Development and Evaluation of a Dynamic Security Evaluation System for the Cloud System Operation

Because of today's sophisticated cyberattacks, IT systems are required to take security into special consideration from the design stage to the operational stage. Therefore, industry organizations as well as governments recommend that IT systems comply with the security standards. It is necessary for the system operator of an IT system to comprehend these security standards and to verify that specific security functions for the proper system configuration are selected and implemented appropriately. The operator is expected to perform corresponding work for the cloud system, where the system configuration can be changed flexibly and quickly when necessary. However, the verification method of security functions based on the security standards depends on the system configuration. Because each of the flexible changes of the cloud system configuration needs specific security functions and verification of installations, it is difficult for the system operator to take full advantage of the cloud infrastructure and it may result in burden of the system operator. Therefore, in order to maintain security functions by taking advantage of the cloud infrastructure, we propose a security evaluation method to verify security functions automatically based on the modeled system configuration and the security standards by tracking the log analysis of an IT system in operation constructed on the cloud infrastructure. We developed a support tool to ensure that the system complies with the security standard. Moreover, we show the effectiveness of the proposed method by an experimental evaluation on the cloud infrastructure.