11 research outputs found

    Toward business-driven risk management for cloud computing

    The Cloud computing paradigm is offering an innovative and promising vision concerning the Information and Communications Technology (ICT). Notwithstanding, the use of Cloud resources, which usually are external assets to their consumers, implies risk issues that must be taken into account. In this paper, we present a Cloud computing risk management approach aware of the Business-Level Objectives (BLOs) of a given Cloud organization. More to the point, we propose an innovatory SEmi-quantitative BLO-driven Cloud Risk Assessment (SEBCRA) as its core subprocess. In addition, we present, as a use case, a Cloud Service Provider (CSP) that is able to improve the achievement of a BLO, i.e. profit maximization, by managing, assessing, and treating Cloud risks. As demonstrated in the experimentation, this provider maximizes its profit by transferring risks of provisioning its private Cloud to third-party providers of Cloud infrastructures. Postprint (published version)

    Traditional security risk assessment methods in cloud computing environment: usability analysis

    The term "Cloud Computing" has become very common in our daily life. Cloud computing has emerged with promises to decrease the cost of computing implementation and deliver computing as a service, where clients pay only for what they need and use. However, due to the new structure of the cloud computing model, several security concerns have been raised and many other security threats have needed to be reevaluated according to the cloud structure. Besides, the traditional security risk assessment methods become unfit for the cloud computing model due to its new distinguishing characteristics. In this paper, we analyze the ability to assess the security risks in cloud computing environments

    Cloud Security Risk Management: A Critical Review

    Cloud computing has created a remarkable paradigm shift in the IT industry and brought several advantages such as on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. These advantages enabled cloud to have significant impact on different sectors of smart cities. However, cloud adoption has increased the sophistication of the ever-changing security risks which frustrate enterprises on expanding their on-premises infrastructure towards cloud horizons. These risks have the potential of being a major concern for smart cities due to the increasing impact of cloud on them. Managing these security risks requires adopting an effective risk management method which involves both the cloud service provider and the customer. The risk management frameworks currently applied to manage enterprise IT risks do not readily fit the cloud environment and the dynamic nature of clouds, which are characterized by on-demand self-service and rapid elasticity. Therefore, researchers have proposed different cloud security risk management methods and frameworks. This paper critically reviews these risk management methods and frameworks. In addition, it conducts critical analysis on two of them using qualitative content analysis technique, and evaluates their effectiveness for assessing and mitigating cloud security risks

    Risk-driven proactive fault-tolerant operation of IaaS providers

    In order to improve service execution in Clouds, the management of Cloud Infrastructure has to take measures to adhere to Service Level Agreements and Business Level Objectives, from the application layer through to how services are supported at the lowest hardware levels. In this paper a risk model methodology and holistic management approach is developed specific to the operation of the Cloud Infrastructure Provider and is applied through improvements to SLA fault tolerance in Cloud Infrastructure. Risk assessments are used to analyse execution specific data from the Cloud Infrastructure and linked to a business driven holistic management component that is part of a Cloud Manager. Initial results show improved eco-efficiency, virtual machine availability and reductions in SLA failure across the whole Cloud infrastructure by applying our combined risk-based fault tolerance approach. Postprint (author’s final draft)

    Cloud Computing: Challenges And Risk Management Framework

    Cloud-computing technology has developed rapidly. It can be found in a wide range of social, business and computing applications. Cloud computing would change the Internet into a new computing and collaborative platform. It is a business model that achieves purchase on-demand and pay-per-use in network. Many competitors, organizations and companies in the industry have jumped into cloud computing and implemented it. Cloud computing provides us with things such as convenience, reduced cost and high scalability. But despite all of these advantages, there are many enterprises, individual users and organizations that still have not deployed this innovative technology. Several reasons lead to this problem; however, the main concerns are related to security, privacy and trust. Low trust between users and cloud computing providers has been found in the literature

    Migration goals and risk management in cloud computing: A review of state of the art and survey results on practitioners

    Organizations are now seriously considering adopting cloud into the existing business context, but migrating data, application and services into cloud doesn’t come without substantial risks. These risks are the significant barriers for the wider cloud adoption. Cloud computing has obtained a lot of attention by both research and industry communities in recent years. There are works that consolidate the existing work on cloud migration and technology. However, there is no secondary study that consolidates the state of the art research and existing practice on risk management in cloud computing. This makes it difficult to understand the risk management trend, maturity, and research gaps. This paper investigates the state of the art research and practices relating to risk management in cloud computing and discusses survey results on migration goals and risks. The survey participants are practitioners from both public and private organizations of two different locations, i.e., UK and Malaysia. We identify and classify the relevant literature and systematically compare the existing works and survey results. The results show that most of the existing works do not consider the existing organization and business context for the risk assessment and only emphasize security and privacy risks. Our study results also reveal that risk management in cloud computing research and practice is still not in a mature stage but gradually advancing. Our observation emphasizes the necessity of a comprehensive risk management framework to support the migration decision and to monitor the risks after migration. Finally, we propose a risk assessment approach based on the six prioritized cloud migration goals using analytic hierarchy process and determine the relative importance of these migration goals from two real migration use cases

    Cloud outsourcing: Theoretical & practical evidence of cloud governance strategies by financial institutions in Europe, the United States and Canada

    This study examined the risk and governance challenges experienced by financial institutions that outsource cloud technologies. Cloud outsourcing prompts a new way of working and fosters an environment in which technology and data are shared across groups and are housed in regional hubs, according to global standards that are influenced by various countries’ policies. Therefore, to effectively manage the cloud, institutions need a thorough understanding of the applicable laws governing the cloud relationship and those that influence the internal control environment. The study explains that, conceptually, the framework nature of cloud contracts and flexibility of the regulation makes it especially difficult for institutions to efficiently manage risks. A real case study on a cloud outsourcing transaction and survey data from financial institution experts were used to study expert perceptions on the severity of various types of cloud risks and the effectiveness of institutional risk management approaches. These findings were also confirmed in a comparative institutional study, where similarities were found in the risk and governance concerns of experts working at 13 different institutions in the United States, Europe, and Canada. Through this investigation, it was found that efficient governance can be more difficult for institutions that comply with US regulations owing to considerable differences in state policies on data privacy. Finally, this study examined how uncertainties in the evaluation of data breaches and network failures become visible in other internal practices, such as cloud risk assessments. A series of cloud risk experiments was created and distributed to 131 cloud risk experts working at financial institutions in the EU and the US to compare whether their risk assessments would differ significantly. 
The results show that the lack of specification in the regulations and experience of cloud experts can contribute to considerable differences in their risk and disclosure choices. In practice, most experts face significant challenges in assessing the severity of cloud risk events, which have broader implications for enterprise risk management. The results suggest that internal governance continues to be a challenge for firms as they outsource cloud technologies. The knowledge derived from this Ph.D. is useful, as it shows that institutions can benefit if they prioritize the evaluation of liability provisions in their cloud contracts, especially in cases where cloud risk events are a consequence of third-party risks. The findings also establish that internal governance is necessary to reduce the spillover effects of cloud contracts and that institutions can devise sufficient governance structures by implementing data policies and mechanisms that promote cooperation and coordination to oversee data management responsibilities.

    Cloud adoption: a goal-oriented requirements engineering approach

    The enormous potential of cloud computing for improved and cost-effective service has generated unprecedented interest in its adoption. However, a potential cloud user faces numerous risks regarding service requirements, cost implications of failure and uncertainty about cloud providers’ ability to meet service level agreements. These risks hinder the adoption of cloud computing. We motivate the need for a new requirements engineering methodology for systematically helping businesses and users to adopt cloud services and for mitigating risks in such transition. The methodology is grounded in goal-oriented approaches for requirements engineering. We argue that Goal-Oriented Requirements Engineering (GORE) is a promising paradigm to adopt for goals that are generic and flexible statements of users’ requirements, which could be refined, elaborated, negotiated, mitigated for risks and analysed for economics considerations. The methodology can be used by small to large scale organisations to inform crucial decisions related to cloud adoption. We propose a risk management framework based on the principle of GORE. In this approach, we liken risks to obstacles encountered while realising cloud user goals, therefore proposing cloud-specific obstacle resolution tactics for mitigating identified risks. The proposed framework shows benefits by providing a principled engineering approach to cloud adoption and empowering stakeholders with tactics for resolving risks when adopting the cloud. We extend the work on GORE and obstacles for informing the adoption process. We argue that obstacles’ prioritisation and their resolution is core to mitigating risks in the adoption process. We propose a novel systematic method for prioritising obstacles and their resolution tactics using Analytical Hierarchy Process (AHP). To assess the AHP choice of the resolution tactics we support the method by stability and sensitivity analysis