2,554 research outputs found

    Security measurement as a trust in cloud computing service selection and monitoring

    With the increase in the number of cloud service offerings by the cloud service providers nowadays, selecting the appropriate service provider becomes difficult for customers. This is true since most of the cloud service providers offer almost similar services at different costs, thus making cloud service selection a tedious process for customers. The selection of the cloud services from the security standpoint needs a distinct consideration from both academia and industry. Security is an important factor in cloud computing. Thus, any exploited vulnerability will have a negative effect on cloud computing adoption by customers. Hence, little attention has been paid to cloud service monitoring and selection from a security perspective. To solve this issue, we propose a security measurement as a trust (SMaaT) in the cloud computing selection. Finally, we propose Analytical Hierarchical Process (AHP) for service selection from the customers’ perspective.

    An Integrated Framework for the Methodological Assurance of Security and Privacy in the Development and Operation of MultiCloud Applications

    x, 169 p. This Thesis studies research questions about how to design multiCloud applications taking into account security and privacy requirements to protect the system from potential risks and about how to decide which security and privacy protections to include in the system. In addition, solutions are needed to overcome the difficulties in assuring security and privacy properties defined at design time still hold all along the system life-cycle, from development to operation. In this Thesis an innovative DevOps integrated methodology and framework are presented, which help to rationalise and systematise security and privacy analyses in multiCloud to enable an informed decision-process for risk-cost balanced selection of the protections of the system components and the protections to request from Cloud Service Providers used. The focus of the work is on the Development phase of the analysis and creation of multiCloud applications. The main contributions of this Thesis for multiCloud applications are four: i) The integrated DevOps methodology for security and privacy assurance; and its integrating parts: ii) a security and privacy requirements modelling language, iii) a continuous risk assessment methodology and its complementary risk-based optimisation of defences, and iv) a Security and Privacy Service Level Agreement Composition method. The integrated DevOps methodology and its integrating Development methods have been validated in the case study of a real multiCloud application in the eHealth domain. The validation confirmed the feasibility and benefits of the solution with regards to the rationalisation and systematisation of security and privacy assurance in multiCloud systems.

    Security Certification As a Service Over Cloud

    Nowadays Cloud computing is the best solution for the IT industry, as the infrastructure and application services offerings are enabled on a subscription basis. Because of this, most of the enterprise level companies like Amazon, IBM, Google, and Microsoft are providing useful offerings to their customers as Cloud services. There are multiple criteria on the basis of which the customers may decide the appropriate cloud service provider, as there are many cloud service providers in the IT medium. Customers don't have any framework on which they can trust, so the idea is to design a framework which can enable trust between end customer and cloud service provider, along with ranking them according to different attacks like DDoS, brute force, file integrity etc. The framework or solution will be known as Third Party Auditor (TPA). DOI: 10.17762/ijritcc2321-8169.15074

    CID Survey Report Satellite Imagery and Associated Services used by the JRC. Current Status and Future Needs

    The Agriculture and Fisheries Unit (IPSC) together with the Informatics, Networks and Library Unit (ISD) has performed this inventory called the Community Image Data portal Survey (the CID Survey); 20 Actions from 4 different Institutes (ISD, IPSC, IES, and IHCP) were interviewed. The objectives of the survey were to make an inventory of existing satellite data and future requirements; to obtain an overview of how data is acquired, used and stored; to quantify human and financial resources engaged in this process; to quantify storage needs and to query the staff involved in image acquisition and management on their needs and ideas for improvements in view of defining a single JRC portal through which imaging requests could be addressed. Within the JRC there are (including 2006) more than 700 000 low resolution (LR) and 50 000 medium resolution (MR) images, with time series as far back as 1981 for the LR data. There are more than 10 000 high resolution (HR) images and over 500 000 km² of very high resolution (VHR) images. For the LR and MR data, cyclic global or continental coverage dominates, while the majority of HR and VHR data is acquired over Europe. The expected data purchase in the future (2007, 2008) is known, which enables good planning. Most purchases of VHR and HR data are made using the established FCs with common licensing terms. Otherwise multiple types of licensing govern data usage, which emphasizes the need for CID to establish adequate means of data access. The total amount of image data stored (2006 inclusive) is 55 TB, with an expected increase of 80% in 2 years. Most of the image data is stored on internal network storage inside the corporate network, which implies that the data is accessible from JRC, but difficulties arise when access is to be made by external users via Internet. 
In principle current storage capacity in the JRC could be enough, but available space is fragmented between Actions which therefore implies that a deficit in storage could arise. One solution to this issue is the sharing of a central storage service. Data reception is dominated by FTP data transfer which therefore requires reliable and fast Internet transfer bandwidth. High total volume for backup requires thorough definition of backup strategy. The user groups at JRC are heterogeneous which places requirements on CID to provide flexible authentication mechanisms. There is a requirement for a detailed analysis of all metadata standards needed for reference in a catalogue. There is a priority interest for such Catalogue Service and also for a centralized storage. The services to implement for data hosted on central storage should be WCS, WMS, file system access. During the analysis of the results mentioned above, some major areas could be identified as a base for common services to be provided to interested Actions, such as: provision of a centralized data storage facility with file serving functionality including authentication service, image catalogue services, data visualization and dissemination services. Specialized data services that require highly customized functionality with respect to certain properties of the different image types will usually remain the sole responsibility of the individual Actions. An orthorectification service for semi-automated orthorectification of HR and VHR data will be provided to certain Actions. At the end of the report some priorities and an implementation schedule for the Community Image Data portal (CID) are given.

    Analysis of Cloud Security Controls in AWS, Azure, and Google Cloud

    This research paper aims at solving the gap of information related to cloud security alliance top twenty critical controls by reviewing the controls against the major cloud providers. Most organizations are adopting cloud for their business-critical applications. To make it secure, they need to understand the security controls they have access to and how they can perform cloud audits to assure the organization is secure in the cloud environment and compliant. To counter this predicament, Information technology professionals need to review the cloud security measures in AWS, Google Cloud, Azure against CIS top 20 controls, which will help security professionals identify the right cloud vendor for their business needs. This paper provides additional information to the reader who wants to understand the role of security controls in cloud environment and how they address the cloud security risk. Cloud users, cloud architects and cloud consumers will be able to understand how various cloud providers offer tools which assist in maintaining the security controls. This research paper provides the base layer information and will help future research in cloud security controls.

    Optimization and Regulation of Performance for Computing Systems

    The current demands of computing applications, the advent of technological advances related to hardware and software, the contractual relationship between users and cloud service providers and current ecological demands, require the refinement of performance regulation on computing systems. Powerful mathematical tools such as control systems theory, discrete event systems (DES) and randomized algorithms (RAs) have offered improvements in efficiency and performance in computer scenarios where the traditional approach has been the application of well founded common sense and heuristics. The comprehensive concept of computing systems is equally related to a microprocessor unit, a set of microprocessor units in a server, a set of servers interconnected in a data center or even a network of data centers forming a cloud of virtual resources. In this dissertation, we explore theoretical approaches in order to optimize and regulate performance measures in different computing systems. In several cases, such as cloud services, this optimization would allow the fair negotiation of service level agreements (SLAs) between a user and a cloud service provider, that may be objectively measured for the benefit of both negotiators. Although DES are known to be suitable for modeling computing systems, we still find that traditional control theory approaches, such as passivity analysis, may offer solutions that are worth being explored. Moreover, as the size of the problem increases, so does its complexity. RAs offer good alternatives to make decisions on the design of the solutions of such complex problems based on given values of confidence and accuracy. 
In this dissertation, we propose the development of: a) a methodology to optimize performance on a many-core processor system, b) a methodology to optimize and regulate performance on a multitier server, c) some corrections to a previously proposed passivity analysis of a market-oriented cloud model, and d) a decentralized methodology to optimize cloud performance. In all the aforementioned systems, we are interested in developing optimization methods strongly supported on DES theory, specifically Infinitesimal Perturbation Analysis (IPA) and RAs based on sample complexity to guarantee that these computing systems will satisfy the required optimal performance on the average.

    Value focused assessment of cyber risks to gain benefits from security investments

    Doctorate in Management. With the multiplication of technological devices and their multiple complex interactions, the cyber risks keep increasing. Supervision entities establish new compliance requirements to force organizations to manage cyber risks. Despite these growing threats and requirements, decisions in cyber risk minimization continue not to be accepted by stakeholders and the business benefits of security investments remain unnoticed to top management. 
This research analyzes the cyber risk management lifecycle by identifying cyber risk mitigation objectives captured from subject matter experts, prioritizing those objectives in a cyber risk management decision model to help risk managers in the decision process by taking into account multiple real scenarios, developing the baseline of cyber risk management principles to form a cyber risk strategy applicable and adaptable to current organizations and finally evaluating the business benefits of security investments to mitigate cyber risks in a continuous improvement approach. Two theoretical frameworks are combined to address the full cyber risk management lifecycle: value focused thinking guides the decision process and benefits management ensures that business benefits are realized during project implementation, after the decision is taken to invest in a security solution to mitigate cyber risk.