A risk assessment model for selecting cloud service providers

Çayırcı, Erdal; Garaga, Alexandr; Oliveira, Anderson Santana de; Roudier, Yves

doi:10.1186/s13677-016-0064-x

Cited by 42 publications

(32 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Saripalli and Walters show a framework to evaluate the security of clouds based on the security impact for six security categories related to the cloud, including confidentiality, integrity, availability, multi-party trust, mutual auditability, and usability (CIAMAU), according to abstract levels of security impact as low, medium, and high [1]. Cayirci et al use risk assessment to help cloud tenants to choose cloud providers to meet his/her security requirements [50]. This model is based on the background information collected from tenants and cloud providers.…”

Section: Related Workmentioning

confidence: 99%

Threat Modeling for Cloud Infrastructures

Alhebaishi¹,

Wang²,

Singhal³

2019

ICST Transactions on Security and Safety

View full text Add to dashboard Cite

Today's businesses are increasingly relying on the cloud as an alternative IT solution due to its flexibility and lower cost. Compared to traditional enterprise networks, a cloud infrastructure is typically much larger and more complex. Understanding the potential security threats in such infrastructures is naturally more challenging than in traditional networks. This is evidenced by the fact that there are limited efforts on threat modeling for cloud infrastructures. In this paper, we conduct comprehensive threat modeling exercises based on two representative cloud infrastructures using several popular threat modeling methods, including attack surface, attack trees, attack graphs, and security metrics based on attack trees and attack graphs, respectively. Those threat modeling efforts may provide cloud providers useful lessons toward better understanding and improving the security of their cloud infrastructures. In addition, we show how hardening solution can be applied based on the threat models and security metrics through extended exercises. Such results may not only benefit the cloud provider but also embed more confidence in cloud tenants by providing them a clearer picture of the potential threats and mitigation solutions.This section briefly reviews several popular threat models and existing security metrics that will be applied in this paper, including attack surface, attack tree, attack graph, attack tree-based metric (ATM), and Bayesian network (BN)-based metric.-Attack surface: Originally proposed as a metric for software security, an attack surface captures software components that may lead to potential vulnerabilities, including entry and exit points (i.e., methods in a software program that either take user inputs or generate outputs), communication channels (e.g., TCP or UDP), and untrusted data items (e.g., configuration files or registry keys read by the software) [7]. Since the attack surface requires examining the source code of a software, due to the complexity of such a task, most existing work applies the concept in a high-level and intuitive manner. For example, six attack surfaces are said to exist between an end user, the cloud provider, and cloud services [8], although the exact meaning of such attack surface is not specified.-Attack tree: While the attack surface focuses on what may provide attackers initial privileges or accesses to a system, attack trees demonstrate the possible attack paths which may be followed by the attacker to further infiltrate the system [9].

show abstract

Section: Related Workmentioning

confidence: 99%

Threat Modeling for Cloud Infrastructures

Alhebaishi¹,

Wang²,

Singhal³

2019

ICST Transactions on Security and Safety

View full text Add to dashboard Cite

show abstract

“…However, the SP dynamic risk assessment is limited due to the lack of support for service consumer's side monitoring tools and the limited availability of shared monitored data from IPs. CARAM: is a qualitative and relative risk assessment model that helps CSC select CSP that fit their risk profile the best [9]. It consists of tools that complements the various recommendations of ENISA [33] and CSA [40].…”

Section: Related Workmentioning

confidence: 99%

A Framework for Cloud Security Risk Management based on the Business Objectives of Organizations

Youssef¹

2019

IJACSA

View full text Add to dashboard Cite

Security is considered one of the top ranked risks of Cloud Computing (CC) due to the outsourcing of sensitive data onto a third party. In addition, the complexity of the cloud model results in a large number of heterogeneous security controls that must be consistently managed. Hence, no matter how strongly the cloud model is secured, organizations continue suffering from lack of trust on CC and remain uncertain about its security risk consequences. Traditional risk management frameworks do not consider the impact of CC security risks on the business objectives of the organizations. In this paper, we propose a novel Cloud Security Risk Management Framework (CSRMF) that helps organizations adopting CC identify, analyze, evaluate, and mitigate security risks in their Cloud platforms. Unlike traditional risk management frameworks, CSRMF is driven by the business objectives of the organizations. It allows any organization adopting CC to be aware of cloud security risks and align their low-level management decisions according to high-level business objectives. In essence, it is designed to address impacts of cloudspecific security risks into business objectives in a given organization. Consequently, organizations are able to conduct a cost-value analysis regarding the adoption of CC technology and gain an adequate level of confidence in Cloud technology. On the other hand, Cloud Service Providers (CSP) are able to improve productivity and profitability by managing cloud-related risks. The proposed framework has been validated and evaluated through a use-case scenario.

show abstract

“…So cloud security has become an important topic among the researchers, and they were always trying to find the different methods to secure the cloud. Some of the researchers mainly focused on the trustworthiness of cloud service providers, and they cover some of the parameters for selecting trusted cloud service providers (Cayirci et al, 2016;Tang and Liu, 2015;Hullermeier and Rifqi, 2009). Whereas our model covers many parameters as possible.…”

Section: Introductionmentioning

confidence: 99%

Development of trust based access control models using fuzzy logic in cloud computing

Kesarwani

Khilar

2022

Journal of King Saud University - Computer and Information Scie

View full text Add to dashboard Cite

a b s t r a c tCloud computing is the technology that provides different types of services as a useful resource on the Internet. Resource trust value will help the cloud users to select the services of a cloud provider for processing and storing their essential information. Also, service providers can give access to users based on trust value to secure cloud resources from malicious users. In this paper, trust models are proposed, which comes under the subjective trust model based on the behavior of user and service provider to calculate the trust values. The trust is fuzzy, which motivated us to apply fuzzy logic for calculating the trust values of the cloud users and service providers in the cloud environment. We use a Mamdani fuzzy method with gauss membership function for fuzzification and triangular membership function for defuzzification. Parameters such as performance and elasticity are taken for trust evaluation of the resource. The attributes for calculating performance are workload and response time. And for calculating elasticity, we have taken scalability, availability, security, and usability. The fuzzy C-means clustering is applied to parameters for evaluating the trust value of users such as bad requests, bogus requests, unauthorized requests, and total requests.

show abstract

A risk assessment model for selecting cloud service providers

Cited by 42 publications

References 10 publications

Threat Modeling for Cloud Infrastructures

Threat Modeling for Cloud Infrastructures

A Framework for Cloud Security Risk Management based on the Business Objectives of Organizations

Development of trust based access control models using fuzzy logic in cloud computing

Contact Info

Product

Resources

About