Improvement of the Shared and Comprehensive Tool for Cloud Computing Security Risk Assessment

Saadia Drissi, Siham Benhadou and Hicham Medromi
Systems Architecture Team, National High School of Electricity and Mechanics (ENSEM), University Hassan II, 8118 Casablanca, Morocco
[email protected], [email protected], [email protected]

Abstract— Major studies view the problem of risk assessment regarding cloud computing as one of the open research questions in the literature. Adapting current risk assessment tools to cloud computing is a difficult task, because several characteristics of the cloud challenge the effectiveness of existing risk assessment approaches. Recently, several risk assessment methodologies, models and initiatives based on information security have been proposed to assess risk for cloud computing. Facing this complexity, we have proposed a new shared and comprehensive risk assessment tool. In this paper, we improve the proposed tool so that it becomes a more efficient risk assessment tool.

Keywords— cloud computing; security risk assessment; shared; comprehensive; autonomous; collaborative

I. INTRODUCTION

Major studies view the problem of risk assessment regarding cloud computing as one of the open research questions in the literature. The risk assessment methods have been classified into five categories: assessment as a service, quantitative, qualitative, semi-quantitative, hierarchical, graph analysis and security matrix assessment. In addition to the reviewed risk assessment methods, the CSA and ENISA lead a number of ongoing research initiatives. Despite all these methodologies, frameworks and initiatives, no complete and concise methodology currently exists for analyzing and evaluating the security risks of cloud-based solutions. Cloud-specific threats, vulnerabilities and risks have already been identified or assessed by numerous sources, but it remains unclear how to assess risks based on Information Risk Management frameworks or methods in the context of the cloud. Adapting current risk assessment tools to cloud computing is a difficult task because several characteristics of the cloud challenge the effectiveness of risk assessment approaches. Recently, several risk assessment frameworks, methodologies and models based on information security have been proposed to assess risk for cloud computing. Thus the adoption of cloud solutions in a number of industries remains stalled.

Most studies view the problem of assessing security risks from either the cloud customer's or the cloud provider's perspective. A comprehensive, shared, collaborative and intelligent risk assessment methodology that considers both the cloud customer and the cloud provider is needed. Such a shared assessment enables the cloud provider to prove how security risks have been managed and mitigated, and enables the cloud consumer to determine its risk tolerance and define its security requirements accordingly. The second section reviews related work, the third section gives an overview of the proposed risk assessment model, the fourth section presents the approach in detail and the last section provides a conclusion.

II. RELATED WORK

In this section we review the risk assessment approaches for cloud computing found in the literature: risk assessment as a service, quantitative, qualitative, trust matrix, hierarchical, graph-based and semi-quantitative. Security as a service (SecaaS) solutions have been presented to provide and support security assessments, in which a hosted cloud solution performs the assessments and stores the resulting data. Several tools for a number of security assessment areas have been implemented using the SecaaS delivery model [1], [2]. Under the SecaaS model, cloud consumers get the typical advantages of cloud computing, such as service on demand and scalability [3]. In [4], risk assessment as a service is presented as a new paradigm for measuring real-time risk by one or more entities in the cloud. A cloud provider can perform continuous self-assessments as a best practice by assessing its own execution environment. However, this work has not implemented such a service; it offers it as a paradigm to be pursued. In [19], a new approach is proposed to deploy

Risk-Assessment-as-a-Service (RAaaS) for both the cloud clients and the cloud provider. In [6], a SEmi-quantitative BLO-driven Cloud Risk Assessment (SEBCRA) prioritizes and categorizes cloud risks according to their impact on the different Business Level Objectives (BLOs) of a given organization. The approach is designed for a Cloud Service Provider (CSP) to improve the achievement of a BLO, e.g. profit maximization, by managing, assessing and treating cloud risks. In an exemplary experiment, the risk assessment approach demonstrates that it enables a CSP to maximize its profit by transferring the risks of provisioning its private cloud to third-party providers of cloud infrastructures. However, a simple qualitative or quantitative analysis on its own leads to inaccurate and one-sided evaluation results. Therefore, several studies use an integrated method of qualitative and quantitative analysis to assess risk in the cloud environment [7], [8], [9], [10]. Graphs and mathematical models can be used to address and calculate security risk in clouds by simulating the attacker's possibilities. In [11], a mathematical model for threats is presented that takes communication into account in order to identify the security risk of individual entities and then calculates it for the whole enterprise. The model represents communications as a directed graph and then builds a matrix from which the risk is derived. Furthermore, in [12], a hybrid risk-analysis method based on decision tree analysis (quantitative) and a risk matrix (qualitative) is proposed for risk assessment. In this method, risk factors from the user's viewpoint are systematically extracted with the Risk Breakdown Structure (RBS) method and then analyzed and evaluated. A detailed countermeasure proposal is produced on the basis of these results.

The risk matrix method is used to classify risk into four kinds (Risk Avoidance, Risk Mitigation, Risk Acceptance and Risk Transference) according to the frequency of occurrence and the degree of incidence. In [13], a security risk assessment method based on an Analytic Hierarchy Process (AHP) model is introduced. The assessment is carried out using the principles of decomposition, pairwise comparison and synthesis of weights. The AHP therefore has three layers of decomposition: formulating the problem of assessing cloud security risk as a hierarchical structure is the first step. Then, in level two, 8 major factors were identified for the assessment. In level three, 39 factors were identified corresponding to the higher levels and to specific local conditions. The evaluation module uses the constructed AHP tree to assess the system with the help of a judgment matrix that is filled in by the cloud's experts. Finally, the weight vectors are calculated to obtain the final risk order. In [14], a hierarchical framework is built to analyze the risk and set the goal of the assessment. After that, an indicator system is built under each principle and sub-indicators are introduced for the assessment. For example, the first-level indicators could be the risk of the cloud computing platform, the risk of cloud storage, the risk of cloud security and so on. Secondary indicators of cloud platform risk could then be the risk of the operating system, the risk of application software and the risk of availability. In [15], a Trust Matrix is used for security risk analysis in cloud environments. Two variables, namely "data cost" and "provider's history", are considered. With "data cost", users can assign a cost to data based on the data's criticality, whereas "provider's history" holds the record of the past services provided by the provider to consumers. Additionally, the Cloud Control Matrix (CCM) has been released by the CSA as a baseline security control framework designed to help enterprises assess the risks associated with a cloud provider. The CCM includes a risk management domain to ensure that formal risk assessments are aligned with the enterprise-wide framework, are planned and scheduled at regular intervals, and determine the likelihood and impact of identified risks using qualitative and quantitative methods. Thereby it facilitates transparency and increases the level of trust between the cloud customer and the cloud provider, in order to make the cloud a secure environment for the future of business [16]. In [5], a quantitative risk and impact assessment framework (QUIRC) is introduced to assess six key categories of security objectives (SO), namely confidentiality, integrity, availability, multi-party trust, mutual auditability and usability, in a cloud computing platform. The impact is determined by Subject Matter Experts, who are knowledgeable about the impact of threats on their particular type of business. The European Network and Information Security Agency (ENISA) [6] has published a guide that allows an informed assessment of the security risks and benefits of using cloud computing. For the purposes of the risk assessment, a medium-sized company was used as a use case and the aim was to expose all possible information security risks. The risks identified in the assessment are classified into three categories: technical, legal, and policy and organizational issues.

Each risk is presented in a table which includes the probability level, the impact level, references to vulnerabilities, references to affected assets and the level of risk. The estimation of risk levels is based on ISO/IEC 27005.

III. ANALYSIS AND DESIGN OF CLOUD RISK ASSESSMENT MODEL

This paper presents a new risk assessment model for cloud computing environments. The proposed model changes the currently prevailing paradigm in research on cloud risk assessment, in which the cloud actor (CA) entity is responsible for the specification of security requirements and the analysis of these requirements in its own environment, by basing it on the decisions of expert intelligent agents (an intelligent, collaborative and transparent risk assessment model). To make risk assessment more transparent in the cloud computing environment, the proposed model includes two major entities

with active participation in risk assessment: the cloud actor and the risk manager. The major modules of the autonomous cloud risk assessment model (ACRAM) are: (a) identification of assets, (b) determination of vulnerabilities, (c) determination of threats, (d) identification of risks and (e) identification of measures, as shown in Fig. 1.

ACRAM provides web interfaces for the risk manager, to create the cloud organization environment, and for the cloud actors, to choose first their own security objectives and then to obtain an overview of their risks and of the vulnerabilities present in the cloud computing environment [21], [24].

Fig. 1. The architecture of cloud risk assessment model

A. Identification of assets

This first process is composed of four tasks, each with its specific functionality; their major functionality is to define the context of the cloud computing environment (asset values), in which each cloud actor can consult and define its security objectives. Output: list of assets with the associated asset value.

B. Determination of vulnerabilities

This second process is composed of four tasks, each with its specific functionality: the first defines all vulnerabilities in the cloud computing environment and the second decides the adequate corresponding protection measures and the vulnerability value. As a consequence, each cloud actor can consult the vulnerabilities present in the cloud environment. Afterwards, the vulnerability list can be generated automatically with the help of the fifth process. Output: list of vulnerabilities with the associated vulnerability value.

C. Determination of threats

This third process is composed of four tasks; their major functionality is to define, based on the expert agent, all threats corresponding to the assets and vulnerabilities present in the cloud computing environment, so that each cloud actor can consult the threats present in the cloud environment. Output: list of the corresponding threats with the associated impact and probability of occurrence.

D. Identification of risks

The fourth process is composed of one task; its major functionality is to determine the corresponding risks and to calculate their risk values for the cloud organization and for all cloud actors in the cloud environment, with the specific calculation given below [26]:

$F(A) = \max(A_i) + 0.5(m_1 - 1) + 0.4(m_2 - 1) + 0.3(m_3 - 1) + 0.2(m_4 - 1) + 0.1(m_5 - 1)$    (1)
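As an added worked example (this is not the paper's code and not part of the ACRAM tool), the following Python models the asset, threat and risk flow of Section III and applies equation (1) to rank assets by risk value. Because the paper does not define the A_i or the m_k, the example assumes that each contributing risk A_i of an asset is an integer level from 1 to 5 (5 = most severe) derived from a threat's impact and probability, that m_k counts the contributing risks at the k-th level from the top (m_1 counts the level-5 risks, m_5 the level-1 risks), and that a level with no contributing risk adds nothing. The asset and threat data are constructed for illustration.

```python
"""Added example: per-asset risk value with equation (1) of the paper.

Assumptions (the paper leaves these undefined):
- each contributing risk A_i is an integer level 1..5, 5 = most severe;
- m_k counts the contributing risks at the k-th level from the top,
  so m_1 counts level-5 risks and m_5 counts level-1 risks;
- a level with no contributing risk contributes nothing.
"""
from dataclasses import dataclass, field
from math import ceil

# Weight applied to (m_k - 1), keyed by the risk level the count refers to.
# Level 5 (most severe) carries the paper's 0.5 weight (m_1), level 1 the 0.1 weight (m_5).
LEVEL_WEIGHTS = {5: 0.5, 4: 0.4, 3: 0.3, 2: 0.2, 1: 0.1}


@dataclass
class Threat:
    name: str
    impact: int        # 1..5, output of process C
    probability: int   # 1..5, output of process C


@dataclass
class Asset:
    name: str
    value: int         # asset value, output of process A
    threats: list = field(default_factory=list)


def threat_level(threat: Threat) -> int:
    """Map impact x probability (1..25) onto a 1..5 risk level (assumed mapping)."""
    for v in (threat.impact, threat.probability):
        if not 1 <= v <= 5:
            raise ValueError(f"impact/probability must be in 1..5, got {v}")
    return ceil(threat.impact * threat.probability / 5)


def risk_value(levels) -> float:
    """Equation (1): F(A) = max(A_i) + sum_k w_k * (m_k - 1) over the levels present."""
    if not levels:
        return 0.0
    for lvl in levels:
        if lvl not in LEVEL_WEIGHTS:
            raise ValueError(f"risk level must be in 1..5, got {lvl}")
    total = float(max(levels))                      # max(A_i)
    for lvl, weight in LEVEL_WEIGHTS.items():
        m_k = levels.count(lvl)                     # m_k for this level
        if m_k >= 1:                                # absent levels contribute nothing
            total += weight * (m_k - 1)
    return round(total, 2)


def assess(assets):
    """Process D: return (asset name, risk value) pairs, highest risk first."""
    results = [(a.name, risk_value([threat_level(t) for t in a.threats])) for a in assets]
    return sorted(results, key=lambda r: r[1], reverse=True)


# Constructed sample input for a small cloud organization.
SAMPLE_ASSETS = [
    Asset("customer database", 5, [
        Threat("data breach", impact=5, probability=5),       # level 5
        Threat("insider misuse", impact=4, probability=4),    # level 4
        Threat("ransomware", impact=5, probability=2),        # level 2
        Threat("misconfiguration", impact=3, probability=3),  # level 2
    ]),
    Asset("public website", 3, [
        Threat("DDoS", impact=3, probability=4),              # level 3
        Threat("defacement", impact=2, probability=3),        # level 2
    ]),
]

if __name__ == "__main__":
    for name, value in assess(SAMPLE_ASSETS):
        print(f"{name:20s} F(A) = {value}")
```

The two level-2 risks of the "customer database" asset illustrate the aggregation: the maximum level is 5, and the second level-2 entry adds 0.2 × (2 − 1), giving 5.2, while the single-entry levels add nothing.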


IV. EVALUATION OF RISK ASSESSMENT MODEL

TABLE I. EVALUATION OF THE PROPOSED RISK ASSESSMENT MODEL [20]
(Columns: Features, Current solutions, Our solution. Features compared: Support tool, Automation, Efficiency, Adaptability, Comprehensive, Shared with the different actors in CCE, Before and after cloud adoption, Collaboration. Cells take the values Yes, No or Not all.)

Generally, risk assessment methods take a long time and are processed slowly. In contrast to other methods, our method proposes a new comprehensive, collaborative, transparent and shared risk assessment method based on expert agents, with which we can assess risk before and after the adoption of cloud computing. Using the history of the risk assessment performed before cloud adoption can also help the risk manager to determine which assets may be attacked and all the vulnerabilities present in the cloud environment. Our model ensures fast assessment with the specific calculations given in equations (1) and (2). To increase the efficiency of the proposed risk assessment method, we will present the multi-agent system in our future work.

V. CONCLUSION AND FUTURE WORK

In this paper, the authors evaluated the proposed work through a comparison between the reviewed risk assessment methods and our proposed risk assessment model. Primordial improvements are also shown in the last part. As future work, the authors are working to benefit from the advantages of multi-agent systems in order to implement an autonomous cloud web service, and will show experimental results to demonstrate the effectiveness of the new approach. In addition, the authors will give primordial improvements of the proposed risk assessment method.

REFERENCES

[1] Free Security Assessment by Trend Micro.
[2] Security Assessment Tool: Security Risk Assessment for Cloud and Web, Cenzic Cloud.
[3] SecaaS Category 5: Security Assessments Implementation Guidance, Cloud Security Alliance, September 2012.
[4] Onwudebelu, U., Chukuka, B.: Will adoption of cloud computing put the enterprise at risk? In: 2012 IEEE 4th International Conference on Adaptive Science & Technology (ICAST), October 25-27, pp. 82–85 (2012).
[5] Assessment Framework for Cloud Security. In: Proceedings of the IEEE 3rd International Conference on Cloud Computing, 2010, pp. 280–288.
[6] Fito, J.O., Macias, M., Guitart, J.: Toward business-driven risk management for Cloud computing. In: 2010 International Conference on Network and Service Management (CNSM), October 25-29, pp. 238–241 (2010).
[7] Djemame, K., et al.: A Risk Assessment Framework and Software Toolkit for Cloud Service Ecosystems. In: Cloud Computing 2011, The Second International Conference on Cloud Computing, GRIDs, and Virtualization (2011).
[8] Peiyu, L., Dong, L.: The New Risk Assessment Model for Information System in Cloud Computing Environment. Procedia Engineering 15, pp. 3200–3204 (2011).
[9] Tanimoto, S., Hiramoto, M., Iwashita, M., Sato, H., Kanai, A.: Risk Management on the Security Problem in Cloud Computing. In: 2011 First ACIS/JNU International Conference on Computers, Networks, Systems and Industrial Engineering (CNSI), May 23-25, pp. 147–152 (2011).
[10] Fito, J.O., Macias, M., Guitart, J.: Toward business-driven risk management for Cloud computing. In: 2010 International Conference on Network and Service Management (CNSM), October 25-29, pp. 238–241 (2010).
[11] Tanimoto, S., Hiramoto, M., Iwashita, M., Sato, H., Kanai, A.: Risk Management on the Security Problem in Cloud Computing. In: 2011 First ACIS/JNU International Conference on Computers, Networks, Systems and Industrial Engineering (CNSI), May 23-25, pp. 147–152 (2011).
[12] Saripalli, P., Walters, B.: QUIRC: A Quantitative Impact and Risk Assessment Framework for Cloud Security. In: Proceedings of the IEEE 3rd International Conference on Cloud Computing, 2010, pp. 280–288.
[13] Leitold, F., Hadarics, K.: Measuring security risk in the cloud-enabled enterprise. In: 2012 7th International Conference on Malicious and Unwanted Software (MALWARE), October 16-18, pp. 62–66 (2012).
[14] Zhang, J., Sun, D., Zhai, D.: A research on the indicator system of Cloud Computing Security Risk Assessment. In: 2012 International Conference on Quality, Reliability, Risk, Maintenance, and Safety Engineering (ICQR2MSE), June 15-18, pp. 121–123 (2012).
[15] Chandran, S., Angepat, M.: Cloud Computing: Analyzing the risk involved in cloud computing environments. In: Proceedings of Natural Sciences and Engineering, Sweden, pp. 2–4 (2010).
[16] EBIOS, Central Directorate for Information Systems Security, Version 2010 website. [Online]. Available: http://www.ssi.gouv.fr.
[17] Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE), Carnegie Mellon Software Engineering Institute (1999).
[18] Method Harmonized Risk Analysis (MEHARI): Principles and mechanisms. CLUSIF, Issue 3, October 2004.
[19] Kaliski, B., Pauley, W.: Toward risk assessment as a service in cloud environments. In: Proc. of the 2nd USENIX Conference on Hot Topics in Cloud Computing (2010).
[20] Lichtenstein, S.: Factors in the selection of a risk assessment method. Information Management & Computer Security 4(4), pp. 20–25 (1996).
[21] Drissi, S., Benhadou, S., Medromi, H.: Toward a risk assessment model based on multi-agent system for cloud consumer. International Journal of Computer, Information, Systems and Control Engineering, Vol. 8, No. 6, 2014, pp. 903–907.
[22] Drissi, S., Medromi, H.: A new risk assessment approach for cloud consumer. Journal of Communication and Computer, 11 (2014), pp. 52–58.
[23] Drissi, S., Houmani, H., Medromi, H.: Survey: risk assessment for cloud computing. International Journal of Advanced Computer Science and Applications, Vol. 4, No. 12, 2013, pp. 143–148.
[24] Drissi, S., Benhadou, S., Medromi, H.: Design of Risk Assessment Model for Cloud Computing. Global Journal of Engineering Science and Researches (GJESR), 2015 (ISSN 2348-8034).
[25] Drissi, S., Benhadou, S., Medromi, H.: A New Collaborative Risk Assessment Model for Cloud Computing. Revue Méditerranéenne des Télécommunications, Vol. 5, No. 2, June 2015, pp. 137–141.
[26] Drissi, S., Benhadou, S., Medromi, H.: A new shared and comprehensive tool of cloud computing security assessment. In: Advances in Ubiquitous Networking, UNET 2015, Casablanca, Morocco, Springer, vol. 366, pp. 155–167.
