Secure Cloud-Edge Deployments, with Trust
Assessing the security level of IoT applications to be deployed to
heterogeneous Cloud-Edge infrastructures operated by different providers is a
non-trivial task. In this article, we present a methodology that makes it possible to
express security requirements for IoT applications, as well as infrastructure
security capabilities, in a simple and declarative manner, and to automatically
obtain an explainable assessment of the security level of the possible
application deployments. The methodology also considers the impact of trust
relations among different stakeholders using or managing Cloud-Edge
infrastructures. A lifelike example is used to showcase the prototyped
implementation of the methodology.
Best practices in cloud-based Penetration Testing
This thesis addresses and defines best practices in cloud-based penetration testing. The aim of this thesis is to give penetration testers guidance on how cloud-based penetration testing differs from traditional penetration testing and how certain aspects are limited compared to traditional penetration testing. In addition, this thesis gives the reader an adequate level of knowledge of the most important topics to consider when an organisation is ordering a penetration test of its cloud-based systems or applications. The focus of this thesis is the three major cloud service providers (Microsoft Azure, Amazon AWS, and Google Cloud Platform). The purpose of this research is to fill the gap in the scientific literature regarding guidance on cloud-based penetration testing for testers and for organisations ordering penetration testing. This thesis uses both theoretical and empirical methods. The result of this thesis is a focused collection of best practices for a penetration tester who is conducting penetration testing of cloud-based systems. The lists consist of topics focused on the planning and execution of penetration testing activities.
Challenges and complexities in application of LCA approaches in the case of ICT for a sustainable future
In this work, three of many ICT-specific challenges of LCA are discussed.
First, the inconsistency versus uncertainty is reviewed with regard to the
meta-technological nature of ICT. As an example, the semiconductor technologies
are used to highlight the complexities especially with respect to energy and
water consumption. The need for specific representations and metrics to
separately assess products and technologies is discussed. It is highlighted
that applying product-oriented approaches would result in abandoning or
disfavoring of new technologies that could otherwise help toward a better
world. Second, several believed-untouchable hot spots are highlighted to
emphasize their importance and footprint. The list includes, but is not limited
to, i) User Computer-Interfaces (UCIs), especially screens and displays, ii)
Network-Computer Interfaces (NCIs), such as electronic and optical ports, and
iii) electricity power interfaces. In addition, considering cross-regional
social and economic impacts, and also taking into account the marketing nature
of the need for many ICT products and services in both forms of hardware and
software, the complexity of the End of Life (EoL) stage of ICT products,
technologies, and services is explored. Finally, the impact of smart management
and intelligence, and in general software, in ICT solutions and products is
highlighted. In particular, it is observed that, even using the same
technology, the significance of software could be highly variable depending on
the level of intelligence and awareness deployed. With examples from an
interconnected network of data centers managed using Dynamic Voltage and
Frequency Scaling (DVFS) technology and smart cooling systems, it is shown that
the unadjusted assessments could be highly uncertain, and even inconsistent, in
calculating the management component's significance on the ICT impacts.

Comment: 10 pages. Preprint/accepted version of a paper submitted to the ICT4S
Conference.
Service Level Agreement-based GDPR Compliance and Security assurance in (multi)Cloud-based systems
Compliance with the new European General Data Protection Regulation (Regulation (EU) 2016/679) and security
assurance are currently two major challenges of Cloud-based systems. GDPR compliance implies both privacy and security
mechanisms definition, enforcement and control, including evidence collection. This paper presents a novel DevOps
framework aimed at supporting Cloud consumers in designing, deploying and operating (multi)Cloud systems that include
the necessary privacy and security controls for ensuring transparency to end-users, third parties in service provision (if any)
and law enforcement authorities. The framework relies on the risk-driven specification at design time of privacy and security
level objectives in the system Service Level Agreement (SLA) and on their continuous monitoring and enforcement at runtime.

The research leading to these results has received funding from the European Union's Horizon 2020 research
and innovation programme under grant agreement No 644429 and No 780351, MUSA project and ENACT project,
respectively. We would also like to acknowledge all the members of the MUSA Consortium and ENACT Consortium
for their valuable help.
Assessing home office cyber risks in the oil & gas industry: A comparative study of risk assessment methods
Home office has become a necessity nowadays, as it is part of the business continuity plan for many companies and organizations worldwide, ever since the COVID-19 outbreak made its presence felt in 2020. Even though it is not new as a concept, it has seen rapid growth, and it is now heavily used even within business areas that preferred to have all employees working from corporate offices. The oil and gas industry is such an example, since companies with a presence in that area would always prefer to have their employees on-site rather than working remotely. The aggressive introduction of "Work from Home" solutions, though, comes with significant cyber risks that are not to be taken lightly.
The aim of this thesis is to analyze a set of common risk assessment methodologies that are used in information security and to test their effectiveness in assessing cybersecurity risks related to the home office implementation in the oil and gas industry. The methodologies under investigation are IRAM2, ISO 27005:2018, Octave Allegro, FAIR and NIST SP800-30. According to the findings, there are specific strengths and limitations that risk analysts, decision-makers and other relevant stakeholders need to consider while using one or more of these methods for this specific use-case. The most important factor is time, which causes significant impediments for all involved parties and limits the options that can be considered for reacting to the rationality of the situation. There are also more generic learnings, though, which are applicable even if companies had more time to properly assess cyber risks before introducing remote worker solutions. The outcome of the research leans towards the use of two or more different risk assessment methodologies, which can be combined depending on the company's needs and the project in scope. The learnings of this thesis can be useful for future potential incidents of a similar nature.
Cloud Computing Providers' Unrealistic Optimism regarding IT Security Risks: A Threat to Users?
Despite providers' constant promises of high IT security levels in the Cloud, various serious security incidents have taken place in recent years. By drawing on the psychological theory of "unrealistic optimism", we add a new perspective to the stream of IT security research, which allows us to shed light on the nature of providers' IT security risk perceptions and their lack of motivation to invest in countermeasures. Based on a longitudinal mixed-methods study, we reveal that Cloud providers suffer from "unrealistic optimism" and therefore significantly underestimate their services' exposure to IT security risks, which in turn reduces the propensity to implement necessary IT security measures in the Cloud. We also found that providers' overconfidence concerning their company's control over IT security risks is a major factor determining unrealistic optimism in the Cloud. We discuss implications for research and practice.