A New Shared and Comprehensive Tool of Cloud Computing Security Risk Assessment Saadia Drissi1, Siham Benhadou1, Hicham Medromi1 National High School of Electricity and Mechanics, ENSEM 8118, Casablanca, Morocco
[email protected]
Abstract. The cloud computing is a new trending paradigm that presents several benefits in achieving rapid and scalable resource provisioning capabilities to their users. Despite the fact that cloud computing offers many cost benefits for their cloud users, number of security risk are emerging in association with cloud usage that need to be assessed. Assessing risk in Cloud computing environment remains an open research issue. This paper presents a comprehensive and shared risk assessment method for cloud computing that will add a great help and assistance to both cloud consumers and cloud providers, which is also in compliance with all the specific characteristics of the Cloud Computing. An experimental result will be showed at the end to demonstrate the effectiveness of this new risk assessment model. Keywords: Cloud computing, security risk, comprehensive and shared risk assessment method, cloud consumers, cloud providers
1
Introduction
The cloud computing is a new model for enabling ubiquitous, convenient, ondemand network access to a shared pool of configurable computing resources that introduces several changes in technology (shared resources, multi-domain, multitenancy) [6]. Cloud computing introduces several challenges regarding security risk assessment. These include the assessment of several cloud actors in cloud computing environment, as well as an unknown risk profile that is affected by new tenants and originates from multiple points (e.g., the provider, Cloud users, cloud organization, the technology itself, other cloud actors, etc.). In spite of the advancement in cloud technologies, cloud computing being a novel technology introduces new security risks that need to be assessed [1]. Therefore, assessment of security risks is essential [2]. The current risk assessment methods (EBIOS, OCTAVE, and MEHARI [3], [4], [5], have not been designed specifically for cloud computing environments. In traditional IT environments, everyone in the business has to go to the IT department to obtain IT related services. However, for cloud computing, the risk assessment becomes more complex; cloud computing environment is multi-location environment in which each location can use different security and potentially employ various
148
mechanisms. In addition of these classical methodologies, several risk assessment The framework defines risk as a combination of the probability of a security threat event and its severity, measured as its Impact. methods have been suggested in the literature and also the CSA and ENISA lead a number of ongoing research initiatives (security guidance, CCM and STAR). Despite all these methodologies and initiatives, currently no complete and concise methodology exists for assessing security risks of cloud based solutions. Thus, the adoption of cloud solutions in a number of industries is stopped. Most of the studies view the problem of assessing security risks either from cloud customer or cloud provider perspectives. As consequence, there is a need of new risk assessment model which considers all relevant aspects of information security risk assessment and mainly the specific characteristics of Cloud computing environment. This paper proposes a new tool of the cloud computing security risk assessment on the basis of the previous researches. The following section discusses the risk assessment for cloud computing in the literature. In section 3, we describe our proposed risk assessment model for cloud computing. In section 4 an experimental result will be showed. Finally, some concluding remarks are given at the end.
2
Related work
Several risk assessment approaches have been discussed in the literature. However, none of them takes into account the relevant and specific characteristic nature of cloud computing [12], [13], [14], [15]. 2.1
Risk assessment in the literature
Security as a service solutions have been suggested to provide and support security assessments in which a hosted cloud solution will make assessments and stores the resulting data. Actually, several tools for a number of security assessment areas have been implemented using the delivery model SecaaS [22], [24]. In the provision of SecaaS model, cloud consumers get the typical advantages of using cloud computing such as scalability and service on demand. [25] In [23], the risk assessment as a service is presented as a new paradigm for measuring real time risk by one or more entities in the cloud. A cloud provider can perform continuous self-assessments as a best practice by assessing its own execution environment. However, this work has not implemented such a service but rather offer it as a paradigm to be pursued. Risk assessment has analyzed security risk by using qualitative or quantitative or the both approach. In [12], a quantitative risk and impact assessment framework (QUIRC) is introduced to assess associated six key categories of security objectives (SO) (i.e., confidentiality, integrity, availability, multi- party trust, mutual audit ability and usability) in a cloud computing platform. The impact is determined by Subject 149
Matter Experts, the knowledgeable about the impact of threats on their particular type of business. In [26], a SEmi-quantitative BLO-driven Cloud Risk Assessment (SEBCRA) prioritizes and categorizes cloud risks according to their impact on different Business Level objectives in a given organization. The approach is designed for a Cloud Service Provider (CSP) to improve the achievement of a BLO, i.e., profit maximization, by managing, assessing, and treating Cloud risks. In an exemplary experimentation, the risk assessment approach demonstrates that it enables a CSP to maximize its profit by transferring risks of provisioning its private Cloud to third party providers of cloud infrastructures. However, a simple method for qualitative or quantitative analysis will lead to the inaccuracy and one-sidedness of the evaluation results. Therefore, several studies used an integrated method of qualitative and quantitative analysis to assess risk in cloud environment [27], [13], [28], [26]. Graphs and mathematical models can be used to address and calculate security risk in clouds by simulating attacker possibilities. In [29] they presented a mathematical model for threats that considers communication in order to identify security risk for individual entities, and then calculates it for a whole enterprise. The model is built by representing communications as a directed graph and then established a matrix to discover the risk. Furthermore, in [28] a hybrid risk-analysis method based on decision tree analysis (quantities) and risk matrix (qualitative) is proposed for risk assessment. In this method, risk factor from a user’s viewpoint is systematically extracted with the Risk Breakdown Structure (RBS) method then analyzed and evaluated. A detailed countermeasure and proposal are produced on the basis of these results. The risk matrix method is used to classify risk into four kinds (Risk Avoidance, Risk Mitigation, Risk Acceptance, and Risk Transference) in accordance with the generation frequency and degree of incidence. In [13] a security risk assessment method has been introduced based on an Analytic Hierarchy Process (AHP) model. The assessment is carried out using the principles of: decomposition, pairwise comparison, and synthesis of weights. Thus, AHP has three layers of decomposition: formulating the problem of assessing cloud security risk in a hierarchical structure is the first step in AHP. Then, in level two, 8 major factors were identified for assessing. In level three, 39 factors were identified corresponding to higher levels and specific local conditions. The evaluation module uses the constructed AHP tree to assess the system with the help of the judgment matrix that is filled by the cloud's experts. Finally calculating the weighted vectors and getting the final risk order. In [30], a hierarchical framework is built to analyze the risk and set the goal for the assessment. After that, an indicator system is built under each principle and sub indicators are introduced for assessment. For example, the first indicator could be risk of cloud computing platform, risk of cloud storage, risk of cloud security and so on. Secondary indicators of cloud platform risk could then be risk of operating system, risk of application software and risk of availability. In [31], Trust Matrix is used for security risk analysis in cloud environments. Two variables, namely “data cost” and “provider’s history” are considered. In “data cost” users can assign a cost to data based on the data’s criticality whereas “Provider’s history” includes the record of the past services provided by the provider to consumers. Additionally, Cloud Control Matrix (CCM) has been released by CSA, as a baseline security control framework designed to help enterprises assess the risks
150
associated with a cloud provider. The CCM has included a risk management domain to ensure that formal risk assessments are aligned with the enterprise-wide framework, planned and scheduled at regular intervals determining the likelihood and impact of identified risks, using qualitative and quantitative methods. Thereby, it facilities transparency and increase trust level between the cloud customer and the cloud in order to make cloud a secure environment to the future of business [32]. 2.3
Discussion
After reviewing the literature, several risk assessment methodologies and frameworks have been reviewed and suggested. The risk assessment methods have been classified into five categories: assessment as a service, quantitative and qualitative, hierarchal, graph analysis and security matrix assessment. In addition to the risk assessment methods that have been reviewed, the CSA and ENISA lead a number of ongoing research initiatives (security guidance, CCM and STAR). Despite all these methodologies and initiatives, currently no complete and concise methodology exists for analyzing and evaluating security risks of cloud based solutions. A cloud-specific threats, vulnerabilities and risks have already been identified or assessed by numerous sources, but it still remains unclear how to assess risks basing on Information Risk Management frameworks or methods in the context of the Cloud. Thus, the adoption of cloud solutions in a number of industries is stopped. Most of the studies view the problem of assessing security risks either from cloud customer or cloud provider perspectives. The need for a comprehensive, shared, collaborative and intelligent risk assessment methodology that considers both customer and provider is recommended. Such as shared assessment enables the cloud provider to prove how the security risks have been managed and mitigated, as well as enabling the cloud consumer to determine the risk tolerance and define security requirements accordingly.
3
Research methodology
The risk assessment is not a very easy task to do regarding cloud computing, because of its complex nature. Therefore, in this part we will describe how to assess risk in cloud computing environment. Below the proposed risk assessment architecture that would be explained in detail in the next section.
151
Fig. 1.
3.1
Architecture of risk assessment model (RAMCC)
Identification of asset value
In cloud computing environment, there are several cloud actors and each one of them has their one security objectives and the risk assessment is purely based on decision making. Therefore, there is a need of model capable of dealing with such type of problems. To solve this problem, we will show up AHP in our work [17]-[18][19]. Such an asset assessment methodology incorporates a level of flexibility on the notion that several cloud actors can define their asset value in the same time. Thus, this paradigm can ensure the effectiveness, the flexibility and the automation to our proposed risk assessment model [21].
Fig. 2.
Decision tree of asset assesmment [20]
152
The asset value of each cloud actor is the average of the weight of confidentiality, availability and integrity. 3.2
Determination of vulnerability
Outsourcing services to cloud means been exposed to new vulnerabilities, thus, resulting in a modified identification of vulnerabilities and also means that the methodology used for conventional systems will be hard to use for cloud. To define vulnerabilities for each cloud actor, we require to define possible vulnerabilities in the cloud environment environment, determine the corresponding cloud actors to each vulnerability and finally, define the vulnerability value basing on the absence or ineffectiveness of controls. The following table demonstrates how to define vulnerabilities in cloud computing environment: TABLE I.
VULNERABILITIES IN CLOUD COMPUTING ENVIRONMENT
Vulnerabilities V1 V2 V3 V4 A5 …… Vn
3.3
Corresponding cloud actors Ac1 Ac2 Ac4 Ac2 Ac4 Ac6 Ac1 Ac8 Ac3 Ac7 Ac7 Ac8 Ac5 … Ac5 Ac4 Ac3
Vulnerability value v1 v2 v3 v4 v5 …. vh
Identification of threats
The main reason that threats are important elements of the information security risk assessment is that they help to determine the scope of the vulnerabilities of the system being assessed. In the cloud environment, each threats is mapped to indicative number of vulnerabilities and assets as mentionned in [33]. The following table demonstrates how to define threats in the cloud environment: TABLE II.
Threat T(R1) T(R2) T(R3) T(R4) T(5) …… T(Rn)
THREATS IN CLOUD COMPUTING ENVIRONMENT
Corresponding assets A1 A5 A6 A7 A1 A2 A3 A5 A6 A20 A1 A5 A6 A7 A9 A1 A2 A3 A9 A10 … …
153
Corresponding vulnerabilities
Threats value
V13 V46 V31 V34 V35 V25 V25 V6 V7 V5 V31 V46 V47 …. ….
t1 t2 t3 t4 t5 …. tn
The threat can be defined if there is at least one corresponding asset and vulnerability, and the threat value is product of probability of occurrence and the impact. 3.4
Determination of risks
For the fourth process of risk assessment, the measure of an IT risk can be determined as a product of threat, vulnerability and asset values: Risk = Threat * Vulnerability * Asset Threat= Impact*Probability Asset=max(Ai) + 0.05(m1-1)+ 0.04(m2-1)+ 0.03(m3-1)+0.02(m4-1)+ 0.01(m5-1)
(1) (2) (3)
Which m5 is the amounts of assets when the corresponding assets value between 0 and 0.2 Which m4 is the amounts of assets when the corresponding assets value between 0.2 and 0.4 Which m3 is the amounts of assets when the corresponding assets value between 0.4 and 0.6 Which m2 is the amounts of assets when the corresponding assets value between 0.6 and 0.8 Which m1 is the amounts of assets when the corresponding assets value between 0.8 and 1 Vulnerability= max(Vj) + 0.5(h1-1)+ 0.4(h2-1)+ 0.3(h3-1)+0.2(h4-1)+ 0.1(h5-1) Which h1 is the amounts of vulnerabilities is 5 Which h2 is the amounts vulnerabilities is 4 Which h3 is the amounts vulnerabilities is 3 Which h4 is the amounts vulnerabilities is 2 Which h5 is the amounts vulnerabilities is 1
(42)
vulnerabilities when the corresponding of vulnerabilities when corresponding of vulnerabilities when corresponding of vulnerabilities when corresponding of vulnerabilities when corresponding
At the end each cloud actors will be aware of the risks and vulnerabilities present in the cloud computing environment.
4
Experimentations We suppose the following scenario:
154
Fig. 3.
Cloud computing scenario
4.1 Asset value identification The asset identification table (Fig.4 and Fig.5) is as follow basing on preliminary analysis and assignment, in which each asset corresponds to one asset level and each defined asset can be assigned to one or more cloud actors:
Fig. 4.
Part of asset identification for the SaaS
155
Fig. 5.
Part of asset identification for the IaaS
4.2 Determination of vulnerability The following figure shows a part of cloud security management vulnerabilities of cloud organization, in which each vulnerability corresponds to one vulnerability level and each defined vulnerability can be assigned to one or more cloud actors.
Fig. 6.
vulnerabilities Determination in cloud computing environment
156
4.3 Identification of threats The following table shows threats on the basis of asset identification and vulnerability determination, in which each threat can be correspond to one or several assets and one or several vulnerabilities. And each threat can be calculated on the basis of the occurrence possibility and their possible impacts.
Fig. 7.
Part of threats identification
4.4 Identification of risks The following table shows all risks the present risk on cloud computing environment on the basis of the identification threats.
Fig. 8.
Risk variation for SaaS
Fig. 9.
Risk variation for IaaS
157
At the end each cloud actor will be aware of their corresponding risks as showen in the above figures (fig 8 and fig 9), the both figures are different, because each actor has their corresponding assets, their security objectives and their corresponding vulnerabilities.
5
Conclusion
In this paper, an use case have been performed in detail on the basis of the proposed web based solution, to demonstrate the effectiveness of this new comprehensive and shared risk assessment method for cloud computing that will add a great assistance and help to both cloud consumers and cloud providers. As consequence, with such an approach, the cloud consumers can be guaranteed data security and the cloud providers can win the trust of their consumers. As future work, the authors will show how they can benefit from multi-agent systems to improve the architecture and consolidate the security risk assessment for cloud computing. In addition, the authors will give primordial improvements of the proposed risk assessment method.
References 1.
Cloud Security Alliance (CSA): Top threats to cloud computing, version 1.0. http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf, March 2010. 2. Burton S. Kaliski Jr. and Wayne Pauley,Toward Risk Assessment as a Service in Cloud Environment, EMC Corporation, Hopkinton, MA, USA, 2010. 3. EBIOS, Central Directorate for Information Systems Security, Version 2010 website. [Online]. Available: http://www.ssi.gouv.fr. 4. Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE), Carnegie Mellon Software Engineering Institute, (1999). 5. Method Harmonized Risk Analysis (MEHARI) Principles and mechanisms CLUSIF, Issue 3, October 2004. 6. Mell P, Grance T. Perspectives on cloud computing and standards. National Institute of Standards and Technology (NIST). Information Technology Laboratory; 2009. 7. CSS, White paper on software and service architectures, Infrastructures and Engineering – Action Paper on the area for the future EU competitiveness Volume 2: Background information, Version 1.3,retrieved:15.08.2010,http://www.euecss.eu/contents/documentation/volume%20two_ECSS%20 White%20Paper.pdf 8. Miller, M. Cloud computing: Web-based applications that change the way you work and collaborate online. Indianapolis, 2008 9. Van Scoy, Roger L. Software Development Risk: Opportunity, Not Problem 10. R. Farrell, “Securing the cloud-governance, risk and compliance issues reign supreme,” Information Security Journal: A Global Perspective, 2010. 11. A. Sayouti, H. Medromi, Les Systèmes Multi-Agents : Application au Contrôle sur Internet, Auteurs Éditions universitaires européennes, Août 2012. 12. P. Saripalli and B. Walters, QUIRC: A Quantitative Impact and Risk Assessment Framework for Cloud Security, In the Proceedings of the IEEE 3rd International Conference on Cloud Computing, 2010, pp. 280-288.
158
13. Peiyu L., Dong L.. “The New Risk Assessment Model for Information System in Cloud Computing Environment”, Procedia Engineering 15 2011, pp. 3200 – 3204 . 14. Z. Xuan, N. Wuwong , et al., “Information Security Risk Management Framework for the Cloud Computing Environments,” in 2010 IEEE 10th International Conference on Computer and Information Technology (CIT), 2010. 15. Amit Sangroya, Saurabh Kumar, Jaideep Dhok, Vasudeva Varma, “Towards Analyzing Data Security Risks in Cloud Computing Environments”, International Conference on Information Systems, Technology, and Management (ICISTM), Bangkok, Thailand, 2010. 16. Drissi S., Houmani H., Medromi H., Survey: risk assessment for cloud computing, International Journal of Advanced Computer Science and Applications,2013, pp.143-148. 17. A. Altuzarra, J. M. Moreno-Jimnez and M. Salvador, A Bayesian prioritization procedure for AHPgroup decision making, European Journal of Operational Research, vol.182, no.1 , 2007, pp.367-382. 18. R. Ramanathan and L. S. Ganesh, Group preference aggregation methods employed in AHP: An evaluation and an intrinsic process for deriving members' weightages, European Journal of Operational Research, vol.79, no.2 , 1994, pp.249-265. 19. R. F. Dyer and E. H. Forman, Group decision support with the analytic hierarchy process, Decision Support Systems, vol.8, n.2, pp.99-124, 1992. 20. Sharman Lichtenstein Factors in the selection of a risk assessment method Information Management & Computer Security 4/4 [1996] 20–25 21. Drissi S and Medromi H, A new risk assessment approach for cloud consumer, Journal of Communication and Computer, 11 (2014 ), pp 52-58 22. Free Security Assessment by Trend Micro, Security Assessment Tool 23. Onwudebelu, U., Chukuka, B.: Will adoption of cloud computing put the enterprise at risk? In: 2012 IEEE 4th International Conference on Adaptive Science & Technology (ICAST), October 25-27, pp. 82–85 (2012) 24. Security Risk Assessment for Cloud and Web. Cenzic Cloud 25. SecaaS Category 5 Security Assessments Implementation Guidance. Cloud Security Alliance (September 2012) 26. Fito, J.O., Macias, M., Guitart, J.: Toward business-driven risk management for Cloud computing. In: 2010 International Conference on Network and Service Management (CNSM), October 25-29, pp. 238–241 (2010) 27. Djemame, K., et al.: A Risk Assessment Framework and Software Toolkit for Cloud Service Ecosystems. In: Cloud Computing 2011, The Second International Conference on Cloud Computing, GRIDs, and Virtualization (2011) 28. Tanimoto, S., Hiramoto, M., Iwashita, M., Sato, H., Kanai, A.: Risk Management on the Security Problem in Cloud Computing. In: 2011 First ACIS/JNU International Conference on Computers Networks, Systems and Industrial Engineering (CNSI), May 23-25, pp. 147–152 (2011) 29. Leitold, F., Hadarics, K.: Measuring security risk in the cloud-enabled enterprise. In: 2012 7th International Conference on Malicious and Unwanted Software (MALWARE), October 16-18, pp. 62–66 (2012) 30. Zhang, J., Sun, D., Zhai, D.: A research on the indicator system of Cloud Computing Security Risk Assessment. In: 2012 International Conference on Quality, Reliability, Risk, Maintenance, and Safety Engineering (ICQR2MSE), June 15-18, pp. 121–123 (2012) 31. Chandran, S., Angepat, M.: Cloud Computing: Analyzing the risk involved in cloud computing environments. In: Proceedings of Natural Sciences and Engineering, Sweden, pp. 2–4 (2010) 32. Cloud Security Alliance, Cloud Control Matri (September 26, 2013) 33. Catteddu, D., Hogben, G. (eds.): Cloud Computing: Benefits, risks and recommendations or information security. ENISA (2009)
159