Security Metrics, Secure Elements, and Operational Measurement Trust in Cloud Environments

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9331)


Operational security assurance evaluation requires building security metrics models to express the expected security status of the system, and collecting data from the operational system to express the current state against these models. Many factors impact the confidence we can have in these metrics and their reported status. One major factor is the trust we can put in the provided measurement data. This paper describes the properties of a trusted measurement base, use of secure element functions and different probe form factors, and their impact on defining confidence levels for the measurement data. A way of quantifying this confidence level and using it as part of security metrics models is defined. Cloud computing is used as a domain to illustrate these concepts and the process of their application. The cloud environment is especially challenging for this type of assurance due to mixed ownership and potentially limited visibility into the infrastructure.


Security assurance Security metrics Secure element Measurement trust Confidence 


  1. 1.
    Amazon, AWS CloudHSM. Accessed May 2015
  2. 2.
    Berger, S., Cáceres, R., Goldman, K., Perez, R., Sailer, R., van Doorn, L.: vTPM: virtualizing the trusted platform module. In: Proceedings of the 15th USENIX Security Symposium (2006)Google Scholar
  3. 3.
    Berger, S., et al.: Scalable attestation: a step toward secure and trusted clouds. In: IEEE International Conference on Cloud Engineering (2015)Google Scholar
  4. 4.
    Chen, C., Raj, H., Saroiu, S., Wolman, A.: cTPM: a cloud TPM for cross-device trusted applications. In: Proceedings of the 11th USENIX Conference on Networked Systems Design and Implementation (NSDI) (2014)Google Scholar
  5. 5.
    Haddad, S., Hecker, A., Marquet, B., Dubus, S., Kanstrén, T., Savola, R.: Operational security assurance evaluation in open infrastructures. In: 6th IEEE International Conference on Risk and Security of Internet and Systems (CRISIS), Timisoara, Romania, 26–28 September 2011Google Scholar
  6. 6.
    ISO/IEC Guide 99:2007, International vocabulary of metrology e basic and general concepts and associated terms (VIM), International Organization for Standardization and the International Electrotechnical Commission (2007)Google Scholar
  7. 7.
    Kanstrén, T., Lehtonen, S., Savola, R., Kukkohovi, H., Hatonen, K.: Architecture for high confidence cloud security monitoring. In: Proceedings of IEEE International Conference on Cloud Engineering (IC2E) (2015)Google Scholar
  8. 8.
    Kanstrén, T., Lehtonen, S., Kukkohovi, H.: Opportunities in using a secure element to increase confidence in cloud security monitoring. In: Proceedings of the 8th IEEE International Conference on Cloud Computing (CLOUD) (2015)Google Scholar
  9. 9.
    Latvala, O-M., et al.: A tool for security metrics modeling and visualization. In: Proceedings of the European Conference on Software Architecture Workshops (2014)Google Scholar
  10. 10.
    Ouedraogo, M., et al.: Appraisal and reporting of security assurance at operational systems level. J. Syst. Softw. 8(1), 193–208 (2012)CrossRefGoogle Scholar
  11. 11.
    Ouedraogo, M., et al.: Taxonomy of quality metrics for assessing assurance of security correctness. Softw. Qual. J. 21, 67–97 (2013)CrossRefGoogle Scholar
  12. 12.
    Savola, R.: A security taxonomization model for software-intensive systems. J. Inf. Process. Syst. 5(4), 197–206 (2009)CrossRefGoogle Scholar
  13. 13.
    Savola, R.: Quality of security metrics and measurements. Comput. Secur. 37, 78–90 (2013)CrossRefGoogle Scholar
  14. 14.
    Schryen, G., Volkamer, M., Ries, S., Habib, S.-M.: A formal approach towards measuring trust in distributed systems. In: Proceedings of the ACM Symposium on Applied Computing, (SAC) (2011)Google Scholar
  15. 15.
    Tomlinson, A.: Introduction to the TPM. In: Smart Cards, Tokens, Security and Applications, pp. 155–172. Springer, Heidelberg (2008)Google Scholar
  16. 16.
    Trusted Computing Group, TPM Main Specification Version 1.2 Level 2, Revision 116 (2011)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.VTTOuluFinland

Personalised recommendations