Derivation of Security Requirements for Cloud Managing Security Services System by Threat Modeling Analysis

  • Jang Hwan (Department of Information Science, Korea National Open University)
  • Received : 2020.07.03
  • Accepted : 2020.08.11
  • Published : 2021.05.31

Abstract

Recently, Cloud Managing Security Services Systems have increasingly been introduced to respond to security threats in cloud computing environments. Accordingly, the security requirements for the Cloud Managing Security Services System need to be analyzed. However, existing research does not reflect the virtual environment of the cloud or the data flow of the Cloud Managing Security Services System in the process of deriving the requirements. To solve this problem, the threat modeling analysis must identify the information assets of the Cloud Managing Security Services System, visualize the detailed components of the cloud virtual environment, and analyze security threats in a way that reflects the data flow. This paper therefore derives the security requirements of the Cloud Managing Security Services System through a threat modeling analysis that improves on existing research.
