439 research outputs found

    Information security management in cloud computing:a case study

    Abstract. Organizations are quickly adopting cloud computing in their daily operations. As a result, spending on cloud security solutions is increasing as security threats shift toward the cloud. Information security is a constant race against evolving security threats, and it also needs to advance in order to accommodate the adoption of cloud computing. The aim of this thesis is to investigate the topics and issues related to information security management in cloud computing environments. Related information security management issues include risk management, security technology selection, security investment decision-making, employees' security policy compliance, security policy development, and security training. By interviewing three different types of actors (normal employees, IT security specialists, and security managers) in a large ICT-oriented company, this study attempts to obtain different viewpoints on the introduced issues and to provide suggestions on how to improve information security management in cloud computing environments. This study contributes to the community by attempting to give a holistic perspective on information security management in the specific setting of cloud computing. Results of the research illustrate how investment decisions directly affect all other covered topics, which in turn have an effect on one another, forming effective information security

    Development of Security Risk Measurement Model within Misuse Cases and BPMN

    The most important task of every organisation is to protect its assets. Since no system can be made completely secure, companies apply various controls to protect their assets against different threats. Risk analysis is an important step in ensuring the security of information systems (IS), and various IS risk analysis methods have been developed to date, but they mainly give general guidelines for estimating risk. This document, however, addresses the problem of how to measure risk illustrated with the help of modelling languages. For that, two modelling languages have been chosen: misuse cases and the business process modelling language (BPMN). Practical experience shows that the same vulnerability-related events occur periodically and that the associated security risks are not mitigated afterwards. This is because the repeated exploitation of vulnerabilities and the different levels of risk are not visible and losses are not measured, so the problems accompanying vulnerabilities are considered less important. Without knowing how much damage a single security event does, management cannot decide whether or not to mitigate the risk. If risks were measured and their values were visible, it would be easier to make the right decisions about mitigating them. The aim of this work is to help organisation managers understand how serious security-related risks are, by visualising metrics and presenting risk calculations. To do this in modelling languages as well, the risk-related cases must first be visualised. Only then can the severity of security-related cases be measured. At the time of writing, no model exists that can visualise the measurement together with the case itself. As the result of this work, a measurement model is developed within the bounds of misuse case and business process modelling language diagrams.
    These models facilitate the evaluation of overall risk by dividing the risk into sub-components and separately measuring asset value, threat potentiality and vulnerability. They also give information about the cost of risks and show the benefit of implementing countermeasures. This means that the risk metric and its severity are immediately visible. This helps the security specialist decide whether or not investing in the mitigation of a particular security risk is reasonable. It should also give a clear picture of the company's losses if risks are exploited, and help in understanding whether that is a significant loss or not. The two models are developed using both theoretical and empirical data, so the security risk measurement models provide a solution to the problem of how to calculate risks taken from the real world, using misuse cases and the business process modelling language. In addition, existing assessment methods and standards are studied together with various modelling languages, and the work uses examples from one operating organisation. After the models have been developed, they are also applied in order to study the visibility of the proposed metrics. During validation the two models are compared to find out which of them gives a better overview of the implemented metrics.

    One of the most important tasks of any organization is to secure its assets. Since no system can be made completely secure, in order to prevent security flaws, companies apply controls to safeguard their assets from different threats. Therefore, risk analysis is an important step in the management of information systems security (ISS). Today various ISS risk analysis methods have been developed, but they mainly provide general guidelines to estimate the risk. The problem addressed in the thesis is how to measure the risk, illustrated with the help of modeling languages. For that, two modeling languages were chosen: misuse cases and BPMN.
    This is a problem because we can see from practical experience that the same security events happen periodically, but the security risks are not treated. This may occur either because people do not see the repeated exploitation of vulnerabilities, or because the risk level and losses are not measured, so the problems are considered of lesser importance. Without knowing exactly how much damage a security event causes, management is not able to decide whether the risk should be fixed or not. If a risk is measured and its values are visible, it is easier to make a proper decision about risk mitigation. Our goal is to help people understand the severity of security risks by visualizing the metrics and calculations of a risk. For that, a visualization of threat cases is needed in modeling languages. Then the security cases need to be measured. Today there is no existing model that can visualize the measurement together with the case itself. The contribution of this thesis is the development of a measurement model within misuse case and BPMN diagrams. These models facilitate the evaluation of an overall risk by dividing the risk into sub-components and individually measuring the asset value, the potentiality of the threat, and the level of vulnerability. They also give information about the cost and benefit of implementing countermeasures. This means that the metrics and the severity of a risk are visible straight away. This helps the security specialist decide whether the investment into fixing a particular security flaw is reasonable or not. It should give a clear picture of the company's losses from the exploitation of a risk and make it easier to understand whether it is a substantial loss or not. Two models are developed using both theoretical and empirical data. Existing assessment approaches and standards, together with different modeling languages, are studied. At the same time, cases from a working organization are taken.
    The two models are developed and applied to investigate the visibility of the proposed metrics. The developed security risk measurement models give a solution for how to calculate the risks taken from a real-world example using misuse cases and BPMN. During validation we tested our two models to see which of them gives better visibility of the metrics introduced.

    Cloud computing management using security criteria

    Advisor: Paulo Lício de Geus. Thesis (doctorate) - Universidade Estadual de Campinas, Instituto de Computação.
    Abstract: Cloud computing has introduced new technologies and architectures, changing enterprise computing. Currently, a large number of organizations choose to use traditional computing architectures because they consider this technology unreliable, owing to unresolved problems related to security and privacy. In particular, when contracting a service in the cloud, an important aspect is how security policies will be applied in this environment, which is characterized by virtualization and large-scale multi-tenant services. Security metrics can be seen as tools for providing information about the state of the environment. With the goal of improving security in cloud computing, this work presents a methodology for cloud computing management using security as a criterion, through an architecture for security monitoring based on security service level agreements (Security-SLA) for IaaS, PaaS and SaaS services, which uses security metrics.
    Abstract: Cloud Computing has introduced new technology and architectures that changed enterprise computing. Currently, a large number of organizations choose to stick to traditional architectures, since this technology is considered unreliable due to yet unsolved problems related to security and privacy. In particular, when hiring a service in the cloud, an important aspect is how security policies will be applied in this environment, characterized by both virtualization and large-scale multi-tenancy service. Security metrics can be seen as tools to provide information about the status of the environment. Aimed at improving security in Cloud Computing, this work presents a methodology for Cloud Computing management using security as a criterion, across an architecture for security monitoring based on Security-SLA for IaaS, PaaS and SaaS services using security metrics.
    Doctorate; Computer Science; Doutor em Ciência da Computação; 23/200.308/2009; FUNDEC

    Risk Management in Environment, Production and Economy

    The term "risk" is very often associated with negative meanings. However, in most cases, many opportunities present themselves to deal with the events and to develop new solutions that can convert a possible danger into an unforeseen, positive event. This book is a structured collection of papers dealing with the subject and stressing the importance of a relevant issue such as risk management. The aim is to present the problem in various fields of application of risk management theories, highlighting the approaches that can be found in the literature.

    Information Security and Knowledge Management: Solutions Through Analogies?

    Information Security Management and Knowledge Management show a couple of intriguing similarities. This paper identifies some of these similarities and highlights abstract problems arising from them in both areas. Those analogies motivate a search for possibilities to transfer solutions from one area to the other.

    Automation of the harmonization, analysis and evaluation of information security requirements

    The growing use of Information Technology (IT) in the daily operations of enterprises requires an ever-increasing level of protection of an organization's assets and information from unauthorised access, data leakage or any other type of information security breach. Because of that, it becomes vital to ensure the necessary level of protection. One of the best ways to achieve this goal is to implement the controls defined in information security documents. The problems faced by different organizations are related to the fact that organizations are often required to be aligned with multiple information security documents and their requirements. Currently, the protection of an organization's assets and information is based on the information security specialist's knowledge, skills and experience. The lack of automated tools for the harmonization, analysis and visualization of multiple information security documents and their requirements leads to a situation in which information security is implemented by organizations in ineffective ways, causing duplication of controls or an increased cost of security implementation. An automated approach for the analysis, mapping and visualization of information security documents would contribute to solving this issue. The dissertation consists of an introduction, three main chapters and general conclusions. The first chapter introduces existing information security regulatory documents, current harmonization techniques, methods for evaluating the cost of information security implementation, and ways to analyse information security requirements by applying graph theory optimisation algorithms (vertex cover and graph isomorphism). The second chapter proposes ways to evaluate information security implementation and its costs through a controls-based approach. The effectiveness of this method could be improved by implementing automated initial data gathering from business process diagrams.
    In the third chapter, adaptive mapping on the basis of a security ontology is introduced for the harmonization of different security documents; such an approach also allows visualization techniques to be applied to the presentation of harmonization results. Graph optimization algorithms (the vertex cover algorithm and the graph isomorphism algorithm) were proposed for Minimum Security Baseline identification and for verification of the achieved results against controls implemented in small and medium-sized enterprises. It was concluded that the proposed methods provide sufficient data for the adjustment and verification of security controls applicable under multiple information security documents.
    Dissertatio