Similar Documents
1.
Abstract

This article focuses on inadequacies in the current security-centric approaches organizations take to meet the business mission as a whole and service agreement with business in particular. It emphasizes that the gap can be bridged by shifting the perspective from security-centric to survivability-centric approaches and implementations. Perceptively, in turn, this means reorganizing the elements in the security triad (CIA — confidentiality, integrity, and availability). Managed security services providers (MSSPs) are recommended as a tactical solution. However, strategic solutions should move toward adaptive and autonomic systems to achieve the business mission, amidst unanticipated threats.

2.
Many organizations run their core business operations on decades-old legacy IT systems. Some security professionals argue that legacy IT systems significantly increase security risks because they are not designed to address contemporary cybersecurity risks. Others counter that the legacy systems might be “secure by antiquity” and argue that due to lack of adequate documentation on the systems, it is very difficult for potential attackers to discover and exploit security vulnerabilities. There is a shortage of empirical evidence on either argument. Routine activity theory (RAT) argues that an organization’s guardianship is critical for reducing security incidents. However, RAT does not well explain how organizations might guard against security risks of legacy IT systems. We theorize that organizations can enhance their guardianship by either modernizing their legacy IT systems in-house or by outsourcing them to cloud vendors. With datasets from the U.S. federal agencies, we find that agencies that have more legacy IT systems experience more frequent security incidents than others with more modern IT systems. A 1%-point increase in the proportion of IT budgets spent on IT modernization is associated with a 5.6% decrease in the number of security incidents. Furthermore, migration of the legacy systems to the cloud is negatively associated with the number of security incidents. The findings advance the literature on strategic information systems by extending RAT to explain why the “security by antiquity” argument is not valid and how organizations can reduce the security risks of legacy IT systems through modernization and migration to the cloud.

3.
Cloud computing, as a promising technology and paradigm, can provide various data services, such as data sharing and distribution, which allow users to derive benefits without needing deep knowledge about them. However, the popular cloud data services also bring forth many new data security and privacy challenges. Because the cloud service provider is untrusted, the security of outsourced data, and hence collusion attacks between cloud service providers and data users, become extremely challenging issues. To resolve these issues, we design the basic parts of a secure re-encryption scheme for data services in a cloud computing environment, and further propose an efficient and secure re-encryption algorithm based on the ElGamal algorithm to satisfy basic security requirements. The proposed scheme not only makes full use of the powerful processing ability of cloud computing but also effectively ensures cloud data security. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under the existing security model. Copyright © 2015 John Wiley & Sons, Ltd.

4.
With pay-per-use pricing models, elastic scaling of resources, and the use of shared virtualized infrastructures, cloud computing offers more efficient use of capital and greater agility. To leverage the advantages of cloud computing, organizations have to introduce cloud-specific chargeback practices: they have to allocate IT service costs to business users in a way that reflects service consumption. To help organizations become effective users of cloud services, this article provides an overview of the factors that influence chargeback for cloud services. This is an initial work that determines the factors influencing chargeback for cloud services. The findings of this research help organizations realize the implications of the cloud for their chargeback.

5.
Ravi Sandhu, Computer Networks, 2012, 56(18): 3891-3895
There appears to be consensus among seasoned cyber security researchers that there is a substantial disconnect between the research community’s priorities and the real world—notwithstanding numerous intellectual advances in the theory and practice of cyber security over the past four decades. This is in part manifested by recent recurring calls for dramatic shifts in cyber security research paradigms, including so-called game-changing approaches that go beyond the typical computer science and engineering perspectives. This article focuses on an especially important piece of cyber security called web user security, where the prime concern is security for the ordinary consumer of web application services. The proliferation of web services and their enthusiastic reception by the ordinary citizen attest to the tremendous practical success of these technologies. As such it is prima facie evident that the current web is “secure enough” for mass adoption. Now, one certain prediction about the web is that it will continue to evolve rapidly. This article gives the author’s personal perspective on what web user security science might be developed to address the need to be “secure enough” in light of continued evolution. To this end the article begins by considering what happened in the evolution of the web in the past and how much of it, if any, was guided by “science.” The article identifies some security principles that can be abstracted from this short but eventful history. The article then speculates on what directions the science of web user security should take.

6.
This paper presents an iterative mathematical decision model for organizations to evaluate whether to invest in establishing information technology (IT) infrastructure on-premises or to outsource IT services to a multicloud environment. The motivation is that a single cloud cannot cover all types of users’ functional and nonfunctional requirements and has several drawbacks, such as resource limitation, vendor lock-in, and proneness to failure. On the other hand, multicloud brings several merits such as vendor lock-in avoidance, system fault tolerance, cost reduction, and better quality of service. The biggest challenge is selecting an optimal web service composition in the ever-increasing multicloud market, in which each provider has its own pricing scheme and delivers a different service security level. In this regard, we embed a module in the cloud broker to log service downtime and different attacks in order to measure the security risk. If security tenets, namely the security service level agreement covering availability, integrity, and confidentiality for mission-critical applications, are targeted by cybersecurity attacks, business continuity is disrupted, leading to financial losses or even business failure. To address this issue, our decision model extends the cost model by using the cost present value concept and the risk model by using the advanced mean failure cost concept, both derived from the embedded module to quantify cloud competencies. Then, the cloud economic problem is transformed into a bi-objective optimization problem that minimizes cost and security risk simultaneously. To deal with the combinatorial problem, we extended a genetic algorithm to find a Pareto set of optimal solutions. To reach a concrete result and to illustrate the effectiveness of the decision model, we conducted different scenarios and used a small-to-medium business IT development for a 5-year investment as a case study.
The results of the different implementations show that multicloud is a promising and reliable alternative to on-premises IT deployment.

7.
In this modern era of enterprise computing, enterprise application integration (EAI) is a well-known, industry-recognized architectural principle built on loosely coupled application architecture, where service-oriented architecture (SOA) is the architectural pattern for the implementation of EAI, whose computational elements are called “services.” Though SOA can be implemented in a wide range of technologies, the web services implementation of SOA has become the current preferred choice due to its simplicity, as it works on basic Internet protocols. Web service technology defines several supporting protocols and specifications, such as SOAP and WSDL, for communication and data interchange between client and server. A new architectural paradigm has emerged in SOA in recent years called REpresentational State Transfer (REST), which is also used by system integration consortiums to integrate loosely coupled service components, named RESTful web services. This SOA implementation does not possess adequate security solutions within it, and its security is completely dependent on network/transport layer security, which is obsolete owing to the latest web technologies such as Web 2.0 and its upgraded version, Web 3.0. Vendor security products have major implementation constraints: they need a secured organizational environment and they breach SOA specifications, hence introducing new vulnerabilities. Herein, we examine the security vulnerabilities of RESTful web services in view of popular OWASP rating methodologies and analyze the gaps in the existing security solutions. We hence propose an adaptive security solution for REST that uses public key infrastructure techniques to enhance the security architecture. The proposed security architecture is constructed as an adaptive, way-forward, Internet-of-Things (IoT) friendly security solution comprising three cyclic parts: learn, predict and prevent.
A novel security component named “intelligent security engine” is introduced which learns the possible occurrences of security threats on SOA using artificial neural network learning algorithms; it then predicts the potential attacks on SOA based on the results obtained by the developed theoretical security model, and the algorithms written as part of the security solution prevent the SOA attacks. This paper presents one such algorithm to prevent SOA attacks on RESTful web services, along with a discussion of the results obtained from the proof-of-concept conducted in a real-time SOA environment. A comparison of the proposed system with other competing solutions demonstrates its superiority.

8.
景建笃, 游晓黔, 计算机工程与设计 (Computer Engineering and Design), 2007, 28(5): 1032-1034, 1047
The existing Web Services security specifications only define the normative protocols that should be followed to meet a particular security requirement; there is still no widely accepted security architecture. Many scholars and organizations have made useful explorations of secure Web Services architectures and have proposed schemes and products, each with different characteristics and each based on different security specifications. Building on the WS-* specifications put forward by leading industry companies, a secure Web Services architecture based on a security token server is proposed, and its working mechanism is studied.

9.
With the development of cloud computing, IT users (individuals, enterprises and even public service providers) are transferring their jobs or businesses to public online services provided by professional information service companies. These information service companies provide applications as public resources to support the business operations of their customers. However, no cloud computing service vendor (CCSV) can satisfy the full functional information system requirements of its customers. As a result, its customers often have to simultaneously use services distributed in different clouds and do some connectivity jobs manually. Services convergence and multi-cloud integration will lead to new business models and trigger new integration technologies that provide solutions to satisfy IT users’ complicated requirements. This paper first reviews the development of cloud computing from business and technical viewpoints and then discusses the requirements and challenges of services convergence and multi-cloud integration. Thirdly, a model-based architecture for multi-cloud integration is provided. Business logic modelling for cross-organizational collaboration, service modelling and operation modelling methods, together with the related model mapping technology, are discussed in detail. Some key enabling technologies are also developed. Finally, case studies are presented to illustrate the implementation of the technologies developed in the paper.

10.
Despite the increasing interest around cloud concepts, current cloud technologies and services related to security are not mature enough to enable a more widespread industrial acceptance of cloud systems. Providing an adequate level of resilience to cloud services is a challenging problem due to the complexity of the environment as well as the need for efficient solutions that could preserve cloud benefits over other solutions. In this paper we provide the architectural design, implementation details, and performance results for a customizable resilience service solution for cloud guests. This solution leverages execution path analysis. In particular, we propose an architecture that can trace, analyze and control live virtual machine activity as well as intervened code and data modifications—possibly due to either malicious attacks or software faults. Execution path analysis allows the virtual machine manager (VMM) to trace the VM state and to prevent such a guest from reaching faulty states. We evaluated the effectiveness and performance trade-off of our prototype on a real cloud test bed. Experimental results support the viability of the proposed solution.

12.
A TrustZone-based secure cloud service access scheme for trusted mobile terminals
杨波, 冯登国, 秦宇, 张英骏, 软件学报 (Journal of Software), 2016, 27(6): 1366-1383
Trusted cloud architectures provide cloud computing users with a secure and trusted execution environment for cloud services, protecting the computation and storage security of users' private data. However, even with today's rapid development of mobile cloud computing, there is still no security solution for mobile terminals to access trusted cloud services. To address this problem, a secure cloud service access scheme for trusted mobile terminals is proposed. The scheme fully considers the application background of mobile cloud computing: it uses ARM TrustZone hardware isolation to build a trusted mobile terminal that protects the secure execution of the cloud service client and of security-sensitive operations on the mobile terminal, and, combined with physical unclonable function (PUF) technology, it provides a key and sensitive data management mechanism for the mobile terminal. On this basis, drawing on the ideas of trusted computing, a secure cloud service access protocol is designed; the protocol is compatible with the trusted cloud architecture and provides end-to-end authentication between the cloud service side and the mobile client. Six security properties of the scheme are analyzed, a mobile cloud storage application built on the scheme is given, and a prototype system of the scheme is implemented. Experimental results show that the trusted mobile terminal's TCB is small, that the scheme has good scalability and security controllability, and that its overall running efficiency is high.

13.
ABSTRACT

Rapid development in mobile devices and cloud computing technologies has increased the number of mobile services from different vendors on the cloud platform. However, users of these services face different security and access control challenges due to the nonexistence of security solutions capable of providing secure access to these services, which are from different vendors, using a single key. An effective security solution for heterogeneous Mobile Cloud Computing (MCC) services should be able to guarantee confidentiality and integrity through a single-key-based authentication scheme. Meanwhile, a few of the existing authentication schemes for MCC services require different keys to access different services from different vendors on a cloud platform, thus increasing the complexity and overhead incurred through the generation and storage of different keys for different services.

In this paper, an efficient mutual authentication scheme for accessing heterogeneous MCC services is proposed. The proposed scheme combines the user’s voice signature with cryptographic operations to evolve an efficient mutual authentication scheme devoid of the key escrow problem, and allows authorized users to use a single key to access the heterogeneous MCC services at a reduced cost.

14.

Cloud computing has gained huge attention over the past decades because of continuously increasing demand. There are several advantages for organizations moving toward cloud-based data storage solutions. These include simplified IT infrastructure and management, remote access from effectively anywhere in the world with a stable Internet connection, and the cost efficiencies that cloud computing can bring. The associated security and privacy challenges in the cloud require further exploration. Researchers from academia, industry, and standards organizations have provided potential solutions to these challenges in previously published studies. The narrative review presented in this survey covers cloud security issues and requirements, identified threats, and known vulnerabilities. In fact, this work aims to analyze the different components of cloud computing as well as to present the security and privacy problems that these systems face. Moreover, this work presents a new classification of recent security solutions that exist in this area. Additionally, this survey introduces various types of security threats that threaten cloud computing services, discusses open issues, and proposes future directions. This paper focuses on and explores in detail the security challenges faced by cloud entities such as the cloud service provider, the data owner, and the cloud user.

15.
Software-as-a-service (SaaS) multi-tenancy in cloud-based applications helps service providers to save cost, improve resource utilization, and reduce service customization and maintenance time. This is achieved by sharing resources and service instances among multiple “tenants” of the cloud-hosted application. However, supporting multi-tenancy adds complexity to the capabilities SaaS applications must provide. Security is one of these key requirements that must be addressed when engineering multi-tenant SaaS applications. The sharing of resources among tenants—i.e. multi-tenancy—increases tenants’ concerns about the security of their cloud-hosted assets. Compounding this, existing traditional security engineering approaches do not fit well with the multi-tenancy application model, where tenants and their security requirements often emerge after the applications and services were first developed. The resultant applications do not usually support diverse security capabilities based on different tenants’ needs, some of which may change at run-time, i.e. after cloud application deployment. We introduce a novel model-driven security engineering approach for multi-tenant, cloud-hosted SaaS applications. Our approach is based on externalizing security from the underlying SaaS application, allowing both application/service and security to evolve at runtime. Multiple security sets can be enforced on the same application instance based on different tenants’ security requirements. We use abstract models to capture the service provider's and multiple tenants’ security requirements and then generate security integration and configurations at runtime. We use dependency injection and dynamic weaving via Aspect-Oriented Programming (AOP) to integrate security within critical application/service entities at runtime. We explain our approach, architecture and implementation details, discuss a usage example, and present an evaluation of our approach on a set of open source web applications.

16.
As Clouds mature and become ubiquitous, marketplace environments are being developed that facilitate the provision of services in a manner that emphasizes the modular composition of individual services across different providers, crosscutting the cloud service stack layers (i.e. composition of XaaS) to fulfil customers’ requirements. Besides acting as intermediaries for the search, selection and trading of services, such marketplaces should also support the complete service lifecycle and the consolidation of offerings from different providers with varying and often contradicting business goals. In this paper we present a one-stop cloud marketplace solution that addresses the aforementioned challenges while enabling the simulation of different business cases to optimize service offerings according to a wide and dynamic set of parameters. Moreover, the proposed solution introduces advanced aggregated price models and integrates a new resolution approach that incorporates business intelligence into the search and selection processes. We also demonstrate the operation of the implemented approach and evaluate its effectiveness using a real-world scenario based on a taxi fleet management application.

17.
Cloud computing has grown in popularity as a large-scale computing paradigm that offers a range of computing resources as a service through the Internet on a pay-as-you-go basis. The expansion in demand and commercial availability of cloud services brings new challenges to cloud service selection. Several research studies have been conducted to develop enhanced methodologies to assist service consumers in selecting appropriate services. In this paper, 105 primary studies published between January 2011 and May 2022 have been selected using a multi-stage scrutinizing approach. The selected primary studies were further classified based on various variables to answer the research questions stated for this work. A systematic review of existing cloud service selection approaches is performed, analyzing them along eight dimensions: decision-making methods, context, purposes, cloud service performance parameters, simulation/language tools, domain, datasets, and experiment/validation methods. After a thorough review and comparison of these approaches across the above-mentioned dimensions, several open research issues in the current literature have been identified. The contribution of this research is fourfold: focusing on state-of-the-art cloud service selection approaches, highlighting the benefits and drawbacks of various cloud service selection methodologies and their future directions, offering a taxonomy based on a thorough literature study, and identifying nine critical challenges in cloud service selection that require further investigation. This systematic review is anticipated to benefit both academics and business experts.

18.
Many organizations source administrative business services like information technology, human resources, procurement, legal, financial and accounting services through external service providers, a practice known as Business Services Outsourcing (BSO). Many of these relationships are strategic, in the sense that they are large, underpin clients’ business strategies, and the client can become highly dependent on service provider capabilities and performance. The BSO market is over $1 trillion in size and has been growing for two decades. Despite the size and maturity, up to 50% of BSO relationships result in poor outcomes, partly because partners cannot resolve conflicts. Based on interviews with client and provider leads from 13 BSO relationships, we answered the research question: “What types of inter-organizational conflicts arise in BSO relationships and how do partners resolve them?” We extended the prior literature on inter-organizational conflict frameworks by conceptualizing three types of conflicts specific to BSO: commercial conflicts, service conflicts, and relationship conflicts. Conflicts as we study them here are not minor disagreements, but have a strategic dimension. Commercial conflicts were the most serious because outsourcing relationships are firstly commercial transactions—a provider must earn a profit and a client must meet its economic business case to be viable. Theoretically, we found Thomas and Kilmann’s typology of conflict resolution styles to be robust enough to characterize the BSO conflict cases, provided a switched style category was included. In our data, we found that only the collaborative and switched-to-collaborative styles resolved conflicts to the satisfaction of both partners, which is consistent with theory. Novel findings that extend or contest prior theory are identified as part of a future research agenda. For practitioners, we also identified five effective conflict resolution behaviors.

19.
ABSTRACT

Cloud computing is a new IT delivery paradigm that offers computing resources as on-demand services over the Internet. Like all forms of outsourcing, cloud computing raises serious concerns about the security of the data assets that are outsourced to providers of cloud services. To address these security concerns, we show how today's generation of information security management systems (ISMSs), as specified in the ISO/IEC 27001:2005, must be extended to address the transfer of security controls into cloud environments. The resulting virtual ISMS is a standards-compliant management approach for developing a sound control environment while supporting the various modalities of cloud computing.

This article addresses chief security and/or information officers of cloud client and cloud provider organizations. Cloud clients will benefit from our exposition of how to manage risk when corporate assets are outsourced to cloud providers. Providers of cloud services will learn what processes and controls they can offer in order to provide superior security that differentiates their offerings in the market.

20.
Objective: We want to support enterprise service modelling and generation using a more end-user-friendly metaphor than current approaches, which fail to scale to large organisations, with the key issues of “cobweb” and “labyrinth” problems and large numbers of hidden dependencies.
Method: We present and evaluate an integrated visual approach for business process modelling using a novel tree-based overlay structure that effectively mitigates complexity problems. A tree-overlay-based visual notation (EML) and its integrated support environment (MaramaEML) supplement and integrate with existing solutions. Complex business architectures are represented as service trees and business processes are modelled as process overlay sequences on the service trees.
Results: MaramaEML integrates EML and BPMN to provide complementary, high-level business service modelling and supports automatic BPEL code generation from the graphical representations to realise web services implementing the specified processes. It facilitates validation of the generated services using an integrated LTSA checker and provides a distortion-based fisheye and zooming function to enhance complex diagram navigation. Evaluations of EML show its effectiveness.
Conclusions: We have successfully developed and evaluated a novel tree-based metaphor for business process modelling and enterprise service generation. Practice implications: a more user-friendly modelling approach and support tool for business end users.

Copyright © 北京勤云科技发展有限公司 (Beijing Qinyun Technology Development Co., Ltd.)  京ICP备09084417号