Abstract
Cloud computing is an emerging paradigm that allows on-demand services to be adopted in a cost-effective way. Migrating services to the Cloud also means being exposed to new threats and vulnerabilities, which changes the resulting assessment of risk. Assessing risk in the Cloud remains an open research issue, because it requires a given level of trust in the Cloud service provider, both to supply the data the assessment relies on and to implement the resulting controls. This paper surveys existing knowledge on risk assessment for the Cloud and sets out the requirements for a cloud-targeted method that is itself offered as a service and that respects the specific characteristics of the Cloud.
Copyright information
© 2013 IFIP International Federation for Information Processing
About this paper
Cite this paper
Theoharidou, M., Tsalis, N., Gritzalis, D. (2013). In Cloud We Trust: Risk-Assessment-as-a-Service. In: Fernández-Gago, C., Martinelli, F., Pearson, S., Agudo, I. (eds) Trust Management VII. IFIPTM 2013. IFIP Advances in Information and Communication Technology, vol 401. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38323-6_7
DOI: https://doi.org/10.1007/978-3-642-38323-6_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-38322-9
Online ISBN: 978-3-642-38323-6
eBook Packages: Computer Science (R0)