International Journal of Intelligent Information Technologies Volume 12 • Issue 2 • April-June 2016

A Conceptual Security Framework for Cloud Computing Issues

Shadi A. Aljawarneh, Jordan University of Science and Technology, Irbid, Jordan
Muneer Bani Yassein, Jordan University of Science and Technology, Irbid, Jordan

ABSTRACT

In this article, perspectives from Cloud computing practitioners are presented in order to address clients' concerns and raise awareness of the measures that are put in place to ensure the software security of client services running in the Cloud. In addition, the authors have investigated the impact of a number of existing approaches and techniques in order to provide a systematic survey of the current software security issues in the Cloud environment. Based on these perspectives and the survey, a generic conceptual framework is designed to outline the possible current solutions to software security issues in the Cloud and to present a preferred software security approach for the Cloud research community to investigate. As a potential enhancement of the proposed Cloud software security framework, the concepts of fuzzy systems might be used to solve a large number of Cloud security issues at different framework levels.

Keywords: Availability, Cloud Computing, Encryption, Fuzzy Systems, PAAS, SAAS, Software Security

DOI: 10.4018/IJIIT.2016040102. Copyright © 2016, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.

1. INTRODUCTION

Cloud computing is a new concept in the era of technology. This concept adds new paradigms, techniques and approaches to computing science. In the Cloud, software and its data are created and maintained virtually for the users and are only accessible via a particular Cloud's software, platform or infrastructure (Aljawarneh, 2011). Before 2005, clients imagined renting resources, information and software in order to operate, run and enhance their devices and programs. Currently, it is possible to rent whatever resources you like, so this dream is now realized. In general, the Cloud has four basic characteristics:

1. Scalability: The Cloud opts to use a scalable architecture. Scalability means that hardware units are added to bring more resources to the Cloud system (David, et al., 2015). However, this feature is in a trade-off with software security. Therefore, scalability might make the Cloud easier to depict, and it might increase the number of criminals who would access the Cloud storage and Datacenters illegitimately (Aljawarneh, 2011). Vaquero et al. (Vaquero, et al., 2012) aimed to acquaint the reader with this problem in distributed systems: user-oriented service-level scalability. Scalability issues are analysed from the Infrastructure as a Service (IaaS) and the Platform as a Service (PaaS) points of view, as they deal with different functions and abstraction levels (Vaquero, et al., 2012).
2. Availability: The services, platform and data are accessible at any time and place. The Cloud is potentially exposed to greater software security threats, principally when the Cloud is based on the Internet rather than on an organization's own platform (David, et al., 2015).
3. Automatic Backup: Day after day, many manufacturers of electronic devices rely on the Cloud computing model and are increasingly including this paradigm in their products, since it brings the characteristics of communication and automatic backup of information (Sessions, 2009).
4. Adding value and additional services to the user, such as the ability to synchronise between friends on social networking sites such as Facebook and friends on phones registered under the same names in Palm phones (Aljawarneh, 2011).

Currently, the academic world requires sharing, distributing, integrating and changing information, and linking applications and other resources within and among organizations (Wang, Zhang, & Cao, 2009). Due to openness, virtualization and distributed interconnection, software security becomes a crucial challenge in order to ensure the integrity, confidentiality and authenticity of digitized data in Clouds (Aljawarneh, et al., 2010; Aljawarneh, et al., 2015).

In this paper, we have attempted to acquaint readers with the current state of software security issues and levels in the Cloud by presenting a generic framework that might assist in the protection of their Cloud services and Datacenters. This paper provides a survey of software security tools and techniques in the area of Cloud Computing. It analyses the major vendors' solutions and practitioners' approaches, and then provides a general layered framework aimed at providing organizations with a roadmap of the different perspectives from which software security issues in Cloud-based systems can be faced. Such a contribution plays an unquestionable central role in the adoption of Cloud-based solutions by organizations.

Software security is the main issue that practitioners of Cloud applications and systems might face. The owners of data might be concerned because the data and the coupled software are not under their control but rather possessed by the Cloud. In addition, the data owner may not be aware of where the data is geographically located at any particular time.
So our research statement in this study is to question how to secure the data contained in the Cloud (Aljawarneh, et al., 2015).

The rest of the paper is organized as follows. Section 2 states six reasons for clients' increasing suspicions during the use of Cloud services and describes the current Cloud software security tools. Section 3 describes the scenarios of Cloud threats. In Section 4, we conceptually present a generic framework consisting of components and levels in the Clouds; there we review the existing solutions and discuss a number of practitioners' perspectives related to clients' suspicions about Cloud software security. A case study about health software security is discussed in Section 5. Finally, we draw the conclusions and future work.

2. REASONS BEHIND CLOUD'S CLIENTS CONCERNS

This section describes a number of common reasons that have raised concerns among the clients who use Cloud services and applications. The frequent reasons are as follows:

1. Some clients ask: what happens if someone (such as a manager, owner, maintainer or others) halts the organization's servers, or if they face major problems that prevent them from working? The reality is that, regardless of the capacity and capabilities of the organization that manages these servers, a collapse of the system can take place anywhere and at any moment (Sessions, 2009). Hence the second question: could Cloud computing fail? The answer to this question is outside the scope of this paper, as it involves more systematic studies from different views and perspectives.


2. Reputable organizations have attempted to mitigate client concerns by confirming that the Cloud model is secure, the Cloud services are protected, the information in Datacenters and hosted servers is encrypted, and the communication channel between the client and the Cloud resources is secure and therefore protected from any sort of attack. However, some criminals claimed that Cloud resources are penetrated much more easily than the non-Cloud environment (Aljawarneh, 2011). Sony claimed that the level of encryption is not strong enough (Armerding, 2012).
3. Should Cloud software security threats and vulnerabilities be predictable? It would be effective, but often clients and software security practitioners cannot predict what the next vulnerability will be. Once it is possible to predict software security vulnerabilities, practitioners can control and prevent the threats.
4. Due to a lack of control over Cloud services, platform and/or infrastructure, academics and practitioners have stated that software security is a major challenge in the Cloud. In Cloud computing, the data will be virtualized across different host machines and accessed on the Web (Yan, et al., 2015; Wang, et al., 2015). From a business point of view, the Cloud provides a channel to the service or platform in which it could operate (David, et al., 2015). Arthur (Arthur, 2010) renamed Cloud computing 'Careless Computing' because Cloud clients do not control their own data and software, there is no monitoring of the Cloud providers, and consequently the data owner and maintainer may not know where data is geographically located at any particular time.

However, several organizations have adopted and used Cloud applications and services, including Microsoft Azure Services Platform, Web Services, Google and open source Cloud systems such as Sun Open Cloud Platform, for academic, client and administrative purposes (David, et al., 2015).
Yet, some organizations have not realized the substantial software security issues of the Cloud. Some of these organizations adopted readily available software security and protection tools to secure their systems, services and platforms.

Today, Amazon uses a Cloud platform to offer a number of web services to clients. Amazon constructed a platform called Amazon Web Services (AWS) in order to secure access to web services (Aljawarneh, 2011). AWS presented a protection level to face the traditional software security issues in the Cloud (Rimal, 2009). Meanwhile, physical access to AWS Datacenters is limited and controlled, since the data owner may be aware of where the data is geographically located at any particular time. Authorised staff have to log in through two authentication phases, with a restricted maximum number of times for accessing AWS and AWS Datacenters (Rimal, 2009). Note that Amazon only offers restricted Datacenter access and information to people who have an officially authorized business need for these privileges. If the business need for these privileges is revoked, then the access is stopped, even if the person continues to be an employee of Amazon or AWS (Rimal, 2009). However, one of the weaknesses of AWS is that the dynamic data generated from AWS could be listened to and penetrated by users.

Microsoft presented a new secure system, which includes five main services forming the core of the operating system: (i) Windows Azure, which is the main part of the system and is specialised for hosting services and data storage; (ii) Microsoft SQL Services, which is a part of the relevant databases for these services developed and hosted by the system; (iii) Microsoft .NET Services, which is an application framework; (iv) Live Services, for sharing photos and synchronizing with computers and portable devices; and (v) Microsoft SharePoint Services and Microsoft Dynamics CRM Services for business content management (Calder, 2011).

Fiore and Aloisio (Fiore, & Aloisio, 2011) proposed a new Cloud software security technique to measure the legitimacy of Cloud resources and the trustworthiness of Cloud database management using metadata and privilege-based access control. This technique has several benefits for ensuring the integrity and trustworthiness of Cloud resources by using the everything-as-a-service (XaaS) mechanism.


In support of XaaS, a variety of operating systems (e.g., Unix and Windows), software packages (e.g., DBMS and SAP), and Cloud resources exist in such platforms (Kotiyal, et al., 2012). Each such platform has diverse mechanisms of authentication and authorization. Across the range of Cloud infrastructures, packages, and platforms, a Cloud resource previously accessed in one platform cannot be accessed by the same user in another platform, and vice versa. Cloud Datacenters facilitated by the features stated above validate that the resource feeder is in the Cloud servers. Even though the authentication service checks the authenticity of the feeder, this does not ensure that a resource posted by the feeder is free from authentication spoofing, virus attacks, or plagiarism. It is widespread that an information gap exists between the creator and the feeder of a Cloud resource (Yan, et al., 2015).

Arshad et al. (Arshad, et al., 2012) presented efforts to address one of the significant issues with respect to software security of Clouds, i.e., intrusion detection and severity analysis. An abstract model for integrated intrusion detection and severity analysis for Clouds is proposed to facilitate minimal intrusion response time while preserving the overall software security of the Cloud infrastructures.

3. SCENARIO OF CLOUD THREATS

Basically, there are six fields of software security vulnerabilities in Cloud computing: (a) data at end-to-end points, (b) data in the communication channel, (c) authentication, (d) separation between clients, (e) legal issues, and (f) incident response (Takabi, Joshi, & Ahn, 2010). One scenario of Cloud threats is that software security principles in the Cloud can be lost (Cappelli, Trzeciak, & Moore, 2006); for example, criminals might penetrate the Cloud in many forms. An insider adversary who gains physical access to Datacenters is able to destroy any type of static content in the root of a web server.
It is not only physical access to a Datacenter that can corrupt data; a malicious web manipulation tool can also penetrate servers and Datacenter machines. Once installed, a malicious tool can monitor, intercept, and tamper with online transactions in a trusted organization. The result naturally allows a criminal full root access to Datacenter and web server applications. As soon as such access has been established, the integrity of data or software is in question (Aljawarneh, 2011; Virvilis, 2015).

There are several software security products (e.g. Antivirus, Firewalls, gateways, and scanners) that add an extra level of software security for Cloud applications and systems, but they are not sufficient, as each one of them has only a specific purpose; hence, they are called ad-hoc software security tools. For example, network firewalls provide protection only at the host and network level (Jiang, et al., 2013). There are five reasons why these software security defenses cannot be used alone to secure systems (Jiang, et al., 2013):

1. They cannot prevent malicious attacks that perform illegitimate transactions, because they are designed to prevent vulnerabilities of signatures and specific ports.
2. They cannot manipulate form operations, such as asking the user to submit certain information or validating false data, because they cannot distinguish between the original request-response conversation and the tampered conversation.
3. They do not track conversations and do not secure the session information. For example, they cannot track when session information in cookies is exchanged over an HTTP request-response model.
4. They provide no protection against web application/services attacks, since these are launched on port 80 (the default for web sites), which has to remain open to allow normal operations of the business.
5. Previously, a firewall could suppose that an adversary could only be on the outside. Currently, with the Cloud, an attack might originate from the inside as well, where a firewall can offer no protection.


Figure 1. Cloud Computing Software security

Figure 1 illustrates the data storage and Datacenters, which are possibly targeted by criminals. According to computer forensics, the distrusted servers and Datacenters are the target of crime (Wang, et al., 2015). Therefore, the question that needs to be answered is whether or not data is safe and secure. Data confidentiality might be compromised by either insider user threats or outsider user threats (Zhang, et al., 2010). For instance, insider user threats might maliciously come from the Cloud operator/provider, a Cloud client, or a malicious third party. The threat of insiders accessing client data within the Cloud is larger, as each of the models can offer the need for multiple users: (i) SaaS: Cloud clients and administrators; (ii) PaaS: application developers; and (iii) IaaS: third party consultants.

4. THE PROPOSED GENERIC FRAMEWORK

In this section, we outline the proposed generic framework, which can act like a map that gives coherence to empirical inquiry. Because conceptual frameworks are potentially so close to empirical inquiry, they take different forms depending upon the research question indicated in this article. The proposed framework consists of three elements, as shown in Figure 2:


Figure 2. Components of the proposed framework

1. A survey of the existing solutions to identify some common software security issues, solutions, and their strengths, weaknesses and limitations.
2. A number of perspectives from Cloud software security practitioners that explain the key Cloud software security issues in firms around the world.
3. A classification of Cloud software security levels, which is based on the survey and the perspectives.

Thus, we survey a number of the current solutions in Cloud software security to outline a coherent framework. This section includes the existing solutions and their strengths, processes and weaknesses.

An approach introduced in (Kotiyal, et al., 2012) suggested the use of five security levels, based on authentication, confidentiality, and integrity of the data stored and accessed by the cloud user at Datacenters. Authenticity is provided by encryption/decryption of the MAC code and generation/comparison of a hashed password. Use of a hashed password limits the requirement of securing the password at all the components and over the network. The authenticity of the Datacenter is provided through the encrypted e-mail carrying the password. Confidentiality and integrity are provided through the hashed password and an MD5 digest, which take the login process to Datacenters through five levels. The authentication scheme is based on hashed password storage between cloud provider and cloud client. Furthermore, data confidentiality and integrity are provided through the MD5 cryptosystem hash technique. However, the authentication scheme limited access to a predefined IP or MAC address of the cloud client, which restricts access to the data to one location; the cloud client can access the Datacenter only from one location.

The authors in (Naik, & Sanyal, 2013) presented a wide variety of methods that can be included to protect and secure cloud computing.
To secure the connection between the cloud client (CC) and the cloud provider (CP), encryption algorithms are used, and if the connection is through wireless devices, it can be secured using Wired Equivalent Privacy (WEP), an SSID for each access point, and MAC address filtering. However, no implementation or performance results on the efficiency of WEP or SSID through wireless devices were given.

In (Nimje, 2013), an approach was adopted that uses DNA cryptography for the optimization of data software security in the cloud. DNA encryption is based on microarray technology as follows: (i) the DNA structure has two strands, and one or more input DNA strands are taken to be the plaintext message; (ii) one or more randomly constructed “secret key” strands are appended to them; and (iii) the resulting “tagged plaintext” DNA strands are hidden by mixing them with many additional “distracter” DNA strands, which might also be constructed by random assembly. The decryption process (recovery of plaintext from ciphertext), on the other hand, includes the following steps: (i) given knowledge of the “secret key” strands; and (ii) resolution of DNA strands can be decrypted by a number of possible known recombinant DNA separation methods: plaintext message strands may be separated out by hybridization with the complements of the “secret key” strands, which might be placed in solid support on magnetic beads or on a prepared surface. The DNA cryptography approach is not constrained to specific encryption and decryption algorithms. However, this approach is still mostly a theoretical concept and is not yet implemented.

In (Fremantle, & Scott, 2015), the authors proposed an approach that is based on three cryptographic techniques (Key Policy Attribute-Based Encryption, Proxy Re-Encryption, and Lazy Re-Encryption) to secure data in cloud Datacenters. The approach uses Key Policy Attribute-Based Encryption (KP-ABE) to secure the connection between cloud client and provider, based on a combination of four algorithms (namely: Setup Attributes, Encryption, Secret Key Generation, and Decryption). Proxy Re-Encryption (PRE) is a cryptographic primitive involving a semi-trusted proxy: a PRE scheme allows the proxy, given the proxy re-encryption key, to translate ciphertexts under one public key into ciphertexts under another public key, and vice versa. Finally, the lazy re-encryption technique allows Cloud Servers to aggregate the computation tasks of multiple operations, such as updating secret keys and updating cloud clients' attributes.
However, the implications of the KP-ABE scheme may not be entirely realistic, because the approach assumes the existence of a single trusted party who monitors all attributes and issues all decryption keys between cloud client and provider.

In (Mathew, 2012), the authors introduced a framework to secure the client cloud environment through the use of a VPN to access the cloud provider's network. The proposed framework allows cloud providers to check cloud clients' authentication and make sure that clients are authorized. Once the cloud providers are confident about the clients' credentials, their data is encrypted and stored. The whole framework is based on an agreed software security policy between cloud clients and providers, implemented through the use of a VPN.

In (Bugiel, 2011), an architecture was proposed that consists of two clouds (twins), a Trusted Cloud and a Commodity Cloud, where software security-critical operations are performed by the Trusted Cloud. However, who certifies the cloud provider as trusted so that it can be used by the cloud client?

The authors in (Suresh, & Prasad, 2012) presented a set of software security algorithms that can be implemented to overcome software security issues and attacks in cloud computing. Data transmission between cloud client and provider is protected by encrypting data using RSA: messages between CC and CP encrypted with the public key can only be decrypted using the private key. User data protection includes encryption prior to storage, user authentication procedures prior to storage or retrieval, and building secure channels for data transmission. The authors also describe how the MD5 and AES algorithms are used to secure Datacenters. However, a third party is needed to distribute keys between CC and CP. There is no implementation model that proves or justifies that the three algorithms can calm the fears of cloud clients.
The authors in (Porwal, et al., 2012) presented an approach to secure data in a private cloud without disturbing the network layers, protecting the data in the server from illegal users. The data is secured in the server based on the user's choice of software security method, so that data is given high security priority. This model suggests that data transferred in the private cloud must be encrypted on top of the transport layer instead of using IPSec or SSL. This layer is used to encrypt and decrypt data between client and servers. Accordingly, each time data is transferred by the cloud client, it is first secured by definite authentication protocols and saved at the server end. Therefore, the data will be stored in a secured manner at the server end. Those who want to obtain the data should be connected or have access through the same framework to view the data.


To present a more reliable generic framework, we present a number of perspectives from Cloud software security practitioners to calm clients' concerns about Cloud Computing.

First Perspective: Keeping information assurance architectures secure and confidential, such as the details of how model-driven software security policies should be enforced in Cloud systems. For instance, the UK Cabinet Office published a number of Government Cloud documents but did not publish the Information Assurance documents. However, Lang (Lang, & Schreiner, 2009) stated that the Information Assurance documents should be published with the Government Cloud documents for the following reasons:
◦ There is no need to create a public Cloud if the documents are confidential and sensitive; creating a public Government Cloud will then not make sense.
◦ Building a public or even private Government Cloud is highly expensive. It involves many servers, Datacenters, services and human resources.

Second Perspective: To date, financial organizations are not willing to adopt the public Cloud, because it would be risky, as explained before. But it is possible to use the private Cloud in financial organizations.

Third Perspective: The Cloud is a long-term consideration, so clients need to know who they are dealing with. Therefore, a vendor should understand the client organization, and the organization should in turn understand the solution under consideration (Subashini, & Kavitha, 2011). For example, if the proposed applications and services access any sensitive information at any point of the client's experience, then the information and the application should be protected.
Martin Fisher, Director of Information Software security at WellStar Health System, explained that “The key thing when you start talking about private Cloud or whoever, is making sure that in whatever contract you have, you one: have a right to audit; and two: that the vendor or provider has an obligation to respond in the event of a declared incident,” (Subashini, & Kavitha, 2011).

Mestas (Software Architect at 3DEV Business & Consulting SAC, USA) stated in a forum that the current big picture is a mix of IT infrastructures, including Cloud and non-Cloud systems, for many companies for many years. Mestas further expounded (Greenhow, Robelia, & Hughes, 2009):

• “Talking about the Cloud space, public Clouds versus private Clouds, many organizations will likely end up with a mixed IT environment that includes both types of Cloud as well as non-Cloud systems and applications, in this approach Hybrid Clouds will be the more widely model adopted for many enterprises, considering that not all assets can be placed in public Clouds.”
• “The private portion of the Hybrid Cloud must be compliance with the Software security Standards of the organization and fulfil the interns SLAs, establish software security mechanism (federation, infrastructure hardening) to integrate with the public portion of the Cloud under an integration approach or establish a matrix for classify the information that can be published into the public space.”

In all these case studies, Hybrid Cloud software security may be a little less than that of the others. It is accurate that Cloud adoption will widely start from Hybrid unless the software security controls and DR of a Cloud service are proven.

Based on the Cloud system practitioners, researchers and the existing solutions, the proposed generic framework classifies the Cloud software security issues into the categories illustrated in Figure 3. Figure 3 shows the levels of Cloud software security that should be considered in current and future solutions. In addition, we have to distinguish between these levels, so each level could have a different approach or technique targeted at it. In other words, the solution for level 1 could not be fitted to other levels. For example, the software security settings of Datacenters are different from those of data transmission. In addition, this framework addresses another software security level that is not normally considered in academia, namely the software security of the Internet Service Provider (ISP). This level is specialized in issues of web hosting software security and ISP gateways. There is also a difference in the protocol that might be used at each level. These levels are divided into two types: physical and logical levels. Consequently, the communication between them needs a way to understand the data flow between them.

Figure 3. The proposed framework elements and Cloud software security categories

As shown in Figure 3, much research has concentrated on some levels, such as remote system software security, application software security, and data transmission software security. Many Cloud software security tools have been developed to add an extra level of protection to these levels. However, some levels have received little attention in research, such as the Datacenter software security level and the Hypervisor software security level. It should be noted that the research attention has been indicated in relation to the academic survey and Cloud software security practitioners.

As a potential enhancement of the proposed Cloud software security framework, the concepts of fuzzy systems might be used to solve a large number of issues in Cloud software security at different levels. However, this requires publishing the source code associated with the software security levels' proposals in the proposed framework (Alcala-Fdez, & Alonso, 2015). Nowadays, it is possible to facilitate the use of fuzzy systems because, although the software of software security tools is commercially distributed, most software is available as free and open source software, reducing such issues and providing several benefits such as faster error detection and innovative applications.
In the proposed framework, we could add the type of the software security tools' software, such as type, library, toolbox, and suite. In addition, the fuzzy languages of software security tools should be considered in the framework in order to improve the reusability of the developed fuzzy cloud software security framework.

We have employed a fuzzy-based analyzer to distinguish between trusted and malicious transaction behavior by distributing certificates only to trusted transactions and avoiding untrusted transactions. Note that fuzzy logic based functions do not give exact results. Fuzzy logic variables can have trust values between 0 and 1. In the presented framework, the trust decision is based on fuzzy logic. If the evaluated trust is greater than or equal to the threshold trust, then that particular transaction is called trustworthy; otherwise it is treated as untrustworthy and excluded from all future transaction operations.

5. CASE STUDY: LINKING THE MEDICAL CENTERS BETWEEN JORDAN AND AUSTRALIA

E-Health software security is a vital problem to be overcome if the web is to develop further. Understanding how to secure healthcare data and communication is therefore the first step in truly building a connected network, Cloud and/or Cloudlet and inspiring confidence between patients and healthcare centers. Currently, health caregivers, health institutions, healthcare centers and insurance companies have all had to share information (such as patient registration forms, health history with any trusted provider, and digital health images) related to a patient's care. This sharing was often unsecure. For example, patients, nurses, doctors, technicians and health organizations might notice the illegal alteration or illegal copying of confidential digital objects (such as audio, images, video, documents and others) after the authentication scheme has been performed. However, at this stage, the destruction of objects has already taken place.

In this case study, the proposed framework, which helps to ensure that health information and communication are secure, is applied to healthcare centers in Australia and Jordan. Note that there are a number of approaches to professional development, including consultation, coaching, lesson study, mentoring, reflective supervision and technical assistance. In this study, the mentoring approach is recommended because a number of proposed experiments will be conducted, and so healthcare information distributed through Cloud storages and repositories between the health centers in Jordan and Australia will be monitored to check whether any illegal alteration of digital objects has occurred.
A consultation approach might be used to assist an individual or group in addressing immediate concerns by following a systematic problem-solving process. Furthermore, a workshop could be suggested to discuss the results and evaluate this type of professional development with the target clients in either Australia or Jordan. There are many more challenges in Jordanian health development, such as e-health software security, that need to be solved not only by the government but also by the community. Therefore, this case study has been taken into account.

Based on the proposed framework, seven security levels are used; they rely on authentication, confidentiality, and integrity for the health information stored at the Datacenters and accessed by the users of the health centers, such as doctors, nurses, health officers, government officers, technicians and patients in Australia and Jordan. The secure Datacenters are geographically distributed between Cloud Database Servers in Jordan and Australia. Authenticity is offered by the encryption/decryption of the MAC code and the generation/comparison of the hashed password. Use of a hashed password limits the requirement of securing the password at all the components and over the Cloud. The authenticity of the Health Datacenter is provided through the encrypted e-mail carrying the password. Confidentiality and integrity are provided through the hashed password and the SHA-256 digest, which make the login process to the Datacenters pass through seven levels. The authentication scheme is based on hashed password storage between the Cloud Service Provider (CSP) and the Cloud Client. Furthermore, data confidentiality and integrity are provided through the SHA-256 cryptographic hash technique. This process is recommended to be applied to the seven security levels, from the top level of the proposed framework to the bottom level. As a result, the patients can virtually receive the health services in a secure manner with high quality.
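The hashed-password login and the check for altered digital objects described in this case study, as an added Python example that is not code from the article. The article names no password-hashing scheme or MAC construction, so salted PBKDF2-HMAC-SHA256, HMAC-SHA256, every function name and the sample record are assumptions made here.

```python
import hashlib
import hmac
import os

ROUNDS = 100_000  # assumed PBKDF2 work factor; the article specifies none


def enroll(password: str) -> dict:
    """CSP side: store a random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)}


def login(record: dict, attempt: str) -> bool:
    """Re-derive the hash from the attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])


def seal(obj: bytes, mac_key: bytes) -> dict:
    """On upload: record the SHA-256 digest and a keyed HMAC-SHA256 tag."""
    return {"sha256": hashlib.sha256(obj).hexdigest(),
            "tag": hmac.new(mac_key, obj, hashlib.sha256).hexdigest()}


def audit(obj: bytes, manifest: dict, mac_key: bytes) -> str:
    """On read: classify the stored object against its manifest."""
    fresh = seal(obj, mac_key)
    digest_ok = hmac.compare_digest(fresh["sha256"], manifest["sha256"])
    tag_ok = hmac.compare_digest(fresh["tag"], manifest["tag"])
    if digest_ok and tag_ok:
        return "intact"
    # Digest matches but tag does not: object and digest were rewritten without the key.
    return "digest-rewritten" if digest_ok else "altered"


def demo() -> dict:
    key = os.urandom(32)  # MAC key kept by the verifier, apart from the data
    original = b"patient=CONSTRUCTED-001;image=scan.dcm;note=no findings"  # constructed
    manifest = seal(original, key)
    tampered = original.replace(b"no findings", b"findings")
    forged = dict(manifest, sha256=hashlib.sha256(tampered).hexdigest())
    record = enroll("constructed-passphrase")
    return {"good_login": login(record, "constructed-passphrase"),
            "bad_login": login(record, "wrong-guess"),
            "clean": audit(original, manifest, key),
            "tampered": audit(tampered, manifest, key),
            "forged": audit(tampered, forged, key)}
```

The "forged" case shows why the keyed tag is checked alongside the plain digest: a digest stored next to the data can be recomputed by whoever altered the object, while the tag cannot be recomputed without the key.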


6. CONCLUSION

Existing Cloud services might face various software security issues at the Cloud models level. One main challenge is the lack of control over the Cloud Datacenters. Furthermore, software security is not integrated into the service development process. Indeed, traditional software security tools alone would not be able to resolve the recent software security issues, so it will be helpful to incorporate software security components upfront into the development methodology of the Cloud system. In this paper, a number of Cloud practitioners' perspectives are presented to calm clients' fears about Cloud concerns. We present a conceptual framework of three components that help to indicate the levels of Cloud software security that should be taken into account by researchers and practitioners. This paper has addressed an important issue and provided a wide analysis of available solutions, as well as a useful fuzzy framework, helping readers to orient themselves in the field of Cloud software security.

Consequently, it is recommended that governments keep their information assurance architectures secure and confidential. Moreover, financial organizations are not willing to adopt the public Cloud because it would be risky. However, such organizations may adopt the private Cloud instead. As part of future work, we will reveal/validate the effectiveness of the proposed system via some case studies or available data sets. We will also include details about the performance analysis/implementation of the proposed work with existing studies. Finally, the proposed framework could be more secure and reliable, and could help to add an extra level of software security in military and financial operations.


