Cloud Computing: Implications on Software Network Structure and Security Risks
Terrence August, Rady School of Management, UCSD
Joint with Marius Florin Niculescu and Hyoduk Shin (Georgia Tech & UCSD)
NSF Grant: 0954234
Software
• On-premises
  • Internet Explorer, Firefox
  • Sophos Anti-Virus
  • IIS, Apache HTTP Server
  • Adobe Acrobat Reader
• SaaS
  • Salesforce CRM
  • Netsuite ERP, CRM
  • Google Docs
  • IBM DemandTec
• On-premises and SaaS
  • Microsoft Office and Office 365
  • Microsoft Dynamics CRM On-premises / Online
  • SAP Business All-in-One / SAP Business One OnDemand
  • Oracle Siebel CRM / Oracle CRM OnDemand
Where are we heading??
On-premises vs. SaaS
• When to use On-premises
  • Require a solution that meets the unique needs of your company (extensive customization)
  • Require a certain level of security and control over data
  • Have a dedicated IT staff
  • Do not want access to data to depend on Internet availability and speed
  • On-site hardware maintenance
• When to use SaaS
  • Want to get up and running as quickly as possible
  • Require minimal customization (less integrated solution)
  • Have limited IT support and resources
  • Do not want to invest in hardware and license fees
Research questions
• What are the benefits of developing SaaS versions of on-premises software products, focusing on how the joint offering affects the security risk properties of the software?
• If versioning for risk diversification makes sense, who should be targeted to use SaaS versions via pricing?
• Compared to benchmark levels of vendor profits and social welfare, what is the impact of jointly offering SaaS versions?
• How will the security risk faced by users be affected?
• What are other options?
Literature Review
• Software Patching
  • Beattie et al. (2002)
  • August and Tunca (2006)
  • Arora et al. (2006)
  • Choi et al. (2007)
• Software Diversification
  • Deswarte et al. (1999)
  • Jackson et al. (2011)
  • Chen et al. (2011)
• SaaS
  • Choudhary (2007)
  • Ma and Seidmann (2008)
  • Zhang and Seidmann (2010)
  • Xin (2011)
Model
• Consumer valuation space:
• Cost of patching:
  • Money and effort exerted to verify, test, and roll out patched versions of existing systems
Model
• Security Risk comes in two forms:
  • Undirected:
    • Self-replicating attack such as a worm
    • Intent is to spread and distribute payload
    • Examples: Code Red, Slammer, Sasser, Stuxnet, AutoCad worm
Undirected Risk
Code Red
• Worm that attacks web servers running IIS
• Installs a back door and propagates 100 times over per infection
• Patch issued by Microsoft on June 18, 2001
• Struck on July 19, 2001
Model
• Security Risk comes in two forms:
  • Undirected:
    • Self-replicating attack such as a worm
    • Intent is to spread and distribute payload
    • Examples: Code Red, Slammer, Sasser, Stuxnet, AutoCad worm
  • Directed:
    • Targeted attack such as a hacker infiltration
    • Intent is to penetrate a particular organization for either an economic or political objective
    • Examples: Sony PlayStation Network attack, Salesforce phishing attack, CardSystems Solutions
Directed Risk
Sony PlayStation Network Outage (April 2011)
• 77 million user accounts compromised, including date of birth, address, and password information
• Outage lasted 3 weeks
Directed Risk
SonyPictures.com Hacked (June 2011)
• Again user accounts compromised, including date of birth, address, and password information (in plain text)
• SQL Injection
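The two failures named on this slide, a query assembled from user input and passwords kept in plain text, next to the parameterized and salted-hash forms that remove them. This is an added example, not material from the talk; the in-memory table, the account and the password are constructed.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory user table standing in for a site's account store.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256: a dumped table yields hashes, not reusable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(email: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (email, salt, hash_password(password, salt)))


def lookup_unsafe(email: str) -> list:
    # 'Before': the query is built by string formatting, so a quote character
    # in the input reaches the SQL parser as syntax instead of as data.
    sql = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(email: str, password: str) -> bool:
    # 'After': a bound parameter keeps the input as data; the stored hash is
    # compared in constant time so the check leaks nothing through timing.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE email = ?",
                       (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


def unsafe_query_breaks(email: str) -> bool:
    # True when the string-built query is malformed by the input, the symptom
    # that shows user data is being interpreted as SQL.
    try:
        lookup_unsafe(email)
        return False
    except sqlite3.OperationalError:
        return True


def dump_reveals(password: str) -> bool:
    # Stands in for an attacker reading the whole table: is the password there?
    needle = password.encode()
    return any(needle in col for row in conn.execute("SELECT * FROM users")
               for col in row if isinstance(col, bytes))


register("o'brien@example.com", "correct horse battery")  # constructed account
```

An apostrophe in an ordinary e-mail address is enough to break the string-built query, while the parameterized lookup authenticates the same user and a full table dump contains no plaintext password.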
Implications of SaaS Offerings
• LinkedIn facing $5 million class action lawsuit (6.5 million users)
• Yahoo being sued for password breach affecting 450K users
• Stratfor (subscription-based analysis of international affairs)
  • Approximately 200 GB of sensitive info (credit cards stored in plain text)
  • Settled class action lawsuit for $1.75 million
• Other examples: Wyndham, TD Ameritrade, TJ Maxx
Model
• Consumer Strategy
  • Buy On-premises / Buy SaaS / Not Buy
  • Patch / Not Patch
On-premises Model
[Figure: population of potential users segmented into Non-users, Patched users (protect the network from undirected risk and don't contribute to it) and Unpatched users (contribute to undirected risk)]
On-premises and SaaS Models
[Figure: the same segmented population with a SaaS segment; SaaS users contribute to directed risk]
Model Usage Costs where:
Equilibrium Structure
• SaaS for Low Tier
• Conditions:
• Equilibrium strategy profile:
  [Figure: segments labelled SaaS Users, Non-users, Patched On-premises Users, Unpatched On-premises Users]
Equilibrium Structure
• SaaS for Middle Tier
• Conditions:
• Equilibrium strategy profile:
  [Figure: segments labelled SaaS Users, Non-users, Patched On-premises Users, Unpatched On-premises Users]
Equilibrium Equations
[Equations and figure: segments labelled SaaS Users, Non-users, Patched On-premises Users, Unpatched On-premises Users]
Vendor’s Problem Pricing
Security Risk Diversification
Proposition
• In equilibrium, there are always some on-premises users who remain unpatched
  • Cause a large externality under high security risk
  • Under SaaS, they will face directed risk
• Segmenting usage across on-premises and SaaS diversifies this security risk
Where should SaaS be targeted?
Proposition
• Low patching costs → strong incentives to patch
• Vendor can charge a high price because of the relatively small unpatched population → set a low SaaS price to limit cannibalization
Prices and the consumer market • Security Loss Factor:
Where should SaaS be targeted?
Proposition
• High patching costs → still strong incentives to patch
• Patching populations fall → overall usage declines in the face of high security risk
• Reduce the price of on-premises to increase the purchasing and patching populations
• Strategically target SaaS at the middle tier to reduce security risk
Prices and the consumer market • Security Loss Factor:
Welfare Implications Proposition
Comparison to Benchmarks Proposition
Security Implications of SaaS Proposition
Comparing Risk Diversification Benefits
• Other possibilities
  • Reduce the likelihood of undirected attacks
  • Reduce the effective patching costs to users
Versioning
Proposition
• Uniform valuations and no security externality
  • Don't version
• Uniform valuations and idiosyncratic risk
  • Version
  • Even if the strength of the losses becomes small
Summary
• Model of security risk that includes:
  • On-premises and SaaS versions of software
  • Security externalities stemming from usage and patching
• Software vendor always versions
  • SaaS can be geared to either the middle or lower tiers, sometimes splitting on-premises user populations
• How pricing affects security risk
  • Average per-user security losses can increase when patching costs are low