DOI: 10.1145/2857546.2857552

Threat Assessment in the Cloud Environment: A Quantitative Approach for Security Pattern Selection

Published: 04 January 2016

Abstract

Cloud computing has emerged as a fast-growing technology in the past few years. It offers great flexibility for storing, sharing and delivering data over the Internet without investing in new technology or resources. Despite this growth and the wide array of cloud usage, the security side of cloud computing is still in its infancy. The security challenges faced by a cloud environment become more complicated once the perspectives of the various stakeholders are taken into account. In a cloud environment, security perspectives and requirements are usually designed by software engineers or security experts; clients' requirements are sometimes ignored and sometimes given disproportionate weight. In this paper we propose a new methodology that implements cloud security while giving equal importance to client organizations, software engineers and security experts. We use Microsoft's STRIDE-DREAD model: STRIDE to identify the threats present in the cloud environment and DREAD to measure their consequences. Our aim is to rank the threats by the nature and severity of their impact while giving significant weight to the clients' own security requirements. The methodology is intended as a guiding tool for security experts and software engineers undertaking the securing process, especially for a private or hybrid cloud. Once the threats are ranked, we link them to a well-known security pattern classification. Although several security pattern classification schemes exist in the literature, a methodology is needed for selecting a particular category of patterns. We therefore provide a novel methodology for selecting a set of security patterns to secure cloud software. It can help a security expert or software professional assess the current vulnerability condition of a cloud environment and prioritize countermeasures while taking the client's security requirements into account.
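The ranking step sketched in the abstract, as an added worked example that is not code from the paper: each threat is labelled with a STRIDE category and scored with the five DREAD ratings; the DREAD mean is weighted by the priority that three stakeholder groups (client, software engineer, security expert) assign to that category, each group counting equally; the threats are ranked; and the top-ranked ones are mapped to the family of security patterns that addresses the property they violate. The scoring formula, the 1-5 priority scale, the sample threats and priorities, and the pattern-family names are assumptions for illustration; the paper's actual weighting scheme and the pattern classification it links to are not reproduced here.

```python
"""Rank STRIDE-classified cloud threats by DREAD severity weighted with equal-
importance stakeholder priorities, then map the top threats to the family of
security patterns addressing the property each violates. Added illustration:
the scoring rule, 1-5 priority scale, sample data and pattern-family names are
assumptions, not the paper's own method, data or pattern classification."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

STRIDE = ("Spoofing", "Tampering", "Repudiation",
          "InformationDisclosure", "DenialOfService", "ElevationOfPrivilege")

# STRIDE category -> property it violates (usual Microsoft mapping) ->
# illustrative family of patterns to look up in a catalogue (assumed names).
PATTERN_FAMILY: Dict[str, str] = {
    "Spoofing": "authentication patterns",
    "Tampering": "integrity and input-validation patterns",
    "Repudiation": "non-repudiation and secure-logging patterns",
    "InformationDisclosure": "confidentiality and secure-channel patterns",
    "DenialOfService": "availability and rate-limiting patterns",
    "ElevationOfPrivilege": "authorization and least-privilege patterns",
}
Priorities = Dict[str, Dict[str, int]]  # stakeholder -> STRIDE category -> 1..5
Row = Tuple[str, str, float, float, str]  # name, category, DREAD, score, family

@dataclass(frozen=True)
class Threat:
    name: str
    category: str        # one of STRIDE
    damage: int          # the five DREAD ratings, each 0..10
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def dread(self) -> float:
        """Classic DREAD severity: the mean of the five 0-10 ratings."""
        if self.category not in STRIDE:
            raise ValueError(f"{self.name}: unknown STRIDE category {self.category!r}")
        ratings = (self.damage, self.reproducibility, self.exploitability,
                   self.affected_users, self.discoverability)
        if any(not 0 <= r <= 10 for r in ratings):
            raise ValueError(f"{self.name}: DREAD ratings must be within 0..10")
        return sum(ratings) / len(ratings)

def stakeholder_weight(priorities: Priorities, category: str) -> float:
    """Average of the 1-5 priority each stakeholder gives the category, every
    stakeholder counting equally, normalised to 0..1."""
    total = 0
    for who, prio in priorities.items():
        rating = prio.get(category)
        if rating is None or not 1 <= rating <= 5:
            raise ValueError(f"{who}: priority for {category} must be 1..5")
        total += rating
    return total / (5 * len(priorities))

def rank_threats(threats: Iterable[Threat], priorities: Priorities) -> List[Row]:
    """Score = DREAD mean x stakeholder weight; highest score first."""
    rows: List[Row] = []
    for t in threats:
        raw = t.dread()
        score = round(raw * stakeholder_weight(priorities, t.category), 2)
        rows.append((t.name, t.category, raw, score, PATTERN_FAMILY[t.category]))
    rows.sort(key=lambda r: (-r[3], r[0]))
    return rows

def pattern_families(rows: List[Row], top_n: int) -> List[str]:
    """Distinct pattern families for the top_n ranked threats, in rank order."""
    families: List[str] = []
    for row in rows[:top_n]:
        if row[4] not in families:
            families.append(row[4])
    return families

# Constructed sample: threats an assessor might record for a private cloud.
SAMPLE_THREATS = (
    Threat("Stolen tenant API credentials reused", "Spoofing", 8, 6, 7, 7, 6),
    Threat("Guest-to-host escape via hypervisor flaw", "ElevationOfPrivilege",
           10, 3, 4, 9, 3),
    Threat("VM snapshots stored unencrypted on shared storage",
           "InformationDisclosure", 7, 9, 6, 8, 5),
    Threat("Audit log lacks integrity protection", "Repudiation", 5, 8, 5, 4, 4),
    Threat("Tenant API floodable without rate limiting", "DenialOfService",
           6, 9, 8, 6, 8),
)
# Constructed sample: 1-5 priority per stakeholder group, in STRIDE order.
SAMPLE_PRIORITIES: Priorities = {
    "client":   dict(zip(STRIDE, (4, 3, 2, 5, 3, 4))),
    "engineer": dict(zip(STRIDE, (4, 4, 3, 4, 4, 5))),
    "expert":   dict(zip(STRIDE, (5, 4, 3, 5, 3, 5))),
}

def run_example() -> List[Row]:
    return rank_threats(SAMPLE_THREATS, SAMPLE_PRIORITIES)

if __name__ == "__main__":
    for name, cat, raw, score, family in run_example():
        print(f"{score:5.2f} (DREAD {raw:.1f}) {cat:<21} {name} -> {family}")
    print("Pattern families for top 3:", pattern_families(run_example(), 3))
```

Running it shows why the stakeholder weighting matters: the API-flooding threat has the highest raw DREAD score (7.4) but falls to fourth place, because all three groups rate denial of service below disclosure, spoofing and privilege escalation for this deployment, so the pattern families consulted first are confidentiality, authentication and authorization rather than availability.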




Published In

IMCOM '16: Proceedings of the 10th International Conference on Ubiquitous Information Management and Communication
January 2016, 658 pages
ISBN: 9781450341424
DOI: 10.1145/2857546

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. Cloud Computing
  2. Risk Analysis
  3. STRIDE-DREAD Model
  4. Security Patterns
  5. Threat Assessment

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

IMCOM '16

Acceptance Rates

Overall Acceptance Rate: 213 of 621 submissions, 34%

Article Metrics

  • Downloads (last 12 months): 27
  • Downloads (last 6 weeks): 1

Reflects downloads up to 14 Feb 2025

Cited By

  • (2024) Expediting the design and development of secure cloud-based mobile apps. International Journal of Information Security 23(4): 3043-3064. doi:10.1007/s10207-024-00880-6. Online publication date: 1 Aug 2024.
  • (2022) Systematic analysis of software development in cloud computing perceptions. Journal of Software: Evolution and Process. doi:10.1002/smr.2485. Online publication date: 29 Jun 2022.
  • (2021) Systematic Literature Review of Security Pattern Research. Information 12(1): 36. doi:10.3390/info12010036. Online publication date: 16 Jan 2021.
  • (2021) A risk-level assessment system based on the STRIDE/DREAD model for digital data marketplaces. International Journal of Information Security 21(3): 509-525. doi:10.1007/s10207-021-00566-3. Online publication date: 14 Sep 2021.
  • (2019) Threat Modeling and Analysis of Voice Assistant Applications. Springer, pp. 197-209. doi:10.1007/978-3-030-17982-3_16. Online publication date: 12 Apr 2019.
  • (2017) A trust management system model for cloud. 2017 International Symposium on Networks, Computers and Communications (ISNCC), pp. 1-6. doi:10.1109/ISNCC.2017.8072029. Online publication date: May 2017.
  • (2017) Determining security requirements for cloud-supported routing of physical goods. 2017 IEEE Conference on Communications and Network Security (CNS), pp. 514-521. doi:10.1109/CNS.2017.8228691. Online publication date: Oct 2017.
