Cloud Security

Cloud Security
Software quality problems, wide impact vulnerabilities, phishing, botnets and criminal enterprise have proven that software and system security is not just an add-on despite past focus of the security industry. Cloud computing introduces a whole ecosystem of clients, services and infrastructure, where trust boundaries are moved even further into components, where physical location or even ownership is unknown. Add-on security therefore becomes more futile than it ever was. There is no place where these add-on components would reside.

Security, trust, dependability and privacy are issues that have to be considered over the whole life-cycle of the system and software development from gathering requirements to deploying the system and service in practice. Doing this does not only make us safer and secure but improves overall system quality and development efficiency. The Security Development Life-cycle (SDL) has only recently been recognized as the way forward, replacing ineffective point solutions. A benchmark for these efforts, the Building Security In Life-cycle Maturity Model (BSIMM) has just been launched to set standards for security initiatives. Building a mature security initiative is not cheap - the most mature one, Microsoft SDL required spending billions of dollars to implement. Smaller vendors, especially in the SME sector, cannot afford the same luxury of time and money to develop their own security initiatives and may lose their competitive edge.

Many of recent security initiatives have been relatively open and can be leveraged to help the Finnish Industry and to initiate new business. Finland has pioneered research in Security Metrics, Vulnerability, Managing Complexity, Security as a Quality Aspect and Software Robustness areas. This research can therefore be applied directly to be a part of new, improved SDLs. There is a desire to improve software and system development life-cycle efficiency so those efforts can drive security and security can support them.

The main objectives of the Cloud Security Theme are to develop:
  • A feasible Secure Development Lifecycle methodology supporting agile and lean SW development, and
  • Vulnerability, complexity and robustness management and risk-driven security metrics methodologies and tools that help developers to achieve adequate security, trust, dependability and privacy goals cloud computing environment.

Juha Röning
Oulu University Secure Programming Group

Reijo Savola
Senior Research Scientist