SecSDLC: A Practical Life Cycle Approach for Cloud-based Information Security

Cloud computing services offer significant benefits to information technology (IT) systems, such as reduced cost and shorter implementation time compared to traditional IT environments. However, cloud multi-tenancy and the web-enabled architecture create a complex environment in which to develop and manage information security and compliance programs. At the enterprise level, risk and threat management becomes a problem when it fails to protect cloud confidentiality, integrity, and availability (CIA). In this paper, a practical cloud security system development life cycle (SecSDLC) methodology is proposed to provide a holistic approach to effective and efficient cloud information security. The SecSDLC is based on industry best practices and on widely used and accepted methodologies, namely the waterfall SDLC and NIST SP 800-64 Revision 2 on information security in the system development life cycle. Our previously developed solutions for cloud intrusion detection and prevention, security system monitoring, secure SLAs, and compliance auditing are incorporated into the SecSDLC. A formal methodology is proposed to address concerns regarding cloud security and compliance requirements. The goal is to increase the probability of a successful information security program and to reduce the likelihood of missing or inadequate components that could compromise cloud information security.
