
    Secure Cloud-Edge Deployments, with Trust

    Assessing the security level of IoT applications to be deployed to heterogeneous Cloud-Edge infrastructures operated by different providers is a non-trivial task. In this article, we present a methodology that permits expressing security requirements for IoT applications, as well as infrastructure security capabilities, in a simple and declarative manner, and automatically obtaining an explainable assessment of the security level of the possible application deployments. The methodology also considers the impact of trust relations among the different stakeholders using or managing Cloud-Edge infrastructures. A lifelike example is used to showcase the prototyped implementation of the methodology.

    Best practices in cloud-based Penetration Testing

    This thesis addresses and defines best practices in cloud-based penetration testing. Its aim is to give penetration testers guidance on how cloud-based penetration testing differs from traditional penetration testing and how certain aspects are limited compared to traditional penetration testing. In addition, the thesis gives the reader an adequate level of knowledge about the most important topics to consider when an organisation is ordering a penetration test of its cloud-based systems or applications. The focus of the thesis is the three major cloud service providers (Microsoft Azure, Amazon AWS, and Google Cloud Platform). The purpose of this research is to fill the gap in the scientific literature on guidance for cloud-based penetration testing, both for testers and for organisations ordering penetration tests. The thesis uses both theoretical and empirical methods. Its result is a focused collection of best practices for penetration testers conducting penetration testing of cloud-based systems. The lists consist of topics focused on the planning and execution of penetration testing activities.

    Challenges and complexities in application of LCA approaches in the case of ICT for a sustainable future

    In this work, three of the many ICT-specific challenges of LCA are discussed. First, inconsistency versus uncertainty is reviewed with regard to the meta-technological nature of ICT. As an example, semiconductor technologies are used to highlight the complexities, especially with respect to energy and water consumption. The need for specific representations and metrics to separately assess products and technologies is discussed. It is highlighted that applying product-oriented approaches would result in abandoning or disfavoring new technologies that could otherwise help toward a better world. Second, several believed-untouchable hot spots are highlighted to emphasize their importance and footprint. The list includes, but is not limited to, i) User Computer-Interfaces (UCIs), especially screens and displays, ii) Network-Computer Interfaces (NCIs), such as electronic and optical ports, and iii) electricity power interfaces. In addition, considering cross-regional social and economic impacts, and also taking into account the marketing nature of the need for many ICT products and services in both hardware and software form, the complexity of the End of Life (EoL) stage of ICT products, technologies, and services is explored. Finally, the impact of smart management and intelligence, and in general of software, in ICT solutions and products is highlighted. In particular, it is observed that, even using the same technology, the significance of software can be highly variable depending on the level of intelligence and awareness deployed. With examples from an interconnected network of data centers managed using Dynamic Voltage and Frequency Scaling (DVFS) technology and smart cooling systems, it is shown that unadjusted assessments can be highly uncertain, and even inconsistent, in calculating the management component's significance on the ICT impacts.
    Comment: 10 pages. Preprint/Accepted of a paper submitted to the ICT4S Conferenc

    Service Level Agreement-based GDPR Compliance and Security assurance in (multi)Cloud-based systems

    Compliance with the new European General Data Protection Regulation (Regulation (EU) 2016/679) and security assurance are currently two major challenges of Cloud-based systems. GDPR compliance implies the definition, enforcement and control of both privacy and security mechanisms, including evidence collection. This paper presents a novel DevOps framework aimed at supporting Cloud consumers in designing, deploying and operating (multi)Cloud systems that include the privacy and security controls necessary for ensuring transparency to end-users, to third parties in service provision (if any) and to law enforcement authorities. The framework relies on the risk-driven specification, at design time, of privacy and security level objectives in the system Service Level Agreement (SLA) and on their continuous monitoring and enforcement at runtime.
    The research leading to these results has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 644429 and No 780351, MUSA project and ENACT project, respectively. We would also like to acknowledge all the members of the MUSA Consortium and ENACT Consortium for their valuable help.

    Assessing home office cyber risks in the oil & gas industry: A comparative study of risk assessment methods

    Home office has become a necessity nowadays, as it is part of the business continuity plan for many companies and organizations worldwide, ever since the COVID-19 outbreak in 2020. Even though it is not new as a concept, it has grown rapidly, and it is now heavily used even within business areas that preferred to have all employees working from corporate offices. The oil and gas industry is such an example, since companies with a presence in that area would always prefer to have their employees on-site rather than working remotely. The aggressive introduction of "Work from Home" solutions, though, comes with significant cyber risks that are not to be taken lightly. The aim of this thesis is to analyze a set of common risk assessment methodologies used in information security and test their effectiveness in assessing the cybersecurity risks related to home office implementation in the oil and gas industry. The methodologies under investigation are IRAM2, ISO 27005:2018, OCTAVE Allegro, FAIR and NIST SP 800-30. According to the findings, there are specific strengths and limitations that risk analysts, decision-makers and other relevant stakeholders need to consider while using one or more of these methods for this specific use case. The most important factor is time, which causes significant impediments for all involved parties and limits the options that can be considered for reacting to the rationality of the situation. There are also more generic learnings, though, which are applicable even if companies had more time to properly assess cyber risks before introducing remote worker solutions. The outcome of the research leans towards the use of two or more different risk assessment methodologies, which can be combined depending on the company's needs and the project in scope. The learnings of this thesis can be useful for future incidents of a similar nature.

    Cloud Computing Providers’ Unrealistic Optimism regarding IT Security Risks: A Threat to Users?

    Despite providers' constant promises of high IT security levels in the Cloud, various serious security incidents have taken place in recent years. By drawing on the psychological theory of 'unrealistic optimism', we add a new perspective to the stream of IT security research which allows us to shed light on the nature of providers' IT security risk perceptions and their lack of motivation to invest in countermeasures. Based on a longitudinal mixed-methods study, we reveal that Cloud providers suffer from 'unrealistic optimism' and therefore significantly underestimate their services' exposure to IT security risks, which in turn reduces their propensity to implement necessary IT security measures in the Cloud. We also found that providers' overconfidence concerning their company's control over IT security risks is a major factor determining unrealistic optimism in the Cloud. We discuss implications for research and practice.
