Risk and trust modeling from cloud computing per-
spective has attracted researchers recently [19,20], and
“trust as a service” is introduced to the cloud business model. Standardized trust models are needed for verifi- cation and assurance of accountability, but none of the large number of existing trust models to date is ade-
quate for the cloud environment [21]. There are many
trust models that strive to accommodate some of the
factors defined by Marsh [22] and Banerjee et al. [23],
and there are many trust assessment mechanisms that aim to measure them.
Definition of trust can be a starting point for model-
ing it. In Mayer et al. [24] and Rousseau et al. [2], trust
is defined as “the willingness of a party to be vulnerable to the action of another party based on the expectation that the other will perform a particular action important to the trusting party, irrespective of the ability to moni- tor or control the trusted party.” This definition does not fully capture all the dynamics of trust, such as the prob- abilities that the trustee will perform a particular action
and will not engage in opportunistic behavior [19].
There are also hard and soft aspects of trust [25–27]. The
such as authentication and encryption, and soft trust is based on aspects like brand loyalty and reputation. In
Ryan et al. [28], the authors introduce not only security
but also accountability and auditability as elements that impact CC trust in cloud computing, and show that they can be listed among the hard aspects. In Kandukuri
et al. [29], an SLA is identified as the only way that the
accountability and auditability of a CSP is clarified and therefore a CSP can encourage CCs to trust them. The conclusion is that “trust” is a complex notion to define.
In Rashidi and Movahhedinia [20], the CC’s trust of a
CSP is related to the following parameters:
• Data location: CCs know where their data are actually located.
• Investigation: CCs can investigate the status and location of their data.
• Data segregation: Data of each CC are separated from the others.
• Availability: CCs can access services and their data at any time.
• Privileged CC access: The privileged CCs, such as system administrators, are trustworthy.
• Backup and recovery: The CSP has mechanisms and capacity to recover from catastrophic failures and is not susceptible to disasters.
• Regulatory compliance: The CSP complies with security regulations, is certified for them, and is open for audits.
• Long-term viability: The CSP has been performing above the required standards for a long time. The authors statistically analyze the results of a ques- tionnaire answered by 72 CCs to investigate the percep- tion of the CCs on the importance of the parameters above. According to this analysis, backup and recov- ery produces the strongest impact on CCs’ trust in cloud computing followed by availability, privileged CC access, regulatory compliance, long-term viability, and data location. Their survey showed that data segregation and investigation have a weak impact on CCs’ trust of cloud computing.
Khan and Malluhi [30] propose giving controls to CCs,
so they can monitor the parameters explained above [20].
They categorize these controls into five broad classes: controls on data stored, data during processing, software, regulatory compliance, and billing. The techniques that need to be developed for these controls include remote monitoring, prevention of access to residual data, secure outsourcing, data scrambling, machine readable regula- tions and SLA, automatic reasoning about compliance, automatic collection of real-time consumption data, and the capability of the CC to control their own usage/bill. Although these are techniques that have already been
Maximum
Significant
Limited
Negligible
Negligible Limited Significant Maximum Likelihood
Severity Illegitimate access Unavailable legal process Unwanted change Change in processing Disappeared data
developed for both cloud computing and other purposes, many CSPs still need time for their implementation, deployment, and maturity. They also require quite an effort and expertise by CCs. Moreover, using these con- trols for all the services in a cloud service mash-up may not always be practical.
In Audun and Presti [31], risk is modeled in relation
to trust. Reliability trust is defined as the probability of success and included in the risk-based decision-making
process for a transaction. In Yudistira et al. [32], the
authors introduce trust for assessing risks on the basis of the organizational setting of a system. The trustwor- thiness of actors that the success of a system depends on impacts on the probability of a risk scenario, and this
relation is addressed [32].
The cloud adoption risk assessment model
(CARAM) [5] is a model developed and implemented
by A4Cloud recently. A4Cloud stands for Accountability for Cloud and Other Future Internet Services, and it is a European Union Seventh Framework Project. CARAM is a qualitative model that adapts the methodology and assessments made by ENISA and CNIL to assess the risk for a given CSP–CC pair. For adapting the like- lihood and impact assessments made in an ENISA report to a CSP and a CC, CARAM uses the informa- tion about the CSP available in STAR and assets owned by the CC, respectively. It is a decision support tool designed to help CCs in selecting a CSP that best fits their risk profile.
The JRTM [4,33] is another model developed by
A4Cloud. It is a quantitative risk assessment model that computes the probability of security, privacy, and service risks according to the CSP performance data. It calculates the probability that an event occurs and the probability that an event is eliminated before it becomes an inci- dent, and subtracts the latter from the former. For per- formance data, JRTM relies on the incident reports given by CSPs, and it has a penalty scheme for the CSPs that do not report accurately. Regular audits, monitoring tools similar to the ones used for monitoring as a service such
as Amazon Cloud Watch [34], Paraleap AzureWatch [35],
RackSpace CloudKick [36], Ganglia [37], Nagios [38],
Zabbix [39], MonALISA [40], and GridICE [41], and
incident reporting frameworks such as ENISA Cloud
Security Incident Reporting Framework [42] are relied on
for encouraging the CSPs to report timely and accurately. Several frameworks have been proposed to assist users in service selection based on a variety of criteria
such as QoS performance [43,44], trust and reputation
level [45–49], and privacy [50]. CARAM and JRTM can
also be used as a service selection tool. Multicriteria decision-making with a posterior articulation of user preferences approach has been introduced to be used
with both CARAM [5] and JRTM [33].
6.6 SUMMARY
Risk and trust are critical issues for cloud services and are closely related to each other. In the literature, trust is stated as the main barrier for potential customers before they embrace cloud services. For realization of cloud computing, the trust relationship between the CC and the CSP has to be established. This requires an in-depth understanding of cloud risks. Therefore, various orga- nizations such as CSA, ENISA, and CNIL carried out studies to gain better insight into them.
CSA have run surveys among the stakeholders in cloud ecosystems on the top threats twice so far, in 2010 and 2013. The results of these surveys are available in a report titled The Notorious Nine, which elaborates the top nine threats. CSA also maintains a database of ques- tionnaires called STAR. Many CSPs answered the CAIQ and registered their answers in STAR. Both the notori- ous nine and STAR are important resources for cloud risk assessment.
In 2009, ENISA also conducted a cloud risk assess- ment, which is a qualitative study on the likelihood and consequences of 35 incident scenarios. Its study covers security, privacy, and service risks, and clarifies the vul- nerabilities and assets related to each scenario. In 2011, CNIL also assessed the privacy risks associated with the cloud. In its report, CNIL introduces some measures to reduce the privacy risks. Both ENISA’s and CNIL’s risk assessments are generic and do not differentiate the CSPs or CCs.
There are other risk and trust models like CARAM and JRTM, that assess the risks of a CSP for a CC. CARAM is a qualitative model based on ENISA’s risk assessment and STAR. JRTM is a quantitative model that calculates the probability of security, privacy, and service risks according to the incident reports given by CSPs. Various risk and trust-based service selec- tion schemes that use models like CARAM and JRTM are available for supporting CCs in finding the cloud services that fit their risk landscape best in the litera- ture. Our paper provides a survey on these models and schemes.
ACKNOWLEDGMENTS
This work is conducted as part of the EU-funded FP7 project titled Accountability for Cloud and Other Future Internet Services (A4Cloud), which introduces an accountability-based approach for risk and trust man- agement in cloud ecosystems.
FURTHER READING
E. Cayirci. Modelling and simulation as a service: A survey. In
Proceedings of the 2013 Winter Simulation Conference,
edited by R. Pasupathy, S.-H. Kim, A. Tolk, R. Hill, and M. E. Kuhl. Piscataway, NJ: Institute of Electrical and Electronics Engineers, Inc., 2013, pp. 389–400.
REFERENCES
1. EU. Opinion 05/2012 on Cloud Computing. 2012. Available at http://ec.europa.eu/justice/data-protection/ article-29/documentation/opinion-recommendation/ files/2012/wp196_en.pdf.
2. D. Rousseau, S. Sitkin, R. Burt, and C. Camerer. Not so different after all: A cross- discipline view of trust.
Academy of Management Review 23(3): 393–404, 1998.
3. S. Kaplan and B. J. Garrick. On the quantitative defini- tion of risk. Risk Analysis 1(1): 11–27, 1981.
4. E. Cayirci. A joint trust and risk model for MSaaS Mashups. In Proceedings of the 2013 Winter Simulation
Conference, edited by R. Pasupathy, S.-H. Kim, A. Tolk,
R. Hill, and M. E. Kuhl. Piscataway, NJ: Institute of Electrical and Electronics Engineers, Inc., 2013, pp. 1347–1358.
5. E. Cayirci, A. Garaga, A. S. Oliveira, and Y. Roudier. Cloud adopted risk assessment model. In Proceedings
of the 2014 IEEE/ACM 7th International Conference on Utility and Cloud Computing (UCC ‘14), IEEE Computer
Society, Washington, DC, pp. 908–913.
6. W. Jansen and T. Grance. Guidelines on Security &
Privacy. Draft Special Publication 800-144 NIST, US
Department of Commerce, 2011.
7. F. Massacci, J. Mylopoulos, and N. Zannone. Hierarchical hippocratic databases with minimal dis- closure for virtual organizations. The VLDB Journal 15(4): 370–387, 2006.
8. S. Pearson and A. Charlesworth. Accountability as a way forward for privacy protection in the cloud. In Proceedings of the 2009 Cloud Com, edited by M. G. Jaatun, G. Zhao, and C. Rong. New York: Springer- Verlag, 2009, pp. 131–144.
9. D. Cooper, P. Bosnich, S. Grey, G. Purdy, G. Raymond, P. Walker, and M. Wood. Project Risk Management
Guidelines: Managing Risk with ISO 31000 and IEC 62198. Wiley, Second Edition, ISBN 978-1-118-84913-2,
2014.
10. DHS. DHS Risk Lexicon. Department of Homeland Security, 2008.
11. B. C. Ezell, S. P. Bennet, D. Von Winterfeldt, J. Sokolowski, and A. J. Collins. Probabilistic risk analysis and terrorism risk. Risk Analysis 30(4): 575–589, 2010.
12. CSA. The Notorious Nine Cloud Computing Top
Threats in 2013. 2014. Available at https://downloads.
cloudsecurityalliance.org/initiatives/top_threats/The_ Notorious_Nine_Cloud_Computing_Top_Threats_ in_2013.pdf.
13. CSA. Consensus Assessment Initiative Questionnaire. 2014. Available at https://cloudsecurityalliance.org/ research/cai/.
14. CSA. Security, Trust & Assurance Registry (STAR). 2014. Available at https://cloudsecurityalliance.org/ star/#_registry.
15. ISACA. COBIT 5: A Business Framework for the
Governance and Management of Enterprise IT. 2014.
Available at http://www.isaca.org/cobit/pages/default. aspx.
16. ISO/IEC 31010. Risk Management-Risk Assessment Techniques (2009 Edition). 2014. Available at https:// www.iso.org/obp/ui/#iso:std:iso-iec:31010:ed-1:v1:en.
17. ENISA. Cloud Computing; Benefits, Risks and
Recommendations for Information Security. 2009
Edition. 2014. Available at http://www.enisa.europe.eu.
18. CNIL. Methodology for Privacy Risk Management: How
to Implement the Data Protection Act. 2012 Edition, 2014.
Available at http://www.cnil.fr/english/publications/ guidelines/.
19. S. Pearson. Privacy, security and trust in cloud com- puting. In Privacy and Security for Cloud Computing,
Computer Communications and Networks, edited by
S. Pearson and G. Yee. New York: Springer-Verlag, 2012, pp. 3–42.
20. A. Rashidi and N. Movahhedinia. A model for user trust in cloud computing. International Journal on
Cloud Computing: Services and Architecture (IJCCSA)
2(2): 1–8, 2012.
21. W. Li and L. Ping. Trust model to enhance security and interoperability of cloud environment. Cloud
Computing, Lecture Notes in Computer Science 5931:
69–79, 2009.
22. S. Marsh. Formalising Trust as a Computational Concept. Doctoral dissertation, University of Stirling, 1994.
23. S. Banerjee, C. Mattmann, N. Medvidovic, and L. Golubchik. Leveraging architectural models to inject trust into software systems. In Proc. SESS ‘05, ACM, New York, pp. 1–7, 2005.
24. R. C. Mayer, J. H. Davis, and F. D. Schoorman. An inte- grative model of organizational trust. The Academy of
Management Review 20(3): 709–734, 1995.
25. D. Osterwalder. Trust through evaluation and certifi- cation. Social Science Computer Review 19(1): 32–46, 2001.
26. S. Singh and C. Morley. Young Australians’ privacy, security and trust in internet banking. In Proceedings of
the 21st Annual Conference of the Australian Computer- Human interaction Special interest Group: Design: Open 24/7, 2009.
27. Y. Wang and K.-J. Lin. Reputation-oriented trustwor- thy computing in e-commerce environments. Internet
Computing 12(4): 55–59, 2008.
28. K. L. K. Ryan, P. Jagadpramana, M. Mowbray, S. Pearson, M. Kirchberg, Q. Liang, and B. S. Lee. TrustCloud: A framework for accountability and trust in cloud computing. In 2nd IEEE Cloud Forum for Practitioners
(ICFP), 2011.
29. B. R. Kandukuri, R. Paturi, and V. A. Rakshit. Cloud security issues. In IEEE International Conference on
Services Computing, 2009.
30. K. Khan and Q. Malluhi. Trust in cloud services: Providing more controls to clients. IEEE Computer 46(7): 94–96, 2013.
31. J. Audun and S. L. Presti. Analysing the Relationship
between Risk and Trust. iTrust, 2004, pp. 135–145.
32. A. Yudistira, P. Giorgini, F. Massacci, and N. Zannone. From trust to dependability through risk analysis. In
ARES, 2007, pp. 19–26.
33. E. Cayirci and A. S. Oliviera. Modelling trust and risk for cloud services. IEEE Transactions on Cloud
Computing (submitted).
34. Amazon Cloud Watch. Available at http://aws.amazon. com/cloudwatch/.
35. Paraleap AzureWatch. Available at https://www. paraleap.com/AzureWatch.
36. RackSpace Cloud Monitor. Available at http://www. rackspace.com/cloud/monitoring/.
37. M. L. Massie, B. N. Chun, and D. E. Culler. The ganglia distributed monitoring system: Design, implementation and experience. Parallel Computing 30: 817–840, 2004.
38. Nagios. Available at http://www.nagios.org/.
39. Zabbix. Available at http://www.zabbix.com/.
40. H. B. Newman, I. C. Legrand, P. Galvez, R. Voicu, and C. Cirstoiu. Monalisa: A distributed monitoring service architecture. In Proceedings of CHEP03, San Diego, CA, 2003.
41. S. Andreozzi, N. De Bortoli, S. Fantinel, A. Ghiselli, G. L. Rubini, G. Tortone, and M. C. Vistoli. Gridice: A monitoring service for grid systems. Future
Generation Computer Systems 21(4): 559–571, 2005.
42. ENISA. Cloud Security Incident Reporting: Framework
for Reporting about Major Cloud Security Incidents.
ENISA, 2013.
43. W. X. Tran and H. Tsuji. QoS based ranking for web services: Fuzzy approaches. In Proceedings of the 2008
4th International Conference on Next Generation Web Services Practices (NWESP ‘08). Washington, DC: IEEE
Computer Society, pp. 77–82.
44. P. Wang, K.-M. Chao, C.-C. Lo, C.-L. Huang, and Y. Li. A fuzzy model for selection of QoS-aware web services. In Proceedings of the IEEE International Conference on
e-Business Engineering (ICEBE ‘06). Washington, DC:
IEEE Computer Society, pp. 585–593.
45. M. Maximilien and M. P. Singh. Toward autonomic web services trust and selection. In Proceedings of the 2nd
International Conference on Service Oriented Computing (ICSOC ‘04). ACM, New York, NY, pp. 212–221.
46. S. Paradesi, P. Doshi, and S. Swaika. Integrating behav- ioral trust in web service compositions. In ICWS, 2009, pp. 453–460.
47. L.-H. Vu, M. Hauswirth, and K. Aberer. QoS-based service selection and ranking with trust and reputation management. In Proceedings of the 2005 Confederated
International Conference on the Move to Meaningful Internet Systems (OTM’05), Berlin: Springer-Verlag,
pp. 466–483.
48. P. Wang, K.-M. Chao, C.-C. Lo, R. Farmer, and P.-T. Kuo. A reputation-based service selection scheme, e-business engineering. In IEEE International Conference on
ICEBE ‘09, 2009, pp. 501–506.
49. Z. Xu, P. Martin, W. Powley, and F. Zulkernine. Reputation-enhanced QoS-based web services discov- ery. In IEEE International Conference on ICWS 2007, Web Services, 2007, pp. 249–256.
50. E. Costante, F. Paci, and N. Zannone. Privacy-aware web service composition and ranking. In ICWS, 2013, pp. 131–138.
79