ABSTRACT
In a world where physical and digital realities are increasingly blended, our devices and interactions generate a continuum of multimedia data that needs to be stored, shared and processed to provide services that enrich our daily lives. Cloud computing plays a key role in these tasks, dissolving resource allocation and computational boundaries, but it also requires advanced security mechanisms to protect the data and provide privacy guarantees. Therefore, security assurance must be evaluated before offloading tasks to a cloud provider, a process which is currently manual, complex and inadequate for dynamic scenarios. Although there are many tools for evaluating cloud providers according to quality-of-service criteria, automated categorization and selection based on risk metrics is still challenging. To address this gap, we present FRiCS, a Framework for Risk-driven Cloud Selection, which contributes: 1) a set of cloud security metrics and risk-based weighting policies, 2) distributed components for metric extraction and aggregation, and 3) decision-making plugins for ranking and selection. We have implemented the whole system and conducted a case-study validation based on public cloud providers' security data, showing the benefits of the proposed approach.