基于标准准则的云it组件安全评估方法

Q3 Mathematics
I. Livshitz
{"title":"基于标准准则的云it组件安全评估方法","authors":"I. Livshitz","doi":"10.15622/sp.2020.19.2.6","DOIUrl":null,"url":null,"abstract":"The analysis of well-known methods for ensuring IT-security is presented, methods for evaluating security of IT-components and Cloud services in general are considered. \nAn attempt to analyze cloud services not from a commercial position of a popular marketing product, but from a position of system analysis is made. The previously introduced procedure for IT-components evaluation is not stable, since the end user has not a 100% guarantee of access to all IT-components, and even more so to the remote and uncontrolled Cloud service. A number of reviews point at increased efforts to create a secure network architecture and ability to continuously monitor deviations from established business goals. In contrast to the Zero Trust and Zero Trust eXtended models, according to which additional security functions are superimposed on existing IT-components, it is proposed to consider the set of IT-components as a new entity – an Information Processing System. This will allow to move to formal processes for assessing the degree of compliance with the criteria of standards for both existing and prospective IT-components while ensuring security of Cloud services. \nA new method for evaluation which is based on the previously developed hybrid methodology using formal procedures based on two systems of criteria - assessment of the degree of compliance of Management systems (based on ISO/IEC 27001 series) and assessment of functional safety requirements (based on IEC 61508 series and ISO/IEC 15408 series) is proposed. This method provides reproducible and objective assessments of security risks of Cloud-based IT‑components that can be presented to an independent group of evaluators for verification. The results obtained can be applied in the independent assessment, including critical information infrastructure objects.","PeriodicalId":53447,"journal":{"name":"SPIIRAS Proceedings","volume":"52 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2020-04-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"Method for Evaluating Security of Cloud IT-Components based on Estandards Criteria\",\"authors\":\"I. Livshitz\",\"doi\":\"10.15622/sp.2020.19.2.6\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The analysis of well-known methods for ensuring IT-security is presented, methods for evaluating security of IT-components and Cloud services in general are considered. \\nAn attempt to analyze cloud services not from a commercial position of a popular marketing product, but from a position of system analysis is made. The previously introduced procedure for IT-components evaluation is not stable, since the end user has not a 100% guarantee of access to all IT-components, and even more so to the remote and uncontrolled Cloud service. A number of reviews point at increased efforts to create a secure network architecture and ability to continuously monitor deviations from established business goals. In contrast to the Zero Trust and Zero Trust eXtended models, according to which additional security functions are superimposed on existing IT-components, it is proposed to consider the set of IT-components as a new entity – an Information Processing System. This will allow to move to formal processes for assessing the degree of compliance with the criteria of standards for both existing and prospective IT-components while ensuring security of Cloud services. \\nA new method for evaluation which is based on the previously developed hybrid methodology using formal procedures based on two systems of criteria - assessment of the degree of compliance of Management systems (based on ISO/IEC 27001 series) and assessment of functional safety requirements (based on IEC 61508 series and ISO/IEC 15408 series) is proposed. This method provides reproducible and objective assessments of security risks of Cloud-based IT‑components that can be presented to an independent group of evaluators for verification. The results obtained can be applied in the independent assessment, including critical information infrastructure objects.\",\"PeriodicalId\":53447,\"journal\":{\"name\":\"SPIIRAS Proceedings\",\"volume\":\"52 1\",\"pages\":\"\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2020-04-23\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"SPIIRAS Proceedings\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.15622/sp.2020.19.2.6\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q3\",\"JCRName\":\"Mathematics\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"SPIIRAS Proceedings","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.15622/sp.2020.19.2.6","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"Mathematics","Score":null,"Total":0}
引用次数: 1

摘要

分析了公认的确保it安全的方法,并考虑了评估it组件和云服务安全性的一般方法。本文试图从系统分析的角度,而不是从流行营销产品的商业角度来分析云服务。前面介绍的用于it组件评估的过程并不稳定,因为最终用户不能100%保证访问所有it组件,对远程和不受控制的云服务更是如此。许多评论指出,为创建安全的网络体系结构和持续监控偏离既定业务目标的能力而增加的努力。与零信任和零信任扩展模型(在现有it组件上叠加额外的安全功能)不同,本文提出将it组件集视为一个新的实体——信息处理系统。这将允许采用正式流程,在确保云服务安全性的同时,评估现有和未来it组件对标准标准的遵从程度。提出了一种新的评估方法,该方法基于先前开发的混合方法,使用基于两个标准系统的正式程序-管理系统合规性评估(基于ISO/IEC 27001系列)和功能安全要求评估(基于IEC 61508系列和ISO/IEC 15408系列)。该方法可对基于云计算的IT组件的安全风险进行可重复和客观的评估,并可提交给独立的评估小组进行验证。所得结果可应用于包括关键信息基础设施对象在内的独立评估。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
Method for Evaluating Security of Cloud IT-Components based on Estandards Criteria
The analysis of well-known methods for ensuring IT-security is presented, methods for evaluating security of IT-components and Cloud services in general are considered. An attempt to analyze cloud services not from a commercial position of a popular marketing product, but from a position of system analysis is made. The previously introduced procedure for IT-components evaluation is not stable, since the end user has not a 100% guarantee of access to all IT-components, and even more so to the remote and uncontrolled Cloud service. A number of reviews point at increased efforts to create a secure network architecture and ability to continuously monitor deviations from established business goals. In contrast to the Zero Trust and Zero Trust eXtended models, according to which additional security functions are superimposed on existing IT-components, it is proposed to consider the set of IT-components as a new entity – an Information Processing System. This will allow to move to formal processes for assessing the degree of compliance with the criteria of standards for both existing and prospective IT-components while ensuring security of Cloud services. A new method for evaluation which is based on the previously developed hybrid methodology using formal procedures based on two systems of criteria - assessment of the degree of compliance of Management systems (based on ISO/IEC 27001 series) and assessment of functional safety requirements (based on IEC 61508 series and ISO/IEC 15408 series) is proposed. This method provides reproducible and objective assessments of security risks of Cloud-based IT‑components that can be presented to an independent group of evaluators for verification. The results obtained can be applied in the independent assessment, including critical information infrastructure objects.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
SPIIRAS Proceedings
SPIIRAS Proceedings Mathematics-Applied Mathematics
CiteScore
1.90
自引率
0.00%
发文量
0
审稿时长
14 weeks
期刊介绍: The SPIIRAS Proceedings journal publishes scientific, scientific-educational, scientific-popular papers relating to computer science, automation, applied mathematics, interdisciplinary research, as well as information technology, the theoretical foundations of computer science (such as mathematical and related to other scientific disciplines), information security and information protection, decision making and artificial intelligence, mathematical modeling, informatization.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信