Finance and Credit Publishing House

Digest Finance
 

Method of measurement of information security risk of cloud infrastructure of an organization

Vol. 20, Iss. 1, MARCH 2015


Available online: 19 February 2015

Subject Heading: THREATS AND SECURITY


Pages: 56-67

Tsaregorodtsev A.V. Financial University under Government of Russian Federation, Moscow, Russian Federation
AVTsaregorodtsev@fa.ru

Makarenko E.V. Bauman Moscow State Technical University, Moscow, Russian Federation
e_makarenko@yandex.ru

Almost all of the technologies that are now part of the cloud paradigm existed before, but until recently the market lacked offerings that brought these emerging technologies together in a single commercially attractive solution. Only in the last decade did publicly available cloud services appear, through which these technologies became accessible to developers on the one hand and understandable to the business community on the other. However, many of the features that make cloud computing attractive may conflict with traditional models of ensuring information security. Because cloud computing brings new challenges in the field of information security, it is imperative for organizations to control the information risk management process in the cloud environment. On the basis of the Common Vulnerability Scoring System, which allows determining a qualitative indicator of the exposure of information systems to vulnerabilities, and taking environmental factors into account, we propose a method of risk assessment for different types of cloud environment deployment. Managing information risk and determining whether cloud services are applicable to an organization is impossible without understanding the context in which the organization operates and the consequences of the possible types of threats it may face as a result of its activities. Our paper proposes a risk assessment approach that is used to choose the most appropriate configuration options of a cloud computing environment from the point of view of security requirements. Applying the risk assessment technique to different types of cloud environment deployment makes it possible to reveal the ratio of countering possible attacks and to correlate the amount of damage with the total cost of ownership of the organization's entire IT infrastructure.
The proposed approach to risk analysis and management allows assessing the security of a cloud operating under the impact of various classes of threats, as well as the effectiveness of the set of measures and means used to counter those threats. Based on this assessment, it is possible to find an optimal configuration option for the cloud computing environment.

Keywords: cloud computing, information, security, threats, risk analysis, management, methods, requirements



ISSN 2311-9438 (Online)
ISSN 2073-8005 (Print)
