
Cloud Security Transparency

Transparency is an essential means of strengthening information disclosure and enhancing users’ trust in cloud services. It is one of the fundamental aspects of operations that ensures visibility into important areas such as performance, configuration, billing and workload (Aslam, 2014; Kalloniatis et al., 2013). In the past, transparency was used chiefly to express cloud customers’ need for visibility into matters such as pricing models, but a broad range of interests, including security, service delivery and performance, is now associated with the term. Among all of these, security transparency has emerged as the most critical requirement because of the complex chain of interactions between multiple actors, which fundamentally demands knowing how security and compliance measures are applied to protect sensitive assets (Pauley, 2010).

4.3.1 Definition of Cloud Security Transparency

Considering the various definitions and connotations of transparency offered by researchers in different fields, for this research cloud security transparency is defined as the disclosure of information relating to the security practices and management of virtual and application resources in the cloud, to help customers monitor, verify and track their data across the cloud infrastructure. Cloud security transparency establishes the trustworthiness of the cloud service provider’s operations by enabling security monitoring, incident detection, reporting and management from the customer side. It has the potential to establish trust and to help customers make informed decisions, achieve security goals and operate in compliance with requirements.

4.3.2 Areas of Focus for Security Transparency in Cloud Environment

The cloud environment is composed of complex domains and resources, which makes achieving complete security transparency an enormous task. Visibility into every domain of the cloud cannot be provided efficiently and reliably, because certain restrictions or controls may require the CSP to conceal particular security or configuration information. However, in the context of this research, the cloud domains in which security transparency is achieved include:

Authentication: Cloud security transparency makes it possible to establish and share information on how end users are authenticated and granted or denied access to data and applications.

Access Roles and Duties: Organisations usually define roles, layers, responsibilities and security levels associated with assets. Based on these specifications, information is shared and logged within an organisation in a manner that shows every task or activity executed against a particular asset.

User Account: Through security transparency, access attempts on authorised user accounts are consistently tracked and monitored, and the information is shared with the organisation to ensure that every system access is reported.

Security Policies: Security policies are part of the control objectives that define how an organisation’s assets are used and ensure that cloud services are provisioned in line with the business and security requirements. An organisation establishes appropriate security policies that are enforced throughout the contract lifecycle. Violations of security policies ought to be transparently shared and communicated to the organisation.

Infrastructure Security and Location: Security transparency enables the sharing of information on the physical access, security and location of the infrastructure that hosts or processes organisational data, such as data centres, servers and network equipment.

Data Security: Information on the tools and processes implemented to protect sensitive data is shared with the organisation by means of security transparency. Transparency in this area focuses on information relating to one user without the risk of compromising the data of other users.

Security Standards: Standards allow an organisation to follow consistent stipulations for ensuring the safety of IT infrastructure and assets. Security transparency also enhances the sharing of information in this regard by enabling CSPs to share information on their compliance with the regulations and regulatory bodies that apply to their operations.
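As an added illustration (not part of the original thesis), the following Python sketch shows what a per-tenant disclosure covering the areas above might look like: it builds a customer-facing report of authentication outcomes, per-asset activity and policy violations from a constructed provider-side audit log, and checks that nothing belonging to another tenant is disclosed. The record format, field names and sample data are assumptions.

```python
from collections import Counter, defaultdict

# Constructed provider-side audit records (sample data, not from any real CSP).
AUDIT_LOG = [
    {"tenant": "acme", "area": "authentication", "user": "alice", "outcome": "success", "asset": "-"},
    {"tenant": "acme", "area": "authentication", "user": "bob", "outcome": "failure", "asset": "-"},
    {"tenant": "acme", "area": "authentication", "user": "bob", "outcome": "failure", "asset": "-"},
    {"tenant": "acme", "area": "access", "user": "alice", "outcome": "read", "asset": "hr-db"},
    {"tenant": "acme", "area": "access", "user": "alice", "outcome": "delete", "asset": "hr-db"},
    {"tenant": "acme", "area": "policy", "user": "bob", "outcome": "violation", "asset": "backup-bucket"},
    {"tenant": "globex", "area": "authentication", "user": "carol", "outcome": "failure", "asset": "-"},
    {"tenant": "globex", "area": "policy", "user": "dave", "outcome": "violation", "asset": "share-1"},
]


def transparency_report(log, tenant):
    """Per-tenant disclosure covering the 4.3.2 areas: authentication outcomes,
    every action executed against each asset, and policy violations."""
    own = [e for e in log if e["tenant"] == tenant]  # tenant scoping is the isolation boundary
    report = {
        "tenant": tenant,
        "authentication": Counter(e["outcome"] for e in own if e["area"] == "authentication"),
        "asset_activity": defaultdict(list),
        "policy_violations": [],
    }
    for e in own:
        if e["area"] == "access":
            report["asset_activity"][e["asset"]].append((e["user"], e["outcome"]))
        elif e["area"] == "policy" and e["outcome"] == "violation":
            report["policy_violations"].append({"user": e["user"], "asset": e["asset"]})
    return report


def leaks_other_tenants(report, log):
    """Data Security check from 4.3.2: True if the report names a (user, asset)
    pair that belongs only to a different tenant."""
    tenant = report["tenant"]
    foreign = {(e["user"], e["asset"]) for e in log if e["tenant"] != tenant}
    own = {(e["user"], e["asset"]) for e in log if e["tenant"] == tenant}
    disclosed = {(u, a) for a, acts in report["asset_activity"].items() for u, _ in acts}
    disclosed |= {(v["user"], v["asset"]) for v in report["policy_violations"]}
    return any(d in foreign and d not in own for d in disclosed)
```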

4.3.3 Why Security Transparency in the Cloud?

One of the most considerable obstacles to successful cloud migration is the management of security, which is aggravated by the reluctance of CSPs to disclose security-related information about their offerings (Pauley, 2010). Users are driven by the fear of undisclosed security events related to ongoing provider control procedures, and they endeavour to make informed decisions by relying on disclosures in order to achieve optimum security goals and operate in compliance with requirements. Successful adoption of cloud technology by corporate users, businesses and organisations requires clear-cut disclosure of the security policies, designs and practices of CSPs, including ongoing visibility of relevant security measures. These transparency requisites constitute the pathway by which users assess the possible risks of cloud computing and its potential impact on their assets. For example, a CSP may choose to outline the policies and procedures employed to ensure the availability of user data by disclosing information on the architecture of its backup plans, business continuity and redundancy strategies that provide continuous data availability. Security transparency in public clouds is considered to demand substantially more attention than in other deployment models, because public clouds are open to the public and serve a broad customer base. In contrast, other deployment models such as private clouds are designed explicitly for individual organisations, and therefore offer customised functionalities that do not necessitate transparent operations.

4.3.4 How Security Transparency can Support Businesses

The ability of any organisation to recognise and adequately manage risks plays an important part in the value of the services and operations delivered to customers and other stakeholders. Security transparency enables an organisation to identify its current and future requirements and provides a roadmap for aligning those requirements with cloud services. A broad spectrum of security solutions that support the core business processes and operations can be quickly established, including the identification of platforms and solutions that support the data security strategy of a business venture. By following a successful security transparency approach, an organisation can overcome the gap that often exists between information security strategy and business strategy objectives by directly aligning business processes with the security requirements that protect data. Also, the effective management of the risks associated with business data residing in the cloud requires an understanding of the level of risk and the identification and prioritisation of sensitive data. In this direction, security transparency supports comprehensive classification efforts within an organisational function or line of business by leveraging automated tools that track data across cloud repositories, including databases and applications.

Another notable point that highlights the essential role of security transparency for business is the part it plays in the assessment and definition of realistic, attainable business strategies and performance goals. Organisational strategies outline how objectives are achievable, while goals express objectives at a perceptible and achievable level. Factors such as technological posture, operations and organisational culture determine the objectives of an organisation and those that can reasonably be accomplished. As such, security transparency allows an in-depth understanding of an organisation’s hierarchy of objectives and goals by directly establishing risk-based plans to support the monitoring of assets, as well as improvement opportunities in designing and operating an effective control process that is most consistent with those goals. Such improvement opportunities can take various forms, including maintaining a robust control environment to support organisational initiatives that in turn improve security, and identifying focal risks that meet the organisation’s risk appetite, including operational risks, business risks, technology risks and many other areas of significant concern. In general, security transparency supports these processes through evaluation, recommendations to management, and reporting of incidents to relevant organisational stakeholders.