Abstract
The number of endpoints connecting to the cloud can multiply distributed attack vectors, because vulnerable devices connect from the front end. The risk is compounded by the technological abstractions associated with public cloud computing models at the back end. On the one hand, cloud service providers publish sets of defined service criteria and supporting documentation to assist customers with their public cloud deployments. On the other hand, a series of security incidents over the past five years involving vulnerable cloud customer instantiations reveals that cloud security risks may not be fully understood. The fundamental principle of cloud computing is the ‘shared security responsibility’ model. This paper argues that, from a cloud customer perspective, there is too much reliance upon legacy risk assessment methods and/or standards-orientated compliance-mapping approaches when applying due diligence for cybersecurity. The problem is amplified when different cloud service providers use terms such as ‘core services’ and ‘managed services’ rather than the traditional Infrastructure-as-a-Service and Platform-as-a-Service. This extended paper describes the techniques used to derive a conceptual framework through post-graduate research. Based on a defense-in-depth model, the proposed conceptual framework is a proof of concept that enables customers to focus on the contextualized risks of using the public cloud. A method of reducing those risks using mitigation categories is also proposed. Finally, a method of calculating residual risk against the identified risk levels is theoretically defined; its result depends upon the rigor of counter-measure selection.
Copyright information
© 2020 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Bird, D. (2020). Derivation of a Conceptual Framework to Assess and Mitigate Identified Customer Cybersecurity Risks by Utilizing the Public Cloud. In: Yang, XS., Sherratt, S., Dey, N., Joshi, A. (eds) Fourth International Congress on Information and Communication Technology. Advances in Intelligent Systems and Computing, vol 1027. Springer, Singapore. https://doi.org/10.1007/978-981-32-9343-4_20
DOI: https://doi.org/10.1007/978-981-32-9343-4_20
Publisher Name: Springer, Singapore
Print ISBN: 978-981-32-9342-7
Online ISBN: 978-981-32-9343-4
eBook Packages: Engineering (R0)