
Author: 張騏鈞 (Chang, Chi-Chun)
Title: A Business Process Model for Information Security Risk Assessment in the Blockchain Cloud (Chinese title: 應用業務流程模型評估區塊鏈雲端服務的資訊安全風險)
Advisor: 沈宗緯 (Shen, Chung-Wei)
Degree: Master
Department: College of Management - Institute of Telecommunications Management
Year of publication: 2019
Graduation academic year: 107
Language: Chinese
Pages: 45
Keywords: Information Security, Risk Assessment, Business Process Model, Blockchain, Cloud
Views: 115; Downloads: 0
Blockchain-as-a-Service (BaaS) has attracted growing attention from industry and academia in recent years, because it lowers the barrier for enterprises to adopt blockchain technology, lets them carry out B2B transactions in a more secure and efficient way, and supports tracking of goods across the global supply chain. Research on combining blockchain technology with cloud services has focused mostly on its benefits, while the information security risks of such services have received little systematic discussion. Because an enterprise must consider the risk level of different services before deploying its business processes on a blockchain cloud service, this study proposes a method for assessing their information security risks, based on the risk management principles and guidelines defined in ISO 31000:2018 by the International Organization for Standardization, identifies suitable risk assessment indicators, and attempts to construct a risk framework for evaluating the information security of different blockchain cloud services.
    To validate the proposed blockchain cloud risk assessment framework, we take as an example a company that wishes to deploy an e-commerce business process on a blockchain cloud service. We first select a list of providers offering an enterprise-grade blockchain framework that supports Hyperledger Fabric, and then use the proposed framework to compare the information security risk level of deploying the e-commerce business process with each provider. The results show that, in this example, the threat with the highest risk level is "Insecure Interfaces and APIs" and the lowest is "Malicious Abuse of Services"; Amazon and Microsoft are the blockchain cloud service providers best suited to the e-commerce example in this study.

Blockchain-as-a-Service (BaaS), which mainly facilitates B2B transactions for companies in a safer and more efficient way than the alternatives, is drawing increasing attention from industry and academia. It helps companies lower the barriers to using blockchain technology and to tracking goods in the global supply chain. Beyond the benefits of blockchain technology in cloud services, the security issues around its use deserve equal attention. This study therefore proposes a method for assessing the information security risks of this technology before business processes are deployed to blockchain cloud service providers, based on the risk management principles and guidelines of ISO 31000:2018 compiled by the International Organization for Standardization.
    To verify the feasibility of this assessment framework, we take the business process model of an e-commerce logistics supply chain as an example. The proposed framework was tested by deploying the e-commerce logistics process on different blockchain cloud service providers and comparing their security risk levels. The results showed that the riskiest information security threat in our example was "Insecure Interfaces and APIs" and the lowest was "Malicious Insiders." Amazon and Microsoft were found to be the most suitable providers for the e-commerce logistics supply chain example.

    Table of contents
    Chapter 1 Introduction
      1.1 Research Background and Motivation
      1.2 Research Objectives
      1.3 Research Framework and Process
    Chapter 2 Literature Review
      2.1 Information Security Risk Management
      2.2 Security of Blockchain Cloud Services
      2.3 Information Security Risk Management for the Blockchain Cloud
      2.4 Summary
    Chapter 3 Research Method
      3.1 Model Concept
      3.2 Model Construction
        3.2.1 Blockchain Cloud Service Consumer Model
        3.2.2 Blockchain Cloud Service Provider Model
        3.2.3 Blockchain Cloud Service Broker Model
      3.3 Research Process and Steps
    Chapter 4 Research Results
      4.1 Test Results for the Severity of Information Security Threats
      4.2 Test Results for the Severity of Information Security Threats
      4.2 Test Results for Provider Mitigation Coverage
      4.3 Test Results for the Risk Level of Information Security Threats
        4.3.1 Risk Level of the Data Breach Threat
        4.3.2 Risk Level of the Data Loss Threat
        4.3.3 Risk Level of the Account Hijacking Threat
        4.3.4 Risk Level of the Insecure Interfaces Threat
        4.3.5 Risk Level of the Denial-of-Service Threat
        4.3.6 Risk Level of the Malicious Insider Threat
        4.3.7 Risk Level of the Malicious Abuse of Services Threat
        4.3.8 Risk Level of the Insufficient Due Diligence Threat
        4.3.9 Risk Level of the Shared Technology Vulnerabilities Threat
      4.4 Summary
    Chapter 5 Conclusions and Suggestions for Future Research
      5.1 Conclusions
      5.2 Suggestions for Future Research
    References
    Appendix 1 Mapping of the Cloud Controls Matrix to Information Security Management Practices
    Appendix 2 Information Security Management Practices Mitigating Information Security Threats
    Appendix 3 Cloud Controls Matrix Controls Mitigating Information Security Threats
    Appendix 4 Research Implementation Guide

    1. Bag, S., Ruj, S., & Sakurai, K. (2017). Bitcoin block withholding attack: Analysis and mitigation. IEEE Transactions on Information Forensics and Security, 12(8), 1967-1978.
    2. Bahack, L. (2013). Theoretical Bitcoin Attacks with less than Half of the Computational Power (draft). arXiv preprint arXiv:1312.7013.
    3. Brashear, J. P., & Jones, J. W. (2008). Risk analysis and management for critical asset protection (RAMCAP plus). Wiley handbook of science and technology for homeland security, 1-15.
    4. Catteddu, D. (2010). Cloud Computing: benefits, risks and recommendations for information security. In Web application security (pp. 17-17): Springer.
    5. Catteddu, D., & Hogben, G. (2009). Cloud computing information assurance framework. European Network and Information Security Agency (ENISA), 13, 14.
    6. Courtois, N. T., & Bahack, L. (2014). On subversive miner strategies and block withholding attack in bitcoin digital currency. arXiv preprint arXiv:1402.1718.
    7. Cox, L. A., Jr. (2008). Some limitations of "Risk = Threat × Vulnerability × Consequence" for risk analysis of terrorist attacks. Risk Analysis: An International Journal, 28(6), 1749-1761.
    8. CSA. (2014). Cloud Controls Matrix v3.0.1.
    9. Curtis, P., & Carey, M. (2012). Risk assessment in practice. Committee of Sponsoring Organizations of the Treadway Commission, 1-28.
    10. Eyal, I., & Sirer, E. G. (2018). Majority is not enough: Bitcoin mining is vulnerable. Communications of the ACM, 61(7), 95-102.
    11. Goettelmann, E., Dahman, K., Gateau, B., Dubois, E., & Godart, C. (2014). A security risk assessment model for business process deployment in the cloud. Paper presented at the Services Computing (SCC), 2014 IEEE International Conference on.
    12. Heilman, E., Kendler, A., & Zohar, A. (2015). Eclipse Attacks on Bitcoin's Peer-to-Peer Network.
    13. ISO. (2015). Information technology -- Security techniques -- Code of practice for information security controls based on ISO/IEC 27002 for cloud services.
    14. ISO. (2018). ISO 31000:2018 Risk management – Principles and guidelines. International Organization for Standardization, Geneva, Switzerland.
    15. Klipper, S. (2011). Information Security Risk Management. Vieweg+Teubner, Wiesbaden.
    16. Knorr, K., & Röhrig, S. (2001). Security requirements of e-business processes. In Towards the E-Society (pp. 72-86): Springer.
    17. Koshy, P., Koshy, D., & McDaniel, P. (2014). An analysis of anonymity in bitcoin using p2p network traffic. Paper presented at the International Conference on Financial Cryptography and Data Security.
    18. Li, X., Jiang, P., Chen, T., Luo, X., & Wen, Q. (2017). A survey on the security of blockchain systems. Future Generation Computer Systems.
    19. Luu, L., Chu, D.-H., Olickel, H., Saxena, P., & Hobor, A. (2016). Making smart contracts smarter. Paper presented at the Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security.
    20. Marcus, Y., Heilman, E., & Goldberg, S. (2018). Low-Resource Eclipse Attacks on Ethereum's Peer-to-Peer Network.
    21. Microsoft. (2009). The STRIDE Threat Model.
    22. Mosakheil, J. H. (2018). Security Threats Classification in Blockchains.
    23. Nakamoto, S. (2008). Bitcoin: A peer-to-peer electronic cash system.
    24. Norta, A. (2015). Creation of smart-contracting collaborations for decentralized autonomous organizations. Paper presented at the International Conference on Business Informatics Research.
    25. Park, J., & Park, J. (2017). Blockchain security in cloud computing: Use cases, challenges, and solutions. Symmetry, 9(8), 164.
    26. Prasad, S., Shankar, R., Gupta, R., & Roy, S. (2018). A TISM modeling of critical success factors of blockchain based cloud services. Journal of Advances in Management Research, 15(4), 434-456.
    27. Rosenfeld, M. (2014). Analysis of hashrate-based double spending. arXiv preprint arXiv:1402.2009.
    28. Schneier, B. (2009). People Understand Risks–But do security staff understand people? The Guardian, The Sydney Morning Herald, and The Age.
    29. Sharma, P. K., Chen, M.-Y., & Park, J. H. (2017). A software defined fog node based distributed blockchain cloud architecture for IoT. IEEE Access, 6, 115-124.
    30. CSA STAR. (2018). STAR Attestation.
    31. Tosh, D. K., Shetty, S., Liang, X., Kamhoua, C. A., Kwiat, K. A., & Njilla, L. (2017). Security implications of blockchain cloud with analysis of block withholding attack. Paper presented at the Proceedings of the 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing.
    32. Watson, P. (2012). A multi-level security model for partitioning workflows over federated clouds. Journal of Cloud Computing: Advances, Systems and Applications, 1(1), 15.
    33. Weber, I., Xu, X., Riveret, R., Governatori, G., Ponomarev, A., & Mendling, J. (2016). Untrusted business process monitoring and execution using blockchain. Paper presented at the International Conference on Business Process Management.
    34. Weiss, A. (2014). EuroCloud Star Audit. Datenschutz und Datensicherheit-DuD, 38(3), 170-174.
    35. Wenzel, S., Wessel, C., Humberg, T., & Jürjens, J. (2012). Securing Processes for Outsourcing into the Cloud. Paper presented at the CLOSER.
    36. Xia, Q., Sifah, E. B., Asamoah, K. O., Gao, J., Du, X., & Guizani, M. (2017). MeDShare: Trust-less medical data sharing among cloud service providers via blockchain. IEEE Access, 5, 14757-14767.
    37. Zamani, E., He, Y., & Phillips, M. (2018). On the Security Risks of the Blockchain. Journal of Computer Information Systems, 1-12.
    38. Zur Muehlen, M., & Recker, J. (2013). How much language is enough? Theoretical and practical use of the business process modeling notation. In Seminal Contributions to Information Systems Engineering (pp. 429-443): Springer.

    Availability: on campus from 2024-08-21; off campus from 2024-08-21