DOI: 10.1145/3570991.3571008

Towards Automated Assessment of Organizational Cybersecurity Posture in Cloud

Published: 04 January 2023

Abstract

In a world where reliance on digital services becomes more critical every year, where regulators levy billions of dollars in penalties annually, and where the impact of security control failures keeps growing, the potential consequences of an organization being unable to determine the completeness of its cybersecurity strategy and control environment are worsening. Established standards such as NIST 800-53, the Cloud Security Alliance Cloud Controls Matrix (CSA-CCM) and the CIS 20 Security Controls offer baselines against which organizations can mandate compliance, in support of managing their security control environment and meeting risk and regulatory expectations. Although security and compliance automation is increasing, it is hampered by the fact that control requirements are expressed in natural-language text. With large organizations often needing to comply with several thousand security requirements across their IT enterprise, it becomes humanly impossible to assess coverage and identify potential gaps.
In this paper, we present a system that performs a coarse-grained assessment of an organization's security posture against a standard control framework. We propose an AI-based model that performs the mapping automatically and evaluate its performance empirically. We further develop the idea by employing a novel domain-specific taxonomy that increases the granularity of the coverage assessment while providing explainability. We also describe how this system is being used in production.


Published In

CODS-COMAD '23: Proceedings of the 6th Joint International Conference on Data Science & Management of Data (10th ACM IKDD CODS and 28th COMAD)
January 2023
357 pages
ISBN:9781450397971
DOI:10.1145/3570991

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. cloud security
  2. mapping
  3. regulations
  4. security and compliance

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

CODS-COMAD 2023

Acceptance Rates

Overall Acceptance Rate 197 of 680 submissions, 29%
