A Methodology for Cloud Security Risks Management

Chapter in: Cloud Computing

Part of the book series: Computer Communications and Networks (CCN)

Abstract

Cloud computing is an attractive model for both the users and the providers of Cloud-based infrastructure, each of whom has their own business reasons for using or offering these services. However, as with many business ventures, as the use of Cloud environments grows, the risks and threats associated with the model also increase. Although the Cloud paradigm is an evolution of grid systems, Clouds face threats specific to virtualized and multi-tenant environments, and these must be managed with proper methodologies to ensure that the entire ecosystem is secure. Security consists of three main aspects, availability, integrity and confidentiality, and each of these must be considered to make sure that the complete ecosystem is secure. This chapter presents a comprehensive discussion of the concerns associated with Cloud security, describing the best practices currently used in industry. It then presents an in-depth analysis of these issues together with a holistic approach to managing and assessing security risks for different kinds of Cloud ecosystems; the approach supports documentation as well as design tools that can be put in place to monitor security during both the deployment and operation phases. The proposed risk methodology allows better management and mitigation of security threats as they occur during the service lifecycle of any kind of Cloud ecosystem and Cloud service provision.



Acknowledgments

This work has been partially supported by the EU within the seventh framework programme under contract ICT-257115—Optimized Infrastructure Services (OPTIMIS).

Author information

Corresponding author: Mariam Kiran


Copyright information

© 2014 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Kiran, M. (2014). A Methodology for Cloud Security Risks Management. In: Mahmood, Z. (eds) Cloud Computing. Computer Communications and Networks. Springer, Cham. https://doi.org/10.1007/978-3-319-10530-7_4

  • DOI: https://doi.org/10.1007/978-3-319-10530-7_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-10529-1

  • Online ISBN: 978-3-319-10530-7

  • eBook Packages: Computer Science (R0)
