Conference Paper

Abstract and Figures

Cloud computing offers benefits in terms of availability and cost, but transfers the responsibility for information security management to the cloud service provider. Thus, the consumer loses control over the security of their information and services. This factor has prevented the migration to cloud computing in many businesses. This paper proposes a model where the cloud consumer can perform risk analysis on providers before and after contracting the service. The proposed model establishes the responsibilities of three actors: Consumer, Provider and Security Labs. The inclusion of the actor Security Labs lends more credibility to the risk analysis, making the results more consistent for the consumer.
... The proposed model establishes the responsibilities of three actors: Consumer, Provider and Security Labs. The inclusion of actor Security Labs provides more credibility to risk analysis making the results more consistent for the consumer [2]. ...
... Then the ISL specifies how to quantify threats and vulnerabilities. Figure 3. Risk specification phase [2]. ...
Article
This paper presents some scope, context, proposals and solutions related to the following topics: Decision-Theoretic Planning for Cloud Computing; An Architecture for Risk Analysis in Cloud; Risk-based Dynamic Access Control for a Highly Scalable Cloud Federation; Challenges of Operationalizing PACS on Cloud Over Wireless Networks; Environment, Services and Network Management for Green Clouds; Provisioning and Resource Allocation for Green Clouds; and Optimizing Green Clouds through Legacy Network Infrastructure Management.
... [23] Security architecture for introducing environmental SLAs into basic platform service network monitoring. [24] According to the Trusted Platform Module (TPM) cloud monitoring host and client virtual machine architecture. [25] The network security factors are introduced into the basis of the host and guest housing structure, to achieve high credibility, high availability monitoring capabilities. [26] The use of HW-based TPM to achieve remote control security risk analysis. [27] The security model of risk analysis is constructed by introducing the traditional CC and CSP into an ISP agent. ...
... In [218], Silva et al. proposed an architecture for risk analysis in cloud environments. Specifically, they propose a model in which the cloud consumer (CC) can perform risk analysis on a cloud service provider (CSP) before and after contracting the service. ...
Article
Internet outages are inevitable, frequent, opaque, and expensive. To make things worse, they are poorly understood, while a deep understanding of them is essential for strengthening the role of the Internet as the world's communication substrate. The importance of research on Internet outages is demonstrated by the large body of literature focusing on this topic. Unfortunately, we have found this literature rather scattered, since many different and equally important aspects can be investigated, and researchers typically focused only on a subset of them. And, to the best of our knowledge, no paper in the literature provides an extensive view on this important research topic. To fill this gap, we analyze all the relevant facets of this important research topic, starting from a critical review of the available literature. Our work sheds light on several obscure aspects such as, for example, the different challenges considered in the literature, the techniques, tools, and methodologies used, the contributions provided towards different goals (e.g., outage analysis and detection, impact evaluation, risk assessment, countermeasures, etc.), the issues that are still open, etc. Moreover, it provides several innovative contributions achieved by analyzing the wide and scattered literature on Internet outages (e.g., characterization of the main causes of outages, a general approach for implementing outage detection systems, a systematic classification of definitions and metrics for network resilience, etc.). We believe that this work represents an important and missing starting point for academia and industry to understand and contribute to this wide and articulated research area.
... The risk analysis performed by RAClouds [13] [14] is based on concepts defined by ISO 27001. In this context, threats exploit vulnerabilities that impact on information assets. ...
Article
Cloud computing offers benefits in terms of availability and cost, but transfers the responsibility for information security management to the cloud service provider. Thus the consumer loses control over the security of their information and services. This factor has prevented the migration to cloud computing in many businesses. This paper proposes a model where the cloud consumer can perform risk analysis on providers before and after contracting the service. The proposed model establishes the responsibilities of three actors: Consumer, Provider and Security Labs. The inclusion of the actor Security Labs lends more credibility to the risk analysis, making the results more consistent for the consumer.
Book
The main problems associated with the implementation and use of network and service management arise from the large number of proposals, standards and different products offered on the market, which makes it considerably harder to decide which network and service management approach is most appropriate. In addition, new trends in the area of network and service management are being researched; among them, the following currently stand out: management of wireless, sensor, optical, future internet, internet of things and space internet networks...; the functional areas of security, configuration, performance, accounting...; management of multimedia services, data centers, grid, cloud, fog, edge, virtualization...; and centralized, autonomic, distributed, self-management and policy-based management... These new trends are being researched at the Network and Management Laboratory (Laboratório de Redes e Gerência, LRG) of UFSC, and through this project they can be improved by means of the following project activities: A - Improvements in Autonomic Management for Fog and IoT; B - Improvements in Quality of Service for Real-Time Applications in IoT and Fog; C - Improvements in Security for Fog and IoT; D - Improvements in the Autonomic Intrusion Response System in Cloud and IoT; E - Improvements in Privacy in Identity Management for Dynamic Federations in Cloud and IoT; and F - Improvements in Risk-Based Dynamic Access Control for a Cloud and IoT Federation.
Book
The Eighth International Conference on Emerging Security Information, Systems and Technologies (SECURWARE 2014), held between November 16-20, 2014 in Lisbon, Portugal, continued a series of events covering related topics on theory and practice of security, cryptography, secure protocols, trust, privacy, confidentiality, vulnerability, intrusion detection and other areas related to law enforcement, security data mining, malware models, etc. Security, defined as ensuring protected communication among terminals and user applications across public and private networks, is the core for guaranteeing confidentiality, privacy, and data protection. Security affects businesses and individuals, raises business risk, and requires a corporate and individual culture. In the open business space offered by the Internet, there is a need to improve defenses against hackers, disgruntled employees, and commercial rivals. A balance is required between the effort and resources spent on security and the security achieved. Some vulnerabilities can be addressed using the 80:20 rule, meaning 80% of the vulnerabilities can be addressed for 20% of the cost. Other technical aspects relate to communication speed versus complex and time-consuming cryptography/security mechanisms and protocols. A Digital Ecosystem is defined as an open, decentralized information infrastructure where different networked agents, such as enterprises (especially SMEs), intermediate actors, public bodies and end users, cooperate and compete, enabling the creation of new complex structures. In digital ecosystems, the actors, their products and services can be seen as different organisms and species that are able to evolve and adapt dynamically to changing market conditions. Digital Ecosystems lie at the intersection between different disciplines and fields: industry, business, social sciences, biology, and cutting-edge ICT and its application-driven research.
They are supported by several underlying technologies such as semantic web and ontology-based knowledge sharing, self-organizing intelligent agents, peer-to-peer overlay networks, web services-based information platforms, and recommender systems. We take here the opportunity to warmly thank all the members of the SECURWARE 2014 Technical Program Committee, as well as the numerous reviewers. The creation of such a high quality conference program would not have been possible without their involvement. We also kindly thank all the authors who dedicated much of their time and efforts to contribute to SECURWARE 2014. We truly believe that, thanks to all these efforts, the final conference program consisted of top quality contributions. Also, this event could not have been a reality without the support of many individuals, organizations, and sponsors. We are grateful to the members of the SECURWARE 2014 organizing committee for their help in handling the logistics and for their work to make this professional meeting a success. We hope that SECURWARE 2014 was a successful international forum for the exchange of ideas and results between academia and industry and for the promotion of progress in emerging security information, systems and technologies. We are convinced that the participants found the event useful and communications very open. We hope Lisbon provided a pleasant environment during the conference and everyone saved some time for exploring this beautiful city.
Presentation
Cloud computing is becoming increasingly more popular and telecommunications companies perceive the cloud as an alternative to their service deployment models, one that brings them new possibilities. But to ensure the successful use of this new model there are security and management challenges that still need to be faced. There are numerous threats and vulnerabilities that become more and more important as the use of the cloud increases, as well as concerns with stored data and its availability, confidentiality and integrity. This situation creates the need for monitoring tools and services, which provide a way for administrators to define and evaluate security metrics for their systems. In this paper, we propose a cloud computing security monitoring tool based on our previous works on both security and management for cloud computing.
Conference Paper
Cloud computing is becoming increasingly more popular and telecommunications companies perceive the cloud as an alternative to their service deployment models, one that brings them new possibilities. But to ensure the successful use of this new model there are security and management challenges that still need to be faced. There are numerous threats and vulnerabilities that become more and more important as the use of the cloud increases, as well as concerns with stored data and its availability, confidentiality and integrity. This situation creates the need for monitoring tools and services, which provide a way for administrators to define and evaluate security metrics for their systems. In this paper, we propose a cloud computing security monitoring tool based on our previous works on both security and management for cloud computing.
Conference Paper
Existing attack tree and attack graph schemes focus on depicting possible intrusions by presenting suspected attack profiles, not on the interactions between threats and defenses. Consequently, this limits the adoption of the safeguards from which effective defensive strategies can be selected. In the proposed approach, Attack-Defense Trees (ADT) are employed for threat risk analysis based on a consideration of both the attack cost and the defense cost. The performance of the proposed scheme is evaluated by a set of metrics against new types of network threats, such as APT attacks. Finally, an illustrative case of threat risk analysis for cloud security is given to demonstrate our approach. From the numerical illustrations, our approach provides an effective means of reconstructing attack profiles and evaluating countermeasures for cloud security.
Conference Paper
In recent years Cloud computing has become one of the most aggressively emerging computing paradigms, resulting in a growing rate of adoption in the area of IT outsourcing. However, as recent studies have shown, security is most of the time the one requirement that is neglected entirely. Yet, especially because of the way Cloud computing is used, security is indispensable. Unfortunately, assuring the security of a Cloud computing environment is not a one-time task; it is a task to be performed during the complete lifespan of the Cloud. This is motivated by the fact that Clouds undergo daily changes in terms of newly deployed applications and offered services. Based on this assumption, in this paper we propose a novel model-based, change-driven approach, employing risk analysis, to test the security of a Cloud computing environment across all layers. As the main intrusion point, our approach exploits the public service interfaces, as they are a major source of newly introduced vulnerabilities, possibly leading to severe security incidents.
Conference Paper
By choosing to use cloud services, organizations seek to reduce costs and maximize efficiency. For mission critical systems that must satisfy security constraints, this push to the cloud introduces risks associated with cloud service providers not implementing organizationally selected security controls or policies. As internal system details are abstracted away as part of the cloud architecture, the organization must rely on contractual obligations embedded in service level agreements (SLAs) to assess service offerings. Current SLAs focus on quality of service metrics and lack the semantics needed to express security constraints that could be used to measure risk. We create a framework, called SecAgreement (SecAg), that extends the current SLA negotiation standard, WS-Agreement, to allow security metrics to be expressed on service description terms and service level objectives. The framework enables cloud service providers to include security in their SLA offerings, increasing the likelihood that their services will be used. We define and exemplify a cloud service matchmaking algorithm to assess and rank SecAg enhanced WS-Agreements by their risk, allowing organizations to quantify risk, identify any policy compliance gaps that might exist, and as a result select the cloud services that best meet their security needs.
Article
Cloud Computing has become mainstream technology offering a commoditized approach to software, platform and infrastructure as a service over the Internet on a global scale. This raises important new security issues beyond traditional perimeter based approaches. This paper attempts to identify these issues and their corresponding challenges, proposing to use risk and Service Level Agreement (SLA) management as the basis for a service level framework to improve governance, risk and compliance in cloud computing environments.
Conference Paper
Cloud Computing recently emerged as a promising solution to information technology (IT) management. IT managers look to cloud computing as a means to maintain a flexible and scalable IT infrastructure that enables business agility. In this paper Cloud Computing services including data storage service, cloud computing operating system and software as a service will be introduced, Cloud Computing security challenges will be discussed and Cisco Secure Cloud Data Center Framework will be presented.
Conference Paper
This paper analyzes the importance of conducting Cloud Computing Security Risk Assessment and the main factors affecting the cloud computing security. Furthermore, we establish an assessment indicator system and put forward basic methods of risk evaluation.
Article
An architecture that differentiates security according to service-specific characteristics avoids an unnecessary drain on IT resources by protecting a variety of cloud computing services at just the right level.
Conference Paper
Cloud computing has taken center stage in the present business scenario due to its pay-as-you-use nature, where users need not bother about permanently buying resources like hardware, software, infrastructure, etc. Alongside its technological benefits, cloud computing also involves risks. Looking at its financial benefits, customers who cannot afford initial investments choose the cloud while compromising on security concerns. At the same time, because of its risks, customers (the relative majority in number) avoid migrating to the cloud. This paper analyzes the current security challenges in the cloud computing environment based on state-of-the-art cloud computing security taxonomies under technological and process-related aspects.
Conference Paper
Cloud service providers (CSPs) and cloud customers (CCs) are not only exposed to existing security risks but also to new risks introduced by clouds, like multi-tenancy, virtualization and data outsourcing. Several international and industrial standards target information security and their conformity with cloud computing security challenges. We give an overview of these standards and evaluate their completeness. As a result, we propose a new extension to the ISO 27001:2005 standard including a new control objective about virtualization applicable to cloud systems. We also define a new quantitative metric and evaluate the importance of existing ISO 27001:2005 control objectives when customer services are hosted on-premise or in the cloud. Our conclusion is that obtaining the ISO 27001:2005 certificate is not enough for CSP and CC information security systems, especially given the detriment to business continuity that cloud computing produces, and we propose new solutions that mitigate the risks.
Article
The current discourse about cloud computing security issues makes a well-founded assessment of cloud computing's security impact difficult for two primary reasons. First, as is true for many discussions about risk, basic vocabulary such as "risk," "threat," and "vulnerability" are often used as if they were interchangeable, without regard to their respective definitions. Second, not every issue that's raised is really specific to cloud computing. We can achieve an accurate understanding of the security issue "delta" that cloud computing really adds by analyzing how cloud computing influences each risk factor. One important factor concerns vulnerabilities: cloud computing makes certain well-understood vulnerabilities more significant and adds new vulnerabilities. Here, the authors define four indicators of cloud-specific vulnerabilities, introduce a security-specific cloud reference architecture, and provide examples of cloud-specific vulnerabilities for each architectural component.