File(s) under permanent embargo
Improving tenants' trust in SaaS applications using dynamic security monitors
conference contribution
posted on 2015-01-01, 00:00 authored by Mohamed AbdelrazekMohamed Abdelrazek, John Grundy, Amani IbrahimIt is almost impossible to prove that a given software system achieves an absolute security level. This becomes more complicated when addressing multi-tenant cloud-based SaaS applications. Developing practical security properties and metrics to monitor, verify, and assess the behavior of such software systems is a feasible alternative to such problem. However, existing efforts focus either on verifying security properties or security metrics but not both. Moreover, they are either hard to adopt, in terms of usability, or require design-time preparation to support monitoring of such security metrics and properties which is not feasible for SaaS applications. In this paper, we introduce, to the best of our knowledge, the first unified monitoring platform that enables SaaS application tenants to specify, at run-time, security metrics and properties without design-time preparation and hence increases tenants’ trust of their cloud-assets security. The platform automatically converts security metrics and properties specifications into security probes and integrates them with the target SaaS application at run-time. Probes-generated measurements are fed into an analysis component that verifies the specified properties and calculates security metrics’ values using aggregation functions. This is then reported to SaaS tenants and cloud platform security engineers. We evaluated our platform expressiveness and usability, soundness, and performance overhead.
History
Event
Engineering of Complex Computer Systems. International Conference (20th : 2015 : Gold Coast, Queensland)Pagination
70 - 79Publisher
IEEELocation
Gold Coast, QueenslandPlace of publication
Piscataway, N.J.Publisher DOI
Start date
2015-12-09End date
2015-12-12ISBN-13
9781467385817Language
engPublication classification
E Conference publication; E1 Full written paper - refereedCopyright notice
2015, IEEETitle of proceedings
ICECCS 2015 : Proceedings of the 20th International Conference on Engineering of Complex Computer SystemsUsage metrics
Categories
No categories selectedKeywords
Licence
Exports
RefWorks
BibTeX
Ref. manager
Endnote
DataCite
NLM
DC