

   The electronic thesis has not yet been authorized for public release; for the print copy, please check the library catalogue.
(Note: if no record is found, or the holding status shows "closed stacks, not public", the thesis is not in the stacks and cannot be accessed.)
System ID U0026-2108201912201500
Title (Chinese) 應用業務流程模型評估區塊鏈雲端服務的資訊安全風險
Title (English) A Business Process Model for Information Security Risk Assessment in the Blockchain Cloud
Institution National Cheng Kung University
Department (Chinese) 電信管理研究所
Department (English) Institute of Telecommunications and Management
Academic year 107 (ROC calendar)
Semester 2
Publication year 108 (ROC calendar)
Author (Chinese) 張騏鈞
Author (English) Chi-Chun Chang
Student ID R96061120
Degree Master's
Language Chinese
Pages 45
Committee Advisor: 沈宗緯
Committee member: 陳文字
Convener: 林易泉
Keywords (Chinese) 資訊安全, 風險評估, 業務流程模型, 區塊鏈, 雲端
Keywords (English) Information Security, Risk Assessment, Business Process Model, Blockchain, Cloud
Subject classification
Abstract (Chinese)   Blockchain-as-a-Service (BaaS) has drawn growing attention from industry and academia in recent years because it helps enterprises lower the barrier to adopting blockchain technology, conduct B2B transactions more securely and efficiently, and track goods across the global supply chain. Research on combining blockchain technology with cloud services has mostly focused on its benefits, while the information security risks of such services have rarely been discussed systematically. Addressing the need for enterprises to weigh the risk levels of different services before deploying business processes to a blockchain cloud service, this study proposes a method for assessing their information security risks based on the risk management principles and guidelines defined in ISO 31000:2018, published by the International Organization for Standardization; it identifies appropriate risk assessment indicators and attempts to construct a risk framework for assessing information security across different blockchain cloud services.
  To validate the proposed blockchain cloud risk assessment framework, the case of an operator deploying an e-commerce business process on a blockchain cloud service is used as an example: a list of vendors offering enterprise-grade blockchain frameworks that support Hyperledger Fabric is first selected, and the proposed framework is then applied to compare the information security risk levels of deploying the e-commerce business process on each blockchain cloud service provider. The results show that, in this example, the highest-risk security threat is "Insecure Interfaces and APIs" and the lowest is "Malicious Abuse of Services"; Amazon and Microsoft are the blockchain cloud service providers best suited to the e-commerce example in this study.
Abstract (English) Blockchain-as-a-Service (BaaS), which mainly facilitates B2B transactions for companies in a safer and more efficient way than other alternatives, is drawing increasingly more attention from industry and academia. It helps companies reduce the barriers to using blockchain technology and to tracking goods in the global supply chain. In addition to the benefits of blockchain technology in cloud services, the security issues around its use should be of equal concern. Therefore, in this study, a method is proposed for assessing the information security risks associated with the use of this technology before business processes are deployed to blockchain cloud service providers, based on the risk management principles compiled by the International Organization for Standardization and the guidelines outlined in ISO 31000:2018.
In order to verify the feasibility of this assessment framework, we take the e-commerce logistics supply chain business process model as an example. Through the deployment of e-commerce logistics on different blockchain cloud service providers, the proposed framework was tested and the providers' security risk levels were compared. The results showed that the highest-risk information security threat in our example was "Insecure Interfaces and APIs" and the lowest was "Malicious Insiders." Amazon and Microsoft were found to be the most suitable providers for the e-commerce logistics supply chain example.
Table of contents Chapter 1 Introduction 1
1.1 Research Background and Motivation 1
1.2 Research Objectives 4
1.3 Research Framework and Process 4
Chapter 2 Literature Review 6
2.1 Information Security Risk Management 6
2.2 Security of Blockchain Cloud Services 8
2.3 Blockchain Cloud Information Security Risk Management 11
2.4 Summary 12
Chapter 3 Research Method 13
3.1 Model Concept 13
3.2 Model Construction 14
3.2.1 Blockchain Cloud Service Consumer Model 14
3.2.2 Blockchain Cloud Service Provider Model 16
3.2.3 Blockchain Cloud Service Broker Model 18
3.3 Research Process and Steps 20
Chapter 4 Results 24
4.1 Test Results for Security Threat Severity 24
4.2 Test Results for Provider Mitigation Coverage 26
4.3 Test Results for Security Threat Risk Level 27
4.3.1 Data Breach Threat Risk Level 27
4.3.2 Data Loss Threat Risk Level 28
4.3.3 Account Hijacking Threat Risk Level 28
4.3.4 Insecure Interfaces Threat Risk Level 29
4.3.5 Denial of Service Threat Risk Level 29
4.3.6 Malicious Insider Threat Risk Level 30
4.3.7 Malicious Abuse of Services Threat Risk Level 30
4.3.8 Insufficient Due Diligence Threat Risk Level 31
4.3.9 Shared Technology Vulnerabilities Threat Risk Level 31
4.4 Summary 32
Chapter 5 Conclusions and Suggestions for Future Research 34
5.1 Conclusions 34
5.2 Suggestions for Future Research 34
References 35
Appendix 1 Mapping of the Cloud Controls Matrix to Information Security Management Controls 38
Appendix 2 Information Security Management Controls that Mitigate Security Threats 43
Appendix 3 Cloud Controls Matrix Entries that Mitigate Security Threats 44
Appendix 4 Research Implementation Guide 45
References 1. Bag, S., Ruj, S., & Sakurai, K. (2017). Bitcoin block withholding attack: Analysis and mitigation. IEEE Transactions on Information Forensics and Security, 12(8), 1967-1978.
2. Bahack, L. (2013). Theoretical Bitcoin Attacks with less than Half of the Computational Power (draft). arXiv preprint arXiv:1312.7013.
3. Brashear, J. P., & Jones, J. W. (2008). Risk analysis and management for critical asset protection (RAMCAP plus). Wiley handbook of science and technology for homeland security, 1-15.
4. Catteddu, D. (2010). Cloud Computing: benefits, risks and recommendations for information security. In Web application security (pp. 17-17): Springer.
5. Catteddu, D., & Hogben, G. (2009). Cloud computing information assurance framework. European Network and Information Security Agency (ENISA), 13, 14.
6. Courtois, N. T., & Bahack, L. (2014). On subversive miner strategies and block withholding attack in bitcoin digital currency. arXiv preprint arXiv:1402.1718.
7. Cox, L. A., Jr. (2008). Some limitations of "Risk = Threat × Vulnerability × Consequence" for risk analysis of terrorist attacks. Risk Analysis: An International Journal, 28(6), 1749-1761.
8. CSA. (2014). Cloud Controls Matrix v3.0.1.
9. Curtis, P., & Carey, M. (2012). Risk assessment in practice. Committee of Sponsoring Organizations of the Treadway Commission, 1-28.
10. Eyal, I., & Sirer, E. G. (2018). Majority is not enough: Bitcoin mining is vulnerable. Communications of the ACM, 61(7), 95-102.
11. Goettelmann, E., Dahman, K., Gateau, B., Dubois, E., & Godart, C. (2014). A security risk assessment model for business process deployment in the cloud. Paper presented at the Services Computing (SCC), 2014 IEEE International Conference on.
12. Heilman, E., Kendler, A., Zohar, A., & Goldberg, S. (2015). Eclipse Attacks on Bitcoin's Peer-to-Peer Network. Paper presented at the 24th USENIX Security Symposium.
13. ISO. (2015). Information technology -- Security techniques -- Code of practice for information security controls based on ISO/IEC 27002 for cloud services.
14. ISO. (2018). ISO 31000:2018 Risk management – Principles and guidelines. International Organization for Standardization, Geneva, Switzerland.
15. Klipper, S. (2011). Information Security Risk Management. Vieweg+Teubner Verlag, Wiesbaden.
16. Knorr, K., & Röhrig, S. (2001). Security requirements of e-business processes. In Towards the E-Society (pp. 72-86): Springer.
17. Koshy, P., Koshy, D., & McDaniel, P. (2014). An analysis of anonymity in bitcoin using p2p network traffic. Paper presented at the International Conference on Financial Cryptography and Data Security.
18. Li, X., Jiang, P., Chen, T., Luo, X., & Wen, Q. (2017). A survey on the security of blockchain systems. Future Generation Computer Systems.
19. Luu, L., Chu, D.-H., Olickel, H., Saxena, P., & Hobor, A. (2016). Making smart contracts smarter. Paper presented at the Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security.
20. Marcus, Y., Heilman, E., & Goldberg, S. (2018). Low-Resource Eclipse Attacks on Ethereum's Peer-to-Peer Network.
21. Microsoft. (2009). The STRIDE Threat Model.
22. Mosakheil, J. H. (2018). Security Threats Classification in Blockchains.
23. Nakamoto, S. (2008). Bitcoin: A peer-to-peer electronic cash system.
24. Norta, A. (2015). Creation of smart-contracting collaborations for decentralized autonomous organizations. Paper presented at the International Conference on Business Informatics Research.
25. Park, J., & Park, J. (2017). Blockchain security in cloud computing: Use cases, challenges, and solutions. Symmetry, 9(8), 164.
26. Prasad, S., Shankar, R., Gupta, R., & Roy, S. (2018). A TISM modeling of critical success factors of blockchain based cloud services. Journal of Advances in Management Research, 15(4), 434-456.
27. Rosenfeld, M. (2014). Analysis of hashrate-based double spending. arXiv preprint arXiv:1402.2009.
28. Schneier, B. (2009). People Understand Risks–But do security staff understand people? The Guardian, The Sydney Morning Herald, and The Age.
29. Sharma, P. K., Chen, M.-Y., & Park, J. H. (2017). A software defined fog node based distributed blockchain cloud architecture for IoT. IEEE Access, 6, 115-124.
30. CSA. (2018). STAR Attestation. Cloud Security Alliance.
31. Tosh, D. K., Shetty, S., Liang, X., Kamhoua, C. A., Kwiat, K. A., & Njilla, L. (2017). Security implications of blockchain cloud with analysis of block withholding attack. Paper presented at the Proceedings of the 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing.
32. Watson, P. (2012). A multi-level security model for partitioning workflows over federated clouds. Journal of Cloud Computing: Advances, Systems and Applications, 1(1), 15.
33. Weber, I., Xu, X., Riveret, R., Governatori, G., Ponomarev, A., & Mendling, J. (2016). Untrusted business process monitoring and execution using blockchain. Paper presented at the International Conference on Business Process Management.
34. Weiss, A. (2014). EuroCloud Star Audit. Datenschutz und Datensicherheit-DuD, 38(3), 170-174.
35. Wenzel, S., Wessel, C., Humberg, T., & Jürjens, J. (2012). Securing Processes for Outsourcing into the Cloud. Paper presented at the CLOSER.
36. Xia, Q., Sifah, E. B., Asamoah, K. O., Gao, J., Du, X., & Guizani, M. (2017). MeDShare: Trust-less medical data sharing among cloud service providers via blockchain. IEEE Access, 5, 14757-14767.
37. Zamani, E., He, Y., & Phillips, M. (2018). On the Security Risks of the Blockchain. Journal of Computer Information Systems, 1-12.
38. Zur Muehlen, M., & Recker, J. (2013). How much language is enough? Theoretical and practical use of the business process modeling notation. In Seminal Contributions to Information Systems Engineering (pp. 429-443): Springer.
Full-text access rights
  • On-campus viewing/printing of the electronic full text is authorized, available from 2024-08-21.
  • Off-campus viewing/printing of the electronic full text is authorized, available from 2024-08-21.