Quantitative risk assessment under multi-context environments

Zhang, Su

January 1900

Doctor of Philosophy / Department of Computing and Information Sciences / Xinming Ou / If you cannot measure it, you cannot improve it. Quantifying security with metrics is important not only because we want to have a scoring system to track our efforts in hardening cyber environments, but also because current labor resources cannot administrate the exponentially enlarged network without a feasible risk prioritization methodology. Unlike height, weight or temperature, risk from vulnerabilities is sophisticated to assess and the assessment is heavily context-dependent. Existing vulnerability assessment methodologies (e.g. CVSS scoring system, etc) mainly focus on the evaluation over intrinsic risk of individual vulnerabilities without taking their contexts into consideration. Vulnerability assessment over network usually output one aggregated metric indicating the security level of each host. However, none of these work captures the severity change of each individual vulnerabilities under different contexts. I have captured a number of such contexts for vulnerability assessment. For example, the correlation of vulnerabilities belonging to the same application should be considered while aggregating their risk scores. At system level, a vulnerability detected on a highly depended library code should be assigned with a higher risk metric than a vulnerability on a rarely used client side application, even when the two have the same intrinsic risk. Similarly at cloud environment, vulnerabilities with higher prevalences deserve more attention. Besides, zero-day vulnerabilities are largely utilized by attackers therefore should not be ignored while assessing the risks. Historical vulnerability information at application level can be used to predict underground risks. To assess vulnerability with a higher accuracy, feasibility, scalability and efficiency, I developed a systematic vulnerability assessment approach under each of these contexts. ​

Vulnerability assessment

Quantitative risk assessment

Cloud computing security

Zero-day vulnerability assessment

Software dependency risk assessment

Network security (attack graph)

Computer Science (0984)

Cost and security issues in implementing cloud computing by small and medium-sized enterprises in Pretoria

Twala, Andrian Wilby.

January 2016

M. Tech. Business Administration / The main objective of this study was to identify and quantify the issues in implementing cloud computing by small and medium business in Pretoria. The empirical data were collected using an online self-administrated questionnaire. The respondents were taken using a mere random sampling of 120 SMEs in Pretoria. A total of 102 usable responses was obtained. A quantitative approach was applied.

Dissertations, Academic -- South Africa.

Faktorer som påverkar en framgångsrik övergång från lokalt lagrade system till molnbaserade IT-system ur tre aktörers perspektiv : En intervjustudie ur kund-, projektgrupp- och systemimplementatörsperspektiv / Factors that Influence a Successful Transition from On-Premise to Cloud-based IT System, form the Perspective of Three Actors : An Interview Study from the Customer, Project Group and System Implementer Perspectives

Skystedt, Sebastian

January 2019

I takt med att världen digitaliseras och att allt fler företag börjar upptäcka fördelarna med molnbaserade IT-system, så misslyckas fortfarande hela 2/3 av alla IT-projekt trots att liknande projekt har gjorts många gånger förut. Denna kandidatuppsats har som syfte identifiera, beskriva och förklara de faktorer som påverkar en övergång från dagens lokalt lagrade system till molnbaserade IT-system, ur kund-, projektgrupp- och systemimplementatörsperspektiv. Primära empiriska data har samlats in genom kvalitativa intervjuer av fyra respondenter. Intervju-erna fokuserade på deras erfarenheter och uppfattningar om vilka faktorer som påverkar en övergång från lokalt lagrade system till molnbaserade IT-system. Respondenterna har olika perspektiv och har olika arbetsbakgrund, men gemensamt är att samtliga arbetar inom IT-området. Tre av dem har syste-mimplementatörsbakgrund och den fjärde arbetar som IT-chef hos ett kundföretag. En viktig slutsats från denna studie är att det inte finns lika stora risker vid en övergång till ett molnbaserat IT-system som marknaden upplever. De faktorer som har en hög påverkan på en fram-gångsrik övergång från lokalt till molnbaserade IT-system, Ur ett systemimplementatörsperspektiv är det individen och den individuella förmågan och kompetens. Ur ett projektgruppperspektiv är det att etablera en effektiv kommunikation.  Ur ett kundperspektiv är deras mognad och samsyn för projektet

information system

cloud computing

saas

iaas

paas

user resistance

migration

technology implementation

Cloud Computing Security

security

risks

success factors

molntjänst

Information Systems

Compliance Issues In Cloud Computing Systems

Unknown Date

Appealing features of cloud services such as elasticity, scalability, universal access, low entry cost, and flexible billing motivate consumers to migrate their core businesses into the cloud. However, there are challenges about security, privacy, and compliance. Building compliant systems is difficult because of the complex nature of regulations and cloud systems. In addition, the lack of complete, precise, vendor neutral, and platform independent software architectures makes compliance even harder. We have attempted to make regulations clearer and more precise with patterns and reference architectures (RAs). We have analyzed regulation policies, identified overlaps, and abstracted them as patterns to build compliant RAs. RAs should be complete, precise, abstract, vendor neutral, platform independent, and with no implementation details; however, their levels of detail and abstraction are still debatable and there is no commonly accepted definition about what an RA should contain. Existing approaches to build RAs lack structured templates and systematic procedures. In addition, most approaches do not take full advantage of patterns and best practices that promote architectural quality. We have developed a five-step approach by analyzing features from available approaches but refined and combined them in a new way. We consider an RA as a big compound pattern that can improve the quality of the concrete architectures derived from it and from which we can derive more specialized RAs for cloud systems. We have built an RA for HIPAA, a compliance RA (CRA), and a specialized compliance and security RA (CSRA) for cloud systems. These RAs take advantage of patterns and best practices that promote software quality. We evaluated the architecture by creating profiles. The proposed approach can be used to build RAs from scratch or to build new RAs by abstracting real RAs for a given context. We have also described an RA itself as a compound pattern by using a modified POSA template. Finally, we have built a concrete deployment and availability architecture derived from CSRA that can be used as a foundation to build compliance systems in the cloud. / Includes bibliography. / Dissertation (Ph.D.)--Florida Atlantic University, 2015. / FAU Electronic Theses and Dissertations Collection

Biometric identification

Cloud computing -- Security measures

Computational intelligence

Computer software -- Quality control

UM FRAMEWORK DE SEGURANÇA BASEADO EM ENGENHARIA DIRIGIDA POR MODELOS PARA PLATAFORMAS DE COMPUTAÇÃO EM NUVEM: Uma Abordagem para Modelos SaaS. / AN ENGINEERED SAFETY FRAMEWORK DIRECTED BY MODELS FOR COMPUTER PLATFORMS IN CLOUD: An approach to SaaS Models.

MATOS, Pablo Luís Castro de

31 August 2015

Submitted by Maria Aparecida (cidazen@gmail.com) on 2017-08-24T11:52:22Z No. of bitstreams: 1 Pablo.pdf: 5598718 bytes, checksum: cce40776950abfd027f223d50cfca06c (MD5) / Made available in DSpace on 2017-08-24T11:52:22Z (GMT). No. of bitstreams: 1 Pablo.pdf: 5598718 bytes, checksum: cce40776950abfd027f223d50cfca06c (MD5) Previous issue date: 2015-08-31 / CAPES,CNPQ,FAPEMA / The development and use of software based on cloud computing have been highlighted more and more nowadays. Software as a Service (SaaS) has been considered as a trend for small, medium and large companies, subtly acquiring presence in personal computing too. This service popularizing brings with it many challenges concerning to information security handled by their suppliers and the vulnerability of their applications. In this work, we propose a SaaS development framework by combining the Model-Driven Engineering (MDE) with merging techniques of domain-security models and domainapplication model. This approach involves the use of MDE techniques for achieving such adaptation and assist in the software development process. By adopting the MDE approach, it is possible to combine elements of different models, from source models reaching a target model by using weaving techniques. A prototype implements the proposed framework and reuses the Mapping Tool for Model Driven Engineering (MT4MDE) and Semi-Automatic Matching Tool for Model Driven Engineering (SAMT4MDE) in order to demonstrate the used methodology. The results demonstrate the feasibility and benefits of combining several security aspects in the development process of SaaS. / O desenvolvimento e a utilização de softwares baseados em computação em nuvem têm conquistado cada vez mais destaque na atualidade. A oferta de SaaS (Software as a Service) se mostra uma tendência não apenas para as grandes empresas, mas também para as pequenas e médias, adquirindo espaço também na computação pessoal de forma transparente. Esta relativa popularização do serviço traz consigo muitos desafios no que se refere à segurança da informação manipulada pelos seus fornecedores e a vulnerabilidade de suas respectivas aplicações. Neste trabalho, propomos um framework de desenvolvimento de SaaS, fazendo uso da Engenharia Dirigida por Modelos (MDE) aliada a técnicas de fusão de modelos do domínio de segurança a modelos do domínio da aplicação. Esta abordagem envolve a utilização de técnicas de MDE para se alcançar tal adaptação e auxiliar na condução do processo de desenvolvimento do software. Através da adoção da abordagem MDE é possível realizar a junção de elementos de modelos diferentes, a partir de modelos fonte alcançando-se um modelo alvo pela utilização de técnicas de weaving. Um protótipo implementa o framework proposto e reutiliza as ferramentas Mapping Tool for Model Driven Engineering (MT4MDE) e Semi-Automatic Matching Tool for Model Driven Engineering (SAMT4MDE) na demonstração da metodologia usada. Os resultados demonstram a viabilidade e os benefícios da combinação de vários aspectos de segurança no processo de desenvolvimento de um SaaS.

Sistemas de Informação

Protecting security in cloud and distributed environments

He, Yijun, 何毅俊

January 2012

Encryption helps to ensure that information within a session is not compromised. Authentication and access control measures ensure legitimate and appropriate access to information, and prevent inappropriate access to such resources. While encryption, authentication and access control each has its own responsibility in securing a communication session, a combination of these three mechanisms can provide much better protection for information. This thesis addresses encryption, authentication and access control related problems in cloud and distributed environments, since these problems are very common in modern organization environment. The first one is a User-friendly Location-free Encryption System for Mobile Users (UFLE). It is an encryption and authentication system which provides maximum security to sensitive data in distributed environment: corporate, home and outdoors scenarios, but requires minimum user effort (i.e. no biometric entry, or possession of cryptographic tokens) to access the data. It makes users securely and easily access data any time and any place, as well as avoids data breach due to stolen/lost laptops and USB flash. The multi-factor authentication protocol provided in this scheme is also applicable to cloud storage. The second one is a Simple Privacy-Preserving Identity-Management for Cloud Environment (SPICE). It is the first digital identity management system that can satisfy “unlinkability”and “delegatable authentication” in addition to other desirable properties in cloud environment. Unlinkability ensures that none of the cloud service providers (CSPs), even if they collude, can link the transactions of the same user. On the other hand, delegatable authentication is unique to the cloud platform, in which several CSPs may join together to provide a packaged service, with one of them being the source provider which interacts with the clients and performs authentication, while the others are receiving CSPs which will be transparent to the clients. The authentication should be delegatable such that the receiving CSP can authenticate a user without a direct communication with either the user or the registrar, and without fully trusting the source CSP. The third one addresses re-encryption based access control issue in cloud and distributed storage. We propose the first non-transferable proxy re-encryption scheme [16] which successfully achieves the non-transferable property. Proxy re-encryption allows a third-party (the proxy) to re-encrypt a ciphertext which has been encrypted for one party without seeing the underlying plaintext so that it can be decrypted by another. A proxy re-encryption scheme is said to be non-transferable if the proxy and a set of colluding delegatees cannot re-delegate decryption rights to other parties. The scheme can be utilized for a content owner to delegate content decryption rights to users in the untrusted cloud storage. The advantages of using such scheme are: decryption keys are managed by the content owner, and plaintext is always hidden from cloud provider. / published_or_final_version / Computer Science / Doctoral / Doctor of Philosophy

Data encryption (Computer science)

Authentication.

Cloud computing - Security measures.

Cloud computing - Access control.

Ontology Based Security Threat Assessment and Mitigation for Cloud Systems

Kamongi, Patrick

12 1900

A malicious actor often relies on security vulnerabilities of IT systems to launch a cyber attack. Most cloud services are supported by an orchestration of large and complex systems which are prone to vulnerabilities, making threat assessment very challenging. In this research, I developed formal and practical ontology-based techniques that enable automated evaluation of a cloud system's security threats. I use an architecture for threat assessment of cloud systems that leverages a dynamically generated ontology knowledge base. I created an ontology model and represented the components of a cloud system. These ontologies are designed for a set of domains that covers some cloud's aspects and information technology products' cyber threat data. The inputs to our architecture are the configurations of cloud assets and components specification (which encompass the desired assessment procedures) and the outputs are actionable threat assessment results. The focus of this work is on ways of enumerating, assessing, and mitigating emerging cyber security threats. A research toolkit system has been developed to evaluate our architecture. We expect our techniques to be leveraged by any cloud provider or consumer in closing the gap of identifying and remediating known or impending security threats facing their cloud's assets.

Ontology

Cybersecurity

Cloud Computing

Vulnerability

Ranking

Threat

Risk

Prediction

Assessment

Mitigation

Systems

Computer networks -- Security measures.

Computer security.

Cloud computing -- Security measures.

Ontologies (Information retrieval)

Cybersecurity framework for cloud computing adoption in rural based tertiary institutions

Patala, Najiyabanu Noormohmed

18 May 2019

MCom (Business Information Systems) / Department of Business Information Systems / Although technology is being progressively used in supporting student learning and enhancing business processes within tertiary institutions, certain aspects are hindering the decisions of cloud usage. Among many challenges of utilizing cloud computing, cybersecurity has become a primary concern for the adoption. The main aim of the study was to investigate the effect of cloud cyber-security usage at rural based tertiary institutions in order to compare the usage with an urban-based institution and propose a cybersecurity framework for adoption of cloud computing cybersecurity. The research questions focused on determining the drivers for cloud cybersecurity usage; the current adoption issues; how cybersecurity challenges, benefits, and quality affects cloud usage; the adoption perceptions and awareness of key stakeholders and identifying a cloud cybersecurity adoption framework. A quantitative approach was applied with data collected from a simple random sample of students, lecturers, admin and IT staff within the tertiary institutions through structured questionnaires. The results suggested compliance with legal law as a critical driver for cloud cybersecurity adoption. The study also found a lack of physical control of data and harmful activities executed on the internet as challenges hampering the adoption. Prevention of identity fraud and cheaper security costs were identified as benefits of adoption. Respondents found cloud cybersecurity to be accurate and effective, although most of the students and employees have not used it. However, respondents were aware of the value of cybersecurity adoption and perceive for it to be useful and convenient, hence have shown the intention of adopting it. There were no significant elements identified to differentiate the perceptions of usage at rural and urban-based tertiary institutions. The results of the study are to be used for clarifying the cybersecurity aspects of cloud computing and forecasting the suitability cloud cybersecurity within the tertiary institutions. Recommendations were made on how tertiary institutions and management can promote cloud cybersecurity adoption and how students, lecturers, and staff can effectively use cloud cybersecurity. / NRF

Cloud computing adoption

Cloud computing security

Cloud cyber-security framework

005.57071168257

Computer networks -- Security measures.

Security system