Cloud Security Alliance Research Articles

Comparative Security and Compliance Analysis of Serverless Computing Platforms: AWS Lambda, Azure Functions, and Google Cloud Functions

Serverless computing has revolutionized cloud services by abstracting infrastructure management, enabling developers to focus on application logic. This research examines the security and compliance features of three major serverless platforms: AWS Lambda, Azure Functions, and Google Cloud Functions. By evaluating authentication mechanisms, data encryption practices, vulnerability management, and compliance certifications, we aim to provide a comparative analysis that informs businesses and developers on the most secure and compliant platform for their needs. Keywords: Serverless Computing, Security, Compliance, AWS Lambda, Azure Functions, Google Cloud Functions, Cloud Security Alliance, Cloud Controls Matrix

Post-Quantum Security Overview of the Public Key Infrastructure

Recently, there has been an increasing focus on the investigation of quantum-safe solutions for a variety of applications. One of the pressing issues that needs to be made quantum secure is the TLS (Transport Layer Security) protocol. Proposals for its implementation have been discussed in several articles. The TLS protocol is based on PKI (Public Key Infrastructure). In addition, there are many other PKI applications that are used every day in both private and enterprise environments, so securing their use is essential. The methods currently developed to ensure adequate security will become obsolete with the advent of quantum computers. According to the Cloud Security Alliance, by around 2030, the performance of quantum computers will increase to the point where the risk of vulnerability of traditionally encrypted data will be very high. It is therefore important to make the right preparations in time to ensure that we can transform our solutions into quantum secure solutions by the time quantum computing becomes a real threat. In this paper, we present an analysis to this end, presenting quantum-safe solutions already in use and, in comparison, proposing new, well-performing solutions for a quantum-resistant PKI.

An Analysis of Cloud Security Frameworks, Problems and Proposed Solutions

The rapidly growing use of cloud computing raises security concerns. This study paper seeks to examine cloud security frameworks, addressing cloud-associated issues and suggesting solutions. This research provides greater knowledge of the various frameworks, assisting in making educated decisions about selecting and implementing suitable security measures for cloud-based systems. The study begins with introducing cloud technology, its issues and frameworks to secure infrastructure, and an examination of the various cloud security frameworks available in the industry. A full comparison is performed to assess the framework’s focus, scope, approach, strength, limitations, implementation steps and tools required in the implementation process. The frameworks focused on in the paper are COBIT5, NIST (National Institute of Standards and Technology), ISO (International Organization for Standardization), CSA (Cloud Security Alliance) STAR and AWS (Amazon Web Services) well-architected framework. Later, the study digs into identifying and analyzing prevalent cloud security issues. This contains attack vectors that are inherent in cloud settings. Plus, this part includes the risk factor of top cloud security threats and their effect on cloud platforms. Also, it presents ideas and countermeasures to reduce the observed difficulties.

Cloud Computing Security: Threats and Countermeasures

Cloud computing has revolutionized the way IT organizations and IT teams manage their internal digital assets and workloads. One of the major drawbacks or limitations of cloud computing is security. Cloud computing comes with various threats and vulnerabilities, and new threats and vulnerabilities are discovered all the time. Every year, small to large security incidents are reported around the world. To our knowledge, there are no recent research articles covering recent advances in cloud computing security. To address this issue, this paper provides an analysis of recent cloud computing security literature. Expanding on the threats proposed by the Cloud Security Alliance, a taxonomy related to cloud computing threats and vulnerabilities is provided to educate cloud users and guide the cloud. providers to strengthen or review their security policies and practices. can do. In conclusion, we also provide a taxonomy of state-of-the-art countermeasures and solutions to protect the cloud from various threats.

Suitable Scalability Management Model for Software-Defined Perimeter Based on Zero-Trust Model

The software-defined perimeter (SDP), a zero-trust model developed by the Cloud Security Alliance, has been attracting attention in the technological industry since its introduction to a world adapting to digital transformation. Many trust models have been introduced to meet the growing demands for cyber security, such as the public key infrastructure, soft-ware-defined network, and virtual private network. SDP has particularly gained importance as a zero-trust model because no one in the digital world can be trusted. With the introduction of new models and technical devices, there is now a need to improve newly introduced technology on various grounds when customers adapt to devices. In this work, we discuss how to overcome the current issues of SDP relating to scalability, reliability, usability, etc. As the number of organizations that share information online continues to expand, there is a need for scalable and reliable SDP models that are both easy to maintain and cost efficient for evolving organizations. To meet this need, we proposed several scalable SDP models that enable easier installation management of real networks of organizations with different organizational structures. Specifically, we propose hierarchical, bridge, hybrid, and mesh models. The results of qualitative and quantitative evaluations showed that the bridge model is the most suitable of the four as an extension of SDP.

Edge-cloud resource federation for sustainable cities

As cloud computing becomes the dominant mechanism for delivery of electronic services, significant recent effort has focused on certifying cloud services to ensure their compliance with security and privacy standards (such as GDPR). Assessing the benefit of using a particular cloud service, especially if such a service is being offered by providers that may be new to the cloud marketplace, remains a challenge. Cloud Security Alliance (CSA) provides a certification approach that associates a ranking to providers based on their capability assessment using a “cloud control matrix”. A provider can make a self-assessment, or an assessment can be undertaken by a third party. The intention is to increase user trust in a provider based on their rating using this methodology. This work investigates whether a similar certification methodology can be applied to edge resources, especially if these edge resources are combined with cloud services in a “smart cities” context. Can a CSA-like approach also be used to increase trust in use of edge resources? How would the CSA methodology need to change to support this type of assessment, and how useful is such an approach likely to be in practice? We propose a risk assessment methodology that can be used to address these concerns, and evaluate it in a practical application using both edge and cloud computing resources. • “ Smartainability ” - a strategy to assess how sustainable smart cities are as a result of smart technology. • Smart services must ensure their compliance with security and privacy standards (such as GDPR). • Cloud-Edge-IoT resources differ in their capability, security and availability profiles — making reliance on them risk prone. • Trust can be established across an ensemble of “smart” devices and clouds to support “risk-informed” interventions.

Methodologies for Resolving Data Security and Privacy Protection Issues in Cloud Computing Technology

Because of its accessibility and flexibility, cloud technology is among the most notable innovations in today's world. Having many service platforms, such as GoogleApps by Google, Amazon, Apple, and so on, is well accepted by large enterprises. Distributed cloud computing is a concept for enabling every-time, convenient, on-demand network access to processing resources including servers, storage devices, networks, and services that may be mutually configured. The major security risks for cloud computing as identified by the Cloud security alliance (CSA) have been examined in this study. Also, methods for resolving issues with cloud computing technology's data security and privacy protection were systematically examined.

Aggregated Capability Assessment (AgCA) For CAIQ Enabled Cross-cloud Federation

Cross-Cloud Federation (CCF) enables resource exchange among multiple, heterogeneous Cloud Service Providers (CSPs) to support the composition of services (workflow) hosted by different providers. CCF participation can either be fixed, or the types of services that can be used are limited to reduce the potential risk of service failure or secure access. Although many service selection approaches have been proposed in literature for cloud computing, their applicability to CCF i.e., cloud-to-cloud interaction, has not been adequately investigated. A key component of this cloud-to-cloud paradigm involves assessing the combined capability of contributing participants within a federation and their connectivity. A novel Aggregated Capability Assessment ( <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">AgCA</i> ) approach based on using the Consensus Assessment Initiative Questionnaire from Cloud Security Alliance is proposed for CCF. The proposed mechanism is implemented as a component of a centralized broker to enhance the quality of the selection process for participants within a federation. Our experimental results show that <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">AgCA</i> is a useful tool for partner selection in a dynamic, heterogeneous and multilevel cloud federation.

Hybrid-cloud management in secure multi-domain environments

In this paper, we've proposed a secure multi-domain deduplication scheme supporting data deduplication, both intra-deduplication & inter-deduplication by generating a random convergent key and therefore a random tag, which supports a bilinear pairing technique to make sure of data confidentiality. It must produce a series of random cipher-texts to make sure that the outsourced encrypted data are often correctly decrypted by users with ownership. Concerning the safety issues existing on clouds described by the cloud security alliance to avoid an equivalent, we have applied several security enforcements. CoT paradigm provides managing VMs and containers in both Edge and Cloud layers in a secure and versatile fashion becomes very compelling. To provide security, convergent encryption is employed which permits the deduplication of encrypted data, secure cross-domain deduplication schemes are also evaluated. We have followed CSA guidance by which we will ensure security, privacy, availability of services, resource access control, vulnerability mitigation, and privacy of the audited user data.

Computational and Statistical Analysis of Security and Privacy Parameters of Cloud Computing in Information Technology

Information Technology has transformed the way cloud computing itself can help to manage, consume and improve cost efficiencies, accelerate innovation, provide faster time to the market and develop the ability to scale applications on demands and services. In this research work, we present recent developments and some statistical analysis techniques used in cloud computing development with challenges related to the security and privacy in information technology. The ultimate goal in this research is to detect relevant factors that are more likely to affect security and privacy in cloud computing services. Moreover, we identify the security risks and the threats that have already been recognized by cloud security alliance as vital components of those challenges. Finally, the solutions we found in this study will efficiently help private and governmental organizations to resolve some of the important security challenges. Although the suggested solutions still remain at the Service level agreements contracted between the cloud provider and consumer, it will secure the cloud users and earn their satisfactions in cloud computing services.

Security-as-a-service: a literature review

Purpose This study aims to identify the level of security from existing work, analyze categories of security as a service (SECaaS) and classify them into a meaningful set of groups. Further, the report will advise commercial applications and advice of SECaaS as an extended context to help firms make decisions. Design/methodology/approach This paper compares the SECaaS categories in Cloud Security Alliance (CSA) with the security clauses in ISO/IEC 27002:2013 to give a comprehensive analysis of those SECaaS categories. Reviewed from a number of related literature, this paper analyzes and categorizes SECaaS into three major groups including protective, detective and reactive based on security control perspectives. This study has discussed the three groups and their interplay to identify the key characteristics and problems that they aim to address. Findings This paper also adds new evidence to support a better understanding of the current and future challenges and directions for SECaaS. Also, the study reveals both the positive and negative aspects of SECaaS along with business cases. It advises on various sizes and domains of organizations to consider SECaaS as one of their potential security approaches. Originality/value SECaaS has been demonstrated to be one of the increasingly popular ways to address security problems in Cloud computing. As a new concept, SECaaS could be treated as integrated security means and delivered as a service module in the Cloud. However, it is still in infancy and not very widely investigated. Recent studies suggest that SECaaS is an efficient solution for Cloud and real industries. However, shortcomings of SECaaS have not been well-studied and documented. Moreover, reviewing the existing research, researchers did not classify the SECaaS-related categories.

Selecting a Secure Cloud Provider—An Empirical Study and Multi Criteria Approach

Security has become one of the primary factors that cloud customers consider when they select a cloud provider for migrating their data and applications into the Cloud. To this end, the Cloud Security Alliance (CSA) has provided the Consensus Assessment Questionnaire (CAIQ), which consists of a set of questions that providers should answer to document which security controls their cloud offerings support. In this paper, we adopted an empirical approach to investigate whether the CAIQ facilitates the comparison and ranking of the security offered by competitive cloud providers. We conducted an empirical study to investigate if comparing and ranking the security posture of a cloud provider based on CAIQ’s answers is feasible in practice. Since the study revealed that manually comparing and ranking cloud providers based on the CAIQ is too time-consuming, we designed an approach that semi-automates the selection of cloud providers based on CAIQ. The approach uses the providers’ answers to the CAIQ to assign a value to the different security capabilities of cloud providers. Tenants have to prioritize their security requirements. With that input, our approach uses an Analytical Hierarchy Process (AHP) to rank the providers’ security based on their capabilities and the tenants’ requirements. Our implementation shows that this approach is computationally feasible and once the providers’ answers to the CAIQ are assessed, they can be used for multiple CSP selections. To the best of our knowledge this is the first approach for cloud provider selection that provides a way to assess the security posture of a cloud provider in practice.

Research on SDP Software Defined Perimeter Initiating Host Protocol Configuration Algorithm

With the popularity of digital and cloud services, the demand for network security products and solutions is increasing day by day. At the same time, the network security problems are becoming more and more serious. The network security architecture and platform are far from meeting the challenges brought by the current situation. As a new generation network security solution concept, the Software Definition Perimeter was first proposed by the Cloud Security Alliance in 2013. The whole central idea is to build a virtual enterprise boundary in the mobile + cloud era through software. The use of identity-based access control is to cope with the problem of coarse control and poor validity caused by boundary fuzziness, so as to achieve the purpose of protecting data security. This paper mainly changes the infrastructure of the Software Defined Perimeter SDP, and adds the message queue, which mainly stores the control information in the message queue to solve the peak congestion and network congestion problem.

Federating Cloud Systems for Collaborative Construction and Engineering

The construction industry has undergone a transformation in the use of data to drive its processes and outcomes, especially with the use of Building Information Modelling (BIM). In particular, project collaboration in the construction industry can involve multiple stakeholders (architects, engineers, consultants) that exchange data at different project stages. Therefore, the use of Cloud computing in construction projects has continued to increase, primarily due to the ease of access, availability and scalability in data storage and analysis available through such platforms. Federation of cloud systems can provide greater flexibility in choosing a Cloud provider, enabling different members of the construction project to select a provider based on their cost to benefit requirements. When multiple construction disciplines collaborate online, the risk associated with project failure increases as the capability of a provider to deliver on the project cannot be assessed apriori. In such uncontrolled industrial environments, “trust” can be an efficacious mechanism for more informed decision making adaptive to the evolving nature of such multi-organisation dynamic collaborations in construction. This paper presents a trust based Cooperation Value Estimation (CoVE) approach to enable and sustain collaboration among disciplines in construction projects mainly focusing on data privacy, security and performance. The proposed approach is demonstrated with data and processes from a real highway bridge construction project describing the entire selection process of a cloud provider. The selection process uses the audit and assessment process of the Cloud Security Alliance (CSA) and real world performance data from the construction industry workloads. Other application domains can also make use of this proposed approach by adapting it to their respective specifications. Experimental evaluation has shown that the proposed approach ensures on-time completion of projects and enhanced...

CLOUD COMPUTING AND ANALYSIS FEATURES OF CLOUD INFORMATION SECURITY

The article discusses the current state of application and development of cloud computing, the main advantages and disadvantages of their use in the states, enterprises and in scientific activity. The standards, regulations and guidance documents in the field of cloud computing information security are developed and analyzed, developed by the Cloud Security Alliance (CSA), the European Network and Information Security Agency (ENISA) and the National Institute of Standards and Technology (NIST), and the results of a detailed analysis of the issues information security in the cloud.

Accomplishment of New Protocol for Stupendous Security in Cloud Environment

Cloud is that the rising and thirst area of analysis and advantageous in all the fields. However security is the main disquiet for not espouse cloud for each application. Mainly of the security crisis are connected by authentication with data protection by the respect to cloud security alliance (CSA). The projected New (Biometric encoding and Biometric authentication) protocol can conquer every safety crisis in cloud adjacent. In NEW protocol biometric encryption has been provided for the cloud consumer’s valuable information and identity verification has been utilized in a unique way to scale back the problems associated with authentication and authorization. In NEW protocol Identity verification in cloud environment has been joint by pattern security in coincidence with four entirely dissimilar and influential encryption algorithms for accumulated safety. This protocol improves biometric template protection by the combination of RSA and AES encryption algorithms in proper locations and 3DES, Blowfish has been utilized in information security and solution safety supervision. By implementing such technique can vanish out the un trustiness of adopting cloud, specifically public and hybrid clouds. Since all the users information are hold on in off premise. Adopting this protocol has given nice results when examining with existing work and all the vulnerable places has been considered for improved security.

Cloud based DDoS attack detection and defense system using statistical approach

In the recent era, business and IT domain rely on the cloud as it has evolved as the potential service model and lots of people jumped on the bandwagon to seek profit out of the cloud computing environment. The cloud is highly vulnerable and its risk associated with unpatched machines is exposed to distributed denial of service (DDoS) attacks. According to cloud security alliance group DDoS is the major security attack in the cloud and the impact and effects on virtual machines is much unexplored. Despite numerous DDoS solutions, there is a need for 'a dish fit for gods' in cloud. Hence, the proposed system defends the DDoS attacks in cloud by monitoring the performance distortion, detecting multilayer attacks using statistical method. Based on the attack variances with normal using chi-square statistics, DDoS attack sources are enlisted and communicated to the defence system to filter attack traffic and protect the cloud.

An approach for the secure management of hybrid cloud–edge environments

The Cloud-of-Things (CoT) paradigm is a challenging approach to manage IoT applications exploiting Cloud resources and services. In order to avoid latency in Cloud–IoT communications, the management of time-sensitive services has to be moved to the edge of the CoT. To this aim, a secure Cloud-to-Edge environment for seamless management of IoT applications is necessary. The realization of a performing and secure Cloud-to-Edge middleware solution is a very strategic goal for future business CoT services. Thus, it needs to be deeply investigated, as highlighted by the Cloud Security Alliance (CSA). A valuable approach to develop an efficient Cloud-to-Edge system is based on an instant-message communication solution. In current Cloud environments, a Message Oriented Middleware (MOM) based on an Instant Message Protocol (IMP) provides good performance, but overlook security requirements. In this paper, we aim at overcoming such a gap following the CSA guidelines. In particular, we discuss the involved issues for improving such a kind of Cloud-to-Edge system in order to achieve data confidentiality, integrity, authenticity and non-repudiation. Moreover, we analyze a real case of study considering a MOM architectural model. Experimental results performed on a real testbed show how the introduced secure capabilities do not affect the overall performances of the whole middleware.

Securing cloud by mitigating insider data theft attacks with decoy technology using Hadoop

Cloud Computing has been intrinsically changing the way we utilize computers to keep and retrieve our personal &amp; business data. With the advent of this emerging paradigm of computing, it arises the new security challenges. Existent cryptographic data security techniques i.e., encryption deteriorated in preventing data theft attacks once the key is compromised, especially those perpetrated by insiders. Cloud Security Alliance reckoned this threat as a significant danger of Cloud Computing. Although the majority of Cloud users are very much known of this risk, they are leftover with the only choice of trusting the cloud service provider, regards to their data protection. In this paper, we propose an alternate way to secure data on the cloud which is more efficient and secure by the concoction of user profile mapping using Hadoop framework and offensive decoy technology.

User-Level Runtime Security Auditing for the Cloud

In this chapter, we present an efficient user-level runtime security auditing framework in a multi-domain cloud environment. The multi-tenancy and ever-changing nature of clouds usually implies significant design and operational complexity, which may prepare the floor for misconfigurations and vulnerabilities leading to violations of security properties. Runtime security auditing may increase cloud tenants’ trust in the service providers by providing assurance on the compliance with security properties mainly derived from the applicable laws, regulations, policies, and standards. Evidently, the Cloud Security Alliance has recently introduced the Security, Trust and Assurance Registry (STAR) for security assurance in clouds, which defines three levels of certifications (self-auditing, third-party auditing, and continuous, near real-time verification of security compliance).