Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Glitches in cloud trust protocol architecture and trust evaluation
1. Glitches in Cloud Trust Protocol Architecture and Trust Evaluation
By Sucheta Mandal
Description
Now a day’s cloud technology is becoming the most used architecture in the industry. But according to
recent surveys done by CSA (Cloud Security Alliance), still 73% of survey participant hold them back to
use cloud technology because of its data vulnerability. Reliability of cloud service providers and
transparency is really crucial to the cloud business. For developing trust over consumers and providers
several approaches have been introduced. One of them is Cloud Trust Protocol, a set of rules and
process to establish digital trust among cloud users. [1]
Cloud trust protocol is built on transparency, dynamic request, response based on trust value. But still
there are many more flaws, which are needed to be improved to make CTP a vastly used protocol in the
industry. Cloud trust management base, central storage location, lacks encryption and proper
automation. This module is responsible for storing user authentication data, request- response
history.[5][6]
But it is accessible for all cloud consumers, who are using this same protocol. If one of those
consumers able to hacks those data, then this could prompt an immense information rupture. Hence
this component should be divided into different domain per consumer and every domain would be
encrypted with a private key. On the other hand entry and management in this section should be
automated, otherwise in manual processes this storage location might be exposed to wrong hands.
More robust trust value calculation algorithm should be included for deciding probable threat and
trustworthiness of both service providers and consumers. Trust evaluation is two – way mechanism. It
helps consumer to determine which provider is best for his business and other way around it helps cloud
provider to distinguish safe and trustworthy consumers. Hence, if it is not evaluated properly then Cloud
users can be trapped in a wrong and vulnerable cloud server and also cloud providers will be opened to
data loss threats. [7]
For determining trust value of cloud provider, cloud consumers should track cloud
providers past history, reputation and level of transparency in service. On the second level, cloud
providers also should use consumer’s behavioral approach towards other services. Those surveys need
to be done in regular basis, otherwise it may happen that cloud users at first maintained a good trust
value and after getting a good trust value, it chooses to misuse the trust. But, if a cloud user is new in
the market, then it is really tough for them to get a good trust value. For those cases, a trial trust value
and period should be introduced and then their trust value can be graded according to trust parameter
matrix.
As many cloud users will be using CTP protocol via CTP response engine, sometimes it may cause long
waiting time for a user to get its required response. To solve this privilege escalation problem, CTP
engine should process evidence access request s based on their trust value. If anything malicious thing
happens then there trust value should be decreased. In this way trustworthy client will have fast access.
An automated on the fly trust value evaluation system based on each transaction can be used to get
updated accurate trust value. In first step, automated system will take already stored trust vale (which is
calculated based on direct trust, recommended trust, preference trust etc) .Secondly, it will determine
transactional trust value depending on its operation mode, type of query, symptoms of attacking other
web services etc. Then it will update the final trust value and return it back to CTP engine. If its trust
value is decreased, then CTP engine will further check the cause of this sudden change and afterwards
can block the user from cloud services. If the trust value is increased then the request will be processed
quickly. In this way trustworthy client will have fast access.
2. Previous Work and Criticism
Several trust modeling mechanisms has been cited for improvement of this protocol.
• Some of them are using fuzzy comprehensive logic theory along side with direct and reputation based
trust to determine optimum trust value. [3]
• Service Level Assignment based trust level. It is basically an agreement between the service provider
and consumer for monitoring quality of service and service level violation if any. But this approach only
focuses on visible elements and totally ignores invisible elements like transparency, privacy etc. [4]
• Reputation based approach. In this approach a new company will always suffer to get good trust
value. [9][2]
• D-S Evidence theory and sliding window approach. In this process, the model only considers the
evidence from interaction between that particular CSP and User. They did not consider any other trust
value factor. [8]
• There are no special works accessible for tackling CTP engine’s special privilege acceleration problem.
References
[1] Acquiring forensic evidence from infrastructure-as-a-service cloud computing available at
http://www.sciencedirect.com/science/article/pii/S1742287612000266
[2] A Survey Study on Reputation-Based Trust Management in P2P Networks, available at
http://www.comp.nus.edu.sg/~cs6203/guidelines/topic7/survey-trust-reputation.pdf
[3] A Method for Trust Quantification in Cloud Computing Environments at
http://dsn.sagepub.com/content/12/2/5052614.full
[4] SLA-Based Trust Model for Cloud Computing available at
http://ieeexplore.ieee.org/document/5636125/
[5] Cloud Trust - a security assessment model for IaaS Clouds at
https://www.computer.org/csdl/trans/cc/preprint/07072526.pdf
[6] Cloud Audit and Cloud Trust Protocol available at http://www.issa-
dv.org/meetings/presentations/2011-12-09/2011-12-09_Presentation_01_Lingenfelter.pdf
[7] Trust Model for Measuring Security Strength of Cloud Computing Service available at http://ac.els-
cdn.com/S1877050915004081/1-s2.0-S1877050915004081-main.pdf?_tid=e4e1e0a0-7ed3-11e6-b843-
00000aacb35d&acdnat=1474336102_d8afa8db53d844660bf8387f1dc42de4
[8] Research in Cloud Security and Privacy available at
https://www.cs.purdue.edu/homes/bb/cloud/cloud-complete.ppt
[9] A Trust Evaluation Model for Cloud Computing, available at
http://www.sciencedirect.com/science/article/pii/S1877050913002822