Trust, Privacy and Security in Digital Business by Sokratis Katsikas Costas Lambrinoudakis & Steven Furnell

Author:Sokratis Katsikas, Costas Lambrinoudakis & Steven Furnell
Language: eng
Format: epub
Publisher: Springer International Publishing, Cham

Organisation Concepts: We describe the stakeholders on the organisation layer in the cloud environment model, identifying the direct and indirect stakeholders as actors through their relationship with cloud services. In our running example we have identified five actors; the A1: Patient is an end-user of the cloud service 1: Patient Details Service and cloud service 2: E-prescription Service, A2: Hospital manages cloud service 1 and they are a cloud service provider to A1: Patient and a cloud user to A5: CSP, A3: Pharmacy manages the cloud service 2 and is a cloud service provider to A1: Patient and a cloud user to A5: CSP, A5: CSP is a cloud service provider that manages both clouds services at all three service levels and A4: Malicious Actor is a malicious actor which poses a security threat Customer-data manipulation.

Application Concepts: This layer represents the abstract concepts for software and applications in the system-under-design, centring around cloud services, components interacting with cloud services and the security impacts. In our running example we model two cloud services, the security issues impacting them, the virtual resources they require and partial solutions for mitigation. The service and deployment models of each cloud service determines the actors that owns the cloud service, actors responsible for managing the cloud service, security issues and propagation of dependencies. For example the cloud service Patient Details Service uses a SaaS model and is deployed publicly, determining that the CSP actor A5: CSP is responsible for managing components on all three service model layers (SaaS, PaaS, IaaS) while the actor A2: Hospital manages the SaaS components. Customer-data manipulation is a cloud-specific threat impacting all three service model layers [15], therefore the actors responsible for the cloud services impacted by the threat will be held accountable for deploying security mechanisms in order to mitigate identified threats. In this case the Customer-data manipulation threat is realised through attacks Cross-site scripting and SQL injection which exploit the Insecure interface and APIs vulnerability, where the cloud security engineer modelling the system has identified a security mechanism Web application scanners to protect the vulnerability and thus mitigate the underlying threat.

Infrastructure Concepts: We define this layer to abstractly model physical components required to realise cloud computing services, which we capture as infrastructure nodes belonging to one or more physical infrastructure containers representing IT infrastructure. In our running example, we model a single physical infrastructure to represent one physical IT infrastructure owned and managed by the CSP A5: CSP. The compute capabilities are enabled through the abstract notions of a storage, compute and network entity, where they are multi-tenant and geographically located in the USA. From these attributes we can infer jurisdictional legislation such as the USA Patriot Act which applies to all virtual resources residing on infrastructure physically located in the USA, where multi-tenancy indicates that compute processes are physically shared with one or more unknown cloud service users thus also violating HIPAA compliance. In this scenario the cloud security engineer has a range of options for mitigating these

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.