My research interests covers the quantitative security risk assessment for distributed/networked computing systems with the focus on Cloud computing.
While the Cloud is pervasively used, the lack of security guarantees continues to remain an impediment for the Cloud’s use as a trusted platform. From the customer’s perspective, the need is of measurable and actionable assurance on the security measures (access control, levels of data integrity etc). From the service provider’s perspective, providing security assurance is a non-trivial issue given the multitude of threats surfaces and service chain elements to consider. As Cloud services are typically delivered over the classical Internet protocols, thus the attack surfaces also need to include threats at the level of the Internet (as a communication/services conduit) as well as those introduced by the multi-customer resource sharing and management paradigms such as virtualization.
One of the methods to provide security assurance is by evaluating the system for vulnerabilities that can be exploited by adversaries. Consequently, we conduct (currently at the IaaS level) threat analysis to (a) systematically identity system weaknesses, and (b) develop associated techniques to mitigate risks that can undermine the desired security goals. This is currently conducted with a customer-centric viewpoint and also involves proposing customer measurable security quantifiers to assess the risk levels. An additional objective is to explore the cascading effect of threats i.e., threats that can be induced by vulnerable interactions amongst the services and propagate across the system.