A Goal-Driven Security Framework for Cloud Storage: A Preliminary Study


A Goal-Driven Security Framework for Cloud Storage: A Preliminary Study
Fara Yahya (fara.yahya@soton.ac.uk)
Electronic & Software Systems, Electronics & Computer Science, Faculty of Physical Sciences and Engineering, University of Southampton
Cyber Security 2016, 13th - 14th June 2016, London, United Kingdom

Outline: Introduction; Background; Preliminary Study; Results & Discussion; Conclusion & Future Work


Introduction

According to the Cisco Global Cloud Index, cloud storage users will store 1.6 gigabytes of data per month by 2019, compared to 992 megabytes of data per month in 2014.

[Figure: Cloud Storage Growth Per User, years 2014 to 2019 on the x-axis, exabytes on the y-axis; plotted values as extracted: 39, 33, 26, 21, 17, 14]

Regional Cloud Storage Users by 2019

| Region | Internet Users in Millions (% of Population) | Cloud Storage Users in Millions (% of Internet Users) |
|---|---|---|
| Asia Pacific | 2,022 (49%) | 1,176 (58%) |
| Central and Eastern Europe | 321 (66%) | 134 (42%) |
| Latin America | 355 (54%) | 141 (40%) |
| Middle East and Africa | 401 (25%) | 65 (16%) |
| North America | 311 (83%) | 257 (83%) |
| Western Europe | 341 (80%) | 272 (80%) |

Cloud Security Concerns

- Cloud-related malware
- Insufficient due diligence
- Malicious insiders
- Closure of cloud service
- Abuse of cloud service
- Data loss
- Natural disaster
- Insecure APIs
- Hardware failure
- Shared technology vulnerabilities
- Denial of service
- Account hijacking
- Data breach
- Inadequate cloud planning/design

CIANA, Threats and STRIDE

The slide relates the security properties (CIANA) to the cloud threats and to the STRIDE threat categories. The three columns as extracted (the row-level mapping between them is not recoverable from the transcription):

CIANA: Confidentiality; Integrity; Availability; Non-repudiation; Authenticity

Threats: Data Breaches; Data Loss; Account/Service Hijacking; Insecure APIs; Denial of Service; Malicious Insiders; Abuse of Cloud Service; Insufficient Due Diligence; Shared Technology Vulnerability; Hardware Failure; Natural Disaster; Closure of Cloud Service; Cloud-related Malware; Inadequate Cloud Planning/Design

STRIDE: Spoofing Identity; Tampering with Data; Repudiation; Information Disclosure; Denial of Service; Elevation of Privilege

Approach

- What are the cloud storage elements?
- What are the security concerns?
- What are the existing international industry standards, best practices and guidelines?

Preliminary study

A qualitative interview was carried out to explore the knowledge, opinions and values of individuals or groups who are experts in a particular field. A survey was then chosen to capture knowledge on cloud security from practitioners. Questionnaires are a data collection tool in which participants are asked to answer a set of predetermined questions.

Results of expert review

The semi-structured interviews were conducted with 20 security experts in Malaysia and the United Kingdom. The security experts have more than five years of experience in information security. The aim of the expert interview was to review the security components identified by the literature review and to explore other components.

Thematic Analysis

[Figure: thematic analysis of the expert interviews; content not recoverable from the transcription]

Results of practitioners survey

The quantitative data was collected using an online questionnaire, with a sample of 34 respondents. All of the respondents are security practitioners currently working in ICT, with at least two years' experience in information security. The aim of the survey was to confirm the components in the proposed framework together with the additional components obtained from the expert interviews.

Statistical Analysis

Tests applied to the survey data:

- Reliability test: Cronbach's alpha analysis
- Normality test: Shapiro-Wilk test, visual inspection of histograms, normal Q-Q plots, box plots, skewness and kurtosis
- Correlation test: Pearson correlation
- Parametric test: one-sample t-test

Reliability Statistics: Test of security components

| Component | Number of Items | Cronbach's alpha |
|---|---|---|
| Confidentiality | 2 | 0.720 |
| Integrity | 2 | 0.767 |
| Availability | 2 | 0.870 |
| Non-repudiation | 2 | 0.759 |
| Authenticity | 2 | 0.896 |
| Reliability | 2 | 0.878 |
| Accountability | 2 | 0.830 |
| Auditability | 2 | 0.980 |

Analysis of security components using one-sample t-testª

| Component | Item | Mean | t | Sig. (2-tailed) |
|---|---|---|---|---|
| Confidentiality | Co1 | 1.65 | -6.426 | <0.001** |
| | Co2 | 1.59 | -7.152 | <0.001** |
| Integrity | In1 | 1.79 | -4.504 | <0.001** |
| | In2 | 1.76 | -4.098 | <0.001** |
| Availability | Av1 | 1.62 | -5.393 | <0.001** |
| | Av2 | 1.76 | -4.217 | <0.001** |
| Non-repudiation | Nr1 | 1.94 | -3.545 | <0.002** |
| | Nr2 | 1.82 | -4.537 | <0.001** |
| Authenticity | At1 | 1.79 | -4.504 | <0.001** |
| | At2 | 1.68 | -5.698 | <0.001** |
| Reliability | Re1 | 1.88 | -4.265 | <0.001** |
| | Re2 | 1.85 | -5.386 | <0.001** |
| Accountability | Ac1 | 1.88 | -4.095 | <0.001** |
| | Ac2 | 1.74 | -4.400 | <0.001** |
| Auditability | Au1 | 1.82 | -5.206 | <0.001** |
| | Au2 | 1.88 | -4.682 | <0.001** |

ª df = 33
** p < 0.0031
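The two statistics the slide reports per component, Cronbach's alpha for the item pair and a one-sample t-test per item, worked through in plain Python. This is an added example, not the study's code or data: the 34 responses per item are constructed, and it assumes a 5-point scale with 1 = strongly agree and a test value of 3 (the neutral midpoint), neither of which the slide states. The second component is built with two deliberately contradictory items so that the negative alpha a reviewer should watch for actually appears.

```python
"""Cronbach's alpha and one-sample t-tests on Likert survey items.

Added example; it is not the study's code and the responses are constructed.
ASSUMPTIONS: a 5-point scale where 1 = strongly agree and 5 = strongly
disagree, and a test value of 3 (the neutral midpoint) for the t-test.
"""
import math

TEST_VALUE = 3  # assumed neutral midpoint of the scale


def sample_variance(xs):
    """Unbiased (n - 1) sample variance."""
    n = len(xs)
    mean = sum(xs) / n
    return sum((x - mean) ** 2 for x in xs) / (n - 1)


def cronbach_alpha(items):
    """Internal consistency of a component measured by several items.

    items: one list of responses per item, aligned by respondent.
    alpha = k/(k-1) * (1 - sum(var_item) / var(total score))
    """
    k = len(items)
    if k < 2:
        raise ValueError("Cronbach's alpha needs at least two items")
    n = len(items[0])
    if any(len(it) != n for it in items):
        raise ValueError("every item needs one response per respondent")
    totals = [sum(it[i] for it in items) for i in range(n)]
    item_var = sum(sample_variance(it) for it in items)
    return (k / (k - 1)) * (1 - item_var / sample_variance(totals))


def one_sample_t(xs, mu=TEST_VALUE):
    """Return (mean, t, df) for H0: the item's population mean equals mu.

    t = (mean - mu) / (sd / sqrt(n)); a strongly negative t on this scale
    means respondents agree the component belongs in the framework.
    """
    n = len(xs)
    mean = sum(xs) / n
    se = math.sqrt(sample_variance(xs) / n)
    return mean, (mean - mu) / se, n - 1


# Constructed responses: 34 respondents, two items per component (not the study's data).
RESPONSES = {
    "Confidentiality": {
        "Co1": [1] * 17 + [2] * 17,
        "Co2": [1] * 15 + [2] * 17 + [3] * 2,
    },
    # Two items whose answers move in opposite directions: alpha goes negative,
    # which is the signal that the pair does not measure one construct.
    "Availability": {
        "Av1": [1] * 10 + [2] * 20 + [3] * 4,
        "Av2": [3] * 4 + [2] * 20 + [1] * 10,
    },
}


def analyse(responses):
    """Return one dict per item: component, item, alpha, mean, t, df."""
    rows = []
    for component, items in responses.items():
        alpha = cronbach_alpha(list(items.values()))
        for name, xs in items.items():
            mean, t, df = one_sample_t(xs)
            rows.append({"component": component, "item": name,
                         "alpha": alpha, "mean": mean, "t": t, "df": df})
    return rows


if __name__ == "__main__":
    print(f"{'Component':16}{'Item':6}{'alpha':>8}{'Mean':>7}{'t':>10}{'df':>4}")
    for r in analyse(RESPONSES):
        print(f"{r['component']:16}{r['item']:6}{r['alpha']:8.3f}"
              f"{r['mean']:7.2f}{r['t']:10.3f}{r['df']:4d}")
```

With df = 33 the t value is compared against the critical value for the slide's corrected threshold (p < 0.0031) from a t-table, or converted to a p-value with `scipy.stats.t.sf` if SciPy is available; the block stays dependency-free so the formulas themselves are visible. Alpha below the usual 0.7 rule of thumb, and certainly a negative alpha as in the constructed Availability pair, means the items should be reworded or dropped before their means are interpreted.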

Discussion

All the components proposed, both those based on existing studies and those suggested in the expert review, were found statistically significant. Confidentiality and Availability received the strongest consensus. This shows that although security protections are important, the availability of the service and the accessibility of data in the cloud are considered equally important.


Conclusion

A security framework to protect data in cloud storage is proposed, based on security components and threats in the cloud.

- Literature synthesis identified six security components.
- To review these components, expert reviews with security experts from the UK and Malaysia were conducted.
- The experts confirmed the identified components and suggested two additional components.
- These components were confirmed via the questionnaire survey.

Future Work

An instrument to measure how closely an organisation follows the cloud storage security framework will be developed, based on the goal-driven components identified and confirmed in this study. The instrument is developed using the Goal-Question-Metrics (GQM) approach. It is a self-assessment tool and has so far received 161 responses from IT security managers in Malaysia.
