4 research outputs found

    Technical Report on Deploying a highly secured OpenStack Cloud Infrastructure using BradStack as a Case Study

    Cloud computing has emerged as a popular paradigm and an attractive model for providing a reliable distributed computing model. It is increasingly attracting huge attention both in academic research and industrial initiatives. Cloud deployments are paramount for institutions and organizations of all scales. The availability of a flexible, free open source cloud platform designed with no proprietary software and the ability of its integration with legacy systems and third-party applications are fundamental. OpenStack is a free and open-source software released under the terms of the Apache license with a fragmented and distributed architecture making it highly flexible. This project was initiated and aimed at designing a secured cloud infrastructure called BradStack, which is built on OpenStack in the Computing Laboratory at the University of Bradford. In this report, we present and discuss the steps required in deploying a secured BradStack multi-node cloud infrastructure and conducting penetration testing on OpenStack services to validate the effectiveness of the security controls on the BradStack platform. This report serves as a practical guideline, focusing on security and practical infrastructure related issues. It also serves as a reference for institutions looking at the possibilities of implementing a secured cloud solution.
    Comment: 38 pages, 19 figures

    MEASURING AND INDICATING THE LEVEL OF INFORMATION SECURITY – AN ANALYSIS OF CURRENT APPROACHES

    In times of increasing digitalization of processes in companies, the topic of information security has become relevant for every industry. For this, a standardization of information security with normative standards such as ISO/IEC 27001:2022 has been established to define requirements and to assess at regular intervals the conformity of the management systems. However, practice shows that companies are fulfilling the requirements only at a minimum level and don’t have a real overview of their security level and the impact of existing risks. This paper evaluates how decision makers in companies currently interpret their security level using metrics. Regarding this, the relationship with effectiveness and conformity of their information security measures is shown and analyzed. Furthermore, in this paper a selection of the most commonly used practices and frameworks for measuring and certifying information security systems has been analyzed. The results of this research show that there is a need for an overall security perspective and include a proposal on how a structured approach should be defined.

    A Comparison between Business Process Management and Information Security Management

    Information Security Standards such as NIST SP 800-39 and ISO/IEC 27005:2011 are turning their scope towards business process security. And rightly so, as introducing an information security control into a business-processing environment is likely to affect business process flow, while redesigning a business process will most certainly have security implications. Hence, in this paper, we investigate the similarities and differences between Business Process Management (BPM) and Information Security Management (ISM), and explore the obstacles and opportunities for integrating the two concepts. We compare three levels of abstraction common for both approaches: top-level implementation strategies, organizational risk views & associated tasks, and domains. With some minor differences, the comparisons show that there is a strong similarity in the implementation strategies, organizational views and tasks of both methods. The domain comparison shows that ISM maps to the BPM domains; however, some of the BPM domains have only limited support in ISM.