Martin Gilje Jaatun

Beyond lightning: A survey on security challenges in cloud computing

Cloud computing is a model to provide convenient, on-demand access to a shared pool configurable computing resources. In cloud computing, IT-related capabilities are provided as services, accessible without requiring detailed knowledge of the underlying technologies, and with minimal management effort. The great savings promised by the cloud are however offset by the perceived security threats feared by users. This paper gives an overview of cloud computing, and discusses related security challenges. We emphasize that although there are many technological approaches that can improve cloud security, there are currently no one-size-fits-all solutions, and future work has to tackle challenges such as service level agreements for security, as well as holistic mechanisms for ensuring accountability in the cloud.

Security SLAs for Federated Cloud Services

The federated Cloud paradigm aims to provide flexible and reliable services composed of a mixture of internal and external mini-clouds, but this heterogeneous nature is also fuelling the security concerns of the customers. To allay the fears and deal with the threats associated with outsourcing data and applications to the Cloud, new methods for security assurance are urgently needed. This paper presents current work on Cloud Security Service Level Agreements and our approach on how to manage this in the context of hybrid clouds. The purpose is to facilitate rapid service composition and agreements based on the necessary security requirements and establish trust between the customer and provider. We also show how this can be applied on a realistic case study related to a hybrid Unified Communication service.

Accountability for cloud and other future Internet services

Cloud and IT service providers should act as responsible stewards for the data of their customers and users. However, the current absence of accountability frameworks for distributed IT services makes it difficult for users to understand, influence and determine how their service providers honour their obligations. The A4Cloud project will create solutions to support users in deciding and tracking how their data is used by cloud service providers. By combining methods of risk analysis, policy enforcement, monitoring and compliance auditing with tailored IT mechanisms for security, assurance and redress, A4Cloud aims to extend accountability across entire cloud service value chains, covering personal and business sensitive information in the cloud.

Monitoring Intrusions and Security Breaches in Highly Distributed Cloud Environments

Cloud computing is a new computing model, and security is ranked first among its challenges. This paper reviews existing security monitoring mechanisms compared with new challenges which are caused by this new model. We highlight possible weaknesses in existing monitoring mechanisms, and propose approaches to mitigate them.

A Framework for Incident Response Management in the Petroleum Industry

Abstract Incident response is the process of responding to and handling security-related incidents involving information and communications technology (ICT) infrastructure and data. Incident response has traditionally been reactive in nature, focusing mainly on technical issues. This paper presents the Incident Response Management (IRMA) method, which combines traditional incident response with proactive learning and socio-technical perspectives. The IRMA method is targeted at integrated operations within the petroleum industry, but it is also applicable to other industries that rely on process control systems.

Information security incident management: Current practice as reported in the literature

This paper reports results of a systematic literature review on current practice and experiences with incident management, covering a wide variety of organisations. Identified practices are summarised according to the incident management phases of ISO/IEC 27035. The study shows that current practice and experience seem to be in line with the standard. We identify some inspirational examples that will be useful for organisations looking to improve their practices, and highlight which recommended practices generally are challenging to follow. We provide suggestions for addressing the challenges, and present identified research needs within information security incident management.

Cyber security challenges in Smart Grids

The introduction of telecommunication in the energy grid, leading the way towards Smart Grids, challenges the way safe operations have traditionally been assured in the energy sector. New cyber security challenges emerge, especially related to privacy, connectivity and security management, and these need to be properly addressed. Existing cyber security technology and good practice mainly come from the traditional telecommunication environment where the requirements on safety and availability are less strict. For Smart Grids, lessons can be learned from the oil and gas industry on how they have dealt with security challenges in their implementation of integrated operations. Still, Smart Grids face a slightly different reality, due to their extensive geographical distribution and the enormous number of end-users. The contribution of this paper is a survey of cyber security challenges for Smart Grids, together with a roadmap of how these challenges must be addressed in the near future.

Reference deployment models for eliminating user concerns on cloud security

Cloud computing has become a hot topic both in research and in industry, and when making decisions on deploying/adopting cloud computing related solutions, security has always been a major concern. This article summarizes security related issues in cloud computing and proposes five service deployment models to address these issues. The proposed models provide different security related features to address different requirements and scenarios and can serve as reference models for deployment.

Reusable Security Requirements for Healthcare Applications

Healthcare information systems are currently being migrated from paper based journals to fully digitalised information platforms. Protecting patient privacy is thus becoming an increasingly complex task, where several national and international legal requirements must be met. These legal requirements present only high-level goals for privacy protection, leaving the details of security requirements engineering to the developers of electronic healthcare systems. Our objective has been to map legal requirements for sensitive personal information to a set of reusable technical information security requirements. This paper presents examples of such requirements extracted from legislation applicable to the healthcare domain.

Security in Model Driven Development: A Survey

Model driven development (MDD) is considered a promising approach for software development. In this paper the results of a systematic survey is reported to identify the state-of-the-art within the topic of security in model driven development, with a special focus on finding empirical studies. We provide an introduction to the major secure MDD initiatives, but our survey shows that there is a lack of empirical work on the topic. We conclude that better standardisation initiatives and more empirical research in the field is necessary before it can be considered mature.