Abstract
The present paper shows a proposal of the characteristics Cloud Risk Assessment Models should have and presents the review of the literature considering those characteristics in order to identify current gaps. This work shows a ranking of Cloud RA models and their degree of compliance with the theoretical reference Cloud Risk Assessment model. The review of literature shows that RA approaches leveraging CSA (Cloud Security Alliance) STAR Registry that have into account organization’s security requirements present higher degree of compliance but they still lack risk economic quantification. The myriad of conceptual models, methodologies and frameworks although based on current NIST SP 800:30, ISO 27001, ISO 27005, ISO 30001, ENISA standards could be enhanced by the use of techno-economic models like UTEM, created by the author, in order to conceive more simplified models for effective Risk Assessment and Mitigation closer to the theoretical reference model for Cloud Risk Assessment, available for all cloud models (IaaS, PaaS, SaaS) and easy to use for all stakeholders.
Dr. Carlos Bendicho holds M.Sc. and Ph.D. degrees in Telecommunications Engineering (EECS) from Bilbao School of Engineering, University of the Basque Country, Spain. He is also MBA from Technical University of Madrid and MIT Sloan Executive Program in Artificial Intelligence and Strategy, Massachusetts Institute of Technology. He is ACM Member and IEEE Communications Society Member.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Nhlabatsi, A., Hong, J.B., Kim, D.S., Fernandez, R., Fetais, N., Khan, K.M.: Spiral^SRA: a threat-specific security risk assessment framework for the cloud. In: 2018 IEEE International Conference on Software Quality, Reliability and Security (QRS), Lisbon, pp. 367–374 (2018). https://doi.org/10.1109/QRS.2018.00049
Swiderski, F., Snyder, W.: Threat Modeling. Microsoft Press, Redmond (2004)
Djemame, K., Armstrong, D., Guitart, J., Macias, M.: A risk assessment framework for cloud computing. IEEE Trans. Cloud Comput. 4(3), 265–278 (2016). https://doi.org/10.1109/TCC.2014.2344653.
Ferrer, A.J., Hernandez, F., Tordsson, J., Elmroth, E., Ali-Eldin, A., Zsigri, C., Sirvent, R., Guitart, J., Badia, R.M., Djemame, K., Ziegler, W., Dimitrakos, T., Nair, S.K., Kousiouris, G., Konstanteli, K., Varvarigou, T., Hudzia, B., Kipp, A., Wesner, S., Corrales, M., Forgo, N., Sharif, T., Sheridan, C.: Optimis: a holistic approach to cloud service provisioning. Future Generation Comput. Syst. 28(1), 66–77 (2012)
Optimis toolkit (2013). http://optimistoolkit.com/
Tanimoto, S., et al.: A study of risk assessment quantification in cloud computing. In: 2014 17th International Conference on Network-Based Information Systems, Salerno, pp. 426–431 (2014). https://doi.org/10.1109/NBiS.2014.11
Albakri, S.H., Shanmugam, B., Samy, G.N., Idris, N.B., Ahmed, A.: Security risk assessment framework for cloud computing environments. Secur. Commun. Netw. 7(11), 2114–2124 (2014)
Saripalli, P., Walters, B.: QUIRC: a quantitative impact and risk assessment framework for cloud security. In: 2010 IEEE 3rd International Conference on Cloud Computing (CLOUD). IEEE, pp. 280–288 (2010)
Linstone, H.A.: The Delphi Method: Techniques and Applications. Addison-Wesley (1975)
RAND Corporation: A collection of RAND publications on the Delphi method (2007). http://www.rand.org/pardee/pubs/methodologies.html#delphi
Stuter, L.M.: The delphi technique: what is it? Lynn's Educ. Res. Netw. (1996). http://www.learnusa.com/transformation_process/acf001.htm
Microsoft: Microsoft threat modeling tool – threats - stride model. Accessed 14 Nov 2020. https://docs.microsoft.com/es-es/azure/security/develop/threat-modeling-tool-threats
Federal Information Processing Standards Pub 199: Standards for Security Categorization of Federal Information and Information Systems. http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
Akinrolabu, O., Nurse, J.R.C., Martin, A., New, S.: Cyber risk assessment in cloud provider environments: Current models and future needs. Comput. Secur. 87 (2019). https://doi.org/10.1016/j.cose.2019.101600
Cayirci, E., Garaga, A., Santana de Oliveira, A., Roudier, Y.: A risk assessment model for selecting cloud service providers. J. Cloud Comput. 5(1), 1–12 (2016). https://doi.org/10.1186/s13677-016-0064-x
Catteddu, D., Hogben, G.: Cloud computing. Benefits, risks and recommendations for information security. Technical report. ENISA (2009). Accessed http://www.enisa.europa.eu/activities/risk-management/files/ deliverables/cloud-computing-risk-assessment/at_download/fullReport
The Notorious Nine Cloud Computing Top Threats in 2013 Technical report. Cloud Security Alliance (2013). https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
Cloud Security Alliance: Consensus Assessment Initiative Questionnaire (CAIQ). Accessed https://cloudsecurityalliance.org/research/cai
Cloud Security Alliance: Cloud Control Matrix (CCM). Accessed https://cloudsecurityalliance.org/research/ccm/
Luna, J., Langenberg, R., Suri, N.: Benchmarking cloud security level agreements using quantitative policy trees. In: Proceedings of the 2012 ACM Workshop on Cloud Computing Security Workshop – CCSW 2012, p. 103. ACM Press, New York (2012). https://doi.org/10.1145/2381913.2381932. Accessed http://dl.acm.org/citation.cfm?doid=2381913.2381932
Alturkistani, F.M., Emam, A.Z.: A review of security risk assessment methods in cloud computing. In: Rocha, Á., Correia, A.M., Tan, F.B., Stroetmann, K.A. (eds.) New Perspectives in Information Systems and Technologies, Volume 1. AISC, vol. 275, pp. 443–453. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-05951-8_42
Drissi, S., Benhadou, S., Medromi, H.: Evaluation of risk assessment methods regarding cloud computing. In: The 5th Conference on Multidisciplinary Design Optimization and Applicaton (2016)
Tang, H., Yang, J., Wang, X., Zhou, Q.: A research for cloud computing security risk assessment. Open Cybern. Systemics J. 10, 210–217 (2016). http://benthamopen.com/ABSTRACT/TOCSJ-10-210
Bendicho, C.: Techno-economic assessment in communications: models for access network technologies, arXiv (2020). https://arxiv.org/abs/2006.07720
Bendicho, C.: Model for techno-economic assessment of access technologies. Doctoral dissertation for Ph.D., Telecommunications Engineering, University of the Basque Country, 2016, arXiv (2020). https://arxiv.org/abs/2008.07286
Ribbeck, B.: Cloud service provider risk assessment (2014). Accessed https://events.educause.edu/annual-conference/2014/proceedings/cloud-service-provider-risk-assessment
Macdonald, D.: Practical Machinery Safety. Newnes (2004)
Fito, J.O., Macias, M., Guitart, J.: Toward business-driven risk management for cloud computing. In: 2010 International Conference on Network and Service Management (CNSM), October 25–29, pp. 238–241 (2010)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Bendicho, C. (2022). Cyber Security in Cloud: Risk Assessment Models. In: Arai, K. (eds) Intelligent Computing. Lecture Notes in Networks and Systems, vol 283. Springer, Cham. https://doi.org/10.1007/978-3-030-80119-9_28
Download citation
DOI: https://doi.org/10.1007/978-3-030-80119-9_28
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-80118-2
Online ISBN: 978-3-030-80119-9
eBook Packages: Intelligent Technologies and RoboticsIntelligent Technologies and Robotics (R0)