeinformation system dictates thebaseline set of security controlsthat protect the system. Cloudarchitectures can be categorized byeither the service model or thedeployment model. The service models defined in thisthesis are Software-as-a-Service,Platform-of-a-Service, andInfrastructure-as-a-Service,depending on which level of thetechnology stack the cloud serviceis offered. The service models arenot used in this research. Cloudenvironments can also becategorized with the deploymentmodel, which describes first of all

which party owns theinfrastructure, secondly whichparty manages the infrastructure,and finally at whose location theinfrastructure is located.The security controls implementedin each deployment model differ percloud provider. The most commoncloud deployment models - privateand public clouds - are oftendescribed with respect to whichside of the organization’sprotective boundary they are.Private clouds are inside theorganization’s boundary (on-premise), while public clouds areseen as outside the organization’sboundary (off-premise).Construct the Cloud ComputingConfidentiality Model (CCCM, seechapter 3), which is a step-by-stepModel that creates the mapping fromdata to the most suitable cloudarchitecture as computingenvironment. This Model determineswhich security is required by thedata, which security cannot beguaranteed in which computingenvironments and which solutionsare available for theseshortcomings, via the followingsteps: 1) Identify the information systemsused within the organization 2) Identify the data types used ineach information system 3) Classify the data types and usethe data classifications toclassify the information system 4) Select and tailor the securitycontrols, based on theclassification of the informationsystem 5) Identify the problems that occurwhen these security controls are

required in cloud computingenvironments 6) Identify the cloud environmentthat supports the required securitycontrols and/or copes with thelimitations identified in step 5.6. RESULTS: - The security controlsneeded to protect data andinformation systems, havelimitations when applied inexternal cloud environments. Someof these security controllimitations are the foundation ofthe following three major problemareas: Information systems classified asmoderate or high impact level,require extensive securitycontrols that may not be part ofthe standard set of controlssupported by the cloud provider.This lack of supported controlslimits the possible informationsystems that can be run onexternal computing environmentssuch as public clouds.

Cloud providers have problemsgaining the trust of potentialcustomers, because providers arevery reluctant in offeringcustomized security plans, and donot offer detailed information onhow the security plans are exactlyimplemented. On the other hand,customers demand providertransparency on security beforethey denote a service offering astrustworthy and usable.

Security controls exist thatrequire a physical separation ofinformation systems and component,while the focus of cloud computingis on virtual usage ofinfrastructure, systems and data.It is unclear to which degree

public cloud providers support thephysical separation requirements.

If the public cloud provider cancomply with the securityrequirements of the data owner, thepublic cloud is considered to be injoint control of both the cloudprovider and the data owner. Thisis the most ideal situation, inwhich none of the above securitylimitations exist.7. FUTURE SCOPE: - Security is acrucial aspect for providing areliable environment and thenenables the use of applications inthe cloud and for moving data andbusiness processes to virtualizedinfrastructures. Only technical security controlswere analyzed in this thesis. Infuture research on the topic ofconfidentiality preservation incloud computing, the CloudComputing Confidentiality Modelpresented in this thesis can beextended by adding the analysis ofoperational and management securitycontrols. Such an investigationcould lead to supplemental controlsfor limitations that might occur incloud computing environments. As discussed in the previoussection, hybrid cloud computing is avery promising cloud deploymentmodel that can cope with thesecurity limitations occurring in apublic cloud environment, whilestill being able to support many ofthe economical advantages of publiccloud computing. Hybrid cloudsdepend heavily on the gatewaybetween the private part of thehybrid cloud and the public part ofthe hybrid cloud. The gatewaybetween the private and publicparts of a hybrid cloud is ainteresting point for further

research. To make this deploymentmodel successful, the followingresearch areas presented as furtherresearch: The gateway must preventinformation systems and data toflow from the private part to thepublic part, if the security forthose systems and data cannot beguaranteed by the public cloudpart provider. It is possible thatautomated information flowenforcement, in combination withsecurity attributes on data andinformation systems, is a vitalsecurity control combination for asecured gateway.

Internet bandwidth may become themajor bottleneck for the hybridcloud deployment model. Internetbandwidth does not growexponentially like computing powerand storage space, which is knownas Nielsen‟s Law (Nielsen 1998).Further research is needed on theimpact of this bottleneck and theoptimization of data transfers viathe hybrid cloud gateway.

8. REFERENCES: 1. Bardin, J., Callas, J., Chaput,S., Fusco, P., Gilbert, F. et al.(2009). Security Guidance forCritical Areas of Focus in CloudComputing v2.1, Retrieved January28, 2010, from Cloud SecurityAlliance, fromhttp://www.cloudsecurityalliance.org/guidance/2. Gartner (2008). Assessing theSecurity Risks of Cloud Computing,Retrieved December 5, 2009,http://www.gartner.com/DisplayDocument?3. Grandison, T., Bilger, M.,O'Connor, L., Graf, M., Swimmer, M.et al. (2007). Elevating the

Discussion on Security Management:The Data Centric Paradigm. InProceedings of 2nd IEEE/IFIP InternationalWorkshop, 84-93. 4. Hoff, C. (2009). IncompleteThought: The Crushing Costs ofComplying With Cloud Customer“Right To Audit” Clauses. RationalSurvivability, Retrieved September 20,2009, fromhttp://www.rationalsurvivability.com/blog/?p=877.5. NIST. (2004a). FIPS 199:Standards for SecurityCategorization of FederalInformation and InformationSystems. Retrieved August 28, 2009,fromhttp://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf.6. NIST. (2004b). Guide for theSecurity Certification andAccreditation of FederalInformation Systems, SP 800-37.Retrieved January 30, 2010, fromhttp://csrc.nist.gov/publications/nistpubs/800-37/SP800-37-final.pdf.7. NIST. (2006). FIPS 200: MinimumSecurity Requirements for FederalInformation and InformationSystems. Retrieved December 1,2009, fromhttp://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf. 8. NIST. (2008a). Guide for MappingTypes of Information andInformation Systems to Security Categories, Volume I, SP 800-60Rev. 1. Retrieved August 27, 2009,fromhttp://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf. 9. NIST. (2008c). Guide forAssessing the Security Controls inFederal Information Systems, SP

800-53A. Retrieved November 11,2009, fromhttp://csrc.nist.gov/publications/PubsSPs.html. 10. NIST. (2009). NationalInstitute of Standards andTechnology, main website. fromhttp://www.nist.gov.NIST. (2009a).NIST Working Definition of CloudComputing v15. Retrieved October 7,2009, fromhttp://csrc.nist.gov/groups/SNS/cloud-computing/index.html.