The research of the threat model of the cloud key systems and protection proposals against them

Authors

DOI:

https://doi.org/10.15587/1729-4061.2015.50912

Keywords:

cloud, key management, intruder model, protection mechanisms, risk assessment.

Abstract

The threat and the intruder models of cloud services and key data management in the cloud were investigated. Based on existing standards, guidelines and publications, systematization of the main information security threats in the cloud was performed, and the formalized threat model and the intruder model for the cloud, which considers the threats to the DC support systems, hardware, hypervisor, virtualized environment, deployed cloud infrastructure, cloud resources, personnel were designed. To protect against emerging threats, it was proposed to use organizational, technical and cryptographic protection methods. In order to formalize the threat model construction process and analyze opportunities of the intruder, the intruder profile was developed. The profile includes the category of persons, the nature of their actions, the level of access and opportunities, the level of familiarization with the system, the methods and tools used and the purpose. The developed threat model of key data includes control elements of the key data in the cloud, connections between them, and the role of the user and the administrator of the cloud DC. As the main protection methods and means for the key data in the cloud, it was proposed to use secure media and cloud storages of keys, cryptographic services and HSM, secure communications, as well as secure cryptographic protocols and cryptographic algorithms. Taking into account the functioning features of the cloud as a method of a preliminary risk assessment and threat classification, it was proposed to use the threat analysis method (TAM). When carrying out a full risk analysis of the existing system, using the CHAZOP method for qualitative assessment and the Bayesian approach if necessary to obtain quantitative indicators is proposed. The research results of the threat and the intruder models may be used in the security and risk examination and assessment of cloud ITS.

Author Biography

Іван Федорович Аулов, Kharkiv National University of Radio Electronics 16 Lenina ave., Kharkiv, Ukraine, 61166

Postgraduate student

Department of Informational security

References

  1. Haeberlen, T., Dupré, L. (2012). Cloud Computing Benefits, risks and recommendations for information security. Available at: https://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/at_download/fullReport
  2. Jansen, W. (2011). Cloud Hooks: Security and Privacy Issues in Cloud Computing, 44th Hawaii International Conference on System Sciences (HICSS), 2011, Koloa, Hawaii, United States, 1–10. doi: 10.1109/hicss.2011.103
  3. Jansen, W., Grance, T., Mao, J., Bohn, R., Messina, J., Badger, L., Leaf, D. (2011). Guidelines on Security and Privacy in Public Cloud Computing. Available at: http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
  4. Hashizume, K., Rosado, D., Fernández-Medina, E., Fernandez, E. (2013). An analysis of security issues for cloud computing. Journal of Internet Services and Applications, 4 (5), 15–28. doi: 10.1186/1869-0238-4-5
  5. Chandramouli, R. (2014). Analysis of Protection Options for Virtualized Infrastructures in Infrastructure as a Service Cloud, Fifth International Conference on Cloud Computing, GRIDs, and Virtualization. Venice, Italy, 37–43.
  6. Chandramouli, R., Chokhani, S., Iorga, M. (2013). NIST Cryptographic Key Management Issues & Challenges in Cloud Services. National Institute of Standards and Technology, 31. doi: 10.6028/nist.ir.7956
  7. Luna, J., Suri, N., Iorga, M., Karmel, А. (2015). Leveraging the Potential of Cloud Security Service-Level Agreements through Standards, IEEE Cloud Computing, 2 (3), 32–40. doi: 10.1109/mcc.2015.52
  8. Choo, K. (2014). A Cloud Security Risk-Management Strategy. IEEE Cloud Computing, 1 (2), 52–56. doi: 0.1109/mcc.2014.27
  9. Zikartov, I., Odegov, S. (2012). Evaluation of information security to cloud computing based on the Bayesian approach. Scientific and Technical Gazette Information Technologies. Mechanics and Optics, 4 (80), 121–126.
  10. Juliadotter, N., Choo, K. (2015). Cloud Attack and Risk Assessment Taxonomy. IEEE Cloud Computing, 1 (2), 14–20. doi: 10.1109/mcc.2015.2
  11. Aulov, I., Gorbenko, I. (2014). Analysis of NIST formal cloud security model. Radiotechnik Ukraininan journal, 176, 131–137.

Downloads

Published

2015-10-21

How to Cite

Аулов, І. Ф. (2015). The research of the threat model of the cloud key systems and protection proposals against them. Eastern-European Journal of Enterprise Technologies, 5(2(77), 4–13. https://doi.org/10.15587/1729-4061.2015.50912

Issue

Vol. 5 No. 2(77) (2015): Information technology. Industry control systems

Section

Information technology

License

Copyright (c) 2015 Іван Федорович Аулов

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.

The consolidation and conditions for the transfer of copyright (identification of authorship) is carried out in the License Agreement. In particular, the authors reserve the right to the authorship of their manuscript and transfer the first publication of this work to the journal under the terms of the Creative Commons CC BY license. At the same time, they have the right to conclude on their own additional agreements concerning the non-exclusive distribution of the work in the form in which it was published by this journal, but provided that the link to the first publication of the article in this journal is preserved.

A license agreement is a document in which the author warrants that he/she owns all copyright for the work (manuscript, article, etc.).
The authors, signing the License Agreement with TECHNOLOGY CENTER PC, have all rights to the further use of their work, provided that they link to our edition in which the work was published.
According to the terms of the License Agreement, the Publisher TECHNOLOGY CENTER PC does not take away your copyrights and receives permission from the authors to use and dissemination of the publication through the world's scientific resources (own electronic resources, scientometric databases, repositories, libraries, etc.).
In the absence of a signed License Agreement or in the absence of this agreement of identifiers allowing to identify the identity of the author, the editors have no right to work with the manuscript.
It is important to remember that there is another type of agreement between authors and publishers – when copyright is transferred from the authors to the publisher. In this case, the authors lose ownership of their work and may not use it in any way.