Migration Goals and Risk Management in Cloud Computing: A Review of State of the Art and Survey Results on Practitioners

Organizations are now seriously considering adopting cloud into the existing business context, but migrating data, applications and services into the cloud doesn't come without substantial risks. These risks are significant barriers to wider cloud adoption. There are works that consolidate the existing work on cloud migration and technology. However, there is no secondary study that consolidates the state of the art research and existing practice on risk management in cloud computing. This makes it difficult to understand the risk management trend, maturity, and research gaps. This paper investigates the state of the art research and practices relating to risk management in cloud computing and discusses survey results on migration goals and risks. The survey participants are practitioners from both public and private organizations in two different locations, i.e., the UK and Malaysia. The authors identify and classify the relevant literature and systematically compare the existing works and survey results. The results show that most of the existing works do not consider the existing organization and business context for the risk assessment. The authors' study results also reveal that risk management in cloud computing research and practice is still not at a mature stage but is gradually advancing. Finally, they propose a risk assessment approach and determine the relative importance of the migration goals from two real migration use cases.
