key: cord-0842268-g5p7hf3z
authors: Ahmad, Shahnawaz; Mehfuz, Shabana; Mebarek-Oudina, Fateh; Beg, Javed
title: RSM analysis based cloud access security broker: a systematic literature review
date: 2022-05-11
journal: Cluster Comput
DOI: 10.1007/s10586-022-03598-z
sha: 01770eb01cb27b36991ee1fc5b542835fe782c29
doc_id: 842268
cord_uid: g5p7hf3z

A Cloud Access Security Broker (CASB) is a security enforcement point or cloud-based software that is placed between cloud service users and cloud applications of cloud computing (CC), and which is used to run the dimensionality, heterogeneity, and ambiguity correlated with cloud services. CASBs permit an organization to extend the reach of its security policies beyond its own infrastructure to third-party software and storage. In contrast to other systematic literature reviews (SLR), this one is directed at the client setting. To identify and evaluate methods to understand CASB, the SLR discusses the literature, citing a comprehension of the state-of-the-art and innovative characterization to describe. An SLR was performed to compile CASB-related experiments and analyze how CASBs are designed and formed. These studies are then analyzed from different contexts, like motivation, usefulness, building approach, and decision method. The SLR has discussed the contrasts present between the studies and implementations, with planning accomplishments conducted with combinations of market-based courses of action, simulation tools, middleware, etc. Search words with the keywords, which were extracted from the Research Questions (RQs), were utilized to recognize the essential consideration from the journal papers, conference papers, workshops, and symposiums. This SLR has distinguished 20 particular studies distributed from 2011 to 2021. Chosen studies were evaluated according to the defined RQs for their quality and scope with respect to CASB, in this way recognizing a few gaps within the literature.
Unlike other studies, this one concentrates on the customer's viewpoint. The survey uses a systematic analysis of the literature to discover and classify techniques for realizing CASB, resulting in a comprehensive grasp of the state-of-the-art and a novel taxonomy to describe CASBs. To assemble studies relating to CASB and investigate how CASB are engineered, a systematic literature review was done. These investigations are then evaluated from a variety of angles, including motivation, functionality, engineering approach, and methodology. Engineering efforts were directed at a combination of “market-based solutions”, “middlewares”, “toolkits”, “algorithms”, “semantic frameworks”, and “conceptual frameworks”, according to the study, which noted disparities in the studies’ implementations. For further understanding, the different independent parameters influencing the CASB are studied using PCA (Principal Component Analysis). The outcome of their analysis was the identification of five parameters influencing the PCA analysis. The experimental results were used as input for Research Surface Methodology (RSM) to obtain an empirical model. For this, five-level coding was employed for developing the model and considered three dependent parameters and four center values. For more understanding of these independent variables' influence on the CASB study, RSM analysis was employed. It was observed from the CCD (Central Composite Design) model that the actual values show significant influence with R^2 = 0.90. This wide investigation reveals that CASB is still in a formative state. Even though vital advancement has been carried out in this zone, obvious challenges stay to be tended to, which have been highlighted in this paper.

Cloud Computing (CC) has emerged as the need of every enterprise in recent times and is turning into an integral part of all other technologies such as IoT, Big data, and Quantum computing [1].
Technology Review traced the coinage of the term ''Cloud Computing'' (CC) back two decades earlier, to November 14, 1996, and an office park outside Houston, by ''George Favaloro'' and ''Sean O'Sullivan'' [2]. Even though many people assume that CC is a quite new phenomenon, it has its roots in ideas put forward in the 1960s. J.C.R. Licklider of ARPANET is generally described as the first to present the idea of an ''intergalactic computer network'' in 1969, a machine that can be accessed from any place in the world. But even before him, in 1961, John McCarthy floated the idea of computation being provided as a public utility just like any other utility, a concept he named ''utility computing'' [3], and in many ways that is exactly what CC is these days. Over the 1960s and '70s, large banks of computers offered so-called ''time-sharing'' services to local and remote partners. In the 1980s and early '90s, large distributed data centers were installed by huge enterprises. There was no earth-shattering breakthrough until the Web became very common and easily available. In the year 1999, Salesforce.com was the first company to supply a working application through the web to its clients. In the year 2002, Amazon Web Services (AWS) aws.amazon.com emerged and provided a heap of cloud services such as storage and computing. Later in 2006, Elastic Compute Cloud (EC2), also known as EC2 clusters, was introduced by Amazon, which helped in setting up small and medium companies and let people rent out their servers for performing pointed computation. In the very same year, Simple Storage Service (S3) was also launched by Amazon, which enabled people to use the cloud for storing their information online. After this, many tech industries jumped into the business of different cloud services.
In the year 2009, Google introduced ''Google Apps'', compatible with its Chrome browser, which helped engineers to develop their items and also permitted them to host them on Google servers as a web application. Simultaneously, Microsoft and Apple pushed their cloud storage items too, i.e. OneDrive and iCloud respectively. Meanwhile, Microsoft also started Microsoft Azure, to be utilized by buyers to fulfill a variety of objectives, from online storage to databases, web APIs to full-grown web applications, to fully hosted Linux and Windows VMs. As time passed, many stakeholders kept entering this field, and cloud computing technology is expected to be more reasonable, easily accessible, and useful in the future, particularly for tech startups and administrators [4]. To share imaginative thoughts and developments in this cloud computing field, a premier conference was started in 2009 with the name ''International conference on cloud computing'' (ICCC). The effectiveness of the cloud lies in its boundless supply of services such as servers and the storage of information, and anything as a service (XaaS) is conceivable [5]. Cloud computing is a live field. This image remained the toast of conferences and gatherings in the IT spaces these days, and we have found boosting clues of its services and acknowledgment within the ventures as well as the scholarly community [6]. Another conference named ''International Conference on Parallel, Distributed and Grid Computing (PDGC-2010)'' was started in 2010, due to the emerging importance of cloud computing. The ICCC and PDGC conferences emerged as the platform to share the ideas of the academicians and analysts in the area of cloud computing. Besides these conferences, a separate journal dedicated to cloud computing was introduced to share ideas within the said field, by the name of ''Journal of Cloud Computing: Advances Systems and Applications'', published by Springer.
But despite all its buildup and utilization, the idea of CC is pretty elusive and its definition is still very unclear. In oversimplified terms, the cloud gives further computing and capacity services from a pool of shared assets to its customers. A much more accurate definition is given in Table 1. Distinctive cloud computing services have been created to demonstrate CC, which are SaaS, IaaS, PaaS, CaaS, DaaS, BaaS, NaaS, OaaS, FaaS, HaaS, and XaaS [7]. Table 2 shows the list of CC services alongside its existing field. Several systematic literature reviews (SLR) in different areas of CC have been performed to synthesize the available research on different topics. For example, [33] presented an SLR on the ''Cloud Brokerage: A Systematic Survey''. Hibatullah Alzhrani et al. [34] performed ''A Brief Survey of Cloud Computing'' to recognize the research gap in the field of cloud computing. As per the audit [35], a requirement of a study is present which includes recognition, evaluation, and interpretation of the CASB strategies and also provides guidance for the research work to be carried out in the future. Afterward, an SLR on CASB is shown by taking into account the rules of the cloud environment [33], to address the above-said searched problem. In Sect. 4, this may be the essential consideration which appears the SLR on CASB with the point to address the RQs. The cloud services market is flooded with a large number of heterogeneous cloud solutions, making cloud service selection a difficult undertaking for the Cloud Services Customer (CSC) [36] [37] [38].
Table 1 Definition of Cloud Computing
NIST [8]: ''Cloud Computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., network, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction''
[9]: ''Cloud Computing, in which not just our data but even our software resides within the cloud, and we access everything not only through our PCs but also cloud-friendly devices, such as smartphones, PDAs…the mega computer enabled by virtualization and software as a service… this is utility computing powered by massive utility data centers''
[10]: ''Cloud Computing is a style of computing where scalable and elastic IT capabilities are provided as a service to multiple external customers using Internet technologies''
[11]: ''Cloud Computing is a complex infrastructure of software, hardware, processing, and storage, all of which are available as a service''
[12]: ''Cloud Computing is a type of parallel and distributed system consisting of a collection of interconnected and virtualized computers that are dynamically provisioned and present as one or more unified computing resource based on service-level agreements established through negotiation between the service provider and customers''
[13]: ''a Cloud is a pool of virtualized computer resources''
[14]: ''Cloud computing is a delivery of extremely scalable IT-related facilities as a service through the internet to multiple clients''
[15]: ''Cloud computing heralds the shift to an asset-free IT provisioning model where highly scalable hardware, software, and data resources are available over a network''
[16]: ''a network solution for providing inexpensive, reliable, easy and simple access to IT resources''
[17]: ''Cloud computing as the name suggests is a technology through will exchange of information and software management could be done through virtual means''
[18]: ''Cloud computing simply involves the provision of information technology (IT) solutions as a service rather than as a product through the Internet''
[19]: ''a parallel and distributed computing system consisting of a collection of inter-connected and virtualized computers that are dynamically provisioned and presented as one or more unified computing resources based on service-level agreements established through negotiation between the service provider and consumers''
[20]: ''A style of computing where massively scalable IT-related capabilities are provided as a service across the Internet to multiple external customers''
[21]: ''A pool of abstracted, highly scalable, and managed infrastructure capable of hosting end-customer applications and billed by consumption''
[22]: ''The illusion of infinite computing resources available on-demand, the elimination of up-front commitments by cloud users, and the ability to pay for use of computing resources on a short-term basis as needed''
[23]: ''Cloud computing embraces cyber-infrastructure, and builds on virtualization, distributed computing, grid computing, utility computing, networking, and Web and software services.''
[24]: ''A type of parallel and distributed system consisting of a collection of interconnected and virtualized computers that are dynamically provisioned and presented as one or more unified computing resources based on service level agreements established through negotiation between the service provider and consumers''
[25]: ''A large pool of easily usable and accessible virtualized resources (such as hardware, development platforms, and/or services). These resources can be dynamically reconfigured to adjust to a variable load (scale), allowing also for optimum resource utilization. This pool of resources is typically exploited by a pay-per-use model in which guarantees are offered by the infrastructure provider using customized SLAs''
[26, 27]: ''Cloud Computing is primarily a new business paradigm that enables on-demand access, elasticity, pay-per-use, connectivity, resource pooling, and abstracted infrastructure''
[28]: ''a style of computing in which massively scalable IT-related capabilities are provided as a service using Internet technologies to multiple external customers''
[29]: ''a service model that combines a general organizing principle for IT delivery, infrastructure components, an architectural approach, and an economic model-basically, a confluence of grid computing, virtualization, utility computing, hosting and software as a service (SaaS)''
[30]: ''an emerging IT development, deployment, and delivery model enabling real-time delivery of products, services, and solutions over the Internet (i.e., enabling cloud services)''
Merrill Lynch, 2008: ''The idea of delivering personal (e.g., email, word processing, presentations.) and business productivity applications (e.g., sales force automation, customer service, accounting) from centralized servers''
[31, 32]: ''Cloud Computing is the dynamic provisioning of computing capabilities (hardware, software or services) provided by a third party via the network''

Furthermore, because each CSP exposes its API, designing and developing an application so that it can be deployed on a specific CSP does little to reduce the development effort required to move the application to the selected CSP, for example, if it performs poorly. To fill in the gaps mentioned above, the cloud community has long advocated for CASB to act as a middleman between CSCs and CSPs, reducing the risk of choosing the wrong CSP. A CASB is a middleman between CSCs and CSPs who helps CSCs make decisions and improve service delivery (Barker et al. 2015) [39]. The range of difficulties surrounding CASB has prompted so much study that it is necessary to evaluate suggested solutions methodically.
Few studies have looked into CASB research initiatives such as methodologies of selection of cloud services [40], cloud portability and interoperability [41], different mechanisms of resource allocation [42], enhancing the security of the cloud environment with CASB [43], different CASB policies [43], and Fuzzy CASB for requirements negotiation and prioritization [44]. They have discussed CASB from the perspective of a CSP, with a focus on portability and interoperability between CSP cloud services (i.e., IaaS, SaaS, PaaS, etc.). Furthermore, to our knowledge, no SLR on RSM Analysis based CASB has been conducted, which is essential to assess progress in this subject and recommend dimensions for future research. This article presents the findings of an SLR conducted on the topic of RSM Analysis based CASB. An SLR distinguishes, categorizes, and changes comparative suggestions of the current research and centers on information exchange within the research community [45]. Moreover, for this article, an SLR was carried out, with the essential aim to make out, taxonomically categorize, and methodically compare the existing research, based on arranging, implementation, and approving the relocation of bequest frameworks for CASB-based programs. In this regard, the contribution of this article is to examine and evaluate existing solutions in terms of:
• researching methods for designing and implementing CASB;
• providing a thorough overview of existing CASB strategies, as well as how they have been applied to a cloud computing environment;
• having a fundamental understanding of the functions performed by CASB;
• highlighting areas for a future study where improvements can be made and recognizing the fundamental limits of present solutions;
• investigating the reasons behind the demand for CASB.

More particularly, the article endeavors to answer the following questions, through conducting a methodological review of existing research:
1. What are the driving strengths behind CASB for cloud security?
2. What are the current assignments, strategies, and processes to fortify CASB of legacy on-premise software to cloud environment? Additionally, what are the relevant existing research themes?
3. What measures ought to be taken in order to create future research direction about measurements in legacy-to-cloud CASB?

The motive behind this work is to uniformly distinguish and categorize available resources on encryption and decryption of CASB [46], thereafter correspondingly providing comparative analysis and foundations of the current research work. The remainder of this article consists of seven sections: Sect. 2 presents the related work. Section 3 defines the details of the CASB for the disciplined working of CC. Section 4 presents an understanding of the research process. Section 5 demonstrates the vulnerability. Section 6 shows the outcomes of this SLR and deliberates the solutions of the RQs. Section 7 represents the RSM analysis using the CCD model for the CASB system. Section 8 analyzes the open challenges, issues, and future directions. Finally, Sect. 9 presents the conclusion and future research directions.

2 Related work

CASB is a big but fragmented area, with significant differences in contributions and the terminology used to describe them in academic papers. To our knowledge, this is the first survey that addresses this discrepancy and, in doing so, provides a full review of the state-of-the-art as well as precise and well-supported recommendations for future work. Table 3 shows the related previous work. Although the proposed approach is comparable to theirs in some ways, the proposed analysis is from the standpoint of the CSC (i.e., how the CASB benefits the CSCs), whereas theirs is from the perspective of the CSP (i.e., the interoperability and collaboration between the CSPs).
Other aspects of CC have been studied, including design [57], resource management [58] and [59], monitoring [60], migration [61], service composition [62], and security [63] and [64]. Cloud is the new place to store data, applications, and resources nowadays, but the cloud providers are not able to ensure the secure experience of using the cloud. CASB could be a preclude educate inside the field of CC whose aim is to recognize and survey all the cloud applications in use, give dealing with sensitive data, and encrypt or tokenize sensitive substance to uphold the privacy, security, and workable use of cloud organizations over a few cloud platforms [35]. CASB may be a colossal but ambiguous field. There is a critical conflict between commitments and the expression utilized to depict them in investigation papers. In [35], Gartner envisions the CASB as a course of activity of four interconnected columns, i.e., ''visibility'', ''compliance'', ''data security'', and ''threat protection'', as depicted in Fig. 1. CASBs are a data-key arrangement for securing data end-to-end, from any application to any gadget. Whereas early cloud security solutions were centered on SaaS security, CASBs have advanced into wide stages that ensure information over SaaS, IaaS, and private cloud applications. A CASB works as a tool that sits between an organization's on-premises framework and a cloud provider's framework. As per the demand of organizations which are transiting from internal bound-based applications to the cloud, CASBs provide deep visibility over corporate data, as well as granular control for IT administrators over data access, by intermediating or ''proxying'' traffic between cloud applications and end-user devices. The movement of ''packets'' between users and applications essentially changes the strength of cloud and mobility.
This has raised a necessity to adjust the list and the expenditure preferences in security controls for any organization consuming cloud services. By 2022 (Strategic Planning Assumptions), 60% of large enterprises will use a CASB for their cloud services, which is up from less than 20% these days [65]. Through 2023, at least 99% of cloud security failures will be the customer's fault [65]. The applications of CC and the encouragement to CASB are portrayed in Table 4. In the SLR carried out, we have laid down (as shown by Table 5) various challenges within the CASB development and have attempted to reply to RQ2 by listing out different challenges that enterprises face while adopting the CASB. Figure 2 shows the ten major categories of best practices for CASB in cloud computing. Cloud computing faces two main challenges: security and reliability. As any other client can access the client's data in the cloud, this raises security issues in the cloud. Hackers could attempt to steal client data by authenticating using authorized user names and passwords, modifying the data, and making changes. Many techniques are available to achieve security in the cloud, such as encryption, authorization, and authentication. Cloud security risks can be categorized into those for cloud users and those for cloud service providers. Some of the cloud security risks are data leakage, data breaches and loss, hacking, denial of service, malicious insider attacks, and some shared technology issues. Authentication, authorization, data protection, etc., are some of the security aspects that cloud service providers must cover, and basic security goals that need to constitute basic security principles; this became more crucial as data moves to the cloud. Trust in the cloud service provider (CSP) and its services is among the principal drivers of a customer deciding to migrate to a cloud platform or conform to the legacy framework [67].
Trust relies upon deciding whether the provider is responsible for all risks such as data protection, VM security, and other regulatory concerns. ''Confidentiality, Integrity and Availability'' are the three considerations considered during the cloud system security review (CIA) [68]. This section's primary objective is to generalize security requirements for the modern cloud infrastructure, since the CIA domain is the commonly used method for defining security vulnerabilities in the conventional information system. Figure 3 depicts the essential features of data security in cloud computing, as well as potential risks and defense techniques [69].

Table 5 Challenges that enterprises face while adopting the CASB
1 Many IT organizations miss the mark to frequently include executive staff and business units when developing a cloud approach, identifying business-critical cloud apps in use, mitigating cloud risk, and educating cloud users
2 Many enterprises are not conscious of all the cloud services and data in use all over the organization. Most have 20 times more apps in use than they would estimate
3 Most enterprises cannot identify, classify, granularly control access to, and manage to encrypt/decrypt handling of sensitive data, compliance-related data in these apps, even when cloud services are known
4 CASBs provide a combination of user-centric and threat-centric capabilities as well as a range of deployment options, increasing the complexity of evaluation
5 Many enterprises have no way to detect cloud threats such as malware, account compromises, data destruction, data theft, and account compromises
6 Most organizations apply the same controls to all cloud-sensitive data, compliance requirements (FRs and NFRs), regardless of data type, or data sensitivity
7 Focusing disproportionately on the prevention of cloud data loss, risky user behavior, and account compromise, many organizations manage the sensitive need for threat detection, post-incident response, and continuous monitoring
The security of some business properties from exposing unauthorized users implies secrecy. Consumers like unauthorized access to data stored in the same database in a cloud world as the CSP data may be clients. The CSP itself can even include unethical or nefarious representatives who may access or even tamper with confidential, sensitive consumer data. Besides client info, the network of virtual computers, virtual pictures, etc., ultimately need secrecy. Certain confidentiality concerns related to cloud data include:
• A variety of cloud storage services send content to customer data-containing web folders.
• Another aspect that impacts data security is the whole geographical area of the client's information.

Cloud services are believed to be reliable but odd in some cases. They want to hear more about the details of personal data files and user privilege data. They want to hear more about the contents of user data files and user privilege data. The owners should formulate appropriate access management procedures to prevent specific scenarios. The security of information systems, according to (Dukes 2015) [70], is characterized as ''the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to ensure confidentiality, integrity, and availability''. There are three main security services:

Integrity applies to an asset's security property that ensures that it has not been changed by third-party employees who are not allowed to do so. Consequently, the accuracy and correctness of the asset concerning its owner are ensured by this property. Typically, inserting, removing, or modifying operations are assumed to alter the integrity of any support. With the user accessing cloud resources through web browsers, all web attacks in the cloud environment are widespread, causing user file contents, database, virtualized storage, or, indeed, WSDL files to be changed [71] [72] [73] [74] [75].
The following problems of data security were addressed here under the separate integrity specifications of the public cloud:

Fig. 2 Best practices for CASB [110]

The outsourcing of data at the CSP end constitutes a direct challenge to its credibility. CSP will be able to erase any legitimate consumer data tuples, which the customer could never create. The web developer has used the insecure API from obscure sources for a lot of time, where the API key can lead to the attacker. A collision attack is an operation that can merge several copies of media or other files to create a new copy. The tasks that include, but are not limited to, are data averaging, substitution, linear data mix, etc. Is another common network attack that is naturally extremely likely to occur for cloud systems. The text and signature are duplicated and sent to the server as an authentic user during SOAP translation in TLS (Transport Layer service) layer. Demand is one of the most critical protection factors to be maintained by a CSP. Multiple business organizations who utilize cloud-based technology to support their consumers should guarantee that these services remain available, as a minor downtime will result in a significant irrecoverable financial loss. A standard service-level agreement lays out what the supplier has promised to supply and respond to demand. For example, the service level could state that 99.999 percent of the time, if more than 80% of the support given is used, the programs will be utilizable, and more resources will be dynamically available. In terms of responsibilities and roles, the reference architecture identifies five main actors (as shown by Fig. 4). Cloud consumers, cloud providers, cloud auditors, cloud brokers, and cloud carriers are among the actors [76, 77].

Cloud consumer: Who (person/organization) maintains business relationships with Cloud Providers and uses their services?
Cloud provider: A (person/organization/entity) guarantees that a service is available to those who are interested.
Cloud broker: A third party that can estimate cloud services, performance, information system operations, and security of cloud installation separately.
Cloud carrier: An intermediary that provides cloud service connectivity and transmission (from CSP to Cloud Consumers).

Once a person is familiar with the cloud security workflow and cloud security lifecycle [see Figs. 5 and 6], one can adopt CASB and other cloud security solutions to provide full coverage for cloud applications usage [66]. Enterprise CASB management portal should plan to integrate with their existing identity sources such as compute, In the SLR work, various use cases in the CASB process have been identified (refer to Table 6). In this SLR work, various sensitive cloud data processes have been identified (refer to Table 7).

To distinguish the research gaps with the help of a literature survey of the CASB, we have applied the steps proposed by Kitchenham and Charters [79]. The steps include ''research questions'' (RQs), ''search strategy'', ''study selection'', and ''data synthesis''. These steps form the backbone of our review protocol. The objective of this study is to get how different CASB frameworks were developed from the beginning of the state charts to cloud services and to identify an area for further research by considering the strength and weaknesses of the existing services. To achieve this objective, the following research questions (RQs) were formulated (Table 8): We have figured out the subsequent search string to extract the essential studies from five electronic database assets, i.e., ''IEEE Xplore'', ''ACM Digital Library'', ''Springer'', ''Science Direct'', and ''Google Scholar'', based on the RQs given in literature review OR survey OR journey OR literature mapping OR systematic literature mapping OR state-of-the-art)).
The succeeding SS, as shown by Table 10, is suitably intended by using keywords, which are resulting from RQs through the PICO method. These SS are constructed by using Boolean ORs and ANDs. This plan works in satisfying the queries related to key research questions successfully. SS was developed by using keywords. SS is structured by finding out substitutes and different orthographic studies for each of the query components and connecting them by using the Boolean OR and Boolean AND. Keywords are determined using the Population Intervention Comparison Outcomes (PICO) process [79] as shown by Table 8 and are used to make. The basic components of PICO are listed as under:
1) Population: The population could be any of the particular part, application, and the state of CASB.
• Population - cloud computing.
2) Intervention: The intervention is the tool innovation or method that addresses a particular issue.
• Intervention - CASB.
3) Evaluation: Usually a device or innovation or strategy with which intercession is being compared.
• Evaluation - Legacy on-premises application.
Results should co-relate to factors of ranks to practitioners such as improved security, consistency, and cost assistance. All results ought to be indicated.
• Results - Encrypt/Decrypt framework for CASB, better performance, cost asset, applications, upgraded security features, methods, and tools.

We also evaluated the pertinence, reliability, and applicability of the selected studies through some QA questions that include. Figure 8 shows the determination procedure for the same.
In the first stage of the process, we have

Identify overexposed data: Security administrators need to identify which cloud data is at the highest risk of leakage outside of the organization, either unintentionally due to user fault, hacker activity, or malicious use [78].
4. Spread on-prem DLP to the cloud: IT departments with on-prem DLP (Data Loss Prevention) often need to extend attention to the cloud in a non-disruptive way that will enable them to use consistent dictionaries, policies, and workflows on-prem and in the cloud.
Protect data: All enterprises need to protect the organization's data, but different methods and degrees of protection should be used to protect different types of data. Sensitive regulated data may need to be controlled and in many cases encrypted or tokenized, depending on compliance requirements and potential impacts on app performance.
8. Guarantee compliance and information security: The compliance officer may need to continuously monitor how information is being accessed and shared by the organization and individual divisions to make sure they meet compliance requirements.
9. Detect threats and monitor cloud usage: Security directors need to continually watch data usage for possible policy violations, data leakage, malware attacks, and user access to unauthorized websites that may pose a risk to cloud accounts and data.
10. Remediate incidents: IT organizations need the capability to organize post-event examinations to remediate the issue and to provide an audit trail for all the employees. Files are infected with malware, or data is lost or stolen from cloud accounts, if cloud accounts are compromised.

• Gambling
• Violence
Define content risk security profile: Apply a risk severity rating to all data types that would be most damaging if leaked:
• High (H)
• Medium (M)
• Low (L)
• Critical
Classify cloud data: Classify data as:
• Computing
• Business
• Secure code
• Engineering
• Health
• Design
Identify risk types: Identification of sensitive compliance data such as:
Identify over-exposed sensitive data: The category of sensitive/risky data as:
• Internally exposed data
• Externally exposed data
• Publicly exposed data
Determine user risk: Based on cloud use behavior and file sharing, categorize the user as:
• High risk

Some of these selected studies were found to be redundant and irrelevant after being scrutinized based on the title and thus were removed from the SLR. Consequently, 82 primary studies were shortlisted. In the next phase, the selected papers were further reviewed based on abstract and conclusion. Thus, after this phase, 41 studies were shortlisted. Further in the selection process, quality assessment (QA) criteria were employed on the selected studies. Finally, 20 studies were identified and selected after the study selection process. These selected studies, grouped as primary studies, are used to answer the formulated RQs. We also

What is the motivation for designing CASB? The goal is to determine which aspects of cloud security have been investigated and which aspects have not.
What functionalities does a CASB have? The idea is to identify the way in which any explicit security issue has been determined in its ongoing research.
What are the approaches for engineering CASB? The goal of the ongoing research is to determine the current methodologies in cloud security frameworks, as well as the true reason for organizations not implementing CASB and how it has been allocated.
What are the simulation tools available for CC research? The idea is to exchanging authentication and authorization data between parties (service and identity providers), ''unauthorized redistribution of digital media'', ''continuous data monitoring'', ''investigate and response to exceptions'', ''business process modeling'', and ''threat protection''

The excluded research articles were those that did not meet the prerequisites shown in Table 5 and the listed constraints:
• studies that were not peer reviewed
• abstracts and editorials
• articles shorter than six pages

The purpose of data synthesis is to summarize evidence from the selected studies to answer the RQs. In this article, the selected studies were presented in the following ways:
• Information associated with RQ-1 has been presented by bar charts.
• RQ-2, RQ-3, RQ-4, and RQ-5 are presented in pie charts which show the discussions as well as the experimental results.

Based on the search strategies discussed previously, which covered different databases, selection criteria, and quality criteria, studies were chosen to perform the SLR. Some studies may still have been missed, as it is not practically possible to extract all the studies using only the terms that appear in the RQs. To overcome this problem, extracted studies need to be scrutinized manually so that studies which were missed in the initial search can be identified. Besides the previous searches, articles from CC and CASB were also taken into consideration to find those studies that were not identified during the search procedure. To reduce inaccuracy from redundant data, an independent assessment of the extracted studies is done by the author based on the QA questions. Based on our SLR, we have identified ten distinct studies published from 2011 to 2021, as shown in Figs. 9 and 10. Within the chosen articles, there are five journal articles, three conference articles, and 2 other articles.
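The sensitive-data steps listed above (define a content risk profile, classify cloud data, identify over-exposed data, determine user risk) can be chained over a file-sharing inventory. The Python below is an added example, not code from the paper or from any CASB product. Assumed here: the record fields, the class-to-severity mapping, the weights and threshold, the "Not shared" label, and the "Medium risk" and "Low risk" labels (the page lists only "High risk").

```python
from collections import defaultdict

ORG_DOMAIN = "example.com"  # constructed organization domain

# Content risk security profile: the data classes and severity labels are the
# page's; which class gets which severity is an assumption of this example.
SEVERITY_PROFILE = {
    "Health": "Critical", "Secure code": "High", "Business": "Medium",
    "Engineering": "Medium", "Design": "Low", "Computing": "Low",
}
SEVERITY_WEIGHT = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
EXPOSURE_WEIGHT = {
    "Not shared": 0,  # label added here for files nobody else can reach
    "Internally exposed": 1, "Externally exposed": 2, "Publicly exposed": 3,
}

# Constructed sharing inventory (sample data, not from the paper).
INVENTORY = [
    {"file": "patients-2021.csv", "owner": "alice@example.com",
     "data_class": "Health", "shared_with": [], "public_link": True},
    {"file": "build-keys.txt", "owner": "bob@example.com",
     "data_class": "Secure code",
     "shared_with": ["ci@example.com.partner.test"], "public_link": False},
    {"file": "roadmap.pptx", "owner": "bob@example.com",
     "data_class": "Business", "shared_with": ["carol@example.com"],
     "public_link": False},
    {"file": "logo.svg", "owner": "carol@example.com",
     "data_class": "Design", "shared_with": [], "public_link": True},
    {"file": "notes.txt", "owner": "dave@example.com",
     "data_class": "Computing", "shared_with": ["dave@example.com"],
     "public_link": False},
    {"file": "scan.bin", "owner": "erin@example.com",
     "data_class": "Unlabelled", "shared_with": ["Dave@Example.com"],
     "public_link": False},
]


def domain_of(address):
    """Exact mail domain; a suffix match would accept look-alike domains."""
    return address.rsplit("@", 1)[-1].lower()


def exposure_of(record):
    """Internally / externally / publicly exposed, or not shared at all."""
    if record["public_link"]:
        return "Publicly exposed"
    owner = record["owner"].lower()
    others = [u for u in record["shared_with"] if u.lower() != owner]
    if any(domain_of(u) != ORG_DOMAIN for u in others):
        return "Externally exposed"
    return "Internally exposed" if others else "Not shared"


def assess(record):
    """Attach severity, exposure, a combined score and the over-exposed flag."""
    # Unknown data classes are treated as High so they are not ignored.
    severity = SEVERITY_PROFILE.get(record["data_class"], "High")
    exposure = exposure_of(record)
    return {
        "file": record["file"],
        "owner": record["owner"],
        "severity": severity,
        "exposure": exposure,
        "score": SEVERITY_WEIGHT[severity] * EXPOSURE_WEIGHT[exposure],
        "over_exposed": severity in ("High", "Critical")
        and exposure in ("Externally exposed", "Publicly exposed"),
    }


def over_exposed_files(inventory):
    """Names of sensitive files reachable from outside the organization."""
    return [a["file"] for a in map(assess, inventory) if a["over_exposed"]]


def user_risk(inventory, medium_threshold=3):
    """Categorize each owner from their files' scores and flags."""
    totals, flagged = defaultdict(int), set()
    for a in map(assess, inventory):
        totals[a["owner"]] += a["score"]
        if a["over_exposed"]:
            flagged.add(a["owner"])
    risk = {}
    for owner, total in totals.items():
        if owner in flagged:
            risk[owner] = "High risk"
        elif total >= medium_threshold:
            risk[owner] = "Medium risk"
        else:
            risk[owner] = "Low risk"
    return risk


if __name__ == "__main__":
    for name in over_exposed_files(INVENTORY):
        print("over-exposed:", name)
    for owner, level in sorted(user_risk(INVENTORY).items()):
        print(owner, level)
```

The second record shows why the recipient's domain is compared exactly: `example.com.partner.test` contains the organization's domain but is external.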
6.1 RQ-1: how to assess CASB with their functionalities?

The following objectives show the CASB functionalities:

RQ-2 focuses on identifying the requirements, i.e., functional requirements (FRs) and non-functional requirements (NFRs), that have motivated the research and advancement of CASB. The purpose of this RQ is to find the challenges within the scope of CC that motivated CASBs. It has been established that CASBs are motivated by the need to address the following five key challenges [35]:
1. More enterprises lack a complete understanding of the cloud services they use and the threats they incur, which makes compliance and security difficult.
2. Even when cloud services are known, many companies struggle to consistently ensure the secure handling of particular data within and across these divergent services.
3. Enterprises have no methodical way to discover whether (and when) compromised unmanaged devices are used to access cloud services.
4. The CASB offers a range of access-centric and threat-centric capabilities, which makes the decision complex.
5. Several enterprises have entered the CASB market with a wide range of capabilities and approaches, confusing prospective enterprises and obscuring use cases.

6.5 RQ-5: which cloud simulators are available for CC research?

The CC simulators [35] have been created for different kinds of modeling.
For example, CC simulators have been created to support the following notations: the ''SAML (Security Assertion Markup Language)'' for exchanging authentication and authorization data between parties (an identity provider and a service provider), ''DRM (Digital rights management)'' for the unauthorized redistribution of digital media, ''Cloud DLP (Data loss prevention)'' for continuous data monitoring, ''SIEM (Security Information and Event Management)'' to investigate and respond to exceptions, ''IAM (Identity and Access Management)'' for business process modeling, and ''IPSs (Intrusion Prevention Systems)'' for threat protection [35]. In addition to the CASB simulators, we have identified 46 cloud simulators, based on comparison, which have been proposed for the modeling of highly sensitive data, as shown in Table 12.

The experimental results were used as input for Research Surface Methodology (RSM) to obtain an empirical model. RSM has been used in many research works, such as [104]. For this, five-level coding was employed for developing the model, and three dependent parameters and four center values were considered. A model was developed that predicts vendor outcomes. The model is a polynomial equation obtained in terms of coded factors, as shown in Table 13. The equations are developed to find the outcome for the vendor when the dependent and independent variables show correlation with each other. The predicted value of each can be depicted by Eq. 1. The equation developed for predicting the outcome for the vendor is as follows:

$$
\begin{aligned}
\text{Outcome for Vendors} = {} & 63.51 + 0.3114A + 0.2890B + 0.8522C + 0.2901D + 1.69E \\
& - 0.5719AB + 1.62AC - 1.34AD - 0.5469AE - 2.04BC + 0.5594BD \\
& - 0.4219BE - 0.9344CD - 0.6031CE - 0.1656DE \\
& + 0.0074A^2 + 0.3786B^2 + 0.3786C^2 + 0.0869D^2 + 0.7233E^2
\end{aligned}
\tag{1}
$$

The equation in terms of coded factors can be used to make predictions about the response for given levels of each factor.
By default, the high levels of the factors are coded as +1 and the low levels are coded as -1. The coded equation is useful for identifying the relative impact of the factors by comparing the factor coefficients. The values predicted from the model as well as the actual values can be seen in Fig. 10.

Principal component analysis (PCA) was used to assess the most influential parameters for vendors' outcomes. The PCA was done using the Statistical Package for the Social Sciences (SPSS). The five components, namely Vendor profile, Visibility and Governance, Compliance, Threat Protection, Office 365 security, IaaS, and custom apps security and data security, were considered for the analysis. Variance has been extracted for eigenvalues greater than one, as shown in Table 14. Component 1, i.e., Vendor profile, explains about 52.13% of the variance in terms of the Outcome needed for the Vendor. The variance can be best explained by using the criterion of a cumulative percentage greater than 90; the 6 variables that emerged as influential, Vendor profile, visibility and governance, compliance, threat protection, and data security, have a cumulative percentage of 91.677%.

The vendor outcome is predicted from Central Composite Design (CCD) using research surface methodology. The model was randomized so that the best and most appropriate polynomial model can be judged. The model was analyzed using 50 randomized field outputs that were collected from a field study (Fig. 11).

The scree plot (shown in Fig. 12) is a graphical representation of each component with its eigenvalue. The contribution of a component is assessed by its eigenvalue. The larger the eigenvalue, the greater the contribution of that component to the vendor's outcome. As shown in Fig. 11, there appears to be a strong contribution of the Vendor profile, visibility and governance, compliance, threat protection, and data security to the vendors' outcome out of the six factors considered for the study.

SaaS (software as a service) is becoming popular among businesses. Companies' IT teams must oversee the safety of a potentially huge number of apps that handle sensitive data. Customers are responsible for protecting their data, even while the service provider has a robust security system in place (the provider does not understand the data semantics). The CASB is a newly developed type of system software that can coordinate this form of security management. In addition to limiting application users' access to resources, CASB guards against malicious code infiltrating the system. This system's design pattern. In cloud ecosystems, they play a critical role (Fig. 13).

The KMO and Bartlett's test has been considered for statistical analysis. The KMO and Bartlett's test also gave some significant results. The Kaiser-Meyer-Olkin Measure of Sampling Adequacy came out to be 0.67. KMO test results greater than 0.500 signify acceptable results. Principal component analysis requires that the probability associated with Bartlett's Test of Sphericity be less than the level of

manage a wide range of access scenarios, including mobile devices like smartphones, tablets, and laptops, as well as granting temporary access to cloud apps for certain users. It is also crucial to have CASBs as part of your cloud infrastructure. The extension of a software product line to encompass systems other than the product itself, and their interactions with it, is known as an ecosystem. As part of cloud ecosystems, the CASB offers network functionalities for the cloud reference architecture. When a software product line architecture expands to incorporate systems outside the product, it is called an ''ecosystem''.
This ecosystem is defined by the Cloud Security Reference Architecture (SRA).

To determine the suitability of the models, analysis of variance (ANOVA) and statistical analysis including the coefficient of determination, F value, and p value for each Vendors' outcome have been carried out and are listed in Table 15. According to the ANOVA, for larger values of F and p values less than 0.05, it can be concluded that the models are statistically significant. The high values of the correlation coefficients also indicate the accuracy of the models in predicting the responses. The graphs of the 3D space model are shown in Fig. 14. The graphs show the independence of the variables and the outcome of the model space. The independent variable chosen from the PCA analysis was quite a significant influencing factor on the model and its outcomes. In the same vein, the lack-of-fit test was not statistically significant (p > 0.05), which demonstrated the high fitness of the models. According to the ANOVA test, a quadratic polynomial model is statistically significant in representing the actual relationship between the responses and the factors. Model F values of 13.32 with a small p value (< 0.0001) for all three responses demonstrated the accuracy of the model. A high coefficient of determination (R² = 0.90) demonstrated the ability to predict the relationship between the dependent and independent variables.

This design pattern explains how to protect a key component of a cloud ecosystem by allowing users to decide which cloud services they have access to. It will be validated as a pattern when designers implement it into their systems.

The response surface plots were created for different interactions of any two independent variables, while keeping the value of the other variable constant. The contour graph of the predicted model is shown in Fig. 13, employing the range of space and the independent variable locations.
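The coded-factor model of Eq. 1 can be evaluated directly to make predictions and to see how far the coefficient comparison carries once interactions are included. The Python below is an added example, not code from the paper: the coefficients are those of Eq. 1, the factor letters A to E are kept as given because the page does not map them to factor names here, and the actual-unit range passed to `to_coded` is hypothetical.

```python
from itertools import product

FACTORS = ("A", "B", "C", "D", "E")

# Coefficients of Eq. 1 (coded units: low level = -1, high level = +1).
INTERCEPT = 63.51
LINEAR = {"A": 0.3114, "B": 0.2890, "C": 0.8522, "D": 0.2901, "E": 1.69}
INTERACTION = {
    ("A", "B"): -0.5719, ("A", "C"): 1.62, ("A", "D"): -1.34,
    ("A", "E"): -0.5469, ("B", "C"): -2.04, ("B", "D"): 0.5594,
    ("B", "E"): -0.4219, ("C", "D"): -0.9344, ("C", "E"): -0.6031,
    ("D", "E"): -0.1656,
}
QUADRATIC = {"A": 0.0074, "B": 0.3786, "C": 0.3786, "D": 0.0869, "E": 0.7233}


def to_coded(actual, low, high):
    """Map an actual setting to coded units so that low -> -1 and high -> +1."""
    if high <= low:
        raise ValueError("high must be greater than low")
    return (actual - (high + low) / 2) / ((high - low) / 2)


def predict(x):
    """Predicted 'Outcome for Vendors' for a dict of coded factor levels."""
    y = INTERCEPT
    for f in FACTORS:
        y += LINEAR[f] * x[f] + QUADRATIC[f] * x[f] ** 2
    for (f, g), coef in INTERACTION.items():
        y += coef * x[f] * x[g]
    return y


def ranked_terms():
    """All model terms sorted by absolute coefficient (relative influence)."""
    terms = dict(LINEAR)
    terms.update({f + g: c for (f, g), c in INTERACTION.items()})
    terms.update({f + "^2": c for f, c in QUADRATIC.items()})
    return sorted(terms.items(), key=lambda kv: abs(kv[1]), reverse=True)


def main_effect(factor, base):
    """Change in prediction when one factor moves from -1 to +1.

    The other factors stay at the coded levels in `base`, so interaction
    terms contribute; at the center point this is twice the linear
    coefficient.
    """
    low = dict(base, **{factor: -1})
    high = dict(base, **{factor: +1})
    return predict(high) - predict(low)


def best_corner():
    """Low/high combination (all 2^5 corners) with the highest prediction."""
    corners = (dict(zip(FACTORS, lv)) for lv in product((-1, 1), repeat=5))
    return max(corners, key=predict)


if __name__ == "__main__":
    center = dict.fromkeys(FACTORS, 0)
    print("center point:", round(predict(center), 4))
    print("largest terms:", ranked_terms()[:5])
    # Same factor, opposite sign of effect depending on the level of B.
    print("effect of C at B=+1:", round(main_effect("C", dict(center, B=1)), 4))
    print("effect of C at B=-1:", round(main_effect("C", dict(center, B=-1)), 4))
    corner = best_corner()
    print("best corner:", corner, round(predict(corner), 4))
    # Hypothetical actual range 50..100 for one factor; 75 is its midpoint.
    print("coded value of 75:", to_coded(75, 50, 100))
```

The largest coefficient belongs to the BC interaction, so the effect of C changes sign with the level of B; ranking the linear coefficients alone would miss that.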
The important CASB research concerns that have not yet been fully and properly studied are described in this section as future research directions. No support for multiple cloud service architectures (i.e., public, private, community, and hybrid cloud) and no ideal support for QoS features are common challenges for all CASBs. The CASB issues must be identified to assist future CASB designers in making them effective. In addition, some specific challenges for CASB in CC are included below.
• To achieve zero execution time
• Reduced VM and data center costs, as well as data transfer processing time.
• Introduced multi-user-multi-key scenario typical at the cloud-scale for AWS.
• The CASB assists in the understanding of the person's intended outcomes and assists in the organization of resources and assistance needed to attain these outcomes.

This study assists in building an understanding of numerous results in the emerging field of CASB. Thus, we proceeded with an SLR to guarantee an exact investigation of such answers. We focused on correctly characterizing the current state of the art in CASB and recognizing key accomplishments and challenges with different aspects of any enterprise. To perform the search, twenty main papers were considered for the SLR of CASB. The search was conducted using seven major publication databases. We examined 173 papers, from which we have considered 36 as being of worthy significance to the study topic. The different independent parameters influencing the CASB were studied using PCA. It was found that five parameters were influencing the PCA analysis. For more understanding of these independent variables' influence on the CASB study, RSM analysis was employed. It was observed from the CCD model that the actual values showed significant influence with R² = 0.90. In this review paper, we have identified some studies which focus on the services of CASB [105].
In addition to this, CC services [106], cloud service choice for CASB [106], and CASB pillars [107] are the active areas which have received attention from the CC community for modeling with RSM and PCA analysis. The CC simulators have been created for modeling the ''SAML'', ''DRM'', ''Cloud DLP'', ''SIEM'', ''IAM'' and ''IPSs'' etc. We have identified 36 supportive simulators for modeling the security requirements [34, . In [35], it was pointed out that the state of CASB is a cloud computing area disregarded by SLRs. The applications, use cases, best practices, and the identification and protection of sensitive cloud data/information of the continuous CASB have also been identified. Hence, in this article, an attempt has been made to fill this research gap. The major findings reveal that CASB has arisen as a cross-cloud model, driven by the heterogeneity and dimensionality of present cloud computing services, as well as the single-cloud paradigm's inability to meet the needs of clients. The proposed CASB will be responsible for a variety of functions, including ''assisting clients with decision-making'', ''application deployment'', ''SLA negotiations'', and ''resource monitoring''. Our extensive meta-analysis reveals that CASB is still in its infancy. Even though tremendous progress has been made in this subject, significant challenges remain, which are also noted in this survey. We have identified several prospective avenues in the field of CASB based on our analysis and reflection:
• More work is needed in this area to aid CSCs in defining their applications' requirements, adapting them, and taking an intelligent decision-making approach to cloud providers (i.e., AWS, Microsoft Azure, and Google Cloud Compute) and services (SaaS, IaaS, and PaaS).
• Creating a CASB system that works effectively with the Key Management System (KMS) is required [108].
• Outlining the important areas in which further research on the application of load balancing techniques in the CASB process can be developed [109].
• Examining future CC difficulties and the role that load balancing and CASB can play.
• No CASB system has been integrated with KMS. How to integrate CASB with KMS is a critical issue.
• KMS has been broadly utilized in the cloud environment for safeguarding sensitive data on the cloud [5]. More work is required to check the suitability of the CASB system with KMS.
• Employing the RSM analysis for the CASB system, it can be understood that the different influencing variables can be analyzed separately. The independent variables have future scope for deeper research into their interrelationship with each other and their effect on the system.

Author contribution: SA, SM, FM-O and JB have the same contribution.
Funding: None.
Data availability: All data generated or analysed during this study are included in this published article.
Conflict of interest: All authors declare that they have no conflict of interest.
Informed consent: None.
A Cloud Access Security Broker Approach for Encrypted Data Search and Sharing
Brokering in interconnected cloud computing environments: A survey
Cloud Brokerage: A Systematic Survey
PuLSaR: preference-based cloud service selection for cloud service broker
Distributed Cloud Federation Brokerage: A Live Analysis
Cloud Computing Brokering Service: A Trust Framework
Cloud computing services: taxonomy and comparison
Information and Communication Technology for Competitive Strategies (ICTCS 2020)
Securely Work from Home with CASB Policies under COVID-19 Pandemic: A Short Review
Fuzzy Cloud Access Security Broker for Requirements Negotiation and Prioritization
Elasticity in cloud computing: State of the art and research challenges
Cloud computing using load balancing and service broker policy for IT service: a taxonomy and survey
Interoperability and portability approach in interconnected clouds: A review
An intrusion detection and prevention system in cloud computing: A systematic review
Cloud computing service composition: A systematic literature review
Cloud computing security requirements: A systematic review
Ubiquitous Computing and Communications; Dependable, Autonomic and Secure Computing; Pervasive Intelligence and Computing
A Blockchain-Based Cloud Integrated IoT Architecture Using a Hybrid Design
A Brief Survey of Cloud Computing
Survey on the Key Management for Securing the Cloud
Distributed Cloud Federation Brokerage: A Live Analysis
Cloud computing services: taxonomy and comparison
Cloud brokerage: a systematic survey
Commonly used simulation tools for cloud computing research
Gartner report: how to evaluate and operate a cloud access security broker
CSC Phase 2: cloud computing users needs-analysis, conclusions and recommendations from a public survey
Same same, but different: a descriptive differentiation of intracloud IaaS services
Price and performance of cloud-hosted virtual network functions: Analysis and future challenges
Cloud services brokerage: a survey and research roadmap
Trends and directions in cloud service selection
Cloud computing interoperability: The state of play
Auction-based resource allocation mechanisms in the cloud environments: a review of the literature and reflection on future challenges
Information and Communication Technology for Competitive Strategies (ICTCS 2020)
Securely Work from Home with CASB Policies under COVID-19 Pandemic: A Short Review
Lessons from applying the systematic literature review process within the software engineering domain
Security, and detection mechanism in IoT-based cloud computing using a hybrid approach
Cloud computing: State-of-the-art and research challenges
Resource management for infrastructure as a service (IaaS) in cloud computing: a survey
Cloud computing resource scheduling and a survey of its evolutionary approaches
Cloud monitoring: a survey
Cloud migration research: a systematic review
Cloud computing service composition: a systematic literature review
Cloud computing security requirements: a systematic review
An intrusion detection and prevention system in cloud computing: a systematic review
Magic quadrant for cloud access security brokers
A genetic algorithm based key management approach for enhancing data security in cloud environment
Computational intelligence in cloud computing
Security and privacy in cloud computing
Committee on national security systems (CNSS) glossary
Federated learning enables intelligent reflecting surface in fog-cloud enabled cellular network
Mobile-fog-cloud assisted deep reinforcement learning and blockchain-enabled IoMT system for healthcare workflows
Cost-efficient mobility offloading and task scheduling for microservices IoVT applications in container-based fog cloud network
Smart-contract aware ethereum and client-fog-cloud healthcare system
Deep neural network-based application partitioning and scheduling for hospitals and medical enterprises using IoT assisted mobile fog cloud
Cryptography and network security principles and practice
NIST cloud computing reference architecture. Recommendations of the National Institute of Standards and Technology
CASB Best practices guide, ensuring secure and compliant cloud app use with symantec
Guidelines for performing systematic literature reviews in software engineering
Bio-inspired robotics enabled schemes in blockchain-fog-cloud assisted IoMT environment
Sensitivity analysis for Walters' B nanoliquid flow over a radiative Riga surface by RSM
Cloud computing brokering service: a trust framework
PuLSaR: preference-based cloud service selection for cloud service broker
CDOSim: Simulating cloud deployment options for software migration support, In: IEEE 6th International Workshop on the Maintenance and Evolution of Service-Oriented and Cloud-Based Systems
TeachCloud: a cloud computing educational toolkit
DartCSim: an enhanced user-friendly cloud simulation system based on CloudSim with better performance
DartCSim+: enhanced CloudSim with the power and network models integrated
ElasticSim: a toolkit for simulating workflows with cloud resource runtime auto-scaling and stochastic task execution times
FederatedCloudSim: an SLA-aware federated cloud simulation framework
FTCloudSim: a simulation tool for cloud service reliability enhancement mechanisms
WorkflowSim: a toolkit for simulating scientific workflows in distributed environments
CloudReports: an extensible simulation tool for energy-aware cloud computing environments. Cloud Comput
CEPSim: a simulator for cloud-based complex event processing
DynamicCloudSim: Simulating heterogeneity in computational clouds
CloudExp: a comprehensive cloud computing experimental framework
CM Cloud simulator: a cost model simulator module for Cloudsim
MR-CloudSim: designing and implementing MapReduce computing model on CloudSim
UCloud: a simulated Hybrid Cloud for a university environment
GDCSim: a tool for analyzing green data center design and resource management techniques
CloudNetSim - simulation of realtime cloud computing applications
CloudNetSim++: a toolkit for data center simulations in OMNET++, In 11th Annual High Capacity Optical Networks and Emerging/Enabling Technologies
secCloudSim: secure cloud simulator
A toolkit for modeling and simulation of real-time virtual machine allocation in a cloud data center
SimIC: Designing a new inter-cloud simulation platform for integrating large-scale resource management
SCORE: simulator for cloud optimization of resources and energy consumption
GAME-SCORE: game-based energy-aware cloud scheduler and simulator for computational clouds
DISSECT-CF: a simulator to foster energy-aware scheduling in infrastructure clouds
A cloud access security broker approach for encrypted data search and sharing. International conference on computing, and networking and communications (ICNC): Cloud Computing and Big Data
Load balancing of energy cloud using wind-driven and firefly algorithms in the internet of everything
Amazon EC2 Beta
Brokering in interconnected cloud computing environments: a survey
AppDirect SMB cloud service adoption report
The definition of cloud computing
Understanding the determinants of cloud computing adoption
Cloud computing confusion leads to opportunity
Identification of a company's suitability for the adoption of cloud computing and modeling its corresponding return on investment
Cloud Computing: Principles and Paradigms
IBM high-performance on-demand solutions
Choosing a deployment strategy that fits
From the client-server architecture to the information service architecture
Cloud computing basics
Market insight by arun chandrasekaran and mayank Kapoor
Preliminary insight into cloud computing adoption in a developing country
Cloud computing and emerging IT platforms: vision, hype, and reality for delivering computing as the 5th utility
Five refining attributes of public and private cloud computing
Is cloud computing ready for the enterprise?
Above the clouds: a berkeley view of cloud computing
Cloud Computing-Issues, Research, And Implementations
Cloud computing and emerging IT platforms: vision, hype, and reality for delivering computing as the 5th utility
A break in the clouds: towards a cloud definition
Cloud computing: a new business paradigm for biomedical information sharing
Why cloud computing will never be free
Gartner says contrasting views on cloud computing are creating confusion
Partly Cloudy - Blue-Sky thinking about cloud computing
Defining ''Cloud Services'' and ''Cloud Computing''
Study of security risk and vulnerabilities of cloud computing
Cloud service selection: state-of-the-art and future research directions
Ubiquitous Computing and Communications; Dependable, Autonomic and Secure Computing; Pervasive Intelligence and Computing
Inter-cloud architectures and application brokering: taxonomy and survey
A survey on cloud federation architectures: identifying functional and non-functional properties
Elasticity in cloud computing: state of the art and research challenges
A survey on cloud interoperability: taxonomies, standards, and practice. SIGMETRICS Perform
Interoperability and portability approach in interconnected clouds: a review
Cloud computing using load balancing and service broker policy for IT service: a taxonomy and survey

plan and manage successful CASB deployment. Match security with agility and elasticity of the cloud

See Tables 16, 17.