Slide 1: Cloud Implications on Software: Network Structure and Security Risks

Terrence August
Rady School of Management, UC San Diego
Joint with Marius Florin Niculescu and Hyoduk Shin (Georgia Tech & UC San Diego)
NSF Grant: 0954234
Slide 3: Software Liability

Loss liability is a strictly dominated policy for most software security environments.
Slide 4: On-Premises and SaaS Software

On-premises
- Browsers: IE, Firefox, Chrome
- A/V: Sophos, Avira, Symantec
- Web servers: IIS, Apache HTTP Server
- Document readers: Acrobat Reader, YAP
- Application servers: WebSphere, JBoss, etc.

SaaS
- Enterprise: Salesforce CRM, NetSuite ERP and CRM
- Productivity: Google Docs
- Revenue management: IBM DemandTec
- Social: LinkedIn, Facebook

On-premises and SaaS
- Microsoft Office / Office 365
- Microsoft Dynamics CRM On-premises / Online
- SAP Business All-in-One / SAP Business One OnDemand
- Oracle Siebel CRM / Oracle CRM OnDemand

Where are we heading?
Slide 5: Diverse Consumer Preferences

When to use on-premises
- Require a solution that meets the unique needs of your company (extensive customization)
- Require a certain level of security and control over data
- Have a dedicated IT staff
- Do not want access to data to depend on Internet availability and speed
- Can handle on-site hardware maintenance

When to use SaaS
- Want to get up and running as quickly as possible
- Require minimal customization (less integrated solution)
- Have limited IT support and resources
- Do not want to invest in hardware or pay upfront licensing fees
Slide 6: SAP (figure)
Slide 7: Cloud Computing Market

- Gartner estimates the cloud computing industry will grow to $149 billion by 2015
- The U.S. Government is championing the Federal Cloud Computing Initiative
  - Encourages agencies to use cloud computing solutions
  - $80 billion federal IT budget
- SaaS applications will play an increasing role in firms' IT strategies
Slide 8: Security Attacks

Security risk comes in two forms:

Undirected
- Self-replicating attack such as a worm
- Intent is to spread and distribute a payload
- Examples: Code Red, Slammer, Sasser, Stuxnet, AutoCAD worm
Slide 9: Undirected Risk

Interval between the vulnerability notice (patch availability) and the appearance of the worm exploiting it:

Worm       Date        Vulnerability notice before worm
Code Red   7.19.2001   1 month
Slammer    1.25.2003   6 months
Blaster    8.11.2003   1 month
Sasser     5.1.2004    2 weeks
Zotob      8.13.2005   4 days
Slide 10: Security Attacks (cont.)

Directed
- Targeted attack such as a hacker infiltration
- Intent is to penetrate a particular organization for either an economic or political objective
- Examples: distribute.IT, Office 365 token-management vulnerability
Slide 11: Targeted Attack

Sony PlayStation Network outage (April 2011)
- 77 million user accounts compromised, including date of birth, address and password information
- Outage lasted 3 weeks
Slide 12: Risk Profile: On-Premises vs. SaaS

Both variants are affected by undirected and directed security attacks.

On-premises
- Characterized by a large network of servers, each running a distinct instance of the software
- Heterogeneous users make independent patching decisions
- Primary exposure: undirected risk

SaaS
- Characterized by a centralized server or bank of servers
- Acts more like a single, large node
- Primary exposure: directed risk
Slide 13: Research Questions

- What are the benefits of developing SaaS versions of on-premises software products, focusing on how the joint offering affects the security risk properties of the software?
- How does the effect on security of having both on-premises and SaaS variants relate to the classic information-good versioning problem?
- Who should the firm target to use SaaS versions?
- Compared to benchmark levels of vendor profits and social welfare, what is the impact of jointly offering SaaS versions?
- How will the security risk faced by users be affected?
Slide 14: Literature Review

Software patching
- Beattie et al. (2002)
- August and Tunca (2006)
- Arora et al. (2006)
- Choi et al. (2007)

Software diversification
- Deswarte et al. (1999)
- Schneider and Birman (2009)
- Jackson et al. (2011)
- Chen et al. (2011)

SaaS
- Choudhary (2007)
- Ma and Seidmann (2008)
- Zhang and Seidmann (2010)
- Xin (2011)

Versioning
- Bhargava and Choudhary (2001, 2008)
- Wei and Nault (2011)
- Jones and Mendelson (2011)
- Chellappa and Jia (2011)
- Chellappa and Mehra (2013)
Slide 15: Model

Consumer valuation space: (figure; axes labelled valuation, security losses and price, for on-premises and SaaS (on-demand))

Cost of patching: money and effort exerted to verify, test, and roll out patched versions of existing systems.
Slide 16: Model

Consumer strategy (figure): each potential user chooses one of
- Buy on-premises, then patch / not patch
- Buy SaaS
- Not buy
Slide 17: On-premises Model

Population of potential users (figure)

Slide 18: On-premises Model

The population of potential users splits into:
- Non-users: don't contribute to undirected risk
- Patched users: protect the network from undirected risk
- Unpatched users: contribute to undirected risk
Slide 19: On-premises and SaaS Models

(figure: population of potential users, now including SaaS users)

Slide 20: On-premises and SaaS Models

SaaS users: contribute to directed risk (figure)
Slide 21: Model

Security costs:
where:
Slide 22: Consumer Market Equilibrium Structure

Threshold structure (2 possible orderings); the valuation line is partitioned into:
- Unpatched on-premises users
- Patched on-premises users
- Non-users
- SaaS users
Slide 23: Equilibrium Equations

Indifference conditions at the thresholds between the segments (unpatched on-premises users, patched on-premises users, non-users, SaaS users).
Slide 24: Consumer Market Equilibrium Structure

Other ordering of the same four segments:
- Unpatched on-premises users
- Patched on-premises users
- Non-users
- SaaS users
Slide 25: Vendor's Problem

Vendor's problem
Security losses
Social welfare
Slide 26: High Security-Loss Environments

Proposition
- In equilibrium, there are always some on-premises users who remain unpatched
- They cause a large externality under high security risk
- Under SaaS, they will face directed risk
- Segmenting usage across on-premises and SaaS diversifies this security risk
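The model on slides 15 through 26 (four consumer segments separated by valuation thresholds, unpatched on-premises users imposing an undirected externality, SaaS users sharing a directed one, and a vendor problem judged on profit, security losses, consumer surplus and welfare) can be worked through numerically. The Python below is an added example, not the authors' model or code: uniform valuations on [0, 1], the linear loss forms pi_u * x_u * v and delta * pi_d * x_s * v, the SaaS quality discount delta, the flat patching cost c_patch and every parameter value are assumptions chosen to mirror the deck's verbal description. It finds the consumer equilibrium as a damped fixed point of the best-response map, reads the threshold ordering off the resulting partition, and compares it with the on-premises-only benchmark of slide 32.

```python
"""Stylized consumer-market equilibrium for software sold as an on-premises
version (users decide whether to patch) and a SaaS version (one large node).
Added illustration: payoff forms, uniform valuations and parameter values
are ASSUMPTIONS chosen to mirror the slides, not the paper's own model."""
from dataclasses import dataclass, replace
from itertools import combinations


@dataclass(frozen=True)
class Params:
    p_onprem: float        # on-premises licence price
    p_saas: float          # SaaS subscription price
    c_patch: float         # cost of verifying, testing and rolling out patches
    pi_u: float            # undirected loss factor (ASSUMED form: pi_u * x_u * v)
    pi_d: float            # directed loss factor   (ASSUMED form: pi_d * x_s * v)
    delta: float           # SaaS delivers fraction delta of on-prem value (ASSUMED)
    offer_saas: bool = True


def payoff_lines(x_u, x_s, q):
    """Payoff of each option as (slope, intercept) in valuation v, given the
    unpatched on-prem mass x_u (undirected risk) and SaaS mass x_s (directed)."""
    lines = {
        "none": (0.0, 0.0),
        "unpatched": (1.0 - q.pi_u * x_u, -q.p_onprem),
        "patched": (1.0, -q.p_onprem - q.c_patch),
    }
    if q.offer_saas:
        lines["saas"] = (q.delta * (1.0 - q.pi_d * x_s), -q.p_saas)
    return lines


def segments(x_u, x_s, q):
    """Partition [0, 1] into intervals on which one option is best. Payoffs are
    linear in v, so the best option only changes where two lines cross."""
    lines = payoff_lines(x_u, x_s, q)
    cuts = {0.0, 1.0}
    for (s1, c1), (s2, c2) in combinations(lines.values(), 2):
        if s1 != s2 and 0.0 < (v := (c2 - c1) / (s1 - s2)) < 1.0:
            cuts.add(v)
    pts = sorted(cuts)
    segs = []
    for lo, hi in zip(pts, pts[1:]):
        mid = (lo + hi) / 2.0
        best = max(lines, key=lambda k: lines[k][0] * mid + lines[k][1])
        if segs and segs[-1][0] == best:        # merge same-option neighbours
            segs[-1] = (best, segs[-1][1], hi)
        else:
            segs.append((best, lo, hi))
    return segs


def masses(segs):
    m = {"none": 0.0, "saas": 0.0, "unpatched": 0.0, "patched": 0.0}
    for opt, lo, hi in segs:
        m[opt] += hi - lo
    return m


def equilibrium(q, damp=0.2, tol=1e-10, max_iter=20_000):
    """Fixed point of the best-response map: the unpatched and SaaS masses that
    consumers react to must equal the masses their choices produce. Damping is
    needed because the undirected externality gives the raw map a slope in x_u
    well below -1 near the fixed point, so naive iteration would oscillate."""
    x_u = x_s = 0.0
    for _ in range(max_iter):
        segs = segments(x_u, x_s, q)
        m = masses(segs)
        du, ds = m["unpatched"] - x_u, m["saas"] - x_s
        if abs(du) < tol and abs(ds) < tol:
            return segs, m
        x_u += damp * du
        x_s += damp * ds
    raise RuntimeError("best-response iteration did not converge")


def ordering(segs):
    return tuple(opt for opt, _, _ in segs)   # labels in increasing valuation


def metrics(segs, q):
    """Vendor profit, expected security losses, consumer surplus and welfare
    (profit + surplus; losses and patching costs already netted out of surplus)."""
    m = masses(segs)
    lines = payoff_lines(m["unpatched"], m["saas"], q)
    profit = q.p_onprem * (m["unpatched"] + m["patched"]) + q.p_saas * m["saas"]
    losses = surplus = 0.0
    for opt, lo, hi in segs:
        int_v = (hi * hi - lo * lo) / 2.0          # integral of v over the segment
        slope, icpt = lines[opt]
        surplus += slope * int_v + icpt * (hi - lo)
        if opt == "unpatched":
            losses += q.pi_u * m["unpatched"] * int_v
        elif opt == "saas":
            losses += q.delta * q.pi_d * m["saas"] * int_v
    return {"profit": profit, "losses": losses, "surplus": surplus,
            "welfare": profit + surplus}


# Constructed parameters (not from the deck): high-loss environment, on-premises
# priced at 0.3, SaaS at 0.1, patching cost 0.15.
BASE = Params(p_onprem=0.3, p_saas=0.1, c_patch=0.15, pi_u=0.8, pi_d=0.5, delta=0.5)
ONPREM_ONLY = replace(BASE, offer_saas=False)     # the deck's benchmark case

if __name__ == "__main__":
    for label, q in (("on-premises only", ONPREM_ONLY), ("on-premises + SaaS", BASE)):
        segs, m = equilibrium(q)
        print(label, "ordering:", " < ".join(ordering(segs)))
        print("  ", "; ".join(f"{o}: [{lo:.3f}, {hi:.3f}]" for o, lo, hi in segs))
        print("  ", {k: round(val, 4) for k, val in metrics(segs, q).items()})
```

With these constructed prices the equilibrium ordering is non-users, SaaS, unpatched, patched, so SaaS sits at the low end; a positive unpatched population survives (the proposition above), and it is smaller than in the benchmark because on-premises buyers just above the purchase threshold, who would have stayed unpatched, are the ones who move to SaaS. The prices are not optimized: the vendor's problem of slide 25 sits on top of equilibrium(), for instance as a grid search over p_onprem and p_saas scored by the profit field of metrics().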
Slide 27: Where should SaaS be targeted?

Proposition
- Low patching costs imply strong incentives to patch
- The vendor can charge a high on-premises price because the unpatched population is relatively small
- Set a low SaaS price to version at the low end while limiting cannibalization
Slide 28: Optimal Pricing and the Consumer Market

Security loss factor:
(figure: optimal pricing and the consumer market)
Slide 29: Where should SaaS be targeted?

Proposition
- High patching costs: incentives to patch are still strong
- Patching populations fall and overall usage declines in the face of high security risk
- Reduce the on-premises price to increase the purchasing and patching populations
- Strategically target SaaS at the middle tier to reduce security risk
Slide 30: Optimal Pricing and the Consumer Market

Security loss factor:
(figure: optimal pricing and the consumer market)
Slide 31: Welfare Implications

Proposition
Slide 32: Benchmark Case

- Only an on-premises offering (or can set )
- In a high security-loss environment, patched and unpatched populations exist in equilibrium under the optimal price
- Use measures of profit, security losses, consumer surplus, and social welfare as benchmarks
Slide 33: Comparison to Benchmarks

Proposition

Slide 34: Comparison to Benchmarks

Proposition
Slide 35: Low Security-Loss Environments

Proposition
- Uniform valuations and no security externality: don't version
- Uniform valuations and idiosyncratic risk: version, even if the strength of the losses becomes small
Slide 36: Comparison to Benchmarks

Proposition

Slide 37: Relative Profit Improvement (figure)

Slide 38: Low Security-Loss Environments

Proposition

Slide 39: Summary Table
Slide 40: Security Investment

Invest to reduce attack likelihood (figure: effort against cost of effort and attack likelihood, for undirected and directed attacks)
Slide 41: Investment Comparative Statics

Proposition
- Low security-loss environment: security investments in on-premises and SaaS both increase as the loss factor increases
- High security-loss environment: security investment in on-premises can increase while it can decrease in SaaS as the loss factor increases
Slide 42: Security Investment (figure)
Slide 43: Summary

Model of security risk that includes:
- On-premises and SaaS versions of software
- Security externalities stemming from usage and patching

Results:
- The software vendor always versions
- SaaS can be geared to either the middle or lower tiers, sometimes splitting on-premises user populations
- Average per-user security losses can increase when patching costs are low
- SaaS targeted to the middle tier is maintained under security investment