journal of information security and applications 27-28 (2016) 1–2
Available online at www.sciencedirect.com
Journal homepage: www.elsevier.com/locate/jisa
Editorial of special issue on security and privacy in cloud computing
This special issue of Journal of Information Security and Applications is on “security and privacy in cloud computing”. Cloud computing reflects the latest trends in business to deliver software and services over the Internet. Gartner predicts that nearly half of large enterprises will have cloud deployments by the end of 2017. However, practical adoption of cloud technologies may be greatly impeded if security and privacy issues are not adequately addressed. As the cloud is an open platform, it can be subjected to malicious attacks from both insiders and outsiders; the need to protect the security and privacy of the data in the cloud becomes critical.

This special issue is intended to focus on practical aspects of security and privacy in cloud computing. Original and unpublished contributions on novel attacks, defences and security applications in cloud computing were solicited. In total, we received 22 submissions, among which 7 papers were accepted (32% acceptance rate). Most papers received at least 2 independent reviews and underwent two rounds of revisions before being accepted for publication in this special issue.

The first paper, “An evaluation of recent secure deduplication proposals”, by Vladimir Rabotka and Mohammad Mannan, presents a methodical analysis of secure deduplication techniques proposed for the cloud in terms of privacy gain, deployment and bandwidth costs. The authors compare several recent proposals and analyse their limitations. They conclude that none of the existing methods can be ranked secure enough to prevent all attack vectors. Given that deduplication has been widely used by cloud storage providers to save costs, this paper calls for more attention from the security community to the security and privacy issues of data deduplication.

The second paper, “An Investigation of the Challenges and Issues Influencing the Adoption of Cloud Computing in Australian Regional Municipal Governments”, by Omar Ali, Jeffrey Soar, Hoda McClymont and Jianming Yong, performs a systematic review of the challenges and issues in the extant literature and also conducts interviews with IT managers in Australian local governments. The paper highlights gaps between the research problems that have been studied in the academic literature and those that concern municipal governments when deciding on the adoption of cloud computing.

The third paper, “The Austrian eID Ecosystem in the Public Cloud: How to Obtain Privacy While Preserving Practicality”, by Bernd Zwattendorfer and Daniel Slamanig, proposes to move the complete Austrian eID system into a public cloud in a privacy-preserving manner. The Austrian eID system, being a main pillar within the Austrian e-Government strategy, supports three main use cases: (1) identification and authentication of Austrian citizens, (2) electronic representation and (3) foreign citizen authentication at Austrian public sector applications. The approach presented in the paper aims to build a cloud-based eID system that supports the same use cases without disclosing sensitive data to the cloud provider.

The fourth paper, “Secure Image Deduplication through Image Compression”, by Fatema Rashid, Ali Miri and Isaac Woungang, proposes an image compression scheme to support secure deduplication of images in cloud storage. The scheme combines partial encryption, to ensure security against a semi-honest Cloud Storage Provider (CSP), with an image hashing algorithm that classifies identical compressed and encrypted images so that deduplication can be performed. Given that images are among the most commonly shared types of data stored in the cloud, the proposed technique can be useful in reducing the storage of duplicate images while preserving data privacy.

The fifth paper, “Multi-tenant Attribute-based Access Control for Cloud Infrastructure Services”, by Canh Ngo, Yuri Demchenko and Cees de Laat, proposes a multi-tenant attribute-based access control (MT-ABAC) model for a single cloud service, which can support multiple levels of delegation with the flexibility to facilitate inter-tenant collaborations. The MT-ABAC model is then extended to support multiple cloud providers by enabling the exchange of tokens between providers. A prototype of the system is built, and performance measurements are presented in the paper.

The sixth paper, “IGOD: Identification of Geolocation of Cloud Datacenters”, by Chetan Jaiswal and Vijay Kumar, aims to identify the physical geolocation of data stored in the cloud.
The cloud provider often migrates data between various data centres for the purpose of load balancing or to guarantee data availability. However, data owners sometimes require the storage of data to be confined to certain physical regions. The authors present Identification of Geolocation of Cloud Datacenters (IGOD), an algorithm that identifies the geolocation by measuring the communication latency with selected landmarks. The algorithm is implemented and evaluated using the PlanetLab test bed. It is also used to geolocate one of the Amazon S3 data centres.

The final paper, “Formal Verification of Secure Information Flow in Cloud Computing”, by Wen Zeng, Maciej Koutny,
Paul Watson and Vasileios Germanos, presents a dynamic flow-sensitive security model to model the information flow in federated cloud systems (FCSs). An FCS combines private and public clouds of varying levels of security, which makes it challenging to ensure that the rules in a formal Bell–LaPadula model are correctly followed. The authors show how to use Petri nets and the associated formal verification techniques to analyse the security of information flow in a complex federated cloud system.

It has been a great privilege for us to be able to serve this special issue as guest editors. We would like to take this opportunity to thank Professor Anthony Ho, the Editor-in-Chief of Journal of Information Security and Applications, for approving our initial proposal on having a special issue on this subject, and for his constant support and encouragement. We have also received great assistance from the Elsevier staff, especially Adil Ahmed Noor, Yanhong Zhai, Hilda Xu and Priyadharsini Muthukumar. They worked tirelessly behind the scenes to make the publication of this special issue as smooth as possible. Last but not least, we thank all the voluntary reviewers who spent time and effort to provide constructive comments to the authors. They have made great contributions towards making this special issue a success, although their names shall remain anonymous.

Feng Hao
School of Computing Science, Newcastle University, UK

Xun Yi
School of Science, RMIT University, Australia

Elisa Bertino
Department of Computer Science, Purdue University, USA

Available online
http://dx.doi.org/10.1016/j.jisa.2016.04.003
2214-2126/© 2016 Published by Elsevier Ltd.