
1 DCS860A Emerging Technology Physical layer transparency in Cloud Computing (rev. 12-16-11)

2 Research Problem
Risk of cloud computing can be mitigated via preventative controls for privacy and security such as encryption and access control. Cloud consumers are still worried about the transparency, governance and accountability of the cloud service providers. Despite auditability being a crucial component of improving trust, current prominent providers are still not providing full transparency and capabilities for the tracking and auditing of the file access history and data provenance of both the physical and virtual servers utilized.

3 Literature review
Major cloud service providers have started offering certifications and accreditations such as PCI DSS and HIPAA. For example, Amazon Web Services has been successfully validated against standards applicable to a Level 1 service provider under PCI DSS Version 2.0 [7]. The PCI Security Standards Council has published PCI DSS Virtualization and Cloud Computing Guidelines for specific compliance criteria and audit requirements [6].

4 Literature review (continued)
However, the desire to benefit from the elastic promise of cloud processing is blocked for most enterprise applications because of security and privacy concerns [4]. The re-introduction of transparency into the cloud is the single biggest action needed to create digital trust in a cloud and enable the capture of enterprise-scale payoffs in cloud processing [4].

5 Literature review (continued)
Despite auditability being a crucial component of improving trust, current prominent providers such as Amazon EC2 and Microsoft Azure are still not providing full transparency and capabilities for the tracking and auditing of the file access history and data provenance of both the physical and virtual servers utilized [1]. Currently, users can at best monitor the virtual hardware performance metrics and the system event logs of the services they engage [1].

6 Problem description
There is a lack of transparency about the linkages between the virtual and physical operating systems, the relationships between virtual locations and physical static server locations, and how files are written into both virtual and physical memory addresses [1]. This information is currently not available to customers as a single point of view [1]. Achieving auditability via methods such as continuous auditing within a highly virtualized environment is a very difficult and complex task [1].

7 Planned methodology
The Security Content Automation Protocol (SCAP) [5] and the CloudTrust Protocol (CTP) [4] may be able to use real-time continuous auditing, including physical layer transparency. The planned methodology is to use CTP client-specific models as the first step to check the reality of physical layer transparency [4].

8 Planned methodology - SCAP
SCAP is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. SCAP is a multi-purpose framework of specifications that support automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. Goals for the development of SCAP include standardizing system security management, promoting interoperability of security products, and fostering the use of standard expressions of security content [5].

9 Planned methodology - CTP
Cloud service consumers ask for and receive information about the elements of transparency. CTP is meant to generate evidence-based confidence that everything that is claimed to be happening in the cloud is indeed happening as described, and nothing else. It is a way to find out important pieces of information concerning the compliance, security, privacy, integrity, and operational security history of service elements being performed in the cloud.

10 Planned methodology - CTP
Specify and ask about the configuration, vulnerability, access, authorization, policy, accountability, anchoring, and operating status conditions. Enterprises can choose to implement the CTP themselves, or to receive the TaaS function in a Software-as-a-Service model. In the case of a client-specific deployment, the cloud provider need not be involved in the operation of TaaS, provided the TaaS “application” deployed on behalf of the user is accommodated by the provider’s standard service model [4].

11 Google AppEngine and CTP
In our study, we could choose Google AppEngine as a public cloud service provider. We will build a simple social network application using the AppEngine Eclipse plug-in. The tool, CTP, will become part of the CSA’s Governance, Risk and Compliance (GRC) stack, an integrated suite of tools for assessing cloud computing services against industry best practices and standards. Like the rest of the GRC stack, the CTP will be available for free download [8].

12 Google AppEngine and CTP
The possible steps are as follows.
1) Subscribe to Google AppEngine.
2) Install the Eclipse API of Google AppEngine.
3) Build a simple social network application in Eclipse and publish it on the Internet.
4) Add CloudTrust Protocol (CTP) functionality.
5) Collect the data from CTP responses.
6) Analyze the responses.
CTP provides different types of information, but the study may focus more on physical layer transparency.

13 Audience and contribution
The audience is cloud service consumers who have concerns over the accountability and auditability of cloud services. The study promotes transparency of cloud services. This study also helps software developers and system integrators who provide Software as a Service to promote their offerings with transparency built in.

14 References
[1] R. K. L. Ko et al., “TrustCloud: A Framework for Accountability and Trust in Cloud Computing,” in Services (SERVICES), 2011 IEEE World Congress on, 2011, pp. 584–588. http://www.hpl.hp.com/techreports/2011/HPL-2011-38.pdf
[2] W. Jansen and T. Grance, “Guidelines on security and privacy in public cloud computing,” NIST Draft Special Publication 800-144, 2011. http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf
[3] CSA, Security Guidance for Critical Areas of Focus in Cloud Computing V2.1. https://cloudsecurityalliance.org/csaguide.pdf
[4] CSC, A Precis For The CloudTrust Protocol (V2.0), 2010. https://cloudsecurityalliance.org/wp-content/uploads/2011/05/cloudtrustprotocolprecis_073010.pdf
[5] D. Waltermire, S. Quinn, K. Scarfone, and A. Halbardier, “The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1,” NIST Special Publication 800-126, 2011. http://csrc.nist.gov/publications/nistpubs/800-126-rev2/SP800-126r2.pdf

15 References
[6] PCI Security Standards Council, “PCI Data Security Standard (PCI DSS) 2.0,” 2011. https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf
[7] Amazon Web Services: Risk and Compliance, May 2011. http://d36cz9buwru1tt.cloudfront.net/pdf/aws-risk-and-compliance-whitepaper.pdf
[8] CSA licenses cloud transparency tool from CSC, July 2011. http://searchcloudsecurity.techtarget.com/news/2240037780/CSA-licenses-cloud-transparency-tool-from-CSC

