Probabilistic Security Quanti cation in Infrastructure as a Service Cloud Computing

Doudou Fall (1151133)

Cloud Computing is an information technology model that provides scalability, resilience, flexibility, efficiency and economic benefits. However, despite all the benefits, users are still reluctant to adopt Cloud Computing because of its security issues, which range from loss of control to multi-tenancy. It is that inherent multi-tenancy aspect of Cloud Computing that dissuades most consumers from utilizing it. As they have concerns about attackers exploiting multi-tenancy related vulnerabilities to put their data at risk. In this thesis, we explore the fact that any kind of attack that can arise in the cloud is the result of exploited vulnerabilities. In practice, many vulnerabilities may still remain in a cloud environment after they are discovered, due to environmental factors (latency in releasing vulnerability patches), cost factors (such as money and administrative efforts required for deploying patches), or mission factors (organizational preference for availability and usability over security). We propose a probabilistic security quantification method for Infrastructure as a Service Cloud Computing, which allows both consumers and Cloud Service Providers to measure the security of a given cloud environment. Our security quantification consists of representing a vulnerable IaaS system as a Boolean vulnerability tree. And from the analysis of the vulnerability tree we can then extract the quantification formula. Besides this main contribution, we have some subsidiary contributions regarding how to quantify multiple vulnerabilities in one specific component. Throughout the experiment, we were able to quantify the security level of different types of IaaS environments. Additionally, we were able to demonstrate how a cloud administrator can use this model to prioritize vulnerability patches. We also show how a consumer can evaluate the security of an IaaS provider by simulating plausible vulnerabilities in the system.