Exchange of Security Incident Information in the context of Cloud Services
In recent years, the use of cloud computing has increased significantly. More and more organizations are moving their services to the cloud because the benefits are compelling, among them reduced costs, better agility, and improved reliability. Less attention has been paid to the lack of solutions to well-known incident handling problems. While some research on security incidents in the cloud has been published in recent years, much of it has focused on digital forensics rather than on a practical approach to exchanging security incident information. Sharing security incident information is becoming increasingly important as attacks become more sophisticated, widespread and frequent. Additionally, new laws place new requirements on cloud service providers with regard to notifying both end users and competent authorities. To further complicate the matter, Cloud Service Providers (CSPs) use services from other CSPs, creating Cloud Provider Chains: a CSP used by an end user or by another CSP could in turn rely on any number of CSPs, in a simple chain or in a more complex network. A literature study and interviews from the prestudy, together with a literature study on incident formats, were used to create a specification for an incident exchange interface as well as an incident representation format. Based on this interface and format, a prototype was constructed to act as a catalyst during interviews about incident sharing. Focused interviews, catalyzed by the prototype and a scenario, were used to validate the interface and the format. The approach was also validated against the literature. The interviews, as well as the validation against the literature, indicate the importance of the solution being agnostic to the tool used in the organization. The usefulness of being able to exchange incident information was confirmed.
The prototype presented to the participants did not fit well with their current workflow, but the interface and format are integrable with current tools and workflows. There are challenges related to both legal matters and public relations to take into consideration when sharing incident information. This thesis shows the need for exchanging security incident information and contributes toward achieving this goal by suggesting a way to do so by means of an interface and an incident format. A subscription-based interface between a provider and a subscriber would allow the provider to push security incident information to the subscriber in a timely manner, while still leaving the provider in control of which information is shared and when it is shared. The most prominent non-technical challenge is one of trust. It is expected that this, at least to some degree, can be addressed by means of contracts and SLAs. Sharing of security incident information is further complicated by privacy laws, which place restrictions on the information that may be shared. Public perception of a company is another challenge: sharing security incident information in a professional way might improve the image of a company, while unprofessional sharing might harm it. Adoption is a major challenge, as the solution will only be useful when it is in use. This thesis has identified three drivers for the adoption of such a solution: reduced costs, increased revenue and legal requirements. Email is currently heavily used in organizations for the exchange of security incident information. The solution presented in this thesis could replace email as the channel of incident information exchange without much impact on how incident handlers work. The incident handlers interviewed did point out that if the underlying interface and format were integrated into their current tooling, it would be a useful solution.
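The subscription-based push interface described above, with the provider deciding both which fields each subscriber receives and when an incident is released, can be sketched in a few dozen lines. The following is an added illustration, not the thesis's prototype or its specified format: the incident record fields, the JSON message envelope, the per-subscriber allow-list and the severity threshold are all this example's own assumptions, and transport is reduced to a callback so it runs offline.

```python
"""Sketch of a subscription-based incident exchange: the provider decides
which fields each subscriber may see and when an incident is released.
Added example with an assumed record format; the thesis does not specify one."""
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Callable, Dict, List

# Assumed incident representation; field names are this example's own choice.
@dataclass
class Incident:
    incident_id: str
    title: str
    severity: str                      # "low" | "medium" | "high" | "critical"
    affected_services: List[str]
    detected_at: str                   # ISO 8601, UTC
    summary: str
    internal_notes: str = ""           # never meant to leave the provider
    affected_user_ids: List[str] = field(default_factory=list)  # personal data

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

@dataclass
class Subscription:
    name: str
    min_severity: str
    allowed_fields: List[str]          # provider-side allow-list per subscriber
    deliver: Callable[[str], None]     # transport is abstracted; here a callback

class Provider:
    """Holds incidents and subscriptions; nothing leaves until release() is called."""
    def __init__(self):
        self._incidents: Dict[str, Incident] = {}
        self._subs: List[Subscription] = []

    def subscribe(self, sub: Subscription) -> None:
        self._subs.append(sub)

    def record(self, inc: Incident) -> None:
        # Recording an incident is internal; it does not notify anyone.
        self._incidents[inc.incident_id] = inc

    def _redact(self, inc: Incident, sub: Subscription) -> dict:
        # Allow-list filtering: only fields granted to this subscriber survive,
        # so internal notes and personal data are dropped unless explicitly allowed.
        data = asdict(inc)
        return {k: v for k, v in data.items() if k in sub.allowed_fields}

    def release(self, incident_id: str) -> int:
        """Push the incident to every subscriber whose policy matches; return count."""
        inc = self._incidents[incident_id]
        delivered = 0
        for sub in self._subs:
            if SEVERITY_RANK[inc.severity] < SEVERITY_RANK[sub.min_severity]:
                continue
            message = {
                "type": "incident.notification",   # assumed envelope, not the thesis's
                "sent_at": datetime.now(timezone.utc).isoformat(),
                "incident": self._redact(inc, sub),
            }
            sub.deliver(json.dumps(message))
            delivered += 1
        return delivered

class Inbox:
    """Subscriber side: parse messages and keep them, e.g. for a ticketing tool."""
    def __init__(self):
        self.received: List[dict] = []

    def deliver(self, raw: str) -> None:
        self.received.append(json.loads(raw))

def run_demo():
    """Two subscribers with different policies; returns what each one received."""
    provider = Provider()
    downstream = Inbox()       # another CSP in the provider chain
    end_user = Inbox()         # a customer organisation
    provider.subscribe(Subscription(
        "downstream-csp", "medium",
        ["incident_id", "title", "severity", "affected_services", "detected_at", "summary"],
        downstream.deliver))
    provider.subscribe(Subscription(
        "end-user-org", "high",
        ["incident_id", "title", "severity", "detected_at"],
        end_user.deliver))
    # Constructed sample incidents (not real events).
    provider.record(Incident("INC-0001", "Failed login burst against API gateway", "medium",
        ["api-gateway"], "2024-01-10T08:15:00+00:00", "Blocked at the edge; no data exposed",
        internal_notes="Source ranges under review"))
    provider.record(Incident("INC-0002", "Storage bucket misconfiguration", "high",
        ["object-storage"], "2024-01-11T14:02:00+00:00", "Bucket ACL allowed public listing",
        internal_notes="Root cause: IaC template", affected_user_ids=["u-17", "u-42"]))
    counts = [provider.release("INC-0001"), provider.release("INC-0002")]
    return counts, downstream.received, end_user.received

if __name__ == "__main__":
    counts, down, eu = run_demo()
    print(counts, json.dumps(down, indent=1), json.dumps(eu, indent=1))
```

The separation between `record` and `release` is what keeps the provider in control of timing, and the allow-list in `_redact` is what keeps it in control of content; a real deployment would put the subscriptions under a contract or SLA and would sign or authenticate the transport, neither of which this sketch attempts.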