When the attributes of a cloud service (or cloud entity) are used as evidence to make trust judgment on the service (or entity), the sources of attribute assessment must be trustworthy, and those attributes need to be distributed in a trustworthy way. In the following, we first discuss the source of attribute assertions and then we discuss attribute certification as a formal approach to deliver cloud attributes.
Sources of cloud attribute assessment
Assessment of attributes may come from several sources: the cloud user, other peer users, the service provider, cloud auditor/accrediator, and cloud broker. We discuss each of them in turn.
Cloud user observation
If a cloud user has already interacted with a cloud service or a cloud service provider, then the experience will be the user’s direct basis for cloud attribute assessment. Experience is a fundamental factor of trust, and this kind of trust, called “interpersonal trust”, has long been studied in both social sciences and computing science.
The advantage of using direct interaction experience is that the data used are first-hand and may be most relevant; the disadvantage is that the data accumulated are limited with respect to the sample size and the range of the usage of the cloud service. A specific user’s experience is just one piece of the information revealing the trustworthiness of a cloud service.
Opinions of other peer users
When a cloud user has only limited direct experience with a cloud service (or none at all), other peer users’ opinions could be an important source of cloud attribute assessment. The major issues are: can those peer reviewers be trusted with respect to their opinions on the cloud service? and how can those different opinions be aggregated?
There are at least two basic approaches to solving the problem: social network based and reputation based.
Social network based approach
A cloud user takes one or more trusted friends’ opinions, and combines them with that user’s personal trust in each of those friends. That user may not have a direct trust relation with a “popular” reviewer, but the user may derive an indirect trust relation with that reviewer through a trust network [17, 36], which is a specific form of social networks, comprising of only trust relations. The social network based approach is an analogue of how a person initially trusts an entity, unknown before in the real world. Models in this category are heuristic. Typically, one asks only a small number of trusted friends for their opinions. When a large number of peer users’ opinions are involved, the approach becomes reputation based.
Reputation based approach
A typical methodology is to aggregate a large number of peer user’s ratings, often seen in e-commerce product/service ratings. The advantage is that the data used for assessment may cover many more situations and have a wider time-window of observations; this approach can have a much wider view on the cloud service (or its provider) than a single user does. On the other hand, some weaknesses exist: a large number of raters are required for meaningful and objective ratings; the raters and users should have a common understanding of the attribute semantics and the corresponding measurement; this approach is suitable for the purpose of overall rating, or is limited to rating a small number of attributes; the trustworthiness of individual voter are rarely taken into account; usually, as in e-commerce, the reputation of product/service is calculated by an organization in a centralized manner, so the organization may manipulate the calculation, and the calculating service may become a single point of attack.
Statements from cloud service provider
Some cloud service attributes may be specified, promised, or revealed by its provider. In “service specification” and advertisements, a service provider will specify the featured attributes of a cloud service; the attributes of the service stated in a SLA are the promises of that service provider to that user. Through the CloudTrust Protocol (CTP) [26], cloud users can request and get a response from the provider about “the elements of transparency”, the information concerning the compliance, security, privacy, integrity, and operational security history.
However, information about the attributes of a service given by the service provider are usually not directly believed by the first-time users. Sometimes a user may believe a service provider’s statements or promises, based on the brand name or reputation of that service provider, or based on the user’s past experience of interaction. In any case, the stated attributes are an important part of the watch-list in cloud service monitoring, and they are used to verify whether the service provider behaves as trusted. The conclusion of the verification will be used by the users to build or revise their trust in that service provider.
In general, the statements or promises about the attributes of a cloud service given by a cloud service provider itself need to be verified before used for decision making, and cloud attribute assertions from third party independent professional organizations are expected, which we discuss in the following subsections ‘Assessment of cloud auditor/accreditor’ and ‘Observation of cloud brokers’.
Assessment of cloud auditor/accreditor
NIST identifies a cloud auditor as “a party that can conduct independent assessment of cloud services, information system operations, performance, and security of a cloud implementation. A cloud auditor can evaluate the services provided by a cloud provider in terms of security controls, privacy impact, performance, etc.” [14]. Obviously, cloud audit is an important channel of cloud attribute assessment. A limitation of cloud auditing is that the trust assessment reflects only the state at the time of the audit. Trust changes dynamically, as a function of dynamic monitoring of behavior.
A cloud auditor’s assessment is usually regarded as a reliable information source for trust judgment. To some cloud users, a cloud auditor as a third-party professional organization may be a satisfactory trust root. However, to some others, the trustworthiness of a cloud auditor also needs to be evaluated by looking into the auditor’s attributes and/or policies. Since cloud audit is an important mechanism to ensure trustworthiness of clouds, each cloud auditor should be periodically audited and/or accredited by a professional association such as Auditing Standards Board of AICPA.
In formal accreditation, an entity who provides a professional service is assessed against official standards, and is issued with certification of its competency, authority, or credibility. The certification is provided by an accreditor, who is a third party independent authorized accreditation organization, and who is also accredited by a national standard body or professional association. If formal accreditation is applied to clouds, the cloud attribute assessment from a formal accreditation will be another important information source for cloud trust judgment.
Accreditation is somewhat similar to audit. In both cases an entity is assessed by an independent third party; however, there are subtle differences. First, they may have different focusing aspects of assessment. Accreditation focuses on the qualification of the accredited entity with respect to conducting a specific type of professional services; audit focuses on assessing the performance of the audited entity with respect to the common requirements of a society and/or the professional standards of a professional community. Secondly, audit typically takes place annually or once per half year; accreditation takes place in a longer period (e.g. every 5 years).
In summary, in context of cloud computing, the assessments by audit and accreditation are objective and “formal”, but they are not real-time information as from real-time monitoring.
Observation of cloud brokers
Cloud brokers play an important role. By the NIST definition [14], a cloud broker is “an entity that manages the use, performance, and delivery of cloud services, and negotiates relationships between Cloud Providers and Cloud Consumers.” A cloud broker may provide services in three categories [14]: (1) service intermediation: for a given cloud service, to provide value-added additional services such as performance monitoring and security management; (2) service aggregation: to provide an integrated service by aggregating several cloud services from different providers; (3) service arbitrage: to select proper cloud services in an integrated service, based on the quantified evaluation of the alternative cloud services. The observation of a cloud broker can be an important source of cloud attribute assessment.
The advantages of broker observation include: real-time cloud service performance monitoring; feedback from many peer users; an ability to monitor and evaluate a collection of the same category of cloud services from different providers. A cloud broker potentially has a relatively complete picture of a cloud service.
However, again the question arises whether a cloud broker can be trusted with respect to assessing cloud attributes. This depends on the relationship between broker and providers, and between broker and users. A tight business relation with some cloud providers may make the brokers’ opinion be not as objective as the one made in formal audit or accreditation.
From the perspective of cloud market mechanism we imagine that if a cloud broker represents a cloud provider, then the cloud broker may provide information which favors that cloud provider; however, if a broker is independent, and its business depends on the trust relations with users, the broker is more motivated to find and provide information being truly helpful for cloud users. This situation may occur when a cloud broker serves as a gateway for a large number of cloud users in the cloud market. Consistent with the above view, we further imagine that if a cloud broker is highly trusted by some cloud users (especially, end cloud users), the broker may become those cloud users’ trust anchor, taking care of trust management for those cloud users.
In order to ensure that a cloud broker behaves as a trustworthy cloud entity, cloud users will expect to learn how a cloud broker works, whether the broker is neutral, what policies the broker follows, and whether the broker has certain attributes that can be used as evidence to judge its trustworthiness. Therefore, essentially a cloud broker is also expected to be formally audited and/or accredited either.
Attribute certification
In addition to X.509 identity (public key) certification, there also exists X.509 attribute certification[37]. Public key certification is used in authentication; attribute certification is used for both authentication and authorization. An attribute certificate (AC) is a statement digitally signed by the AC issuer to certify that the AC holder has a set of specified attributes. The certified attributes can be access identity, authentication information (e.g. username/password pairs), group membership, role, and security clearance [37]. An AC mainly contains the following fields: unique AC identifier, AC holder, AC issuer, attribute-value pairs, valid period, the Id of the algorithm used to verify the signature of the AC, and extensions, which mainly include AC targeting – a list of specified servers or services where the AC can be used, and CRL (Certificate Revocation List) distribution points.
The current IETF X.509 AC standard [37] might be considered for use in cloud attribute certification, but it has several limitations.
First, the standard does not include important attributes needed in the cloud context. Extensions are possible to deal with this, but still no standards regarding service performance, security, and privacy. Second, with respect to attribute certification, the real authority behind attribute assertion is the entity who really knows the certified entity. For example, with respect to the role or membership of an entity in a specific organization, that organization is naturally the authority to state that attribute. From this point of view, we should discern the difference between “attribute assertion authority” (AAA) and attribute certification authority (ACA, i.e. AC issuer). We use AA (Attribute Authority) to refer to an entity who is both AAA and ACA. In the context of clouds, who plays the role of AA? From our earlier discussion, it is obvious that the most reliable sources for attribute assertion/assessment are independent third-party professional organizations such as cloud auditors and accreditors, and even cloud brokers.
Finally, current IETF X.509 AC standard [37] adopts a simple trust structure where “one authority issues all of the ACs for a particular set of attributes”. In cloud applications (except for small scale private clouds) an AC issuer may be frequently outside the trust boundary of an AC user. Therefore, mechanisms for cross-domain attribute certification and validation are necessary for both hybrid cloud and public cloud.