A Quantitative Methodology for Cloud Security Risk Assessment

Srijita Basu, Anirban Sengupta, Chandan Mazumdar

Abstract

Assets of Cloud stakeholders (Service Providers, Consumers and Third Parties) are the essential elements required to carry out necessary functions / services of the cloud system. Assets usually contain vulnerabilities that may be exploited by threats to jeopardize the functioning of the cloud system. Therefore a proper risk assessment methodology is required to determine the asset-specific and stakeholder-specific risks so as to be able to control them. Existing methodologies fail to comprehensively evaluate various risk elements like asset value, vulnerabilities and threats. This paper is an attempt to quantitatively model all risk elements and devise a methodology to assess risks to assets and stakeholders of a cloud system.

References

  1. Bell, D.E., and LaPadula, L.J., 1976 "Secure Computer Systems: Unified Exposition and Multics Interpretation", ESD-TR-75-306, MTR 2997 Rev. I, Mitre Corporation, Bedford, Massachusetts, USA, 1976.
  2. Bhattacharjee, J., Sengupta, A., and Mazumdar, M., 2013. “A Formal Methodology for Enterprise Information Security Risk Assessment”. In International Conference on Risks and Security of Internet and Systems (CRiSIS). France: IEEE, pp. 1-9.
  3. Casola V., et.al. 2005. “A Reference Model for Security Level Evaluation: Policy and Fuzzy Techniques.” In Journal of Universal Computer Science. 11(1), pp. 150-174.
  4. Cayirci, E., Garaga, A., Santana, A., and Roudier, Y., 2014. “A Coud Adoption Risk Assessment Model”. In 7th International Conference on Utility and Cloud Computing. London: IEEE, pp. 908-913.
  5. CSA. (2014), The Notorious Nine Cloud Computing Top Threats in 2013, [online] Available at https://downloads.cloudsecurityalliance.org/initiatives/ top_threats/The_Notorious_Nine_Cloud_Computing_ Top_Threats_in_2013.pdf. [Accessed 16 November 2016]
  6. Djemame, K., Armstrong D., Guitart J., and Macias M., 2016. “A Risk Assessment Framework for Cloud Computing”. In IEEE Transactions on Cloud Computing. 4(3), pp. 265-278.
  7. ENISA, “Cloud Computing; Benefits, Risks and Recommendations for Information Security,” 2009 Edition, Place: Available at http://www.enisa.europe.eu, [Accessed 16 November 2016]
  8. Hashizume, K. Rosado, D.G., Fernández-Medina, E., and Fernandez, E.B., 2013 “An analysis of security issues for cloud computing”, In J. Int. Serv. App. vol. 4(5), . pp. 1-13.
  9. “ISO/lEC 27005:2005,” Information technology - Security techniques - Code of practice for information security management”, Switzerland, 1st Edition.
  10. “ISO/lEC 27005:2011, “Information technology - Security techniques Information security risk management”, Switzerland, 1st Edition.
  11. “ISO/ lEC 17789:2014(E), Information technology - Cloud Computing - Reference Architecture”, Switzerland, 1st Edition.
  12. Jansen, W. and Grance, T., 2011. “Guidelines on Security & Privacy in Public Cloud Computing”. In Computer Security Publications from the National Institute of Standards and Technology (NIST) SP 800-144. Gaithersburg: National Institute of Standards & Technology.
  13. Kaplan, S., and Garrick B.J., 1981. “On The Quantitative Definition of Risk,” In the Journal of Risk Analysis 1(1), pp. 11-27.
  14. Luna, J. L., Langenberg, R., and Suri, N. 2012. “Benchmarking cloud security level agreements using quantitative policy trees”. Cloud Computing Security Workshop, 103. doi:10.1145/2381913.2381932.
  15. Mell, P. M., and T. Grance., 2011. “The NIST Definition of Cloud Computing.” In Computer Security Publications from the National Institute of Standards and Technology (NIST) SP 800-145. Gaithersburg: National Institute of Standards & Technology.
  16. Mell, P., Scarfone, K., and Romanosky, S., 2007 “CVSS - A Complete Guide to the Common Vulnerability Scoring System Version 2.0”.
  17. Sengupta, A., Mazumdar, C., and Bagchi, A., 2009. “A Formal Methodology for Detection of Vulnerabilities in an Enterprise Information System”, In Proceedings of the Fourth International Conference on Risks and Security of Internet and Systems (CRiSIS), 2009, France:IEEE, 74-81.
Download


Paper Citation


in Harvard Style

Basu S., Sengupta A. and Mazumdar C. (2017). A Quantitative Methodology for Cloud Security Risk Assessment . In Proceedings of the 7th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER, ISBN 978-989-758-243-1, pages 120-131. DOI: 10.5220/0006294401200131


in Bibtex Style

@conference{closer17,
author={Srijita Basu and Anirban Sengupta and Chandan Mazumdar},
title={A Quantitative Methodology for Cloud Security Risk Assessment},
booktitle={Proceedings of the 7th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER,},
year={2017},
pages={120-131},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006294401200131},
isbn={978-989-758-243-1},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 7th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER,
TI - A Quantitative Methodology for Cloud Security Risk Assessment
SN - 978-989-758-243-1
AU - Basu S.
AU - Sengupta A.
AU - Mazumdar C.
PY - 2017
SP - 120
EP - 131
DO - 10.5220/0006294401200131