Transcription
A Framework for Cloud Security AssessmentA Scenario-based, Stakeholder-Oriented ApproachAbdullah Abuhussein, Sajjan ShivaComputer Science DepartmentThe University of MemphisMemphis, TN{bhussein, sshiva}@memphis.eduAbstract— Cloud consumers are hesitant in choosing anappropriate cloud service as they are under the assumption thatclouds are not safe for their data and operations. This is due tothe presence of a trust gap between cloud service consumers andcloud service providers (CSP) as well as a lack of understandingamong consumers about what security and privacy (S&P)attributes best fit their requirements. In this paper, we propose aframework to assist consumers in making educated decisionswhen shopping for cloud S&P . First, the framework illustrates alist of potential S&P issues and recommends evaluative S&Pattributes. Second, it enables consumers to assess the degree ofsecurity in two or more cloud services against the recommendedattributes. Third, it enables consumers to compare theirassessments using various instructive graphs. The proposedframework improves S&P of clouds by following a scenariobased and a stakeholder-oriented approach to enable consumersto comprehend their interaction with the cloud for bettersecurity. With this tool, we aim to raise the bar for securityawareness in cloud computing (CC) and also form the basis forcloud S&P metrics against a standard benchmark in the future.Keywords— cloud computing, cloud computing security andprivacy, cloud taxonomy, cloud stakeholders, security and privacy,service computing, cloud economics, cloud metrics.I.INTRODUCTIONCloud computing (CC) has emerged as the computingmodel for providing utility-based, on-demand infrastructure,platform and software services for anyone, anywhere andanytime. Despite the potential gains achieved from CC, thesecurity of data and processing aspects is still questionable andimpacts CC adoption. Cloud security includes old and wellknown issues like the ones related to user access, networks,and authentication as well as emerging issues. Most of theemerging issues are tied to cloud stakeholders’ trustworthiness,accountability, and multi-tenancy. As a consequence, cloudadopters find themselves faced with concerns associated withloss of control, and lack of trust. While efforts to improve CCsecurity and privacy (S&P) have proliferated lately, progresstoward improvement has been frustratingly slow because: Many cloud adopters in their haste to reduce costs focus juston performance at the expense of security. Lack of a complete understanding of the Cloud ServiceProvider’s (CSP) environment, applications or services beingpushed to the cloud, and operational responsibilities The multidimensional nature of CC due to cloud servicescomposability, scalability, and elasticity. Lack of consensus among stakeholders on cloud S&P issues,S&P solutions, and accountability. The absence of transparency among CC stakeholders anddecline of healthy competitiveness among cloud serviceproviders (CSPs) as a result of the lack of consensus on CCstandards. Organizations have many different CC security objectives(e.g. different requirements, assets, exposure to public, andtolerances to security risks) Laws and regulations divergence among industries based indifferent geographical locations.Cloud consumers are often unable to evaluate allavailable alternatives in great depth. While shopping forcloud services, consumers are often using two-stageprocesses to reach their decisions. At the first stage,consumers typically screen a large set of available cloudS&P attributes to identify the necessary and sufficient onesfor a robust service. Subsequently, they evaluate the latter inmore depth, perform a comparison of CSPs on importantS&P attributes, and make a purchase decision.Given the different tasks to be performed, we aredeveloping a framework of three interactive tools thatprovide support to consumers in the following aspects:(1) Cloud Service Security Recommender (CSSR): supportscloud adopters in the initial screening of availablenecessary, and sufficient S&P attributes to determinewhich ones are worth considering further.(2) CSP Catalogue: supports cloud adopters in storing andviewing the description of cloud services in the form of anorganized and curated collection of S&P evaluativeattributes and then assessing the attributes readiness tosecure and deter by answering a set of polar questions thatcorrespond to each attribute.(3) Cloud Service Security Assessor (CSSA): supports cloudadopters in the in-depth comparison of multiple cloudservices, provisioned by multiple CSPs, before making theactual purchase decision.This paper is organized in the following way: We brieflysurvey the related work in Section II. We describe ourframework and its conceptual basis, as well as the toolsinfrastructure in Section III. In Section IV, we present theframework evaluation. Finally, in Section V, we present ourfuture work followed by the conclusion.
II. RELATED WORKIn a nutshell, considerable progress has been made inwalking customers through shopping for cloud services andquantitatively ranking cloud services [1,2, 3, 4, 5, 6 and 7 ].These efforts in cloud service selection are either: Geared towards selecting a service based on its qualities, itsnon-functional requirements, or QoS with minimal focus onsecurity. Focused on a particular cloud service model like softwareas-a-service (SaaS), platform-as-a-service (PaaS), orInfrastructure as a service (IaaS). Tailored to choose a service based on existing consumers’feedback only, future consumer’s requirements only, orneglecting customer participation. Designed to treat all selection criteria equally in terms oftheir importance. Focused on assessing risks, threats, or mean failure cost incloud platforms.In this paper, we present a framework to assist current orfuture cloud adopters in shopping for a cloud service by (1)assisting them in identifying the necessary and sufficient S&Pattributes for a safe cloud environment, (2) selecting pre-storedCSPs from a service catalog or entering new CSPs into theservice catalog and (3) finally comparatively assessing thedegree of security in the S&P attributes that each one of theCSPs offer in order to make a purchase decision.III. THE CLOUD SECURITY ASSESSMENT FRAMEWORKThis section presents the framework components shown inFig 1. The framework comprises three interactive tools that aredesigned to assist consumers in making a well-educateddecision. The three tools are illustrated in turn.Cloud Service SecurityRecommenderCSP 1.jFrameworkuserS&P Attributes 1.nCloud ServiceProvider Cataloguedefensive action(s) and corresponding (set of) securityattribute(s). To demonstrate how CSSR taxonomies can betraced to secure CC, consider the following use case: An(Application Developer) consumer wants to develop a SaaSapplication and deploy it on top of a public cloud infrastructurefor public to use. In this case, the developer consumes IaaS andPaaS. The developer is also a provider of SaaS that isconsumed by the end users. Our taxonomy represents everyscenario as:Scenario (Stakeholder, Service, Deployment)Example 1: Sc1 (Application Developer, IaaS, Public)Example 2: Sc2 (End User, SaaS, Public)Fig. 2. CSSR TaxonomiesCSSR [12] (i.e. php/mysql tool) accepts a consumptionscenario as an input and outputs a set of potential S&P issuesthat can compromise the scenario and a set of S&P attribute(s)that are required to safeguard the scenario from each issue.The tool landing page prompts CSSR user to select aservice model (e.g. SaaS, Pass, or IaaS), a deployment model(e.g. public, private, community, or hybrid) and identifyconsumer type (e.g. application developer, tester, deployers,application administrator, end user, organization, softwareadministrator, system administrator, third party softwareprovider/designer). Based on user input the tool retrieves theS&P issues and their corresponding S&P attributes as in Fig 3.Cloud Service SecurityAssessorCloud Security Assessment FrameworkFig. 1. Framework User interaction with the componentsA) Cloud Service Security Recommender (CSSR) [8]This component of the framework supports cloud adoptersin identifying the necessary and sufficient S&P attributes todetermine which ones are worth considering further. CSSR(Fig 2.) achieves this by using three taxonomies A, B and C.The three taxonomies enable stakeholders to comprehend theirCC model(s), identify potential security issues based onpossible attack surfaces and also educates stakeholders aboutthe potential security issues by listing each one's operationalimpact(s), informational impact(s), and then recommendsFig. 3. CSSR represents S&P issues (Attack Vector) and recommendedAttributes (Defense) for Scenario (End User, SaaS, Public)
EncryptionIR2?TABLE II. OUR LIST OF ATTRIBUTES AND THEIR CLASSIFICATIONSDetection?By visiting a CSP website, consumers can collect and logthe various security, privacy, and service-level policies andprocedures to answer the attribute questions. Then, consumersthemselves can recognize when security goals are met based ontheir requirements and the tool output. We developed an onlinetool [11] (php/mysql) that encompasses our list of attributesalong with their corresponding considerations. The tool enablesconsumers to save their entries for a CSP and view results invarious informative charts. All saved entries form a CSPcatalogue that benefits future cloud consumers.C) Cloud Services Security Assessor (CSSA)As illustrated earlier, properties of an attribute aredescribed using a list of considerations (polar questions).Every S&P attribute has its own set of considerations.FunctionPrevention?1. Is the data transferred to and from the cloud service encrypted bydefault?2. Is the data that resides on cloud servers encrypted by default?3. Does CSP have different offerings of encryption?4. Is data encrypted while in process?5. Do the CSP admins know the keys used to decrypt consumers’ data?6. Does CSP support encryption that happens on consumers’ computers(client-side)?7. Is data encrypted in the backup facility?8. Does CSP follow standards for encryption?9. If (8) is yes, does encryption comply with standards in the countrieswhere the service resides?10. If (8) is yes, does encryption comply with standards in the countrieswhere the service is consumed?Default?ConsiderationService Related?Fee Involved?A SAMPLE SECURITY ATTRIBUTE FOR CC.ServiceTangible?TABLE I.AttributeIaaSPaaSSaaSThis approach is stakeholder-oriented and scenario-basedsince the taxonomies perform a scenario analysis to identify theissues and recommend S&P attributes. This scenario analysisdepends on the type of stakeholder who interacts with thecloud.B) CSP Catalogue [9]A cloud service offered by a CSP comprises a set of S&Pchoices (i.e. S&P attributes) to secure and deter. The set ofattributes together specifies the S&P of service offered. A CSPmay have multiple offerings of the same S&P attribute (e.g.single factor authentication, multifactor authentication) or mayallow consumers to obtain an attribute from a third partyvendor. When obtaining a cloud service, hesitant consumersare left to decide on (1) the necessary S&P attributes and (2)the appropriateness of each S&P attribute in terms of thedegree of security it provides. We investigated and identified25 S&P attributes for the three standard cloud services (SaaS,PaaS, IaaS), that was generated through a thematic analysis ofthe services offered by real-world CSPs. We highlightedattribute aspects that should matter to consumers whenresearching different CSPs. We refer to these aspects asconsiderations. In this work context, the considerations consistof more than 200 polar questions (i.e. Yes/No questions) thatassess the degree of S&P in all attributes. These questionsenable cloud consumers to decide whether their goals for cloudS&P are met. This is widely known as the Goal QuestionsMetric (GQM) approach [10]. Table I depicts a sampleattributes (i.e. encryption) along with its considerations. A fulllist of attributes and their classifications shows in Table II.X X X Y Y Y Y XEncryptionX X X Y Y Y YBackupX X X Y Y Y Y XAuthentication andIdentity ManagementX XDedicated hardwareData IsolationDisaster RecoveryHypervisor SecurityClient SideProtection9) ServiceMonitoringAccess Control &Customizable profilesSecure Data CenterLocationStandards andCertificationsData SanitizationX YProtectability11 2 3 4 5 6 7 8X XXXXXXX XY YXXXX Y YYX X X Y Y Y YXXXX Y YYXXXY Y XXX X X YXX X X Y Y Y Y XX X X Y YY XX X XX XXX XXX X X X X X X X X XX X XY Y YXX X XYX X X X X X X X X XY XX X X XX X X Y Y Y YXX X XYY XX XX X XYYXX X XYYX X X X X X X X X XX X XYX X XX X XYYXXX X X XXX X X X X X X X X XService Self-healing X X X Y YXX XService AvailabilityX X XYXX X X X X X X X X XRisk ManagementX X XYXX X X X X X X X X XSecurity AwarenessX X XXX X X XXXX XXSLA Guarantee andConformitySecure ScalabilitySecure ServiceCompositionS/w and H/wProcurementInsider trustTechnology ChangeSecure NetworkinginfrastructureSecurity InsuranceX X Y YX X X X XX X X XXX X X YX X XX X X XX X XX X XXXX X X X X X X X XThese considerations decide the goodness of each attribute.CSSA relies on these considerations to quantify the degree ofS&P in an attribute provided by a CSP. Based on theconsiderations, each attribute of a CSP will receive a score. Ifthe answer to the consideration question is “Yes”, the attributereceives a score of 1, and 0 otherwise. The later denotes thateither the provider did not provide an answer to a considerationof an attribute or the answer is “No”. The attribute score issimply the weighted summation of all consideration scorevalues of an attribute normalized to a scale of 1-10 as follows:AttributeScore service i 1( 𝑛𝑗 ���𝑗 ) 10𝑛Protectability: attribute protects cloud environment from the following: 1 ClientSecurity, 2 Interface Issues, 3 Network Security, 4 VirtualizationSecurity, 5 Governance Security, 6 Compliance Security, 7 LegalIssues, 8 Data Security2IR: Incident Response
Fig. 4. CSSA operations flow to compute S&P AssessmentWe use a multi-criteria decision-making (MCDM) methodto compare, rank, and select from multiple alternatives (CSPs),each having multiple S&P attributes. Once all the attributescomposing a service provisioned by a CSP are scored in termsof the degree of S&P they have, a CSP is now ready forassessment tentatively as follows:𝑞Servicei S&P Assessment 𝑗 1 𝐴 ��𝑒 ij * WijWhere, AttributeScoreij denotes attribute score forattributes from 1 to q of CSPi, and Wij denotes the importanceweight for every attribute composing the scenario. A scenarioweights are represented by a fraction of 1 such that the sum ofall weights of attributes must equal 1. Attribute weights of ascenario are tentatively treated as of equal importance.Fig 4 shows how CSSA assesses the degree of S&P inmultiple services provided by multiple CSPs. Once CSSRrecommends S&P attributes for a particular scenario, CSPcatalogue retrieves all CSPs who offer a matching service.After this, the user chooses two or more CSPs from the list tocomparatively assess the degree of security in the S&Pattributes they offer.After computing S&P assessment for all the cloud servicesthat were chosen by the user, CSSA then sorts (i.e. ascending,descending) the services according to their degree of S&P inthe service according to the assessment. A service selectionalgorithm is presented in Fig 5.Fig. 5. CSSA service ranking algorithmIV. FRAMEWORK EVALUATIONMany organizations like National Institute of Standards andTechnology (NIST) and Cloud Security Alliance (CSA) havepublished S&P controls for cloud services [13 and 14]. Ourwork complements these standards by utilizing these securitycontrols and enabling CC consumers to understand and chooseamong security attributes from a pool of security attributes.To validate the correctness of framework output, we used areal-world example from recent publications. In late 2014,Code Spaces [16], a subversion and git (i.e. open sourcedistributed version control system) hosting provider forsoftware projects management and development was subjecteda DDoS attack [17]. That DDoS attack turned out to be asmokescreen for another attack that was aimed at gainingaccess to the target’s systems. Cyber security analystsdescribed the incident as a textbook case and caused thecompany to shut down. Code Spaces was hosted on anAmazon web services (AWS) infrastructure where the backingup of data is left entirely to the end user. Several vendors offersolutions to ease backup efforts from Elastic Compute Cloud(EC2), but at a cost. According to the proposed framework(CSSR, CSSA in particular), Code Space is a (System Admin)consumer of IaaS and should have obtained disaster recovery,backup attributes among others to maintain minimum S&Prequirements which it did not.The presented framework is extensible and updatable dueto its taxonomical nature. CSSR administrators keep track ofany emerged and/or obsolete technology or S&P issues whenCSSR lacks attribute(s) or over-recommends an attribute(s).Because CSSR ensures consistency, lack of redundancy (i.e.,complementarity), and internal completeness of the generatedscenarios, it can fully support user requirement variance towardfully meeting their CC needs. Also, the framework presentedenables S&P in clouds to become more quantifiable towardimproving security awareness and thus supports: (1) S&Passessment of a service offered by a CSP against “otherservices offered by other CSPs”. Given a consumption modeland, at least, two CSPs, a score can be computed for every CSPindividually to support selecting a particular service with theappropriate (e.g. maximum gain, minimum cost) securityfeatures. (2) This work also paves the way for cloud S&Pmetrics against “a standard benchmark” in the future.V. FUTURE WORK AND CONCLUSIONSecurity cannot be managed, if it cannot be measured. Yet,large CSPs are still finding themselves victims of security and
privacy incidents. Also, consumers of cloud services need tounderstand their security threats, responsibilities, and needs.They need to be able to make well-educated decisions in orderto take proactive measures against potential security issues andembrace the cloud with confidence. As such, this workprovides important tools that can help shape cloud stakeholdersunderstanding of their responsibilities and needs in the cloud.With the three components of the proposed framework we aimto increases cloud consumers’ awareness of the S&P issues;increases cloud consumers’ knowledge in the recent S&Psolutions that are available in market, increases the CSPwillingness to make these S&P solutions available for theirclients, increases transparency among consumers and CSPs,and encourages healthier competitiveness among CSPs.Unfortunately, CSPs cannot be forced to cooperate inentering their offerings details into the CSP catalogue tool, andwe do not anticipate that they will voluntarily make theirsecurity attributes publicly available. However, they aremotivated to cooperate with US-CERT and other entities thatcollect and disseminate the necessary (but possiblyinsufficient) information to keep our CSP catalogue current.Also, it is obvious how CC poses many challenges for U.S.law enforcement and national security agencies andcommercial organizations. These challenges are mainlysecurity challenges and technical challenges for digital crimefighters. This work aims to quickly and profoundly change theway the nation addresses growing national CC securitychallenges posed by the CC revolution and by the increasingglobal availability of sophisticated CC technologies. Itpromotes best practices in transparency, accountability, andcommitment in the cloud. It enables stakeholders to make welleducated decisions in terms of S&P features in cloudenvironments. Thus, this project aims to improve nationalsecurity.First and foremost, the goal of this work is to appropriatelysecure CC models. We will continue to enhance our frameworkand its three components and provide additional S&P attributesand additional capability. For instance, CSSA attributesweights are now treated equally in terms of importance. We arecurrently working on enabling cloud consumers to prioritizeweights so that they can increase the weight of the attributesthat are more important to them or decrease attribute’s weightif customers can tolerate their risks.ACKNOWLEDGMENTThis work is partially supported by The Cluster to Advancecyber Security & Testing (CAST) at the University ][11][12][13][14][15][16]Saripalli, Prasad, and Ben Walters. "Quirc: A quantitative impact andrisk assessment framework for cloud security." In Cloud Computing(CLOUD), 2010 IEEE 3rd International Conference on, pp. 280-288.Ieee, 2010.Ribas, M., Furtado, C. G., de Souza, J. N., Barroso, G. C., Moura, A.,Lima, A. S., & Sousa, F. R. (2015). A Petri net-based decision-makingframework for assessing cloud services adoption: The use of spotinstances for cost reduction. Journal of Network and ComputerApplications, 57, 102-118.Sun, L., Ma, J., Zhang, Y., Dong, H., & Hussain, F. K. (2016). CloudFuSeR: Fuzzy ontology and MCDM based cloud service selection.Future Generation Computer Systems, 57, 42-55.Steven, J., & Peterson, G. (2003). A Metrics Framework to DriveApplication Security Improvement. IEEE Security & Privacy, 1(4), 8891.Garg, S. K., Versteeg, S., & Buyya, R. (2013). A framework for rankingof cloud computing services. Future Generation Computer Systems,29(4), 1012-1023.Garg, S. K., Versteeg, S., & Buyya, R. (2011, December). SMICloud: aframework for comparing and ranking cloud services. In Utility andCloud Computing (UCC), 2011 Fourth IEEE International Conferenceon (pp. 210-218). IEEE.Alnemr, R., Pearson, S., Leenes, R., & Mhungu, R. (2014, December).Coat: cloud offerings advisory tool. In Cloud Computing Technologyand Science (CloudCom), 2014 IEEE 6th International Conference on(pp. 95-100). IEEE.Abdullah Abuhussein, Sajjan G. Shiva, and F.T Sheldon, CSSR: CloudServices Security Recommender, IEEE 11th World Congress onServices- Emerging Technology Track: Dependable and Secure Services(DSS 2016), San Francisco, USA, Jun2 26- July 3, 2016.A. Abuhussein, F. Alsubaei, S. Shiva, and F. Sheldon, “EvaluatingSecurity and Privacy in Cloud Services”, In the 2016 IEEE NATACOMPSAC Symposium on Novel Applications and TechnologyAdvances in Computing, the 40th Annual Computer Software andApplications Conference (COMPSAC), Atlanta, Georgia, USA - June10-14, 2016Van Solingen, R., Basili, V., Caldiera, G., & Rombach, H. D. (2002).Goal question metric (gqm) approach. Encyclopedia of softwareengineering.Evaluate A Service Provider, [online] Available: http://www.measurecloud-security.com/ (2016)CSSR, [online] Available: http://www.measure-cloud-security.com/(2016)CSA: Cloud Control Matrix. Cloud Security Alliance [online], CSACCM v3.0 (2013)DRAFT, F. P., Recommended security controls for federal informationsystems and organizations. NIST Special Publication, 800, 53. Chicago,2009Code Spaces, (2015), accessed from: http://www.codespaces.com/S., Ragan, Code Spaces forced to close its doors after security ident.html
security. With this tool, we aim to raise the bar for security awareness in cloud computing (CC) and also form the basis for cloud S&P metrics against a standard benchmark in the future. Keywords— cloud computing, cloud computing security and privacy,
