DOI QR코드

DOI QR Code

가상화 환경 위험도 관리체계화를 위한 취약점 분석

The Vulnerability Analysis for Virtualization Environment Risk Model Management Systematization

  • 투고 : 2013.02.13
  • 심사 : 2013.06.03
  • 발행 : 2013.06.30

초록

최근 IT분야에서 클라우드 컴퓨팅 기술은 유연성, 효율성, 비용절감이라는 특징을 갖고 있어 현 사회에 빠르게 보급되고 있다. 그러나 클라우드 컴퓨팅 시스템은 보안의 취약점을 크게 갖고 있다. 본 연구에서는 클라우드 컴퓨팅 시스템 보안의 취약점 해결을 위해, 가상머신의 취약점에 대한 유형 및 영향분석 타입(impact type)을 정하고, 가상머신의 취약점에 대한 위험도 평가에 따른 우선순위를 정하였다. 취약점 분석을 위해서는 오픈프레임워크인 CVSS2.0을 기반으로 취약점에 대한 위험도 측정 기준을 정의하고 해당 취약점마다 점수를 매겨 위험도 측정을 체계화하였다. 제시된 취약점 위험도 기준은 취약점의 근본적인 특징을 제시하고 취약점에 대한 위험도를 제공하여 취약점 최소화를 위한 기술적 가이드를 작성하는 데에 활용 가능할 것으로 판단된다. 또한 제시된 취약점 위험도 기준은 연구내용 자체로 의미가 있으며 향후 추진될 기술 정책프로젝트에서 활용될 수 있다.

Recently in the field of IT, cloud computing technology has been deployed rapidly in the current society because of its flexibility, efficiency and cost savings features. However, cloud computing system has a big problem of vulnerability in security. In order to solve the vulnerability of cloud computing systems security in this study, impact types of virtual machine about the vulnerability were determined and the priorities were determined according to the risk evaluation of virtual machine's vulnerability. For analyzing the vulnerability, risk measurement standards about the vulnerability were defined based on CVSS2.0, which is an open frame work; and the risk measurement was systematized by scoring for relevant vulnerabilities. Vulnerability risk standards are considered to suggest fundamental characteristics of vulnerability and to provide the degree of risks and consequently to be applicable to technical guides to minimize the vulnerability. Additionally, suggested risk standard of vulnerability is meaningful as the study content itself and could be used in technology policy project which is to be conducted in the future.

키워드

참고문헌

  1. Jay Heiser and Mark Nicolett, "Assessing the Security Risks of Cloud Computing"', Research Gartner, June 2008.
  2. C.S Lim, "Cloud Computing Security Technology", Institute of Information Security and Cryptology, Vol.19, No.3. pp.14-17, 2009.
  3. J.I lim, "'A Study on Technological Development and Policy for Privacy Protection", Research Report, National Information Society Agency, 2004
  4. T.S Kim, H.J Jun, "Analysis on Information Security Manpower Policy by the Analytic Hierarchy Process", Institute of Communications and Information Sciences, Vol.31, No.5B, pp. 486-493, 2006.
  5. J.Y Na, "Use and Protection of Personal Information in Ubiquitous Computing Environment", Research Report, Korea Internet & Security Agency, 2009.
  6. E.J Yu, M.Y Yun, "'Cyber Security Strategies and Implications of Major Nation", CIO Report Vol.15, National Information Society Agency, 2009.
  7. K.C Kim, O. Heo, S.J Kim, "A Security Evaluation Criteria for Korean Cloud Computing Service", Institute of Information Security and Cryptology, Vol. 23, No. 2, pp.1-17, 2013.
  8. S.Y Shin, S.H Song, "A Priority Study for Applying Public Cloud Services in Korea by Mapping the SRM with Overseas Cloud Services in the Public Sector", Internet and Information Security, Vol.3, No. 3, pp.67-89, 2012
  9. K.Y kim, H.M Na, "The Job Analysis for Information Security Manager", Institute of Information Security and Cryptology, Vol. 10, No. 3, pp. 63-74, 2000.
  10. CSA(Cloud Security Alliance), "Top Threats to Cloud Computing V1.0", March 2010.
  11. CVE, http://cve.mitre.org/cve/index.html
  12. D.J Kim, S.J Cho, "An Analysis of Domestic and Foreign Security Vulnerability Management Systems based on a National Vulnerability Database", Internet and Information Security, Vol. 2, No.2, pp.130-147, 2010.
  13. CWE, http://cwe.mitre.org
  14. FIRST(Forum of Incident Response & Security Teams), http://www.first.org/cvss/cvss-guide.html
  15. Peter Mell, Sasha Romanosky, "A Complete Guide to the Common Vulnerability Scoring System Version 2.0", 2007
  16. K.T Jho. 'Analytic Hierarchy Process', Published Dong-hyen. 2003.
  17. Joel Kirch, "Virtual Machine Security Guidelines", The Center for Internet Security, September 2007
  18. J.Y Kim, "The Virtualization Technology Vulnerability Analysis of Cloud Computing Environment", Institute of Information Security and Cryptology, Vol. 19, No. 4, pp.72-77, 2009.
  19. Expertchoice Manuak. http://www.expertchoice.co.kr.