A Framework For Orchestrating Secure and Dynamic Access of IoT Services in Multi-Cloud Environments

The document presents a framework for orchestrating secure and dynamic access to IoT services across multi-cloud environments, addressing challenges related to big data management and service orchestration. It proposes a novel model that includes service matchmaking, lightweight authentication, and service level agreement (SLA) management to ensure compliance and security in multi-cloud collaborations. The framework aims to optimize user requirements by allowing access to a variety of IoT services hosted on different cloud platforms, enhancing scalability and efficiency.

SPECIAL SECTION ON INTERNET-OF-THINGS (IOT) BIG DATA TRUST MANAGEMENT

Received August 23, 2018, accepted September 16, 2018, date of publication October 16, 2018, date of current version October 31, 2018.
Digital Object Identifier 10.1109/ACCESS.2018.2873812

A Framework for Orchestrating Secure and Dynamic Access of IoT Services in Multi-Cloud Environments

MUHAMMAD KAZIM, LU LIU (Member, IEEE), AND SHAO YING ZHU (Member, IEEE)
College of Engineering and Technology, University of Derby, Derby DE22 1GB, U.K.
Corresponding authors: Muhammad Kazim ([email protected]), Lu Liu ([email protected]), and Shao Ying Zhu ([email protected])

ABSTRACT IoT devices have complex requirements, but their limitations in terms of storage, network, computing, data analytics, scalability, and big data management require them to be used with a technology like cloud computing. An IoT backend with cloud computing can present new ways to offer services that are massively scalable, can be dynamically configured, and are delivered on demand with large-scale infrastructure resources. However, a single cloud infrastructure might be unable to deal with the increasing demand for cloud services in which hundreds of users might be accessing cloud resources, leading to a big data problem and the need for efficient frameworks to handle a large number of user requests for IoT services. These challenges require new functional elements and provisioning schemes. To this end, we propose the usage of multi-clouds with IoT, which can optimize the user requirements by allowing users to choose the best IoT services from the many services hosted on various cloud platforms and provide them with more infrastructure and platform resources to meet their requirements. This paper presents a novel framework for dynamic and secure IoT service access across multi-clouds using the cloud on-demand model. To facilitate multi-cloud collaboration, novel protocols are designed and implemented on cloud platforms. The stages involved in the framework for allowing users access to IoT services in multi-clouds are service matchmaking (i.e., choosing the best service matching user requirements), authentication (i.e., a lightweight mechanism to authenticate users at runtime before granting them service access), and SLA management (including SLA negotiation, enforcement, and monitoring). SLA management offers benefits such as negotiating the required service parameters, enforcing mechanisms to ensure that service execution in the external cloud is according to the agreed SLAs, and monitoring to verify that the cloud provider complies with those SLAs. The detailed system design to establish secure multi-cloud collaboration is presented. Moreover, the designed protocols are empirically implemented on two different clouds, OpenStack and Amazon AWS. Experiments indicate that the proposed system is scalable, that the authentication protocols result in only a limited overhead compared to standard authentication protocols, and that any SLA violation by a cloud provider can be recorded and reported back to the user.

INDEX TERMS Authentication, IoT, IoT services, multi-clouds, security, secure collaboration, service level agreement, service matchmaking.

I. INTRODUCTION
The Internet of Things (IoT) paradigm has revolutionized the IT industry by bringing together technologies such as Radio Frequency Identification (RFID), Wireless Sensor and Actor Networks (WSANs) and ubiquitous computing domains. The Internet of Things (IoT) connects billions of devices over the Internet. The heterogeneous IoT objects are provided with sensing and actuation capabilities that enable them to capture information from physical objects and send it as data streams [1]. Moreover, IoT objects directly co-operate with physical and virtual resources over the internet to deliver data and functionalities to end users and applications. IoT has played a critical role in advancing human lives by bringing applications with usage in the real world. From the users' perspective, IoT plays a critical role in application scenarios such as smart homes, healthcare, vehicular networks, and

2169-3536 © 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
VOLUME 6, 2018
M. Kazim et al.: Framework for Orchestrating Secure and Dynamic Access of IoT Services in Multi-Cloud Environments

enhanced learning. From the business viewpoint, the major applications of IoT are in the areas of logistics, transportation, agriculture, retail and smart cities. It is predicted that the global IoT services market will grow at a compound annual growth rate (CAGR) of 24 percent until 2021 [2]. As the number of IoT devices increases and they generate large volumes of big data, this brings forward challenges related to data collection, analysis, management, and storage.

Cloud computing has been proposed as a solution that can potentially solve the problem of managing big data in IoT [3]. Some key advantages cloud computing offers are that it is massively scalable, can be dynamically configured, delivers on-demand services and provides users with immediate access to hardware resources without capital investments [4]. Different companies using the cloud have infrastructures that scale over several data centres, and the cloud also has a simple pricing model that lets users pay as they go and only for the services being used. Due to these advantages, cloud vendors including Google (Google Cloud IoT), Amazon (AWS IoT) and Microsoft (Azure IoT Solution Accelerators) are offering services to support IoT devices and services in terms of computing, storage, resource elasticity and data analytics. Despite the benefits offered by the cloud to the IoT sector, the variety and proliferation of services offered by cloud providers raise some challenges relevant to the cloud environment. These challenges include portability issues of IoT services on various IaaS and PaaS platforms, interoperability of distributed IoT applications on various cloud platforms, PaaS dealing with the heterogeneity of cloud protocols to support IoT service interactions, and the requirement of geo-diverse platforms [5].

The multi-cloud architecture can provide a solution to these challenges. A multi-cloud environment is dependent on multiple clouds, and a user can be reliant on multiple communicating cloud service providers such as Amazon, Microsoft, or OpenStack. IoT applications can benefit from the adoption of multi-clouds through their ability to run workloads on best-suited platforms, avoiding the need to migrate legacy IoT applications and creating redundancy to avoid vendor lock-in [6]. Multi-cloud providers are increasingly in demand. In a survey by 451-Microsoft, around 50% of companies' representatives were looking for providers that could provide one-stop shopping from various cloud providers and establish contracts with different providers for additional services on their behalf [7].

Multi-clouds provide an increased level of efficiency to cloud providers by enabling them to share their services for improving revenues. In terms of IoT, the services to be shared between multi-clouds can include SaaS, PaaS or IaaS services, while the clients using these services can be other clouds, organizations or a single user. Other factors driving the adoption of multi-clouds for a cloud provider can vary from dealing with a peak in service requests, having backup servers to diminish downtime scenarios and enhancing its own offers to get a competitive market edge.

In a multi-cloud environment, users access services across multiple cloud providers, which changes the traditional cloud landscape. However, very limited research has been done to support IoT service deployment and access across multi-clouds. Therefore, advanced development frameworks are required that can offer IoT service orchestration across multi-clouds and reduce companies' time-to-market to keep cloud services running smoothly. Along with the service orchestration issues in multi-clouds, many security concerns are also related to their adoption and application. The basic authentication solutions that exist for traditional networks fail to meet the need of a dynamic collaboration of clouds and services (such as IoT services) in multi-clouds. Consider a scenario in which a cloud (local cloud) user is accessing an IoT service located in another cloud (foreign cloud). That cloud user would have no mechanism to verify that the service being used is trustworthy, and neither do they have insights on what is happening with their data being handled by services. In order to trust the cloud services, users depend on the assurances given by the cloud provider. Cloud providers give very limited evidence or accountability to users, which offers them the ability to hide some behavior of the service.

In order to address these challenges, we propose in this paper a novel framework called Multi-cloud Collaboration for IoT (MC-IoT) that can facilitate multi-cloud collaboration and provide guarantees to the user that the software or service (such as an IoT service) running on a foreign cloud node is secure and the agreed service level agreements (SLAs) are not being violated. The key challenge in designing this framework is to develop solutions for multi-cloud that can support efficient authentication and authorization of a large number of cloud users, enable the users to select the most suitable service in the foreign cloud according to their requirements, and ensure that services in the foreign cloud are compliant with the service level agreement (SLA) between user and cloud provider. The proposed framework is based on the NIST cloud computing security architecture standard [8]. It satisfies the following conditions: i) rapid provisioning by automated service deployment; ii) mapping authenticated and authorised data and tasks onto VMs; iii) monitoring the cloud resources, operations and performance; iv) metering active user accounts to guarantee that security policies are always enforced; v) maintaining the service level agreement (SLA) established between customers and service providers.

In an IoT based multi-cloud architecture, hundreds of cloud users might be using thousands of IoT services across multi-clouds. The basic authentication solutions that exist for traditional networks fail to meet the need for a dynamic collaboration of clouds and services in multi-cloud. Therefore, this paper provides a lightweight and novel technique for dynamic authentication which provides single sign-on to users trying to connect to the foreign cloud. The proposed authentication solution achieves better performance than traditional authentication protocols like SAML and Kerberos while maintaining security. Next, we provide a service selection algorithm to select the best IoT service from


multiple cloud providers that best matches the user's quality of service (QoS) requirements. In the next stage, service level agreements (SLAs) are used to ensure security and handle service execution in the foreign cloud. The usage of SLA mechanisms ensures that QoS parameters, including the functional (CPU, RAM, memory etc.) and non-functional requirements (bandwidth, latency, availability, reliability etc.) of users for a particular IoT service, are negotiated and secure collaboration between multi-clouds is set up. The multi-cloud handling user requests will be responsible for enforcing mechanisms that fulfil the QoS requirements agreed in the SLA, while the monitoring phase of the SLA involves monitoring the IoT service execution in the foreign cloud to check its compliance with the SLA and report it back to the user.

MC-IoT has been designed with the goal of enhancing secure multi-cloud collaboration in which cloud providers can easily apply their business model to achieve extended functionalities. The proposed model is based on an architectural solution that can be used to set up multi-cloud collaboration between any clouds irrespective of their underlying implementation. Experiments indicate that the proposed approach supports collaboration among a large number of IoT services across multi-clouds and incurs a minor overhead.

The major contributions of this paper are the following:
• A novel framework is proposed for providing users secure dynamic collaboration and access to IoT services in multi-clouds. The protocols to support the framework and the functionalities of its components responsible for multi-cloud collaboration are presented.
• A dynamic and lightweight authentication protocol to set up single sign-on (SSO) between multi-clouds is presented.
• A service selection algorithm is proposed that achieves high accuracy by providing a distance correlation weighting mechanism among a large number of IoT service QoS parameters.
• Mechanisms to set up service level agreements (SLAs) for multi-cloud collaboration are presented. The various stages in setting up an SLA include negotiation, enforcement and monitoring. They help in negotiating QoS parameters for IoT services between the user and the foreign cloud provider, enforce a mechanism to comply with the agreed SLAs, monitor client usage of the IoT service in the foreign cloud and report back any violation of the SLA.
• Business and use cases are presented to discuss how the proposed framework can be used in various applications.

This paper is organized as follows: Section 2 presents the background of this work and Section 3 presents the framework design with a detailed description of the various protocols for authentication, service selection and SLA management. In Section 4 the workflow of the system components is presented. Experimental results of our system are given in Section 5. Section 6 provides the use cases of this work and Section 7 details the literature review related to the area of multi-clouds and IoT based cloud systems. In the end, the conclusion of the paper is presented.

II. BACKGROUND
Multiple clouds have two delivery models, which are federated cloud and multi-cloud. In federated clouds, there is an agreement between different providers that want to collaborate, and the user is not aware of whether the resources are being used from another cloud. Multi-clouds, however, provide a way for dynamic collaboration between various clouds, as there is no prior agreement between participating clouds and collaboration is established at runtime according to requirements. Moreover, in multi-clouds the user has knowledge of all connected clouds and is directly responsible for the provisioning of services from multiple clouds, which can be more beneficial from the customers' and organizations' perspective. Therefore, this work focuses on multi-clouds so that users and organizations can dynamically access IoT services across various cloud providers. The multi-cloud communication scenario that provides access to IoT services for users across multi-clouds is shown in Figure 1.

In a multi-cloud environment, users access IoT services across multiple cloud providers, which changes the traditional cloud landscape. Multi-clouds offer greater agility, innovation and more intense collaboration, and they can be predicted to become an industry norm to handle IoT big data and their associated applications; however, managing service orchestration is still an open issue. Advanced development frameworks are required that can reduce companies' time-to-market.

Along with the service orchestration issues in multi-clouds, multi-clouds bring many security concerns as well. The traditional authentication solutions that exist for networks fail to meet the need of a dynamic collaboration of users and services in multi-cloud due to performance overhead and/or differences in the underlying authentication mechanisms across different clouds. Along with authentication problems, secure service orchestration is also a challenge. Once a service from a foreign cloud is being used, the cloud users have no mechanism to verify that the service they are using is trustworthy and depend on that provider to ensure service execution. As a user is accessing services in the foreign cloud, the interaction with a malicious or faulty service can lead to the manipulation of data processing results, failure to provide advertised services, violation of security properties such as confidentiality, integrity and availability, and other malicious activities without user consent.

The general mechanisms described in the literature on service security in the cloud are based on having a guarantee that the software or service running on a cloud node is similar to its original implementation and cannot be modified at runtime in the foreign cloud. However, cloud customers cannot know if the service functionality has been altered when using services in the foreign cloud. Therefore, advanced mechanisms are required that can support efficient IoT service


FIGURE 1. Multi-cloud collaboration scenario where user U1 made a request to MC-IoT in the local cloud to access service S3 in the foreign cloud. The multi-cloud collaboration is set up using MC-IoT, after which U1 can directly access service S3.

FIGURE 2. Proposed framework MC-IoT for multi-cloud collaboration.

selection according to client functional and non-functional QoS requirements, provide efficient and secure authentication, and enable service level agreement (SLA) management to ensure that proper mechanisms are implemented to comply with the agreed SLA parameters, and monitor the service execution to guarantee that the foreign cloud always complies with those parameters.

III. PROPOSED FRAMEWORK (MC-IoT)
Based on the heterogeneous requirements of multi-clouds and IoT services, we propose a novel framework named MC-IoT that can enable dynamic collaboration between users and services in multi-clouds. The architecture of MC-IoT involves various components that have been implemented in each participating cloud to achieve the secure


multi-cloud authentication. The components involved in the system design are the authenticator for managing identity and authorization, the controller to manage user requests and communication with external clouds (functionality described in Section 4), the matchmaker to select a suitable IoT service meeting the user specifications, and the SLA coordinator for managing SLA negotiation, enforcement and authorization.

Figure 1 displays the various components in a local cloud used to communicate and collaborate with foreign clouds. All the system components serve different functions, which are described below. In this paper, the communicating clouds are referred to as the local cloud (in which the user is located) and the foreign cloud (to which the user needs access and with which collaboration has to be established).

A. COLLABORATION OBJECTIVE
The objective of multi-cloud collaboration is for the maximum number of user requests from the local cloud to be handled and successfully granted access to services in the foreign cloud. The overall objective of multi-cloud collaboration for M cloud users (j = 1, 2 . . . M) in the local cloud, with requests for S IoT services (i = 1, 2 . . . N) in a foreign cloud, can be formally defined as:

$$O(i, j) = \max \sum_{i=1}^{N} \sum_{j=1}^{M} \left(R_{ij} - C_{ij}\right) \qquad (1)$$

In the above equation, N and M are the number of services requested and the number of users making requests, respectively. $R_{ij}$ is the required number of user requests for IoT services to be granted, while $C_{ij}$ is the number of IoT services that were actually granted.

B. INITIALIZATION PROTOCOL
The initialization protocol is the first step and is used to set up the system services, parameters and attributes required for multi-cloud collaboration. When the required services are booted in MC-IoT and a user request for multi-cloud access is received, the authentication service in the Authenticator component establishes whether it has a certificate for that user that can be used for authentication with foreign clouds. If the certificate does not exist in the cloud, the Authenticator, which is a RESTful web service, submits a request on behalf of its cloud to the Trusted Party (TP) for certificate generation.

A feature of the TP is to generate a certificate for a cloud after receiving a request and the cloud parameters, and to use a function to map the certificate to the client ID, which is returned to the requesting cloud. The Authentication Service of the cloud receives the certificate and stores it to be used for communication with foreign clouds. Similarly, it is the responsibility of the Authenticator component to ensure that the certificate obtained from the TP is valid and to get a new certificate if the existing one is revoked or rejected by the foreign cloud.

Algorithm 1 System Initialization ()
 1. BEGIN: Boot the required services to enable multi-cloud collaboration
 2. while (the system is running)
 3.   for i = 1 to n:
 4.     LC (Auth_service) -> Check (Cert)              // Checking client's cert
 5.     if Valid (Cert):
 6.       goto 17
 7.     else:                                           // Request a new certificate from TP
 8.       Auth_service -> Send_request (Cert, ID) -> TP
 9.       LC -> Mapping_data(LC) -> TPi
10.       TPi -> Publish(Cert)
11.       TPi -> Send_certificate (Cert) -> LC
12.       LC (Auth_service) -> Receive (Cert)
13.     end if
14.     LC (Auth_service) -> Check (Cert)
15.     if Valid (Cert):
16.       wait (Request)
17.     else:
18.       goto 7
19.     end if
20.   end for
21. END

C. AUTHENTICATION PROTOCOL
This protocol describes how multi-cloud authentication is set up between participating clouds. In a distributed environment, usually a large number of clouds are present, with each cloud having tens of users, which makes credential management a big challenge. Moreover, in a dynamic communication setup between multi-clouds, each cloud might have different authentication mechanisms. This raises the need to develop a single sign-on (SSO) authentication mechanism by which any cloud user in the local cloud can authenticate itself with the foreign cloud and access the required resources. In our case, we use a Trusted Party (TP) which acts as an identity provider on which a requesting user must hold a digital identity, based on which the TP grants a digital certificate to that user that it can use to authenticate with the foreign cloud. Since the foreign cloud also trusts the TP, the user is able to authenticate itself and access resources based on that certificate.

We assume that the local cloud's request is composed of two parts, namely the certificate and the required cloud service. Initially, a certificate is sent by the local cloud (LC) to the foreign cloud (FC) to prove its identity. This certificate contains a set of attributes including the cloud identifier, digital signature, and validity period of the certificate. This message is encrypted with the public key of FC.

FC checks the validity of the certificate sent by LC. If the certificate is valid, FC then sends a response message


to LC that it is authenticated. However, if the certificate is invalid, FC sends a failed-authentication message to LC and waits for a new certificate. This message is encrypted with the public key of LC. In case the message received from FC is that the authentication certificate was invalid, LC sends a message with its credentials to the Trusted Party (TP) to generate a new certificate. TP generates a new certificate and sends it to LC, which forwards it to FC.

FC checks the new certificate received from LC. If the certificate is invalid again, the authentication request is terminated. If the authentication of LC is successful, FC and LC exchange nonce messages to agree on a session key using the Diffie-Hellman (DH) algorithm [9]. Since the DH key exchange is performed after the certificate exchange, it is called authenticated DH, which is more secure than plain DH.

After cloud authentication, LC sends a message to FC containing the client authorization details as well as the resources required from FC. As FC receives the details of the IoT services to be accessed and the required-resources message, it locally computes whether the tasks from LC have the authorization to access the required services. The corresponding FC computes the status of the IoT services associated with the request. The status is computed because users on a local cloud can have different privilege statuses that affect their level of access to resources. For example, only doctors might have access to some expensive IoT services, and other hospital staff might not have access to them. The returned result is one of the following possible statuses:
• Privileged
• Non-privileged
If the result returned is Privileged, users are granted access to services; otherwise they are not granted access.

Algorithm 2 Authentication and Authorization ()
 1. BEGIN
 2. Data: request: Communication request received by cloud controller
 3. LC -> Send_request (authentication) -> FC         // Secured using SSL
 4. for j = 1 to n do:
 5.   FC -> Verify (Cert, ID)
 6.   if Verify (Cert, ID):
 7.     goto 17
 8.   else:
 9.     FC -> Send_request (New_Cert) -> LC
10.   end if
11.   LC -> Send_request ((Cert), Profile) -> TP
12.   TP -> Send (Cert) -> CC                         // Generates updated certificate for LC and sends to LC
13.   LC -> Send_msg (Cert) -> FC
14.   if Not_valid (Cert):
15.     End
16.   else:
17.     FC -> Send_msg(n) -> LC
18.   end if
19.   FC -> Wait (response) -> LC
20.   if no_resp():
21.     End
22.   else:
23.     LC -> Send_msg(n+1) -> FC                     // encrypted using LC-FC session key generated by DH
24.     FC -> Send_msg(request_authorization) -> LC   // encrypted using LC-FC session key
25.     LC -> Send_msg(Send_LCAuthorization_level) -> FC   // encrypted using LC-FC session key
26.     FC -> compute_local_level (LC)
27.     if compute_local_level = True:
28.       FC -> Authentication_local (LC, FC, +)
29.     else:
          FC -> Authentication_local (LC, FC, -)
30.     end if
31.   end if
32. end for
33. END

D. SERVICE MATCHMAKING
The states of cloud services can change dynamically during runtime. Moreover, the dynamic collaboration between users in multi-clouds can make automatic service detection complicated. Cloud customers can have varying requirements, and in multi-cloud scenarios the best services that can meet their required quality of service (QoS) need to be selected from various providers.

To select the most suitable services, the first goal is efficient discovery according to the characteristics of services. Service discovery for dynamic multi-cloud collaboration can be hard due to requirements such as satisfying service QoS, functionalities and other metrics. Moreover, the lack of central repositories for cloud services makes service selection a challenging task.
There might be cases when no single service would be able to satisfy all user requirements, and the service that matches the most requirements might need to be selected. This leads to partial matchmaking, where the service that matches the most required QoS criteria will be selected. In this section, we propose an efficient and dynamic algorithm for the selection of cloud services in multi-cloud scenarios based on partial or closest matching of service QoS attributes. This protocol for service selection is an extension of our previous work on partial web service selection for disaster services [10].

The proposed protocol has three essential characteristics.
• Firstly, the proposed protocol provides service selection among all services in a dynamic decentralized environment of multi-clouds with high accuracy.


• Secondly, different QoS requirements of services can be supported. If there is no exact match between the user's QoS requirements and the available services, the services matching the most requirements are selected using partial matching.
• Thirdly, the protocol is able to support a large number of services, and by using a distance-correlation weighting mechanism it can support various IoT service QoS requirements such as response time, availability, reliability, cost, energy, throughput, latency and best practices.

Once a cloud controller receives responses from the various foreign clouds that can deliver the required service, it communicates with the service matchmaking module to select the required service.

1) USER REQUEST AND SERVICE QOS ANALYSIS (PHASE 1)
The process of service selection starts with the cloud controller passing the requirements to the service matchmaking module; these include the required service and the desired QoS. For example, one user might value high throughput over cost saving, while for another user it might be the opposite. Moreover, the module collects the results of available services in the foreign cloud from the controller component.
Here we define the notation for the request types:
• RQ represents the set of user functional QoS requirements, RQ = {q_1, q_2, q_3, ..., q_n}, where n ∈ N.
• S is the set of available services with similar functionality, S = {s_1, s_2, s_3, ..., s_m}, where m ∈ N.
• Each service in S has a QoS property matrix; QS = {QS_1, QS_2, QS_3, ..., QS_i}, where QS_i = {q_i1, q_i2, q_i3, ..., q_ij}, i, j ∈ N. QS_i represents the quality matrix for service i.

2) REQUIREMENT MATRIX CONSTRUCTION (PHASE 2)
Once the QoS requirements have been gathered, the module collects all possible service offers and their associated QoS parameters. These are used to construct the accuracy matrix and to calculate the ranks of the offers.
In an ideal scenario, the user QoS requirements RQ would coincide with the service QoS parameters given in QS_i. In other words, an ideal service for the user request can be represented as

$$
RQ = QS_i
$$

However, in a real scenario the user requirements RQ and the quality matrices QS_i will differ. Therefore RQ is taken as the baseline and the quality matrices are arranged in the following way:
• If the quality matrix QS_i lacks a parameter of the user requirements RQ, the corresponding entry is assigned 0 (and the service is removed if that parameter is mandatory).
To construct the accuracy matrix, the n consumer requirements RQ are identified along with the m available services that can satisfy the user requirements, and an m × n matrix R is constructed. The columns of the matrix represent the QoS parameters RQ, while each available service is represented by a row for the selection process.
The requirement matrix R can be defined as:

$$
R = \begin{array}{c|cccc}
 & RQ_1 & RQ_2 & \cdots & RQ_n \\ \hline
S_1 & r_{11} & r_{12} & \cdots & r_{1n} \\
S_2 & r_{21} & r_{22} & \cdots & r_{2n} \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
S_m & r_{m1} & r_{m2} & \cdots & r_{mn}
\end{array}
$$

A service not satisfying the mandatory QoS requirements RQ is removed from the selection process.

3) ACCURACY MATRIX CONSTRUCTION (PHASE 3)
The calculation of the accuracy matrix A depends on the tendency of the QoS parameters. The tendency describes how the numeric value of a QoS parameter changes for a service to be regarded as better; it indicates whether high or low values of a QoS parameter are preferred in the ideal case. For example, an ideal service will have high availability and throughput, while its response time and latency should be low.
Using the QoS range described by the user and the QoS offered by the service, the elements of the accuracy matrix are calculated using case-dependent formulae, as in the equations below.
For parameters with high tendency:

$$
\begin{cases}
\dfrac{Q_{ij}}{Q_l} & \text{when } Q_{ij} < Q_l \\[8pt]
\dfrac{Q_{ij} - Q_l}{Q_h - Q_l} + \alpha & \text{when } Q_l \le Q_{ij} \le Q_h \\[8pt]
\dfrac{Q_{ij}}{Q_{max}} + \beta & \text{when } Q_{ij} > Q_h
\end{cases}
$$

For parameters with low tendency:

$$
\begin{cases}
\dfrac{Q_h}{Q_{ij}} & \text{when } Q_{ij} > Q_h \\[8pt]
\dfrac{Q_h - Q_{ij}}{Q_h - Q_l} + \alpha & \text{when } Q_l \le Q_{ij} \le Q_h \\[8pt]
\dfrac{Q_{min}}{Q_{ij}} + \beta & \text{when } Q_{ij} < Q_l
\end{cases}
$$

In the above equations, Q_ij is the value of the ith QoS property of the jth service, Q_l is the lower limit of the user requirement for the attribute and Q_h is its upper limit. Q_max and Q_min are respectively the maximum and minimum values of that QoS property offered by any service. α and β belong to {1, 2, 3, ...}, with α < β. The fractional parts of the above equations lie in the range [0, 1].
α and β are used to differentiate between the loose range, the preferred range and the tight range. The preferred range for any parameter lies between Q_l and Q_h. If a value falls in this range, α is added to the normalized value so that the result lies in the range (α, α+1). Values in the loose range (between Q_min and Q_l for high-tendency parameters, and between Q_h and Q_max for low-tendency parameters) are normalized between 0 and 1. Values in the tight range (between Q_h and Q_max for high-tendency parameters, and between Q_min and Q_l for
VOLUME 6, 2018 58625



low-tendency parameters) are normalized by adding β, so that the results lie in the range (β, β+1). Therefore all values in the accuracy matrix lie in (0, β+1), which keeps them consistent. Moreover, β > α guarantees that the higher range always has a higher value in the accuracy matrix than the other two ranges.
The results of these equations form the accuracy matrix A, which shows how precisely each service matches the user requirements. After constructing the accuracy matrix, the rank of each service is calculated as follows:

$$
R_i = \sum_{j=1}^{n} A_{ij} \cdot W_j \tag{2}
$$

In the above equation, R_i represents the rank of service i, A_ij represents the accuracy value of the jth QoS property of service i, and W_j represents the weight of the jth QoS property.

E. SLA NEGOTIATION
The SLA coordinator receives the user requirements and the SLAs from the foreign cloud and negotiates a dynamic SLA between them. These SLAs exist within the customer domain that wants to access foreign cloud resources. From the client viewpoint, SLAs define the mechanisms to securely access services, while cloud administrators use the SLAs to manage the mechanisms for offering cloud services. The SLA coordinator negotiates the SLAs on behalf of the user if there is a full match of the QoS requirements with the stated SLAs. However, as described earlier, there might be a partial match, after which the user can negotiate the SLAs itself. Therefore the SLA coordinator component in MC-IoT offers added features to customers, such as negotiating an SLA or switching to a new provider in a multi-cloud scenario if the selected provider and the user cannot agree on an SLA.
As discussed earlier, the matchmaking component checks the service specifications, such as base service, features and cost, and recommends them to the user. SLA negotiation involves agreeing on the service terms for the SLA and QoS parameters, the measurement metrics (service level objectives) and how the metrics will be measured. Service providers also check whether they can provide the requested service and perform a basic risk evaluation, since the provider's reputation is at stake if it fails to provide the service agreed in the SLA.
Integrating security parameters within SLAs is a novel problem on which very limited research has been done. For the case of secure multi-cloud collaboration, we propose a service level objective (SLO) called service identity, which can help customers negotiate SLAs for secure service execution on the foreign cloud.

1) SERVICE IDENTITY
Service identity is an important property for maintaining strong IoT service security and compliance in the foreign cloud. A set of j services F_i deployed on a single cloud platform, with functional properties Func_i and non-functional properties NFunc_i, can be defined as:

$$
F_i = \{Func_i, NFunc_i\}, \qquad 1 \le i \le j
$$

During service execution in the foreign cloud, both the functional and the non-functional properties of the service instances being used by users must be maintained. Functional properties of instances that could be violated include a change in the code or implementation of the service that makes it perform other activities, affecting the original behaviour of the service. Non-functional issues include the service taking more processing time, charging more than agreed, or remaining unavailable during required times.
If F is the original service deployed by the service provider in the cloud after agreeing the SLAs, and F' is the instance of that service running in the cloud that is being used by the client, service identity is satisfied only if F = F' holds for that particular instance of F during its entire lifecycle, from deployment to decommissioning. Service identity can be described by the following equation:

$$
F \equiv F' \tag{a}
$$

In order for the functional properties of a service instance F' to hold, its functional properties must be the same as

Algorithm 3 Service Matchmaking ()
1. BEGIN
2. Data: Input: <Client functional and non-functional QoS requirements (CR)>, <List of services (LS)>
3. Service LS = {1, 2, ..., n}; // Total list of available services
4. <Service, CR> ServiceContenderList (SCL) = NULL // List of services satisfying requirements
5. Service S = NULL // Single service instance
6. CR Q = NULL // Single QoS requirement
7. <Service, CR> O = NULL;
8. For each S in LS do:
9.     if (Satisfy(S, CR)) // Add to SCL all appropriate services matching user requirements
10.        SCL.add(S, CR)
11.    end if
12. end for
13. For each O in SCL do:
14.    for each Q in O.CR do:
15.        Normalize(AccuracyMatrix(Max(Q), Min(Q))) // Generate accuracy matrix
16.    end for
17. end for
18. For each O in SCL:
19.    Score = Calculate_Score(O.Service) // Calculate score of each service
20. end for
21. SCL.sort(Score) // Rank all services in SCL
22. Return SCL
23. END
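The following Python block is an added example and not the authors' code: it implements the service selection of Phases 2 and 3, the weighted rank of eq. (2) and the steps of Algorithm 3 in one runnable module. It assumes that each user requirement is given as a range [Q_l, Q_h] with a tendency flag and a weight W_j (0.5 when the user gives none), that α < β as in the text, and the requirements and foreign-cloud offers below are constructed for illustration. It also exercises the partial-matching case (an optional parameter a service does not offer) and the mandatory-parameter removal of Phase 2.

```python
"""Service matchmaking as described in Phases 2 and 3, eq. (2) and Algorithm 3.

Added example, not the authors' code. Assumptions: each requirement is a range
[Q_l, Q_h] with a tendency flag and a weight W_j (0.5 when not specified),
alpha < beta as in the text, and the sample requirements and offers below are
constructed for illustration.
"""
from dataclasses import dataclass

ALPHA, BETA = 1, 2   # alpha < beta, both in {1, 2, 3, ...}


@dataclass(frozen=True)
class Requirement:
    name: str
    low: float            # Q_l: lower limit of the user's accepted range
    high: float           # Q_h: upper limit of the user's accepted range
    high_is_better: bool  # tendency of the parameter
    weight: float = 0.5   # W_j; medium importance when not specified
    mandatory: bool = True


def _ratio(num, den):
    # Every divisor in the page's formulas is an offered or required value; it
    # can only be zero when the numerator is zero too, so 0 is the natural value.
    return num / den if den else 0.0


def accuracy(q, req, q_min, q_max):
    """Accuracy value of one offered value q under requirement req.

    Loose range -> (0, 1), preferred range -> (alpha, alpha+1),
    tight range (better than the user asked for) -> (beta, beta+1).
    q_min / q_max are the extremes of this parameter over all offers.
    """
    if req.high_is_better:
        if q < req.low:                       # loose: below the accepted range
            return _ratio(q, req.low)
        if q <= req.high:                     # preferred range
            return _ratio(q - req.low, req.high - req.low) + ALPHA
        return _ratio(q, q_max) + BETA        # tight: exceeds the upper limit
    if q > req.high:                          # loose: above the accepted range
        return _ratio(req.high, q)
    if q >= req.low:                          # preferred range
        return _ratio(req.high - q, req.high - req.low) + ALPHA
    return _ratio(q_min, q) + BETA            # tight: below the lower limit


def matchmake(requirements, offers):
    """Return [(service, rank)] best first; [] when no service qualifies.

    offers maps service name -> {parameter name: offered value}.  Phase 2:
    a service lacking a mandatory parameter is dropped; a missing optional
    parameter gets accuracy 0 (partial matching).  Phase 3 + eq. (2):
    rank_i = sum_j A_ij * W_j.
    """
    contenders = {
        svc: qos for svc, qos in offers.items()
        if all(r.name in qos for r in requirements if r.mandatory)
    }
    if not contenders:
        return []
    bounds = {}                               # (Q_min, Q_max) per parameter
    for r in requirements:
        vals = [qos[r.name] for qos in contenders.values() if r.name in qos]
        bounds[r.name] = (min(vals), max(vals)) if vals else (0.0, 0.0)
    ranked = []
    for svc, qos in contenders.items():
        rank = 0.0
        for r in requirements:
            if r.name in qos:
                q_min, q_max = bounds[r.name]
                rank += accuracy(qos[r.name], r, q_min, q_max) * r.weight
        ranked.append((svc, round(rank, 4)))
    ranked.sort(key=lambda t: t[1], reverse=True)
    return ranked


# Constructed sample: three QoS requirements and four foreign-cloud offers.
SAMPLE_REQUIREMENTS = [
    Requirement("availability", 99.0, 99.9, high_is_better=True, weight=1.0),
    Requirement("latency_ms", 20.0, 50.0, high_is_better=False, weight=0.8),
    Requirement("cost", 0.5, 1.0, high_is_better=False, mandatory=False),
]
SAMPLE_OFFERS = {
    "svcA": {"availability": 99.5, "latency_ms": 30.0, "cost": 0.8},
    "svcB": {"availability": 99.95, "latency_ms": 60.0, "cost": 0.4},
    "svcC": {"availability": 98.0, "latency_ms": 25.0},     # no cost offered
    "svcD": {"latency_ms": 10.0, "cost": 0.2},              # lacks availability
}

if __name__ == "__main__":
    for svc, rank in matchmake(SAMPLE_REQUIREMENTS, SAMPLE_OFFERS):
        print(f"{svc}: {rank}")
```

Note that svcB wins although its latency is outside the accepted range: its availability and cost fall in the tight range and receive the β offset, which by construction outweighs any preferred-range value. A practitioner who does not want a single over-delivered parameter to mask a missed one should either make that parameter mandatory with a hard bound or reduce β towards α.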




the original instance. The case of non-functional properties is more complex, as the service state can change dynamically at runtime. Moreover, each user will have different QoS requirements for a service. As an example, users X and Y using different instances F' of the same service F can have different availability and cost requirements. Therefore we define threshold values for the non-functional parameters that a service instance must maintain to ensure service identity.
The non-functional parameters of a service agreed in the SLA can be defined as a tuple:

$$
NFunc = \{Min_i, Max_i, W_i\}, \qquad 0 \le i \le l
$$

where i is the QoS parameter, Min and Max show the accepted boundaries or threshold values for that parameter, and W denotes the weight assigned to that parameter by the user, which shows the importance the user gives to it. The range of W is [0, 1]; a higher value shows that the parameter is important to the user and will have a larger impact on service quality, and vice versa for a lower value. If the user does not define W_i for a parameter, medium importance is given to it by choosing the middle value of the range of W, which is 0.5. For the non-functional properties of an instance to hold, the following condition must be satisfied at all times:

$$
Min_i \le NFunc_i \le Max_i \tag{b}
$$

To comply with functional requirements such as security, different techniques can be agreed in the SLA to ensure that the functional behaviour of the service instance F' will not change. For example, to maintain service identity, a trusted platform module (TPM) based mechanism could be used. The functional property of a service can be defined as:

$$
F - F' = \emptyset \tag{c}
$$

If both equations (b) and (c) hold, then equation (a) holds. However, if the service's security is compromised, the relation becomes F' ⊃ F, meaning that service identity does not hold.
Meanwhile, various authors have proposed definitions of other functional and non-functional metrics (SLOs) for IoT services that can be agreed between customer and provider during SLA negotiation. These parameters include request latency, availability, accessibility, service throughput, completion time, mean time to repair and mean time to failure, energy cost and financial cost.
The proposed system uses WSDL to express the functional security requirements and the non-functional requirements. The XML data structures are generated on the basis of the WSDL document, the service interface definition and its implementation. Therefore QoS tags are associated with a new category to capture security and other properties. The protocols for SLA management are implemented in the form of a REST-based service and API.

F. SLA ENFORCEMENT
Once a user is authorized to access cloud resources, the next stage is the enforcement of security mechanisms by the provider. In this stage, mechanisms are implemented that can guarantee the SLA assurances. Enforcement of the agreed SLA is done in two stages. The first stage involves implementing the software modules that can be activated to acquire resources for enforcing security policies; the second stage involves dynamic reconfiguration of the resources after a security alert is generated.
This paper focuses on the implementation of mechanisms for the non-functional properties of IoT services, to ensure that the service complies with the defined SLA policy. The SLA enforcement policies are applied by the foreign cloud in its own infrastructure, by acquiring enough resources for service execution and employing the required mechanisms. The QoS parameters mentioned in the SLAs are measured by maintaining current system configuration information and runtime information about the parameters that are part of the SLOs (measurable metrics). Depending on the client requirements, some or all SLA parameters could be measured, and SLOs such as request latency or service throughput could be measured by retrieving resource metrics.
The development of mechanisms for maintaining the functional property is not in the scope of this paper. We discuss various mechanisms from the literature that could be deployed for secure service execution, such as trusted computing. Trusted computing is a paradigm used to enforce trustworthy behaviour of computing platforms. It is based on a hardware crypto-processor named the Trusted Platform Module (TPM) [11]. This feature can be used to run services only on those cloud nodes whose fingerprints are trusted [12]. Various TPM-based mechanisms for cloud computing have been proposed for the security of services, data and other resources. Excalibur [12] is a system that can be used to design trusted computing services for the cloud. It uses policy-sealed data (data encrypted according to a customer policy) that can only be unsealed (decrypted) by nodes whose configuration matches the node policy. Excalibur uses attribute-based encryption to bind policies and attributes to node configurations. A mechanism that uses a hardened hypervisor to attest that the image of the VM running on a cloud node is the same as the one originally uploaded by the service provider and initiated by the cloud was proposed by Bouchenak et al. [13]. It confines the execution of the VM to secure nodes inside the cloud and guarantees that even a system administrator with root privileges cannot tamper with the VM memory. Other recommendations provided by NIST for hardening the hypervisor include maintaining proper isolation, separating the duties of administrative functions and restricting administrator access to security checks [14].

G. SLA MONITORING
Currently, no solutions exist to check SLA compliance for user support. However, researchers have recommended using monitoring mechanisms to check for SLA compliance on




FIGURE 3. Workflow of MC-IoT.

the cloud provider side, which involves (i) verifying that the SLAs are followed through infrastructure access, and (ii) generating an alert notification if the SLAs are violated, so that corrective steps can be taken.
Monitoring could be performed either by the client, from data received from the cloud provider, or by the cloud provider at the infrastructure level, which is the focus of this paper. The input to the monitoring component, provided by the cloud provider, is the set of formal requirements to be monitored, expressed in a formal language such as XML. The monitoring component then derives the patterns of events that could occur during service execution and imply an SLA violation. The proposed system uses event-driven modules to collect all generated events and performs the required filtering before analysing them. The description of the event captors and the monitor is used to monitor the SLA parameters.
The analysis is performed on the captured events to check whether any of them indicates an SLA violation. If a security violation is reported by the monitoring component, it logs the event and estimates the current status of the service. The monitor also reports to the user whether the foreign cloud is compliant with the signed SLA. In case of SLA violations, the user can enforce penalties on the provider.

IV. WORKFLOW
This section explains the workflow of the overall system and the details of its components. A user request to connect to a foreign cloud to access an IoT service is received by the cloud controller, which advertises the request to multiple foreign clouds and receives their responses. The service matchmaker selects the best provider based on the user's QoS requirements. The authenticator is responsible for authentication, while the SLA coordinator is responsible for SLA management. The workflow of the proposed system is shown in Figure 3.

A. CLOUD CONTROLLER
This is the major component responsible for handling multi-cloud communication and authentication. The controller is implemented as a RESTful web service in the cloud and its responsibilities are twofold: first, in the local cloud, when it wants to access a foreign cloud, and second, in a foreign cloud, when a connection request is received.
When a user in the local cloud needs to access a service in a foreign cloud, it is the responsibility of the controller to establish a connection with the foreign cloud. Before sending a message to the foreign cloud, it communicates with the local authenticator component to obtain the certificate. After sending an authentication request on behalf of the local cloud, it establishes the communication channel by sharing session keys.
In a foreign cloud, communication requests from the local cloud are received by the cloud controller. The cloud controller is then responsible for checking whether (a) the requested service is available in the foreign cloud and (b) the connecting local cloud is trustworthy, and for (c) responding to the requesting cloud.

B. AUTHENTICATOR
The authenticator component is responsible for managing authentication between multi-clouds. Once the communication request from the local cloud reaches the foreign cloud, the cloud controller of the foreign cloud connects with the authenticator to verify whether the connecting user (of the local cloud) is trusted. When the authenticator component receives the message containing the identity of the local cloud and its digital certificate, it checks whether the certificate is valid and responds to the controller component. Based on the response from the authenticator, the cloud controller of the foreign cloud responds to the cloud controller of the local cloud.
In a local cloud, when a collaboration request is to be sent to a foreign cloud, the authenticator is responsible for contacting the trusted party (TP), which generates the certificate for the local cloud, signs it and returns it to the local cloud. Before sending a communication request to the foreign cloud, the local cloud controller obtains its certificate from the authenticator.

C. TRUSTED PARTY
The trusted party (TP) is the identity provider responsible for handling authentication among multi-clouds. It holds a list of trusted cloud providers, and before establishing a session the connecting clouds communicate with it to acquire their certificates. After receiving a certificate request, it generates a certificate, signs it with its private key and returns it to the requesting cloud. Any cloud registered with a TP accepts as genuine a certificate whose signature verifies under the public key of that particular TP.

D. SLA COORDINATOR
This component is responsible for managing SLAs in the proposed framework. It has features including adaptability and rapid response. It initially selects the suitable service for a client in the local cloud, based on the client's requirements, using negotiation. Once a foreign cloud provider has been selected, the security and QoS parameters are negotiated. The enforcement




component is responsible for ensuring that service execution in the foreign cloud is according to the QoS parameters agreed in the SLA. Moreover, the monitor is responsible for ensuring that the service delivered by the cloud provider complies with the SLA, and in case of an SLA violation it reports that violation to the service provider.
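As an added example, not the authors' code, the following Python block shows what the enforcement and monitor components described above have to compute: the service identity SLO of Section E.1 (conditions (b) and (c), with W_i defaulting to 0.5) and the event-driven monitoring of Section G, including the red/green status per parameter that the client UI displays and the detection delay between an event and the monitor's decision. It assumes that the functional property (c) is checked as a SHA-256 digest of the deployed artefact (a simplification standing in for the TPM-based attestation the paper cites), that runtime metrics arrive as events carrying the time they occurred and the time the monitor decided on them, and the agreed parameters, artefact and events below are constructed.

```python
"""SLA compliance monitor for the service identity SLO, conditions (a)-(c).

Added example, not the authors' code. Assumptions: the functional property
(c) is checked as a SHA-256 digest of the deployed artefact, standing in for
the TPM-based attestation the text cites; runtime metrics arrive as events
carrying the time they occurred and the time the monitor decided on them;
the agreed parameters, the artefact and the events below are constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class NFunc:
    """One non-functional parameter of the SLA tuple {Min_i, Max_i, W_i}."""
    name: str
    minimum: float
    maximum: float
    weight: float = 0.5      # medium importance when the user gives no weight

    def holds(self, value):
        """Condition (b): Min_i <= NFunc_i <= Max_i."""
        return self.minimum <= value <= self.maximum


def artefact_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class SLAMonitor:
    """Event-driven monitor: logs violations and reports red/green per SLO."""

    def __init__(self, agreed_digest: str, params):
        self.agreed_digest = agreed_digest             # digest of F as deployed
        self.params = {p.name: p for p in params}
        self.latest = {}                               # last value per parameter
        self.violations = []                           # logged violation events

    def functional_identity_holds(self, running_artefact: bytes) -> bool:
        """Condition (c): F - F' is empty, i.e. the running instance is F."""
        return artefact_digest(running_artefact) == self.agreed_digest

    def observe(self, event_time_ms, name, value, decided_at_ms):
        """Feed one runtime metric; returns True when it violates the SLA."""
        param = self.params.get(name)
        if param is None:
            return False          # not an agreed SLO: filtered out, not checked
        self.latest[name] = value
        if param.holds(value):
            return False
        self.violations.append({
            "param": name, "value": value,
            "bounds": (param.minimum, param.maximum),
            "detection_delay_ms": decided_at_ms - event_time_ms,
        })
        return True

    def report(self):
        """Status per parameter ('green' = compliant) and a weighted score."""
        status, weighted_ok, total = {}, 0.0, 0.0
        for name, param in self.params.items():
            ok = name in self.latest and param.holds(self.latest[name])
            status[name] = "green" if ok else "red"
            total += param.weight
            weighted_ok += param.weight if ok else 0.0
        score = round(weighted_ok / total, 4) if total else 0.0
        return status, score

    def identity_holds(self, running_artefact: bytes) -> bool:
        """Condition (a): F == F' only if both (b) and (c) hold."""
        status, _ = self.report()
        return (self.functional_identity_holds(running_artefact)
                and all(s == "green" for s in status.values()))

    def mean_detection_delay_ms(self):
        if not self.violations:
            return 0.0
        return sum(v["detection_delay_ms"] for v in self.violations) / len(self.violations)


# Constructed sample SLA, deployed artefact and captured events.
AGREED_PARAMS = [
    NFunc("availability", 99.0, 100.0, weight=1.0),
    NFunc("latency_ms", 0.0, 50.0, weight=0.8),
    NFunc("cost_per_hour", 0.0, 1.0),          # weight defaults to 0.5
]
DEPLOYED_ARTEFACT = b"iot-service:v1.4"         # stand-in for the service code
EVENTS = [  # (event time ms, parameter, value, monitor decision time ms)
    (1000, "availability", 99.5, 1120),
    (1050, "latency_ms", 72.0, 1170),           # exceeds Max -> violation
    (1100, "cost_per_hour", 0.9, 1230),
    (1150, "throughput", 500.0, 1250),          # not an agreed SLO
]


def run_sample():
    monitor = SLAMonitor(artefact_digest(DEPLOYED_ARTEFACT), AGREED_PARAMS)
    for event_time, name, value, decided_at in EVENTS:
        monitor.observe(event_time, name, value, decided_at)
    return monitor


if __name__ == "__main__":
    m = run_sample()
    print(m.report(), m.violations, m.identity_holds(DEPLOYED_ARTEFACT))
```

Two points worth noting for a deployment. The functional check compares a digest supplied by the same party that runs the instance, so it is only as trustworthy as the measurement source; the TPM-based attestation cited in Section F exists precisely to make that measurement independent of the cloud administrator. And the weighted score is a summary for the user; the service identity SLO itself is all-or-nothing, which is why `identity_holds` requires every parameter to be green.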

V. EXPERIMENTS AND RESULTS


FIGURE 4. Authentication time for various instances.
FIGURE 5. Performance comparison of the proposed authentication scheme in a multi-cloud scenario.
FIGURE 6. Precision of the accuracy matrix for service selection.

To examine the feasibility of the proposed design empirically, it was implemented on two different clouds. The experiments were conducted to assess (i) the scalability of the proposed system and (ii) the runtime overheads of the system during a collaboration between multi-clouds.
The prototype was tested on two different cloud infrastructures. One was an OpenStack cloud based at the University of Derby. This setup consists of six server machines; each machine has 12 cores (two 6-core Intel Xeon processors running at 2.4 GHz), 32 GB RAM and 2 TB of storage. The cloud nodes on which the experiments were performed had 4 vCPUs running at 2.4 GHz each, 8 GB RAM and 100 GB of data storage per node. The second cloud was based on Amazon AWS; its cloud nodes had 4 vCPUs, 8 GB RAM and 100 GB storage.
Both the cloud controller and the cloud authenticator are deployed as web services, which helps avoid tightly bound security, while WS-Agreement was used to implement the SLA components. To enable the interaction among the components of the prototype according to the proposed system, the cloud controller of the local cloud submits requests for resources to the foreign clouds. When the foreign cloud controller initializes and receives a request for available services from a local cloud, it exchanges information about the available services and their characteristics.
In the experiments, to check the scalability of the system, a large number of service requests were initially created in the local cloud so that they could be connected to multiple instances in the foreign cloud. To start the communication, the cloud controller of the local cloud invokes the cloud controller in the foreign cloud. This is followed by various operations in the foreign cloud, including checking the availability of the required services, verifying whether the local cloud user that wants to connect is authorized, and SLA negotiation to agree the functional and non-functional requirements of the services that need to be satisfied. After authentication and communication among multiple instances, a large number of users from the local cloud were able to request multi-cloud collaboration and access service instances in the foreign cloud, and those instances were generated according to the negotiated SLA parameters.
To evaluate the overhead caused by the protocol, the time taken by different operations was measured. The time taken by different instances during authentication in the foreign cloud using the proposed system is shown in Figure 4.
To assess the effectiveness of our proposed prototype, we compared the results with other commonly used authentication protocols such as SAML [15] and Kerberos [16]. Figure 5 shows that the proposed authentication protocol is very efficient compared to the other protocols. The proposed authentication protocol has better performance than traditional protocols like SAML and Kerberos because it is designed specifically for heterogeneous multi-cloud scenarios. Kerberos is a centralized protocol and distributes tickets to all communicating parties, which increases its processing time.




FIGURE 7. UI of client side showing SLA parameters compliance in foreign cloud (Red color shows SLA violations while green shows SLA
compliance).

Although SAML is a distributed authentication protocol, it does not support heterogeneous client attributes, and when used in a secure way (in conjunction with SSL) it takes longer than the proposed protocol to authenticate multiple clients.
To check the accuracy of the service selection algorithm, service selection requests were made against a large number of service instances, and the algorithm was able to select the service with the highest match of QoS properties using the accuracy matrix, compared with SPSE and the simple additive weighting (SAW) technique [17]. Precision, measured as the ratio of the number of correctly returned services to the total number of returned services, for the accuracy matrix compared to SPSE and SAW is shown in Figure 6.
To measure the performance of the SLA coordinator and the effectiveness of monitoring, we ran experiments to measure the accuracy of the monitoring component during service execution in the foreign cloud. A basic user interface (UI) was created on the client side to report any violations of the SLA metrics. Figure 7 shows the client UI after accessing a few services in the foreign cloud. The boxes in red are SLA violations that were captured, while the green boxes indicate the SLA parameters that were successfully implemented and followed.
To measure the delay caused by monitoring, we measured the average time taken to make a decision about the captured events and recorded violations, i.e. the difference between the time at which the event leading to the SLA violation occurred and the time at which the monitor decided that a violation had been recorded. The average delay over 1000 events was 123.34 ms, and it remained stable as the number of events increased. Therefore monitoring of SLA parameters takes a small amount of time to detect and record violations, which can then be reported to the foreign cloud so that these violations can be reduced.

VI. USE CASES
IoT has brought revolutionary changes through applications ranging from manufacturing and transport to healthcare and smart homes. The proposed framework MC-IoT offers various advantages and use cases for IoT, among them e-Healthcare, smart cities, vehicular networks and smart retail. In this section we present how the proposed framework can be used in e-Healthcare and in improving supply chains.

A. E-HEALTHCARE
Healthcare IoT devices such as implantable sensors, bio-sensors, micro-electromechanical silicon sensors and nano-sensors can potentially bring huge benefits to the e-Healthcare industry in the coming years. Benefits offered to patients include remote monitoring of patients with chronic illness, help in the treatment of diseases, and monitoring of health statistics by patients themselves, which can help them take steps to improve their health. With the significant advantages offered by using sensor data in healthcare, the challenge arises of storing the huge amount of data generated by sensors. Moreover, e-Healthcare requires data processing, storage and analytics that can potentially be used by collaborating healthcare entities and applications.
e-Healthcare solutions enable the delivery of healthcare services at any required time; however, their deployment also raises several challenges. The world population is increasing and more healthcare challenges can be expected in the future. Due to the rise in healthcare cost, more sophisticated procedures such as e-Healthcare are required. Sensor-based e-Healthcare systems can monitor a patient's health remotely, and the doctor can view the patient's health using e-Health applications without the patient needing to visit. This ubiquitous monitoring has been predicted to be the future of modern healthcare.
A multi-cloud system can provide a service-based and application-oriented infrastructure suitable for a sensor-based e-Healthcare system for many reasons, including the following: sensors generate a large amount of data; the number of patient records being managed is very large; healthcare workers need inter-organizational and collaborative data sharing; some e-Health services need a specific platform to run; healthcare workers might need to use an e-Health




service being run on remote platform only for a limited period To address the authentication issues in multi-clouds dif-
that will be economically inefficient to be purchased for a ferent architectures were proposed. Xu et al. [20] proposed
long time, and performing data analytics on large datasets of an architecture by which different organizations can collab-
healthcare needs more resources than traditional infrastruc- orate to use business services. The proposed methodology
ture. Based on heterogeneous requirements of multi-cloud coordinates security pre-requisites in SOA-based business
and e-Healthcare services, this work proposed framework can forms and presents techniques for authentication of services
enable dynamic collaboration between e-Health services in from various domains for SOA-based business forms at run-
multi-clouds. time. Their architecture requires neither credential exchange
Using MC-IoT based healthcare system, users including nor foundation of any validation for creating a business
patients and healthcare workers will only need to get authen- session. The accuracy of the convention is formally broke
ticated by their local cloud and the proposed system will down and demonstrated, and an observational review is
enable them to use services in foreign clouds according to performed utilizing two creation quality Grid frameworks,
requirement. The proposed system design can revolutionize Globus 4 and CROWN.
the healthcare by providing key benefits such as ability to use Celesti et al. [21] propose a design to empower cloud
multiple e-Health services on various platforms, scale com- federation in view of a three-stage model. These stages
puting resources such as storage according to requirements are named as discovery, matchmaking and authentication.
and share collaborative data with health care workers from The design includes a matchmaking agent which facilitates
other clouds. brokering, given by a match-production operator, whose
errand is picking the more helpful Cloud(s) wherewith to
B. BUSINESS CASE set up an organization in view of data gathered both at the
As described earlier, MC-IoT can be used to enable users of a IaaS layer (e.g., CPU or RAM memory) and higher layers
cloud platform to access services in another cloud. There are (e.g., QoS level). The proposed inter-cloud identity manage-
many other business cases of this framework that can help to ment infrastructure extends from XMPP, and XACML to
improve the business supply chain. SAML [22].
Consider a case in which an organization named Bohli et al. [23] give a study of security and protection
E-Packagers uses cloud resources and services from a cloud service provider. The company needs cloud resources during peak times, between 9 am and 5 pm on working days, while its use of these resources and their services on weekends is close to none. In this scenario, E-Packagers has to pay for the time when the usage of its allocated resources is very low. Using MC-IoT, however, the company can lease its services to users from other clouds, who can contact E-Packagers directly and use its services for a certain time without involving the cloud provider. This helps the company generate additional revenue, and lets users access services with fewer conditions and in less time.

VII. RELATED WORK
Delivery models for multiple clouds can be classified into two types: federated cloud and multi-cloud. These models differ in the level of co-operation between the participating clouds and in the way that the client interacts with them [18].

Celesti et al. summarize the requirements of identity management across clouds in two categories [19]:
1) Single Sign-On (SSO) authentication, where a cloud must be able to authenticate itself in order to access the resources provided by federated foreign clouds belonging to the same trust context, without further identity checks.
2) Digital identities and third parties, where a cloud must be treated as a subject uniquely identified by credentials, and each cloud must be able to authenticate itself to foreign clouds using its digital identity.

arrangements that expand on the idea of the simultaneous use of multiple clouds. Pearson [24] discusses how the notions of privacy, security, and trust evolve with the emergence of cloud computing, and proposes possible ways to protect and manage them.

Al-Aqrabi [25] developed an authentication scheme that establishes trust relationships among business intelligence service instances and clients by sharing a common session key with all members of a session. The generation and distribution of secret keys is handled by a central authority called the session authority. The correctness of the protocol was verified and its performance overhead, with a trusted third party in the loop, was evaluated.

The concept of cloud-backed IoT was introduced because the advantages of cloud computing, including virtually unlimited storage and processing, can significantly improve IoT performance. IoT-based clouds have introduced concepts such as smart things, things as a service and sensor as a service (SenaaS) [26]. Owing to the benefits the cloud offers IoT, several further concepts have been proposed.

The idea of cloud federation for IoT has been presented in three stages [27]. In the first stage, embedded devices are connected to IoT cloud systems; in the second, cloud providers offer IoT as a service; and in the third, IoT providers federate to extend their services and achieve more flexibility.

Leitner et al. [28] proposed a dynamic, data-driven architecture that ensures service provisioning in a cloud federation with a minimum of service level agreement (SLA) violations, and validated the approach through simulation studies.
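The two mechanisms surveyed above, a cloud authenticating itself to a federated foreign cloud within a shared trust context without further identity checks (Celesti et al. [19]) and a session authority generating and distributing a common session key to the members of a session (Al-Aqrabi [25]), both reduce to a trusted third party that shares a long-term key with each member cloud, the same pattern Kerberos [16] uses. The following Python sketch is an added example, not code from this paper nor from [19] or [25]: a federation authority issues cloud A a ticket for cloud B that carries a fresh session key sealed under B's long-term key and bound to the client, service and expiry; A proves possession of the session key with an authenticator, so B accepts A without any further identity check. The member names, the 300-second ticket lifetime, the 60-second clock skew and the HMAC-based stand-in for an authenticated key wrap are assumptions of the example.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

KEY_LEN = 32  # long-term member keys and session keys are 32 bytes

# Stand-in for an AEAD / key-wrap primitive, built from HMAC-SHA256 so that the
# example runs on the standard library alone (assumption of this example).
# Production code would wrap the session key with AES-GCM or AES-KW instead.


def _canon(body: dict) -> bytes:
    """Canonical encoding of the ticket fields, used as associated data so the
    wrapped key cannot be re-attached to a different client, service or expiry."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(key: bytes, secret: bytes, aad: bytes) -> dict:
    """Encrypt-then-MAC a secret of at most KEY_LEN bytes under a long-term key."""
    if len(secret) > KEY_LEN:
        raise ValueError("payload exceeds one keystream block")
    nonce = secrets.token_bytes(16)
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(p ^ s for p, s in zip(secret, stream))
    tag = hmac.new(key, b"mac" + nonce + aad + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(key: bytes, box: dict, aad: bytes) -> Optional[bytes]:
    """Return the secret, or None when the tag fails (wrong key, wrong AAD, tampering)."""
    nonce, ct, tag = (bytes.fromhex(box[k]) for k in ("nonce", "ct", "tag"))
    expect = hmac.new(key, b"mac" + nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


class FederationAuthority:
    """Trusted third party sharing one long-term key with each member cloud and
    handing out fresh session keys (the 'session authority' role)."""

    def __init__(self, member_keys: dict):
        self.keys = dict(member_keys)

    def issue(self, client: str, service: str, now: float,
              lifetime: int = 300) -> Tuple[dict, dict]:
        if client not in self.keys or service not in self.keys:
            raise KeyError("not a federation member")
        session_key = secrets.token_bytes(KEY_LEN)
        body = {"client": client, "service": service, "exp": int(now) + lifetime}
        aad = _canon(body)
        # Ticket: readable only by the target cloud, which never learns K_client.
        ticket = {"body": body, "box": seal(self.keys[service], session_key, aad)}
        # The same session key, wrapped for the requesting cloud.
        to_client = seal(self.keys[client], session_key, aad)
        return ticket, to_client


def make_authenticator(session_key: bytes, client: str, now: float) -> dict:
    """Proves the presenter holds the session key, not merely a copied ticket."""
    ts = int(now)
    mac = hmac.new(session_key, f"auth:{client}:{ts}".encode(), hashlib.sha256).hexdigest()
    return {"client": client, "ts": ts, "mac": mac}


def accept_request(service: str, service_key: bytes, ticket: dict, auth: dict,
                   now: float, skew: int = 60) -> Optional[bytes]:
    """Foreign-cloud side: return the session key on success, None otherwise."""
    body = ticket["body"]
    if body.get("service") != service or body.get("exp", 0) < now:
        return None                      # not addressed to us, or expired
    session_key = unseal(service_key, ticket["box"], _canon(body))
    if session_key is None:
        return None                      # forged or modified ticket
    if auth["client"] != body["client"] or abs(auth["ts"] - now) > skew:
        return None                      # replayed or mismatched authenticator
    expect = hmac.new(session_key, f"auth:{auth['client']}:{auth['ts']}".encode(),
                      hashlib.sha256).hexdigest()
    return session_key if hmac.compare_digest(expect, auth["mac"]) else None


def run_exchange(tamper: bool = False, expired: bool = False) -> bool:
    """Whole flow between constructed members 'cloud-a' (client) and 'cloud-b' (service)."""
    keys = {"cloud-a": secrets.token_bytes(KEY_LEN), "cloud-b": secrets.token_bytes(KEY_LEN)}
    authority = FederationAuthority(keys)
    now = time.time()
    ticket, to_client = authority.issue("cloud-a", "cloud-b", now)
    session_key = unseal(keys["cloud-a"], to_client, _canon(ticket["body"]))
    auth = make_authenticator(session_key, "cloud-a", now)
    if tamper:
        ticket["body"]["client"] = "cloud-c"   # rebinding attempt: breaks the AAD check
    present_at = now + 400 if expired else now
    return accept_request("cloud-b", keys["cloud-b"], ticket, auth, present_at) == session_key


if __name__ == "__main__":
    print("accepted:", run_exchange(), "tampered:", run_exchange(tamper=True),
          "expired:", run_exchange(expired=True))
```

Binding the ticket body into the MAC as associated data is what makes the "same trust context" claim hold: cloud B learns from the authority's key, not from A's say-so, that the session key belongs to A and to B, so a member that captures the ticket cannot re-address it, and the timestamped authenticator keeps a captured ticket-plus-authenticator pair from being replayed outside the skew window.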

VOLUME 6, 2018 58631


M. Kazim et al.: Framework for Orchestrating Secure and Dynamic Access of IoT Services in Multi-Cloud Environments

Rak et al. [29] introduced an approach named SPECS. SPECS offers mechanisms to access the security features provided by cloud service providers (CSPs), to specify security requirements, and to integrate security services with cloud services, forming a security-as-a-service approach.

Despite the considerable amount of research on multi-clouds, establishing dynamic communication to access services (particularly IoT services) in heterogeneous clouds is still an open research problem. Current work lacks the protocols and frameworks needed for dynamic multi-cloud service collaboration, and this research aims to solve that problem.

VIII. CONCLUSION
Multi-clouds offer a promising solution for delivering IoT services efficiently, but their adoption also raises challenges due to the lack of supporting frameworks. This paper provides a novel framework for establishing secure collaboration across multi-clouds to access services running in a foreign cloud. An authentication scheme is presented by which communicating clouds can authenticate each other dynamically. A service matchmaking technique is proposed to select, among multiple foreign clouds, the IoT service that best matches the user's requirements, and an SLA approach is used to ensure that service execution in the foreign cloud conforms to the SLA parameters agreed between the user and the provider. Moreover, we present the detailed system design to implement these protocols and the framework. The experiments are performed on two cloud systems based on OpenStack and Amazon AWS, and the results show that our protocols incur only limited overhead. Furthermore, use case scenarios are presented to show applications of the proposed framework.

REFERENCES
[1] J. Gubbi, R. Buyya, S. Marusic, and M. Palaniswami, “Internet of Things (IoT): A vision, architectural elements, and future directions,” Future Gener. Comput. Syst., vol. 29, no. 7, pp. 1645–1660, 2013.
[2] Roundup of Internet of Things Forecasts. (2017). Accessed: Aug. 4, 2018. [Online]. Available: https://www.forbes.com/sites/louiscolumbus/2017/12/10/2017-roundup-of-internet-of-things-forecasts/#3a4c69321480
[3] A. Botta, W. De Donato, V. Persico, and A. Pescapé, “On the integration of cloud computing and Internet of Things,” in Proc. Int. Conf. Future Internet Things Cloud (FiCloud), Aug. 2014, pp. 23–30.
[4] R. Buyya, C. S. Yeo, and S. Venugopal, “Market-oriented cloud computing: Vision, hype, and reality for delivering IT services as computing utilities,” in Proc. 10th IEEE Int. Conf. High Perform. Comput. Commun., Vancouver, BC, Canada, Sep. 2008, p. 1.
[5] F. Paraiso, N. Haderer, P. Merle, R. Rouvoy, and L. Seinturier, “A federated multi-cloud PaaS infrastructure,” in Proc. IEEE 5th Int. Conf. Cloud Comput., Jun. 2012, pp. 392–399.
[6] N. Ferry, A. Rossini, F. Chauvel, B. Morin, and A. Solberg, “Towards model-driven provisioning, deployment, monitoring, and adaptation of multi-cloud systems,” in Proc. IEEE 6th Int. Conf. Cloud Comput., Jun./Jul. 2013, pp. 887–894.
[7] 451 Research. Accessed: Aug. 15, 2018. [Online]. Available: https://451research.com/images/Marketing/press_releases/Pre_Re-Invent_2018_press_release_final_11_22.pdf
[8] F. Liu et al., NIST Cloud Computing Reference Architecture, NIST Special Publication 500-292. Gaithersburg, MD, USA: NIST, 2011, pp. 1–28.
[9] E. Bresson, O. Chevassut, D. Pointcheval, and J.-J. Quisquater, “Provably authenticated group Diffie-Hellman key exchange,” in Proc. 8th ACM Conf. Comput. Commun. Secur., Nov. 2001, pp. 255–264.
[10] M. Ahmed, L. Liu, B. Yuan, M. Trovati, and J. Hardy, “Context-aware service discovery and selection in decentralized environments,” in Proc. IEEE Int. Conf. Comput. Inf. Technol., Ubiquitous Comput. Commun., Dependable, Autonomic Secure Comput., Pervasive Intell. Comput., Oct. 2015, pp. 2224–2231.
[11] A. Awad, S. Kadry, B. Lee, and S. Zhang, “Property based attestation for a secure cloud monitoring system,” in Proc. IEEE/ACM 7th Int. Conf. Utility Cloud Comput., Dec. 2014, pp. 934–940.
[12] N. Santos, R. Rodrigues, K. P. Gummadi, and S. Saroiu, “Policy-sealed data: A new abstraction for building trusted cloud services,” in Proc. USENIX Secur. Symp., Aug. 2012.
[13] S. Bouchenak, G. Chockler, H. Chockler, G. Gheorghe, N. Santos, and A. Shraer, “Verifying cloud services: Present and future,” ACM SIGOPS Oper. Syst. Rev., 2013.
[14] M. Kazim and S. Y. Zhu, “Virtualization security in cloud computing,” in Guide to Security Assurance for Cloud Computing. Springer, 2015.
[15] SAML. Accessed: Aug. 26, 2018. [Online]. Available: https://developers.onelogin.com/saml
[16] Kerberos. Accessed: Jul. 16, 2018. [Online]. Available: http://web.mit.edu/kerberos/
[17] A. Afshari, M. Mojahed, and R. M. Yusuff, “Simple additive weighting approach to personnel selection problem,” Int. J. Innov., Manage. Technol., vol. 1, no. 5, pp. 511–515, 2010.
[18] D. Petcu, “Multi-Cloud: Expectations and current approaches,” in Proc. Int. Workshop Multi-Cloud Appl. Federated Clouds, Apr. 2013, pp. 1–6.
[19] A. Celesti, F. Tusa, M. Villari, and A. Puliafito, “How to enhance cloud architectures to enable cross-federation,” in Proc. IEEE 3rd Int. Conf. Cloud Comput., Jul. 2010, pp. 337–345.
[20] J. Xu, D. Zhang, L. Liu, and X. Li, “Dynamic authentication for cross-realm SOA-based business processes,” IEEE Trans. Services Comput., vol. 5, no. 1, pp. 20–32, Jan./Mar. 2012.
[21] A. Celesti, F. Tusa, M. Villari, and A. Puliafito, “Three-phase cross-cloud federation model: The cloud SSO authentication,” in Proc. 2nd Int. Conf. Adv. Future Internet (AFIN), Jul. 2010, pp. 94–101.
[22] A. Celesti, F. Tusa, M. Villari, and A. Puliafito, “Security and cloud computing: Intercloud identity management infrastructure,” in Proc. 19th IEEE Int. Workshops Enabling Technol., Infrastruct. Collaborative Enterprises (WETICE), Jun. 2010, pp. 263–265.
[23] J.-M. Bohli, N. Gruschka, M. Jensen, L. L. Iacono, and N. Marnau, “Security and privacy-enhancing multicloud architectures,” IEEE Trans. Dependable Secure Comput., vol. 10, no. 4, pp. 212–224, Jul./Aug. 2013.
[24] S. Pearson, “Privacy, security and trust in cloud computing,” in Privacy and Security for Cloud Computing. London, U.K.: Springer, 2013, pp. 3–42.
[25] H. Al-Aqrabi, “Cloud BI: A multi-party authentication framework for securing business intelligence on the cloud,” Ph.D. dissertation, 2016.
[26] E. Cavalcante et al., “On the interplay of Internet of Things and cloud computing: A systematic mapping study,” Comput. Commun., vols. 89–90, pp. 17–33, Sep. 2016.
[27] A. Celesti, M. Fazio, M. Giacobbe, A. Puliafito, and M. Villari, “Characterizing cloud federation in IoT,” in Proc. 30th Int. Conf. Adv. Inf. Netw. Appl. Workshops (WAINA), Mar. 2016, pp. 93–98.
[28] P. Leitner, J. Ferner, W. Hummer, and S. Dustdar, “Data-driven and automated prediction of service level agreement violations in service compositions,” Distrib. Parallel Databases, vol. 31, no. 3, pp. 447–470, Sep. 2013.
[29] M. Rak, N. Suri, J. Luna, D. Petcu, V. Casola, and U. Villano, “Security as a service using an SLA-based approach via SPECS,” in Proc. IEEE 5th Int. Conf. Cloud Comput. Technol. Sci. (CloudCom), vol. 2, Dec. 2013, pp. 1–6.

MUHAMMAD KAZIM received the bachelor's degree in computer engineering and the master's degree in computer security from the National University of Sciences and Technology, Pakistan. He is currently pursuing the Ph.D. degree in computer science at the University of Derby, U.K. He has worked at various academic positions at the University of Derby, including as an Associate Academic and a Graduate Teaching Assistant. His research interests include cloud security, IoT, IoT security, network security, and distributed systems.

LU LIU (M'07) received the M.Sc. degree in data communication systems from Brunel University and the Ph.D. degree from the University of Surrey (funded by DIF DTC). He is currently a Professor of distributed computing with the University of Derby, an Adjunct Professor with Jiangsu University, and a Visiting Research Fellow with Tongji University. He has secured many research projects, which are supported by U.K. Research Councils, BIS and RLTF, and industrial research partners. He has authored over 100 scientific publications in reputable journals, academic books, and international conferences. His research interests are in the areas of cloud computing, service computing, peer-to-peer computing, virtual computing, and system of systems engineering. He is a member of BCS. He was recognized as a promising Researcher by the University of Derby in 2011. He received the BCL Faculty Research Award in 2012. He has chaired many international conferences and workshops and has served as an editorial board member for several international computing journals.

SHAO YING ZHU is currently a Senior Lecturer in computing at the University of Derby, U.K. She is the Programme Leader for M.Sc. Advanced Computer Networks and B.Sc. (Honors) Computer Networks and Security. She has published many peer-reviewed conference and journal papers on a wide range of topics, such as image processing, E-learning, computer networks, and cloud security. She has edited a number of books for Springer's Computer Communications and Networks Series and organized many IEEE workshops in network security subject areas. She has also served as a technical programme committee member for many conferences in the networking area.

