MASCOT - MeAsuring Security in Cloud OuTsourcing

Over the past decade, the trend in both the public sector and industry has been to outsource ICT to the cloud. While cost savings are often used as a rationale for outsourcing, another argument that is frequently used is that the cloud improves security. The reasoning behind this is twofold. First, cloud service providers are typically thought to have skilled staff trained in good security practices. Second, cloud providers often have a vastly distributed, highly connected network infrastructure, making them more resilient in the face of outages and denial-of-service attacks. Yet many examples of cloud outages, often due to attacks, call into question whether outsourcing to the cloud does improve security.

In this project our goal therefore is to answer two questions:

1. Did the cloud make use more secure?
2. Can we provide specific security guidance to support cloud outsourcing strategies?

We will approach these questions in a multi-disciplinary fashion from a technical angle and from a business and management perspective. On the technical side, the project will focus on providing comprehensive insight into the attack surface at the network level of cloud providers and their users. We will use a measurement-based approach, leveraging large scale datasets about the Internet, both our own data (e.g. OpenINTEL, a large- scale dataset of active DNS measurements) and datasets from our long-term collaborators, such as CAIDA in the US (BGPStream, Network Telescope) and Saarland University in Germany (AmpPot). We will use this data to study the network infrastructure outside and within cloud environments to structurally map vulnerabilities to attacks as well as to identify security anti-patterns, where the way cloud services are managed or used introduce a weak point that attackers can target. From a business point of view, we will investigate outsourcing strategies for both the cloud providers and their customers. For guaranteeing 100% availability, cloud service providers have to maintain additional capacity at all times. They also need to forecast capacity requirements continuously for financially profitable decisions. If the forecast is lower than the capacity needed, then the cloud is not able to deliver 100% availability in case of an attack. Conversely, if the forecast is substantially higher, the cloud service provider might not be able to make desired profits. We therefore propose to assess the risk profiles of cloud providers (how likely it is a cloud provider is under attack at a given time given the nature of its customers) using available attack data to improve the provider resilience to future attacks. From the costumer perspective, we will investigate how we can support cloud outsourcing by taking into consideration business and technical constraints. Decision to choose a cloud service provider is typically based on multiple criteria depending upon the companyâ??s needs (security and operational). We will develop decision support systems that will help in mapping companiesâ?? needs to cloud service providersâ?? offers.