Improving tenants' trust in SaaS applications using dynamic security monitors

Mohamed Almorsy Abdelrazek; John Grundy; Amani S. Ibrahim

doi:10.1109/ICECCS.2015.18

Improving tenants' trust in SaaS applications using dynamic security monitors

Mohamed Almorsy Abdelrazek
, John Grundy
, Amani S. Ibrahim

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

1 Citation (Scopus)

Abstract

It is almost impossible to prove that a given software system achieves an absolute security level. This becomes more complicated when addressing multi-tenant cloud-based SaaS applications. Developing practical security properties and metrics to monitor, verify, and assess the behavior of such software systems is a feasible alternative to such problem. However, existing efforts focus either on verifying security properties or security metrics but not both. Moreover, they are either hard to adopt, in terms of usability, or require design-time preparation to support monitoring of such security metrics and properties which is not feasible for SaaS applications. In this paper, we introduce, to the best of our knowledge, the first unified monitoring platform that enables SaaS application tenants to specify, at run-time, security metrics and properties without design-time preparation and hence increases tenants' trust of their cloud-assets security. The platform automatically converts security metrics and properties specifications into security probes and integrates them with the target SaaS application at run-time. Probes-generated measurements are fed into an analysis component that verifies the specified properties and calculates security metrics' values using aggregation functions. This is then reported to SaaS tenants and cloud platform security engineers. We evaluated our platform expressiveness and usability, soundness, and performance overhead.

Original language	English
Title of host publication	Proceedings - 2015 20th International Conference on Engineering of Complex Computer Systems, ICECCS 2015
Editors	Yuan-Fang Li
Place of Publication	Piscataway NJ USA
Publisher	IEEE, Institute of Electrical and Electronics Engineers
Pages	70-79
Number of pages	10
ISBN (Electronic)	9781467385817
DOIs	https://doi.org/10.1109/ICECCS.2015.18
Publication status	Published - 2015
Externally published	Yes
Event	IEEE International Conference on Engineering of Complex Computer Systems 2015 - Gold Coast, Australia Duration: 9 Dec 2015 → 11 Dec 2015 Conference number: 20th http://iceccs2015.monash.edu.au/2015/index.jsp https://ieeexplore.ieee.org/xpl/conhome/7381588/proceeding (Proceedings)

Conference

Conference	IEEE International Conference on Engineering of Complex Computer Systems 2015
Abbreviated title	ICECCS 2015
Country/Territory	Australia
City	Gold Coast
Period	9/12/15 → 11/12/15
Internet address	http://iceccs2015.monash.edu.au/2015/index.jsp https://ieeexplore.ieee.org/xpl/conhome/7381588/proceeding (Proceedings)

Keywords

Cloud computing monitoring
run-time verification
security metrics
Security monitoring

Access to Document

10.1109/ICECCS.2015.18

Cite this

Abdelrazek, M. A., Grundy, J., & Ibrahim, A. S. (2015). Improving tenants' trust in SaaS applications using dynamic security monitors. In Y.-F. Li (Ed.), Proceedings - 2015 20th International Conference on Engineering of Complex Computer Systems, ICECCS 2015 (pp. 70-79). Article 7384231 IEEE, Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/ICECCS.2015.18

@inproceedings{b2db0d8dfe5e435baf2d002d241ab9cf,

title = "Improving tenants' trust in SaaS applications using dynamic security monitors",

abstract = "It is almost impossible to prove that a given software system achieves an absolute security level. This becomes more complicated when addressing multi-tenant cloud-based SaaS applications. Developing practical security properties and metrics to monitor, verify, and assess the behavior of such software systems is a feasible alternative to such problem. However, existing efforts focus either on verifying security properties or security metrics but not both. Moreover, they are either hard to adopt, in terms of usability, or require design-time preparation to support monitoring of such security metrics and properties which is not feasible for SaaS applications. In this paper, we introduce, to the best of our knowledge, the first unified monitoring platform that enables SaaS application tenants to specify, at run-time, security metrics and properties without design-time preparation and hence increases tenants' trust of their cloud-assets security. The platform automatically converts security metrics and properties specifications into security probes and integrates them with the target SaaS application at run-time. Probes-generated measurements are fed into an analysis component that verifies the specified properties and calculates security metrics' values using aggregation functions. This is then reported to SaaS tenants and cloud platform security engineers. We evaluated our platform expressiveness and usability, soundness, and performance overhead.",

keywords = "Cloud computing monitoring, run-time verification, security metrics, Security monitoring",

author = "Abdelrazek, \{Mohamed Almorsy\} and John Grundy and Ibrahim, \{Amani S.\}",

year = "2015",

doi = "10.1109/ICECCS.2015.18",

language = "English",

pages = "70--79",

editor = "Yuan-Fang Li",

booktitle = "Proceedings - 2015 20th International Conference on Engineering of Complex Computer Systems, ICECCS 2015",

publisher = "IEEE, Institute of Electrical and Electronics Engineers",

address = "United States of America",

note = "IEEE International Conference on Engineering of Complex Computer Systems 2015, ICECCS 2015 ; Conference date: 09-12-2015 Through 11-12-2015",

url = "http://iceccs2015.monash.edu.au/2015/index.jsp, https://ieeexplore.ieee.org/xpl/conhome/7381588/proceeding",

}

Abdelrazek, MA, Grundy, J & Ibrahim, AS 2015, Improving tenants' trust in SaaS applications using dynamic security monitors. in Y-F Li (ed.), Proceedings - 2015 20th International Conference on Engineering of Complex Computer Systems, ICECCS 2015., 7384231, IEEE, Institute of Electrical and Electronics Engineers, Piscataway NJ USA, pp. 70-79, IEEE International Conference on Engineering of Complex Computer Systems 2015, Gold Coast, Queensland, Australia, 9/12/15. https://doi.org/10.1109/ICECCS.2015.18

Improving tenants' trust in SaaS applications using dynamic security monitors. / Abdelrazek, Mohamed Almorsy; Grundy, John; Ibrahim, Amani S.
Proceedings - 2015 20th International Conference on Engineering of Complex Computer Systems, ICECCS 2015. ed. / Yuan-Fang Li. Piscataway NJ USA: IEEE, Institute of Electrical and Electronics Engineers, 2015. p. 70-79 7384231.

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - Improving tenants' trust in SaaS applications using dynamic security monitors

AU - Abdelrazek, Mohamed Almorsy

AU - Grundy, John

AU - Ibrahim, Amani S.

N1 - Conference code: 20th

PY - 2015

Y1 - 2015

N2 - It is almost impossible to prove that a given software system achieves an absolute security level. This becomes more complicated when addressing multi-tenant cloud-based SaaS applications. Developing practical security properties and metrics to monitor, verify, and assess the behavior of such software systems is a feasible alternative to such problem. However, existing efforts focus either on verifying security properties or security metrics but not both. Moreover, they are either hard to adopt, in terms of usability, or require design-time preparation to support monitoring of such security metrics and properties which is not feasible for SaaS applications. In this paper, we introduce, to the best of our knowledge, the first unified monitoring platform that enables SaaS application tenants to specify, at run-time, security metrics and properties without design-time preparation and hence increases tenants' trust of their cloud-assets security. The platform automatically converts security metrics and properties specifications into security probes and integrates them with the target SaaS application at run-time. Probes-generated measurements are fed into an analysis component that verifies the specified properties and calculates security metrics' values using aggregation functions. This is then reported to SaaS tenants and cloud platform security engineers. We evaluated our platform expressiveness and usability, soundness, and performance overhead.

AB - It is almost impossible to prove that a given software system achieves an absolute security level. This becomes more complicated when addressing multi-tenant cloud-based SaaS applications. Developing practical security properties and metrics to monitor, verify, and assess the behavior of such software systems is a feasible alternative to such problem. However, existing efforts focus either on verifying security properties or security metrics but not both. Moreover, they are either hard to adopt, in terms of usability, or require design-time preparation to support monitoring of such security metrics and properties which is not feasible for SaaS applications. In this paper, we introduce, to the best of our knowledge, the first unified monitoring platform that enables SaaS application tenants to specify, at run-time, security metrics and properties without design-time preparation and hence increases tenants' trust of their cloud-assets security. The platform automatically converts security metrics and properties specifications into security probes and integrates them with the target SaaS application at run-time. Probes-generated measurements are fed into an analysis component that verifies the specified properties and calculates security metrics' values using aggregation functions. This is then reported to SaaS tenants and cloud platform security engineers. We evaluated our platform expressiveness and usability, soundness, and performance overhead.

KW - Cloud computing monitoring

KW - run-time verification

KW - security metrics

KW - Security monitoring

UR - https://www.scopus.com/pages/publications/84964898422

U2 - 10.1109/ICECCS.2015.18

DO - 10.1109/ICECCS.2015.18

M3 - Conference Paper

SP - 70

EP - 79

BT - Proceedings - 2015 20th International Conference on Engineering of Complex Computer Systems, ICECCS 2015

A2 - Li, Yuan-Fang

PB - IEEE, Institute of Electrical and Electronics Engineers

CY - Piscataway NJ USA

T2 - IEEE International Conference on Engineering of Complex Computer Systems 2015

Y2 - 9 December 2015 through 11 December 2015

ER -

Improving tenants' trust in SaaS applications using dynamic security monitors

Abstract

Conference

Keywords

Access to Document

Other files and links

Cite this