Towards Model-Based Security Assessment of Cloud Applications
Security issues still limit the full exploitation of the potential of the cloud computing paradigm, and cloud developers are increasingly required to take security into account from the very beginning of the development process. Unfortunately, applying classical security best practices may not be enough, because cloud applications involve services provided by third parties and outside the control of the developer. In this paper, to overcome this issue, we introduce and discuss a model-based process for the security assessment of cloud applications. In particular, we suggest a complete process that can be executed within the lifecycle of a cloud application, from requirement elicitation up to the validation (both static and dynamic through the generation and execution of suitable test cases) of the final deployment against security requirements. In this work, we sketch the main phases of the process and illustrate the high-level modelling languages that have been defined to describe an application at different levels of abstraction and to formalize both the security requirements of applications and the security features offered by existing cloud services. A running example involving the assessment of a simple yet realistic cloud application is used throughout the paper to better illustrate the proposal and to demonstrate its feasibility and effectiveness.
Keywords: Model-based security assessment; Secure cloud applications; Cloud security
This research is partially supported by the project MUSA (Grant Agreement no. 644429) funded by the European Commission within call H2020-ICT-2014-1.