Compliance and feedback based model to measure cloud trustworthiness for hosting digital twins

Cloud-based digital twins use real-time data from various data sources to simulate the behavior and performance of their physical counterparts, enabling monitoring and analysis. However, one restraining factor in the use of cloud computing for digital twins is its users’ concerns about the security of their data. This data may be located anywhere in the cloud, with very limited control of the user to ensure its security. Cloud-based digital twins provide opportunities for researchers to collaborate yet security of such digital twins requires measures specific to cloud computing. To overcome this shortcoming, we need to devise a mechanism that not only ensures essential security safeguards but also computes a Trustworthiness value for Cloud Service Providers (CSP). This would give confidence to cloud users and enable them to choose the right CSP for their data-related interaction. This research proposes a solu-tion, whereby the Trustworthiness of CSPs is calculated based on their Compliance with data security controls, User Feedback, and Auditor Rating. Two additional factors, Accuracy of Compliance Measurement and Control Significance Factor have been built in, to cater for other nonstandard conditions. Our implementation of Data Security Compliance Monitor and Data Trust as a Service, along with three CSPs, each with ten different settings, has supported our proposition through the devised formula. Experimental outcomes show changes in the trustworthiness value with changes in compliance level, user feedback and auditor rating. CSPs with better compliance have better trustworthiness values. However, if the Accuracy of Compliance Measurement and Control Significance Factor are low the trustworthiness is also proportionately less. This creates a balance and realism in our calculations. This model is unique and will help in creating users’ trust in cloud-based digital twins.


Introduction
Cloud computing is a convenient, cost-effective, and efficient solution for organizations as well as individuals to subscribe to or run their own IT services.Gartner forecasts worldwide public cloud end-user spending to reach nearly $679 billion in 2024.This is a growth of 20.4% compared with 2023 [1].At the same time, as per ENISA [2] and Cloud Security Alliance [3] the rapid adoption of cloud computing has increased the attack surface and the opportunities for cybercriminals.An IDC survey [4] has revealed that the second biggest challenge of Chief Information Officers today is securing data and clouds.Thus, one factor restraining the use of cloud computing is its users' concern about their data security due to an enhanced attack surface and lack of control by the actual data owners.These apprehensions have slowed down the growth of cloud computing despite its enormous benefits [5].
Digital twin technology, when integrated with cloud computing offers significant benefits but also faces several challenges.Digital twins often handle sensitive information necessitating stringent measures to prevent unauthorized access or data loss.Addressing these data security concerns requires a comprehensive approach involving advanced security technologies, strict access control mechanisms, robust data protection practices, and adherence to regulatory standards.Therefore, before deploying a digital twin on the cloud, researchers must ensure that the cloud service provider (CSP) has addressed data security concerns according to industry best practices.Achieving this requires insight into the internal operations of cloud providers, which may not be feasible.As an alternative, a mechanism should be developed to measure and communicate the trustworthiness of CSPs in handling data securely.
One reason for the lack of trust in cloud computing is the absence of a mature mechanism to establish this trust.Some researchers have proposed frameworks to measure the Trustworthiness of a CSP, but most of these trust models are oriented toward choosing a service on its performance and feedback.A better approach would be trust based on performance as well as the security strength of a service or its CSP.Thus, an all-inclusive mechanism is needed that could help Cloud Service Users (CSU) to choose a CSP that is trustworthy and satisfies user needs.This research aims to create and validate such a mechanism as an effective solution.
Various forums like Cloud Security Alliance (CSA) have introduced programs that maintain and share records of various CSPs along with their security ratings.The 'Security, Trust & Assurance Registry (STAR)' program [6] of CSA is a publicly accessible gratis registry that allows CSPs to publish self-assessments of their security measures, in either a 'Consensus Assessments Initiative Questionnaire (CAIQ)' or a 'Cloud Controls Matrix (CCM)' , which embody CSA published best practices.The STAR program has two levels, based on self-assessment and third-party attestation respectively.This program lacks a mechanism where the security controls of a CSP are tested through automated means by an independent service.Furthermore, it also does not incorporate user feedback which can be a good source of first-hand knowledge about the CSPs.
The proposed model to calculate trustworthiness is all-inclusive and based on multiple factors.While it includes self-claimed compliance and cloud security auditor ratings, it also caters to user feedback and a compliance check through automated means, where possible.Self-claimed compliance could be based on any data security framework such as proposed by Akhtar et al. in [7].Trustworthiness has been measured based on Total Compliance Value, User Feedback, and Auditor Rating, while Total Compliance Value has been calculated based on individual Control Compliance Value, Accuracy of Compliance Measurement, and Control Significance Factor.Two services, Data Security Compliance Monitor and Data Trust as a Service have been proposed and developed with their functions to measure Total Compliance Value and Trustworthiness.These services were then tested for three different cloud types with ten different settings.Our experimental analysis proves that our Trustworthiness model is not only valid but also contributes to building a trusted environment for cloud computing.Thus, the key contribution of this research is to measure and share the trustworthiness of CSPs.The proposed model provides a mechanism to secure cloudbased digital twins and addresses user concerns about the security of their data.
This paper further describes the proposed model, its implementation, experimental setting, test cases, their outcome, and analysis in the following sections.A compliance and feedback based trustworthiness model has been discussed and implemented in this paper along with its outcome.Background and related work are discussed in the next Section, while the proposed trust model with its uniqueness and theoretical constructs are described later.Our implementation of Data Trust as a Service and Data Security Compliance Monitor are subsequently covered.Experimental settings, test cases, and, results and their analysis are elucidated in the last two sections respectively.In the end, we have concluded with some suggestions for future research.

Background and related work
Numerous trust calculation frameworks have already been proposed by various researchers.Junejo et al. [8] proposed a multi-dimensional and multi-factor Trust Computation Framework for cloud services.This framework is based on user feedback which is ascertained by Quality of Service (QoS).To remove malicious and false feedback, the authors also evaluated the credibility of user feedback, based on multi-dimensional QoS attributes.This calculation of Trust does not see cloud services from a security perspective.Rather this trust is based on QoS which primarily revolves around node profile, average resource consumption, and performance.On the contrary, our hypothesis is based on data security concerns for cloud-based digital twins and calculates Trustworthiness from a data security perspective.Our trust calculations are not restricted to data security controls but also consider the performance parameters by incorporating user feedback.
A similar trust model based on behavior and feedback has been proposed by Mujawar et al. in [9].Cumulative trust is calculated by considering different parameters from the Service Level Agreement (SLA) to compute the feedback trust value, and various QoS attributes to compute behavioral trust values.The proposed model includes a mechanism to judge the genuineness of feedback submitted by the users.This approach is quite similar to the approach in [8] as both largely depend on user feedback.Yet again this approach does not see Trust from a cyber security perspective.Another multi-attribute selection algorithm for users to choose a cloud service that can be trusted has been proposed in [10].This model is based on user preferences and cloud attributes to calculate a trust value.This again is largely based on performance and users' knowledge about what should they be considering to select a service.On the contrary, a better model could be one that checks the cloud parameters against an authentic security framework or a predefined standard.
Many other authors have described and implemented trust in the same context i.e. trust is the estimation of the ability of CSP to complete a task based on some criteria such as availability, reliability, and resource processing power [11].In this paper, Hassan et al. have proposed a model that calculates the trust value which is updated dynamically at each transaction along with provider reputation history from user feedback ratings.Like earlier models, this model also largely revolves around performance and user feedback.Alam [12] and Kesarwani [13] have calculated trust values at the resource level.Fuzzy logic is applied based on parameters such as performance and elasticity to calculate trust [13].This approach previews trust as performance and omits security as an important consideration.
Another similar research is by Ragavendiran et al. [14], who proposed a model to develop a trust score of a CSP by comparing Service Broker and Load Balancing policies, using the fuzzy inference system.Three Service Broker Policies and three Load Balancing Policies are considered when calculating the trust score.Policies operate on user input such as their region, which sends the request to a specific Data Centre.Fuzzy inference is carried out to determine factors from the Data Centers that are directly proportional to calculate the overall trust score.A shortfall in this approach is that cloud service configuration may vary from data center to data center, while the trust model assumes that all configurations across the regions are alike.
Few researchers have proposed Trust calculations based on security needs rather than performance.In [15] a trust model has been proposed that can assist cloud users to choose a CSP based on their security preferences.Fuzzy logic is used to process the abstract requirements of CSUs and obtain the most accurate results.This model fundamentally relies on users' understanding of data security which may not be based on the latest challenges and best practices.Thus, the recommended CSP may not have the security strength that is actually desired.Likewise, in [16] a trust model has been devised which narrows down various parameters that are most critical while choosing a trustworthy service.Security requirements as selected by the CSU are analyzed and a trust value is calculated through a point-based system.This allows cloud users to choose cloud services as per their specified needs.As with the previous model, the shortcoming of this approach is its dependency on choices made by the cloud users who may not necessarily choose the CSP which is trustworthy for all their needs.Similar models have been proposed by a few other authors as well.In [17] a hybrid clustering algorithm has been developed that can categorize nodes based on their trustworthiness for edge computing devices.In [18] a consumer-centric trust assessment framework has been proposed that integrates governance, transparency, and security information to represent cybersecurity, manageability, and transparency of services under assessment.
Various Trust models have been created for cloud computing which enable 3rd party trust services to measure the trustworthiness of a cloud [19] proposed a trust mechanism that combines evidence-based trust, policybased trust, and attribute certification, integrating various trust mechanisms to determine the chain of trust in the cloud.A Cloud Trust Protocol (CTP) has also been proposed whose primary purpose is to display evidencebased confidence that everything claimed to be happening in the cloud is actually happening as described [20].Cloud Trust Authority (CTA) is a cloud service using CTP, through which users can request a CSP about "the elements of transparency" i.e. the information concerning security, privacy, integrity, and compliance.
Table 1 summarizes our background review of the trust calculations approach by various researchers.It shows various factors that have been suggested or considered to calculate trust.The papers in which they have been discussed are shown in the adjacent column.Many factors mentioned in the table are similar, like performance, quality of service, or behavior; it's just that different authors have used different terminology for the same thing.To keep the originality of their research we have mentioned the terminologies as used by the authors.
Interesting to note is a wide variety of considerations, while no single approach has combined all essential factors to create one holistic model.We cannot trust an entity unless it covers all our concerns in that specific use case.All the proposed models as discussed earlier lack comprehensiveness.Many of the proposed models calculate trust to enable CSUs to choose a CSP based on its performance parameters.However, none have viewed the trust from a data security perspective.Thus, the model that we have proposed calculates trust for data security and is based on all relevant parameters which include security, performance, feedback, and auditor inspections.Moreover, our proposed model uses automated means to measure compliance as one of the factors.

Proposed cloud trust model
To overcome the trust issues in securing cloud-based digital twins and fill the voids in the existing trust models, this research proposes a multi-factor compliance and feedback based trust service.Our approach is to consider data security issues and incorporate all factors that can strengthen the trust value of a CSP for data-related interactions.Out of various factors that researchers have identified earlier, we have chosen the factors that are needed for data security.Moreover, we have considered other non-standard conditions like the varying significance of controls and the accuracy of compliance measurements to make the calculations more realistic.The ultimate purpose of the research is to create a mechanism that measures the trustworthiness of CSPs and shares it with CSUs, to enable them to choose the right CSP for data-related interactions.
The proposed model builds on compliance and feedback.We know compliance with a security framework can be ascertained through audits.However, with technologies used in Security Operations Centers, certain compliances can be ascertained through automated means.If both the above options are not possible, compliance can also be ascertained through CSPs' commitments through a questionnaire.Thus, we measure compliance through three means namely, security audits, automated compliance checks, and self-claimed compliance.Since compliance measurement by any of these methods does not have the same level of reliance, therefore we have added another factor which is the Accuracy of Compliance Measurement.We have devised a mechanism to assign a value to this factor which is discussed subsequently.
Since our compliance is controls-based, we have included another factor which is the Control Significance Factor in our calculations.This factor adds intelligence to our calculations since controls that cover more probable and damaging threats get a higher value.Thus, compliance with such controls also gets a higher value.Besides compliance with data security controls, we also use user feedback to measure the Trustworthiness of CSPs.User feedback is an important tool to ascertain the performance and security strength of any CSP.
As part of our Trust calculations, we have also proposed an infrastructure that executes all this.To measure the Trustworthiness of CSPs we need to ascertain the level of compliance.For this, two services have been proposed which are responsible for measuring compliance and trustworthiness respectively.These services are Data Security Compliance Monitor (DSCM) and Data Trust as a Service (DTaaS).A high-level design showing the key components of the proposed model and how these components are linked is in Fig. 1.DSCM is deployed on CSPs' sites while DTaaS is hosted independently.
DSCM measures each Control's Compliance Value C cv and Accuracy of Compliance Measurement A cm and passes them on to DTaaS.DTaaS measures Total Compliance Value T CV based on C cv , A cm and Controls Significance Factor C sf .A cm and C sf have been added to incorporate important influencing factors while calculating compliance value.Thus, the proposed model also ascertains the accuracy of compliance measurement while measuring individual controls' compliance.Similarly, all controls do not carry the same impact, since some controls block incidents that are fatal while other controls block incidents that are normal or less fatal.Therefore, in the proposed model each control has been assigned a Control Significance Factor which is derived from the incidents' history and relevance of that specific control.Our calculation of T CV , based on the abovediscussed variables, is done using Eq. ( 1), where n is the number of controls.In the equation, all factors for each control are added and divided by 3 to take their average.This is repeated for all controls (n in this case) and the outcome is summed up and divided by n to determine the T CV .
Trustworthiness T W is also calculated by DTaaS based on Total Compliance Value, User Feedback (U F ), and Auditor Rating (A R ).Thus, T W is a mix of what exists on (1) the ground, what specialists (auditors) say about the CSP, and how end users have graded the service or CSP (feedback).T W is based on not just compliance but also other measures, which makes it all-inclusive and more authentic.The proposed model also assigns weights to these three factors.Compliance check being the most practical factor gets double the weight as compared to A R and U F .Thus, T W is calculated using Eq. ( 2), where T CV is out of 100 while A R and U F are out of 50; and the total value is divided by 200 to get the value of Trustworthiness between 0 and 1.Thus, the denominator of 200 includes total points of 100 for T CV and 50 each for U F and A R .
Trustworthiness is based on three very dynamic and allinclusive factors.To achieve high trust value a CSP must not only have good compliance but should also have good auditor ratings and good user feedback.
The proposed model has been validated by an experiment as a proof of concept.Both the services have been developed and three CSPs with different settings were integrated with them.The settings of each CSP were then changed to see the impact on T CV and T W values.As the CSPs are assigned different degrees of compliance and feedback, their values of Trustworthiness also alter.Clouds with less compliance and related values should have lower trust scores compared to cloud which have better compliance and feedback.A CSP can be termed trustworthy if it complies with proposed security controls, and has good user feedback and auditor rating.
Discussion on the number and type of controls is not part of this research.Any security framework can be chosen which recommends data security controls.Data (2) security controls can be identified after an analysis covering all likely threats, based on existing vulnerabilities to user data.Various cloud use cases and their corresponding standards as identified in [21] can be kept in consideration to identify the vulnerabilities.As new threats emerge new controls can also be made part of the framework.Thus, discussions in this paper are more about the approach to establishing trustworthiness rather than the verification of individual controls.
The proposed model is applicable to numerous realworld scenarios in addition to digital twins.It can contribute towards achieving a cloud of clouds by standardizing the data security controls and creating a mechanism for sharing compliance.CSPs can use this model to ascertain the trustworthiness of other CSPs and decide on data related interactions.Similarly, in financial services, the various banking regulations mandate secure data sharing between banks and third-party providers, requiring robust trust models to manage customer consent and data protection.In healthcare, various health services require data trust models to securely share patient data between hospitals, clinics, and research institutions, ensuring compliance with regulations and maintaining patient confidentiality.Thus, the proposed data trust model can play a crucial role in ensuring the secure handling of sensitive data across various industries in cloud computing.

Implementation
The proposed model has been implemented and validated to prove that the chosen parameters to calculate Trustworthiness are logical and comprehensive.DSCM and DTaaS have been developed as a service, which

Data Security Compliance Monitor (DSCM)
DSCM has been developed using PHP and JavaScript programming languages and runs on MySQL database.It provides features related to compliance checks, manual entry of values where provisioned, and viewing the outcome which is T CV and T W . Thus, features provided by DSCM are listed as under and shown in the screenshot in Fig. 2. DSCM is a cloud-specific service thus the screenshot in Fig. 2 shows the home page of Alpha Cloud.It shows values of different parameters related to only Alpha Cloud, yet trustworthiness value is shown for all clouds.One key function of DSCM is to ascertain compliance based on the self-claimed compliance commitments of CSP.For this purpose, a questionnaire is presented to CSPs to gather their responses mostly as yes or no.Screenshot in Fig. 3 is from the Self-claimed Compliance Check feature in which the questions are presented in seven major areas, with each area having multiple questions.The DSCM then interprets the answers and calculates compliance with various controls.

Data Trust as a Service (DTaaS)
DTaaS is based on PHP and JavaScript using MySQL as the database.It runs centrally while collaborating with DSCM service at respective CSPs to calculate Total Compliance Value and Trustworthiness.It provides features to manage the Threat Library and calculate the Control Significance Factor C sf based on security incidents and their impact, as entered in the Threat Library.DTaaS also enables the entry of User Feedback and Auditor Rating values (Fig. 4).
DTaaS' Threat Library functionality, allows the threat analyst to enter the security incidents, evaluate their impact, and link them with controls that were supposed to check the incident.The impact is graded between No Damage to Severe by threat analysts on the four Parameters as in Table 2.
Threat Library screenshots in Fig. 5 show the entry form for cyber security incidents.The threat analyst enters the incident title and description, and then checks  the security controls linked with it.At the end of the form threat analyst assigns the degree of damage caused by the incident, as per Table 2.
The scalability of a trust model refers to its ability to handle growth in terms of the number of users, interactions, and data without significant performance degradation.In the proposed trust model DSCM and DTaaS are scalable to any number of CSPs.DSCM operates at individual cloud level thus would always have a uniform load to check 20 data security controls.DTaaS may grow to handle a large number of CSPs as well as a huge threat library.However, the proposed model can handle any load by adding more instances of DTaaS.Different instances of DTaaS can then share their computed values.Moreover, being a simple model by design, it has linear time and space complexities, that can be represented as under: • Monitoring and analyzing compliance over time can have a time complexity proportional to the length of the observation period and the number of metrics analyzed, often (n⋅m) where n is the number of observations and m is the number of metrics.• Similarly storing logs of monitoring and compliance for analysis purposes can lead to high space requirements, often (n⋅m), where m is the number of metrics logged over n time periods.
Based on the input in Threat Library, DTaaS measures the C sf of all controls individually by simply adding the values and dividing them by the total value which is 40.C sf measured for a control due to a specific incident is then added with the earlier C sf values of that control, ensuring that the maximum value of C sf does not exceed 1. Algorithm 1 has been used to implement this feature to measure C sf .

Algorithm 1 Calculating C sf
DTaaS calculates Trustworthiness T W based on three factors which are Total Compliance Value, User Feedback value, and Auditor Rating value using the formulae discussed earlier.Positive and negative feedbacks are segregated and false feedbacks are removed to reach a final feedback value.A lot of research has already been done on User Feedback, therefore its calculation parameters are not discussed in this research.CSPs can view T W of other CSPs, which would assist them in making their collaboration decisions (Fig. 6).

Experimental setting
Validation of the proposed trust model is done by varying various parameters in the T CV and T W formula and observing the impact on the T CV and T W .As per the formula, the five variables should alter the values of T CV and T W conforming to their relationship or weightage.The Trustworthiness of a CSP is based on three parameters which are its Total Compliance Value T CV , its Auditor Rating, and its User Feedback.Similarly, the calculation of T CV is also dependent on three variables which are individual Control Compliance Value, Accuracy of Compliance Measurement, and Control Significance Factor.Thus, we validated the model by changing these variables and observing the outcome on Total Compliance Value and Trustworthiness.The controls in this model have been generalized as data security controls since digital twins also reside on a cloud as a data.Thus, securing the data is same as securing the digital twin.
The evaluation metrics for the proposed model have been selected to cover the security, performance, compliance, and trustworthiness aspects.Security metrics review the contributions of the model in achieving data security.Since it is a trust model, the performance metrics cover the accuracy and efficiency of the trust algorithm.Compliance metrics are parameters to measure the accuracy of compliance checks while trustworthiness metrics involve the parameters that this model has proposed to measure trustworthiness.The scalability and performance aspects of the model have already been discussed in the previous section.The compliance and trustworthiness metrics are calculated by carefully selecting initialization values and observing the changes in values in ten different test cases.The environmental values and changes in them validate the accuracy of trustworthiness values.The findings are discussed in detail in the Results and Analysis section.The proposed cloud-based services are independent of the underlying cloud framework adopted by any CSP and have no significant resource requirements.

Initialization
An environment consisting of three CSPs has been created on three Virtual Machines obtained from NUST [22].CloudSIM [23] is used to simulate the environment and related parameters.Each CSP is initialized as per pre-defined values of compliance with 20 controls [7].These three CSPs are initialized as trusted, moderate, and untrusted CSP.The compliance and other corresponding values of each CSP are adjusted as per its classification.As per our proposed model, compliance to various controls is measured through automated means, however, where not possible compliance is committed by the CSP by answering a questionnaire.Thus, the questionnaire presented through Self-claimed Compliance Check and the corresponding values assigned to each cloud for initialization purposes are as in Table 3.
Threat Library is also initialized with entry of 20 incidents initially.Later to ascertain the impact of incidents on the value of C sf and T CV , 10 more incidents are added.Incidents have been picked from actual incidents that took place in the past.As mentioned earlier, damage assessment is done by grading the damage based on four parameters which are Outage, Data Loss, Financial Loss, and Reputation Loss.Each one of these parameters is graded between 0-10 as per assessment by the Threat Analyst.The values of damage assessment for entered security incidents have been assigned on judgment based on available information about the swath and damage of these incidents.

Test cases
Our proposed calculations have seven variables as in Table 4.The last two variables are output, so the first five variables are changed in different ways as discussed later.
T W and T CV of three CSPs are calculated at 10 different experimental settings.Each setting manipulates/ varies the values of five variables in different ways/ permutations.The changes in variables in 10 different settings are managed as in Table 5.
In these settings, one variable is changed at one time and its impact is then seen on the T W and T CV values.Setting 1 is the initialization of all three CSPs to their selected values as per the experimental setting of trustworthy, moderate, and untrustworthy CSPs.In settings 2 and 3, only Control Compliance Values are changed to a positive and negative value respectively.In setting 4 and 5, Accuracy of Compliance Measurement is changed to a positive value and no value one by one.Setting 6 and 7 are about Control Significance Factor, where in setting 6 it is added while in setting 7 it is completely removed to ascertain its impact.Setting 8, 9, and 10 are about Auditor Rating and User Feedback.In setting 8 Auditor Rating is altered, in setting 9 User Feedback is increased, while in setting 10 both are changed to observe their impact on overall values.Results and their analysis are further discussed in the following section.

Results and analysis
Our proposed parameters to calculate trustworthiness of CSPs can be validated if changes in their values correspondingly change the values of T CV and T W . So, while we change each parameter one by one in the ten settings, we expect to see a change in T CV and T W according to the weightage of the parameter being considered.This would not only validate our trust model which is based on compliance and feedback but would also verify a functional approach through which it can be implemented.We start our trials by initializing three experimental CSPs (Alpha Cloud, Bravo Cloud, and Charlie Cloud) as per Setting 1 through DSCM service.It includes setting up self-claimed compliance values as in Table 3 for the three CSPs.Additionally, DTaaS was initialized by entering selected 20 incidents in the Threat Library.Subsequently, relevant parameters on DSCM and DTaaS were changed as per Settings 2 to 10.Based on the output and data captured during these 10  and formula but also proves a more comprehensive approach to measuring Trustworthiness of CSPs.• Without entry of A cm , T CV is not a true reflection of compliance which otherwise might be higher or lower.So, to achieve a higher T CV , not only should the individual C cv be high, but their measurement process A cm should also be more accurate.In the T CV Graph (Fig. 8), setting 4 includes positive A cm , while setting 5 does not include A cm .In the graph, it is visible that T CV sharply declines when A cm is removed.Thus, for a CSP to receive true compliance values, it must also have accurate and automated processes to measure compliance.• T W and T CV values of the three CSPs obtained from 10 different experimental settings can be evaluated with different perspectives to validate the concept and formula.The graph in Fig. 9 shows the relationship between T W and T CV values for one specific cloud, as its parameters are changed from Setting 1 to Setting 10. • Alpha Cloud graph shows T W and T CV together in Fig. 9.We generally see a similar trend in T W with an increase or decrease in T CV .Settings 1, 2, and 3 are initial, increased, and reduced C cv .In all three settings T W and T CV first decrease and then increase indicating the rightful impact.T W in Settings 1-3 is 0.78, 0.79, 0.76 while T CV for the same Settings is 0.71, 0.72, and 0.67.It is worth noting that the overall variation in these three settings is much less, since in these settings only one value was altered while T W and T CV are based on multiple factors.So, to achieve a greater impact all factors have to play their due role.• The impact of T CV , U F , and A R on T W can also be evaluated using the graphical representation of these values in different settings.The graph in Fig. 10 is for Alpha Cloud showing the values at settings where T CV , U F , and A R change.The impact on T W is also visible in the last bar.• The impact of T CV , U F , and A R on T W specific to Alpha Cloud as visible in Fig. 10 shows the dominance of T CV despite that U F and A R are raised individually in settings 8 and 9.However, when both are raised together, in setting 10 the T W also rises indicating that despite compliance remaining the same, trustworthiness would rise if a CSP gets better user  feedback and auditor rating.This shows the interplay of various variables and their realistic impact on the output.• Cloud Significance Factor C sf also impacts the value of T W and T CV , as visible in settings 1, 6, and 7. Setting 1 is with initial C sf values which are obtained by initializing Threat Library with 20 cyber security incidents.Setting 6 is with added C sf as more security incidents are entered in the Threat Library, resulting in greater details and comprehensive values of C sf for all controls.In Setting 7 all security incidents are removed from Threat Library thus bringing C sf to zero for all controls.We can see in

Effectiveness
The key strengths of the proposed model are that it is comprehensive and based on automated compliance checks as well as external factors in the form of Auditor Ratings and User Feedback.It also rationalizes the other non-standard conditions by incorporating the Accuracy of Compliance Measurement as well as the Control Significance Factor.Thus, the proposed concept and calculations are a very pragmatic and reliable measure of the trustworthiness of CSPs.The implementation approach Various trust models or frameworks already proposed by researchers mostly revolve around QoS or performance to choose the right cloud service.They don't consider calculating Trust based on the security needs of a CSU such as digital twins.Our proposed Trust model is unique in the sense that it caters for both performance as well as security needs.The five factors that it considers i.e. controls compliance, accuracy of compliance measurement, control significance factor, user feedback, and auditor rating enable it to measure trustworthiness covering performance, compliance, and security.Thus, our proposed model is comprehensive, implementable, and pragmatic.

Gaps and challenges
While the proposed trust model is multi-dimensional and wholesome, it has a few voids and challenges as well.The effectiveness of this model depends on how accurately and timely DSCM service measures compliance with proposed security controls.For this DSCM service would need access to data security controls to get live updates about their compliance status.Ascertaining these measurements would be a challenge for two reasons.One, many CSPs won't like to give a 3rd party service access to their security measures since it unnecessarily exposes their defenses.Second, some security controls are procedural and not measurable through automated means; so, they would have to be estimated or audited.However, currently, most security tools like anti-malware, firewalls, IDS, etc. also provide agents that facilitate the integration of these tools with SIEM or SOC solutions.These agents can also facilitate the integration of cyber security tools with DSCM service.
Control Significance Factor has been added to the calculations as a balancing factor that assigns weight to controls as per the incidents' history in the Threat Library.Total Compliance Value which is the essence of the proposed model, depends on control significance factor, individual control compliance values, and accuracy of measurement.The more accurate are these measurements the more reliable would be trustworthiness values.The current algorithm does not employ machine learning techniques to dynamically adjust values based on learning from security incidents.The use of machine learning techniques to ascertain Control Significance Factor can be researched and included in the model to make it even more effective.

Conclusion and future work
Cloud-based digital twins are transforming various industries by providing powerful tools for simulation, monitoring, and optimization, ultimately leading to improved and innovative solutions.However, such deployments on cloud require rigorous security measures to protect data generated by digital twins.Trusting a CSP is a critical decision that cloud users have to make while placing their data on the cloud.This trust is for the security of their data, its privacy, and availability.A formal mechanism to establish trustworthiness of CSPs can ease up this critical decision for cloud users and greatly overcome the impediments to the adoption of cloud computing.This research is an effort to enhance user confidence in cloud computing by setting up a formal mechanism to measure the trustworthiness of CSPs.
In the proposed model, two services, Data Security Compliance Monitor and Data Trust as a Service collaborate to ascertain the compliance of CSPs with the proposed data security controls and assign a Trustworthiness value to the CSP.These calculations are based on multiple factors which include not only compliance but also a measure of accuracy with which compliance has been measured.Control Significance Factor has been included in the formula to standardize the significance of various controls as per their likely impact.Moreover, Trustworthiness calculations also include user feedback and auditors' ratings besides the compliance value.These parameters have made the proposed trust model very comprehensive and pragmatic.Substantial research has already been done to establish trust in CSPs.Yet the proposed approach lays down a mechanism that is comprehensive and enhances reliability.It is based on industry best practices and emerging threats.Unlike many proposed trust models which are either performance-based or security-based, our proposed model caters to both security and performance needs.This model measures compliance to security controls and its related parameters which covers security aspects, while user feedback reflects on the performance or QoS of CSP.Auditor rating takes care of controls that are otherwise not measurable through automated means.
The model has been implemented and tested on ten different settings for three different clouds.Our findings indicate that Trustworthiness of CSPs as calculated using the proposed parameters is commensurate with the actual standing of the cloud.The individual parameters proportionately affect Trustworthiness and Total Compliance Value as per their assigned weightage.The changes revealed realistic T CV and T W values based on how the environmental values change.
Digital twins can also enhance data security by providing real-time monitoring and analysis of virtualized resources.They allow organizations to simulate and understand potential security threats, vulnerabilities, and breaches before they occur.By creating a virtual replica of the cloud environment, security teams can proactively identify and address weaknesses, implement robust access controls, and ensure compliance with security policies.This can contribute to a more resilient and secure cloud infrastructure.
AI-based cybersecurity and security assessments can minimize human interaction and thereby reduce potential loopholes.While many substantial security measures can be assessed automatically in real-time, further research is needed to enhance this capability.Research on advanced AI and machine learning techniques for dynamic threat assessment would add significant value to the proposed framework.AI can automate the analysis of vast amounts of threat intelligence data from various sources, such as threat libraries, security feeds, and forums.By analyzing historical data, AI models can predict future cyber threats, while machine learning algorithms can continuously learn and adapt to new data, improving the effectiveness of security measures over time.Machine learning can also be applied to measure the Control Significance Factor.
Future research can also be directed towards the use of AI to enhance the security of cloud-based digital twins through advanced techniques such as threat detection and prevention, automated incident response, and enhanced access control.AI can analyze vast amounts of data generated by digital twins to identify anomalies indicating security threats, predict potential threats through historical data analysis, and provide real-time monitoring to quickly respond to incidents.Research can be conducted on AIpowered systems that perform automated compliance audits, enforce security policies dynamically, and perform regular vulnerability scans.Privacy-preserving techniques like homomorphic encryption and differential privacy need further exploration to secure data processing.

•
Questionnaire to enable CSPs to fill in their selfclaimed compliance.• Module to enter Accuracy of Compliance Measurement.Although it is meant to be measured automatically, but due to research limitation it is entered manually.• Run automated compliance checks and where not possible due to experimental limitations, enter these values manually.• Show T CV of specific CSP.• Show T W of all CSPs.

Fig. 5
Fig. 5 Threat library incident reporting form

Fig. 11 .
Fig. 11. that assigning C sf values to all controls by adding more incidents enhances Trustworthiness values.On the contrary, removing all C sf remarkably reduces the T W value which signifies the role of C sf in calculating pragmatic Trustworthiness of CSPs.• Observations related to Audit Rating A R and UserFeedback U F are obtained through settings 1, 8, 9, and 10.While setting 1 is the initial value of A R and U F , in setting 8 A R value is raised, in setting 9 U F value is raised, while in setting 10 both A R and U F , are changed to a higher value.As per the proposed formula, T W is calculated on three parameters which are

Fig. 9 T
Fig. 9 T W and T CV values of Alpha Cloud

Fig. 11
Fig. 11 Impact of C sf on T W of CSPs

Table 1
Summary of parameters for trust calculations

Table 2
Incidents Impact Parameters

Table 3
Initialization values The output T W and T CV values for each setting have been plotted in a line graph in Figs.7 and 8 respectively.The graphs showing T W and T CV in Figs.7 and 8 indicate corresponding changes in values as other parameters are changed.For example, as we switch from Setting 1 to Setting 2, where we increase Control Compliance Values C cv , we see a corresponding increase in T W and T CV .Similarly, if we decrease Controls Compliance Values as in Setting 3, we see a corresponding decline in T W and T CV .Since T CV depends on two other factors as well which are A cm and C sf , thus change in C cv has only a partial effect.This not only validates the concept •

Table 4
Variables and their notations

Table 5
Settings for test cases