Determining the security posture of containerized mission-critical systems is difficult given the vast number of parameters that determine a system's ability to withstand cyber-attacks. In many cases, technical audits can be performed to determine a system's security posture and to evaluate how well they are configured to protect against known cyber-threats. Properly configuring systems can lead to higher security, however, the configuration and auditing process can be time-consuming and error-prone. In addition, the results obtained from these audits can be difficult to summarize into one meaningful metric that accurately characterizes system's security posture as guided by customer needs. In this work, we propose an approach for computing a security-posture metric for containerized systems that supports operators during the sense-making process that follows traditional security audits. The results of this work can be used on a per-deployment case, taking into account what matters to operators of containerized mission-critical systems.
[1]
Shirley C. Payne,et al.
A Guide to Security Metrics
,
2007
.
[2]
Neeraj Suri,et al.
Benchmarking cloud security level agreements using quantitative policy trees
,
2012,
CCSW '12.
[3]
Andrew Jaquith.
Security Metrics: Replacing Fear, Uncertainty, and Doubt
,
2007
.
[4]
Margaret J. Robertson,et al.
Design and Analysis of Experiments
,
2006,
Handbook of statistics.
[5]
Jeremy M. Kaplan,et al.
Cloud-Trust—a Security Assessment Model for Infrastructure as a Service (IaaS) Clouds
,
2017,
IEEE Transactions on Cloud Computing.
[6]
Thanh Bui,et al.
Analysis of Docker Security
,
2015,
ArXiv.
[7]
G. Derringer,et al.
Simultaneous Optimization of Several Response Variables
,
1980
.
[8]
Neeraj Suri,et al.
A security metrics framework for the Cloud
,
2011,
Proceedings of the International Conference on Security and Cryptography.