Operational security assurance evaluation in open infrastructures

Haddad, Sammy; Dubus, Samuel; Hecker, Artur; Kanstrén, Teemu; Marquet, Bertrand; Savola, Reijo

doi:10.1109/crisis.2011.6061831

Cited by 18 publications

(9 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This should then be reflected in use of the monitoring information, such as security assurance metrics modelling. In [12] we have described a security metrics process using a single confidence value representing model completeness. However, in cloud environments with the TMB levels, there are now more aspects impacting this.…”

Section: Discussionmentioning

confidence: 99%

Opportunities in Using a Secure Element to Increase Confidence in Cloud Security Monitoring

Kanstrén

Lehtonen

Kukkohovi

2015

2015 IEEE 8th International Conference on Cloud Computing

Self Cite

View full text Add to dashboard Cite

In this paper we discuss applications of a secure element (SE) such as trusted platform module (TPM) for increasing confidence in cloud security monitoring from the cloud customer viewpoint. Monitoring security of cloud-based systems is similar in many ways to traditional in-house networks, but with the difference that the actual hardware is hosted by an external party and not under our control. This provides some unique challenges and opportunities for security monitoring. We discuss these challenges, identify related opportunities for SE use, and use these to present solutions to the identified challenges. This is based on three different use cases identified together with our industry partners. These are the monitoring of elements of the host infrastructure, monitoring our virtualized guest instances running on this infrastructure, and collecting and archiving log data for later external auditing of the cloud customer services. For each of these, we describe the problem area and different ways we have applied a TPM to increase trust and visibility.

show abstract

Section: Discussionmentioning

confidence: 99%

Opportunities in Using a Secure Element to Increase Confidence in Cloud Security Monitoring

Kanstrén

Lehtonen

Kukkohovi

2015

2015 IEEE 8th International Conference on Cloud Computing

Self Cite

View full text Add to dashboard Cite

show abstract

“…The different types of assurance metrics will be discussed in the next section. Similar to the methodologies defined in [Haddad et al 2011], the assurance process consists of five main activities: application modelling, metric selection and test case definition, test case execution and measurement collection, assurance metrics and level calculation, evaluation and monitoring.…”

Section: Security Assurance Evaluation (Sae) Processmentioning

confidence: 99%

“…BUGYO [Bulut et al 2007;Haddad et al 2011] can be cited as the first methodology and tool for continuous security assurance evaluation; security assurance evaluation in the context of BUGYO was aimed at probing the security of runtime systems rather than products. This work investigates a quantitative approach for defining security assurance metrics that provides an overall security assurance evaluation of a target of evaluation.…”

Section: Introductionmentioning

confidence: 99%

Quantitative security assurance metrics

Katt

Prasher

2018

Proceedings of the 12th European Conference on Software Architecture: Companion Proceedings

View full text Add to dashboard Cite

Security assurance is the confidence that a system meets its security requirements based on specific evidences that an assurance technique provide. The notion of measuring security is complex and tricky. Existing approaches do not conisder the relevance of the different security requirements to the evaluated application context. Furthermore, they are mostly qualitative in nature and are heavily based on manual processing, which make them costly and time consuming. Therefore, they are not widely used and applied, especially by small and medium-sized enterprises (SME), which constitute the backbone of the Norwegian economy, In this paper, we propose a quantification method that aims at evaluating security assurance of systems by measuring (1) the level of confidence that the mechanisms fulfilling security requirements are present and (2) the vulnerabilities associated with possible security threats are absent. Additionally, an assurance evaluation process is proposed. Two case studies applying our method are presented. The case studies use our assurance method to evaluate the security level of two REST APIs developed by Statistics Norway, where one of the authors is employed. One of the REST APIs is public and the other is private. Analyzes show that the API with the most security mechanisms implemented got a slightly higher security assurance score. This was due to the fact that the vulnerabilities were considered more harmful in one of the cases as the security objectives diverged.

show abstract

“…Operational Security Assurance [22] provides the ground for confidence that deployed security mechanisms are running as expected. Some researches have been done to evaluate security assurance.…”

Section: Assurancementioning

confidence: 99%

Enforcing Security and Assurance Properties in Cloud Environment

Bousquet

Briffaut

Caron

et al. 2015

2015 IEEE/ACM 8th International Conference on Utility and Cloud Computing (UCC)

View full text Add to dashboard Cite

Before deploying their infrastructure (resources, data, communications, ...) on a Cloud computing platform, companies want to be sure that it will be properly secured. At deployment time, the company provides a security policy describing its security requirements through a set of properties. Once its infrastructure deployed, the company want to be assured that this policy is applied and enforced. But describing and enforcing security properties and getting strong evidences of it is a complex task.To address this issue, in [1], we have proposed a language that can be used to express both security and assurance properties on distributed resources. Then, we have shown how these global properties can be cut into a set of properties to be enforced locally. In this paper, we show how these local properties can be used to automatically configure security mechanisms. Our language is context-based which allows it to be easily adapted to any resource naming systems e.g., Linux and Android (with SELinux) or PostgreSQL. Moreover, by abstracting low-level functionalities (e.g., deny write to a file) through capabilities, our language remains independent from the security mechanisms. These capabilities can then be combined into security and assurance properties in order to provide high-level functionalities, such as confidentiality or integrity. Furthermore, we propose a global architecture that receives these properties and automatically configures the security and assurance mechanisms accordingly. Finally, we express the security and assurance policies of an industrial environment for a commercialized product and show how its security is enforced.

show abstract

Operational security assurance evaluation in open infrastructures

Cited by 18 publications

References 8 publications

Opportunities in Using a Secure Element to Increase Confidence in Cloud Security Monitoring

Opportunities in Using a Secure Element to Increase Confidence in Cloud Security Monitoring

Quantitative security assurance metrics

Enforcing Security and Assurance Properties in Cloud Environment

Contact Info

Product

Resources

About