D2.5 Risk and Threat Analysis with Security Requirements

Contributing Partners 

CEA

Executive Summary

Absolute security does not exist and, in any system, security definition has first to start with a threat analysis (attacker profiling) and a definition of the information to protect (and against what), second, to define security policies (how to protect the assets, which part of the system is in charge of protecting what) and third, to identify the security limitation of each component or subsystem and to implement counter measures at the component level or at the system level (adding security features at one upper level to counter weaknesses of the lower levels).

There are various methods supporting this kind of analysis, EBIOS at the system level (identifying risks) [1] [2], Common Criteria at the component level (rating the effective resistance) [3] [4]. The objective of this deliverable is to perform a risk analysis of two use cases which are typical of the cloud based services and then define security requirements to mitigate the identified risks. In the first one an application is hosted by a cloud service provider and sensitive personal data may be manipulated by a third party and in the second scenario the cloud service provider is the same entity that manages the application offered to customers. These risk analysis studies have been reported in deliverable D2.4 [1], which also proposes security requirements based on ISO/IEC standards. In this deliverable, security requirements are formalized in the language of Common Criteria standard [4][5][6] which will ease a future security evaluation.

Chapter 2: Smart Cities – European disable badge for public parking areas
The first use case is named “European Disable Badge for public parking areas”. It offers a service helping disable persons to find dedicated park places in a city. It is based on a badge which can be read by a smartphone with the NFC technology. The badge ID is used to connect to the centralized application which is hosted by a cloud service provider [2]. The security of this service relies on the security of the implementation of the application in the smartphone and on the security of the cloud infrastructure provided by a third party. The implementation of this service should prevent illegal use of a badge and also must not leak personal data. The risk analysis detailed in [1] identifies high risk level related to the availability, disclosure or modification of sensitive data. Security requirements are derived according to the Common Criteria methodology. It consists first in defining a Target of Evaluation (TOE), which clearly states what will be evaluated and certified. Then the security objectives for this TOE are defined, based on the outcomes of the risk analysis study. Eventually, security requirements that will mitigate these risks are formalized in the pre-defined structured language proposed by the Common Criteria standard. Finally, Security requirements implemented by PRISMACLOUD services are highlighted.

Chapter 3: E-Government
The second use case is named “E-Government”. It implements a cloud service for public bodies in the Lombardia region [2]. The security of this service relies mainly on the security offered by the infrastructure controlled by LISPA. There is thus a difference compared to the previous use case, the cloud provider is also the service provider. The conclusions of the risk analysis detailed in [1] are analogue to those derived for the European disable badge use case. Security requirements are proposed for this use case.

Full Version

The full version will be made available after the deliverable has been accepted by the European Commission.