TRUSTED CLOUD COMPUTING FRAMEWORK IN CRITICAL INDUSTRIAL APPLICATION

MERVAT ADIB BAMIAH

UNIVERSITI TEKNOLOGI MALAYSIA

PSZ 19:16 (Pind. 1/07)

Author's full name: MERVAT ADIB BAMIAH
Date of birth: 15 FEBRUARY 1967
Title: TRUSTED CLOUD COMPUTING FRAMEWORK IN CRITICAL INDUSTRIAL APPLICATION
Academic session: 2014/15-1
Supervisor: Dr Suriayati Chuprat
Date: 13 JANUARY 2015


TRUSTED CLOUD COMPUTING FRAMEWORK IN CRITICAL INDUSTRIAL APPLICATION

MERVAT ADIB BAMIAH

A thesis submitted in fulfilment of the requirements for the award of the degree of Doctor of Software Engineering

Advanced Informatics School Universiti Teknologi Malaysia

JANUARY 2015


I declare that this thesis entitled “Trusted Cloud Computing Framework in Critical Industrial Application” is the result of my own research except as cited in the references. The thesis has not been accepted for any degree and is not concurrently submitted in candidature of any other degree.

Signature : ……………………………………….
Name of Candidate : Mervat Adib Bamiah
Date : 13 January 2015


This research is dedicated to my beloved family and Dr. Mohammad Imran Bamiah.


ACKNOWLEDGEMENT

I would like to express my utmost gratitude to ALLAH (SWT), the God Almighty, for granting me health, knowledge, strength, ability, and patience to accomplish this research. I wish to express my sincere appreciation to my main supervisor, Dr. Suriayati Chuprat, for her continuous support and valuable feedback that enabled me to achieve the research milestones within the required time-frame. I am also thankful to my external research industry supervisor, Dr. Jamalul-lail Ab Manan, for his continuous support and valuable feedback in reviewing, improving and evaluating my research. I am extremely thankful to Dr. Mohammad Imran Bamiah for his financial and caring support. I am also grateful to every member of my family who stood by me with kindness and love during the PhD journey.


ABSTRACT

Cloud computing facilitates instant, unlimited online access to data and computing resources, ubiquitously and pervasively, through its various service delivery and deployment models. Despite the significant advantages of cloud computing, there are still concerns regarding Security, Privacy and Trust (SPT) that result from consumers' loss of control over their confidential data once they outsource it to the cloud with no knowledge of where it is stored or who is accessing and maintaining it. This raises the risk of insider and outsider threats as well as data breach and misuse. A Trusted Cloud Computing Framework (TCCF) is designed to overcome these SPT concerns. TCCF proposes the use of Trusted Computing Group (TCG) technologies, including Trusted Platform Module (TPM), Virtual Trusted Platform Module (VTPM), Self-Encrypting Drives (SEDs), Trusted Network Connect (TNC) and Trusted Software Stack (TSS), to initiate a trusted cloud computing platform. In addition, a Multi-Factor Authentication Single Sign-On Role Based Access Control (MFA-SSO-RBAC) prototype was developed using strict security controls. Furthermore, additional context for the cloud Service Level Agreement (SLA) was proposed to support the framework and to ensure the trustworthiness of cloud computing services to be adopted in critical information industries, specifically the healthcare sector. TCCF was evaluated by developing a prototype, a comprehensive comparison with previous work, compliance with standards, and a survey of cloud computing, healthcare and IT security experts. Expert feedback was satisfactory, with 94% agreement on the overall security techniques used to secure the three TCCF layers. The evaluation proves that TCCF assists in optimizing trust in cloud computing so that it can be adopted in the healthcare sector for best practices.


ABSTRAK

Cloud computing facilitates instant, unlimited online access to data and computing resources, ubiquitously and pervasively, through its various service delivery and deployment models. Although cloud computing has significant advantages, there are still several issues concerning Security, Privacy and Trust (SPT) caused by consumers' loss of control over their own confidential data. This happens because they use cloud outsourcing services without knowing anything about the actual location of the data or who accesses and manages that information. This increases the risk of insider and outsider threats in addition to data leakage and misuse. A Trusted Cloud Computing Framework (TCCF) is designed to overcome the SPT concerns. TCCF proposes the use of Trusted Computing Group (TCG) technologies including Trusted Platform Module (TPM), Virtual Trusted Platform Module (VTPM), Self-Encrypting Drives (SEDs), Trusted Network Connect (TNC) and Trusted Software Stack (TSS) to initiate a trusted cloud computing platform. In addition, a Multi-Factor Authentication Single Sign-On Role Based Access Control (MFA-SSO-RBAC) prototype was developed using strict security controls. Furthermore, additional context for the cloud Service Level Agreement (SLA) is proposed to support the framework and to ensure the trustworthiness of cloud services to be adopted in critical information industries, specifically the healthcare sector. TCCF was evaluated by developing a prototype, a comprehensive comparison with previous work, compliance with standards and a survey of cloud computing, healthcare and IT security experts.
Expert feedback was satisfactory, with an average agreement of 94% on the overall security techniques used to protect the three TCCF layers. The evaluation proves that TCCF can help increase confidence in cloud computing best practices for use in the healthcare sector.


TABLE OF CONTENTS

CHAPTER  TITLE  PAGE

DECLARATION  ii
DEDICATION  iii
ACKNOWLEDGEMENT  iv
ABSTRACT  v
ABSTRAK  vi
TABLE OF CONTENTS  vii
LIST OF TABLES  xii
LIST OF FIGURES  xiii
LIST OF ABBREVIATIONS  xv
LIST OF APPENDICES  xix

1  INTRODUCTION  1
1.1  Overview  1
1.2  Problem Background  2
1.3  Problem Statement  3
1.4  Research Aims and Objectives  3
1.5  Scope of Research  4
1.6  Significance of Research  5
1.7  Research Contributions  6
1.8  Thesis Organization  8
1.9  Summary  9

2  LITERATURE REVIEW  10
2.1  Introduction  10
2.2  Cloud Computing Definition  11
2.3  Cloud Computing Service Deployment Models  12
2.3.1  Private Cloud  12
2.3.2  Public Cloud  13
2.3.3  Hybrid Cloud  13
2.3.4  Community Cloud  13
2.4  Cloud Computing Service Delivery Models  14
2.4.1  Software as a Service  14
2.4.2  Platform as a Service  15
2.4.3  Infrastructure as a Service  15
2.5  Cloud Computing Concerns  15
2.5.1  Security  16
2.5.2  Privacy  17
2.5.3  Trust  17
2.5.4  Compliance  17
2.6  Cloud Computing SPT Standards  18
2.7  Cloud Computing Trust Aspects  19
2.7.1  Security  22
2.7.2  Privacy  27
2.7.3  Availability  27
2.7.4  Accountability and Auditability  28
2.7.5  Incidents Preparedness and Response  28
2.8  Trusted Computing Group  29
2.8.1  Trusted Platform Module  29
2.8.2  Trusted Software Stack  35
2.8.3  Trusted Network Connect  36
2.8.4  Trusted Storage  36
2.8.5  Virtual Trusted Platform Module  38
2.9  Identity and Access Management  39
2.10  Cloud Service Level Agreement  41
2.11  Cloud SLA Status in Healthcare  42
2.12  Healthcare Sector as a Case Study  42
2.13  Health Insurance Portability and Accountability Act  44
2.14  Healthcare Cloud Computing Trust Requirements  45
2.15  Healthcare Security and Privacy Requirements  46
2.16  Cloud Computing Related Work  48
2.16.1  Security on Demand Framework  49
2.16.2  Trusted Cloud Computing Infrastructure  51
2.16.3  A Framework for Secure Clouds  52
2.16.4  ABE Framework for Secure Sharing PHRs  54
2.16.5  Secure Electronic Healthcare in Cloud  55
2.17  Gap Analysis of Current Cloud Implementations  57
2.18  Research Roadmap  60
2.19  Summary  61

3  RESEARCH METHODOLOGY  62
3.1  Introduction  62
3.2  Cloud Computing and Software Engineering  63
3.3  Research Activities and Outcomes  64
3.4  Research Methodology  66
3.4.1  Literature Review  67
3.4.2  Analysis  68
3.4.3  Design  76
3.4.4  Development  77
3.4.5  Evaluation  77
3.5  Documentation  77
3.6  Research Limitations  77
3.7  Research Planning and Schedule  78
3.7.1  Phase 1  78
3.7.2  Phase 2  78
3.7.3  Phase 3  79
3.8  Summary  79

4  TRUSTED CLOUD COMPUTING FRAMEWORK DESIGN  80
4.1  Introduction  80
4.2  Research Design Assumptions  81
4.3  TCCF-Trust Definition  83
4.4  TCG Technologies  84
4.5  Customized Cloud SLA for Healthcare  85
4.6  Compliance with HIPAA Requirements  88
4.7  TCCF-Multi-Factor Authentication  88
4.8  TCCF-Data Security  88
4.8.1  Data Creation Security  89
4.8.2  Data Transfer (in Transit) Security  90
4.8.3  Data in Use Security  91
4.8.4  Data Sharing Security  92
4.8.5  Data Storage Security  92
4.8.6  Data Backup Security  92
4.8.7  Data Archive Security  93
4.8.8  Data Destruction Security  93
4.9  Trusted Cloud Computing Framework (TCCF)  94
4.9.1  Physical Layer Security  97
4.9.2  Virtualization Layer Security  100
4.9.3  Application Layer Security  107
4.9.4  Middleware Security  109
4.10  TCCF-Password Policy  109
4.11  HTCCF-MFA-SSO-RBAC System Architecture  110
4.12  HTCCF-MFA-SSO-RBAC Prototype Use Case Diagrams  121
4.13  Summary  126

5  PROTOTYPE DEVELOPMENT  126
5.1  Introduction  126
5.2  Research Development Assumptions  127
5.3  HTCCF-MFA-SSO-RBAC System Development Process  127
5.3.1  Prototype, Screenshots and Code Snippets  129
5.4  Summary  145

6  EVALUATING TRUSTED CLOUD COMPUTING FRAMEWORK  146
6.1  Introduction  146
6.2  Compliance with ONC Security Requirements  147
6.3  Compliance with HIPAA  149
6.4  Cloud Computing Threats Mitigations  151
6.5  Comparison with Related Work Evaluation  154
6.6  Trust Evaluation  158
6.7  TCCF - Survey Evaluation  160
6.8  Summary  168

7  CONCLUSION AND FUTURE WORK  169
7.1  Introduction  169
7.2  Contributions and Significance  171
7.3  Limitations and Future Direction of Research  172
7.3.1  Implementation  172
7.3.2  Inter Cloud  172
7.3.3  Performance  172
7.3.4  SLA  173
7.3.5  Security Controls  173
7.4  Summary  174

REFERENCES  175
Appendices A-D  204-211


LIST OF TABLES

TABLE NO.  TITLE  PAGE

2.1  Gap Analysis of Current Cloud Implementations  57
3.1  Research Activities and Outcomes  64
3.2  LinkedIn Use Examples  70
3.3  Survey Distribution  72
3.4  Respondents Locations  75
3.5  Respondents Specializations  76
3.6  Thesis Timeline Planning  79
4.1  SLA Security Controls  87
4.2  Hypervisors Comparison  106
6.1  Compliance with ONC Security Guidelines  147
6.2  Compliance with HIPAA Requirements  149
6.3  CSA Threats Mitigations  152
6.4  TCCF - Comparison with Related Work Evaluation  157
6.5  TCCF - Trust Evaluation  159
6.6  Survey Security Statistics  165
6.7  Data Scaling Physical Layer  166
6.8  Data Scaling Virtualization Layer  166
6.9  Data Scaling Application Layer  167
6.10  Weighted Average Range Interpretation  167


LIST OF FIGURES

FIGURE NO.  TITLE  PAGE

1.1  Top Cloud Computing Concerns  2
2.1  Cloud Computing Deployment Models  12
2.2  Cloud Service Delivery Models  14
2.3  TPM Components  31
2.4  Chain of Trust  34
2.5  vTPM Building Blocks Architecture  39
2.6  Security on Demand Framework  49
2.7  Cloud Computing Security Model  52
2.8  Cloud Computing Security Model  53
2.9  Patient-centric Framework  54
2.10  Privacy Domains in E-Health  56
2.11  Research Road Map  60
3.1  Research Methodology Phases  66
3.2  Survey Monkey Expert Feedback  71
3.3  Kwiksurvey Expert Feedback  72
3.4  Survey Expert 1 Feedback  73
3.5  Survey Expert 2 Feedback  74
4.1  TCCF-Cloud Data Life Cycle  89
4.2  TCCF-Layered Architecture  96
4.3  TCCF-Physical Layer  97
4.4  TCCF-Virtualization Layer  101
4.5  TCCF-Application Layer  107
4.6  Prototype Authentication Processes  112
4.7  Users P1-MFA Activity Diagram  113
4.8  CSA Authentication Activity Diagram  115
4.9  HSP Authentication Activity Diagram  117
4.10  Patient/User Authentication Activity Diagram  119
4.11  CSA Authentication Use Case Diagram  122
4.12  Healthcare Authentication Use Case Diagram  123
4.13  Patient/User Authentication Use Case Diagram  124
5.1  Prototype Home Page  128
5.2  Registration Page  129
5.3  CSA Registration Form  132
5.4  Healthcare Professional Registration Form  134
5.5  Patient/User Registration Form  136
5.6  Sign-in Main Menu  137
5.7  Biometric Authentication Process  138
5.8  Access Denied Message  138
5.9  Smart Card Login Process  140
5.10  Username and Email Verification  140
5.11  Password Verification  143
5.12  Invalid Password Verification  143
5.13  Secret Question Challenge  144
5.14  Image Based Authentication  144
5.15  OTP Verification  145
6.1  TCCF - Physical Layer Evaluation  161
6.2  TCCF - Virtualization Layer Evaluation  162
6.3  TCCF - Application Layer Respondents Number  163
6.4  TCCF - Overall Evaluation Results  164
7.1  TCCF - Contributions, Publications and Certificates  174


LIST OF ABBREVIATIONS

AAs - Attribute Authorities
ABE - Attribute Based Encryption
AES - Advanced Encryption Standard
AIK - Attestation Identity Key
API - Application Programming Interface
BIOS - Basic Input Output System
BYOD - Bring Your Own Device
CA - Certificate Authority
CASE - Cloud Aided Software Engineering
CRTM - Core Root of Trust for Measurement
CSA - Cloud Service Administrator, Cloud Security Alliance
CSCC - Cloud Standards Customer Council
CSP - Cloud Service Provider
CSU - Cloud Service User
DDOS - Distributed Denial of Service
DLC - Data Life Cycle
DOS - Denial of Service
EAL4+ - Evaluation Assurance Level 4+
E-Health - Electronic Health
EHRs - Electronic Health Records
EK - Endorsement Key
EMRs - Electronic Medical Records
FISMA - Federal Information Security Management Act
HHS - Health and Human Services
HIPAA - Health Insurance Portability and Accountability Act
HIT - Health Information Technology
HITECH - Health Information Technology for Economic and Clinical Health
HSP - Healthcare Service Provider
HTCCF - Healthcare Trusted Cloud Computing Framework
HTTPS - Hypertext Transfer Protocol Secure
IaaS - Infrastructure as a Service
IAM - Identity and Access Management
IDPS - Intrusion Detection and Prevention Systems
IDS - Intrusion Detection Systems
IEC - International Electrotechnical Commission
IF-MAP - Interface for Metadata Access Points
IOT - Internet of Things
IPS - Intrusion Prevention Systems
IPSec - Internet Protocol Security
ISO - International Organization for Standardization
IT - Information Technology
ITSG-33 - Information Technology Security Guidance
KVM - Kernel-based Virtual Machines
MA-ABE - Multi Authority Attribute Based Encryption
MFA - Multi-Factor Authentication
ML - Measurement List
NAC - Network Access Control
NGFW - Next Generation Firewalls
NIST - National Institute of Standards and Technology
OCR - Office for Civil Rights
ONC - Office of the National Coordinator
OS - Operating System
OTP - One-Time PIN
P1-MFA - Policy (1) Multi-Factor Authentication
PaaS - Platform as a Service
PCI - Payment Card Industry
PCM - Platform Configuration Measurements
PCRs - Platform Configuration Registers
PDA - Personal Digital Assistant
PHI - Personal Health Information
PHRs - Personal Health Records
PKI - Public Key Infrastructure
PVI - Private Virtual Infrastructure
QoS - Quality of Service
RBAC - Role Based Access Control
RFID - Radio Frequency Identification
RNG - Random Number Generator
RSA - Rivest, Shamir, and Adleman
RTM - Root of Trust for Measurement
RTR - Root of Trust for Reporting
RTS - Root of Trust for Storage
SaaS - Software as a Service
SAML - Security Assertion Markup Language
SDLC - Software Development Life Cycle
SED - Self-Encrypting Drives
SFTP - Secure File Transfer Protocol
SHA - Secure Hash Algorithm
SLA - Service Level Agreement
SLR - Systematic Literature Review
SML - Stored Measurement Log
SOA - Service Oriented Architecture
SoD - Security on Demand
SPT - Security, Privacy and Trust
SRK - Storage Root Key
SSH - Secure Shell
SSO - Single Sign On
SSL - Secure Sockets Layer
TC - Trusted Computing/Trusted Coordinator
TCB - Trusted Computing Base
TCCF - Trusted Cloud Computing Framework
TCCP - Trusted Cloud Computing Platform
TCCI - Trusted Cloud Computing Infrastructure
TCG - Trusted Computing Group
TCP - Trusted Computing Platform
TEE - Trusted Execution Environment
TLS - Transport Layer Security
TNC - Trusted Network Connect
TOS - Trusted Operating System
TP - Trusted Platform
TPM - Trusted Platform Module
TM - Trust Monitor
TSS - Trusted Software Stack
TVCCE - Trusted Virtual Cloud Computing Environment
TVD - Trusted Virtual Domain
TVDc - Trusted Virtual Data Center
TVEM - Trusted Virtual Environment Module
TVMM - Trusted Virtual Machine Monitor
US - United States
USD - United States Dollar
UTE - User Trusted Entity
VDc - Virtual Data Center
VF - Virtual Firewall
VLAN - Virtual Local Area Network
VM - Virtual Machine
VMM - Virtual Machine Monitor
VPN - Virtual Private Network
VTN - Virtual Trust Network
vTPM - Virtual Trusted Platform Module

LIST OF APPENDICES

APPENDIX  TITLE  PAGE

A  Publications during author's candidature  204
B  Certificates during author's candidature  207
C  TCCF-Evaluation survey  208
D  Current cloud computing SLAs  211

CHAPTER 1

INTRODUCTION

1.1 Overview

Cloud computing has emerged as a business IT solution that provides a new way to manage and deliver automated computing services to consumers via the Internet (Shawish and Salama, 2014). It has evolved from various technologies such as Distributed, Grid and Utility computing and Service Oriented Architecture (SOA), by combining a pool of abstracted, dynamically scalable, managed IT resources (Chen and Hoang, 2011). Cloud computing reduces capital expenditure and provides real-time services on a pay-per-use basis (Mahmood and Saeed, 2013). Businesses including government, banking and healthcare require an industry-specific cloud computing structure to fulfill their IT needs, since each industry has its own rules and regulations. For example, the healthcare sector is regulated by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), which standard public cloud frameworks do not address. Healthcare, as one of the critical information industries, requires a trusted cloud computing solution that provides increased information security, flexibility and accessibility (Smith, 2013). This research focuses on designing a Trusted Cloud Computing Framework (TCCF) to be adopted in critical information industries, mainly the healthcare sector, for improving its Quality of Service (QoS) just-in-time and in a cost-effective manner.

1.2 Problem Background

Despite the numerous benefits of cloud computing in terms of scalability, resilience, adaptability, connectivity, virtualization and high performance, there are still several Security, Privacy and Trust (SPT) concerns that make critical information industries reluctant to deploy cloud computing for best business practices (Thilakanathan et al., 2013; Hsing, 2012; Servos, 2012; Shini et al., 2012; Khatua et al., 2011; Pearson and Benameur, 2010; Takabi et al., 2010). These SPT concerns result from consumers' loss of direct control over their confidential data and computing resources when they outsource them to a remote third-party Cloud Service Provider (CSP) that delivers IT infrastructure, applications and management as on-demand services. Since consumers' data reside in cloud storage, they do not know who is managing or accessing their data or where it is stored, which creates a threat of data breach or misuse (Taeho et al., 2013; Ermakova and Fabian, 2013). Figure 1.1 shows that data privacy and security are consumers' top concerns, at 41%, which necessitates a trusted cloud solution that overcomes these concerns about deploying cloud computing.

Figure 1.1: Top Cloud Computing Concerns (ffoulkes, 2014)

1.3 Problem Statement

Consumers need to be assured that their privacy is preserved and their data are secured, and that rules and regulations are complied with. The problem statement that needs to be addressed is as follows: How to design a TCCF that maintains the security and privacy of consumers' confidential data and complies with rules and regulations, so that it can be trusted and deployed in critical information industries such as the healthcare sector?

Designing a trusted cloud solution and solving the research problem statement will be achieved by answering the following research questions:

i. What are the current cloud computing security and privacy concerns that prevent critical information industries from trusting and adopting cloud computing?

ii. How to design a cloud computing framework that can fulfill the security and privacy concerns as well as assist in increasing the trust on cloud computing to be adopted in critical information industries?

iii. How to evaluate and ensure that the designed cloud computing framework will assist in overcoming the security and privacy concerns as well as increase the trust on cloud computing to be adopted in critical information industries?

1.4 Research Aims and Objectives

According to Trusted Computing Group (TCG) (Donovan and Visnyak 2011), “There is no comprehensive framework exists to describe the business/mission needs and validate compliance of the entire solution set in compliance with open standards”. The aim of this study is to design a TCCF that overcomes the SPT concerns, to be implemented in critical information industries, specifically the healthcare sector, for best business practices. In order to achieve the research aim, the following objectives should be accomplished.

i. To identify and critically analyze the current cloud computing security and privacy concerns that prevent critical information industries from trusting and adopting cloud computing.

ii. To design a cloud computing framework that can fulfill the security and privacy concerns as well as assist in increasing the trust on cloud computing to be adopted in critical information industries.

iii. To evaluate and ensure that the designed cloud computing framework will assist in overcoming the security and privacy concerns as well as increase the trust on cloud computing to be adopted in critical information industries.

1.5 Scope of Research

The scope of this research focuses on designing TCCF for critical information industries, specifically the healthcare sector as a case study. It proposes a secure cloud computing infrastructure based on TCG international standard technologies, including Trusted Platform Module (TPM), Trusted Software Stack (TSS), virtual Trusted Platform Module (vTPM), Trusted Network Connect (TNC) and Self-Encrypting Drives (SEDs), to initiate a trusted cloud computing platform, taking into consideration HIPAA security and privacy rules and regulations as well as the National Institute of Standards and Technology (NIST) Special Publication 800-144 Guidelines (Jansen and Grance, 2011). Moreover, this study proposes a customized cloud Service Level Agreement (SLA) by adding context to it regarding healthcare requirements, to support the framework and make it more trustworthy. However, due to resource and time limitations, TCCF was designed and only the authentication part was implemented.

1.6 Significance of Research

This research contributes to the software engineering, public and scientific fields as well as to the body of knowledge as follows:

i. In the software engineering field, this research contributes to understanding the cloud computing requirements of critical industries. The TCCF contributes to overcoming the SPT concerns and providing trusted cloud services based on a secure-by-design hardware and software execution environment, as per experts' expectations, taking into consideration the trust aspects (security, privacy, accountability, and availability) (Muppala et al., 2012). Furthermore, by using a cloud computing platform, software developers and programmers will be provided with the latest IT tools as a service on demand, which will accelerate the innovation of next-generation smart devices, besides facilitating software development and delivery, which enables software engineering researchers to study distributed multilateral software development (Østerlie, 2009).

ii. In the public field, this research proposes a TCCF that overcomes the SPT concerns, to be deployed in critical information industries, specifically the healthcare sector, by providing secure cloud services on demand, just-in-time and in a cost-effective manner, which will enhance the QoS provided to the public.

iii. This research adds to the science and technology fields as it is based on the use of software engineering methodology in gathering user requirements, designing, developing, implementing and testing the systems, besides documentation (Bourque and Fairley, 2014). Moreover, it provides an agile way of sharing information in a secure and trusted manner, ubiquitously and pervasively, through the use of cloud computing. It also addresses the challenge of designing a secure and trusted cloud computing framework for critical information industries including the healthcare sector.

iv. This study adds to the body of knowledge through publications in journals and conferences for global recognition. Also, the thesis documentation will assist other researchers in both the software engineering and IT fields.

1.7 Research Contributions

Cloud computing enables consumers, users and software engineers to use computing, storage and other resources over the network. It accelerates real-time communication in software development projects that are scattered across the globe, in a cost-effective manner (Munch, 2013). The dynamic, virtualized, multi-tenant nature of cloud computing has raised enormous challenges for software engineers to design and develop trusted cloud applications, platforms, and infrastructures that provide secure services to critical information industries, focusing on the healthcare sector. In the domain of software engineering, a new term specific to cloud computing has emerged, named Cloud Aided Software Engineering (CASE 2.0), which applies the Software Development Life Cycle (SDLC) according to cloud specifications, starting with requirements gathering and analysis through the development and deployment phases (Zingham and Saqib, 2013).

The Healthcare Trusted Cloud Computing Framework Multi-Factor Authentication Single Sign-On Role Based Access Control (HTCCF-MFA-SSO-RBAC) prototype is developed following the CASE 2.0 software engineering development process. Therefore, this research contributes to the field of software engineering by providing a TCCF which secures the overall cloud infrastructure, data, communication and access, bounded by a customized SLA and compliant with standards. This research has several contributions to overcoming the SPT concerns in order to optimize consumers' trust in adopting cloud computing, as follows:

Contribution 1: TCCF proposes a security-by-design, multi-layered, defense-in-depth approach that covers all cloud layers in addition to access and data. It utilizes the latest security standards and mechanisms for the virtual, physical and application layers, and incorporates robust security controls such as firewalls, anti-malware, anti-virus and Intrusion Detection and Prevention Systems (IDPSs).

Contribution 2: TCCF proposes the integration of TCG technologies for enhanced security, privacy and interoperability. TCG's Trusted Computing Platform (TCP) will be used to perform authentication, and also to ensure confidentiality and integrity in the cloud computing environment.

Contribution 3: TCCF proposes an additional context to be added to SLA according to healthcare requirements as a critical information industry which has its own requirements, rules and regulations that need to be guaranteed in the SLA.

Contribution 4: TCCF proposes the compliance with HIPAA data security and privacy rules and regulations.

Contribution 5: TCCF enforces data encryption in the SLA at rest, in use and in transit, with the latest efficient encryption mechanisms, in order to provide an optimized level of data confidentiality besides complying with rules and regulations. Furthermore, TCCF also includes data backup in the SLA and in the design as a separate phase, for securing data availability and disaster recovery.

Contribution 6: TCCF proposes a robust password policy for usage and storage.

Contribution 7: TCCF offers a Multi-Factor Authentication Single Sign-On Role Based Access Control (MFA-SSO-RBAC) prototype for critical information industries, specifically the healthcare sector, that secures access against unauthorized and malicious threats and complies with the Health Insurance Portability and Accountability Act (HIPAA), granting the various types of users access based on their roles and the organization's policy with least privilege.
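The following is an added illustration of the least-privilege, role-based access decision that Contributions 6 and 7 describe; it is not code from the thesis or from the HTCCF-MFA-SSO-RBAC prototype. The role names (CSA, HSP, PATIENT), the resources, the actions and the number of factors each role must present are assumptions chosen for the example, not the thesis's own policy. The point it demonstrates is deny-by-default: a request is allowed only if the role has an explicit grant and the session has satisfied the multi-factor requirement for that role, and every denial carries a reason that can be logged for audit.

```python
"""Deny-by-default RBAC with per-role multi-factor requirements (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Set, Tuple


class Role(str, Enum):
    # Assumed role names, loosely following the user types named in the thesis.
    CSA = "cloud_service_administrator"
    HSP = "healthcare_service_provider"
    PATIENT = "patient"


# Least-privilege permission table (assumed): each role lists only the
# (resource, action) pairs it needs. Anything not listed is denied.
PERMISSIONS: dict = {
    Role.CSA: {("platform", "configure"), ("audit_log", "read")},
    Role.HSP: {("ehr", "read"), ("ehr", "write")},
    Role.PATIENT: {("ehr", "read_own"), ("phr", "read"), ("phr", "write")},
}

# Minimum number of distinct authentication factors a role must have presented
# in the current SSO session before its grants are honoured (assumed policy:
# the more privileged the role, the more factors it must present).
REQUIRED_FACTORS: dict = {Role.CSA: 3, Role.HSP: 2, Role.PATIENT: 2}


@dataclass(frozen=True)
class Session:
    subject: str              # authenticated identity from the SSO session
    role: Role
    factors: FrozenSet[str]   # factors already verified, e.g. {"password", "otp"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str               # always populated so the decision can be audited


def authorize(session: Session, resource: str, action: str,
              owner: Optional[str] = None) -> Decision:
    """Return an allow/deny decision for one request.

    `owner` is the subject who owns the requested record, used only for the
    patient "read own record" rule.
    """
    needed = REQUIRED_FACTORS[session.role]
    if len(session.factors) < needed:
        # Step-up requirement not met: deny before even consulting grants.
        return Decision(False, f"{session.role.name} requires {needed} factors, "
                               f"session has {len(session.factors)}")

    grants: Set[Tuple[str, str]] = PERMISSIONS[session.role]

    # A patient asking to read an EHR is mapped onto the narrower "read_own"
    # grant, and ownership is checked explicitly rather than assumed.
    if session.role is Role.PATIENT and resource == "ehr" and action == "read":
        if ("ehr", "read_own") in grants and owner == session.subject:
            return Decision(True, "patient reading own EHR")
        return Decision(False, "patient may only read their own EHR")

    if (resource, action) in grants:
        return Decision(True, f"{session.role.name} granted {action} on {resource}")
    return Decision(False, f"{session.role.name} has no grant for {action} on {resource}")


if __name__ == "__main__":
    # Constructed sample sessions; subjects and factor names are made up.
    admin = Session("admin1", Role.CSA, frozenset({"password", "otp"}))
    print(authorize(admin, "platform", "configure"))   # denied: needs 3 factors
    doctor = Session("dr_lee", Role.HSP, frozenset({"password", "smartcard"}))
    print(authorize(doctor, "ehr", "write"))           # allowed
    print(authorize(doctor, "platform", "configure"))  # denied: no such grant
```

Note that the administrator role has no grant on patient records at all: separating platform administration from clinical data access is what keeps a compromised or over-curious CSA account from becoming the insider threat the problem background describes.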

1.8 Thesis Organization

This thesis focuses on maintaining SPT in the TCCF to be used in the healthcare sector. The complete research is organized into six chapters as follows:

Chapter 1 Introduction: This chapter explores the background of the problem, which is consumers' lack of trust in cloud computing. Research questions, aims, and objectives are formulated as a guide for the studies in the following chapters, in order to design and evaluate TCCF. The scope of the research is defined so that the research can be conducted within the resources and time frame available. The rest of the chapter discusses the significance and contributions of the study.

Chapter 2 Literature Review: This chapter discusses the definition of cloud computing and its concerns, as well as the current cloud standards on which the research is based. It provides an overview of the literature on the research topic in relation to existing cloud implementations in the healthcare sector as a case study, with justification of the problems related to these projects. It also discusses cloud computing and the TCG technologies that are to be implemented in the research framework, and identifies the current status of cloud SLAs in order to customize them for healthcare requirements. Moreover, HIPAA is discussed in order to design the framework's compliance requirements.

Chapter 3 Research Methodology: This chapter discusses the research activities and outcomes, research methodology guidelines, study population sampling methods, data collection methods, research limitation as well as planning and schedule.

Chapter 4 Trusted Cloud Computing Framework Design: This chapter introduces the components and designing stages of TCCF for critical information industries. The multi-layered security by design TCCF integrates TCG technologies and other security controls for overcoming the SPT concerns of cloud computing. Cloud Data Life Cycle security is also discussed in this chapter.

Chapter 5 Development of the Multi-Factor Authentication SSO Role Based Access Control Prototype: This chapter discusses the development process of the MFA prototype used to evaluate TCCF, based on the CASE 2.0 approach.

Chapter 6 Evaluation of Trusted Cloud Computing Framework: This chapter introduces the evaluation methods of TCCF, which include a literature review comparison, a questionnaire survey based on experts' feedback, and compliance with HIPAA and CSA standards. The rest of the chapter presents a critical analysis of the survey and of the results of the other evaluation methods.

Chapter 7 Conclusion and Future Work: This chapter summarizes the whole study based on data analysis and interpretation. It discusses detailed research contributions, limitations, and future work directions.

1.9

Summary

The increasing demand of industries for enhanced technology solutions, including the healthcare sector taken here as a case study of a critical information industry, together with the advent of advanced smart technologies and limited healthcare resources, raises the need to balance those limited resources against the unbounded growth of healthcare needs. Cloud computing improves the delivery of healthcare services and enables effective and efficient coordination of healthcare and medication services in an agile, cost-effective way. In spite of these benefits, security and privacy issues remain a barrier to trusting and deploying cloud computing in the healthcare sector. This chapter has presented a critical discussion of the problem background, research questions, objectives, scope and significance.


CHAPTER 2

LITERATURE REVIEW

2.1

Introduction

This chapter explores cloud computing and the current status of its implementations in general and in the healthcare sector, in order to locate the SPT gaps to be mitigated in the TCCF design. The research map is presented, and the research questions are discussed and answered so as to achieve the research objectives and fulfil the research aim. Section 2.2 describes the definition of cloud computing; Sections 2.3 and 2.4 describe its deployment and service delivery models and their offerings for the healthcare sector according to industry standards. Section 2.5 discusses cloud computing concerns. Section 2.6 presents cloud computing standards. Section 2.7 identifies cloud computing trust aspects. Section 2.8 discusses TCG technologies. Section 2.9 identifies the identity and access management components that should be included in TCCF. Sections 2.10 and 2.11 describe the cloud SLA and its current status in healthcare. Section 2.12 presents the healthcare sector as a case study. Section 2.13 discusses the Health Insurance Portability and Accountability Act (HIPAA). Sections 2.14 and 2.15 present healthcare cloud trust, security and privacy requirements. Sections 2.16 and 2.17 describe related work on cloud computing and its limitations, which are addressed in the research design. Section 2.18 presents the research roadmap, followed by a summary of the chapter.

2.2

Cloud Computing Definition

The National Institute of Standards and Technology (NIST) described cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction" (Mell and Grance, 2011). According to the NIST definition, cloud computing has five essential characteristics:

i. On-demand self-service, which enables Cloud Service Users (CSUs) to provision the computing capabilities they require automatically, without human interaction with the CSP.

ii. Broad network access, which makes cloud service capabilities available over the network through standard mechanisms and from a variety of client devices such as mobile phones, laptops, and Personal Digital Assistants (PDAs).

iii. Resource pooling, which serves numerous CSUs from a shared pool of physical and virtual computing resources such as storage, memory, network bandwidth, and Virtual Machines (VMs), dynamically assigned and reassigned according to their demands.

iv. Rapid elasticity, which enables CSUs to provision additional cloud capacity as their needs grow and release it as they shrink, from capabilities that appear unlimited to the consumer and can be acquired at any time.

v. Measured service, in which the CSP leverages a metering capability appropriate to the type of service (for example storage, processing, or active user accounts). Cloud resource usage is monitored, controlled, and reported, providing transparency for both the provider and the consumer of the utilized service (Mell and Grance, 2011).

2.3

Cloud Computing Service Deployment Models

According to NIST (Badger et al., 2012) there are four deployment models, illustrated in Figure 2.1 and described in the following subsections.

Figure 2.1: Cloud Computing Deployment Models (Mell and Grance, 2011)

2.3.1

Private Cloud

A Private cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple CSUs (Zhang and Liu, 2010). A Private cloud can be owned or leased (Savu, 2011). It may be managed by the organization, a CSP, or both, and may exist on or off premises. A Private cloud is more expensive but generally regarded as more secure than a Public cloud (Metri and Sarote, 2011), which makes it more suitable for organizations holding critical data such as banks and healthcare providers. Organizations utilizing a Private cloud keep their services, data, and processes managed within the organization and behind its firewalls. Because user access and the networks used are restricted, both the CSP and the organization have tighter control over security (Padhy et al., 2011; Wang and Tan, 2010).

2.3.2

Public Cloud

Public cloud infrastructure is offered to the general public via the Internet. It provides an elastic, cost-effective way for consumers to deploy IT business solutions. The infrastructure is hosted by the CSP at its premises. Consumers have no control over the underlying infrastructure that holds their data and computing resources, and no visibility into where their sensitive data is hosted. A Public cloud is a multi-tenant shared infrastructure, which raises the need for advanced SPT and isolation mechanisms, especially for critical information industries such as healthcare and banking. Public cloud also requires additional consideration of rules, regulations and legal requirements (Metri and Sarote, 2011).

2.3.3

Hybrid Cloud

A Hybrid cloud is a combination of two or more distinct cloud deployment models. Consumers may host their sensitive data in a Private cloud and data with fewer security concerns in a Public cloud, without investing in additional IT resources. A Hybrid cloud allows instant expansion of computing capacity for scaling and cost-saving purposes, while critical information organizations keep their sensitive data on premises or in the Private cloud (Metri and Sarote, 2011).

2.3.4

Community Cloud

A Community cloud is an infrastructure shared between several organizations that supports a specific community with a shared mission, security requirements, policy, and compliance considerations. It may be managed by the organizations or by a CSP and may exist on or off premises. A Community cloud provides more privacy, security, and/or policy compliance than a Public cloud (Zhang and Liu, 2010).

2.4

Cloud Computing Service Delivery Models

This Section discusses the current cloud computing service delivery models and their offerings based on NIST (Badger et al., 2012), as shown in Figure 2.2.

Figure 2.2: Cloud Service Delivery Models (Mell and Grance, 2011)

2.4.1

Software as a Service

Software as a Service (SaaS) lets organizations use the CSP's applications running on the cloud infrastructure, accessed ubiquitously from various digital devices via the Internet, on demand and on a pay-per-use basis. In the healthcare industry, for example, SaaS provides a single point of access to fully integrated applications and data, and supports the sharing of medical information, drug supply, and financial management. In SaaS the consumers rely on the CSP to secure their data, applications and computing resources (Zhang and Liu, 2010).

2.4.2

Platform as a Service

Platform as a Service (PaaS) offers computing capabilities for developers to deploy their applications using the tools provided by the CSP. Consumers have control over the deployed applications and possibly over the configuration of the application hosting environment (Wang and Tan, 2010). In PaaS, security is a shared responsibility between the CSP and the CSUs: the CSP secures the computing platform and development environment, while the CSUs are responsible for securing their own applications (Zhang and Liu, 2010).

2.4.3

Infrastructure as a Service

Infrastructure as a Service (IaaS) provides consumers with the capability to deploy and run arbitrary software, including Operating Systems (OSs) and applications (Yang and Chen, 2010). IaaS delivers a platform virtualization environment as an on-demand service. Consumers have control over memory, CPU, IP addresses, OSs, storage and deployed applications, and limited control over selected networking components such as host firewalls (Liu et al., 2011).

2.5

Cloud Computing Concerns

As stated in the problem background (Chapter 1, Section 1.2), SPT concerns in cloud computing result from consumers losing control over their data and computing resources when they outsource them to the CSP's platform. Consumers are anxious about the security and privacy of their resources, since a single unauthorized access can cause huge damage to a large number of users because of the multi-tenant nature of cloud computing (Benkhelifa and Dayan, 2014; AlZain et al., 2012). The following subsections discuss the cloud computing SPT concerns.

2.5.1

Security

Cloud computing consists of several service delivery and deployment models, each with its own security strengths and limitations, and no single established standard covers them all. These models require security, privacy and trust mechanisms tailored to each model type, depending on the sensitivity of the information and the consumers' requirements (Hwang and Li, 2010).

The multi-tenancy feature of the cloud delivers one IT infrastructure to multiple users. This raises the possibility that one organization's data is stored on the same server as its competitors', which may lead to security and privacy concerns such as malicious access and data breaches (Tianfield, 2012; Takahashi et al., 2012). In healthcare, for example, an attacker who gains access to medical records can alter a patient's dosage, obtain medications under someone else's identity, or make false insurance claims. Moreover, breached records can be used by criminals to demand large ransoms (El Emam et al., 2011).

In cloud computing environment, consumers do not manage or control the underlying cloud infrastructure including network, servers, OSs, storage, or even their individual application capabilities (Zhang and Liu, 2010). Loss of consumers’ control over their data and computing resources can impact data confidentiality, integrity and availability which raise SPT concerns about consumers’ data being lost or misused (Mo et al., 2012; Behl and Behl, 2012; Khan and Malluhi, 2010).

Cloud computing is opaque to its consumers: neither the technology nor the processes by which CSPs secure their services, grant their personnel access to consumers' physical and virtual assets, and monitor that access are visible to the end users (Chen and Hoang, 2011). This lack of transparency in CSP processes leads to SPT concerns over consumers' confidential data being lost or misused, in addition to the risk of insider threats (Chen and Hoang 2011a; Pearson and Benameur, 2010; Popovic and Hocenski, 2010).

2.5.2

Privacy

Privacy refers to the protection of consumers' personal information against exposure or leakage (Ko et al., 2011). Sharing sensitive information is a complex process involving multiple entities, which may lead to privacy concerns, especially in a multi-tenant cloud environment that requires the highest degree of isolation between consumers' VMs. In critical information industries such as healthcare, maintaining the security and privacy of health records is vital, since it is a requirement of HIPAA whose violation can result in substantial fines. For example, two healthcare organizations paid a combined $4,800,000 USD for violating the HIPAA Privacy and Security Rules by failing to secure thousands of patients' electronic protected health information held in their network databases (HHS.gov, 2014).

2.5.3

Trust

According to TCG (Donovan and Visnyak, 2011), "There is a need for solutions that addresses trust and security derived from combining dedicated and shared infrastructures". A key barrier to the widespread adoption of cloud computing is potential consumers' lack of trust in clouds (Ayad et al., 2012; Hsing, 2012; Ko et al., 2011). Consumers lack control over their outsourced data, are not allowed to audit it, and are left with no knowledge of where it is stored or who is accessing it. All of these factors lead to trust concerns over consumers' data being lost or misused (Chen and Hoang, 2011a). Moreover, the lack of security constraints in the SLA between CSPs and consumers further decreases their trust in cloud services (Almorsy et al., 2011).

2.5.4

Compliance

Consumers' lack of knowledge about where their data is stored may lead to violations of rules and regulations (Galav and Ghosh, 2014; Bamiah et al., 2013), since the servers hosting consumer data can be located in multiple datacenters in different jurisdictions, which makes it difficult to know where the data actually resides and which regulations apply to it. Knowledge of the data location zone is vital, as some regulations require data to be stored locally within the country's boundaries (CSA, 2012).

2.6

Cloud Computing SPT Standards

There are several standards that provide recommendations and guidelines for security and privacy in cloud computing (Youssef, 2012). The conducted research contribution is based on the following standards:

i. The National Institute of Standards and Technology (NIST) is a non-regulatory United States (US) federal agency that has provided various initiatives, including the NIST definition of cloud computing (SP 800-145) discussed in Sections 2.2 to 2.4, the cloud computing synopsis and recommendations (SP 800-146), the guidelines on security and privacy in public cloud computing (SP 800-144), and the NIST cloud computing reference architecture (SP 500-292), which describes a generic high-level conceptual model for discussing the requirements, interoperability, performance, portability, security, structures and operations of cloud computing (Jansen and Grance, 2011).

ii. The Cloud Security Alliance (CSA) is a non-profit organization that promotes security assurance within cloud computing. CSA publishes security guidance for critical areas of focus in cloud computing, which offers a secure baseline for cloud operations and a road map emphasizing security, stability and privacy in a multi-tenant environment; it also identifies the top threats to cloud computing and compares hypervisor (Virtual Machine Monitor, VMM) based with host based security (CSA, 2011).

iii. The Trusted Computing Group (TCG) is a non-profit international group of more than 130 members, formed to improve the trustworthiness of information systems by defining, developing, and promoting open industry standards that support a hardware root of trust across multiple platforms, peripherals, and devices (TCG, 2013a; 2013b). TCG specifications enable more secure computing environments without compromising functionality, integrity, privacy, or individual rights, by protecting users' information assets (data, passwords, keys, etc.) from external software attacks and physical theft (Cryptomathic, 2014). TCCF proposes the use of TCG technologies, which are discussed further in Section 2.8.

iv. The United States Department of Health and Human Services (HHS) issued the Privacy Rule standards to implement the requirements of HIPAA, enacted in 1996, which address individuals' rights and the disclosure of their health information by organizations subject to the Privacy Rule (HHS.gov, 2013). The HHS Office for Civil Rights enforces the Privacy, Security and Breach Notification Rules, as well as the Patient Safety Rule, to protect individual healthcare records against threats and illegal access. TCCF takes HHS standards into consideration, as discussed further in Section 2.13.

2.7

Cloud Computing Trust Aspects

In order to design TCCF for the healthcare sector, trust has to be defined and integrated into TCCF. Previous work shows that consumers lack trust in cloud computing. This lack of trust is not about the technology itself; it results from the lack of transparency in cloud computing, the loss of consumers' control over their critical data, and unclear CSP security assurances (Khan and Malluhi, 2010; Tian et al., 2010). Several researchers have defined trust in cloud computing as follows:

Fan et al. (2012) divided trust into three types that have to be secured to fulfil the trust requirements of a cloud computing environment:

- Hard trust, which refers to the set of mechanisms, including security functions, that guarantee the underlying infrastructure.
- Virtualization trust, which refers to a set of trust evidence based on the trustworthiness of the cloud virtual environment, including VMs, virtual server security and the isolation mechanism on the virtual hosts.
- Entity trust, which refers to trust in users, based on measurement of the behaviour records of the entities accessing the cloud services.

Yeluri et al. (2012) stated that trust is the assurance and confidence that people, data, entities, information, and processes will function or behave as expected. They classified trust as follows:

- Trust between human and human (e.g. a doctor and a patient).
- Trust between machine and machine (e.g. handshakes negotiated within certain protocols).
- Trust between human and machine (e.g. when a consumer reviews a digital signature advisory notice on a website).
- Trust between machine and human (robots and smart devices dealing with humans).

Sun et al. (2011) classified trust as direct trust and direct trust relations as follows:

- Direct Trust, which refers to the level of subjective probability held by two network nodes, based on direct observation and/or recommendations from trusted entities, that depends on the multi-dimensional performance of a node in fulfilling a particular service.
- Direct Trust Relation, which evolves from the direct interaction experience between two joining nodes belonging to the same intra-domain or inter-domain network, between the CSP (trustor) and the consumer (trustee).

Ko et al. (2011) stated that trust represents the consumers' level of confidence in using cloud computing services. Achemlal et al. (2011) proposed the TCG security mechanisms TPM and vTPM for building trust in cloud computing. Abbadi et al. (2011) provided trusted middleware services for the cloud. Krautheim et al. (2010) introduced the Private Virtual Infrastructure (PVI) cloud trust model for IaaS, with a Trusted Virtual Environment Module (TVEM) and a Virtual Trust Network (VTN) for rooting trust in the cloud. They discussed the trust relationships that arise when an information owner creates and runs a virtual environment on a platform owned by a CSP. Their mechanism implements the TVEM as a software appliance that provides enhanced features for cloud virtual environments over existing vTPM virtualization techniques, consisting of an improved Application Programming Interface (API), cryptographic algorithm flexibility, and a configurable modular architecture.

All of these definitions, studies and projects discussed trust from various perspectives to improve the security and privacy of the cloud infrastructure so that consumers can trust cloud computing. However, they did not include assurance for consumers that their rights are protected under the SLA, or that the CSP is certified or HIPAA compliant. In order to achieve trust in cloud computing, the CSP must evaluate and manage the trust of devices, user behaviour and identity in order to enforce strict security policies (Ahmad and Mohamed, 2011). The next Section identifies the four main aspects of trust, namely security, privacy, accountability and availability (Muppala et al., 2012), that have to be fulfilled and considered in the TCCF design to initiate a trusted cloud computing environment.

2.7.1

Security

According to NIST, information security is the process of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction (Nemati, 2011). Security is achieved by fulfilling the following requirements.

i. Maintaining integrity, which secures the cloud platform and consumers' data against improper modification or destruction and includes ensuring the non-repudiation and authenticity of information. It is the process of ensuring that the data received are the same as the data generated, and that the cloud systems are protected against tampering (Ghatage and Rewadkar, 2013). Consumers and CSPs must not only control who has access to data but also maintain its integrity and protect it from exploitation, by inspecting files, systems, and registries for changes, and by real-time monitoring of critical OSs and applications to detect any compromise of virtual and cloud computing resources.

ii. Preserving confidentiality, by restricting access and disclosure to authorized entities only, and thereby protecting personal privacy and proprietary information. Every CSP and HSP staff member, as well as every work device, has to be registered in the system with full identification information. Emphasis is placed on who is authorized to access consumers' sensitive data and computing resources, granted with least privilege, to prevent and protect against insider threats and malicious access.

iii. Maintaining the availability of data and computing resources, to ensure timely and reliable access to information, by providing backups and contingency plans and by enforcing service availability in the SLA terms and conditions.
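As an added illustration (not code from the thesis), the following Python snippet shows the check behind "the data received are the same as generated" in item i above: the sender attaches an HMAC-SHA256 tag computed over a canonical serialisation of the record, and the receiver recomputes the tag under the shared key and compares it in constant time. The key, the record fields and the two tampered copies are constructed for the example.

```python
"""Added example: HMAC-based integrity check for a record in transit.
Not code from the thesis; key, record fields and the tampered copies
are constructed for the illustration."""
import hashlib
import hmac
import json
import os


def canonical_bytes(record: dict) -> bytes:
    # Canonical JSON (sorted keys, no whitespace): the same logical record
    # always serialises to the same bytes, whatever the dict insertion order.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes) -> dict:
    """Attach an integrity tag so the receiver can check nothing changed."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict, key: bytes) -> bool:
    """True only if the record is exactly what the key holder sealed."""
    expected = hmac.new(key, canonical_bytes(sealed["record"]), hashlib.sha256).hexdigest()
    # compare_digest runs in time independent of where the first mismatch is,
    # so an attacker cannot recover the tag byte by byte from timing.
    return hmac.compare_digest(expected, sealed["tag"])


# Constructed sample: a medication order (hypothetical fields) sent to a
# cloud-hosted pharmacy service. The key would be provisioned out of band.
KEY = os.urandom(32)
ORDER = {"patient_id": "P-0001", "drug": "metformin", "dose_mg": 500}


def demo() -> tuple:
    sealed = seal(ORDER, KEY)
    ok_untouched = verify(sealed, KEY)

    # An attacker on the path alters the dosage but cannot recompute the tag.
    tampered = {"record": dict(sealed["record"], dose_mg=5000), "tag": sealed["tag"]}
    ok_tampered = verify(tampered, KEY)

    # A plain hash is not enough: a digest recomputed without the key is rejected.
    forged = {"record": tampered["record"],
              "tag": hashlib.sha256(canonical_bytes(tampered["record"])).hexdigest()}
    ok_forged = verify(forged, KEY)
    return ok_untouched, ok_tampered, ok_forged


if __name__ == "__main__":
    print(demo())
```

The keyed tag is what distinguishes this from the file-hash comparisons used for change detection: anyone can recompute a bare SHA-256 over altered data, but only a holder of the key can produce a tag that `verify` accepts.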

In cloud computing not only the information but also the computing resources and services provided to consumers need to be protected. Security is a cross-cutting aspect of the cloud architecture that spans all layers of the reference model, from physical and virtual to application security (Liu et al., 2011). Cloud computing systems need to address security requirements such as authentication, authorization, availability, confidentiality, identity management, integrity, audit, security monitoring, incident response, and security policy management. Within cloud computing each service delivery and deployment model requires a different security mechanism, which has to be considered when designing TCCF. For example, SaaS provides consumers with access to cloud service offerings via the Internet using a web browser, so web browser security must be considered. CSUs of IaaS, on the other hand, use VMs that execute on a hypervisor, a piece of software, firmware or hardware responsible for creating and running the VMs; hypervisor security must therefore be considered in TCCF to achieve VM isolation. Moreover, security audit is vital to measure how well cloud computing systems conform to a set of established security criteria (Rong et al., 2013). In order to achieve the trust components in the cloud, TCCF must consider the following security controls in its design (Sarwar et al., 2013).

2.7.1.1 Security Controls

Security controls are the measures taken to safeguard an information system against attacks on its confidentiality, integrity, and availability, selected on the basis of a risk assessment that identifies the system's threats and vulnerabilities in order to mitigate those risks. These controls include physical, technical, operational, virtualized and management controls, discussed as follows (Purcell, 2013).

Physical Security Controls: Refer to the devices and means that control physical access to sensitive information and protect its availability, such as physical access systems (e.g. guards), physical intrusion detection systems (e.g. alarm systems), and physical protection systems (e.g. fire alarms, backup generators, etc.). The CSP must ensure the highest level of security for the cloud environment, with particular focus on data centres, to protect them from insider and outsider threats (Purcell, 2013).

Technical Security Controls: Refer to the logical controls, including devices, processes, protocols, and other measures, that are used to protect the confidentiality, integrity, and availability of sensitive data, such as logical access control, encryption systems, audit and accountability, antivirus systems, firewalls, and intrusion detection systems (Purcell, 2013). The implementation of technical controls requires significant operational consideration and should be consistent with the management of security within the organization (NIST, 2012).

Operational Security Controls: Address the controls that are implemented and executed by people to improve the security of systems, such as configuration management, contingency planning, and system and information integrity. They rely on management activities as well as technical controls (Purcell, 2013).

Virtualized Security Controls: Refer to network security controls that have been virtualized, such as the Virtual Firewall (VF) and the Virtual Private Network (VPN), which perform the same functions as a physical firewall and a dedicated private network but run alongside or inside the hypervisor. According to Gartner analyst Neil MacDonald, 40% of security controls in data centres will be virtualized by 2015 (Messmer, 2012). It is vital to implement virtualized security controls such as VFs, VPNs and virtual domains, which help to shield the virtualized environment in TCCF for enhanced security and privacy.

Management Security Controls: Controls that are essential for managing IT security and its risks, and which are required in a cloud computing environment (Batchu et al., 2013), as follows:

A. Deterrent security controls provide warning messages to CSUs and reduce the probability of an attempted attack. These controls, such as logon warning messages, attempt to discourage malicious activity before it occurs.

B. Preventive security controls are used to stop an action from taking place, or from continuing once begun. They should be applied at every layer of the cloud computing platform to maximize security. Preventive security controls include risk analysis, decision support tools, policy enforcement, trust assessment and identity management (Rani et al., 2013). Preventive controls depend on the use of:

i. Policies that prohibit unauthorized network connections.

ii. Intrusion Prevention Systems (IPS) that detect, log and report malicious behaviour and take immediate action to prevent or reduce the intentional or unintentional disclosure and misuse of sensitive data by malicious software (Ubhale and Sahu, 2013; Honan, 2011).

iii. Next-generation firewalls that block unauthorized network connections and decrease the attack surface of virtualized servers in a cloud computing environment. They perform VM isolation and fine-grained filtering (source and destination addresses, ports) across all IP-based protocols and frame types, which also helps to mitigate Denial of Service (DoS) attacks (Gonzalez et al., 2011); they allow policies to be defined per network interface and detect reconnaissance scans against cloud computing servers. Moreover, a bidirectional dynamic packet filtering firewall deployed on each individual VM can be managed centrally through a server firewall policy (Trend Micro, 2010).

iv. Encryption techniques that reduce the exposure of data on virtualized servers in the cloud, so that an attacker who gains access to storage or network traffic cannot read the protected data (Purcell, 2013).

v. Anti-malware that is kept up to date so that the latest malware variants are prevented from attacking the systems.

vi. Continuous updating of operating systems and other software with the latest releases and patches to secure them from attacks, together with system hardening, which involves removing default user accounts and passwords, removing unnecessary services, and adjusting permissions and access rights. Personnel training is also conducted so that staff are aware of the risks and threats posed to the systems and critical information.

C. Detective security controls are hardware and/or software mechanisms that detect, log and report malicious activity at the VM level, giving timely warning of attacks on applications and OSs, including known and zero-day attacks, so that a response can follow. They detect illegitimate users and unauthorized access in order to minimize the impact or damage. Detective controls such as integrity monitoring and Intrusion Detection Systems (IDS), together with log inspection, provide visibility into the security events captured in the log files of cloud computing resources (Moffa, 2012). Actively monitoring key systems for unauthorized changes to detect a potential weakness or attack, monitoring log files for unusual entries or particular security events, and regular vulnerability testing of the security controls are critical steps in securing cloud computing and CSU systems (Honan, 2011).
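The integrity monitoring and log inspection controls named above, as an added example in Python (not code from the thesis or from any product it cites): the first part snapshots SHA-256 hashes of a directory tree and reports files that were added, modified or deleted against that baseline; the second parses constructed sshd-style log lines and flags any source address with four or more failed logins inside a one-minute sliding window. The directory layout, the log format and the thresholds are assumptions made for the illustration.

```python
"""Added example (not code from the thesis): two detective controls, a
file-integrity baseline and a failed-login log inspector. Paths, the log
format and the thresholds are assumptions for the illustration."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta


def hash_tree(root: str) -> dict:
    """Map relative path -> SHA-256 of content for every file under root."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            snapshot[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return snapshot


def diff_baseline(old: dict, new: dict) -> dict:
    """Classify what changed between two hash_tree() snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


# Constructed sshd-style lines; not a real capture.
SAMPLE_LOG = """\
2015-01-13T10:00:01 sshd: Failed password for admin from 203.0.113.7
2015-01-13T10:00:03 sshd: Failed password for admin from 203.0.113.7
2015-01-13T10:00:04 sshd: Failed password for root from 203.0.113.7
2015-01-13T10:00:09 sshd: Failed password for admin from 203.0.113.7
2015-01-13T10:00:15 sshd: Accepted password for admin from 203.0.113.7
2015-01-13T10:05:00 sshd: Failed password for nurse1 from 198.51.100.2
2015-01-13T11:30:00 sshd: Failed password for nurse1 from 198.51.100.2
"""
LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def failed_login_bursts(log_text: str, threshold: int = 4,
                        window: timedelta = timedelta(minutes=1)) -> dict:
    """Return {ip: peak_count} for sources with >= threshold failures
    inside any sliding window of the given length."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, never silently counted
        ts, outcome, _user, ip = m.groups()
        if outcome == "Failed":
            failures[ip].append(datetime.fromisoformat(ts))
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


def _write(path: str, text: str, mode: str = "w") -> None:
    with open(path, mode) as fh:
        fh.write(text)


def demo() -> tuple:
    """Baseline a small tree, simulate a compromise, run both controls."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        _write(os.path.join(etc, "passwd"), "root:x:0:0\n")
        _write(os.path.join(etc, "hosts"), "127.0.0.1 localhost\n")
        baseline = hash_tree(root)
        # Simulated compromise: one file altered, one removed, one planted.
        _write(os.path.join(etc, "passwd"), "backdoor:x:0:0\n", mode="a")
        os.remove(os.path.join(etc, "hosts"))
        _write(os.path.join(etc, "ld.so.preload"), "/tmp/evil.so\n")
        changes = diff_baseline(baseline, hash_tree(root))
    return changes, failed_login_bursts(SAMPLE_LOG)


if __name__ == "__main__":
    print(demo())
```

In production the baseline itself must be stored where the monitored host cannot rewrite it, and the successful login that follows the burst in the sample log is the event an analyst would want correlated with the alert.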

D. Corrective security controls are real-time corrective actions that resolve a security attack or damage as it is taking place and limit further damage, such as the procedures for cleaning a virus from an infected system or updating firewall rules to block an attacking IP address. Corrective controls use several methods, such as an IPS that detects and blocks the attack at the OS level, cleaning malware from the infected system, and sandboxing software that mediates a process's system calls and kernel access through a controlled interposition layer, so that a compromised process cannot reach the kernel directly. Another corrective method is micro-virtualization, which isolates each task in its own small VM to contain advanced malware threats (Bromium, 2013).

E. Recovery security controls are those that bring the system back into production after an incident, such as disaster recovery activities. Backup and recovery policies and procedures must be well planned and maintained, taking into consideration compliance with rules and regulations as well as the safety of the information and of the data storage locations.

2.7.2

Privacy

Privacy refers to protection against the exposure or leakage of personal or confidential data (Ko et al., 2011), while for organizations privacy refers to the management and application of laws, policies, standards and processes concerning individuals' data (Begum et al., 2012). Achieving privacy in cloud computing for the healthcare sector, as a critical information industry, differs from the traditional computing model. In a cloud environment, users' personal data are distributed across various Virtual Data Centres (VDCs) that may fall under different laws and legal systems, which can result in violations of data privacy protection (Chen and Zhao, 2012). As discussed in Section 2.5.2, several privacy concerns need to be considered in order to establish the trust of healthcare organizations and protect their sensitive data from threats and data breaches. To mitigate these concerns, TCCF has to embed the "Privacy by Design" approach (Guilloteau and Mauree, 2012), incorporating built-in privacy requirements such as encryption of data throughout its life cycle, ensuring that only authorized entities are allowed to access the cloud, and providing a combination of privacy policies and strict SLA terms. The security and privacy preserving techniques of TCCF are described in detail in Chapter 4.

2.7.3 Availability

CSPs have to provide the required services 24 hours a day, 7 days a week, especially in the case of healthcare, which needs instant access and just-in-time communication. They need to guarantee that information and information processing are available to healthcare CSUs just in time, as per their demands (Zissis and Lekkas, 2012). Information and resource availability are vital for healthcare to face any emergency or other incident. Furthermore, in order to avoid violating laws and regulations, CSPs must ensure that data storage zones are located within the local boundaries of the data owners’ countries or are compliant with other applicable laws. This has to be stated clearly in the TCCF-SLA.

2.7.4 Accountability and Auditability

Accountability helps to optimize consumers’ trust, since it establishes who is responsible in the case of poor cloud computing service or a violation (Begum et al., 2012; Ko et al., 2011). Accountability and auditability are interrelated in the sense that, without appropriate and complete accountability mechanisms, auditing cannot be done properly.

Both internal and external audits are crucial in establishing trust and transparency in cloud computing services. Auditing enables monitoring and tracking of where the data has been outsourced, who processed it and for what purpose. The Federal Information Security Management Act (FISMA) requires that audit/transaction records be unmodified, available online to authorized personnel in read-only mode, and securely backed up (CIO.gov, 2012). Scheduled audit checks and mechanisms have to be included in the TCCF-SLA.

2.7.5 Incident Preparedness and Response

Incident preparedness and response refers to the policies, procedures and actions taken before incidents occur, such as contingency plans (Gilmer, 2013). CSPs should perform risk assessments on their infrastructure. Any vulnerability or data breach discovered should be documented and reported to consumers; otherwise CSPs and HSPs can face heavy fines, which may cost them their reputation besides financial losses that can reach up to $1.5 million USD per violation (Ouellette, 2013). Reporting the incident is vital to all parties (CSUs, CSPs and HSPs) for greater transparency and so that each party can decide whether the associated risks are acceptable or how to address the vulnerabilities. CSPs must provide accurate off-site data backups that can meet the availability requirements in the face of any sudden incident, as well as access to audit logs, since this is the first step in attack analysis and incident response.

2.8 Trusted Computing Group

In cloud computing there is a need to establish a Trusted Platform (TP) computing environment that has trusted components, which are used to create a foundation of trust for software processes. The TCG-TP consists of three main parts: the Trusted Computing Platform (TCP) hardware, the Trusted Operating System (TOS) software that communicates with the TCP, and the TSS, which facilitates non-critical functionalities and provides standard interfaces for high-level applications (Schellekens, 2012; Basit, 2009). TCG has developed the trusted computing specifications and technologies to facilitate and extend common computing platforms with trusted components in both software and hardware.

Trusted Computing (TC) is a set of technologies that provides hardware and software support for secure storage and software integrity protection (Danev et al., 2011). TC is built on the concept of transitive trust, which delegates initial trust in a hardware module to other system components. TC is based on the TPM and its remote attestation feature, which enables the establishment of Trusted Execution Environments (TEE) in cloud infrastructures. In a TC environment, a combination of hardware and software constitutes the root of trust for the whole computing system, using the TPM and other TCG technologies to establish a TCP. TCCF proposes the use of TCG technologies for securing the physical and virtualization layers in the design, as discussed further in Chapter 4, Section 4.9.

2.8.1 Trusted Platform Module

TPM is the first hardware core component of the TCP. TPM is a tamper-resistant cryptographic microcontroller developed by TCG (Schellekens, 2012). It is a cost-effective hardware security integrated circuit that can be built into computer-based products and serves as the hardware root of trust for the systems using it. The TPM specification is an International Organization for Standardization (ISO) standard: both ISO and the International Electrotechnical Commission (IEC) have accepted and published TPM specification Version 1.2 as ISO/IEC standard 11889 (ISO, 2009).

TPM is a microcontroller affixed to the motherboard that is capable of secure storage for keys, passwords and digital certificates, in addition to machine authentication, hardware encryption, signing and attestation. It can perform cryptographic operations including key generation (Cooper et al., 2011). The trust in TPM is based on its capabilities, such as secure key management and the reporting of Platform Configuration Measurements (PCMs) (Patel and Kumar, 2013). When TPM is activated by the user, it securely stores and manages keys and passwords as well as encrypting files, folders and emails. It allows Multi-Factor Authentication (MFA) to be based on hardware such as fingerprint readers, public key infrastructure (PKI) certificates and smart cards (Patidar et al., 2012). TPM ensures that the stored information is better protected from external software attack and physical theft.

TPM can be integrated into other components in a system. It provides capabilities that execute within the hardware chip, which can only provide input and output to the TPM. The TPM enables the integrity measurement of the platform's software stack at boot time, as well as the secure reporting of these measurements to a remote party. It achieves verifiability and transparency of a trusted platform's software state (Patidar et al., 2012). TPM allows remote validation of its hardware and software through the use of cryptographically secure integrity measurement and attestation protocols. The TPM is under the control of its producer and cannot be altered once it has been configured and issued by the owner or the administrator. Figure 2.3 illustrates the TPM components that enable secure computing operation, as follows:

A. The TPM cryptographic processor consists of (Palmer, 2012):

i. RSA engine, which is used to execute the RSA algorithm that creates one-time symmetric keys up to 2048 bits. It enables asymmetric encryption and decryption, and it is used during key binding operations, digital signing, and encrypting large blocks of data.

ii. Random Number Generator (RNG), which is used for random key and nonce generation.

iii. An Encryption-Decryption engine, which provides the functions for encryption/decryption of data or signing Platform Configuration Register (PCR) values.

iv. Secure Hash Algorithm-1 (SHA-1) engine, which uses algorithms for generating, getting, measuring and analysing hash values, including those of the boot process. These hash values are stored in PCRs.

Figure 2.3: TPM Components (Palmer, 2012)

B. The persistent storage memory (Non-Volatile Memory) in the TPM contains hardware-protected root of trust data necessary to execute and assure boot path measurements (Palmer, 2012). It holds two keys, the endorsement key and the storage root key, as discussed in the following paragraphs.

i. Endorsement Key (EK) is a 2048-bit RSA asymmetric key pair, unique to each TPM, that has been generated by the manufacturer and hard-coded onto the chip. EK is generated on the first activation of the TPM and remains immutable for the TPM’s lifetime. EK is used to verify the authenticity of a TPM. The private key decrypts information sent to the TPM during owner installation and other protected initialization processes (Olzak, 2011).

ii. Storage Root Key (SRK) is also a 2048-bit private RSA key, generated at the time of activation or upon reset of the TPM by the user and used thereafter until the TPM is cleared. Before using a TPM chip, users need to take ownership of the chip and create an SRK (Palmer, 2012). SRK is used to encrypt other keys stored outside the TPM. It is required to open up the block for use by application software.

iii. Both EK and SRK are RSA key pairs; they are protected by always keeping their private keys in the TPM chip. When a key is created inside the TPM, it is encrypted with the SRK’s public key and stored on disk; it must be decrypted with the SRK inside the TPM (Uppal, 2010). Other RSA keys are created under a parent key. Their private keys are always used within the TPM, and when released outside the TPM they are encrypted with their parent keys. TPM stores measurements in a set of PCRs, each of which is updated by hashing the concatenation of its current value with a new measurement. The measurements stored in PCRs are signed with a key in the TPM when reporting the integrity of a system for remote attestation.

C. The volatile memory inside the TPM is used to store PCMs, such as hash values (SHA-1) and private/public keys, in PCRs for integrity measurements (Palmer, 2012). PCRs cannot be written directly; data are stored by a process called extending the PCR, which appends the new value to the current value of a PCR, computes the SHA-1 of the concatenated value, and replaces the current value in the PCR with the output of the hash operation:

PCR := SHA-1(PCR || measurement) (Dinh and Ryan, 2006)

where || denotes concatenation. SHA-1 is a cryptographically secure hash algorithm, so a software measurement can be stored inside the TPM as its hash without revealing the actual measurement values. The output of a SHA-1 hash is a 20-byte value, and any change in the measured value will result in a different hash. Moreover, the volatile memory also contains storage for the Attestation Identity Key (AIK) and other storage keys. The AIK is bound to the platform on which the TPM resides. It is an asymmetric key pair that attests to the validity of the platform’s identity and configuration. AIKs are signature key pairs generated by the TPM during use (Du et al., 2011). TPM has limited non-volatile memory, and only one key, the SRK, is permanently stored inside the TPM. Other keys are encrypted and maintained outside the TPM by the TSS, which stores the keys on the hard disk (Schellekens, 2012).

Trusted Computing Base (TCB) refers to security primitives composed of hardware, firmware and/or software that provide a set of trusted, security-critical functions that behave as expected (Chen et al., 2012). TCB is based on the usage of TPM and supports a hardware-based root of trust, integrity measurement and reporting. It uses the EK to certify other keys, including the AIKs used to sign measurements. The TPM “Extend” function takes a SHA-1 hash of arbitrary data and updates one of the TPM’s PCRs with the hash of this measurement and the current PCR value. The system measures security-critical code and data starting from the Basic Input Output System (BIOS), followed by each step of the boot process up to runtime operations at the application level. These measurements are reported using the TPM “Quote” operation, which takes a nonce from a remote party and forms a statement containing the PCRs and the nonce, signed by an AIK. This quote, along with the Measurement List (ML), forms an attestation of the system’s state (Ruan and Martin, 2011; Schiffman et al., 2010).

To establish trust in a cloud environment, peer systems must prove their integrity to each other through an attestation process, which allows a remote system to verify that the TSS running on a local system has not been modified. Secure attestation is performed by the TPM, which is resistant to software attacks. TPM acts as a root of trust and enables secure remote attestation by providing secure storage as well as cryptographic primitives such as hashes and signatures (Kim et al., 2010). TPM uses a privacy Certificate Authority (CA) and a protocol designed to securely present measurements to a verification server that attests the state of the system (Uppal, 2010).

2.8.1.1 Trusted Platform Module Root of Trust

Hardware roots of trust are preferred over software roots of trust due to their immutability, reliability and reduced attack surface. In order to support device integrity, isolation, and protected storage, devices should implement the Root of Trust for Storage (RTS), Root of Trust for Measurement (RTM) and Root of Trust for Reporting (RTR) (Teo, 2009), which are discussed as follows:

Root of Trust for Measurement (RTM): Refers to the process of obtaining metrics of platform characteristics that affect the integrity of a platform and storing the digests of those metrics in PCRs (Regenscheid and Scarfone, 2011; TCG, 2007). The starting point of measurement is the RTM, the computing engine of the platform, controlled by the Core Root of Trust for Measurement (CRTM), which is the first code entity that runs on a TP and provides trust relationships to the hardware parts and application layers. When the system starts, the device begins executing the CRTM, which sends values that indicate its identity to the RTS in order to establish the starting point for a chain of trust, as shown in Figure 2.4.

Figure 2.4: Chain of Trust (FIDIS, 2009)

This process extends the measurements of the platform into PCRs inside the TPM. Hence, when the BIOS starts booting, the CRTM measures the state of the system before the OS is loaded or any malicious code becomes functional. Measuring is done by hashing the entity with a SHA function (FIDIS, 2009). The results are stored in a Stored Measurement Log (SML), which resides on the hard drive (outside the TPM); any change or manipulation of the software state can be discovered immediately, since malicious software cannot hide itself by manipulating the PCR values or the SML. The CRTM measures the system environment and passes control to the RTM, which generates reliable integrity measurements and reports them to the TPM.
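The PCR extend rule from Section 2.8.1 and the SML-based chain of trust described above, as an added example in Python (not code from the thesis or from any TCG software stack): a simulated measured boot that extends a PCR and writes the SML, and a verifier that replays the SML against reference values. The component names, their "binaries" and the reference values are constructed, and the AIK signature over the Quote is omitted so that only the extend and replay logic is shown.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed example: TPM 1.2-style PCR extend and verifier-side replay of the
# Stored Measurement Log (SML). Not code from the thesis or from any TCG stack;
# component names and "binaries" below are made up for illustration.

PCR_SIZE = 20                   # SHA-1 digest length in bytes
INITIAL_PCR = bytes(PCR_SIZE)   # a PCR starts as all zeros at power-on


def measure(component: bytes) -> bytes:
    """Measurement of an entity: the SHA-1 digest of its bytes (what gets logged in the SML)."""
    return hashlib.sha1(component).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR := SHA-1(PCR || measurement). A PCR is never written directly, only extended."""
    if len(pcr) != PCR_SIZE or len(measurement) != PCR_SIZE:
        raise ValueError("PCR and measurement must both be 20-byte SHA-1 digests")
    return hashlib.sha1(pcr + measurement).digest()


def measured_boot(chain: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, bytes]]]:
    """Simulate CRTM -> BIOS -> bootloader -> OS: each stage is measured before it runs.
    Returns the final PCR value (inside the TPM) and the SML (kept on disk, outside it)."""
    pcr = INITIAL_PCR
    sml: List[Tuple[str, bytes]] = []
    for name, code in chain:
        m = measure(code)
        sml.append((name, m))
        pcr = extend(pcr, m)
    return pcr, sml


def replay(sml: List[Tuple[str, bytes]]) -> bytes:
    """Verifier side: recompute the expected PCR from the SML entries alone."""
    pcr = INITIAL_PCR
    for _, m in sml:
        pcr = extend(pcr, m)
    return pcr


def verify_attestation(reported_pcr: bytes, sml, known_good: Dict[str, bytes]) -> dict:
    """Two checks a verifier applies to a reported PCR and the accompanying SML:
    1. the SML replays to the reported PCR, so the log was not edited after the fact;
    2. every logged measurement equals a known-good reference value, so the platform
       actually ran the expected software."""
    log_consistent = replay(sml) == reported_pcr
    unexpected = [name for name, m in sml if known_good.get(name) != m]
    return {"log_consistent": log_consistent, "unexpected": unexpected,
            "trusted": log_consistent and not unexpected}


# Constructed stand-ins for the real boot components and their reference values.
GOOD_CHAIN = [("BIOS", b"bios-v1"), ("bootloader", b"loader-v2"), ("kernel", b"kernel-v3")]
KNOWN_GOOD = {name: measure(code) for name, code in GOOD_CHAIN}


def demo() -> dict:
    """Walk through a clean boot, a modified bootloader, a forged SML and a reordered chain."""
    results = {}
    pcr, sml = measured_boot(GOOD_CHAIN)
    results["clean"] = verify_attestation(pcr, sml, KNOWN_GOOD)["trusted"]

    # A modified bootloader: its measurement is logged honestly but differs from the reference.
    bad_chain = [("BIOS", b"bios-v1"), ("bootloader", b"loader-v2-modified"), ("kernel", b"kernel-v3")]
    pcr_bad, sml_bad = measured_boot(bad_chain)
    results["modified_bootloader"] = verify_attestation(pcr_bad, sml_bad, KNOWN_GOOD)

    # The SML lives on disk and could be rewritten, but the PCR inside the TPM cannot:
    # substituting the known-good bootloader entry into the log makes the replay fail instead.
    forged_sml = [(name, KNOWN_GOOD[name]) for name, _ in sml_bad]
    results["forged_log"] = verify_attestation(pcr_bad, forged_sml, KNOWN_GOOD)

    # Extend is order-sensitive: the same measurements in a different order give a different PCR.
    results["order_matters"] = measured_boot(list(reversed(GOOD_CHAIN)))[0] != pcr
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```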

Root of Trust for Reporting (RTR): Refers to the collection of capabilities that must be trusted if reports of integrity measurements, which represent the platform state, are to be trusted. It reports the data held by the RTS.

Root of Trust for Storage (RTS): Refers to the computing engine that maintains an accurate summary of the integrity measurements made by the RTM (Regenscheid and Scarfone, 2011).

2.8.2 Trusted Software Stack

Trusted Software Stack (TSS) is a software specification comprising the TPM device drivers and the TSS service provider (Baaskar and Gomathi, 2012). TSS exposes standard APIs and cryptographic methods for accessing the TPM functionalities. TSS defines the architecture required to correctly measure and store the software stack running on a machine. TSS provides the infrastructure required to manage keys and credentials, to serialize commands and contexts to the TPM, and to handle event and audit management. Together, TPM and TSS provide optimized levels of trust and security that can be applied to existing applications and utilized in new developments to create a TC environment (Palmer, 2012).

2.8.3 Trusted Network Connect

Securing the network and communication channel is vital in cloud computing, since the cloud is a multi-tenant infrastructure that carries the risk of an adversary gaining access to the cloud infrastructure and causing damage or misusing the data and computing resources. The TCG-TNC architecture provides an open industry standard approach to network security and Network Access Control (NAC), which bases network access decisions on security state information gathered from a wide variety of sensors across a multi-vendor environment (Patidar et al., 2012; TCG, 2013; 2013d; 2011a). The TNC architecture enables network operators to enforce policies regarding endpoint integrity at or after network connection. TNC ensures multi-vendor interoperability across a wide variety of endpoints, network technologies, and policies. Integrity measurement and reporting is core to the value proposition of TNC. It enables CSAs to control network access based on the user identity and the device health, while observing the performance of the network and responding immediately to issues as they occur. TNC provides strong user authentication and blocks any unauthorized access. It can include IP phones, printers and other coordinating devices. By implementing TNC on the CSP network, strong security is added to the communication channel and the endpoints (Baaskar and Gomathi, 2012; TCG, 2012; 2011).

2.8.4 Trusted Storage

TCG’s trusted storage specification provides Self Encrypting Drives (SEDs), manageable full-disk encryption using hardware embedded in the drive to protect against internal and external threats. SEDs meet compliance criteria for government agencies in the US and around the world (TCG, 2013c). The benefits of SEDs over other encryption techniques are discussed in the following paragraphs.

Significant Performance Improvement: The encryption hardware integrated into the drive controller allows the drive to operate at its full data rate without decreasing performance. An SED can be easily and quickly sanitized using the “Crypto Erase” feature (instant cryptographic disk erase), which is supported by the SCSI and SATA standards and recommended in NIST Special Publication 800-88 (Kissel et al., 2012). Standardized SEDs automatically encrypt everything written to them, and prevent the threat of cracking the data encryption keys by eliminating any access to data until the drive is authenticated. Cipher text is never visible in SEDs; the only way to view it would be through the use of destructive methods such as a spin stand. SEDs provide increased performance as well as scalability, since every drive contains its own encryption engine (TCG, 2013c; Ashford, 2011).

Optimized Security: SEDs have all the data, applications, and drivers encrypted internally to the drive, and key management is an integral part of the design. SEDs take advantage of the TPM, do not require any user intervention and do not impact system performance. They have unified, standards-based key management within the drive controller. The encryption keys are generated in the drive itself and never leave it. Data encryption keys on SEDs are secured because each drive holds only an encrypted version of the encryption key, and not the key itself; there are no clear-text secrets stored anywhere on the drive to protect from malicious access. SEDs prevent software and rootkit attacks from retrieving the encryption keys, since the keys are never exposed. Encryption algorithms are based on the NIST FIPS 197 AES standard, including AES-128 and AES-256 (TCG, 2013c). In addition, these keys are stored in a location known to the drive logic, and deleting or replacing the on-board key permanently removes it, so the encrypted data become unreadable and the drive can be reformatted and used for other purposes. The drive is not destroyed.

Efficient Key Management: Key management is performed by software available from suppliers in consumer and enterprise versions. The encryption key is generated in the SED during manufacture and never leaves the drive; the user does not have to manage the encryption keys at all. Encryption on the drive is always on, which satisfies regulatory compliance requirements, since user authentication is performed by the drive before it unlocks at pre-boot authentication, independently of the OS. SEDs have increased efficiency due to ease of deployment and use: encryption is transparent to both users and software, which saves time and effort in a cost-effective way, and there is no need for complex infrastructure to manage encryption keys or for modifications to the OS, applications or tools (TCG, 2013c).

2.8.5 Virtual Trusted Platform Module

To support virtualization environments, the TPM was virtualized through device emulation so that the physical TPM’s secure storage and cryptographic functions can be used by the OSs or applications running inside VMs. The TPM was extended by adding specific commands to support virtualization of the TPM, as follows:

i. Management commands for the creation and deletion of vTPM instances.

ii. Migration commands for the creation of EKs and adding boot measurements.

iii. Utility commands for locking and unlocking vTPM instances and transporting instances securely over the network to another platform.

Moreover, protocols were developed to re-establish trust after a VM is migrated to another platform. The entire trust chain is achieved by tightly binding a VM to its corresponding vTPM instance and binding the vTPM instances to the TPM. Figure 2.5 describes the vTPM building blocks and their relationships. The vTPM system consists of a vTPM Manager and several vTPM instances, where each vTPM instance implements the full TPM specification. Every VM must be associated with a unique vTPM instance. VMs communicate with the vTPM using a split driver model, where a client driver runs inside each VM that wants to access a vTPM instance and the server-side driver runs in the VM hosting the vTPM instance (Danev et al., 2011).

Figure 2.5: vTPM Building Blocks Architecture (Berger et al., 2006)

Having identified, in Section 2.8, the TCG international standard technologies that are proposed in TCCF for establishing a trusted base platform, and having acknowledged the security controls for preserving the security and privacy of consumers’ data and computing resources in Section 2.6 and the trust aspects in Section 2.7, the next section discusses in depth the access control and authentication mechanisms used in TCCF to secure the framework from illegal access and threats.

2.9 Identity and Access Management

Identity and Access Management (IAM) refers to the security discipline that enables the right individuals to access the right resources at the right time for the right reasons (Gartner, 2013). IAM ensures appropriate access to cloud resources across physical and virtual environments under compliance requirements. When consumers migrate to the cloud, they find it hard to maintain multiple accounts for different applications and on each sign-in (Doddavula and Saxena, 2011). Therefore, federated authorization is recommended; it is a combination of externalized authorization and federated access control techniques whereby the consumers’ access control policies can be evaluated at the consumers’ side using their local data (Decat et al., 2012). Access control in a cloud computing environment necessitates sophisticated access management to enforce customized security policies beyond the traditional boundaries of healthcare organizations’ offices and clinics.

IAM should grant least-privilege access and determine who has access to data (Narayanan and Gunes, 2011), which types of access are allowed, what functions are provided, under which conditions, and for what duration. Access control solutions must guarantee that access to sensitive information is limited only to those who have a legitimate need to know, in order to avoid insider threats (Wu et al., 2012).

Efficient access control involves authorization, authentication, account management and auditing of the users who access the cloud services, in order to ensure integrity, confidentiality and availability (Decat et al., 2012; Zissis and Lekkas, 2012); these are discussed in the following paragraphs.

Account management: Refers to the mechanism that keeps the CSUs’ accounts synchronized with the existing enterprise systems and tracks personnel for the deprovisioning process when they leave the organization, besides scheduling account removal to make sure that no internal threat can occur (Butler, 2010).

Authentication: Refers to the process of verifying the identity of the entities and the integrity of the data that the involved party generates (Kim et al., 2011). It is about identifying a legitimate entity based on proof of his/her identity, which can be a password or PIN, a smart card, biometrics, or a combination of any of these access techniques.

Authorization: Refers to the process of granting or denying permission to an authenticated user to perform certain operations on a resource, based on security policies (Kim et al., 2011). Authorization involves assigning access control privileges and creating boundaries for entities. The CSP must keep personnel records up to date to prevent any internal threat from fired or transferred employees who should no longer have their access privileges. For example, “Authorization Creep” occurs when an employee moves from one department to another and is assigned new access rights without the old permissions being reviewed and removed (Harris, 2011).
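The deprovisioning gap described under Account management and the authorization creep described above, as an added example in Python that is not part of the thesis: a periodic access review that compares each account’s granted entitlements with its current role and its role history, and separates creep (explained by a former role) from entitlements no role explains. The role model, permission names and sample accounts are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed example: an access review that flags "authorization creep"
# (permissions kept from a previous role) and missed deprovisioning.
# Roles, permissions and accounts are hypothetical; not the thesis's own code.

# Hypothetical role model: the permissions each role is expected to carry.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "billing-clerk": {"invoice:read", "invoice:write", "patient:read-demographics"},
    "nurse": {"patient:read", "patient:write-vitals", "medication:read"},
    "auditor": {"auditlog:read", "invoice:read"},
}


@dataclass
class Account:
    user: str
    role_history: List[str]   # oldest first; the last entry is the current role
    entitlements: Set[str]    # permissions actually granted in the system
    active: bool = True       # False once HR records the person as having left


def expected_permissions(role: str) -> Set[str]:
    return ROLE_PERMISSIONS.get(role, set())


def review(account: Account) -> Dict[str, object]:
    """Compare granted entitlements with the current role and classify any excess."""
    current = account.role_history[-1] if account.role_history else None
    allowed = expected_permissions(current)
    # Everything a former role would have granted (empty if there is no history).
    former = set().union(*(expected_permissions(r) for r in account.role_history[:-1]))
    excess = account.entitlements - allowed
    creep = excess & former          # explained by an earlier role: should have been revoked on transfer
    unexplained = excess - former    # explained by no role at all: investigate how it was granted
    findings: List[str] = []
    if not account.active and account.entitlements:
        findings.append("inactive account still holds entitlements: deprovision")
    if creep:
        findings.append("authorization creep from former role(s): " + ", ".join(sorted(creep)))
    if unexplained:
        findings.append("entitlements outside any assigned role: " + ", ".join(sorted(unexplained)))
    return {"user": account.user, "creep": creep, "unexplained": unexplained, "findings": findings}


def run_review(accounts: List[Account]) -> List[Dict[str, object]]:
    """Return only the accounts that need action from the periodic access review."""
    return [r for r in (review(a) for a in accounts) if r["findings"]]


# Constructed sample accounts.
SAMPLE_ACCOUNTS = [
    # Moved from billing to nursing; the old invoice permission was never revoked.
    Account("alice", ["billing-clerk", "nurse"],
            {"patient:read", "patient:write-vitals", "medication:read", "invoice:write"}),
    # Clean: entitlements match the current role exactly.
    Account("bob", ["auditor"], {"auditlog:read", "invoice:read"}),
    # Left the organization but the account was never deprovisioned.
    Account("carol", ["nurse"], {"patient:read"}, active=False),
    # Holds a permission that no role of his ever carried.
    Account("dave", ["auditor"], {"auditlog:read", "invoice:read", "patient:write-vitals"}),
]


if __name__ == "__main__":
    for result in run_review(SAMPLE_ACCOUNTS):
        print(result["user"], result["findings"])
```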

Auditing and Reporting: Refers to the processes that provide information about the actions performed in the system (Decat et al., 2012). It is about tracking and logging the actions performed by a CSU within the system, such as failed login attempts and authentication issues. Both CSPs and consumers need to agree on access-auditing procedures. HIPAA and HITECH regulations require regular reviews of records of information system activities, such as audit logs, access reports, and security incidents, to detect any illegal disclosure of healthcare records, as well as auditing and monitoring of consumers’ data deletion. Proof of retrievability also has to be provided via real-time remote data integrity verification (Li et al., 2013). Efficient auditing and reporting mechanisms are important so as not to violate SPT regulations. For example, 32,500 patients had their records exposed on Google for one year and two months, violating HIPAA rules (McGee, 2013b).

2.10 Cloud Service Level Agreement

Currently there is no standard terminology to define public cloud service agreements (Baudoin et al., 2013; Hon et al., 2012). According to Gartner cloud security expert Jay Heiser, cloud SLAs not only lack standard terminology but are also still weak in terms of addressing security, business continuity and the assessment of security controls (Butler, 2012). There is a need for meaningful SLAs between CSPs and consumers to reassure consumers that their sensitive data and computing resources are available and protected against failures, disasters or misuse by malicious activity (Chi et al., 2011). Various definitions of a cloud SLA have been proposed, as follows:

i. SLA refers to a service contract whereby the level of service, delivery time and performance are defined on a pay-per-use basis (Wieder et al., 2011). It is a document that includes a description of the agreed service functions and service level parameters, which involves descriptions of QoS, guarantees, and billing information that includes service charges and payment methods as well as compensation for all cases of violation (Pan, 2011). An SLA is an agreement between the CSP and consumers that describes the cloud computing services, documents service level targets, and specifies the responsibilities of both the CSP and the CSUs (Rak et al., 2011).

ii. SLA implements a mediated policy. It performs role mapping of a local role to a role in the cloud and grants access to the entire mapped role’s permissions. It specifies isolation constraints for cloud resource sharing as negotiated, together with QoS parameters and billing and auditing functions (Almutairi et al., 2012).

iii. SLA defines the parameters for the delivery of cloud services, for the benefit of both parties, the CSP and the consumers. It must be transparent, complete, comprehensive and accurate in its coverage. It has various stages, starting from contract definition, negotiation, monitoring, and enforcement. The SLA contract definition and negotiation stages determine the benefits and responsibilities of each party, while the SLA monitoring and enforcement stage is directed towards building trust between the CSP and consumers (Arora et al., 2012).

2.11 Cloud SLA Status in Healthcare

The Cloud Standards Customer Council (CSCC) has published the Practical Guide to SLAs, which acts as a starting point for understanding the responsibilities of both the consumer and the CSP (Diaz, 2012). Current SLAs are written as a standard detailed document based on a one-size-fits-all paradigm, which is agreed upon between the CSPs and their CSUs (Myerson, 2013). Implementation of those agreements is generally audited by a third party. Moreover, there are no healthcare-specific SLAs or privacy audits, which may raise the risk of non-compliance when storing and processing medical and patient information in the cloud (Alley et al., 2012). The next section presents healthcare as a case study to gather its requirements in order to develop the research contribution, as discussed in Chapters 4 and 5.

2.12 Healthcare Sector as a Case Study

The healthcare sector consists of various service aspects that involve people, organizations, clinical research, and healthcare delivery. Each Healthcare Service Provider (HSP) that implements Electronic Health (E-Health), to save paper and storage space, stores its Electronic Medical Records (EMRs) in its own databases. Electronic Health Records (EHRs) refer to the sharing of E-health records among diverse EMR systems (Parakala and Udhas, 2011). Despite the benefits of sharing EHRs among various EMRs, there are still several issues in current healthcare IT systems that need an advanced technology solution, as described below:

i. The accelerating growth in the healthcare IT market, which is expected to increase from $99.6 billion in 2010 to $162.2 billion USD in 2015 (Demirkan, 2013; Markets and Markets, 2011), requires massive storage and processing capabilities that are not available in current EHR systems.

ii. Healthcare EHRs, EMRs and Personal Healthcare Records (PHRs) have several issues, such as slow performance, high cost and poor usability, besides the complexity of fulfilling the requirements of both healthcare consumers and IT professionals (Zhang and Liu, 2010).

iii. The global shift in the disease burden from acute to chronic has raised the need for more resources, people, materials and IT infrastructure, which has also increased healthcare provisioning costs (Parakala and Udhas, 2011).

iv. Healthcare consumers, such as doctors and patients among others, are demanding higher levels of IT interaction: instant online access to information, products and services through their computers and smart mobile devices, to ensure real-time diagnosis and high-quality treatment, which requires advanced technologies (Radwan et al., 2012).

v. Healthcare personnel and professionals access systems through their own mobile devices, a practice known as “Bring Your Own Device (BYOD)”, which poses serious threats to data security and privacy (Lofgren, 2013).

vi. The massive increase in the global ageing population, which may rise from 600 million in 2002 to 2 billion by 2050, requires advanced and cost-effective technology (Parakala and Udhas, 2011).

vii. The massive increase in the generation of large amounts of healthcare data requires enormous processing, IT storage infrastructure and backup solutions (Govpub, 2013).

Cloud computing has emerged as a new way of delivering automated computing services to Healthcare Information Technology (HIT) that addresses the existing E-health issues, besides providing seamless management of and access to EHRs, in order to facilitate the provisioning of healthcare products and services ubiquitously and pervasively to patients located in remote areas and those who have limited access to medical services (Parakala and Udhas, 2011). Cloud computing has high potential to maximize the efficiency and quality of healthcare services through its various service delivery and deployment models, as follows:

i.

Cloud computing reduces EHR costs in terms of ownership and IT maintenance burdens (Wu et al., 2012). It manages massive EHR processing, storage, transmission, retrieval, modification and printing more efficiently and at minimum cost (Parakala and Udhas, 2011).

ii.

Cloud computing delivers automated, smart and sustainable healthcare services through emerging mobile solutions such as bio-sensors, wearable devices and intelligent software agents (Demirkan, 2013). It enables EHRs and PHRs to be shared, integrated and managed ubiquitously, pervasively and just-in-time via the Internet, and allows patients and diseases to be tracked more efficiently and effectively over a lifetime (Ratnam and Dominic, 2012).

2.13

Health Insurance Portability and Accountability Act (HIPAA)

The healthcare sector has various systems, including medical systems that deal with EHRs, EMRs and PHRs, which must comply with strict local laws governing the use, transmission and storage of health information. This requires that consumers' data be encrypted and protected from view by any unauthorized third party, including the CSP. Various countries have initiated their own rules and regulations for protecting the privacy of critical healthcare data; they share common requirements, e.g. protecting the privacy of all types of medical records. The HHS has issued the Privacy Rule standards to implement the requirements of HIPAA; the Privacy Rule addresses individuals' rights and the disclosure of their health information by organizations subject to the rule, and is enforced through voluntary compliance activities and civil money penalties (HHS.gov, 2013).

In 2013, the HHS issued the HIPAA Omnibus Rule, mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, to modify HIPAA's privacy, security and enforcement rules and to strengthen the privacy and security protection of individuals' health information. It also extended the breach notification regime and the civil penalties for businesses that do not comply with HIPAA, which can reach $1.5 million USD per violation category per calendar year (Leyva, 2013; McGee, 2013). The draft European data protection regulation likewise extends data protection rules to healthcare organizations, and the European Convention on Human Rights applies to any EHR system that interferes with private and family life; the European framework starts with detailed consideration of how patient information is collected, shared and protected (Proofpoint, 2012). CSPs must ensure that the cloud services they provide comply with the rules, regulations and standards that fulfil healthcare requirements, or face large fines. For example, the HHS Office for Civil Rights imposed a $1.7 million USD settlement on Alaska's Medicaid agency after the loss of a hard drive that contained the Protected Health Information (PHI) of 501 patients: the agency had failed to conduct a risk assessment and had not implemented adequate encryption and other security controls for data and media (Monticello, 2012).

2.14

Healthcare Cloud Computing Trust Requirements

The healthcare sector uses a wide range of electronic medical and smart mobile devices. If any of these devices is compromised, it can be used to launch attacks that harm patients, access their data or spread malware to other systems within the network or cloud, among other serious impacts. Healthcare organizations should be proactive about security and compliance in order to establish trust and prevent the costly damage of a sensitive data breach (Proofpoint, 2013). Healthcare organizations or individuals who acquire cloud services need to be assured of the SPT of their data and computing resources before they will use those services.

It is essential that the CSP holds a cloud computing certificate from an independent security certification authority that certifies cloud services in terms of their security properties and capabilities. Such a certificate acts as a quality stamp: it gives assurance that the CSP's security implementation matches its published security profiles, which boosts CSUs' confidence in cloud computing services (Khan and Malluhi, 2010). Organizations such as the Cloud Security Alliance (CSA), in collaboration with the Health Information Trust Alliance (HITRUST), can provide these certificates. Their joint collaboration addresses cloud security initiatives aimed at improving the state of security and compliance in the healthcare industry, and resulted in the release of the Cloud Controls Matrix, a tool that maps cloud security practices onto traditional security regulations and standards such as the Payment Card Industry Data Security Standard (PCI DSS), HIPAA and ISO/IEC 27001 (Hall and Nachbar, 2010). There is a need for mutual trust between the CSP and the healthcare organization. From the side of healthcare as a consumer of cloud services, the lack of control over data and computing resources may lead to several risks, such as:

i. Data disclosure, leakage, loss, misuse and breach risks.

ii. Storage location security risks.

iii. Service interruption risks.

iv. The risk of the CSP going out of business.

On the other hand, within the cloud computing environment CSUs directly use the CSP's IT resources, such as software, OSs and network infrastructure. If a malicious consumer gains access to cloud storage, a VM or data, the impact on the CSP's software and hardware resources, and on other CSUs, is severe. Therefore the CSP must evaluate and manage the trustworthiness of user behaviour and identity, and enforce strict security policies that require additional trust in the users (Ahmad and Mohamed, 2011). To achieve trust in the cloud environment, the trust components discussed in Section 2.7 must be guaranteed; that section identified the four main trust aspects, i.e. security, privacy, accountability and availability (Muppala et al., 2012). The next section identifies the cloud computing security and privacy requirements of the healthcare sector, so that they can be considered in the design of the research contribution.

2.15

Healthcare Security and Privacy Requirements

The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy and Security Rules, which protect health information from improper use and disclosure, together with the confidentiality provisions of the Patient Safety Rule. The HIPAA Privacy Rule requires covered entities and their business associates, a class that since the 2013 Omnibus Rule explicitly includes CSPs that store or process PHI, to implement policies and procedures that provide federal protections for PHI and grant patients rights with respect to that information. The HIPAA Security Rule specifies a series of administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of electronic PHI. The third part, beside the Privacy and Security Rules, is the Enforcement Rule, which states the actions that HHS must take to guarantee compliance and accountability under HIPAA, including the process for reviewing complaints and assessing fines (Leyva, 2013; Wu et al., 2012a).

The research scope focuses on the HIPAA technical safeguards for covered entities, which guarantee the confidentiality, integrity and availability of protected health records. CSPs must comply with the HIPAA security, privacy and enforcement rules in order to assure consumers that they can trust the cloud environment and that their data are safe, and they must provide evidence of their reliability. Electronic healthcare records must be protected, with compliance, security, privacy and confidentiality assured, during storage, exchange and sharing (Li et al., 2011). The security of patients' data covered by the HIPAA Security Rule can be ensured by implementing the following security control requirements, which were discussed in Section 2.7.1 (Holtzman et al., 2013).

i.

Implement security management, mitigation and evaluation processes and risk analysis, and train personnel on safeguarding PHI.

ii.

Provide contingency plans and disaster recovery, and create and maintain retrievable, accurate copies of data. Also provide policies and procedures for system activity review and audit.

iii.

Provide physical safeguards for resources and devices.

iv.

Ensure the confidentiality, integrity and availability of PHI to guarantee service security and privacy, and enforce a strict password policy.

v.

Ensure that data and computing resources are accessible only to authorized entities, through robust access and identity management. Also ensure that the systems on which data are stored and processed are strictly controlled and backed up, with accurate system and environment configuration.

vi.

Ensure that all activities associated with the regulated data and systems are subject to audit to guarantee service transparency.

vii.

Ensure that data are monitored during all access procedures and are encrypted at rest, during processing and while transmitted over insecure networks (Mackey, 2012; Nissany, 2013). Also ensure that the cloud key management systems are automated, in order to prevent insider threats.

viii.

Ensure secure data transmission by enabling HTTPS (HTTP over TLS) and by deploying an Internet Protocol Security (IPsec) tunnel between the cloud and its consumers.

ix.

Ensure that the CSP documents all policies, procedures and processes, and that this documentation is available to the workforce members responsible for implementing it.

x.

Covered entities and consumers must revise and update the documentation to ensure the confidentiality, integrity and availability of PHI. They must also perform HIPAA security and privacy training for CSP personnel and carry out continuous, detailed risk analysis.
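Requirements vii and viii above are where deployments most often fail quietly: a client that speaks HTTPS but never verifies the server's certificate still "uses HTTPS" on paper while an on-path attacker reads the PHI. The following is an added example, not code from the thesis or from any of the cited projects. It builds the weak client configuration beside the hardened one using Python's standard ssl module, and audits a context against the transmission requirement. The CA bundle path is an assumed parameter; no connection is made, only the context object is inspected.

```python
import ssl
from typing import List, Optional

# Added example (not from the thesis). Contrasts a TLS client configuration
# that silently defeats HTTPS with a hardened one, and audits a context against
# the "encrypted while transmitted on insecure networks" requirement.


def weak_client_context() -> ssl.SSLContext:
    """Anti-pattern: HTTPS in name only.

    Certificate verification and hostname checking are disabled, so an on-path
    attacker can present any certificate and read PHI in transit, and TLS 1.0 is
    re-enabled. check_hostname must be cleared before verify_mode, because
    Python refuses CERT_NONE while hostname checking is still on.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Hardened client: verify the server chain and hostname, TLS 1.2 or newer,
    no TLS compression (CRIME). ca_bundle is an assumed path to the PEM bundle
    the healthcare organisation pins for its CSP endpoints; when omitted the
    system trust store is used."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings that make ctx unfit for carrying PHI (empty = OK)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("CERT_NONE: server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("NO_HOSTNAME_CHECK: any valid certificate is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("LEGACY_TLS: TLS 1.0/1.1 allowed")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("COMPRESSION: TLS compression enabled")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["OK"])
```

The audit function is the part worth keeping: run it over every SSLContext an application creates (or wrap the constructor) so that a developer who "temporarily" disables verification to get past a self-signed test certificate cannot ship that change to a system that carries PHI. The IPsec tunnel in requirement viii protects the hop between sites but not the application-layer identity of the server, so the certificate checks are still needed inside the tunnel.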

2.16

Cloud Computing Related Work

Consumers vary in their security requirements according to the sensitivity of their data. Some insist on guaranteed confidentiality of their data, others require verification of the integrity of their programs and computed results, and others demand availability of data and computing resources together with protection from threats and malicious attacks (Jamkhedkar et al., 2013). In the following sections, five current cloud computing solutions are analysed in order to investigate the gaps that prevent full implementation of cloud computing in critical information industries with respect to the SPT concerns.


2.16.1 Security on Demand Framework in Cloud Computing

Jamkhedkar et al. (2013) proposed a Security on Demand (SoD) framework for cloud IaaS that provides the level of security each consumer requires according to its own threat model, since existing CSPs apply the same security standard to all consumers' data and computing resources, as shown in Figure 2.6. In SoD, the CSP offers a mechanism for managing trust in the cloud servers based on their hardware and/or software security, together with a mechanism for requesting different types of VM security based on different underlying threat models, which vary according to the criticality of the consumer's information.

Figure 2.6: Security on Demand Framework (Jamkhedkar et al., 2013)

The SoD framework focuses on the IaaS layer, in which VMs are leased to cloud consumers. A consumer initially requests a VM along with a security policy that defines the desired level of security for the VM. Once the VM is deployed on an appropriate server, it enters a security lifecycle that ensures the requested security is maintained while the VM is running. As illustrated in Figure 2.6, the SoD lifecycle operates in four steps, as follows:

1. The CSP, acting as a Trust Monitor (TM), selects the appropriate type of secure server that satisfies the security options selected by the consumer.

2. The TM translates the collected servers' security properties into well-defined, meaningful security capabilities.

3. The capabilities of each server are provided to a Policy Validation module, which is responsible for validating a VM's requested security policy against these capabilities.

4. Finally, if the security requirements of the VM change, or the server on which the VM is deployed is no longer trustworthy, a response mechanism is triggered to relocate the VM to a suitable server that can satisfy the VM's security requirements.
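The four steps read as policy, but the lifecycle is easier to reason about as a small state machine. The following is an added example and not code from Jamkhedkar et al.: it models the Trust Monitor, the capability-versus-policy validation of step 3, and the two triggers of step 4 (policy change, loss of server trust), including the case the paper's description leaves implicit, where no trusted server can satisfy a VM any more. The capability labels (tpm, attested_boot, encrypted_disk, iommu) and server names are assumed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

# Added example, not code from Jamkhedkar et al. Models the SoD lifecycle as a
# Trust Monitor over servers that advertise capability sets. Capability names
# are assumed labels.

Capabilities = FrozenSet[str]


@dataclass
class Server:
    name: str
    capabilities: Capabilities   # step 2: properties already translated into capabilities
    trusted: bool = True         # cleared by the TM when the server's trust is lost


@dataclass
class TrustMonitor:
    servers: Dict[str, Server] = field(default_factory=dict)
    placements: Dict[str, str] = field(default_factory=dict)     # vm -> server name
    policies: Dict[str, Capabilities] = field(default_factory=dict)
    log: list = field(default_factory=list)

    def register(self, server: Server) -> None:
        self.servers[server.name] = server

    # step 3: a policy is satisfied only by a trusted server whose capability
    # set is a superset of everything the policy demands
    def validate(self, policy: Capabilities, server: Server) -> bool:
        return server.trusted and policy <= server.capabilities

    # step 1: pick the least-capable server that still satisfies the policy, so
    # scarce secure hardware is not spent on VMs that did not ask for it
    def select_server(self, policy: Capabilities) -> Optional[Server]:
        fit = [s for s in self.servers.values() if self.validate(policy, s)]
        return min(fit, key=lambda s: len(s.capabilities), default=None)

    def deploy(self, vm: str, policy: Capabilities) -> str:
        server = self.select_server(policy)
        if server is None:
            raise RuntimeError(f"no trusted server satisfies policy {sorted(policy)}")
        self.policies[vm] = policy
        self.placements[vm] = server.name
        self.log.append(("deploy", vm, server.name))
        return server.name

    # step 4a: the VM's requirements changed; relocate only if the current
    # host no longer satisfies the new policy. Returns the (possibly new) host,
    # or None if the VM had to be suspended.
    def update_policy(self, vm: str, policy: Capabilities) -> Optional[str]:
        self.policies[vm] = policy
        if self.validate(policy, self.servers[self.placements[vm]]):
            return self.placements[vm]
        return self._relocate(vm)

    # step 4b: the host is no longer trustworthy; every VM on it must move.
    # Returns a map vm -> new host (None where no suitable host exists).
    def revoke_trust(self, server_name: str) -> Dict[str, Optional[str]]:
        self.servers[server_name].trusted = False
        moved = {}
        for vm, host in list(self.placements.items()):
            if host == server_name:
                moved[vm] = self._relocate(vm)
        return moved

    def _relocate(self, vm: str) -> Optional[str]:
        target = self.select_server(self.policies[vm])
        if target is None:
            # fail closed: suspend the VM rather than run it below its policy
            del self.placements[vm]
            self.log.append(("suspend", vm, None))
            return None
        self.placements[vm] = target.name
        self.log.append(("relocate", vm, target.name))
        return target.name
```

The fail-closed branch in _relocate is the design decision the SoD description does not spell out: when trust in a host is revoked and no other host meets the VM's policy, the safe response is to stop the VM, not to leave it on the untrusted host or downgrade it silently. Everything the monitor does is appended to log, which is what an auditor would ask for under requirement vi above.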

The main advantages of this framework are that it enables cloud consumers to demand security based on their specific requirements and to modify the type of requested security as those requirements change. It allows cloud providers to charge consumers according to the type of security service they acquire, following the pay-per-use billing pattern. SoD also allows vendors and researchers to identify the various types of customer security requirements and to align their existing architectures and products, as deployed in real cloud environments, with them.

In spite of these advantages, the framework focuses only on securing IaaS, not PaaS or SaaS, which leaves the cloud environment exposed to attacks on the PaaS and/or SaaS layers. It requires consumers to have prior technical knowledge of threat models in order to choose the required level of security, which is impractical since not all consumers have such knowledge. Moreover, the authors based their solution on potential attacks, i.e. a threat model, whereas attacks are dynamic and continually changing (FireEye, Inc, 2013). There is a need for a solution that applies security by design across all cloud layers and to access, and that complies with rules and regulations. The security level options are defined by the CSP and cannot fulfil the diverse security requirements of consumers; there is no encryption mechanism for data, which can violate confidentiality and impact privacy; and there is no identified access control mechanism for protecting against malicious access. The proposed on-demand security framework is expensive and in some cases appears infeasible to implement in complex cloud computing environments. Finally, this model discusses only security and does not address privacy and trust concerns, and it depends on policies rather than on trusted technologies.

2.16.2 Trusted Cloud Computing Infrastructure

Banirostam et al. (2013) proposed a Trusted Cloud Computing Infrastructure (TCCI) by developing a User Trusted Entity (UTE), a closed execution environment that ensures the confidentiality, data accuracy and integrity of consumers' VMs. UTE enables the consumer to verify whether the cloud IaaS is trusted or not, relying on the Trusted VM Monitor (TVMM) and the Trusted Coordinator (TC) as shown in Figure 2.7. CSP administrators are not authorised to access UTE, since it is kept with a third-party agent.

Figure 2.7: Cloud Computing Security Model (Banirostam et al., 2013)

UTE allows users to authenticate the IaaS server and determine the security of the cloud service before their VMs start up. This model confines VM execution to a secure IaaS environment, since CSP managers have no privilege within UTE, which protects it from insider threats; therefore they cannot interfere with the TC's functionality. It is assumed that UTE is kept by a third-party agent that has no incentive to collude with the IaaS service and is highly trusted to ensure confidential execution of guest VMs. However, this reliance on a third party itself poses risks of malicious access, insider threat and data misuse or breach. Moreover, TCCI enables trusted VMs but does not include trusted technologies for servers, network or storage. It does not ensure that a system administrator holding any access permit cannot enter the host VM via a remote connection and consequently gain access to consumers' memory, or run computations on their behalf. Therefore, this model does not fulfil the SPT requirements: it does not use a TPM and it relies on a third party.

2.16.3 A Framework for Secure Clouds

Youssef and Alageel (2012) developed a framework that identifies the security and privacy requirements, attacks, threats, concerns and risks associated with the deployment of cloud computing. They also proposed guidelines for achieving the security and privacy requirements in order to mitigate these risks, threats and attacks. The four units of their cloud security model, shown in Figure 2.8, are as follows:

1. The Verification and Validation Unit, which is responsible for authenticating users and ensuring the correctness of data and services on the cloud, using appropriate signature algorithms and a One-Time PIN (OTP) as part of a two-factor authentication process.

2. The Data Protection Unit, which provides secure storage servers; the authors recommend using encryption techniques.

3. The Privilege Control Unit, which controls cloud usage and protects users' privacy, and also ensures data integrity and confidentiality by applying a collection of rules and policies that control users' access.

4. The Attack Detection/Prevention Unit, which is responsible for protecting cloud resources from various anomalies. The authors recommend next-generation intrusion detection systems and firewalls to protect data and computing resources from intruders, viruses and malware.

The authors' framework identifies security and privacy challenges in cloud computing, highlights cloud-specific attacks and risks, and clarifies their mitigations and countermeasures. They also proposed a generic cloud computing security model to protect the cloud against various vulnerabilities. The framework and model act as guidelines on the security and privacy considerations, and the corresponding solutions, that individuals and organizations should take into account when using the cloud environment.

Figure 2.8: Cloud Computing Security Model (Youssef and Alageel, 2012)

However, this framework and model are general and not specific to any industry. They have not been implemented, and they do not cover all the threats and risks in the cloud computing environment. Moreover, the model is based on two-factor authentication, which needs strengthening by adding a physical biometric factor for CSP administrators to prevent any illegal access to consumers' VMs. The authors considered authentication and authorization security as well as data protection, but did not include physical layer security and did not provide a robust mechanism for resolving all SPT concerns, only general recommendations and guidelines.

2.16.4 ABE Framework for Secure Sharing of PHRs

The Attribute-Based Encryption (ABE) framework of Li et al. (2012) divides the system into public domains (professional roles) and personal domains (patients) according to users' data access requirements, as shown in Figure 2.9.

Figure 2.9: Patient-centric Framework (Li et al., 2012)

This framework assumes that patient privacy is guaranteed by exploiting Multi-Authority Attribute-Based Encryption (MA-ABE) and by enabling dynamic modification of access policies or file attributes, which supports efficient on-demand user/attribute revocation and break-glass access in emergency scenarios. Users in public domains obtain their attribute-based secret keys from multiple Attribute Authorities (AAs) without interacting directly with patients, who specify role-based, fine-grained access policies for their PHR files at encryption time with no prior knowledge of who the authorized users will be (Li et al., 2012).

This framework addresses the privacy of patients' data by encrypting it before it is outsourced to the cloud, but does not mention any cloud security mechanisms (Li et al., 2012). Although it covers PHRs, it does not cover EMRs or EHRs. By using ABE and MA-ABE the framework enhances privacy and scalability, but there remain limitations to the practicality of using them to build PHR systems. For example, in workflow-based access control scenarios data access rights are granted on the basis of users' identities rather than their attributes, which ABE does not handle efficiently, and the expressiveness of the encryption access policy is limited by MA-ABE, which only supports policies of a restricted form across multiple AAs. In addition, the framework does not address any security or trust mechanisms for protecting the cloud's physical and virtualization computing resources.
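What the patient actually authors in such a scheme is an access structure over attributes issued by several authorities, and what a user's key embodies is an attribute set; decryption succeeds exactly when the set satisfies the structure. The following is an added example and not code from Li et al.: it does not reproduce the pairing-based MA-ABE cryptography, but models the access-policy semantics around it, namespaced attributes from multiple AAs, access trees generalised from AND/OR to k-of-n threshold gates (the usual CP-ABE formulation), attribute revocation, and the audited break-glass path. Authority names, attribute names and the emergency attribute are assumed for illustration.

```python
from typing import Iterable, List, Set, Tuple, Union

# Added example, not code from Li et al. Models the access-policy layer of a
# multi-authority ABE PHR system without the pairing cryptography. Authority
# and attribute names (e.g. "hospitalA:physician") are assumed.

# A policy is a leaf "authority:attribute" or a gate tuple:
# ("AND", p1, p2, ...), ("OR", p1, p2, ...), ("THRESHOLD", k, p1, p2, ...)
Policy = Union[str, Tuple]


def satisfies(policy: Policy, attrs: Set[str]) -> bool:
    """True iff a key holding `attrs` satisfies the access tree `policy`."""
    if isinstance(policy, str):
        return policy in attrs
    gate, *children = policy
    if gate == "AND":
        return all(satisfies(c, attrs) for c in children)
    if gate == "OR":
        return any(satisfies(c, attrs) for c in children)
    if gate == "THRESHOLD":           # k-of-n: AND is n-of-n, OR is 1-of-n
        k, *children = children
        return sum(satisfies(c, attrs) for c in children) >= k
    raise ValueError(f"unknown gate {gate!r}")


class AttributeAuthority:
    """One AA issues attributes only in its own namespace, so two authorities
    cannot collide on 'physician' and a compromised AA can mint only its own."""

    def __init__(self, name: str):
        self.name = name
        self.issued: dict = {}    # user -> set of namespaced attributes

    def issue(self, user: str, attrs: Iterable[str]) -> None:
        self.issued.setdefault(user, set()).update(f"{self.name}:{a}" for a in attrs)

    def revoke(self, user: str, attr: str) -> None:
        self.issued.get(user, set()).discard(f"{self.name}:{attr}")


def user_key(user: str, authorities: Iterable[AttributeAuthority]) -> Set[str]:
    """Effective attribute set of a user's key, assembled from several AAs."""
    key: Set[str] = set()
    for aa in authorities:
        key |= aa.issued.get(user, set())
    return key


class PHRStore:
    """Each stored file carries the owner's policy; the owner never needs to
    know which users will later hold satisfying keys."""

    EMERGENCY_ATTR = "ed:emergency_staff"   # assumed break-glass attribute

    def __init__(self):
        self.files: dict = {}
        self.audit: List[Tuple[str, str, str]] = []

    def encrypt(self, file_id: str, policy: Policy) -> None:
        self.files[file_id] = policy

    def decrypt(self, user: str, key: Set[str], file_id: str,
                break_glass: str = "") -> bool:
        if satisfies(self.files[file_id], key):
            return True
        # break-glass: emergency staff may bypass the owner's policy, but
        # only with a stated reason and never without an audit record
        if break_glass and self.EMERGENCY_ATTR in key:
            self.audit.append((user, file_id, break_glass))
            return True
        return False
```

Two points from the paragraph above show up directly in this model. Revocation is a change to what an AA has issued, so it takes effect on the next key assembly rather than requiring the owner to re-encrypt; the real scheme must achieve the same effect cryptographically, which is what makes revocation expensive. And the identity-based workflow case the paragraph calls out can only be expressed here by turning an identity into an attribute (for example "hospitalA:user_alice"), which is exactly why ABE handles it poorly.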

2.16.5 Secure Electronic Health in Cloud

The Secure E-Health model identifies the general entities of healthcare infrastructures and outlines three main problem areas for security and privacy: the storage, processing and management of data in e-health infrastructures, and the usability aspects for end users. It also presents a security architecture that extends the protection of sensitive data from centrally managed secure networks to the consumers' platforms. A separate privacy domain is established for each application and enforced locally on each platform to protect against unauthorized access, as illustrated in Figure 2.10 (Lohr et al., 2010), which shows that for each application one privacy domain is established in the cloud and enforced on the consumers' platforms of the HSPs. This model constructs privacy domains for patients' medical data as a technical measure supporting the enforcement of privacy and data protection policies, partitioning the execution environments of applications into separate domains that are isolated from each other.

Figure 2.10: Privacy Domains in E-Health Cloud (Lohr et al., 2010)

The e-health structure consists of the consumer's Trusted Virtual Domain (TVD) platform and, for each domain, a master TVD (the server that manages the TVD infrastructure). On the consumer side, a security kernel runs on top of TPM-equipped hardware and provides isolated VMs as required. A TVD proxy manages the TVDs and configures the security kernel according to the TVD policy. The model allows mutual device authentication based on the TPM, which enables a trusted channel to the central e-health infrastructure for accessing the data of the corresponding privacy domain. However, the model does not provide any security techniques for protecting the middleware or the proxy from malicious attacks, and no SLA is mentioned, which is necessary for maintaining trust in a cloud computing environment.

2.17

Gap Analysis of Current Cloud Implementations

The literature study conducted on cloud computing, covering previous work both in general and in healthcare, showed that none of the related projects takes the approach of securing by design the overall cloud computing infrastructure, applications and access while taking into consideration compliance with the HIPAA security and privacy rules and regulations and fulfilling all the SPT requirements; nor does any of them discuss a cloud SLA specific to the healthcare sector. Table 2.1 summarizes the limitations of the related work.

Table 2.1: Gap Analysis of Current Cloud Implementations

Authors: Jamkhedkar et al. (2013)
Model: Security on Demand Framework
Contribution: SoD framework secures the cloud IaaS according to consumers' threat models.
Limitation: Depends on policies, not trusted hardware (TPM). Focuses only on securing IaaS, not PaaS or SaaS. Requires consumers' prior knowledge of threat models. Based on a threat model, whereas attacks are continually changing (FireEye, Inc, 2013). There is no encryption mechanism for data. Discusses only security, not privacy and trust.

Authors: Banirostam et al. (2013)
Model: Trusted Cloud Computing Infrastructure
Contribution: Proposed a TCCI model by developing UTE to ensure the confidentiality, data accuracy and integrity of consumers' VMs.
Limitation: The TCCI model relies on a third party, which can pose risks of malicious access, insider threat and data misuse or breach. TCCI enables trusted VMs but does not include trust in the physical cloud layer. It does not ensure that a system administrator with any access permit cannot enter the host VM via a remote connection and access clients' memory with that permit or run computing on their behalf.

Authors: Youssef and Alageel (2012)
Model: A Framework for Secure Clouds
Contribution: A framework for identifying the security and privacy requirements, attacks and threats, as well as the concerns and risks associated with the deployment of cloud computing. They proposed security and privacy guidelines to mitigate the risks, threats and attacks.
Limitation: The framework and model are general and not specific to any industry. They are not implemented and do not cover all the threats and risks in the cloud environment. The model is based on two-factor authentication, which requires another factor, such as biometric security, for the CSP administrators to prevent any illegal access to consumers' VMs. The authors considered data protection but did not include physical layer security or cover all SPT requirements.

Authors: Li et al. (2012)
Model: ABE Framework for Secure Sharing of PHRs in the Cloud
Contribution: Proposes an ABE framework for sharing PHRs in cloud computing.
Limitation: Does not discuss any physical or virtualization security and trust mechanisms. ABE and MA-ABE have limitations when used to build PHR systems.

Authors: Lohr et al. (2010)
Model: Secure E-Health Cloud
Contribution: Provides a secured architecture based on TVD for privacy domains that involve CSU and CSP platforms.
Limitation: Does not provide any security technique for the middleware. There is also no SLA.

From the previous discussion, the related work models have SPT concerns that need to be addressed. In order to initiate a TCCF for critical information industries, a holistic security- and privacy-preserving approach must be applied to the cloud infrastructure, data and access, including compliance with rules and regulations. TCCF will take the advantages of the previous projects and extend their work by using TNC for securing the network and SEDs for securing data storage, as well as securing access, to ensure the safety of the overall cloud environment so that healthcare can trust and deploy it. The detailed TCCF design is described in Chapter 4.

2.18

Research Roadmap

The research roadmap illustrated in Figure 2.11 shows the steps of conducting the research: identifying the cloud computing paradigm and its offerings, identifying the related standards, including NIST, CSA, TCG and HIPAA, and investigating the five current cloud computing implementation projects and their SPT limitations.

Figure 2.11: Research Road Map

The research contribution is directed towards solving the SPT concerns in order to gain consumers' trust in cloud computing. The main aim is to secure the overall cloud infrastructure, access, data and network. So as not to reinvent the wheel, this study takes the advantages of previous work and extends them by adding more security controls and by proposing the use of TCG technologies to safeguard the hardware, network and data storage, securing access with robust MFA-SSORBAC, and taking into consideration compliance with the HIPAA privacy and security rules. A further contribution is a customized SLA for the healthcare sector. By embedding security in the design, TCCF will overcome the SPT concerns found in the previous work and gain the trust of healthcare organizations and consumers in cloud computing for best business practice.

2.19

Summary

This chapter presented an in-depth literature review of cloud computing offerings for industries, including healthcare, and the current status of their implementation, together with a description of holistic security- and privacy-preserving approaches based on TCG technologies and compliance with HIPAA, and an identification of the cloud computing SLA requirements of the healthcare sector. The gaps in current projects were identified and critically analysed in order to fulfil the SPT and HIPAA requirements in designing the TCCF and in developing a robust MFA technique for verifying the entity that wants to access healthcare records, so as to eliminate the risks of insider and outsider threats; these are discussed further in Chapters 4 and 5.


CHAPTER 3

RESEARCH METHODOLOGY

3.1

Introduction

This chapter provides an overall view of the methodology used to conduct this study, step by step, so as to avoid gaps and errors. A mixed mode of quantitative and qualitative study was used. The quantitative component employs deductive logic, which starts with hypotheses (the research questions) and gathers data to confirm or disprove them (Salim et al., 2010; Williams, 2007); quantitative studies are also easier to distribute and execute than qualitative ones. To elaborate on the methodologies used, this chapter is organized as follows: Section 3.2 presents the relation between cloud computing and software engineering. Section 3.3 discusses the research activities and outcomes. Section 3.4 outlines the research methodology phases. Section 3.5 covers research documentation. Section 3.6 describes the research limitations. Section 3.7 discusses the research planning and schedule. Finally, Section 3.8 presents the summary of this chapter.

3.2

Cloud Computing and Software Engineering

Cloud computing relies on outsourcing and transferring IT management and computing resources to consumers as on-demand services on a pay-per-use basis. It focuses on the cost-effective delivery of services to multiple users through flexible and scalable resource virtualization and load balancing (Yau and An, 2011). It enables the rapid development of large-scale distributed applications in industries such as healthcare, education, banking and the military. Cloud computing tends towards a centralized computing model supported by huge datacenters containing tens of thousands of servers united as a single entity, maintained by special software layers including virtualization technologies and distributed data storage (Harmana et al., 2013). The cloud is presented as a layered architecture that differs from the traditional on-premises computing model. Moreover, cloud computing software and applications are provided to consumers, updated and backed up without their intervention.

Software engineering has embraced cloud computing as a multi-disciplinary field that crosses various social and technological boundaries and considers people's behaviour at the individual and organizational levels when designing and developing new software and technologies. Cloud computing does not only provide services to consumers; it also gives software engineers and developers the tools and platforms required to develop specific programs and applications. However, due to the virtualized nature of the cloud, new software and hardware requirements have evolved that call for more requirements engineering on both consumers and technology.

Combining services and cloud computing in a software engineering framework can assist application developers and service providers in meeting the individual requirements of each service and cloud paradigm, with an emphasis on addressing software engineering challenges. For example, a major challenge in software engineering is how to manage the runtime QoS of loosely coupled services involving distributed service providers; the cloud meets this challenge through resource allocation and virtualization (Yau and An, 2011).

This study aims to leverage cloud computing for implementation in the healthcare sector. It is about establishing a trusted, practical and reliable cloud framework that involves creating and sharing computing resources, processes and services by following the software engineering development steps. Each cloud service model is an independent software entity with a well-defined standard interface that provides certain functions over the network. In designing and developing the TCCF, security is built in throughout the design and development process (Adebiyi et al., 2012). The focus of this research is to analyse the SPT requirements of the healthcare sector, apply the required SPT controls in the design and development of the TCCF, then evaluate it and document the results.

3.3 Research Activities and Outcomes

In order to fulfil the research objectives, the research questions must be answered. Table 3.1 illustrates how each objective is matched to answer a specific question, using an appropriate methodology to achieve the expected outcomes.

Table 3.1: Research Activities and Outcomes

No. 1
Question: What are the current SPT concerns that prevent critical information industries from trusting and adopting cloud computing?
Objective: To identify and critically analyze the current cloud computing SPT concerns that prevent critical information industries from trusting and adopting cloud computing.
Methodology: Literature review study. Reviewed work of (Jamkhedkar et al., 2013; Banirostam et al., 2013; Youssef and Alageel, 2012; Li et al., 2012; Lohr et al., 2010).
Deliverables: Documentation. Identified SPT concerns.

No. 2
Question: How to design a cloud computing framework that can fulfill the security and privacy concerns as well as assist in increasing the trust on cloud computing to be adopted in critical information industries?
Objective: To design a cloud computing framework that can fulfill the security and privacy concerns as well as assist in increasing the trust on cloud computing to be adopted in critical information industries.
Methodology: Designing the proposed Trusted Cloud Computing Framework to be implemented in the healthcare sector as a case study.
Deliverables: Authentication Prototype. Documentation.

No. 3
Question: How to evaluate and ensure that the designed cloud computing framework will assist in overcoming the security and privacy concerns as well as increase the trust on cloud computing to be adopted in critical information industries?
Objective: To evaluate and ensure that the designed cloud computing framework will assist in overcoming the security and privacy concerns as well as increase the trust on cloud computing to be adopted in critical information industries.
Methodology: Developing a Prototype. Survey from experts. Comparison with related work. Compliance with standards. Threat Mitigation.
Deliverables: The framework. Survey results. The prototype. Evaluation results. Thesis. Publications. Documentation.

3.4 Research Methodology

The research methodology adopted is based on a systematic mixed-mode, theory-building approach. It uses inductive reasoning (Cohen et al., 2011) to identify the research problem and the research questions, to conduct an in-depth literature review in order to critically analyze current studies and their limitations, to determine the methods of data gathering and evaluation, and to consider the ethical implications regarding the confidentiality and sensitivity of consumers' data. Induction and deduction are combined in a mixed method to overcome the weaknesses each has when used alone. The study begins with stating the hypotheses, the logical development of these hypotheses, and the clarification and interpretation of the findings and their synthesis into a conceptual framework. The research is performed through several continuous, dependent phases. The initial phase is to gather accurate and relevant literature, then analyze, design and develop the framework. The second phase is to evaluate the framework, and the final phase is to document and publish the results, refining each step of the research to ensure the correctness of the process within the available resources, budget and time. Figure 3.1 presents the five phases of the research methodology (literature review, analysis, design, development and evaluation), which are discussed thoroughly as follows:

Figure 3.1: Research Methodology Phases

3.4.1 Literature Review

In software engineering, a Systematic Literature Review (SLR) is conducted to identify and discuss the existing models and techniques used by researchers and industries (Sulayman, 2007). SLR includes identification of the research questions to be investigated from primary and secondary resources to acknowledge the relevant literature, and extraction of data from the selected studies to analyse the identified gaps. The SLR in this study involves exploring the technology, people, industry, rules and regulations that govern the data and processes. The SLR is done through five steps in order to achieve quality results, as follows:

i. Identification of the cloud computing definition and its service delivery and deployment models, as well as the related cloud computing industry standards to be considered in the research contribution.

ii. Identification of current implementations of cloud computing in general, focusing on the healthcare sector, to detect the SPT concerns and gaps that need to be solved in order to gain consumers' trust to adopt cloud computing for best business practices.

iii. Identification of the trust definition and its aspects for the cloud, besides discussion of the TCG technologies (TPM, SED, TSS, TNC and vTPM) proposed in the design, which will empower trust in the physical, virtualization and application layers of the cloud environment besides securing the network and data storage.

iv. Identification of the SLA as an important trust factor that describes the terms, conditions and fines, which set boundaries between the CSP and consumers. The research scope is to customise the SLA for the healthcare sector to gain its trust to deploy cloud computing for best practices.

v. Identification of the HIPAA requirements to be deployed in the TCCF, as well as a description of the required security controls and IAM to be considered in the framework. Finally, the research road map based on the literature review is provided, as well as the planning and duration of the study.

3.4.2 Analysis

In software engineering, gathering data from primary resources (interviews) and secondary resources (books, online databases such as IEEE, ACM, Springer, Web of Science, etc.) is the first step to identify the research problem and constraints, in order to plan how to solve the research problem within these constraints and then decide the research design based on the analysis of the gathered data. In this study, data for the literature review are gathered from primary and secondary resources to gain more knowledge about the latest trends in cloud computing. After conducting the in-depth literature review and defining the research problem, the next step is a critical analysis of current research, models and frameworks by other researchers to identify the gaps related to SPT in order to formulate the TCCF, taking into consideration the healthcare environment, requirements, policies, rules and regulations, as well as SLAs.

The identified research problem takes the form of several SPT concerns (Thilakanathan et al., 2013; Servos, 2012; Shini et al., 2012; Khatua et al., 2011; Takabi et al., 2010a; Pearson and Benameur, 2010). This study aims to overcome these SPT concerns by designing a secure cloud computing framework to gain consumers' trust in cloud computing and benefit from its advantages. In order to achieve the research aim, several research questions have to be answered and tested with an exploratory mixed-mode survey research approach, as well as implementation of the framework. The survey was selected since there were several limitations on conducting experimental and observational approaches, as discussed below:

3.4.2.1 Survey Design

TCCF is composed of three layers (physical, virtualization and application). Since the framework was not fully implemented (only the authentication part), the appropriate way to evaluate TCCF is to verify the experts' acceptance of the techniques used to secure each layer. TCCF is based on the NIST and CSA cloud security reference architectures, and the security controls proposed for each layer have to be evaluated. The following are the factors that contributed to designing the survey.

Design of the Survey: The survey is designed in two sections as follows:

1. The introduction part, which states the purpose of the survey and the ethics that guarantee the respondents' privacy and confidentiality rights, followed by the framework figure so that the experts can understand it and its components.

2. The question part, which is in the form of one close-ended matrix question consisting of three sub-questions to evaluate the techniques used to secure each layer of the cloud infrastructure, applications and access. By answering these three sub-questions, the overall TCCF security is rated, as illustrated in the survey in Appendix C.

Purpose of the Survey: To investigate the proposed framework design and to gain feedback on the TCCF from experts in diverse locations globally who specialise in cloud computing, healthcare IT and information security, and to ensure the reliability and trustworthiness of the techniques used to secure each layer of the TCCF. Also, to ensure that these security techniques are acceptable for overcoming the SPT concerns of critical information industries, including the healthcare sector. In order to refine the design and verify the reliability of the framework, mixed methods combining quantitative and qualitative studies are performed for empirical data collection.

Survey Distribution Medium: The method for distributing the survey follows a new trend of using social media professional groups to conduct the survey and gather expert feedback within a short time and in a cost-effective manner via the Internet. It does not require any previous relation to or knowledge of the experts. Other methods like Delphi are time-consuming and expensive to conduct, and it is quite challenging to locate experts across the globe who combine healthcare and cloud computing security skills. The survey was distributed using the LinkedIn network, a trustworthy global medium used by experts and professionals (PR Newswire, 2014; Friedman and Savio, 2013; Forrester, 2012) that enables appropriate and authentic responses from academia as well as industry professionals.

The Survey Sample: The targeted experts were in the fields of software engineering, cloud computing security and healthcare. Since cloud computing is in its initial stages, there is no identified number of experts in both cloud security and healthcare (Creative Research Systems, 2012). As a result, the survey ignores the population size, and the sample size is limited to as many responses as could be collected within a time frame of three months. The only possible way to conduct the survey was to reach the global professional network and distribute it in related professional groups in cloud computing, healthcare and information security. Respondents were selected by analyzing their profiles, background records and activities to ensure the validity of their displayed information in order to avoid spammers. However, the response rate was low, only 52 respondents from the distributed professional groups, due to the small number of experts in the domains of cloud security, healthcare and TCG technologies.

Another method used for gathering expert feedback was qualitative open-ended interviews at attended conferences and summits such as CLOUDSEC Conference 2013, HP Software Forum Next Generation Big Data Analytics for IT Management, and HP Converged Cloud Summit. The framework design was discussed with information security and cloud experts to investigate current cloud security technologies for improving the framework design and for evaluating the proposed security and privacy preserving techniques. However, a privacy limitation prevented including these interviews in this research study. Table 3.2 lists some examples of how LinkedIn is used by other PhD students and researchers as a scholarly medium to conduct surveys (Angelov et al., 2014).

Table 3.2: LinkedIn Use Examples

Title: PhD Survey Support Group
Link: https://www.linkedin.com/groups/PhD-SurveySupport-Group-1893323

Title: PhD Research Survey - What do you think of using Social Software for work communication?
Link: https://www.linkedin.com/pulse/article/20140721140259-205349777-phd-research-survey-what-do-you-think-of-using-social-software-for-work-communication

Pilot-Test Stage One: The survey was first tested by performing a pilot-test survey to ensure that the instructions, questions and scale items of the survey were clear. A sample survey was distributed to two experts to guarantee their understanding of the survey items and that their responses were appropriately answered. The first pilot test, using the Survey Monkey tool, needed refinement, since one respondent was not able to access the survey, as illustrated in Figure 3.2. The other respondent was confused because the survey did not have any diagrams, and the questions on the security techniques of the framework were complex to answer and time-consuming.

Figure 3.2: Survey Monkey Expert Feedback

Pilot-Test Stage Two: The second stage of the survey design was conducted by performing a second pilot-test survey, this time using the Kwiksurvey¹ tool, since it was ranked second among online survey tools according to Survey Software Reviews (2012). It is easy to design and distribute, and it uses SPSS for data analysis. Pilot-Test Stage Two was done to gain the experts' feedback on the usability and acceptance of the survey. The respondents' feedback was satisfactory, as shown in Figure 3.3.

Figure 3.3: Kwiksurvey Expert Feedback (Bamiah, 2013)

After ensuring the experts' acceptance of the survey, it was distributed online to experts in cloud computing, information security and healthcare IT to provide their valuable feedback, as shown in Table 3.3.

Table 3.3: Survey Distribution

No. 1
Experts Group: Cloud Computing Architects
Link: https://www.linkedin.com/groups?search=&answerCategory=myq&gid=3114090

No. 2
Experts Group: Cloud Security Alliance, Health Information Management
Link: https://www.linkedin.com/groups?search=&answerCategory=myq&gid=4325391

No. 3
Experts Group: Cloud Security for Enterprises
Link: https://www.linkedin.com/groups?search=&answerCategory=myq&gid=4028043

No. 4
Experts Group: Computer and Software Engineering Professionals
Link: https://www.linkedin.com/groups?mostRecent=&gid=2768947&trk=my_groups-bgrp-dsc

No. 5
Experts Group: CSA Cloud Data Governance Working Group
Link: https://www.linkedin.com/groups?gid=4054159&trk=my_groups-b-grp-v

No. 6
Experts Group: Scientific Cloud Computing
Link: https://www.linkedin.com/groups?search=&answerCategory=myq&gid=3342879

¹ http://kwiksurveys.com/s.asp?sid=naq7jr4wc7n3q9x229056

Figures 3.4 and 3.5 present some of the respondents who gave their feedback on the framework publicly, so that showing them does not violate the ethics of the survey. The total number of valid survey responses after auditing and filtering is 52 experts' responses, which are analyzed further in Chapter 6.

Figure 3.4: Survey Expert 1 Feedback (Bamiah, 2013a)


Figure 3.5: Survey Expert 2 Feedback (Bamiah, 2013a)

Table 3.4 shows the respondents' locations and response rate, which indicates that there is no previous personal knowledge or relationship between the author and the respondents or between the respondents themselves; they share only the rating of the survey. Table 3.5 lists the respondents' specializations.

Table 3.4: Respondents Locations

Country: Respondents
Argentina: 1
Belgium: 1
Canada: 2
Hungary: 1
India: 9
Indonesia: 1
Iran: 1
Italy: 1
Kenya: 1
Malaysia: 5
Mauritius: 1
Palestine: 1
Poland: 1
Qatar: 3
Saudi Arabia: 3
South Africa: 1
Spain: 2
Tunisia: 1
United Arab Emirates: 2
United States: 13
Vietnam: 1
Total Responses: 52

Table 3.5: Respondents Specializations

Specialization: Number
Cloud Computing: 11
Cloud Computing and Healthcare: 2
Computer and Network Security: 10
Computer and Software Engineering Professionals: 4
Healthcare Tech Industry: 4
Information Security and Privacy: 15
Trust: 6
Total Responses: 52

3.4.3 Design

The proposed framework (TCCF) applies the software engineering design and development process, taking into consideration the CSA reference architecture, which secures the three layers of cloud service models (IaaS, PaaS and SaaS) (CSA, 2011), and the NIST cloud computing reference architecture, which likewise secures the three layers of cloud service delivery models (Liu et al., 2011). TCCF proposes the use of TCG technologies to initiate a chain of trust from a root of trust and to empower security by utilizing TPM to secure the physical layer and vTPM to secure the virtualization layer, as well as SED for secure storage and TNC for a secure network, ensuring a trusted cloud computing execution environment. It emphasizes the use of strong access control with federated SSO that considers the dynamic, real-time multi-tenant nature of cloud computing and the confidentiality of consumers' data, by authenticating once and gaining access to heterogeneous cloud resources and services (Revar and Bhavsar, 2011). All of the above-mentioned security mechanisms are achieved considering the HIPAA security and privacy rules and regulations that are discussed further in Chapter 4.

3.4.4 Development

Cloud software engineering development and implementation refer to the development and testing of the proposed system. The authentication part of the TCCF is developed as a prototype initially, to test the proposed solution under certain conditions. The construction activity encompasses a set of coding and testing tasks that lead to operational software ready for delivery to the customer or end user. The development of the TCCF prototype is discussed further in Chapter 5.

3.4.5 Evaluation

For evaluating the framework design, several methods were used: comparison with previous work, a survey, compliance with CSA and HIPAA standards, and compliance with the Office of the National Coordinator (ONC) for HIT security guidelines, besides the TCCF prototype.

3.5 Documentation

Documentation started at the beginning of the research and was refined throughout the study period, along with publications on the contributions of this study as listed in Appendix A. The final and complete documentation is compiled in this thesis in order to share the knowledge gained with others.

3.6 Research Limitations

Several limitations formed obstacles to performing the research, such as the limited real implementation of cloud in the healthcare sector in Malaysia. It was very hard to locate experts, since cloud computing is a new emerging paradigm. The only solution was to seek experts through their group domains and valid profiles via social media; the most appropriate was LinkedIn, as discussed in Section 3.4.2. The responses from experts were few due to their busy schedules, privacy barriers and/or lack of interest. Furthermore, the survey was distributed all over the world, since cloud implementation in healthcare is still in its initial stages and experts can be located in developed countries such as the USA, UK, etc. Not only are there limited numbers of experts in both cloud security and healthcare, but also limited computing resources for TCG technologies such as TPM, SED, vTPM and TNC that need to be tested and verified.

3.7 Research Planning and Schedule

This research is achieved through three phases that depend on each other and need refining to ensure that they meet the research objectives, as follows:

3.7.1 Phase 1

Phase one was achieved in the first year by conducting an in-depth literature review on the research topic area to identify the research problem, objectives and methodology. Throughout Phase 1, research assistant courses were attended, journal papers based on the literature were published, as listed in Appendix A, and conferences related to security, cloud and healthcare were attended to verify the latest methods applied in the field of research.

3.7.2 Phase 2

Phase 2 was achieved in the second year with data gathering and writing the research proposal for the defense, which is based on the submission of three chapters and the associated progress report. After the first assessment defense, the research was refined and the TCCF design started, besides documentation and writing more publications.

3.7.3 Phase 3

Phase 3 was achieved in the final, third year by conducting a survey and developing a prototype for evaluating and refining the framework, then documenting the research and giving it to proofreaders for refining, and also preparing for the final research defense. Moreover, during the third year, the TCCF was reviewed by experts for refining and evaluation. Table 3.6 illustrates the planned thesis milestones.

Table 3.6: Thesis Timeline Planning

Year/Quarter columns: 2011 (Q1, Q2, Q3, Q4); 2012 (Q1, Q2, Q3, Q4); 2013 (Q1, Q2, Q3, Q4); 2014 (Q1, Q2)

Activity rows: Problem definition; Literature review; Analysis; Designing Framework; Developing Prototype; Evaluating Framework; Documentation; Writing Articles; Proofreading; Submitting Thesis; Viva Voce

3.8 Summary

Throughout this chapter, the methodology for achieving the research objectives and the techniques used according to the software engineering process, such as literature review, analysis, design, and evaluation, were discussed. Research activities and outcomes were presented to critically analyse the methods of answering the research questions, and data gathering and survey distribution were also presented. The documentation process was conducted in parallel with the completion of each study milestone.


CHAPTER 4

TRUSTED CLOUD COMPUTING FRAMEWORK DESIGN

4.1 Introduction

Cloud computing is a complex multi-tenant architecture that has the traditional hardware and software components besides additional virtual components, which require extra layers of security for network, storage and data privacy preservation. Cloud computing involves heterogeneous entities that need to be protected against risks, vulnerabilities and threats. The CSP is responsible for protecting the services, applications and the hosting physical platform. The computing platform and configuration state have to be measured by trust measurement indicators such as the TPM in order to be trusted by the consumers (Achemlal et al., 2011).

The TCCF extends the trust definitions discussed in Chapter 2, Section 2.7 and takes into consideration standards such as NIST, CSA, TCG and HIPAA in designing the TCCF according to the software engineering design steps discussed in Chapter 3, Section 3.4. The TCCF design considers healthcare SPT requirements and aims to secure the cloud execution environment (technology, data, the communication channel, devices, as well as people's access). Moreover, the design ensures that the TCCF complies with the legal rules, policies and procedures of HIPAA and HITECH. Also, the TCCF provides a customized SLA which preserves service availability, data safety and privacy. It considers the multi-tenant, dynamic nature of cloud computing, which needs to be secured from every perspective to gain trust and acceptability in the market.

The new trends of mobility in the healthcare environment, the Internet of Things (IoT) and Bring-Your-Own-Device (BYOD) have raised an additional burden to enforce data protection and to re-approach the network security infrastructure. It is recommended that each mobile activity be monitored and logged to detect any suspicious activity involving access to healthcare data or applications. The core aim of the TCCF is to secure the cloud computing physical, logical and virtualized environment, in addition to preserving privacy, integrity, confidentiality and data protection, to strengthen the trust of healthcare and critical data industries in deploying cloud computing. This chapter focuses on designing the TCCF based on the findings of the literature review and the results of the research study survey experts' feedback.

4.2 Research Design Assumptions

Physical Security: The CSP implements advanced physical security controls in its cloud environment, including human guards, CCTV cameras and on-site security systems with key cards and biometric scanners for human physical access authentication, in order to prevent illegal physical access and for auditing purposes.

Need to Know Basis: The location of cloud data centres is known only to the people who need to know, to prevent insider and outsider threats.

Several Redundancies: The CSP's physical security controls and facilities provide a reliable physical infrastructure with many layers of redundancy for power, cooling and connectivity to assist in ensuring cloud service availability.

Limited Direct Access: Access to data is granted only to those needing access, on a per-device basis, besides documenting user access permissions. Furthermore, unauthorised login attempts must be logged and monitored.

Secure Cloud Computing Infrastructure: The secure cloud infrastructure is built on solid hardware, virtualization and software stacks. In addition, OSs are continually managed and patched to ensure security against possible threats and malware.

Secure Communication Channel: Sensitive data and applications are encrypted and transmitted over secure encrypted network protocols such as HTTPS by default.

Single CSP: The study is for a single cloud, not multiple clouds or an InterCloud, because requirements change when implementing multi-clouds from various CSPs who differ in their offerings of cloud service delivery and deployment models.

Cloud Device Detection: CSP has a mechanism of scanning any device or system which attempts to access the service in order to block any virus or malicious activity.

Cloud Data Inputs: The healthcare sector has various data input resources such as sensors, Radio Frequency Identification (RFID) tags, mobiles, body-sensing smart devices and so on for monitoring patients' health parameters in real time and over long durations, which need high security, service availability and accuracy.

Data Encryption: Data are encrypted by default in the design with the latest efficient and reliable encryption techniques. Data at rest are encrypted with TCG SEDs, and data in transit are carried over an encrypted, secured communication channel that uses SSL/TLS (HTTPS), as well as IPsec tunnelling between application servers and consumers. Furthermore, data are encrypted while in process with fully homomorphic encryption, which allows processing of encrypted data without the need to decrypt it first, to preserve the privacy of PHRs and EHRs (Messmer, 2013).

Data Auditing: The audit trails of data and logs are secured and encrypted in a safe place, such that they cannot be located on the same host or hypervisor as the components generating the audit logs (Ahmed, 2012).

4.3 TCCF Trust Definition

TCCF extends the trust definition of (Fan et al., 2012; Ko et al., 2011; Khan and Malluhi, 2010) to include healthcare consumers' trust requirements on cloud computing. Healthcare trust in cloud computing can be achieved when consumers are confident of the following factors:

i. Consumers' data and computing resources are available, secure and under their control, with a known data storage location.

ii. Consumers can audit CSP processes to ensure that their sensitive data and applications are highly protected from unauthorized access, data breaches and malicious attacks from insiders or outsiders, as well as ensuring that the CSP has applied robust security and privacy controls in compliance with HIPAA.

iii. Consumers' privacy and rights are protected by the SLA, and they are assured that the CSP is certified and complies with rules, regulations and standards. Consumers have the right to change the CSP on poor service and the right to retain all their data with continuously well-maintained integrity.

iv. Consumers are assured that their data are destroyed in a proper way.

The CSP has to achieve all trust factors (security, privacy, availability, accountability and auditability) regarding human behaviour, reputation, and the security of infrastructure, devices, data, systems, applications and processes, besides considering compliance with rules, regulations and standards. The healthcare sector can trust cloud computing when all of the above-discussed constraints and security controls are achieved. TCCF's contributions to achieving healthcare trust in implementing cloud computing are as follows:

i. TCCF secures the physical, virtualization and application layers by implementing TCG technologies and strong IAM.

ii. TCCF preserves data privacy and ensures that there is no disclosure of confidential healthcare records to unauthorized parties, by means of MFA and strong IAM, in addition to data encryption in transit, in process and at rest.

iii. TCCF ensures efficient key management by securing key storage with TPM and SED.

iv. TCCF provides a customised SLA which preserves consumers' rights for auditing and various levels of security according to data sensitivity.

v. TCCF ensures a maximum level of security, availability, privacy and confidentiality of data and computing resources in the cloud by implementing robust SPT controls and providing data backups.

vi. TCCF ensures that the CSP provides transparency of its security mechanisms and the location of the data storage zone, emphasising that it complies with the healthcare rules and regulations enforced by the SLA.

4.4 TCG Technologies

TCCF proposes the use of TCG technologies for more interoperability and enhanced performance of trusted components such as TPM, TSS, vTPM, TNC and SEDs. These trusted technology standards establish roots of trust for both hardware and software, besides the communication channel and data storage, in a cloud computing environment in order to protect the physical and virtualization environment and the data against attacks. This will strengthen the trust of healthcare, as a sensitive data industry, to adopt cloud computing and benefit from its promising cost-effective features. According to an Aberdeen survey analysis, 41 companies that implemented TCG technologies such as TPM and SEDs made significant cost savings compared to 86 companies that did not include TCG technologies (Brink, 2012).

4.5 Customized Cloud SLA for Healthcare

The main contribution in this part is proposing additional context to the SLA that should be customised according to healthcare requirements, as follows:

i. The SLA should specify the location of data within the borders of the CSU's country, or CSUs should be able to choose the country where they allow the provider to locate, circulate and/or manage their data, from operational data to backups (European CIO Association, 2012).

ii. The SLA should specify the levels of security and/or isolation needed for virtualized and/or physical resources (Rutkowski and Mahmud, 2012).

iii. The SLA should specify that the location of data storage, backup and archive complies with the rules and regulations (Rutkowski and Mahmud, 2012).

iv. The SLA should describe e-discovery policies and a disaster recovery plan to maintain data availability for best business practices (Anderson, 2011).

v. The SLA should specify the mechanism for deleting data and whether any data backup is provided. Also, retrieval of data backups, if needed, has to be accurate and in real time. On deletion, there has to be assurance that data are fully deleted from the storage and backups (Renda et al., 2012).

vi. The SLA must include SPT requirements, including data encryption mechanisms, data integrity checks, detailed access logs, personnel background checks, data failure and disaster management, as well as an accurate working security policy (Renda et al., 2012).

vii. The SLA should specify an Exit Plan mechanism with expectations on the provider to ensure a smooth transition of accurate, complete data and proof of deletion of all data after the transition is done (Renda et al., 2012).

viii. The SLA should define data protection mechanisms throughout the whole data life cycle.

ix. The CSP must schedule audit dates for consumers to satisfy them regarding the service provided, without impacting performance. If there is any update or change to the service, the consumer must be notified, and the SLA must be reassessed after every change (Renda et al., 2012).

x. Penalties for violating the SLA from both sides have to be specified, as well as termination terms and conditions (Renda et al., 2012).

xi. The CSP must provide proof of regulatory compliance with rules and regulations (Bamiah et al., 2013).

xii. The CSP must be transparent and proactive by notifying the consumers when there is a breach of the SLA terms. This includes infrastructure issues like outages, performance problems and security incidents (Renda et al., 2012).

xiii. The CSP must keep its certificates up to date to maintain its credibility and reputation (CSA, 2011).

xiv. Intellectual property must be clearly defined and protected in the SLA to ensure that the CSP will not use the CSUs' data for its own purposes (Lehman and Vajpayee, 2011; Schnjakin et al., 2010).

For an efficient SLA, the security controls shown in Table 4.1 have been added, based on (Myerson, 2013; Butler, 2012).

Table 4.1: SLA Security Controls (Myerson, 2013; Butler, 2012)

Security Control | Description
--- | ---
Availability | Service availability, which indicates the probability at which the service is usable (e.g. 99.99% and appropriate backup); average recovery time and time of the data recovery point, as well as service suspension time.
Privacy | How the CSP isolates data and applications.
Audit | The consumer must have the ability to check the security, privacy and architecture of the CSP system.
Data | The CSP must provide: deletion proof when the service is no longer in use or on exit; data encryption to ensure security and privacy; verification that the data location is consistent with local legislation; data backup for disaster recovery.
Down Time / Penalties | The CSP must specify in the SLA the mechanism for managing downtime and any subcontracts, besides consumer refunds.
Evaluations | The CSP must provide a certificate that verifies its security controls.
Service Failure | Reports of any security breach for which the CSP is responsible.
Exit Plan | Details of the exit process, including the responsibilities of the CSP and the consumer when the SLA terminates.
Customer Service | To identify problems and solve them in real time.
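The Availability row of Table 4.1 states a percentage target; the following is an added example (not code from the thesis) of how a CSU can check such a target against the CSP's outage records. The reporting period, the two outage records and the 10% credit clause are constructed assumptions used only to make the block runnable.

```python
"""Added example: measure a CSP's availability against an SLA target such as 99.99%.

The outage records, reporting period and credit clause are constructed assumptions,
not figures from the thesis."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime
    cause: str  # e.g. "maintenance" or "incident"


# Constructed reporting period and outage records (not from the thesis).
PERIOD_START = datetime(2014, 11, 1)
PERIOD_END = datetime(2014, 12, 1)
SAMPLE_OUTAGES: List[Outage] = [
    Outage(datetime(2014, 11, 5, 2, 0), datetime(2014, 11, 5, 2, 3), "maintenance"),
    Outage(datetime(2014, 11, 18, 14, 10), datetime(2014, 11, 18, 14, 17), "incident"),
]


def allowed_downtime(target_pct: float, period: timedelta) -> timedelta:
    """Downtime budget implied by a percentage target (99.99% over 30 days is 4.32 minutes)."""
    return period * (1.0 - target_pct / 100.0)


def total_downtime(outages: List[Outage], period_start: datetime, period_end: datetime) -> timedelta:
    """Sum outage time, clipped to the period so an outage spanning a month boundary is not double counted."""
    down = timedelta()
    for o in outages:
        start = max(o.start, period_start)
        end = min(o.end, period_end)
        if end > start:
            down += end - start
    return down


def evaluate_sla(outages: List[Outage], period_start: datetime, period_end: datetime,
                 target_pct: float, credit_pct_on_breach: float = 10.0) -> Dict:
    """Compare measured availability with the target; the credit figure is an assumed penalty clause."""
    period = period_end - period_start
    down = total_downtime(outages, period_start, period_end)
    availability = 100.0 * (1.0 - down / period)
    budget = allowed_downtime(target_pct, period)
    breached = down > budget
    return {
        "availability_pct": round(availability, 4),
        "downtime_minutes": round(down.total_seconds() / 60, 2),
        "budget_minutes": round(budget.total_seconds() / 60, 2),
        "breached": breached,
        "credit_pct": credit_pct_on_breach if breached else 0.0,
    }


if __name__ == "__main__":
    # 10 minutes of outage against a 4.32-minute budget: the 99.99% target is breached.
    print(evaluate_sla(SAMPLE_OUTAGES, PERIOD_START, PERIOD_END, 99.99))
```

The point for an SLA negotiation is that "99.99%" is a budget of about four minutes per month, so a single short maintenance window can already consume it; the audit and penalty rows of the table are only enforceable if the CSU can run this kind of calculation on the CSP's own outage reports.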

4.6 Compliance with HIPAA Requirements

In TCCF, compliance with HIPAA is achieved by built-in overall system and infrastructure security, maintenance of data security and privacy, and robust access control through strong authentication and authorization methods, in addition to encrypting consumers’ data at rest, in process and in transit. TCCF ensures that each access to PHRs and EHRs is authorized by providing detailed reports on all system and user logs, including when, by whom and what information has been accessed. The reporting process, combined with remote user provisioning, aims to comply with HIPAA and protect CSUs’ privacy (HealthIT.gov, 2012). Furthermore, TCCF considers strict enforcement of CSU information access policies and detection and auditing of malicious activity; it also maintains physical and logical security mechanisms to protect against data loss or misuse, besides meeting compliance and privacy standards by ensuring full activity logging, reporting and auditing, in order to demonstrate to regulators that TCCF IT systems are properly protected.

4.7 TCCF-Multi-Factor Authentication

TCCF specifies a strict identity and access control policy to protect against malicious access and insider threats. It provides federated SSO MFA to achieve SPT and productivity while decreasing cost, downtime and repetitive tasks. Several scenarios of user MFA are discussed further in Chapter 5.

4.8 TCCF-Data Security

Securing consumers’ sensitive data against malicious access, misuse, breach and leakage is vital in a multi-tenant cloud environment. Consumers have no control over their data and computing resources once they are moved from on-premises to the cloud’s off-premises location (Rong et al., 2013; Redd, 2011). CSPs facilitate the SaaS service delivery model as a centralized hosted web application for healthcare. Thus, in the healthcare cloud, consumers collaborate with the CSP in their own authoritative and administrative domains, which requires a federated architecture and raises the necessity for robust security and access control mechanisms to protect sensitive data at the CSP side using their policies and user profile information. All access control policies are evaluated at the CSP side, which distributes the consumers’ policies over their required applications. However, since the consumers’ data are under the control of the CSP, this raises the risk of data exploitation. To prevent this risk, TCCF secures the Data Life Cycle (DLC) by encryption and isolation techniques, in order to comply with HIPAA security rules and regulations and to protect data from possible threats.

In TCCF it is mandatory that all records and logs are encrypted when stored, using TCG-SED full disk encryption, for more safety and trustworthiness. Furthermore, the data security methods extend the work of (Chen and Zhao, 2012; CSA, 2011; Yu and Wen, 2010), who included data backup in the storage and archive stage. TCCF separates backup into a phase of its own that has to be secured and maintained to ensure data availability. Figure 4.1 illustrates the TCCF contribution to cloud data security.

Figure 4.1: TCCF-Cloud Data Life Cycle

4.8.1 Data Creation Security

Data creation refers to the process of generating new digital content (CSA, 2011). When data are created on the consumer’s device, in the HSP’s applications, or in CSP VMs, it is assumed that the consumer device is trusted, or at least secured. Consumers are responsible for the safety of their data, applications and computing resources at the device and application level. They must ensure that their resources will not impact or harm the CSP’s cloud computing environment. The CSP must secure the VMs against threats and malicious access so as to safeguard consumers’ data in the cloud environment.

4.8.2 Data Transfer (in Transit) Security

Protecting data during transfer is a core requirement of the HIPAA data protection regulations. In TCCF, securing data in transfer refers to protecting CSU data while it is transferred between the cloud and the consumer and vice versa, or between cloud structure components, and also securing the endpoints that data are transmitted from and to, which requires a strict transfer mechanism. In TCCF the CSP uses standard network and best-practice techniques and protocols for securing the data transfer communication channel and endpoints, described as follows:

i. Secure Shell (SSH) and Secure File Transfer Protocol (SFTP) are used for secure data logging, authentication and secure sharing of data with a remote computer. SFTP encrypts the file and securely transfers data using SSH to protect data privacy, as well as to identify whether the device receiving the data is trusted. SSH tunnelling focuses on establishing an encrypted tunnel between the device and the cloud. SFTP uses port 22, which is the same as the SSH protocol, so it eliminates the need for opening another port in the firewall (Indiana University, 2013; Redd, 2011).

ii. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are used for strong network traffic encryption. SSL/TLS provides server and client authentication besides encryption of communications, to protect users’ data during transfer between servers in the cloud or between server and browser, in order to prevent any unauthorized access to the data (Subashini and Kavitha, 2011; Tracy et al., 2007). SSL is the standard for establishing trusted exchanges of information over the Internet. Furthermore, using SSL with AES 256-bit encryption in cloud computing will protect data privacy. An SSL certificate verifies the identity of any server or endpoint receiving the data, which can then move securely between servers or between servers and browsers. In addition to SSL, device authentication identifies each device involved in the transaction before the data transfer process begins, keeping untrusted devices from accessing sensitive data.

iii. All data transit is done over Hyper Text Transfer Protocol Secure (HTTPS), which is HTTP over SSL/TLS with server certificate authentication, to secure the communication between the consumer and the cloud and to ensure that only appropriate and approved cryptographic algorithms are employed to protect sensitive data and meet compliance requirements. Automatic encryption of data is provided through a user-friendly API. HTTPS enables the cloud to decrypt, analyse, and re-encrypt content between SSL-secured websites and an end user’s browser (Bamiah et al., 2013).

iv. In TCCF, endpoints (network nodes and servers) are secured by TNC before data are transferred, in order to protect the cloud from worms, viruses or malicious attacks. TNC performs several operations: it blocks unauthorized users/devices, enables endpoint authentication, performs automatic platform integrity measurement and integrates security systems. It also inspects endpoints for compliance with security policies before allowing them on the protected network (TCG, 2011c).
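Items ii and iii above require server certificate authentication and "only appropriate and approved cryptographic algorithms". The following added example (not code from the thesis or from any TCCF implementation) shows what those two requirements look like as a client-side TLS configuration in Python's standard `ssl` module, together with an audit function that reports the settings a transfer policy like this one forbids. It assumes Python 3.7 or later built against OpenSSL 1.1 or later; the cipher string and the policy thresholds are the editor's choices, not the thesis's.

```python
"""Added example: a hardened TLS client context for HTTPS/SFTP-style transfers and an
audit function that flags weak settings. Assumes Python 3.7+ with OpenSSL 1.1+."""
import ssl
from typing import List, Optional


def hardened_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client side of an HTTPS connection: trusted CA store, hostname check, TLS 1.2 as the
    floor, and only forward-secret AEAD suites (TLS 1.3 suites are always enabled by OpenSSL)."""
    ctx = ssl.create_default_context(cafile=ca_file)  # system CA bundle when ca_file is None
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """A context that skips certificate verification, as found in scripts that 'just make it work'.
    Any endpoint can then impersonate the cloud service (item ii's guarantee is lost)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the policy violations found in a context; an empty list means it passes."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not required")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    for suite in ctx.get_ciphers():
        # 'kx-rsa' is static RSA key exchange (no forward secrecy); aead False means a CBC/MAC suite
        if suite.get("kea") == "kx-rsa" or suite.get("aead") is False:
            findings.append("weak cipher suite enabled: " + suite["name"])
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))  # []
    print("weak:", audit_context(weak_client_context())[:2])
```

The hardened context is what a TCCF client library would hand to `http.client.HTTPSConnection` or `urllib`; the audit function is the check a CSU can run over a third-party client before trusting it with PHR transfers, since a context that disables verification fails silently in normal operation and is only visible by inspection.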

4.8.3 Data in Use Security

The data in use process refers to data being viewed, processed or used in some activity. In a shared cloud environment there is a need for strong data isolation and protection mechanisms. Protecting data in TCCF starts with authenticating and attesting the endpoint using TCG technologies and secure data transfer over a secure communication channel. Furthermore, the data are protected while application services are still running, within the application and middleware layer.

4.8.4 Data Sharing Security

Data sharing refers to the process of distributing and sharing the data with other parties. For example, a patient shares online data with her doctor or family. Maintaining data privacy is critical in healthcare to protect against misuse or breach. In TCCF, data sharing is done under strict and efficient policies that are granted by the patients to the HSP and by the HSP to the CSP. Data are isolated and encrypted while shared, under the same policies that apply to securing data in transfer and in use. Log files and activity monitoring are considered in TCCF for tracking any malicious access.

4.8.5 Data Storage Security

Data storing refers to the process of placing the data in a “drive” on the local device, another computer, or online in the cloud. Storing data in the cloud raises the risk of losing the data if a natural disaster happens, as well as the risk of internal and external threats. TCCF uses TCG-SED full disk encryption drives to protect against data breach and malicious access, as well as against some types of application abuse. SEDs provide automated encryption with minimal cost or performance impact. In TCCF there is a strict policy that only the personnel who maintain the data centres may know their location and access them, to protect against malicious insiders.

4.8.6 Data Backup Security

Data backup is the process of making a copy of data or files and storing it as a “backup” in case the first copy is corrupted, destroyed, lost, or compromised. For critical systems it is recommended to have a two-tiered system, where one backup copy remains onsite for immediate restores of critical data, and a secondary backup stays in the cloud repository in case the first backup is destroyed. Data backup is an important phase for recovering data that guarantees the availability and continuity of consumers’ data, which is very critical in healthcare, where 100% service availability is required. Securing data backup starts with efficient scheduling and updating. In addition, data backups are encrypted using SEDs, under a strict access policy with least-to-know privileges.

4.8.7 Data Archive Security

Data archiving is the process of keeping data in long-term storage. Data archive differs from data backup in that the existence of an archive file is independent of the existence of the file from which it was copied, whereas a backup copy is dependent on the existence of the file on the local computer or the CSU’s VMs. Data backup occurs continuously, since files are constantly changing; for example, data backup can be once a day, or many times per hour. Moreover, backups keep several different versions of the files in case one of the more recent copies becomes corrupted. Data archiving occurs only once. In TCCF, data archive security is the same as data storage security, using SEDs and a strict access policy with least-to-know privileges.

4.8.8 Data Destruction Security

Data destruction refers to the process of deleting and permanently destroying the data using physical or digital means. CSUs should never be able, nor have the opportunity, to access a previous consumer’s data that has not been fully deleted from their VMs. This is very critical in the healthcare sector. TCCF includes deterrent security controls that provide more visibility to CSUs by giving a message that, if they want to terminate the service with the CSP and exit, all their data will be deleted from their VMs. When a cloud service is terminated, at the normal end of the service duration or for any other reason, the CSP must ensure that all of the consumers’ data are deleted from the cloud storage. The data deletion mechanism and retention period are enforced by the TCCF-SLA and negotiated with and agreed by the CSUs.
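Sections 4.8.5 to 4.8.8 rely on encrypted storage (SEDs) and on the SLA's "proof of deletion" requirement. The following added example (the editor's, not code from the thesis) shows the mechanism that ties the two together: every copy of a tenant's data, backup included, is encrypted under a tenant key that is kept apart from the data, so destroying that key is the deletion, and the CSP can issue a receipt the CSU verifies. The cipher inside is a toy HMAC-SHA256 keystream so that the block runs with the standard library alone; a real deployment would use AES-GCM or the drive's own key erase, and the HMAC receipt stands in for a digital signature. Tenant names, records and keys are constructed.

```python
"""Added example: crypto-erase with a verifiable deletion receipt.

Toy cipher (HMAC-SHA256 keystream) for illustration only; use AES-GCM or an SED's
key erase in practice. All tenants, records and keys here are constructed."""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone
from typing import Dict, List, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream; each block is HMAC(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    nonce = secrets.token_bytes(16)
    return nonce, bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def _canonical(body: Dict) -> bytes:
    """Stable serialisation so the receipt MAC covers exactly the fields shown to the CSU."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class TenantStore:
    """Ciphertext lives in 'storage' and 'backup'; keys live in a separate key store,
    mirroring the thesis's rule that data and their keys are held apart."""

    def __init__(self, audit_key: bytes):
        self.keys: Dict[str, bytes] = {}
        self.storage: Dict[str, List[Tuple[bytes, bytes]]] = {}
        self.backup: Dict[str, List[Tuple[bytes, bytes]]] = {}
        self.audit_key = audit_key  # CSP receipt key (HMAC stands in for a signature key)

    def onboard(self, tenant: str) -> None:
        self.keys[tenant] = secrets.token_bytes(32)
        self.storage[tenant] = []
        self.backup[tenant] = []

    def write(self, tenant: str, record: bytes) -> None:
        nonce, ct = encrypt(self.keys[tenant], record)
        self.storage[tenant].append((nonce, ct))
        self.backup[tenant].append((nonce, ct))  # backup shares the tenant key: one erase covers both

    def read(self, tenant: str) -> List[bytes]:
        key = self.keys[tenant]  # KeyError once the key is destroyed: ciphertext is unrecoverable
        return [decrypt(key, n, c) for n, c in self.storage[tenant]]

    def destroy(self, tenant: str) -> Dict:
        """Exit plan: erase the key first (that is the deletion), drop the copies, sign a receipt."""
        key = self.keys.pop(tenant)
        fingerprint = hashlib.sha256(key).hexdigest()  # binds the receipt to the key without revealing it
        del key  # a real key store zeroizes the key; Python offers no such guarantee
        self.storage.pop(tenant)
        self.backup.pop(tenant)
        body = {"tenant": tenant, "key_fingerprint": fingerprint,
                "copies_removed": ["storage", "backup"],
                "time": datetime.now(timezone.utc).isoformat()}
        return {"body": body, "mac": hmac.new(self.audit_key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_receipt(receipt: Dict, audit_key: bytes) -> bool:
    """CSU-side check of a deletion receipt against the receipt key shared with the CSP."""
    expected = hmac.new(audit_key, _canonical(receipt["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["mac"])
```

The order inside `destroy` matters: the key goes first, so that even if removing the storage or backup copies fails part-way, what remains is ciphertext without a key. The receipt records only a fingerprint of the destroyed key, which lets an auditor later confirm which key the receipt refers to without the receipt itself being sensitive.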

4.9 Trusted Cloud Computing Framework (TCCF) Design

Trusted Cloud Computing Framework (TCCF) has various functionalities, as follows:

i. TCCF ensures that only authorized users/systems access the information, in order to preserve privacy and integrity while communicating with remote systems. The aim of TCCF is to secure the cloud platform through a layered architecture that embeds TCG technologies (TPM, TSS, TNC, SED and vTPM) to establish trust within the healthcare cloud systems.

ii. TCCF secures the communication channel between end points, dedicated processes, CSUs and execution services. The CSUs’ data are transmitted through the secured channel and used in computations running in an isolated environment, while the outcome is rendered only to a dedicated user or process.

iii. Healthcare trust requirements have been discussed in Section 4.3. The next step is to identify the entities of TCCF in order to determine proper security, privacy and trust mechanisms for these entities.

iv. Securing consumers’ data and computing resources is vital, since an internal threat can have a huge impact on violating people’s privacy and may cause data breach or misuse. In TCCF every type of CSU is guaranteed Multi-Factor access control according to his/her role and the organization’s policy.

v. TCCF secures cloud computing service delivery and deployment models against insider and outsider threats, emphasising the deployment of “Security by Design” for IaaS, PaaS and SaaS based on industry best practices, TCG technologies and security controls, in addition to enforcing strict policies for passwords and data.

vi. Data security and privacy are important aspects of TCCF, since preserving consumers’ data privacy and security is a major requirement of HIPAA. TCCF secures data at rest, in process and in transit. In addition, data are encrypted by default in the design.

vii. The main feature of the TCCF framework is its consideration of mission-critical applications, which necessitate the ability of CSUs to have control over their data location, isolation, compliance and integrity in order to overcome the trust issue. To ensure that this is included in the framework, the attestation process has to cater for changes in hardware configuration or updates in the software that runs in the VMs. TCCF ensures that the TPM is used as the hardware root of trust throughout the platform components in the cloud system, including the hypervisors.

The TCCF design approach is to embed SPT controls into every phase of the framework without impacting its functionality and usability. TCCF extends the work of (Lohr et al., 2010), who used TPM and TVDs in their models to secure an e-health cloud infrastructure. TCCF adds more SPT aspects to the framework, taking into consideration the Information Technology Security Guidance (ITSG-33) (Moffa, 2012). TCCF consists of three vertical layers (Physical, Virtual, and Application Layers). Each layer of the framework represents cloud resources that share common characteristics and is offered as an on-demand service to CSUs. For example, application layer services are offered to SaaS and PaaS users, while the virtualization and physical layers are offered to IaaS users.

The layered architecture assists in understanding the relations and interactions amongst cloud computing resources. A vertical layer is specified by the nature of the resource (i.e. physical, virtual, or application), as shown in Figure 4.2. A horizontal layer is specified by the function of the resource (i.e. server, network, or storage). Each horizontal layer contains domains that represent related resources, which enforce a domain-defined policy for the targeted cloud service delivery model. The policy employed at each layer of the TCCF architecture is based on several factors, including infrastructure and user properties. Between these vertical layers sit the middleware layers, which glue cloud computing resources together by providing a set of trustworthy, automated, self-managed services that consider users’ SPT requirements by design (Abbadi, 2011a). TCCF procedures start by securing the physical layer with the TPM to build chains of trust, moving up by adding appropriate security controls for the upper layers to secure the overall cloud environment, as follows:

Figure 4.2: TCCF-layered Architecture

4.9.1 Physical Layer Security

This layer represents the initial point that contains the CSP’s physical infrastructure (servers, storage, and network components) and their interactions, as described in Figure 4.3. The physical layer resources are consolidated to serve the virtual layer.

Figure 4.3: TCCF-Physical Layer

Securing the TCCF physical layer is done by integrating TCG-TCP into cloud systems to perform authentication, confidentiality and integrity. TCG-TCP improves the performance of cryptographic computation and cloud computing security without adding complexity for users (Naruchitparames, 2011; Celesti et al., 2011; Ivanov et al., 2010). In TCCF, gathering evidence is the only way to verify that the computing system has not been changed or modified, and so to establish trust. In order to achieve this, a baseline measurement must be established. By comparing the baseline integrity measurement against the integrity measurement taken every time the computing platform is powered on, the decision of trust becomes an evaluation of the evidence.

These measurements can be encrypted and stored separately from their encryption and decryption keys. If the baseline and current measurements are equal, then the system is started and the entity can gain access; otherwise access is denied and the system is returned to its previous state. The current hardware standard for performing these integrity measurements is the TPM, which has the capabilities for measuring the system state, encrypting data and storing keys, among other capabilities discussed in Chapter 2, Section 2.8.1. In TCCF, a TPM is embedded inside each processing platform in the cloud, which allows the identification of servers and devices as well as users. The TPM provides mechanisms for creating unique cryptographic identities, and for attesting a system’s state using the TSS and signed SHA-1 hashes of binary files. The TPM and TSS check what is installed on each device and verify the device’s health and proper performance.

The TPM is the only standardized physical device to measure trust indicators in open platforms (Achemlal et al., 2011). Once the TPM is activated by the CSA on the cloud computing platform, its functionality starts by improving the security and trust of the cloud services. Initiating the root of trust process begins with the CRTM measuring its own integrity and the integrity of the BIOS, the master boot record, the kernel, the OS and isolated processes. The CRTM establishes secure authenticated boot, which allows loading only a known set of applications, as well as loading code while securely recording the measurement status.

Each component measures the integrity of its successor before loading it and stores the hash value in a PCR. The TPM verifies the integrity of each of these entities in a sequential manner and protects its internal data structures to prevent its computations from being subverted by the host system or CSAs. The TPM ensures that the system is booted into a trusted OS that adheres to specified security policies and strong isolation, to prevent the system from being compromised after it has been booted and to prevent applications from tampering with each other; the TPM also supports remote attestation to certify to a remote party the authenticity of the hardware and software being run.
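The preceding paragraphs describe measurement, PCR extension, comparison against a baseline and remote attestation in prose. The following added example (the editor's, not code from the thesis or from any TCG specification) simulates that chain: each boot stage hashes its successor, the PCR is extended with the digest, an event log is kept, and a verifier replays the log and compares the result with an enrolled baseline. Two assumptions differ from the text: SHA-256 is used in place of the SHA-1 the thesis cites for TPM 1.2, and the attestation-key signature over the quote is omitted, so the verifier here trusts that the quoted PCR came from the TPM. The boot images are constructed byte strings standing in for real firmware, boot loader, kernel and hypervisor files.

```python
"""Added example: measure-then-extend boot chain and verifier-side comparison to a baseline.

Assumptions: SHA-256 instead of SHA-1; no attestation-key signature over the quote;
constructed stand-ins for the real boot images."""
import hashlib
from typing import List, Optional, Tuple

HASH = hashlib.sha256
PCR_SIZE = HASH().digest_size
Event = Tuple[str, str]  # (component name, hex digest of its image)


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = H(old || measurement). One-way and order-dependent, so a PCR cannot
    be set to a chosen value, only grown by the exact sequence of measurements."""
    return HASH(pcr + measurement).digest()


def measure_boot(components: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Event]]:
    """Each stage hashes its successor before handing over, extends the PCR and logs the event."""
    pcr = bytes(PCR_SIZE)  # PCRs are zero at power-on
    log: List[Event] = []
    for name, image in components:
        digest = HASH(image).digest()
        log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, log


def replay_log(log: List[Event]) -> bytes:
    """Recompute the PCR from the event log; a log that does not replay to the quote was altered."""
    pcr = bytes(PCR_SIZE)
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def verify(quoted_pcr: bytes, log: List[Event], baseline_pcr: bytes) -> Tuple[bool, str]:
    """Verifier decision: the log must replay to the quoted PCR, and the PCR must equal the
    enrolled baseline; anything else denies access, as Section 4.9.1 describes."""
    if replay_log(log) != quoted_pcr:
        return False, "event log does not match quoted PCR"
    if quoted_pcr != baseline_pcr:
        return False, "platform measurement differs from baseline"
    return True, "ok"


def first_divergence(log: List[Event], baseline_log: List[Event]) -> Optional[str]:
    """For the audit report: the first boot component whose measurement changed."""
    for (name, digest), (_, expected) in zip(log, baseline_log):
        if digest != expected:
            return name
    return None


# Constructed stand-ins for firmware, boot loader, kernel and hypervisor images.
GOLDEN_BOOT = [("CRTM", b"crtm-v1"), ("BIOS", b"bios-2014.3"), ("MBR", b"grub-stage1"),
               ("kernel", b"vmlinuz-3.13"), ("hypervisor", b"xen-4.4")]
TAMPERED_BOOT = [(n, b"vmlinuz-3.13-modified" if n == "kernel" else img) for n, img in GOLDEN_BOOT]

# Enrolment: the baseline is taken once on a known-good platform and kept by the verifier.
BASELINE_PCR, BASELINE_LOG = measure_boot(GOLDEN_BOOT)


def attest(components: List[Tuple[str, bytes]]) -> Tuple[bool, str, Optional[str]]:
    """One power-on: measure, quote, verify, and name the changed component if any."""
    pcr, log = measure_boot(components)
    ok, reason = verify(pcr, log, BASELINE_PCR)
    return ok, reason, None if ok else first_divergence(log, BASELINE_LOG)


if __name__ == "__main__":
    print(attest(GOLDEN_BOOT))    # (True, 'ok', None)
    print(attest(TAMPERED_BOOT))  # (False, 'platform measurement differs from baseline', 'kernel')
```

Two properties of `extend` carry the whole argument: because the hash is one-way, a modified kernel cannot be hidden by choosing a compensating later measurement, and because it is order-dependent, the same components loaded in a different sequence also produce a different PCR. The event log is what lets the verifier say which component changed rather than only that something did.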

For maintaining confidentiality of communications between TCCF system components, the TPM uses its cryptographic capabilities, such as the RNG, RSA key generator, SHA-1 hash generator, and encryption/decryption and signature engines, to encrypt and decrypt messages. These features prevent eavesdropping by the host system as well as within the communication channel. The TPM facilitates blind processing by encrypting data transmitted over the cloud and by providing a safe execution environment for each user process, protecting resources from unauthorized access since the decryption keys are concealed in the TPM.

The TPM provides stronger authentication than usernames and passwords (Kulkarni et al., 2012; Yeluri et al., 2012). TCG’s IF-MAP (Metadata Access Protocol) specification enables the integration of different security systems and provides real-time notification of incidents and of user misbehaviour. For example, when a CSA is fired or reassigned, the identity management system sends a notification just in time so that the user’s cloud access can be modified or revoked within seconds. If the fired user is logged into the cloud, they can be immediately disconnected. By implementing the TPM, TCCF strengthens cloud computing platform security: resistance to tampering and software attacks, strong device authentication through remote attestation, and trusted and secure boot. Furthermore, the TPM strengthens the security of applications and services through secure key storage, cryptographic functions and integrity checking. Once the hardware platform is secured by the TPM, the next step is to secure the TCCF network infrastructure with TNC and data storage with SEDs.

Cloud infrastructure and services are accessed by heterogeneous devices and share computing resources among various users, which requires robust security and strict access controls. Secure communication requires the identity and state of the remote system to be authenticated before it is accepted on the same cloud server (Harris and Hill, 2011). In order to secure the network and endpoints, TCCF proposes the TCG-TNC standard for authenticating and enforcing security policies on the cloud users’ devices that connect to the cloud. TNC performs endpoint integrity checks and enables CSAs to set rules to manage and restrict network access for devices, depending on their security status (TCG, 2011b; 2011c).

TNC assists CSAs in controlling network access based on CSUs’ identity and device health, while observing the performance of the network and responding immediately to issues as they occur. TNC ensures that the remote devices which are trying to connect to TCCF are not infected with malware, viruses or any type of code that could infect clean devices on the network once they are allowed to connect. TNC provides strong user authentication and blocks any unauthorized or malicious access. It integrates user authentication with network access to manage who can access the network and what they are authorized to do. TNC detects network issues and acts by restricting access to a device or server. By implementing TNC, interoperability between TPM and TNC is guaranteed, since both are TCG technologies, which will not impact the performance of TCCF. TNC ensures that endpoint devices have the correct anti-virus software, firewall and other security controls installed before granting them access to the TCCF network.

TCCF deploys SEDs to secure data at rest in cloud storage. SEDs encrypt data continuously using an encryption key that is sealed to the hardware and cannot be accessed by other parts of the cloud, thus ensuring CSUs the highest level of data protection. Since disk encryption is handled in the drive, overall TCCF system performance is not affected and the encryption is not subject to attacks targeting other components of the system. Moreover, backup servers are also secured with TPM and SED full-disk encryption devices for robust security and privacy preservation.

4.9.2 Virtualization Layer Security

This layer represents the virtual resources that host consumers’ applications. It consists of VMs, the VMM or hypervisor, the virtual network, and virtual storage, as shown in Figure 4.4. In a multi-tenant cloud environment it is vital to separate the VMs of different CSUs (who may be regular users, competitors or hackers) to avoid unintentional or intentional access to sensitive information (Hao et al., 2010).

Figure 4.4: TCCF-Virtualization Layer

Virtual TPM (vTPM) is the virtual version of the TPM, which simulates the interface and functionality of the hardware TPM and makes its functionality available to VMs, as well as allowing reuse of existing software such as TPM drivers, the TSS and other applications. The integration of TCG technologies into virtualized cloud computing environments enables the hardware-based protection of critical data and the detection of malicious software. In order to initiate a Trusted Virtual Cloud Computing Environment (TVCCE), TCCF considers the NIST SP 800-125 guidelines (Scarfone et al., 2011), which recommend securing all elements of the cloud virtualization environment. TCCF provides significant security improvements for VM and virtual network separation, as follows:

i. It secures each component of the virtualization layer, from the hypervisor and host OS (if applicable) to guest OSs, applications, and storage.

ii. It recommends that the CSP keeps software up to date with security patches, using secure configuration baselines, host-based firewalls, antivirus software, or other appropriate mechanisms to detect and stop attacks.

iii. It restricts CSAs’ access to the virtualization components, as well as ensuring that the VMs and hypervisor are properly secured.

4.9.2.1 Virtual Machine Security

The CSP has to secure the VM from every perspective against threats, to provide a trusted VM that CSUs can rely on and deploy. In TCCF, TCG technologies, besides other security controls, are integrated with each CSU’s VM as follows:

A. Virtual Trusted Platform Module

The TCG Trusted Cloud Computing Platform (TCCP) provides a closed-box execution environment for IaaS services. It guarantees confidential execution of guest VMs. TCCP enables consumers to attest the IaaS CSP and to determine whether the service is secure before their VMs are launched into the cloud, emphasizing the use of the TPM, which provides hardware-based verification of hypervisor and VM integrity (Xiao and Xiao, 2013). Moreover, by virtualizing the TPM through extending the standard TPM command set to support vTPM lifecycle management, trust establishment in the virtualized environment is enabled. Every vTPM is associated with its VM and is provisioned with IP network addresses that are accessible through the Internet. This allows the applications in the VM to use the vTPM for secure boot, storage and reporting platform integrity.

Deploying vTPM on VMs shields newly discovered vulnerabilities in their applications and OSs, to protect against VM exploitation (Krautheim et al., 2010). vTPM is an embedded function in TCCF that works with the hypervisor. Before executing any command, the vTPM verifies the integrity of the OS kernel as each VM boots. The boot image that resides on disk is cryptographically measured, as are the booting of the kernel, the loading of device drivers, and the user-specified applications. All of these measurements are signed with a private key inside the vTPM. Through remote attestation, these signed measurements attest to the integrity of the entire system. For example, Trusted Execution (e.g. IBM AIX) (Buecker et al., 2013) stores metrics in the vTPM and provides complete trust checking from the kernel through the OS and application.

B. Virtual Firewall

In order to secure the virtual network between the VMs in TCCF, a VF, which is a virtualized hardware firewall, is used to provide packet filtering and monitoring, in the same way that a physical firewall intercepts network traffic from the source origin to the destination. The VF decides the action to be taken on the packet: whether the packet is allowed to pass, rejected, forwarded or mirrored to some other device.

C. Virtual Private Network / Trusted Virtual Domain

Healthcare involves several domains that have to be secured and isolated from other tenants on the cloud. A virtual private network (VPN) is a network that uses the Internet to provide remote users with secure access to their organization’s or cloud network. A VPN maintains privacy through security procedures and tunneling protocols, by encrypting data at the sending end and decrypting it at the receiving end, and also encrypting the originating and receiving network addresses in order to facilitate data integrity and authentication. Data encryption is performed to assure confidentiality of the packets sent over the Internet (Santos, 2007). The network communication over the VPN is encrypted prior to transmission from either the HSP network or the CSP network and decrypted upon receipt at either end, thus allowing for secure communication of data.

A VPN protects the cloud system and data while in transit against sniffing, spoofing, man-in-the-middle and side-channel attacks (Gonzalez et al., 2011). When the VPN is established in the cloud computing environment for the consumer account, a single private VLAN is also assigned to the account, which provides an additional layer of network isolation for the VMs assigned to it (Jones et al., 2012; Vernier and Jones, 2011). Offering VLAN functionality to consumers allows them to create a completely isolated private network between their selected virtual servers. The VPN is configured via a gateway in the HSP organization’s network to a private VLAN in the cloud. This is termed a site-to-site connection (Rokosz, 2011). The VMs on the cloud private network are not visible from the Internet and can only be accessed either via the VPN or via another VM on the VLAN.

TVD is a technique that groups related VMs running on separate physical servers into a single network domain with a unified security policy, to ensure privacy in a multi-tenant cloud computing infrastructure. The TVD isolation mechanism is performed using Virtual Local Area Networks (VLANs) and VPNs (Tupakula and Varadharajan, 2011). Trusted VPNs enforce TVD policies through connected VLANs. A TVD is a security domain that enforces an isolation policy across its members, which specifies which VMs can access which resources and which VMs are allowed to communicate with each other. TCCF enables TVDs over a VPN that provides an IPsec-based, point-to-point communication channel between the HSP organization’s network and one of the CSP’s Trusted Virtual Datacenters (TVDc).

D. TNC and Patch Management

Another aspect of securing VMs in TCCF is the use of TNC together with patch management to detect any malicious activity and ensure compliance with the established patch policies. When TNC integrates with patch management, it ensures that all cloud computing systems are at the proper software and patch levels. It also provides an alerting mechanism if a back-level virtual system is added to the network, or if a security patch is issued that affects the systems in the TCCF environment.
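The TNC paragraphs in Section 4.9.1 (identity, device health, anti-virus and firewall checks before network access) and item D above (patch level and back-level system alerting) describe one admission decision. The following added example (the editor's, not TCCF's or TCG's code) puts that decision into a small policy evaluator with the three outcomes a TNC deployment typically distinguishes: deny, quarantine on a remediation network, or allow. The policy thresholds, the `YYYY-MM` patch-level convention and the device reports are constructed assumptions.

```python
"""Added example: TNC-style endpoint admission decision from a device posture report.

Policy values, the patch-level convention and the device reports are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Posture:
    device_id: str
    user_authenticated: bool
    integrity_ok: bool         # TPM/vTPM boot measurement matched the enrolled baseline
    antivirus_running: bool
    signature_age_days: int    # age of the antivirus signature set
    firewall_enabled: bool
    patch_level: str           # zero-padded "YYYY-MM", so string order is date order


@dataclass(frozen=True)
class Policy:
    required_patch_level: str = "2014-11"
    max_signature_age_days: int = 7


def evaluate(p: Posture, policy: Policy) -> Dict:
    """Identity and platform integrity failures are hard denials; hygiene gaps (AV, firewall,
    patch level) put the device on the remediation network instead of the protected one."""
    if not p.user_authenticated:
        return {"device": p.device_id, "decision": "deny", "reasons": ["user not authenticated"]}
    if not p.integrity_ok:
        return {"device": p.device_id, "decision": "deny",
                "reasons": ["platform integrity measurement differs from baseline"]}
    reasons: List[str] = []
    if not p.antivirus_running:
        reasons.append("antivirus not running")
    elif p.signature_age_days > policy.max_signature_age_days:
        reasons.append(f"antivirus signatures {p.signature_age_days} days old")
    if not p.firewall_enabled:
        reasons.append("host firewall disabled")
    if p.patch_level < policy.required_patch_level:
        reasons.append(f"patch level {p.patch_level} below required {policy.required_patch_level}")
    return {"device": p.device_id,
            "decision": "allow" if not reasons else "quarantine",
            "reasons": reasons}


def evaluate_fleet(reports: List[Posture], policy: Policy) -> Dict[str, str]:
    """Admission decision per device; quarantined entries are the back-level systems item D alerts on."""
    return {r["device"]: r["decision"] for r in (evaluate(p, policy) for p in reports)}


# Constructed device reports.
SAMPLE_REPORTS = [
    Posture("nurse-laptop-01", True, True, True, 2, True, "2014-11"),
    Posture("clinic-vm-07", True, True, True, 30, True, "2014-09"),
    Posture("visitor-tablet", True, False, True, 1, True, "2014-11"),
    Posture("unknown-host", False, True, False, 0, False, "2014-11"),
]


if __name__ == "__main__":
    for report in SAMPLE_REPORTS:
        print(evaluate(report, Policy()))
```

The ordering of the checks is the security-relevant part: an unauthenticated user or a platform whose measurement no longer matches the baseline gets no network at all, whereas a stale signature set or an old patch level yields a quarantine decision with the reasons attached, which is what the patch-management integration needs in order to remediate the device and re-evaluate it.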

E. Intrusion Detection and Prevention Systems

TCCF implements IDPSs, which inspect all network traffic that has passed through the frontline security devices and block attacks as they occur. IDPSs are used for detecting problems with security policies, documenting existing threats and reporting them in real time, besides preventing individuals from violating these security policies (Mell and Scarfone, 2012). IDPSs shield vulnerabilities in cloud OSs and applications until they can be patched, to achieve timely protection against known and zero-day attacks and to protect against exploits attempting to compromise VMs.

F. Incident Response

In the TCCF design the CSP is responsible for performing automated incident response activities, including incident detection and verification, attack analysis, tracking data collection and preservation, problem remediation and service maintenance, as well as reporting to decision makers and consumers when required. The CSP also provides a disaster recovery plan and backups to ensure the availability of cloud services.

4.9.2.2 Hypervisor Security

A hypervisor (Virtual Machine Monitor) acts as the controlling agent for everything within the virtualization environment. It can reach and affect the performance of the VMs running within the virtual layer. The hypervisor is used as a layer of abstraction to isolate the virtual environment from the hardware underneath (Scarfone et al., 2011). A hypervisor controls all access between the guest OSs and the shared underlying hardware. However, if an attacker manages to take control of the hypervisor, he/she gains full control over all VMs and the consumers’ data within the hypervisor’s territory.

Since there is just one hypervisor in the virtualization layer, the system faces the risk of a single point of failure: if the hypervisor crashes due to overload or a successful attack, all the systems and VMs are affected. Another security concern arises from the fact that the security of the virtual infrastructure relies on the security of the virtualization management system that controls the hypervisor and allows the CSA to start and create new VMs, among other actions. This could lead to an insider threat in which VMs are taken over and their data exploited. In order to mitigate the security issues stated above, TCCF applies the following security controls on the hypervisor:

i. It restricts access to the hypervisor to authorized administrators only, with least privileges over the encrypted consumers’ data, to protect it from loss and misuse.

ii. It deploys firewalls to protect from malicious access, and installs antivirus and virtualization-aware malware protection that leverages hypervisor introspection APIs to secure both active and inactive VMs. This protection defends against viruses, spyware and Trojans, detects malware in real time, and incorporates clean-up capabilities to remove malicious code and repair any system damage caused by the malware.

iii. It protects the communication channel by integrating IPsec and SSL-VPN features with firewall capabilities to secure against malicious attacks.

For hardened security and cost effectiveness, TCCF recommends the use of the open-source Kernel-based Virtual Machine (KVM) hypervisor. It enables secure and open virtualization for multi-tenant cloud computing environments. KVM security includes a multi-layer set of protections, from the kernel layer through to the hypervisor, VM security, hardware isolation and networking safeguards (Doyle, 2013). There are two types of hypervisors: closed-source (VMWare and Hyper-V) and open-source (Xen and KVM). Closed-source hypervisors are costly and require more storage space than open-source hypervisors. TCCF integrates KVM since it is more flexible than Xen. Table 4.2 presents a comparison between various hypervisors; it shows that KVM fulfils all the factors, which makes it the more appropriate choice for deployment in TCCF.

Table 4.2: Hypervisors Comparison (Wilson et al., 2011)

Factor                      | KVM     | VMWare  | Hyper-V | Xen
----------------------------+---------+---------+---------+--------
Common Criteria Certified   | ✓EAL4+  | ✓EAL4+  | ✓EAL4+  | ✓EAL4+
Common Criteria Test Suite  |         | X       | X       | X
Disk Encryption             |         |         |         |
FIPS 140-2 Validated        |         |         |         | X
Audit Trail                 |         |         |         |
Freely Available            |         |         |         |
Cryptographic Modules       |         |         |         |
Flexible Authentication     |         |         |         |
Mac Isolation by Default    |         | X       | X       | X
Process Isolation           |         |         |         |
RBAC                        |         |         |         |
Resource Control            |         |         |         |
Source Code Available       |         | X       | X       |
Type1 Hypervisor            |         |         |         |

(X = not provided; cells whose check mark did not survive extraction are left blank.)

4.9.3 Application Layer Security

The application layer, as shown in Figure 4.5, hosts the cloud consumers’ applications using resources in the virtual layer. The application layer facilitates SaaS and PaaS over the Internet as on-demand services, to reduce the cost, effort and need to install and run the applications on the customer’s own devices. In TCCF, the CSP must ensure that these applications are free from bugs and are prevented from being used as a tool to launch attacks. The application layer depends on the physical layer, which is designed with a root-of-trust chain. Securing the application layer is about ensuring that CSU security and privacy requirements are maintained by the environment surrounding the application, which includes securing access to the cloud application with robust least-privilege access control methods.

Figure 4.5: TCCF-Application Layer

The SaaS platform connects users to various cloud computing services on a pay-per-use basis, while providing basic functions such as secure communication, authentication, authorization, access control and data storage. Numerous types of telemedical and e-health solutions can easily be hosted as SaaS and accessed through a web browser via the Internet, which needs to be secured against any possible attack. However, the application layer does not only involve SaaS; it also involves PaaS, which offers a complete development environment in which application developers can create and deploy their code. This eases and cuts the cost for healthcare developers of building a server environment and installing a development environment to create applications on that server: they can connect directly to a PaaS cloud provider and, using its tools, start creating applications which can be deployed worldwide without delay. TCCF secures the application layer by conducting the following procedures for both SaaS and PaaS.

i. TCCF implements a strong password policy to protect against illegal access, as discussed in Section 4.10.

ii. TCCF secures consumers’ data in transit and in process as described in Section 4.8, besides securing it at rest in safe storage using TCG SED technology.

iii. TCCF secures the communication channel between the cloud server and the consumer by using SSL/TLS (HTTPS), which ensures all communications are encrypted and protected from interception. HTTPS guarantees lightweight security for interfacing with a number of medical software packages and EHRs (Bamiah et al., 2013).

iv. TCCF deploys security controls such as firewall, antivirus and anti-malware protection, as well as the latest OS and web browser updates.

v. TCCF secures the cloud physical infrastructure with TPM and TNC as discussed in Section 4.9.1. It also secures the cloud virtual infrastructure with vTPM and related security controls as discussed in Section 4.9.2.

vi. TCCF guarantees a disaster recovery plan and secure encrypted data backup under the regulations and compliance requirements of the consumer’s location.

vii. TCCF ensures that the application runs at a pre-agreed geographical location and that data is stored at a pre-agreed geographical location, enforced by the SLA.

viii. TCCF ensures that the additional context for the SLA guarantees SPT and availability, and also complies with HIPAA requirements as discussed in Sections 4.5 and 4.6.

4.9.4 Middleware Security

Middleware is used to abstract the differences between heterogeneous systems and present a unified interface. It is a set of software that executes between the OS and the application to solve stated problems. Middleware services support the application rather than being the application itself. The advantages include a unified interface, scalability and transparency (Fan and Wu, 2012). In TCCF, middleware layers exist between the physical and virtual layers as well as between the application and virtual layers. The former provides infrastructure-transparent services to the virtual layer, while the middleware between the application and virtual layers provides transparent management services to applications (Abbadi, 2011). These middleware layers are transparent to CSUs and have the same security techniques as the application layer.

4.10 TCCF-Password Policy

The main concern with weak passwords is that they raise vital CSU and patient safety issues by allowing unauthorized users to access and tamper with their data and devices, including potentially changing settings, for example to increase or decrease a drug dose or to reprogram a device to deliver an unsafe radiation percentage to patients, causing severe impacts that can threaten their lives (McGee, 2013; El Emam et al., 2011). In order to overcome password concerns, TCCF defines a strict policy as follows:

i. CSU enters a valid user name, which can be an email or a name.

ii. CSU enters a valid alphanumeric password that is hard to guess, which includes capital and small letters, numbers and special symbols, with a minimum of eight characters (e.g. Mervat12#).

iii. The number of attempts to input the user name and password is restricted to three; otherwise the user account is blocked, and a notification is sent to the user by email and mobile phone for verification.

iv. Passwords must be stored encrypted in the database as hashes and displayed in transparent colour, so that anyone who accesses the records cannot see the passwords; if someone tries to colour the text in, it still appears only as encrypted hashes.
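Policy items ii to iv as an added Python example (not the thesis prototype, which is written in C#/ASP.NET): a candidate password is checked against the TCCF rules, only a salted hash is stored (the thesis says hashes but names no algorithm, so PBKDF2-SHA256 is an assumption), and the third failed sign-in blocks the account and records a notification.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional

MIN_LENGTH = 8       # policy item ii: at least eight characters
MAX_ATTEMPTS = 3     # policy item iii: three failed attempts block the account


def password_policy_violations(password: str) -> List[str]:
    """Return the TCCF rules a candidate password violates; an empty list means it is accepted."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("fewer than 8 characters")
    if not any(c.isupper() for c in password):
        violations.append("no capital letter")
    if not any(c.islower() for c in password):
        violations.append("no small letter")
    if not any(c.isdigit() for c in password):
        violations.append("no number")
    if not any(c in string.punctuation for c in password):
        violations.append("no special symbol")
    return violations


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store only a salted PBKDF2-SHA256 digest (assumed algorithm; the thesis just says 'hashes')."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return "pbkdf2_sha256$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


class Account:
    """One CSU account: user name (name or email), password hash, failure counter, notifications."""

    def __init__(self, username: str, password: str) -> None:
        violations = password_policy_violations(password)
        if violations:
            raise ValueError("password rejected: " + ", ".join(violations))
        self.username = username
        self.password_hash = hash_password(password)
        self.failed_attempts = 0
        self.blocked = False
        self.notifications: List[str] = []   # constructed stand-in for the email/SMS channel

    def login(self, username: str, password: str) -> str:
        """Return 'granted', 'denied' or 'blocked'; the third failure blocks and notifies the owner."""
        if self.blocked:
            return "blocked"
        if username == self.username and verify_password(password, self.password_hash):
            self.failed_attempts = 0
            return "granted"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.blocked = True
            self.notifications.append(
                "account %s blocked after %d failed sign-in attempts; "
                "verification sent by email and mobile phone" % (self.username, MAX_ATTEMPTS))
            return "blocked"
        return "denied"
```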

4.11 HTCCF-MFA-SSO-RBAC System Architecture

The open nature of the Internet has inherited several security flaws that can lead to the risk of illegal user access, which may exploit CSU accounts and misuse their critical information. Furthermore, strong user authentication and authorization have not yet been extended into the cloud (Choudhury et al., 2011), which creates a threat of malicious access. In TCCF, when healthcare organizations or individuals subscribe to a certain cloud service, they need to send their data and associated access control policies (if any) to the CSP, who is granted access rights on the data, such as read, write and copy, for authorization purposes. According to Sundareswaran and Squicciarini (2012) and Olden (2011), strict authentication and authorization are required to protect CSUs from malicious insider users residing in the same cloud infrastructure and from malicious outsiders who want to gain access to and misuse cloud systems. In order to mitigate this issue, TCCF has a strict log policy which documents the users’ log processes for auditing and tracking usage, as follows:

Decentralized: Users’ and data owners’ logs should be decentralized in order to adapt to the dynamic nature of the cloud.

Automatic logging: Every access to CSU data should be accurately and automatically logged, with emphasis on authenticating the entity that accesses the data and on verifying and recording the actual processing of the data and the access time.

Tightly bound to user: Log files should be tightly bound to the user’s data with minimal infrastructural support from any server. They should be reliable and tamper-proof to prevent illegal insertion, deletion and modification by malicious parties.

Periodic log report: Log files should be reported to their data owners for periodic review of the current usage of their data, and should be retrievable by them when needed regardless of their location. Recovery mechanisms are required to restore log files damaged by technical problems.

Log administrator: All logs must be monitored by an authorized administrator only and documented in safe locations, so that they cannot be tampered with, for tracking who accessed what.

In TCCF, multi-factor physical and logical authentication steps are required to protect against unauthorized or malicious access for more optimized security. Three scenarios will be discussed and analyzed for various user types, starting with the cloud administrator (CSA), the healthcare provider (HSP) and the patient, since each of these types requires a different authentication method, as shown in Figure 4.6. TCCF deploys the Security Assertion Markup Language (SAML), which is the basic building block of the federated SSO protocol that allows multiple systems to perform distributed access control while maintaining the confidentiality of user credentials, without users needing to remember a load of different passwords (CSA, 2010). SAML virtually shares the corporate CSUs’ identities and authorizations across the cloud in a secure and controlled manner. The first authentication step is entering a valid user name and password. The second step is to answer a challenge question. In the third step, after the username/password combination and the answer to the challenge question have been validated, the user has to enter an SMS code received on his/her mobile phone or by email. Once the user enters the correct One Time PIN (OTP) he/she gains access to the system. If the user fails to enter the verification code, the account owner is notified by email that a correct username/password was submitted but no correct code.

Figure 4.6: Prototype Authentication Processes

TCCF specifies a strict identity and access control policy to protect from malicious access and insider threat. It provides federated SSO MFA to accomplish the SPT requirements alongside productivity, while decreasing cost, downtime and repetitive tasks. All cloud user types share the Policy (1) Multi-Factor Authentication (P1-MFA) process shown in Figure 4.7; the only difference between them is that an HSP and a CSA may require additional authentication and authorization steps, including OTP and others, to prevent the risk of insider threats.


Figure 4.7: Users P1-MFA Activity Diagram

The P1-MFA process is performed by conducting the following steps:

i. CSU enters a valid user name and password.

ii. CSU answers a challenge question or verifies a pre-defined image.

iii. CSU enters the OTP SMS code received by mobile phone or email.

In TCCF, failure at any of the authentication steps is handled securely as follows:

iv. If the CSU fails to enter the correct password three times, access is blocked and an incident log is reported for further audit analysis.

v. If the CSU forgets his/her password, he/she clicks ‘forgot password’ and the system automatically notifies him/her by email that a password change was submitted but no correct code. The CSU has to change the password by entering the right code received on his/her mobile.

vi. If the CSU fails to answer the challenge question or to verify the pre-defined user image, access is blocked and an incident log is reported.

vii. If the CSU fails to enter the accurate OTP code, access is blocked and an incident log is reported.
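The P1-MFA steps i to vii above and the tamper-proof logging requirement of the log policy in Section 4.11, as one added Python example that is not the thesis prototype’s code: a session object walks a CSU through password, challenge question or image, and OTP, blocks on each failure listed, and writes every incident to a hash-chained log whose verify() fails if any record is inserted, deleted or edited. The six-digit OTP format, the OTP lifetime and the SHA-256 chain are assumptions; the password verifier is passed in as a callable so the stored-hash check from Section 4.10 can be plugged in.

```python
import hashlib
import hmac
import json
import secrets
from typing import Callable, List, Optional

MAX_PASSWORD_ATTEMPTS = 3    # step iv: the third wrong password blocks access
OTP_LIFETIME_SECONDS = 300   # assumption: the thesis names no OTP validity window


class IncidentLog:
    """Append-only log; each entry chains a SHA-256 digest of the previous one, so edits break verify()."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _digest(record: dict) -> str:
        return hashlib.sha256(json.dumps(record, sort_keys=True).encode("utf-8")).hexdigest()

    def append(self, username: str, event: str, at: float) -> dict:
        record = {"user": username, "event": event, "time": at,
                  "prev": self.entries[-1]["chain"] if self.entries else "0" * 64}
        record["chain"] = self._digest(record)
        self.entries.append(record)
        return record

    def verify(self) -> bool:
        previous = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "chain"}
            if entry["prev"] != previous or self._digest(body) != entry["chain"]:
                return False
            previous = entry["chain"]
        return True


class P1MfaSession:
    """One CSU's P1-MFA run: password, then challenge question or image, then OTP.
    Each submit_* call returns 'next', 'retry', 'granted', 'blocked' or 'out_of_order'."""

    def __init__(self, username, verify_password, challenge_answer, image_id, send_otp, log):
        self.username = username
        self.verify_password: Callable[[str], bool] = verify_password  # e.g. closure over the stored hash
        self.challenge_answer = challenge_answer
        self.image_id = image_id
        self.send_otp: Callable[[str], None] = send_otp  # stand-in for the SMS / email channel
        self.log: IncidentLog = log
        self.stage = "password"
        self.password_failures = 0
        self.otp: Optional[str] = None
        self.otp_issued_at = 0.0

    def _block(self, event: str, now: float) -> str:
        self.stage = "blocked"
        self.log.append(self.username, event, now)  # incident reported for audit analysis
        return "blocked"

    def _gate(self, expected: str) -> Optional[str]:
        if self.stage == expected:
            return None
        return "blocked" if self.stage == "blocked" else "out_of_order"

    def submit_password(self, password: str, now: float) -> str:
        state = self._gate("password")
        if state is not None:
            return state
        if self.verify_password(password):
            self.stage = "challenge"
            return "next"
        self.password_failures += 1
        if self.password_failures >= MAX_PASSWORD_ATTEMPTS:
            return self._block("password_failed_3_times", now)
        return "retry"

    def submit_challenge(self, now: float, answer: Optional[str] = None,
                         image_id: Optional[str] = None) -> str:
        state = self._gate("challenge")
        if state is not None:
            return state
        answer_ok = answer is not None and hmac.compare_digest(
            answer.strip().casefold().encode(), self.challenge_answer.casefold().encode())
        image_ok = image_id is not None and hmac.compare_digest(image_id.encode(), self.image_id.encode())
        if not (answer_ok or image_ok):
            return self._block("challenge_or_image_failed", now)  # step vi: a single failure blocks
        self.otp = "{:06d}".format(secrets.randbelow(1_000_000))  # six-digit one-time PIN
        self.otp_issued_at = now
        self.send_otp(self.otp)
        self.stage = "otp"
        return "next"

    def submit_otp(self, code: str, now: float) -> str:
        state = self._gate("otp")
        if state is not None:
            return state
        stale = now - self.otp_issued_at > OTP_LIFETIME_SECONDS
        if stale or not hmac.compare_digest(code.encode(), self.otp.encode()):
            return self._block("otp_failed", now)  # step vii: wrong or expired OTP blocks
        self.stage = "granted"
        self.log.append(self.username, "access_granted", now)
        return "granted"
```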

Several scenarios for users’ MFA are described in Figure 4.6. Hereafter, three authentication scenarios will be discussed, specifically for the CSA, a doctor and a patient, based on their roles and organizational policy in compliance with HIPAA requirements.

A. Cloud Service Provider Administrator Authentication

In the cloud computing environment, administrators of the consumer VMs, who monitor and access the consumers’ sensitive data, must be tracked to prevent any internal threat or misuse of consumer resources. No unauthorized employee can enter this shielded area. CSAs must have robust access control mechanisms. In our design, multi-factor physical and logical authentication steps are required to protect against unauthorized or malicious access for more optimized security. In addition, all logs are monitored and documented in a safe location, so that they cannot be tampered with, for tracking who accessed what. All records and logs are encrypted when stored, using TCG-SED full disk encryption for more safety and reliability. All procedures use SAML and are performed as SSO; also, CSAs must log out after finishing their working hours. CSAs access and monitor CSU VMs, data and computing resources, which poses a vital risk of insider threat causing data breach or misuse. In order to overcome the risk of insider threat in TCCF, a strict policy was initiated which states that “least access privileges are given only to those who need to know and access”, in addition to eliminating unauthorized personnel access to logical and physical CSP and CSU computing resources and data. CSA authentication is illustrated in Figure 4.8 as follows:

Figure 4.8: CSA Authentication Activity Diagram

1) Step One – Physical Authentication

i. CSA verifies himself/herself with biometric access control (fingerprint, iris scan, voice print, etc.). If the CSA passes the biometric scan successfully, he/she has to enter an access card for identity verification and time stamping.

ii. When the CSA passes physical authentication successfully, he/she can enter the office, which is also secured with a CCTV camera. If the CSA does not pass any of the authentication steps, access is denied.

2) Step Two – Logical Authentication (P1-MFA)

iii. CSA enters a valid user name and password.

iv. CSA answers a challenge question or verifies a pre-defined image.

v. CSA enters the OTP code received by mobile phone or email.

vi. If the CSA passes both step one and step two (the multi-factor physical and logical authentication steps), access is granted and the access activity is logged for further audit analysis.

vii. If the CSA fails to enter the accurate password three times, access is blocked and an incident log is reported for further auditing.

viii. If the CSA forgets his/her password, the system automatically notifies him/her by email that a password change was submitted but no correct code. The CSA has to change the password by entering the right code received on his/her mobile.

ix. If the CSA enters a wrong OTP, or fails to answer the challenge question or to verify the pre-defined user image, access is denied, the user is blocked and an incident log is reported.

B. Healthcare Service Providers Authentication

In the healthcare sector, various organizations such as hospitals, pharmacies and insurance companies, among others, access the Internet. They all provide healthcare services to the community and to patients. Assume that these healthcare organizations are implementing cloud computing and a doctor needs to access a patient record. Assume also that there are meaningful policies granting least access privileges, made by the patient and the HSP and agreed upon with the CSP in the SLA. Figure 4.9 illustrates the TCCF authentication mechanism for a doctor as follows:

Figure 4.9: HSP Authentication Activity Diagram

In order to protect from malicious access, insider and outsider threats, and to preserve privacy, TCCF has a strict MFA access control policy for HSPs. In this scenario, the HSP professional is a female doctor who wants to access the cloud health system. She must perform TCCF P1-MFA in addition to other verification processes as follows:

i. Doctor enters a valid user name and password.

ii. Doctor answers a challenge question or verifies a pre-defined image.

iii. Doctor enters the OTP code received by mobile phone or email.

iv. Doctor chooses her domain and enters her identification number.

v. If the doctor passes all the steps mentioned above, the system grants access and logs the incident for further audit analysis.

vi. If the doctor fails to enter the correct password three times, the system blocks access and reports the incident log for auditing.

vii. If the doctor forgets her password, the system automatically notifies her by email that a password change was submitted but no correct code. The doctor has to change the password by entering the right code received on her mobile. If the doctor enters a wrong OTP, the system denies access, blocks the user and reports the incident.

viii. If the doctor fails to answer the challenge question or to verify the pre-defined user image, the system denies access, blocks the user and reports the incident.

ix. If the doctor fails to enter the accurate OTP code, the system denies access, blocks the user and reports the incident.

x. If the doctor fails to enter the accurate domain and identification number, the system denies access, blocks the user and reports the incident.

C. Patient and User Authentication

A patient is registering to the cloud, accessing, using cloud applications, and storing his data from various devices (sensors attached to his body, mobile, etc.) and from different places (home, office, car, etc.). He needs to be assured that his critical PHRs are not tampered with and secured. Figure 4.10 illustrates patient's authentication process.

Figure 4.10: Patient/User Authentication Activity Diagram

The patient in this scenario is assumed to be male and must perform TCCF P1-MFA in addition to other verification processes as follows:

i. Patient enters a valid user name and password.

ii. Patient answers a challenge question or verifies a pre-defined image.

iii. Patient enters the OTP code received on his/her mobile phone or by email.

iv. If the patient successfully performs all the steps mentioned above, access is granted and the incident is logged for further audit analysis.

v. If the patient fails to enter the correct password three times, the user is blocked, access is denied and an incident log is reported for further audit analysis.

vi. If the patient forgets his/her password, the system automatically notifies him/her by email that a password change was submitted but no correct code. He/she has to change the password by entering the right OTP code received on his/her mobile. If he/she enters a wrong OTP code, access is denied and an incident log is reported.

vii. If the patient fails to answer the challenge question or to verify the pre-defined user image, access is denied, the user is blocked and the incident is reported.

viii. If the patient fails to enter the accurate OTP code, access is denied, the user is blocked and the incident is reported.

D. Device Authentication

The healthcare sector and cloud computing interact with a massive number of heterogeneous devices, systems and applications that need to be secured in order to maintain users’ privacy and to protect data and resources. TCCF utilizes the TPM, which provides a chain of trust relations to the entire cloud computing platform. The TPM includes capabilities such as machine authentication, hardware encryption, signing, secure key storage and attestation. For device authentication, the TCCF system uses trust-based device authentication with the TPM and its associated TSS components, which monitor software as it loads and provide integrity reports to verify whether what is running on the machine is trusted or otherwise (Yadav, 2013). When a problem is detected, TNC immediately restricts access to the device or server.

4.12 HTCCF-MFA-SSO-RBAC Prototype Use Case Diagrams

After gathering the users’ requirements and designing the system to eliminate malicious access and achieve the SPT requirements by using MFA and additional user verification methods, and after analyzing the users’ requirements and the system building blocks, the next step is to implement the design. In software engineering, the use of Unified Modelling Language (UML) diagrams assists in visualizing the design of the HTCCF-MFA-SSO-RBAC system in order to facilitate developing it. Following are three use case diagrams for the CSA, the HSP and the patient/user, as shown in Figures 4.11-4.13.

Figure 4.11: CSA Authentication Use Case Diagram

Figure 4.12: Healthcare Professional Authentication Use Case Diagram

Figure 4.13: Patient / User Authentication Use Case Diagram

4.13 Summary

This chapter discussed trust components and trust relationships in the cloud computing environment. The TCCF was designed to secure the cloud infrastructure through resource isolation mechanisms and high-standard trusted security techniques, such as the well-known trusted technologies of the TCG standards, together with strict security controls. Moreover, TCCF secures people’s access through robust access controls and MFA. It also caters for securing data through its life cycle. Furthermore, enabling auditing, documenting and reporting is a basic component of the framework design. Additionally, TCCF caters for compliance with HIPAA security and privacy rules and regulations. TCCF also includes an additional context to be added to the cloud SLA in order to customize it specifically to the healthcare sector as a critical information industry. All the security controls proposed in TCCF secure the infrastructure, data and communication channel as well as the endpoints, to ensure that the SPT requirements are achieved and TCCF can be adopted in critical information industries, specifically the healthcare sector. This chapter also included the prototype activity and use case diagrams, in order to implement and develop the proposed prototype, which will be discussed in Chapter 5.

CHAPTER 5

PROTOTYPE DEVELOPMENT

5.1 Introduction

Software engineering involves the identification and structuring of system specifications, hardware and software that can meet the requirements of industry problems (Hall et al., 2007). Currently, no software development process model for the cloud computing platform has been suggested yet (Mahmood and Saeed, 2013). There is a need to apply software security techniques to cloud computing services in order to develop them with built-in security. CASE 2.0 is a cloud-driven approach to software engineering that requires gathering CSPs’ requirements alongside consumers’ requirements, since CSPs supply the computing infrastructure to the consumers and maintain it too.

Software design and implementation involves one or more computer programmers developing software systems using various tools, techniques, applications and programming languages. This chapter focuses on the development process of the TCCF prototype, in order to ensure that it guarantees consumers robust access and overcomes their SPT concerns in adopting cloud computing. In this chapter, Section 5.2 describes the assumptions involved in the development of TCCF. Section 5.3 describes the development process together with the system workflow snapshots. Section 5.4 presents the summary of this chapter.

5.2 Research Development Assumptions

The implementation of the TCCF framework focuses on the user authentication process, due to the limitations of time and resources required for developing the overall framework. The TCCF development is based on the following assumptions.

Physical and Virtualization Security: The prototype runs on a secure physical layer with TPM and a virtualization layer with vTPM, alongside the other security controls discussed in Sections 4.9.1 and 4.9.2 of Chapter 4.

Healthcare Role-Based Access: The prototype is implemented according to the HSPs’ organizational policies for authorization as per the users’ roles. For example, the doctor’s role is granted access privileges different from those of the nurse or pharmacist.

Cloud Implementation: In real-life scenarios, the TCCF prototype runs on the cloud platform and the users register and sign into the system using the link http://94.77.226.142/HTCCF/registration.aspx. Moreover, it is assumed that the prototype is implemented on a public cloud computing platform. The CSA physical authentication process and the biometric devices are outside the office premises. The CSA has to validate his/her identity before entering the office; after successfully passing the physical authentication, he/she can perform the logical authentication process by logging online into the TCCF system in order to gain access to the consumers’ VMs, data and computing resources.

5.3 HTCCF-MFA-SSO-RBAC System Development Process

The development of a prototype is an essential task to examine its practical functionality and strengths and to determine that it achieves its goal effectively. TCCF is developed on an Intel® Core™ i7-4510U CPU @ 2.00GHz 2.60GHz computing platform using the Windows 8.1 operating system. The programming languages and development platforms used in the implementation of the system include Microsoft Visual Studio 2013, ASP.net, C#, and XHTML. The system workflow demonstrates each activity performed by the users. Furthermore, system snapshots are presented for deeper understanding and analysis. The first screen of the system is the homepage, which specifies the purpose of the system as shown in Figure 5.1.

Figure 5.1: Prototype Home Page

5.3.1 Prototype Registration Process, Screenshots and Code Snippets

This section discusses the registration process for the CSA, the healthcare professionals such as doctors, and the patients or users. From the registration page each cloud user has to select his/her own registration form according to his/her role. Users have to register with accurate and valid information. As for the CSA, he/she has to verify his/her biometric feature, which will be registered in the database, and his/her smart card number, which is given by the organization, alongside the other registration fields. The user name is the email or the name given by the cloud organization, and the password has to comply with the TCCF policy. There are two options for registering the challenge question: either it is given by default from the organization in the form of a list, or it is registered by the CSA or by the users as their own question and answer. Figure 5.2 shows the system registration page and its implementation using the following code snippet.

Code for User Registration Type


Figure 5.2: Registration Page

The following section discusses the registration process for the CSA, the healthcare professional (doctor) and the patient or user. From the registration page each cloud user has his/her own registration form according to their type. They have to register with accurate and valid information. As for the CSA, he/she has to verify his/her biometric feature, which will be registered in the database, and his/her smart card number given by the organization, alongside the other registration fields. The user name is the email or the name given by the cloud organization, and the password has to comply with the TCCF policy. There are two options for the challenge question: either it is given by default from the organization in the form of a list, or it is registered by the CSA. Figure 5.3 illustrates the CSA registration form and its implementation using the following code snippet.

Code for CSA Registration


Figure 5.3: CSA Registration Form

Healthcare professionals have to verify their domain (job title) and the identification numbers given to them by the healthcare organization, in order to be granted privileges according to their roles and the organization’s policy. The user name is the email or the name given by the healthcare organization, and the password has to comply with the TCCF policy. There are two options for the challenge question: either it is given by default from the organization in the form of a list, or it is registered by the healthcare professionals themselves. Figure 5.4 illustrates the healthcare professional registration form and its implementation using the following code snippet.

Code for Healthcare Professional Registration


Figure 5.4: Healthcare Professional Registration Form

Patients and regular users have to register with valid information so that the system can protect against malicious access. This includes passport numbers, national identification card numbers, driving licence numbers, insurance card numbers and other mandatory fields used to establish the validity of the users who log in and access the system. The challenge question follows the CSP policy: either the CSP provides a list of challenge questions or the user defines a question and answer. Figure 5.5 illustrates the patient/user registration form; its implementation is given in the code snippet that follows.

Code for Patient/User Registration


Figure 5.5: Patient/User Registration Form

The next section describes the sign-in process for the CSA, the healthcare professional (doctor) and the patient or user, as shown in Figure 5.6. From the sign-in page each cloud user follows the sign-in procedure defined for his or her type and must sign in with accurate and valid information.


Figure 5.6: Sign-in Main Menu

The CSA has to pass verification of his or her biometric feature and smart card number before signing in to the cloud system. Figure 5.7 illustrates a simulation of the physical verification of the CSA biometric feature together with its implementation code snippet, and Figure 5.9 illustrates the smart card verification. Only if both physical verifications succeed can the CSA proceed to the logical authentication; otherwise access is denied, as shown in Figure 5.8.


Figure 5.7: Biometric Authentication Process

Figure 5.8: Access Denied Message

Code for CSA Sign in Type


Figure 5.9: Smart Card login Process

Figure 5.10: Username and Email Verification

Code for Smart Card Verification

The first logical authentication step verifies the user name and email, as shown in Figure 5.10. The password is then validated against the TCCF policy; Figures 5.11 and 5.12 show the password verification and the invalid-password response together with the implementation code snippets. If the user name and password step succeeds, the CSA has to answer the challenge question and select the correct image, as shown in Figures 5.13 and 5.14. If the challenge question and image verification also succeed, the CSA must enter the OTP (Figure 5.15); only when the OTP is verified is the CSA granted access to the cloud systems and applications, otherwise access is denied. The same procedure applies to the healthcare professional and the patient: each signs in according to his or her own sign-in type and is granted access according to role and organisational policy.

Code for Username and Email Verification


Figure 5.11: Password Verification

Figure 5.12: Invalid Password Verification


Figure 5.13: Secret Question Challenge

Figure 5.14: Image Based Authentication


Figure 5.15: OTP Verification
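As an added worked example (not code from the thesis prototype, whose snippets are referenced above but not reproduced on this page), the following Python sketch implements the registration and chained sign-in flow described in this section: password validation against the stated TCCF/ONC policy (at least 8 characters with upper and lower case letters, a digit and a special character), salted PBKDF2 hashing of the password and challenge answer at registration, the CSA-only physical pre-checks (smart card number and biometric) before any logical step, then user name and email, password, challenge question, image selection and finally a TOTP one-time password. The in-memory Registry class, the field names and the 30-second TOTP window are assumptions of this example; the page does not specify how the prototype stores credentials or generates the OTP.

```python
# Added example: registration and chained MFA sign-in in the style of the TCCF
# prototype. Names, storage layout and the TOTP step are assumptions, not the
# thesis code.
import hashlib
import hmac
import re
import secrets
import struct
import time

PBKDF2_ROUNDS = 100_000


def password_meets_policy(pw: str) -> bool:
    """TCCF/ONC rule: >= 8 chars, upper, lower, digit and special character."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so a leaked user table does not expose secrets."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 HOTP with dynamic truncation) for Unix time `at`."""
    mac = hmac.new(key, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _eq(a: str, b: str) -> bool:
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class Registry:
    """In-memory user store standing in for the prototype database (assumption)."""

    def __init__(self):
        self.users = {}

    def register(self, role, username, email, password, question, answer,
                 image_id, smart_card=None, biometric=None):
        if role == "csa" and not (smart_card and biometric):
            return False, "CSA must enrol a smart card number and a biometric"
        if not password_meets_policy(password):
            return False, "password does not satisfy the TCCF policy"
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "role": role, "email": email, "salt": salt,
            "pw": hash_secret(password, salt),
            "question": question,
            "answer": hash_secret(answer.strip().lower(), salt),  # normalised answer
            "image": image_id,
            "otp_key": secrets.token_bytes(20),  # shared with the user's OTP device
            "smart_card": smart_card, "biometric": biometric,
        }
        return True, "registered"

    def sign_in(self, username, email, password, answer, image_id, otp,
                smart_card=None, biometric=None, now=None):
        """Chained verification; the first failing factor denies access."""
        u = self.users.get(username)
        if u is None:
            return False, "unknown user"
        # CSA only: physical verification precedes any logical authentication
        if u["role"] == "csa" and not (smart_card is not None and biometric is not None
                                       and _eq(smart_card, u["smart_card"])
                                       and _eq(biometric, u["biometric"])):
            return False, "physical verification failed"
        if not _eq(email, u["email"]):
            return False, "email does not match user name"
        if not hmac.compare_digest(hash_secret(password, u["salt"]), u["pw"]):
            return False, "invalid password"
        if not hmac.compare_digest(hash_secret(answer.strip().lower(), u["salt"]), u["answer"]):
            return False, "challenge answer rejected"
        if image_id != u["image"]:
            return False, "image selection rejected"
        now = int(time.time()) if now is None else now
        # accept one 30 s step of clock skew on either side of the server time
        if not any(_eq(totp(u["otp_key"], now + d), otp) for d in (-30, 0, 30)):
            return False, "OTP rejected"
        return True, "access granted, role " + u["role"]
```

Every factor is compared with hmac.compare_digest to avoid timing side channels, and failure at any step stops the chain, matching the access-denied paths in Figures 5.8 and 5.12. The distinct reason strings are for illustration only; a production deployment would return a uniform message to the user and log the detailed reason server-side, so that the response does not reveal which factor failed.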

5.4 Summary

The TCCF prototype simulates the authentication part of the aggregate solution proposed by this research. In real-life scenarios, when TCCF is fully developed, provided by CSPs at industry level and adopted by an organisation that handles confidential data, such as the healthcare sector, it will support the full set of security and privacy approaches and procedures proposed by this research. Moreover, the HTCCF-MFA-SSO-RBAC prototype complies with HIPAA and with the designed SLA. The prototype is intended to give healthcare users such as patients, doctors and other professionals confidence that their confidential records are protected from malicious users by strong security controls and regulatory standards. This research assumes that in real-life implementations the developed system will provide an easy-to-use interface in which users can complete their tasks within short time intervals while the security and privacy of their data and applications remain preserved.


CHAPTER 6

EVALUATING TRUSTED CLOUD COMPUTING FRAMEWORK

6.1 Introduction

Evaluation and testing are complex and time-consuming processes (Munch, 2013). They are conducted as part of the software engineering methodology to validate and verify that TCCF meets the business and technical SPT requirements, that it works as expected, and that it can be implemented with the same characteristics. Evaluation and testing are necessary to establish the trustworthiness of the framework design and to expose any vulnerability in its components. Several evaluation methods are applied in this study: a survey, a comparison with previous work from the literature, compliance checks against standards, and testing of TCCF's ability to overcome the threats identified by CSA.

Chapter 6 is organised as follows. Section 6.2 discusses TCCF compliance with the HHS-ONC security and privacy requirements. Section 6.3 examines TCCF compliance with the HIPAA security requirements. Section 6.4 presents the TCCF mitigations of cloud computing threats. Section 6.5 evaluates TCCF against previously identified work in the literature. Section 6.6 presents the HTCCF trust evaluation. Section 6.7 describes the survey evaluation of the security techniques proposed for each HTCCF layer and for the overall framework.

6.2 Compliance with ONC Security Requirements

The current trend of critical information industries such as healthcare organisations migrating to cloud computing requires a cloud-specific security approach for both the sensitive information industry and the cloud. Moreover, countries that are advanced in healthcare technology, such as the United States through its Office of the National Coordinator for Health Information Technology (ONC), are putting significant effort into supporting the adoption of healthcare information technology and promoting nationwide health information exchange to improve healthcare. ONC is organisationally located within the Office of the Secretary of the U.S. Department of Health and Human Services (HHS). ONC has recommended best-practice guidelines for security and privacy requirements to be followed in healthcare (HealthIT.gov, 2013). Table 6.1 shows the compliance of TCCF with the ONC security and privacy guidelines, the first method of the evaluation process.

Table 6.1: Compliance with ONC Security Guidelines (HealthIT.gov, 2013a)

Requirement: Strong Password
Description: At least 8 characters including upper and lower case letters, at least one number and one special character. Change on a regular basis. Use MFA. Password recovery built-in tool.
TCCF-SPT compliance: Includes a user name and password policy that applies all the guidelines in Chapter 4, Section 4.10. Includes the developed MFA-SSO-RBAC system.

Requirement: Anti-Virus and Firewall
Description: Use of anti-virus software. Use of Next Generation Firewalls (NGFW).
TCCF-SPT compliance: Proposed in the TCCF design; VF are embedded in the design and NGFW are recommended.

Requirement: Access Controls
Description: The CSP must comply with the HIPAA security rules. Grant least access privileges to authorised persons only. Use RBAC.
TCCF-SPT compliance: Implemented with MFA policies and least-privilege, need-to-know access based on the role and task, as discussed in Chapter 5.

Requirement: Physical Access
Description: Secure devices and data by limiting access to authorised persons only. Add physical identity verifications such as biometrics, smart cards and RFIDs.
TCCF-SPT compliance: Implemented with a physical access control policy, securing the user's access with biometric and smart card authentication. The CSA who manages the VMs does not know where they are located and cannot physically access them.

Requirement: Network Access
Description: Data should be encrypted over the network. Limit access to authorised devices and persons only. Install approved software and applications only. Configure licensed software and original hardware only.
TCCF-SPT compliance: Data are encrypted by default during processing, in transit and at storage. Fully homomorphic encryption is recommended. Devices are authenticated with TPM, while users are authenticated with the MFA-SSO-RBAC system.

Requirement: Plan for the Unexpected
Description: Create encrypted and secure data backups that comply with the HIPAA regulations, with access limited to authorised persons only. The backup location is known only to the related people with least access privileges. Have a sound recovery plan to face any emergency or disaster.
TCCF-SPT compliance: Backup is enforced in the data life cycle and is encrypted by SED, with access limited to authorised persons only. The backup location is known only to the related people with least access privileges. The disaster recovery plan is discussed in the SLA.

Requirement: Mobile Devices
Description: Protect mobile devices with passwords. Encrypt data and hard drives. Encrypt the connections between authorised mobile devices and EHRs.
TCCF-SPT compliance: Implemented, in addition to securing by TPM, TNC and SED.

6.3 Compliance with HIPAA

After evaluating the compliance of TCCF with the ONC security and privacy guidelines, the next step is to ensure that it meets the security and privacy requirements of the healthcare standards. Table 6.2 shows how TCCF satisfies the HIPAA security and privacy requirements (Department Of Health And Human Services, 2013; McGee, 2013a; Seddon and Currie, 2013).

Table 6.2: Compliance with HIPAA Security and Privacy Requirements

Requirement: Disaster Recovery
TCCF-SPT compliance: Encrypted backup in various locations within the consumer's country boundaries. Also specified in the SLA. Negotiated with the consumer on the mechanism and the schedule.

Requirement: Audit Rights
TCCF-SPT compliance: Done by the consumer or a trusted and certified third party. Reports CSP systems and protocols, both as documented and as implemented. Also specified in the SLA.

Requirement: Privacy and Confidentiality
TCCF-SPT compliance: Negotiated SLA according to healthcare requirements. Auditing and reporting rights for healthcare consumers. Secures the cloud environment and infrastructure against malicious access, insider and outsider threats by embedding security in the design and using TCG technologies. Robust IAM and AAAA mechanisms. Applies strong access control and identity management based on the CSU's role. Limits access to health information to authorised users only. Applies audit controls and procedures that record and analyse activity and logs. Integrity checks by TPM. MFA with SSO. Secure transmission over an encrypted channel.

Requirement: Technical Security Controls
TCCF-SPT compliance: Implements MFA access control to protect against unauthorised access to EHRs. Proposes TCG technologies to secure hardware, network and storage. Secure passwords. Backs up data in multiple locations within the consumer's country boundaries. Virus checks. Data encryption.

Requirement: Physical
TCCF-SPT compliance: Strict access control and biometric access. CCTV camera security. Security guards. Data centre location known only to those who need to know.

Requirement: Data
TCCF-SPT compliance: Encryption at rest, during processing and in transit. Secure MFA access. SED trusted storage. Secure encrypted backup. Continuous activity monitoring.

Requirement: Network
TCCF-SPT compliance: TNC, firewall, IDPS. Anti-malware and patch management. SSL/TLS, TVD/VPN.

Requirement: Administrative
TCCF-SPT compliance: Training, documentation, MFA process, strict AAAA. Auditing and log monitoring. Strong password policy.

Requirement: Breach Notification
TCCF-SPT compliance: Auditing and reporting.

Requirement: Business Associate Contracts
TCCF-SPT compliance: Customised SLA.

Requirement: Regulatory compliance
TCCF-SPT compliance: Data storage and backups are placed within the boundaries of the consumer's country location.

6.4 Cloud Computing Threats Mitigations

To establish consumers' trust in using cloud computing services, they have to be assured that their resources are safe against threats that could affect the QoS they have acquired. In the current implementation of cloud computing in healthcare, consumers are not allowed to control the cloud infrastructure; they cannot even deploy intrusion detection or security monitoring systems. They may also be unaware of the CSP's detailed security incidents or malware reports, which creates a transparency issue (Modi et al., 2012). Table 6.3 describes the threats that may lead to misuse of information or resources (Hashizume et al., 2013) and the TCCF mitigation techniques. The ability of TCCF to overcome the threats identified by CSA provides a further evaluation mechanism, alongside the comparison with previous work in the literature and the expert survey, to establish its reliability and trustworthiness for implementation in the healthcare sector.

Table 6.3: CSA Threats Mitigations

Threat: Data Breaches
Impact: Violates the confidentiality of data. Side channel attacks (Samson, 2013; Tripathi and Mishra, 2011).
TCCF mitigations: Data encryption at rest, during processing and in transit. Robust identity and access controls with MFA. Resilient VM isolation using TVD and VPN. vTPM, IDPS and firewall. Complies with HIPAA. Physical and logical security.

Threat: Data Loss
Impact: Loss of reputation, loss of CSUs' trust and exploitation of their data.
TCCF mitigations: Data encryption at rest, during processing and in transit. Data backup and retention strategies and system availability assurance are specified in the HTCCF-SLA, together with MFA IAM.

Threat: Account Hijacking
Impact: Unauthorised access to critical areas of cloud services, violating the confidentiality, integrity and availability of those services.
TCCF mitigations: MFA. Robust password policy. Separation of duties.

Threat: Insecure APIs
Impact: Confidentiality, integrity, availability and accountability issues. XML Signature Wrapping attacks (Somorovsky et al., 2011).
TCCF mitigations: MFA and robust password policy. Data encryption. Security by design. Network filtering. Application security.

Threat: DOS and Distributed Denial of Service (DDOS)
Impact: Cloud system resources are overloaded by an attacker, causing service outage (Singh and Shrivastava, 2012).
TCCF mitigations: Security by design. Network monitoring. Strong authentication and access controls.

Threat: Malicious Insiders
Impact: Misuse of data and IT resources caused by the CSA (CSA, 2013; Bamiah and Brohi, 2011).
TCCF mitigations: Specifying healthcare requirements in the SLA. Data encryption. Robust IAM and password policy.

Threat: Abuse of Cloud Services
Impact: Malicious access and misuse of data.
TCCF mitigations: Strong MFA. Uses IDPS.

Threat: Insufficient Due Diligence
Impact: Healthcare systems are incompatible with cloud systems.
TCCF mitigations: SLA. Auditing and reporting. Proof of data deletion.

Threat: Shared Technology Issues
Impact: VM escape by exploiting a VM and interacting with the host OS, taking over other VMs (Trend Micro, 2012). Attack vector in which legitimate users misuse the cloud services and launch side channel attacks on other CSUs.
TCCF mitigations: Security by design. Data encryption. Strict IAM with MFA and robust password policy. Network monitoring by filtering, IDPS, firewall and web browser patching.

6.5 Comparison with Related Work Evaluation

In the healthcare sector, security standards such as HIPAA aim to protect individuals' PHR information. CSPs and HSPs must comply with the HIPAA security and privacy rules and have appropriate safeguards in place to ensure the confidentiality, integrity and security of ePHI (HHS.gov, 2013; 2013a; CMS, 2007). In contrast with previous work, TCCF complies with HIPAA through its security and privacy-preserving techniques, and this compliance is also assured in the SLA between the CSP and the consumer. The security and privacy-enhancing mechanisms introduced so far for the use of cloud in healthcare aim to improve access control but do not apply trusted secure hardware and software mechanisms to the physical and virtual cloud layers (Narayanan and Gunes, 2011; Zhang and Liu, 2010; Narayan et al., 2010; Mohammed et al., 2010; Wang et al., 2010; Le et al., 2010). Others implement a trusted hardware security mechanism such as TPM but do not address virtualisation protection (Lohr et al., 2010).

The TCCF approach is to secure the overall cloud computing infrastructure by implementing security and privacy by design and by integrating TCG technologies to establish the root of trust in cloud services. Since the cloud infrastructure is composed of several entities, including hardware, software, applications, data, network, storage and people (administrators and other users), access to these entities has to be strictly secured with MFA techniques and robust access control mechanisms and policies, in order to shield the cloud computing environment from malicious access, whether from insider or outsider attacks and whether by humans, machines or systems. Each entity in TCCF has its own security aspects that must be fulfilled and bound to standards compliance and a specified SLA. TCCF is evaluated against previous work by critical comparison, to test its reliability, as follows:

Jamkhedkar et al. (2013) proposed a Security on Demand (SoD) framework to secure the cloud IaaS according to consumers' threat models. This framework does not solve all SPT concerns. It focuses only on securing IaaS, not PaaS or SaaS, which leaves the cloud environment vulnerable to attacks on PaaS and/or SaaS. It requires consumers to have prior technical knowledge of threat models in order to choose the required level of security, which is impractical since not all consumers have such knowledge. The authors base their solution on potential attacks or a threat model, yet attacks are dynamic and continually changing (FireEye, Inc, 2013). Moreover, no access control mechanism is identified for protecting against malicious access. Finally, the model discusses only security, not privacy and trust concerns, and depends on policies rather than trusted technologies. TCCF, by contrast, focuses on security by design covering all cloud layers and access, and complies with rules and regulations. TCCF also addresses the SPT concerns by proposing a secure infrastructure with TCG technologies, preserving privacy through data encryption and secure MFA access, complying with standards, and building trust through a robust customised SLA.

Banirostam et al. (2013) proposed a TCCI model that develops a UTE to ensure the confidentiality, data accuracy and integrity of consumers' VMs. The model confines VM execution to a secure IaaS environment in which CSP managers have no privileges within the UTE, in order to protect against insider threats. However, the proposed infrastructure model relies on a third party, which poses risks of malicious access, insider threats and data misuse or breach. Moreover, TCCI enables trusted VMs but does not include trusted technologies for servers, network or storage. It does not ensure that a system administrator with an access permit cannot enter the host VM via a remote connection and consequently gain access to consumers' memory or run computations on their behalf. The model therefore does not fulfil the SPT requirements, does not implement a trusted TPM, and relies on a third party. TCCF fills this gap by proposing the use of TCG technologies for securing the physical and virtualisation infrastructure, and does not rely on a third party. TCCF preserves privacy through data encryption and builds trust through a customised SLA, in addition to complying with standards.

Youssef and Alageel (2012) proposed a framework for identifying the security and privacy requirements, attacks, threats, concerns and risks associated with the deployment of cloud computing, together with security and privacy guidelines to mitigate them. However, the framework and model are general and not specific to any industry; they are not implemented and do not cover all the threats and risks in the cloud environment. Moreover, the model is based on two-factor authentication, which needs strengthening by adding physical biometric verification for the CSP administrators to prevent any illegal access to consumers' VMs. The authors consider authentication and authorisation security as well as data protection, but do not include physical layer security and provide only general recommendations and guidelines rather than a robust mechanism for solving all SPT concerns.

Li et al. (2012) proposed an ABE framework for secure sharing of PHRs in cloud computing. This patient-centric framework uses MA-ABE to improve security. However, it does not address any physical or virtualisation security mechanisms, and ABE and MA-ABE have limitations when used to build PHR systems. In contrast, TCCF provides data encryption at rest, in transit and during processing over a secure communication channel with secure end points, and covers all types of healthcare records rather than PHRs alone. Moreover, TCCF closes the gaps of this framework by adding further security controls to the physical, virtual and application layers in order to overcome the SPT concerns and gain consumers' trust in the cloud.

Lohr et al. (2010) proposed a Secure E-Health Cloud, an architecture based on TVD for privacy domains in e-health systems that involves the CSU and CSP platforms. However, the E-Health Cloud does not offer any security technique for the middleware, and there is no SLA, which is necessary for maintaining trust. TCCF extends the work of Lohr et al. by adding TCG TNC and SED, further security controls, and HIPAA compliance, in order to overcome the SPT concerns of the cloud when implemented in critical information industries.

None of the studies discussed above mention the SLA, which is required to ensure trust, QoS and the rights of consumers. Nor do these models involve HIPAA compliance, which is vital in the healthcare sector. Table 6.4 summarises how TCCF fills the gaps of the previous studies, complies with HIPAA, and adds a customised, healthcare-specific SLA.

Table 6.4: TCCF - Comparison with Related Work Evaluation

Authors: (Jamkhedkar et al., 2013)
Model: Security on Demand (SoD) Framework
Contribution: The SoD framework secures the cloud IaaS according to consumers' threat models.

Authors: (Banirostam et al., 2013)
Model: Trusted Cloud Computing Infrastructure (TCCI)
Contribution: A TCCI model that develops a UTE to ensure the confidentiality, data accuracy and integrity of VMs.

Authors: (Youssef and Alageel, 2012)
Model: A Framework for Secure Clouds
Contribution: A framework and guideline for identifying the security and privacy requirements, attacks, threats, concerns and risks associated with the deployment of cloud.

Authors: (Li et al., 2012)
Model: ABE Framework
Contribution: An ABE framework for secure sharing of PHRs in the cloud.

Authors: (Lohr et al., 2010)
Model: Secure E-Health Cloud
Contribution: A secured architecture based on TVD for privacy domains that involves the CSU and CSP platforms.

TCCF mitigations (applying to all of the above): TCCF overcomes the limitations of previous work by adding security by design for the physical, virtual and application layers and providing MFA access control. TCCF proposes data encryption during processing, in transit and at storage over a secured encrypted communication channel. It does not rely on a third party and uses TPM to initiate the root of trust. TCCF proposes TCG technologies for achieving trust in the cloud infrastructure: TPM for the hardware, TNC for a secure network and SED for secure storage. TCCF takes into consideration the HIPAA, NIST and CSA standards, and also proposes a customised SLA for the healthcare sector.

6.6 Trust Evaluation

This section discusses the evaluation of TCCF through its achievement of the trust components (security, privacy, accountability and availability) (Muppala et al., 2012), as follows:

A. Security
i. TCCF provides security by design for the physical, virtualisation and application layer components, together with firewalls and IDPS.
ii. TCCF provides data security by encryption at rest, during processing and in transit over a secured communication channel.
iii. TCCF provides secure access based on the organisation's policy and the CSU's role, with an MFA process to prevent any unauthorised access.

B. Privacy
i. TCCF limits access to authorised CSUs with need-to-know least privileges. In an emergency, healthcare professionals can access records under the SLA-negotiated terms, and the system logs the activity with only the need-to-know portion.
ii. TCCF integrates SED, which provides fully encrypted storage.
iii. TCCF provides TVD and VPN, and secures VMs with vTPM.

C. Accountability
i. TCCF provides external and internal auditing as well as reporting features for CSUs, with the mechanism and schedule based on the negotiated SLA.
ii. TCCF complies with the rules and regulations that require consumers' data to be stored within the country boundaries, as per the SLA.
iii. TCCF provides IDPS and other security controls that safeguard the cloud against threats and undesirable events, as a protective step to ensure overall security and trust.

D. Availability
i. TCCF provides disaster recovery and backup guaranteed by the SLA.
ii. TCCF integrates traditional data security and privacy protection with other security controls to safeguard the overall cloud infrastructure. Security and privacy controls are embedded in the design and involved in every stage of the data life cycle. All of these controls ensure service availability and protect against threats and malicious access. Table 6.5 presents the trust components (Muppala et al., 2012) and how TCCF achieves them.

Table 6.5: TCCF - Trust Evaluation

Trust component: Security
TCCF mitigation technique: Physical security, firewalls, IDPS, TCG technologies.

Trust component: Privacy
TCCF mitigation technique: MFA based on CSUs' roles and organisation policy, VM isolation, data encryption.

Trust component: Accountability
TCCF mitigation technique: SLA, HIPAA compliance, log monitoring, internal and external audits.

Trust component: Availability
TCCF mitigation technique: SLA, data backup and disaster recovery plan.

6.7 Survey Evaluation

The purpose of this closed-ended questionnaire survey, as discussed in Chapter 3, Section 3.4.2, is to have cloud computing, security and healthcare IT experts evaluate the security of TCCF, in order to fulfil the aim of the research and answer the research question. The survey was designed with the Kwiksurvey tool and distributed to the relevant professional groups on LinkedIn. The target number of experts was as many as could be reached within the limited three-month time frame, since no approximate statistics of cloud and healthcare security experts were available. In total, 52 usable responses were received. The survey observes the ethical requirement that the respondents' privacy and confidentiality are guaranteed.

The survey opens with a brief introduction to TCCF that gives an idea of the proposed solution and states the ethical commitment to preserving the anonymity and confidentiality of the respondents. The second part of the introduction describes the security techniques used to secure access to the cloud services and also lists the components of the customised SLA. The third part of the survey contains the closed-ended question in the form of a matrix that presents the security techniques proposed for each framework layer, with a brief discussion of the access-securing techniques and the added SLA components. The question asks only for the experts' approval or rejection of the SPT techniques used to secure the physical, virtualisation and application cloud service layers. The rating scale for the security mechanisms of each layer is agree, neutral or disagree, weighted 3, 2 and 1 respectively. Rating the security techniques of all three layers yields the overall framework security evaluation. The survey and the experts' feedback are described below.

A. Physical Layer Security Evaluation

The first part of the survey question tests the physical layer security techniques, as shown in Figure 6.1: TPM for protecting the hardware and initiating the root of trust, TNC for securing the network, and SED for securing data storage and preserving privacy through self-encryption with efficient key storage. 42 of the 52 experts (81%) agreed with the techniques used to secure the physical layer, only 2% disagreed and 17% remained neutral. This indicates that the security techniques used in the physical layer can overcome the SPT concerns and protect against malicious attacks, since they are based on TCG trusted technologies.

[Figure 6.1 bar chart, number of experts for Physical Layer Security (TPM, TNC, SED): Agree 42, Neutral 9, Disagree 1]

Figure 6.1: TCCF - Physical Layer Evaluation

B. Virtualization Layer Security Evaluation

The second part of the TCCF security evaluation question tests the virtualisation layer security techniques, as shown in Figure 6.2. 45 of the 52 experts (86%) agreed with the techniques used to secure the virtualisation layer, only 2% disagreed and 12% remained neutral. This rate is satisfactory and indicates that the techniques used to secure the virtualisation layer can overcome the SPT concerns related to that layer.

[Figure 6.2 bar chart, number of experts for Virtualization Layer Security (vTPM, TVD, VPN, IDPS, Firewall, Anti-Virus and Anti-Malware): Agree 45, Neutral 6, Disagree 1]

Figure 6.2: TCCF - Virtualization Layer Evaluation

C. Application Layer Security Evaluation

The third part of the TCCF security evaluation question tests the application layer security techniques (IAM, SLA, data encryption and backup), as shown in Figure 6.3. 44 of the 52 respondents (85%) agreed with the techniques used to secure the application layer, only 4% disagreed and 12% remained neutral, which again indicates that this layer passed the evaluation and that the techniques used can overcome the consumers' SPT concerns.

[Figure 6.3 bar chart, number of experts for Application Layer Security (IAM, SLA, Data Encryption and Backup): Agree 44, Neutral 6, Disagree 2]

Figure 6.3: TCCF - Application Layer Respondents Number

D. TCCF Security Survey Evaluation

The final part of the TCCF security evaluation question covers the overall framework security techniques across the three layers (physical, virtualisation and application), as shown in Figure 6.4.

[Figure 6.4 grouped bar chart, number of experts per layer: Physical Layer Security (TPM, TNC, SED) Agree 42 / Neutral 9 / Disagree 1; Virtualization Layer Security (vTPM, TVD, VPN, IDPS, Firewall, Anti-Virus, Anti-Malware) Agree 45 / Neutral 6 / Disagree 1; Application Layer Security (IAM, SLA, Data Encryption and Backup) Agree 44 / Neutral 6 / Disagree 2]

Figure 6.4: TCCF - Overall Evaluation Results

Table 6.6: Survey Security Statistics

Physical Layer Security (TPM, TNC, SED): Agree 42 (81%), Neutral 9 (17%), Disagree 1 (2%), Responses 52, Average 2.79
Virtualization Layer Security (vTPM, TVD, VPN, IDPS, Firewall, Anti-Virus, Anti-Malware): Agree 45 (86%), Neutral 6 (12%), Disagree 1 (2%), Responses 52, Average 2.85
Application Layer Security (IAM, SLA, Data Encryption and Backup): Agree 44 (85%), Neutral 6 (12%), Disagree 2 (4%), Responses 52, Average 2.81
Overall TCCF average: 2.82

Table 6.6 presents the experts' feedback as numbers and percentages. The overall framework security rating is derived from the ratings of the sub-questions. As the table shows, 81% of respondents agreed with the physical layer security techniques (TPM, TNC and SED) while only 2% disagreed, so this layer passes the testing and evaluation. The same applies to the virtualisation layer, where 86% agreed and 2% disagreed, which shows that the techniques used are suitable. For the application layer, 85% of respondents agreed with the techniques used and 4% disagreed, which also indicates acceptance of the methods used to secure this layer, including robust IAM with MFA, data encryption and the customised SLA. According to the experts' acceptance of the framework's SPT techniques, TCCF overcomes the SPT concerns. Tables 6.7, 6.8 and 6.9 present the averages of the respondents' ratings on the 3-point scale for each TCCF layer.

Table 6.7: Data Scaling Physical Layer

Scale      Rating Score   No. of Responses   Rating Score * No. of Responses
Disagree   1              1                  1
Neutral    2              9                  18
Agree      3              42                 126
Total                     52                 145
Total Average: 145/52 = 2.79

Table 6.8: Data Scaling Virtualization Layer

Scale      Rating Score   No. of Responses   Rating Score * No. of Responses
Disagree   1              1                  1
Neutral    2              6                  12
Agree      3              45                 135
Total                     52                 148
Total Average: 148/52 = 2.85

Table 6.9: Data Scaling Application Layer

Scale      Rating Score   No. of Responses   Rating Score * No. of Responses
Disagree   1              2                  2
Neutral    2              6                  12
Agree      3              44                 132
Total                     52                 146
Total Average: 146/52 = 2.81

Scale rating of the framework is determined by the following formula, where, following the columns of Tables 6.7 to 6.9, $x_i$ is a rating score, $w_i$ is the number of responses at that score and Total is the number of responses:

$$\text{Average} = \frac{x_1 w_1 + x_2 w_2 + x_3 w_3 + \dots + x_n w_n}{\text{Total}}$$

The TCCF average is the mean of the three layer averages (2.79, 2.85 and 2.81):

$$\text{TCCF Average} = \frac{8.45}{3} = 2.82$$

Table 6.10: Weighted Average Range Interpretation

Range (1-3)   Weighted Average Equivalence
2.1 - 3       Strong
1.1 - 2       Satisfactory
0 - 1         Weak

TCCF Average: 2.1 < 2.82 < 3, i.e. Strong
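The weighted-average scoring behind Tables 6.7 to 6.10, as an added worked example in Python that is not part of the thesis: it takes the response counts of Table 6.6 as constructed input, applies the formula above to each layer, averages the three layer results the way the thesis does (mean of the rounded layer averages) and maps the result onto the Table 6.10 bands. It also generalizes slightly by computing the average over the pooled responses of all layers. The function names, the `BANDS` table encoding and the "Outside table bands" label are assumptions of this example.

```python
"""Weighted-average scoring of 3-point survey responses (Tables 6.7 to 6.10):
Average = (x1*w1 + x2*w2 + ... + xn*wn) / Total, where x_i is the rating
score and w_i the number of responses at that score. Example code, not the
thesis author's."""

from typing import Dict

# Rating scores of the 3-point scale (Tables 6.7 to 6.9).
SCALE: Dict[str, int] = {"Disagree": 1, "Neutral": 2, "Agree": 3}

# Interpretation bands of Table 6.10 as (lower bound, upper bound, label).
# Note the gaps between rows (e.g. 2.0 < avg < 2.1); see interpret().
BANDS = [(2.1, 3.0, "Strong"), (1.1, 2.0, "Satisfactory"), (0.0, 1.0, "Weak")]

# Constructed input: response counts transcribed from Table 6.6 (52 experts per question).
SURVEY: Dict[str, Dict[str, int]] = {
    "Physical Layer Security (TPM, TNC, SED)":
        {"Agree": 42, "Neutral": 9, "Disagree": 1},
    "Virtualization Layer Security (vTPM, TVD, VPN, IDPS, Firewall, Anti-Virus, Anti-Malware)":
        {"Agree": 45, "Neutral": 6, "Disagree": 1},
    "Application Layer Security (IAM, SLA, Data Encryption and Backup)":
        {"Agree": 44, "Neutral": 6, "Disagree": 2},
}


def weighted_average(counts: Dict[str, int]) -> float:
    """Sum of (score * responses) divided by the total number of responses, unrounded."""
    unknown = set(counts) - set(SCALE)
    if unknown:
        raise ValueError(f"scale labels not defined: {sorted(unknown)}")
    total = sum(counts.values())
    if total == 0:
        raise ValueError("no responses")
    return sum(SCALE[label] * n for label, n in counts.items()) / total


def percentages(counts: Dict[str, int]) -> Dict[str, int]:
    """Share of responses per scale label, rounded to whole percent (Table 6.6)."""
    total = sum(counts.values())
    return {label: round(100 * n / total) for label, n in counts.items()}


def interpret(avg: float) -> str:
    """Map an average onto the Table 6.10 bands; values in the gaps between rows are flagged."""
    for lo, hi, label in BANDS:
        if lo <= avg <= hi:
            return label
    return "Outside table bands"


def layer_averages(survey: Dict[str, Dict[str, int]]) -> Dict[str, float]:
    """Per-layer average rounded to two decimals, as in Tables 6.7 to 6.9."""
    return {layer: round(weighted_average(c), 2) for layer, c in survey.items()}


def framework_average(survey: Dict[str, Dict[str, int]]) -> float:
    """Mean of the rounded layer averages, as the thesis computes it (8.45 / 3)."""
    avgs = layer_averages(survey)
    return round(sum(avgs.values()) / len(avgs), 2)


def pooled_average(survey: Dict[str, Dict[str, int]]) -> float:
    """Alternative: pool every response across layers before averaging (439 / 156)."""
    pooled: Dict[str, int] = {}
    for counts in survey.values():
        for label, n in counts.items():
            pooled[label] = pooled.get(label, 0) + n
    return round(weighted_average(pooled), 2)


if __name__ == "__main__":
    for layer, avg in layer_averages(SURVEY).items():
        print(f"{avg:.2f}  {percentages(SURVEY[layer])}  {layer}")
    overall = framework_average(SURVEY)
    print(f"TCCF average {overall:.2f} -> {interpret(overall)}; "
          f"pooled over all responses {pooled_average(SURVEY):.2f}")
```

Running the block reproduces 2.79, 2.85 and 2.81 for the three layers and 2.82 for the framework. The pooled variant gives 2.81, because rounding each layer to two decimals before taking the mean shifts the third decimal; both values fall in the Strong band, so the interpretation is unchanged.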

E. Survey Evaluation Results

The overall evaluation of TCCF security demonstrated that TCCF is feasible for achieving security through its TCG technologies, security controls and secure communication, in addition to achieving privacy through data encryption and robust access control with an MFA mechanism based on the organization's policy and the users' roles, alongside a strict password policy. Moreover, trust is achieved by giving more control to the CSUs through auditing and reporting, service availability, and a robust SLA that guarantees compliance with the HIPAA security and privacy rules and regulations required by healthcare. TCCF showed a high acceptance rate, with a weighted average of 2.82 out of 3, which equals 94%; this is a satisfactory percentage, indicating that the framework's reliability can be trusted by the healthcare sector.

6.8 Summary

The most critical work after problem definition, initiating the hypotheses for the research questions and designing the framework was conducting a deductive quantitative survey to evaluate and refine the proposed TCCF. The emphasis was on finding experts in the field of study and taking their feedback to evaluate the TCCF design, so that it could be refined against the experts' feedback and confirmed as trustworthy to be introduced to CSPs for implementation in the healthcare sector. For more practicality, TCCF was also evaluated by comparison with related previous work, which showed that TCCF adopted their advantages and mitigated their gaps to produce an overall secure-cloud-by-design solution. The HTCC framework was also evaluated for compliance with HIPAA security and privacy requirements. TCCF was further evaluated on its ability to overcome the possible threats identified by CSA.

CHAPTER 7

CONCLUSION AND FUTURE WORK

7.1 Introduction

As discussed in Chapter 1, critical information industries, including the healthcare sector, consist of various entities that carry massive information loads and rely heavily on data and computing resources. Managing massive data and computing resources requires significant capital expenditure for sourcing and maintaining the IT infrastructure needed for storing, transferring, retrieving, modifying or printing data and reports. Cloud computing caters for all of this more efficiently and at minimum cost. Considering the current implementation of cloud computing as discussed in Chapter 2, several SPT concerns have been identified that act as a barrier against full adoption of cloud computing in the healthcare sector. Some of the investigated models did not implement any security or privacy mechanisms. Other models provided data encryption and diverse access control methods to preserve privacy and protect against unauthorized access. A few models implemented TPM and TVD for security but did not consider HIPAA requirements, whose violation costs a huge amount of money. None of the models mentioned the use of an SLA for achieving trust in a multi-tenant cloud computing environment. TCCF was designed and evaluated to ensure strict SPT and compliance with HIPAA so that it can be trusted and deployed in critical information industries, specifically the healthcare sector.

7.2 Contributions and Significance

TCCF has several novel aspects. As far as the in-depth literature investigation shows, TCCF is the first framework to provide holistic security for cloud infrastructure in relation to healthcare requirements and standards. It integrates TCG technologies, which are based on the secure hardware element TPM, to initiate a trusted platform, beside other significant contributions achieved through accomplishing the research objectives as follows:

i. This study has investigated the current cloud computing implementation in the healthcare sector. Five models were reviewed and critically analysed in order to locate the gaps (Jamkhedkar et al., 2013; Banirostam et al., 2013; Youssef and Alageel, 2012; Li et al., 2012; Lohr et al., 2010). The identified models indicate that there are significant SPT concerns which have to be solved in order to initiate healthcare trust in adopting cloud computing. TCCF is designed to overcome the identified SPT concerns (Thilakanathan et al., 2013; Hsing, 2012; Servos, 2012; Shini et al., 2012; Khatua et al., 2011; Takabi et al., 2010a; Pearson and Benameur, 2010) and to assist in enhancing the level of trust in cloud computing so that it can be adopted in the healthcare sector.

ii. TCCF proposes a security-by-design, multi-layered, defence-in-depth approach that covers the physical, virtualization and application layers to protect the overall cloud infrastructure against threats and prevent malicious attacks, as discussed in Chapter 4 Section 4.9. TCCF secures data by design in transit, in process and at rest, as discussed in Chapter 4 Sections 4.8.3 - 4.8.5. Moreover, data backup is enforced in the SLA and in the design to preserve data availability and disaster recovery. TCCF also secures access to data through a strict policy for password use and storage, protecting consumers' data and computing resources from insider and outsider threats.

iii. The trust definition for TCCF was identified by investigating current trust definitions for healthcare and cloud computing, as discussed in Chapter 2 Section 2.7 and Chapter 4 Section 4.3. TCCF describes the trust factors that should be accomplished to gain healthcare trust in implementing cloud computing. The CSP has to achieve the trust terms and conditions regarding human behaviour, reputation, and the security of infrastructure, devices, data, systems, applications and processes, besides considering compliance with the rules, regulations and standards related to the critical information industry.

iv. TCCF proposes TCG international standard technologies identified for ensuring SPT and interoperability. TCG-TCCP is used for maintaining authentication, confidentiality and integrity in a cloud computing environment through its various technologies, which are discussed in Chapter 2 Section 2.8 and Chapter 4 Section 4.4.

v. TCCF proposes an additional context to the SLA according to healthcare requirements, since it was identified that there was no cloud computing SLA specific to the healthcare sector (Alley et al., 2012), as discussed in Chapter 2 Section 2.10 and Chapter 4 Section 4.5.

vi. The investigation of previous work on current implementations of cloud computing in healthcare found that none of the models proposed compliance with HIPAA, whose violation can lead to a huge fine of $100-50,000 USD per violation (LYNN, 2013). TCCF proposes compliance with the HIPAA data security and privacy requirements, as discussed in Chapter 2 Section 2.13 and Chapter 4 Section 4.6.

vii. TCCF was evaluated by several methods, including a survey, comparison with related work, compliance with standards and the development of an MFA prototype to secure access against any malicious or illegal attacks. The evaluation results were analysed and proved that TCCF can be trusted and implemented by the healthcare sector.

7.3 Limitations and Future Direction of Research

TCCF has been evaluated through various methods which proved that it can be trusted and applied in the healthcare sector for improving the quality of medical services and best practices. However, TCCF covers only the research scope. Certain limitations can be addressed in future work, as follows:

7.3.1 Implementation

Due to resource and time limitations, TCCF was designed but not implemented. The future direction of this study is to implement the design with a selected CSP and a few hospitals as a simulation, testing the design until it can be implemented fully.

7.3.2 Inter Cloud

TCCF focuses on one cloud with a single CSP and does not cover multiple CSPs, that is, multiple independent clouds used by one consumer or service, known as "Inter Clouds" or "Cloud of Clouds" (Grozev and Buyya, 2012). TCCF is aimed at offering an IT business solution for healthcare, since some CSPs do not apply strict security or do not consider critical information industries in their SLAs or services. The future direction is to form a community cloud of clouds specific to the healthcare industry.

7.3.3 Performance

TCCF addressed SPT concerns and did not include performance. The future direction is to experiment with, analyse and evaluate performance and include it in the SLA.

7.3.4 SLA

This research study contributes by recommending additional contexts for the existing SLA, such as the requirements of the healthcare sector and the SPT aspects. The limitation is that there are various CSPs with heterogeneous types of SLA, which makes this very complex to apply, since there is still a need for a standardized SLA template for healthcare that can be monitored by a legal authority which enforces the proper terms and conditions of the SLA and the appropriate fines for both consumers and CSPs in case of violation. To mitigate this limitation, in this study an additional context is added to the SLA selected by the consumer, according to healthcare requirements, assuming that the consumer is from the healthcare sector. The future direction is to initiate a cloud SLA and a business level agreement that is standardized and specified for the healthcare sector.

7.3.5 Security Controls

TCCF is an IT business solution offered to healthcare sector organizations, not to individuals. It proposes the use of firewalls, anti-virus, anti-malware and IDPS as siloed systems. However, TCCF recommends the use of Next Generation Firewalls (NGFW) and Unified Threat Management (UTM). Furthermore, TCCF secures the cloud infrastructure, communication and data, but it does not provide any security for consumers' devices, home-based medical devices or wireless body sensors.

Figure 7.1 summarises and illustrates the contributions and the list of publications as well as the certificates obtained at each stage of the conducted study.

[Figure 7.1 (flow diagram): Start → literature study of Cloud Computing, Critical Information Industry (Healthcare) and Standards (NIST, CSA, TCG and HIPAA) (Jamkhedkar et al., 2013; Banirostam et al., 2013; Youssef and Alageel, 2012; Li et al., 2012; Lohr et al., 2010) → Security, Privacy, Trust → Design TCCF (Bamiah et al., 2012a; Bamiah and Brohi, 2011a; Brohi and Bamiah, 2011; Bamiah et al., 2012; 2012b; Brohi et al., 2013; 2012; 2012a) → Develop Prototype → Survey → Evaluate TCCF (Bamiah et al., 2013) → End. Certificates obtained: IBM Certified Cloud Solution Architect (2012), IBM Certified Cloud Solution Advisor (2011), Rackspace Certified Cloud (2011), CSA Certified Cloud Computing Security Knowledge (CCSK) (2012), EC-Council Certified Ethical Hacker (2012), Health Informatics in the Cloud (2013).]

Figure 7.1: TCCF - Contributions, Publications and Certificates

7.4 Summary

This research aims to provide a secure TCCF through the integration of TCG technologies, data encryption, secure communication channel and end points, bounded by a customized SLA, under the compliance of HIPAA to be implemented by healthcare sector.

REFERENCES

Abbadi, I., Deng, M., Nalin, M., Martin, A., Petkovic, A. and Baroni, I. (2011). Trustworthy Middleware Services in the Cloud. In Proceedings of the 2011 Third International Workshop on Cloud Data Management (CloudDB '11). ACM, 33-40. DOI: 10.1145/2064085.2064094.

Abbadi, I. (2011a). Middleware Services at Cloud Application Layer. Proceedings of the 2011 Second International Workshop on Trust Management in P2P Systems (IWTMP2PS '11). Lecture Notes in Computer Science. Springer-Verlag, Berlin, 557-571. DOI: 10.1007/978-3-642-22726-4_58.

Achemlal, M., Gharout, S. and Gaber, C. (2011). Trusted Platform Module as an Enabler for Security in Cloud Computing. Proceedings of the 2011 Network and Information Systems Security (SAR-SSI). 18-21 May 2011. La Rochelle: IEEE, 1-6. DOI: 10.1109/SAR-SSI.2011.5931361.

Adebiyi, A., Arreymbi, J. and Imafidon, C. (2012). Security Assessment of Software Design using Neural Network. International Journal of Advanced Research in Artificial Intelligence, 1(4): 1-7. SAI Publications.

Ahmad, B. and Mohamed, S. (2011). Implementation of Trusted Computing Technologies in Cloud Computing. International Journal of Research and Reviews in Information Sciences (IJRIS). 1(1): 1-3. Science Academy Publisher.

Ahmed, A. (2012). Meeting PCI DSS When Using a Cloud Service Provider. ISACA Journal 5: 1-30.

Alley, D., Ahmed, T., Androvich, J., Archibald, S., Andrew, S., Fultz, N., Heusser, S., Keahey, R., Krogue, K., Menon, R., Morgenthal, J., Rice, A., Roberts, D., Ryan, C., Ulmer, S., Wheeler, H. and Wilson, K. (2012). The Cloud Computing Guide for Healthcare. Focus Research. Microsoft, 1-22.

Almorsy, M., Grundy, J. and Ibrahim, S. (2011). Collaboration-Based Cloud Computing Security Management Framework. Proceedings of the 2011 Cloud Computing (CLOUD). 4-9 July 2011. Washington, DC. IEEE, 364-371. DOI: 10.1109/CLOUD.2011.9.

Almutairi, A., Sarfraz, M., Basalamah, S., Aref, W. and Ghafoor, A. (2012). A Distributed Access Control Architecture for Cloud Computing. Proceedings of the 2012 Software. 20 February 2012. IEEE Computer Society. 29(2): 36-44. DOI: 10.1109/MS.2011.153.

Alshehri, S., Radziszowski, S. and Raj, R. (2012). Secure Access for Healthcare Data in the Cloud Using Ciphertext-Policy Attribute-Based Encryption. Proceedings of the 2012 Data Engineering Workshops (ICDEW), 2012 IEEE 28th International Conference on. 1-5 April 2012. Arlington, VA. IEEE, 143-146. DOI: 10.1109/ICDEW.2012.68.

AlZain, M., Pardede, E., Soh, B. and Thom, J. (2012). Cloud Computing Security: From Single to Multi-clouds. Proceedings of the 2012 45th Hawaii International Conference on System Science (HICSS). 4-7 January 2012. Maui, HI. IEEE, 5490-5499. DOI: 10.1109/HICSS.2012.153.

Anderson, J. (2011). The Top 10 Strategic Considerations to Address in a Government Solicitation for Cloud Computing Services. Retrieved on January 13, 2014, from http://safegov.org/2011/12/12/the-top-10-strategic-considerations-to-address-in-a-government-solicitation-for-cloud-computing-services

Angelov, S., Trienekens, J. and Kusters, R. (2014). A survey on design and usage of Software Reference Architectures. Retrieved October 23, 2014, from http://purl.tue.nl/24821036841001.pdf

Arora, P., Wadhawan, R. and Ahuja, S. (2012). Cloud Computing Security Issues in Infrastructure as a Service. International Journal of Advanced Research in Computer Science and Software Engineering (IJARCSSE). 2(1), January 2012. ISSN: 2277 128X.

Ashford (2011). Self-encrypting drives: SED the best-kept secret in hard drive encryption security. Computer Weekly. Retrieved on November 18, 2013, from http://www.computerweekly.com/feature/Self-encrypting-drives-SED-the-best-kept-secret-in-hard-drive-encryption-security

Ayad, M., Rodriguez, H. and Squire, J. (2012). Addressing HIPAA Security and Privacy Requirements in the Microsoft Cloud. Retrieved on December 23, 2013, from http://smb.blob.core.windows.net/smbstaging/Content/Microsoft_Cloud_Healthcare_HIPAA_Security_Privacy.pdf

Baaskar, R. and Gomathi, A. (2012). A Framework for Security Based Cloud by using Trusted Computing. International Journal of Advanced Research in Computer Science and Software Engineering (IJARCSSE). 2: 36-40. December 2012. ISSN: 2277 128X.

Badger, L., Grance, T., Patt-Corner, R. and Voas, J. (2012). Cloud Computing Synopsis and Recommendations. National Institute of Standards and Technology (NIST). Special Publication 800-146, Computer Security Division, 1-81.

Bamiah, M., Brohi, S., Chuprat, S. and Ab Manan, J. (2013). Trusted Cloud Computing Framework for Healthcare Sector. Journal of Computer Science. 10(2): 240-250. DOI: 10.3844/jcssp.2014.240.250. Science Publications.

Bamiah, M. (2013a). Evaluating Trusted Cloud Computing Framework for Healthcare. LinkedIn. Retrieved on October 8, 2014, from https://www.linkedin.com/nhome/updates?topic=5810666560951848960.

Bamiah, M., Brohi, S., Chuprat, S. and Brohi, M. (2012). Cloud Implementation Security Challenges. Proceedings of the 2012 Cloud Computing Technologies, Applications and Management (ICCCTAM). 8-10 December 2012. Dubai. IEEE, 174-178. DOI: 10.1109/ICCCTAM.2012.6488093.

Bamiah, M., Brohi, S., Chuprat, S. and Ab Manan, J. (2012a). A Study on Significance of Adopting Cloud Computing Paradigm in Healthcare Sector. Proceedings of the 2012 Cloud Computing Technologies, Applications and Management (ICCCTAM). 8-10 December 2012. Dubai. IEEE, 65-68. DOI: 10.1109/ICCCTAM.2012.6488073.

Bamiah, M., Brohi, S. and Chuprat, S. (2012b). Using Virtual Machine Monitors To Overcome The Challenges Of Monitoring And Managing Virtualized Cloud Infrastructures. Proc. SPIE 8349, Proceedings of the 2012 Fourth International Conference on Machine Vision (ICMV 2011). Machine Vision; Image Processing, and Pattern Analysis, 83491M. 11 January 2012. DOI: 10.1117/12.920880.

Bamiah, M. and Brohi, S. (2011a). Exploring the Cloud Deployment and Service Delivery Models. International Journal of Research and Reviews in Information Sciences (IJRRIS). 1(3): 77-80. September 2011. Science Academy Publisher. ISSN: 2046-6439.

Banirostam, H., Hedayati, A., Zadeh, A. and Shamsinezhad, E. (2013). A Trust Based Approach for Increasing Security in Cloud Computing Infrastructure. Proceedings of the 2013 Computer Modelling and Simulation (UKSim). 10-12 April 2013. Cambridge. IEEE, 717-721. DOI: 10.1109/UKSim.2013.39.

Barua, M., Liang, X., Lu, R. and Shen, X. (2011). ESPAC: Enabling Security and Patient-centric Access Control for e-Health in Cloud Computing. International Journal of Security and Networks (IJSN). 6(2/3): 67-76. Inderscience Publishers.

Basit, A. (2009). Guide To Trusted Computing. Approaches for Attesting Virtualized Environments. Master Thesis. Royal Institute of Technology, Sweden.

Batchu, S., Chaitanya, J., Sagar, N. and Patnala, E. (2013). A study on Security Issues Associated with Public Clouds in Cloud Computing. International Journal of Advanced Computer Technology (IJACT). 2(2): 28-38. ISSN: 2319-7900.

Baudoin, C., Flynn, J., McDonald, J., Meegan, J., Salsburg, M. and Woodward, S. (2013). Public Cloud Service Agreements: What to Expect and What to Negotiate. Cloud Standards Customer Council.

Begum, R., Kumar, R. and Kishore, V. (2012). Data Confidentiality Scalability and Accountability (DCSA). International Journal of Advanced Research in Computer Science and Software Engineering (IJARCSSE). 2(11): 200-206, November 2012. ISSN: 2277 128X.

Behl, K. and Behl, A. (2012). An Analysis of Cloud Computing Security Issues. Proceedings of the 2012 Information and Communication Technologies (WICT), 2012 World Congress on. October 30 - November 2, 2012. Trivandrum. IEEE, 109-114. DOI: 10.1109/WICT.2012.6409059.

Benkhelifa, E. and Dayan, F. (2014). On a Real World Implementation of Advanced Authentication Mechanism in a Multi-Tenant Cloud Service Delivery Platform. Proceedings of the 2014 5th International Conference on Information and Communication Systems (ICICS). 1-3 April 2014. Irbid. IEEE, 1-6. DOI: 10.1109/IACS.2014.6841944.

Berger, S., Cáceres, R., Goldman, K., Perez, R., Sailer, R. and Doorn, L. (2006). vTPM: Virtualizing the Trusted Platform Module. In Proceedings of the 15th Conference on USENIX Security Symposium (USENIX-SS'06), 15(21): 187-196. USENIX Association, ACM.

Botero, D. (2013). Pwnetizer: Improving Availability in Cloud Computing through Fast Cloning and I/O Randomization. Master Thesis. Princeton University.

Bourque, P. and Fairley, R.E. (2014). Guide to the Software Engineering Body of Knowledge, Version 3.0. IEEE Computer Society, 2014; www.swebok.org.

Bowman, D. (2013). Cloud adoption slower in healthcare than in other industries. Health Information Technology, Fierce Health IT. Retrieved on December 2, 2013, from http://www.fiercehealthit.com/story/cloud-adoption-slower-healthcare-other-industries/2013-02-15

Brink, D. (2012). End Point Security. Hardware Root of Trust. Aberdeen Group, Inc. Retrieved on November 15, 2013, from http://www.trustedcomputinggroup.org/files/static_page_files/E8B61748-1A4B-B294-D0BD6A4ACA7E04FC/0331-7080-RB-HWRoT-DB-02-NSP.pdf

Brohi, S., Bamiah, A., Chuprat, S. and Ab Manan, J. (2013). Design And Implementation of Privacy Preserved Off-Premises Cloud Storage. Journal of Computer Science. 10(2): 210-223. DOI: 10.3844/jcssp.2014.210.223.

Brohi, S., Bamiah, M., Brohi, M. and Kamran, R. (2012). Identifying and Analysing Security Threats to Virtualized Cloud Computing Infrastructures. Proceedings of the 2012 Cloud Computing Technologies, Applications and Management (ICCCTAM). 8-10 December 2012. Dubai. IEEE, 151-155. DOI: 10.1109/ICCCTAM.2012.6488089.

Brohi, S., Bamiah, M., Chuprat, S. and Ab Manan, J. (2012a). Towards an Efficient and Secure Educational Platform on Cloud Infrastructure. Proceedings of the 2012 Cloud Computing Technologies, Applications and Management (ICCCTAM). 8-10 December 2012. Dubai. IEEE, 145-150. DOI: 10.1109/ICCCTAM.2012.6488088.

Brohi, S. and Bamiah, M. (2011). Challenges and Benefits for Adopting the Paradigm of Cloud Computing. International Journal of Advanced Engineering Sciences and Technologies (IJAEST'11). 8(2): 286-290. 2011. ISSN: 2230-7818.

Bromium (2013). Understanding Bromium® Micro-virtualization for Security Architects. Retrieved on November 30, 2013, from http://www.bromium.com/sites/default/files/Bromium%20Microvirtualization%20for%20the%20Security%20Architect_0.pdf

Buecker, A., Costa, F., Davidson, R., Matteotti, E., North, G., Sherwood, D. and Zaccak, S. (2013). Managing Security and Compliance in Cloud or Virtualized Data Centers Using IBM PowerSC. International Technical Support Organization. IBM Redbooks. (January 2013), 1-319.

Butler, B. (2012). Nine security controls to look for in cloud contracts. Network World. Retrieved on November 17, 2013, from http://www.networkworld.com/news/2012/111412-gartner-cloud-contracts-264270.html?page=1

Butler, J. (2010). Adding Enterprise Access Management to Identity Management. SANS Institute. Retrieved on November 17, 2013, from http://www.sans.org/reading-room/whitepapers/analyst/adding-enterprise-access-management-identity-management-35075

Celesti, A., Salici, A., Villar, M. and Puliafito, A. (2011). A Remote Attestation Approach for a Secure Virtual Machine Migration in Federated Cloud Environments. Proceedings of the 2011 Network Cloud Computing and Applications (NCCA), 2011 First International Symposium on. 21-23 November 2011. Toulouse. IEEE, 99-106. DOI: 10.1109/NCCA.2011.23.

Chen, D. and Zhao, H. (2012). Data Security and Privacy Protection Issues in Cloud Computing. Proceedings of the 2012 International Conference on Computer Science and Electronics Engineering (CSEE). 23-25 March 2012. Hangzhou. IEEE, 647-651. DOI: 10.1109/ICCSEE.2012.193.

Chen, L. and Hoang, D. (2011). Novel Data Protection Model in Healthcare Cloud. Proceedings of the 2011 High Performance Computing and Communications (HPCC), 2011 IEEE 13th International Conference on. 2-4 September 2011. Banff, AB. IEEE, 550-555. DOI: 10.1109/HPCC.2011.148.

Chen, L. and Hoang, D. (2011a). Towards Scalable, Fine-Grained, Intrusion-Tolerant Data Protection Models for Healthcare Cloud. Proceedings of the 2011 Trust, Security and Privacy in Computing and Communications (TrustCom). 16-18 November 2011. Changsha. IEEE, 126-133. DOI: 10.1109/TrustCom.2011.19.

Chen, L., Franklin, J. and Regenscheid, A. (2012). Guidelines on Hardware-Rooted Security in Mobile Devices: Recommendations of the National Institute of Standards and Technology (NIST). NIST Special Publication 800-164 (Draft), 26.

Chi, Y., Moon, H. and Hacigümüş, H. (2011). ICBS: Incremental Cost-Based Scheduling under Piecewise Linear SLAs. Proceedings of the VLDB Endowment. ACM. 4(9): 563-574.

Choudhury, A., Kumar, P., Sain, M., Lim, H. and Jae-Lee, H. (2011). A Strong User Authentication Framework for Cloud Computing. Proceedings of the 2011 Services Computing Conference (APSCC), 2011 IEEE Asia-Pacific on. 12-15 December 2011. Jeju Island. IEEE, 110-115. DOI: 10.1109/APSCC.2011.14.

CIO.gov (2012). Creating Effective Cloud Computing Contracts for the Federal Government. Best Practices for Acquiring IT as a Service. A joint publication of the Chief Acquisition Officers Council and Federal Cloud Compliance Committee.

CMS (2007). HIPAA Security Series. Security Standards: Technical Safeguards. Department of Health and Human Services USA. Centers for Medicare and Medicaid Services (CMS). 2(4): 1-17.

Cohen, L., Manion, L. and Morrison, K. (2011). Research Methods in Education. 7th Ed. Routledge, 2011, 762.

Cooper, D., Polk, W., Regenscheid, A. and Souppaya, M. (2011). BIOS Protection Guidelines. NIST Special Publication 800-147. Retrieved on November 15, 2013, from http://csrc.nist.gov/publications/nistpubs/800-147/NIST-SP800-147-April2011.pdf

Creative Research Systems (2012). The Survey System. Retrieved in October 2014, from http://www.surveysystem.com/sscalc.htm#one

Cryptomathic (2014). Industry Standards. Retrieved on September 23, 2014, from http://www.cryptomathic.com/company/industry-standards

CSA (2013). The Notorious Nine: Cloud Computing Top Threats in 2013. Cloud Security Alliance (CSA). Retrieved on November 28, 2013, from https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

CSA (2012). Top Ten Big Data Security and Privacy Challenges. Cloud Security Alliance (CSA). Retrieved on May 28, 2013, from https://cloudsecurityalliance.org/download/top-ten-big-data-security-and-privacy-challenges/

CSA (2011). Security Guidance For Critical Areas Of Focus In Cloud Computing V3.0. Cloud Security Alliance. Retrieved on May 28, 2013, from https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf

CSA (2010). Domain 12: Guidance for Identity and Access Management V2.1. Cloud Security Alliance (CSA). Retrieved on November 15, 2013, from https://cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdf

Danev, B., Masti, R., Karame, G. and Capkun, S. (2011). Enabling Secure VM-vTPM Migration in Private Clouds. Proceedings of the 2011 Annual Computer Security Applications Conference (ACSAC). New York, USA. ACM, 187-196. DOI: 10.1145/2076732.2076759.

Decat, M., Lagaisse, B. and Joosen, W. (2012). Federated Authorization for SaaS Applications. In International Symposium on Engineering Secure Software and Systems, ESSoS Doctoral Symposium 2012. First Doctoral Symposium on Engineering Secure Software and Systems. ESSoS-DS'12, 53-59.

Demirkan, H. (2013). A Smart Healthcare Systems Framework. IT Professional. 10 October 2013. IEEE Computer Society. 15(5): 38-45. DOI: 10.1109/MITP.2013.35.

Department of Health and Human Services (2013). Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules. Office for Civil Rights, Department of Health and Human Services, 1-534. RIN: 0945-AA03.

Diaz, A. (2012). Cloud SLAs: What You Don't Know Can Hurt You. IBM Thoughts on Cloud. Retrieved on November 17, 2013, from http://www.wired.com/insights/2012/05/cloud-slas/

Dinh, T. and Ryan, M. (2006). Trusted Computing: TCG proposals. Trusted Computing Group (TCG). Retrieved on November 15, 2013, from http://www.cs.bham.ac.uk/~mdr/teaching/modules/security/lectures/TrustedComputingTCG.html

Doddavula, S. and Saxena, V. (2011). Implementation of a Secure Genome Sequence Search Platform on Public Cloud: Leveraging Open Source Solutions. Proceedings of the 2011 Cloud Computing Technology and Science (CloudCom). July 2012. Springer-Verlag, 205-212. DOI: 10.1109/CloudCom.2011.36.

Donovan, M. and Visnyak, E. (2011). The Case for a Reference Framework for Trusted Multi-Tenant Infrastructure. Retrieved on April 30, 2013, from https://www.ncsi.com/nsatc11/presentations/tuesday/research/donovan_visnyak.pdf

Doyle, K. (2013). KVM Security in The Cloud: A Choice That Matters. Retrieved on January 30, 2014, from http://www.globalknowledge.co.uk/content/files/documents/640774/640819/kvmsecurity

Du, Z., Li, X. and Shen, K. (2011). Ensemble of Trusted Firmware Services based on TPM. International Journal of Digital Content Technology and its Applications (JDCTA). 5(3): 175-184.

El Emam, K., Moreau, K. and Jonker, E. (2011). How strong are passwords used to protect personal health information in clinical trials? Multimedia Appendix 1: Background. Journal of Medical Internet Research 2011; 13(1): e18. DOI: 10.2196/jmir.1335. http://www.jmir.org/2011/1/e18/

Ermakova, T. and Fabian, B. (2013). Secret Sharing for Health Data in Multi Provider Clouds. Proceedings of the 2013 IEEE 15th Conference on Business Informatics (CBI). 15-18 July 2013. Vienna. IEEE, 93-100. DOI: 10.1109/CBI.2013.22.

European CIO Association (2012). Users Recommendations From The European CIO Association For The Success Of The Cloud Computing In Europe. Retrieved on January 13, 2014, from http://ec.europa.eu/information_society/activities/cloudcomputing/docs/consolidated_list_of_recommendations_users_%20perspective.pdf%5B1%5D.pdf

Fan, W., Yang, S., Pei, J. and Luo, H. (2012). Building trust into cloud. International Journal of Cloud Computing and Services Science (IJ-CLOSER). 1(3): 115-122. DOI: 10.11591/closer.v1i3.742.

Fan, Y. and Wu, J. (2012). Middleware Software for Embedded Systems. Proceedings of the 2012 26th Advanced Information Networking and Applications Workshops (WAINA). 26-29 March 2012. Fukuoka. IEEE, 61-65. DOI: 10.1109/WAINA.2012.88.

Ffoulkes, P. (2014). Securing the cloud: What are the top concerns? 451 Research LLC. Retrieved on July 30, 2014, from https://451research.com/biography?eid=581

FIDIS (2009). Chain of Trust. FIDIS Deliverables: Privacy and legal-social content. D14.3: Study on the Suitability of Trusted Computing to support Privacy in Business Processes. Retrieved on November 17, 2013, from http://www.fidis.net/resources/deliverables/privacy-and-legal-social-content/d143-study-on-the-suitability-of-trusted-computing-to-support-privacy-in-business-processes/doc/19/

FireEye, Inc. (2013). FireEye Advanced Threat Report. Retrieved September 25, 2014, from http://www2.fireeye.com/rs/fireye/images/fireeye-advanced-threat-report-2013.pdf

Forrester (2012). IT Purchasing Goes Social. Forrester Consulting and Research Now. Retrieved October 23, 2013, from http://www.iab.net/media/file/IT_Purchasing_Goes_Social_Best_Practices_Final.pdf

Friedman, E. and Savio, C. (2013). Influencing the Mass Affluent: Building Relationship on Social Media. LinkedIn Corporation. Retrieved October 23, 2013, from http://marketing.linkedin.com/sites/default/files/attachment/MassAffluentWhitepaper.pdf

185 Galav, D. and Ghosh, S. (2014). An Identification of Framework for Secure Cloud Computing. International Journal of Science and Research (IJSR). 3(5): 269-272 ISSN (Online): 2319-7064. Impact Factor (2012): 3.358. Gartner (2013). Identity and Access Management (IAM). Retrieved on November 17, 2013, from http://www.gartner.com/it-glossary/identity-and-access-managementiam/ Ghatage, S. and Rewadkar, D. (2013). Secure Cloud Storage System Incorporating Privacy-Preserving Third Party Audit. International Journal of Advanced Research in Computer Science and Software Engineering (IJARCSSE). 3(11):126-129. November 2013. ISSN: 2277 128X. Gilmer, E. (2013). Privacy And Security Of Patient Data In The Cloud. IBM. Developer Works

Retrieved

on

January

9,

2014,

from

http://www.ibm.com/developerworks/library/cl-hipaa/ Gonzalez, N., Miers, C., Redígolo, F., Carvalho, T., Simplicio, M., Näslund, M. and Pourzandi, M. (2011). A quantitative analysis of current security concerns and solutions for cloud computing. Proceedings of the 2011 Cloud Computing Technology and Science (CloudCom). November.29-December.1 2011. Athens. IEEE, 231-238. DOI: 10.1109/CloudCom.2011.39. Govpub (2013). Healthcare 2030: The road to wellness – Draft. Western Cape Government.

Retrieved

on

January

2,

2014,

from

http://www.westerncape.gov.za/text/2013/October/health-care-2030-9-oct2013.pdf Grozev, N. and Buyya, R. (2012). Inter-Cloud Architectures and Application Brokering: Taxonomy and Survey. Software Practice And Experience. Wiley InterScience, 1-22. DOI: 10.1002/spe. Guilloteau, S. and Mauree, V. (2012). Privacy in Cloud Computing. ITU-T Technology Watch

Report

March

2012.

Retrieved

on

January

8,

2014,

from

http://www.itu.int/dms_pub/itu-t/oth/23/01/T23010000160001PDFE.pdf Hall, J., Rapanotti, L. and Jackson, M. (2007). Problem Oriented Software Engineering: A design-theoretic framework for software engineering. Proceedings of Fifth IEEE International Conference on Software Engineering and Formal Methods. 10-14 September. 2007. London, IEEE, 15-24. DOI:10.1109/SEFM.2007.29.

186 Hall, M. and Nachbar, R. (2010). Cloud Security Alliance Announces Collaboration with HITRUST. Proceedings of the 2010 Infosecurity Europe Conference, London, UK 27 April, 2010. London, UK. Hao, F., Lakshman, T., Mukherjee, S. and Song, H. (2010). Secure cloud computing with a virtualized network infrastructure. Proceedings of the 2010 HotCloud'10 Proceedings of the 2nd USENIX conference on Hot topics in cloud computing (HotCloud'10). USENIX Association, ACM, 1-7. Harmana, M., Lakhotiaa, K., Singerb, J., Whiteb, D. and Yooa, S. (2013). Cloud Engineering is Search Based Software Engineering too. Journal of Systems and Software, September 2013, 86(9): 2225-2241. DOI: 10.1016/j.jss.2012.10.027 Harris, J. and Hill, R. (2011). StaticTrust: A Practical Framework for Trusted Networked Devices. Proceedings of the 44th Hawaii International Conference on System Sciences (HICSS). 4-7 January. 2011. Kauai, HI. IEEE, 1-10. DOI: 10.1109/HICSS.2011.384. Hashizume, K., Rosado, D., Medina, E. and Fernandez, E. (2013). An analysis of security issues for cloud computing. Journal of Internet Services and Applications (JISA).4(1):1-13. DOI: 10.1186/1869-0238-4-5. HealthIT.gov (2012). Guide to Privacy and Security of Health Information Retrieved on December 28, 2013, from http://www.healthit.gov/sites/default/files/pdf/privacy/privacyand-security-guide.pdf HHS.gov (2014). Data breach results in $4.8 million HIPAA settlements. U.S. Department of Health and Human Services. Retrieved on September 23, 2014, from http://www.hhs.gov/news/press/2014pres/05/20140507b.html HHS.gov (2013). New rule protects patient privacy, secures health information. U.S. Department of Health and Human Services. Retrieved on November 19, 2013, from http://www.hhs.gov/news/press/2013pres/01/20130117b.html HHS.gov (2013a). Cyber Security. Retrieved on December 28, 2013, from http://www.healthit.gov/providers-professionals/cybersecurity Holtzman, D., Koenig, J. and LeSueur, T. (2013). 
HITECH and The Cloud: Control and Accessibility of Data Downstream. Proceedings of the 2013 NIST/OCR HIPAA Security Assurance Conference. 21 May, 2013.

187 Hon, W., Millard, C. and Walden, I. (2012). Negotiating Cloud Contracts: Looking At Clouds From Both Sides Now. Stanford Technology Law Review. 16 (1):80-125. 16 Stan. Tech. L. Rev. 79 (2012). Honan, B. (2011). Layered Security Protecting Your Data In Today’s Threat Landscape. Tripwire Take Control. IT’ Security And Compliance Automation Solutions.

Retrieved

on

November

30,

2013,

from

http://www.tripwire.com/linkservid/28A1C99D-DCBC-A3390115D05A9EAB543E/showMeta/2/ Hsing, K. (2012). A Healthcare Cloud Computing Strategic Planning Model. Computer Science and Convergence. Lecture Notes in Electrical Engineering 114:769-775. DOI: 10.1007/978-94-007-2792-2_76. Hwang, K. and Li, D. (2010). Trusted Cloud Computing with Secure Resources and Data Colouring. Proceedings of the 2010 Internet Computing. September.-October. 2010. IEEE Computer Society. 14(5): 14–22. DOI: 10.1109/MIC.2010.86. Indiana University (2013). Secure File Transfer Alternatives. Retrieved on October 14, 2013, from http://protect.iu.edu/cybersecurity/secure-file-transfer-alternatives ISO (2009). ISO/IEC 11889-1:2009 Information technology-Trusted Platform ModulePart

1:

Overview.

Retrieved

on

November

16,

2013,

from

http://www.iso.org/iso/catalogue_detail.htm?csnumber=50970 Ivanov, V., Yu, P. and Baras, J. (2010). Securing the communication of medical information using local biometric authentication and commercial wireless links. Health Informatics Journal. 16(3):211–223. DOI: 10.1177/1460458210377482. Jamkhedkar, P., Szefer, J., Botero, D., Zhang, T., Triolo, G. and Lee, R.B. (2013). A Framework for Realizing Security on Demand in Cloud Computing. Proceedings of the 2013 Cloud Computing Technology and Science (CloudCom), 2013 IEEE 5th International Conference on, 2-5 Dec. 2013. Bristol. IEEE. 1: 371-378. DOI:10.1109/CloudCom.2013.55. Jansen, W. and Grance, T. (2011). Guidelines on Security and Privacy in Public Cloud Computing. National Institute of Standards and Technology (NIST), Special Publication 800-144. COMPUTER SECURITY. Gaithersburg, MD 20899-8930, 170.

188 Jones, A., DeKeyrel, M., Lobbes, M. and Ling, J. (2012). SmartCloud tip: Build multiple VPNs and VLANs VPN and VLAN features and capabilities in IBM SmartCloud Enterprise 2.0. IBM. DeveloperWorks. Retrieved on December 6, 2013, from http://www.ibm.com/developerworks/cloud/library/cl-multiplevlans/ Khan, M. and Malluhi, Q. (2010). Establishing Trust in Cloud Computing. Proceedings of the 2010 IT Professional. September.-October. 2010. IEEE Computer Society, 12(5):20–27. DOI:10.1109/MITP.2010.128. Khatua, S., Mukherjee, N. and Chaki, N. (2011). A New Agent Based Security Framework For Collaborative Cloud Environment. In Proceedings of the Seventh Annual Workshop on Cyber Security and Information Intelligence Research (CSIIRW '11), ACM, 76:1-4. DOI: 10.1145/2179298.2179385. Kim, M., Ju, H., Kim, Y., Park, J. and Park, Y. (2010). Design And Implementation of Mobile Trusted Module for Trusted Mobile Computing. Proceedings of the 2010 Consumer Electronics. 9-13 January. 2010. Las Vegas, NV. IEEE Consumer Electronics Society, 56(1):134 -140. DOI: 10.1109/TCE.2010.5439136. Kim, T., Adeli, H., Fang, W., Villalba, J., Arnett, K. and Khan, M. (2011). Security Technology. Proceedings of the 2011 International Conference, SecTech 2011, Held as Part of the Future Generation Information Technology Conference, FGIT 2011, in Conjunction with GDC 201. 8-10 Dec. 2011. Jeju Island, Korea. Springer, 11–20. Kissel, R., Scholl, M., Skolochenko, S. and Li, X. (2012). Guidelines for Media Sanitization Revision 1. National Institute of Standards and Technology (NIST). Retrieved on July 2, 2014, from http://www.disa.mil/Services/DoD-CloudBroker/~/media/Files/DISA/Services/Cloud-Broker/sp800_88_r1_draft.pdf Ko, R., Jagadpramana, P., Mowbray, M., Pearson, S., Kirchberg, M., Liang, Q. and Lee, B. (2011). TrustCloud: A Framework for Accountability and Trust in Cloud Computing. Proceedings of the 2011 Services (SERVICES). 2011 IEEE World Congress on. 4-9 July 2011. Washington, DC. 
IEEE, 584–588. DOI: 10.1109/SERVICES.2011.91. Krautheim, F., Phatak, D. and Sherman, A. (2010). Introducing the trusted virtual environment module: a new mechanism for rooting trust in cloud computing. Proceedings of the 3rd international conference on Trust and trustworthy computing (TRUST'10). Springer-Verlag, Berlin, Heidelberg, 211-227. DOI: 10.1007/978-3642-13869-0_14.

189 Kulkarni, G., Gambhir, J., Patil, T. and Dongare, A. (2012). A security aspects in cloud computing. Proceedings of the 2012 Software Engineering and Service Science (ICSESS), 2012 IEEE 3rd International Conference on. 22-24 June 2012. Beijing, 547 – 550. DOI: 10.1109/ICSESS.2012.6269525. Le, X., Sankar, R. and Khalid. M. (2010). Public Key Cryptography-Based Security Scheme For Wireless Sensor Networks In Healthcare. Proceedings of the 2010 4th International

Conference

on

Ubiquitous

Information

Management

and

Communication (ICUIMC '10). ACM, 5-7. DOI=10.1145/2108616.2108623. Lehman, T., and Vajpayee, S. (2011). We’ve Looked at Clouds from Both Sides Now. Proceedings of the 2011 SRII Global Conference (SRII), 2011 Annual on. March 29 2011-April 2 2011. San Jose, CA. IEEE, 342–348. DOI: 10.1109/SRII.2011.46. Leyva, C. (2013). HIPAA Omnibus Rule. Retrieved on December 25, 2013, from http://www.hipaasurvivalguide.com/hipaa-omnibus-rule.php Li, J., Tan, X., Chen, X. and Wong, D. (2013). An Efficient Proof of Retrieve-ability with Public Auditing in Cloud Computing. Proceedings of the 2013 Intelligent Networking and Collaborative Systems (INCoS), 2013 5th International Conference on. 9-11 September. 2013. Xi'an. IEEE, 93-98. DOI: 10.1109/INCoS.2013.185. Li, Z, Chang, C., Huang, K. and Lai, F. (2011). A secure electronic medical record sharing mechanism in the cloud computing platform. Proceedings of the 2011 Consumer Electronics (ISCE), 2011 IEEE 15th International Symposium on. 14-17 June 2011. Singapore. IEEE, 98–103. DOI: 10.1109/ISCE.2011.5973792. Liu, F., Tong, J., Mao, J., Bohn, R., Messina, J., Badger, L. and Leaf, D. (2011). NIST Cloud Computing Reference Architecture. Cloud Computing Program Information Technology Laboratory. National Institute of Standards and Technology (NIST). Gaithersburg, MD 20899-8930. NIST Special Publication 500-292, 1-28. Lofgren, A. (2013). What's the healthcare industry doing about BYOD? Health Management

Technology.

Retrieved

on

January

2,

2014,

from

http://www.healthmgttech.com/online-only/whats-the-healthcare-industry-doingabout-byod.php Lohr, H., Sadeghi, A. and Winandy, M. (2010). Securing the e-health cloud. In Proceedings of the 2010 1st ACM International Health Informatics Symposium (IHI '10), Tiffany Veinot (Ed.). ACM, 220-229. DOI:10.1145/1882992.1883024.

190 Lynn, J. (2013). The HIPAA Final Rule and Staying Compliant in the Cloud. Retrieved on January 4, 2014, from http://www.porticor.com/2013/09/hipaa-compliantchecklist/ Mackey, R. (2012). HIPAA cloud computing advice: Ensuring cloud computing compliance.

Retrieved

on

December

27,

2013,

from

http://searchcloudsecurity.techtarget.com/tutorial/HIPAA-cloud-computingadvice-Ensuring-cloud-computing-compliance Mahmood, Z. and Saeed, S. (2013). Software Engineering Frameworks for the Cloud Computing Paradigm. Computer Communications and Networks. Springer London Heidelberg New York Dordrecht (2013).1-361. DOI: 10.1007/978-1-4471-5031-2 Markets and Markets (2011). World Healthcare IT (Provider and Payor) Market Clinical (EMR, PACS, RIS, CPOE, LIS) and Non-Clinical (RCM, Billing, Claims). Retrieved on October 16, 2013, from http://www.marketsandmarkets.com/MarketReports/healthcare-information-technology-market-136.html McGee, M. (2013). Medical Device Vulnerability Alert Issued. Homeland Security Warns of Password Problems. Healthcare Info Security. Information Security Media Group

(ISMG)

Retrieved

on

November

24,

2013,

from

http://www.databreachtoday.com/medical-device-vulnerability-alert-issued-a-5847 McGee, M. (2013a). HIPAA Omnibus: Impact on Breach Notices. Experts Assess What the Final Rule Means. Data Breach Today.com. Information Security Media Group,

Corp

(ISMG).

Retrieved

on

November

19,

2013,

from

http://www.databreachtoday.com/hipaa-omnibus-impact-on-breach-notices-a-5436 McGee, M. (2013b). Patient Information Exposed on Google Business Associate Blamed for Security Lapse. Healthcare Info Security. Retrieved on December 21, 2013, from http://www.healthcareinfosecurity.com/patient-information-exposedon-google-a-6303 Mell, P. and Grance, T. (Eds) (2011). The NIST Definition of Cloud Computing. National Institute of Standards and Technology (NIST), Special Publication 800145. COMPUTER SECURITY. Gaithersburg, MD 20899-8930, 1-3. Mell, P. and Scarfone, K. (2012). Guide to Intrusion Detection and Prevention Systems (IDPS). Recommendations of the National Institute of Standards and Technology (NIST). Special Publication 800-94 Revision 1 (Draft). COMPUTER SECURITY. Gaithersburg, MD, 1-99.

191 Messmer, E. (2013). IBM earns patent for 'encrypted blobs' IBM researchers invented 'fully homomorphic encryption' that allows for processing of encrypted data without having to decrypt it first. Network World. Retrieved on December 31, 2013, from http://www.networkworld.com/news/2013/121913-ibm-patent-277118.html Messmer, E. (2012). Gartner: Network virtualization will lead to security control changes.

Network

World.

Retrieved

on

November

30,

2013,

from

http://www.cio.com/article/708302/Gartner_Network_Virtualization_Will_Lead_t o_Security_Control_Changes?taxonomyId=3112 Metri, P. and Sarote, G. (2011). Privacy Issues and Challenges in Cloud computing. International Journal of Advanced Engineering Sciences and Technologies (IJAEST). 5(1):1-6. ISSN: 2230-7818. Mo, Z., Zhou, Y. and Chen, S. (2012). A Dynamic Proof of Irretrievability (PoR) Scheme with O (logn) Complexity. Proceedings of the 2012 Communications (ICC), 2012 IEEE International Conference on. 10-15 June 2012. Ottawa, ON. IEEE, 912 – 916. DOI: 10.1109/ICC.2012.6364056. Modi, C., Patel, D., Borisaniya, B., Patel, A and Rajarajan, M. (2012). A survey on security issues and solutions at different layers of Cloud computing. The Journal of Supercomputing. Springer US. 63(2):561-592. DOI: 10.1007/s11227-012-0831-5. Moffa, T. (2012). IT. Security Risk Management: A Lifecycle Approach (ITSG-33) Overview. Communications Security Establishment Canada, Security Control Catalogue ITSG-33 – Annex 3, 1-16. Mohammed, S., Servos, D. and Fiaidhi, J. (2010). HCX: A Distributed OSGi Based Web Interaction System for Sharing Health Records in the Cloud. Web Intelligence and Intelligent Agent Technology (WI-IAT), 2010 IEEE/WIC/ACM. International Conference on. August. 31 2010-September. 3 2010. Toronto, ON. IEEE, 3:102– 107. DOI: 10.1109/WI-IAT.2010.26. Monticello, K. (2012). The $1.7 Million Flash drive Alaska Medicaid Settles HIPAA Violations. Attorneys at Oscislawski llc. Retrieved on November 19, 2013, from http://www.legalhie.com/security-breaches/the-17-million-flashdrivealaskamedicaid-settles-hipaa-violations/

192 Mu-Hsing, K. (2012). A Healthcare Cloud Computing Strategic Planning Model. Computer Science and Convergence. CSA 2011 and WCC 2011 Proceedings, 2012, Lecture Notes in Electrical Engineering. 1l4(6):769-775. DOI: 10.1007/978-94-0072792-2_76. Munch, J. (2013). Cloud-Based Software Engineering. Proceedings Of The Seminar No.

58312107.

Retrieved

on

October

12,

2014,

from

https://tuhat.halvi.helsinki.fi/portal/files/28513674/cbse13_proceedings.pdf Muppala, J., Shukla1, D., Mondal, S. and Patil, P. (2012). Establishing Trust in Public Clouds.

Information

Technology

and

Software

Engineering.

2(4):1-3.

DOI:10.4172/2165-7866.1000e107. Myerson, J. (2013). Best practices to develop SLAs for cloud computing. Develop a standard way to create service level agreements that multiple partners can use. IBM. Developer

Works.

Retrieved

on

November

17,

2013,

from

http://www.ibm.com/developerworks/cloud/library/cl-slastandards/ Narayan, S., Gagné, M. and Naini, R. (2010). Privacy preserving EHR system using attribute-based infrastructure. Proceedings of the 2010 ACM workshop on Cloud computing

security

workshop

(CCSW

'10).

ACM,

47-52.

DOI:10.1145/1866835.1866845. Narayanan, H. and Gunes, M. (2011). Ensuring access control in cloud provisioned healthcare systems. Proceedings of the 2011 Consumer Communications and Networking Conference (CCNC). 9-12 Jan. 2011. Las Vegas, NV. IEEE, 247–251. DOI:10.1109/CCNC.2011.5766466. Naruchitparames, J. (2011). Enhancing the Privacy of Data Communications within Information Sensitive Systems. ProQuest LLC1-91. UMI Number: 1494258. Nemati, H. (2011). Pervasive Information Security and Privacy Developments. IGI Global Snippet, 2011, 1- 428. ISBN: 9781616920012. Nissany, G. (2013). HIPAA and the Cloud: Securing Patient Data. Retrieved on April 4, 2013, from http://www.thesecurityadvocate.com/2013/09/17/hipaa-and-thecloud-securing-patient-data/ NIST (2012). Special Publication 800-12: An Introduction To Computer Security: The NIST Handbook Section I: Introduction and Overview. Chapter 1. National Institute of Standards and Technology (NIST). Retrieved on August 3, 2014, from http://www.davidsalomon.name/CompSec/auxiliary/handbook.pdf

193 Olden, E. (2011). Architecting a Cloud-Scale Identity Fabric. Proceedings of the 2011 Computer. 17 March 2011.

IEEE Computer Society. 44(3):52–59. DOI:

10.1109/MC.2011.60. Olzak, T. (2011). UEFI and the TPM: Building a foundation for platform trust. InfoSec Institute Resources. Management, Compliance, and Auditing. Chapter 8, 2011. Østerlie, T. (2009). Cloud computing: Impact on Software Engineering Research and Practice. Norwegian University of Science and Technology (NTNU). Retrieved on August

3,

2014,

from

http://www.idi.ntnu.no/grupper/su/publ/phd/osterlie-

triallecture09.pdf Ouellette, P. (2013). Reviewing the HIPAA omnibus four data breach risk factors. Retrieved

on

January

9,

2014,

from

http://healthitsecurity.com/2013/09/05/reviewing-the-hipaa-omnibus-four-databreach-risk-factors/ Padhy, R., Patra, M. and Satapathy, S. (2011). Cloud Computing: Security Issues and Research Challenges. IRACST - International Journal of Computer Science and Information Technology and Security (IJCSITS). 1(2):136-146. ISSN: 2249-9555. Palmer, D. (2012). Understanding Trusted Computing From The Ground Up. Electronic Design Magazine. Retrieved on November 25, 2013, from http://electronicdesign.com/microprocessors/understanding-trusted-computingground Pan, L. (2011). Towards a framework for automated service negotiation in cloud computing. Proceedings of the 2011 Cloud Computing and Intelligence Systems (CCIS), 2011 IEEE International Conference on. 15-17 September. 2011. Beijing. IEEE, 364–36. DOI: 10.1109/CCIS.2011.6045091. Parakala, K. and Udhas, P. (2011). The Cloud Changing the Business Ecosystem. KPMG.

Retrieved

on

December

12,

2013,

from

http://www.kpmg.com/IN/en/IssuesAndInsights/ThoughtLeadership/The_Cloud_C hanging_the_Business_Ecosystem.pdf Patel, A. and Kumar, M. (2013). A Proposed Model for Data Security of Cloud Storage Using Trusted Platform Module. International Journal of Advanced Research in Computer Science and Software Engineering (IJARCSSE). 3(4):862-866. April 2013. ISSN: 2277 128X.

194 Patidar, K., Gupta, R., Singh, G., Jain, M. and Shrivastava, P. (2012). Integrating the Trusted Computing Platform into the Security of Cloud Computing System. International Journal of Advanced Research in Computer Science and Software Engineering (IJARCSSE). 2(2):1-5. February 2012. Pearson, S. and Benameur, A. (2010). Privacy, Security and Trust Issues Arising from Cloud Computing. Proceedings of the 2010 2nd IEEE International Conference on Cloud Computing Technology and Science (CloudCom), 2010 IEEE Second International Conference on. Nov. 30 - Dec. 3 2010. Indianapolis, IN. IEEE, 693 – 702. DOI: 10.1109/CloudCom.2010.66. Popovic, K. and Hocenski, Z. (2010). Cloud Computing Security Issues And Challenges. In MIPRO, 2010 Proceedings of the 33rd International Convention, 2428 May 2010. Opatija, Croatia. IEEE. 344 - 349. ISBN: 978-1-4244-7763-0. PR Newswire Association (2014). Retrieved on September 22, 2014, from http://www.prnewswire.com/news-releases/linkedin-study-cnp-credential-key-tononprofit-career-advancement-276385931.html Proofpoint (2012). Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and

Mobile

Security.

Retrieved

on

November

19,

2013,

from

http://healthsystemcio.com/whitepapers/proofpoint-hippa-compliance.pdf Proofpoint (2013). Experts urge healthcare to be proactive for security and compliance. Retrieved on November 11, 2013, from http://www.proofpoint.com/aboutus/security-compliance-and-cloud-news/articles/experts-urge-healthcare-to-beproactive-for-security-and-compliance-440291 Purcell, J. (2013). Security Control Types and Operational Security. Retrieved on November 29, 2013, from http://www.giac.org/cissp-papers/207.pdf Radwan, A., Abdel-Hamid, A. and Hanafy, Y. (2012). Cloud-based Service for Secure Electronic Medical Record Exchange. Proceedings of the 2012 Computer Theory and Applications (ICCTA), 2012 22nd International Conference on. 13-15 October. 2012. Alexandria. IEEE, 94-103. DOI: 10.1109/ICCTA.2012.6523553. Rak, M., Liccardo, L. and Aversa, R. (2011). A SLA-Based Interface for Security Management in Cloud and GRID Integrations. Proceedings of the 2011 Information Assurance and Security (IAS), 2011 7th International Conference on. 5-8 December. 2011. Melaka. IEEE, 378–38. DOI: 10.1109/ISIAS.2011.6122783.

195 Rani, P., Sangeeta, V. and Babu, P. (2013). Achieving Information Accountability In Cloud Computing Environment. International Journal of Computer and Electronics Research (IJCER). 2(2):169-172. April 2013. Ratnam, K. and Dominic, P. (2012). Cloud services - Enhancing the Malaysian healthcare sector. Proceedings of the 2012 Computer and Information Science (ICCIS), 2012 International Conference on. 12-14 June 2012. Kuala Lumpur. IEEE, 2: 604-608. DOI:10.1109/ICCISci.2012.6297101. Redd, B. (2011). Implement secure SSH access to IBM Cloud. Learn the basics of secure

cloud

access.

Retrieved

on

December

9,

2013,

from

http://www.ibm.com/developerworks/cloud/library/cl-sshaccessibmcloud/ Regenscheid, A. and Scarfone, K. (2011). BIOS Integrity Measurement Guidelines (Draft). Recommendations of the National Institute of Standards and Technology. National Institute of Standards and Technology (NIST) .Special Publication 800155. Gaithersburg, MD 20899-8930. Renda, S., Goodrich, M., Stanton, A., Cantor, J., Cramer, J. and the Federal Cloud Compliance Committee (2012). Creating Effective Cloud Computing Contracts for the Federal Government Best Practices for Acquiring IT as a Service. A joint publication of the Chief Acquisition Officers Council In coordination with Federal Cloud

Compliance

Committee.

Retrieved

on

January 14,

2014,

from

http://www.gsa.gov/portal/mediaId/164011/fileName/cloudbestpractices.action Revar, A. and Bhavsar, M. (2011). Securing User Authentication using Single SignOn in Cloud Computing. Proceedings of the 2011 Engineering (NUiCONE), 2011 Nirma University International Conference on. 8-10 Dec. 2011. Ahmedabad, Gujarat. IEEE, 1-4. DOI: 10.1109/NUiConE.2011.6153227. Rokosz, V. (2011). Extend your corporate network with the IBM Cloud See how the IBM Cloud can become a seamless extension of your network. IBM Developer Works

Retrieved

on

December

5,

2013,

from

http://

http://www.ibm.com/developerworks/cloud/library/cl-extendnetworkcloud/ Rong, C., Nguyen, S. and Jaatun, M. (2013). Beyond lightning: A survey on security challenges in cloud computing. Computers and Electrical Engineering. 39(1):4754, January 2013, ISSN 0045-7906.

196 Ruan, A. and Martin, A. (2011). RepCloud: achieving fine-grained cloud TCB attestation with reputation systems. In Proceedings of the sixth ACM workshop on Scalable

trusted

computing

(STC

'11).

ACM,

3-14.

DOI:

10.1145/2046582.2046586. Rutkowski, M. and Mahmud, S. (2012).Security for Cloud Computing 10 Steps to Ensure Success. Cloud Standards Customer Council. Retrieved on January 13, 2014, from http://www.cloudstandardscustomercouncil.org/Security_for_Cloud_ComputingFinal_080912.pdf Salim, N., Mariyam, S., Safaai, D., Rose, A., Subariah, I., Roselina, S., Siti, Z., Azizah, R., Dayang, J., Nor, Z. and Juhana, S. (2010). Handbook of Research Methods in Computing. (1st Edition). Faculty of Computer Science and Information System. Universiti Teknologi Malaysia, Johor Malaysia. Samson, T. (2013). 9 top threats to cloud computing security. Data breaches and cloud service abuse rank among the greatest cloud security threats, according to Cloud Security

Alliance.

InfoWorld.

Retrieved

on

November

23,

2013,

fromhttp://www.infoworld.com/t/cloud-security/9-top-threats-cloud-computingsecurity-213428 Santos, O. (2007). End-to-End Network Security Defence-in-Depth. Best practices for assessing and improving network defences and responding to security incidents. Cisco Press; ISBN-13: 978-1587053320 | Edition: 1(September 3, 2007). Sarwar, A., Naeem, M. and Khan, A. (2013). A Review of Trust Aspects in Cloud Computing Security. International Journal of Cloud Computing and Services Science (IJ-CLOSER). 2(2):116-122. April 2013. ISSN: 2089-3337. Savu, L. (2011). Cloud Computing: Deployment Models, Delivery Models, Risks and Research Challenges. Proceedings of the 2011 Computer and Management (CAMAN), 2011 International Conference on. 19-21 May 2011. Wuhan. IEEE, 1-4. DOI: 10.1109/CAMAN.2011.5778816. Scarfone, K., Souppaya, M. and Hoffman, P. (2011). Guide to Security for Full Virtualization. Recommendations of the National Institute of Standards and Technology (NIST). NIST Special Publication 800-125 Technologies.

197 Schellekens, D. (2012). Design and Analysis of Trusted Computing Platforms. PhD Thesis, Katholieke Universiteit Leuven, Faculty of Engineering Science Kasteelpark Arenberg 10, B-3001 Heverlee. Schiffman, J., Moyer, T., Vijayakumar, H., Jaeger, T. and McDaniel, P. (2010). Seeding clouds with trust anchors. In Proceedings of the 2010 ACM workshop, on Cloud computing security workshop (CCSW '10). ACM, New York, NY, USA, 4346. DOI:10.1145/1866835.1866843. Schnjakin, M., Alnemr, R. and Meinel, C. (2010). Contract-based cloud architecture. Proceedings of the 2010 second international workshop on Cloud data management (CloudDB '10). ACM, 33-40. DOI:10.1145/1871929.1871936. Seddon, J. and Currie, W. (2013). Cloud Computing And Trans-Border Health Data: Unpacking U.S. And EU Healthcare Regulation And Compliance. Health Policy and

Technology

(2013).

Elsevier.

2(4):229-241.

DOI:

doi:10.1016/j.hlpt.2013.09.003. Servos, D. (2012). A Role and Attribute Based Encryption Approach to Privacy and Security in Cloud Based Health Services. Master of Science in Computer Science. Lakehead University, 1-223. Shawish, A. and Salama M. (2014). Cloud Computing: Paradigms and Technologies Inter-cooperative Collective Intelligence: Techniques and Applications Studies in Computational Intelligence 495: 39-67. DOI: 10.1007/978-3-642-35016-0_2 Shen, Z., Li, L., Yan, F. and Wu, X. (2010). Cloud Computing System Based on Trusted Computing Platform. Proceedings of the 2010 Intelligent Computation Technology and Automation (ICICTA), 2010 International Conference on. 11-12 May 2010. Changsha. IEEE, 1: 942-945. DOI: 10.1109/ICICTA.2010.724. Shini, S., Thomas, T. and Chithraranjan, K. (2012). Cloud Based Medical Image Exchange-Security Challenges. Procedia Engineering 38, Elsevier Ltd, 3454 – 18777058. DOI: 10.1016/j.proeng.2012.06.399. Singh, A. and Shrivastava, M. (2012). Overview of Attacks on Cloud Computing. International Journal of Engineering and Innovative Technology (IJEIT). 1(4):321323. April 2012, ISSN: 2277-3754. Smith, D. (2013). Cloud computing and HIPAA: Achieving compliance. Retrieved on July 30, 2014, from http://techpageone.dell.com/technology/cloud-computinghipaa-achieving-compliance/#.U9lZIuPoRHW


APPENDIX A

PUBLICATIONS DURING AUTHOR’S CANDIDATURE

Impact Factor Journal

Mervat Adib Bamiah, Sarfraz Nawaz Brohi, Suriayati Chuprat, Jamalul-lail Ab Manan, Trusted cloud computing framework for healthcare sector, 2013, Journal of Computer Science. 10(2):240-250. DOI:10.3844/jcssp.2014.240.250.

Sarfraz Nawaz Brohi, Mervat Adib Bamiah, Suriayati Chuprat, Jamalul-lail Ab Manan, Design and Implementation of a Privacy Preserved Off-Premises Cloud Storage, 2013, Journal of Computer Science. 10(2):210-223. DOI: 10.3844/jcssp.2014.210.223.

IEEE Xplore

Mervat Bamiah, Sarfraz Brohi, Suriayati Chuprat, and Jamalul-lail Ab Manan. 2012. A Study on Significance of Adopting Cloud Computing Paradigm in Healthcare Sector. Cloud Computing Technologies, Applications and Management (ICCCTAM), 2012 International Conference on, 65–68. DOI:10.1109/ICCCTAM.2012.6488073.

Mervat Bamiah, Sarfraz Brohi, Suriayati Chuprat, and Muhammad Nawaz Brohi. 2012. Cloud Implementation Security Challenges. Cloud Computing Technologies, Applications and Management (ICCCTAM), 2012 International Conference on, 174–178. DOI:10.1109/ICCCTAM.2012.6488093.

Sarfraz Nawaz Brohi, Mervat Adib Bamiah, Muhammad Nawaz Brohi, and Rukshanda Kamran. 2012. Identifying and Analyzing Security Threats to Virtualized Cloud Computing Infrastructures. Cloud Computing Technologies, Applications and Management (ICCCTAM), 2012 International Conference on, 151–155. DOI:10.1109/ICCCTAM.2012.6488089.

Sarfraz Nawaz Brohi, Mervat Adib Bamiah, Suriayati Chuprat, and Jamalul-lail Ab Manan. 2012. Towards an Efficient and Secure Educational Platform on Cloud Infrastructure. Cloud Computing Technologies, Applications and Management (ICCCTAM), 2012 International Conference on, 145–150. DOI:10.1109/ICCCTAM.2012.6488088.

Indexed by SPIE

Mervat Adib Bamiah, Sarfraz Nawaz Brohi and Suriayati Chuprat. Using Virtual Machine Monitors to Overcome The Challenges of Monitoring and Managing Virtualized Cloud Infrastructures, Proc. SPIE 8349, Fourth International Conference on Machine Vision (ICMV 2011). Machine Vision, Image Processing, and Pattern Analysis, 83491M (January 11, 2012); DOI:10.1117/12.920880.

Journals

Mervat Adib Bamiah, Sarfraz Nawaz Brohi. Exploring the Cloud Deployment and Service Delivery Models. International Journal of Research and Reviews in Information Sciences (IJRRIS), Vol. 1, no. 03. September 2011, Science Academy Publisher, 77-80. ISSN: 2046-6439.

Mervat Adib Bamiah, Sarfraz Nawaz Brohi. Seven Deadly Threats and Vulnerabilities in Cloud Computing. International Journal of Advanced Engineering Sciences and Technologies (IJAEST’11), Vol. 9, no.1, 2011. 87-90. ISSN: 2230-7818.

Sarfraz Nawaz Brohi, Mervat Adib Bamiah. Challenges and Benefits for Adopting the Paradigm of Cloud Computing. International Journal of Advanced Engineering Sciences and Technologies (IJAEST’11), Vol. 8, no.2. 2011. 286 – 290. ISSN: 2230-7818.

Sarfraz Nawaz Brohi, Mervat Adib Bamiah. Exploit of Open Source Hypervisors for Managing the Virtual Machines. Cloud International Journal of Advanced Engineering Sciences and Technologies (IJAEST), Vol. 9, no.1. 55 – 60. ISSN: 2230-7818.

Postgraduate Annual Research on Informatics Seminar

Mervat Bamiah, Sarfraz Brohi, Suriayati Chuprat, 2012. Emerging Security Concerns for Implementing Cloud Computing in Healthcare Sector. Postgraduate Annual Research on Informatics Seminar (PARIS 2012-2).

Mervat Bamiah, Sarfraz Brohi, Suriayati Chuprat, 2011. Cloud Computing: A Key Enabler for Smart Healthcare. In Postgraduate Annual Research on Informatics Seminar (PARIS).

Sarfraz Brohi, Mervat Bamiah, Suriayati Chuprat, 2011. Designing a Trustable Security Protocol for Implementing a Smart Educational Platform on Cloud Infrastructure. In Postgraduate Annual Research on Informatics Seminar (PARIS).

Sarfraz Nawaz Brohi, Mervat Adib Bamiah, Suriayati Chuprat, Jamalul-lail Ab Manan, 2012. Towards a Secure Cloud Computing Infrastructure. In Postgraduate Annual Research on Informatics Seminar (PARIS 2012-2).


APPENDIX B

CERTIFICATES DURING AUTHOR’S CANDIDATURE

Certificates

IBM Certified Solution Advisor - Cloud Computing Architecture Version-1.

IBM Certified Solution Architect - Cloud Computing Infrastructure Version-1.

CSA Certified Cloud Computing Security Knowledge (CCSK).

Certified CloudU from Rackspace Hosting (CLOUDU).

EC-Council Certified Ethical Hacker Version-7 (CEH v7).

Health Informatics in Cloud Certified from Georgia Institute of Technology, USA.


APPENDIX C

TCCF EVALUATION SURVEY


APPENDIX D

CURRENT CLOUD COMPUTING SLAs



Listed below is some of the existing CSPs’ SLAs as follows:



Windows Azure Cloud Services, Virtual Machines, and Virtual Network Service Level Agreement: http://www.microsoft.com/windowsazure/sla/



Amazon EC2 Service Level Agreement: http://aws.amazon.com/ec2-sla/



Google Cloud Storage, Google Prediction API, and Google BigQuery SLA: https://developers.google.com/storage/sla



Service Level Agreement for HP Cloud Compute Service Commitment: http://www.hpcloud.com/sla/compute



Service Level Agreement for VMware vCloud® Hybrid Service™ : http://www.vmware.com/in/support/vcloud-hybrid-service/sla.html



Go Grid Service Level Agreement: level-agreement-sla

http://www.gogrid.com/legal/service-