
A Goal-Driven Security Framework for Cloud Storage: A Preliminary Study


Academic year: 2021


Fara Yahya


Introduction

Background

Preliminary Study

Results & Discussion


According to the Cisco Global Cloud Index, cloud storage users will store 1.6 gigabytes of data per month by 2019, compared to 992 megabytes of data per month in 2014.

Regional Cloud Storage Users by 2019

| Region | Internet Users in Millions (% of Population) | Cloud Storage Users in Millions (% of Internet Users) |
|---|---|---|
| Asia Pacific | 2,022 (49%) | 1,176 (58%) |
| Central and Eastern Europe | 321 (66%) | 134 (42%) |
| Latin America | 355 (54%) | 141 (40%) |
| Middle East and Africa | 401 (25%) | 65 (16%) |
| North America | 311 (83%) | 257 (83%) |
| Western Europe | 341 (80%) | 272 (80%) |

[Figure: Cloud Storage Growth Per User. Axes: Year (2014 to 2019), Exabyte (0 to 45). Data labels as extracted: 39, 33, 26, 21, 17, 14.]

Cloud Security Concerns

Insecure APIs

Account Hijacking

Denial of Service

Data Loss

Shared Technologies Vulnerabilities

Malicious Insiders

Abuse of Cloud Service

Insufficient due diligence

Data Breach

Hardware failure

Natural Disaster

Closure of Cloud Service

Cloud-related malware


STRIDE

Spoofing Identity
Tampering with Data
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege

CIANA

Confidentiality
Integrity
Availability
Non-repudiation
Authenticity

Threats

Denial of Service
Malicious Insiders
Abuse of Cloud Service
Insufficient Due Diligence
Insecure APIs
Account/Service Hijacking
Data Loss
Data Breaches
Shared Technology Vulnerability
Hardware Failure
Natural Disaster
Closure of Cloud Service
Cloud-related Malware
Inadequate Cloud Planning/Design


Approach

What are the cloud storage elements?

What are the security concerns?

What are the existing international industry standards, best practices & guidelines?


Preliminary study

A qualitative interview was carried out to explore the knowledge, opinions and values of individuals or groups who are experts in a particular field of knowledge.

A survey was chosen to collect information to capture knowledge on cloud security. Questionnaires are a data collection tool in which participants are requested to answer various predetermined questions.


Results of expert review

The semi-structured interviews were conducted with 20 security experts in Malaysia and the United Kingdom. The security experts have more than five years of experience in information security.

The aim of the expert interview was to review the security components identified by the literature review and to explore other components.


Results of practitioners survey

The quantitative data was collected using an online questionnaire. Overall, 34 were taken as the sample. All of the respondents are security practitioners, currently working in ICT and have at least two years’ experience in information security.

The aim of the survey was to confirm the components in the proposed framework and other components


Statistical Analysis

Analysis of security components using one sample t-testª

| Component | Item | Mean | t | Sig. (2-tailed) |
|---|---|---|---|---|
| Confidentiality | Co1 | 1.65 | -6.426 | <0.001** |
| Confidentiality | Co2 | 1.59 | -7.152 | <0.001** |
| Integrity | In1 | 1.79 | -4.504 | <0.001** |
| Integrity | In2 | 1.76 | -4.098 | <0.001** |
| Availability | Av1 | 1.62 | -5.393 | <0.001** |
| Availability | Av2 | 1.76 | -4.217 | <0.001** |
| Non-repudiation | Nr1 | 1.94 | -3.545 | <0.002** |
| Non-repudiation | Nr2 | 1.82 | -4.537 | <0.001** |
| Authenticity | At1 | 1.79 | -4.504 | <0.001** |
| Authenticity | At2 | 1.68 | -5.698 | <0.001** |
| Reliability | Re1 | 1.88 | -4.265 | <0.001** |
| Reliability | Re2 | 1.85 | -5.386 | <0.001** |
| Accountability | Ac1 | 1.88 | -4.095 | <0.001** |
| Accountability | Ac2 | 1.74 | -4.400 | <0.001** |

Reliability Statistics Test of security components

| Components | Number of Items | Cronbach’s alpha Value |
|---|---|---|
| Confidentiality | 2 | 0.720 |
| Integrity | 2 | 0.767 |
| Availability | 2 | 0.870 |
| Non-repudiation | 2 | 0.759 |
| Authenticity | 2 | 0.896 |
| Reliability | 2 | 0.878 |
| Accountability | 2 | 0.830 |
| Auditability | 2 | 0.980 |

Reliability test: Cronbach’s alpha analysis

Normality test: A Shapiro-Wilk test, visual inspection of histograms, normal Q-Q plots, box plots, skewness and kurtosis

Correlation test: Pearson correlation

Parametric test


Discussion

All the components proposed, based on existing studies and suggested in the expert review, were deemed statistically significant.

Confidentiality and Availability received the strongest consensus.

This shows that although security protections are important, the availability of service and accessibility of data in the cloud are considered important too.


Conclusion

A security framework to protect data in cloud storage is proposed based on security components and threats in the cloud. Literature syntheses identified six security components.

To review these components, expert reviews with security experts from the UK and Malaysia were conducted.

Experts confirmed the identified components and


Future Work

An instrument to measure how closely an organisation follows the cloud storage security framework will be developed based on the goal-driven components identified and confirmed in this study.

The instrument is developed using the Goal-Question-Metrics (GQM) approach. The instrument is a self-assessment tool, currently receiving 161 responses from IT security managers in Malaysia.
