Cloud Implications on Software - PowerPoint Presentation

Uploaded by celsa-spraggs on 2016-06-14

Network Structure and Security Risks. Terrence August, Rady School of Management, UC San Diego. Joint with Marius Florin Niculescu and Hyoduk Shin (Georgia Tech & UC San Diego). NSF Grant 0954234. ID: 361419

Presentation Transcript

Slide 1: Cloud Implications on Software: Network Structure and Security Risks

Terrence August
Rady School of Management, UC San Diego

Joint with Marius Florin Niculescu and Hyoduk Shin (Georgia Tech & UC San Diego)

NSF Grant: 0954234

Slide 2
Slide 3: Software Liability

Loss liability is a strictly dominated policy for most software security environments

Slide 4

Slide 4: On-Premises and SaaS Software

On-premises:
- Browsers: IE, Firefox, Chrome
- A/V: Sophos, Avira, Symantec
- Webservers: IIS, Apache HTTP Server
- Doc Readers: Acrobat Reader, YAP
- App Servers: Websphere, JBoss, etc.

SaaS:
- Enterprise: Salesforce CRM, Netsuite ERP, CRM
- Productivity: Google Docs
- Rev. Mgmt: IBM DemandTec
- Social: LinkedIn, Facebook

On-premises and SaaS:
- Microsoft Office and Office 365
- Microsoft Dynamics CRM On-premises / Online
- SAP Business All-in-One / SAP Business One OnDemand
- Oracle Siebel CRM / Oracle CRM OnDemand

Where are we heading??

Slide 5

Slide 5: Diverse Consumer Preferences

When to use On-Premises:
- Require a solution that meets the unique needs of your company (extensive customization)
- Require a certain level of security and control over data
- Have a dedicated IT staff
- Do not want access to data to depend on Internet availability and speed
- On-site hardware maintenance

When to use SaaS:
- Want to get up and running as quickly as possible
- Require minimal customization (less integrated solution)
- Have limited IT support and resources
- Do not want to invest in hardware or pay upfront licensing fees

Slide 6

Slide 6: SAP

Slide 7

Slide 7: Cloud Computing Market

- Gartner estimates the cloud computing industry will grow to $149 Billion by 2015
- U.S. Government championing the Federal Cloud Computing Initiative
  - Encourage agencies to use cloud computing solutions
  - $80 Billion federal IT budget
- SaaS applications will play an increasing role in firms' IT strategies

Slide 8

Slide 8: Security Attacks

Security Risk comes in two forms:

Undirected:
- Self-replicating attack such as a worm
- Intent is to spread and distribute payload
- Examples: Code Red, Slammer, Sasser, Stuxnet, AutoCad worm

Slide 9

Slide 9: Undirected Risk

Worm       Date        Vulnerability Notice
Code Red   7.19.2001   1 month
Slammer    1.25.2003   6 months
Blaster    8.11.2003   1 month
Sasser     5.1.2004    2 weeks
Zotob      8.13.2005   4 days

Slide 10

Slide 10: Security Attacks

Security Risk comes in two forms:

Undirected:
- Self-replicating attack such as a worm
- Intent is to spread and distribute payload
- Examples: Code Red, Slammer, Sasser, Stuxnet, AutoCad worm

Directed:
- Targeted attack such as a hacker infiltration
- Intent is to penetrate a particular organization for either an economic or political objective
- Examples: distribute.IT, Office 365 token management vulnerability

Slide 11

Slide 11: Targeted Attack

Sony PlayStation Network Outage (April, 2011)
- 77 million user accounts compromised, including date of birth, address, password information
- Outage lasted 3 weeks

Slide 12

Slide 12: Risk Profile: On-Premises vs. SaaS

Both variants are affected by undirected and directed security attacks.

On-Premises:
- Characterized by a large network of servers, each running distinct instances of the software
- Heterogeneous users make independent patching decisions
- Undirected risk

SaaS:
- Characterized by a centralized server or bank of servers
- Acts more like a single, large node
- Directed risk

Slide 13

Slide 13: Research questions

- What are the benefits of developing SaaS versions of on-premises software products, focusing on how the joint offering affects the security risk properties of the software?
- How does the effect on security of having both on-premises and SaaS variants relate to the classic information good versioning problem?
- Who should the firm target to use SaaS versions?
- Compared to benchmark levels of vendor profits and social welfare, what is the impact of jointly offering SaaS versions?
- How will the security risk faced by users be affected?

Slide 14

Slide 14: Literature Review

Software Patching: Beattie et al. (2002); August and Tunca (2006); Arora et al. (2006); Choi et al. (2007)

Software Diversification: Deswarte et al. (1999); Schneider and Birman (2009); Jackson et al. (2011); Chen et al. (2011)

SaaS: Choudhary (2007); Ma and Seidmann (2008); Zhang and Seidmann (2010); Xin (2011)

Versioning: Bhargava and Choudhary (2001, 2008); Wei and Nault (2011); Jones and Mendelson (2011); Chellappa and Jia (2011); Chellappa and Mehra (2013)

Slide 15

Slide 15: Model

Consumer valuation space:

Cost of patching: money and effort exerted to verify, test, and roll out patched versions of existing systems

Figure labels: On-premises; SaaS (On-demand); Valuation; Security Losses; Price

Slide 16

Slide 16: Model

Consumer Strategy:
- Buy On-premises: Patch / Not Patch
- Buy SaaS
- Not Buy

Slide 17

Slide 17: On-premises Model

Population of potential users

Slide 18: On-premises Model

Population of potential users:
- Non-users: don't contribute to undirected risk
- Unpatched users: contribute to undirected risk
- Patched users: protect network from undirected risk

Slide 19
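The three groups on this slide (non-users, unpatched users who add to undirected risk, patched users who absorb a patching cost) can be made concrete with a small fixed-point computation. The block below is an added example, not the authors' model or any equation from the deck: the uniform valuation distribution on [0, 1], the payoff functions, the parameter names p (price), c (patching cost) and pi (loss factor), and the assumption that an unpatched user's expected loss grows with the total unpatched mass are all constructed for illustration. It solves for the unpatched mass at which every user's buy/patch choice is a best response to that mass, and shows why, in this toy version, a strictly positive patching cost leaves some users unpatched: if nobody were unpatched there would be no undirected loss, so nobody would pay to patch.

```python
# Constructed toy model of the on-premises population on this slide:
# non-users, unpatched users and patched users. All functional forms and
# parameter names are assumptions for illustration, not the authors' model.


def thresholds(p, c, pi, unpatched):
    """Valuation cut-offs implied by a given unpatched mass.

    p          price of the on-premises software (assumed)
    c          cost of patching: verifying, testing and rolling out a patch (assumed)
    pi         undirected-risk loss factor, 0 < pi < 1 (assumed)
    unpatched  mass of unpatched users that everyone takes as given

    Assumed payoffs for a user with valuation v in [0, 1]:
      patched:    v - p - c
      unpatched:  v - p - pi * unpatched * v   (loss grows with the unpatched mass)
      non-user:   0
    Returns (v_buy, v_patch): users below v_buy stay out, users above v_patch
    buy and patch, users in between buy but remain unpatched.
    """
    v_buy = min(1.0, p / (1.0 - pi * unpatched))
    v_patch = c / (pi * unpatched) if unpatched > 0 else float("inf")
    return v_buy, min(1.0, v_patch)


def implied_unpatched(p, c, pi, unpatched):
    """Unpatched mass that results when everyone best-responds to `unpatched`."""
    v_buy, v_patch = thresholds(p, c, pi, unpatched)
    return max(0.0, v_patch - v_buy)


def equilibrium(p, c, pi, iterations=200):
    """Find the fixed point U = implied_unpatched(U) by bisection.

    implied_unpatched is non-increasing in U: a larger unpatched mass raises
    the undirected loss, which both deters buying and encourages patching.
    Hence U - implied_unpatched(U) is increasing and has a unique root in (0, 1).
    Near U = 0 the implied mass is 1 - p > 0 (no loss, so nobody patches),
    which is why the toy equilibrium always contains unpatched users.
    """
    lo, hi = 1e-9, 1.0
    for _ in range(iterations):
        mid = 0.5 * (lo + hi)
        if mid - implied_unpatched(p, c, pi, mid) < 0.0:
            lo = mid
        else:
            hi = mid
    u = 0.5 * (lo + hi)
    v_buy, v_patch = thresholds(p, c, pi, u)
    return {
        "non_users": v_buy,            # do not contribute to undirected risk
        "unpatched": v_patch - v_buy,  # contribute to undirected risk
        "patched": 1.0 - v_patch,      # protect the network from undirected risk
        "v_buy": v_buy,
        "v_patch": v_patch,
    }


if __name__ == "__main__":
    # Constructed parameter sets: a low and a high patching cost at the same price and loss factor.
    for label, params in [("low patch cost", (0.2, 0.1, 0.5)), ("high patch cost", (0.2, 1.0, 0.5))]:
        eq = equilibrium(*params)
        print(label, {k: round(v, 4) for k, v in eq.items()})
```

Running the two constructed cases shows the segmentation the slide describes: with a low patching cost the population splits into non-users, an unpatched middle band and a patched top band, while with a prohibitive patching cost the patched band vanishes and every buyer stays unpatched, so the undirected externality falls on the whole user base.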

Slide 19: On-premises and SaaS Models

Slide 20: On-premises and SaaS Models

- Contribute to directed risk

Slide 21

Slide 21: Model

Security Costs

where:

Slide 22

Slide 22: Consumer Market Equilibrium Structure

Threshold structure (2 possible orderings):
- Unpatched On-premises Users
- Patched On-premises Users
- Non-users
- SaaS Users

Slide 23: Equilibrium Equations

- Unpatched On-premises Users
- Patched On-premises Users
- Non-users
- SaaS Users

Slide 24: Consumer Market Equilibrium Structure

Other ordering:
- Unpatched On-premises Users
- Patched On-premises Users
- Non-users
- SaaS Users

Slide 25

Slide 25: Vendor's Problem

Security Losses

Social Welfare

Slide 26

Slide 26: High Security-Loss Environments

Proposition
- In equilibrium, there are always some on-premises users who remain unpatched
- They cause a large externality under high security risk
- Under SaaS, they will face directed risk
- Segmenting usage across on-premises and SaaS diversifies this security risk

Slide 27

Slide 27: Where should SaaS be targeted?

Proposition
- Low patching costs → strong incentives to patch
- Vendor can charge a high price because of the relatively small unpatched population → set a low SaaS price to version at the low end while limiting cannibalization

Slide 28

Slide 28: Optimal pricing and the consumer market

Security Loss Factor:

Slide 29

Slide 29: Where should SaaS be targeted?

Proposition
- High patching costs → still strong incentives to patch
- Patching populations fall → overall usage declines in the face of high security risk
- Reduce the price of on-premises to increase purchasing and patching populations
- Strategically target SaaS at the middle tier to reduce security risk

Slide 30

Slide 30: Optimal pricing and the consumer market

Security Loss Factor:

Slide 31

Slide 31: Welfare Implications

Proposition

Slide 32

Slide 32: Benchmark Case

- Only an on-premises offering (or can set )
- In a high security-loss environment, patched and unpatched populations exist in equilibrium under the optimal price
- Use measures of profit, security losses, consumer surplus, and social welfare as benchmarks

Slide 33

Slide 33: Comparison to Benchmarks

Proposition

Slide 34: Comparison to Benchmarks

Proposition

Slide 35: Low Security-Loss Environments

Proposition
- Uniform valuations and no security externality: don't version
- Uniform valuations and idiosyncratic risk: version, even if the strength of the losses becomes small

Slide 36: Comparison to Benchmarks

Proposition

Slide 37: Relative Profit Improvement

Slide 38: Low Security-Loss Environments

Proposition

Slide 39: Summary Table

Slide 40

Slide 40: Security Investment

Invest to reduce attack likelihood

Figure labels: Undirected; Directed; Effort; Cost of Effort; Likelihood

Slide 41

Slide 41: Investment Comparative Statics

Proposition
- Low security-loss environment: security investments in on-premises and SaaS both increase as the loss factor increases
- High security-loss environment: security investment in on-premises can increase while it can decrease in SaaS as the loss factor increases

Slide 42

Slide 42: Security Investment

Slide 43: Summary

Model of security risk that includes:
- On-premises and SaaS versions of software
- Security externalities stemming from usage and patching

Findings:
- Software vendor always versions
- SaaS can be geared to either the middle or lower tiers, sometimes splitting on-premises user populations
- Average per-user security losses can increase when patching costs are low
- SaaS targeted to the middle tier maintains under security investment