Tool-based Risk Assessment of Cloud Infrastructures as Socio-Technical Systems

TitleTool-based Risk Assessment of Cloud Infrastructures as Socio-Technical Systems
Publication TypeBook Chapter
Year of Publication2015
AuthorsNidd M., Ivanova M.G, Probst C.W, Tanner A.
EditorKo R., Choo R.
Book TitleThe Cloud Security Ecosystem
Series TitleElsevier Science Direct
PublisherElsevier, Syngress
Keywordsattack trees, cloud computing, Risk Assessment, system models

Assessing risk in cloud infrastructures is difficult. Typical cloud infrastructures contain potentially thousands of nodes that are highly interconnected and dynamic. Another important component is the set of human actors who get access to data and computing infrastructure. The cloud infrastructure therefore constitutes a socio-technical system. Attacks on socio-technical systems are still mostly identified through expert brainstorming. However, formal risk assessment for systems including human actors requires modeling human behavior, which is difficult at best. In this chapter, we present a modeling exercise for cloud infrastructures using the socio-technical model developed in the TRESPASS project; after showing how to model typical components of a cloud infrastructure, we show how attacks are identified on this model and discuss their connection to risk assessment. The technical part of the model is extracted automatically from the configuration of the cloud infrastructure, which is especially important for systems so dynamic and complex.