Metamodel for Handling Security and Privacy Knowledge in Cloud Service Development

Security and privacy in cloud systems are critical. To address security and privacy concerns, many security patterns, privacy patterns, and non-pattern-based knowledge have been reported. However, knowing which pattern or combination of patterns to use in a specific scenario is challenging due to the sheer volume of options and the layered cloud stack. To deal with security and privacy in cloud services, this study proposes the cloud security and privacy metamodel (CSPM). CSPM uses a consistent approach to classify and handle existing security and privacy patterns. In addition, CSPM is used to develop a security and privacy awareness process to develop cloud systems. The effectiveness and practicality of CSPM is demonstrated via several case studies.


INTRODUCTION
Cloud service providers control remotely available services and data, which are often connected with other services. Consequently, ensuring security and privacy (S&P) in cloud services is critical. Many of the cloud security and privacy issues are also true for any kind of distributed system; however, cloud architectures bring new attacks (Fernandez, Monge & Hashizume, 2016). Besides, clouds may store large amounts of sensitive information such as users' personal information. Thus, the result of 3 similar to a commercial one using a conventional cloud platform, suggests that CSPM has practical applications in industrial development. Tools such as this metamodel should contribute to the ubiquity of patterns to develop secure systems.
The novel contributions of this paper are as follows:
1. We proposed CSPM, a metamodel that serves as the basis for describing S&P-related knowledge over multiple cloud layers. To the best of our knowledge, CSPM is the first metamodel to uniformly handle security-related concepts as well as privacy-related ones over multiple layers.
2. We proposed an S&P awareness process that uses CSPM for developing cloud services.
3. We conducted a controlled experiment and a case study based on the proposed process to evaluate the effectiveness of the problem analysis and solution design supported by CSPM.
The rest of this paper is organized as follows. Section 2 contains related work and problems addressed in this research. Section 3 proposes our metamodel and overviews our process for S&P development. Section 4 discusses our case studies and answers our RQs, and section 5 concludes this paper.
Cloud security is considered in several metamodels and abstract reference architectures (Hazeyama, 2012) (Chatziprimou, Lano & Zschaler, 2013) (Fernandez, Monge & Hashizume, 2016). However, cloud privacy along with security has yet to be considered. Due to their intertwined relationship, they should be addressed simultaneously.
One study surveyed software security knowledge and proposed a metamodel to model such knowledge (Hazeyama, 2012). Unlike that study, which did not include cloud computing, our study incorporates such knowledge into our metamodel. Another study used a metamodel to model cloud services and resources (Chatziprimou, Lano & Zschaler, 2013), but neither security nor privacy was considered directly. A different study reported an abstract security reference architecture model to develop secure cloud services and systems (Fernandez, Monge & Hashizume, 2016). That study provided a basis to model multiple layers of the cloud in terms of the security at each layer. However, privacy was not addressed.
There are several modeling frameworks for cloud security that include auditing mechanisms (Ismail & Islam, 2020) (Mouratidis, Shei & Delaney, 2020). Although these frameworks identify key security-related concepts, privacy-related concepts and the layered cloud stack were not addressed explicitly.
Some studies have focused on privacy engineering. One did a systematic literature mapping on privacy patterns research (Lenhard, Fritsch & Herold, 2017). However, this study did not consider a metamodel or security patterns. Another study proposed a metamodel for privacy engineering based on SEMDM, which is a metamodel for software and systems development methodologies (Martín & del Álamo, 2017). This study did not consider privacy patterns, security patterns, or cloud computing. A different study proposed a privacy engineering metamodel by extending SEMDM (Alamo, Martín & Caiza, 2017). Although it included privacy design strategies, privacy threats, and privacy design patterns as well as listed elements similar to our metamodel, relationships were not considered.
A study proposed a metamodel for General Data Protection Regulation (GDPR)-based privacy level agreements (PLAs) to support privacy management, based on an analysis of privacy threats, vulnerabilities, and trust relationships in general information systems (Diamantopoulou, Angelopoulos, Pavlidis, & Mouratidis, 2017). That study does not address patterns or cloud-specific concerns. By connecting our metamodel with the proposed one, we can consider incorporating GDPR-based PLAs in cloud service development.

Challenge
Often a developer who is inexperienced and not an expert in S&P is tasked to build a cloud application. As the developer is aware of her shortcomings, she searches for documents on S&P. However, this leads to several problems:
• Numerous S&P Patterns and Documents: Patterns are reusable solutions to recurring problems. Because many S&P patterns (and other documentation) have been proposed, the search results are overwhelming. Selecting the appropriate pattern(s) when many are not applicable to cloud services (Fernandez, et al., 2010) (Fernández, et al., 2016) is difficult, especially for a novice developer.
• Complex Relationships Between a Cloud Service and its Mechanism: A cloud is composed of three main layers: infrastructure, platform, and software. Although each service is provided from one layer from the users' viewpoint, a service may control data related to other layers (Subashini & Kavitha, 2011) (Fernández, Yoshioka & Washizaki, 2019). Consequently, selecting and utilizing the appropriate pattern(s) are challenging tasks.
• Practical Metamodels for Cloud Development do not Exist: Existing metamodels (Kalloniatis, Kavakli & Gritzalis, 2008) consist of essential concepts when dealing with S&P issues. However, they cannot deal with real-world S&P issues in cloud development.

Design of the Metamodel
CSPM is a metamodel that serves as the basis for describing S&P-related knowledge over multiple layers. Besides selecting and combining the appropriate patterns to address S&P issues, CSPM can be used to design architectures of cloud service systems effectively and efficiently. Figure 2 shows an overview of the Cloud Security and Privacy Metamodel (CSPM) as a set of seven packages in the form of a UML class diagram. Table 1 outlines these packages by showing the major concepts in them. Figure 3 shows a simplified version of CSPM named Privacy View, a simplified metamodel that emphasizes privacy-related concepts (such as personal information) and their surrounding elements. As shown in Figure 3, the privacy-related concepts are related to the security-related concepts in CSPM. For example, an attacker may access personal information against its users' preferences via a misuse case. Such privacy threats can be mitigated by applying the appropriate corresponding security patterns.
CSPM addresses the aforementioned challenge by having the following features:
• Consistency Over Multiple Layers: The problem, bridge, and solution packages are fundamental in all layers. Not only do they provide concepts common between layers, but they also organize their relationships. Consequently, they uniformly handle S&P-related knowledge over different layers.
• Convenience: Separating general concepts from specific ones (e.g., layers, cloud-specific knowledge, and cloud-independent knowledge) into packages makes the metamodel easy to access.
• Compatibility With Existing Cloud Services and Security Metamodels: In addition to consistency, the packages include concepts according to the relationships defined in an existing reference architecture and metamodel (Fernandez, Monge & Hashizume, 2016) (Hazeyama, 2012). Hence, the proposed metamodel can work with existing metamodels. For example, the platform package and the infrastructure package of CSPM encapsulate concepts that are identified as PaaS-related and IaaS-related, respectively, in the existing reference architecture (Fernandez, Monge & Hashizume, 2016).

Modeling Based on the Metamodel
CSPM can be a basis for modeling vulnerabilities from databases such as Common Vulnerabilities and Exposures (CVE) (MITRE, 1999). For example, the vulnerability Cross-site Scripting (XSS) (MITRE, 2012) can be modeled as in Figure 4. In the figure, elements related to the vulnerability are modeled with stereotypes specifying the corresponding concepts in CSPM.
The model in the figure helps to visualize the vulnerable elements, so that problems can be identified and countermeasures implemented easily. In addition, CSPM can help users depict a pattern's problem and solution (Figure 5). In the figure, elements related to the Authenticator pattern (Schumacher, et al., 2006) are modeled with stereotypes specifying the corresponding concepts in CSPM.

S&P Development Process
We propose an S&P awareness process that uses CSPM for developing cloud services (Figure 6). S&P development consists of four phases: analysis, design, implementation, and testing. Each phase is described below:
1. S&P Requirement Analysis: While analyzing the system requirements, the threats and S&P problems in the current system model are identified using a threat model such as STRIDE (Microsoft, 2002) (Jelacic, et al., 2017) together with the concepts related to vulnerabilities organized in CSPM.
2. S&P Design: S&P patterns and other knowledge descriptions can be used to determine possible solutions. The concepts related to S&P patterns organized in CSPM can help select, from the knowledge base, the appropriate S&P patterns corresponding to the identified threats and problems.
3. S&P Implementation: The system is implemented according to the determined solutions.
4. S&P Testing: The system is tested. If problems arise during testing, return to phase 1.

EXPERIMENT AND CASE STUDY
To evaluate the effectiveness of the problem analysis and solution design supported by CSPM, we conducted an experiment and a case study.

Experiment
A controlled experiment evaluated the impact of CSPM and investigated the RQs.

Experiment Setting
The experiment was designed to evaluate the impact of CSPM. The experiment involved two groups of college students, ranging from fourth year undergraduate to second year master's students. The groups were labeled as the experiment group (EG) and the control group (CG).
Regardless of the group, participants were asked to read the class diagram and use case explanation to determine the S&P issues in the system model. The system model was simplified from student work and contained several security threats. The participants were asked to resolve S&P issues on the model level. As a reference, we prepared some S&P patterns, but not all were applicable to this system. After the experiment, participants completed a questionnaire.
EG received additional support. They were given CSPM, a simplified version of CSPM named Pattern View, and a guideline showing how to apply a pattern with an example. The Pattern View is a simplified metamodel that emphasizes elements related to S&P patterns such as goals, threats, and solutions (Figure 7). Because it can be used to analyze the requirements and threats to a system, applicable S&P patterns can be determined. It can also depict a pattern's problem and solution.

Experiment Results
The results for CG are shown in Table 2 and Table 3, while those of EG are shown in Table 4 and Table 5. In Table 2 and Table 4, four variables (the total time to complete the assignment, the number of problems identified in the system, the number of problems solved by revising the model, and the number of patterns used to solve problems) were measured. Table 3 and Table 5 show in detail what kind of problems were identified and solved by each participant. Some of the participants (C1 and C2) read all the reference patterns. C1 spent a long time on the assignment and used the patterns. However, C2 was confused about pattern use and did not use the reference patterns to complete the task. On the other hand, the other participants (C3-C5) did not review the reference patterns. Due to previous development experience, C3 did not need the reference patterns to be successful. C4 and C5 finished quickly. Although they addressed the main S&P issues, they did not address minor problems.
The results of the EG group were similar. They solved a minimum number of principal problems with a greater emphasis on S&P patterns and revised the model correctly. Most completed the experiment in about an hour. Some issues not related to the reference patterns (e.g., DDoS attack) were not solved.
Although the number of problems solved did not differ significantly between EG and CG, EG was more proficient. Three or more main S&P issues were resolved by the EG participants, whereas the number of issues addressed fluctuated widely within the CG group. This difference is attributed to the S&P patterns.
Although we speculated that the EG group would complete the tasks faster than the CG group, the difference in completion time between the two groups was statistically insignificant. This may be attributed to the time that the EG group spent reading the metamodel and guideline. Comparing C1, who used patterns for the assignment, to the EG group indicates that applying our approach is less time consuming, because C1 spent a lot of time reading the reference material.
All participants in the EG group provided similar responses to the questionnaire. All indicated that the Pattern View of the metamodel itself (Figure 7) is easy to understand, but it has low utility. On the other hand, the explanation and example in the guideline are very helpful, especially for applying patterns. Participants responded that the Pattern View structure of the S&P pattern is helpful, but it is preferable to use this in conjunction with a detailed description of the patterns.

Case Study: "Treasure-Hunting Game"
To evaluate the effectiveness of the problem analysis and solution design supported by CSPM, we conducted a case study on developing a cloud service application, targeting an Android game that stores data in a cloud. The original unsecured version and the version whose security was enhanced by CSPM were compared in the evaluation.
To confirm the contribution of CSPM, a student work (the "Treasure-Hunting Game") was used. Similar to popular commercial games (e.g., Pokémon Go and Ingress), this game is an AR application where streets contain multiple spots, and one spot holds the hidden treasure. The first author of this paper designed the initial structure and interface as shown in Figure 8. To begin, players input their names in order to manually save their data, such as hints and coins, into the cloud and to check a target player's data. In this case study, cloud functions were implemented on Amazon Web Services (AWS).
The STRIDE model was used in the S&P requirement analysis (Table 6). Because the Android API and AWS API addressed the threats of eavesdropping on transmissions or tampering with local data, the case study was concerned with the authentication problem and the access right problem, as described below:
• Authentication Problem: Because anyone can use this game, the identity spoofing risk is high, which may lead to data tampering in cloud storage.
• Solution by Pattern: The Authenticator Pattern adds an authenticator to require a user to sign up and sign in before accessing the system. Other patterns like Password Design and Use may also provide support.
• Access Right Problem: The original game only requires a user name to display user data on the screen. This feature may be designed so that friends' data can be checked, but anyone can check a user's information.
• (Schumacher, et al., 2006) (Yoshioka, Washizaki & Maruyama, 2008) can limit access rights.
Figure 9 shows use cases and misuse cases based on the requirement analysis. Figure 10 shows the results of our analysis of goals, problems, patterns, and solutions by referring to the STRIDE model as well as the concepts in the Pattern View of CSPM. In Figure 10, we can confirm how the security problems imposed by misuse cases (e.g., "Use without permission") are characterized by concepts in the Problem package such as attacks and threats. We can also trace how these problems would be mitigated by the solutions of specific security patterns (e.g., Authorization Pattern and RBAC Pattern). Then, the first author modified the design model to incorporate the identified solutions as shown in Figure 11. In these figures, elements related to the security patterns are modeled with stereotypes specifying the corresponding concepts in the metamodel. We confirmed that the authentication problem and the access right problem are resolved, and that the access controller works as intended.
In terms of multiple cloud layers, these solutions have been achieved mainly through the concepts in the platform package, supported by other underlying concepts in the software application and infrastructure packages. This shows how users of CSPM can handle S&P-related knowledge over different layers. Figure 10 and Figure 11 show that "SaaS" from the software application package and "Storage" from the infrastructure package have been utilized together with concepts in the platform package to address threats and attacks indirectly.
In terms of privacy, the player data is personal information while the Authorization Pattern is the applied security pattern to prevent players from accessing other players' data.
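The two case-study problems and their pattern-based solutions, as an added example that is not part of the paper: a minimal cloud-side service for the game in the original design (a user name alone selects the record) beside the revision that applies the Authenticator and Authorization patterns. The in-memory store standing in for AWS storage, the player names and the friend lists are assumptions.

```python
# Added example (not the paper's code): the Treasure-Hunting Game's cloud
# functions, original design beside the Authenticator/Authorization revision.
# The in-memory store standing in for AWS storage and all names are assumed.
import hashlib, hmac, os, secrets

# Constructed sample data: player records (hints, coins) and the friend lists
# that define who may *read* whose data.
PLAYER_DATA = {"alice": {"hints": ["under the bridge"], "coins": 12},
               "bob": {"hints": [], "coins": 3}}
FRIENDS = {"alice": {"bob"}, "bob": set()}
# Original design: the user name alone selects the record, so anyone who knows
# a name can read it (access-right problem) and overwrite it (spoofing).
def get_player_data_original(name):
    return PLAYER_DATA.get(name)

def save_player_data_original(name, data):
    PLAYER_DATA[name] = data

class Authenticator:
    """<<Authenticator>>: sign-up/sign-in precede any access; a session token proves identity."""
    def __init__(self):
        self._creds = {}     # name -> (salt, PBKDF2 hash)
        self._sessions = {}  # token -> authenticated name
    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def sign_up(self, name, password):
        salt = os.urandom(16)
        self._creds[name] = (salt, self._hash(password, salt))
    def sign_in(self, name, password):
        rec = self._creds.get(name)
        if rec is None or not hmac.compare_digest(rec[1], self._hash(password, rec[0])):
            return None  # unknown user or wrong password: no session
        token = secrets.token_hex(16)
        self._sessions[token] = name
        return token
    def subject(self, token):
        return self._sessions.get(token)  # None for an unknown token

class AccessController:
    """<<Authorization>>: owners read and write their own data; friends only read."""
    def __init__(self, friends):
        self._friends = friends
    def allowed(self, subject, owner, action):
        if subject == owner:
            return True
        return action == "read" and subject in self._friends.get(owner, set())

class GameCloudService:
    """Revised entry points: every call is authenticated, then authorized."""
    def __init__(self, auth, access):
        self._auth, self._access = auth, access
    def _check(self, token, owner, action):
        subject = self._auth.subject(token)
        if subject is None:
            raise PermissionError("not signed in")
        if not self._access.allowed(subject, owner, action):
            raise PermissionError(f"{subject} may not {action} {owner}'s data")
    def get_player_data(self, token, owner):
        self._check(token, owner, "read")
        return PLAYER_DATA.get(owner)
    def save_player_data(self, token, owner, data):
        self._check(token, owner, "write")
        PLAYER_DATA[owner] = data
```

The access controller is where the misuse case "Use without permission" is stopped: a signed-in player who is neither the owner nor a friend gets a PermissionError, and no caller can write another player's record.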
The ability of CSPM to revise the model was investigated via the case study. The proposed process was used in the case study, demonstrating that CSPM is applicable to S&P analysis and during cloud system development, respectively. The problems in the original target system are addressed in the revision. CSPM is effective, at least for a simplified system. However, not all the components of the cloud system were considered by CSPM in the case study. As a system becomes more complex, other issues may arise. Hence, the entire metamodel should be further evaluated in the future.

RQ1:
Can CSPM resolve S&P problems and help application of the corresponding patterns?
In the experiment, EG solved more problems than CG in the same or less time. EG participants selected and applied the appropriate pattern to revise the model thanks to the support of our approach.

Figure 9. Use cases and misuse cases of the Treasure-Hunting Game
Although the knowledge base in this study is small, the proposed method should provide improved results when dealing with more S&P patterns. Our approach, especially the Pattern View structure of the S&P pattern, can identify necessary patterns and improve pattern comprehension.
Unlike previous research, which used metamodels for security issues, this study used CSPM to combine security (i.e., authentication) and privacy (i.e., access right control). This study only considered simple combinations of S&P patterns, which were indicated previously (e.g., Authenticator Pattern with Single Access Point Pattern), due to the small scale of the target system. In the future, more complex systems should be evaluated.

RQ2:
Can CSPM improve the system by efficiently providing S&P solutions?
The ability of Pattern View of CSPM to revise the model was investigated via a case study. The problems in the original target system are addressed in the revision. CSPM is effective, at least for a simplified system. Not all the components of the cloud system were considered by CSPM in the case study. As a system becomes more complex, other issues may arise. Hence, the entire metamodel should be further evaluated in the future. The proposed process was used in the experiment and case study, demonstrating that CSPM is applicable to S&P analysis and during cloud system development, respectively. Both indicate that CSPM is practical in some situations. However, the participants in the experiment provided negative feedback about the metamodel's usefulness. They felt that the current guideline is more useful than the metamodel. Revising the guideline to provide more examples of CSPM usage should improve the practicality of our approach.

CONCLUSION AND FUTURE WORK
CSPM, which deals with S&P in cloud services, can be used in software development. Its effectiveness and usability are confirmed via a case study and an experiment. The case study, which involves an application similar to a commercial one using a conventional cloud platform, suggests that CSPM has practical applications in industrial development.
There are several future directions. The first is to carry out larger and more complex case studies, such as the development of a cloud system with multiple services, to evaluate the effectiveness of CSPM. The second is to apply the concepts in CSPM semi-automatically to detect specific threats. The third is to develop a detailed framework to broaden the usage of CSPM.