Compliance and feedback based model to measure cloud trustworthiness for hosting digital twins
Journal of Cloud Computing volume 13, Article number: 132 (2024)
Abstract
Cloud-based digital twins use real-time data from various data sources to simulate the behavior and performance of their physical counterparts, enabling monitoring and analysis. However, one restraining factor in the use of cloud computing for digital twins is its users’ concerns about the security of their data. This data may be located anywhere in the cloud, with the user having very limited control to ensure its security. Cloud-based digital twins provide opportunities for researchers to collaborate, yet the security of such digital twins requires measures specific to cloud computing. To overcome this shortcoming, we need to devise a mechanism that not only ensures essential security safeguards but also computes a Trustworthiness value for Cloud Service Providers (CSP). This would give confidence to cloud users and enable them to choose the right CSP for their data-related interaction. This research proposes a solution, whereby the Trustworthiness of CSPs is calculated based on their Compliance with data security controls, User Feedback, and Auditor Rating. Two additional factors, Accuracy of Compliance Measurement and Control Significance Factor, have been built in to cater for other nonstandard conditions. Our implementation of Data Security Compliance Monitor and Data Trust as a Service, along with three CSPs, each with ten different settings, has supported our proposition through the devised formula. Experimental outcomes show changes in the trustworthiness value with changes in compliance level, user feedback and auditor rating. CSPs with better compliance have better trustworthiness values. However, if the Accuracy of Compliance Measurement and Control Significance Factor are low, the trustworthiness is also proportionately lower. This creates a balance and realism in our calculations. This model is unique and will help in creating users’ trust in cloud-based digital twins.
Introduction
Cloud computing is a convenient, cost-effective, and efficient solution for organizations as well as individuals to subscribe to or run their own IT services. Gartner forecasts worldwide public cloud end-user spending to reach nearly $679 billion in 2024. This is a growth of 20.4% compared with 2023 [1]. At the same time, as per ENISA [2] and Cloud Security Alliance [3] the rapid adoption of cloud computing has increased the attack surface and the opportunities for cybercriminals. An IDC survey [4] has revealed that the second biggest challenge of Chief Information Officers today is securing data and clouds. Thus, one factor restraining the use of cloud computing is its users’ concern about their data security due to an enhanced attack surface and lack of control by the actual data owners. These apprehensions have slowed down the growth of cloud computing despite its enormous benefits [5].
Digital twin technology, when integrated with cloud computing offers significant benefits but also faces several challenges. Digital twins often handle sensitive information necessitating stringent measures to prevent unauthorized access or data loss. Addressing these data security concerns requires a comprehensive approach involving advanced security technologies, strict access control mechanisms, robust data protection practices, and adherence to regulatory standards. Therefore, before deploying a digital twin on the cloud, researchers must ensure that the cloud service provider (CSP) has addressed data security concerns according to industry best practices. Achieving this requires insight into the internal operations of cloud providers, which may not be feasible. As an alternative, a mechanism should be developed to measure and communicate the trustworthiness of CSPs in handling data securely.
One reason for the lack of trust in cloud computing is the absence of a mature mechanism to establish this trust. Some researchers have proposed frameworks to measure the Trustworthiness of a CSP, but most of these trust models are oriented toward choosing a service on its performance and feedback. A better approach would be trust based on performance as well as the security strength of a service or its CSP. Thus, an all-inclusive mechanism is needed that could help Cloud Service Users (CSU) to choose a CSP that is trustworthy and satisfies user needs. This research aims to create and validate such a mechanism as an effective solution.
Various forums like Cloud Security Alliance (CSA) have introduced programs that maintain and share records of various CSPs along with their security ratings. The ‘Security, Trust & Assurance Registry (STAR)’ program [6] of CSA is a publicly accessible gratis registry that allows CSPs to publish self-assessments of their security measures, in either a ‘Consensus Assessments Initiative Questionnaire (CAIQ)’ or a ‘Cloud Controls Matrix (CCM)’, which embody CSA published best practices. The STAR program has two levels, based on self-assessment and third-party attestation respectively. This program lacks a mechanism where the security controls of a CSP are tested through automated means by an independent service. Furthermore, it also does not incorporate user feedback which can be a good source of first-hand knowledge about the CSPs.
The proposed model to calculate trustworthiness is all-inclusive and based on multiple factors. While it includes self-claimed compliance and cloud security auditor ratings, it also caters to user feedback and a compliance check through automated means, where possible. Self-claimed compliance could be based on any data security framework such as proposed by Akhtar et al. in [7]. Trustworthiness has been measured based on Total Compliance Value, User Feedback, and Auditor Rating, while Total Compliance Value has been calculated based on individual Control Compliance Value, Accuracy of Compliance Measurement, and Control Significance Factor. Two services, Data Security Compliance Monitor and Data Trust as a Service have been proposed and developed with their functions to measure Total Compliance Value and Trustworthiness. These services were then tested for three different cloud types with ten different settings. Our experimental analysis proves that our Trustworthiness model is not only valid but also contributes to building a trusted environment for cloud computing. Thus, the key contribution of this research is to measure and share the trustworthiness of CSPs. The proposed model provides a mechanism to secure cloud-based digital twins and addresses user concerns about the security of their data.
This paper further describes the proposed model, its implementation, experimental setting, test cases, their outcome, and analysis in the following sections. A compliance and feedback based trustworthiness model has been discussed and implemented in this paper along with its outcome. Background and related work are discussed in the next section, while the proposed trust model, with its uniqueness and theoretical constructs, is described later. Our implementation of Data Trust as a Service and Data Security Compliance Monitor is subsequently covered. The experimental settings and test cases, and the results and their analysis, are elucidated in the last two sections respectively. In the end, we conclude with some suggestions for future research.
Background and related work
Numerous trust calculation frameworks have already been proposed by various researchers. Junejo et al. [8] proposed a multi-dimensional and multi-factor Trust Computation Framework for cloud services. This framework is based on user feedback which is ascertained by Quality of Service (QoS). To remove malicious and false feedback, the authors also evaluated the credibility of user feedback, based on multi-dimensional QoS attributes. This calculation of Trust does not see cloud services from a security perspective. Rather this trust is based on QoS which primarily revolves around node profile, average resource consumption, and performance. On the contrary, our hypothesis is based on data security concerns for cloud-based digital twins and calculates Trustworthiness from a data security perspective. Our trust calculations are not restricted to data security controls but also consider the performance parameters by incorporating user feedback.
A similar trust model based on behavior and feedback has been proposed by Mujawar et al. in [9]. Cumulative trust is calculated by considering different parameters from the Service Level Agreement (SLA) to compute the feedback trust value, and various QoS attributes to compute behavioral trust values. The proposed model includes a mechanism to judge the genuineness of feedback submitted by the users. This approach is quite similar to the approach in [8], as both largely depend on user feedback. Yet again, this approach does not see Trust from a cyber security perspective. Another multi-attribute selection algorithm for users to choose a cloud service that can be trusted has been proposed in [10]. This model is based on user preferences and cloud attributes to calculate a trust value. This again is largely based on performance and users’ knowledge about what they should be considering to select a service. On the contrary, a better model could be one that checks the cloud parameters against an authentic security framework or a predefined standard.
Many other authors have described and implemented trust in the same context, i.e. trust is the estimation of the ability of a CSP to complete a task based on some criteria such as availability, reliability, and resource processing power [11]. In this paper, Hassan et al. have proposed a model that calculates the trust value, which is updated dynamically at each transaction along with provider reputation history from user feedback ratings. Like earlier models, this model also largely revolves around performance and user feedback. Alam [12] and Kesarwani [13] have calculated trust values at the resource level. Fuzzy logic is applied based on parameters such as performance and elasticity to calculate trust [13]. This approach views trust as performance and omits security as an important consideration.
Another similar research is by Ragavendiran et al. [14], who proposed a model to develop a trust score of a CSP by comparing Service Broker and Load Balancing policies, using the fuzzy inference system. Three Service Broker Policies and three Load Balancing Policies are considered when calculating the trust score. Policies operate on user input such as their region, which sends the request to a specific Data Centre. Fuzzy inference is carried out to determine factors from the Data Centers that are directly proportional to calculate the overall trust score. A shortfall in this approach is that cloud service configuration may vary from data center to data center, while the trust model assumes that all configurations across the regions are alike.
Few researchers have proposed Trust calculations based on security needs rather than performance. In [15] a trust model has been proposed that can assist cloud users to choose a CSP based on their security preferences. Fuzzy logic is used to process the abstract requirements of CSUs and obtain the most accurate results. This model fundamentally relies on users’ understanding of data security which may not be based on the latest challenges and best practices. Thus, the recommended CSP may not have the security strength that is actually desired. Likewise, in [16] a trust model has been devised which narrows down various parameters that are most critical while choosing a trustworthy service. Security requirements as selected by the CSU are analyzed and a trust value is calculated through a point-based system. This allows cloud users to choose cloud services as per their specified needs. As with the previous model, the shortcoming of this approach is its dependency on choices made by the cloud users who may not necessarily choose the CSP which is trustworthy for all their needs. Similar models have been proposed by a few other authors as well. In [17] a hybrid clustering algorithm has been developed that can categorize nodes based on their trustworthiness for edge computing devices. In [18] a consumer-centric trust assessment framework has been proposed that integrates governance, transparency, and security information to represent cybersecurity, manageability, and transparency of services under assessment.
Various Trust models have been created for cloud computing which enable 3rd party trust services to measure the trustworthiness of a cloud. In [19], a trust mechanism has been proposed that combines evidence-based trust, policy-based trust, and attribute certification, integrating various trust mechanisms to determine the chain of trust in the cloud. A Cloud Trust Protocol (CTP) has also been proposed whose primary purpose is to display evidence-based confidence that everything claimed to be happening in the cloud is actually happening as described [20]. Cloud Trust Authority (CTA) is a cloud service using CTP, through which users can ask a CSP about “the elements of transparency”, i.e. the information concerning security, privacy, integrity, and compliance.
Table 1 summarizes our background review of the trust calculations approach by various researchers. It shows various factors that have been suggested or considered to calculate trust. The papers in which they have been discussed are shown in the adjacent column. Many factors mentioned in the table are similar, like performance, quality of service, or behavior; it’s just that different authors have used different terminology for the same thing. To keep the originality of their research we have mentioned the terminologies as used by the authors.
Interesting to note is a wide variety of considerations, while no single approach has combined all essential factors to create one holistic model. We cannot trust an entity unless it covers all our concerns in that specific use case. All the proposed models as discussed earlier lack comprehensiveness. Many of the proposed models calculate trust to enable CSUs to choose a CSP based on its performance parameters. However, none have viewed the trust from a data security perspective. Thus, the model that we have proposed calculates trust for data security and is based on all relevant parameters which include security, performance, feedback, and auditor inspections. Moreover, our proposed model uses automated means to measure compliance as one of the factors.
Proposed cloud trust model
To overcome the trust issues in securing cloud-based digital twins and fill the voids in the existing trust models, this research proposes a multi-factor compliance and feedback based trust service. Our approach is to consider data security issues and incorporate all factors that can strengthen the trust value of a CSP for data-related interactions. Out of various factors that researchers have identified earlier, we have chosen the factors that are needed for data security. Moreover, we have considered other non-standard conditions like the varying significance of controls and the accuracy of compliance measurements to make the calculations more realistic. The ultimate purpose of the research is to create a mechanism that measures the trustworthiness of CSPs and shares it with CSUs, to enable them to choose the right CSP for data-related interactions.
The proposed model builds on compliance and feedback. We know compliance with a security framework can be ascertained through audits. However, with technologies used in Security Operations Centers, certain compliances can be ascertained through automated means. If neither of the above options is possible, compliance can also be ascertained through CSPs’ commitments through a questionnaire. Thus, we measure compliance through three means, namely security audits, automated compliance checks, and self-claimed compliance. Since compliance measurement by these methods does not carry the same level of reliability, we have added another factor, which is the Accuracy of Compliance Measurement. We have devised a mechanism to assign a value to this factor, which is discussed subsequently.
Since our compliance is controls-based, we have included another factor which is the Control Significance Factor in our calculations. This factor adds intelligence to our calculations since controls that cover more probable and damaging threats get a higher value. Thus, compliance with such controls also gets a higher value. Besides compliance with data security controls, we also use user feedback to measure the Trustworthiness of CSPs. User feedback is an important tool to ascertain the performance and security strength of any CSP.
As part of our Trust calculations, we have also proposed an infrastructure that executes all this. To measure the Trustworthiness of CSPs we need to ascertain the level of compliance. For this, two services have been proposed which are responsible for measuring compliance and trustworthiness respectively. These services are Data Security Compliance Monitor (DSCM) and Data Trust as a Service (DTaaS). A high-level design showing the key components of the proposed model and how these components are linked is in Fig. 1. DSCM is deployed on CSPs’ sites while DTaaS is hosted independently.
DSCM measures each Control’s Compliance Value Ccv and Accuracy of Compliance Measurement Acm and passes them on to DTaaS. DTaaS measures Total Compliance Value TCV based on Ccv, Acm and Controls Significance Factor Csf. Acm and Csf have been added to incorporate important influencing factors while calculating compliance value. Thus, the proposed model also ascertains the accuracy of compliance measurement while measuring individual controls’ compliance. Similarly, all controls do not carry the same impact, since some controls block incidents that are fatal while other controls block incidents that are normal or less fatal. Therefore, in the proposed model each control has been assigned a Control Significance Factor which is derived from the incidents’ history and relevance of that specific control. Our calculation of TCV, based on the above-discussed variables, is done using Eq. (1), where n is the number of controls. In the equation, all factors for each control are added and divided by 3 to take their average. This is repeated for all controls (n in this case) and the outcome is summed up and divided by n to determine the TCV.
Trustworthiness TW is also calculated by DTaaS based on Total Compliance Value, User Feedback (UF), and Auditor Rating (AR). Thus, TW is a mix of what exists on the ground, what specialists (auditors) say about the CSP, and how end users have graded the service or CSP (feedback). TW is based on not just compliance but also other measures, which makes it all-inclusive and more authentic. The proposed model also assigns weights to these three factors. Compliance check being the most practical factor gets double the weight as compared to AR and UF. Thus, TW is calculated using Eq. (2), where TCV is out of 100 while AR and UF are out of 50; and the total value is divided by 200 to get the value of Trustworthiness between 0 and 1. Thus, the denominator of 200 includes total points of 100 for TCV and 50 each for UF and AR. Trustworthiness is based on three very dynamic and all-inclusive factors. To achieve high trust value a CSP must not only have good compliance but should also have good auditor ratings and good user feedback.
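The two calculations described above can be sketched as follows. This is an added example, not the DTaaS code; it assumes Ccv, Acm and Csf are each normalised to [0, 1] with the average scaled by 100 to give TCV out of 100, and that a missing Acm is entered as 0. The control identifiers and values are constructed.

```javascript
// Added illustration of the TCV and TW calculations described in the text.
// Assumption (not stated on the page): Ccv, Acm and Csf are each normalised
// to [0, 1], and the averaged result is scaled by 100 so TCV is out of 100.

function requireRange(name, value, lo, hi) {
  if (typeof value !== 'number' || Number.isNaN(value) || value < lo || value > hi) {
    throw new RangeError(`${name} must be a number in [${lo}, ${hi}], got ${value}`);
  }
}

// TCV: average the three factors of each control, then average over the n controls.
function totalComplianceValue(controls) {
  if (!Array.isArray(controls) || controls.length === 0) {
    throw new RangeError('TCV needs at least one control');
  }
  let sum = 0;
  for (const c of controls) {
    requireRange(`${c.id}.ccv`, c.ccv, 0, 1);
    requireRange(`${c.id}.acm`, c.acm, 0, 1);
    requireRange(`${c.id}.csf`, c.csf, 0, 1);
    sum += (c.ccv + c.acm + c.csf) / 3;
  }
  return (sum / controls.length) * 100;
}

// TW: TCV (0-100) carries twice the weight of UF and AR (0-50 each).
// Dividing by the 200 available points gives a value in [0, 1].
function trustworthiness(tcv, userFeedback, auditorRating) {
  requireRange('TCV', tcv, 0, 100);
  requireRange('UF', userFeedback, 0, 50);
  requireRange('AR', auditorRating, 0, 50);
  return (tcv + userFeedback + auditorRating) / 200;
}

// Constructed sample data: four hypothetical controls of one CSP.
const SAMPLE_CONTROLS = [
  { id: 'C01', ccv: 1.0, acm: 1.0, csf: 0.5 },
  { id: 'C02', ccv: 0.5, acm: 0.5, csf: 1.0 },
  { id: 'C03', ccv: 1.0, acm: 0.5, csf: 0.0 },
  { id: 'C04', ccv: 0.0, acm: 1.0, csf: 0.5 },
];

// Recompute the same CSP with Acm removed (assumed here to mean Acm = 0)
// to show how measurement accuracy pulls TCV, and through it TW, down.
function compareWithAndWithoutAcm(controls, userFeedback, auditorRating) {
  const tcvWithAcm = totalComplianceValue(controls);
  const tcvWithoutAcm = totalComplianceValue(controls.map((c) => ({ ...c, acm: 0 })));
  return {
    tcvWithAcm,
    tcvWithoutAcm,
    twWithAcm: trustworthiness(tcvWithAcm, userFeedback, auditorRating),
    twWithoutAcm: trustworthiness(tcvWithoutAcm, userFeedback, auditorRating),
  };
}

console.log(compareWithAndWithoutAcm(SAMPLE_CONTROLS, 40, 35));
```
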
The proposed model has been validated by an experiment as a proof of concept. Both the services have been developed and three CSPs with different settings were integrated with them. The settings of each CSP were then changed to see the impact on TCV and TW values. As the CSPs are assigned different degrees of compliance and feedback, their values of Trustworthiness also alter. Clouds with less compliance and related values should have lower trust scores compared to clouds which have better compliance and feedback. A CSP can be termed trustworthy if it complies with proposed security controls, and has good user feedback and auditor rating.
Discussion on the number and type of controls is not part of this research. Any security framework can be chosen which recommends data security controls. Data security controls can be identified after an analysis covering all likely threats, based on existing vulnerabilities to user data. Various cloud use cases and their corresponding standards as identified in [21] can be kept in consideration to identify the vulnerabilities. As new threats emerge new controls can also be made part of the framework. Thus, discussions in this paper are more about the approach to establishing trustworthiness rather than the verification of individual controls.
The proposed model is applicable to numerous real-world scenarios in addition to digital twins. It can contribute towards achieving a cloud of clouds by standardizing the data security controls and creating a mechanism for sharing compliance. CSPs can use this model to ascertain the trustworthiness of other CSPs and decide on data related interactions. Similarly, in financial services, the various banking regulations mandate secure data sharing between banks and third-party providers, requiring robust trust models to manage customer consent and data protection. In healthcare, various health services require data trust models to securely share patient data between hospitals, clinics, and research institutions, ensuring compliance with regulations and maintaining patient confidentiality. Thus, the proposed data trust model can play a crucial role in ensuring the secure handling of sensitive data across various industries in cloud computing.
Implementation
The proposed model has been implemented and validated to prove that the chosen parameters to calculate Trustworthiness are logical and comprehensive. DSCM and DTaaS have been developed as a service, which are accessible through a web-based user interface. The DSCM service is run on each CSP, while DTaaS is hosted independently and is connected with DSCM of each CSP. Being cloud services DTaaS and DSCM are independent of any underlying cloud framework. Further description of these two services along with relevant screenshots is given in the following subsections.
Data Security Compliance Monitor (DSCM)
DSCM has been developed using the PHP and JavaScript programming languages and runs on a MySQL database. It provides features related to compliance checks, manual entry of values where provisioned, and viewing the outcome, which is TCV and TW. The features provided by DSCM are listed below and shown in the screenshot in Fig. 2.
- Questionnaire to enable CSPs to fill in their self-claimed compliance.
- Module to enter Accuracy of Compliance Measurement. Although it is meant to be measured automatically, it is entered manually due to research limitations.
- Run automated compliance checks and, where not possible due to experimental limitations, enter these values manually.
- Show TCV of specific CSP.
- Show TW of all CSPs.
DSCM is a cloud-specific service, thus the screenshot in Fig. 2 shows the home page of Alpha Cloud. It shows values of different parameters related only to Alpha Cloud, yet the trustworthiness value is shown for all clouds. One key function of DSCM is to ascertain compliance based on the self-claimed compliance commitments of the CSP. For this purpose, a questionnaire is presented to CSPs to gather their responses, mostly as yes or no. The screenshot in Fig. 3 is from the Self-claimed Compliance Check feature, in which the questions are presented in seven major areas, with each area having multiple questions. The DSCM then interprets the answers and calculates compliance with various controls.
Data Trust as a Service (DTaaS)
DTaaS is based on PHP and JavaScript using MySQL as the database. It runs centrally while collaborating with DSCM service at respective CSPs to calculate Total Compliance Value and Trustworthiness. It provides features to manage the Threat Library and calculate the Control Significance Factor Csf based on security incidents and their impact, as entered in the Threat Library. DTaaS also enables the entry of User Feedback and Auditor Rating values (Fig. 4).
DTaaS’ Threat Library functionality allows the threat analyst to enter the security incidents, evaluate their impact, and link them with controls that were supposed to check the incident. The impact is graded between No Damage and Severe by threat analysts on the four parameters as in Table 2.
Threat Library screenshots in Fig. 5 show the entry form for cyber security incidents. The threat analyst enters the incident title and description, and then checks the security controls linked with it. At the end of the form, the threat analyst assigns the degree of damage caused by the incident, as per Table 2.
The scalability of a trust model refers to its ability to handle growth in terms of the number of users, interactions, and data without significant performance degradation. In the proposed trust model, DSCM and DTaaS are scalable to any number of CSPs. DSCM operates at the individual cloud level and thus would always have a uniform load to check 20 data security controls. DTaaS may grow to handle a large number of CSPs as well as a huge threat library. However, the proposed model can handle any load by adding more instances of DTaaS. Different instances of DTaaS can then share their computed values. Moreover, being a simple model by design, it has linear time and space complexities, which can be represented as follows:
- Monitoring and analyzing compliance over time can have a time complexity proportional to the length of the observation period and the number of metrics analyzed, often (n⋅m) where n is the number of observations and m is the number of metrics.
- Similarly, storing logs of monitoring and compliance for analysis purposes can lead to high space requirements, often (n⋅m), where m is the number of metrics logged over n time periods.
Based on the input in the Threat Library, DTaaS measures the Csf of all controls individually by simply adding the values and dividing them by the total value, which is 40. The Csf measured for a control due to a specific incident is then added to the earlier Csf values of that control, ensuring that the maximum value of Csf does not exceed 1. Algorithm 1 has been used to implement this feature to measure Csf.
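The Csf accumulation described above can be sketched as follows. This is an added example and not the paper's Algorithm 1, which is not reproduced on this page; the property names, control identifiers and incidents are constructed, and the four damage parameters and the 0 to 10 grading follow the paper's description of the Threat Library.

```javascript
// Added illustration of the Csf calculation described in the text.
// Each incident is graded 0-10 on four damage parameters (total out of 40)
// and linked to the controls that were supposed to check it.

const DAMAGE_PARAMS = ['outage', 'dataLoss', 'financialLoss', 'reputationLoss'];
const MAX_GRADE = 10;
const MAX_TOTAL = DAMAGE_PARAMS.length * MAX_GRADE; // 40

// Significance contributed by one incident: sum of its grades divided by 40.
function incidentSignificance(incident) {
  let total = 0;
  for (const p of DAMAGE_PARAMS) {
    const grade = incident.damage[p];
    if (typeof grade !== 'number' || Number.isNaN(grade) || grade < 0 || grade > MAX_GRADE) {
      throw new RangeError(`"${incident.title}": ${p} must be graded 0-${MAX_GRADE}`);
    }
    total += grade;
  }
  return total / MAX_TOTAL;
}

// Accumulate Csf per control over all incidents, capped at 1.
// Controls with no linked incident keep a Csf of 0.
function controlSignificance(controlIds, incidents) {
  const csf = new Map(controlIds.map((id) => [id, 0]));
  for (const incident of incidents) {
    const s = incidentSignificance(incident);
    for (const id of incident.controls) {
      if (!csf.has(id)) {
        throw new Error(`"${incident.title}" links unknown control ${id}`);
      }
      // Once a control reaches the cap, later incidents no longer change it.
      csf.set(id, Math.min(1, csf.get(id) + s));
    }
  }
  return csf;
}

// Constructed sample data (hypothetical control ids and incidents).
const SAMPLE_CONTROL_IDS = ['C01', 'C02', 'C03', 'C04'];
const SAMPLE_INCIDENTS = [
  { title: 'Storage bucket exposure', controls: ['C01', 'C02'],
    damage: { outage: 8, dataLoss: 10, financialLoss: 6, reputationLoss: 8 } },
  { title: 'Stale access key reuse', controls: ['C02', 'C03'],
    damage: { outage: 2, dataLoss: 4, financialLoss: 0, reputationLoss: 2 } },
  { title: 'Regional service outage', controls: ['C02'],
    damage: { outage: 10, dataLoss: 0, financialLoss: 5, reputationLoss: 5 } },
];

for (const [id, value] of controlSignificance(SAMPLE_CONTROL_IDS, SAMPLE_INCIDENTS)) {
  console.log(id, value.toFixed(2));
}
```
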
DTaaS calculates Trustworthiness TW based on three factors which are Total Compliance Value, User Feedback value, and Auditor Rating value using the formulae discussed earlier. Positive and negative feedbacks are segregated and false feedbacks are removed to reach a final feedback value. A lot of research has already been done on User Feedback, therefore its calculation parameters are not discussed in this research. CSPs can view TW of other CSPs, which would assist them in making their collaboration decisions (Fig. 6).
Experimental setting
Validation of the proposed trust model is done by varying various parameters in the TCV and TW formula and observing the impact on the TCV and TW. As per the formula, the five variables should alter the values of TCV and TW conforming to their relationship or weightage. The Trustworthiness of a CSP is based on three parameters, which are its Total Compliance Value TCV, its Auditor Rating, and its User Feedback. Similarly, the calculation of TCV is also dependent on three variables, which are individual Control Compliance Value, Accuracy of Compliance Measurement, and Control Significance Factor. Thus, we validated the model by changing these variables and observing the outcome on Total Compliance Value and Trustworthiness. The controls in this model have been generalized as data security controls, since digital twins also reside on a cloud as data. Thus, securing the data is the same as securing the digital twin.
The evaluation metrics for the proposed model have been selected to cover the security, performance, compliance, and trustworthiness aspects. Security metrics review the contributions of the model in achieving data security. Since it is a trust model, the performance metrics cover the accuracy and efficiency of the trust algorithm. Compliance metrics are parameters to measure the accuracy of compliance checks while trustworthiness metrics involve the parameters that this model has proposed to measure trustworthiness. The scalability and performance aspects of the model have already been discussed in the previous section. The compliance and trustworthiness metrics are calculated by carefully selecting initialization values and observing the changes in values in ten different test cases. The environmental values and changes in them validate the accuracy of trustworthiness values. The findings are discussed in detail in the Results and Analysis section. The proposed cloud-based services are independent of the underlying cloud framework adopted by any CSP and have no significant resource requirements.
Initialization
An environment consisting of three CSPs has been created on three Virtual Machines obtained from NUST [22]. CloudSIM [23] is used to simulate the environment and related parameters. Each CSP is initialized as per pre-defined values of compliance with 20 controls [7]. These three CSPs are initialized as trusted, moderate, and untrusted CSP. The compliance and other corresponding values of each CSP are adjusted as per its classification. As per our proposed model, compliance to various controls is measured through automated means, however, where not possible compliance is committed by the CSP by answering a questionnaire. Thus, the questionnaire presented through Self-claimed Compliance Check and the corresponding values assigned to each cloud for initialization purposes are as in Table 3.
The Threat Library is also initialized with the entry of 20 incidents. Later, to ascertain the impact of incidents on the value of Csf and TCV, 10 more incidents are added. Incidents have been picked from actual incidents that took place in the past. As mentioned earlier, damage assessment is done by grading the damage based on four parameters, which are Outage, Data Loss, Financial Loss, and Reputation Loss. Each one of these parameters is graded between 0–10 as per the assessment by the Threat Analyst. The values of damage assessment for entered security incidents have been assigned on judgment, based on available information about the extent and damage of these incidents.
Test cases
Our proposed calculations have seven variables as in Table 4. The last two variables are output, so the first five variables are changed in different ways as discussed later.
TW and TCV of three CSPs are calculated at 10 different experimental settings. Each setting varies the values of five variables in different permutations. The changes in variables in 10 different settings are managed as in Table 5.
In these settings, one variable is changed at one time and its impact is then seen on the TW and TCV values. Setting 1 is the initialization of all three CSPs to their selected values as per the experimental setting of trustworthy, moderate, and untrustworthy CSPs. In settings 2 and 3, only Control Compliance Values are changed to a positive and negative value respectively. In setting 4 and 5, Accuracy of Compliance Measurement is changed to a positive value and no value one by one. Setting 6 and 7 are about Control Significance Factor, where in setting 6 it is added while in setting 7 it is completely removed to ascertain its impact. Setting 8, 9, and 10 are about Auditor Rating and User Feedback. In setting 8 Auditor Rating is altered, in setting 9 User Feedback is increased, while in setting 10 both are changed to observe their impact on overall values. Results and their analysis are further discussed in the following section.
Results and analysis
Our proposed parameters to calculate the trustworthiness of CSPs can be validated if changes in their values correspondingly change the values of TCV and TW. So, while we change each parameter one by one in the ten settings, we expect to see a change in TCV and TW according to the weightage of the parameter being considered. This would not only validate our trust model, which is based on compliance and feedback, but would also verify a functional approach through which it can be implemented. We start our trials by initializing three experimental CSPs (Alpha Cloud, Bravo Cloud, and Charlie Cloud) as per Setting 1 through the DSCM service. This includes setting up self-claimed compliance values as in Table 3 for the three CSPs. Additionally, DTaaS was initialized by entering the 20 selected incidents in the Threat Library. Subsequently, relevant parameters on DSCM and DTaaS were changed as per Settings 2 to 10. Based on the output and data captured during these 10 iterations, some relevant observations and conclusions are listed below.
- The output TW and TCV values for each setting have been plotted as line graphs in Figs. 7 and 8 respectively. The graphs indicate corresponding changes in TW and TCV as other parameters are changed. For example, as we switch from Setting 1 to Setting 2, where we increase the Control Compliance Values Ccv, we see a corresponding increase in TW and TCV. Similarly, if we decrease the Control Compliance Values as in Setting 3, we see a corresponding decline in TW and TCV. Since TCV also depends on two other factors, Acm and Csf, a change in Ccv has only a partial effect. This not only validates the concept and formula but also proves a more comprehensive approach to measuring the Trustworthiness of CSPs.
- Without entry of Acm, TCV is not a true reflection of compliance, which otherwise might be higher or lower. So, to achieve a higher TCV, not only should the individual Ccv be high, but their measurement process Acm should also be more accurate. In the TCV graph (Fig. 8), Setting 4 includes positive Acm, while Setting 5 does not include Acm. In the graph, it is visible that TCV sharply declines when Acm is removed. Thus, for a CSP to receive true compliance values, it must also have accurate and automated processes to measure compliance.
- TW and TCV values of the three CSPs obtained from the 10 different experimental settings can be evaluated from different perspectives to validate the concept and formula. The graph in Fig. 9 shows the relationship between TW and TCV values for one specific cloud, as its parameters are changed from Setting 1 to Setting 10.
- The Alpha Cloud graph in Fig. 9 shows TW and TCV together. We generally see a similar trend in TW with an increase or decrease in TCV. Settings 1, 2, and 3 are initial, increased, and reduced Ccv. In all three settings TW and TCV first decrease and then increase, indicating the rightful impact. TW in Settings 1–3 is 0.78, 0.79, and 0.76, while TCV for the same settings is 0.71, 0.72, and 0.67. It is worth noting that the overall variation across these three settings is small, since only one value was altered while TW and TCV are based on multiple factors. So, to achieve a greater impact, all factors have to play their due role.
- The impact of TCV, UF, and AR on TW can also be evaluated using the graphical representation of these values in different settings. The graph in Fig. 10 is for Alpha Cloud, showing the values at settings where TCV, UF, and AR change. The impact on TW is also visible in the last bar.
- The impact of TCV, UF, and AR on TW for Alpha Cloud, as visible in Fig. 10, shows the dominance of TCV even though UF and AR are raised individually in Settings 8 and 9. However, when both are raised together in Setting 10, TW also rises, indicating that despite compliance remaining the same, trustworthiness would rise if a CSP gets better user feedback and auditor rating. This shows the interplay of the various variables and their realistic impact on the output.
- Control Significance Factor Csf also impacts the values of TW and TCV, as visible in Settings 1, 6, and 7. Setting 1 uses the initial Csf values, which are obtained by initializing the Threat Library with 20 cyber security incidents. Setting 6 uses added Csf as more security incidents are entered in the Threat Library, resulting in more detailed and comprehensive values of Csf for all controls. In Setting 7 all security incidents are removed from the Threat Library, bringing Csf to zero for all controls. We can see in Fig. 11 that assigning Csf values to all controls by adding more incidents enhances Trustworthiness values. On the contrary, removing all Csf remarkably reduces the TW value, which signifies the role of Csf in calculating a pragmatic Trustworthiness of CSPs.
- Observations related to Auditor Rating AR and User Feedback UF are obtained through Settings 1, 8, 9, and 10. Setting 1 holds the initial values of AR and UF; in Setting 8 the AR value is raised, in Setting 9 the UF value is raised, and in Setting 10 both AR and UF are changed to a higher value. As per the proposed formula, TW is calculated on three parameters, TCV, AR, and UF, where the weightage of AR and UF is half of TCV. The same effect is visible in the graph in Fig. 12, where a rise in AR, UF, or both has a corresponding impact on TW. The TW values of Alpha Cloud, Bravo Cloud, and Charlie Cloud are 0.78, 0.61, and 0.44 at initial values. However, with a rise in both AR and UF, the TW of the three CSPs rose to 0.84, 0.66, and 0.55 respectively. The impact is substantial, especially for Charlie Cloud, which otherwise has low TW due to low TCV.
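The weighting described in the last observation can be checked against the figures reported in this section. The Python below is an added example, not the authors' DSCM or DTaaS code: the weights 0.5/0.25/0.25 are an assumed reading of "the weightage of AR and UF is half of TCV", and all function names are hypothetical.

```python
"""Added example: check the TW weighting against the figures reported in this
section. The weights are an ASSUMPTION (one reading of "the weightage of AR
and UF is half of TCV"); the paper's own formula is not reproduced here."""

# Assumed weights: TCV counts twice as much as AR and as UF, normalised to 1.
W_TCV, W_AR, W_UF = 0.5, 0.25, 0.25
ROUNDING = 0.005  # reported values are rounded to two decimals

# Reported in the text for Alpha Cloud, Settings 1-3 (only Ccv changes).
ALPHA_S1_S3 = [(0.78, 0.71), (0.79, 0.72), (0.76, 0.67)]  # (TW, TCV)
# Reported TW at Setting 1 and at Setting 10 (AR and UF both raised).
TW_S1_S10 = {"Alpha": (0.78, 0.84), "Bravo": (0.61, 0.66), "Charlie": (0.44, 0.55)}


def trustworthiness(tcv, ar, uf):
    """Weighted TW under the assumed weights; all inputs must lie in [0, 1]."""
    for name, value in (("tcv", tcv), ("ar", ar), ("uf", uf)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name}={value} is outside [0, 1]")
    return W_TCV * tcv + W_AR * ar + W_UF * uf


def feedback_term(tw, tcv, w_tcv=W_TCV):
    """Part of TW not explained by TCV, i.e. the AR/UF contribution."""
    return tw - w_tcv * tcv


def consistent(points, w_tcv=W_TCV):
    """True if the AR/UF term stays constant across points within rounding.

    AR and UF are unchanged in Settings 1-3, so the term may differ between
    two settings only by the worst-case rounding error of two (TW, TCV) pairs.
    """
    terms = [feedback_term(tw, tcv, w_tcv) for tw, tcv in points]
    tolerance = 2 * (ROUNDING + w_tcv * ROUNDING)
    return max(terms) - min(terms) <= tolerance


def implied_feedback_raise(tw_before, tw_after):
    """Combined increase in AR + UF needed to move TW with TCV held constant."""
    # W_AR == W_UF, so delta_TW = W_AR * (delta_AR + delta_UF).
    return round((tw_after - tw_before) / W_AR, 2)


def tw_ceiling(tcv):
    """Highest TW reachable through AR and UF alone at a fixed TCV."""
    return trustworthiness(tcv, 1.0, 1.0)


if __name__ == "__main__":
    print("Settings 1-3 consistent with w_tcv=0.5:", consistent(ALPHA_S1_S3))
    print("Settings 1-3 consistent with w_tcv=0.0:", consistent(ALPHA_S1_S3, 0.0))
    for csp, (s1, s10) in TW_S1_S10.items():
        print(csp, "implied AR+UF raise:", implied_feedback_raise(s1, s10))
    print("Alpha TW ceiling at TCV 0.71:", round(tw_ceiling(0.71), 3))
```

Under the assumed weights, the ceiling function shows how far auditor rating and user feedback alone can lift TW while compliance stays unchanged, which is the effect reported for Setting 10.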
Effectiveness
The key strengths of the proposed model are that it is comprehensive and based on automated compliance checks as well as external factors in the form of Auditor Ratings and User Feedback. It also rationalizes the other non-standard conditions by incorporating the Accuracy of Compliance Measurement as well as the Control Significance Factor. Thus, the proposed concept and calculations are a very pragmatic and reliable measure of the trustworthiness of CSPs. The implementation approach through DSCM and DTaaS is both innovative and timely. Calculations and output by the implemented modules were crosschecked with manual calculations and found accurate and efficient. Outputs at various settings were plotted on the graph and compared with expected results. The outcome validated the expected behavior of various variables.
Various trust models or frameworks already proposed by researchers mostly revolve around QoS or performance to choose the right cloud service. They don’t consider calculating Trust based on the security needs of a CSU such as digital twins. Our proposed Trust model is unique in the sense that it caters for both performance as well as security needs. The five factors that it considers i.e. controls compliance, accuracy of compliance measurement, control significance factor, user feedback, and auditor rating enable it to measure trustworthiness covering performance, compliance, and security. Thus, our proposed model is comprehensive, implementable, and pragmatic.
Gaps and challenges
While the proposed trust model is multi-dimensional and wholesome, it has a few voids and challenges as well. The effectiveness of this model depends on how accurately and promptly the DSCM service measures compliance with the proposed security controls. For this, the DSCM service would need access to data security controls to get live updates about their compliance status. Ascertaining these measurements would be a challenge for two reasons. First, many CSPs won’t like to give a third-party service access to their security measures since it unnecessarily exposes their defenses. Second, some security controls are procedural and not measurable through automated means, so they would have to be estimated or audited. However, most security tools such as anti-malware, firewalls, and IDS currently also provide agents that facilitate the integration of these tools with SIEM or SOC solutions. These agents can also facilitate the integration of cyber security tools with the DSCM service.
Control Significance Factor has been added to the calculations as a balancing factor that assigns weight to controls as per the incidents’ history in the Threat Library. Total Compliance Value, which is the essence of the proposed model, depends on the control significance factor, individual control compliance values, and accuracy of measurement. The more accurate these measurements are, the more reliable the trustworthiness values would be. The current algorithm does not employ machine learning techniques to dynamically adjust values based on learning from security incidents. The use of machine learning techniques to ascertain the Control Significance Factor can be researched and included in the model to make it even more effective.
Conclusion and future work
Cloud-based digital twins are transforming various industries by providing powerful tools for simulation, monitoring, and optimization, ultimately leading to improved and innovative solutions. However, such deployments on cloud require rigorous security measures to protect data generated by digital twins. Trusting a CSP is a critical decision that cloud users have to make while placing their data on the cloud. This trust is for the security of their data, its privacy, and availability. A formal mechanism to establish trustworthiness of CSPs can ease up this critical decision for cloud users and greatly overcome the impediments to the adoption of cloud computing. This research is an effort to enhance user confidence in cloud computing by setting up a formal mechanism to measure the trustworthiness of CSPs.
In the proposed model, two services, Data Security Compliance Monitor and Data Trust as a Service collaborate to ascertain the compliance of CSPs with the proposed data security controls and assign a Trustworthiness value to the CSP. These calculations are based on multiple factors which include not only compliance but also a measure of accuracy with which compliance has been measured. Control Significance Factor has been included in the formula to standardize the significance of various controls as per their likely impact. Moreover, Trustworthiness calculations also include user feedback and auditors’ ratings besides the compliance value. These parameters have made the proposed trust model very comprehensive and pragmatic.
Substantial research has already been done to establish trust in CSPs. Yet the proposed approach lays down a mechanism that is comprehensive and enhances reliability. It is based on industry best practices and emerging threats. Unlike many proposed trust models which are either performance-based or security-based, our proposed model caters to both security and performance needs. This model measures compliance to security controls and its related parameters which covers security aspects, while user feedback reflects on the performance or QoS of CSP. Auditor rating takes care of controls that are otherwise not measurable through automated means.
The model has been implemented and tested on ten different settings for three different clouds. Our findings indicate that Trustworthiness of CSPs as calculated using the proposed parameters is commensurate with the actual standing of the cloud. The individual parameters proportionately affect Trustworthiness and Total Compliance Value as per their assigned weightage. The changes revealed realistic TCV and TW values based on how the environmental values change.
Digital twins can also enhance data security by providing real-time monitoring and analysis of virtualized resources. They allow organizations to simulate and understand potential security threats, vulnerabilities, and breaches before they occur. By creating a virtual replica of the cloud environment, security teams can proactively identify and address weaknesses, implement robust access controls, and ensure compliance with security policies. This can contribute to a more resilient and secure cloud infrastructure.
AI-based cybersecurity and security assessments can minimize human interaction and thereby reduce potential loopholes. While many substantial security measures can be assessed automatically in real-time, further research is needed to enhance this capability. Research on advanced AI and machine learning techniques for dynamic threat assessment would add significant value to the proposed framework. AI can automate the analysis of vast amounts of threat intelligence data from various sources, such as threat libraries, security feeds, and forums. By analyzing historical data, AI models can predict future cyber threats, while machine learning algorithms can continuously learn and adapt to new data, improving the effectiveness of security measures over time. Machine learning can also be applied to measure the Control Significance Factor.
Future research can also be directed towards the use of AI to enhance the security of cloud-based digital twins through advanced techniques such as threat detection and prevention, automated incident response, and enhanced access control. AI can analyze vast amounts of data generated by digital twins to identify anomalies indicating security threats, predict potential threats through historical data analysis, and provide real-time monitoring to quickly respond to incidents. Research can be conducted on AI-powered systems that perform automated compliance audits, enforce security policies dynamically, and perform regular vulnerability scans. Privacy-preserving techniques like homomorphic encryption and differential privacy need further exploration to secure data processing.
Availability of data and materials
The data presented in this study are available on request.
Abbreviations
- Acm: Accuracy of Compliance Measurement
- AR: Auditor rating
- CSP: Cloud Service Provider
- Ccv: Control Compliance Value
- Csf: Control Significance Factor
- DSCM: Data Security Compliance Monitor
- DTaaS: Data Trust as a Service
- QoS: Quality of Service
- TCV: Total Compliance Value
- RL: Reinforcement Learning
- TW: Trustworthiness
- UF: Users’ feedback value
Funding
This research received no external funding.
Author information
Contributions
All authors contributed to the conception, design, and analysis of the research project. Syed Imran Akhtar led the development of the method and wrote the main manuscript. Ifra Batool implemented the software. Syed Imran Akhtar conducted the experiments and analyzed the results. All authors approved the final version of the manuscript.
Authors’ information
Syed Imran Akhtar is a PhD scholar in Information Security at National University of Sciences and Technology, Islamabad, Pakistan. He completed M.Phil. in Public Policy and Strategic Security Management from National Defense University, Islamabad in 2014, Masters in Information Security and Privacy from Cardiff University, UK with Distinction in 2010 and BE in Software Engineering from NUST with Rector’s Gold Medal in 2002. He is an IT practitioner with around 25 years of experience in information technology. He has developed enterprise level IT solutions and managed large-scale IT infrastructure involving multiple data centers. He has been Chief Technology Officer of a government organization and is currently providing IT consultancy service to an enterprise.
Dr. Abdul Rauf completed his BE degree in Electrical (Telecom) Engineering from NUST, in 1998 with distinction. He received his MSc degree from Technical University of Denmark (DTU) in 2004 and PhD from the University of Sheffield, UK in 2011. He is an academician, researcher, professional trainer, cybersecurity professional, industry professional / consultant and environmental activist with expertise and rich experience of more than thirty years in these fields. He is currently working as Associate Professor at the Department of Electrical Engineering, NUST, Pakistan. He is also a Senior Member of the IEEE, USA and Associate of the Higher Educations Academy, UK.
Dr Haider Abbas is serving as Director General/Head of National Cyber Emergency Response Team. He is a Cyber Security professional, academician, researcher and industry consultant who took professional trainings and certifications from Massachusetts Institute of Technology (MIT), United States, Stockholm University, Sweden, Stockholm School of Entrepreneurship, Sweden, IBM, USA and EC-Council. He received his MS and PhD in Information Security (2010) from KTH- Royal Institute of Technology, Sweden. He has been awarded Fellows of The Institution of Engineering and Technology (IET) UK; a Fellow of The British Computer Society (BCS), UK and a Fellow of The Institute of Science and Technology, UK. He has been appointed as 1st ACM distinguished speaker from Pakistan by ACM—Association for Computing Machinery, United States. He has been appointed as a Member of the Board of Governors for National Information Technology Board (NITB), headed by the President of Pakistan.
Dr. Muhammad Faisal Amjad is a senior member of the IEEE and Head of Department of Information Security, National University of Sciences and Technology (NUST), Pakistan. He is a Co-PI of the project titled National Cyber Security Auditing and Evaluation Lab (NCSAEL) and the Co-Founder and CTO of Lynx Information Security (Pvt) Ltd. Dr Faisal received his PhD degree in Computer Science from University of Central Florida USA in 2015. He has served as a Research Scientist at the University of Nevada Reno, USA. He has extensive experience of cyber security research as well as consultancy with the industry and government agencies. Dr. Faisal is recipient of President’s Gold Medal for Top honors in Masters’ program 2004 and NUST-MCS Best Researcher Award 2020.
Ifra Batool is currently pursuing a bachelor's degree in Computer Science at National University of Computer and Emerging Sciences, Islamabad, Pakistan. She has participated in and organized university level coding events and has also worked as a teaching assistant. Her research interests include cloud computing, cyber security and software programming.
Ethics declarations
Competing interests
The authors declare no competing interests.
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Akhtar, S.I., Rauf, A., Abbas, H. et al. Compliance and feedback based model to measure cloud trustworthiness for hosting digital twins. J Cloud Comp 13, 132 (2024). https://doi.org/10.1186/s13677-024-00690-0
DOI: https://doi.org/10.1186/s13677-024-00690-0