Wenjuan Li,Lingdi Ping,Xuezeng Pan

DOI: https://doi.org/10.1109/iceie.2010.5559829

2010-01-01

Abstract:Security and interoperability is the biggest challenge to promote cloud computing currently. Trust has proved to be one of the most important and effective alternative means to construct security in distributed systems. In order to efficiently and safely construct entities' trust relationship in cloud and cross-clouds environment, this paper proposed a novel cloud trust model and a new cloud security framework. The propose trust model is domain-based. It divides one cloud provider's resource nodes into the same trust domain. It designs different trust strategies for different roles. Trust recommendation is treated as one type of cloud services just like computation or storage. Based on the proposed trust model, it introduced a novel cloud security framework with an independent trust management module. Using the proposed security model, it introduced some trust-based security mechanisms. Results of simulation experiments show that the proposed security model can achieve high transaction success rate with high trust accuracy.

Manel Medhioub,Mohamed Hamdi,Tai-Hoon Kim

DOI: https://doi.org/10.1109/AINA.2017.143

2017-01-01

Abstract:Cloud computing is an emerging economic model that provides a broad network access to services with many benefits to many tenants at the same time. Although it creates a large potential to develop new online services the evolution of cloud computing has been accompanied by the proliferation of various attacks against the services on the cloud infrastructures. The importance of risk management in cloud computing is mainly motivated by the dynamic context in which the services and applications are implemented. In fact, the intrinsic characteristics of cloud infrastructures prevent the use of previously developed process of traditional frameworks. The goal of this paper is to present a new risk management framework for better considering context parameters of cloud computing environment. An examle is considered in which the risk treatment process in this framework proposes how to dynamically balance between the security and performance degradation due to the implementation of security mechanism.

Ahmed E. Youssef

DOI: https://doi.org/10.48550/arXiv.2001.08993

2020-01-13

Cryptography and Security

Abstract:Security is considered one of the top ranked risks of Cloud Computing (CC) due to the outsourcing of sensitive data onto a third party. In addition, the complexity of the cloud model results in a large number of heterogeneous security controls that must be consistently managed. Hence, no matter how strongly the cloud model is secured, organizations continue suffering from lack of trust on CC and remain uncertain about its security risk consequences. Traditional risk management frameworks do not consider the impact of CC security risks on the business objectives of the organizations. In this paper, we propose a novel Cloud Security Risk Management Framework (CSRMF) that helps organizations adopting CC identify, analyze, evaluate, and mitigate security risks in their Cloud platforms. Unlike traditional risk management frameworks, CSRMF is driven by the business objectives of the organizations. It allows any organization adopting CC to be aware of cloud security risks and align their low-level management decisions according to high-level business objectives. In essence, it is designed to address impacts of cloud-specific security risks into business objectives in a given organization. Consequently, organizations are able to conduct a cost-value analysis regarding the adoption of CC technology and gain an adequate level of confidence in Cloud technology. On the other hand, Cloud Service Providers (CSP) are able to improve productivity and profitability by managing cloud-related risks. The proposed framework has been validated and evaluated through a use-case scenario.

Xuan ZHU,Ping PAN,Xin-yue MAO

DOI: https://doi.org/10.3969/j.issn.1002-0802.2016.12.023

2016-01-01

Abstract:In respect to the traditional information systems, cloud service is characterized by virtualization, mobility, fuzzy boundary and so on, thus its security evaluation becomes one of the most concerned problems. With cloud service security architecture as the research content, the main threat forms aganist of cloud service are analyzed, the evaluation system based on the analysis of the current cloud service security risk assessment system further modified and improved. Cloud service security risk assessment, based on their own situation, may choose the appropriate risk assessment model, thus to be further suitable for risk assessment practice, improve cloud-service security, risk management ability and business continuity.

Xue-mei XIE,Yu-xi ZHAO

DOI: https://doi.org/10.1016/s1005-8885(13)60211-3

2013-01-01

The Journal of China Universities of Posts and Telecommunications

Abstract:This paper reviews the literature about cloud computing, and establishes a framework for industry chain of personal cloud computing which is based on the current cloud industry chain in China. Then it summarizes the potential risks of personal cloud from the angle of user perception, including risk identification, qualitative evaluation, and risk handling strategy. Finally, according to the existing related policy or regulation scheme, this paper proposes some suggestions and optimization strategies about the personal cloud computing.

Nasir Raza,Imran Rashid,Fazeel Ali Awan

DOI: https://doi.org/10.1007/s12243-017-0567-6

2017-02-10

Annals of Telecommunications

Abstract:Cloud computing has attained tremendous popularity recently, leading to its fast and rapid deployment. However, privacy and security concerns have also increased in the same ratio. The adoption of cloud model has revealed new dimensions of attack, demanding major reconsideration and reevaluation of traditional security mechanisms. If an organization is operating in cloud environment without adopting essential security measures, it may face catastrophic consequences including loss of valuable data, financial damages, or reputation loss etc. Any organization in cloud architecture faces severe security threats and challenges for which a comprehensive security framework is needed. Certain frameworks exist in literature which focus deeply on specific cloud security issues; however, there is a dire need of comprehensive framework encompassing both security-related and management-related issues. This paper initially reviews security challenges and threats to data/applications in cloud environment. Furthermore, a comprehensive security and management framework is proposed for an organization operating in cloud environment. Proposed framework has been implemented in virtualized cloud environment to validate the efficacy of certain features of the model. The data center has been setup in virtualized environment through virtual machines on VMware ESXi-6 hypervisor layer. VMware vCloud-6 has been installed on top of it for provision of services to the users. The proposed framework is a set of guidelines that will adequately secure the organization’s data and applications. The framework incorporates a layered security architecture to achieve utmost level of security for nullifying the impact of threats.

telecommunications

Masky Mackita,Soo-Young Shin,Tae-Young Choe

DOI: https://doi.org/10.3390/fi11090195

2019-09-10

Future Internet

Abstract:Many companies are adapting cloud computing technology because moving to the cloud has an array of benefits. During decision-making, having processed for adopting cloud computing, the importance of risk management is progressively recognized. However, traditional risk management methods cannot be applied directly to cloud computing when data are transmitted and processed by external providers. When they are directly applied, risk management processes can fail by ignoring the distributed nature of cloud computing and leaving numerous risks unidentified. In order to fix this backdrop, this paper introduces a new risk management method, Enterprise Risk Management for Operationally Critical Threat, Asset, and Vulnerability Evaluation (ERMOCTAVE), which combines Enterprise Risk Management and Operationally Critical Threat, Asset, and Vulnerability Evaluation for mitigating risks that can arise with cloud computing. ERMOCTAVE is composed of two risk management methods by combining each component with another processes for comprehensive perception of risks. In order to explain ERMOCTAVE in detail, a case study scenario is presented where an Internet seller migrates some modules to Microsoft Azure cloud. The functionality comparison with ENISA and Microsoft cloud risk assessment shows that ERMOCTAVE has additional features, such as key objectives and strategies, critical assets, and risk measurement criteria.

Karim Djemame,Django J. Armstrong,Mariam Kiran,Ming Jiang

2011-01-01

Abstract:As the realization of Cloud computing environments advances from a simple and single private Cloud towards a more complex Cloud Service Ecosystem consisting of multiple coexisting public or hybrid Clouds, there are emerging high level concerns such as risk, trust, ecological, security, cost and legal factors that underpin the non-functional properties of the ecosystem. These concerns are beyond the traditional focus of providing functionalities at levels close to a single Cloud infrastructure such as hardware resource virtualization. In this paper we present ongoing research work to analyze and address the risk factor in such a Cloud Service Ecosystem for the purpose of optimizing Cloud service. The main contributions of the work are the design and implementation of an effective and efficient risk assessment framework (methodologies of risk identification, evaluation, mitigation and monitoring) for Cloud service provision. Together with the corresponding mitigation strategies, the framework provides technological assurance that will lead to a higher confidence of Cloud service consumers on one side and a cost-effective and reliable productivity of Cloud Service Provider (SP) and resources organized by individual Infrastructure Provider (IP) on the other side. The design of the risk assessment framework and its software toolkit implementation is part of the research and development work of the OPTIMIS (Optimized Infrastructure Services) project whose objective is to enable an open and dependable Cloud Service Ecosystem that delivers IT services that are adaptable, reliable, auditable and sustainable both ecologically and economically.

Yu Huiqun,Fan Guisheng

DOI: https://doi.org/10.3969/j.issn.1007-757X.2013.01.001

2013-01-01

Abstract:Security problem is one of the most concerned issues in cloud computing application.Features of cloud computing such as resource virtualization,distributed locations,behavioral dynamics,make its security a challenging problem.This paper addresses security models and management in cloud computing.Characteristics of cloud computing architectures are analyzed.A security framework of cloud computing and its components are proposed.Three phases of security management mode in cloud computing,i.e.,protection,monitoring and response,are presented.A sticky cloud data security policy model and its management mechanisms are articulated as well.

Jianhua Che,Yamin Duan,Tao Zhang,Jie Fan

DOI: https://doi.org/10.1016/j.proeng.2011.11.2551

2011-01-01

Procedia Engineering

Abstract:Cloud computing is introducing many huge changes to people's lifestyle and working pattern recently for its multitudinous benefits. However, the security of cloud computing is always the focus of numerous potential cloud customers, and a big barrier for its widespread applications. In this paper, to facilitate customers to understand the security status quo of cloud computing and contribute some efforts to improving the security level of cloud computing, we surveyed the existing popular security models of cloud computing, e.g. multiple-tenancy model, risk accumulation model, cube model of cloud computing, and summarized the main security risks of cloud computing deriving from different organizations. Finally, we gave some security strategies from the perspective of construction, operation and security incident response to relieve the common security issues of cloud computing.

English Else

Karim Djemame,Afnan Ullah Khan,Manuel Oriol,Ming Jiang,Mariam Kiran

DOI: https://doi.org/10.1109/CloudCom.2012.6427574

2012-01-01

Abstract:Cloud computing provides outsourcing of resources bringing economic benefits. The outsourcing however does not allow data owners to outsource the responsibility of confidentiality, integrity and access control, as it still is the responsibility of the data owner. As cloud computing is transparent to both the programmers and the users, it induces challenges that were not present in previous forms of distributed computing. Furthermore, cloud computing enables its users to abstract away from low-level configuration such as configuring IP addresses and routers. It creates an illusion that this entire configuration is automated. This illusion is also true for security services, for instance automating security policies and access control in cloud, so that individuals or end-users using the cloud only perform very high-level (business oriented) configuration. This paper investigates the security challenges posed by the transparency of distribution, abstraction of configuration and automation of services by performing a detailed threat analysis of cloud computing across its different deployment scenarios (private, bursting, federation or multi-clouds). This paper also presents a risk inventory which documents the security threats identified in terms of availability, integrity and confidentiality for cloud infrastructures in detail for future security risks. We also propose a methodology for performing security risk assessment for cloud computing architectures presenting some of the initial results.

Mohemed Almorsy,John Grundy,Amani S. Ibrahim

DOI: https://doi.org/10.1109/cloud.2011.9

2011-07-01

Abstract:Although the cloud computing model is considered to be a very promising internet-based computing platform, it results in a loss of security control over the cloud-hosted assets. This is due to the outsourcing of enterprise IT assets hosted on third-party cloud computing platforms. Moreover, the lack of security constraints in the Service Level Agreements between the cloud providers and consumers results in a loss of trust as well. Obtaining a security certificate such as ISO 27000 or NIST-FISMA would help cloud providers improve consumers trust in their cloud platforms' security. However, such standards are still far from covering the full complexity of the cloud computing model. We introduce a new cloud security management framework based on aligning the FISMA standard to fit with the cloud computing model, enabling cloud providers and consumers to be security certified. Our framework is based on improving collaboration between cloud providers, service providers and service consumers in managing the security of the cloud platform and the hosted services. It is built on top of a number of security standards that assist in automating the security management process. We have developed a proof of concept of our framework using. NET and deployed it on a testbed cloud platform. We evaluated the framework by managing the security of a multi-tenant SaaS application exemplar.

Carlos Bendicho

DOI: https://doi.org/10.1007/978-3-030-80119-9_28

2021-06-19

Abstract:The present paper shows a proposal of the characteristics Cloud Risk Assessment Models should have and presents the review of the literature considering those characteristics in order to identify current gaps. This work shows a ranking of Cloud RA models and their degree of compliance with the theoretical reference Cloud Risk Assessment model. The review of literature shows that RA approaches leveraging CSA (Cloud Security Alliance) STAR Registry that have into account organizations security requirements present higher degree of compliance, but they still lack risk economic quantification. The myriad of conceptual models, methodologies and frameworks although based on current NIST SP 800:30, ISO 27001, ISO 27005, ISO 30001, ENISA standards could be enhanced by the use of techno-economic models like UTEM, created by the author, in order to conceive more simplified models for effective Risk Assessment and Mitigation closer to the theoretical reference model for Cloud Risk Assessment, available for all cloud models (IaaS, PaaS, SaaS) and easy to use for all stakeholders.

Networking and Internet Architecture,Cryptography and Security

Tarek Ali,Mohammed Al-Khalidi,Rabab Al-Zaidi

DOI: https://doi.org/10.1080/08874417.2024.2329985

2024-03-31

Journal of Computer Information Systems

Abstract:Cloud computing faces more security threats, requiring better security measures. This paper examines the various classification and categorization schemes for cloud computing security issues, including the widely known CIA trinity (confidentiality, integrity, and availability), by considering critical aspects of the cloud, such as service models, deployment models, and involved parties. A comprehensive comparison of cloud security classifications constructs an exhaustive taxonomy. ISO27005, NIST SP 800–30, CRAMM, CORAS, OCTAVE Allegro, and COBIT 5 are rigorously compared based on their applicability, adaptability, and suitability within a cloud-based hosting methodology. The findings of this research recommend OCTAVE Allegro as the preferred cloud hosting paradigm. With many security models available in management studies, it is imperative to identify those suitable for the rapidly expanding and dynamically evolving cloud environment. This study underscores the significant methods for securing data on cloud-hosting platforms, thereby contributing to establishing a robust cloud security taxonomy and hosting methodology.

computer science, information systems

liangliang huang,yongjun shen,guidong zhang,huixia luo

DOI: https://doi.org/10.1109/ICEIEC.2015.7284476

2015-01-01

Abstract:Nowadays, information system security is faced with some serious problems which suffer increasing threats, the increasingly complicated environment and more and more uncertain factors. Moreover, there are some uncertainty, randomness and fuzziness in transforming between qualitative concepts and their quantitative expressions in the process of information security risk assessment. In order to improve objectivity and accuracy of information security risk assessment, information system security risk assessment based on multidimensional cloud model and the entropy theory is proposed in this paper.

Qisi Liu,Liudong Xing,Chaonan Wang

DOI: https://doi.org/10.1109/dsc.2017.35

2017-01-01

Abstract:With advances and globalization of information technology such as big data and cloud computing, topics about potential risks with security vulnerabilities have been brought to the forefront. Considerable efforts have been made to estimate network security risk with an unlimited cycle of disclosed vulnerabilities in the form of threats or attacks and managements to migrate these risks. On the other hand, reliability is often considered as one of the most vital factors that affect functions of critical computing systems. In this work, we explore a framework for considering both security and reliability risks, where their causes and effects are investigated. Risk assessment considering both security and reliability is then demonstrated through a case study, where a cloud RAID (redundant array of independent disks) storage system under DoS (denial-of-service) attacks is modeled and analyzed using an analytical method integrating Markov chains and binary decision diagrams.

Fan Lin,Jianbin Xiahou,Wenhua Zeng

DOI: https://doi.org/10.6138/jit.2015.16.7.20151103e

2015-01-01

Abstract:Virtualization asks for safer and better quality to service-oriented cloud computing system suppliers. Most of the traditional researching is focus on the risk assessment of the information system and DDoS, but lacking of researching on cloud computing in deep. So that the service-oriented cloud computing system risk evaluation researching is very essential. In this paper, we build a service-oriented cloud computing system risk assessment framework that using distributed dynamic status monitoring of virtual machine system and making risk prediction value to summarizing the final risk assessment level of the system as a whole. The model can be used in monitoring, identifying, predicting and evaluating for cloud computing security risk that is having effect on the risk evaluation of virtual machine node and whole cloud system. First we proposed a new method to identifying risk named LSA-GCC that used LSA for analyzing log files and cluster for classifying. The method doing the feed forward risk identification by collecting the log of the operating system and Web Service that are on VM node level,and the LSA-SAM method can improved the detecting accuracy for abnormal events. Then the risk predictiton method had been proposed that combined with RBFNN(Radial Basis Function Neural Network) and AHP. This method build a risk predicting model by AHP(Analytic Hierarchy Process) that consists of four indicators, that are P (performance), T (Time), A (event statistics) and R (risk identification). Each indicator include some monitoring parameters that can compute the risk indicator value by weight matrix. Experimental results show that MRPGA-RBF risk prediction method can predictive risk value accurately.

Victor Chang,Yen-Hung Kuo,Muthu Ramachandran

DOI: https://doi.org/10.1016/j.future.2015.09.031

IF: 7.307

2016-04-01

Future Generation Computer Systems

Abstract:This article presents a cloud computing adoption framework (CCAF) security suitable for business clouds. CCAF multilayered security is based on the development and integration of three major security technologies: firewall, identity management, and encryption based on the development of enterprise file sync and share technologies. This article presents the vision, related works, and views on security framework. Core technologies have been explained in detail, and experiments were designed to demonstrate the robustness of the CCAF multilayered security. In penetration testing, CCAF multilayered security could detect and block 99.95% viruses and trojans, and could achieve ≥85% of blocking for 100 h of continuous attack. Detection and blocking took <0.012s/trojan or virus. A full CCAF multilayered security protection could block all SQL (structured query language) injection, providing real protection to data. CCAF multilayered security did not report any false alarm. All F-measures for CCAF test results were ≥99.75%. The mechanism of blending of CCAF multilayered security with policy, real services, and business activities has been illustrated. Research contributions have been justified and CCAF multilayered security can be beneficial for volume, velocity, and veracity of big data services operated in the cloud.

Mariam Kiran,Ming Jiang,Django Armstrong,Karim Djemame

DOI: https://doi.org/10.1109/dasc.2011.89

2011-01-01

Abstract:The principles of risk management have been introduced in grid computing to help document and anticipate certain risks and manage them to ensure job executions are successful. Clouds are more complex environments with further concerns like risk, trust, eco-efficiency, green, security or cost. In this paper we present ongoing research work to analyze and address the risk factor in clouds with the aim of optimizing cloud services. The main contribution of this work is the presentation of a methodology for performing risk assessment in cloud environments including the target use cases, risk identification, mitigation and monitoring. Together with the corresponding mitigation strategies, the methodology provides technological assurance that will lead to a high confidence of Cloud service consumers on one side, and a cost effective and reliable productivity of cloud Service/Infrastructure Providers on the other side. The design of the risk assessment framework and its software toolkit implementation are part of the research and development work of the OPTIMIS (Optimized Infrastructure Services) project whose objective is to enable an open and dependable Cloud Service Ecosystem that delivers IT services that are adaptable, reliable, auditable and sustainable both ecologically and economically. The paper presents some preliminary results on the risk assessment of a Service/Infrastructure Provider at the cloud service deployment stage.

Yufu Wang,Mingwei Zhu,Jiaqiang Yuan,Guanghui Wang,Hong Zhou

2024-04-15

Abstract:Cloud computing (cloud computing) is a kind of distributed computing, referring to the network "cloud" will be a huge data calculation and processing program into countless small programs, and then, through the system composed of multiple servers to process and analyze these small programs to get the results and return to the user. This report explores the intersection of cloud computing and financial information processing, identifying risks and challenges faced by financial institutions in adopting cloud technology. It discusses the need for intelligent solutions to enhance data processing efficiency and accuracy while addressing security and privacy concerns. Drawing on regulatory frameworks, the report proposes policy recommendations to mitigate concentration risks associated with cloud computing in the financial industry. By combining intelligent forecasting and evaluation technologies with cloud computing models, the study aims to provide effective solutions for financial data processing and management, facilitating the industry's transition towards digital transformation.

Distributed, Parallel, and Cluster Computing,Artificial Intelligence