Decision support system with data mining


security governance in cloud and its evaluation

Supervised by:

Dr. Mohammad Mehedi Hassan

Table of Contents:

· Introduction

· Cloud computing

· Information security governance (ISG)

· Information security governance on cloud (ISGcloud)

· Survey

· Discussion

· List of papers and their resources

· Future work

· References

List of figures:

Figure 1: analysis parameter

Figure 2: the systematic mapping process

Figure 3: search results on digital libraries

Figure 4: classification schema

Figure 7: Typical Concerns when using Public

Introduction:

The massive growth of cloud computing has drawn the attention of many companies and individuals. Enterprises using cloud computing for their businesses report economic savings of up to 30%, because it provides many benefits, such as a shared pool of computing resources that can be rapidly provisioned and released with minimal management effort, more effective mobile working and so on. On the other hand, the many features provided by the Cloud Computing model are also accompanied by new risks. For this reason, an information security governance (ISG) function needs to be established at the management level, with a clear security strategy.

In this research, we focus on information security governance on cloud (ISGcloud) and describe its different aspects. We also present a related survey to provide some statistical results.

Cloud computing:

The concept of cloud computing is proposed by the US National Institute of Standards and Technology (NIST). “Cloud computing is defined as a model that the user can access a computing resource through this model, consists mainly of the networks, servers, storage devices, applications and other resources, and able to provide a good and fast pathway”.

Essential Characteristics of a Cloud:

· On-demand Self-service: Computing services (e.g., server time, storage) are provisioned to meet the dynamically changing needs of the consumers.

· Broad Network Access: Services are available over the network and can be accessed from heterogeneous platforms (e.g., laptops, cell phones, and PDAs) through standard interfaces.

· Resource Pooling: Service providers’ physical and virtual resources are dynamically allocated and de-allocated to the clients according to their changing needs in a location-independent manner.

· Rapid Elasticity: Computing capabilities can be rapidly provisioned to quickly scale out and rapidly released as well to quickly scale in.

· Measured Service: Resource usage is monitored and measured, therefore, users pay only for the services they use. (1)(2)

Information security governance (ISG):

Organizations need information security, which is a set of actions performed to minimize the negative impact and damage of security threats and to protect business and IT assets from different threat sources. These threats aim to compromise the confidentiality, integrity, and availability (CIA) of the IT assets. ISG is a system with a multi-dimensional perspective (e.g. risks, policies, measurement, organizational management) that is responsible for guaranteeing the CIA of the organization’s assets. ISG is defined as: “the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility all in an effort to manage risk”. Effective information security governance should result in six outcomes, including:

· Strategic alignment —aligning security activities with business strategy to support organizational objectives

· Risk management —executing appropriate measures to manage risks and potential impacts to an acceptable level

· Business process assurance/convergence —integrating all relevant assurance processes to maximize the effectiveness and efficiency of security activities

· Value delivery —optimizing investments in support of business objectives

· Resource management —using organizational resources efficiently and effectively

· Performance measurement —monitoring and reporting on security processes to ensure that business objectives are achieved (3)(4)(5)

Information security governance on cloud(ISGcloud):

Having described cloud computing and the many features it provides to users, we now turn to the security issues that hinder these advantages and are the main drawback preventing organizations from adopting Cloud Computing. As with any new technology, Cloud Computing creates new risks and opportunities. Moving services or applications to the cloud may generate new opportunities for the business, its security and its IT departments owing to the re-architecting of applications, but this simultaneously creates threats to security. Enterprises that use cloud computing therefore need a clear governance strategy and management plan in order to gain its advantages in a secure environment. So, we have proposed ISGcloud, a security governance framework to tackle cloud security matters in a comprehensive manner whilst being aligned with an enterprise’s strategy. The ISGcloud framework is process-oriented and was developed to improve the security governance structure supporting a cloud computing service. It is based on a set of activities closely related to the cloud service lifecycle, which has 6 stages: 1. Planning/Strategy Definition; 2. Cloud Security Analysis; 3. Cloud Security Design; 4. Cloud Implementation/Migration; 5. Secure Cloud Operation; and 6. Cloud Service Termination. ISGcloud includes four core governance processes:

· evaluate the current and future use of IT;

· direct preparation and implementation of plans and policies to ensure that the use of IT meets business objectives;

· monitor conformance to policies, and performance against the plans; and

· communicate the knowledge and policies that are required in ISG.

A general overview of our framework’s activities and tasks is represented in the diagram:

Implementing the ISGcloud framework's activities and tasks during cloud service deployment and operation guarantees that a security governance structure exists around the cloud service and that all relevant aspects of security are taken into consideration. This is the main goal of ISGcloud. (6)

Survey:

Adopting Information Security Techniques for Cloud Computing–A Survey

Parameters for analysis are selected and are limited to the scope of the research papers under review. A total of 12 parameters have been chosen and the analysis is based on them, as represented in Table I. The analysis is represented in Table II, and the graphical analysis on the basis of the selected parameters is presented in Figure 1.

This survey concerns the techniques discussed in various papers to secure data and to preserve its confidentiality and integrity. User authentication and access control are still a prominent factor in cloud computing. For any organization, what matters is the security of its data: keeping sensitive and important data safe from hacking. Data hacking has now become very common. Consequently, data confidentiality is an important element of cloud computing. Encryption techniques for securing data are therefore discussed in this survey, since technology advances day by day and data needs to be kept secure. Encryption alone is not that effective at securing data; for greater security, the paper proposes encryption with obfuscation.

Figure 1: analysis parameter

Security Governance in a Multi-Cloud Environment: A systematic Mapping Study

In this paper, the researchers use systematic analysis to give an overview of the state of security in multi-cloud environments. The systematic mapping study provides a global view of a given research field using the steps of the systematic mapping process (Figure 2).

Figure 2: the systematic mapping process

The systematic mapping process relies on five steps: the first step is to define the research questions, which are developed in order to define the scope. The next two steps include searching and selecting primary studies by screening the articles found. In the fourth step, the data are then extracted and synthesized. Finally, the review results are obtained and the research questions are answered.

As mentioned above, the main goal of this study is to analyze previous publications related to security in multi-cloud environments and to refine them to multi-cloud security governance, as shown in Figure 3 below. This overall goal is defined in four research questions (RQ), summarized with their underlying motivations.

Figure 3: search results on digital libraries

This paper presents the three retained aspects and their measurements, as considered in the classification schema depicted in Figure 4.

Figure 4: classification schema

Empirical evaluation of a cloud computing information security governance framework

Cloud Governance - The Relevance of Cloud Brokers

This contribution gives an overview of cloud governance aspects based on a representative survey of trends in the perception, assessment and adoption of Cloud Computing within the enterprise. The survey was conducted through a two-fold research approach and combined a meta-analysis of existing and published empirical studies with an own empirical study within a representative group of European and international enterprises. We consider governance through the prism of adoption drivers and focus on the role of cloud brokers and cloud marketplaces more specifically.

Figure 5:interviews results

Figure 6:Expected or Required Contract Elements

Figure 7:Typical Concerns when using Public

Figure 8: Governance Expectations for Cloud

A Comparison Study of Information Security Risk Management Frameworks in Cloud Computing

The following Table II presents a summary of the comparison of the previous information security risk management frameworks.

Discussion:

Special Feature | Paper focus | Paper Title

cloud computing security challenges:

1- Deployment model issue:

· Authentication and identity management

· Reproduction and resource pooling

2- Service model issue:

· Back up and storage

· Shared technology issue

3- Network issue:

· Browser security

· Incomplete data deletion

Suggested solutions:

· The cloud vendor must provide a secure and reliable service to the consumer and protect consumer data and resources.

· The cloud provider must address multi-tenant architecture issues by applying isolation and segmentation.

· The cloud provider must address DDoS by applying a honeypot system.

· The cloud provider must provide a high quality of service; to ensure that, it must apply a service level agreement (SLA).

Paper focus: This paper focuses on cloud computing security challenges and suggests solutions.

Paper title: Cloud Computing Security Analysis: Challenges and Possible Solutions

· The author discusses the AHP approach, which is used to identify and rank the issues of information security in the cloud environment. The issues are grouped into six categories: organizational, environment contingency management, security policy, internal control, and information and risk management.

· The AHP approach makes the development of an ISM framework easier by identifying relevant and important metrics.

· The author recommends:

· Top management must support the security program by providing budget or any other resource needed to provide security.

· There must be collaboration between IT and the business, and IT must understand the organization's business processes.

· Oversight of the top management by

· The security team must ensure they document and periodically publish security reports.

Paper focus: This paper identifies the information security management issues in cloud computing and gives some recommendations.

Paper title: Information Security Management Issues in a Cloud-based environment

There are five phases in cloud SSDLC: initiation, development, implementation, operation, and destruction. Each phase must integrate the critical cloud security domains and corresponding risks.

Cloud SSDLC: Cloud Security Governance Deployment Framework:

1- Initiation:

· Initiate security planning

· Categorize the information system

· Assess business impact

· Ensure secure processes

2- Development:

· Assess risk to system

· Design security architecture

3- Implementation:

· Integrate security into established system

· Assess system security

4- Operation:

· Perform configuration management and control

· Conduct continuous monitoring

5- Destroy.

Paper focus: The paper provides a framework that connects the SDLC and the cloud environment to secure cloud applications.

Paper title: Cloud SSDLC: Cloud Security Governance Deployment Framework in Secure System Development Life Cycle

· Standards and reference models in the domain must be used.

· IT risk and IT strategy must be integrated to improve the lifecycle from planning to testing.

· IT risk must be considered from the key stakeholders' viewpoint.

Paper focus: In this paper, the author discusses the integration between IT governance and risk management.

Paper title: Integration of IT Governance and Security Risk Management: a Systematic Literature Review

ISGcloud process:

1- planning/strategy definition

· establish information security governance structure

· define information security program

2- cloud security analysis

· define Information security requirements

· analysis of available cloud options

· cloud risk analysis

3- cloud security design

· define SLAs and legal contracts

· establish information security roles and responsibilities

· specify cloud service monitoring and auditing

· define applicable security controls

4- cloud implementation/migration

· secure cloud implementation

· educate and train staff

5- secure cloud operation

· cloud security operation

· communicate information security inside the organization

ISGcloud benefits:

· Alignment of ISG and business strategy

· ISG contributes to optimal value delivery

· Ensure security risk optimization

· Information security resources are optimized

· Information security communication is effective

Paper focus: This paper focuses on how the ISGcloud framework helps in cloud security and evaluates it.

Paper title: Empirical evaluation of a cloud computing information security governance framework

The cloud service delivery models:

· Infrastructure-as-a-service

· Platform-as-a-service

· Software-as-a-service

Security issues based on cloud characteristics

Cloud computing security enablers

The categories of cloud security concerns and their implications based on delivery model.

The security requirements of each stakeholder

Paper focus: In this paper, the author presents a detailed investigation of the cloud security issue from the cloud architecture point of view.

Paper title: An Analysis of the Cloud Computing Security Problem

The paper cites the popular IT governance frameworks:

· COSO

· CobiT

· ITIL

· ISO 27001/9000

The relationship between the different frameworks

The paper discusses each framework in detail

The cloud risk management

Practical Application of IT Governance to Cloud Deployment

Identify IT governance domain objectives and deliverables

· How will it be delivered?

· How will it be deployed?

· Determine the cloud formation.

· Cloud governance

Paper focus: This paper reviews several popular IT governance standards and frameworks.

Paper title: IT Controls and Governance in Cloud Computing

The different types of security frameworks

Listing the EFSS security issues:

· Employee Privacy

· Share Link

· Cloud File Synchronization

· Enterprise Directory Integration

Describes an integrated security approach

Provides the architecture and design of the integrated security approach

Describes the multilayered security approach for the CCAF security framework

Paper focus: This paper presents the cloud computing adoption framework (CCAF), a security framework suitable for business clouds.

Paper title: Cloud computing adoption framework: A security framework for business clouds

Identify IT governance structures for managing the cloud computing services

Evaluate the effectiveness of the IT governance structures.

Suggests four governance structures for managing the cloud computing services:

· a cloud management committee

· a chief cloud officer

· a cloud service facilitation centre

· a cloud relationship centre

Paper focus: This paper suggests information technology (IT) governance structures to manage the cloud computing services.

Paper title: On governance structures for the cloud computing services and assessing their effectiveness

A comprehensive security and management framework is proposed for an organization operating in a cloud environment.

The proposed framework has been implemented in a virtualized cloud environment to validate the efficacy of certain features of the model.

The framework incorporates a layered security architecture to achieve the utmost level of security for nullifying the impact of threats.

Paper focus: This paper initially reviews security challenges and threats to data/applications in the cloud environment.

Paper title: Security and management framework for an organization operating in cloud environment

List of papers and their resources

Resource | Paper name

Electronics Science Technology and Application, vol. 03, no. 01, pp. 42-55, 2016.

1. Research on Information Security in Cloud Computing Environment.

Int. J. Next-Gener. Comput 7.1 (2016).

2. A classification and characterization of security threats in cloud computing.

Springer International Publishing Switzerland, pp. 220–235, 2016.

3. Information Security Governance: Valuation of Dependencies Between IT Solution Architectures.

Journal of Universal Computer Science, vol. 18, no. 06, pp. 798-815, 2012.

4. A Systematic Review of Information Security Governance Frameworks in the Cloud Computing Environment.

E-book. John Wiley & Sons, 2009.

5. Information security governance: A practical development and implementation approach.

Information and Software Technology, pp. 44–57, 2015.

6. Empirical evaluation of a cloud computing information security governance framework.

Mahboob, Tahira, Maryam Zahid, and Gulnoor Ahmad. "Adopting information security techniques for cloud computing—A survey." Information Technology, Information Systems and Electrical Engineering (ICITISEE), International Conference on. IEEE, 2016.‏

7. Adopting Information Security Techniques for Cloud Computing–A Survey

Witti, Hamad, et al. "Security Governance in Multi-cloud Environment: A Systematic Mapping Study." Services (SERVICES), 2016 IEEE World Congress on. IEEE, 2016.‏

8. Security Governance in a Multi-Cloud Environment: A systematic Mapping Study

Information and Software Technology, pp. 44–57, 2015.

9. Empirical evaluation of a cloud computing information security governance framework

Stantchev, Vladimir, and Gerrit Tamm. "Cloud Governance-The Relevance of Cloud Brokers." Parallel and Distributed Systems (ICPADS), 2013 International Conference on. IEEE, 2013.‏

10. Cloud Governance - The Relevance of Cloud Brokers

Alnuem, Mohammed, Hala Alrumaih, and Halah Al-Alshaikh. "A Comparison Study of Information Security Risk Management Frameworks in Cloud Computing." CLOUD COMPUTING 2015 (2015): 118.‏

11. A Comparison Study of Information Security Risk Management Frameworks in Cloud Computing

Information and Software Technology, vol. 58, pp. 44, 2015.

12. Empirical evaluation of a cloud computing information security governance framework

International Conference on Information Society, vol. 978, pp. 908, 2016

13. Integration of IT Governance and Security Risk Management: a Systematic Literature Review

International Conference on Electrical, vol. 785, pp. 56, 2016

14. Cloud Computing Security Analysis: Challenges and Possible Solutions

International Conference on Modelling and Simulation, vol. 978, pp

15. Information Security Management Issues in a Cloud-based environment

International Conference on Trust, Security and Privacy in Computing and Communications, vol. 104, pp. 1109, 2012

16. Cloud SSDLC: Cloud Security Governance Deployment Framework in Secure System Development Life Cycle (2012)

arXiv preprint arXiv:1609.01107 (2016)

17. An analysis of the cloud computing security problem

Proceedings of the Twentieth Americas Conference on Information Systems (AMCIS ‘14). 2014

18. IT Controls and Governance in Cloud Computing

Future Generation Computer Systems 57 (2016): 24-41

19. Cloud computing adoption framework: A security framework for business clouds

International Journal of Accounting Information Systems 15.4 (2014): 335-356

20. On governance structures for the cloud computing services and assessing their effectiveness

Annals of Telecommunications (2017): 1-9

21. Security and management framework for an organization operating in cloud environment

Future work:

Future work will focus on improving the ISGcloud framework in relation to the limitations identified, and to other possible drawbacks that may also emerge. We plan to research the details of the framework’s tasks and steps in greater depth, especially those that this case study has highlighted as needing more effort on the part of the organization. We are additionally working to review existing tools that could be used to support our process and be included in the framework guidelines. (6)

References:

1. Q. Ren and H. Gao, "Research on Information Security in Cloud Computing Environment", Electronics Science Technology and Application, vol. 03, no. 01, pp. 42-55, 2016.

2. T.Islam, D. Manivannan, and S. Zeadally. "A classification and characterization of security threats in cloud computing." Int. J. Next-Gener. Comput 7.1 (2016).

3. O. González-Rojas, L. Ochoa-Venegas and G. Molina-León, "Information Security Governance: Valuation of Dependencies Between IT Solution Architectures", Springer International Publishing Switzerland, pp. 220–235, 2016.

4. O. Rebollo, D. Mellado and E. Fernández-Medina, "A Systematic Review of Information Security Governance Frameworks in the Cloud Computing Environment", Journal of Universal Computer Science, vol. 18, no. 06, pp. 798-815, 2012.

5. Brotby, Krag. Information security governance: A practical development and implementation approach. Vol. 53. John Wiley & Sons, 2009.

6. O. Rebollo, D. Mellado, E. Fernández-Medina and H. Mouratidis, "Empirical evaluation of a cloud computing information security governance framework", Information and Software Technology, pp. 44–57, 2015.

7. Mahboob, Tahira, Maryam Zahid, and Gulnoor Ahmad. "Adopting information security techniques for cloud computing—A survey." Information Technology, Information Systems and Electrical Engineering (ICITISEE), International Conference on. IEEE, 2016.

8. Witti, Hamad, et al. "Security Governance in Multi-cloud Environment: A Systematic Mapping Study." Services (SERVICES), 2016 IEEE World Congress on. IEEE, 2016.

9. Information and Software Technology, pp. 44–57, 2015.

10. Stantchev, Vladimir, and Gerrit Tamm. "Cloud Governance-The Relevance of Cloud Brokers." Parallel and Distributed Systems (ICPADS), 2013 International Conference on. IEEE, 2013.

11. Alnuem, Mohammed, Hala Alrumaih, and Halah Al-Alshaikh. "A Comparison Study of Information Security Risk Management Frameworks in Cloud Computing." CLOUD COMPUTING 2015 (2015): 118.

12. O. Rebollo, D. Mellado, E. Fernández-Medina and H. Mouratidis, "Empirical evaluation of a cloud computing information security governance framework", Information and Software Technology, vol. 58, pp. 44, 2015.

13. D. Smet and N. Mayer, "Integration of IT Governance and Security Risk Management: a Systematic Literature Review", International Conference on Information Society, vol. 978, pp. 908, 2016.

14. C. Prakash and S. Dasgupta, "Cloud Computing Security Analysis: Challenges and possible solution", International Conference on Electrical, vol. 785, pp. 56, 2016.

15. M. Moeti and K. Sigama, "Information Security Management Issues in a Cloud-based environment", International Conference on Modelling and Simulation, vol. 978, pp. 4799, 2015.

16. T. Cheu Kao, C. Hao Mao, C. Yu Chang and K. Chi Chang, "Cloud SSDLC: Cloud Security Governance Deployment Framework in Secure System Development Life Cycle", International Conference on Trust, Security and Privacy in Computing and Communications, vol. 104, pp. 1109, 2012.

17. Almorsy, Mohamed, John Grundy, and Ingo Müller. "An analysis of the cloud computing security problem." arXiv preprint arXiv:1609.01107 (2016) 

18. Becker, Jack D., and Elana Bailey. "IT Controls and Governance in Cloud Computing." Proceedings of the Twentieth Americas Conference on Information Systems (AMCIS ‘14). 2014. 

19. Chang, Victor, Yen-Hung Kuo, and Muthu Ramachandran. "Cloud computing adoption framework: A security framework for business clouds." Future Generation Computer Systems 57 (2016): 24-41. 

20. Prasad, Acklesh, Peter Green, and Jon Heales. "On governance structures for the cloud computing services and assessing their effectiveness." International Journal of Accounting Information Systems 15.4 (2014): 335-356 

21. Raza, Nasir, Imran Rashid, and Fazeel Ali Awan. "Security and management framework for an organization operating in cloud environment." Annals of Telecommunications (2017): 1-9
