of Things (IoT) and Cloud of Things (CoT) concepts especially confidentiality issue. ... National Institute of Standards and Technologies (NSIT)? did it - âa model for ..... Key goa alg. Sec ma con. 4. I dev oth the in t. Sec issu in C mo teei mu of u ...
Available online at www.sciencedirect.com
Available online at www.sciencedirect.com Available online at www.sciencedirect.com
International Conference on Knowledge Based and Intelligent Information and Engineering International Conference Knowledge Based and Intelligent Information Systems, on KES2017, 6-8 September 2017, Marseille, Franceand Engineering Systems, KES2017, 6-8 September 2017, Marseille, France
Privacy Privacy and and Security Security in in Internet-based Internet-based Computing: Computing: Cloud Cloud Computing, Internet of Things, Cloud of Things: a review Computing, Internet of Things, Cloud of Things: a review a b Syrine Syrine Sahmim* Sahmim*a ,, Hamza Hamza Gharsellaoui Gharsellaouib
a National School of Computer Science (ENSI), Manouba University, Tunisia, [email protected] a National School of Computer Science (ENSI), Manouba University, Tunisia, [email protected] b National Engineering School of Carthage, Carthage University, Tunisia, Al Jouf College of Technology, TVTC, b National Engineering School of Carthage, Carthage University, Tunisia, Al Jouf College of Technology, TVTC,
1. Introduction 1. Introduction It can be noticed that the way we use technologies is changing, a dramatic transformation is shaping the world from It can be noticed that the way we use technologies is changing, a dramatic transformation is shaping the world from isolated systems to ubiquitous Internet-based-enabled ’things’. These things are capable of communicating with each isolated systems to ubiquitous Internet-based-enabled ’things’. These things are capable of communicating with each other by sending data which contain valuable information. However, this new world built on the basis of Internet, other by sending data which contain valuable information. However, this new world built on the basis of Internet, contains numerous challenges as regard to the security and the privacy perspective. contains numerous challenges as regard to the security and the privacy perspective. ∗ ∗
1.1. Motivation In recent years, due to the fast development of new and more efficient computing methods, the interest of academics and practitioners has been shifting toward Internet-based Computing. Commonly known applications are Internet of Things (IoT), Cloud Computing (CC) and Cloud of Things (CoT). After a number of technology variants have appeared over the years, we found a need to classify those that can help secure computing. As a matter of fact, there is no review on which solutions are described as regard to these three points of views (i.e. IoT, CC and CoT). Besides, thousands of users of IoT, CC and CoT are communicating with each other, sharing ressources and exchanging high amount of sensitive data and information impose a great need of additional level of security especially to guaranty confidence in service providers as much as controlling the dissemination of personal data and to detect and eliminate vulnerabilities ? . Thus, in this article, the main challenges for privacy and security purposes are described along with an analyze of various constraints and the main techniques used to face one of them such as how to enable the users control over the dissemination of their attributes and data . 1.2. Context 1.2.1. Internet-based Computing Internet of Things. It is defined as a networked interconnection of devices in everyday use that are often equipped with ubiquitous mechanism. The Internet of Things (IoT) is based on processing of large amount of data in order to provide useful service. Along with physical objects, the IoT is composed of embedded software, electronics and sensors. This allows objects to be controlled remotely via the connected network infrastructure and facilitates direct integration between the physical world and computer communication networks. Therefore, it significantly contributes to improve robustness, accuracy, efficiency, and economic profits. This is why IoT has been widely applied in different applications such as environment monitoring, energy management, building automation, transportation, etc. ? . Cloud Computing. CC is a new computational paradigm which provides a novel business model for companies/organizations to adopt IT without large investment. CC also provides a new vision of internet-based, highly performance distributed computing systems in which computational resources are given as a service. It is common to define the cloud computing model just as the United States National Institute of Standards and Technologies (NSIT) ? did it - ”a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Two important aspects of the cloud model are Multi-tenancy and elasticity. The former allows the sharing of the same service instance with others tenants. Whereas the latter allows to scale up and down resources allocated to a service based on the current service demands. However, the improvement resource utilization, cost and service availability remains the target for both of them ? . Cloud of Things. Over the last years, IoT and CC have evolved gradually and continuously.They represent two of the most regarded Information and Communications Technology (ICT) concepts. As mentioned in many recent works, those different concepts can be integrated in order to create a new one called Cloud of Things (CoT) ? ? . Hence, CoT is a novel concept which has emerged from the consolidation of the IoT and CC concepts. Scientific estimations say that the IoT will grow to 35 billion items by 2020 ? ? . Such growth will make IoT one of the principal sources of Big Data of which the specificities could be the volume, heterogeneity, velocity, complexity, and value. Cloud computing is a more mature technology compared to IoT. It can offer virtually unlimited capabilities (e.g., storage and computation) to support IoT services and application that can exploit the data produced from IoT devices. It is not surprising that in recent years, a number of new CoT concepts arose from IoT such as Sensing-as-aService, Video-Surveillance-as-a-Service, Big Data Analytics-as-a-Service, Data-as-a-Service, Sensor-as-a-Service, etc. 1.2.2. Challenges The IoT is defined in ? as ” a global industry movement that brings together people, process, data, and things to make networked connections more relevant and valuable than ever before. Today, more than 99 percent of things in
the world are not connected. By 2020, it is estimated that 4.5 billion new people and 37 billion new things will have joined the Internet. In the near future, the growth and convergence of information, people, and things on the Internet will create unprecedented opportunity for countries, industries, and individuals”. The IoT is thus a kind of an intelligent system using a variety of connected devices, sensors and monitoring applications that operate over the internet. It is defined as a pervasive and ubiquitous network that enables control of the physical environment by gathering, processing and analyzing a mass of data captured and generated by sensors or smart devices and transmitted to the internet through a wireless communication systems (e.g. RFID, WiFi, 4G, IEEE 802.15.x) ? . IoT is a many-folded paradigm which embraces many different technologies, services and standards. It adopts different processing and communication architectures, technologies and design methodologies organized on their target ? . The work reported in ? , mentions that the IoT concept has three basic characteristics: comprehensive awareness, reliable transmission and intelligent processing. Firstly in IoT system, the comprehensive awblackareness using RFID, sensors and M2M terminal is to get information of intelligent objects in the neighborhood over time. Secondly, reliable transmission is to guarantee in real-time the security, communication, routing and encryption with high accuracy and with different networks protocols. Thirdly, intelligent processing which depends on intelligent computing technologies such as CC, fuzzy recognition, aims to analyze and pick up meaningful data collected from lots of users ? . In ? , the authors consider that each IoT system can be divided into three layers: perceptual layer, network layer and application layer. The perceptual layer, located in the lowest level of IoT model layout, includes wireless sensors, RFID and M2M terminal achieving a reliable sensing. The network layer involves different access methods (GSM, 3G, LTE, etc) and core exchange (IPv6, VPN, etc) of which the main task is to provide ubiquitous access, information transmission, processing and storage of the core business. The application layer analyzes and processes the received information to make good decisions. Due to the model layout, the mass of data, the different technologies, devices, the process management, the traffic, the distributed control, the constraints, the power, the energy and lifetime, a wide consensus is that the most challenging requirement is the security. Day after day the risk of malicious attacks grows. Hence, it is of critical importance to deal with security issues on IoT ? , ? , ? . CC provides four main categories of services such as Software as a Service SaaS, Platform as a Service PaaS, Network as a Service NaaS and Infrastructure as a Service IaaS ? . Firstly, Saas refers to the provider’s applications used by the consumer and running on a cloud infrastructure (network, servers, operating systems, storage, etc.) and accessible from various clients devices at different locations ? . Secondly, Paas is providing a platform to build applications and services using programming languages, libraries, services and tools supported by the cloud provider ? , ? . Thirdly, Naas, which can be heterogeneous ? , provides the virtual networks required by users. Finally, Iaas provides processing, computation, networks, and storage services on rental basis ? , ? . In CC two key issues have to be dealt with - computing and storage ? . It is common that the big amount of data is managed and stored in a data center. Therefore, it is impossible for the end user to find out where its data are geographically located. This means that people have no insights as to where their data are exactly stored. Besides, they don’t know by who and how they are manipulated. Moreover, in CC there are several models, the private one, the public one and the hybrid cloud one. The privacy requirement touches blackat different levels of each models. The public and hybrid cloud ones are accessible by all categories of users while the private clouds are controlled by an organization. blackNowadays, trying to tackle the difficulties above automatically raise important problems such as the security and privacy. The complexity of the IoT requires more efficient paradigms and solutions. Hence, the design of the new concept CoT is silently and gradually evolving with web computing since 2011. Therefore, it will be more data to store which will require more advanced technologies than conventional local or temporary storage. blackNew concepts have to be offered on a fair and equal basis to end users, therefore, just like the rental of storage space, processing and computation must follow the same scheme - a rental basis. This has to be applied not only to the IoT platform but also to the CC and their integration black(CoT) while considering security and privacy. The remainder of this paper is organized as follows: Section 2 resumes some works about security and privacy issues, In Section 3, some solutions are presented. In Section 4, some perspectives on current and future trends regarding the Internet-based computing is provided. Finally, Section 5 concludes the paper.
2. Security and privacy issues The security is defined as a set of mechanisms to protect sensitive data from vulnerable attacks and to guarantee confidentiality, integrity and authenticity of data. The privacy is defined as the guaranty that users maintain control over their sensitive data. This section deals with the most issues of security and privacy in the different internet-based computing domains. 2.1. Internet of Things Some of the main challenges for the application of the IoT encompass security issues. Those challenges will be mostly based on information security management systems as well as on legal foundations. When considering the legal framework of security and privacy of the IoT, it has to be determined which model of regulation should be applied. In Section 1, it has been discussed that the concept of IoT is based on mainly three layers or levels as shown in the literature. Discussions of security for each level and for the movement of data between levels and also for each device or system connected constitute the object of many papers for few years ago. And is said that security must pervade the entire model in order to face different type of threats. Amongst these types, one can find insecure Web/Cloud/Mobile Interface, insufficient authentication/ authorization, insecure network services, lack of transport encryption, privacy concerns, insufficient security configurability, insecure software/firmware and poor physical security. In IoT and In terms of user privacy, the issues include the following: (a) control of personal data, (b) improvement of privacy technologies and the relevant regulations, (c) standards techniques and softwares to manage the users and objects identity. In terms of confidentiality, some of the issues include the following: (a) the need for a easy to use exchange of critical, protected and confidential information and (b) confidentiality must be a integrated into the IoT design process. Lots of meta-data or temporary data required for the execution of services might be generated due to the management and processing of large quantities of data to guarantee useful information/service, confidentiality and integrity of data. These meta-data or temporary data could have the following characteristics: size, heterogeneity, etc. Application systems for IoT must provide efficient real time processing of data on demand (user requests). 2.2. Cloud Computing CC security challenges and issues have received loads of attention in the literature ? . As mentioned in ? , various risk factors exist in CC. They can be caused by multi-tenancy, hacking access, problem of backup recovery, no trust relationship between provider and consumer and auditing transaction without effecting integrity. The Cloud Computing Use Cases group ? discusses the different use case scenarios and related requirements that may exist in the cloud computing model. They consider use cases from different perspectives including customers, developers and security engineers. ENISA ? investigated the different security risks related to adopting cloud computing along with the affected assets, the risks likelihood, impacts, and vulnerabilities in cloud computing that may lead to such risks. Similar efforts discussed in “Top Threats to Cloud Computing ” by CSA ? . Balachandra et al ? discuss the security SLA’s specifications and objectives related to data locations, segregation and data recovery. Kresimir et al ? go into high level security concerns in the cloud computing model such as data integrity, payment, and privacy of sensitive information. Kresimir talked about different security management standards such as ITIL, ISO/IEC 27001 and Open Virtualization Format (OVF). Meiko et al ? review the technical security issues arising from adopting the cloud computing model such as XML-attacks, Browsers’ related attacks, and flooding attacks. Bernd et al ? deal with the security vulnerabilities existing in the cloud platform. The authors grouped the possible vulnerabilities into technology-related, cloud characteristics-related, security controls-related. Subashini et al ? consider the security challenges of the cloud service delivery model, focusing on the SaaS model. CSA ? discuss critical areas of cloud computing. They deliver a set of best practices for the cloud provider, consumers and security vendors to follow in each domain. CSA published a set of detailed reports examining for some of these domains. Privacy in the CC as in ? , denotes several types of private information such as: (a) Personally Identifiable Information (PII): Information that can identify an individual with certainty (key attributes : name, phone number, social security, national identity number,
emails, passwords. Quasi-identifier, zip code, date of birth, address) (b) Sensitive information: sensitive private date like membership, demography data, internet and habits, finance, health, hardware-id, etc. Handling such information without hard protection and laws is an extreme danger for all internet users. In Cloud computing system, the privacy is not guaranteed because of the misuse of the technology. Providers give an unlimited access of network and storage for a certain cost or sometimes for free. So, malicious insiders and provider employee’s will gain access over users data. Moreover, data proliferation and outsourcing to an external party is not controlled by owners. Therefore, several concerns must be pointed out to deal with the privacy issues: • • • • •
Who has access to data? Where is it stored? How many copies exist in a cloud? How to be sure that it was deleted when requested? Are laws and privacy policies respected by data actors?
2.3. Cloud of Things In ? , security issues and challenges are said to be linked with these areas: • • • • •
Heterogeneity: caused by a variety of devices, operating systems, platforms, services available Performance of communications, computations and storage aspects Reliability is needed for mission critical application Big data can cause problems of transportation, storage, access and processing Monitoring
Related to works reported in ? , the literature is concerned about CoT privacy issues. In the work reported in ? , it is presented an overview of privacy issues and open challenges, which are commonly used in the CoT. The paper ? discusses several critical privacy threats for the mobile crowd sensing concept which is a novel approach to ubiquitous computing become famous through IoT. Nine challenges and issues about privacy and security for the opportunistic sensing, an alternative to the participatory sensing in the crowd sensing paradigm, are analyzed in ? , along with conceptual solutions for each challenge. A security architecture for the CoT/IoT, is detailed in ? where security issues are identified by the authors at different CoT tiers. A similar approach is used in ? where a review of security features, requirements, and technologies for the IoT are provided. The authors focused on the importance of lightweight cryptographic protocols which have been recognized for reducing the energy consumption of devices. In ? , an analysis of security issues and possible attacks is given alongside promising approaches for specific challenges. The paper ? lists emerging security problems in the IoT and discusses possible measures to cope. Also, in ? , an IoT model layout from the security and privacy perspective is explained, with a brief overview of the EU (European) legislation in the privacy and security area. Finally, the work detailed in ? explains new regulatory approaches for privacy and security requirements in the IoT.
3. Privacy solutions: Confidentiality To tackle some of different issues described above such as confidentiality, many techniques are developed. Various classifications exist in the literature ? , ? ? . Basically, these classifications can be divided into two categories techniques and methodologies ? . For the techniques:
Encryption. To ensure data confidentiality, the process consists on using a cryptographic solution to encrypt data stored in a cloud by either the data owner, by the cloud service provider or by both of them. This technique is seen as a good solution but it presents some limitations such as the twitter and Google incident in 2010.
Processing Encrypted Data. it’s a technique used to overcome the limitations of the previous one. It ensures privacy and confidentiality but cannot be applicable in practice because its specific processing behavior. The cloud service provider doesn’t need to decrypt data for query execution and can execute queries directly on encrypted data. Obfuscation. it’ s a process of disseminating sensitive data before sending it to the cloud service provider using a secret key or method unknown by the latter. Comparing to encryption process the obfuscation is the weakest and it’s currently done by hand or semi-automated. Anonymization. Consists on eliminating personally identifiable information PII from data record before sending it to the cloud provider. Then, it can process with real data and preserving privacy of data owners. This process can be failed when using a linking attack. Sticky Policy. it allows to”attach privacy policies to data owners and drive access control decisions and policy enforcement ” ? . In ? , Trabelsi et al propose a privacy preserving solution as a service named SPACE and based on sticky policies. Trusted Platform Module. It is a hardware based solution that provides the ability to secure actions to protect user ’s data secrets but it is not intended to perform secure data processing. Data Segmentation. It consists on storing different segment of data in separate non-linkable fragments. It considers that private data is sensitive data and the association between data is also sensitive. Trusted Third Party Mediator. It is a mediator between customer and cloud provider to guarantee and check policy enforcement and carry out an auditing. Finally, these techniques cope with the privacy problem and there are also approaches that deal with the same issues in ? . For the methodologies: Identity & Access Management (IAM). It is part of the core of any security system. It allows the users, services, servers, clouds, and any other entities to be recognized. In order to do so, a set of information/data is associated with a specific entity. These data are depend on the context. The identity of an entity must not disclose the user privacy. Key Management. It represents a mean to handle encryption key management. As confidentiality is one of main goals of security, encryption which is the main solution to the confidentiality objective has to be efficient. Encryption algorithms have major problems related to: how to securely generate, access, store, and exchange secrete keys. Security Management. Given the number of the cloud users, the dependency stack, and the security controls, security management needs to function as a plug-in for CML to handle security requirements, policies specifications, security controls configurations (according to the policies specified), etc. 4. Insights and future trends IoT represents a new and interesting direction in the development of Internet. It models an unique identification of devices/objects and their representation in the structure of the Internet. Such devices might communicate with each other, provide information about themselves and receive information collected by other devices. Capabilities, such as the monitoring of changes in the surrounding environment or communication between devices, represent critical part in the development of IoT. Security and privacy are seen to be both a research challenges that have received lots of attentions but remain open issues where efforts are still required. While an important number of users are concerned about privacy and security in CC, since IoT and CoT brings data from the real world into the Cloud and triggers actions into, such concerns merit more attention. For privacy, providing properly designed authorization roles and policies while transparently guaranteeing that only authorized individuals have access to sensitive data is still a challenge, especially when data integrity must be ensured in response to authorized changes. Since, protection of privacy is one of the key constitutional rights of users, it is highly important that new technologies have to comply to privacy regulations and policies such as the
new European regulatory frameworks for data and privacy protection. Regarding security, it remains challenging to cope with different threats from hackers as malware can be injected into physical sensors to produce fake data. Raw or processed data can be stolen on the CC. Compromised gateways can cause security breaches in the CoT system etc. Similarly, specific attention must be paid to address a range of issues listed bellow: Intelligence . Researchers tend to centralize their decision-making capabilities into the Cloud to take into account real-time data coming from distinct devices. Although research studies have been conducted in this direction, there is still room for improvement. Integration methodology . The literature shows that CoT solutions have been already built for different applications, but little attention has been paid to define a common methodology to integrate CC and IoT. Several standardized work processes could be defined. Moreover, the integration of CC and IoT into CoT is not that easy and demands several challenges. These challenges encompass IoT device and service discovery, IoT device integration, cloud monitoring and orchestration for distributed IoT applications, mobility issues in cloud access, and SLA management for both CC and IoT. Network communications . Low latency exigence is a base in while dealing with data transmission. Yet, CoT must handle several heterogeneous network technologies which could decrease the performances. Scalability and flexibility . CoT requires efficient solutions to analyse collected data and information for applications and services. Designing such solutions while guaranteeing scalability with respect to other requirements is still considered an open issue. Standardization . Lots of researchers as still penelized by the lack of standards which is then actually considered as a big issue. Some devices are connected over Internet through web-based interfaces, which can help reducing the complexity for developing such applications. But, they are not well designed for machine-to-machine communications and thus can introduce overhead in terms of network load, data processing and congestion. Power and energy efficiency . It is common that CoT applications require regular and frequent data transmission between devices, which could quickly drains battery. Big data . In a previous section big data has been described as an important research topic when coupled with CoT even if several contributions have been provided in the literature as there is still some open issues. 5. Conclusion The rapid development of Internet-based computing allows numerous technologies to be developed to satisfy an increasing demand. However, the importance of security and privacy is still emerging. In this present paper, a comprehensive review of Internet-based computing has been presented. Particularly, the relationships and differences between IoT, CC, CoT have been clarified, along with their architectures and enabling technologies. In addition, to secure computing, potential privacy and security issues that could affect the effectiveness of the system. A focus on confidentiality issue and its potential solutions, have been presented. It has been shown that for IoT and CoT safety, the literature is in its primary stage. Laws, policies and regulations improving the global safety must be developed as current government regulations does not properly fit for such computing systems. Furthermore, several applications are presented to show how Internet-based computing could be implemented in realworld applications. In an effort to further ease the development of such technologies, this paper provided a clear, comprehensive, and deep understanding of these topics, and highlighted areas that have received little attention and remain unresolved.
