Spiral^SRA: A Threat-Specific Security Risk Assessment Framework for the Cloud

2018 IEEE International Conference on Software Quality, Reliability and Security (QRS) Pub Date : 2018-07-01 DOI:10.1109/QRS.2018.00049

A. Nhlabatsi, Jin B. Hong, Dong Seong Kim, Rachael Fernandez, Noora Fetais, K. Khan

{"title":"Spiral^SRA: A Threat-Specific Security Risk Assessment Framework for the Cloud","authors":"A. Nhlabatsi, Jin B. Hong, Dong Seong Kim, Rachael Fernandez, Noora Fetais, K. Khan","doi":"10.1109/QRS.2018.00049","DOIUrl":null,"url":null,"abstract":"Conventional security risk assessment approaches for cloud infrastructures do not explicitly consider risk with respect to specific threats. This is a challenge for a cloud provider because it may apply the same risk assessment approach in assessing the risk of all of its clients. In practice, the threats faced by each client may vary depending on their security requirements. The cloud provider may also apply generic mitigation strategies that are not guaranteed to be effective in thwarting specific threats for different clients. This paper proposes a threat-specific risk assessment framework which evaluates the risk with respect to specific threats by considering only those threats that are relevant to a particular cloud client. The risk assessment process is divided into three phases which have inter-related activities arranged in a spiral. Application of the framework to a cloud deployment case study shows that considering risk with respect to specific threats leads to a more accurate quantification of security risk. Although our framework is motivated by risk assessment challenges in the cloud it can be applied in any network environment.","PeriodicalId":114973,"journal":{"name":"2018 IEEE International Conference on Software Quality, Reliability and Security (QRS)","volume":"254 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 IEEE International Conference on Software Quality, Reliability and Security (QRS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/QRS.2018.00049","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 3

Abstract

Conventional security risk assessment approaches for cloud infrastructures do not explicitly consider risk with respect to specific threats. This is a challenge for a cloud provider because it may apply the same risk assessment approach in assessing the risk of all of its clients. In practice, the threats faced by each client may vary depending on their security requirements. The cloud provider may also apply generic mitigation strategies that are not guaranteed to be effective in thwarting specific threats for different clients. This paper proposes a threat-specific risk assessment framework which evaluates the risk with respect to specific threats by considering only those threats that are relevant to a particular cloud client. The risk assessment process is divided into three phases which have inter-related activities arranged in a spiral. Application of the framework to a cloud deployment case study shows that considering risk with respect to specific threats leads to a more accurate quantification of security risk. Although our framework is motivated by risk assessment challenges in the cloud it can be applied in any network environment.

查看原文本刊更多论文

螺旋^SRA:针对云的特定威胁的安全风险评估框架

传统的云基础设施安全风险评估方法并未明确考虑与特定威胁相关的风险。这对云提供商来说是一个挑战，因为它可能在评估所有客户的风险时应用相同的风险评估方法。在实践中，每个客户端面临的威胁可能因其安全需求而异。云提供商还可以应用通用缓解策略，这些策略不能保证有效地阻止针对不同客户的特定威胁。本文提出了一个特定于威胁的风险评估框架，该框架通过仅考虑与特定云客户端相关的威胁来评估与特定威胁相关的风险。风险评估过程分为三个阶段，每个阶段都有相互关联的活动以螺旋形排列。该框架在云部署案例研究中的应用表明，考虑与特定威胁相关的风险可以更准确地量化安全风险。尽管我们的框架是由云中的风险评估挑战驱动的，但它可以应用于任何网络环境。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2018 IEEE International Conference on Software Quality, Reliability and Security (QRS)

自引率

0.00%

发文量