Show simple item record

AuthorNhlabatsi, Armstrong
AuthorHussein, Alaa
AuthorFetais, Noora
AuthorKhan, Khaled M.
Available date2024-03-10T05:42:10Z
Publication Date2020
Publication Name2020 IEEE International Conference on Informatics, IoT, and Enabling Technologies, ICIoT 2020
ResourceScopus
URIhttp://dx.doi.org/10.1109/ICIoT48696.2020.9089459
URIhttp://hdl.handle.net/10576/52820
AbstractSecurity threats posed to individual cloud computing clients vary depending on their specific security requirements. However, Cloud Providers apply generic security risk assessment approaches which result do not consider client-specific security requirements. This results into unrealistic and inaccurate security risk evaluation. In this paper, we describe the detailed design and implementation of a security risk assessment tool. The tool supports a threat-specific method to security risk evaluation. The threat-specific method enables Cloud Providers to evaluate the security risk of their tenants based tenant-specific threats as dictated by their particular security requirements. Evaluation shows that the tool is highly usable, but lacks in scaleability.
SponsorThis paper has described the detailed design and implementation of a threat-specific security risk evaluation tool, called ThreatRiskEvaluator. The tool enables security administrators of Cloud Providers to evaluate security risk from the perspective of different threats for their tenants. The approach is centered on the idea that Cloud tenants have different security requirements and hence they hence care about different threats. ThreatRiskEvaluator helps security administrators decide which threats to prioritize for each of their clients and to formulate more effective security solutions specific to the security requirements of particular clients. Evaluation of the tool shows that it is highly usable, but lacking in scaleability. In the current version of the tool, the user has to manually draw the network topology model. This is time-consumming and may lead to modelling errors, especially, when the network topology is large and complex. We plan to extend the tool to incorporate network scanners to scanner in order to build a more accurate network topology quickly. The evaluation of security risk is dependent on the general vulnerability information supplied by the National Vulnerability Database(NVD). This does not take account that, for a given instance of an Operating system, certain vulnerabilities may have already been patched. The consideration of such threats may lead to inaccurate risk evaluation. In order to address this limitation, we are extending the tool to incorporate a vulnerability scanner so that risk evauation is based only on the vulnerabilities that are not yet patched in a particular node, instead of all the vulnerabilities that are recorded in the NVD. We are in the process of reviewing and optimizing the design of the tool to make more scaleable. ACKNOWLEDGMENT This paper was made possible by Grant NPRP 8-531-1-111 from Qatar National Research Fund (QNRF). The statements made herein are solely the responsibility of the authors.
Languageen
PublisherInstitute of Electrical and Electronics Engineers Inc.
Subjectclass diagrams
Cloud computing
domain model
risk assessment
security objectives
security risk
security threats
use cases
vulnerability
TitleDesign and Implementation of a Threat-Specific Security Risk Assessment Tool
TypeConference Paper
Pagination511-518
dc.accessType Abstract Only


Files in this item

FilesSizeFormatView

There are no files associated with this item.

This item appears in the following Collection(s)

Show simple item record