ULB | iCite

I. Description of ULB/ICITE

The International Centre for Innovation, Technology and Education Studies (iCite) of the Solvay Brussels School of Economics and Management at Université Libre de Bruxelles aims at a better understanding of the drivers of innovation and welfare in our society. It gathers academics who perform multidisciplinary research and training services. Its theoretical and empirical analyses aim at a better understanding of the economics, management and history of innovation, knowledge generation and knowledge diffusion. Based on the outcomes of its research and on the expertise of its members, iCite also provides advice and recommendations to policy makers and business leaders. The IT Management Education unit within Solvay Brussels School of Economics and Management has been delivering education since 2003 in the domains of IT and Information Security Management (solvay.edu/IT). Its research activities have mainly been conducted within the ISACA and ITGI research foundations (isaca.org and itgi.org) since 2004.

II. Key persons in the project

Professor Nicolas van Zeebroeck started his career as an IT consultant at Capgemini. He was appointed a full-time professor at Solvay Brussels School of Economics and Management (SBS-EM) at Université Libre de Bruxelles (ULB) in 2011, where he teaches innovation, information systems and the economics of digitization. He holds a Master in Business Engineering (SBS-EM, 2001) and a PhD in Economics and Management (ULB, 2008), and spent 2 years as a research fellow at IRIDIA, working on data and text mining problems in the team of Hugues Bersini. He was a postdoctoral researcher at FNRS from 2009 to 2011 and a visiting scholar at the Georgia Institute of Technology, where he still maintains several active scientific collaborations. His research and teaching focus on the economics and strategy of innovation and digitization. He looks more specifically at digital innovation (i.e. the use of computers to innovate), including the impact of information and communication technology on industries, organizations, business processes and business models. His research has appeared in international scientific journals such as Management Science, Research Policy, Economics of Innovation and New Technology, Information Economics and Policy and Pattern Recognition, and has been presented at over 30 international conferences.

Professor Georges Ataya founded, and is academic director of, IT Management Education and Information Security Management Education within the Executive Education group at SBS-EM. His research activity has included COBIT 4.1, the IT Governance framework (2004), and Value Governance of IT Enabled investment (Val IT, 2007). He participated in the creation of the body of knowledge for the Information Systems Management certificate (CISM, 2002), which has more than 25000 certified professionals worldwide. He also produced the first review manual for preparing for the examination for the Certificate in the Governance of Enterprise IT (CGEIT, 2008), which has more than 6000 certified professionals worldwide.

III. Contributions

PART 1:

  • Topic: Introduction to Cloud Security Management
  • Structured overview:
    • Introduction to Cloud Computing
    • Introduction to Cloud Security
    • Significance of security in the Cloud
    • Traditional and Cloud information system
    • Disparities arising from the underlying technology
    • Disparities arising from the service delivery model
    • Disparities arising from the deployment model
    • Disparities arising from the key characteristics
  • Short abstract: In this deliverable, we introduce the notion of Cloud computing technology through related technologies and through the Cloud architecture. We compare on-premise and Cloud computing infrastructures. We argue that applications processed in the Cloud have similar security implications for the business as traditional outsourcing. Nevertheless, we also argue that Cloud computing generates additional risks. The distributed and multi-tenant nature of Cloud computing, the prevalence of remote access to Cloud computing services and the number of entities involved in each process make Cloud computing inherently more vulnerable to both internal and external security threats than other paradigms. Cloud security is a complex matter with numerous dimensions related to the model architecture, virtualization, multi-tenancy, elasticity and the layer dependency stack.
  • Volume: 16207 words
  • Link: https://owncloud.ulb.ac.be/index.php/f/27269720

PART 2:

  • Topic: Cloud Risk Management Process, Security Requirements and Asset Identification
  • Structured overview:
    • Risk Management Process
      • Architecting and Establishing the Risk Management Program (Plan)
      • Implement and Operate (Do)
      • Monitoring and Review (Check, Act)
    • Cloud Security Requirements
      • Confidentiality requirement
      • Integrity requirement
      • Availability requirement
      • Scalability requirement
      • Accountability requirement
      • Maintainability requirement
      • Compliance requirement
      • Transparency requirement
      • Isolation requirement
      • Intervenability requirement
      • Portability requirement
      • Privacy requirement
    • Asset Identification
  • Short abstract: The first part of this deliverable is dedicated to designing a Risk Management methodology. The framework that has been conceived is centred around a standard quality management (Plan, Do, Check, Act) cycle of continuous improvement. The methodology has been specifically designed for Cloud technologies. It is composed of seven processes: Processes-selecting relevant critical areas, Strategy and planning, Risk identification, Risk assessment, Risk mitigation, Assessing and monitoring program, and Risk management review. The second part of this deliverable focuses on the identification of security requirements or objectives dedicated to a distributed system such as the Cloud. Security in general is related to the important aspects of confidentiality, integrity and availability. These three aspects thus become building blocks to be used in designing secure systems. Moreover, due to the specificities of Cloud computing, other system requirements and aspects have to be covered, such as scalability, accountability, maintainability, compliance, transparency, isolation, intervenability, portability and privacy. Lastly, the third part of this deliverable is motivated by the identification of Cloud assets, along with their classification in terms of criticality and sensitivity.
  • Volume: 17102 words
  • Link: https://owncloud.ulb.ac.be/index.php/f/27269723

PART 3:

  • Topic: Processes-selecting relevant Security Critical Areas
  • Structured overview:
    • Compliance Security Area
    • Governance Security Area
    • Network Security Area
    • Virtualization Security Area
    • Web services and API Security Area
    • Software development Security Area
    • Identity and Access management Security Area
    • Key management Security Area
    • Service scaling Security Area
    • Service availability Security Area
    • Legal and privacy Security Area
    • Data Security Area
    • Multi-Cloud Security Area
    • Underlying infrastructure Security Area
  • Short abstract: Conceiving and defining a plan for effective information security risk management in a Cloud environment arises through two major processes: first, the selection of relevant critical areas; second, the definition of a strategy and the design of a plan. In this deliverable, we identify 14 domains which are considered to be critical areas of concern associated with Cloud technology. They address both strategic and tactical security pain points within a Cloud environment. Those domains cover the following areas: compliance, governance, network, virtualization, web services and API, software development, identity and access management, key management, service scaling, service availability, legal and privacy, data, multi-cloud environment, and underlying infrastructure and operations.
  • Volume: 48126 words
  • Link: https://owncloud.ulb.ac.be/index.php/f/27269729

PART 4:

  • Topic: Review of Cloud standards and frameworks
  • Structured overview:
    • Risk analysis methodology
      • Generic risk assessment standards
      • Generic risk assessment tools
    • Cloud standards and compliance control
      • The ISO/IEC standards
      • National Institute of Standards and Technology
      • Cloud Security Alliance
      • European Union Agency for Network and Information Security
      • COBIT
      • ITIL
      • FedRAMP
      • FISMA
      • AICPA
      • COC
      • SAS-70
      • PCI DSS
      • NERC – Critical Infrastructure Protection
      • Distributed Management Task Force (DMTF)
      • Cloud Infrastructure Management Interface (CIMI)
      • Cloud Auditing Data Federation (CADF)
      • OWASP
    • Cloud certification schemes
  • Short abstract: This section discusses security standards, frameworks, regulations and guidelines that are generally accepted for implementing information security management, as well as the ones that are or could be associated with Cloud technology. These standards have been adopted over the years by organisations to define the governance activities that address information security in order to achieve their business goals. In this deliverable, we review generic risk assessment standards, such as ISO 31000, NIST SP 800-30, etc., as well as generic risk assessment tools such as EBIOS, OCTAVE, MEHARI, Open Group FAIR, etc. Furthermore, we also review standards and compliance controls associated with Cloud technology. Among these, we review the ISO/IEC 19000, 20000 and 27000 standards, as well as NIST, CSA, ENISA, COBIT, ITIL, FISMA, AICPA, COSO, NERC, DMTF, CIMI, etc.
  • Volume: 13402 words
  • Link: https://owncloud.ulb.ac.be/index.php/f/27269738

PART 5:

  • Topic: Cloud Service Provider Security Assessment
  • Structured overview:
    • Compliance Security Assessment
    • Governance Security Assessment
    • Network Security Assessment
    • Virtualization Security Assessment
    • Web services and API Security Assessment
    • Software development Security Assessment
    • Identity and Access management Security Assessment
    • Key management Security Assessment
    • Service scaling Security Assessment
    • Service availability Security Assessment
    • Legal and privacy Security Assessment
    • Data Security Assessment
    • Multi-Cloud environment Security Assessment
    • Underlying infrastructure Security Assessment
  • Short abstract: The goal of this evaluation form is for a person (called the assessor) to assess the security level of a cloud service offered by a Cloud Service Provider (CSP) according to 14 main criteria: Compliance, Governance, Network, Virtualization, Web services and API, Software development, Identity and Access management, Key management, Service scaling, Service availability, Legal and privacy, Data, Multi-Cloud environment, and Underlying infrastructure. This assessment is composed of 264 questions and assigned answers. It has been designed to cover the 14 areas of concern in accordance with their weights.
  • Link: https://owncloud.ulb.ac.be/index.php/f/27269744

PART 6:

  • Topic: Cloud Security Risk Mitigation Strategy
  • Structured overview:
    • Compliance Security Risk Mitigation Strategy
    • Governance Security Risk Mitigation Strategy
    • Network Security Risk Mitigation Strategy
    • Virtualization Security Risk Mitigation Strategy
    • Web services and API Security Risk Mitigation Strategy
    • Software development Security Risk Mitigation Strategy
    • Identity and Access management Security Risk Mitigation Strategy
    • Key management Security Risk Mitigation Strategy
    • Service scaling Security Risk Mitigation Strategy
    • Service availability Security Risk Mitigation Strategy
    • Legal and privacy Security Risk Mitigation Strategy
    • Data Security Risk Mitigation Strategy
    • Multi-Cloud environment Security Risk Mitigation Strategy
    • Underlying infrastructure Security Risk Mitigation Strategy
  • Short abstract: This deliverable contains the Security Risk Mitigation Actions that have to be implemented in the Risk Treatment Plan. These actions are designed to raise the security bar of a Cloud Service provided by a Cloud Service Provider (CSP). We identified 170 risk treatment actions which cover the full spectrum of Cloud Service security. These actions have been designed to cover the 14 areas of concern in accordance with their weights. These Risk Treatment Actions respectively cover Compliance, Governance, Network, Virtualization, Web services and API, Software development, Identity and Access management, Key management, Service scaling, Service availability, Legal and privacy, Data, Multi-Cloud environment and the Underlying infrastructure.
  • Link: https://owncloud.ulb.ac.be/index.php/f/27269747

PART 7:

  • Topic: Cloud Implementation Project Management
  • Structured overview:
    • Project Management approach to Cloud technology
    • Organizational changes (Strategy, Systems, Structure, Vision, Staff, Style, Skills)
    • Cloud implementation process modelling
      • Graphic representation of the model
      • Description of the steps of the model
        • Pre-project phase
        • Pre-working phase
        • Analysis phase
        • Planning phase
        • Architecture selection phase
        • Adoption phase
        • Implementation phase
        • Change management phase
  • Short abstract: Cloud computing is too often discussed from a technological point of view, whereas it is first and foremost an IT project as a whole. In this deliverable, we therefore consider the Cloud migration process from a project management perspective. The first section of this deliverable takes into consideration certain elements which have proved to be of high importance before embarking on the migration to, or the implementation of, a Cloud solution. The second section is devoted to the actual study of this migration and to an adoption model oriented more strongly towards the business and project management elements than towards its technological components.
  • Volume: 14918 words
  • Link: https://owncloud.ulb.ac.be/index.php/f/27274748

PART 8:

  • Topic: Cloud Security Expert – Education landscape analysis
  • Structured overview:
    • Aligned ISO standards
    • Trainings and workshops offered by Vendors
    • Trainings and workshops offered by Non-vendors
    • Education provided in the Academic world
    • Job offers from the Professional world
  • Short abstract: This deliverable is dedicated to the identification of the core skills required in order to be considered a Cloud security expert. This identification is based on four sources. Firstly, we assessed the existing ISO norms related to the Cloud. Secondly, we examined the workshops and trainings proposed by several vendor and non-vendor institutions. Thirdly, we investigated the education offered by academic institutions. Lastly, we deepened our picture of what a Cloud security expert should do through the analysis of job offers from the industry.
  • Link: https://owncloud.ulb.ac.be/index.php/f/27269750

Institute: Université Libre de Bruxelles

Research unit: iCite

Project: SeCloud