دانلود مقاله ترجمه شده سیستم عامل ابری و بازگشت سرمایه گذاری های امنیتی – مجله IEEE

فهرست مطالب:

چکیده
١.مقدمه
٢. پروسه ی تصمیم در خصوص انتقال
٣.معیار های امنیتی ابری
A.آسیب
B.هزینه ی کنترل
C.نرخ انتقال کنترل
D.آسیب وابسته
۴.معیار های ROSI
A.ارزیابی بازگشت سرمایه ی امنیتی (a-ROSI)
B.کنترل بازگشت سرمایه ی امنیتی (c-ROSI)
D.بازگشت سرمایه ی امنیتی (ROSI)
۵.سناریوی موردی
۶.فعالیت های مربوطه
٧.مباحث

بخشی از ترجمه:

مهاجرت به سمت سرویس های رایانش ابری را میتوان تصمیمی پیچیده دانست چرا که چندین پارامتر عمده وجود دارد که میتواند در تصمیم گیری شما در این خصوص نقش داشته باشد(مانند بودجه ی موجود، هزینه ها، کارائی و غیره). یکی از این پارامتر ها، امنیت اطلاعات و همچنین سرمایه ی مورد نیاز برای تضمین امنیت این اطلاعات میباشد. یک کلاینت نیاز داشته تا قابلیت های توسعه ی مختلفی که توسط سرویس دهندگان ابری (CSP) فراهم شده است را مورد ارزیابی قرار دهد. این مقاله، مجموعه ای از متریک ها را ارائه خواهیم داد که (بر حسب هزینه و جابجایی). بر روی ارزیابی کنترل های امنیتی در یک توسعه ی ابری متمرکز میباشدیک چنین روشی میتواند از کلاینت درباره ی این موضوع که آیا باید بخشی از سرویس ها، داده ها یا زیر ساهتار های خود را به یک CSP منتقل کند یا خیر، پشتیبانی کند.

بخشی از مقاله انگلیسی:

Abstract—Cloud migration is a complex decision because of the multiple parameters that contribute for or against it (e.g. available budget, costs, performance, etc.). One of these parameters is information security and the investment required in order to ensure it. A potential client needs to evaluate various deployment options and Cloud Service Providers (CSP). This paper proposes a set of metrics focused on the assessment of security controls of a cloud deployment, in terms of cost and mitigation. Such an approach can support the client to decide whether she selects to deploy part of her services, data or infrastructure to a CSP, or not. Keywords—cloud security; metrics; controls; Return on Investment (ROI); Return On Security Investment (ROSI); costbenefit analysis. I. INTRODUCTION A tenant decides to migrate part of his data, services, or infrastructure to a Cloud Service Provider (CSP) based on several parameters, such as expected benefits, adoption costs, performance, flexibility, business opportunities and others [1], [2], [3]. As in any new IT context, this decision requires a modified approach towards risk [4]. One deciding factor, not clearly depicted in existing literature, is whether the CSP offers security services and if so, the characteristics of these services, which signify both, varied levels of protection and cost. If the tenant anticipates higher probability of security events and/or substantial losses from potential security events, due to the lack of controls, she may not migrate to the cloud [2]. Each migration decision refers to a particular ‘deployment profile’, which is defined in the context of this paper to include four elements: deployed assets, cloud type (i.e. service model [5]), deployment model [4] and a specific CSP. Due to the varied level of tenant control of each profile, different security services are required by the CSP. Higher protection on the CSP side is expected to increase deployment fees, while lower protection translates to more controls (and cost) on the tenant’s side. This paper focuses on the security aspect of cloud migration and proposes security metrics which can be used in order to weigh benefits and costs of security for a particular deployment profile. The ultimate goal is to adequately assess whether migration of assets (e.g. data, services, applications, infrastructures, etc.) to the cloud is a beneficial decision or not, both from an economic and security perspective. This means that the tenant needs to evaluate both the level of security offered by the CSP and the cost that such controls introduce. We assume that the CSP is cooperating and reveals the security services offered. In this paper, we describe the logical process of such a decision (Section II), we define three categories of cloud security metrics (Section III), and we apply them on a comprehensive case scenario, described in Section IV. Section V compares our approach to other ones. The paper concludes with a discussion on limitations and future work. II. MIGRATION DECISION PROCESS The migration decision has two main inputs: the characteristics of the deployment profile and the required security and privacy controls [6], [7]. The latter can be either offered as a service by the CSP, or they may need to be implemented on the tenant side. Both options introduce migration costs, thus affecting the decision of the tenant. Essentially, the tenant has to answer to the following question: ‘Are the security controls offered adequate and efficient from an economic perspective?’’. The answer to this question may affect the decision to migrate to the cloud and it is usually co-examined with other business parameters [1]. The logical process of the decision follows four steps: 1. Define deployment profile. The tenant selects the migrated assets, the cloud type, and the deployment model, coupled with a CSP offering such a service. 2. Define set of controls, for the deployment profile. These may be offered by the CSP or implemented by the tenant (due to the cloud migration). 3. Evaluate benefit and cost metrics, for the assets of the deployment and for the implemented controls. 4. Evaluate Return on Security Investment (ROSI) for each combination of deployment profile-controls. The last step results in the evaluation of the ROSI of one or more profiles and the tenant deciding whether he will migrate or selecting the CSP, the model, and the type of cloud that is more beneficial. III. CLOUD SECURITY METRICS In order to assess ROSI for a deployment profile [6], we identify metrics for the deployed assets and respective controls. Damage cost refers to the potential damage inflicted in each deployed asset by a security incident (e.g. loss of availability), while control metrics evaluate (i) the level of protection provided, and (ii) the cost of implementing security 2013 IEEE International Conference on Cloud Computing Technology and Science 978-0-7695-5095-4/13 $31.00 © ۲۰۱۳ IEEE DOI 10.1109/CloudCom.2013.115 132 controls on the client side and/or acquiring security services by the CSP. A. Damage This metric quantifies the cost of a security incident, regardless of the presence of controls1 . The metric is assessed based on: (a) the value of the affected asset i, i.e. direct losses (service downtime, hardware replacement, etc.) or indirect losses (loss of reputation, non-compliance, etc.) depending on the type of the asset, (b) the cost of recovering the asset i to its initial status. Recovery costs may include the man-hours spent for recovering a service, maintenance or service cost for hardware or software, etc. However, in realistic conditions a more complex depiction of recovery costs may be required, as some costs may be dependent or difficult to estimate in advance.