Author (English): Chien-Chuan Cho
Title (English): The Effects of Adoption Virtualization Environment on Enterprise Information Security
Advisor (English): Shing-Han Li
Keywords (English): Information Security Management; Virtualization; ISO 27001
Today's excessive global consumption of energy and large-scale emissions of carbon dioxide have already damaged the Earth's environment. Computer rooms house many servers that consume large amounts of electricity, air conditioning and other energy. In recent years, as virtualization technology has matured, organizations have gradually begun to use it for server consolidation. Virtualization not only reduces the floor space used in computer rooms and the number of servers, it also lowers power and cooling requirements and makes full use of server capacity. Although virtualization saves energy and helps manage the IT environment effectively, many issues in an IT environment still demand attention, and information security is one that enterprises cannot overlook: when the causes of many information security incidents are traced, they show that information security management was not properly implemented, leaving the enterprise in an insecure IT environment. This thesis therefore examines, from the viewpoint of information security management, the relationship between a virtualized IT environment and information security after an enterprise has adopted one. The study first surveyed 13 experts in information security and virtualization technology, using the 133 control items of the ISO 27001 standard as the questionnaire options, and applied the Content Validity Ratio (CVR) proposed by Lawshe to identify 32 control items related to a virtualized IT environment; these 32 control items were then used to conduct the questionnaire survey. Analysis of the returned questionnaires showed that adopting a virtualized IT environment benefits information security and has no negative effect. The study also found that the banking and securities industries operate at high risk and cannot immediately accept virtualization, whereas engineers and other practitioners in the IT industry are more willing to accept it, and that in the electronics, IT and automotive industries the isolation of virtual machines in a virtualized environment is recognized as a real advantage. These results give enterprises guidance on the information security matters to attend to when adopting a virtualized IT environment, and show how such adoption can raise an enterprise's information security level.
The overuse of energy and over-emission of carbon dioxide have already caused damage to our environment. The great number of servers and their cooling equipment in the "computer farms" around the world also contribute a significant share of energy consumption. Recent progress in virtualization allows us to implement server consolidation. Virtualization not only reduces the use of computer rooms and the number of servers, it also reduces the use of power and cooling. Furthermore, it helps to utilize the full capacity of the remaining servers. Although virtualization saves energy and simplifies management, it has its own side effects. For one, security can be a major issue. Many security breaches that left a business exposed to hostility are known to have been caused by compromised security procedures. This thesis is a survey of the post-virtualization business security landscape from the point of view of system security. We surveyed 13 security and virtualization experts using a questionnaire we constructed. The questions in our questionnaire are based on the 133 control items of ISO 27001. Using Content Validity Ratio analysis (Lawshe), we found that 32 control items are related to virtualization. We then constructed the questions based on these 32 control items. Based on the collected replies, we found that virtualization actually benefits security; its adverse effects are negligible. We found that the banking and securities businesses have a very low tolerance for risk and, as a result, currently cannot adopt virtualization. We also found that IT engineers and workers are usually more likely to embrace virtualization technologies. The electronics, information and motor vehicle industries have found that the sandboxed virtual machines in virtualized systems are in fact good for information security.
Our findings can provide guidelines to IT professionals when they are introducing virtualization to their own companies. We believe that, if proper security measures are taken, virtualization actually makes your information system more secure.
Acknowledgements
Abstract (Chinese)
Abstract
List of Figures
List of Tables
Chapter 1 Introduction
1.1 Research Background
1.2 Research Motivation
1.3 Research Objectives
1.4 Research Process and Structure
1.5 Research Limitations
Chapter 2 Literature Review
2.1 Information Security
2.1.1 Definition of Information Security
2.1.2 ISO 27001
2.1.3 COBIT
2.1.4 ITIL
2.1.5 ISO 27001 vs. COBIT vs. ITIL
2.2 Virtualization Technology
2.2.1 Research on Virtualization Technology
Chapter 3 Research Method
3.1 Research Design
3.2 Research Subjects and Sampling Method
3.3 Design of the Research Measurement Instrument
Chapter 4 Data Analysis
4.1 Questionnaire Distribution and Collection
4.2 Expert Interviews and Results
4.3 Descriptive Statistics
4.4 Analysis of Personal (Company) Background Data and the Effect of Adopting a Virtualized IT Environment on Information Security
4.5 Correlation Analysis of the Effect of Adopting a Virtualized IT Environment on Information Security
4.6 Regression Analysis of the Effect of Adopting a Virtualized IT Environment on Information Security
4.7 Summary
Chapter 5 Conclusions and Future Research
5.1 Research Conclusions
5.2 Future Research
References
Appendix 1 Expert Questionnaire Results Table
Appendix 2 Research Questionnaire
[7]張紹勳、張紹評、林秀娟, SPSS For Windows多變量統計分析 (SPSS for Windows Multivariate Statistical Analysis), 松崗電腦圖書有限公司, 2000.
[8]Adam D., "Multi-factor authentication for internet banking: The FFIEC guidance aftermath", Journal of Corporate Treasury Management, Vol.1, No.2, pp.176-181, 2007.
[9]Ahsan K. and Kundur D., "Practical Data Hiding in TCP/IP", Proc. Workshop on Multimedia Security at ACM, 2002.
[10]Alfaro J. G., Cuppens F. and Cuppens Boulahia N., "Aggregating and Deploying Network Access Control Policies", International Conference on Availability, Reliability and Security (ARES), pp.532-542, 2007.
[11]Baldwin A., Shiu S. and Beres Y., "Auditing in shared virtualized environments", Hewlett-Packard Development Company, 2008.
[12]Blumenthal U., Marcovici M., Mizikovsky S., Patel S., Sundaram G. S. and Wong M., "Wireless network security architecture", Bell Labs Technical Journal, Vol.7, Iss.2, pp.19-36, 2002.
[13]Brocke J. V. and Buddendick C., "Security Awareness Management-Foundations and Implementation of Security Awareness", Proceedings of The 2005 International Conference on Security and Management, pp.221-227, 2005.
[14]Butler K., Enck W., Plasterr J., Traynor P. and McDaniel P., "Privacy Preserving Web-Based Email", Springer US, 2006.
[15]Buyya R., Yeo C. S. and Venugopal S., "Market-Oriented Cloud Computing: Vision, Hype, and Reality for Delivering IT Services as Computing Utilities", High Performance Computing and Communications Conference, pp.5-13, 2008.
[16]Carpenter M., "Integrated Security Risk Management Solution is Key to Protecting Government Networks", Homeland Defense Journal, Vol.5, Iss.1, pp.40-41, 2007.
[17]Casey E. and Stellatos G. J., "The impact of full disk encryption on digital forensics", The ACM Special Interest Group on Operating Systems (SIGOPS): Operating Systems Review, Vol.42, Iss.3, pp.93-98, 2008.
[18]Castro J., Kolp M. and Mylopoulos J., "A Requirements-Driven Software Development Methodology", Proceedings of the 13th International Conference on Advanced Information Systems Engineering, pp.108-123, 2001.
[19]Cavalli E., Mattasoglio A., Pinciroli F. and Spaggiari P., "Information security concepts and practices: the case of a provincial multi-specialty hospital", International Journal of Medical Informatics, Vol.73, Iss.3, pp.297-303, 2004.
[20]Chen Q. and Xin R., "Optimizing Enterprise IT Infrastructure through Virtual Server Consolidation", Proceedings of the 2005 Informing Science and IT Education Joint Conference, 2005.
[21]Cheong L. K. and Chang V., "The Need for Data Governance: A Case Study", 18th Australasian Conference on Information Systems, pp.100, 2007.
[22]Citrix Systems Inc., "Citrix XenApp Platinum Edition Advanced Concepts: The Official Guide, 3rd edition", Citrix Systems Inc., 2008.
[23]Collins J. M., "Business Identity Theft: The Latest Twist", Journal of Forensic Accounting, Vol.1524-5586, pp.303-306, 2003.
[24]Doherty W. J. and Kelisky R. P., "Managing VM/CMS systems for user effectiveness", IBM Systems Journal, Vol.18, No.1, pp.143, 1979.
[25]Elisa B. and Ravi S., "Database Security-Concepts, Approaches, and Challenges", IEEE Transactions on Dependable and Secure Computing, Vol. 2, No.1, pp.2-19, 2005.
[26]Engel E., Hayes R. M. and Wang X., "The Sarbanes-Oxley Act and firms' going-private decisions", Journal of Accounting and Economics, Vol.44, Iss.1-2, pp.116-145, 2007.
[27]Fernandez E. B., "Security Patterns and A Methodology to Apply them", Springer US, 2009.
[28]Friedman M., "The Reality of Virtualization for Windows Servers", Computer Measurement Group Conference, pp.907-918, 2006.
[29]Gerald K., "ISSO career development", Computers & Security, Vol.16, Iss.6, pp.455-458, 1997.
[30]Giunchiglia F., Mylopoulos J. and Perini A., "The Tropos Software Development Methodology: Processes, Models and Diagrams ", International Conference on Autonomous Agents, pp.35-36, 2002.
[31]Goth G., "Identity Theft Solutions Disagree on Problem", IEEE Distributed Systems Online, Vol. 6, Iss.8, pp.2, 2005.
[32]Grampp F. T. and Morris R. H., "UNIX operating system security", AT&T Bell Laboratories technical journal, Vol.63, No.8, pp.1649-1671, 1984.
[33]Grinter R. E. and Palen L., "Instant messaging in teen life", Proceedings of the 2002 ACM conference on Computer Supported Cooperative Work, pp.21-30, 2002.
[34]Guldentops E., "Governing information technology through COBIT", International Federation For Information Processing (IFIP) Conference, pp.115-160, 2001.
[35]Haworth D. A. and Pietron L. R., "Sarbanes-Oxley: Achieving Compliance by Starting with ISO 17799", Information Systems Management, Vol.23, Iss.1, pp.73-87, 2006.
[36]Haslum K., Abraham A. and Knapskog S., "A Framework for Distributed Intrusion Prediction and Prevention Using Hidden Markov Models and Online Fuzzy Risk Assessment", Conference of Information Assurance and Security (IAS), pp.183-190, 2007.
[37]Higgins K. J., "VMs Create Potential Risks", Technical report, DarkReading, 2007.
[38]Hoesing M. T., "Virtualization Security Assessment", Information Security Journal, Vol.18, Iss.3, pp.124-130, 2009.
[39]Horie T., "IDS/IPS Functionalities of OS Kernel-The Concept, Implementation and Applications", IEIC Technical Report, Vol.104, No.276, pp.35-42, 2004.
[40]Householder A., Houle K. and Dougherty C., "Computer Attack Trends Challenge Internet Security", Computer, Vol.35, Iss.4, pp.5-7, 2002.
[41]Howard M. and Lipner S., "Inside the Windows Security Push", IEEE Security and Privacy, Vol.1, No.1, pp.57-61, 2003.
[42]Hulitt E. and Rayford B., "Information System Security Compliance to FISMA Standard: A Quantitative Measure", Proceedings of the International Multiconference on Computer Science and Information Technology, pp.799-806, 2008.
[43]ISO 27001, "ISO 27001 Information Security Management Standard, International Standard Organization", 2005.
[44]IT Governance Institute (ITGI), COBIT 4.1, 2007.
[45]Kahn C. M. and Roberds W., "Credit and identity theft", Journal of Monetary Economics, Vol.55, Iss.2, pp.251-264, 2008.
[46]Kallahalla M., Uysal M., Swaminathan D., Nigel E., Dalton C. I. and Gittler F., "SoftUDC: A Software-Based Data Center for Utility Computing", IEEE Computer society, Vol.37, Iss.11, pp.38-46, 2004.
[47]Keller M. S. and Unger E. A., "Database Systems: Inferential Security", Journal of Official Statistics, Vol.9, No.2, pp.475-499, 1993.
[48]Khanna G., Beaty Y., Kar G. and Kochut A., "Application Performance Management in Virtualized Server Environments", Network Operations and Management Symposium (NOMS), pp.373-381, 2006.
[49]Lawton G., "Virus Wars: Fewer Attacks, New Threats", IEEE Computer society, Vol.35, No.12, pp.22-24, 2002.
[50]Lawshe C. H., "A Quantitative Approach to Content Validity", Personnel Psychology, Vol.28, pp.563-575, 1975.
[51]Lee M. C. and Chang T., "Applying ISO 17799: 2005 in information security management", International Journal of Services and Standards, Vol.3, No.3, pp.352-373, 2007.
[52]Liao X., Xiong X., Jin H. and Hu L., "LVD: A Lightweight Virtual Desktop Management Architecture", Springer US, 2008.
[53]Li H., Pincus M. and Rego S. O., "Market Reaction to Events Surrounding the Sarbanes‐Oxley Act of 2002 and Earnings Management", The Journal of Law and Economics, Vol.51, Iss.1, pp.111-134, 2008.
[54]Li J. and Shaw M. J., "Protection of health information in data mining", Springer US, 2004.
[55]Linde R. R., "Operating system penetration", AFIPS Joint Computer Conferences, pp.361-368, 1975.
[56]Lindquist T. E., Gary K. A., Koehnemann H. E. and Naccache H., "Component Framework for Web-Based Learning Environments", Frontiers in Education Conference, pp.23-28, 1999.
[57]Ling F. M., "COBIT 4.1: An Update", ISACA/MNCC IT Governance Conference 22nd and 23rd, 2007.
[58]Logan P. Y. and Logan S. W., "Bitten by a Bug: A Case Study in Malware Infection", Journal of Information Systems Education, Vol.14, Iss.3, pp.301-305, 2003.
[59]Lopez G., Canovas O., Gomez A. F., Jiménez J. D. and Marín R., "A network access control approach based on the AAA architecture and authorization attributes", Journal of Network and Computer Applications, Vol.30, Iss.3, pp.900-919, 2007.
[60]Malin B. and Sweeney L., "How (not) to protect genomic data privacy in a distributed network: using trail reidentification to evaluate and design anonymity protection systems", Journal of Biomedical Informatics, Vol.36, No.3, pp.179-192, 2004.
[61]Mamun A., Hassan M. K. and Lai S. V., "The impact of the Gramm-Leach-Bliley act on the financial services industry", Journal of Economics and Finance, Vol.28, Iss.3, pp.333-347, 2004.
[62]Matthews J. N., Herne J. J., Deshane T. M., Jablonski P. A., Cherian L. R. and McCabe M. T., "Data Protection and Rapid Recovery from Attack with a Virtual Private File Server and Virtual Machine Appliances", Proceedings of the IASTED International Conference on Communication, Network and Information Security, pp.170-181, 2005.
[63]Maurer U., "The role of cryptography in database security", International Conference on Management of Data, pp.5-10, 2004.
[64]Menon A., Cox A. L. and Zwaenepoel W., "Optimizing Network Virtualization in Xen", USENIX Annual Technical Conference, pp.15-28, 2006.
[65]Mevag I., "Towards Automatic Management and Live Migration of Virtual Machines", University of OSLO Master Thesis, 2007.
[66]Nieh J. and Leonard O. C., "Examining Vmware", Dr. Dobb’s Journal, pp.60-76, 2000.
[67]Nowell C., "Regulatory Compliance-the Wonderful World of FISMA", Information Security Journal, Vol.16, Iss.5, pp.278-280, 2007.
[68]Nyanchama M., "Enterprise Vulnerability Management and Its Role in Information Security Management", Information Security Journal, Vol.14, Iss.3, pp.29-56, 2005.
[69]OECD, "OECD Recommendation", Guidelines and Explanatory Memorandum for the Security of Information Systems, 1992.
[70]Oppliger R., "Internet security: firewalls and beyond", Communications of the ACM, Vol.40, Iss.5, pp.92-102, 1997.
[71]Otto B., Wende K., Schmidt A. and Osl P., "Towards a Framework for Corporate Data Quality Management", 18th Australasian Conference on Information Systems, pp.916-926, 2007.
[72]Papadaki M. and Furnell S., "IDS or IPS: what is best?", Network Security, Vol.2004, Iss.7, pp.15-19, 2004.
[73]Park J. and Noh B., "Web Attack Detection: Classifying Parameter Information according to Dynamic Web page", International Journal of Web Services Practices, Vol.2, No.1-2, pp.68-74, 2006.
[74]Piotroski J. D. and Srinivasa S., "The Sarbanes-Oxley Act and the Flow of International Listings", Journal of Accounting, Vol.46, Iss.2, pp.383-425, 2007.
[75]Qi Y., Yang B., Xu B. and Li J., "Towards System-level Optimization for High Performance Unified Threat Management", International Conference on Networking and Services (INCS), pp.7, 2007.
[76]Quétier B., Neri V. and Cappello F., "Scalability Comparison of Four Host Virtualization Tools", Journal of Grid Computing, Vol.5, Iss.1, pp.83-98, 2007.
[77]Rasmussen E. R., "Reducing IT Costs and Increasing IT Efficiency by Integrating Platform-Virtualization in the Enterprise", University of Oregon Applied Information Management, 2009.
[78]Reinhold C., Frolick M. N. and Okunoye A., "Managing Your Security Future", Information Security Journal, Vol.18, Iss.3, pp.116-123, 2009.
[79]Renauda K., "Quantifying the Quality of Web Authentication Mechanisms A Usability Perspective", Journal of Web Engineering, Vol.3, No.2, pp.95-123, 2003.
[80]Reuben J. S., "A Survey on Virtual Machine Security", Helsinki University of Technology, 2007.
[81]Ridley G., Young J. and Carroll P., "COBIT and its utilization: a framework from the literature", Proceedings of the 37th Annual Hawaii International Conference on System Sciences, pp.8, 2004.
[82]Royer D., "Assessing the Value of Enterprise Identity Management-Towards a Generic Evaluation Approach", International Conference on Availability, Reliability and Security (ARES), 2008.
[83]Royer D. and Meints M., "Enterprise Identity Management-Towards a Decision Support Framework Based on the Balanced Scorecard Approach", Business and Information Systems Engineering, Vol.1, Iss.3, pp.245-253, 2009.
[84]Russe S. F., "Wireless Network Security for Users", International Conference on Information Technology: Coding and Computing (ICTC), pp.172, 2001.
[85]Schmitt M., Hu J. and Meinel C., "A tutoring system for IT security education", Journal of Information Warfare, Vol.2, Iss.3, pp.79-85, 2003.
[86]Schreck G., "Server Virtualization Security: 90% Process 10% Technology", Forrester Research Report, 2008.
[87]Singh A., Korupolu M. and Mohapatra D., "Server-storage virtualization: integration and load balancing in data centers", Proceedings of the 2008 ACM/IEEE conference on Supercomputing, pp.1-12, 2008.
[88]Skaruz J. and Seredynski F., "Detecting web application attacks with use of Gene Expression Programming", IEEE Congress on Evolutionary Computation, pp.2029-2035, 2009.
[89]Smetters D. K. and Grinter R. E., "Moving from the design of usable security technologies to the design of useful secure applications", New Security Paradigms Workshop (NSPW), pp.82-89, 2002.
[90]Sotomayor B., Keahey K. and Foster I., "Overhead Matters: A Model for Virtual Resource Management", Virtualization Technology in Distributed Computing, pp.5-5, 2006.
[91]Sparks W. J. and James D. G., "Server Virtualization Products And Information Security", 2008.
[92]Symantec, "The Green Data Center: A Symantec Green IT Guide", Symantec Green IT white paper, 2009.
[93]Thein T., Chi S. D. and Park J. S., "Availability Modeling and Analysis on Virtualized Clustering with Rejuvenation", International Journal of Computer Science and Network Security, Vol.8, No.9, pp.72-80, 2008.
[94]Thompson C. W. and Thompson D. R., "Identity Management", IEEE Internet Computing, Vol.11, No.3, pp.82-85, 2007.
[95]Toderick L., Mohammed T. and Tabrizi M. H. N., "A consortium of secure remote access Labs for information technology education", Conference On Information Technology Education (CITC), pp.295-299, 2005.
[96]Toval A., Olmos A. and Piattini M., "Legal requirements reuse: a critical success factor for requirements quality and personal data protection", IEEE Joint International Conference on Requirements Engineering, pp.95-103, 2002.
[97]Wang W., Du Z., Chen Y. and Li S., "Virtualization-based autonomic resource management for multi-tier Web applications in shared data center", Journal of Systems and Software, Vol.81, Iss.9, pp.1591-1608, 2008.
[98]Weber K., Otto B. and Osterle H., "One Size Does Not Fit All - A Contingency Approach to Data Governance", ACM Journal of Data and Information Quality, Vol, Iss.1, Article. 4, 2009.
[99]Wende K., "A Model for Data Governance-Organising Accountabilities for Data Quality Management", 18th Australasian Conference on Information Systems, pp.417-425, 2007.
[100]Wiander T., "Positive and Negative Findings of the ISO/IEC 17799 Framework", 18th Australasian Conference on Information Systems, pp.75, 2007.
[101]Yen D. C., Chou D. C. and Cao J., "Innovation in information technology: integration of web and database technologies", International Journal of Innovation and Learning, Vol.1, No.2, pp.143-157, 2004.
[102]Yokoyama T., Hanaoka M., Shimamura M. and Kono K., "Simplifying security policy descriptions for internet servers in secure operating systems", In Proceedings of the 2009 ACM Symposium on Applied Computing, pp.326-333, 2009.
[103]Yoshihiko O. and Tetsu Y., "Server Virtualization Technology and Its Latest Trends", Fujitsu Scientific and Technical Journal, Vol.44, Iss.1, pp.46-52, 2008.
[104]Zhang I. X., "Economic consequences of the Sarbanes-Oxley Act of 2002", Journal of Accounting and Economics, Vol.44, Iss.1-2, pp.74-115, 2007.

[105]CXOToday, "AMD Makes Available I/O Virtualization Technology", http://www.cxotoday.com/India/News/AMD_Makes_Available_IO_Virtualization_Technology/551-71180-912.html, 2006.
[109]Jones T., "Discover the Linux Kernel Virtual Machine", IBM,
[110]McAfee, "McAfee Avert Labs Top 10 Security Predictions for 2008",