=Paper=
{{Paper
|id=Vol-1580/5
|storemode=property
|title=A Novel Framework for Ranking Cloud Service Providers Using Security Risk Approach
|pdfUrl=https://ceur-ws.org/Vol-1580/id5.pdf
|volume=Vol-1580
|authors=Jamal Talbi,Abdelkrim Haqiq
|dblpUrl=https://dblp.org/rec/conf/bdca/TalbiH15
}}
==A Novel Framework for Ranking Cloud Service Providers Using Security Risk Approach==
Proceedings of the International Conference on Big Data Cloud and Applications, Tetuan, Morocco, May 25 - 26, 2015

Jamal TALBI (1), Abdelkrim HAQIQ (1, 2)

(1) Computer, Networks, Mobility and Modeling laboratory, Department of Mathematics and Computer, FST, Hassan 1st University, Settat, Morocco. Emails: {talbi85@gmail.com, ahaqiq@gmail.com}

(2) e-NGN Research group, Africa and Middle East

Abstract—Cloud computing is becoming a key factor in computer science. It represents a new paradigm of utility computing and an enormously growing phenomenon in the present IT industry and economy hype. Cloud users (CUs) are increasing in number and require secure, reliable and trustworthy cloud service providers (CSPs) from the market. It is a challenge for a new customer to choose a highly secure provider. In this paper, we propose a cloud broker that analyzes and ranks the cloud service providers based on measuring the risks of confidentiality, integrity and availability. This model uses a CSP Rank Framework for the group of cloud providers, assessing security metrics that decide which provider is the more secure among all providers and justify the business needs in terms of security and reliability.

Keywords—Cloud broker, Security Risk, Confidentiality, Integrity, Availability.

===I. INTRODUCTION===

Cloud computing [1] is an active research subject, as the information industry sees it as the new model. Many companies, enterprises and organizations outsource some of their information systems to benefit from the cloud services, which are Platform as a Service (PaaS), Infrastructure as a Service (IaaS) and Software as a Service (SaaS). The main interesting features of a cloud are the cost decrease and a faster time to market. Based on sharing resources, cloud computing changes the user's concerns from managing an infrastructure to focusing only on their core business. Currently there are many providers, but finding the best cloud service provider among the available ones is difficult. Thus, it is a challenge for users to choose the best secured cloud provider for fulfilling their requirements.

Presently, there is a lack of frameworks that permit customers to evaluate cloud offerings and rank them based on their ability to meet the user's Quality of Service (QoS) and security requirements. This is a major problem for every user, especially those who are more concerned about data security and privacy from the CSP.

A secure computer system provides guarantees regarding the confidentiality, integrity and availability of its objects (such as data, processes or services). Security is related to vulnerabilities in software, and these are hard to foresee or detect before an actual attack; security involves personal aspects (e.g., user or operator issues) and aspects of the operational environment that are often beyond the control of the development teams. Thus, it is necessary to assess and contain risk using precautionary measures that are commensurate. Accordingly, we need a system that measures and ranks the secured cloud service providers; the cloud services can then make a major impact and will create a healthy competition among cloud providers to satisfy their Service Level Agreement (SLA) and improve their QoS and trustworthiness [3].

In this work, our aim is to help the new customer find the most reliable and secured CP in terms of security and trust through a cloud broker that can define, analyze, measure and rank the cloud service providers based on a risk analysis approach that calculates some metrics. The obtained results decide the best option of CP and justify the business needs in terms of security and reliability.

The paper is organized as follows: the next section discusses related work, Section III introduces the proposed model, Section IV describes the CSP Rank Framework, Section V presents an implementation of the model, and Section VI gives a conclusion.

===II. RELATED WORK===

Security metrics are one of the criteria that play a major role in ranking service providers. A cloud user may require an efficient, cost-effective and basically more secure provider for his application. Since there are many providers who provide the same type of services with different levels of security, it will be a challenge for the user to select one. Our motivation in this paper is to promote a novel approach for ranking providers based on measuring security metrics of cloud services.

In the same context, many researchers have proposed different approaches to help the customer select the appropriate cloud service. A collaborative filtering approach [2] ranks the items based on similar users' preferences. This algorithm aggregates all the items purchased by the users, eliminates those items and asks users to rate the remaining services. In [3], the Cloud Rank approach proposed a greedy algorithm. It gives a method to rank cloud providers based on existing customers' feedback. It ranks components rather than services of providers. But there is no guarantee that all items explicitly rated by customers are ranked properly. Similar users will, however, have the same experience with the same cloud providers, so for them this approach will be helpful.

QoS-aware web service recommendation by collaborative filtering [4] proposed a collaborative approach to rank providers on the basis of their web services. This method is useful for customers who want an appropriate cloud provider which provides suitable web services. The method includes the experience of users who have already used the services and a hybrid collaborative filtering approach for evaluating web service QoS parameters.

Parveen Dhillon [5] proposed an effective and efficient method to select the best cloud service. In order to select the best provider, three parameters are considered. Instead of taking all three parameters together applied. They made a ranking in which the best provider obtained is selected.

Zibin Zheng [6] proposed an approach for ranking equivalent cloud service providers that provide a similar kind of services, which will help users select suitable providers without spending much time on it. This method uses some requested QoS parameters for predicting the best provider.

Deepak Kapgate [7] proposed a predictive broker algorithm based on the Weighted Moving Average Forecasting Model (WMAFM). It proposes a new method to balance load on data centers and also minimizes response time, so end users can get their requested service within a few seconds.

Subha [8] carried out a survey on quality of service ranking in cloud computing. The author considered a few quality of service parameters and ranked providers based on them.

The Cloud Rank [9] approach measures and ranks cloud services for the users. It takes the feedback or rating of users who have already used the services.

An efficient approach [10] finds the best cloud provider by using a system for ranking cloud services based on QoS parameters such as service response time, cost, interoperability and suitability. It uses a broker algorithm that classifies the existing providers and finds the more effective and efficient provider.

===III. THE CONCEPTUAL MODEL OF THE CSP RANK FRAMEWORK===

We propose a broker which can act as a middleware between the customer and the cloud service provider. It gets the needed requirements from the customer and helps the customer by listing suitable cloud providers. Our cloud broker therefore has an important role in finding the secure cloud service providers existing in its database. The proposed model is described in the following, in terms of its architecture.

Fig. 1. The structure of the proposed CSP Rank Framework Model

This system develops a model to find the secured cloud service providers based on a security risk assessment approach, by determining the vulnerabilities and computing the risks related to the list of cloud service providers.

====A. Requirements====

The broker collects requirements from the user. These may be infrastructure requirements, platform requirements or software requirements.

====B. Vulnerability identification and risks assessment====

All the registered cloud service providers give all the services which they are providing. The cloud broker contains the level of security of the cloud providers. When the client gives requirements to the broker, it checks the provider's performance based on criteria that are the computed risks.

====C. Ranking secured cloud systems====

The CSP Rank Framework, using a broker, provides optimal cloud service provider selection from a large number of CSPs based on security metrics, especially risks, which provides a better selection of providers among many. Thus, we proposed an architecture based on the evaluation of risks related to systems, caused by vulnerabilities and threats, for making a decision to rank and select the right provider in terms of reliability and security.

===IV. DESCRIPTION OF THE CSP RANK FRAMEWORK===

Probably all cloud service providers have Service Level Agreements (SLAs), but most of these SLAs were written to protect the vendors as opposed to being customer-centric. That has to change, and customers have to demand more with regard to service and the assurance of it. At the same time, cloud providers should protect their data or services from risk and harm. For this aim, the CSP Rank Framework will conduct vulnerability scans and security risk assessment. The obtained results are fed into the security ranking system, which offers a ranked list of the secure providers.

Fig. 2 shows our approach for model construction of the cloud broker for ranking secured CSPs, taking into account some conditions that should be considered [11]:

* The CSP Rank Framework must maintain trust and reliability.
* The CSP Rank Framework has enough resources for processing and executing its own work.
* The broker must be maintained and regulated by strict laws and transparent policies.
* Both the broker and the CSPs mutually agree before executing the software penetration test.
* We consider that a CSP provides IaaS, PaaS and SaaS of its own.
* The CSP Rank Framework is solely responsible for computing security metrics from sources and processes these measures for ranking results.
* A new cloud user looking for security and reliability should pay the cloud broker to see the ranked results.

Fig. 2. Conceptual model of CSP Rank Framework (stages shown: Data Collection; Vulnerability Analysis; Transition Probability Matrix; Security Risks Assessment of CSPs; Total Risks of CSPs; List Ranked of Secured CSPs)

====A. Vulnerability analysis in CSPs====

A vulnerability is a software defect or weakness in the security system which might be exploited by a malicious user, causing loss or harm [12]. The identification of these vulnerabilities has been used by several approaches and researchers to estimate the risks of systems.

The Common Vulnerability Scoring System (CVSS) [13] [14] framework allows the severity level of IT vulnerabilities to be assessed. It associates a severity score (CVSS score) with each IT vulnerability, which ranges from 0.0 to 10.0. CVSS [15] is composed of three major metric groups: Base, Temporal and Environmental.

The Base metric represents the intrinsic characteristics of a vulnerability, and is the only mandatory metric. The optional Environmental and Temporal metrics are used to augment the Base metrics, and depend on the target system and changing circumstances. The Base metrics include two sub-scores termed exploitability and impact. In the last sub-group, we find three metrics representing the impact of the attack on the three classical security properties: Confidentiality Impact, Integrity Impact and Availability Impact, which we are interested in in the next sub-section.

Risk is the potential that something will go wrong [16]. In other words, risk is the possibility of the occurrence of a harmful event. Risk can be formally defined [17] in (1) as:

Risk = Likelihood of an adverse event × Impact of the adverse event (1)

The likelihood of the exploitation of a vulnerability depends not only on the nature of the vulnerability but also on how easy it is to access the vulnerability. Researchers have developed a stochastic model describing the life cycle of a single vulnerability and containing state transitions [15], as shown in Fig. 3.

Fig. 3. Stochastic model representing the life cycle of a single vulnerability

The vulnerability life cycle begins with State 0, in which the vulnerability is not yet discovered. State 1 represents the next state, when the vulnerability is discovered but is yet to be disclosed. When the vulnerability is disclosed with the release and application of the patch, it is said to be in State 2. State 4 represents the scenario wherein the vulnerability is disclosed without a patch. At State 5, the vulnerability is disclosed with the patch, but the patch is not applied. In State 3, the vulnerability is being exploited. Thus, each vulnerability found after the penetration test by using a scan process [15] on all providers follows this model, which contains 11 possible transitions between the states.

====B. Measuring security risk assessment====

The security risk can be measured using the risk definition in (1), the model in Fig. 3 and the CVSS exploit and impact scores, taking into account that the vulnerability must be exploited. Hence, the cumulative risk [18] of a vulnerability being exploited is the likelihood of the vulnerability being in State 3. We denote by Lh_3 the likelihood of the vulnerability being in State 3. In this context, we rely on a Markov chain to compute Lh_3 for the vulnerability. The process starts at State 0 for each vulnerability, so the vector giving the initial probabilities is V1 = [1 0 0 0 0 0]. We also define, for a single vulnerability, the state transition matrix M as shown below:

Using the initial probabilities V1 and the state transition matrix M, we obtained the state probabilities V3 after two steps, as calculated in (2).

V3 = V1 × M² (2)

Thus, Lh_3 is the third element of the matrix V3 and represents the cumulative risk of a vulnerability being exploited.

According to (1), we can assess the risk for a possible vulnerability i as:

(3)

Next we compute Confidentiality risk, Integrity risk and Availability risk. According to the National Vulnerability Database (NVD), we used the Confidentiality Impact, Integrity Impact and Availability Impact values of the vulnerability as the impact of exploitation for the three types of risk. Based on (3), the risk expressions for a single vulnerability are given in (4).

(4)

CRVu represents the Confidentiality risk of the vulnerability, IRVu is the Integrity risk of the vulnerability and ARVu refers to the Availability risk of the vulnerability.

Finally, the broker calculates the total risk for each cloud service provider by summing the risks of the individual vulnerabilities detected in this provider. Thereby, the risks related to a cloud service provider j from n providers with m vulnerabilities are expressed in (5).

(5)

Where CR_CSPj is the Confidentiality risk of a selected provider j, IR_CSPj is the Integrity risk of a selected provider j and AR_CSPj is the Availability risk of a selected provider j.

====C. Final ranking of CSPs====

Based on the calculation of the total risks CR_CSP, IR_CSP and AR_CSP of each cloud service provider from all providers, our framework provides a ranked list of the secure CSPs, starting with the providers having the minimum security risks in terms of confidentiality, integrity and availability.

===V. IMPLEMENTATION OF THE CSP RANK FRAMEWORK===

We illustrate the use of our CSP Rank Framework in a practical application; we consider three cloud providers X, Y and Z under a number of vulnerabilities.

After the data collection step, a vulnerability analysis quantified the vulnerabilities of our clouds by using the CVSS framework and the NVD website, as shown in TABLE I. These vulnerabilities are categorized into four groups: High exploit and High impact, High exploit and Low impact, Low exploit and High impact, Low exploit and Low impact. The grouping is based on the CVSS exploit score and CVSS impact score, which are qualified as Low if the score is less than or equal to 5.0 and High if the score is greater than 5.0.

TABLE I. CLASSIFICATION OF VULNERABILITIES

Hence, the obtained risk values, as shown in TABLE II, can be grouped into three classes: High Risk (≥ 0.5), Medium Risk (≥ 0.3 and < 0.5) and Low Risk (< 0.3).

TABLE II. THE LH_3 VALUES

Fig. 4 illustrates the comparison of the Availability risk for the three clouds. We conclude that the high risk and medium risk groups are dominated by the clouds X and Y, whereas the low risk group is dominated by the cloud Z.

Fig. 4. Comparison of Availability Risk between the Clouds X, Y and Z

Fig. 5 and Fig. 6 show the Confidentiality risk and Integrity risk comparison, respectively, between the providers X, Y and Z. Thus, we see that the providers X and Y dominate the High risk and Medium risk categories, whereas the cloud Z dominates the Low risk category.

Fig. 5. Comparison of Confidentiality Risk between the Clouds X, Y and Z

Fig. 6. Comparison of Integrity Risk between the Clouds X, Y and Z

===VI. CONCLUSION===

Cloud Computing has become an important technology for many organizations to deliver different types of services. The multiplicity of cloud service providers creates a dilemma for a cloud user, who must choose the provider that is more secured and has the minimum security risk. Hence, in this paper, we propose an effective and efficient cloud broker based on the CSP Rank Framework that identifies vulnerabilities and measures the security risks. This model represents a ranking system helping users to find the best providers in terms of security and trust, and also to satisfy their requirements.

===REFERENCES===

[1] E. Caron, A. Duang Le, A. Lefray, and C. Toinard, "Definition of Security Metrics for the Cloud Computing and Security-Aware Virtual Machine Placement Algorithms", International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery, 2013 IEEE.

[2] G. Linden, B. Smith and J. York, "Amazon.com Recommendations: Item-to-Item Collaborative Filtering", IEEE Internet Computing, vol. 7, no. 1, pp. 76-80, Jan./Feb. 2003.

[3] Z. Zibin, Z. Yilei, and M. R. Lyu, "Cloud Rank: A QoS-Driven Component Ranking Framework for Cloud Computing" in Reliable Distributed Systems, 29th IEEE Symposium on 2010, pp. 184-193.

[4] Z. Zheng, H. Ma, M. R. Lyu and I. King, "QoS-Aware Web Service Recommendation by Collaborative Filtering", IEEE Trans. Service Computing, vol. 4, no. 2, pp. 140-152, Apr.-June 2011.

[5] P. Dhillon, V. Arora, "A Compositional Approach of Reliable and Efficient Cloud Service Selection", Volume 2, Issue 8, August 2012, ISSN: 2277 128X, International Journal of Advanced Research in Computer Science and Software Engineering.

[6] Z. Zheng, X. Wu, Y. Zhang, M. R. Lyu, J. Wang, "QoS Ranking Prediction for Cloud Services", Parallel and Distributed Systems, IEEE Transactions on, vol. 24, no. 6, pp. 1213-1222, June 2013.

[7] D. Kapgate, "Weighted Moving Average Forecast Model based Prediction for Service Broker Algorithm for Cloud Computing", International Journal of Computer Science and Mobile Computing, vol. 3, Issue. 2, February 2014.

[8] M. Subha, M. U. Banu, "A Survey on QoS Ranking in Cloud Computing", International Journal of Emerging Technology and Advanced Engineering, Volume 4, Issue 2, February 2014.

[9] R. Yuvarani, M. Sivalakshmi, "Achieve Ranking Accuracy Using Cloud Rank Framework for Cloud Services", International Journal of Innovative Research in Computer and Communication Engineering, Vol. 2, Special Issue 1, March 2014.

[10] K. Amrutha, B. Madhu, "An Efficient Approach to Find Best Cloud Provider Using Broker", International Journal of Advanced Research in Computer Science and Software Engineering 4(7), pp. 943-946, July 2014.

[11] M. Whaiduzzaman, A. Gani, "Measuring Security for Cloud Service Provider: A Third Party Approach", International Conference on Electrical Information and Communication Technology (EICT), pp. 1-6, 2013 IEEE.

[12] C. P. Pfleeger, S. L. Pfleeger, "Security in Computing, 3rd edition", Prentice Hall PTR, 2003.

[13] P. Mell, K. Scarfone, and S. Romanosky, "A Complete Guide to the Common Vulnerability Scoring System (CVSS) Version 2.0", Forum of Incident Response and Security Teams (http://www.first.org/cvss/cvss-guide.html), June 2007.

[14] L. Gallon, J-J. Bascou, "Using CVSS in attack graphs", Sixth International Conference on Availability, Reliability and Security, 2011 IEEE.

[15] H. Joh, Y. K. Malaiya, "Defining and Assessing Quantitative Security Risk Measures Using Vulnerability Lifecycle and CVSS Metrics", International Conference on Security and Management (SAM'11), Las Vegas, 2011.

[16] B. S. Blanchard, W. J. Fabrycky, "Systems Engineering and Analysis", Pearson Prentice Hall, 2006.

[17] G. Stoneburner, A. Goguen and A. Feringa, "Risk Management Guide for Information Technology Systems", in National Institute of Standards and Technology Special Publication, 2002.
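
The risk computation of Section IV.B and the ranking of Section IV.C, worked end to end as an added example; it is not code from the paper. The two transition matrices, the scan results for X, Y and Z, and the use of CR + IR + AR as the sort key are constructed assumptions (the paper's matrix M and equations (3) to (5) are not reproduced on this page); the impact values 0.0 / 0.275 / 0.660 are the CVSS v2 None / Partial / Complete weights.

```python
# States (Section IV.A): 0 undiscovered, 1 discovered, 2 disclosed with patch
# applied, 3 exploited, 4 disclosed without patch, 5 patch released, not applied.
EXPLOITED = 3
V1 = [1.0, 0.0, 0.0, 0.0, 0.0, 0.0]  # every vulnerability starts in State 0
# Constructed transition matrices (row = from-state, column = to-state).
M_HIGH_EXPLOIT = [
    [0.2, 0.8, 0.0, 0.0, 0.0, 0.0],
    [0.0, 0.1, 0.1, 0.5, 0.2, 0.1],
    [0.0, 0.0, 1.0, 0.0, 0.0, 0.0],
    [0.0, 0.0, 0.3, 0.7, 0.0, 0.0],
    [0.0, 0.0, 0.0, 0.5, 0.2, 0.3],
    [0.0, 0.0, 0.4, 0.4, 0.0, 0.2],
]
M_LOW_EXPLOIT = [
    [0.6, 0.4, 0.0, 0.0, 0.0, 0.0],
    [0.0, 0.3, 0.3, 0.1, 0.2, 0.1],
    [0.0, 0.0, 1.0, 0.0, 0.0, 0.0],
    [0.0, 0.0, 0.3, 0.7, 0.0, 0.0],
    [0.0, 0.0, 0.0, 0.2, 0.5, 0.3],
    [0.0, 0.0, 0.6, 0.1, 0.0, 0.3],
]

def step(vec, matrix):
    """Row vector times matrix: one transition of the Markov chain."""
    return [sum(vec[i] * matrix[i][j] for i in range(len(vec)))
            for j in range(len(matrix[0]))]

def lh_3(matrix, steps=2):
    """Likelihood of being in State 3 after `steps` transitions (V3 = V1 x M^2)."""
    for row in matrix:  # a stochastic matrix has non-negative rows summing to 1
        if abs(sum(row) - 1.0) > 1e-9 or min(row) < 0:
            raise ValueError("invalid transition matrix row: %r" % (row,))
    vec = V1
    for _ in range(steps):
        vec = step(vec, matrix)
    return vec[EXPLOITED]

def vulnerability_risk(vuln):
    """(CRVu, IRVu, ARVu) = Lh_3 x (C, I, A impact), following definition (1)."""
    likelihood = lh_3(vuln["matrix"])
    return tuple(likelihood * vuln[k] for k in ("c", "i", "a"))

def provider_risk(vulns):
    """(CR_CSP, IR_CSP, AR_CSP): sums of the per-vulnerability risks."""
    risks = [vulnerability_risk(v) for v in vulns]
    return tuple(sum(r[k] for r in risks) for k in range(3))

def rank_providers(providers):
    """Names, lowest risk first; the sort key CR + IR + AR is an assumption."""
    totals = {name: provider_risk(v) for name, v in providers.items()}
    return sorted(totals, key=lambda name: (sum(totals[name]), name)), totals

# Constructed scan results; c/i/a are CVSS v2 impact weights.
PROVIDERS = {
    "X": [{"c": 0.660, "i": 0.660, "a": 0.660, "matrix": M_HIGH_EXPLOIT},
          {"c": 0.275, "i": 0.275, "a": 0.0, "matrix": M_HIGH_EXPLOIT}],
    "Y": [{"c": 0.660, "i": 0.275, "a": 0.275, "matrix": M_HIGH_EXPLOIT},
          {"c": 0.275, "i": 0.0, "a": 0.275, "matrix": M_LOW_EXPLOIT}],
    "Z": [{"c": 0.275, "i": 0.275, "a": 0.0, "matrix": M_LOW_EXPLOIT}],
}

if __name__ == "__main__":
    order, totals = rank_providers(PROVIDERS)
    print([(name, [round(r, 3) for r in totals[name]]) for name in order])
```

Starting from State 0, only the path 0 → 1 → 3 reaches State 3 in two steps, so Lh_3 here reduces to the product of those two transition probabilities; a broker evaluating longer horizons would raise `steps`.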