
Dr Kim Kwang Raymond Choo

Sandeep Kaur Sidhu, Student ID 110075823

[email protected]

1. Introduction
2. Research Objectives
3. Literature Review
4. Research Questions
5. Research Methodology
6. Findings
7. Contribution
8. References


Cloud computing offers many business benefits but also carries multiple IT risks (Doherty, Carcary, and Conway, 2012).

The key challenge is a standard, legally enforceable risk management framework that incorporates all service providers and tenants (ENISA, 2010).

There is no standardised risk management framework for regulatory compliance (IET, 2012).

The recommendations have not been standardised by regulatory authorities (IET, 2012).


In 2014, ISO 27012 will be authorized (Rittinghouse and Ransome, 2010).

NIST SP 800-144 is not yet adequately supported by implementation procedures that would let cloud providers adopt a standardised framework for managing clouds.

The main concern is that cloud service providers need to find ways of using the existing standards for IT risk management.


Objective 1: To study the IT risk exposures of businesses using cloud computing resources.

Objective 2: To explore the NIST SP 800-144, COSO, and Risk IT standards and the existing theories complementing their recommendations.

Objective 3: To analyse how these standards can help SMEs that depend on cloud-hosted resources for running their businesses to manage IT risks.


Risk management in IT is concerned with protecting IT assets that are exposed to numerous threats. It comprises risk identification, risk assessment and risk management (Ozkan and Karabacak, 2010; Humphreys, Moses and Plate, 1998).

This research is concerned with IT risk management challenges in cloud computing and the practical implementation of the NIST SP 800-144 standard, which is specifically designed for risk management in the cloud.


ISO 27001 - comprises establishing, operating, reviewing and improving an information security management system (BSI, 2005).

ISO 27005 and NIST 800-30 - comprise risk identification, risk assessment, risk prioritisation, risk treatment, and application of controls (BSI, 2008; NIST, 2001).

ISACA's Risk IT - comprises risk governance, risk evaluation and risk response (ISACA, 2009).

COSO - based on risk appetite and the risk management philosophy of the organisation at all levels; the rest of the model has been taken from NIST 800-30 and ISO 27005 (COSO, 2004).


The frameworks chosen for integration with the NIST SP 800-144 framework are COSO and ISACA's Risk IT risk management framework because:

Sufficient references are available on these standards for establishing a theoretical foundation.

Both standards focus on organisation-wide risk views, giving a broader picture of IT and related risks.

NIST SP 800-144 has a recommended model for managing risk in cloud computing. Hence, the three models are expected to synergise effectively.


| Service model | Description | Users | Examples |
|---|---|---|---|
| Software as a service (SaaS) | On-demand access to any application | Users | Dropbox, Google Apps |
| Platform as a service (PaaS) | Platform for building and delivering web applications | Developers | Google App Engine |
| Infrastructure as a service (IaaS) | Virtualised machine infrastructure | System administrators | Amazon Web Services |

(Badger et al., 2011)

Security risk and IT risk management in cloud computing

Virtualisation (Jansen and Grance, 2011)

Web services security risk (Jansen and Grance, 2011)

Auditing and forensics (Chen et al., 2013)


1. What are the IT risk exposures of businesses that use cloud-hosted resources for running their business processes?

2. How could the NIST SP 800-144 standard be supported by the COSO and Risk IT standards and the existing theories complementing their recommendations?

3. How can the NIST SP 800-144, COSO, and Risk IT standards help SMEs dependent upon cloud-hosted resources in managing their IT risks?


It is a combination of an interpretive philosophy, an inductive approach and a qualitative methodology.

Research method: archival study - studied published documents on NIST SP 800-144, COSO, and ISACA's Risk IT, and related research studies.


The identities of business users may be stolen by eavesdroppers, so that their privileges can be misused.

Attackers may use exploits on the Internet to target vulnerabilities in applications and the underlying platforms.

All the threats present at the network layer in self-hosted IT systems also exist in the cloud, because the components used to build cloud LANs and WANs are similar to those of traditional self-hosted networks.

Sources: Tripathi and Mishra (2011), Jansen and Grance (2011), Jing and Jian-Jun (2010), Sabahi (2011), and Jansen (2011)


Virtualisation results in data being spread over a number of servers installed at multiple physical locations. In global clouds, data may even cross national boundaries.

Cloud security controls are not yet standardised.

Cloud vendors may tend to lock in tenants' services, making it difficult for tenants to change service providers when the service is unsatisfactory.

Current IT risk management practices for cloud computing are inadequate.

Sources: Zhou et al., (2010), Zhang et al. (2010), and Sabahi (2011)


Existing technologies for technical auditing and forensic analysis may not be effective on cloud platforms.

Users do not get control over their virtual computing and storage environments because these are virtualised and allocated from a large-scale pool.

Additional threats may arise in a shared virtualised environment with multi-tenancy.

Sources: Pearson and Benameur (2010), Jansen (2011), Jansen and Grance (2011)


| NIST SP 800-144 | COSO | Risk IT |
|---|---|---|
| Controls on policies and procedures for IT services acquisition, operations, and enhancement | Risk appetite, risk tolerance, monitoring and updating of risk controls, related roles, and communications | Integrate IT risks with enterprise risk management, and make risk-aware decisions |
| Compliance with laws and regulations pertaining to data location, data proliferation and electronic discovery | Internal accountability, risk-awareness culture, mapping of unit risks to company policies and procedures as per the compliance needs of the business | Compliance checklists and audits, development of IT risk scenarios and roles, response to risks, and prioritisation of risk mitigation |

Jansen and Grance (2011); ISACA (2009); COSO (2004)

| NIST SP 800-144 | COSO | Risk IT |
|---|---|---|
| Trustworthy computing architecture pertaining to the issues of attack surface, virtual network protection, and client-side protection | Determine, map and break up risk tolerances into departmental risk thresholds, identify and measure events against tolerance levels, and use advanced techniques | IT risk assessment, IT risk tolerance levels, IT risk indicators, development of IT risk scenarios, IT risk monitoring, IT risk registry, preventive controls, and response priorities |
| Identity and access management and protection; isolation of user areas in multi-tenancy environments; data protection; availability of services | Risk indicators, track loss events, identify and categorise events, establish interrelationships between risk metrics, assess residual risks, choose response strategies, apply controls | Identify IT risk scenarios, monitor IT risks, identify incidents, initiate and maintain incident response plans against risk scenarios, and communicate lessons learnt from risk events |

Jansen and Grance (2011); ISACA (2009); COSO (2004)
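The COSO and Risk IT columns above (risk tolerance levels broken down into departmental thresholds, a risk registry, residual risk and the choice of a response strategy) describe a scoring procedure without showing it. The following Python is an added example, not part of the presentation or of any of the cited standards: it keeps a small register of cloud risk scenarios scored on 1..5 likelihood and impact scales, derives a residual score after controls, compares it with the owning unit's threshold and maps the result to one of COSO's four response types (avoid, reduce, share, accept). Every scenario, control effectiveness value and threshold is constructed for illustration; the scenarios only mirror the threat classes the slides list (credential theft by eavesdropping, application exploits, data crossing borders, multi-tenancy isolation, dependence on a single provider).

```python
"""Risk register with departmental tolerance thresholds (added example).

Constructed for illustration; not the presentation's own material and not
an implementation of any cited standard.  Scales, control effectiveness
values and thresholds are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of the remaining risk removed, 0.0 .. 1.0


@dataclass
class RiskScenario:
    rid: str
    description: str
    owner: str                    # unit that owns the risk and its threshold
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe)
    controls: list[Control] = field(default_factory=list)

    def inherent(self) -> int:
        """Inherent risk score before any control is applied (1..25)."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Residual risk: each control removes a fraction of what is left."""
        score = float(self.inherent())
        for control in self.controls:
            score *= 1.0 - control.effectiveness
        return round(score, 2)


# Residual score above which the unit may no longer simply accept the risk.
# Constructed values; a real register derives them from the enterprise risk
# appetite broken down per department, as the COSO column describes.
TOLERANCE = {"Finance": 6.0, "Engineering": 9.0, "Sales": 12.0}


def choose_response(scenario: RiskScenario, tolerance: dict[str, float]) -> str:
    """Constructed decision rule mapping residual risk to a COSO response."""
    residual = scenario.residual()
    if residual <= tolerance[scenario.owner]:
        return "accept"
    if residual >= 20:
        return "avoid"      # too severe to keep running on this service
    if scenario.impact >= 4:
        return "share"      # transfer part of it via contract, SLA or insurance
    return "reduce"         # add or strengthen preventive controls


def prioritise(register: list[RiskScenario], tolerance: dict[str, float]):
    """Rank scenarios by how far residual risk exceeds the owner's tolerance."""
    ranked = sorted(
        register,
        key=lambda s: s.residual() / tolerance[s.owner],
        reverse=True,
    )
    return [(s.rid, s.residual(), choose_response(s, tolerance)) for s in ranked]


# Constructed register mirroring the threat classes listed in the slides.
REGISTER = [
    RiskScenario("R1", "Credential theft by eavesdropping on user sessions",
                 "Finance", likelihood=3, impact=5,
                 controls=[Control("TLS on all client connections", 0.7),
                           Control("Multi-factor authentication", 0.5)]),
    RiskScenario("R2", "Exploitation of an unpatched web application",
                 "Engineering", likelihood=5, impact=3),
    RiskScenario("R3", "Tenant data replicated across national boundaries",
                 "Finance", likelihood=4, impact=4,
                 controls=[Control("Contractual data-residency clause", 0.5)]),
    RiskScenario("R4", "Isolation failure between tenants on shared hosts",
                 "Sales", likelihood=2, impact=5),
    RiskScenario("R5", "Outage of the single cloud provider hosting all services",
                 "Engineering", likelihood=5, impact=5),
]


if __name__ == "__main__":
    for rid, residual, response in prioritise(REGISTER, TOLERANCE):
        print(f"{rid}: residual={residual:5.2f} response={response}")
```

Running the block ranks R5 first (an uncontrolled single-provider dependency lands on "avoid", which is the case the later slide on spreading tenants across multiple cloud services addresses), R2 as "reduce", R3 as "share" and leaves R1 and R4 within their units' thresholds. The multiplicative treatment of controls is a modelling choice: it prevents two partial controls from summing to more than 100% and keeps the residual score on the same 1..25 scale as the inherent score.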

| NIST SP 800-144 | COSO | Risk IT |
|---|---|---|
| Principles of fair information practices for clients | Same as trustworthy computing architecture | A combination of controls in contractual obligations / outsourcing, and data protection |
| Security resources management and monitoring | No specific controls mentioned; however, controls identified for trustworthy computing may apply | Same as trustworthy computing controls |
| Secure systems configurations and managing security patches | Identity and access management protection | Trustworthy computing controls |
| Developing security-related competencies | Risk management committee with the desired competencies for identifying, assessing and managing risks | Build and allocate adequate resources for IT risk management, implement inventory controls, and communications |

Jansen and Grance (2011); ISACA (2009); COSO (2004)

Document and integrate security requirements in the overall requirement specifications.

Analyse in detail the bare-minimum and desirable expectations and how these specifications can be met.

Assess multiple cloud providers and shortlist the ones that match the expectations as closely as possible.

Initiate negotiations and contractual procedures.

Agree security and risk management roles, checklists, and accountabilities.

Implement services on one or more clouds after buying their subscriptions.

(Chen and Yoon, 2010; Mukhin and Volokyta, 2011; Jansen and Grance, 2011)

Build tolerance against risk scenarios by using multiple cloud services (for example, multiple data stores, multiple e-mail domains, and multiple application instances) and dividing tenants among them.

Prefer a phased rollout.

Test and compare performance.

Report performance measurement results to the respective cloud contacts.

Agree very clearly on commissioning and decommissioning terms and procedures.

Agree on data cleaning procedures and guarantees.

(Chen and Yoon, 2010; Mukhin and Volokyta, 2011; Jansen and Grance, 2011)


Identified and reviewed the literature presenting recommendations on controls useful for augmenting the recommendations of the NIST SP 800-144 standard.

Presents a consolidated view of such controls.

Presents an actionable framework that can be tested and adopted in real world environments.

Badger, L., Bohn, R., Chu, S., Hogan, M., Liu, F., Kaufmann, V., Mao, J., Messina, J., Mills, K., Sokol, A., Tong, J., Whiteside, F. and Leaf, D. (2011). "U.S. Government cloud computing technology roadmap – Volume II", Special Publication 500-293, NIST (U.S. Department of Commerce): p. 6-76.

Chen, Z., Han, F., Cao, J., Jiang, X., and Chen, S. (2013). "Cloud Computing-Based Forensic Analysis for Collaborative Network Security Management System", IEEE Computer Society: p. 40-50.

Doherty, E., Carcary, M., and Conway, G. (2012). "Risk Management Considerations in Cloud Computing Adoption", Innovation Value Institute (IVI): p. 2-7.

ENISA (2010). "Cloud computing: benefits, risks and recommendations for information security", European Network and Information Security Agency: p. 1-6.

COSO (2004). "Enterprise Risk Management – Integrated Framework: application techniques", Committee of Sponsoring Organizations of the Treadway Commission: p. 2-112.

IET (2012). "Cloud Computing - The Security Challenge", fact file, The Institution of Engineering and Technology: p. 1-8, Theiet.org/factfiles [Accessed: 14 August 2013].

BSI (2005). "Information Technology — Security Techniques — Information Security Management System", International Standard BS ISO/IEC 27001:2005, British Standards Institution: p. 7-35.

BSI (2008). "Information Technology — Security Techniques — Information Security Risk Management", International Standard BS ISO/IEC 27005:2008, British Standards Institution: p. 9-27.

Jansen, W. A. and Grance, T. (2011). "Guidelines on Security and Privacy in Public Cloud Computing", NIST Special Publication 800-144, National Institute of Standards and Technology, U.S. Department of Commerce: p. 4-88.

Jansen, W. A. (2011). "Cloud Hooks: Security and Privacy Issues in Cloud Computing", IEEE: p. 1-10.

Jing, X. and Jian-Jun, Z. (2010). "A Brief Survey on the Security Model of Cloud Computing", IEEE Computer Society: p. 475-478.

Mukhin, V. and Volokyta, A. (2011). "Security Risk Analysis for Cloud Computing Systems", in the 6th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, 15-17 September 2011, Prague, Czech Republic, IEEE: p. 737-742.

Ozkan, S. and Karabacak, B. (2010). "Collaborative risk method for information security management practices: A case context within Turkey", International Journal of Information Management, Vol. 30: p. 567-572, Elsevier.

Rittinghouse, J. W. and Ransome, J. F. (2010). "Cloud Computing: Implementation, Management, and Security", CRC Press.

ISACA (2009). "The Risk IT framework: principles, process details, management guidelines, and maturity models", ISACA: p. 7-103.

Tripathi, A. and Mishra, A. (2011). "Cloud Computing Security Considerations", IEEE: p. 1-5.

Zhang, Q., Cheng, L. and Boutaba, R. (2010). "Cloud computing: state-of-the-art and research challenges", Journal of Internet Services and Applications, Vol. 1: p. 7-18, Springer.

Zhang, X., Wuwong, N., Li, H., and Zhang, X. (2010). "Information Security Risk Management Framework for the Cloud Computing Environments", IEEE: p. 1328-1334.