Work Research

Identification and Analysis of the Key Influencing Factors on Technical Security Risk of Personal Cloud Storage Service

  • Cheng Huiping,
  • Peng Qi
  • 1. School of Economics and Management, Hubei University of Technology, Wuhan 430068;
    2. School of Public Management, Northwest University, Xi'an 710127
Cheng Huiping (ORCID: 0000-0003-4631-7997), professor, PhD, E-mail: chenghuiping@nwu.edu.cn; Peng Qi (ORCID: 0000-0001-5628-3482), master's student.

Received date: 2018-10-30

Revised date: 2019-02-21

Online published: 2019-08-20

Funding

This paper is one of the research outcomes of the National Natural Science Foundation of China Youth Project "Research on the Usage Behavior Mechanism and Security Risk Control of Cloud Storage Services for Individual Users" (Project No. 71603075).

Abstract

[Purpose/significance] In recent years, technical security problems in personal cloud storage services have become common and have seriously reduced users' continued use of these services. Identifying and analyzing the key factors that influence the technical security risk of personal cloud storage services is of practical significance for providers seeking to offer secure cloud storage and increase user stickiness. [Method/process] Based on a literature survey, expert interviews, Gartner's cloud computing security reports, and cloud computing security frameworks and standards (ENISA, CSA, FedRAMP, MTCS), an indicator system of technical security risk factors for personal cloud storage services is constructed. The direct influence matrix among the influencing factors in this risk evaluation system is obtained through an expert questionnaire survey. The Fuzzy-DEMATEL method is then applied to analyze the causal relationships and degree of importance of the influencing factors and to identify the key ones. [Result/conclusion] The key influencing factors of technical security risk in personal cloud storage services are: access control, service/account hijacking, software security risk, virtualization vulnerability, and data transmission security. Finally, based on the empirical conclusions, feasible technical advice is offered to personal cloud storage service providers for building secure cloud storage services. This study enriches the theoretical research on security risk in personal cloud storage services and provides a practical reference for providers in safeguarding user data.

Cite this article

Cheng Huiping, Peng Qi. Identification and Analysis of the Key Influencing Factors on Technical Security Risk of Personal Cloud Storage Service[J]. Library and Information Service (图书情报工作), 2019, 63(16): 43-53. DOI: 10.13266/j.issn.0252-3116.2019.16.005
