Contribution to information security continuous audit in cloud-native environments

Abstract

In the digitalized world and Cyberspace, as symbiotic community of men and machines, Cloud computing technologies and digital services based on them have important role in everyday life and business processes. From an information security standpoint, a whole range of security challenges arise, starting with security goals and security architecture through their operationalization and implementation. This is particularly reflective of the information security audit as part of the audit of information systems. In terms of information security cryptographic algorithms and cryptographic protocols are significantly standardized and support the approach of continuous external audit and improvement of the security of the subject information system. On the other hand, all of these solutions involve the use of cryptographic parameters created appropriately and under certain conditions. This audit segment requires specialist knowledge and the ability to assess the adequacy of the procedures applied. Contrary to cryptographic algorithms and protocols in this segment, there is no generally accepted standardization. This research is an attempt to develop a method that would be reliable in theoretical terms and proofs and also independent of trusted third parties. Such a method would significantly improve the possibilities of continuous revision in this segment and information security in the systematic sense.Suggested method is based on biometrical data, recorded electro-encephalography signals, randomness extraction from stochastic processes with non-maximal entropy and methods for transformation stochastic sequences for their uncertainty improvement. It is shown that it is possible to obtain truly random sequence sheared between participants in the protocol using communication over publically available authenticated communication channel. An unauthorized observer is able to collect all exchanged messages but in information sense cannot collect enough data to reconstruct established content between the two entities, and this can be theoretically proven. In the process, there is no trusted third party that entities must trust and have control over them and their communication, implying autonomy in setting end-to-end protection