
Graduate student: 溫建宇
Wen, Jiann-Yu
Thesis title: 雲端IaaS服務安全保障模型之設計與實作
Design and Implementation of a Service Security Assurance Model for Cloud IaaS
Advisor: 黃光渠
Huang, Kuang-Chiu
Degree: 碩士
Master
Department: College of Management - 電信管理研究所
Institute of Telecommunications Management
Year of publication: 2013
Academic year of graduation: 101 (ROC calendar)
Language: English
Number of pages: 88
Chinese keywords: public cloud IaaS service, cloud security, property insurance, cost-benefit analysis
English keywords: cloud IaaS, cloud security, property insurance, cost-benefit analysis
Usage statistics: 101 views, 3 downloads
  • Taiwan's industrial structure, dominated by small and medium-sized enterprises (SMEs), is a favourable foundation for developing public cloud IaaS services. However, industry concerns about cloud information security risks have hindered the adoption of cloud services. To address this problem, this study proposes a cloud IaaS service security assurance model that integrates risk loss estimation, cost-benefit analysis and premium calculation, and validates it through a system implementation.

    For risk loss estimation, a formula-based risk quantification module is built through the procedures of risk identification, analysis and quantification; given risk data as input, it computes the distribution of expected risk loss. For cost-benefit analysis, the fixed and variable cost items of a cloud service are quantified and the elastic nature of cloud demand is incorporated to build a cost-benefit evaluation model, which computes the benefit that the service assurance model can create from the estimated user demand. For premium calculation, unlike traditional property insurance, this study brings both the expected loss distribution and the benefit of the model into the premium calculation principle, and sets suitable premiums under the condition of maximising overall utility, so as to establish a service assurance business model that satisfies the utility principle.

    The experimental results indicate that, by transferring users' security risks, the model can achieve the goal of promoting cloud services. In addition, by expanding cloud capacity incrementally, the service provider can reduce the risk of expansion and earn greater profit as the cloud scales up, creating room to lower premiums to attract customers, which creates a virtuous cycle for the cloud industry and expands the overall scale of the industry.

    Small and medium-sized enterprises (SMEs) make up more than 97% of the enterprises in Taiwan, which is a niche for public cloud service development. However, cloud security, with its potential risks, is an issue that deters the adoption of cloud services. This paper focuses on this issue and proposes a service security assurance model for cloud IaaS. Borrowing basic concepts from property insurance, we integrate the essential elements of loss estimation, cost-benefit analysis and premium calculation to construct the model, and implement it to verify its validity with empirical data.

    In loss estimation, a formula-based estimation module is built through the procedures of identification, analysis and quantification of cloud risks. A distribution of expected loss is obtained by applying relevant statistics to the module. In cost-benefit analysis, we construct a cost-benefit analysis module for the cloud service provider, based on the concepts of total cost of ownership (TCO) and elastic utilization. The assurance benefit is estimated from the results of demand estimation. In particular, the expected loss and assurance benefit above are used as the basis of the premium calculation module. Suitable premiums are calculated to meet social welfare under different loss distributions and various pricing strategies. Thus, a utility business model of cloud security assurance is developed.

    The results of the experiments indicate that our model can shift security risks from users to the service provider in order to expand the cloud customer base, and can achieve economies of scale for the cloud service through an incremental cloud deployment strategy. This implies that if our model were applied in practice, a virtuous cycle would be created that promotes the cloud industry by providing a security assurance service.

    Table of contents:
    Abstract I
    Abstract (Chinese) II
    List of Contents IV
    List of Figures VI
    List of Tables VIII
    Chapter 1. Introduction 1
      1.1 Research Background 1
      1.2 Research Motivations 6
      1.3 Research Objectives 6
      1.4 Research Architecture 7
    Chapter 2. Related Information and Literature Review 11
      2.1 Related Information of Cloud Computing 11
        2.1.1 Definition of cloud computing 11
        2.1.2 Industry environment of public cloud IaaS 14
        2.1.3 Introduction of CHT hicloud CaaS 16
      2.2 Literature Review 18
        2.2.1 Loss estimation 18
        2.2.2 Cost-benefit analysis 20
        2.2.3 Premium calculation 20
      2.3 Research Methods 22
    Chapter 3. Cloud Risks 24
      3.1 Risk Identification and Analysis of Cloud IaaS 24
        3.1.1 Risk identification 24
        3.1.2 Risk analysis 29
      3.2 Loss Estimation Module 32
    Chapter 4. Proposed Service Security Assurance Model 41
      4.1 IaaS Cost-Benefit Analysis Module 41
      4.2 Premium Calculation Module 48
    Chapter 5. Implementation and Experiments 55
      5.1 Estimation of User Demands 55
      5.2 Experimental Parameters 59
        5.2.1 Parameters of loss estimation module 59
        5.2.2 The parameters of IaaS cost-benefit analysis module 61
      5.3 Results of Implementation and Experiment 62
        5.3.1 The results of loss estimation 62
        5.3.2 The results of IaaS cost-benefit analysis 67
        5.3.3 The results of premium calculation 70
    Chapter 6. Conclusions and Future Works 75
    References 77
    Appendix: Notation Table 87


    Availability: on campus, public from 2015-08-12
    Off campus, public from 2015-08-12