Title: 雲端服務風險評估模式建立之研究 (A study on developing a cloud service risk assessment model)
Author: 羅邵晏 (Lo, Shao Yen)
Advisor: 林我聰
Keywords: 雲端運算 (Cloud Computing); 雲端服務風險 (Cloud Service Risk); 風險評估 (Risk Assessment); 服務商評選 (Service Provider Selection); 皮爾森相關 (Pearson Correlation)
Date: 2012
Uploaded: 1 March 2013 09:24:53 (UTC+8)

Abstract (translated from the Chinese):
"Cloud computing" and its related application services have received considerable attention from industry. At the same time, governments around the world have successively launched national programmes to develop the cloud computing industry. However, much of the literature tells us that the information security issues of cloud computing also need attention. Information security under the cloud computing architecture differs somewhat from what came before, and deserves to be studied in its own right. The European Network and Information Security Agency (ENISA) published a cloud service risk assessment report (CCSRA, Cloud Computing Security Risk Assessment) in 2009; that report was also cited by the Cloud Security Alliance (CSA), which launched the industry's first cloud service risk standard (CCSK, Certificate of Cloud Security Knowledge). The assessment report defines each risk and its causes and consequences quite completely, but it offers no complete quantitative model for organisations to carry out a quantitative assessment or to predict the operation of the whole cloud service risk system. The purposes of this study are therefore: 1. to build a quantitative model that predicts risks related to cloud services, so that business owners can take countermeasures early; 2. to use the Pearson correlation coefficient to analyse the degree of causal influence between individual risks, vulnerabilities and assets, as a reference for organisations when allocating resources.
Abstract (author's English version):
"Cloud Computing" and its application services are considered important by industry. Governments have also launched plans to develop the cloud computing industry. However, the literature tells us that cloud computing security issues also need attention. Security issues in the cloud computing architecture differ from those in traditional information systems, so they are worth studying. In 2009, the European Network and Information Security Agency (ENISA) announced a report named "Cloud Computing Security Risk Assessment", and this report was referenced by the Cloud Security Alliance (CSA). The report is quite complete in its definition of each risk and its causes and effects, but no complete quantitative model exists for an organization to assess or predict its cloud service risk. Therefore, the purposes of this study are as follows: 1. developing a cloud service risk assessment model to predict cloud service risks; 2. using the Pearson Correlation Coefficient to analyze the impact between risks, vulnerabilities and assets for the allocation of resources.

References:
林育震 (2010), 『掌控風險 發揮雲端效益』, Communications of the CCISA, vol. 16 no. 4, pp. 138-149
張春雄、林顯達、黃新宗、劉美芳 (2003), 『風險管理』, 吉田出版社
陳瑞、周林毅 (2007), 『風險評估與決策管理』, 五南圖書出版公司
黃清賢 (2003), 『危害分析與風險評估操作手冊』, 新文京開發出版股份有限公司
蔡一郎 (2010), 『雲端運算與雲端服務風險架構』, Communications of the CCISA, vol. 16 no. 4, pp. 84-93
賴世培、詹志禹 (2011), 『應用統計(全)』, 中華電視股份有限公司
A. Avizienis, J. Laprie, B. Randell (2000), 'Fundamental concepts of dependability', Proceedings of the 3rd Information Survivability Workshop
A. Rosenthal, P. Mork, M.H. Li, J. Stanford, D. Koester, P. Reynolds (2010), 'A new business paradigm for biomedical information sharing', Journal of Biomedical Informatics 43(2), pp. 324-353
IBM (2009), 'Red Book - Cloud Security Guidance - IBM Recommendations for the Implementation of Cloud Security', IBM
C.S. Yoo (2011), 'Cloud Computing: Architectural and Policy Implications', Rev Ind Organ 38(4), pp. 405-421
CSA (2010), 'Top Threats To Cloud Computing', Cloud Security Alliance
ENISA (2009), 'Cloud Computing Security Risk Assessment', European Network and Information Security Agency
D. Zissis, D. Lekkas (2011), 'Securing e-Government and e-Voting with an open cloud computing architecture', Government Information Quarterly 28, pp. 239-251
European Parliament (1995), 'Directive 95/46/EC of the European Parliament', European Parliament
L. Iuga (2010), 'The Analysis Of The Correlation Between The Level Of The Bank Fees For Cards And The Number Of Active Cards, Conducted With The Help Of The Pearson Coefficient', Annales Universitatis Apulensis Series Oeconomica 12(1), pp. 397-404
L. Egghe, L. Leydesdorff (2009), 'The Relation Between Pearson's Correlation Coefficient r and Salton's Cosine Measure', Journal of the American Society for Information Science and Technology 60(5), pp. 1027-1036
L.M. Vaquero, L. Rodero-Merino, D. Morán (2011), 'Locking the sky: a survey on IaaS cloud security', Computing 91(1), pp. 93-118
L.M. Vaquero, L. Rodero-Merino, J. Caceres, M. Lindner (2009), 'A Break in the Clouds: Towards a Cloud Definition', ACM SIGCOMM Computer Communication Review 39(1), pp. 50-55
N. Mayer, P. Heymans, R. Matulevičius (2007), 'Design of a Modelling Language for Information System Security Risk Management', Proceedings of the 1st International Conference on Research Challenges in Information Science (RCIS 2007), Ouarzazate, Morocco, April
NIST SAJACC and BUC Working Groups (2011), 'NIST US Government Cloud Computing Technology Roadmap Volume III - Technical Considerations for USG Cloud Computer Deployment Decisions', National Institute of Standards and Technology
OWASP Cloud Top Ten Project (2012), 'Cloud Top 10 Security Risks', The Open Web Application Security Project
NIST (2011), 'NIST Definition of Cloud Computing', National Institute of Standards and Technology
G. Purdy (2010), 'ISO 31000:2009 - Setting a New Standard for Risk Management', Risk Analysis 30(6), pp. 881-886
R.K. Chellappa, A. Gupta (2002), 'Managing computing resources in active intranets', International Journal of Network Management 12(2), pp. 117-128
S. Paquette, P.T. Jaeger, S.C. Wilson (2010), 'Identifying the security risks associated with governmental use of cloud computing', Government Information Quarterly 27(3), pp. 245-253
T. Schoenherr (2009), 'Logistics and Supply Chain Management Applications Within a Global Context: An Overview', Journal of Business Logistics 30(2), pp. 1-IV
Y.C. Stamatiou, E. Henriksen, M.S. Lund, E. Mantzouranis, M. Psarros, E. Skipenes, N. Stathiakis, K. Stølen (2002), 'Experiences from using model-based risk assessment to evaluate the security of a telemedicine application', Proceedings of Telemedicine in Care Delivery (TICD)
L.O. Yusuf, O. Folorunso, A. Akinwale, I.A. Adejumobi (2011), 'Visualizing and Assessing a Compositional Approach to Service-Oriented Business Process Design Using Unified Modelling Language (UML)', Computer and Information Science 4(3), pp. 43-59

Degree: Master's
Institution: 國立政治大學 (National Chengchi University)
Department: 資訊管理研究所 (Graduate Institute of Management Information Systems)
Student ID: 98356027
Academic year: 101
Source: http://thesis.lib.nccu.edu.tw/record/#G0983560271
Type: thesis
Identifier: G0983560271
URI: http://nccur.lib.nccu.edu.tw/handle/140.119/57045
Language (record field): en_US

Table of contents (translated from the Chinese):
Acknowledgements
Abstract (Chinese)
Abstract
Contents
List of Figures
List of Tables
1. Introduction
  1.1 Research background
  1.2 Research motivation
  1.3 Research purpose
2. Literature review
  2.1 Cloud service models
    2.1.1 Definition of cloud computing
    2.1.2 Cloud computing service models
  2.2 Concepts and procedures of risk management
    2.2.1 Definition of risk management
    2.2.2 Steps of risk management
  2.3 Concepts and goals of information security risk management
    2.3.1 Risk management concepts
    2.3.2 Criteria that protected assets should meet
  2.4 Cloud service risks
    2.4.1 Cloud service risks
    2.4.2 High-level cloud service risks
3. Research method
  3.1 Research process
  3.2 Research limitations and assumptions
  3.3 Questionnaire design
  3.4 Method for building the risk assessment model
    3.4.1 Pearson correlation
    3.4.2 Research model diagram
4. Building the risk assessment model
  4.1 Identifying vulnerabilities, risks and assets
  4.2 Basic data analysis
  4.3 Model construction
  4.4 Comparison of this model with the OWASP model
    4.4.1 Calculation of vendor rankings for the comparison group
    4.4.2 Comparison of vendor rankings between the experimental group and the comparison group
  4.5 Model application
  4.6 Management implications
5. Conclusions and future research
  5.1 Conclusions
  5.2 Future research directions
References
Appendix (questionnaire)