
A Conceptual Security Framework for Cloud Computing Issues

IGI Global
International Journal of Intelligent Information Technologies
DOI: 10.4018/IJIIT.2016040102
Copyright © 2016, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.

Volume 12 • Issue 2 • April-June 2016


Shadi A. Aljawarneh, Jordan University of Science and Technology, Irbid, Jordan
Muneer Bani Yassein, Jordan University of Science and Technology, Irbid, Jordan

In this article, perspectives from Cloud computing practitioners are presented in order to address
clients' concerns and raise awareness of the measures that are put in place to ensure the software
security of the client services running in the Cloud. In addition, the authors have investigated the
impact of a number of the existing approaches and techniques in order to provide a systematic survey
of the current software security issues in the Cloud environment. Based on these perspectives and
this survey, a generic conceptual framework is designed to outline the possible current solutions to
software security issues in the Cloud and to present a preferred software security approach for
investigation by the Cloud research community. As a potential enhancement to the proposed Cloud
software security framework, the concepts of fuzzy systems might be used to solve a large number of
issues in Cloud security at different framework levels.

Availability, Cloud Computing, Encryption, Fuzzy Systems, PAAS, SAAS, Software Security

Cloud computing is a new concept in the era of technology. This concept adds new paradigms,
techniques and approaches to computing science. In the Cloud, software and its data are created and
maintained virtually for the users and are only accessible via a particular Cloud’s software, platform
or infrastructure (Aljawarneh, 2011). Before 2005, clients imagined renting resources, information and
software in order to operate, run and enhance their devices and programs. Currently, it is possible to
rent whatever resources you like, so this dream is now realized. In general, the Cloud has four basic
characteristics:
1. Scalability: The Cloud opts to use a scalable architecture. Scalability means that hardware units
are added to bring more resources to the Cloud system (David, et al., 2015). However, this feature
is in a trade-off with software security. Scalability might make it easier to depict the Cloud, and
it might increase the number of criminals who would access the Cloud storage and Datacenters
illegitimately (Aljawarneh, 2011). Vaquero et al. (Vaquero, et al., 2012) aimed to acquaint the
reader with this problem in distributed systems: user-oriented service-level scalability. Scalability
issues are analysed from the Infrastructure as a Service (IaaS) and the Platform as a Service (PaaS)
points of view, as they deal with different functions and abstraction levels (Vaquero, et al., 2012).
2. Availability: The services, platform and data are accessible at any time and place. The Cloud is
potentially exposed to greater software security threats, principally when the Cloud is based on
the Internet rather than on an organization’s own platform (David, et al., 2015).
3. Automatic Backup: Day after day, many manufacturers of electronic devices rely on the model
of Cloud computing, and they are increasingly including this paradigm in their products
since it brings the characteristics of communication and automatic backup of the information
(Sessions, 2009).
4. Added value: Additional services are offered to the user, such as the ability to synchronise
friends on social networking sites such as Facebook with friends registered under the same names
on Palm phones (Aljawarneh, 2011).
Currently, the academic world requires sharing, distributing, integrating and changing information,
and linking applications and other resources within and among organizations (Wang, Zhang, & Cao,
2009). Due to openness, virtualization and distributed interconnection, software security becomes
a crucial challenge in order to ensure the integrity, confidentiality and authenticity of digitized data
in Clouds (Aljawarneh, et al., 2010; Aljawarneh, et al., 2015).
In this paper, we have attempted to acquaint readers with the current state of software security
issues and levels in the Cloud by presenting a generic framework that might assist in the protection
of their Cloud services and Datacenters. This paper provides a survey of software security tools and
techniques in the area of Cloud Computing. It analyses the major vendors’ solutions and practitioners’
approaches, and then provides a general layered framework aimed at providing organizations with a
roadmap of the different perspectives from which software security issues in Cloud-based systems
can be faced. This contribution plays an unquestionably central role in the adoption of Cloud-based
solutions by organizations.
Software security is the main issue that practitioners of Cloud applications and systems might
face. The owners of data might be concerned because the data and the software coupled with it
are not under their control but rather possessed by the Cloud. In addition, the data owner may not be
aware of where the data is geographically located at any particular time. So our research question
in this study is how to secure the data contained in the Cloud (Aljawarneh, et al., 2015).
The rest of the paper is organized as follows. Section 2 states six reasons for clients’ increasing
suspicions during the use of Cloud services and describes the current Cloud software security tools.
Section 3 describes the scenarios of the Cloud threats. In Section 4, we conceptually present
a generic framework consisting of components and levels in the Clouds; there we review the
existing solutions and discuss a number of practitioners’ perspectives correlated to clients’
suspicions against using Cloud software security. A case study about health software security is
discussed in Section 5. Finally, we draw conclusions and outline future work.

This section describes a number of common reasons that have raised concerns among the clients
who use Cloud services and applications. The frequent reasons are as follows:
1. Some clients ask: what happens if someone (such as a manager, owner, maintainer
or others) halts the organization’s servers, or if they face major problems that prevent
them from working? The reality is that, regardless of the capacity and capabilities of
the organization that manages these servers, a collapse of the system can take place
anywhere and at any moment, and then this meltdown happens (Sessions, 2009). This leads to
the second question: could Cloud computing fail? The answer to this question is outside
the scope of this paper, as it involves more systematic studies from different views and
perspectives.
2. Reputable organizations have attempted to mitigate client concerns by confirming that the Cloud
model is secure, the Cloud services are protected, the information in Datacenters and hosted servers
is encrypted, and the communication channel between the client and the Cloud resources is secure
and therefore protected from any sort of attack. However, some criminals claimed that Cloud
resources are penetrated much more easily than the non-Cloud environment (Aljawarneh, 2011).
Sony claimed that the level of encryption is not strong enough (Armerding, 2012).
3. Should the Cloud software security threats and vulnerabilities be predictable? It would be effective,
but often clients and software security practitioners cannot predict what the next vulnerability
will be. Once it is possible to predict the software security vulnerabilities, the practitioners can
control and prevent the threats.
4. Due to a lack of control over Cloud services, platform and/or infrastructure, academics and
practitioners have stated that software security is a major challenge in the Cloud. In Cloud
computing, the data will be virtualized across different host machines and accessed on the Web (Yan,
et al., 2015; Wang, et al., 2015). From a business point of view, the Cloud provides a channel to the
service or platform in which it could operate (David, et al., 2015). Arthur (Arthur, 2010) renamed
Cloud computing ‘Careless Computing’ because Cloud clients will not control their
own data and software, there is no monitoring of the Cloud providers, and consequently
the data owner and maintainer may not know where data is geographically located at any
particular time.
However, several organizations have adopted and used Cloud applications and services including
Microsoft Azure Services Platform, Web Services, Google and open source Cloud systems such as
Sun Open Cloud Platform for academics, clients and administrative purposes (David, et al., 2015).
Yet, some organizations have not realized the substantial software security issues of Cloud. Some of
these organizations adopted some readily available software security and protection tools to secure
their systems, services and platforms.
Today, Amazon uses a Cloud platform to offer a number of web services to clients. Amazon
constructed a platform called Amazon Web Services (AWS) in order to secure access to web
services (Aljawarneh, 2011). AWS presented a protection level to face the traditional software
security issues in the Cloud (Rimal, 2009). Meanwhile, physical access to AWS Datacenters
is limited and controlled, since the data owner may be aware of where the data is geographically
located at any particular time. Authorised staff have to log in through two authentication phases,
with a restricted maximum number of times, to access AWS and AWS Datacenters (Rimal, 2009). Note that
Amazon only offers restricted Datacenter access and information to people who have an officially
authorized business need for these privileges. If the business need for these privileges is revoked,
then the access is stopped, even if the person continues to be an employee of Amazon or AWS
(Rimal, 2009). However, one of the weaknesses of AWS is the dynamic data that is generated
from AWS, which could be listened to and penetrated by users.
Microsoft presented a new secure system, which includes five main services forming the core
of the operating system: (i) Windows Azure, which is the main part of the system and is specialised
for hosting services and data storage; (ii) Microsoft SQL Services, which is a part of the relevant
databases for these services developed and hosted by the system; (iii) Microsoft .NET Services, which
is an application framework; (iv) Live Services, which share photos and synchronize with computers
and portable devices; and (v) Microsoft SharePoint Services and Microsoft Dynamics CRM Services for
business content management (Calder, 2011).
Fiore and Aloisio (Fiore, & Aloisio, 2011) proposed a new Cloud software security technique
to measure the legitimacy of Cloud resources and the trustworthiness of Cloud database
management using metadata and privilege-based access control. This technique has several
benefits in ensuring the integrity and trustworthiness of Cloud resources by using an
everything-as-a-service (XaaS) mechanism.
In support of XaaS, there are a variety of operating systems (e.g., Unix and Windows), software
packages (e.g., DBMS and SAP), and Cloud resources existing on such platforms (Kotiyal, et al., 2012).
Each such platform has diverse mechanisms of authentication and authorization. Across the range of
Cloud infrastructures, packages, and platforms, a Cloud resource previously accessed on one platform
cannot be accessed by the same user on another platform, and vice versa. Cloud Datacenters facilitated
by the features stated above validate that the resource feeder is in the Cloud servers. Even though the
authentication service checks the authenticity of the feeder, this does not ensure that a resource
posted by the feeder is free from authentication spoofing, virus attacks, or plagiarism. It is common
for an information gap to exist between the creator and the feeder of a Cloud resource (Yan, et al., 2015).
Arshad et al (Arshad, et al., 2012) presented efforts to address one of the significant issues with
respect to software security of Clouds, i.e., intrusion detection and severity analysis. An abstract model
for integrated intrusion detection and severity analysis for Clouds is proposed to facilitate minimal
intrusion response time while preserving the overall software security of the Cloud infrastructures.

Basically there are six fields of software security vulnerabilities in Cloud computing: (a) data at
end-to-end points, (b) data in the communication channel, (c) authentication, (d) separation between
clients, (e) legal issues, and (f) incident response (Takabi, Joshi, & Ahn, 2010).
One scenario of Cloud threats is that software security principles in the Cloud can be lost
(Cappelli, Trzeciak, & Moore, 2006); for example, criminals might penetrate the Cloud in many
forms. An insider adversary who gains physical access to Datacenters is able to destroy any type
of static content in the root of a web server. It is not only physical access to a Datacenter that can
corrupt data: malicious web manipulation tools can also penetrate servers and Datacenter machines.
Once installed, such tools can monitor, intercept, and tamper with online transactions in a
trusted organization. The result naturally allows a criminal full root access to Datacenter and web
server applications. As soon as such access has been established, the integrity of data or software is
in question (Aljawarneh, 2011; Virvilis, 2015).
There are several software security products (e.g., antivirus, firewalls, gateways, and scanners)
that add an extra level of software security for Cloud applications and systems, but they are not
sufficient, as each of them has only a specific purpose; hence, they are called ad-hoc software
security tools. For example, network firewalls provide protection only at the host and network level
(Jiang, et al., 2013). There are five reasons why these software security defenses cannot be used
alone to secure systems (Jiang, et al., 2013):
1. They cannot prevent malicious attacks that perform illegitimate transactions, because they are
designed to prevent vulnerabilities of signatures and specific ports.
2. They cannot manipulate form operations such as asking the user to submit certain information
or validating false data, because they cannot distinguish between the original request-response
conversation and the tampered conversation.
3. They do not track conversations and do not secure the session information. For example, they
cannot track when session information in cookies is exchanged over an HTTP request-response
model.
4. They provide no protection against web application/services attacks since these are launched
on port 80 (the default for web sites), which has to remain open to allow normal operations of the
business.
5. Previously, a firewall could assume that an adversary could only be on the outside. Currently, with
the Cloud, an attack might originate from the inside as well, where a firewall can offer no protection.
Figure 1 illustrates the data storage and Datacenters, which are possibly targeted by criminals.
According to computer forensics, the distrusted servers and Datacenters are the target of crime
(Wang, et al., 2015). Therefore, the question that needs to be answered is whether or not data
is safe and secure.
Figure 1. Cloud Computing Software security
Data confidentiality might be compromised by either insider user threats or outsider user
threats (Zhang, et al., 2010). For instance, insider user threats might maliciously come from the Cloud
operator/provider, a Cloud client, or a malicious third party. The threat of insiders accessing client
data held within the Cloud is larger because each service model can involve multiple users: (i) SaaS:
Cloud clients and administrators; (ii) PaaS: application developers; and (iii) IaaS: third-party
consultants.

In this section, we outline the proposed generic framework, which can act like a map that gives
coherence to empirical inquiry. Because conceptual frameworks are potentially so close to empirical
inquiry, they take different forms depending upon the research question indicated in this article.
The proposed framework consists of three elements as shown in Figure 2:
1. A survey of the existing solutions to identify some common software security issues, solutions,
and their strengths, weaknesses and limitations.
2. A number of perspectives from Cloud software security practitioners that explain the key
Cloud software security issues in firms around the world.
3. A classification of Cloud software security levels, which are based on the survey and the
perspectives.
Thus, we survey a number of the current solutions in Cloud software security to outline a
coherent framework. This section includes the existing solutions and their strengths, processes and
weaknesses.
An approach introduced in (Kotiyal, et al., 2012) suggested the use of five-level security,
which is based on authentication, confidentiality, and integrity for the data stored and accessed by
the cloud user at Datacenters. Authenticity is provided by encryption/decryption of the MAC code and
generation/comparison of a hashed password. The use of a hashed password limits the requirement of
securing the password at all the components and over the network. The authenticity of the Datacenter
is provided through the encrypted e-mail carrying the password. Confidentiality and integrity are
provided through the hashed password and MD5 digest, which make the login process to Datacenters pass
through five levels. The authentication scheme is based on hashed password storage between cloud
provider and cloud client. Furthermore, data confidentiality and integrity are provided through the
MD5 cryptosystem hash technique. However, the authentication scheme limits access to a predefined IP
or MAC address of the cloud client, which restricts access to the data to one location. In addition,
the cloud client can access the Datacenter only from one location.
The authors in (Naik, & Sanyal, 2013) presented a wide variety of methods that can be included
to protect and secure cloud computing. To secure the connection between the cloud client (CC) and the
cloud provider (CP), encryption algorithms are used, and if the connection is through wireless
devices, the connection can be secured using Wired Equivalent Privacy (WEP), an SSID for each access
point and MAC address filtering. Meanwhile, there were no implementation or performance results on
the efficiency of WEP or SSID through wireless devices.
Figure 2. Components of the proposed framework
In (Nimje, 2013), an approach was adopted that uses DNA cryptography for the optimization
of data software security in the cloud. DNA encryption is based on microarray
technology as follows: (i) a DNA structure has two strands; one or more input DNA strands
are taken to be the plaintext message; (ii) one or more randomly constructed “secret key” strands
are appended to them; and (iii) the resulting “tagged plaintext” DNA strands are hidden by
mixing them within many other additional “distracter” DNA strands, which might also be constructed
by random assembly. On the other hand, the decryption process (recovery of the plaintext from the
cipher text) includes the following steps: (i) knowledge of the “secret key” strands is given; and
(ii) the DNA strands can be decrypted by a number of possible known recombinant DNA separation
methods: plaintext message strands may be separated out by hybridization with the complements of
the “secret key” strands, which might be placed in solid support on magnetic beads or on a prepared
surface. The DNA cryptography approach is not constrained to specific encryption and decryption
algorithms. However, this approach is still mostly a theoretical concept and has not yet been
implemented.
In (Fremantle, & Scott, 2015), the authors proposed an approach that is based on three
cryptographic techniques (Key Policy Attribute-Based Encryption, Proxy Re-Encryption,
and Lazy Re-Encryption) to secure data in cloud Datacenters. The approach uses Key Policy
Attribute-Based Encryption (KP-ABE) to secure the connection between cloud client and provider, based
on a combination of four algorithms (namely: Setup Attributes, Encryption, Secret key generation, and
Decryption). Proxy Re-Encryption (PRE) is a cryptographic primitive in which a semi-trusted
proxy, given the proxy re-encryption key, is allowed to translate cipher texts under
one public key into cipher texts under another public key, and vice versa. Finally, the lazy
re-encryption technique allows Cloud Servers to aggregate the computation tasks of multiple
operations, such as updating secret keys and updating cloud clients’ attributes. However, the
implications of the KP-ABE scheme may not be entirely realistic, because the approach assumes the
existence of a single trusted party who monitors all attributes and issues all decryption keys
between cloud client and provider.
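The translation step that proxy re-encryption performs, shown as an added example (not code from the article or from the surveyed scheme). It uses the ElGamal-based bidirectional construction of Blaze, Bleumer and Strauss as a stand-in, over a 256-bit demo group that is far too small for production; all function names and the sample data key are constructed for illustration.

```python
import secrets

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases; good enough for choosing demo parameters."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_group(bits=256):
    """Deterministic search for a safe prime p = 2q + 1 (demo size only)."""
    q = (1 << (bits - 2)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4  # 4 is a square mod p, so it generates the order-q subgroup

P, Q, G = demo_group()

def keygen():
    sk = secrets.randbelow(Q - 1) + 1          # secret exponent in 1..Q-1
    return sk, pow(G, sk, P)

def encode(m):
    """Map an integer 1..Q into the subgroup: exactly one of m, P-m is a square."""
    if not 1 <= m <= Q:
        raise ValueError("message out of range for this group")
    return m if pow(m, Q, P) == 1 else P - m

def decode(x):
    return x if x <= Q else P - x

def encrypt(pk, m):
    k = secrets.randbelow(Q - 1) + 1
    return encode(m) * pow(G, k, P) % P, pow(pk, k, P)   # (M*g^k, g^(sk*k))

def decrypt(sk, ct):
    c1, c2 = ct
    g_k = pow(c2, pow(sk, -1, Q), P)                     # strip sk from the exponent
    return decode(c1 * pow(g_k, -1, P) % P)

def rekey(sk_from, sk_to):
    """Re-encryption key handed to the proxy: sk_to / sk_from mod Q."""
    return sk_to * pow(sk_from, -1, Q) % Q

def reencrypt(rk, ct):
    """Run by the proxy: only the key-dependent half changes, no plaintext appears."""
    c1, c2 = ct
    return c1, pow(c2, rk, P)

def demo():
    owner_sk, owner_pk = keygen()
    reader_sk, _ = keygen()
    # Constructed sample: a 128-bit data key that the owner stores encrypted in the cloud.
    data_key = int.from_bytes(bytes.fromhex("00112233445566778899aabbccddeeff"), "big")
    stored = encrypt(owner_pk, data_key)
    rk = rekey(owner_sk, reader_sk)
    shared = reencrypt(rk, stored)                       # owner -> reader
    restored = reencrypt(pow(rk, -1, Q), shared)         # reader -> owner ("vice versa")
    return {
        "data_key": data_key,
        "owner_plain": decrypt(owner_sk, stored),
        "reader_plain": decrypt(reader_sk, shared),
        "reader_on_original": decrypt(reader_sk, stored),
        "roundtrip_plain": decrypt(owner_sk, restored),
        "c1_unchanged": shared[0] == stored[0],
        # Proxy plus reader together can compute the owner's secret key.
        "collusion_recovers_owner_key": reader_sk * pow(rk, -1, Q) % Q == owner_sk,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Because the re-encryption key is the quotient of the two secret keys, a proxy that colludes with the reader can recover the owner's key, which is why the construction needs the proxy to be at least semi-trusted.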
In (Mathew, 2012), the authors introduced a framework for a secure client cloud environment
through the use of a VPN to access the network of the cloud provider. The proposed framework allows
cloud providers to check cloud clients’ authentication and make sure that clients are authorized. Once
the cloud providers are confident about the clients’ credentials, their data will be encrypted and
stored. The whole framework is based on an agreed software security policy between cloud clients and
providers, to be implemented through the use of a VPN.
In (Bugiel, 2011), an architecture was proposed that consists of two clouds (twins), a Trusted Cloud
and a Commodity Cloud, where software security-critical operations are performed by the Trusted
Cloud. However, who certifies the cloud provider as trusted so that it can be used by the cloud client?
The authors in (Suresh, & Prasad, 2012) presented a set of software security algorithms that
can be implemented to overcome software security issues and software security attacks in cloud
computing. Data transmission between cloud client and provider is protected by encrypting
data using RSA: messages between CC and CP that are encrypted with the public key can only be
decrypted using the private key. Protection of user data includes encryption prior to storage, user
authentication procedures prior to storage or retrieval, and building secure channels for data
transmission. The authors also describe how the MD5 and AES algorithms are used to secure Datacenters.
However, a third party is needed to distribute keys between CC and CP. There is no implementation
model that proves or justifies that the three algorithms can calm the fears of cloud clients.
The authors in (Porwal, et al., 2012) presented an approach to secure data in a private cloud without
disturbing the network layers, protecting the data on the server from illegal users. The data is
secured on the server based on the users’ choice of software security method, so that the data is
given high security priority. Meanwhile, this model suggested that data transferred in a private cloud
must be encrypted in a layer on top of the transport layer instead of using IPSec or SSL. This layer
is used to encrypt and decrypt data between client and servers. Accordingly, each time data is
transferred by the cloud client, it is first secured by definite authentication protocols and saved
at the server end. Therefore, the data will be stored in a secured manner at the server end. Those who
want to obtain the data should be connected or have access through the same framework to view the data.
To present a more reliable generic framework, we present a number of perspectives from Cloud
software security practitioners to calm clients’ concerns about Cloud Computing.
First Perspective: Keeping information assurance architectures secure and confidential, such as details
of how the model-driven software security policies should be enforced in the Cloud systems.
For instance, the UK Cabinet Office published a number of Government Cloud documents but
did not publish the Information Assurance documents. However, Lang (Lang, & Schreiner,
2009) stated that the government’s Cloud documents should publish the Information Assurance
documents for the following reasons:
There is no need to create a public Cloud if the documents are confidential and sensitive,
and creating a public Government Cloud will not make sense.
Building a public or even private Government Cloud is highly expensive. This involves many
servers, Datacenters, services and manpower.
Second Perspective: To date, financial organizations are not willing to adopt the public Cloud, because
it would be risky as explained before. But it is possible to use the private Cloud in financial
organizations.
Third Perspective: The Cloud is a long-term consideration, so clients need to know who they
are dealing with. Therefore, a vendor should understand the client organization, and then the
organization realizes the solution under consideration (Subashini, & Kavitha, 2011). For example,
if the proposed applications and services access any sensitive information at any point of the
client’s experience, then the information and the application should be protected. Martin Fisher,
Director of Information Software security at WellStar Health System, explained that “The key
thing when you start talking about private Cloud or whoever, is making sure that in whatever
contract you have, you one: have a right to audit; and two: that the vendor or provider has an
obligation to respond in the event of a declared incident,” (Subashini, & Kavitha, 2011).
Mestas (Software Architect at 3DEV Business & Consulting SAC, USA) stated in a forum that the
current big picture is a mix of IT infrastructures, including Cloud and non-Cloud systems, for many
companies for many years. Mestas further expounded (Greenhow, Robelia, & Hughes, 2009):
“Talking about the Cloud space, public Clouds versus private Clouds, many organizations will
likely end up with a mixed IT environment that includes both types of Cloud as well as non-
Cloud systems and applications, in this approach Hybrid Clouds will be the more widely model
adopted for many enterprises, considering that not all assets can be placed in public Clouds.”
“The private portion of the Hybrid Cloud must be compliance with the Software security
Standards of the organization and fulfil the interns SLAs, establish software security mechanism
(federation, infrastructure hardening) to integrate with the public portion of the Cloud under
an integration approach or establish a matrix for classify the information that can be published
into the public space.”
In all these cases, Hybrid Cloud software security may be a little lower than the others. It is
accurate to say that Cloud adoption will widely start from Hybrid unless the software security
controls and DR of a Cloud service are proven.
Based on the Cloud system practitioners, researchers and the existing solutions, the proposed
generic framework classifies the Cloud software security issues into the following categories as
illustrated in Figure 3.
Figure 3 shows the levels of Cloud software security that should be considered in current
and future solutions. In addition, we have to distinguish between these levels, since each level
could have a different approach or technique targeted at it. In other words, the solution for
level 1 could not be fitted to other levels. For example, the software security settings of Datacenters
are different from the software security settings of Data transmission. In addition, this framework
addresses another software security level which is not normally considered in academia, namely
the software security of the Internet Service Provider (ISP). This level is specialized in issues of
web hosting software security and ISP gateways.
In addition, there is a difference in the protocol that might be used at each level. These levels
are divided into two types: physical and logical levels. Consequently, the communication
between them needs a way to understand the data flow between them.
As shown in Figure 3, much research has concentrated on some levels, such as remote system
software security, application software security, and data transmission software security. Many Cloud
software security tools have been developed to add an extra level of protection to these levels.
However, some levels, such as the Datacenter software security level and the Hypervisor
software security level, have received little attention in research. It should be noted that the
research attention has been indicated in relation to the academic survey and Cloud software security
practitioners.
As a potential enhancement to the proposed Cloud software security framework, the concepts
of fuzzy systems might be used to solve a large number of issues in Cloud software security at
different levels. However, this requires publishing the source code that is associated with the
software security level proposals in the proposed framework (Alcala-Fdez, & Alonso, 2015). Nowadays,
it is possible to facilitate the use of fuzzy systems because, although the software of software
security tools is commercially distributed, most software is available as free and open source
software, reducing such issues and providing several benefits such as faster error detection and
innovative applications.
In the proposed framework, we could add the type of the software security tools’ software, such as
type, library, toolbox, and suite. In addition, the fuzzy languages of software security tools should
be considered in such a framework in order to improve the reusability of the developed fuzzy cloud
software security framework.
Figure 3. The proposed framework elements and Cloud software security categories

We have employed a fuzzy-based analyzer to distinguish between trusted and malicious
transaction behavior, distributing certificates only to trusted transactions and avoiding
untrusted transactions. Note that fuzzy logic based functions do not give exact results. Fuzzy logic
variables can have trust values between 0 and 1. In the presented framework, the trust decision is based
on fuzzy logic. If the evaluated trust is greater than or equal to the threshold trust, then that particular
transaction is called trustworthy; otherwise it is treated as untrustworthy and excluded from all
future transaction operations.
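The threshold decision described above can be sketched as follows. This is an added example, not code from the paper: the two inputs (`success_rate`, `anomaly`), the membership functions, the rule outputs, the 0.7 threshold and the zero-order Sugeno-style inference are all assumptions, since the article does not specify its analyzer.

```python
# Added illustration: fuzzy trust evaluation followed by a threshold decision.
# Inputs, membership shapes, rule outputs and the threshold are assumptions.

def _clamp(x):
    """Force an input into the [0, 1] range the membership functions expect."""
    return min(1.0, max(0.0, float(x)))

def low(x):
    return max(0.0, 1.0 - 2.0 * x)              # 1 at x=0, 0 from x=0.5 upward

def medium(x):
    return max(0.0, 1.0 - abs(2.0 * x - 1.0))   # triangle peaking at x=0.5

def high(x):
    return max(0.0, 2.0 * x - 1.0)              # 0 up to x=0.5, 1 at x=1

# Each rule: (firing strength as a function of the inputs, crisp trust output).
# Fuzzy AND is taken as min().
RULES = [
    (lambda s, a: min(high(s), low(a)), 1.0),       # good history, quiet now
    (lambda s, a: min(high(s), medium(a)), 0.6),
    (lambda s, a: min(medium(s), low(a)), 0.7),
    (lambda s, a: min(medium(s), medium(a)), 0.4),
    (lambda s, a: low(s), 0.1),                     # poor history
    (lambda s, a: high(a), 0.0),                    # strongly anomalous
]

def evaluate_trust(success_rate, anomaly):
    """Return a trust value in [0, 1] as the strength-weighted mean of rule outputs."""
    s, a = _clamp(success_rate), _clamp(anomaly)
    fired = [(rule(s, a), out) for rule, out in RULES]
    total = sum(w for w, _ in fired)
    if total == 0.0:
        return 0.0                                  # no rule fired: fail closed
    return sum(w * out for w, out in fired) / total

class TrustGate:
    """Approve a transaction only if its evaluated trust meets the threshold."""

    def __init__(self, threshold=0.7):
        self.threshold = threshold
        self.excluded = set()   # sources barred from all future transactions

    def decide(self, source_id, success_rate, anomaly):
        if source_id in self.excluded:
            return False        # excluded earlier: never re-evaluated
        if evaluate_trust(success_rate, anomaly) >= self.threshold:
            return True         # trustworthy: a certificate may be distributed
        self.excluded.add(source_id)
        return False

if __name__ == "__main__":
    gate = TrustGate()
    # Constructed sample transactions: (source id, success rate, anomaly score).
    samples = [("clinic-a", 0.95, 0.05), ("host-x", 0.40, 0.80),
               ("host-x", 0.99, 0.00)]
    for sid, s, a in samples:
        print(sid, round(evaluate_trust(s, a), 3), gate.decide(sid, s, a))
```

The third sample shows the exclusion rule: `host-x` is refused even with near-perfect inputs because an earlier transaction from it fell below the threshold.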


E-Health software security is a vital problem to overcome if the web is to develop further.
Understanding how to secure healthcare data and communication is therefore the first step in truly
building a connected network, Cloud and/or Cloudlet, and in inspiring confidence between patients and
healthcare centers. Currently, health caregivers, health institutions, healthcare centers and insurance
companies have all had to share information (such as patient registration forms, health history with
any trusted provider, and digital health images) related to a patient's care. This sharing was often
insecure. For example, patients, nurses, doctors, technicians and health organizations might notice
the illegal alteration or illegal copying of confidential digital objects (such as audio, images, video,
documents and others) after the authentication scheme has been performed. At that stage, however,
the destruction of objects has already taken place.
In this case study, the proposed framework, which helps to ensure that health information and
communication are secure, is applied to healthcare centers in Australia and Jordan. Note that there are
a number of approaches to professional development, including consultation, coaching, lesson study,
mentoring, reflective supervision and technical assistance. In this study, the mentoring approach
is recommended because a number of proposed experiments will be conducted, and so healthcare
information that is distributed through Cloud storage and repositories between the health centers in
Jordan and Australia will be monitored to check whether any illegal alteration of digital objects has occurred.
A consultation approach might be used in order to assist an individual or group in addressing immediate
concerns by following a systematic problem-solving process. Furthermore, a workshop could be
suggested to discuss the results and evaluate this type of professional development with the target
clients in either Australia or Jordan.
There are many more challenges in Jordanian health development, such as e-health software
security, that need to be solved not only by the government but also by the community. Therefore, this case
study has been taken into account.
Based on the proposed framework, seven levels of security are used; they rely on authentication,
confidentiality, and integrity for the health information stored and accessed at the Datacenters by the
users of the health centers, such as doctors, nurses, health officers, government officers, technicians
and patients in Australia and Jordan. The secure Datacenters are geographically distributed between
Cloud Database Servers in Jordan and Australia. Authenticity is offered by the encryption/decryption
of the MAC code and the generation/comparison of the hashed password. Use of a hashed password limits the
requirement of securing the password at all the components and over the Cloud. The authenticity of the Health
Datacenter is provided through the encrypted e-mail carrying the password. Confidentiality and
integrity are provided through the hashed password and the SHA-256 digest, which make the login process to
the Datacenters pass through seven levels. The authentication scheme is based on hashed password storage
between the Cloud Service Provider (CSP) and the Cloud Client. Furthermore, data confidentiality and
integrity are provided through the SHA-256 cryptosystem hash technique. This process is recommended to
be applied across the seven security levels, from the top level of the proposed framework down to the bottom level.
As a result, the patients can virtually receive the health services in a secure manner with high
quality.
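The hashed-password comparison and the SHA-256 integrity check on a stored health object, as an added example that is not the authors' implementation. It assumes PBKDF2-HMAC-SHA256 with a per-user salt in place of a bare hash for password storage, and HMAC-SHA256 as the MAC; the record, key handling and function names are constructed for illustration. It also shows why the digest must be paired with a keyed MAC: anyone who can rewrite the object can also recompute a plain digest.

```python
# Added illustration: salted password hashing plus digest/MAC integrity checks.
# PBKDF2 and HMAC-SHA256 are assumptions; the paper names only "hashed
# password", "MAC code" and "SHA-256 digest".
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware

def hash_password(password, salt=None):
    """Return (salt, derived_hash); only these are stored, never the password."""
    salt = salt or os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, PBKDF2_ITERATIONS)
    return salt, derived

def verify_password(password, salt, stored):
    """Recompute the hash for a login attempt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def seal_object(key, data):
    """Record an unkeyed digest and a keyed MAC for a stored digital object."""
    return {"sha256": sha256_hex(data),
            "mac": hmac.new(key, data, hashlib.sha256).hexdigest()}

def verify_object(key, data, seal):
    """Return (digest_ok, mac_ok) for the object against its recorded seal."""
    digest_ok = hmac.compare_digest(sha256_hex(data), seal["sha256"])
    mac = hmac.new(key, data, hashlib.sha256).hexdigest()
    return digest_ok, hmac.compare_digest(mac, seal["mac"])

# Constructed sample record; not real patient data.
RECORD = b'{"patient_id": "P-0001", "blood_type": "O+", "note": "constructed"}'

if __name__ == "__main__":
    salt, stored = hash_password("constructed-passphrase")
    print("login ok:", verify_password("constructed-passphrase", salt, stored))
    print("wrong password:", verify_password("guess", salt, stored))

    key = os.urandom(32)                 # MAC key held by the verifier only
    seal = seal_object(key, RECORD)
    print("untouched:", verify_object(key, RECORD, seal))

    altered = RECORD.replace(b"O+", b"AB")
    print("altered:", verify_object(key, altered, seal))

    # The stored digest is rewritten to match the altered object; without the
    # key the MAC cannot be updated, so the alteration is still detected.
    resealed = {"sha256": sha256_hex(altered), "mac": seal["mac"]}
    print("digest rewritten:", verify_object(key, altered, resealed))
```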


The existing Cloud services might face various software security issues at the Cloud models level.
One main challenge is the lack of control over the Cloud Datacenters. Furthermore, software
security is not integrated into the service development process.
Indeed, traditional software security tools alone would not be able to resolve recent
software security issues, so it will be helpful to incorporate software security components upfront
into the development methodology of the Cloud system. In this paper, a number of Cloud practitioners'
perspectives are presented to calm clients' fears about Cloud concerns. We present a
conceptual framework of three components that helps to indicate the levels of Cloud software security
that should be taken into account by researchers and practitioners. This paper has addressed an important
issue and provided a wide analysis of available solutions, as well as a useful fuzzy framework, helping
readers to orient themselves in the field of Cloud software security.
Consequently, it is recommended that governments keep their information assurance
architectures secure and confidential. Moreover, financial organizations are not willing to adopt the public
Cloud because it would be risky. However, such organizations may adopt the private Cloud
instead. As a part of future work, we will validate the effectiveness of the proposed system via
some case studies or available data sets. We will also include details about the performance analysis and
implementation of the proposed work in comparison with existing studies. Finally, the proposed framework
could be more secure and reliable, and could help to add an extra level of software security in military and
financial operations.


Alcala-Fdez, J., & Alonso, J. (2015). A Survey of Fuzzy Systems Software: Taxonomy. Current Research Trends
and Prospects.
Aljawarneh, S. (2011). Cloud Security Engineering: Avoiding Security Threats the Right Way. International
Journal of Cloud Applications and Computing, 1(2), 64–70. doi:10.4018/ijcac.2011040105
Aljawarneh, S., Alkhateeb, F., & Al Maghayreh, E. (2010). A semantic data validation service for web
applications. Journal of Theoretical and Applied Electronic Commerce Research, 5(1), 39–55.
doi:10.4067/S0718-18762010000100005
Aljawarneh, S., Alshargabi, B., Hayajneh, M. A., & Imam, A. (2015). Integration of E-learning and Cloud
Computing Platform Through Software Engineering. Recent Patents on Computer Science, 8(2), 100–105.
doi:10.2174/2213275908666150706174305
Armerding, T. (2012). The 15 worst data security breaches of the 21st Century. COS Security and Risk.
Arshad, J., Townend, P., & Xu, J. (2012). An abstract model for integrated intrusion detection and severity
analysis for clouds. Cloud Computing Advancements in Design, Implementation, and Technologies, 1.
Arthur, C. (2010). Google’s ChromeOS means losing control of data, warns GNU founder Richard Stallman.
The Guardian Tuesday, 14.
Bugiel, S., Nürnberger, S., Sadeghi, A. R., & Schneider, T. (2011, January). Twin clouds: Secure cloud computing
with low latency. In Communications and Multimedia Security (pp. 32–44). Springer Berlin Heidelberg.
doi:10.1007/978-3-642-24712-5_3
Calder, B., Wang, J., Ogus, A., Nilakantan, N., Skjolsvold, A., McKelvie, S., & Haridas, J. et al. (2011,
October). Windows Azure Storage: a highly available cloud storage service with strong consistency.
Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles (pp. 143-157). ACM.
doi:10.1145/2043556.2043571
Cappelli, D. M., Trzeciak, R. F., & Moore, A. B. (2006). Insider Threats in the SLDC: Lessons Learned From
Actual Incidents of Fraud: Theft of Sensitive Information, and IT Sabotage (Presentation).
David, G., & Anbuselvi, R. (2015, February). An architecture for Cloud computing in Higher Education.
Proceedings of the 2015 International Conference on Soft-Computing and Networks Security (ICSNS) (pp. 1-6).
IEEE. doi:10.1109/ICSNS.2015.7292432
Fiore, S., & Aloisio, G. (2011). Grid and cloud database management. Springer Science & Business Media.
doi:10.1007/978-3-642-20045-8
Fremantle, P., & Scott, P. (2015). A security survey of middleware for the Internet of Things. PeerJ PrePrints,
3, e1521.
Greenhow, C., Robelia, B., & Hughes, J. E. (2009). Learning, teaching, and scholarship in a digital age
Web 2.0 and classroom research: What path should we take now? Educational Researcher, 38(4), 246–259.
doi:10.3102/0013189X09336671
Jadeja, Y., & Modi, K. (2012, March). Cloud computing-concepts, architecture and challenges. Proceedings
of the 2012 International Conference on Computing, Electronics and Electrical Technologies (ICCEET) (pp.
877-880). IEEE. doi:10.1109/ICCEET.2012.6203873
Janssen, M., & Joha, A. (2011). Challenges for adopting cloud-based software as a service (saas) in the public
sector. In ECIS.
Jiang, W., Li, Z., Jia, J., & Liu, D. (2013, September). Evaluating E-Commerce System Security Using Fuzzy
Multi-criterion Decision-Making. Proceedings of the 2013 IEEE Seventh International Conference on Semantic
Computing (ICSC) (pp. 438-443). IEEE.
Kotiyal, B., Saxena, P., Goudar, R. H., & Jogdand, R. M. (2012). A 5-Level Security Approach for Data Storage
in Cloud. International Journal of Computer Applications, 54, 29-34.

Lang, R. S. U., & Schreiner, R. (2009). Top SOA Security Concerns & OpenPMF Model-Driven Security.
ObjectSecurity white-paper.
Mathew, A. (2012). Security And Privacy Issues Of Cloud Computing; Solutions And Secure Framework.
International Journal of Multidisciplinary Research, 2(4).
Naik, P., & Sanyal, S. (2013). Increasing Security in Cloud Environment. arXiv preprint arXiv:1301.0315.
Nimje, A. R. (2013). Cryptography. In Cloud-Security Using DNA (Genetic). Techniques.
Porwal, A., Maheshwari, R., Pal, B. L., & Kakhani, G. (2012). An Approach for Secure Data Transmission in
Private Cloud. International Journal of Soft Computing and Engineering.
Rimal, B. P., Choi, E., & Lumb, I. (2009, August). A taxonomy and survey of cloud computing systems.
Proceedings of the Fifth International Joint Conference on INC, IMS and IDC NCM’09 (pp. 44-51). IEEE.
doi:10.1109/NCM.2009.218
Sessions, L. F. (2009). “You Looked Better on MySpace”: Deception and authenticity on the Web 2.0. First
Monday, 14(7). doi:10.5210/fm.v14i7.2539
Subashini, S., & Kavitha, V. (2011). A survey on security issues in service delivery models of cloud computing.
Journal of Network and Computer Applications, 34(1), 1–11. doi:10.1016/j.jnca.2010.07.006
Suresh, K. S., & Prasad, K. V. (2012). Security issues and Security algorithms in Cloud Computing. International
Journal of Advanced Research in Computer Science and Software Engineering, 2(10).
Takabi, H., Joshi, J. B., & Ahn, G. J. (2010). Security and privacy challenges in cloud computing environments.
IEEE Security and Privacy, 8(6), 24–31. doi:10.1109/MSP.2010.186
Vaquero, L. M., Cáceres, J., & Morán, D. (2012). The challenge of service level scalability for the cloud. Cloud
Computing Advancements in Design, Implementation, and Technologies, 37.
Virvilis, N., Mylonas, A., Tsalis, N., & Gritzalis, D. (2015). Security Busters: Web browser security vs. rogue
sites. Computers & Security, 52, 90–105. doi:10.1016/j.cose.2015.04.009
Wang, B., Zheng, Y., Lou, W., & Hou, Y. T. (2015). DDoS attack protection in the era of cloud computing and
Software-Defined Networking. Computer Networks, 81, 308–319. doi:10.1016/j.comnet.2015.02.026
Wang, H., Zhang, Y., & Cao, J. (2009). Effective collaboration with information sharing in virtual universities.
IEEE Transactions on Knowledge and Data Engineering, 21(6), 840–853.
Yan, Z., Li, X., & Kantola, R. (2015). Controlling Cloud Data Access Based on Reputation. Mobile Networks
and Applications, 2015, 1–12.
Zhang, X., Wuwong, N., Li, H., & Zhang, X. (2010, June). Information security risk management framework for
the cloud computing environments. Proceedings of the 2010 IEEE 10th International Conference on Computer
and Information Technology (CIT) (pp. 1328-1334). IEEE. doi:10.1109/CIT.2010.501