Readiness Exercises: Are Risk Assessment Methodologies Ready for the Cloud?

Cloud computing is a way of delivering computing resources as a remote service rather than a new technology in itself. A wide range of services is available on demand, from data storage and processing to software as a service such as email and development platforms. Cloud computing enables ubiquitous, on-demand network access to a shared pool of configurable resources (servers, applications, and so on) that can be accessed, altered or even restored rapidly with minimal management effort or service provider interaction. However, the rapid growth of cloud computing has introduced new security issues. Key factors are the loss of control over outsourced resources and cloud computing's inherent security vulnerabilities. Managing these risks requires the adoption of an effective risk management method, one capable of involving both the cloud customer and the cloud service provider. Risk assessment methods are common tools among IT security consultants for managing the risk of entire companies, yet traditional risk management methodologies struggle with cloud services. Extending our previous work, the purpose of this paper is to compare popular risk management methods and tools (e.g. NIST SP800, EBIOS, MEHARI, OCTAVE, IT-Grundschutz, MAGERIT, CRAMM, HTRA, Risk-Safe Assessment, CORAS) and examine whether they are suitable for cloud computing environments. Specifically, based on the existing literature, this paper identifies the essential characteristics that any risk assessment method addressed to cloud computing should incorporate, and suggests three new ones that, based on their features, are more appropriate.
