Security Metrics, Secure Elements, and Operational Measurement Trust in Cloud Environments
- 1 Citations
- 650 Downloads
Abstract
Operational security assurance evaluation requires building security metrics models to express the expected security status of the system, and collecting data from the operational system to express the current state against these models. Many factors impact the confidence we can have in these metrics and their reported status. One major factor is the trust we can put in the provided measurement data. This paper describes the properties of a trusted measurement base, use of secure element functions and different probe form factors, and their impact on defining confidence levels for the measurement data. A way of quantifying this confidence level and using it as part of security metrics models is defined. Cloud computing is used as a domain to illustrate these concepts and the process of their application. The cloud environment is especially challenging for this type of assurance due to mixed ownership and potentially limited visibility into the infrastructure.
Keywords
Security assurance Security metrics Secure element Measurement trust ConfidenceReferences
- 1.Amazon, AWS CloudHSM. http://aws.amazon.com/cloudhsm/. Accessed May 2015
- 2.Berger, S., Cáceres, R., Goldman, K., Perez, R., Sailer, R., van Doorn, L.: vTPM: virtualizing the trusted platform module. In: Proceedings of the 15th USENIX Security Symposium (2006)Google Scholar
- 3.Berger, S., et al.: Scalable attestation: a step toward secure and trusted clouds. In: IEEE International Conference on Cloud Engineering (2015)Google Scholar
- 4.Chen, C., Raj, H., Saroiu, S., Wolman, A.: cTPM: a cloud TPM for cross-device trusted applications. In: Proceedings of the 11th USENIX Conference on Networked Systems Design and Implementation (NSDI) (2014)Google Scholar
- 5.Haddad, S., Hecker, A., Marquet, B., Dubus, S., Kanstrén, T., Savola, R.: Operational security assurance evaluation in open infrastructures. In: 6th IEEE International Conference on Risk and Security of Internet and Systems (CRISIS), Timisoara, Romania, 26–28 September 2011Google Scholar
- 6.ISO/IEC Guide 99:2007, International vocabulary of metrology e basic and general concepts and associated terms (VIM), International Organization for Standardization and the International Electrotechnical Commission (2007)Google Scholar
- 7.Kanstrén, T., Lehtonen, S., Savola, R., Kukkohovi, H., Hatonen, K.: Architecture for high confidence cloud security monitoring. In: Proceedings of IEEE International Conference on Cloud Engineering (IC2E) (2015)Google Scholar
- 8.Kanstrén, T., Lehtonen, S., Kukkohovi, H.: Opportunities in using a secure element to increase confidence in cloud security monitoring. In: Proceedings of the 8th IEEE International Conference on Cloud Computing (CLOUD) (2015)Google Scholar
- 9.Latvala, O-M., et al.: A tool for security metrics modeling and visualization. In: Proceedings of the European Conference on Software Architecture Workshops (2014)Google Scholar
- 10.Ouedraogo, M., et al.: Appraisal and reporting of security assurance at operational systems level. J. Syst. Softw. 8(1), 193–208 (2012)CrossRefGoogle Scholar
- 11.Ouedraogo, M., et al.: Taxonomy of quality metrics for assessing assurance of security correctness. Softw. Qual. J. 21, 67–97 (2013)CrossRefGoogle Scholar
- 12.Savola, R.: A security taxonomization model for software-intensive systems. J. Inf. Process. Syst. 5(4), 197–206 (2009)CrossRefGoogle Scholar
- 13.Savola, R.: Quality of security metrics and measurements. Comput. Secur. 37, 78–90 (2013)CrossRefGoogle Scholar
- 14.Schryen, G., Volkamer, M., Ries, S., Habib, S.-M.: A formal approach towards measuring trust in distributed systems. In: Proceedings of the ACM Symposium on Applied Computing, (SAC) (2011)Google Scholar
- 15.Tomlinson, A.: Introduction to the TPM. In: Smart Cards, Tokens, Security and Applications, pp. 155–172. Springer, Heidelberg (2008)Google Scholar
- 16.Trusted Computing Group, TPM Main Specification Version 1.2 Level 2, Revision 116 (2011)Google Scholar