Authors: Shin-Jer Yang, Ya-Hui Yeh
A "Cloud Platform" shares resources through Internet access and supplies users with on-demand computing resources according to the service types provided by the Cloud Service Provider (CSP). The security issues that arise on cloud platforms are therefore more serious, and identifying vulnerability risks makes it possible to classify threat paths and to identify and assess possible attack paths. Building on Extended Attack Tree (EAT) Analysis, this paper proposes the Novel Attack Tree (NAT) Analysis scheme, which calculates the threat and vulnerability events that affect Cloud Platform Service Security incidents and uses the characteristics of the NAT Analysis to defend against and detect these security events. The paper takes software as a service (SaaS) as an example, analyzes its security threats, and obtains the security risk assessment level. The NAT Analysis is also shown to assess the risk value on the cloud platform effectively. Following the threat report of the Cloud Security Alliance (CSA), the risk factors of the cloud platform are simulated to obtain the threat paths, the impact on assets is analyzed quantitatively with the NAT Analysis, and finally the weight of the risk value is obtained and the levels are sorted according to that value. A comparison with the EAT Analysis further shows that the NAT Analysis can provide information security risk analysis that the EAT Analysis cannot, can increase the availability of risk assessment, and is expected to bring more secure cloud services to the cloud platform.
Keywords: Novel Attack Tree Analysis; Cloud Security Risk Analysis; Information Security; Cloud Platform