Available online at www.sciencedirect.com
Procedia Engineering 15 (2011) 3200 – 3204
www.elsevier.com/locate/procedia
Advanced in Control Engineering and Information Science
The New Risk Assessment Model for Information System in Cloud Computing Environment
LIU Peiyu a,b, LIU Dong a,b,*
a School of Information Science and Engineering, Shandong Normal University, Jinan, Shandong 250014, China
b Shandong Provincial Key Laboratory for Distributed Computer Software Novel Technology, Jinan 250014, China
Abstract
Because Internet information systems face more security risk problems in a cloud computing environment, this paper sums up 8 kinds of threats to security principles and lists the corresponding factors. Taking into account the collaborative and virtualization features of cloud computing technology, adopting the theory of AHP and introducing a correlation coefficient to analyze the multiple-objective decision, the paper proposes a new information security risk assessment model based on AHP for the cloud computing environment. Finally, the model yields security risk assessment strategies for information systems in the cloud computing environment.
© 2011 Published by Elsevier Ltd. Open access under CC BY-NC-ND license. Selection and/or peer-review under responsibility of [CEIS 2011]
Keywords: cloud computing, risk assessment, analytic hierarchy process, information system
1. Introduction
Ever since Google CEO Eric Schmidt put forward the concept of cloud computing for the first time in 2006, it has developed rapidly and its related technology has gradually become a focus of academic research. By distributing computing tasks across a resource pool composed of a large number of computers, it enables users to access computing power, storage space and information services according to their demands, thus achieving utility computing[1]. Cloud computing will form a giant globalized IT service network[2] with cloud infrastructure as the core, offering different kinds of services such as cloud-based software and platform services and cloud application services.
* LIU Dong. Tel.: (+86)15165316401. E-mail address: [email protected]
1877-7058 © 2011 Published by Elsevier Ltd. Open access under CC BY-NC-ND license. doi:10.1016/j.proeng.2011.08.601
2. Cloud computing environment
To advance cloud computing, a series of critical problems must be solved, and security is a top priority. An Internet information system in a cloud computing environment faces numerous challenges:
(1) No uniform standard. Existing cloud computing platforms are deployed in a scattered way: the major manufacturers have each set up their own cloud platform with strong computing power, but the systems cannot interoperate because there is no uniform standard.
(2) Security risks in the cloud[3]. Potential security risks emerge as soon as users choose a cloud computing service, such as leaks of privacy, invasion of information assets, the security and auditability of data, the credibility of the cloud services platform and errors of large-scale distributed systems.
(3) Security risks that originate from the traditional Internet.
(4) Relevant policies and regulations that are not sound.
3. Information security risk assessment studies
Information security risk assessment assesses the threats to, impacts on and vulnerabilities of information processing facilities, and the likelihood of the three, in accordance with external and internal technology standards. It is an integral part of information management[4]. Risk analysis methods are generally divided into qualitative analysis, quantitative analysis and synthesis analysis. Using qualitative or quantitative analysis alone leads to inaccurate and one-sided evaluation results. In the assessment of a complex information system, qualitative and quantitative analysis should not simply be separated; on the contrary, the two methods should be combined into an integrated method[5]. In this paper, we take the integrated analysis method. An integrated method combines qualitative and quantitative analysis, using expert experience and objective facts to perform a comprehensive risk assessment of the information system.
4. The risk assessment model in cloud computing environment based on AHP
4.1. AHP Model
In this paper we summarize 8 evaluation criteria and list the corresponding influencing factors, as shown in Fig. 1.
Fig. 1. (a) AHP model; (b) corresponding factors
There are three layers in this model:
• Level one: Formulating the problem in a hierarchical structure is the first step in AHP. The top level, or focus of the problem, consists of the overall objective. In this model it corresponds to the overall assessment of the cloud computing system platform.
• Level two: It includes 8 attributes consisting of the major factors identified for assessing Level one.
• Level three: The lowest level holds the concrete assessment factors in the decision framework. 39 factors were identified corresponding to the higher levels and specific local conditions.
The analytic hierarchy process (AHP) has been frequently used as an appropriate means of analysis in dealing with this kind of dilemma. AHP is carried out using the following three principles: decomposition, pairwise comparison, and synthesis of weights[6]. AHP has a number of advantages in the assessment of a cloud computing system platform. First, it can effectively translate intricate problems into an orderly hierarchy, because of its strong capacity for solving multi-criteria decision problems. Secondly, the AHP approach is able to quantify the decision-maker's experiential judgments, particularly when the objectives lack quantifiable data[7].
4.2. Making Pairwise Comparison
Constructing evaluation matrices means fixing the weights of the goals by comparing them in pairs. A complex problem is decomposed into criteria, sub-criteria and alternatives from which a choice is made[8-9]. The fundamental 1 to 9 scale can be used to rank the judgments, as shown in Table 2. Following construction of the AHP model tree, it is extremely important that experts fill in the judgment matrix forms faithfully[10].
Table 2. A fundamental scale of 1 to 9
| Number Rating | Verbal Judgment of Preferences |
|---|---|
| 1 | Equally |
| 3 | Moderately |
| 5 | Strongly |
| 7 | Very |
| 9 | Extremely |
2, 4, 6, 8 indicate the medium values between the above pairwise comparison ratings.
4.3. Calculating Weight Vector
For the given matrix M, we solve its eigenvalue equation $MW = \lambda_{\max} W$, where W is a non-zero vector called the eigenvector and $\lambda_{\max}$ is a scalar called the eigenvalue. After standardizing the eigenvector W, we take the elements of W as the approximate local weights of the decision factors.
4.4. Checking for consistency
Next, it is necessary to execute a consistency validation for each hierarchy and for the framework as a whole, for every judgment matrix form[11]. If a hierarchy did not pass validation, the experts were required to adjust their forms until they passed[12].
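The weight calculation of 4.3 and the consistency validation of 4.4, worked through as an added example (not code from the paper). Assumptions: the four criterion names and both judgment matrices are constructed for illustration, and the acceptance rule is the usual Saaty consistency ratio (CR = CI/RI, accepted below 0.1), which the paper itself does not spell out.

```python
# Added example: AHP local weights (4.3) and consistency check (4.4).
# Saaty's random-index table and the CR < 0.1 cut-off are the usual AHP
# convention, assumed here; the paper does not state its acceptance rule.
RI = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

def reciprocal_matrix(n, upper):
    """Build an n x n judgment matrix from upper-triangle ratings on the 1-9 scale."""
    m = [[1.0] * n for _ in range(n)]
    for (i, j), rating in upper.items():
        if not (i < j and 1 / 9 <= rating <= 9):
            raise ValueError(f"bad judgment {(i, j)} -> {rating}")
        m[i][j] = float(rating)
        m[j][i] = 1.0 / rating  # reciprocal entry: a_ji = 1 / a_ij
    return m

def principal_eigen(m, iters=200, tol=1e-12):
    """Power iteration for M W = lambda_max W; W is normalised to sum to 1."""
    n = len(m)
    w = [1.0 / n] * n
    for _ in range(iters):
        mw = [sum(m[i][j] * w[j] for j in range(n)) for i in range(n)]
        nxt = [x / sum(mw) for x in mw]
        done = max(abs(a - b) for a, b in zip(nxt, w)) < tol
        w = nxt
        if done:
            break
    mw = [sum(m[i][j] * w[j] for j in range(n)) for i in range(n)]
    return sum(mw[i] / w[i] for i in range(n)) / n, w

def assess(m):
    """Return (weights, lambda_max, CR, accepted) for one judgment matrix."""
    n = len(m)
    lam, w = principal_eigen(m)
    ci = (lam - n) / (n - 1) if n > 1 else 0.0  # consistency index
    cr = ci / RI[n] if RI[n] else 0.0           # consistency ratio
    return w, lam, cr, cr < 0.10

# Constructed expert judgments over four hypothetical level-two criteria.
CRITERIA = ["confidentiality", "integrity", "availability", "auditability"]
CONSISTENT = reciprocal_matrix(4, {(0, 1): 2, (0, 2): 4, (0, 3): 8,
                                   (1, 2): 2, (1, 3): 4, (2, 3): 2})
# Same form with one contradictory entry: auditability dominates confidentiality.
CONTRADICTORY = reciprocal_matrix(4, {(0, 1): 2, (0, 2): 4, (0, 3): 1 / 9,
                                      (1, 2): 2, (1, 3): 4, (2, 3): 2})

if __name__ == "__main__":
    for label, m in (("consistent", CONSISTENT), ("contradictory", CONTRADICTORY)):
        w, lam, cr, ok = assess(m)
        print(label, dict(zip(CRITERIA, (round(x, 3) for x in w))), round(cr, 3), ok)
```

A form that fails the check goes back to the expert for adjustment, as described in 4.4, rather than having its weights used.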
5. Strategies of assessment
The paper collects samples through perceptions distributed in different areas. The data come mainly from the clouds, and the clients provide feedback on the effect of the assessment. Based on collaborative computing and distributed processing, all the perceptions collect the sample information collaboratively, and the collected data then go into the sample collectors. The collectors store the samples and provide the data source. During storage they make full use of virtualization in cloud computing technology, opening up virtual space and increasing security. The evaluation module uses the AHP model to assess the system with the help of the data from the collectors. The cloud servers store a large set of expert evaluations and divide the security risk into levels. The judgment matrix is filled in by the experts in the cloud computing service platform. Finally, the weight vector $(\omega_1, \omega_2, \ldots, \omega_n)$ is calculated and the final order is obtained. The results are obtained by the clouds and input to the knowledge base. The knowledge base is controlled by the cloud computing platform, and it inputs the theoretical results to the clouds. If a result is reasonable, it is added to the knowledge base; if it is not reasonable, the perceptions are informed and collect new samples. The knowledge base contains three data sets: weight vector sets, risk hierarchy sets and security strategy sets. The whole process is shown in Fig. 3.
To grade the risk rating, the paper introduces a correlation coefficient, Eq. (1), and analyses the correlation. The process is as follows: compute the correlation between the weight vectors calculated by the hierarchical analysis model (called theory weight vectors) and the corresponding factors in the knowledge base that have the same weight vector order as calculated by the cloud computing system.
$$\rho = \frac{ss_R}{\frac{1}{12} K^2 (n^3 - n)} \qquad (1)$$
where $ss_R$ denotes the sum of squared deviations of R, $ss_R = \sum R^2 - \frac{(\sum R)^2}{n}$, R is the sum of the weight vector factors, and K is the column number of the grade; in this paper it stands for the number of factors in the weight vector. n is the number of comparative objects; we set n to 2 in the paper. t is the number of same weight values. In the paper we define ρ > 0.7 as strong association, meaning the theoretical weight vector is consistent with the weight vector in the knowledge base, so we can grade the security level according to the result and input it to the cloud computing system, providing users with a targeted security policy and issuing security warnings to users in a timely manner.
6. Conclusions
The rise of cloud computing is pushing the assessment of information systems into a new horizon. Cloud computing platforms can (in theory) scale infinitely, with the addition of more hardware units bringing more resources to the system. Many existing challenges are exacerbated in the cloud. In this paper, we developed a novel AHP-based algorithm for assessing the information system in a cloud computing environment. The Analytical Hierarchy Process (AHP) is applied for optimal decision making and is adopted to obtain the weighting factors. In future work, we may introduce a warning mechanism to the information system for sensing threats from the cloud computing environment.
Acknowledgements
This research was supported by the National Natural Science Foundation of China (No. 60873247), the High-tech self-innovation project of Shandong Province (No. 2008ZZ28), the Natural Science Foundation of Shandong Province of China (No. ZR2009GZ007) and the S&T plan projects of Shandong Provincial Department of Education (No. J09LG52).
References
[1] Zhang Jian Xun, Gu ZhiMin. Survey of research progress on cloud computing. Application Research of Computers, 2010, 27(2): 429-433.
[2] FENG DengGuo, ZHANG Min, ZHANG Yan, XU Zhen. Study on Cloud Computing Security. Journal of Software, 2011, 22(1): 71-83.
[3] Michael Armbrust, Armando Fox, Rean Griffith. Above the Clouds: A Berkeley View of Cloud Computing. 2009, 2. EECS Department, University of California, Berkeley, Technical Report No. UCB/EECS-2009-28. http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.pdf.
[4] Sun Qiang, Han Youtao, Dong Yuxin. Research on a Quantitative Information Security Risk Assessment Model. Journal of Computer Research and Development, 2006, 43: 594-598.
[5] FENG Deng-guo, ZHANG Yang, ZHANG Yu-qing. Survey of information security risk assessment. Journal of China Institute of Communications, 2004, 7(25): 10-18.
[6] Bryson N, Joseph A. Generating consensus priority interval vectors for group decision making in the AHP. Journal of Multi-Criteria Decision Analysis, 2000, 9(4): 127-137.
[7] Kassar M, Kervella B. An overview of vertical handover decision strategies in heterogeneous wireless networks. Computer Communications 31, 2607-2620 (2008).
[8] Frair L, Matson J O, Matson J E. An undergraduate curriculum evaluation with the Analytic Hierarchy Process. IEEE Explore, 1998(3): 992-997.
[9] Xu Z S, Wei C P. A consistency improving method in the Analytic Hierarchy Process. European Journal Operational Research, 1999, 116(2): 443-449.
[10] Saaty T L, Alexander J M. Thinking with Models[M]. New York: Pergamon Press, 1981.
[11] WANG LianFen, XU ShuBo. The theory of analytic hierarchy process. Beijing: China Renmin University Press, 1989. 11~260 (in Chinese).
[12] LI Zhan, ZHOU Shiguo, WANG Ke. A Method for Constructing Perfectly Consistent Judgement Matrix in AHP. Zhengzhou Univ. (Nat. Sci. Ed.), 2008, 3(40): 41-46.