How to increase SME’s trust in Cloud Service Providers
Kristjan Kivimaa
Submitted as part of the requirements for the degree of MSc in Cloud Computing at the School of Computing, National College of Ireland, Dublin, Ireland.
November 2017
Supervisor: Mr. Manuel Tova-Izquierdo
Abstract
Different cloud computing models are attracting an ever increasing base of users, business and private users alike. Software-as-a-Service (SaaS) is developing at an extraordinary speed. All major cloud providers come up with new service offerings almost on a weekly basis (Gartner, 2017). In a 2015 SANS Institute survey, 59% of users said that they were using Software-as-a-Service (SaaS) models for cloud deployments, and under 30% were using Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) (SANS Institute, 2016). Gartner, the world leading information technology research and advisory company, predicts that by 2020 there will be over 26 billion connected devices exchanging data and information over the Internet, and most of them will be using cloud services to a certain extent (Gartner, 2013). However, lack of trust in cloud providers and their responsibilities complicates the move to the cloud. Organizations in education, government and health-care incline towards private or community cloud solutions. This is not only because of the lack of responsibilities taken on by the cloud provider, but because of the customer’s inability to get a clear understanding of the provider’s security and privacy measures (CSCC, 2015). The underlying architecture of the cloud and its security are a mystery to users; they are kept in the dark, with very limited ability to collect relevant evidence of a breach from their platforms. Cloud users must rely fully on the co-operation of the cloud provider to gather the relevant data, or even to be aware of a breach. The research question for this thesis is: How to increase SME (small and medium enterprise) trust in Cloud Service Providers (CSP)? This dissertation was carried out to investigate one potential method of creating cloud security levels/metrics, which would give customers a higher degree of trust in vendors and an easily understandable way to compare vendors based on their security levels.
Clearly understandable security levels should also make it easier to acquire cyber insurance and thus would also be beneficial to insurance companies. Much of the research and models created to date have dealt with risk-based models and have focused on the security levels and not on the actual cost and efficiency of implementing those levels in a cloud provider’s environment.
I used a Graded Security Expert System to create a process model for IT SaaS: a model that finds the efficiency of the information security system based on the financial spending and the achieved security level (Ojamaa, Tyugu and Kivimaa, 2008). This model will allow insurance companies to gather efficiency level data and, more importantly, mitigation rate information from SMEs and CSPs, add the SME’s potential losses and easily calculate insurance premiums. A customer receiving cyber insurance and knowing that a 3rd party (the insurance company) has evaluated CSP security will undoubtedly have increased trust in the cloud service. I will be using the following efficiency equation to calculate the overall efficiency of the system:

$E = E_{SME} \times E_{CSP}$

The mitigation rate equation was derived to be as follows:

$AL = ALE(1 - E)$ and $mR = ALE/AL = 1/(1 - E)$

In these equations, E stands for Efficiency, AL stands for Annual Loss, ALE stands for Annual Loss Expectancy and mR stands for Mitigation Rate.
With the European general data protection regulation (GDPR) set to come into effect on 25 May 2018, preventing cloud-based attacks is more urgent than ever for businesses with operations and data in the EU. The new law will impose heavier penalties and fines on businesses that:
• Fail to protect data adequately - not all required security measures are implemented, or
• Are subject to a breach.
The purpose of GDPR is:
• Enhanced personal privacy rights
• Increased duty for protecting data
• Mandatory breach reporting
• Significant penalties for non-compliance
• Measurably reduce the risk of data breach
• Demonstrate regulatory compliance
• Protect intellectual property
• Protect brand equity
• Controls and notifications for customers
• Transparent policies
• IT and training
Minimum fines will be set at 12% of overall gross profit or 2-4% of gross revenue (subject to change). In addition to stiffer fines, the new regulation will include a provision for disclosure, in the name of the public interest, which will probably lead to many cybercrime victims losing additional revenue as their customers lose faith in their ability to protect their personal information (Dye, 2016). Customers have to realise that at this point there is a 50% year-over-year growth rate in electronic data, and it is impossible to have an audit trail for that amount. The generally stated time-frame to detect a security infiltration is a whopping 229 days (Marr, 2015). GDPR orders that a customer be informed at most 72h after the breach, so that might mean 232 days after their data has leaked. Implementation of the GDPR law will force SMEs, CSPs and insurance companies to work together and find a simplified solution for cyber insurance and computer forensics, as there is no such thing as a 100% safe IT system. My contributions include:
• Creation of the expert system for SME and CSP with GSES to generate the mitigation rate and efficiency data.
• Examples of generating those figures based on a theoretical SME and CSP set-up and cost.
Submission of Thesis and Dissertation
National College of Ireland
Research Students Declaration Form (Thesis/Author Declaration Form)
Name: Kristjan Kivimaa
Student Number: 15009220
Degree for which thesis is submitted: MSc in Cloud Computing
Material submitted for award
(a) I declare that the work has been composed by myself.
(b) I declare that all verbatim extracts contained in the thesis have been distinguished by quotation marks and the sources of information specifically acknowledged.
(c) My thesis will be included in electronic format in the College Institutional Repository TRAP (thesis reports and projects).
(d) Either *I declare that no material contained in the thesis has been used in any other submission for an academic award.
Or *I declare that the following material contained in the thesis formed part of a submission for the award of Master of Science in Cloud Computing awarded by QQI at level 9 on the NFQ
(State the award and the awarding body and list the material below)
Signature of research student: ______
Date: 14 August 2017
Acknowledgments
This dissertation was completed in the National College of Ireland, Cloud Competency Centre. Firstly, I would like to express my gratitude to my supervisor, Mr. Manuel Tova-Izquierdo, for his great support and advice during the writing period. I would also like to thank Dr. Jüri Kivimaa from CCDCOE (NATO Cooperative Cyber Defence Centre of Excellence) for sharing his knowledge and helping to construct the working model. His motivation has helped me to successfully complete my research work and the dissertation. Special thanks also belong to Enn Tyugu, Andres Ojamaa, Ando Saabas and Pavel Grigorenko from the Institute of Cybernetics at Tallinn University of Technology, who have created the visual programming platform “CoCoViLa”.
Contents
Abstract ... ii
Acknowledgments ... vi
1 Introduction ... 1
2 Background ... 5
2.1 Virtualization and Virtual Machines ... 5
2.2 Cloud ... 6
2.3 Security ... 7
2.4 Insurance ... 10
2.5 Existing models ... 15
2.5.1 CyberProtect ... 16
2.5.2 CyberCIEGE ... 17
2.5.3 GSTool ... 18
3 Methodology ... 20
4 Design Specification ... 22
5 Implementation ... 26
6 Evaluation ... 29
6.1 On-Site ... 30
6.2 SME + CSP (SaaS) ... 34
7 Conclusions ... 39
Bibliography ... 41
Appendixes ... 46
7.1 Manual ... 46
7.2 List of Abbreviations ... 51
List of Figures
1.1 The security cost function (Olovsson, 1992) ... 3
2.1 Cloud service models (NIST, 2011) ... 6
2.2 Cloud deployment models (NIST, 2011) ... 7
2.3 Internal Stakeholder Roles, Verizon, (2017) ... 15
2.4 CyberProtect relevants ... 17
2.5 CyberProtect measures ... 17
2.6 CyberCIEGE components view ... 18
2.7 BSI baseline example ... 19
4.1 Business Model, SME model and CSP/On-site model ... 23
4.2 Visual example of Schema- and Class Editor ... 25
6.1 SME On-Site setup ... 30
6.2 SME on-site delta Loss/delta Budget ... 31
6.3 Magnified SME on-site delta Loss/delta Budget ... 31
6.4 Exp Total Costs = IT Costs + Exp IT Losses ... 32
6.5 Magnified Exp Total Costs = IT Costs + Exp IT Losses ... 32
6.6 Rough estimate - on-site info-security optimal levels ... 33
6.7 SME + CSP model ... 34
6.8 delta Loss / delta Costs meaningful if >1 ... 35
6.9 Meaningful part of delta Loss / delta Costs meaningful if >1 - magnified ... 35
6.10 Exp Total Costs = IT Costs + Exp IT Losses ... 36
6.11 Magnified meaningful part of Total Cost ... 36
6.12 Rough estimate on information security optimal levels ... 37
6.13 Figures IT Capex and Opex for IT On-Site vs SaaS ... 38
6.14 IT Capex and Opex for IT On-Site vs SaaS ... 38
6.15 Figures IT Total Cost for IT On-Site vs SaaS ... 38
7.1 CoCoViLa download ... 46
7.2 Loading the package ... 47
7.3 Loading the Scheme ... 48
7.4 File selection ... 48
7.5 Selecting Java console ... 49
7.6 Java Console results ... 49
7.7 Running the Schema ... 50
7.8 CoCoViLa graphical results ... 50
Chapter 1
Introduction
The IT industry is rapidly transformed by cloud computing, as it provides on-demand elasticity and scalability with a pay-as-you-go payment method. No matter what cloud model or service the customer is using, the problem remains the same - cloud service providers’ (CSP) security processes and underlying infrastructure security are highly protected secrets. The service lacks any metrics, besides availability, for the customer to evaluate whether their system and data are properly secured. What cannot be measured cannot be controlled (Catmull and Wallace, 2014). This theory is quite a stretch, because much that can be measured is theoretical, while much that isn’t measured plays a big part in the overall outcome. In general it is applicable, but having no figures presented by a CSP is a huge concern to most customers. We just cannot rely on the CSP saying - don’t worry, trust us, your data is safe. I am proposing one possible solution to the topic ”How to increase SME trust in CSP”. Data breaches are a fact of life and the most common way to mitigate risk is transfer of risk by purchasing cyber insurance (Latham & Watkins, 2014). An insurance company could use the CSP’s mitigation rate and efficiency levels and the SME’s mitigation rate and efficiency level, together with the small and medium enterprise’s (SME) potential losses (provided by the business side), for a simplified calculation of insurance premiums. Having a simplified method of obtaining insurance and having information on CSP security/efficiency metrics would make it easier for customers to accept the inevitable risks that accompany information technology, and especially cloud services, where data does not reside in-house. With the European general data protection regulation (GDPR) set to come into effect on 25 May 2018, preventing file-based attacks is more urgent than ever for businesses with operations in the EU (Dye, 2016). The new law will impose heavier penalties and fines on businesses that:
• Fail to protect data adequately
• Are subject to a breach
This will probably lead to many concerns and even more trust issues, as a security breach could be the CSP’s fault and the SME will end up paying the heavy fines. This new law will make it imperative to have cyber insurance not only for SMEs, but also for CSPs. This law will force SMEs and CSPs to re-evaluate each other’s responsibilities, as the fines will be substantial and it must be easily discoverable who is to blame for the breach of security. The solution I’m proposing is to create standardized security/confidence metrics, using a graded security model that gives us concrete information about any given system’s security efficiency and risk mitigation levels. There are thousands of risks and thousands of security measures, so I will concentrate on just 8-12 of the most important security areas and the measures implemented for those areas. It is very hard to measure risks, since it is very hard to predict how an attacker will behave. Basically, it is only possible to appraise the security measures implemented by the CSP and the SME. A threat not covered by security measures is a risk. The idea behind the graded security model is that security goals, classes and measures, as well as the costs related to implementing the security measures, together with integrated security metrics, represent the overall security of a system. A specified number of levels are introduced for each security goal. The security class/efficiency of the system is determined by the security requirements that must be satisfied (Kivimaa, 2013). The purpose of this thesis is to offer CSPs and SMEs a potential way to calculate optimal spending for required security/confidence levels, thus helping customers make informed decisions and equally increasing trust in cloud service providers’ capabilities. This method also offers insurance companies a simplified method of assessing the risks associated with SMEs and with CSPs and their individual services.
This research will implement the Graded Security Model (GSM) on the Java-based CoCoViLa graphical decision-making platform, developed by the Institute of Cybernetics in Estonia (Kotkas et al, 2011). GSM describes information security as a business process and was developed using a theoretical method. For GSM’s optimum principles, the basic idea was taken from Tomas Olovsson (1992) - Expected IT Sec Total Cost = IT Sec Costs + Expected IT Sec Losses - as shown in Figure 1.1. GSES (Graded Security Expert System) is perfectly suited to my needs as the underlying algorithms have been created for brute force and evolutionary optimization; also, unlike most risk assessment and decision making models, it is freeware. In addition, the model has to be easy and relatively fast to use, as IT security experts are usually already overburdened with work. The main challenge of using the model should be just filling it in with the correct information.
Figure 1.1: The security cost function (Olovsson, 1992).
The business model of PEOPLE-PROCESSES-TECHNOLOGY will be used to describe the model. The main ideas include the use of metrics to determine information systems’ security requirements and the use of risk analysis (levels of security goals) as IT security metrics to achieve measurable security levels, mitigation rate and security efficiency. As we, like SMEs, lack specific details about CSPs’ security processes/costs, this research will be theoretical, using the most common security control areas, and will be shown as a simplified approach. This research will adopt 10 security areas, while CSPs will use significantly more fields (40+) (NIST, 2015). As an example, additional security areas might be as follows - security documentation, risk assessment and treatment, security accrediting, intrusion detection, segmentation, awareness training, personal working environment, information exchange policies and procedures, transaction integrity, data archiving, external regulations, audit capacity, audit trail, monitoring, business continuity management, redundancy, crisis management, asset management, power redundancy, physical security, patches, malware handling, access rights, network access rights etc. The model is also flexible in terms of how many security levels can be defined. For some organizations it could be enough to have only three levels, for instance low, medium and high. Others could require five or even more security levels. The metrics of the graded security approach are used to express the relations between security goals, security confidence and security costs. This requires specifying the areas of security activities and the security levels, describing the security measures that should be implemented to achieve a specific security level, defining how much it will cost to implement the safeguards for each security level, and assigning a security confidence to each security area and security level (Kivimaa, 2013).
Expected Contributions
The research question for this thesis is: How to increase SMEs’ trust in CSPs? I am proposing to use the help of a 3rd party insurance company to measure SMEs’ and CSPs’ security efficiency and mitigation rates and to offer cyber insurance based on the received information. Insurance companies are the perfect choice for a 3rd party as CSPs already share their confidential information with their massive enterprise customers, standardization authorities and insurance companies. Private users don’t normally require high security, and enterprise customers have much greater access to CSP confidential information about security measures. SME customers require high level security but don’t have the required information, and thus are the most vulnerable customers. It is quite clear that banks (who have billions to lose) and SMEs (maybe millions to lose) might require different levels of security, and CSPs have not provided any numbers regarding security levels that would help customers evaluate whether the CSP’s security might be suitable for their needs. The most important benefits of the prototype are:
• Allows calculation of the max security confidence/efficiency level for a given budget
• Allows calculation of the security efficiency, mitigation rates and total IT risk
• Provides clear results in the form of graphs that can be included in executive reports and are easily understandable.
For research purposes, it will be reasonable to compare the security measures implemented by an SME in an on-site configuration against the measures implemented in the SME ’PEOPLE’ business model with a CSP back-end confidence of 0.99. Results will be presented as a cost/mitigation rate/efficiency optimality curve under security constraints.
Results
Since we can easily state that most SMEs lack the budget to have high-end security measures in-house, and CSPs implement the same (very high) level of security for all standard customers, we saw quite an increase in SME security efficiency and mitigation rates, with a decreased budget, when using CSP SaaS services. We can see that for SMEs (On-Site vs. SaaS), SaaS provided much cheaper but higher information security levels - 0.963 vs. 0.914. Also the Annual Loss Expectancy dropped from 3434 euro to 1487 euro.
It was quite clear that SaaS would be a perfect solution for small and medium enterprises, but as there are no comparable security levels and insurance in place, they are reluctant to make the move to the cloud.
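The graded security model described in Chapter 1 (security areas, graded levels that each carry a cost and a confidence value, brute-force search for the best confidence under a budget, and Olovsson’s rule Expected IT Sec Total Cost = IT Sec Costs + Expected IT Sec Losses), together with the efficiency and mitigation-rate equations from the abstract, can be exercised on a toy data set. The Python below is an added worked example and is not the thesis’s CoCoViLa/GSES model: the four security areas, their per-level costs and confidence values, the ALE of 20000 euro and the candidate budgets are constructed for illustration, and the rule that overall confidence is the weakest-link (minimum) value across areas is an assumption of this example, since the thesis does not state how per-area confidences combine.

```python
"""Graded security model on a toy data set: brute-force level selection under a
budget, efficiency E = E_SME x E_CSP, annual loss AL = ALE(1 - E), mitigation
rate mR = 1/(1 - E), and the Olovsson total-cost optimum. Added example; all
figures are constructed and are not the thesis's data."""
from itertools import product

# Constructed: for each security area, a list of graded levels as
# (implementation cost in euro per year, confidence in [0, 1]).
# Level 0 means the measure is not implemented at all.
AREAS = {
    "Access control":     [(0, 0.50), (400, 0.80), (1200, 0.92), (3000, 0.98)],
    "Patch management":   [(0, 0.40), (300, 0.75), (900, 0.90), (2500, 0.97)],
    "Backup/recovery":    [(0, 0.30), (500, 0.70), (1500, 0.88), (3500, 0.96)],
    "Awareness training": [(0, 0.45), (200, 0.70), (600, 0.85), (1500, 0.93)],
}


def combined_confidence(confidences):
    """Assumption of this example (the thesis does not specify the rule):
    overall confidence is the weakest link, i.e. the minimum over areas."""
    return min(confidences)


def best_for_budget(areas, budget):
    """Brute force over every combination of levels (the thesis says GSES uses
    brute-force/evolutionary search). Returns (levels, cost, confidence) for
    the highest-confidence combination that fits the budget; on a tie, the
    cheapest one. Returns None if even level 0 everywhere exceeds the budget."""
    names = list(areas)
    best = None
    for combo in product(*(range(len(areas[n])) for n in names)):
        cost = sum(areas[n][lvl][0] for n, lvl in zip(names, combo))
        if cost > budget:
            continue
        conf = combined_confidence(areas[n][lvl][1] for n, lvl in zip(names, combo))
        key = (conf, -cost)            # higher confidence first, then lower cost
        if best is None or key > best[0]:
            best = (key, dict(zip(names, combo)), cost, conf)
    if best is None:
        return None
    _, levels, cost, conf = best
    return levels, cost, conf


def efficiency(e_sme, e_csp):
    """Overall efficiency from the abstract: E = E_SME x E_CSP."""
    return e_sme * e_csp


def annual_loss(ale, e):
    """AL = ALE(1 - E): expected loss left after the security measures."""
    return ale * (1 - e)


def mitigation_rate(e):
    """mR = ALE/AL = 1/(1 - E); grows without bound as E approaches 1."""
    if not 0 <= e < 1:
        raise ValueError("efficiency must be in [0, 1)")
    return 1 / (1 - e)


def optimal_budget(areas, ale, budgets, e_csp=1.0):
    """Olovsson's rule: expected total cost = security cost + expected losses.
    For each candidate budget, take the best affordable combination, compute
    E with the CSP back-end confidence (1.0 = purely on-site), and return the
    (budget, cost, E, total) row with the lowest total cost."""
    rows = []
    for b in budgets:
        res = best_for_budget(areas, b)
        if res is None:
            continue
        _, cost, conf = res
        e = efficiency(conf, e_csp)
        rows.append((b, cost, e, cost + annual_loss(ale, e)))
    return min(rows, key=lambda r: r[3])


if __name__ == "__main__":
    ALE = 20000  # constructed annual loss expectancy with no measures, in euro
    for budget in (0, 3000, 20000):
        levels, cost, conf = best_for_budget(AREAS, budget)
        print(f"budget {budget:>6}: cost {cost:>6}  confidence {conf:.2f}  {levels}")
    b, cost, e, total = optimal_budget(AREAS, ALE, range(0, 12001, 500))
    print(f"on-site optimum: budget {b}, cost {cost}, E={e:.2f}, total {total:.0f}")
    b, cost, e, total = optimal_budget(AREAS, ALE, range(0, 12001, 500), e_csp=0.99)
    print(f"with CSP 0.99:   budget {b}, cost {cost}, E={e:.4f}, total {total:.0f}")
    # Mitigation rates for the efficiency figures reported in the thesis results
    for e in (0.914, 0.963):
        print(f"E={e}: AL={annual_loss(ALE, e):.0f} euro, mR={mitigation_rate(e):.1f}")
```

With these constructed figures the total-cost curve bottoms out at a spend of 4200 euro (confidence 0.85): spending less leaves too much expected loss, spending more buys confidence that costs more than the loss it removes, which is exactly the shape of Figure 1.1. The weakest-link rule also shows why an SME cannot buy its way to a high confidence cheaply: one neglected area caps the whole result.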
Chapter 2
Background
The background section will give a general overview of the underlying technologies that are essential for cloud computing and will help us evaluate the potential security risks and the proposed solution. The sections will be classified under different headings and will provide an overview of how little information users have about security measures in the cloud. It will clearly show that the main constant measure of cloud service and security is up-time, and how non-existent the responsibilities of the cloud service providers are. It shows that the only option for the user, at this point, is to rely on cyber insurance to transfer some of the risks to a third party. Yet again, the customer gets a quote but no real information about what statistical means were used to arrive at the insurance premium. I will introduce 3 programs that come close to the concept I’m proposing (a qualitative reliability-theory-based model).
2.1 Virtualization and Virtual Machines
In the 1960s, J.C.R. Licklider had a vision that everyone on the globe could be interconnected, accessing programs and data from anywhere - which sounds very much like what we now call cloud computing. The vision was fulfilled by IBM programmer Jim Rymarczyk, who created the CP-40 and CP-67 software (hypervisor) to enable multiple programs to be run on the mainframe at the same time (Sahani, Kumar and Kumar, 2012). This IBM partitioning concept eventually became a stepping stone for VMware, which brought virtualization to x86 servers in 1999. In virtualization, large pools of logical resources are created - CPU, disk, memory, networking, applications - and released to users as scalable, consolidated virtual machines or applications.
Virtualization allows system resources to be requested without allowing access to the underlying hardware (Shawish and Salama, 2014). Virtualization is the most important underlying technology for cloud computing; it takes a physical resource, such as a server, and divides it into virtual resources called virtual machines. With server consolidation, many smaller physical servers can be replaced by a larger physical server to increase the utilization of costly hardware resources such as CPU and RAM. Hardware is consolidated, but there will be many operating systems running on the same server (Gurav and Shaikh, 2010).
2.2 Cloud
Cloud Computing is an assembly of resources - applications, hardware and operating systems - all provided as a service to customers. Per the National Institute of Standards and Technology (NIST), the cloud model consists of five essential characteristics, three service models, and four deployment models (NIST, 2011). The main service/cloud models are IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service) and the ever expanding XaaS (anything as a service) (Sinanc and Sagiroglu, 2013). Each comes with a distinct separation of duties, as shown in Figure 2.1.
Figure 2.1: Cloud service models (NIST, 2011).
The essential characteristics of a cloud are: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service (Sinanc et al, 2013).
Cloud services can be deployed as public, private, community or hybrid, as shown in Figure 2.2.
Figure 2.2: Cloud deployment models (NIST, 2011).
For this research project, I will be concentrating on the SaaS model deployed in a public cloud. SaaS is the fastest growing cloud service after cloud marketing and will continue to grow steadily (Gartner, 2017). For my research it is very suitable to use SaaS, as big enterprises can mostly handle their information security at a level that no SME ever could, purely for financial reasons. In a SaaS environment, the CSP is almost fully in charge of security measures, and the SME will only be required to train their employees in online security awareness and keep their workstations properly secured and patched with the latest updates. SaaS is very similar to the software provisioning model, where clients access software on a server, but in this case the software is usually accessed via web browsers, or the entire application resides in the cloud and is accessed via an application shortcut on the client’s workstation. SaaS is the most familiar form of cloud service for consumers, where the task of managing software and its deployment is the responsibility of a third-party service. The most recognizable SaaS applications are Salesforce, Google Apps, Dropbox and, of course, Office 365. SaaS applications are very popular in SME set-ups as they reduce the cost of software ownership by removing the need for personnel to install, manage and upgrade software, and also reduce the cost of licensing software. In most cases, using SaaS allows SMEs to retire many of their own servers that were previously dedicated to running that software.
2.3 Security
As stated by Ahmed, N. M. (2017), cloud technologies significantly decreased the ability of data holders to control and enforce access to their data. Cloud service providers are responsible for ensuring the security of data storage, transmission and processing, but data holders do not have the power to affect security provisioning; they can only select the service provider with the highest announced security. Such an announcement can be made in the form of a Service Level Agreement (SLA). The terms of the Quality of Service (QoS) to be provided and the economic conditions are established in the SLA. The higher the QoS range, the higher the price. This is the traditional classification of services, which may not be in line with the Business-Level (Macías and Guitart, 2012). I concluded that Client Classification policies in SLA negotiation rarely achieve their objectives, and the percentage of violated SLAs is lower for users who have high priority (not SMEs but rather big corporations) (Macías et al, 2012). Branco and Santos (2016) stated perfectly that there are no regulatory bodies in place to monitor the CSPs, and CSPs mainly put only quality of service and availability into the SLA, which is clearly not enough. It is clear that contracts with CSPs have to be more transparent and more specific, to clarify the issues regarding security and to define the pertinent responsibilities in the business relationship with their clients. As there are no regulatory bodies or standards yet defined, I concluded that insurance companies would be the best 3rd party to monitor security related issues, as the new European General Data Protection Regulation (GDPR), set to come into effect on 25 May 2018, should require all SMEs and CSPs to have cyber insurance to be able to afford the penalties if a breach occurs (Official Journal of the European Union, 2016). Some of the main challenges include data security and confidentiality, as well as lack of standardization and vendor lock-in (this is already improving on many services). Cloud service providers are mainly responsible for software licensing and service availability.
With the new EU regulations (GDPR) set to come into effect on 25 May 2018, preventing cloud-based attacks is more urgent than ever for businesses with operations within the EU. There must be a clear SLA for security breaches/disclosure of breaches, and cloud providers have to take responsibility, as penalties for any data breach are severe - minimum fines will be set at 2-4 percent of global turnover, with maximum fines double that, or a flat sum of 20 million euro for SMEs (Official Journal of the European Union, 2016). It is impossible to guarantee that there will be no security breaches, even by implementing all the recommended security standards (mostly used for banking level security standards); this only diminishes the probability of a breach. The CSP will at least be required to inform the customer about a breach within 72 hours. We must keep in mind that in a SaaS environment the breach will not be obvious to a customer; only the CSP can discover and confirm an attack. In many cases customers have been informed about a security incident by third parties who have come across the customer’s sensitive information online. According to a massive survey of almost 2000 cybersecurity specialists, the following security concerns emerged (Schulze, 2017):
• The top three cloud security concerns were protecting against data loss (57%), threats to data privacy (49%), and breaches of confidentiality (47%).
• Traditional security tools and knowledge are not designed for the unique challenges cloud adoption presents (78%).
• Visibility into cloud infrastructure (37%), compliance (36%) and setting consistent security policies (33%).
• Expectation that cloud security budgets will increase over the next 12 months (33%).
There are multiple attack vectors aimed at SaaS services (Trump, 2016):
• SQL Injection;
• Insecure Authorization;
• Insecure Direct Object Reference;
• Stored Cross-site Scripting;
• Insecure Authentication;
• Insecure Password Reset;
• Guessed Password;
• Default Credentials;
• Single Factor Authentication;
• Insecurely Configured Application Server.
Attacks can only be detected and prevented by the CSP, most likely using the following methods (Trump, 2016):
• Daily External Vulnerability Scan - evolving into an external web application vulnerability scanner or an external open-port-based scanner, this provides an external attacker’s view of the infrastructure.
• Daily External IP(s) Black List Check - leverages the work being done to secure the SaaS infrastructure; comparing customer IPs to a black list threat intel feed would yield Indications of Compromise in customer networks and SaaS IoC (Intelligent Operations Center) at the load balancers.
According to SANS Institute (2016), other minimal security considerations have to be:
• Anti-malware
• Cloud access security brokers (CASBs)
• DLP - data loss prevention (host- or network-based)
• Encryption and key management
• Federated identity and access management
• Firewalls
• IDS/IPS
• Multifactor authentication
• Network access controls
• VPN
We can conclude that cloud computing is not mature enough to be considered a safe and competent computing model (mainly because of the lack of information and standards), and was brought to the market prematurely. CSPs claim (and most likely have) bank level security (security efficiency 0.99, mitigation rate close to 100), but at this point it has not been proven by a third party. For this, there is a need for a trusted 3rd party insurance company to evaluate both SME and CSP security levels, as the overall security is only as safe as its weakest link (in most cases the SME). An insurance company is a suitable partner as they already have cyber-security customers and have high level access to information about CSPs’ infrastructure and security measures. At the Microsoft Ready event on 17-21 July 2017 in Las Vegas, it was stated that even though most security measures are not made available to the general public, enterprise customers, accreditation auditors and insurance companies do have access to that information.
2.4 Insurance
Data breaches are a fact of life and most common way to mitigate risk is transfer of risk purchasing cyber insurance (Latham et al, 2014). Cyber insurance is the transfer of financial risk associated with network and computer incidents to a third party. It goes beyond traditional business interruption and crime insurances (although the line is vague) by covering, for instance, liability issues, property loss and theft, data damage, loss of income from network outage and
computer failures, or website defacement (Meland, Tondel and Solhaug, 2015). As stated by Meland et al. (2015), cyber insurance's benefits go beyond receiving a claim payout in the case of a breach. It is in the insurance companies' best interest to limit the number of payouts. For a business, buying the policy also means gaining an ally and, to some extent, access to this ally's resources. For an SME to get any security information from a CSP would be impossible, but an insurance company with thousands of customers grouped together would have the backing to get access to CSP security processes and security rankings. With the new GDPR law coming into force in 2018, CSPs will have increased motivation to avail information to insurance companies (Official Journal of the European Union, 2016). Zhao, Xue and Whinston (2009) address issues with security spending from the insurer's point of view: the customer has the finances and means but will use them on useless security activities. With information security we have to keep in mind that the overall security is only as strong as its weakest link. Cybersecurity is a new domain where both insurers and the insured face challenges. Without technical experience or actuarial data, insurers don't really know what to require from their customers (Meland et al., 2015). Businesses also struggle to implement (and document) security best practices that would ultimately entitle them to better premiums. Sadly, cyber security policies still lack a standardized form, content and vocabulary. For the insured, comparing offers and fully grasping coverage is no cakewalk (Meland et al., 2015). Cyber insurance policies cover both first- and third-party losses suffered as a result of a cybersecurity breach, but the scope of coverage is increasingly refined and can cover a variety of risk scenarios depending on the insurance type (Latham et al., 2014).
Not only that, but the insurance company must review the SME's security solutions beforehand; otherwise it could be like insuring a house that is already on fire. Most cyber policies currently on the market offer a combination of two types of insurance coverage:
• First-party coverage: covers direct losses to the organization.
• Third-party coverage: protects against claims against the organization by third parties, such as customers or partners.
Besides financial coverage, insurers also provide risk management and post-breach services, including loss-prevention measures and remediation tools. Security risk assessment can, and perhaps should, serve as a tool for increasing our understanding of the economic aspects of security and risk. We need a functioning security model that also includes the financial side, which is what I am proposing in this thesis.
It is in the insurance company's best interest to limit the number of payouts. Thus, for a business, buying a policy also implies gaining an ally and, to some extent, access to this ally's resources; the insurance company, in turn, is interested in gaining the CSP's co-operation. There can be multiple ways to calculate cyber security premiums in an insurance company, each more complicated than the next. Mukhopadhyay, Chatterjee, Saha, Mahanti and Sadhukhan (2017) suggested a Gaussian Copula aided C-VA risk assessment approach and quantification equations. Martinelli and Yautsiukhin (2016) offer a simpler method with their formal simplistic model, but in this thesis I will concentrate on the SME side and suggest using simple probability theory: Probable Annual Losses = ALmax/mR. The problem with all those approaches is that nobody can be exactly sure how the actual breach probability and premiums are calculated in insurance companies; all approaches are just theoretical. We can assume that cyber insurance is no different from any other type of insurance and is calculated based on historical data: probability of occurrence and financial loss. SMEs must keep in mind that annual probable losses are not only lost finances, but can also be loss of customer trust, lawsuits, fines implemented by the government/EU etc., and all those must be considered when informing an insurance company about their potential losses. Having trust in the provider is strongly linked to disclosure of information from all parties involved (Riek, Bohme and Moore, 2016). While the number of organizations investing in cyber insurance is slowly increasing year by year, it has not yet realized its potential and, according to ENISA (European Union Agency for Network and Information Security), there is still a lack of empirical evidence as to the strength and maturity of the cyber insurance market (Biener, Bohme and Wirfs, 2015).
Providing online services and insuring the risks of e-commerce, the CSP should be ready for the requirement of granting insurance protection. As the CSP doesn't offer that service personally, they should be prepared for insurance companies necessarily carrying out an independent inspection if a breach happens. For example, Net Secure provides cyber cover for up to 200 million dollars; the policy even includes compensation for losses caused by failures in the network and the inaccessibility of the site. The Counter Security Inc. Lloyd's policy offers insurance guarantees for damages from hacker attacks with a premium of 20,000 dollars and a payout of up to 1 million; with a premium of 75,000 the possible payout is up to 10 million. We can safely say that cyber-attacks may be the biggest risk that global businesses are unprepared for. Record numbers of data breaches have driven large organizations to increase spending on security at twice the rate of other information technology during the past several years, according to market-growth studies by Gartner, IDC (Independent Directors Council) and others that predict growth of between 4.7 percent and 9.9
percent during the next five to seven years (Filkins, 2016). We have seen an increase in every kind of attack, but mostly DDoS attacks and ransomware are on the rise, and they are extremely hard to safeguard against. It can be very difficult to prove or estimate how much the loss would be and that it directly resulted from a cyber-attack, as attackers try to remove the evidence that the attack ever occurred. Predicting risks for any online environment is very hard, as we lack information for retrospective analysis, and this presents a challenge. The data simply does not exist to develop the models to calculate risk and set rates for predictable losses and exposure. Cyber insurance considerations (Filkins, 2016):
• Select the correct level of coverage you need. An internal audit might be needed to determine the total value of your company's data and the future cost of a possible breach.
• Check possible attack definitions and know what situations will trigger your coverage.
• Make sure that policies also cover threats from the inside, which may be far more likely and more damaging.
• Keep in mind that most cyber insurance policies do not cover non-technical attacks like on-premises theft.
• Be careful when considering double cyber insurance, as one policy could negate the other.
• Ensure that policies cover more than just the immediate damage, including possible litigation following a breach. They should cover all costs associated with an incident, investigation and remediation, as well as any court costs and penalties.
• Use a broker you trust. Ask the broker to compare premiums from different insurance companies; the premiums can differ significantly.
Why is all this extremely important? In 2011, Sony's PlayStation Network was breached and attackers managed to compromise more than 77 million accounts, costing Sony an estimated 170 million dollars. Sony thought their general liability insurance policy covered the incident, but they were wrong.
Sony took their insurers to court, but the courts just confirmed that Sony's policy didn't cover the damages of the cyber breach. The breach was potentially one of the biggest ever into a store of credit cards; Sony PSN is one of the world's biggest holders of credit cards (not as large as Amazon, eBay or PayPal). Sony was breached again in
2014, but they had an appropriate cyber insurance policy in place that experts predict will cover most, if not all, of their estimated 100 million dollars in losses. Sony learned to assess the risk a cyber-attack posed to their business and took steps to mitigate its potential impact (Quinn and Arthur, 2011). Thankfully, we can see that cyber insurers are beginning to understand the need to differentiate themselves and price policies based on the actual risk of the insured. To this day, most insurers use the neighbour method: you sold Bank A a 500 million policy for 5 million, so logically that will work for Bank B. The issue with this is that the cyber security posture of Bank A could be wildly different from that of Bank B. Measuring cyber risk requires understanding how ALL the business assets are impacted by a cyber-attack. Assets must be prioritized. A system that makes money, or could cost you money in fines if breached, is much different from a system with minimal business impact. Visibility into the risk exposure in dollars and cents provides cyber insurance companies with competitive advantages that allow them to differentiate policies for good cyber drivers and gain a competitive edge. Risk metrics allow for risk accumulation scenario analysis for data exfiltration and cloud compromise across the portfolio of the cyber insurance company. As stated by Skroupa (2017), the risk metrics now demonstrate how much cyber insurance is really needed by an organization. From an SME perspective, acquiring cyber insurance could be a lengthy process internally and could involve almost every department of the business, as shown in Figure 2.3.
Figure 2.3: Internal Stakeholder Roles, Verizon, (2017).
According to Frost & Sullivan (2017), 91% of IT decision-makers said they have engaged, or plan to engage, a third-party expert for assistance in implementing their cloud strategies. Having a 3rd party without any inside information, which only compares different CSPs' price plans and offers the best solution, is not effective. I would imagine that an insurance company with inside information would make a much better cloud broker for SMEs, and they could also provide the insurance premium quote on the spot.
2.5 Existing models
The existing models section will give a general overview of 3 programs that have been helpful tools in developing my model, as they are potentially able to calculate certain security levels and probabilities (mitigation rates and effectiveness), but cannot be modified with the required data. There are countless programs that are able to do similar calculations with the required data input, but they would require thousands of man-hours to set up, would be extremely complex and don't give a mitigation rate that, I believe, should be the basis of IT security levels. Well-known risk management tools are FSR-Manager Tool, Strategic Thought and RiskNav. They are all very hard to use and are extremely expensive for SMEs.
As stated by Garvey (2008), many smaller programs utilize customized Microsoft Excel or Access risk management tools, and those are very tedious to use and hard to understand. It is extremely important that the model's value is easily recognizable and the model itself easily understandable by the business side, as they are the ones approving the IT budget. It also has to be easily modifiable when security measures change.
2.5.1 CyberProtect
The simulation allows the player to purchase hardware and applications as information security countermeasures in the local area network environment (LAN), the Internet (WAN) and the company's other global sites (offices). The game takes place over 4 quarters, which can be considered as 4 years (approximately the expected lifespan of hardware). Each quarter, the user needs to make decisions about what resources/countermeasures to purchase and put in place. You will be allocated 40, 20, 20, 20 purchase units (capex, opex) respectively over the four quarters. You record those decisions on a form. After making the decisions for each of the four quarters, you set the simulation in motion. The environment will be subject to a variety of security attacks (O'Brien, 2013). As in real-world situations, there is good and bad fortune associated with the simulation, so even very poorly allocated resources can have the good fortune to be subjected to very few attacks, and therefore block the attack (O'Brien, 2013). The game implements three different levels of security; information security goals are often based on the CIA paradigm (Confidentiality, Integrity and Availability). For example, if these three categories are each assigned 4 possible levels, then we get a model of 4x4x4=64 levels (high-level SMEs perhaps). For CSP-level cyber-security, perhaps 6 categories may be more suitable, which would result in a realistic model with 4096 levels. This game model gave me the idea of calculating security efficiency/effectiveness based on the mitigation rate (called the readiness rate in CyberProtect) and of optimizing the spending per relevant.
Figure 2.4: CyberProtect relevants.
Figure 2.5: CyberProtect measures.
2.5.2 CyberCIEGE
The CyberCIEGE video game was designed to challenge players with computer security decisions within an office environment, and it encourages experimentation, failure and reflection. The game includes over twenty scenarios that cover various computer and network security concepts/challenges. CyberCIEGE also allows the player to create and customize game scenarios (though not to the extent that my model requires). The Naval Postgraduate School uses the game in its introduction to Computer Security course, and it is used in hundreds of educational institutions worldwide (Cone, Irvine, Thompson and Nguyen, 2007). This game's model options were used as an example of security areas to consider and basic security measures to be taken to mitigate risks. Although many of the concepts included in cyber security awareness training are universal, many areas still needed to be tailored to address the policies and requirements of a cloud environment.
Figure 2.6: CyberCIEGE components view.
2.5.3 GSTool
GSTool has been created by the Federal Office for Information Security (German: Bundesamt für Sicherheit in der Informationstechnik, abbreviated as BSI), the German upper-level federal agency in charge of managing computer and communication security for the German government. This includes the security of computer applications, critical infrastructure, Internet security, cryptography, counter-eavesdropping, certification of security products and security accreditation (BSI, 2004). From GSTool I took the IT Baseline Protection Catalogs: appropriate personnel, technical, organizational and infrastructural security for a normal level of protection. Besides probability and potential damage, implementation costs are also considered. With the Baseline Protection Catalogs, costly security analyses by expert knowledge are no longer needed, since overall risks are stated at the beginning (Kouns and Minoli, 2011). I feel that using just the baseline recommendation is not anywhere close to the level information security should be at nowadays, but it does give a good grasp of the areas and measures to concentrate on. The general principle of the model is good, but it doesn't
allow for optimizing the use of resources, so the resources could easily be allocated to a security measure that doesn't increase the overall security by much, or at all. The tool has been improved over the years, but it still resembles the original Excel table form and is very hard to understand. The business side in an SME would need weeks, if not months, of training before being able to understand the model.
Figure 2.7: BSI baseline example.
Chapter 3
Methodology
The main idea for the model comes from Olovsson (1992), "A structured approach to computer security", which presents an interesting basic idea about optimal IT security costs: Minimal Expected Total Cost = Security Costs (Capex + Opex) + Expected Security Losses. The model will be based on a commonly used business model: People-Process-Technology/Governance. In my cloud model the PEOPLE section will be the SME (mainly employees and their workstations), PROCESS can frankly be described as the software solutions used, and TECHNOLOGY will be the hardware used; those last two will fall under CSP responsibilities. This logic will only be applicable to the SaaS model in the cloud. The selection of the right security measures is a complex problem, because multiple objectives need to be achieved at the same time. IT security must assure the required security levels and acceptable losses from security incidents within the available IT budget. The SME wants to get the best security effectiveness for their money. That means Loss/Cost > 1 or, most simply put, ROI (return on investment) > 0, where ROI = (Loss - Cost)/Cost. It is very common that ROI is calculated for a specific security activity, but it is important to elevate the entire security level, not only a specific activity. We need to be able to measure and calculate the total effectiveness of the entire information system, both SME and CSP. We must not only concentrate on one area but on the entire chain, and divide the existing and optional information security resources optimally between all security activities to achieve the maximum total security effectiveness. Effectiveness must meet two requirements:
• We must determine values for the effectiveness of all IT security activities.
• A theory for calculating the total effectiveness of the security system must be in place; information security is only effective if all important activities are effective.
Model calculations will be based on Qualitative Reliability Theory. This project is theoretical and will be developed using a theoretical method, concentrating on conceptual issues. I can state that information security highly depends on the specific requirements of the business: an SME can have 10^10 variations and a CSP can have up to 10^26 unique variations (Kivimaa, 2013). We would be able to collect case studies and other empirical evidence for SMEs with their co-operation, but not for CSPs, as their data is only available to enterprise customers, insurance companies and accreditation entities. I will be working with two assumptions:
• Forced assumption: We lack enough information regarding CSP security measures and finances, so the model will be lacking quality information regarding the CSP. Separate research will be needed when this information becomes available to the public or to insurance companies. As I don't have specific numbers for the probability of attack, I will assume that any unprotected information will be attacked.
• Rational assumption: The goal is to obtain SME and CSP efficiency and mitigation rates using the model. The People-Process-Technology and Governance business process model will be used. People-Process-Technology will be the relevants and are represented in serial connection, and security measures will be added to the relevants as parallels for multi-level security. The weakest-link-in-the-chain logic applies to relevants (serial), but not to parallels (security measures implemented): some parallel supporting security measures can fail but other parallel supporting activities can still keep the system safe, i.e. multilevel security (Kivimaa, 2013).
Chapter 4
Design Specification
This research will implement the Graded Security Model (GSM) on the Java-based CoCoViLa graphical decision-making platform, developed by the Institute of Cybernetics in Estonia (Kotkas et al., 2011). The GSM for a Cloud SaaS solution describes information security as a business process and was developed using a theoretical method. For the GSM's principles, the basic idea was taken from Tomas Olovsson (1992): Expected IT Sec Total Cost = IT Sec Costs + Expected IT Sec Losses. The commonly used business model of PEOPLE-PROCESSES-TECHNOLOGY // Governance in serial connection will be used to describe the model, as shown in Figure 4.1. Serial connection means that if one link fails, the entire connection is broken, and in our case information security will be ineffective (Kivimaa, 2013). Security measures will be added in parallel to the serial (relevant) components, and if some of them fail, it doesn't make the overall security of the system ineffective.
Figure 4.1: Business Model, SME model and CSP/On-site model.
There are many software products applicable for modelling and simulation on the market. They can be roughly divided into three categories: general-purpose modelling and simulation software (Simulink and Scicos), model-based application development software (MetaEdit) and large-scale discrete event simulation software (OPNET Modeler, OMNet++). The common feature in all of them is a visual specification capability: drawing schemes from components and connecting them to each other. In CoCoViLa the resulting simulation is always compiled into a single program, which provides good simulation performance (Kotkas et al., 2011). The CoCoViLa platform supports visual and model-based software development. I would like to refer to CoCoViLa as a decision-making platform, as CoCoViLa uses structural elements in programs to translate declarative specifications of simulation problems into executable code. Rich components are an important concept of the work and are implemented as Java classes with modifiable elements, which include visual representations as well as daemons supporting interaction with the user during the simulation (when the Java console is opened). The platform is developed as open-source software, and its extensions can be written in Java and included in simulation packages (Kotkas et al., 2011). In my model, I will make use of the simulation of results in the form of a Pareto curve and resource distribution curves (Ojamaa, Tyugu and Kivimaa, 2008). Because optimization procedures are contained in rich components, the algorithm data used for a computation is easy to change by just replacing a component or its data in the scheme. This makes GSES unique, as a security expert can just describe (assemble) the model without any programming skills: all the underlying programming has been done by programmers, and an expert can compile a program like putting together Lego bricks. The CoCoViLa programming platform has a Schema Editor and a Class Editor (Kivimaa, 2013):
• Class Editor for defining class properties and their visual representations;
• Scheme Editor for visually drawing objects and presenting classes on schemes: setting values of object properties, defining relationships between object attributes, using expert tables and generating Java programs from schemes.
The schema consists of:
• The security measure groups (vertically aligned purple boxes), containing the investment costs, maintenance costs and deficiencies for each level of implementation.
• MC or UF: Monte Carlo sampling or the Union-find cut set search algorithm, used to identify the MCSs of my coherent graph.
• The super-class (blue box) for collecting all attribute values through the specification language's alias mechanism and containing all references to the hidden 23 classes containing the actual reliability calculations.
• The optimizer (green box) collecting all the optimization results and containing the GSM cost and efficiency functions plus a reference to a hidden class with a slightly modified Evolutionary Algorithm.
• The security class (red box) containing all information about the security goals together with the losses calculation (not covered in this paper).
• A graph2D object allowing the representation of my optimization results in a 2D graph.
The bindings between components allow the exchange of values between classes, and the super-class allows the selection of different efficiency levels (efficiency levels of the measure groups as required by the security goals) (Kivimaa, 2013).
Business Model in series or parallel (Figure 4.2): If a partial failure of a security domain leads to the entire IT system becoming inoperable, the part is considered to be relevant and is connected in serial. If failure of a part leads to the other parts becoming less secure/effective, but the system still remains operable, the part is considered to be supporting and is represented as operating in parallel to the relevant part(s). Relevant measure groups are the edges of the graph connecting the circular nodes and are represented as red boxes. The green boxes, connected to the relevant measure groups, represent the supporting security measure groups.
Figure 4.2: Visual example of Schema- and Class Editor.
Chapter 5
Implementation
As the basis, I used CompTIA's ideas about minimal IT security areas described in the Foundational Security Technology Package. In 2016 CompTIA identified and recommended the key technologies required, and this is supported by UK Cyber Security Essentials, the SANS Institute and multiple best-practice recommendations worldwide (Trump, 2016).
• Backup
• Antivirus
• Mail Scanning/Protection
• Access Control
• Patching and Updating
• Secure Wireless
• Control Physical Access
As every business has an individual and very specific IT set-up, they require a uniquely graded security model. My draft model for SMEs and SaaS CSPs:
SME as Cloud SaaS customer. Relevant IT activities:
• People
• Personal WorkStations
Supporting IT Sec activities:
• AWT
• Backup
• Antimalware (incl. Mail Scanning)
• Access Rights Management (incl. NAC)
• Patching and Updating
• Secure Configuration
• Encryption + key management
• Governance
For SMEs, a minimal IT/IT Sec model should have at least 10 activities. The model will be much more complicated for bigger and IT-critical institutions. As an example, a model for a small Estonian bank (not really big, but IT-critical) has 33 activities. For big and critical institutions around 60 or even more activities would be included in the model (Kivimaa, 2013). For every security activity, a possible implementation level for cost-effectiveness will be described, and with risk analysis the maximal Annual Loss Expectancy (max ALE) for IT. In my example, there are only 4 levels: zero, bad, medium and good. Cost values will be specified accordingly. Effectiveness will be based heavily on expert opinion and its accuracy will be +-20% (mainly because I don't have correct statistical information about real security activities' effectiveness): zero=0; bad=0.3; medium=0.6; good=0.9. I discovered that the fault tolerance of the model was sufficient and achievable. Therefore, it is possible to get a sufficient expert assessment of the potential information security losses for an SME and also for a CSP. For this research, I was only able to add assumed SME figures, as I don't know the CSP's financial and security activity details. Supporting information security activities must include a Redundancy Coefficient (Rc), because security activities will not improve all IT security problems. To eliminate hardware problems in computers, the following three activities are needed (simplified):
• Find Defect.
• Fix Defect.
• Restart System.
Let us assume that Restart happens very quickly and can, therefore, be ignored. As an example, the information security solution Logging/Monitoring contributes only to Find Defect and not to Fix Defect, i.e. Rc=0.5.
• Encryption addresses problems from the CIA (Confidentiality, Integrity, Availability) security goals only in the C and I part, i.e. Rc=0.67.
• From the business side's risk analyses we will find out our (i.e. IT) max ALE, i.e. IT risks without IT security.
Define and describe the needed graphs for IT cost optimization. Budget = Capex (Investment) and Opex (Maintenance). Basic examples of graphs that are of interest:
• Effectiveness, E=f(Budget)
• IT Costs=f(Budget)
• Mitigation rate mR=f(Budget), calculated from E: mR=1/(1-E)
• Expected Annual Loss AL=f(Budget): AL=maxALE/mR
• Total Cost TC=IT Costs+IT Losses=f(Budget); the optimal TC is the minimal one
• deltaLoss/deltaCost=f(Budget); the rational area for IT security is where deltaLoss/deltaCost > 1
In my model, all relationships between measure groups are serial or parallel. More complicated models may include bridge, star and other topologies. The model is able to calculate the effectiveness function for every possible graph (serial, parallel, star and bridge) by only using two formulas: the serial components' availability formula and the parallel components' availability formula. A coherent graph can always be replaced by an equivalent series structure of its Minimal Cut Sets (MCSs). The MCS search algorithm is based on the findings of Librizzi, Sansavini and Zio (2006). That methodology is based on a combination of Cellular Automata (CA), Monte Carlo (MC) sampling and the Union-find cut set search algorithm, all used to identify the MCSs in coherent graphs. In my Cloud GSES graph structure, I have placed the relevant measure groups at the edges of the graph, connecting the circular nodes and represented as red boxes. The nodes are considered to be fully reliable (E=1). The green boxes, connected to the relevant measure groups, represent the supporting security measures. To achieve fully redundant security activities the principle is: "as long as not all of the supporting system components fail, the entire system is safe".
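The effectiveness, mitigation-rate and cost formulas of Chapters 3 to 5 can be run end to end on a small constructed SME profile. The block below is an added example in Python, not code from the thesis or from the CoCoViLa platform; its euro costs, the assignment of AWT, Antimalware, Logging/Monitoring and Encryption to the People and PWS relevants, and the use of Rc as a multiplier on level effectiveness are assumptions.

```python
"""Graded Security Model (GSM) calculator: added example, not code from the thesis
or from CoCoViLa. Implements the chapter's formulas (serial/parallel availability,
mR = 1/(1-E), AL = maxALE/mR, TC = IT costs + AL) over a constructed SME profile;
the euro costs, the mapping of supporting measures to relevants and Rc as a
multiplier are assumptions.
"""
import math
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Tuple

LIFESPAN_YEARS = 5              # hardware/software lifespan used in the thesis
LEVEL_E = (0.0, 0.3, 0.6, 0.9)  # effectiveness of levels zero, bad, medium, good


@dataclass(frozen=True)
class Measure:
    """One security activity with constructed euro costs for levels 0..3."""
    name: str
    rc: float                         # redundancy coefficient (share of problems covered)
    capex: Tuple[int, int, int, int]  # one-off investment per level
    opex: Tuple[int, int, int, int]   # annual maintenance per level
    backs: Optional[str] = None       # relevant a supporting measure is attached to

    def annual_cost(self, level: int) -> float:
        # Investment is spread over the lifespan, as the evaluation chapter does.
        return self.capex[level] / LIFESPAN_YEARS + self.opex[level]

    def effectiveness(self, level: int) -> float:
        # Assumption: Rc scales level effectiveness (Rc=0.5: helps Find Defect only).
        return self.rc * LEVEL_E[level]


# Constructed SME profile: two relevants in serial, supporting measures in parallel.
RELEVANTS = (
    Measure("People", 1.0, (0, 2000, 4000, 8000), (0, 1000, 2000, 4000)),
    Measure("PWS", 1.0, (0, 3000, 6000, 12000), (0, 500, 1000, 2000)),
)
SUPPORTING = (
    Measure("AWT", 1.0, (0, 300, 600, 1200), (0, 200, 400, 800), backs="People"),
    Measure("Antimalware", 1.0, (0, 150, 400, 900), (0, 100, 300, 800), backs="PWS"),
    Measure("Logging/Monitoring", 0.5, (0, 200, 500, 1200), (0, 100, 250, 600), backs="PWS"),
    Measure("Encryption", 0.67, (0, 400, 900, 2000), (0, 100, 200, 500), backs="PWS"),
)
ALL_MEASURES = RELEVANTS + SUPPORTING


def serial_effectiveness(es: List[float]) -> float:
    """Weakest-link chain: every relevant must hold, so effectiveness multiplies."""
    return math.prod(es)


def parallel_effectiveness(es: List[float]) -> float:
    """Redundant measures: the link fails only if all of them fail."""
    return 1.0 - math.prod(1.0 - x for x in es)


def mitigation_rate(e: float) -> float:
    """mR = 1/(1-E); a fully effective system has an unbounded mitigation rate."""
    return math.inf if e >= 1.0 else 1.0 / (1.0 - e)


def expected_annual_loss(max_ale: float, e: float) -> float:
    """AL = maxALE/mR: the share of the unprotected loss that still gets through."""
    return max_ale / mitigation_rate(e)


def chain_effectiveness(levels: Dict[str, int]) -> float:
    """Each relevant link is itself in parallel with its supporting measures;
    the links are then combined in serial."""
    links = []
    for rel in RELEVANTS:
        es = [rel.effectiveness(levels[rel.name])]
        es += [m.effectiveness(levels[m.name]) for m in SUPPORTING if m.backs == rel.name]
        links.append(parallel_effectiveness(es))
    return serial_effectiveness(links)


def evaluate(levels: Dict[str, int], max_ale: float) -> Dict[str, object]:
    """Annual cost, E, mR, expected loss and TC = cost + loss for one profile."""
    cost = sum(m.annual_cost(levels[m.name]) for m in ALL_MEASURES)
    e = chain_effectiveness(levels)
    loss = expected_annual_loss(max_ale, e)
    return {"levels": dict(levels), "cost": cost, "effectiveness": e,
            "mitigation_rate": mitigation_rate(e), "loss": loss, "total_cost": cost + loss}


def optimise(max_ale: float, budget: float = math.inf) -> Optional[Dict[str, object]]:
    """Exhaustive search (the thesis uses an evolutionary algorithm) for the profile
    with minimal TC within the budget; relevants may not stay at level 0."""
    names = [m.name for m in ALL_MEASURES]
    ranges = [range(1, 4) if m.backs is None else range(4) for m in ALL_MEASURES]
    best = None
    for combo in product(*ranges):
        result = evaluate(dict(zip(names, combo)), max_ale)
        if result["cost"] <= budget and (best is None or result["total_cost"] < best["total_cost"]):
            best = result
    return best


def delta_loss_per_delta_cost(max_ale: float, levels_from: Dict[str, int], levels_to: Dict[str, int]) -> float:
    """deltaLoss/deltaCost between two profiles; values above 1 mark the rational area."""
    a, b = evaluate(levels_from, max_ale), evaluate(levels_to, max_ale)
    return (a["loss"] - b["loss"]) / (b["cost"] - a["cost"])


if __name__ == "__main__":
    best = optimise(max_ale=40000)  # maxALE of the SME as used in the evaluation chapter
    print(best["levels"], "E=%.3f mR=%.2f AL=%.0f TC=%.0f" % (
        best["effectiveness"], best["mitigation_rate"], best["loss"], best["total_cost"]))
```

With maxALE = 40000, mitigation_rate and expected_annual_loss reproduce the mR of 11.65 and the expected loss of about 3434 euro that the evaluation chapter reports for E = 0.914.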
Chapter 6
Evaluation
In real life there are two ways of planning information systems security:
• New Information System, meaning all relevant IT and IT Security supporting activities' initial stage (iLvSit) is set to "0"
• Working Information System, where the initial stage (iLvSit) in most areas cannot be "0"
The comparison of on-site and cloud security measures will be made for the status of a new Information System.
6.1 On-Site
Figure 6.1: SME On-Site setup.
• Initializing Evolutionary Algorithm ... Budget = 4700.0 ... done: [1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0]. This is the initial state that excludes the possibility of a relevant being "0"; effectiveness = 0.20878753188802945
• Opt: Initializing Evolutionary Algorithm ... Budget = 7450.0 ... done opt: TC=7450+3434=10884, [3, 3, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3] = 0.9141292481256358
I have to add relevant level "1" to the budget, as there are expenses included when starting from square one (computers etc.). The real optimum is (Investment + Maintenance) = 7450+17400 = 24850 euro; because the hardware and software life expectancy is chosen to be 5 years, it would be correct to add 1/5 of 17400, i.e. 3480 euro, ending with Capex+Opex = 7450+3480 = 10930 euro. Optimal security profile: ITG = level 3, ITHRM = level 3, [1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1], ITSM = level 3.
Figure 6.2: SME on-site delta Loss/delta Budget.
The optimal part has been magnified.
Figure 6.3: Magnified SME on-site delta Loss/delta Budget.
We can see here that dLoss/dBudget < 1 starts from 8200 euro, so spending more than 8000 euro would be a waste.
Figure 6.4: Exp Total Costs = IT Costs + Exp IT Losses.
Optimal part has been magnified.
Figure 6.5: Magnified Exp Total Costs = IT Costs + Exp IT Losses.
We can see that the optimal money-flow for the IT budget in the first year = 7450+17400 = 24850 euro (starting from zero); optimal expected IT losses = 3434 euro; opt TC = 10884+17400 = 28284 euro.
Following years 2-5 optimal TC = approximately 7450+3434 = 10884 euro, if we consider the life-expectancy of the hardware to be 5 years.
IT_On-Site Capex = IT_On-Site Capex + IT Sec_On-Site Capex:
IT_On-Site Capex (including relevants' 1st level investments ITHRM, PWS, SW, Servers, LAN, WAN, ITG) = 8000+2000+3000+4000+400 = 17400 euro.
IT Sec_On-Site Capex (including supporting levels 1, 1, 1, 1, 1, 1, 1, ITSM 3) = 150+400+400+400+200+200+1500 = 3250 euro.
IT On-Site Capex 1st lifecycle year = 17400+3250 = 20650
IT On-Site Capex 2nd-5th lifecycle years = 3250
IT On-Site Opex (including all maintenance levels 3, 3, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3) = 4200
Figure 6.6: Rough estimate - on-site info-security optimal levels.
From the model we get the following: optimal Efficiency E(7450) = 0.914; optimal mitigation rate mR(7450) = 11.65. As we can see, the SME's optimal security level is quite low; CSPs and banks, for example, need an mR of at least 100, because the SME's potential maxALE is only 40000 euro (for a bank or CSP it is about 100 times higher). Similarly to the SME optimal security profile just calculated (effectiveness, mitigation rate, Total Cost), a CSP profile should be calculated. It would obviously be orders of magnitude more complicated; as I do not have the base data to do it, I will skip it for now. Also worth mentioning: I use the one box, many connections approach, but a CSP would most likely use the many boxes, one connection approach to gain more precise results.
6.2 SME + CSP (SaaS)

Figure 6.7: SME + CSP model.

The CSP has been selected with four security levels:

• Investment/Capex = 0, Maintenance/Opex = 0, Effectiveness = 0
• Investment/Capex = 0, Maintenance/Opex = 3000, Effectiveness = 0.9
• Investment/Capex = 0, Maintenance/Opex = 3500, Effectiveness = 0.95
• Investment/Capex = 0, Maintenance/Opex = 4000, Effectiveness = 0.99

As the Opex example, for an SME of 20 users, I selected the Office 365 premium package, which also offers online collaboration tools and storage and costs 12.50 per user per month. For the annual bill we get 3000 euro. For the effectiveness increases of 0.05 and 0.04 I chose a price increase of 15% per annum (Microsoft, 2017). The assumption was made that CSPs offer differently ranked services at different prices: major enterprise and high-paying customers versus small, low-price customers. A significant simplification was made: as I was lacking the data from CSPs, the Cost/Effectiveness values remain the same On-Site -> Cloud. In reality the amount of work, effectiveness and parallel coefficient will change, but this will give us a general understanding of what will be affected by a move to the Cloud, and how.
Figure 6.8: delta Loss / delta Costs meaningful if >1.
Figure 6.9: Meaningful part of delta Loss / delta Costs (meaningful if >1), magnified.
Starting from 6000 euro, dL/dC < 1, so it is meaningless to spend over 6000 euro.
Figure 6.10: Exp Total Costs = IT Costs + Exp IT Losses.
Figure 6.11: Magnified meaningful part of Total Cost.
The optimal budget for the first year = 6000 + 8000 = 14000 euro (starting from square one, Capex will be 8000 euro for 20 employees' workstations); optimal Exp IT Losses = 1487 euro; optimal money-flow in year 1: TC = 6000 + 1487 + 8000 = 15487 euro. In years 2-5 the optimal TC is approximately 6000 + 1487 = 7487 euro if the hardware lifespan is 5 years.
IT SaaS Capex (total) = IT SaaS Capex + IT Sec SaaS Capex:
IT SaaS Capex (incl. relevant Level 1 investments ITHRM, PWS, CSP, ITG) = 8000 euro
IT Sec On-Site Capex (incl. supporting levels 1, 1, 1, 1, 1, 1, 1) = 150 + 400 + 400 + 400 + 200 + 200 + 150 = 1900 euro
IT On-Site Capex year 1 = 8000 + 1900 = 9900 euro
IT On-Site Capex years 2-5 = 1900 euro
IT On-Site Opex (on all Maintenance levels 1, 3, 3, 1, 1, 1, 1, 1, 1, 1, 1) = 4100 euro

Figure 6.12: Rough estimate on information security optimal levels.
From Figure 6.12 we can see that the optimal E(6000) = 0.963 and opt mR(5600) = 27.6. The SaaS optimal security levels already provide the SME with much higher and more reasonable information security. With the current (very simplified) background data, Opex On-Site versus SaaS is practically the same, but there is a very significant difference in Capex: in year 1, 20650 euro vs. 9900 euro, and in years 2-5, 3250 euro vs. 1900 euro. Thus, for SMEs, compared to On-Site, SaaS provides much cheaper yet higher information security levels: 0.963 vs. 0.914. And, of course, with SaaS, a considerably better Annual Loss Expectancy: 1487 euro vs. 3434 euro. The financial savings would therefore be:
Figure 6.13: Figures of IT Capex and Opex for IT On-Site vs SaaS.
Figure 6.14: IT Capex and Opex for IT On-Site vs SaaS.
Figure 6.15: Figures of IT Total Cost for IT On-Site vs SaaS.
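The on-site versus SaaS comparison of this chapter, reproduced as an added example in Python (not the thesis's CoCoViLa model): the Capex, Opex, budget and Total Cost figures are the ones given above, the relations E = 1 - ALE/maxALE and mR = maxALE/ALE are my inference from the reported values, and the Loss(Budget) curve used for the dLoss/dBudget cutoff check is constructed.

```python
"""Added worked example (not the thesis's CoCoViLa model): reproduce the on-site
vs SaaS cost comparison of Chapter 6 and the security metrics derived from it."""
from dataclasses import dataclass

MAX_ALE = 40000        # the SME's potential maximum ALE stated in the text (euro)
LIFECYCLE_YEARS = 5    # hardware/software life expectancy assumed in the text


@dataclass(frozen=True)
class Scenario:
    name: str
    relevant_capex: int  # level-1 investments when starting from square one
    sec_capex: int       # IT security Capex (supporting activities), every year
    sec_opex: int        # IT security Opex (maintenance levels), every year
    exp_loss: int        # expected annual IT losses at the optimal budget

    def opt_budget(self) -> int:
        """Optimal annual IT security budget = security Capex + security Opex."""
        return self.sec_capex + self.sec_opex

    def capex(self, year: int) -> int:
        """Level-1 investments are paid only in the first lifecycle year."""
        return self.sec_capex + (self.relevant_capex if year == 1 else 0)

    def total_cost(self, year: int) -> int:
        """Exp Total Cost = IT costs + Exp IT losses for the given year."""
        first_year_capex = self.relevant_capex if year == 1 else 0
        return self.opt_budget() + self.exp_loss + first_year_capex

    def lifecycle_cost(self) -> int:
        return sum(self.total_cost(y) for y in range(1, LIFECYCLE_YEARS + 1))


# Figures taken from the thesis text (euro).
ON_SITE = Scenario("On-Site", relevant_capex=17400, sec_capex=3250, sec_opex=4200, exp_loss=3434)
SAAS = Scenario("SaaS", relevant_capex=8000, sec_capex=1900, sec_opex=4100, exp_loss=1487)


def efficiency(exp_loss: float, max_ale: float = MAX_ALE) -> float:
    """E = 1 - ALE/maxALE; inferred from the reported figures, not stated in the text."""
    return 1 - exp_loss / max_ale


def mitigation_rate(exp_loss: float, max_ale: float = MAX_ALE) -> float:
    """mR = maxALE/ALE; inferred from the reported figures, not stated in the text."""
    return max_ale / exp_loss


def lifecycle_saving(costly: Scenario, cheaper: Scenario) -> int:
    return costly.lifecycle_cost() - cheaper.lifecycle_cost()


def marginal_cutoff(curve):
    """First budget at which dLoss/dBudget drops below 1, i.e. where one more euro of
    security spending no longer removes a euro of expected loss.
    `curve` is a list of (budget, expected_loss) pairs sorted by budget."""
    for (b0, l0), (b1, l1) in zip(curve, curve[1:]):
        if (l0 - l1) / (b1 - b0) < 1:
            return b1
    return None


# Constructed sample of the on-site Loss(Budget) curve; only the optimum (7450, 3434)
# and the 8200 euro cutoff come from the text, the other points are made up.
ON_SITE_CURVE = [(6000, 5500), (7000, 4000), (7450, 3434), (8200, 2900), (9000, 2600)]

if __name__ == "__main__":
    for s in (ON_SITE, SAAS):
        print(f"{s.name}: budget {s.opt_budget()}, year-1 TC {s.total_cost(1)}, "
              f"years 2-5 TC {s.total_cost(2)}, E={efficiency(s.exp_loss):.3f}, "
              f"mR={mitigation_rate(s.exp_loss):.2f}")
    print("5-year saving with SaaS:", lifecycle_saving(ON_SITE, SAAS), "euro")
    print("on-site spending beyond", marginal_cutoff(ON_SITE_CURVE), "euro is wasted")
```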
Chapter 7

Conclusions

I can say that the graphical graded decision support model described in this thesis is a reasonably good solution to the problem of creating efficiency and mitigation levels based on information security cost optimization. The decision to base the method on the People-Process-Technology approach has proven justified. My expectation is that more expert knowledge and statistical data will be collected when CSPs start using the model and insurance companies start recording security issues. As more information is collected, the work required for follow-up modification decreases. It would be very useful if companies (both SMEs and CSPs) published concrete and comparable Cost and Effectiveness values of their IT and information security solutions. This would considerably simplify expert information collection and improve its accuracy. It is not enough for the customer to see CSP promotions; they need to know certain security levels for their own selection of a CSP and for insurance purposes. It has been proven with this model that with relatively minimal work it is possible for insurance companies to calculate their premiums (using their own equations) based on GSM findings from SMEs and CSPs and on SME IT residual risk. I cannot be sure about other methodologies used, as they are all classified by insurance companies and CSPs. I firmly believe that a fair cyber insurance premium (the cost of insurance would depend on, and stimulate, better security at both SMEs and CSPs) would significantly increase SMEs' (and also insurance companies') trust in CSP security.

Summary of the findings

I have described and developed a graph-based, graded security model suitable for information security ranking, based on two ideas:

• the widely used People-Process-Technology business model;
• relevant and redundant supporting IT and IT security activities.

In order to describe IT and IT Sec as a process, there are two very important basic ideas:

• If all relevant activities are at a good level, the entire system will be in good standing.
• Supporting activities are parallel to the relevant (serial) activities.

In summary, I can say that the main goal of this project is completed:

• I have developed a graphical IT security ranking model based on security efficiency and mitigation rate for SMEs and CSPs.
• The method has been tested theoretically.

Future Directions for Research:

• The probability of attacks should be included, but I do not have that information available. I assume that unprotected assets will be attacked. This merits further research with the help of CSPs.
• Losses from security incidents should be included, but I do not have that information. This needs the co-operation of insurance companies and the business side of SMEs.
• A CSP model should be created, adding additional security goals (non-repudiation, mission criticality etc.) and financial information.
• Include the expected hardware life-cycle in the model: every five years a new investment may be required for an activity, and that year is likely different for different activities.
• The model can be made more precise (by setting Rc individually for every shared security activity) with the many boxes, one connection approach, instead of the one box, many connections approach used in this research.
Bibliography

Ahmed, N. M. (2017) 'Measuring Cloud Security Risk by Mean Failure Cost'. Computational Intelligence (SSCI) IEEE Symposium Series, Athens, Greece, 13 February 2017, pp. 39-45.

Biener, C., Eling, M. and Wirfs, J.H. (2015) Insurability of Cyber Risk: An empirical analysis, case, [Online] Available at: http://www.ivw.unisg.ch/ /media/internet/content/dateien/instituteundcenters/ivw/wps/wp151.pdf [Accessed 4 April 2017].

Branco, T. and Santos, H. (2016) 'What is missing for trust in the Cloud Computing?'. 2016 ACM SIGMIS Conference on Computers and People Research, Alexandria, Virginia, USA, 2-4 June 2016, pp. 27-28.

BSI (Federal Office for Information Security) (2004) The GSTOOL Manual [Online] Available at: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/GSTOOL/gstoolmanual pdf [Accessed 6 June 2017].

Catmull, E. and Wallace, A. (2014) Creativity, Inc.: Overcoming the Unseen Forces That Stand in the Way of True Inspiration. 1st ed. New York City, New York, United States: Random House.

Cone, B.D., Irvine, C.E., Thompson, M.F. and Nguyen, T.D. (2007) A videogame for cyber security training and awareness, case [Online] Available at: https://www.academia.edu/8707118/A video game for cyber security training and awareness?auto=d [Accessed 6 June 2017].

CSCC (2015) Security for Cloud Computing: Ten Steps to Ensure Success, Version 2.0 [Online] Available at: http://www.cloud-council.org/deliverables/CSCC-Securityfor-Cloud-Computing-10-Steps-to-Ensure-Success.pdf [Accessed 11 July 2017].

Dye, C. (2016) SMEs move into cyber criminals' crosshairs [Online] Available at: http://www.computerweekly.com/opinion/SMEs-move-into-cyber-criminalscrosshairs [Accessed 27 May 2017].

Filkins, B. (2016) Quantifying Risk: Closing the Chasm Between Cybersecurity and Cyber Insurance [Online] Available at: https://www.sans.org/reading-room/whitepapers/leadership/quantifying-risk-closing-chasm-cybersecurity-cyberinsurance-36770 [Accessed 27 May 2017].

Frost & Sullivan (2017) The Rise of the Cloud Service Broker Model: Helping IT Organizations Transform to Support Digital Business [Online] Available at: http://frost.ly/1ix [Accessed 14 July 2017].

Humpert, F. (2005) IT-Grundschutz umsetzen mit GSTOOL. Anleitungen und Praxistipps für den erfolgreichen Einsatz des BSI-Standards [Online] Available at: http://www.beck-shop.de/fachbuch/leseprobe/9783446229846 Excerpt 002.pdf [Accessed 6 June 2017].

Gartner (2013) Gartner Says the Internet of Things Installed Base Will Grow to 26 Billion Units By 2020 [Online] Available at: http://www.gartner.com/newsroom/id/2636073 [Accessed 15 June 2017].

Gartner (2017) Gartner Says Worldwide Public Cloud Services Market to Grow 18 Percent in 2017 [Online] Available at: http://www.gartner.com/newsroom/id/3616417 [Accessed 2 July 2017].

Garvey, P.R. (2008) Analytical Methods for Risk Management: A Systems Engineering Perspective. Boca Raton, London, New York: Chapman-Hall/CRC Press, Taylor & Francis Group (UK).

Gurav, U. and Shaikh, R. (2010) 'Virtualization: A key feature of cloud computing', International Conference and Workshop on Emerging Trends in Technology, Mumbai, India, 26-27 Feb. 2010, pp. 227-229.

Kivimaa, J. (2013) A cost optimization model for IT security. PhD in Business Administration thesis. Tallinn: Estonian Business School. [Online] Available at: https://issuu.com/acpil/docs/kivimaa - dissertation june 2014 2 and http://www.digar.ee/arhiiv/et/download/120067 [Accessed 15 April 2017].

Kotkas, V., Ojamaa, A., Grigorenko, P., Maigre, R., Harf, M. and Tyugu, E. (2011) 'CoCoViLa as a multifunctional simulation platform', SIMUTools '11 Proceedings of the 4th International ICST Conference on Simulation Tools and Techniques, Barcelona, Spain, 21-25 March 2011, pp. 198-205.

Kouns, J. and Minoli, D. (2011) Information Technology Risk Management in Enterprise Environments: A Review of Industry Practices and a Practical Guide to Risk Management Teams. John Wiley & Sons.

Latham & Watkins (2014) Cyber Insurance: A Last Line of Defense When Technology Fails. Client Alert White Paper, (1675). [Online] Available at: https://www.lw.com/thoughtLeadership/lw-cybersecurity-insurance-policy-coverage [Accessed 11 April 2017].

Librizzi, M., Sansavini, G. and Zio, E. (2006) 'Determining the Minimal Cut Sets and Fussell-Vesely importance measures in binary networks by simulation'. Safety and Reliability for Managing Risk, 1: pp. 723-729.

Macas, M. and Guitart, J. (2012) 'Client Classification Policies for SLA Enforcement in Shared Cloud Datacenters'. 12th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, Barcelona, Spain, February 2017, pp. 460-472.

Marciano, C. (2017) How much does Cyber/Data Breach Insurance Cost? [Online] Available at: https://databreachinsurancequote.com/cyber-insurance/cyber-insurance-data-breach-insurance-premiums/ [Accessed 28 May 2017].

Marr, B. (2015) Big Data: 20 Mind-Boggling Facts Everyone Must Read [Online] Available at: https://www.forbes.com/sites/bernardmarr/2015/09/30/big-data-20-mind-boggling-facts-everyone-must-read/24dc456217b1 [Accessed 8 July 2017].

Martinelli, F. and Yautsiukhin, A. (2016) 'Security by Insurance for Services'. 2016 IEEE International Conference on Software Quality, Reliability and Security Companion, Vienna, Austria, 1-3 August.

Meland, P.H., Tondel, I.A. and Solhaug, B. (2015) 'Mitigating Risk with Cyberinsurance'. IEEE Security & Privacy, 13(6): pp. 38-43.

Microsoft (2017) Office 365 Business Premium [Online] Available at: https://products.office.com/en/business/office-365-business-premium [Accessed 8 May 2017].

Mukhopadhyay, A., Chatterjee, A., Saha, D., Mahanti, A. and Sadhukhan, S. K. (2017) 'Cyber-risk decision models: To insure IT or not?' Decision Support Systems, 98: pp. 1-112, [Online] Available at: http://www.sciencedirect.com/science/journal/01679236 [Accessed 28 May 2017].

NIST – National Institute of Standards and Technology (2011) The NIST Definition of Cloud Computing. [Online] Available at: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf [Accessed 15 April 2017].

NIST – National Institute of Standards and Technology (2015) Cloud Computing Service Metrics Description. Special Publication 500-307. [Online] Available at: https://ofti.org/wp-content/uploads/2015/02/RATAX-CloudServiceMetricsDescription-DRAFT-20141111.pdf [Accessed 11 April 2017].

O'Brien, A. (2013) CyberProtect - Learning about System Security guide. [Online] Available at: http://commons.aaahq.org/files/d624b4bea3/AIS 340 CyberProtect AAAPOSTERS F12.doc [Accessed 7 June 2017].

Official Journal of the European Union (2016) General Data Protection Regulation. [Online] Available at: http://ec.europa.eu/justice/data-protection/reform/files/regulation oj en.pdf [Accessed 4 April 2017].

Ojamaa, A., Tyugu, E. and Kivimaa, J. (2008) 'Pareto-optimal situation analysis for selection of security measures', Military Communications Conference (MILCOM 2008). IEEE. San Diego, CA, USA, 16-19 Nov. 2008, pp. 1-7.

Ojamaa, A., Tyugu, E. and Kivimaa, J. (2009) 'Managing evolving security situations', Military Communications Conference (MILCOM 2009). IEEE. Boston, MA, USA, 8-21 Oct. 2009, pp. 1-7. [Online] Available at: http://ezproxy.ncirl.ie:2162/document/5380110/?reload=true [Accessed 10 July 2017].

Olovsson, T. (1992) A Structured Approach to Computer Security. Technical Report No. 122 [Online] Available at: http://publications.lib.chalmers.se/records/fulltext/local 166411.pdf [Accessed 12 April 2017] [Accessed 18 April 2017].

Quinn and Arthur (2011) PlayStation Network hackers access data of 77 million users. [Online] Available at: https://www.theguardian.com/technology/2011/apr/26/playstation-network-hackersdata [Accessed 1 July 2017].

Riek, M., Bohme, R. and Moore, T. (2016) 'Measuring the influence of perceived cybercrime risk on online service avoidance', IEEE Transactions on Dependable and Secure Computing, 13(2): pp. 261-273.

Sahani, G. N., Kumar, J. and Kumar, N. (2012) 'Cloud Computing: An Emerging Computing Paradigm for Delivering Computing Services'. International Journal of Computer Science and Information Technologies, 3(6): pp. 397-399.

SANS Institute (2016) Security and Accountability in the Cloud Data Center: A SANS Survey. [Online] Available at: https://www.sans.org/reading-room/whitepapers/analyst/security-accountability-cloud-data-center-survey-37327 [Accessed 11 April 2017].

Schulze, H. (2017) Cybersecurity Trends Report 2017, case, [Online] Available at: https://www.herjavecgroup.com/wp-content/uploads/2017/06/Cybersecurity-trends2017-survey-report.pdf [Accessed 14 July 2017].

Shawish, A. and Salama, M. (2014) 'Cloud computing: paradigms and technologies'. Inter-cooperative collective intelligence: Techniques and applications, Springer, pp. 39-67, [Online] Available at: http://www.springer.com/cda/content/document/cda downloaddocument/9783642350153c2.pdf?SGWID=0-0-45-1429336-p175276227 [Accessed 15 May 2017].

Sinanc, D. and Sagiroglu, S. (2013) 'A Review on Cloud Security'. SIN '13 Proceedings of the 6th International Conference on Security of Information and Networks, Aksaray, Turkey, 26-28 November 2013, pp. 321-325.

Skroupa, C. P. (2017) The Cost Of Cyber Breach – How Much Your Company Should Budget. [Online] Available at: https://www.forbes.com/sites/christopherskroupa/2017/04/19/the-cost-of-cyberbreach-how-much-your-company-should-budget/3ed76c5ece74 [Accessed 10 May 2017].

Trump, I. (2016) Cover your SaaS. [Online] Available at: https://deepsec.net/docs/Slides/2016/Cover Your SaaS Ian Thornton Trump.pdf [Accessed 10 May 2017].

Verizon (2017) Data Breach Digest. [Online] Available at: http://www.verizonenterprise.com/resources/reports/rp data-breach-digest-2017perspective-is-reality xg en.pdf [Accessed 10 May 2017].

Zhao, X., Xue, L. and Whinston, A. B. (2009) 'Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements'. 30th International Conference on Information Systems, Phoenix, AZ, United States, 15-18 December 2009, paper 49.
Appendixes

7.1 Manual
In order to run CoCoViLa on the Windows platform, a few mandatory underlying programs are required. CoCoViLa requires the Java SE Runtime to generate graphical output, so the user first needs to make sure they have the latest version of Java installed. Navigate to the URL http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html and download and install the latest version applicable to your computer's operating system. CoCoViLa installation is a quite straightforward process, unless 3D graphics are to be used; our model requires only 2D. First, navigate to the website http://cocovila.github.io/ and download the latest release of CoCoViLa.
Figure 7.1: CoCoViLa download.
The CoCoViLa package comes in .rar format; it must be unpacked using either WinRar or the free program 7-Zip (http://www.7-zip.org/download.html).
In the download folder there will be two .jar files needed to run CoCoViLa. The file called "cocovila-0.9.8.12.jar" needs to be executed in order to open the required CoCoViLa Schema Editor interface. To start the model, start the CoCoViLa Schema Editor and from the upper menu choose:

1. Package → Load → and select GSES/packages/SME SaaS/optimization.xml

Figure 7.2: Loading the package.

This will open a chequered workspace with the underlying pre-programmed commands and algorithms loaded. The next step is to load the Scheme (the created model itself).

2. File → Load Scheme → (file name).syn
Figure 7.3: Loading the Scheme.
Figure 7.4: File selection.
3. Optional: Java Console

It is recommended to have a Java Console open in order to see all the different level variations calculated by the evolutionary algorithm.
Figure 7.5: Selecting Java console.
The Java Console provides a good overview of the budget used versus the security levels.
Figure 7.6: Java Console results.
4. Scheme → Specification → Update from Scheme → Compute all → Compile & Run
Figure 7.7: Running the Schema.
CoCoViLa will perform the required calculation and provide easy-to-read graphical results, as shown in Figure 7.8.
Figure 7.8: CoCoViLa graphical results.
7.2 List of Abbreviations

• ALE - Annual Loss Expectancy
• AWT - Awareness Training
• CA - Cellular Automata
• CFO - Chief Financial Officer
• CSP - Cloud Service Provider
• DLP - Data Loss Prevention
• E - Efficiency
• ENISA - European Union Agency for Network and Information Security
• GDPR - General Data Protection Regulation
• GS - Graded Security
• GSES - Graded Security Expert System
• GSM - Graded Security Model
• HW - Hardware
• IDC - Independent Directors Council
• IDS - Intrusion Detection System
• IaaS - Infrastructure as a Service
• iLvSit - Initial Level Situation
• IPS - Intrusion Prevention System
• IS - Information System
• ISKE - Three-level IT baseline system
• ISO - International Organization for Standardization
• IT - Information Technology
• ITG - IT Governance
• ITHRM - IT Human Resources Management
• ITSM - IT Risk and Monitoring (Software Monitoring)
• LAN - Local Area Network
• MC - Monte Carlo
• MSC - Minimal Cut Set
• NIST - National Institute for Standards and Technology, US
• PaaS - Platform as a Service
• QoS - Quality of Service
• Rc - Redundancy coefficient
• ROI - Return on Investment
• SaaS - Software as a Service
• SLA - Service Level Agreement
• SME - Small and Medium Enterprise
• SW - Software
• VPN - Virtual Private Network
• WAN - Wide Area Network
• XaaS - Anything as a Service