Security risk assessment in cloud computing domains

Cyber security is one of the primary concerns persistent across any computing platform. While addressing the apprehensions about security risks, an infinite amount of resources cannot be invested in mitigation measures since organizations operate under budgetary constraints. Therefore the task of performing security risk assessment is imperative to designing optimal mitigation measures, as it provides insight about the strengths and weaknesses of different assets affiliated to a computing platform. The objective of the research presented in this dissertation is to improve upon existing risk assessment frameworks and guidelines associated to different key assets of Cloud computing domains - infrastructure, applications, and users. The dissertation presents various informal approaches of performing security risk assessment which will help to identify the security risks confronted by the aforementioned assets, and utilize the results to carry out the required cost-benefit tradeoff analyses. This will be beneficial to organizations by aiding them in better comprehending the security risks their assets are exposed to and thereafter secure them by designing cost-optimal mitigation measures --Abstract, page iv

An Integrated Framework for the Methodological Assurance of Security and Privacy in the Development and Operation of MultiCloud Applications

x, 169 p.This Thesis studies research questions about how to design multiCloud applications taking into account security and privacy requirements to protect the system from potential risks and about how to decide which security and privacy protections to include in the system. In addition, solutions are needed to overcome the difficulties in assuring security and privacy properties defined at design time still hold all along the system life-cycle, from development to operation.In this Thesis an innovative DevOps integrated methodology and framework are presented, which help to rationalise and systematise security and privacy analyses in multiCloud to enable an informed decision-process for risk-cost balanced selection of the protections of the system components and the protections to request from Cloud Service Providers used. The focus of the work is on the Development phase of the analysis and creation of multiCloud applications.The main contributions of this Thesis for multiCloud applications are four: i) The integrated DevOps methodology for security and privacy assurance; and its integrating parts: ii) a security and privacy requirements modelling language, iii) a continuous risk assessment methodology and its complementary risk-based optimisation of defences, and iv) a Security and Privacy Service Level AgreementComposition method.The integrated DevOps methodology and its integrating Development methods have been validated in the case study of a real multiCloud application in the eHealth domain. The validation confirmed the feasibility and benefits of the solution with regards to the rationalisation and systematisation of security and privacy assurance in multiCloud systems

Evaluation of Efficiency of Cybersecurity

Uurimistöö eesmärgiks on uurida, kuidas tõhus küberjulgeolek on olnud edukas. Uurimistöö kasutab parima võimaliku tulemuse saamiseks mitmesuguseid uurimismeetodeid ja kirjanduse ülevaade on süstemaatiline. Kuid uurimistöö järeldus on see, et uuring ei suuda kinnitada või tagasi lükata peamist töö hüpoteesi. Uuring ei õnnestunud, sest puuduvad korralikud teooriad, mis näitavad ohutuse ja küberjulgeoleku nähtusi ning puuduvad head näitajad, mis annaksid küberohutuse tõhususe kohta kehtivaid ja ratsionaalseid tulemusi, kui hästi on küberkuritegevuse abil õnnestunud küberkuritegevuse tõhusaks võitmiseks ja küberkuritegude tõhusaks vähendamiseks. Seepärast on küberjulgeoleku teadusteooria ja julgeoleku teadusteooria vähearenenud 2018. aastal. Uuringud on teinud küberjulgeoleku ja turvalisuse arendamise põhilisi avastusi. Edasiste põhiuuringute suund on luua üldine turbeteooria, mis kirjeldab ohtlike muutujate ohtlike muutujate kavatsust, ressursse, pädevust ja edusamme ohtlike muutujate ja aksioomide puhul, kus ohtlike muutujate mõõtmisel saab teha selle sisse loodetavas ja teooria kirjeldab, millised on tõhusad meetmed, et vältida ja leevendada ning millised ei ole ja lõpuks kehtestada nõuetekohased mõõdikud, et mõõta turvalisuse ja küberjulgeoleku tõhusust loodetavus ja kehtivusega.The purpose of the thesis is to research how effectively cybersecurity has succeeded on its mission. The thesis used multiple research methods to get best possible answer and the literature review has been systematic. However, the conclusion of the research was that the study is unable to either confirm or reject the main working hypothesis. The study is unable to do it because of the lack of proper theories to describe what are the phenomena in secu-rity and cybersecurity and the lack of proper metrics to give valid and sound conclusion about the effective of cybersecurity and how well have cybersecurity succeed on its mis-sion to effectively prevent and mitigate cybercrime. Therefore, the science of security and science of cybersecurity are underdeveloped in 2018. The research has made basic discov-eries of development of cybersecurity and security. A direction of further basic research is to establish a general theory of security which describes threat variables, threat variables intention, resources, competence and progress of the threat variables and axioms where measurement of threat variables can be made with reliability and the theory would describe which are effective measures to prevent and mitigate and which are not and finally, estab-lish proper metrics to measure efficiency of security and cybersecurity with reliability and validity

Exploring the Implementation of Cloud Security to Minimize Electronic Health Records Cyberattacks

Health care leaders lack the strategies to implement cloud security for electronic medical records to prevent a breach of patient data. The purpose of this qualitative case study was to explore strategies senior information technology leaders in the healthcare industry use to implement cloud security to minimize electronic health record cyberattacks. The theory supporting this study was routine activities theory. Routine activities theory is a theory of criminal events that can be applied to technology. The study\u27s population consisted of senior information technology leaders from a medical facility in a large northeastern city. Data collection included semistructured interviews, phone interviews, and analysis of organizational documents. The use of member checking and methodological triangulation increased the validity of this study\u27s findings among all participants. There were 5 major themes that emerged from the study (a) requirement of coordination with the electronic health record vendor and the private cloud vendor, (b) protection of the organization, (c) requirements based on government and organizational regulations, (d) access management, (e) a focus on continuous improvement. The results of this study may create awareness of the necessity to secure electronic health records in the cloud to minimize cyberattacks. Cloud security is essential because of its social impact on the ability to protect confidential data and information. The results of this study will further serve as a foundation for positive social change by increasing awareness in support of the implementation of electronic health record cloud security

Cloud Computing Adoption in Afghanistan: A Quantitative Study Based on the Technology Acceptance Model

Cloud computing emerged as an alternative to traditional in-house data centers that businesses can leverage to increase the operation agility and employees\u27 productivity. IT solution architects are tasked with presenting to IT managers some analysis reflecting cloud computing adoption critical barriers and challenges. This quantitative correlational study established an enhanced technology acceptance model (TAM) with four external variables: perceived security (PeS), perceived privacy (PeP), perceived connectedness (PeN), and perceived complexity (PeC) as antecedents of perceived usefulness (PU) and perceived ease of use (PEoU) in a cloud computing context. Data collected from 125 participants, who responded to the invitation through an online survey focusing on Afghanistan\u27s main cities Kabul, Mazar, and Herat. The analysis showed that PEoU was a predictor of the behavioral intention of cloud computing adoption, which is consistent with the TAM; PEoU with an R2 = .15 had a stronger influence than PU with an R2 = .023 on cloud computing behavior intention of adoption and use. PeN, PeS, and PeP significantly influenced the behavioral intentions of IT architects to adopt and use the technology. This study showed that PeC was not a significant barrier to cloud computing adoption in Afghanistan. By adopting cloud services, employees can have access to various tools that can help increase business productivity and contribute to improving the work environment. Cloud services, as an alternative solution to home data centers, can help businesses reduce power consumption and consecutively decrease in carbon dioxide emissions due to less power demand

Novel efficient techniques for real-time cloud security assessment

Cloud computing offers multiple benefits to users by offloading them of the tasks of setting up complex infrastructure and costly services. However, these benefits come with a price, namely that the Cloud Service Customers (CSCs) need to trust the Cloud Service Providers (CSPs) with their data, and additionally being exposed to integrity and confidentiality related incidents on the CSPs. Thus, it is important for CSCs to know what security assurances the CSPs are able to guarantee by being able to quantitatively or qualitatively compare CSPs offers with respect to their own needs. On the other hand, it is also important for CSPs to assess their own offers by comparing them to the competition and with the CSCs needs, to consequently improve their offers and to gain better trust. Thus there is a basic need for techniques that address the Cloud security assessment problem. Although a few assessment methodologies have recently been proposed, their value comes only if they can be efficiently executed to support actual decisions at run time. For an assessment methodology to be practical, it should be efficient enough to allow CSCs to adjust their preferences while observing on the fly the current evaluation of CSPs’ offers based on the preferences that are being chosen. Furthermore, for an assessment methodology to be useful in real-world applications, it should be efficient enough to support many requests in parallel, taking into account the growing number of CSPs and the variety of requirements that CSCs might have. In this paper, we develop a novel Cloud security assessment technique called Moving Intervals Process (MIP) that possesses all these qualities. Unlike the existing complex approaches (e.g., Quantitative Hierarchical Process – QHP) that are computationally too expensive to be deployed for the needed on-line real-time assessment, MIP offers both accuracy and high computational efficiency. Additionally, we also show how to make the existing QHP competitively efficient