A trust-aware framework for evaluating security controls of service providers in cloud marketplaces

Sheikh Mahbub Habib; Vijay Varadharajan; Max Mühlhäuser

doi:10.1109/TrustCom.2013.58

A trust-aware framework for evaluating security controls of service providers in cloud marketplaces

Sheikh Mahbub Habib, Vijay Varadharajan, Max Mühlhäuser

School of Computing

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

26 Citations (Scopus)

Abstract

Trustworthy selection of cloud services has become a significant issue in emerging cloud marketplaces. As a consequence, the Cloud Security Alliance (CSA) has formulated a self-assessment framework for cloud providers to publish their cloud platform's security controls and capabilities. This framework enables consumers to select a cloud service based on the capabilities and controls published by the providers. However, a fundamental question that arises is, how can consumers trust that the security controls are satisfied as claimed by the providers and are compliant with consumers' requirements. This paper proposes a trust-aware framework to verify and evaluate these security controls considering consumers' requirements. First, we model the security controls in the form of trust properties. Then, we introduce a taxonomy of these properties based on their semantics and identify the authorities who can validate the properties. The taxonomy of these properties is the basis of trust formalisation in our proposed framework. The framework rests on the notion of hybrid trust that combines hard and soft trust mechanisms for verifying the trust properties. Furthermore, a decision model is proposed as an integral part of the framework in order to empower consumers to determine trustworthiness of cloud providers. Finally, we demonstrate that the proposed trust-aware security evaluation framework could be potentially useful in practice for consumers to determine trustworthy cloud providers in a competitive marketplace.

Original language	English
Title of host publication	TrustCom 2013
Subtitle of host publication	TrustCom 2013 : 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications : proceedings : 16-18 July 2013, Melbourne, Victoria, Australia
Place of Publication	Piscataway, NJ
Publisher	Institute of Electrical and Electronics Engineers (IEEE)
Pages	459-468
Number of pages	10
ISBN (Print)	9780769550220
DOIs	https://doi.org/10.1109/TrustCom.2013.58
Publication status	Published - 2013
Event	12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2013 - Melbourne, VIC, Australia Duration: 16 Jul 2013 → 18 Jul 2013

Other

Other	12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2013
Country/Territory	Australia
City	Melbourne, VIC
Period	16/07/13 → 18/07/13

Access to Document

10.1109/TrustCom.2013.58

Cite this

Habib, S. M., Varadharajan, V., & Mühlhäuser, M. (2013). A trust-aware framework for evaluating security controls of service providers in cloud marketplaces. In TrustCom 2013: TrustCom 2013 : 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications : proceedings : 16-18 July 2013, Melbourne, Victoria, Australia (pp. 459-468). Institute of Electrical and Electronics Engineers (IEEE). https://doi.org/10.1109/TrustCom.2013.58

Habib, Sheikh Mahbub ; Varadharajan, Vijay ; Mühlhäuser, Max. / A trust-aware framework for evaluating security controls of service providers in cloud marketplaces. TrustCom 2013: TrustCom 2013 : 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications : proceedings : 16-18 July 2013, Melbourne, Victoria, Australia. Piscataway, NJ : Institute of Electrical and Electronics Engineers (IEEE), 2013. pp. 459-468

@inproceedings{b08e2d28003b49dbb05ef17c8b7c4a2a,

title = "A trust-aware framework for evaluating security controls of service providers in cloud marketplaces",

abstract = "Trustworthy selection of cloud services has become a significant issue in emerging cloud marketplaces. As a consequence, the Cloud Security Alliance (CSA) has formulated a self-assessment framework for cloud providers to publish their cloud platform's security controls and capabilities. This framework enables consumers to select a cloud service based on the capabilities and controls published by the providers. However, a fundamental question that arises is, how can consumers trust that the security controls are satisfied as claimed by the providers and are compliant with consumers' requirements. This paper proposes a trust-aware framework to verify and evaluate these security controls considering consumers' requirements. First, we model the security controls in the form of trust properties. Then, we introduce a taxonomy of these properties based on their semantics and identify the authorities who can validate the properties. The taxonomy of these properties is the basis of trust formalisation in our proposed framework. The framework rests on the notion of hybrid trust that combines hard and soft trust mechanisms for verifying the trust properties. Furthermore, a decision model is proposed as an integral part of the framework in order to empower consumers to determine trustworthiness of cloud providers. Finally, we demonstrate that the proposed trust-aware security evaluation framework could be potentially useful in practice for consumers to determine trustworthy cloud providers in a competitive marketplace.",

author = "Habib, {Sheikh Mahbub} and Vijay Varadharajan and Max M{\"u}hlh{\"a}user",

year = "2013",

doi = "10.1109/TrustCom.2013.58",

language = "English",

isbn = "9780769550220",

pages = "459--468",

booktitle = "TrustCom 2013",

publisher = "Institute of Electrical and Electronics Engineers (IEEE)",

address = "United States",

note = "12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2013 ; Conference date: 16-07-2013 Through 18-07-2013",

}

Habib, SM, Varadharajan, V & Mühlhäuser, M 2013, A trust-aware framework for evaluating security controls of service providers in cloud marketplaces. in TrustCom 2013: TrustCom 2013 : 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications : proceedings : 16-18 July 2013, Melbourne, Victoria, Australia. Institute of Electrical and Electronics Engineers (IEEE), Piscataway, NJ, pp. 459-468, 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2013, Melbourne, VIC, Australia, 16/07/13. https://doi.org/10.1109/TrustCom.2013.58

A trust-aware framework for evaluating security controls of service providers in cloud marketplaces. / Habib, Sheikh Mahbub; Varadharajan, Vijay; Mühlhäuser, Max.

TrustCom 2013: TrustCom 2013 : 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications : proceedings : 16-18 July 2013, Melbourne, Victoria, Australia. Piscataway, NJ : Institute of Electrical and Electronics Engineers (IEEE), 2013. p. 459-468.

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

TY - GEN

T1 - A trust-aware framework for evaluating security controls of service providers in cloud marketplaces

AU - Habib, Sheikh Mahbub

AU - Varadharajan, Vijay

AU - Mühlhäuser, Max

PY - 2013

Y1 - 2013

N2 - Trustworthy selection of cloud services has become a significant issue in emerging cloud marketplaces. As a consequence, the Cloud Security Alliance (CSA) has formulated a self-assessment framework for cloud providers to publish their cloud platform's security controls and capabilities. This framework enables consumers to select a cloud service based on the capabilities and controls published by the providers. However, a fundamental question that arises is, how can consumers trust that the security controls are satisfied as claimed by the providers and are compliant with consumers' requirements. This paper proposes a trust-aware framework to verify and evaluate these security controls considering consumers' requirements. First, we model the security controls in the form of trust properties. Then, we introduce a taxonomy of these properties based on their semantics and identify the authorities who can validate the properties. The taxonomy of these properties is the basis of trust formalisation in our proposed framework. The framework rests on the notion of hybrid trust that combines hard and soft trust mechanisms for verifying the trust properties. Furthermore, a decision model is proposed as an integral part of the framework in order to empower consumers to determine trustworthiness of cloud providers. Finally, we demonstrate that the proposed trust-aware security evaluation framework could be potentially useful in practice for consumers to determine trustworthy cloud providers in a competitive marketplace.

AB - Trustworthy selection of cloud services has become a significant issue in emerging cloud marketplaces. As a consequence, the Cloud Security Alliance (CSA) has formulated a self-assessment framework for cloud providers to publish their cloud platform's security controls and capabilities. This framework enables consumers to select a cloud service based on the capabilities and controls published by the providers. However, a fundamental question that arises is, how can consumers trust that the security controls are satisfied as claimed by the providers and are compliant with consumers' requirements. This paper proposes a trust-aware framework to verify and evaluate these security controls considering consumers' requirements. First, we model the security controls in the form of trust properties. Then, we introduce a taxonomy of these properties based on their semantics and identify the authorities who can validate the properties. The taxonomy of these properties is the basis of trust formalisation in our proposed framework. The framework rests on the notion of hybrid trust that combines hard and soft trust mechanisms for verifying the trust properties. Furthermore, a decision model is proposed as an integral part of the framework in order to empower consumers to determine trustworthiness of cloud providers. Finally, we demonstrate that the proposed trust-aware security evaluation framework could be potentially useful in practice for consumers to determine trustworthy cloud providers in a competitive marketplace.

UR - http://www.scopus.com/inward/record.url?scp=84893454271&partnerID=8YFLogxK

U2 - 10.1109/TrustCom.2013.58

DO - 10.1109/TrustCom.2013.58

M3 - Conference proceeding contribution

AN - SCOPUS:84893454271

SN - 9780769550220

SP - 459

EP - 468

BT - TrustCom 2013

PB - Institute of Electrical and Electronics Engineers (IEEE)

CY - Piscataway, NJ

T2 - 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2013

Y2 - 16 July 2013 through 18 July 2013

ER -

Habib SM, Varadharajan V, Mühlhäuser M. A trust-aware framework for evaluating security controls of service providers in cloud marketplaces. In TrustCom 2013: TrustCom 2013 : 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications : proceedings : 16-18 July 2013, Melbourne, Victoria, Australia. Piscataway, NJ: Institute of Electrical and Electronics Engineers (IEEE). 2013. p. 459-468 https://doi.org/10.1109/TrustCom.2013.58

A trust-aware framework for evaluating security controls of service providers in cloud marketplaces

Abstract

Other

Access to Document

Other files and links

Fingerprint

Cite this