Top

Published in:

2021 | OriginalPaper | Chapter

6. Readiness Exercises: Are Risk Assessment Methodologies Ready for the Cloud?

Authors : Dimitris Gritzalis, George Stergiopoulos, Efstratios Vasilellis, Argiro Anagnostopoulou

Published in: Advances in Core Computer Science-Based Technologies

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Cloud computing is a type of service that allows the use of computing resources from a distance, rather than a new technology. Various services exist on-demand, ranging from data storage and processing to software as a service, like email and developing platforms. Cloud computing enables ubiquitous, on-demand access over the net to a shared pool of configurable resources, like servers, applications, etc. that can be accessed, altered or even restored rapidly with minimal service provider interaction or management effort. Still, due to the vast growth of cloud computing, new security issues have been introduced. Key factors are the loss of control over any outsourced resources and cloud’s computing inherent security vulnerabilities. Managing these risks requires the adoption of an effective risk management method, capable of involving both the Cloud customer and the Cloud Service Provider. Risk assessment methods are common tools amongst IT security consultants for managing the risk of entire companies. Still, traditional risk management methodologies are having trouble managing cloud services. Extending our previous work, the purpose of this paper is to compare and examine whether popular risk management methods and tools (e.g. NIST SP800, EBIOS, MEHARI, OCTAVE, IT-Grundschutz, MAGERIT, CRAMM, HTRA, Risk-Safe Assessment, CORAS) are suitable for cloud computing environments. Specifically, based upon existing literature, this paper points out the essential characteristics that any risk assessment method addressed to cloud computing should incorporate, and suggests three new ones that are more appropriate based on their features.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Didactics for the Development of Mathematical Thinking and the Sense of Academic Agency

next chapter Challenges and Issues in Risk Assessment in Modern Maritime Systems

P.M. Mell, T. Grance, Sp 800-145. The NIST Definition of Cloud Computing (2011)

S.H. Albakri, B. Shanmugam, G.N. Samy, N.B. Idris, A. Ahmed, Traditional security risk assessment methods in cloud computing environment: usability analysis, in Proceedings of the 1st International Conference of Recent Trends in Information and Communication Technologies, Universiti Teknologi Malaysia, Johor, Malaysia (2014), pp. 483–495

D. Gritzalis, G. Iseppi, A. Mylonas, V. Stavrou, Exiting the risk assessment maze: a meta-survey. ACM Comput. Surv. (CSUR) 51(1), 11 (2018)CrossRef

T. Haeberlen, L. Dupré, Cloud computing—benefits, risks and recommendations for information security, in European Network and Information Security Agency (ENISA) (2012)

D. Catteddu, G. Hogben, Cloud computing information assurance framework. Eur. Netw. Inf. Secur. Agency (ENISA) 13, 14 (2009)

SME Cloud Security Tool—ENISA (2019), https://www.enisa.europa.eu/topics/cloud-and-big-data/cloud-security/security-for-smes/sme-guide-tool. Accessed 7 Jan 2019

E. Cayirci, A. Garaga, A. Santana, Y. Roudier, A cloud adoption risk assessment model, in 2014 IEEE/ACM 7th International Conference on Utility and Cloud Computing (UCC) (IEEE, 2014), pp. 908–913

E. Goettelmann, K. Dahman, B. Gateau, E. Dubois, C. Godart, A security risk assessment model for business process deployment in the cloud, in 2014 IEEE International Conference on Services Computing (SCC) (IEEE, 2014), pp. 307–314

P. Saripalli, B. Walters, QUIRC: a quantitative impact and risk assessment framework for cloud security, in 2010 IEEE 3rd International Conference on Cloud Computing (CLOUD) (IEEE, 2010), pp. 280–288

10.

COBIT 2019 Publications & Resources (2019), http://www.isaca.org/COBIT/Pages/COBIT-2019-Publications-Resources.aspx

11.

S. Gadia, Cloud computing: cloud computing risk assessment: a case study. ISACA J. 4, 11 (2011)

12.

G. Stergiopoulos, D. Gritzalis, V. Kouktzoglou, Using formal distributions for threat likelihood estimation in cloud-enabled IT risk assessment. Comput. Netw. 134, 23–45 (2018)CrossRef

13.

S. Taubenberger, J. Jürjens, Y. Yu, B. Nuseibeh, Problem analysis of traditional IT-security risk assessment methods—an experience report from the insurance and auditing domain, in IFIP International Information Security Conference (Springer, Berlin, Heidelberg, 2011), pp. 259–270

14.

Y. Sivasubramanian, A.S. Zubair, P. Ved, Risk assessment for cloud computing. Int. Res. J. Electron. Comput. Eng. 3, 7 (2017). ISSN Online: 2412-4370. https://doi.org/10.24178/irjece.2017.3.2.07

15.

S. Drissi, S. Benhadou, H. Medromi, Evaluation of risk assessment methods regarding cloud computing, in The 5th Conference on Multidisciplinary Design Optimization and Application (2016)

16.

G. Wangen, E. Snekkenes, A taxonomy of challenges in information security risk management, in Proceeding of Norwegian Information Security Conference/Norsk informasjonssikkerhetskonferanse-NISK 2013-Stavanger, 18th–20th November 2013 (Akademika Forlag, 2013)

17.

J.R. Nurse, S. Creese, D. De Roure, Security risk assessment in internet of things systems. IT Prof. 19(5), 20–26 (2017)CrossRef

18.

Glossary (2019), https://www.isaca.org/Pages/Glossary.aspx?tid=1087&char=A. Accessed 7 Jan 2019

19.

NIST Cloud Computing Standards Roadmap Working Group, NIST Cloud Computing Standards Roadmap (2013)

20.

S.H. Albakri, B. Shanmugam, G.N. Samy, N.B. Idris, A. Ahmed, Security risk assessment framework for cloud computing environments. Secur. Commun. Netw. 7(11), 2114–2124 (2014)CrossRef

21.

M. Theoharidou, N. Tsalis, D. Gritzalis, In cloud we trust: Risk-Assessment-as-a-Service, in IFIP International Conference on Trust Management (Springer, Berlin, Heidelberg, 2013), pp. 100–110

22.

OWASP Cloud—10 Project—OWASP (2019), https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project. Accessed 7 Jan 2019

23.

R. Latif, H. Abbas, S. Assar, Q. Ali, Cloud computing risk assessment: a systematic literature review, in Future Information Technology (Springer, Berlin, Heidelberg, 2014), pp. 285–295

24.

S.V. Garde, A. Mudaliar, B. NCHSE, Concurrency Lock Issues in Relational Cloud Computing (2013)

25.

F. Xie, Y. Peng, W. Zhao, D. Chen, X. Wang, X. Huo, A risk management framework for cloud computing, in 2012 IEEE 2nd International Conference on Cloud Computing and Intelligent Systems (CCIS), vol. 1 (IEEE, 2012), pp. 476–480

26.

R. Alosaimi, M. Alnuem, Risk management frameworks for cloud computing: a critical review. Int. J. Comput. Scie. Inf. Technol. 8(4) (2016)

27.

A.B. Ruighaver, M. Warren, A. Ahmad, Does traditional security risk assessment have a future in Information Security? J. Inf. Warf. 10(3), 16-IV (2011)

28.

NIST, S. 800-30, Guide for Conducting Risk Assessments (2012)

29.

M. Iorga, A. Karmel, Managing risk in a cloud ecosystem. IEEE Cloud Comput. 2(6), 51–57 (2015)CrossRef

30.

G. Stergiopoulos, V. Kouktzoglou, M. Theocharidou, D. Gritzalis, A process-based dependency risk analysis methodology for critical infrastructures. Int. J. Crit. Infrastruct. 13(2–3), 184–205 (2017)CrossRef

31.

EBIOS—Risk Management Methodology (2010), http://people.redhat.com/swells/anssi/EBIOS-1-GuideMethodologique-2010-01-25-english.pdf. Accessed 7 Jan 2019

32.

B. Rahmad, S.H. Supangkat, J. Sembiring, K. Surendro, Threat scenario dependency-based model of information security risk analysis. IJCSNS 10(8), 93 (2010)

33.

R.A. Caralli, J.F. Stevens, L.R. Young, W.R. Wilson, Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process (No. CMU/SEI-2007-TR-012) (Carnegie-Mellon University, Software Engineering Institute, Pittsburgh, PA, 2007)

34.

F. Crespo, M. Gómez, J. Candau, J. Mañas, MAGERIT—Version 2 Methodology for Information Systems Risk Analysis and Management. Book (Ministerio de Administraciones Públicas, Madrid, 2006)

35.

J. Viehmann, Reusing risk analysis results—an extension for the CORAS risk analysis method, in 2012 International Conference on Privacy, Security, Risk and Trust (PASSAT) and 2012 International Conference on Social Computing (SocialCom) (IEEE, 2012), pp. 742–751

36.

G. Brændeland, H.E. Dahl, I. Engan, K. Stølen, Using dependent CORAS diagrams to analyse mutual dependency, in International Workshop on Critical Information Infrastructures Security (Springer, Berlin, Heidelberg, 2007), pp. 135–148

37.

R. CSE, Harmonized Threat and Risk Assessment (TRA) Methodology. TRA-1 Date: October 23 (2007)

38.

L. Coles-Kemp, J.W. Bullee, L. Montoya, M. Junger, C. Heath, W. Pieters, L. Wolos, Technology-supported Risk Estimation by Predictive Assessment of Socio-technical Security (2015)

39.

P. Bernard, COBIT® 5-A Management Guide (Van Haren, 2012)

40.

COBIT Control Practices: Guidance to Achieve Control Objective for Successful IT Governance, 2nd Edition (2019), http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/COBIT-Control-Practices-Guidance-to-Achieve-Control-Objective-for-Successful-IT-Governance-2nd-Edition.aspx. Accessed 7 Jan 2019

41.

M. Grall, EBIOS: The Risk Management Toolbox (Club EBIOS, Viroflay, France, 2018), pp. 1–27, https://club-ebios.org/site/wp-content/uploads/productions/EBIOS-GenericApproach-2018-09-05-Approved.pdf

42.

Agence nationale de la sécurité des systèmes d’information (ANSSI), Fiches méthodes (2018), p. 43, https://www.ssi.gouv.fr/uploads/2018/10/fiches-methodes-ebios_projet.pdf

43.

Agence nationale de la sécurité des systèmes d’information (ANSSI), Prestataires de services d’informatique en nuage (SecNumCloud)—référentiel d’exigences (2018), https://www.ssi.gouv.fr/uploads/2014/12/secnumcloud_referentiel_v3.1_anssi.pdf

44.

Agence nationale de la sécurité des systèmes d’information (ANSSI), Etude De Cas: Securite D’un Service Du Cloud (2011), https://julienlhonore.files.wordpress.com/2013/02/logiciel-ebios-etudedecassc3a9curitc3a9servicecloud-2011-07-e280a6.pdf

45.

Mehari—ENISA, https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_mehari.html

46.

D.F.C. Velasco, J.E.F. Quinayás, S.A. Donado, Adaptación De La Metodología Mehari A La Fase De Planeación De Un Sgsi Para Un Procedimiento De Estudio Propuesto/Adaptation of the Mehari methodology to the planning phase of an ISMS for a proposed study procedure. Rev. Teckne 14(1) (2017)

47.

Mehari 2007—Security Stakes Analysis and Classification Guide, Club de la Sécurité de l’Information Français (CLUSIF) (2007)

48.

M. Masky, S.S. Young, T.Y. Choe, A novel risk identification framework for cloud computing security, in 2015 2nd International Conference on Information Science and Security (ICISS) (IEEE, 2015), pp. 1–4

49.

G. Wangen, C. Hallstensen, E. Snekkenes, A framework for estimating information security risk assessment method completeness. Int. J. Inf. Secur. 1–19 (2016)

50.

Federal Office for Information Security, Secure Use of Cloud Services. Bonn, Germany, pp. 1–23, https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/CloudComputing/SecureUseOfCloudServices/SecureUseOfCloudServices.pdf?__blob=publicationFile&v=6

51.

Federal Office for Information Security, IT-Grundschutz Catalogues. Bonn, Germany (2016), pp. 132–136, https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/International/GSK_15_EL_EN_Draft.pdf?__blob=publicationFile&v=2

52.

K.V.D. Kiran, L.S.S. Reddy, N.L. Haritha, A comparative analysis on risk assessment information security models. Int. J. Comput. Appl. 82(9) (2013)

53.

EAR—Tools—versions, https://www.pilar-tools.com/download/stable_en.html

54.

PILAR—Manual de Usuario (6.2) (2016), https://www.pilar-tools.com/doc/v62/manual_std_risk_es_2016-08-21.pdf

55.

MAGERIT v. 3: Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información (2012)

56.

RiskSafe Assessment—ENISA, https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_risksafe-assessment

57.

A.U. Khan, M. Oriol, M. Kiran, M. Jiang, K. Djemame, Security risks and their management in cloud computing, in 2012 IEEE 4th International Conference on Cloud Computing Technology and Science (CloudCom) (IEEE, 2012), pp. 121–128

58.

Information Risk Analysis Methodology, IRAM, https://www.securityforum.org/iram#iramtva

59.

ISACA, Information Systems Audit, & Control Association, IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud. ISACA (2011)

60.

G. Stergiopoulos, P. Kotzanikolaou, M. Theocharidou, D. Gritzalis, CIDA: Critical Infrastructure Dependency Analysis Tool, Information Security and Critical Infrastructure Protection Laboratory, Department of Informatics, Athens University of Economics and Business, Athens, Greece (2014), http://github.com/geostergiop/CIDA

61.

S. Drissi, H. Medromi, A new risk assessment approach for cloud consumer. J. Commun. Comput. 11, 52–58 (2014)

Title: Readiness Exercises: Are Risk Assessment Methodologies Ready for the Cloud?
Authors: Dimitris Gritzalis
George Stergiopoulos
Efstratios Vasilellis
Argiro Anagnostopoulou
Publisher: Springer International Publishing
Book: Advances in Core Computer Science-Based Technologies
Print ISBN: 978-3-030-41195-4

Electronic ISBN: 978-3-030-41196-1

Copyright Year: 2021
DOI: https://doi.org/10.1007/978-3-030-41196-1_6

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partners