Risk and Compliance Management for Cloud Computing Services: Designing a Reference Model

More and more companies are making use of Cloud Computing Services in order to reduce costs and to increase theflexibility of their IT infrastructures. Currently, the focus is shifting towards problems of risk and compliance which includeas well the realm of Cloud Computing security. For instance, since the storage locations of data may shift or remain unknownto the user, the problem of the applicable jurisdiction arises and impede the adoption and management of Cloud ComputingServices. Therefore, companies need new methods to avoid being fined for compliance violations, to manage risk factors aswell as to manage processes and decision rights. This paper presents a reference model that serves to support companies inmanaging and reducing risk and compliance efforts. We developed the model on the solid basis of a systematic literaturereview and practical requirements by analyzing Cloud Computing Service offers

The new cloud computing paradigm: the way to IT seen as a utility

In the present competitive environment, companies are wondering how to reduce their IT costs while increasing their efficiency and agility to react when changes in the business processes are required. Cloud Computing is the latest paradigm to optimize the use of IT resources considering ?everything as a service? and receiving these services from the Cloud (Internet) instead of owning and managing hardware and software assets. The benefits from the model are clear. However, there are also concerns and issues to be solved before Cloud Computing spreads across the different industries. This model will allow a pay-per-use model for the IT services and many benefits like cost savings, agility to react when business demands changes and simplicity because there will not be any infrastructure to operate and administrate. It will be comparable to the well known utilities like electricity, water or gas companies. However, this paper underlines several risk factors of the model. Leading technology companies should research on solutions to minimize the risks described in this article. Keywords - Cloud Computing, Utility Computing, Elastic Computing, Enterprise Agilit

Organisational sustainability modelling - An emerging service and analytics model for evaluating Cloud Computing adoption with two case studies

© 2015 Elsevier Ltd. Cloud Computing is an emerging technology which promises to bring with it great benefits to all types of computing activities including business support. However, the full commitment to Cloud Computing necessary to gain the full benefit is a major project for any organisation, since it necessitates adoption of new business processes and attitudes to computing services in addition to the immediately obvious systems changes. Hence the evaluation of a Cloud Computing project needs to consider the balance of benefits and risks to the organisation in the full context of the environment in which it operates; it is not sufficient or appropriate to examine technical considerations alone.In this paper, we consider the application of CAPM, a well established approach used for the analysis of risks and benefits of commercial projects to Cloud adoption projects and propose a revised and improved technique, OSM. To support the validity of OSM, two full case studies are presented. In the first, we describe an application of the approach to the iSolutions Group at University of Southampton, which focuses on evaluations of Cloud Computing service improvement. We then illustrate the use of OSM for measuring learning satisfaction of two cohort groups at the University of Greenwich. The results confirm the advantages of using OSM. We conclude that OSM can analyse the risk and return status of Cloud Computing services and help organisations that adopt Cloud Computing to evaluate and review their Cloud Computing projects and services. OSM is an emerging service and analytics model supported by several case studies

The second international workshop on enterprise security

Welcome to our second international workshop on Enterprise Security as part of CloudCom 2015, Vancouver, Canada, November 30-December 3, 2015. The first international workshop held in Singapore has been a major success since then we have achieved greater team activities, research, and international collaborations as the major and significant outcome of our first workshop on this topic. Enterprise Security involves all business, products, governments, organization, and their contractors. This also includes research areas of information security, software security, computer security, cloud security, IoT security, data and big data security. This workshop provides a significant contribution from experts on some of the following key research areas:* Incident response Systems Security - This involves many organisations are outsourcing computer operations to third parties, and the next logical step is to outsource management of computer security incidents as well.* Cloud Security Assurance Model - Defining proper measures for evaluating the effectiveness of an assurance model, which we have developed to ensure cloud security, is vital to ensure the successful implementation and continued running of the model. We need to understand that with security being such an essential component of business processes, responsibility must lie with the board.* Cloud Security - The development of cloud computing and the vast use of its services poses significant security and privacy concerns to the people and the organizations relying on these services. Diversification and obfuscation approaches are of the most promising proactive techniques that protect computers from harmful malware, by preventing them to take advantage of the security vulnerabilities. Mission critical applications are limited in the cloud as it has various security issues. As the data size are being increased gradually and the difficulty in storing, retrieving and managing data makes the application to move into cloud.* Cloud Forensics & Cryptanalysis and Enhancement - Password based authentication has been used extensively as a one of the most appropriate authentication techniques.* Validating technology and BI Techniques – This is useful for organizations to understand their status with return and risk. They can evaluate their security policies and technologies regularly.* Risk Analysis and Big Data – This is increasingly important for organizations since they deal with growing amount of data, dependency and complexity. Risk analysis can be applied to many areas related or outside cloud computing.We are pleased to receive 24 papers from researchers of 12 different countries. After the vigorous review process and careful considerations, 11 papers have been selected, with 5 full papers and 6 short papers. We have offered two prize awards. One award is to award the best paper in the information system category. The other award is to award the best paper in the computational category. Each winner can be invited to International Journal of Information Management (IJIM) and Future Generation Computer Systems (FGCS). Another good news we have is that extended version of conference papers and other security/risk researchers can contribute to our Springer book scheduled to call for papers after our workshop. We are honoured to have Dr. Konstantin Beznosov to be our keynote speaker.Enterprise Security has been a popular topic since it includes cyber security, risk management, information security, Cloud and Forensic security, risk analysis and Big Data. It is an area that can make theory into practice and allow any organizations that adopt our recommendations to enjoy the benefits of enforced Enterprise Security. The outputs of our workshop can provide organizations with several useful recommendations, proofs-of-concepts and demonstrations to improve current security and risk practices.We hope the second international workshop will foster collaborations of projects, research publications and funding opportunities at the international setting in Vancouver, Canada.Workshop Organizing Committee would like to thank CloudCom organizers for their fullest support

Managing IT Operations in a Cloud-driven Enterprise: Case Studies

Enterprise IT needs a new approach to manage processes, applications and infrastructure which are distributed across a mix of environments. In an Enterprise traditionally a request to deliver an application to business could take weeks or months due to decision-making functions, multiple approval bodies and processes that exist within IT departments. These delays in delivering a requested service can lead to dissatisfaction, with the result that the line-of-business group may seek alternative sources of IT capabilities. Also the complex IT infrastructure of these enterprises cannot keep up with the demand of new applications and services from an increasingly dispersed and mobile workforce which results in slower rollout of critical applications and services, limited resources, poor operation visibility and control. In such scenarios, it’s better to adopt cloud services to substitute for new application deployment otherwise most Enterprise IT organizations face the risk of losing 'market share' to the Public Cloud. Using Cloud Model the organizations should increase ROI, lower TCO and operate with seamless IT operations. It also helps to beat shadow IT and the practice of resource over-or under provisioning. In this research paper we have given two case studies where we migrated two Enterprise IT application to public clouds for the purpose of lower TCO and higher ROI. By migrating, the IT organizations improved IT agility, enterprise-class software for performance, security and control. In this paper, we also focus on the advantages and challenges while adopting cloud services

Towards business integration as a service 2.0 (BIaaS 2.0)

Cloud Computing Business Framework (CCBF) is a framework for designing and implementation of Could Computing solutions. This proposal focuses on how CCBF can help to address linkage in Cloud Computing implementations. This leads to the development of Business Integration as a Service 1.0 (BIaaS 1.0) allowing different services, roles and functionalities to work together in a linkage-oriented framework where the outcome of one service can be input to another, without the need to translate between domains or languages. BIaaS 2.0 aims to allow automation, enhanced security, advanced risk modelling and improved collaboration between processes in BIaaS 1.0. The benefits from adopting BIaaS 1.0 and developing BIaaS 2.0 are illustrated using a case study from the University of Southampton and several collaborators including IBM US. BIaaS 2.0 can work with mainstream technologies such as scientific workflows, and the proposal and demonstration of BIaaS 2.0 will be aimed to certainly benefit industry and academia. © 2011 IEEE

Towards Business Integration as a Service 2.0

Cloud Computing Business Framework (CCBF) is a framework for designing and implementation of Could Computing solutions. This proposal focuses on how CCBF can help to address linkage in Cloud Computing implementations. This leads to the development of Business Integration as a Service 1.0 (BIaS 1.0) allowing different services, roles and functionalities to work together in a linkage-oriented framework where the outcome of one service can be input to another, without the need to translate between domains or languages. BIaS 2.0 aims to allow full automation, enhanced security, advanced risk modelling and improved collaboration between processes in BIaaS 1.0. The benefits from adopting BIaS 1.0 and developing BIaS 2.0 are illustrated using a case study from the University of Southampton and several collaborators including IBM US. BIaS 2.0 can work with mainstream technologies such as scientific workflows, and the proposal and demonstration of BIaaS 2.0 will certainly benefit industry and academia

Probabilistic analysis of security attacks in cloud environment using hidden Markov models

© 2020 John Wiley & Sons, Ltd. The rapidly growing cloud computing paradigm provides a cost-effective platform for storing, sharing, and delivering data and computation through internet connectivity. However, one of the biggest barriers for massive cloud adoption is the growing cybersecurity threats/risks that influence its confidence and feasibility. Existing threat models for clouds may not be able to capture complex attacks. For example, an attacker may combine multiple security vulnerabilities into an intelligent, persistent, and sequence of attack behaviors that will continuously act to compromise the target on clouds. Hence, new models for detection of complex and diversified network attacks are needed. In this article, we introduce an effective threat modeling approach that has the ability to predict and detect the probability of occurrence of various security threats and attacks within the cloud environment using hidden Markov models (HMMs). The HMM is a powerful statistical analysis technique and is used to create a probability matrix based on the sensitivity of the data and possible system components that can be attacked. In addition, the HMM is used to provide supplemental information to discover a trend attack pattern from the implicit (or hidden) raw data. The proposed model is trained to identify anomalous sequences or threats so that accurate and up-to-date information on risk exposure of cloud-hosted services are properly detected. The proposed model would act as an underlying framework and a guiding tool for cloud systems security experts and administrators to secure processes and services over the cloud. The performance evaluation shows the effectiveness of the proposed approach to find attack probability and the number of correctly detected attacks in the presence of multiple attack scenarios

Determining Training Needs for Cloud Infrastructure Investigations using I-STRIDE

As more businesses and users adopt cloud computing services, security vulnerabilities will be increasingly found and exploited. There are many technological and political challenges where investigation of potentially criminal incidents in the cloud are concerned. Security experts, however, must still be able to acquire and analyze data in a methodical, rigorous and forensically sound manner. This work applies the STRIDE asset-based risk assessment method to cloud computing infrastructure for the purpose of identifying and assessing an organization's ability to respond to and investigate breaches in cloud computing environments. An extension to the STRIDE risk assessment model is proposed to help organizations quickly respond to incidents while ensuring acquisition and integrity of the largest amount of digital evidence possible. Further, the proposed model allows organizations to assess the needs and capacity of their incident responders before an incident occurs.Comment: 13 pages, 3 figures, 3 tables, 5th International Conference on Digital Forensics and Cyber Crime; Digital Forensics and Cyber Crime, pp. 223-236, 201