TY - GEN
T1 - An Adjustable Risk Assessment Method for a Cloud System
AU - Chih, Chi An
AU - Huang, Yu-Lun
PY - 2015/11/6
Y1 - 2015/11/6
N2 - Although cloud computing technologies provide many advantages for organizations, security is still a barrier to widespread adoption by the public. Many cloud systems suffer from various attacks, including unauthorized data modification, denial of service, etc. Existing research uses risk assessments to evaluate the security of a cloud environment either from a CSP's viewpoint or from a user's point of view. The results of these works may not be precise enough, nor can they satisfy both the CSP's and the user's security requirements. We propose an Adjustable Cloud Risk Assessment systeM (ACRAM) for Cloud Service Providers (CSPs) and users to assess cloud security. ACRAM consists of a risk assessment module running in two modes (Offline or Online mode) with the help of a Security Service Level Agreement (SecSLA) signed by the CSP and the cloud user. The Offline mode is used for assessing the risk of a cloud based on the historical software vulnerabilities, while the Online mode is for assessing the risk of a cloud system at RUNTIME. To explain how ACRAM works for altering the potential threats in a cloud system, we conduct an experiment using different weights in Confidentiality (C), Integrity (I) and Availability (A). The results show that 1) the CSP can protect future users from being co-located with a possible attacker, and 2) the CSP can take some risk mitigation to meet a user's requirements and keep the user from being attacked.
AB - Although cloud computing technologies provide many advantages for organizations, security is still a barrier to widespread adoption by the public. Many cloud systems suffer from various attacks, including unauthorized data modification, denial of service, etc. Existing research uses risk assessments to evaluate the security of a cloud environment either from a CSP's viewpoint or from a user's point of view. The results of these works may not be precise enough, nor can they satisfy both the CSP's and the user's security requirements. We propose an Adjustable Cloud Risk Assessment systeM (ACRAM) for Cloud Service Providers (CSPs) and users to assess cloud security. ACRAM consists of a risk assessment module running in two modes (Offline or Online mode) with the help of a Security Service Level Agreement (SecSLA) signed by the CSP and the cloud user. The Offline mode is used for assessing the risk of a cloud based on the historical software vulnerabilities, while the Online mode is for assessing the risk of a cloud system at RUNTIME. To explain how ACRAM works for altering the potential threats in a cloud system, we conduct an experiment using different weights in Confidentiality (C), Integrity (I) and Availability (A). The results show that 1) the CSP can protect future users from being co-located with a possible attacker, and 2) the CSP can take some risk mitigation to meet a user's requirements and keep the user from being attacked.
KW - Cloud Risk Assessment
KW - Cloud Security
UR - http://www.scopus.com/inward/record.url?scp=84963603764&partnerID=8YFLogxK
U2 - 10.1109/QRS-C.2015.27
DO - 10.1109/QRS-C.2015.27
M3 - Conference contribution
AN - SCOPUS:84963603764
T3 - Proceedings - 2015 IEEE International Conference on Software Quality, Reliability and Security-Companion, QRS-C 2015
SP - 115
EP - 120
BT - Proceedings - 2015 IEEE International Conference on Software Quality, Reliability and Security-Companion, QRS-C 2015
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - IEEE International Conference on Software Quality, Reliability and Security-Companion, QRS-C 2015
Y2 - 3 August 2015 through 5 August 2015
ER -