Managing Cyber Risk and Security In Cloud Computing
Abstract
Cloud computing provides outsourcing of resources bringing economic benefits. The outsourcing however does not allow data owners to outsource the responsibility of confidentiality, integrity and access control, as it still is the responsibility of the data owner. As cloud computing is transparent to both the programmers and the users, it induces challenges that were not present in previous forms of distributed computing. Furthermore, cloud computing enables its users to abstract away from low-level configuration such as configuring IP addresses and routers. It creates an illusion that this entire configuration is automated. This illusion is also true for security services, for instance automating security policies and access control in cloud, so that individuals or end-users using the cloud only perform very high-level (business oriented) configuration. This paper investigates the security challenges posed by the transparency of distribution, abstraction of configuration and automation of services by performing a detailed threat analysis of cloud computing across its different deployment scenarios (private, bursting, federation or multi-clouds). This paper also presents a risk inventory which documents the security threats identified in terms of availability, integrity and confidentiality for cloud infrastructures in detail for future security risks. We also propose a methodology for performing security risk assessment for cloud computing architectures presenting some of the initial results.
Downloads
References
[2] Derek Brink, Security and cloud best practices July 2011, Aberdeen
[3] The Coras Model-based method for security risk analysis, Folker den Braber, GyrdBrændeland, Heidi E. I. Dahl, Iselin Engan, Ida Hogganvik, Mass S. Lund, BjørnarSolhaug, KetilStølen, Fredrik Vraalsen, SINTEF, Oslo September 2006
[4] R. Buyya, C. S. Yeo, S. Venugopal, Market-Oriented Cloud Computing: Vision, Hype, and Reality for Delivering IT Services as
Computing Utilities, Keynote Paper, Proceedings of the 10th IEEE International Conference on High Performance Computing and Communications, pp. 5-13, 2008
[5] Cloud Computing: Special theme, European research consortium for Informatics and mathematics (ERCIM), ISSN 0926-4981
[6] A. Juan Ferrer, F. Hernandez, J. Tordsson, E. Elmroth, C. Zsigri, R. Sirvent, J. Guitart, R.M. Badia, K. Djemame, W. Ziegler, T. Dimitrakos, S.K. Nair, G. Kousiouris, K. Konstanteli, T. Varvarigou, B. Hudzia, A. Kipp, S. Wesner, M. Corrales, N. Forgo, T. Sharif, and C. Sheridan, OPTIMIS: a Holistic Approach to Cloud Service Provisioning, Proceedings of 1st International Conference on Utility and Cloud Computing (UCC 2010), Chennai, India, December 2010.
[7] R. Buyya, C.S Yeo, S. Venugopal, J. Broberg, I. Brandic, Cloud Computing and Emerging IT Platforms: Vision, Hype, and Reality for Delivering Computing as the 5th utility. Future Generation Computer Systems, 25, 599 – 616, 2008
[8] R. Sandhu, J. Park, Usage Control: A Vision for Next Generation Access Control Lecture Notes in Computer Science, 2003, Volume 2776/2003, 17-31, DOI: 10.1007/978-3-540-45215-7_2
[9] Information risk analysis methodology (IRAM), Information Security Forum (ISF), Available at: https://www.securityforum.org/iram
[10] Virtual Data Centre (VDC) – A New Concept in Service Delivery, BT, Available at http://globalservices.bt.com/LeafAction.do?Record= Virtual_Data_Centre_products_uk_en-gbLast Accessed November 2010
[11] I. Foster, Y. Zhao, I. Raicu, S Lu. Cloud Computing and Grid Computing 360-Degree Compared. In GCE ’08: Grid Computing Environments Workshop, pages 1–10. IEEE, November 2008
[12] P. Mell and T. Grance, The NIST Definition of Cloud Computing, National Institute of Standards and Technology, October 2009
[13] R. Buyya, K. Bubendorfer. “Market Oriented Grid and Utility Computing”, Wiley Press, New York, USA, 2008.
[14] R. Sailer, T. Jaeger, E. Valdez, Building a MAC-Based Security Architecture for the Xen Open-Source Hypervisor. Proceeding ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
[15] Vmwarenat networking buffer overflow vulnerability. [Online]. Available: http://secunia.com/advisories/18162/
[16] M. Carpenter, T. Liston, and E. Skoudis, Hiding virtualization from attackers and malware, IEEE Security and Privacy, vol. 5, no. 3, pp. 62–65, 2007
[17] C. Cifuentes, A. Fraboulet, Intra procedural static slicing of binary executables, Proceedings of the International Conference on Software Maintenance, Bari, Italy, Oct 1997, pages 188–195, IEEE-CS Press
[18] J. Bergeron, M. Debbabi, J. Desharnais, M. M. Erhioui, Y. Lavoie, N. Tawbi, Static detection of malicious code in executable programs, Int. J. of Req. Eng. (2001)
[19] P. Saripalli and B. Walters, QUIRC: A Quantitative Impact and Risk assessment framework for Cloud security, pgs:280-288, Proceedings of IEEE 3rd International Conference on Cloud Computing, 2010
[20] SAS 70 Type 2 Audit, SAS 70, Website Available at http://sas70.com/sas70_overview.html
[21] U. Bayer, A. Moser, C. Kruegel, E. Kirda, Dynamic Analysis of
Malicious Code, EICAR 2006 Special Issue
[22] Afnan Ullah Khan1,2, Manuel Oriol2,3, Mariam Kiran, Ming Jiang, Karim Djemame,” Security Risks and their Management in Cloud Computing”IEEE,2012