Abstract
Recent developments in information technology operations have shown two distinct trends. Firstly, products and services have become increasingly commoditised, thus leading to successive waves of outsourcing and offshoring. Secondly, the introduction of intelligent end-point devices and direct accessibility of webbased services has blurred the boundaries of traditional companies and their perimeter. As a result, the “cloud computing” paradigm creates new challenges for security management, including the business value and cost-benefit considerations.
Traditional security models often fail to address this new universe, inasmuch as they are based upon the axiomatic idea of a “closed” corporate IT environment. Practical difficulties in outsourcing or third-party situations are therefore, at best, treated as a business issue that is addressed at the contractual or legal level. In many instances, this causes legal and technical problems, as service level agreements and contracts are flawed instruments for describing a fully de-perimeterised IT environment and its practical requirements. This in turn increases the risk of systemic failures, operational damage, and legal ramifications.
The ISACA Business Model for Information Security (BMIS) provides a systemic foundation for managing cloud-based products and services in terms of their security aspects. The paper shows how the general model is applied and how the use of BMIS enhances the overall security level. It is further shown how aspects of governance, risk and compliance (GRC) may be included in order to align operational information security management with business requirements. The paper addresses practical steps towards securing a heavily clouded environment using recognised frameworks such as COBIT or the ISO 27000 series. Recommendations are given to enable direct use of the BMIS in day-to-day security management.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Cloud Security Alliance. Security Guidance for Critical Areas of Focus in Cloud Computing v2.1. www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf accessed 2010-07-19.
Cloud Security Alliance. Top Threats to Cloud Computing v1.0. http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf accessed 2010-07-19.
DLA Piper [Peter van Eecke]. Cloud Computing Legal Risks. Presentation. http://www.isaca.org/Groups/Professional-English/cloud-computing/GroupDocuments/DLA_Cloud%20computing%20legal%20issues.pdf accessed 2010-07-19.
Farahmand, F. Risk Perception and Trust in Cloud. ISACA Journal vol. 4 (2010).
Fischoff, B.; P. Slovic; S. Lichtenstein; S. Read; B. Combs; “How Safe Is Safe Enough? A Psychometric Study of Attitudes Towards Technological Risks and Benefits,” Policy Sciences, 9(2), 1978, p. 127–152.
ISACA. COBIT 4.1. Rolling Meadows, IL: ISACA, 2008.
ISACA. An Introduction to the Business Model for Information Security. Rolling Meadows, IL: ISACA, 2009.
ISACA. Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives. Rolling Meadows, IL: ISACA, 2009.
ISACA. Enterprise Value: Governance of IT Investments – The ValIT Framework 2.0. Rolling Meadows, IL: ISACA, 2009.
ISACA. Mapping of ValIT 2.0 to MSP, PRINCE2 and ITIL v3. Rolling Meadows, IL: ISACA, 2009.
ISACA. The Risk IT Framework. Rolling Meadows, IL: ISACA, 2009.
ISACA. The Risk IT Practitioner Guide. Rolling Meadows, IL: ISACA, 2009.
ISACA. Business Model for Information Security. Rolling Meadows, IL: ISACA, 2010 (forthcoming).
ISACA. 2010 ISACA Risk/Reward Barometer, US Edition. Rolling Meadows, IL: ISACA, 2010 (March).
ISACA. 2010 ISACA Risk/Reward Barometer, Latin American Edition. Rolling Meadows, IL: ISACA, 2010 (April).
ISACA, 2010 ISACA Risk/Reward Barometer, Oceania Edition. Rolling Meadows, IL: ISACA, 2010 (July).
Jericho Forum. Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration. [https://www.opengroup.org/jericho/cloud_cube_model_v1.0.pdf] accessed 2007–07–19.
Johnson, E. J.; A. Tversky; “Representations of Perceptions of Risks,” Journal of Experimental Psychology, General, vol. 113, no. 1, 1984, p. 55–70.
Raval, V. Risk Landscape of Cloud Computing. ISACA Journal vol. 4 (2010).
Roessing, R. v. The ISACA Business Model for Information Security: An Integrative and Innovative Approach. Proceedings of ISSE 2009.
Slovic, P.; “Perceptions of Risk,” Science, 236, 1978, p. 280–285.
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 Vieweg+Teubner Verlag | Springer Fachmedien Wiesbaden GmbH
About this chapter
Cite this chapter
von Rössing, R. (2011). Applying BMIS to Cloud Security. In: Pohlmann, N., Reimer, H., Schneider, W. (eds) ISSE 2010 Securing Electronic Business Processes. Vieweg+Teubner. https://doi.org/10.1007/978-3-8348-9788-6_10
Download citation
DOI: https://doi.org/10.1007/978-3-8348-9788-6_10
Publisher Name: Vieweg+Teubner
Print ISBN: 978-3-8348-1438-8
Online ISBN: 978-3-8348-9788-6
eBook Packages: EngineeringEngineering (R0)