A Goal- Driven Security Framework for Cloud Storage: A Preliminary Study

Transcription

1 A Goal- Driven Security Framework for Cloud Storage: A Preliminary Study Fara Yahya [email protected] Electronic & Software Systems Electronics & Computer Science Faculty of Physical Sciences and Engineering University of Southampton (Cyber Security 2016), 13th - 14th June 2016, London United Kingdom

2 Introduction Background Preliminary Study Results & Discussion Conclusion & Future Work 2

3 3

4 Introduction According to Cisco Global Cloud Index, cloud storage users will store 1.6 Gigabytes data per month by 2019, compared to 992 megabytes data per month in Exabyte Year Cloud Storage Growth Per User Regional Cloud Storage Users by 2019 Region Internet Users in Millions (% of Population) Cloud Storage Users in Millions (% of Internet Users) Asia Pacific 2,022 (49%) 1,176 (58%) Central and Eastern Europe 321 (66%) 134 (42%) Latin America 355 (54%) 141 (40%) Middle East and Africa 401 (25%) 65 (16%) North America 311 (83%) 257 (83%) Western Europe 341 (80%) 272 (80%) 4

5 Cloud Security Concerns Cloud-related malware Insufficient due diligence Malicious Insiders Closure of Cloud Service Abuse of Cloud Service Data Loss Natural Disaster Insecure APIs Hardware failure Shared Technologies Vulnerabilities Denial of Service Account Hijacking Data Breach Inadequate Cloud Planning/Design 5

6 CIANA Threats STRIDE Confidentiality Integrity Data Breaches Data Loss Account/Service Hijacking Insecure APIs Denial of Service Spoofing Identity Tampering with Data Availability Non-repudiation Authenticity Malicious Insiders Abuse of Cloud Service Insufficient Due Diligence Shared Technology Vulnerability Hardware Failure Natural Disaster Closure of Cloud Service Cloud-related Malware Inadequate Cloud Planning/Design Repudiation Information Disclosure Denial of Service Elevation of Privilege 6

7 Approach What are the cloud storage elements? What are the security concerns? What are the existing international industry standards, best practices & guidelines? 7

8 Preliminary study A qualitative interview was carried out to explore the knowledge, opinions and values of individuals or groups who are experts in a particular field of knowledge. A survey was chosen to collect information to capture knowledge on cloud security. Questionnaires are data collection tool in which participants are requested to answer various predetermined questions. 8

9 Results of expert review The semi-structured interviews were conducted with 20 security experts in Malaysia and the United Kingdom. The security experts have more than five years of experience in information security. The aim of the expert interview was to review the security components identified by the literature review and to explore other components. 9

10 Thematic Analysis 10

11 Results of practitioners survey The quantitative data was collected using an online questionnaire. Overall, 34 were taken as the sample. All of the respondents are security practitioners, currently working in ICT and have at least two years experience in information security. The aim of the survey was to confirm the components in the proposed framework and other components obtained from the expert interviews. 11

12 Statistical Analysis Reliability Statistics Test of security components Components Number of Items Cronbach s alpha Value Reliability test Cronbach s alpha analysis Normality test A Shapiro-Wilk test, visual inspection of histograms, normal Q-Q plots, box plots, skewness and kurtosis Correlation test Pearson correlation Parametric test One sample t-test Confidentiality Integrity Availability Non-repudiation Authenticity Reliability Accountability Auditability Analysis of security components using one sample t-testª Component Mean t Sig. (2- tailed) Confidentiality Co <0.001** Co <0.001** Integrity In <0.001** In <0.001** Availability Av <0.001** Av <0.001** Non- repudiation Nr <0.002** Nr <0.001** Authenticity At <0.001** At <0.001** Reliability Re <0.001** Re <0.001** Accountability Ac <0.001** Ac <0.001** Auditability Au <0.001** ª df =33 ** p< Au <0.001** 12

13 Discussion All the components proposed, based on existing studies and suggested in the expert review, were deemed statistically significant. Confidentiality and Availability received the strongest consensus. This shows that although security protections are important, the availability of service and accessibility of data in the cloud is considered important too. 13

14 14

15 Conclusion A security framework to protect data in cloud storage is proposed based on security components and threats in the cloud. Literature syntheses identified six security components To review these components, expert reviews with security experts from UK and Malaysia was conducted Experts confirmed the identified components and mentioned two additional These components were confirmed via the questionnaire survey 15

16 Future Work An instrument to measure how much does an organisation follow the cloud storage security framework will be developed based on the goal-driven components identified and confirmed in this study The instrument is developed using Goal-Question- Metrics (GQM) approach. The instrument is a selfassessment tool, currently receiving 161 responses from IT security managers in Malaysia 16

17 17