Academic literature on the topic 'Cloud security policies compliance'


Consult the lists of relevant articles, books, theses, conference reports, and other scholarly sources on the topic 'Cloud security policies compliance.'


Dissertations / Theses on the topic "Cloud security policies compliance"

1

Doelitzscher, Frank. "Security audit compliance for cloud computing." Thesis, University of Plymouth, 2014. http://hdl.handle.net/10026.1/3005.

Abstract:
Cloud computing has grown largely over the past three years and is widely popular amongst today's IT landscape. In a comparative study between 250 IT decision makers of UK companies they said, that they already use cloud services for 61% of their systems. Cloud vendors promise "infinite scalability and resources" combined with on-demand access from everywhere. This lets cloud users quickly forget, that there is still a real IT infrastructure behind a cloud. Due to virtualization and multi-tenancy the complexity of these infrastructures is even increased compared to traditional data centers, while it is hidden from the user and outside of his control. This makes management of service provisioning, monitoring, backup, disaster recovery and especially security more complicated. Due to this, and a number of severe security incidents at commercial providers in recent years there is a growing lack of trust in cloud infrastructures. This thesis presents research on cloud security challenges and how they can be addressed by cloud security audits. Security requirements of an Infrastructure as a Service (IaaS) cloud are identified and it is shown how they differ from traditional data centres. To address cloud specific security challenges, a new cloud audit criteria catalogue is developed. Subsequently, a novel cloud security audit system gets developed, which provides a flexible audit architecture for frequently changing cloud infrastructures. It is based on lightweight software agents, which monitor key events in a cloud and trigger specific targeted security audits on demand - on a customer and a cloud provider perspective. To enable these concurrent cloud audits, a Cloud Audit Policy Language is developed and integrated into the audit architecture. Furthermore, to address advanced cloud specific security challenges, an anomaly detection system based on machine learning technology is developed. 
By creating cloud usage profiles, a continuous evaluation of events - customer specific as well as customer overspanning - helps to detect anomalies within an IaaS cloud. The feasibility of the research is presented as a prototype and its functionality is presented in three demonstrations. Results prove, that the developed cloud audit architecture is able to mitigate cloud specific security challenges.
2

Ullah, Kazi Wali. "Automated Security Compliance Tool for the Cloud." Thesis, Norges teknisk-naturvitenskapelige universitet, Institutt for telematikk, 2012. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-19104.

Abstract:
Security, especially security compliance, is a major concern that is slowing down the large scale adoption of cloud computing in the enterprise environment. Business requirements, governmental regulations and trust are among the reasons why the enterprises require certain levels of security compliance from cloud providers. So far, this security compliance or auditing information has been generated by security specialists manually. This process involves manual data collection and assessment which is slow and incurs a high cost. Thus, there is a need for an automated compliance tool to verify and express the compliance level of various cloud providers. Such a tool can reduce the human intervention and eventually reduce the cost and time by verifying the compliance automatically. Also, the tool will enable the cloud providers to share their security compliance information using a common framework. In turn, the common framework allows clients to compare various cloud providers based on their security needs. Having these goals in mind, we have developed an architecture to build an automated security compliance tool for a cloud computing platform. We have also outlined four possible approaches to achieve this automation. These possible four approaches refer to four design patterns to collect data from the cloud system and these are: API, vulnerability scanning, log analysis and manual entry. Finally, we have implemented a proof-of-concept prototype of this automated security compliance tool using the proposed architecture. This prototype implementation is integrated with OpenStack cloud platform, and the results are exposed to the users of the cloud following the CloudAudit API structure defined by Cloud Security Alliance.
3

Färjsjö, Felix, and Eric Stenberg. "Ensuring Continuous Security in the Cloud and Compliance with GDPR." Thesis, Uppsala universitet, Institutionen för informationsteknologi, 2017. http://urn.kb.se/resolve?urn=urn:nbn:se:uu:diva-328620.

Abstract:
Scania is currently in the process of migrating from an on-premise infrastructure to a cloud environment. In parallel, General Data Protection Regulation (GDPR) will come into effect in 2018 and the combination of migrating infrastructure and a new regulation resulted in a need for guidance in how to progress. This thesis' goal is to establish guidelines for the Connected Services department on how to conduct development in a cloud environment whilst complying with GDPR. The finalized versions of these guidelines are the result of several interviews with experts in the field along with a proof of concept on how to secure an example application in a cloud environment.
4

Brown, David A. "Examining the Behavioral Intention of Individuals' Compliance with Information Security Policies." ScholarWorks, 2017. https://scholarworks.waldenu.edu/dissertations/3750.

Abstract:
Target Corporation experienced an information security breach resulting in compromising customers' financial information. Management is responsible for implementing adequate information security policies that protect corporate data and minimize financial losses. The purpose of this experimental study was to examine the effect of a fear appeal communication on an individual's information security policy behavioral intention. The sample population involved information technology professionals randomly selected from the SurveyMonkey audience. A research model, developed using constructs from deterrence theory and protection motivation theory, became the structural model used for partial least squares-structural equation modeling (PLS-SEM) analysis of the survey response data, which indicated that self-efficacy was statistically significant. The remaining model variables, perceived threat vulnerability, perceived threat severity, response efficacy, informal sanction certainty, informal sanction severity, formal sanction certainty, and formal sanction severity, were not statistically significant. A statistically significant self-efficacy result could indicate confidence among the population to comply with information security policies. The nonsignificant results could indicate the fear appeal treatment did not motivate a change in behavior or information security policy awareness bias was introduced by selecting information technology professionals. Social change in information security could be achieved by developing an effective information security policy compliance fear appeal communication, which could change information security compliance behavior and contribute to securing the nation's critical cyber infrastructure and protecting data.
5

Hanus, Bartlomiej T. "The Impact of Information Security Awareness on Compliance with Information Security Policies: a Phishing Perspective." Thesis, University of North Texas, 2014. https://digital.library.unt.edu/ark:/67531/metadc699974/.

Abstract:
This research seeks to derive and examine a multidimensional definition of information security awareness, investigate its antecedents, and analyze its effects on compliance with organizational information security policies. The above research goals are tested through the theoretical lens of technology threat avoidance theory and protection motivation theory. Information security awareness is defined as a second-order construct composed of the elements of threat and coping appraisals supplemented by the responsibilities construct to account for organizational environment. The study is executed in two stages. First, the participants (employees of a municipality) are exposed to a series of phishing and spear-phishing messages to assess if there are any common characteristics shared by the phishing victims. The differences between the phished and the not phished group are assessed through multiple discriminant analysis. Second, the same individuals are asked to participate in a survey designed to examine their security awareness. The research model is tested using PLS-SEM approach. The results indicate that security awareness is in fact a second-order formative construct composed of six components. There are significant differences in security awareness levels between the victims of the phishing experiment and the employees who maintain compliance with security policies. The study extends the theory by proposing and validating a universal definition of security awareness. It provides practitioners with an instrument to examine awareness in a plethora of settings and design customized security training activities.
6

Almusharraf, Ahlam. "DIVERGENCE IN STAKEHOLDER PERCEPTIONS OF SECURITY POLICIES: A REPGRID ANALYSIS FOR NORM-RULE COMPLIANCE." VCU Scholars Compass, 2016. http://scholarscompass.vcu.edu/etd/4346.

Abstract:
Many organizations have a problem with synchronizing individual values regarding information security with expectations set by the relevant security policy. Such discordance leads to failure in compliance or simply subversion of existing or imposed controls. The problem of the mismatch in understanding the security policies amongst individuals in an organization has devastating effect on security of the organization. Different individuals hold different understanding and knowledge about IS security, which is reflected on IS security policies design and practice (Vaast, 2007). Albrechtsen and Hovden (2009) argue that users and managers practice IS security differently because they have different rationalities. This difference in rationalities may reflect the mismatch between the security policies and individuals’ values. In this research, we argue that occurrence of security breach can change individuals’ values in light of security policy of organization. These changes in the values can be reflected on the compliance between individuals’ norms and security rules and standards. Indeed, organizations need to guarantee the compliance between security policy and values of their employees. Thus, they can alleviate or prevent violations of security of organization. However, it is difficult to find a common method that all organizations can adopt to guarantee the synch between security rules and individuals’ norms. The main aim of this research is to investigate how people perceive information security policy and how their perceptions change in response to security breaches. Besides, this research aims to investigate the relationship between individuals’ values and security policy. Thus, organizations can have the intended level of compliance between individual norms and security rules and standards. With the aid of the Repertory Grid technique, this research examines how a security breach shapes people’s values with respect to security policy of an organization.
To conduct the argument, this research offers an assessment mechanism that aids the organization to evaluate employees’ values in regard to security policy. Based on that evaluation, the organization can develop a proper mechanism to guarantee compliance between individuals’ norms and security rules. The results of this research show that employees in an organization hold different perceptions regarding the security policy. These perceptions change in response to security incident. This change in perceptions does not necessarily result in better compliance with the security policy. Factors like the type of breach and people’s experience can affect the amount of change in the perceptions. Contributions, implications, and directions for future research of this study will be discussed.
7

Li, Yanhuang. "Interoperability and Negotiation of Security Policies." Thesis, Télécom Bretagne, 2016. http://www.theses.fr/2016TELB0414/document.

Abstract:
With the development of information technologies, and in particular the deployment of infrastructures such as Cloud Computing, more and more applications and platforms cooperate by exchanging data and services. This trend increases the importance of security management. To ensure the security of data and of service interaction, a security policy must be applied. In this thesis, we focus on access control policies. This type of policy specifies the privileges for the use of resources and is implemented by different models according to different scenarios. Our objective here is to help the service customer express their security requirements well and choose the service providers that can deploy them. The first part of this thesis is dedicated to the selection of service providers. In the case where the provider's security policies are accessible to the customer, we propose a method for measuring the similarity between security policies. In the case where the security policies are not accessible to the customer or are not explicitly specified, we propose a rule-based framework enabling the derivation from security requirements to concrete security policies. The second part of the thesis deals with the negotiation of security policies. We study the process that allows the negotiating parties to reach an agreement through a series of exchanges of offers and counter-offers. When the outcome of the negotiation is positive, a contract including the security policy accepted by the parties is generated.

Security policy provides a way to define the constraints on behavior of the members belonging to a system, organization or other entities. With the development of IT technology such as Grid Computing and Cloud Computing, more and more applications and platforms exchange their data and services for cooperating. Toward this trend, security becomes an important issue and security policy has to be applied in order to ensure the safety of data and service interaction. In this thesis, we deal with one type of security policy: access control policy. Access control policy protects the privileges of resource's utilization and there exist different policy models for various scenarios. Our goal is to ensure that the service customer well expresses her security requirements and chooses the service providers that fit these requirements. The first part of this dissertation is dedicated to service provider selection. In case that the security policies of the service provider are accessible to the service customer, we provide a method for measuring the similarity between security policies. Another case is that security policies are not accessible to the service customer or not specified explicitly. Our solution is proposing a policy-based framework which enables the derivation from attribute-based security requirements to concrete security policies. The second part of the dissertation focuses on the security policy negotiation. We investigate the process of reaching agreement through bargaining process in which negotiators exchange their offers and counter offers step by step. The positive result of the negotiation generates a policy contract.
8

Meng, Tianhui [Verfasser]. "Security and Performance Tradeoff Analysis of Offloading Policies in Mobile Cloud Computing / Tianhui Meng." Berlin : Freie Universität Berlin, 2017. http://d-nb.info/1136903623/34.

9

Bauer, Stefan, Edward Bernroider, and Katharina Chudzikowski. "Prevention is better than cure! Designing information security awareness programs to overcome users' non-compliance with information security policies in banks." Elsevier, 2017. http://dx.doi.org/10.1016/j.cose.2017.04.009.

Abstract:
In organizations, users' compliance with information security policies (ISP) is crucial for minimizing information security (IS) incidents. To improve users' compliance, IS managers have implemented IS awareness (ISA) programs, which are systematically planned interventions to continuously transport security information to a target audience. The underlying research analyzes IS managers' efforts to design effective ISA programs by comparing current design recommendations suggested by scientific literature with actual design practices of ISA programs in three banks. Moreover, this study addresses how users perceive ISA programs and related implications for compliant IS behavior. Empirically, we utilize a multiple case design to investigate three banks from Central and Eastern Europe. In total, 33 semi-structured interviews with IS managers and users were conducted and internal materials of ISA programs such as intranet messages and posters were also considered. The paper contributes to IS compliance research by offering a comparative and holistic view on ISA program design practices. Moreover, we identified influences on users' perceptions centering on IS risks, responsibilities, ISP importance and knowledge, and neutralization behaviors. Finally, the study raises propositions regarding the relationship of ISA program designs and factors, which are likely to influence users' ISP compliance.
10

RODRIGUES, Thiago Gomes. "Cloudacc: a cloud-based accountability framework for federated cloud." Universidade Federal de Pernambuco, 2016. https://repositorio.ufpe.br/handle/123456789/18590.

Abstract:
The evolution of software service delivery has changed the way accountability is performed. The complexity related to cloud computing environments increases the difficulty in properly performing accountability, since the evidences are spread through the whole infrastructure, from different servers, in physical, virtualization and application layers. This complexity increases when the cloud federation is considered because besides the inherent complexity of the virtualized environment, the federation members may not implement the same security procedures and policies. The main objective of this thesis is to propose an accountability framework named CloudAcc, that supports audit, management, planning and billing process in federated cloud environments, increasing trust and transparency. Furthermore, CloudAcc considers the legal safeguard requirements presented in Brazilian Marco Civil da Internet. We confirm the CloudAcc effectiveness when some infrastructure elements were submitted against Denial of Service (DoS) and Brute Force attacks, and our framework was able to detect them. Facing the results obtained, we can conclude that CloudAcc contributes to the state-of-the-art once it provides the holistic vision of the cloud federated environment through the evidence collection considering the three layers, supporting audit, management, planning and billing process in federated cloud environments.

The way accountability is performed has varied as the mode of delivering Information Technology (IT) services has evolved. In cloud environments the complexity of performing accountability properly is high because the evidence must be collected considering the physical, virtualization and application layers, which are spread across different servers and infrastructure elements. This complexity is amplified when cloud infrastructures are federated because, besides the inherent complexity of the virtualized environment, the federation members may not have the same sets of security policies and practices. The main objective of this thesis is to propose an accountability framework, named CloudAcc, that supports audit, management, planning and billing processes in federated clouds, increasing trust and transparency. In addition, CloudAcc also considers the legal requirements for safeguarding records, as described in the Brazilian Marco Civil da Internet. The effectiveness of CloudAcc was confirmed when some components of the cloud infrastructure were subjected to denial-of-service and brute-force attacks, and the framework was able to detect them. Given the results obtained, it can be concluded that CloudAcc contributes to the state of the art, since it provides a holistic view of the federated cloud environment through the collection of evidence in three layers, supporting the audit, management, planning and billing processes.