PhD Defence Yasir Haq | Measuring Security and Resilience in Cloud Outsourcing for Data-driven Risk Management

MEASURING SECURITY AND RESILIENCE IN CLOUD OUTSOURCING FOR DATA-DRIVEN RISK MANAGEMENT

The PhD defence of Yasir Haq will take place in the Waaier Building of the University of Twente and can be followed by a live stream.

Yasir Haq is a PhD student in the Department of Industrial Engineering & Business Information Systems. (Co)Promotors are prof.dr.ir. L.J.M. Nieuwenhuis and dr. A. Abhishta from the Faculty of Behavioural, Management and Social Sciences.

The growing reliance on the Internet over the past two decades has spurred the development of new technologies, including cloud computing. As Internet access became more widespread and affordable, increasingly complex activities moved online. We now use the Internet not only for communication and entertainment but also for critical business operations and even remote medical treatment.

These demands require larger, faster, and more reliable computing infrastructures, which typically involve significant upfront and operational costs. Cloud computing addresses this challenge by using virtualization technology to turn large physical infrastructures into smaller, virtual ones that can be offered to consumers as services. This model provides many benefits, including affordability, flexibility, and reliability, making cloud services essential for businesses and integral to the global economy.

However, the benefits of cloud services often overshadow their associated risks. Past incidents have demonstrated that cloud infrastructures are not immune to cyberattacks. In fact, attacks targeting cloud services can have a widespread impact, potentially disrupting large portions of the Internet ecosystem. Moreover, like other outsourcing models, cloud outsourcing introduces unique risks—such as legal and political risks—that traditional on-premise models do not face. Despite these challenges, our reliance on cloud services continues to grow, leading to a concentrated, oligopolistic market dominated by a few major cloud providers. Only giant providers have the resources to leverage economies of scale, i.e., building advanced infrastructures and lowering costs, allowing them to offer quality services at competitive prices and dominate the market. Given this centralization and the critical role of cloud services, it is essential to evaluate the security and resilience of the cloud outsourcing ecosystem.

In Chapter 1, we elaborate on the key issues that motivate this research. We define the main research question, which is further broken down into sub-questions. We also outline the approach taken to address each sub-question and specify in which chapter the discussions take place. The main research question is as follows: “How secure and resilient is the cloud outsourcing ecosystem?” Our approach to answering this question focuses on assessing the risks inherent in cloud outsourcing and evaluating the strategies employed to manage these risks.

Our first contribution is characterizing the state-of-the-art in risks and risk management techniques for cloud consumers. In Chapter 2, we conduct a systematic review to summarize and categorize the risks associated with cloud outsourcing as discussed in the literature. Additionally, we survey various risk management techniques, focusing specifically on those applicable to cloud consumers. Since cloud consumers have limited control over cloud infrastructures, not all risk management techniques are relevant or feasible for them. This review helps to identify which techniques are most suitable for their unique circumstances.

Our second contribution is measuring risk in cloud outsourcing by estimating the magnitude of two relevant cyber risks using empirical data. In Chapter 3, we assess the risk of malware infection by evaluating the detection performance of cloud-based malware scanners. We analyze how effective these scanners are at identifying malware and explore whether using multiple scanners can enhance detection. In Chapter 4, we focus on the risk of DDoS attacks by examining how the industry sector and popularity of a target influence DDoS victimization. By profiling DDoS targets recorded by a network telescope over five years, we identify industry sectors facing higher DDoS threats. Our findings demonstrate that a cloud provider’s customer portfolio significantly impacts the likelihood of DDoS attacks.

Our third contribution is measuring the strategies adopted by cloud consumers. We utilize Internet measurement data to analyze the reactive and proactive strategies cloud consumers use to enhance the security, resilience, and sovereignty of their networks. In Chapter 5, we examine the reactions of Dyn customers following a DDoS attack that disrupted both the provider’s services and those of its consumers. We profile the customers to reveal how different industry sectors influenced their reactive strategies after the downtime. In Chapter 6, we investigate how network operators in Russia and Ukraine anticipated disruptions caused by the armed conflict. We discover that certain proactive measures were taken well before the conflict began, likely motivated by concerns over security, resilience, or sovereignty.

As cloud consumers, organizations remain responsible for managing certain risks that are not transferred to the providers. Our research demonstrates that using empirical data from network and Internet measurements can assist cloud consumers in addressing complex risk management tasks, particularly risk assessment, which often depends on expert opinions. For instance, consumers can leverage our findings to estimate risks based on their industry sectors, helping them determine the appropriate investment in security solutions. However, there are many other risks that cloud consumers must manage, and the techniques applicable to them are still limited. Therefore, we propose extending our methodology to empirically measure additional risks while also developing more solutions to help cloud consumers mitigate these risks effectively.