A systematic mapping study of security, trust and privacy in clouds

ABSTRACT

publication makes use of three facets, namely the topic, research, and contribution. The topic facet identifies vital topics in the area of cloud security and privacy; the research facet deals with the classification of research, and the contribution facet relates to issues like method. The need for more research in the areas of security, trust and privacy in cloud services, is the primary motivator for this work. Therefore, the challenge this study aims at addressing is the determination of the domains where a shortage of research exists, and highlighting them for upcoming researchers. This paper seeks to carry out a systematic mapping study of cloud computing security, privacy, and trust. The primary output of this review paper is the visual map that contains percentages showing the degree of research done in different research domains, for example, frameworks and models within this domain of study. Subsequent portions of this paper are arranged in the following manner. Section 2 looks at related work. Section 3 focuses on materials and methods. Section 4 presents the results and discussion, while section 5 is the conclusion with suggestions for further research.

2.
RELATED WORK K. Petersen, S. Vakkalanka, and L. Kuzniarz [14] proposes the need to assess how researchers attempt systematic mapping and decide the manner that the rules should be reviewed as informed by key takeaways from systematic maps and guidelines which exist for writing systematic literature review. The authors led a systematic mapping study of systematic maps while considering a few guidelines that govern the acts of systematic review papers. They found that in most of the conducted studies, numerous rules were used and consolidated. This approach prompted various methods of leading systematic mapping studies. T. Kosar, S. Bohra, and M. Mernik [15] focuses on the description of the rules that govern a systematic mapping study as associated with domain-specific languages (DSL). Their study focused on an upgraded understanding of the DSL area of study, along side an emphasis on research trends and future leanings. Their study ranges from July 2013 through October 2014, and laid emphasis on three rules for conducting a systematic review, which are planning the review process, conducting it, and communicating its result.
I. Odun-Ayo et al., [16] led a systematic mapping study of cloud policy languages and programming models. Their study used ideas from [11]. This mapping study gives six classes of study within the regions of accountability and reliability, framework, paradigms, privacy, security and survey. The consequences of the chosen studies were also implemented on the contribution facet, regarding tool, method, and model. Likewise, the chosen studies were applied to the research facet that addressed evaluation, validation, solution, experience and opinion research. C. R. Fernandez-Blanco et al., [17] conducted a power systems model mapping. They achieved this by providing a power systems model overview, and determining how such models are used by European organizations, in light of a review of their features, while identifying modelling gaps. Two hundred twenty-eight (228) questionnaires were sent out for elicitation of information from power experts, while eighty-two (82) surveys were responded to and used for the final mapping.
C. Griffo, J. P. A. Almeida, and G. Guizzardi [18] dealt with a systematic mapping of the legal core ontologies literature. The research was focused on "legal theory and concepts". Additionally, the studies utilized in the research were grouped as a result of their contributions concerning language, tool, method, and model. They also performed recognition of the legal theories that were used in the building process of legal core ontologies. Focus was determined with a specific advice on the use of two ontologies, alongside an assessment of all selected research for cogent deductions about legal and ontological research. I. Odun-Ayo et al., [19] is a systematic mapping review of cloud computing services with a focus on virtualization, containerization, composition, and orchestration. The classification scheme within this systematic mapping review was also examined, and six considerations in cloud computing services were identified. These considerations included virtualization, centralization, composition, orchestration, rationalization and deployment. The chosen studies were then used on the contribution facet with a focus on metrics, tool, method, and model. The chosen studies were additionally applied to the various categories of research such as experience, evaluation of opinion, solution research and validation.
M. Alavi and D. E. Leidner [20] presents an extensive assessment of knowledge management within an organization while focusing on the prospective part IT plays in knowledge management. Several vital matters that related to knowledge management processes, and the role Information Technology will play in driving and supporting these processes, were also discussed. Emphasis was also placed on the need to promote the formation, storage, transmission and utilization of knowledge in organizations. I. Odun-Ayo et al., [21] presents a systematic mapping study with a focus on the design and models of deployment of the cloud. The paper presents a classification scheme that addresses design and models of deployment by discussing design, service deployment, implementation, configuration, privacy and security. These chosen topics were administered to the contribution facet according to metrics, tools, methods, and models. Also, they were used for various research types concerning evaluation, experience, opinion validation and solution research. According to S. K. Boell and D. Cecez-Kecmanovic [22], in their paper addressed the usefulness of and constraints to Information System and Social Science Systematic Literature Review. The authors believe that the broad idea that a Systematic Literature Review provides a complete and exceptional method for literature review is both controversial and deplorable. In their critique and approval of this position, they resolved that care and restraint is employed in the process of systematic literature review selection, as an important undertaking with literature and the scholarly nature of academic work could be undercut. P. Brereton et al., [23] discussed the discoveries made from the application of the process of systematic literature review to the domain of software engineering. This review process, and also the quantity of reviews performed by the paper's authors and others, were extracted and discussed. Finally, the assessment of a number of lessons on how applicable this practice is to software engineering, was conducted.
Cloud related mobile application testing systematic mapping study was conducted in [24]. Security, compatibility, functional and GUI testings were discussed relative to cloud-based testing. The studies selected were then implemented on the contribution facet with a focus on metrics, tool, method, and model. They were also implemented on various aspects such as experience, opinion evaluation, validation and solution research. Finally, using some contribution category consideration, Testing-as-a-Service was examined. The author of H. M. Cooper [25], in his paper, examined how research reviews have to provide consideration to the detailed philosophy that is expected from a primary researcher. Research review was additionally conceptualized as a scientific and logical enquiry which consists of five phases that equal those primary researches specifically, problem formulation, collection of data, data point's evaluation, data analysis and their interpretations, and finally, the results presentation. Sources of variance, potential threats to validity and every other function pertaining to each stage was discussed.
Useful insights for the execution of a literature review were provided to researchers in [26]. The authors suggested the synthesis of trends and patterns during the preparatory stages of literature review writing. Some of these steps include the consideration of purpose and voice before the commencement of writing, the consideration of the reassembly of notes, and also the creation of topical outlines which trace literature review arguments. These should provide the requirements and steps used for the development of a detailed and concise literature review. B. Kitchenham et al.,[27], an assessment of systematic literature review impact was conducted. These impacts were the suggested software engineering methods which are evidence-based, for the aggregation of evidence. The authors utilized manual searches of ten Journals and four conference proceedings to conduct their assessment. Cumulatively, twenty studies were found to be relevant, eight of which dealt with research trends, and not evaluation of technique. Furthermore, seven systematic literature reviews dealt with estimation of cost. Out of all the systematic literature reviews that were assessed, three scored lower than 2 out of a maximum of 4. This scoring points to an acceptable overall quality of reviews.
I. Odun-Ayo et al., [28], a systematic mapping study of mobility and efficiency in cloud computing utilization, which was based on concepts from [11], was conducted. This study presented five topics of study in the areas of architecture, computation offload, efficient transmissions, allocations, collaborative mobile cloud, and fault tolerance and data storage regarding the aspects of the research selected. The chosen aspects were then implemented on the contribution facet with a focus on tool, method, and model. They were also implemented on the various categories of research such as experience, evaluation, opinion, validation and solutions research. J. Vom et al., [29] harped upon the significance of literature review to scientific enquiry. It further emphasized the importance of thorough literature searches as significant issues that can ensure that useful literature reviews will be discovered. The authors also stated the challenges of searching through literature within the continuously growing and fluid context of information system. They also made recommendations regarding how the challenges could be addressed. They suggested practical guidelines and checklists that researchers could utilize in planning and organizing their literature searches.
The work in S. M. Rosli, M. M. Rosli, and R. Nordin [30] is a recommender system mapping study for blood glucose levels in gestational diabetes mellitus patients. The search for primary studies focused on a defined method, data collection, recommender system for blood glucose, blood glucose and variables prediction models. Analysis of the blood glucose recommender system was carried out based on the topics of machine learning, context awareness, hybrid filtering, AI, rough set theory and data mining.
The work in Y. Yan, H. Xiahong and W. Wanjun [31] is about location-based services (LBS) and protection of privacy in mobile cloud computing (MCC). Location-based services are presently being utilized on moving objects in the areas of transportation and safety. The paper emphasized the need to provide location-based services, especially within cloud environments. The suggested framework can promote confidentiality under privacy protection, especially in the cloud mobile computing environment. The work in K. S. Gururaj and K. Thippeswamy [32] is a cloud-based secured framework for utilization in an online voting system. The paper examined the present trend of accessing information from remote locations, which has attendant challenges on data access, especially on the cloud. This publication introduced a technology- based infrastructure that can mitigate the challenges. The proposed secure cloud-based framework that can be used for online voting was implemented and also tested using some cryptographic algorithms.

RESEARCH METHOD 3.1. Review stage
Systematic mapping studies provide visual outlays of the outcomes of rigorous reviews of papers within domains of enquiry. The specifications on systematic mapping studies from [14], [27] were used to accomplish this study. A systematic study is a reproducible process for the extraction and interpretation of publications that are present and are on a particular research objective [33]. Although systematic mapping processes are not as rigorous as systematic literature reviews, however, it offers a more coarse-grained overview [14]. Figure 1 depicts some critical steps found within general systematic mapping studies. The first step in this process is the definition of questions that dictate the research scope. Next comes the search for primary studies for all papers available within the domain of study. Following that is the screening of all the papers, thereby determining those that are relevant to the study. A method of classification is then developed through the use of essential wording processes on abstracts from relevant publications. Finally, the data extraction process culminates in the form of a systematic map. These steps are utilized in this paper for the development of a systematic map for cloud security, trust and privacy.  Abstract  Keywording  Scheme of classification a. Articles b. Articles classification into the schemes c. Scheme update  Systematic map

Research questions definition
Systematic maps are meant for the provision of overviews of the quality and category of work that has been done within a selected domain of enquiry. They may also be necessary when determining where such work was done; challenges identified determine the type of research questions that will be used for a study. The research questions utilized in this study include: a. RQ 1: What aspects of security, trust and privacy in the cloud are identified, and how many publications deal with the various aspects? b. RQ 2: What categories of publications are made in those domains, and what evaluations and innovations do they provide? c. RQ3: What approaches to research do these studies utilize, and what improvements were provided?

Conduct of primary studies
Primary studies searches usually serves as the beginning of a review. This exploration for the primary study is done through the analysis of major digital libraries in the related field. This primary search then focuses on exploring literature that is relevant, from online repositories via search queries. Afterwards, a backward snowballing is utilized in enhancing the search process [34]. Occasionally manual searches can also be carried out on conference and journal materials. Publications utilized for this study were obtained through the exploration of major scientific digital repositories. However, primary studies from books and This study's search query was fashioned with regards to population intervention comparisons and their results. Exploration keywords were extracted from this study's title structure. The query utilized is as follows: (TITLE (security AND trust) OR TITLE (trust AND privacy) OR TITLE (privacy AND security) OR TITLE (privacy AND trust AND security)) AND TITLE (cloud).
The search for primary studies was conducted using the custom query above, for document metadata. For this study on security, trust, and privacy; all the search results out of the five chosen digital repositories relating to cloud computing and computer sciences were utilized. The criteria for selection for our papers, as depicted by the prerequisites of the research destination and questions, led to the consideration of 115 publications as relevant to this study, out of an introductory interest containing 1670 publications. This period covered in this study was from 2010 through 2018.

Screening of papers for inclusion and exclusion
The objective of the selection criteria was the location and inclusion of all publications which were necessary for the successful conduct of the study. Criteria for Inclusion and exclusion were utilized in the elimination of all articles that did not meet the focus of the study. Also, publications that were irrelevant to the search queries were eliminated. Some abstracts contained relevant but insufficient information, therefore, such were excluded. This study also omitted prefaces, presentation slides, tutorials, briefs, summaries, editorials and panel discussions. The focus of this study was security, trust and privacy; the inclusion and exclusion criteria are as indicated in Table 2. Table 2. Inclusion and exclusion criteria Criteria for inclusion Criteria for exclusion Abstract clearly discusses trust, privacy and security. Also, the discussion is in cloud computing or related field.
The abstract does not fall within the cloud computing domain. Cloud security, trust or privacy is not discussed by the abstract.

Abstracts keywording
Abstract keywording is a significant portion of a systematic mapping study. The keywording of abstracts improves the composition of the scheme for classification. The systematic mapping process is used for the development of this scheme. Keywording was critical in reducing the time used to evolve a classification scheme. An analysis of themes, which aimed at the identification, analyses and reporting of topics within the domain being considered, was used for the classification scheme building [35]. During the keywording of abstracts, concepts, main contributions and the domains of focus which showed the identified research questions, were identified from the abstracts of selected papers. A significant quantity of concepts and methods were identified during from the chosen studies that addressed cloud security, privacy and trust. Subsequently, keyword choice for the classification scheme preparation is enabled via this process. According to the thematic analysis approach which was utilized in the structuring of a significant degree of understanding of the research, a keyword combination was extracted from the various studies. The keywording process included examining the abstracts of primary studies to extricate ideas and keyword in line with the field of study. This also involved knowing the context of the study. After extracting the concepts and keywords, they were gathered to give needed understanding into the various categories and contribution of the articles. The process discussed above was utilized to evolve the scheme of classification for this study and the following categories used in this study.
However, it was sometimes necessary to go beyond the abstracts of the articles thereby looking at introductions and conclusions of such articles to guarantee the selection of reliable keywords for all attached papers. A keyword cluster was utilized to develop the classes of this study which was eventually used for the systematic map creation. Three facets were utilized for this paper on cloud security, trust and privacy. The first was the topic category; these are the topic extracted in the form of concepts and keywords with the classification process. The second was the contribution facet; these constitute the type of contribution to the study in the form of metrics, method, model, process and tool as enunciated in [10]. The third was related to the type of research that was carried out

Research facet with categories and description
The research facet made up the third category of this study. The classification of research approach discussed in [36] was used for the research facet. The approach includes the following categories and descriptions [36]. This research classification approach was determined to be sufficient and ideal for this study. It was relevant to the classification scheme. Therefore, all the primary studies were examined with respect to the various classes and depictions of the approaches to research classification. The result of these activities was used as the research class for this investigation.

Data extraction and mapping studies
As part of the systematic mapping process, appropriate publications are arranged according to classification schemes. This is a subset of the classification phase. This stage was utilized for data extraction from different articles added to the study. The extraction processes determined the results of the scheme of classification. New classes were included as a result of the process, some old ones were joined to form new ones, and those that were determined to be irrelevant, were expunged. This process was done using a Spreadsheet from Microsoft Excel. There was a table in the spreadsheet that contained every class within the scheme of classification. After that, the occurrences of publication topics within the spreadsheet tables were integrated into individual tables that contained either the topic/contribution or topic/research issues. The focus of the analyses was the presentation of paper frequencies as a result of the outcomes from the spreadsheet. The aim was to see the portions of security, trust and privacy in the cloud that had more emphasis placed on. This revealed gaps or shortages in publications, creating a focus on areas requiring further studies. Based on the result obtained on the spreadsheet tables, a systematic map was created using the occurrences presented via a bubbles plot. This map involved an x-y scatter plot with bubbles where the categories intersected. The coordinate values of the scatter plot had bubble sizes which corresponded to the volume of papers within individual classes. There were two quadrants because of the three facets that were utilized during this entire process. A visual map was provided within every category, as a result of the study's focus. These maps were as a result of the occurrences of various topic categories that fell under either the contribution or research categories; as a result, simultaneous consideration of the various facets was simplified. Also, there was an inclusion of statistics summary, thereby providing clarity. In summary, a glimpse into the entire happenings in security, trust, and privacy in the cloud, is provided by the systematic map.

RESULTS AND DISCUSSION
This systematic mapping study of cloud security, trust, and privacy focused on an analysis of themes and classification. Sometimes it may be necessary to identify publications. Gaps were identified from the analysis, by graphing using bubbles plots; this showed which aspect of the study had a shortage of publication. Also, the study showed areas that were covered adequately with regards to papers. In this systematic mapping study, various significant classifications were employed during the paper assessment. This assessment was then used to identify the frequencies of the paper categories and was then used for the map creation.

Topic and contribution facet
The contribution facet focuses on discussions within the following domains [24]:  Framework: This deals with a properly designed and itemized method that contains broad scope and purpose, and which focuses on several research questions or domains  Model: An abstraction view of a topic and challenges, instead of a concrete and distinct approach for solving the specific problem is provided  Tool: Concept evaluation using a particular tool is provided  Evaluation: A method for the empirical measurement of the proposed solution(s)  Metric: Frameworks for specific phenomena measurement is provided  Method: A specific objective with a restricted research question or purpose is focused on The main category of this study, the topics category, had the following topics extracted during the cloud computing security, trust and privacy classification scheme:  Privacy issues and challenges  Frameworks  Cloud trust  Techniques  Design  Data security The listing of primary studies which were utilized for topics checking purposes viz-a-viz the various categories of contributions is in Table 3. Additionally, Figure 2 is a chart of the percentage of topics in the contribution category. The contribution category or facet showed the various types of input made to the study's focus. The outcome showed that documents which reviewed models regarding cloud security, trust and privacy was 35.24% out of 105 papers within this category. Also, metric had 7.62%, tool had 19.05%, method had 18.1%, and process had 20%. Papers that discussed model contribution were 35.24% of the reviewed work in this facet. The distribution indicates that 10.48% of model contribution was on privacy issues and challenges. Another 10.48% was on the framework. Models contributed 0.95% each to cloud trust and techniques, models contributed 12.38% to the topics on design, and there was no contribution by model to data security.   Table 4 contains the primary studies list used for the examination of the various topics against the types of research. Figure 3 contains the chart showing the percentage of topics in the research category. The outcome of the research category performed on cloud computing security, trust and privacy, is found on the x-axis of the right quadrant of Figure 4. The outcome shows that papers that were based on evaluation research were 36.52% of 115 papers in this category. Furthermore, validation research had 27.83%; solution had 19.13%; philosophical had 6.96%; experience had 9.57%, and there were no opinions on this study.

Topic and research facet
The discussion of valuation research made up 36.52% of the publications on cloud computing security, trust and privacy that were reviewed. The rundown indicates that 10.35% of the discussion on evaluation research focused on privacy issues and challenges, 6.96% considered framework, 5.09% was on cloud trust, 5.22% focused on techniques, 7.83% dealt with design and there were no papers on data security. Figure 4 shows the aspects of the various research topics and facets that are remaining.

Main findings
Two x-y scatter plots containing bubbles where the intersections of the topic and contribution facets lie, are contained within the first quadrant in Figure 4. The second quadrant of Figure 4 displays a visual representation of the topic and research facet intersection, via a two x-y scatter plot containing bubbles. As mentioned earlier, an identification of which category had been emphasized more during the study is made possible via the analysis.  at 0.87%, and the lowest number of design in solution research was 0.87%. Also, no publications were found on data security with respect to evaluation research; there were no publications identified on frameworks, cloud trust, techniques and data security in terms of philosophical research. No papers were seen on privacy issues and challenges and techniques on experience research. There were no opinions on all aspect of the study on security, trust and privacy in clouds. d. Furthermore, there were no publications on frameworks, cloud, trust and techniques in the area of metric.
No articles were identified regarding data security with respect to tool and model. Also, no articles were identified for framework and data security. Finally, no papers were published on cloud trust and design in the area of process. The aesthetics of systematic maps makes them signifies their usefulness, and they can quickly pique readers' interests. This usefulness is because the systematic maps help to summarize result and offer them to researchers by combining the categories on the systematic map. Also, it allows simultaneous views of both sides of the map. Gaps within domains of interest are easily identified when a systematic mapping study is combined alongside a successive systematic literature review. However, standalone systematic mapping studies are unique in their own rights.
The systematic map is useful because researchers at all levels and practitioners in various industries can utilize the information presented as a Launchpad for further research. Cloud Computing security, trust and privacy related topic classes considering privacy issues and challenges, frameworks, cloud trust, and data security were provided by this study. Furthermore, a discussion of these study classes can be reviewed based on either tool, model, method, metric, and process, or evaluation, validation, solution, philosophical, or opinion research. Therefore, further research is recommended on them. The primary studies list that is provided can further guide future researchers. This study shows the inexhaustible and continuous nature of research work.

CONCLUSION
Cloud computing is evolving at a dynamic rate. More resources are being made available to the users by the cloud providers. This rate of evolution, in turn, is encouraging more individuals and organization alike to utilize cloud resources. Such kind of interactions will require adequate security, privacy and trust on the part of CSPs. This has informed lots of research in privacy, security and trust in the cloud. Despite the numerous publications available, there are shortages in some areas pointed out with the use of bubble plots; hence revealing some research gaps in this field of study. Some aspects, where inadequate emphasis had been placed on previously, regarding cloud security, privacy and trust, were identified by this study as a result of the classifications used within the scheme. This paper contributes to knowledge through its indication of the various portions of the study where shortcomings were found. These identified gaps and shortcomings indicate the need for further research. They should serve as a general signpost for topics where more research can be conducted on, in areas of security, privacy and trust in the cloud. This study could also be further validated, and contradictory items resolved through additional research. In conclusion, a systematic map of cloud security, privacy and trust, which could be of immense benefits to the cloud community is created via this study. The study should support researchers in unveiling the major shortcomings of cloud security, privacy and trust that previous researchers have not had the opportunity of exploring. Thus, contributing to cloud computing knowledge.