Ouedraogo et al. in (Ouedraogo et al., 2015b) proposed one of the first solutions for promoting security transparency in the cloud realm. Their contribution, which is event-driven, allows both CSU and CSP to make specifications to represent patterns of events, whose occurrence can be an evidence of a security anomaly or breach or merely a sign of nefarious use of the cloud infrastructure by some of its users. Casola et al. in (Casola et al., 2015) presented a monitoring architecture that integrates different security-related monitoring tools to provide continuous monitoring capabilities for SLA security parameters. The monitoring architecture put forward by the authors is built on and integrated with monitoring components belonging to SPECS framework, which also aims at designing and implementing a management framework of the SLA lifecycle.
Casola et al. in (Casola et al., 2014) also discussed a preliminary design and implementation of a security solution for PaaS based on SLA approach to address the issues related to the management of security requirements in the cloud. The work adopts a dedicated cloudware platform that is deployed over infrastructure resources. The platform supports end-users and CSPs to specify their security requirements using SLAs, evaluate security features offered by remote cloud security brokers, management of SLA lifecycle as well as the development and deployment of security services. Pauley (Pauley, 2010) developed an assessment scorecard that assesses the transparency worthiness of CSPs from three dimensions, namely: security, privacy, auditability and service level agreements. In Pauley’s contribution, a pre-assessment can be performed on CSPs based on three factors relating to the CSP and their business entity. The scorecard consists of a pre-assessment phase that is used to generate and assign values to a CSP, based on which threshold values are compared to determine if the CSP is eligible for another assessment at post-assessment phase. At the post-assessment stage, the transparency worthiness of a CSP is compared against a set of questions that have been formulated based on the four dimensions. The approach also considers several factors relating to a CSP to support organisations to perform the assessment. Such factors include CSPs’, years of business, published
19
security or privacy breaches, published data loss, profitable or public, similar customers, membership to standards etc. This approach serves as a guideline for organisations to evaluate CSPs transparency. However, it is quite complicated and does not appear to be useful for an organisation with a broad set of requirements.
Garg et al. (Garg et al., 2013) proposed a framework that enables cloud users to compare different cloud offerings based on specific user requirements using analytical hierarchy process (AHP) approach (Vaidya and Kumar, 2006). This particular framework utilizes specific cloud service measurement indexes such as accountability, agility, assurance, cost, performance, security and privacy, and stability. In addition, CloudHarmony (Leitner and Cito, 2016) developed an online cloud measurement tool that enables customers to evaluate the performance of CSPs. The platform consists of four major components: CloudSquare, CloudScores, CloudReports, and CloudMatch. Cloud customers can use CloudSquare to search and compare services provided by CSPs based on attributes such as price, performance, and geographical location. CloudScores provides customers with access to benchmarking metrics that evaluate the performance of cloud services based on memory, CPU, and network, while CloudReports provides analytical reports of CSPs performance. CloudMatch, on the other hand, allows customers to perform tests such as the speed of uploading and downloading large files and network latency across different geographical locations. However, this approach mainly focuses on the evaluation of CSPs based on certain variables but does not consider CSP security and compliance. In addition, Li et al. (Li et al., 2010) developed a framework that aims at assisting potential cloud customers in evaluating the performance and comparing the cost of CSSPs, based on a set of metrics including storage, memory and network. The framework consists of a tool called CloudCmp that is designed to perform this comparison. The tool is used to perform a study on the major cloud providers in the market. However, similar to CloudHarmony, the evaluation focused on specific attributes that are not security oriented
The works, as mentioned earlier, are associated with several limitations. For example, one problem deals with dynamicity, i.e. it does not mainly focus on the areas of security that are of significant importance to the cloud customer. The failure to appropriately harbour customer expectations amounts to ineffectiveness to dispense transparency unless otherwise done differently. Other transparency initiatives by the research community either serve to provide a pre-assessment metric that measures the transparency level of various CSPs before cloud services are adopted or provide a mechanism by which cloud users ask for and receive information about elements of transparency supported by a CSP. The need for continuous visibility and transparent probing of activities based on evidence is not considered. The works also failed to acknowledge the tendency of CSPs to generate a false representation of their services without continuous verification. Another limitation deals with the unfeasibility of attaining absolute transparency on all the clauses within an SLA, which could be ascribed to the security or legal
20
constraints that may restrain CSPs from making certain disclosures, as well as the enormity or otherwise practicality of all areas of cloud security that ought to be covered.