
Derivation of a Conceptual Framework to Assess and Mitigate Identified Customer Cybersecurity Risks by Utilizing the Public Cloud

  • Conference paper

Part of the book series: Advances in Intelligent Systems and Computing (AISC, volume 1027)

Abstract

The number of endpoints connecting to the cloud can increase distributed attack vectors because vulnerable devices connect from the front end. The risk is further heightened by the technological abstractions associated with public cloud computing models at the back end. On the one hand, cloud service providers make sets of defined service criteria and supporting documentation publicly available to assist customers with their public cloud deployments. On the other hand, a cacophony of security incidents over the past five years involving vulnerable cloud customer instantiations reveals that cloud security risks may not be completely comprehended. Essentially, the fundamental principle of cloud computing is the ‘shared security responsibility’ model. This paper argues that, from a cloud customer perspective, there is too much reliance upon legacy risk assessment methods and/or standards-oriented compliance-mapping approaches when trying to apply due diligence for cybersecurity. This is amplified by different cloud service providers using terms like ‘core services’ and ‘managed services’ rather than traditional terms such as Infrastructure-as-a-Service and Platform-as-a-Service. This extended paper describes the myriad of techniques used to derive a conceptual framework through post-graduate research. Based around a defense-in-depth model, the proposed conceptual framework is a proof of concept that enables customers to focus on the contextualized risks when using the public cloud. A method of reducing the risks using mitigation categories is also proposed. Consequently, a method of calculating residual risk against the identified risk levels is theoretically defined and is dependent upon the rigor of countermeasure selection.


References

  1. Pistorious, M.: The Quick Guide to Cloud Computing and Cyber Security. StreetLib, USA (2015)

  2. EY: Building trust in the cloud: creating confidence in your cloud ecosystem, insights on governance, risk and compliance. EYGM Limited, USA (2014)

  3. The attack that forced Code Spaces out of business—what went wrong? https://www.itgovernance.co.uk/blog/the-attack-that-forced-code-spaces-out-of-business-what-went-wrong/. Last accessed 3/1/2019

  4. Old AWS API key led to search provider’s cloud security breach. http://searchcloudsecurity.techtarget.com/news/2240224543/Old-AWS-API-key-led-to-search-providers-cloud-security-breach. Last accessed 19/1/2019

  5. Deloitte hit by cyber-attack revealing clients’ secret emails. https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails. Last accessed 3/1/2019

  6. Keeping Britain safe: how GCHQ’s new cyber security agency will protect us from hackers. http://www.wired.co.uk/article/national-centre-cyber-security-ian-levy. Last accessed 3/1/2019

  7. Everything you need to know about the NIS Directive. https://blog.infinigate.co.uk/everything-you-need-to-know-nis-directive-network-information-security. Last accessed 19/1/2019

  8. Understanding the risks of cloud computing. http://searchcloudsecurity.techtarget.com/tip/Understanding-the-risks-of-cloud-computing. Last accessed 19/1/2019

  9. End complacency and help address cyber crime threat, NCA tells business. http://www.computerweekly.com/news/450412817/End-complacency-and-help-address-cyber-crime-threat-NCA-tells-business. Last accessed 19/1/2019

  10. Public snapshots pose significant Amazon EBS security risks. https://searchaws.techtarget.com/tip/Public-snapshots-pose-significant-Amazon-EBS-security-risks. Last accessed 12/1/2019

  11. McAfee says cloud security not as bad as we feared…it’s much worse. https://www.theregister.co.uk/2018/10/30/mcafee_cloud_security_terrible/. Last accessed 3/1/2019

  12. Amazon S3 users exposing sensitive data, study finds. http://m.crn.com/news/security/240151857/amazon-s3-users-exposing-sensitive-data-study-finds.htm?itc=xbodyrobwes. Last accessed 19/1/2019

  13. Default AWS S3 encryption walls off vulnerable customer data. http://searchaws.techtarget.com/news/450429898/Default-S3-encryption-walls-off-vulnerable-customer-data/. Last accessed 3/1/2019

  14. Study: Lax security enforcement behind rise in Amazon S3 exposures. https://awsinsider.net/articles/2017/10/11/redlock-lax-cloud-security.aspx. Last accessed 3/1/2019

  15. Ahmed, N., Albakri, S., Idris, N., Samy, G., Shanmugam, B.: Traditional security risk assessment methods in cloud computing environment: usability analysis. Jurnal Teknologi 73(2), 483–495. Penerbit UTM Press, Malaysia (2015)

  16. Risk Matrices Failures. https://www.causalcapital.club/single-post/2019/01/09/Risk-Matrices-Failures. Last accessed 12/1/2019

  17. Nurse, J., Radanliev, P., Creese, S., De Roure, D.: If you can’t understand it, you can’t properly assess it! The reality of assessing security risks in IoT systems. In: PETRAS Living in the Internet of Things Conference Proceedings (2018). https://doi.org/10.1049/cp.2018.0001

  18. Booz Allen stock plummets on word of federal government probe. https://www.cnbc.com/amp/2017/06/15/booz-allen-stock-plummets-on-word-of-federal-government-probe.html. Last accessed 3/1/2019

  19. AWS and the General Data Protection Regulation (GDPR). https://aws.amazon.com/blogs/security/aws-and-the-general-data-protection-regulation/. Last accessed 19/1/2019

  20. A shared responsibility. https://www.bcs.org/content/conWebDoc/58147. Last accessed 1/2/2019

  21. Alexander, D., Amanda, F., Sutton, D., Taylor, A.: Information Security Management Principles, 2nd edn. BCS Learning and Development Ltd, UK (2013)

  22. Information Security Forum: Security Architecture Workshop. Information Security Forum Limited, USA (2006)

  23. Bird, D.: Information security risk considerations for the processing of IoT sourced data in the public cloud. In: PETRAS Living in the Internet of Things Conference Proceedings, pp. 1–10. IEEE Xplore, USA (2018). https://doi.org/10.1049/cp.2018.0040

  24. Hoffman, B.: Red Teaming: Transform Your Business by Thinking Like the Enemy, 1st edn. Piatkus, UK (2017)

  25. Bird, D.: A conceptual framework to identify cyber risks associated with the use of public cloud computing. In: 11th International Conference on Security of Information and Networks Proceedings, pp. 1–4. ACM International, USA (2018). https://doi.org/10.1145/3264437.3264466

  26. Why the ‘Risk = Threats x Vulnerabilities x Impact’ formula is mathematical nonsense. https://www.bloginfosec.com/2010/08/23/why-the-risk-threats-x-vulnerabilities-x-impact-formula-is-mathematical-nonsense/. Last accessed 3/1/2019

  27. Bodungen, C., Singer, B., Shbeeb, A., Hilt, S., Wilhoit, K.: Hacking Exposed Industrial Control Systems: ICS and SCADA Security Secrets & Solutions. McGraw Hill Education, USA (2017)

  28. Function (mathematics). https://simple.wikipedia.org/wiki/Function_(mathematics). Last accessed 19/1/2019

  29. Reasons we need to boost cybersecurity focus in 2019. https://securityaffairs.co/wordpress/80080/security/6-reasons-boost-cybersecurity.html. Last accessed 19/1/2019

  30. A new ISO standard for cloud computing. http://privacylawblog.fieldfisher.com/2014/a-new-iso-standard-for-cloud-computing/. Last accessed 3/1/2019

Acknowledgements

Table 1 and Figs. 3, 4, and 5 have been adapted from Bird [23, 25].

Author information

Corresponding author: David Bird

Copyright information

© 2020 Springer Nature Singapore Pte Ltd.

About this paper


Cite this paper

Bird, D. (2020). Derivation of a Conceptual Framework to Assess and Mitigate Identified Customer Cybersecurity Risks by Utilizing the Public Cloud. In: Yang, XS., Sherratt, S., Dey, N., Joshi, A. (eds) Fourth International Congress on Information and Communication Technology. Advances in Intelligent Systems and Computing, vol 1027. Springer, Singapore. https://doi.org/10.1007/978-981-32-9343-4_20

  • DOI: https://doi.org/10.1007/978-981-32-9343-4_20

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-32-9342-7

  • Online ISBN: 978-981-32-9343-4

  • eBook Packages: Engineering (R0)