A Design of an Econometric Model for Evaluating the Security in Cloud Computing Environment

ABSTRACT Cloud computing offers an innovative business model for all cloud enterprises to serve IT services with no need to have technical details. The extreme growth of cloud usage increases the probability of threats occurrence, which in turn leads to financial and other losses. So there is a need to use appropriate metrics to assess the failure cost among cloud stakeholders according to their different needs; we propose a measure called “Mean Failure Cost” (MFC) which quantifies the impact of failure (per unit of time) by representing the losses for each stakeholder as a result of possible security failure. This study investigates this MFC measure which has been adapted to cloud computing by proposing four innovative models: The main model is “The Abstract Representation Model” which is used as a generic model, and then the MFC metric is enriched by proposing three expanded models which are used to refine the MFC cyber-security measure, these new expanded models are: “Multi-dimensional MFC model” (M2FC), “Service Based MFC Model (SBMFCM)” and “The Hybrid Model”, these models are used to serve different cloud sectors. The MFC matrices are filled by empirical data with analytical reasoning, these data is used as a “Default Data” which leads to gain reasonable, accurate and precise results that are compliant with a disciplined “Probability Disruption Rule”, cloud experts can re-adjust these default data. Some of Verification and Validation (V&V) measures are used to reduce the failure cost; these models can be evaluated using an innovative cost/benefit analysis model by matching the deployment cost of these V&V measures against the benefit. These new expansions on MFC give us a clear refinement, accurate estimation and useful interpretation for security related decision-making. Moreover, all proposed models of the MFC provide a unified model of security concepts because security lacks a clear taxonomy of all MFC parameters which leads to the improvement of the system’s software quality. The overall aim of this study is to refine, investigate and adapt the MFC model with cloud computing systems by using cloud-specific knowledge. These aspects are supported by an automated tool which aim to fill all MFC matrices based on empirical data and analytical reasoning then evaluate the obtained results using economical based approaches that help the decision makers to decide whether the measure is worthwhile or not and expected results are achieved.

TABLE OF CONTENTS

DEDICATION ..........................................................................................................................ii

ACKNOWLEDGMENTS .......................................................................................................iii

PUBLICATION BASED ON THIS THESIS .........................................................................iv

ABSTRACT.............................................................................................................................. v

vi ............................................................................................................................... المستخلـــــــص

TABLE OF CONTENTS........................................................................................................vii

LIST OF TABLES.................................................................................................................... x

LIST OF FIGURES................................................................................................................xii

ABBREVIATION..................................................................................................................xiii

CHAPTER ONE....................................................................................................................... 1

CLOUD COMPUTING ISSUES.............................................................................................. 1

1.1. Introduction................................................................................................................ 2

1.2. Problem statement and it’s significance................................................................... 3

1.3. Research Scope........................................................................................................... 4

1.4. Research Question/Hypothesis/Philosophy ............................................................... 4

1.4.1. Research Question .................................................................................................................... 5

1.4.2. Research hypothesis.................................................................................................................. 5

1.4.3. Research Philosophy................................................................................................................. 6

1.5. Research aims and objectives .................................................................................... 6

.1.6 Data collection............................................................................................................ 7

1.7. Open Issues................................................................................................................. 7

1.8. Proposed Solution....................................................................................................... 8

1.9. Evaluation Technique ................................................................................................ 9

1.10. Expected outcomes................................................................................................... 10

1.11. Concept of Cloud Computing .................................................................................. 10

1.11.1. Essential Characteristics .........................................................................................................13

1.11.2. Cloud Service Models..............................................................................................................13

1. Software as a Service (SaaS) .......................................................................................................................................14

2. Platform as a Service (PaaS).......................................................................................................................................14

3. Infrastructure as a Service (IaaS)...............................................................................................................................14

1.11.3. Cloud Computing Security Challenges...................................................................................15

1.11.4. CSA Threat Model (CSA 2016)...............................................................................................16

1.11.5. Number of Incidents in some Cloud Companies.....................................................................17

1.11.6. Related Failure “Cost” in some companies.............................................................................22

1.11.7. Ponemon Institute Survey of Data Center Outages (January 2016) ......................................23

1.11.8. Cloud Failures “Cost and Impact” in a some cloud companies (From 2013 to 2016) ...........25

Summary................................................................................................................................. 29

CHAPTER TWO.................................................................................................................... 30

RISK ESTIMATION METRICS........................................................................................... 30

2.1. Introduction.............................................................................................................. 31

2.2. Cybersecurity Metrics: ............................................................................................ 31

2.2.1. Security risk management framework for cloud computing..................................................33

2.2.2. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) .................34

2.2.3. CCTA Risk Analysis and Management Method (CRAMM)..................................................35

2.2.4. Single Loss Expectancy (SLE) and Annual Loss Expectancy (ALE):....................................36

2.2.5. CORAS ....................................................................................................................................38

2.2.6. Mean Time To x (MTTx).........................................................................................................39

viii

2.3. Mean Failure Cost (MFC)........................................................................................ 42

2.4. The MFC advantages:.............................................................................................. 43

2.5. Comparisons of security measures, methods and metrics:..................................... 43

Summary................................................................................................................................. 47

CHAPTER THREE................................................................................................................ 48

MFC AS AN ECONOMETRIC APPROACH ...................................................................... 48

3.1. Introduction.............................................................................................................. 49

3.2. MFC Metrics............................................................................................................ 49

3.3. MFC Metrics “Algebra Point of View”:.................................................................. 52

3.4. Generate and Fill Matrices Using Abstract MFC Model ....................................... 56

3.5. Rationale for Systematic Literature Review (SLR):............................................... 61

3.6. Summary of the MFC Metrics................................................................................. 61

3.7. MFC Features........................................................................................................... 62

3.8. Framework for Measurement of Cloud Security Risk by MFC............................. 62

3.9. Enhancement and Controlling Measures:............................................................... 64

3.10. Economic Approach................................................................................................. 64

3.10.1. Return On Investment (ROI) History:....................................................................................65

3.10.2. Net Present Value (NPV):........................................................................................................67

3.10.3. ROI Over Time with Enhancement Measures........................................................................68

3.10.4. Calculate Benefits in term of MFC Gain................................................................................69

3.10.5. Dispatching The Investment Cost Using Economical Based Approach:................................71

Summary................................................................................................................................. 78

CHAPTER FOUR .................................................................................................................. 79

ADAPTING MFC PARAMETERS WITH CLOUD COMPUTING ASPECTS................. 79

4.1. Introduction.............................................................................................................. 80

4.2. MFC Parameters...................................................................................................... 80

4.3. MFC Dimensions on Cloud Computing .................................................................. 80

4.3.1. Cloud Stakeholders.................................................................................................. 81

4.3.2. Cloud Security requirements (NIST 2013): ............................................................ 82

4.3.3. Cloud Component/Architecture of Cloud Computing (SATW, 2012).................. 85

4.3.4. Top Threats on Cloud Computing (CSA 2016)....................................................... 87

4.4. The Extraction of MFC Parameters with Cloud Computing Aspects ................... 96

Summary................................................................................................................................. 98

CHAPTER FIVE .................................................................................................................. 100

ADAPTING MFC PARAMETERS ON ALL CLOUD SERVICE MODELS................... 100

5.1. Introduction............................................................................................................ 101

5.2. Cloud Service Models............................................................................................. 101

5.2.1. Stakeholders on each Cloud Service Model:.........................................................................102

5.2.1.1. IaaS stakeholders............................................................................................................................................102

5.2.1.2. PaaS stakeholders ...........................................................................................................................................103

5.2.1.3. SaaS stakeholders............................................................................................................................................103

5.2.2. Security Requirement on Each Cloud Service Model...........................................................104

5.2.2.1. IaaS Security Requirement............................................................................................................................. 105

5.2.2.2. PaaS Security Requirement ............................................................................................................................ 105

5.2.2.3. SaaS Security Requirement ............................................................................................................................ 106

5.2.3. Components on each Cloud Service Model...........................................................................108

5.2.3.1. IaaS Components............................................................................................................................................108

5.2.3.2. PaaS Components ...........................................................................................................................................109

5.2.3.3. SaaS Components............................................................................................................................................109

5.2.4. Top Threats on each Cloud Service Model in 2016.............................................................................................. 111

5.2.4.1. IaaS Threat .....................................................................................................................................................112

5.2.4.2. PaaS Threat.....................................................................................................................................................112

ix

5.2.4.3. SaaS Threat.....................................................................................................................................................113

5.2.5. Structuring the MFC Metrics................................................................................................118

5.2.6. Advantages of Structuring and Re-structuring The MFC Matrices....................................119

5.2.7. Generate and Fill MFC Matrices using Service Base Model................................................120

5.2.7.1. Generate and Fill the MFC Matrices based on the “Position of Failure” aspect............................................121

5.2.7.2. Generate and Fill the MFC Matrices based on the “Scope of Control” Classification..................................124

5.2.8. Flowchart for adapting the MFC with Cloud Computing....................................................126

Summary............................................................................................................................... 128

CHAPTER SIX ...................................................................................................................... 129

MFC APPLICATION ON CLOUD COMPUTING, RESULTS, EVALUATION AND

RECOMMENDATION........................................................................................................ 129

6.1. Introduction............................................................................................................ 130

6.2. MFC Parameters On Cloud Computing ............................................................... 130

6.3. Result Generated Using the Proposed Filling Approach...................................... 131

6.3.1. Filling all MFC Matrices (ST, DP, TIM and TV).................................................................133

6.3.2. Compute Of MFC..................................................................................................................138

6.3.3. Estimating the effectiveness rate and decline rate of measurements ...................................139

6.3.4. Reflecting the enhanced values of measure to associate matrix ...........................................140

6.3.5. Recalculating the MFC in term of benefits...........................................................................141

6.3.6. Dispatching the Investment Cost C(w)..................................................................................141

6.3.7. MFC Results with NPV and ROI options.............................................................................142

6.3.8. Deploying Another Measure..................................................................................................144

6.4. MFC and ROI Model Premises and results with V&V aspects............................ 145

6.4.1. ROI and MFC Benchmark....................................................................................................146

6.5. Automated Tool...................................................................................................... 154

6.6. Generating and Filling MFC Matrices using Service Base Model ....................... 155

6.6.1. Option 1: Position of Security Failure...................................................................................155

6.6.2. Option 2: Scope of Control....................................................................................................156

6.7. Recommendations for acquiring Better Results for MFC and ROI .................... 157

Conclusion............................................................................................................................. 161

REFERENCES ......................................................................................................................... I

Appendix A ….……………………………………………………………………………….....A-1

Appendix B ………..…………………………………………………………………………....B-1