Real Time Risk Management in Cloud Computation

The rise of Cloud Computing represents one of the most significant shifts in Information technology in the last 5 years and promises to revolutionise how we view the availability and consumption of computing storage and processing resources. However, it is well-known that along with the benefits of Cloud Computing, it also presents a number of security issues that have restricted its deployment to date. This chapter reviews the potential vulnerabilities of Cloud-based architectures and uses this as the foundation to define a set of requirements for reassessing risk management in Cloud Computing. To fulfill these requirements, the authors propose a new scheme for the real-time assessment and auditing of risk in cloud-based applications and explore this with the use case of a triage application.

A Goal-Driven Risk Management Approach to Support Security and Privacy Analysis of Cloud-Based System

Cloud Computing is a rapidly evolving paradigm that is radically changing the way humans use their computers. Despite the many advantages, such as economic benefit, a rapid elastic resource pool, and on-demand service, the paradigm also creates challenges for both users and providers. There are issues, such as unauthorized access, loss of privacy, data replication, and regulatory violation that require adequate attention. A lack of appropriate solutions to such challenges might cause risks, which may outweigh the expected benefits of using the paradigm. In order to address the challenges and associated risks, a systematic risk management practice is necessary that guides users to analyze both benefits and risks related to cloud based systems. In this chapter the authors propose a goal-driven risk management modeling (GSRM) framework to assess and manage risks that supports analysis from the early stages of the cloud-based systems development. The approach explicitly identifies the goals that the system must fulfill and the potential risk factors that obstruct the goals so that suitable control actions can be identified to control such risks. The authors provide an illustrative example of the application of the proposed approach in an industrial case study where a cloud service is deployed to share data amongst project partners.

A Software Tool to support Risks Analysis about what Should or Should Not go to the Cloud

This chapter proposes a software prototype called 2thecloud, programmed in HTML and PHP under free software guidelines, whose main objective is to allow end users to be aware of imminent cloud dangers. To do this, the user must undergo a metacognitive process of basic risk analysis, which suggested result would be to what cloud the object should go. Through the use of this tool is expected that he / she can develop a risk analysis capability, so that in this way he/she is the one who makes the final decision about selecting between different cloud models (public, private, hybrid, and community) where the object will be placed. An important aspect is that the user has to understand that different cloud models provide different levels of security and this will allow him/her to question safety in other settings, given that it is a work that goes beyond simply encrypting and filtering information. It also presented 2thecloud functions and a description of each step that indicate how it operates. Finally, the authors propose four alternatives in risk analysis calculation, which are plausibly adapted to 2thecloud and if they are implemented they will provide different advantages.

Security Risks in Cloud Computing

Any software system is exposed to potential attack. The recent and continuous appearance of vulnerabilities in software systems makes security a vital issue if these systems are to succeed. The detection of potential vulnerabilities thus signifies that a set of policies can be established to minimize their impact. This therefore implies identifying the risks and data to be protected, and the design of an action plan with which to manage incidents and recovery. The purpose of this chapter is to provide an analysis of the most common vulnerabilities in recent years, focusing on those vulnerabilities which are specific to cloud computing. These specific vulnerabilities need to be identified in order to avoid them by providing prevention mechanisms, and the following questions have therefore been posed: What kinds of vulnerabilities are increasing? Has any kind of vulnerability been reduced in recent years? What is the evolution of their severity?

Three Misuse Patterns for Cloud Computing

Cloud computing is a new computing model that allows providers to deliver services on demand by means of virtualization. One of the main concerns in cloud computing is security. In particular, the authors describe some attacks in the form of misuse patterns, where a misuse pattern describes how an attack is performed from the point of view of the attacker. Specially, they describe three misuse patterns: Resource Usage Monitoring Inference, Malicious Virtual Machine Creation, and Malicious Virtual Machine Migration Process.

The SeCA Model

Security issues are paramount when considering adoption of any cloud technology. This chapter outlines the Secure Cloud Architecture (SeCA) model on the basis of data classifications, which defines a properly secure cloud architecture by testing the cloud environment on eight attributes. The SeCA model is developed using a literature review and a Delphi study with seventeen experts, consisting of three rounds. The authors integrate the CI3A —an extension on the CIA-triad— to create a basic framework for testing the classification inputted. The data classification is then tested on regional, geo-spatial, delivery, deployment, governance & compliance, network, and premise attributes. After this testing has been executed, a specification for a secure cloud architecture is outputted. The SeCA model is detailed with two example cases on the usage of the model in practice.

Hardware-Based Security for Ensuring Data Privacy in the Cloud

In this chapter, the authors present a set of hardware-based security mechanisms for ensuring the privacy, integrity, and legal compliance of customer data as it is stored and processed in the cloud. The presented security system leverages the tamper-proof capabilities of cryptographic coprocessors to establish a secure execution domain in the computing cloud that is physically and logically protected from unauthorized access. The main design goal is to maximize users’ control in managing the various aspects related to the privacy of sensitive data by implementing user-configurable software protection and data privacy categorization mechanisms. Moreover, the proposed system provides a privacy feedback protocol to inform users of the different privacy operations applied on their data and to make them aware of any data leaks or risks that may jeopardize the confidentiality of their sensitive information. Providing a secure privacy feedback protocol increases the users’ trust in the cloud computing services, relieves their privacy concerns, and supports a set of accountable auditing services required to achieve legal compliance and certification.

Dynamic Security Properties Monitoring Architecture for Cloud Computing

In this chapter, the authors provide an overview of the importance of the monitoring of security properties in cloud computing scenarios. They then present an approach based on monitoring security properties in cloud systems based on a diagnosis framework that supports the specification and monitoring of properties expressed in Event Calculus (EC) as rules as the basis. The provision of diagnosis information is based on the generation of alternative explanations for the events that are involved in the violations of rules. This approach is based on Virtualization Architectures that presents several threats identified in the instrumentation of Virtualized Environments. The monitoring model presented in this chapter focuses on runtime supervision of applications, allowing the detection of problems in the operation of individual instances of applications and supporting the automated reconfiguration of these applications. This infrastructure has been recently designed as part of the PASSIVE project. To the best of the authors’ knowledge, there is not any other infrastructure providing the same features as the one presented in this chapter. For this reason, not much directly related previous work is found in the literature.

Policy Management in Cloud

Cloud computing paradigm is still an evolving paradigm but has recently gained tremendous momentum due to its potential for significant cost reduction and increased operating efficiencies in computing. However, its unique aspects exacerbate security and privacy challenges that pose as the key roadblock to its fast adoption. Cloud computing has already become very popular, and practitioners need to provide security mechanisms to ensure its secure adoption. In this chapter, the authors discuss access control systems and policy management in cloud computing environments. The cloud computing environments may not allow use of a single access control system, single policy language, or single management tool for the various cloud services that it offers. Currently, users must use diverse access control solutions available for each cloud service provider to secure data. Access control policies may be composed in incompatible ways because of diverse policy languages that are maintained separately at every cloud provider. Heterogeneity and distribution of these policies pose problems in managing access policy rules for a cloud environment. In this chapter, the authors discuss challenges of policy management and introduce a cloud based policy management framework that is designed to give users a unified control point for managing access policies to control access to their resources no matter where they are stored.

Securing Cloud Storage

Data storage appears as a central component of the problematic associated with the move of processes and resources in the cloud. Whether it is a simple storage externalization for backup purposes, use of hosted software services or virtualization in a third-party provider of the company computing infrastructure, data security is crucial. This security declines according to three axes: data availability, integrity and confidentiality. Numerous techniques targeting these three issues exist, but none presents the combined guarantees that would allow a practical implementation. The authors’ solution relies on the integration of these techniques to a virtualization middleware. Quality of service definition allows specifying the nature of the security to implement with a seamless access.