Abstract
Managing information risk is a complex task that must continually adapt to business and technology changes. We argue that cloud computing presents a more significant step change and so implies a bigger change for the enterprise risk and security management lifecycle. Specifically, the economies of scale that large providers can achieve are creating an ecosystem of service providers in which the marketplace (rather than consuming enterprises) determines security standards and properties. Moreover, the ability to consume high-level services from different environments is changing the nature of one-size-fits-all security policies. At HP Labs, we are doing research on developing trusted infrastructure that will exploit and improve security management in the emerging cloud architectures. We are developing and using economic and mathematical modelling techniques to help cloud stakeholders make better risk decisions, and we are pulling these strands together to establish principles and mechanisms that will improve and enable federated assurance for the cloud.
Notes
1. ‘Trust Domains’ is a collaborative project funded by the UK’s Technology Strategy Board and EPSRC. It is led by HP Labs and includes the Universities of Aberdeen, Birmingham, and Oxford, and Perpetuity Group.
2. Throughout this chapter, we are concerned with how companies use the cloud and ignore consumer cloud services.
3. Much of this work was based on the UK Technology Strategy Board-funded Trust Economics project, with partners from University of Newcastle, University of Bath, University College London, Merrill Lynch, and National Grid.
4.
5. This is particularly important for security processes, where failures may not be obvious, or not obvious until a serious incident has occurred.
Acknowledgments
This chapter draws on the work of and conversations with all of the security research team in HP Labs. Specifically, we thank Boris Balacheff and Chris Dalton for their advice about all areas relating to trusted infrastructure, Yolanta Beres and Jonathan Griffin for their work on process modelling of vulnerability management, Chew Yean Yam and Christos Ioannidis (University of Bath) for work on the switching (real options) model, Matthew Collinson (University of Aberdeen) and Brian Monahan for work on foundations and process modelling across all the projects, Marco Casassa Mont for work on identity assurance, and Martin Sadler for overall vision. We would also like to thank and acknowledge all our partners in the Cloud Stewardship Economics and Trust Domains projects and the UK Technology Strategy Board for its funding of these projects.
© 2013 Springer-Verlag London
About this chapter
Cite this chapter
Baldwin, A., Pym, D., Shiu, S. (2013). Enterprise Information Risk Management: Dealing with Cloud Computing. In: Pearson, S., Yee, G. (eds) Privacy and Security for Cloud Computing. Computer Communications and Networks. Springer, London. https://doi.org/10.1007/978-1-4471-4189-1_8
DOI: https://doi.org/10.1007/978-1-4471-4189-1_8
Publisher Name: Springer, London
Print ISBN: 978-1-4471-4188-4
Online ISBN: 978-1-4471-4189-1