Information security, privacy, and compliance models for cloud computing services




Alruwaili, Fahad F.

Journal Title

Journal ISSN

Volume Title



The recent emergence and rapid advancement of Cloud Computing (CC) infrastructure and services have made outsourcing Information Technology (IT) and digital services to Cloud Providers (CPs) attractive. Cloud offerings enable reduction in IT resources (hardware, software, services, support, and staffing), and provide flexibility and agility in resource allocation, data and resource delivery, fault-tolerance, and scalability. However, the current standards and guidelines adopted by many CPs are tailored to address functionality (such as availability, speed, and utilization) and design requirements (such as integration), rather than protection against cyber-attacks and associated security issues. In order to achieve sustainable trust for cloud services with minimal risks and impact on cloud customers, appropriate cloud information security models are required. The research described in this dissertation details the processes adopted for the development and implementation of an integrated information security cloud based approach to cloud service models. This involves detailed investigation into the inherent information security deficiencies identified in the existing cloud service models, service agreements, and compliance issues. The research conducted was a multidisciplinary in nature, with detailed investigations on factors such as people, technology, security, privacy, and compliance involved in cloud risk assessment to ensure all aspects are addressed in holistic and well-structured models. The primary research objectives for this dissertation are investigated through a series of scientific papers centered on these key research disciplines. The assessment of information security, privacy, and compliance implementations in a cloud environment is described in Chapters two, three, four, and five. Paper 1 (CCIPS: A Cooperative Intrusion Detection and Prevention Framework for Cloud Services) outlines a framework for detecting and preventing known and zero-day threats targeting cloud computing networks. This framework forms the basis for implementing enhanced threat detection and prevention via behavioral and anomaly data analysis. Paper 2 (A Trusted CCIPS Framework) extends the work of cooperative intrusion detection and prevention to enable trusted delivery of cloud services. The trusted CCIPS model details and justifies the multi-layer approach to enhance the performance and efficiency of detecting and preventing cloud threats. Paper 3 (SOCaaS: Security Operations Center as a Service for Cloud Computing Environments) describes the need for a trusted third party to perform real-time monitoring of cloud services to ensure compliance with security requirements by suggesting a security operations center system architecture. Paper 4 (SecSLA: A Proactive and Secure Service Level Agreement Framework for Cloud Services) identifies the necessary cloud security and privacy controls that need to be addressed in the contractual agreements, i.e. service level agreements (SLAs), between CPs and their customers. Papers five, six, seven, and eight (Chapters 6 – 9) focus on addressing and reducing the risk issues resulting from poor assessment to the adoption of cloud services and the factors that influence such as migration. The investigation of cloud-specific information security risk management and migration readiness frameworks, detailed in Paper 5 (An Effective Risk Management Framework for Cloud Computing Services) and Paper 6 (Information Security, Privacy, and Compliance Readiness Model) was achieved through extensive consideration of all possible factors obtained from different studies. An analysis of the results indicates that several key factors, including risk tolerance, can significantly influence the migration decision to cloud technology. An additional issue found during this research in assessing the readiness of an organization to move to the cloud is the necessity to ensure that the cloud service provider is actually with information security, privacy, and compliance (ISPC) requirements. This investigation is extended in Paper 7 (A Practical Life Cycle Approach for Cloud based Information Security) to include the six phases of creating proactive cloud information security systems beginning with initial design, through the development, implementation, operations and maintenance. The inherent difficulty in identifying ISPC compliant cloud technology is resolved by employing a tracking method, namely the eligibility and verification system presented in Paper 8 (Cloud Services Information Security and Privacy Eligibility and Verification System). Finally, Paper 9 (A Case Study of Migration to a Compliant Cloud Technology) describes the actual implementation of the proposed frameworks and models to help the decision making process faced by the Saudi financial agency in migrating their IT services to the cloud. Together these models and frameworks suggest that the threats and risks associated with cloud services are continuously changing and more importantly, increasing in complexity and sophistication. They contribute to making stronger cloud based information security, privacy, and compliance technological frameworks. The outcomes obtained significantly contribute to best practices in ensuring information security controls are addressed, monitoring, enforced, and compliant with relevant regulations.



Cloud Computing, Intrusion Prevention, Cyber Attacks/Threats, Security Incident and Event Management (SIEM), Security Operations Centre (SOC), Service Level Agreement (SLA), Cloud Security Services, Cloud Governance, Cloud Compliance, Cloud Forensics, Cloud Community, Risk Management, Eligibility and Verification, Trust, Monitoring, Virtualization