How to utilize the IaaS cloud safely? Developing cloud security for cloud adoption in the Middle East

Table of Contents

Abstract

Table of Contents

List of tables

Keywords

1.0 Chapter 1: Introduction
1.1 Aims and Objectives
1.2 Brief Outline

2.0 Chapter 2: Literature Review
2.1 Cloud definition and Characteristics
2.2 Cloud service models
2.3 Cloud deployments model
2.4 Cloud benefits
2.5 Risk Management Framework for Cloud Ecosystem
2.6 Cloud Associated Risks
2.7 IaaS Security
2.7.1 VM Security
2.7.2 Hypervisor Security
2.7.3 Datacenter Security
2.8 Countermeasures
2.9 Service level of Agreement (SLA)
2.10 Conclusion

3.0 Chapter 3: Research Methodology
3.1 Observation Research Methods
3.2Interviews Research method
3.3 Surveys Research method
3.3.1 Open-ended questions:
3.3.2 Closed-ended questions:
3.4 Methodological triangulation validation

4.0 Chapter 4: Observation
4.1 Observation Findings and data analysis
4.1.1 Expected growth:
4.1.2 Responsibilities of parties:
4.1.3 Cloud Protection Scheme
4.1.4 Threat Model
4.1.5 Governance & Compliance
4.1.6 Controls Used
4.2 Table summary

5.0 Chapter 5: Experts Interviews & Data Analysis
5.1 Introduction
5.2 Data Analysis
5.2.1 Expected Growth
5.2.2 Responsibility distribution and protection scheme
5.2.3 Threat Landscape, Practices and Controls used
5.2.4 Governance and compliance
5.3 Table summary
5.4 triangular validation and confirmation

6.0 chapter 6: Discussions
6.1 Low-risk appetite template
6.2 High-risk appetite template

Chapter 7: Data Collection & Analysis
7.1 Introduction
7.2 Data Analysis

Chapter 8: Summary
8.1 Summary
8.2 Conclusion
8.3 Recommendations

References
Appendix 1 – Research Work Flow
Appendix 2 – Interview Questions
Appendix 3 – Interviews transcript
Interview1
Interview2
Interview3
Interview4
Interview5
Appendix 4 – Surveys Questions

List of tables

Table 1 - Threats affecting the VM during its life cycle

Table 2- Cloud Reference architecture model (Gonzales et al., 2015,p526)

Table 3 - Method Objective Matrix

Table 4 - Observation finding summary

Table 5- Participants in the interviews

Table 6 - Interview’s collected data

Table 7 - IS3 controls

Table 8 - CSP cloud management zone components (VMware, 2018)

Table 9 - Data classification Severities and terminologies (Simorjay, 2014, p. 7)

Table 10 - Cloud deployment model disadvantage (Srilakshmi, et al., 2013)

Table 11 - Suggested type of data for different deployment models in low risk template

Table 12 - Suggested type of data for different deployment models in High risk template

Abstract

Information Security is very important to business and national security of any country. In the Middle East, especially with the current geopolitical tensions and unbalance situation resulting from terrorism raising, cyber security is very important to protect nation’s economy and security. This research investigates with a deep look inside hybrid cloud security deployments, which is new to Middle East region with focusing on Infrastructure as a service security (IaaS). Besides, it assesses the current practice when it comes to cloud data adoption in an IaaS environment. whether it is on-premises or hosted by a third party, dedicated or shared across multitenant. This research is to develop two templates to be followed by IT professionals whether they had the required expertise for cloud adoption or not to guide them through the whole data cloud adoption process. According to the risk appetite of the organization and their acceptable risk level, the template is chosen. These templates contain a guide to design the cloud security infrastructures, the placement of information in different IaaS deployment models (e.g. private IaaS, public IaaS, community IaaS, etc.), and what controls recommended to establish controls and governance in the cloud realm. These templates were developed based on the recommendation and guidelines National Institute of Standards and Technology (NIST), Cloud Security Alliance (CSA), and European Union Agency for Network and Information Security (ENISA).

Keywords

Cloud Computing; Cloud Security; Private Cloud; Public Cloud; Cloud Security Strategy; Infrastructure as a Service security; IaaS; hybrid Cloud

1.0 Chapter 1: Introduction

Cloud computing is a new terminology that has been noticed in the IT World recently. It is considered as a new trend of emerging technologies that invade the world in general. However, There is a potential for growth in utilizing cloud services. Furthermore, business is becoming agiler than ever, which means that the ability of business to respond quickly to market changes efficiently (VMware, 2011). Cloud Computing gives IT the required agility for business to perform better to market changes. According to Cisco Global Cloud Index (2016), the Middle East and Africa cloud traffic are expected to be in growth from 69 Exabyte in 2015 to 304 Exabyte in 2020. In fact, everybody uses cloud computing technology with knowledge or without knowledge. People are using cloud services through their smartphones daily. For example, if a mobile application is downloaded from internet store to a smartphone, then a user starts taking a photo, editing them and storing them, so these are cloud services that have been used. Furthermore, over 120 hours of video is being uploaded every min; emails are daily exchanged by millions. These are considered examples of Cloud services too that became available to the public during the past decade (Mint, 2016). It is considered an approach for providing IT services from a third party whether it resides on-site or off-site customer premises with opportunity for a broad, scalable, and broad Network Access (Mell and Grance, 2011). It's most important benefit is offering its services by the low cost that is affordable and easy to access (Ruboczki and Rajnai, 2015). It can be described as offering on-demand IT services that are used by individuals, enterprises and governments over the internet with automatically provisioning resources. Famous examples are Microsoft Online, Gmail, Online CRM, Google Apps, 3Tera AppLogic, Amazon EC2, Skype for Business, OneDrive, etc. (Alali and Yeh, 2012). The first thing to think about when adopting data in the cloud is how much this data is protected in the cloud space.

However, not all cloud consumers are aware of the risks associated with data cloud adoption, But still using it as users upload thousands of gigabyte per day to cloud (Mint, 2016). Robinson et al (2011) argue that one of these risks might be a loss of governance on the data and application that resides on a third party network by which cloud consumers do not have full control over it, and this will have a direct impact on Security triad confidentiality, integrity and availability. Furthermore, the risk associated with cloud security adoption is higher in the Middle East Countries, a senior information security consultant Suleman (2016) argues that the geopolitical tensions and chaos status in the region bring more security challenges to the cloud adoption in these countries, therefore their data in cloud will become valuable targets of cyber-attacks from cyber criminals, terrorists and government. Besides, there is a risk associated with adopting data in the cloud as the resources are shared with the public that which brings privacy challenges, and clients have no controls over the infrastructure (Gaurav and Shuchi, 2016).

1.1 Aims and Objectives

The main aim of this paper is guiding the information technology (IT) professionals in the region to utilize infrastructure as a service (IaaS) cloud’s benefit in a hybrid deployment model through a safer approach that will be achieved by working on the following objectives:

Objective 1:

Critically evaluate existing literature review related to cloud architecture and its security infrastructure including all publications from National Institute of Technology (NIST), European Union Agency for Network and Information Security (ENISA), and Cloud Security Agency (CSA) with concentration over (IaaS) service model.

Objective 2:

Conducting user engagement approach in the Middle East countries to identify current cloud security posture for cloud consumers in the Middle East by getting their thoughts about their state of cloud adoption and identify risks associated it.

Objective 3:

Prepare a template for designing IaaS cloud security infrastructure especially for IaaS. These templates will help in guiding IT professionals to utilize cloud services, set the design for cloud security infrastructure and select the security defences to protect data in the cloud.

Objective 4:

Offering the template to a sample of IT Professionals to check their feedback on how their confidence in cloud computing is affected if they use this strategy.

In this research, Only two template has will be developed, one for the low-risk appetite organizations that accept a low level of risk, and the other one is for high-risk appetite organization that accepts a high level of risks. The organizations that can accept a level of risk in between are not the audience of this research.

1.2 Brief Outline

This paper will begin with a critical evaluation of existing literature review related to cloud computing and IaaS security. This will help in the understanding of the research’s topic and latest research findings. Following that, research methods that are used in this paper will be discussed, and how these methods will be used. These methods are a literature review, observations, interviews, and surveys. Data collected through all of these methods was used through a methodological triangulation validation method to validate and confirm the findings of different stages of the research. Chapter 4 discussed the observations of the author about the research topic. However, experts interviews were discussed in chapter 5. Based on the data collected through literature review and observations, confirming and validating the results will be from data collected through the interviews methods. In chapter 6, the organizations was classified based on their risk appetite. Following that, the template was derived to guide these organization to guide in the cloud security adoption.

In chapter 7, a survey was conducted to assess, validate and confirm chapter 6 findings. And finally, the last chapter was summarized the research activity and tries to link the market future with the research finding.

2.0 Chapter 2: Literature Review

Information technology (IT) professionals try every day finding a new way to serve business objectives. In today world, there are needs to business that IT is trying to match. For examples, delivery of IT services with lower running cost, interact with dynamic needs of business, and availability. Cloud computing is a new terminology that is raised in the hall of IT recently that can satisfy these needs. It is a new model or method of delivering IT resources over the internet; it is a resource that varies from storage, computing power to application and software (Haeberlen and Dupre, 2012). Even home users start to use it with knowledge or without their knowledge of the term cloud computing, and they post videos and photos to YouTube, Flicker, and Facebook (LaGesse, 2009).

2.1 Cloud definition and Characteristics

Mell and Grance (2011) state that Cloud Computing is a model of enabling convenient on-demand access to a shared pool of self-managed configurable resources such as Network, servers, storage, and applications that are rapidly provisioned, accessed broadly and can be measured. It has main characteristics such as the following:

- On-demand Self-service: cloud user can get cloud benefits based on his needs without human interaction, for example, the consumer can schedule provisioning of the resources within their peak time only and de-provision them later automatically (Krutz and Vines, 2010).
- Broad Network access: Cloud services are available from anywhere over a different kind of links whether these links are internet or WAN or fibre or Microwave (Mell and Grance, 2011).
- Rapid Elasticity: or in another word, quickly scalable based on demand up and down (Krutz and Vines, 2010).
- Resource Pooling: the cloud computing whether it is physical and virtual resources are shared across multi-cloud users that dynamic assigned based on the cloud user needs (Mell and Grance, 2011).
- Measured service: the resources of that are used by the tenants are changing with time; however, it is monitored, metered, controlled and reported in a transparent manner (Krutz and Vines, 2010).

The mentioned characteristics can be restated in more critic way by saying that it is the technology that enables the consumer to lower their starting cost. This lowering of cost is achieved due to one of cloud’s main characteristics which is resource sharing. The concept of sharing IaaS resource allows the consumer to get the benefit of high tech technology, starts quickly and procuring cloud computing with the minimum possible amount of investment. Cloud computing is built upon a software of virtualization that gives consumers the ability to have on-demand control over the resources within the shared resources without the need of interacting of a third party that increases the level of trust and decrease the time taken for adding more resources when compared with traditional IT. Also, cloud computing has a broad access feature that indicates that the location of the provided services is not important except for monitoring the legal risk in the services provided country. Besides, it is an independent platform by which it can be accessed through mobile, laptop, windows platform, Unix platform, etc. Finally, the provided services is controled, monitored and measured. For example, the used resources (e.g. storage) by a consumer are dynamically changed with time on-demand. The used storage is monitored and based on the occupied space on the storage consumer will pay or pay as you use payment model.

2.2 Cloud service models

A cloud infrastructure is considered as a collection of hardware and software that provides the previously mentioned characteristics of cloud computing. Cloud services are available through three services model. First, Software as a Service (SaaS) is providing cloud consumer (CS) applications that are running on the cloud infrastructures. CS uses thin clients or web browsers to access these applications. Furthermore, CS does not have control over the underlying infrastructure such as storage, servers, OS, etc. (Haeberlen and Dupre, 2012).

Second, Platform as a Service (PaaS) is providing the CS with the ability to deploy his application based on languages, libraries, and tools supported by the CSP, nevertheless, CS does not control the underlying infrastructure of networks, servers, storages, other network resources and of course securing all of this component (Mell and Grance, 2011). Finally, Infrastructure as a service (IaaS) is providing the CS the abilities to self-provision processing, storage, network, servers (e.g. Virtual Machines.) which can make him able to run applications from the cloud. Furthermore, unlike the previously mentioned service models, IaaS consumer is responsible for all the underlying infrastructure from storage, servers, operating systems, etc. (Haeberlen and Dupre, 2012).

However, Blokland et al (2013) statues that there are four main building blocks that build cloud-computing space.

- Application: Software/application that runs in the cloud (e.g. CRM, OneDrive, Gmail)
- Platform: Runtime environments that depend on tools, programming languages and libraries (e.g. dotNet, PHP, ASP, etc.)
- Virtualization: Virtual copy of device whether it is network or servers gives the ability to provide multiple version of the device that is quickly provisioned on demand (VMware servers, virtual firewalls, virtual intrusion prevention, etc.)
- Hardwareis the physical elements that will carry the virtual environments that are the backbone cloud computing capabilities (e.g. blade servers, cables, racks, firewalls, switches, etc.) Abbildung in dieser Leseprobe nicht enthalten

Figure 1 - Four main building blocks of cloud computing (IaaS responsibility distribution)

Blokland, et al (2013) state that the responsibility of the management of these blocks (See Figure 1, Page 12) is shared between providers and consumers. In IaaS, CSP has the responsibility of managing the low-level infrastructure (Hardware & Virtualization) and their security. CSP has the physical security responsibility including building fences, managing gates, air condition, CCTV, an environmental monitor, access control to the datacenter etc. Besides, visualization components that include as an example hypervisor, network manager security, etc. While the CS has the responsibility of managing and securing platforms (e.g. Windows servers,) and the applications running on top of it. Consumer security measure includes patch management, vulnerability management, secure coding of custom applications, etc.

2.3 Cloud deployments model

According to Mell and Grance (2011), there is four deployment model that cloud consumers use when thinking to adopt their data to the cloud.

- Private Cloud: the entire cloud infrastructure is reserved exclusively for single cloud tenant that is managed by the consumer or a third party. It might be located on or off premises
- Public Cloud: Cloud infrastructure is shared among multi-tenants (business, academic, governments, etc.). it is located in the cloud provider premises.
- Community Cloud: Cloud infrastructure is shared among tenants shared same concerns. It can be located on or off premises.
- Hybrid Cloud: it is a combination of public, private and community cloud computing.

Most of the consumers are using a combination of these deployment model. Organizations has to select the suitable deployment model for each type of data they own. For example, an insurance company that has an enterprise-owned datacenter can have a backup site (disaster recovery site) that is hosted on a cloud provider (Private cloud). besides, its development team can use some development machines that are hosted on Mircosoft Azure (Public). Because of regulations, all healthcare sector must share medical records the government through a datacenter hosted in a government facility (Community cloud), All of this can be considered a pure example of hybrid cloud deployment model.

2.4 Cloud benefits

Cloud computing gives Infinite computing resources available that are on-demand and quickly provisioned enough to follow load surges. Besides, business can start small and increase hardware & software when they have business growth. CS can release when the resources are no longer in use. In addition, it is considered as a way to convert capital expenses to operating expenses. In fact, it plays important role in decreasing the information technology cost, and it decreases the risk of over-provisioning or under-provisioning.

Usually, CSP has a large scale cloud network infrastructure, so the same amount of investment in security and can provide better protection for the consumer. In addition, CSP can offer to hire the required expertise that can work on and manage specific security situations and have better threat management capabilities, therefore CSP can provide consumers with the latest better security technology by lower prices (Haeberlen and Dupre, 2012). Besides, Cloud computing market is considered as a cutting-edge market by which CSP is doing their best to have a good reputation in the market and attracting more consumers, therefore they are more than welcome to have the latest security controls and be the best market differentiator (Alassafi et al., 2017). CSP can quickly reallocate resources for filtering, bandwidth management, encryption and other security controls to support mitigation of attacks such as distributed denial of service DDOS. Besides, multiple consumers are using cloud resources for the same CSP which give him the visibility about the latest market attacks trends (e.g. Phishing campaign, malware outbreak, etc.), that will help him better protecting his consumer. In addition, the consumer can have the right to audit that can be written in a service level agreement to enhance risk management (Haeberlen and Dupre, 2012).

2.5 Risk Management Framework for Cloud Ecosystem

However, adopting data in the cloud is assosiating with many risks. In general, risk is a function of the probability that negative outcomes occurred and the value of this outcome (Iorga and Karmel, 2015). Managing these risks requires a framework ( See Figure 2, Page 22) that will discipline the activities that are integrated to all aspects of the organization from planning system development life cycle SDLC to security & privacy controls allocation, operation and monitoring (ISACA, 2011). In this Framework, Cloud Consumer (CS) needs to perform risk assessments that will assess the information processed, transmitted and stored based on business impact analysis to identify and analyze the risks associated with cloud adoption. Besides, CS identifies the security requirements for cloud-based services and he prepares risk treatment plan. Following that, he selects risk-adjusted security and privacy controls or asking for customizing controls in the CSP infrastructure. For example, CS is responsible for securing data in the cloud echo system until the hypervisor level (see Figure 1, Page 17). Besides, CS must identify the best suitable cloud-based architecture, identify security and privacy controls that are needed. In addition, CS must select the cloud partner, analyze his security posture, define and negotiate cloud-based SLA as well as (See Figure 2, Page 22) implement CS controls and authorize the cloud-based information system to operate. Finally, CS must monitor the effectiveness of the controls implemented (Iorga and Karmel, 2015).

2.6 Cloud Associated Risks

Haeberlen and Dupre (2012); Armbrust et al (2010); Alassafi et al (2017); Vaquero et al (2011) help in identifying risks by stating that some these risks¹ can be illustrated in the following point.

Threat 1. Data Lock-in: data cannot be extracted and migrated to another vendor CSP that increase the risks to the price increases.

Threat 2. Loss of Governance: CS will lose control over the underlying infrastructure as he will host his data to a third party (e.g. CSP), so it has direct impact on confidentiality, availability and integrity

Threat 3. Malicious insider: CSP employees have responsibility That is completely separate from CS (e.g. CSP system administrator), so they have high privilege on CS infrastructure

Threat 4. Insecure data deletion and shared resources issues: the resources are scaling up and down, so it has a high probability of data exposure due to ineffective data deletion.

Threat 5. Issue raising due to sharing the resources: it is unauthorized access to information due to share of resources

Threat 6. Management interface compromises or account Hijacking: it is internet accessible and it is subjected to vast of attacks from hackers that might use any known or unknown vulnerability to have unauthorized access.

Threat 7. Abuse use of cloud computing: using IaaS for hosting botnets, Trojans, etc.

Threat 8. Insecure APIs: API can manage and interact with the cloud services.

Abbildung in dieser Leseprobe nicht enthalten

Figure 2 - Risk Management Framework for cloud Echo-system

2.7 IaaS Security

Infrastructure as a service (IaaS) is the ability to provide the consumer with the required processing, storage, networks, and other fundamental computing resources (Mell and Grance, 2011). IaaS cloud has the same security concern as traditional it and more due to sharing the resources with other tenants. IaaS consumer does not share only the physical host, also it shares the network resources links and network interfaces by virtualization(Vaquero, et al., 2011). Furthermore, CSP has no control over the hypervisor level (See Figure 1, Page 17), so once the VM is infected, VM share the same physical host can attack each other(Gordon, 2015). Gonzales et al (2015) state that a trust zone must be created. Trust zone (TZ) (See Figure 3, Page 17) is a collection of network segmentation and identity access management (IAM) servers that use usernames, access control list (ACL) and active directory to control access to cloud resources. A TZ is dedicated to a single tenant, and its Security can be enhanced by only permitting preconfigured MAC address and IP address to connect to IAM servers. The security depends on the right configuration of the firewall, switches, active directory, etc. if it is misconfigured then it is introducing a vulnerability.

Abbildung in dieser Leseprobe nicht enthalten

Figure 3 - an example of separation between trust zones (Gonzales et al., 2015, p 524)

However, the cloud infrastructure management traffic, security-monitoring traffic, IAM server and VM traffic are not separated, so the surface of infection increase risk (e.g. VM to VM, VM to the hypervisor, etc. ) which is categorized as collocation attack(Gordon, 2015).

Gonzales et al ( 2015) introduce, based on Defense information system agency (DISA) recommendations, a new reference architecture model and that completely separate (See Figure 4, Page 24) the cloud management traffic from VM cloud for each tenant. CSP Management traffic is filtered and isolated through CSP TZ firewall, while CSP security and monitoring servers are isolated and monitored through CSP Enclave firewall. Besides, CS security and monitoring servers are isolated by firewall as well.

Abbildung in dieser Leseprobe nicht enthalten

Figure 4 - enhanced security cloud reference architecture model (Gonzales et al., 2015, p525)

Through the previously mentioned architecture model, all management, security and monitoring traffic of different cloud actors acting on the cloud are isolated through firewalls.

2.7.1 VM Security

As mentioned, the backbone of the cloud technology is visualization, and it is subjected to the threats that were mentioned earlier (See Table 1, Page 19). Therefore, securing the VM in all its life cycle plays an important rule for securing cloud IaaS. Vaquero et al (2011) state that VM image files should be encrypted in transit or storage. In fact, it is protected by using HTTPS, SSH, TLS with mutual authentication between the VM and its controller (hypervisor) that will work on adapting the VM to its future environment. Trusted based mandatory access control technology will be used to block any abnormal behaviour from its expected baseline (Raj and Schwan, 2009 cited inVaquero, et al., 2011).

Abbildung in dieser Leseprobe nicht enthalten

Table 1 - Threats affecting the VM during its life cycle

2.7.2 Hypervisor Security

Virtual Machine Monitor (VMM) or hypervisor main purpose is to monitor and manage the VM that it is running on the hypervisor. Obasuyi and Sari (2015) state that the visualization layer or the host operating system level is separating (See Figure 5, Page 20) the hardware resources from the VM. Vaquero et al (2011) state that the fact of the guest machine is a VM should be hidden from attacker detection. Normally, attackers detect that he is in a VM environment by detecting the host and guest OS, Communication channel detection, or memory differences as the location of the Interrupt, global and local distributor table varies between host OS and VM OS.

Abbildung in dieser Leseprobe nicht enthalten

Figure 5 - Virtualization Architecture (Obasuyi and Sari, 2015, p261)

2.7.3 Datacenter Security

It depends on the secure platform (e.g. Trusted Platform Module TPM) which is a combination of hardware and software, and its main objective is to provide isolation of the process. TPM is not designed to be accessed by multiple devices in the same time, so IBM introduced virtual TPM that allow all guest VMs can communicate to have its own separated TPM(Vaquero, et al., 2011).

2.8 Countermeasures

In addition, Gonzales et al (2015) state four cloud arch model with different security controls to be introduced to enhance IaaS cloud infrastructure (See Table 2, Page 21) such as VM image encryption at rest, multi-factor authentication for the CSP IAM servers, VM Isolation and Tenant IAM servers authentication type. In addition, Signed Hypervisor and signed BOIS is used for mutual authentication between the VM and its hypervisor. Furthermore, the isolation is implemented on many layers such as VM Isolation, Network Isolation, CSP monitoring, management, and security traffic network isolation (See Figure 5, Page 18) and CS management, monitor and security traffic network isolation.

Abbildung in dieser Leseprobe nicht enthalten

Table 2- Cloud Reference architecture model (Gonzales et al., 2015,p526)

He et al (2014) argue that the firewall can be placed like traditional IT. Information Security specialists have three option to place the firewall within the cloud (See Figure 6, Page 21).

Abbildung in dieser Leseprobe nicht enthalten

Figure 6 - Firewall deployment options (He, et al., 2014, p. 118)

First, one virtual firewall inside the hypervisor (See Figure 6a, Page 27) which will consume hypervisor’s resources. However, if any virtual machine VM infected, it can attack another machine hosted behind the firewall. Second, a dedicated virtual firewall (See Figure 6b, Page 27) is introduced for each VM. In such scenario, the security level increases as protection and logical isolation are provided for each VM, but it consumes huge resources from the hypervisor. Finally, one virtual firewall for all VMs (See Figure 6c, Page 27) so that the firewall protect and logically isolate all VM, so it will provide protection and consume fewer resources.

2.9 Service level of Agreement (SLA)

It is very important for the cloud adoption process, and typical one is a contract between the service provider and a consumer to define a description service provided, responsibility of each one of the two parties, cost, monitoring, reporting of the service level and penalties of not meeting the SLA(PaloAlto Network, 2017). However, Cloud SLA is deferent; there are more parameters to be added to the SLA such as data protection policies that will include how data will be protected, preserved, accessed, transferred, processed and purge(Gordon, 2015). Furthermore, an agreement of transparency in case of security breach notifications. Finally, disaster recovery and what is the incident response steps and responsibilities and the associated disruption (Hausman, et al., 2013).

2.10 Conclusion

Cloud Computing has many benefits that will help facilitate information technology work in enterprise now a day, but, it adds different kinds of risks on the top of what traditional IT has.

These risks can be managed in a systematic approach or a framework, which is published by the national institute of standard and Technology (NIST) under a name of risk management framework for cloud echo system (RMF4CE). RMF4CE has the following steps

- Risk Assessment: it is based on business impact analysis for the information created, processed, transmitted, stored, and destroyed.
- Risk Treatment: Assess CSP Infrastructure and choose controls and implemented for cloud consumer (CS)
- Risk control: monitor all controls and SLA.

Infrastructure as a service (IaaS) is one of the cloud service models that can be protected by separating the cloud service provider (CSP) from CS traffic. In addition, separate CS management, security, and monitoring traffic from normal VM traffic. On the other hand, the same is applied for CSP.

Gonzales et al (2015) worked hard to set a cloud architecture reference model that cover all the weak points when utilizing IaaS service model. However, their paper talked about IaaS’s security apart from the deployment model used (e.g. Public IaaS, Private IaaS, hybrid IaaS, community IaaS). Besides, there is no information about the recommended security and monitoring controls to be used in the different kind of deployment models.

3.0 Chapter 3: Research Methodology

In this paper, a combination of research methods such as literature review, observations, interviews, surveys and methodological triangulation validation will be used to answer research questions. They will be used in a sequence (See Figure 7, Page 30) to validate the finding of the research findings and develop the adopting strategy. The method will select to achieve the previously mentioned objective (See Table 3, Page 23).

Abbildung in dieser Leseprobe nicht enthalten

Table 3 - Method Objective Matrix

Abbildung in dieser Leseprobe nicht enthalten

Figure 7 - Methodological triangulation validation sequence

3.1 Observation Research Methods.

First, observation research method is considered as a qualitative research method that is used for data collection without interacting with the research environment (Williamson, 2000 citied in Baker, 2006). It permits the researchers to study phenomena or an environment and its surrounding media by recording their observation about the observed topic in a systematic approach (Groman and Clayton, 2005 citied in Baker, 2006). In our scenario, observation method will enable the researcher to observe and record the threat model associated with cloud adoption. In another word, it will record what the cloud adoption’s threats, current practice mitigating controls, and administrative controls are. Furthermore. Observation will be conducted based on literature reviews and experience in the field.

3.2Interviews Research method

Second, Interview is a qualitative research method, which is a dialogue between two or more persons with the aim to collect information relative to a research topic. It enables the researcher to work directly with the participants to get more clarity on answering the research questions(Wilson, 2012). It will be used within this paper for validation of the findings from the observation research method by asking open-ended questions to give the participants to express the reason behind their answers when validating the observation results (Alassafi et al., 2017). However, Beck & Manuel (2008) state that the following steps should be performed in order to have successful interviews

- Identify the participants: a participant is considered as an expert if he has five years of experience or more in the information technology field. The participant are selected from different working field such as insurance, government, IT, etc. The interviews will be conducted for five information technology experts from the Middle East countries.
- Select the interview type (personally, by telephone, Skype, etc.) and the type will be selected based on my reachability to them and their time and availability.
- Select the location to conduct the interview in
- Test the devices that will be used to conduct the interview with (Such as recorders, smart phone, PC, etc.).
- Design the interview questions and its schedule
- Obtain a formal consent.
- Conduct the interview.
- Write its transcript

3.3 Surveys Research method.

Third, Surveys are a quantitative research method used for gathering information from entities and to identify aspects of the research topic by asking questions on the sample and record their answers for further analysis. Groves et al (2009) state that open-end and closed-end questions are the most common type of questions used in this research method.

3.3.1 Open-ended questions:

- All participant are asked to express their answers in their own words.
- It is usually to identify and explain the reasons behind the experts.

3.3.2 Closed-ended questions:

- Participants are choosing their answers from predefined choices.
- Answers should include all possible answers and meaning should not overlap.

The order of the questions presented should be considered, and sensitive questions (e.g. income, gender, etc.) should not be included. Beside, double-barreled questions which are asking two questions in one and biased words should not be used. It will be conducted through electronic (e.g. Google analytics) or paper surveys

In this research, it will be used to confirm the strategy developed from the other research methods. In addition, linking the research with the market to validate its effectiveness.

3.4 Methodological triangulation validation

Methodological triangulation research method is the use of research method collections (more than 1) to study a research topic, for example, data can be collected by observation method and open-ended interviews (Casey and Murphy, 2009 citied in Bekhet & Zauszniewski, 2012). it is normally used for providing validation and confirmation of data, and it provides more comprehensive data that will help in enhancing understanding the topic(Bekhet & Zauszniewski, 2012). In addition, it is used to decrease the disadvantages of a method and strengthen the finding of the research (Denzin, 1978 citied in Bekhet & Zauszniewski, 2012). It will be used in this research (See Figure 7, Page 30) to validate the finding of the Literature review and observation by conducting expert’s interviews as a first step. Then, information from the last step and Literature review interview will be validated and confirmed with Surveys.

4.0 Chapter 4: Observation

4.1 Observation Findings and data analysis.

As known, observation is recording of all the factors affecting the research topic and it will be done based on literature review and personal experience in the field.

4.1.1 Expected growth:

- Cloud datacenter growth is expected to be in growth (See Figure 8, Page 32) from (21% 259) in 2015 to (47% 485) in 2020(Cisco, 2015, p. 4).
- The dependency on traditional datacenter will be declined (See Figure 9, Page 35) from 60.9% to 46.2% (Cloud Security Alliance, 2017a, p. 8).
- All type of cloud deployment model is expected to be in growth (See Figure 9, Page 35) (Cloud Security Alliance, 2017a, p. 8).
- Scaling up & down is the first motive behind cloud adoption (See Figure 10, Page 27), Then, and cost saving (Cloud Security Alliance, 2017a, p. 9).

Abbildung in dieser Leseprobe nicht enthalten

Figure 8 - Cisco Global Cloud Index(Cisco, 2015, p. 4).

[...]

---

¹ Threat n will be used later during the literature review and discussion