Threat-Specific Security Risk Evaluation in the Cloud

Existing security risk evaluation approaches (e.g., asset-based) do not take the specific security requirements of individual cloud computing clients into account. In this paper, we propose a threat-specific risk evaluation approach that uses various security attributes of the cloud (e.g., vulnerability information, the probability of an attack, and the impact of each attack associated with the identified threat(s)) together with the client-specific security requirements in the cloud. Our approach allows a security administrator of the cloud provider to make fine-grained decisions when selecting mitigation strategies, in order to protect the outsourced computing assets of individual clients against specific threats according to their specific security needs. This differs from the existing asset-based approaches, which cannot evaluate the security of the cloud with respect to specific threats. The proposed approach, in contrast, enables security administrators to compute a range of more effective client-specific countermeasures that reflect the importance each client assigns to security requirements and threats. The experimental evaluation results demonstrate that the most effective security solutions vary with the specific threats prioritized by different clients for an application in the cloud. Further, the proposed approach is not limited to cloud-based systems, but can easily be adapted to other networked systems. We have also developed a software tool to support the proposed approach.
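To make the idea of threat-specific, client-specific risk concrete, the following is an added illustrative example; it is not the paper's model or its software tool. It assumes a deliberately simple scoring model: every vulnerability is reachable through one or more threats, carries an estimated attack probability and a per-requirement impact (confidentiality, integrity, availability), and every client weights both the requirements and the threats. Risk is aggregated per threat, then each candidate countermeasure is ranked by how much weighted risk it removes for that particular client per unit of cost. All vulnerability ids, probabilities, impacts, clients and countermeasures are constructed placeholders.

```python
"""Illustrative threat-specific risk scoring per cloud client.

Added example with an assumed weighted-sum model; not the formulas or the tool
from the paper. All identifiers and numbers below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Vulnerability:
    vid: str                           # placeholder id, not a real CVE
    threats: FrozenSet[str]            # threats that can exploit this vulnerability
    p_attack: float                    # estimated probability of a successful attack
    impact: Dict[str, float]           # impact per security requirement, in [0, 1]


@dataclass(frozen=True)
class Client:
    name: str
    weights: Dict[str, float]          # importance of each security requirement
    threat_priority: Dict[str, float]  # importance of each threat to this client


@dataclass(frozen=True)
class Countermeasure:
    name: str
    removes: FrozenSet[str]            # vulnerability ids it mitigates
    cost: float                        # relative deployment cost (constructed)


# Constructed sample data: three vulnerabilities, two clients, three countermeasures.
VULNS: List[Vulnerability] = [
    Vulnerability("VULN-1", frozenset({"vm_escape"}), 0.3,
                  {"confidentiality": 0.9, "integrity": 0.8, "availability": 0.4}),
    Vulnerability("VULN-2", frozenset({"ddos"}), 0.6,
                  {"availability": 1.0}),
    Vulnerability("VULN-3", frozenset({"data_breach"}), 0.5,
                  {"confidentiality": 1.0}),
]

CLIENTS: Dict[str, Client] = {
    # An online shop cares most about staying up and about DDoS.
    "web-shop": Client("web-shop",
                       {"confidentiality": 0.3, "integrity": 0.3, "availability": 1.0},
                       {"ddos": 1.0, "vm_escape": 0.5, "data_breach": 0.5}),
    # A health-records tenant cares most about confidentiality and data breaches.
    "health-records": Client("health-records",
                             {"confidentiality": 1.0, "integrity": 0.8, "availability": 0.3},
                             {"data_breach": 1.0, "vm_escape": 0.8, "ddos": 0.2}),
}

MEASURES: List[Countermeasure] = [
    Countermeasure("rate_limit_api", frozenset({"VULN-2"}), cost=1.0),
    Countermeasure("patch_hypervisor", frozenset({"VULN-1"}), cost=3.0),
    Countermeasure("harden_storage_acl", frozenset({"VULN-3"}), cost=1.5),
]


def threat_risk(vulns: List[Vulnerability], client: Client, threat: str) -> float:
    """Risk that `threat` poses to `client`: sum over the vulnerabilities the threat
    can exploit of P(attack) times the client-weighted impact."""
    risk = 0.0
    for v in vulns:
        if threat not in v.threats:
            continue
        weighted_impact = sum(client.weights.get(req, 0.0) * imp
                              for req, imp in v.impact.items())
        risk += v.p_attack * weighted_impact
    return risk


def client_risk(vulns: List[Vulnerability], client: Client) -> float:
    """Total risk for one client: per-threat risk scaled by that client's threat priority."""
    return sum(prio * threat_risk(vulns, client, t)
               for t, prio in client.threat_priority.items())


def rank_countermeasures(vulns: List[Vulnerability], client: Client,
                         measures: List[Countermeasure]) -> List[Tuple[str, float, float]]:
    """Rank countermeasures by weighted risk removed per unit cost for this client.
    Returns (name, risk_reduction, reduction_per_cost), best first."""
    baseline = client_risk(vulns, client)
    ranked = []
    for m in measures:
        remaining = [v for v in vulns if v.vid not in m.removes]
        reduction = baseline - client_risk(remaining, client)
        ranked.append((m.name, reduction, reduction / m.cost))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for client in CLIENTS.values():
        print(f"{client.name}: total weighted risk = {client_risk(VULNS, client):.4f}")
        for name, red, per_cost in rank_countermeasures(VULNS, client, MEASURES):
            print(f"  {name:20s} removes {red:.4f}  ({per_cost:.4f} per unit cost)")
```

Running the script shows the point the abstract makes: the same three vulnerabilities and the same three countermeasures yield a different top recommendation for each client (API rate limiting for the availability-focused shop, storage hardening for the confidentiality-focused records tenant), because the threat priorities and requirement weights of the client change which risk is worth removing first.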
