Jesus Luna, Hamza Ghani, Daniel Germanus, Neeraj Suri


Cloud computing is redefining the on-demand usage of remotely located and highly available computing resources by the user. Unfortunately, while the many economic and technological advantages are apparent, the migration of key-sector applications to the Cloud has been limited by a major show-stopper: the paucity of quantifiable metrics to evaluate the trade-offs (features, problems and economics) of security. Despite the obvious value of metrics for evaluating such trade-offs in different scenarios, a formal, standards-based approach to security metrics in the Cloud is much harder to achieve and remains very much an open issue. This paper presents our views on the importance of, and the challenges in, developing a security metrics framework for the Cloud, also taking into account our ongoing research with organizations like the Cloud Security Alliance and European projects like ABC4Trust, CoMiFin and INSPIRE. This paper also introduces the basic building blocks of a proposed security metrics framework for elements such as a Cloud provider's security assessment, taking into account the different service and deployment models of the Cloud.



Paper Citation

in Harvard Style

Luna J., Ghani H., Germanus D. and Suri N. (2011). A Security Metrics Framework for the Cloud. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2011), ISBN 978-989-8425-71-3, pages 245-250. DOI: 10.5220/0003446902450250

in BibTeX Style

@inproceedings{luna2011securitymetrics,
author={Jesus Luna and Hamza Ghani and Daniel Germanus and Neeraj Suri},
title={A Security Metrics Framework for the Cloud},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2011)},
year={2011},
pages={245-250},
isbn={978-989-8425-71-3},
doi={10.5220/0003446902450250},
}

in EndNote Style

TY - CONF
TI - A Security Metrics Framework for the Cloud
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2011)
SN - 978-989-8425-71-3
AU - Luna J.
AU - Ghani H.
AU - Germanus D.
AU - Suri N.
PY - 2011
SP - 245
EP - 250
DO - 10.5220/0003446902450250