Is Security Realistic in Cloud Computing?

Cloud computing is rapidly emerging as an attractive IT option for businesses. As a concept cloud computing is well received because of the benefits it offers but many users are not clear about the scope of security in cloud computing. Many surveys point out that security in the cloud remains the top concern for many businesses in their decision making consideration in spite of the cost advantages it offers. In order to identify the security concerns we analyzed over 50 research articles and industry white papers published over the past five years. In this paper we focus on the question “Is security realistic in cloud computing?” In presenting the justification that it is possible to expect adequate security features in the cloud we address several related issues. In this context we first briefly describe the three types of cloud services – SaaS, PaaS and IaaS. Then we focus on the security aspects that businesses must pay attention to in order to succeed. Next, we consider the importance of trust in the service providers and how they could build customer trust in their services. This discussion leads to service reliability in the cloud and what the cloud providers have learned from cloud outages in order to build trust. Also, we highlight how the security features offered in the cloud support compliance requirements. We conclude the paper with some relevant information on the legal aspects related to cloud computing

Conservation of Limited Resources: Design Principles for Security and Usability on Mobile Devices

Mobile devices have evolved from an accessory to the primary computing device for an increasing portion of the general population. Not only is mobile the primary device, consumers on average have multiple Internet-connected devices. The trend towards mobile has resulted in a shift to “mobile-first” strategies for delivering information and services in business organizations, universities, and government agencies. Though principles for good security design exist, those principles were formulated based upon the traditional workstation configuration instead of the mobile platform. Security design needs to follow the shift to a “mobile-first” emphasis to ensure the usability of the security interface. The mobile platform has constraints on resources that can adversely impact the usability of security. This research sought to identify design principles for usable security for mobile devices that address the constraints of the mobile platform. Security and usability have been seen as mutually exclusive. To accurately identify design principles, the relationship between principles for good security design and usability design must be understood. The constraints for the mobile environment must also be identified, and then evaluated for their impact on the interaction of a consumer with a security interface. To understand how the application of the proposed mobile security design principles is perceived by users, an artifact was built to instantiate the principles. Through a series of guided interactions, the importance of proposed design principles was measured in a simulation, in human-computer interaction, and in user perception. The measures showed a resounding difference between the usability of the same security design delivered on mobile vs. workstation platform. It also reveals that acknowledging the constraints of an environment and compensating for the constraints yields mobile security that is both usable and secure. Finally, the hidden cost of security design choices that distract the user from the surrounding environment were examined from both the security perspective and public safety perspective

Raclouds: modelo para análise de risco em clouds no contexto de ativos de informações

Tese (doutorado) - Universidade Federal de Santa Catarina, Centro Tecnológico, Programa de Pós-Graduação em Ciência da Computação, Florianópolis, 2015.A computação em nuvem oferece benefícios em termos de disponibilidade e custo, porém afasta a gerência de segurança da informação do cliente da nuvem, transferindo-a para o provedor de serviços em nuvem. Com isto, o cliente perde o controle sobre a segurança de suas informações e serviços. Este fator tem desmotivado a migração para a computação em nuvem entre muitos clientes em potencial. Os esforços atualmente empreendidos para segurança da informação em nuvem são em sua maioria gerenciados pelo próprio provedor de serviços em nuvem, deixando o cliente novamente à margem da gerência de segurança de suas próprias informações e serviços. A análise de risco é uma importante ferramenta de gerenciamento de segurança da informação, que permite identificar as principais vulnerabilidades, ameaças e impactos em um ambiente de tecnologia da informação. Esta tese de doutorado apresenta um modelo de análise de risco para ambientes de computação em nuvem, no qual o provedor dos serviços de nuvem não seja o único responsável por todas as etapas da análise de risco. No modelo proposto o cliente da nuvem poderá realizar análises de risco em seu provedor de nuvem de modo abrangente, aderente e independente. O modelo proposto estabelece responsabilidades compartilhadas entre três entidades: Cliente, Provedor e Laboratório de Segurança, além de propor uma linguagem para representação do risco e um modelo para correlação entre os elementos integrantes da análise de risco (ameaças, vulnerabilidades e ativos de informação). A inclusão do agente demoninado de Laboratório de Segurança oferece mais credibilidade à análise de risco, tornando os resultados mais consistentes para o cliente da nuvem. Para realização de experimentos simulados foi desenvolvido um protótipo do modelo de análise de risco proposto, validando as características de abrangência, aderência e independência desejadas na análise de risco em nuvem.Abstract : Cloud computing offers benefits in terms of availability and cost, but away from the security management of the cloud customer information, transferring it to the cloud service provider. With this, the client loses control over the security of their information and services. This factor has discouraged migration to cloud computing among many potential customers. Efforts currently undertaken to cloud information security are mostly managed by own cloud services provider, leaving the client again on the margins of safety management of their own information and services. Risk analysis is an important information security management tool that enables you to identify the main vulnerabilities, threats and impacts in an information technology environment. This doctoral thesis presents a risk analysis model for cloud computing environments in which the provider of cloud services is not solely responsible for all risk analysis stages. In the model proposed the cloud customer can perform risk analysis on your cloud provider in a comprehensive way, bonded and independent. The proposed model establishes shared responsibilities among three entities: Customer, Provider and Security Laboratory, in addition to proposing a language for risk representation and a model to correlate the risk analysis integral elements (threats, vulnerabilities and information assets). The inclusion of the Security Laboratory agent provides more credibility to the risk analysis, making the most consistent results for the cloud customer. To perform simulated experiments it developed a prototype of the proposed risk analysis model, validating the completeness of features, grip and independence desired in cloud risk analysis

The role of transparency and trust in the selection of cloud service providers

PhD ThesisPotential customers started to adopt cloud computing because of the promised benefits such as the flexibility of resources and most importantly cost reduction. In spite of the benefits that could flow from its adoption, cloud computing brings new challenges associated with its potential lack of transparency, trust and loss of controls. In the shadow of these challenges, the number of cloud service providers in the marketplace is growing, making the comparison and selection process very difficult for potential customers and requiring methods for selecting trustworthy and transparent providers. This thesis discusses the existing tools, methods and frameworks that promote the adoption of cloud computing models, and the selection of trustworthy cloud service providers. A set of customer assurance requirements has been proposed as a basis for comparative evaluation, and is applied to several popular tools (Cloud Security Alliance Security, Trust, and Assurance Registry (CSA STAR), CloudTrust Protocol (CTP), Complete, Auditable, and Reportable Approach (C.A.RE) and Cloud Provider Transparency Scorecard (CPTS)). In addition, a questionnaire-based survey has been developed and launched where by respondents evaluate the extent to which these tools have been used, and assess their usefulness. The majority of respondents agreed on the importance of using the tools to assist migration to the cloud and, although most respondents have not used the tools, those who have used them reported them to be helpful. It has been noticed that there might be a relationship between a tool’s compliance to the proposed requirements and the popularity of using these tools, and these results should encourage cloud providers to address customers’ assurance requirements. Some previous studies have focused on comparing cloud providers based on trustworthiness measurement and others focused only on transparency measurement. In this thesis, a framework (called CloudAdvisor) is proposed that couples both of these features. CloudAdvisor aims to provide potential cloud customers with a way to assess trustworthiness based on the history of the cloud provider and to measure transparency based on the Cloud Controls Matrix (CCM) framework. The reason for choosing CCM is because it aims to promote transparency in cloud computing by adopting the best industry standards. The selection process is based on a set of assurance requirements that, if met by the cloud provider or if it has been considered in a tool, could bring assurance and confidence to cloud customers. Two possible approaches (Questionnaire-based and Simulation-based approach) are proposed in order to evaluate the CloudAdvisor framework.Ministry of Higher and Education in Saudi Arabi