Enterprise Information Risk Management: Dealing with Cloud Computing

  • Chapter
Privacy and Security for Cloud Computing

Part of the book series: Computer Communications and Networks ((CCN))

Abstract

Managing information risk is a complex task that must continually adapt to business and technology changes. We argue that cloud computing presents a more significant step change and so implies a bigger change for the enterprise risk and security management lifecycle. Specifically, the economies of scale that large providers can achieve are creating an ecosystem of service providers in which the marketplace (rather than consuming enterprises) determines security standards and properties. Moreover, the ability to consume high-level services from different environments is changing the nature of one-size-fits-all security policies. At HP Labs, we are doing research on developing trusted infrastructure that will exploit and improve security management in the emerging cloud architectures. We are developing and using economic and mathematical modelling techniques to help cloud stakeholders make better risk decisions, and we are pulling these strands together to establish principles and mechanisms that will improve and enable federated assurance for the cloud.

Notes

  1. ‘Trust Domains’ is a collaborative project funded by the UK’s Technology Strategy Board and EPSRC. It is led by HP Labs and includes the Universities of Aberdeen, Birmingham, and Oxford, and Perpetuity Group.

  2. Throughout this chapter, we are concerned with how companies use the cloud and ignore consumer cloud services.

  3. Much of this work was based on the UK Technology Strategy Board-funded Trust Economics project, with partners from University of Newcastle, University of Bath, University College London, Merrill Lynch, and National Grid.

  4. Gnosis is a discrete process modelling language that (partially) captures a discipline of mathematical system modelling based on mathematical models of the concepts of location, resource, and process (all modelled using algebraic/logical tools) and environment (modelled stochastically) [23–26].

  5. This is particularly important for security processes, where failures may not be obvious, or not obvious until a serious incident has occurred.

References

  1. Acquisti, A., Anderson, R., Schneier, B.: 4th Security and Human Behavior Workshop, Carnegie Mellon University. http://www.heinz.cmu.edu/~acquisti/SHB/ (2011). Accessed 1 Jan 2012

  2. Anderson, R.: Why information security is hard: an economic perspective. In: Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC), pp. 358–365. IEEE Computer Society Press (2001)

  3. Armour, F.J., Kaisler, S.H., Liu, S.I.: Building an enterprise architecture step by step. IT Prof. 1(4), 31–39 (1999). doi:10.1109/6294.781623

  4. Baldwin, A., Beres, Y., Shiu, S.: Using assurance models to aid the risk and governance life cycle. BT Technol. J. 25, 128–140 (2007). doi:10.1007/s10550-007-0015-7

  5. Baldwin, A., Beres, Y., Shiu, S.: Using assurance models in IT audit engagements. HP Labs Technical Report HPL-2006-148 (2006)

  6. Baldwin, A., Dalton, C.I., Shiu, S., Kostienk, K., Rajpoot, Q.: Providing secure services for a virtual infrastructure. SIGOPS Oper. Syst. Rev. 43(1), 44–51 (2009). doi:10.1145/1496909.1496919

  7. Baldwin, A., Mont, M.C., Beres, Y., Shiu, S.: Assurance for federated identity management. J. Comput. Secur. 18(4), 541–572 (2010)

  8. Baldwin, A., Mont, M.C., Shiu, S.: Using modelling and simulation for policy decision support in identity management. Policy 2009, pp. 17–24 (2009)

  9. Baldwin, A., Pym, D., Sadler, M., Shiu, S.: Information stewardship in cloud ecosystems: towards models, economics and delivery. In: Proceedings of the 2011 IEEE Third International Conference on Cloud Computing Technology and Science (CloudCom), Athens (2011)

  10. Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I., Warfield, A.: Xen and the art of virtualization. In: Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles, Bolton Landing, NY, 19–22 Oct 2003. doi:10.1145/945445.945462

  11. Beautement, A., Coles, R., Griffin, J., Ioannidis, C., Monahan, B., Pym, D., Sasse, A., Wonham, M.: Modelling the human and technological costs and benefits of USB memory stick security. In: Managing Information Risk and the Economics of Security. Springer, New York (2009)

  12. Beautement, A., Pym, D.: Structured systems economics for security management. In: Proceedings of the WEIS 2010, Harvard University. http://weis2010.econinfosec.org/papers/session6/weis2010_beautement.pdf (2010)

  13. Beres, Y., Griffin, J., Shiu, S., Heitman, M., Markle, D., Ventura, P.: Analysing the performance of security solutions to reduce vulnerability exposure windows. In: Proceedings of the Annual Computer Security Applications Conference (ACSAC), pp. 33–42. IEEE, Anaheim (2008)

  14. Beres, Y., Mont, M.C., Griffin, J., Shiu, S.: Using security metrics coupled with predictive modeling and simulation to assess security processes. Empir. Softw. Eng. Meas. 2009, 564–573 (2009)

  15. Beres, Y., Pym, D., Shiu, S.: Decision support for systems security investment. In: Proceedings of the Business-driven IT Management (BDIM), IEEE Xplore (2010)

  16. Berger, S., Cáceres, R., Goldman, K.A., Perez, R., Sailer, R., van Doorn, L.: vTPM: virtualizing the trusted platform module. In: Proceedings of the 15th Conference on USENIX Security Symposium, Vancouver, 31 July–4 Aug 2006

  17. Cabuk, S., Dalton, C.I., Eriksson, K., Kuhlmann, D., Ramasamy, H.V., Ramunno, G., Sadeghi, A., Schunter, M., Stüble, C.: Towards automated security policy enforcement in multi-tenant virtual data centers. J. Comput. Secur. 18(1), 89–121 (2010)

  18. CAMM (Common Assurance Maturity Model Guiding Principles): http://common-assurance.com/resources/Common-Assurance-Maturity-Model-vision.pdf (2010)

  19. Catteddu, D., Hogben, G.: Cloud computing information assurance framework. ENISA Report. http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework/ (2009). Accessed 1 Jan 2012

  20. Chapin III, F.S., Kofinas, G.P., Folke, C. (eds.): Principles of Ecosystem Stewardship: Resilience-Based Natural Resource Management in a Changing World. Springer, New York (2009)

  21. Chen, Y., Bharadwaj, A.: An empirical analysis of contract structures in IT outsourcing. Info. Syst. Res. 20, 484–506 (2009)

  22. Cloud Stewardship Economics: http://www.hpl.hp.com/bristol/cloud_stewardship.htm (2012)

  23. Collinson, M., Monahan, B., Pym, D.: A logical and computational theory of located resource. J. Log. Comput. 19(6), 1207–1244 (2009). doi:10.1093/logcom/exp021

  24. Collinson, M., Monahan, B., Pym, D.: A discipline of mathematical systems modelling. Forthcoming monograph. College Publications (2012)

  25. Collinson, M., Monahan, B., Pym, D.: Semantics for structured systems modelling and simulation. In: Proceedings of the Simutools 2010, ACM Digital Library and EU Digital Library. ISBN: 978-963-9799-87-5 (2010)

  26. Core Gnosis: http://www.hpl.hp.com/research/systems_security/gnosis.html (2012). Accessed 1 Jan 2012

  27. Dalton, C., Plaquin, D., Weidner, W., Kuhlmann, D., Balacheff, B., Brown, R.: Trusted virtual platforms: a key enabler for converged client devices. SIGOPS Oper. Syst. Rev. 43(1), 36–43 (2009). doi:10.1145/1496909.1496918

  28. Degabriele, J.P., Pym, D.: Economic aspects of a utility computing service. HP Labs Technical Report HPL-2007-101 (2007)

  29. Eskins, D., Sanders, W.H.: The multiple-asymmetric-utility system model: a framework for modeling cyber-human systems. In: Proceedings of the 8th International Conference on Quantitative Evaluation of Systems (QEST), Aachen (2011)

  30. Goldsack, P., Guijarro, J., Loughran, S., Coles, A., Farrell, A., Lain, A., Murray, P., Toft, P.: The SmartFrog configuration management framework. SIGOPS Oper. Syst. Rev. 43(1), 16–25 (2009). doi:10.1145/1496909.1496915

  31. Gordon, L.A., Loeb, M.P.: Managing Cybersecurity Resources: A Cost-Benefit Analysis. McGraw Hill, New York (2006)

  32. Ioannidis, C., Pym, D., Williams, J.: Information security trade-offs and optimal patching policies. Eur. J. Oper. Res. 216(2), 434–444 (2012). doi:10.1016/j.ejor.2011.05.050

  33. Ioannidis, C., Pym, D., Williams, J.: Fixed costs, investment rigidities, and risk aversion in information security: a utility-theoretic approach. In: Schneier, B. (ed.) Proceedings of the Workshop on Economics of Information Security (WEIS 2011). Springer (in press)

  34. Ioannidis, C., Pym, D., Williams, J.: Investments and trade-offs in the economics of information security. In: Dingledine, R., Golle, P. (eds.) Financial Cryptography and Data Security: Proceedings of the 13th International Conference on Financial Cryptography and Data Security, pp. 148–166. Springer, Berlin, Heidelberg (2009)

  35. ISO: ISO 27000 Series of Standards (supersedes ISO 17799). http://www.27000.org (2007). Accessed 1 Jan 2012

  36. ITGI: Control Objectives for Information and Related Technologies (COBIT), 4th edn (2005)

  37. Kallahalla, M., Uysal, M., Swaminathan, R., Lowell, D.E., Wray, M., Christian, T., Edwards, N., Dalton, C.I., Gittler, F.: SoftUDC: a software-based data center for utility computing. Computer 37(11), 38–46 (2004). doi:10.1109/MC.2004.221

  38. Keeney, R.L., Raiffa, H.: Decisions with Multiple Objectives: Preferences and Value Tradeoffs. Wiley, New York (1976) [Reprinted, Cambridge University Press, New York (1993)]

  39. Khwaja, T.: Should I stay or should I go? Migration under uncertainty: a real option approach. Public Policy Discussion Papers 002-10. Economics and Finance Section, School of Social Sciences, Brunel University (2002)

  40. Krebs, B.: Epsilon breach raises specter of spear phishing. http://krebsonsecurity.com/2011/04/epsilon-breach-raises-specter-of-spear-phishing/ (2011). Accessed 1 Jan 2012

  41. Lloyd, V.: Planning to implement service management (IT Infrastructure Library). The Stationery Office Books. http://www.itil.co.uk/publications.htm (2011). Accessed 1 Jan 2012

  42. Mell, P., Grance, T.: The NIST Definition of Cloud Computing (Draft). Technical report, National Institute of Standards and Technology, US Department of Commerce. Special Publication 800-145 (Draft) (2011)

  43. Open Trusted Computing: http://www.opentc.net/ (2012). Accessed 1 Jan 2012

  44. Pearson, S., Balacheff, B., Chen, L., Plaquin, D., Proudler, G.: Trusted Computing Platforms: TCPA in Context. HP Books, Prentice Hall (2003)

  45. Pym, D., Sadler, M.: Information stewardship in cloud computing. Int. J. Serv. Manage. Eng. Technol. 1(1), 50–67 (2010)

  46. Pym, D., Sadler, M., Shiu, S., Mont, M.C.: Information stewardship in the cloud: a model-based approach. In: Proceedings of the CloudComp 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering (LNICST). Springer (to appear, 2010)

  47. Pym, D., Shiu, S., Coles, R., van Moorsel, A., Sasse, M.A., Johnson, H.: Trust economics: a systematic approach to information security decision making. Final Report for the UK Technology Strategy Board ‘Trust Economics’ project. http://www.hpl.hp.com/news/2011/oct-dec/Final_Report_collated.pdf (2011). Accessed 1 Jan 2012

  48. Shiu, S., Baldwin, A., Beres, Y., Casassa Mont, M., Duggan, G., Johnson, H., Middup, C.: Economic methods and decision making by security professionals. In: Schneier, B. (ed.) Proceedings of the Workshop on Economics of Information Security (WEIS 2011). Springer (in press)

  49. Spewak, S.H., Hill, S.C.: Enterprise Architecture Planning: Developing a Blueprint for Data, Applications and Technology. QED Information Sciences, Inc., Wellesley (1993)

  50. Squicciarini, A.C., Rajasekaran, S.D., Mont, M.C.: Using modeling and simulation to evaluate enterprises’ risk exposure to social networks. IEEE Comput. 44(1), 66–73 (2011)

  51. Stoneburner, G., Goguen, A., Feringa, A.: Risk Management Guide for Information Technology Systems. Technical Report, National Institute of Standards and Technology, U.S. Department of Commerce, NIST Special Publication 800-30. http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf (2002)

  52. The Trusted Computing Group: http://www.trustedcomputinggroup.org/. Accessed 1 Jan 2012

  53. Trigeorgis, L.: Real options: an overview. In: Schwartz, E.S., Trigeorgis, L. (eds.) Real Options and Investment Under Uncertainty: Classical Readings and Recent Contributions. MIT Press, Cambridge (2001)

  54. US Congress: S. 3742: Data Security and Breach Notification Act of 2010. http://www.govtrack.us/congress/bill.xpd?bill=s111-3742. Accessed 1 Jan 2012

  55. Yam, C.-Y., Baldwin, A., Ioannidis, C., Shiu, S.: Migration to cloud as real option: investment decision under uncertainty. In: Proceedings of the Trust, Security and Privacy in Computing and Communications (TrustCom), IEEE (2011)

Acknowledgments

This chapter draws on the work of and conversations with all of the security research team in HP Labs. Specifically, we thank Boris Balacheff and Chris Dalton for their advice about all areas relating to trusted infrastructure, Yolanta Beres and Jonathan Griffin for their work on process modelling of vulnerability management, Chew Yean Yam and Christos Ioannidis (University of Bath) for work on the switching (real options) model, Matthew Collinson (University of Aberdeen) and Brian Monahan for work on foundations and process modelling across all the projects, Marco Casassa Mont for work on identity assurance, and Martin Sadler for overall vision. We would also like to thank and acknowledge all our partners in the Cloud Stewardship Economics and Trust Domains projects and the UK Technology Strategy Board for its funding of these projects.

Copyright information

© 2013 Springer-Verlag London

Cite this chapter

Baldwin, A., Pym, D., Shiu, S. (2013). Enterprise Information Risk Management: Dealing with Cloud Computing. In: Pearson, S., Yee, G. (eds) Privacy and Security for Cloud Computing. Computer Communications and Networks. Springer, London. https://doi.org/10.1007/978-1-4471-4189-1_8

  • DOI: https://doi.org/10.1007/978-1-4471-4189-1_8

  • Publisher Name: Springer, London

  • Print ISBN: 978-1-4471-4188-4

  • Online ISBN: 978-1-4471-4189-1
