Abstract
Assessing the security of data stored in cloud storage can be carried out by developing goal-based measurement items. These measurement items can be used to construct a security assessment model that reflects practical needs, and they can support decision making on the implementation of a security framework. This paper discusses the Goal-Question-Metric (GQM) approach and its application to constructing measurement items for a security metric. It also provides practical guidance and examples of measurements derived using GQM. An application of the GQM paradigm to the development of a security metric is presented. The resulting metrics will assist organizations in meeting their requirements for a cloud storage security framework.
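The following is an added Python illustration of the GQM mechanics the abstract describes; it is not code from the paper. The goal statement, the two questions, the four metrics, the 90-day key-rotation threshold and the bucket/account inventory are all assumptions chosen for the example: each metric is a predicate evaluated over collected evidence and scores the fraction of assets that satisfy it, each question is answered by aggregating its metrics, and the goal is scored from its questions.

```python
"""Goal-Question-Metric (GQM) measurement tree for one cloud-storage security goal.

Added illustration, not code from the paper. The goal, questions, metrics and the
sample inventory are assumptions chosen to show the mechanics: a Metric is a
predicate over one kind of collected evidence and scores the fraction of assets
satisfying it; a Question aggregates its metrics; the Goal aggregates its questions.
Each metric also names the assets that failed, so a low score points at remediation.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Evidence = Dict[str, List[dict]]   # collection name -> list of assets with a "name" field
MAX_KEY_AGE_DAYS = 90              # assumed access-key rotation policy


@dataclass
class Metric:
    name: str
    collection: str                # evidence collection the metric is computed over
    ok: Callable[[dict], bool]     # predicate each asset must satisfy

    def failing(self, ev: Evidence) -> List[str]:
        return [a["name"] for a in ev.get(self.collection, []) if not self.ok(a)]

    def measure(self, ev: Evidence) -> float:
        """Fraction of assets satisfying the predicate; missing evidence scores 0, not 1."""
        assets = ev.get(self.collection, [])
        return (len(assets) - len(self.failing(ev))) / len(assets) if assets else 0.0


@dataclass
class Question:
    text: str
    metrics: List[Metric]


@dataclass
class Goal:
    statement: str
    questions: List[Question]


# Assumed goal tree: one goal, two questions, two metrics per question.
GOAL = Goal(
    "Protect the confidentiality of data at rest in cloud storage, from the data owner's viewpoint.",
    [
        Question("Is stored data protected against disclosure to unauthorised parties?", [
            Metric("buckets encrypted at rest", "buckets", lambda b: b["encrypted_at_rest"]),
            Metric("buckets not publicly readable", "buckets", lambda b: not b["public"]),
        ]),
        Question("Is access to the storage accounts adequately controlled?", [
            Metric("accounts with MFA enabled", "accounts", lambda a: a["mfa"]),
            Metric(f"access keys rotated within {MAX_KEY_AGE_DAYS} days", "accounts",
                   lambda a: a["key_age_days"] <= MAX_KEY_AGE_DAYS),
        ]),
    ],
)

# Constructed sample evidence (hypothetical buckets and accounts), not real data.
SAMPLE_EVIDENCE: Evidence = {
    "buckets": [
        {"name": "finance",        "encrypted_at_rest": True,  "public": False},
        {"name": "backups",        "encrypted_at_rest": True,  "public": False},
        {"name": "website-assets", "encrypted_at_rest": False, "public": True},
        {"name": "logs",           "encrypted_at_rest": True,  "public": False},
    ],
    "accounts": [
        {"name": "alice",      "mfa": True,  "key_age_days": 30},
        {"name": "bob",        "mfa": True,  "key_age_days": 120},
        {"name": "svc-ingest", "mfa": False, "key_age_days": 45},
    ],
}


def score_question(q: Question, ev: Evidence) -> dict:
    """Answer a question as the unweighted mean of its metrics, keeping each metric's failures."""
    metrics = {m.name: {"score": m.measure(ev), "failing": m.failing(ev)} for m in q.metrics}
    return {"question": q.text,
            "score": sum(v["score"] for v in metrics.values()) / len(metrics),
            "metrics": metrics}


def score_goal(g: Goal, ev: Evidence) -> dict:
    """Score the goal as the unweighted mean of its question scores."""
    answers = [score_question(q, ev) for q in g.questions]
    return {"goal": g.statement,
            "score": sum(a["score"] for a in answers) / len(answers),
            "questions": answers}


def report(g: Goal, ev: Evidence) -> str:
    """Render the GQM tree with scores and the assets behind each shortfall."""
    r = score_goal(g, ev)
    lines = [f"GOAL {r['score']:.2f}  {r['goal']}"]
    for a in r["questions"]:
        lines.append(f"  Q  {a['score']:.2f}  {a['question']}")
        for name, m in a["metrics"].items():
            gap = f"  failing: {', '.join(m['failing'])}" if m["failing"] else ""
            lines.append(f"    M  {m['score']:.2f}  {name}{gap}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(GOAL, SAMPLE_EVIDENCE))
```

Two design choices are worth noting. Questions and metrics are weighted equally here, which is an assumption; in practice the weights come from the goal's viewpoint and the organisation's risk appetite. A metric with no evidence scores zero rather than one, so a data source that was never collected cannot make the goal look satisfied.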
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Yahya, F., Walters, R.J., Wills, G.B. (2017). Using Goal-Question-Metric (GQM) Approach to Assess Security in Cloud Storage. In: Chang, V., Ramachandran, M., Walters, R., Wills, G. (eds) Enterprise Security. ES 2015. Lecture Notes in Computer Science(), vol 10131. Springer, Cham. https://doi.org/10.1007/978-3-319-54380-2_10
DOI: https://doi.org/10.1007/978-3-319-54380-2_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-54379-6
Online ISBN: 978-3-319-54380-2
eBook Packages: Computer Science (R0)