A study of NIST SP 800-144 standard on IT risk management
in
cloud
computing:
Creating
a
novel
framework
for
implementing it in Small and Medium sized Enterprises (SMEs) by
applying COSO and ISACA’s Risk IT frameworks
Sandeep Kaur Sidhu
Master of Science (Computer & Information Science)
University of South Australia
Thesis submitted to the University of South Australia
School of Information Technology & Mathematical Sciences
in partial fulfilment of the
requirements for the degree of
Master of Science (Computer & Information Science)
Supervisor: Dr Kim-Kwang Raymond Choo
Date: 28 October 2013
Page 1 of 69
Abstract
Cloud computing is a new form of service-oriented computing in which, clients are
offered software applications, platforms, infrastructure, databases, and security as
services. It is cost effective given that there are minimal capital expenses and all
services are chargeable based on actual usage or subscriptions-based usage. This
model is very attractive for small and medium scale enterprises (SMEs). However, there
are a number of security risks in cloud computing that needs to be managed. Currently,
there are unclear regulations and models about how cloud computing vendors should
undertake IT security and risk management accountabilities. NIST SP 800-144 is the
first standard by a regulatory body on cloud computing security but it needs to be
supported by other standards and empirical theories. In this dissertation, a detailed
mapping of NIST standard with COSO and Risk IT standards supported by empirical
theories has been carried out. The synergised form of NIST SP 800-144 with COSO
and Risk IT has been proposed for SMEs to manage their own IT risks amidst limited
expectations from cloud service providers, and uncertainty of applicable regulations.
The three standards can be used with an assumption that not everything is in control of
even large-scale enterprises but they still manage their risks. The similar philosophy of
certain internal practices in uncertain external environment can be applied by SMEs as
well. The findings reveal how SMEs can plan their cloud hosting ambitions, how can
they define their own standards and expectations, how can they select multiple clouds,
and how can they build their own controls by using multiple cloud service providers,
investing some additional sums.
Page 2 of 69
Table of Contents
Table of Figures:......................................................................................................................................... 4
Chapter 1: Introduction .............................................................................................................................. 5
1.1. Background and context ................................................................................................................ 5
1.2. Research problem .......................................................................................................................... 8
1.3. Research aim and objectives ..................................................................................................... 10
1.4. Research questions ..................................................................................................................... 10
1.5. Research significance and expectations .................................................................................. 11
1.6. Structure of the dissertation ........................................................................................................ 12
Chapter 2: Literature review ................................................................................................................... 13
2.1. Introduction .................................................................................................................................... 13
2.2. Empirical review of IT risk management ................................................................................... 13
2.3. IT risk management frameworks ................................................................................................ 15
2.4. Empirical review of cloud computing ......................................................................................... 19
2.5. Security risks and IT risk management in cloud computing................................................... 22
2.6. A review of NIST 800-144 framework ....................................................................................... 25
2.7. Summary........................................................................................................................................ 26
Chapter 3: Research design ................................................................................................................... 27
Chapter 4: Findings against research question 1................................................................................ 30
4.1. Findings.......................................................................................................................................... 30
4.2. Discussions ................................................................................................................................... 38
4.3. Summary........................................................................................................................................ 39
Chapter 5: Findings against research question 2................................................................................ 40
5.1. Findings.......................................................................................................................................... 40
5.2. Discussions ................................................................................................................................... 49
5.3. Summary........................................................................................................................................ 51
Chapter 6: Findings against research question 3................................................................................ 53
6.1. Findings.......................................................................................................................................... 53
6.2. Discussions ................................................................................................................................... 58
6.3. Summary........................................................................................................................................ 59
Page 3 of 69
Chapter 7: Conclusions and recommendations .................................................................................. 61
7.1. Conclusions ................................................................................................................................... 61
7.2. Recommendations ....................................................................................................................... 63
References ................................................................................................................................................ 65
Table of Figures:
Figure 1: A triangulated model of cloud security (Ahmad and Janczewski, 2010: p. 4) ............... 7
Figure 2: An example integrated model of risk management framework in cloud computing
based on COSO framework (Horwath et al. (2012: p. 9)..................................................... 8
Figure 3: An overview of Risk IT Framework (ISACA, 2009, p. 33) ...........................................16
Figure 4: COSO Risk Management Framework (COSO, 2004, p. 2) .........................................18
Figure 5: The multi-level service oriented architecture in the cloud computing (Zhang, Cheng,
and Boutaba, 2009: p. 10) .................................................................................................20
Figure 6: Threat profiling in cloud computing environment ........................................................33
Figure 7: Threat of malicious attackers in cloud computing environment ...................................34
Figure 8: Illustration of virtualization and virtual boundary weakness threats (GOS stands for
guest operating system and HYP stands for Hypervisor) ...................................................36
Figure 9: Storage of data on multiple storage clusters spread globally poses data proliferation
threat on cloud computing .................................................................................................37
Figure 10: Integrated risk management framework by mapping the controls of COSO, NIST, and
Risk IT, as per Table 2 ......................................................................................................48
Figure 11: Multilayer integrated risk management framework with multiple parties taking
accountabilities of respective cloud layers .........................................................................56
Figure 12: Mapping the multi-layer risk management framework with the integrated framework
of NIST SP 800-144, COSO, and Risk IT ..........................................................................57
Page 4 of 69
Chapter 1: Introduction
1.1. Background and context
This research is related to IT risk management challenges in cloud computing
and the practical implementation of NIST SP 800-144 standard specifically designed for
risk management in the clouds. Cloud computing has emerged as a new concept of
commodity services in the world of computing, storage, broadband network access,
platform services, and software services (Doherty, Carcary, and Conway, 2012: p. 2).
Cloud computing vendors, like Google, Microsoft, and Amazon offer rapid provisioning
of on-demand self-operating services with minimal intervention by the service provider
(Clemons and Chen, 2010: p. 3). These benefits are mostly availed by small and
medium scale enterprises given their lack of capital funding for establishing expensive
self-hosted IT infrastructures (Miller, 2009: p. 9-10).
Cloud computing offers many business benefits to customers, especially in
saving operating costs, managing IT enabled businesses with minimum administrative
overheads, and getting access to world class software platforms and applications
managed by their original manufacturers (Doherty, Carcary, and Conway, 2012: p. 2).
However, cloud computing has multiple IT risks due to shared platforms, data
confidentiality and privacy in user areas protected by virtual boundaries, identity thefts,
privacy issues, vendor or data lock-in, loss of governance, loss of compliance, insider
trading, and shared network and software vulnerabilities (Doherty, Carcary, and
Conway, 2012: p. 3-4; ENISA, 2010: p. 5-6). Given that the cloud computing systems
are multi-vendor and multi-tenant, a standard legally-enforceable risk management
Page 5 of 69
framework incorporating all service providers and tenants is the key challenge (ENISA,
2010: p. 3).
Risks in cloud computing arise due to shared services, cross-border litigation,
data location, inter-cloud compatibility issues, lack of legal support for consumers, trust
issues on service providers, IT security risks, consumer issues, privacy issues, data
segregation issues, and data proliferation issues (Chandran and Agnepat, 2010: p. 3-5
Clemons and Chen, 2010: p. 5-7; Fan and Chen, 2012: p. 23-24; Jansen, 2011: 2-4;
Sabahi, 2011: p. 245-247).
Fan and Chen (2012: p. 20-21) proposed that there should be an integrated risk
management standard incorporating regulators, service providers, and customers. This
standard should take care of cross-border litigation issues and data location uncertainty,
as well. A model for analysing risks at component levels of multiple layers of cloud
computing needs to be established and agreed among all parties based on their
priorities and impacts. This can be done by applying globally accepted standards like
COSO, Risk IT (COBIT 5), and ISO 27005. For example, Ahmad and Janczewski
(2010: p. 4) presented a triangulated model of cloud computing security employing
integration of globally accepted security standards, statutory laws, and cloud services
(Figure 1). In this model, the cloud service provider can choose any standard or set of
standards for implementing risk management as long as they are integrated with the
statutory laws and regulations applicable on the services offered. Hence, if Sarbanes
Oxley 2002 regulators recognise ISO 27005 for self hosted IT infrastructures, cloud
computing service providers can adopt ISO 27005 and customise it for implementing an
Page 6 of 69
effective IT risk management framework covering each component on the cloud such
that they can demonstrate compliance to Sarbanes Oxley regulations.
Figure 1: A triangulated model of cloud security (Ahmad and Janczewski, 2010: p. 4)
Horwath et al. (2012: p. 8-9) presented an example scenario (Figure 2) of how
such an integrated model can be implemented using COSO (Committee of Sponsoring
Organizations of the Treadway Commission) risk management framework. They
integrated the candidates offering cloud solutions, service delivery models, deployment
models, business processes, and regulatory governance requirements in a single risk
management framework based on COSO standard. They recommended that the COSO
enterprise risk management framework can be used to define, establish, and
Page 7 of 69
continuously improve an audit checklist used by regulators. Once standardised
enforced, all cloud services and solutions providers will implement controls in
accordance to the standard and incorporate terms in agreements with specific roles of
cloud tenants and service providers.
Figure 2: An example integrated model of risk management framework in cloud
computing based on COSO framework (Horwath et al. (2012: p. 9)
1.2. Research problem
The problem is that there is a lack of standardised risk management framework
for cloud computing framework accepted globally for regulatory compliance. Cloud
Security Alliance recommended standard methods for risk management on cloud
Page 8 of 69
computing (IET, 2012: p. 3). However, these recommendations have not been
standardised by regulation authorities. Mostly, regulation authorities prefer ISO 27005,
ISO 27001, ISO 27002, and COBIT standards for demonstrating regulatory compliance
of IT security and risk management (IET, 2012: p. 5-6). Cloud service providers need to
find ways for using these standards for IT risk management. A new ISO standard (ISO
27017) is emerging for cloud computing risk management that is expected to be ratified
in year 2014. It may be the preferred choice of regulators, but till then there is a serious
lack of internationally accepted standards fit for regulatory compliance of security and
risk management of cloud service providers (Rittinghouse and Ransome, 2010: p. 158159). This problem poses a serious business risk for SMEs given that they have most
prominent reasons to adopt cloud computing services and are rapidly moving their IT
systems to the clouds (Dai, 2009: p. 56; Haselmann and Vossen, 2011: p. 10; Jansen
and Grance, 2011: p. 21; Karabek, Kleinert, and Pohl, 2011: p. 28).
NIST SP 800-144 is the first US regulatory standard for implementing risk
management in the clouds (Jansen and Grance, 2011). This standard is released in
year 2011 but is not yet adequately supported by implementation procedures such that
cloud providers can adopt a standardised framework for managing cloud risks. This
standard needs exploratory study such that it can be mapped with other established risk
management standards used for IT risk management. The above problem description
and this challenge have been taken as the research problem of this dissertation. The
researcher intends to explore NIST SP 800-144 standard and map it with COSO and
ISACA’s Risk IT standards such that an appropriate risk management framework for
SMEs using cloud computing can be proposed.
Page 9 of 69
1.3. Research aim and objectives
With reference to the above established background and context, and the
research problem, following research aim is defined for this research:
Aim: To explore NIST SP 800-144, COSO, and Risk IT standards and the existing
theories complimenting their recommendations, and propose an IT risk management
framework for SMEs using cloud computing to run their businesses. In absence of
established standards proposed by regulators, this research will aim on how SMEs can
protect themselves from IT risks while using cloud hosted resources.
The aim is supported by the following research objectives:
(a) To study the IT risk exposures of businesses using cloud computing resources
(b) To explore NIST SP 800-144, COSO, and Risk IT standards and the existing
theories complimenting their recommendations
(c) To analyse how these standards can help the SMEs, dependent upon cloud
hosted resources for running their businesses, in managing IT risks
1.4. Research questions
This research is directed by the aim and objectives proposed above for finding
answers to the following research questions:
(a) What are the IT risk exposures of businesses that use cloud hosted resources for
running their business processes?
(b) How NIST SP 800-144 standard could be supported by COSO and Risk IT
standards and the existing theories complimenting their recommendations?
Page 10 of 69
(c) How can NIST SP 800-144, COSO, and Risk IT standards help SMEs dependent
upon cloud hosted resources in managing their IT risks?
These questions will be answered through exploratory studies of literatures on cloud
computing security and risk management and stated standard documents.
1.5. Research significance and expectations
This research will be significant for researchers studying change in business
risks and IT risks of SMEs that have moved their IT resources to cloud computing. This
research may serve as a useful reference document for such research aspirants,
especially in the fields of security controls and risk management for SMEs using cloud
computing. In addition, this research may be able to generate some useful information
for SMEs using cloud hosted resources looking forward to methods and ways for
managing IT risks. This research shall produce a synergy of three professional
standards and clarify their implementation approaches with the help of academic
literatures. Hence, it is expected that the results will be actionable in real world business
environments. Given an opportunity, the researcher will look forward to disseminate the
knowledge gained through the university website, journals, and conferences.
The following results are expected in this research:
(a) A detailed review of literatures for identifying controls that can be used with NIST
SP 800-144 standard
(b) Mapping of NIST SP 800-144 recommendations with the controls identified, and
with COSO and Risk IT standards
Page 11 of 69
(c) Analysis of how this mapping will help SMEs using cloud hosted resources in
managing their IT risks
These results will help in enhancing practical implementation of IT risk
management in cloud computing using NIST SP 800-144 standard. The results will
present a consolidated view of opportunities to address security and privacy issues on
the clouds. Some controls may be easily implementable and some of them may require
long term multi-agency alignments and policy changes. However, the consolidated view
can be helpful in preparing short-term and long-term goals for enhancing IT risk
management on the clouds.
1.6. Structure of the dissertation
This research is divided into seven chapters. The first chapter presents the
research attributes needed to establish the direction of data collection and exploratory
study. The second chapter presents a detailed literature review pertaining to the
research topic, research problem, and research objectives and questions, keeping the
research aim in mind. The third chapter is a review of literatures related to research
design, especially using the research onion concept of Saunders, Lewis, and Thornhill
(2011). The fourth chapter comprises findings against the first research question using
the data collected in Chapter 2 and additional reviews conducted. Similarly, Chapters 5
and 6 comprise findings against the second and third research questions, respectively
using the data collected in Chapter 2 and additional reviews conducted. Chapter 7
presents a consolidated analysis of findings in Chapters 2, 3, 4, and 5, conclusions
drawn from the analysis, and recommendations evolved from this research.
Page 12 of 69
Chapter 2: Literature review
2.1. Introduction
Cloud computing is a new framework for delivering IT services to customers
connecting to its various layers through Internet. It has gained significant popularity in
recent years due to lowered capital expenses and affordable revenue expenses offered
to cloud tenants. However, the threats and uncertainties looming on cloud computing
are wider due to shared infrastructures, virtual tenant boundaries, and spreading of data
across multiple locations beyond territorial jurisdiction due to virtualised storage
systems networked using virtual networking. These challenges have caused privacy
and trust issues leading to reluctance by many business entities and public sector
organisations in adopting cloud services. Looking into these challenges, NIST has
released a standard SP 800-144 for managing risks on cloud computing. Given that it is
a new standard, there are no academic references on practical implementation of SP
800-144 in organisations. In this dissertation, the researcher has targeted to combine
SP 800-144 with two popular risk management frameworks, ISACA’s Risk IT and
COSO, to design an actionable risk management framework for Small and Medium
scale enterprises using cloud hosting for their IT services needs. The resulting
framework will be validated by interviewing risk management practitioners.
2.2. Empirical review of IT risk management
Risk management in IT is concerned with protection of IT assets such that the
negative impacts on business due to loss, unauthorised modifications, or unavailability
of an IT asset can be minimised or eliminated completely (Humphreys, Moses, Plate,
Page 13 of 69
1998: p. 11). IT assets comprise of information units (business-related documents and
records), and the assets used for creating, processing, disseminating, storing,
transmitting, and archiving the information units (Humphreys, Moses, Plate, 1998: p.
11). IT assets are exposed to numerous threats emanating from the Internet or internal
hackers (Elgarnal, 2009: p. 12). These threats can compromise the confidentiality,
integrity, and availability of IT assets leading to financial, legal, reputational, customer,
and employee impacts to the organisation (Dhillon and Backhouse, 2000: p. 126;
Humphreys, Moses, Plate, 1998: 9). Identification, assessing, and management of IT
risks are needed to reduce or eliminate the vulnerabilities such that the external threats
do not compromise the IT assets and their confidentiality, integrity, and availability
(Anderson and Choobineh, 2008: p. 24; Humphreys, Moses, Plate, 1998: 14; Ozkan
and Karabacak, 2010: p. 568).
The risk identification, assessment, and management framework comprises
quantitative evaluation of influencing factors and assigning values to them (Ozkan and
Karabacak, 2010: p. 572; Humphreys, Moses, Plate, 1998: 22). They key values of
concern are importance of assets to the business, most relevant threats, magnitude of
impacts on business, probability of impacts, and internal vulnerabilities prevailing in the
IT systems of the organisation (Gandotra, Singhal, and Bedi, 2009: p. 720-721;
Humphreys, Moses, Plate, 1998: 24-25; Ozkan and Karabacak, 2010: p. 570). The risk
value is a quantitative outcome of asset value (a function of confidentiality, integrity, and
availability ratings), threat value (product of probability value and impact value), and
vulnerability value (probability of breach) (Gandotra, Singhal, and Bedi, 2009: p. 722;
Humphreys, Moses, Plate, 1998: 25). Finally, all risks are logged in an enterprise-wide
Page 14 of 69
risk register and assigned to individual risk managers for invoking risk treatment by
avoiding, accepting, transferring, or eliminating the risks (Shortreed, 2008: p. 10-11).
2.3. IT risk management frameworks
Some of the popular IT risk management frameworks are ISO 27001 (BSI, 2005),
ISO 27005 (BSI, 2008), NIST 800-30 (NIST, 2001), ISACA’s Risk IT (ISACA, 2009), and
COSO. ISO 27001 is a standard for implementing information risk management system
using information risk management as the fundamental framework and building upon it
the management system for establishing, operating, reviewing, and improving an
information security management system (BSI, 2005: p. 8-9). ISO 27005 and NIST 80030 deal with a framework of information risk management system comprising risk
identification, risk assessment, risk prioritisation, risk treatment, and application of
controls using qualitative and quantitative data collection and analytical methods (BSI,
2008: p. 10; NIST, 2001: p. 8). ISACA’s Risk IT is a modern IT risk management
framework that considers an organisation-wide risk view system as the core of the
framework enabling all departments to view the bigger picture and treat risks
accordingly. COSO risk management framework follows a similar approach with specific
focus on people aspects of IT risk management and risk aware culture in the
organisation at all levels of the organisational hierarchy, irrespective of designation,
role, and responsibilities (COSO, 2004: p. 18).
The frameworks chosen for integrating with NIST 800-144 framework are
ISACA’s Risk IT and COSO risk management framework. These frameworks have been
chosen because of two reasons:
Page 15 of 69
(a) There are sufficient references available on these standards for establishing a
theoretical foundation.
(b) Both these standards focus on organisation-wide risk views ensuring bigger
picture visualisation of IT and related risks. In cloud computing, the risk
management framework needs to protect all tenants and hence such a model
has been recommended by NIST 800-144, as well. Hence, it is expected that
the three models will synergise effectively.
Figure 3: An overview of Risk IT Framework (ISACA, 2009, p. 33)
The ISACA’s Risk IT framework is presented in the Figure 1 above. The Risk IT
framework comprises three primary domains – risk governance, risk evaluation, and risk
Page 16 of 69
response. The idea of enterprise-wide view of IT risks is to ensure that they can be
treated keeping the bigger picture in consideration and ultimately are integrated with the
enterprise-wide risk management framework. This is to ensure that when risk-aware
analysis is done, the IT risks are included in the risks considered for making business
decisions. The focus is not only on technical risks but also is on IT-linked business risks
such that the risk profile of maintained for IT systems can be linked with business
objectives and business risks. In this way, IT-related risks are prioritised keeping in view
their linkage with high priority business risks. The IT systems linked with high business
risk profiles from business perspective are prioritised. Such decisions are made by
business in collaboration with IT, which is the key advantage of enterprise-wide visibility
of IT risks and their linkages with business risks. The risk response is carried out
accordingly. (ISACA, 2009: 34-37)
The COSO model of risk management is presented in the Figure 2. It is an
enterprise-wide risk management framework with IT risk management embedded within
the larger system. This model is based on risk appetite and risk management
philosophy defined in the organisation, which is based on various internal standards
maintained by the management. In this model, risk appetite and tolerance levels are
defined as a part of business objectives of the firm. The rest of the model has been
taken from NIST 800-30 and ISO 27005 standards for risk identification, assessment,
prioritisation, and treatment, and communications, monitoring, and control systems for
ensuring appropriate risk-aware culture within the organisation. Risk-related culture is
viewed as the core of COSO framework. (COSO, 2004: 3-12)
Page 17 of 69
Figure 4: COSO Risk Management Framework (COSO, 2004, p. 2)
The risk management modelling for cloud computing has been carried out by
integrating COSO and ISACA’s Risk IT and using them as supporting frameworks for
NIST 800-144 standard. This integration can enable integration of two major
philosophies proposed by the two standards – organisation wide risk view and riskrelated organisational culture. These two philosophies can be viewed as primary
enablers of accurate categorisation and treatment strategy of risks and of effectiveness
of security controls for treatment of risks. In cloud computing, multiple flavours of
service providers (SaaS, PaaS, and IaaS, as discussed in the next section) serve
numerous tenants (clients) for various business purposes. Hence, the organisation wide
Page 18 of 69
risk view philosophy will result in sharing of risks-related information with all
stakeholders with clear demarcation of accountabilities at service providers’ end and
clients’ end.
Such a demarcation will enable the SaaS, PaaS, and IaaS providers
(discussed in the next section), and the clients to identify the controls needed at their
respective ends and own them.
Having reviewed the empirical theories and models in IT risk management, the
next step is to understand cloud computing closely and identify the risks prevailing in
cloud IT environments. The next section presents an empirical view of cloud computing.
2.4. Empirical review of cloud computing
Cloud computing is characterised by three forms of delivery, as described by
NIST in their technology roadmap for cloud computing, Vol. II (Badger et al., 2011: p.
11-15). These models are:
(a) Software as a service (SaaS)
(b) Platform as a service (PaaS)
(c) Infrastructure as a service (IaaS)
The three models have different service offerings and mode of deliveries. The
SaaS providers use PaaS clouds to host business applications on various platforms and
the PaaS providers use IaaS clouds to energise their platforms. Mostly, SaaS providers
are direct interfaces to customers. Customers interface with PaaS clouds for developing
in-house cloud-based development capabilities. Some customers interface with IaaS
clouds for renting raw storage and computing powers. (Badger et al., 2011: p. 16-21;
Chorafas, 2011: p. 24-30)
Page 19 of 69
As per Qian, Luo, Du, and Guo (2009: p. 628-629), Microsoft Azure and Google
App Engine can be classified as a PaaS clouds, Google Apps can be classified as SaaS
cloud, and Amazon Elastic Compute can be classified as an IaaS cloud. Zhang, Cheng,
and Boutaba (2009: p. 10) elaboration such a classification in their multi-level service
oriented model presented below:
Figure 5: The multi-level service oriented architecture in the cloud computing (Zhang,
Cheng, and Boutaba, 2009: p. 10)
As per the multi-level service oriented model by Zhang, Cheng, and Boutaba
(2009: p. 10-12), cloud hosted applications like saleforce.com and mysap.com, that
keep their platforms hidden from customers, may be categorised as SaaS providers.
Page 20 of 69
Microsoft Azure and Google App Engine open their platforms for customers for
developing applications and hence may be categorised as PaaS providers. Amazon
EC2 and Go Grid offer their infrastructure services (elastic computing and storage) to
customers for deploying their own platforms. Hence, they may be categorised as IaaS
providers.
Tai, Nimis, Lenk, and Klems (2010: p. 4-9), Amburst et al. (2010: p. 50-54), and
Miller (2009: p. 23-30) presented the following benefits of cloud computing for endcustomers:
(a) Elastic computing and storage facilities
(b) Rapid application development and deployment
(c) Pay-per-usage model
(d) No administrative, obsolescence, and upgrading hassles
(e) State of the art infrastructure and platforms
(f) Access to world class business applications
(g) Ubiquitous access
(h) Easy commissioning and decommissioning
(i) No capital expenses
(j) Affordable recurring expenses
These benefits have attracted a number of end-customers to cloud computing resulting
in rapid and significant growth of this industry. However, there are some security risks
that needs to be managed effectively on cloud computing. Unlike self-hosted
Page 21 of 69
infrastructures, risk management is not that straightforward in cloud computing. These
aspects are discussed in the next section.
2.5. Security risks and IT risk management in cloud computing
Cloud computing employs the same IT infrastructure components as employed in
self hosted IT infrastructures. However, the differentiation is due to virtualisation and
web services architecture (web 2.0) based multi-tenancy framework. Modern
organisations maintain internal security controls and hire people to manage them.
However, if competitors connect to the same IT infrastructure and use shared IT
resources for running their business applications, there are doubts on trustworthiness
and reliability of the personalised environments provided by the service providers. The
competitors worry about data proliferation across the virtual boundaries established for
tenants on cloud computing. The scenario becomes more challenging when most of the
security controls are managed by the cloud service providers and the tenant
organisations lack visibility as well as control on their data security. These challenges
drives security risks and IT risk management on cloud computing. (Sabahi, 2011: p.
245-246; Jansen, 2011: 2-3)
The cloud service providers deploy large-scale infrastructures with state-of-theart security technologies. Hence, there is less chance that the traditional security risks
striking self-hosted IT may strike clouds. The challenges are more related to multitenancy, pooling of shared infrastructure components, and common access to
applications. The
IT resource provisioning is normally implemented
through
virtualisation and web 2.0 interfacing for applications access. Hence, virtualisation and
Page 22 of 69
web services security risks are more prominent on cloud computing. (Jansen and
Grance, 2011: p. 8-10; Jansen, 2011: 4-5)
Given that cloud computing comprises shared infrastructure components; the
boundaries around work areas offered to tenant are virtual and protected by security
settings in virtualised servers and network components. Hence, tenant organisations
perceive unclear risk profiles of identity theft, privilege hacking, exploits, session
masquerading, and other Internet and virtualisation-based exploits. In addition to
unknown risk profiles due to virtualised environments and web services architecture, the
tenant organisations have little controls on security-related settings on the clouds. Most
of the controls are managed by the platform and infrastructure services providers
interfacing with the software-as-a-service provider. Hence, tenant organisations are
unclear about their role in risk treatment and the effectiveness of risk treatments
conducted by the service providers. The strength of virtualised boundaries is unclear
and hence tenant organisations are unsure about protection of their data from Internet
threats, competitors’ activities, proliferation attempts, insider trading, lock-in attempts
(by the cloud service providers), and breaches of confidentiality, integrity, and reliability.
(Sabahi, 2011: p. 246-247; Jansen, 2011: p. 6; Jing and Jian-Jun, 2010: p. 477; Tripathi
and Mishra, 2011: p. 3)
Another significant challenge facing effective risk management on cloud
computing is related to auditing and forensics for control effectiveness testing and
regulatory compliance. The cloud providers need to provide standard interfaces, system
generated logs, tenant specific logs, auto-generated hash functions, virtual machine
cloning/regeneration, and snapshots of tenant databases for law enforcement, forensic
Page 23 of 69
investigations, and regulatory auditing. The traditional host-based forensics, system
auditing, vulnerability analysis, penetration testing, and other popular mechanisms need
to be taken to the clouds in service oriented approach. New technology and legal
dimensions need to involve for distributed computing, virtualised infrastructures, and
web services architectures to address this gap. (Chen et al., 2013: p. 44-46; Chen and
Yoon, 2010: p. 255-256; Ruan et al., 2011: p. 8-10; Taylor et al., 2011: p. 6)
Risk management in cloud computing is different compared to self-hosted IT
systems of individual organisations. In clouds, risk management needs to be
implemented in multi-agency mode, whereby each agent may be a different
organisation or a different service provider. In such a scenario, an enterprise-wide view
of risk may be difficult to achieve making risk treatments disconnected with business
objectives and performance goals. This is highly risky for tenant organisations as well
as service providers. Tenant organisations may be affected due to irrational approach of
risk identifications and treatments causing poorer security and privacy controls. Service
providers may by affected by losing clients and market share if a major data breach
occurs that affects multiple tenants hooked to their respective clouds. Hence, there
needs to be a mechanism of common risk view in which, all agents access a common
risk registry, log their risks, and publish reports of their mitigation activities. The tenant
organisations can log into the registry and view the treatments of the risks that they are
concerned about. In this way, there will be transparency and integration of risk
management on the cloud. The risks may be treated using hierarchical analytics of each
layer of the cloud such that the tenant organisations gain visibility into risk treatments of
the layers invisible to them. This framework combined with standardised forensics and
Page 24 of 69
cloud audits can enhance cloud computing reliability considerably. (Mukhin and
Volokyta, 2011: p. 739; Peiyu and Dong, 2011: p. 3202; Zech, 2011: 413; Zhang et al.,
2010: p. 1331-1332)
The reviews presented in above paragraphs are outcomes of academic research
studies. However, they are not standardised for application in a cloud environment.
NIST SP 800-144 is the first attempt to standardise cloud computing security. A review
of the standard is presented in the next section.
2.6. A review of NIST 800-144 framework
The NIST SP 800-144 standard’s framework is presented with six chapters
including introduction and conclusion. The key chapters are Chapter 4 on issues and
propositions concerning security and privacy on cloud computing, and Chapter 5 on
secured outsourcing of public clouds. The standard presents issues and propositions on
the following (Jansen and Grance, 2011: p. 14-35):
(a) Governing deployment, expansion, and change management in cloud
computing
(b) Meeting compliance obligations on the clouds
(c) Achieving trustworthy computing on the clouds
(d) Standardisation of cloud computing architecture taking care of security,
auditing, and other requirements
(e) Access control and identity protection on the clouds
(f) Isolating software and platform environments on cloud computing
(g) Protecting data and its life cycle on the clouds
Page 25 of 69
(h) Ensuring data availability on the clouds
(i) Responding to incidents in clouds
The standard addresses most of the concerns raised in academic literatures by
scholars. However, the recommendations need to be tested in practical environments
by executing pilot testing or running simulations. In addition to these propositions, the
standard presents detailed plan of activities when moving IT resources to cloud
computing environments. It has a separate section of recommendations for small and
medium scale enterprises that need cloud computing to run their IT-enabled
businesses. (Jansen and Grance, 2011: p. 14-35)
2.7. Summary
In this chapter, a detailed literature review pertaining to the research topic is
presented. The literature review forms a background of empirical theories on IT risk
management, popular risk management models and cloud computing in general. In
addition, specific sections on IT risks on cloud and NIST SP 800-144 standard’s
framework are presented. In this way, the context of this research with all background
information is clarified. The next chapter presents a detailed review of research
methods and presents a finalised research design for this study.
Page 26 of 69
Chapter 3: Research design
This is an archival research based on an in-depth study of published documents
on NIST SP 800-144, COSO, and ISACA’s Risk IT, and related research studies. The
research questions pertain to IT risk exposures of SMEs on cloud computing, employing
NIST 800-144 with supported standards (Risk IT and COSO), and formulating an IT risk
management framework for SMEs on cloud computing. These research questions have
been addressed through archival research because of excellent availability of
literatures, published standards, and published research reports. It is expected that this
research will gain sufficient insight into the standards and underlying theories supporting
them. This will help in gaining a reasonable level of generalisability in this research.
For choosing the document sources, the judgmental sampling type is chosen
such that the sample units are based on researcher’s chosen criteria for selection. The
following criteria have been used for choosing the sample units from the population
(books, journals, published research studies, standards documentation, and such other
reliable sources):
(a) Is a reliable and reviewed source
(b) Is based on primary or secondary data, and insights from experts in this field
(c) Relevant to the research topic and context (risk management on cloud
computing)
(d) Will help in answering research questions and meet the objectives
(e) Will help in developing a theoretical framework for managing risks on cloud
computing for SMEs
Page 27 of 69
Sampling has been conducted using an iterative reading approach. In the first
round a large number of references have been chosen with general keywords, like
cloud computing security, cloud computing risk management, and security standards on
cloud computing. The summaries of all these references were studied and a first sample
set was chosen based on the sampling criteria presented in above. The researcher
studied the references in the first sample set in detail and rejected the ones that do not
deliver relevant information needed for this research. After the rejections, the second
sample set was chosen and finalised.
The researcher has primarily accessed reputed databases for collecting the
sources in the sample. The key databases used are IEEE Xplore, ACM, Science Direct
(Elsevier and Pergamon), Emerald, and Springer. In addition, the researcher has
included published research studies on websites of universities at master and doctorate
levels. The core references about the standards reviewed have been taken from the
COBIT, COSO, and NIST websites. Some popular books published by reputed
publishers (like Pearson, Elsevier, IGI, and CRC) have been chosen, as well. Data was
collected in two forms – in exploratory form and reviewed in Chapter 2, and in tabulated
form and presented in Chapters 4, 5, and 6. In Chapter 2, data is collected and
reviewed to build the knowledge of theories and in Chapters 4, 5, and 6; data is
collected to find answers to the research questions.
Data analysis is conducted qualitatively by collecting the relevant definitive points
from the references and analysing them. In Chapter 2, the data collected from
references are reviewed and included in the form of a logical flow such that the
theoretical foundation can be established. This foundation helped in affirming the
Page 28 of 69
context and in preparing the background to collect data for answering the research
questions. In Chapters 4, 5, and 6, the relevant points are chosen and tabulated for
finding answers to the research questions. The findings are discussed in detail to
analyse reflections of existing theories in the data sets and finding new theories
evolving from them.
In this research, there are no human respondents and hence there are no ethical
issues related to research on people. However, use of secondary sources invokes the
need for protecting their intellectual property rights and protecting the research against
plagiarism. Hence, all sources have been cited within the contents and a list of
references is included at the end. In addition, all figures have been redrawn.
Page 29 of 69
Chapter 4: Findings against research question 1
4.1. Findings
The first research question of this dissertation is the following:
What are the IT risk exposures of businesses that use cloud hosted resources for
running their business processes?
The risk exposures on clouds have been studied in Chapter 2. A tabulated form of the
data collected is presented in Table 1 below. Some risks studied in Chapter 2 have
been combined given that they represent a common risk type. The discussion on these
findings is presented in Section 4.2.
Table 1:
IT risk exposures of businesses using cloud hosted resources
S. No. IT Risk exposures
1
Sources
The identity of business users may Tripathi and Mishra (2011), Jansen
be stolen by eavesdroppers such and Grance (2011), Jing and Jian-Jun
that their privileges can be misused.
(2010), Sabahi (2011), and Jansen
(2011), ,
2
Attackers may use exploits on the Tripathi and Mishra (2011), Jansen
Internet to target vulnerabilities of and Grance (2011), Jing and Jian-Jun
applications
and
underlying (2010), Sabahi (2011), and Jansen
platforms.
3
(2011), ,
All the threats prevailing at the Tripathi and Mishra (2011), Jansen
network
layer
in
self-hosted
IT and Grance (2011), Jing and Jian-Jun
systems exist in cloud computing, as (2010), Sabahi (2011), and Jansen
well.
This
is
because
the (2011), ,
components used to build cloud
LANs and WANs are similar to
Page 30 of 69
S. No. IT Risk exposures
Sources
traditional self-hosted networks.
4
Virtualisation results in spreading of Zhou et al., (2010), Zhang et al.
data over a number of servers (2010), and Sabahi (2011)
installed
at
multiple
physical
locations. In global clouds, data may
even cross national boundaries.
5
Cloud uses virtualised user spaces Jing and Jian-Jun (2010), Tripathi and
separated by virtual boundaries. Mishra
Security
vulnerabilities
in
(2011),
Sabahi
(2011),
these Kandukuri, Paturi, and Rakshit (2009),
virtual boundaries can cause data Pearson and Benameur (2010)
proliferation.
6
Existing technologies for technical Jansen (2011), Jansen and Grance
auditing and forensics analysis may (2011), Sabahi (2011), Pearson and
not be effective on cloud platforms.
7
Current
IT
risk
Benameur (2010)
management Sabahi (2011), Jansen (2011), Jansen
practices on cloud computing is and Grance (2011), Zhang et al.
inadequate.
8
(2010), Zhou et al., (2010)
Users do not get controls on their Pearson
virtual
computing
environments
and
because
and
Benameur
(2010),
storage Zhang et al. (2010), Jansen and
they
are Grance (2011), Zhou et al., (2010),
virtualised and are allocated from a Kandukuri, Paturi, and Rakshit (2009),
large-scale pool.
9
Jansen (2011)
In multi-cloud scenarios, end-to-end Jansen (2011), Jansen and Grance
accountability of services is unclear.
(2011), Kandukuri, Paturi, and Rakshit
(2009), Zhang et al. (2010), and Zhou
et al., (2010)
10
Cloud security controls are not yet Zhou et al., (2010), Jansen (2011),
standardised.
Jansen
and
Grance
(2011),
Kandukuri, Paturi, and Rakshit (2009),
Pearson
and
Benameur
(2010),
Page 31 of 69
S. No. IT Risk exposures
Sources
Tripathi and Mishra (2011), and Zhang
et al. (2010)
11
There may be additional threats that Zhou et al., (2010), Jansen (2011),
may arise in a shared virtualised Jansen
environment
with
settings.
and
Grance
(2011),
multi-tenancy Kandukuri, Paturi, and Rakshit (2009),
Pearson
and
Benameur
(2010),
Tripathi and Mishra (2011), Zhang et
al. (2010)
12
Cloud vendors may tend to lock the Zhang et al. (2010), Zhou et al.,
services of tenants making it difficult (2010), Tripathi and Mishra (2011),
for them to change service providers Pearson
and
Benameur
(2010),
in the scenario of unsatisfactory Kandukuri, Paturi, and Rakshit (2009),
services.
Jansen
and
Grance
(2011),
and
Jansen (2011)
The Table 1 presents the threat profiling of the cloud, which can be drawn in the
form presented in Figure 6. The dotted arrows indicate the threats positioned in various
sections on the cloud. The first level of threats that cloud users face is at the contractual
level. The users may face a scenario of unclear accountabilities on who will own the
security of their data during entry, retrieval, storage, transit, and destruction on the
cloud. The clouds are multitenant systems served by integrated services by multiple
service providers. In this design, clouds clearly lack definition of accountabilities for
tackling various risks. At the contractual level, tenants also face uncertainty of vendor
lock in if the decommissioning terms are not agreed and the assets to be returned to the
tenant are not identified clearly.
Page 32 of 69
Figure 6: Threat profiling in cloud computing environment
Referring to Figure 6 and the findings in Table 1, there may be Internet-based
exploits, network threats, and system threats similar to those found in self-hosted IT
infrastructures having servers enabled on the Internet. However, the scenario on cloud
does appear more complex than self-hosted infrastructures because the cloud systems
are exposed to Internet and multiple independent tenant organisations or independent
users. It is possible that attackers can gain access to cloud systems up to an extent by
simply signing up as a valid tenant. In such a scenario, these attackers are better
placed for launching attacks like denial of service and account hijacking than self-hosted
Page 33 of 69
infrastructures where they are outsiders. Essentially, they can become an insider
attacker to some extent. As a result of overall threats identified in Figure 6 (lack of
accountability, standards, transparency, forensics, and auditability) such attackers can
social engineer internal IT administrators for gaining better access within the cloud. The
Cloud Security Alliance (2013) report on cloud threats has highlighted malicious insider
threats as one of the most prominent challenge. The Figure 7 is presented to illustrate
why malicious insider threat is high in cloud computing.
Figure 7: Threat of malicious attackers in cloud computing environment
In self-hosted environments, a user access is controlled by a single risk
management framework controlled by the top management. In a cloud-hosted
environment, every tenant organisation may have its own risk management framework.
Page 34 of 69
Hence, while it can control access of users within its own virtual domain it cannot control
the access granted to a malicious attacker signing up as a valid cloud tenant. The
scenario becomes more dangerous if the multi-tenancy and weak virtual boundary
threats exist. The risk management framework needs to be implemented by the cloud
service providers in such a way that risk management of individual tenants are
integrated with it. In such a scenario, a sound tenant verification process controlled by
the cloud risk management framework can keep malicious attackers away from the
cloud. For example, scanned copies of all original identity documents along with a
verification report by local police or an authorised verification agency may be made
mandatory before tenancy agreement is signed.
The other prominent threats in cloud computing environments are virtualization
and virtual boundary weakness threats. The Figure 8 presents an illustration of how
these threats may operate in a cloud environment. In a virtualisation environment, a real
physical server is divided into multiple virtual machines using hypervisors that are
operating systems capable of hosting multiple operating systems as guests (VMware,
2012: p. 2-3). However, the hypervisors are susceptible to traditional OS exploits (like,
buffer overflow attacks, malware injections, or denial of service) because it is yet
another OS (VMware, 2012: p. 4). If the systems security controls (example, an
intrusion prevention device) is not in place, the hypervisors can be compromised by
attackers for taking control (VMware, 2012: p. 4). Once the hypervisor is penetrated
successfully, the attacker can take access of all the virtual machines hosted on it and
hence firewall and intrusion prevention controls are needed at the system level in the
hypervisor systems (VMware, 2012: p. 5).
Page 35 of 69
Figure 8: Illustration of virtualization and virtual boundary weakness threats (GOS
stands for guest operating system and HYP stands for Hypervisor)
The most complex threat on cloud computing is related to data storage, which
gets striped across multiple storage devices across the cloud. Data storage outside the
political boundaries of many countries may be illegal. However, in cloud computing data
is striped across multiple cloud storages, as illustrated in Figure 9. The data stored
outside the regulatory regime may be retrieved separately by insider traders or
attackers gaining access to hypervisors (as explained in the previous paragraph). The
risk management framework of the cloud service provider should incorporate a control
that the tenants can choose the location for data storage through a panel. Google and
Amazon are working on adding such a control.
Page 36 of 69
Figure 9: Storage of data on multiple storage clusters spread globally poses data
proliferation threat on cloud computing
The above discussion reveals that threats on cloud computing are distributed in
multiple
components
and
hence
an
integrated
multiparty
risk
management
accountability framework is needed. The largest player among them may drive the
system through a main risk management system and the other parties (including tenant
organisations) should plug their respective risk management systems into the primary
system. A more effective way is to offer risk management as a service on the cloud
such that tenant organisations and smaller cloud service providers may buy a
subscription in the application and log and mitigate their own risks.
Page 37 of 69
4.2. Discussions
The scholars have made it clear that all risks prevailing in self-hosted IT
infrastructures are present in cloud computing environments. There are many additional
risks in cloud computing, as well. This reflects that cloud computing environments are
generally riskier than self-hosted IT infrastructures given that risks pertaining to agency
exposures,
third
party
environment
exposures,
multiparty
service
exposures,
outsourcing exposures, shared platform exposures, legal and regulatory exposures, and
cross-border access/transfer exposures are added. It is interpreted that cloud
infrastructure owners will mitigate the risks prevailing in self-hosted environments in
much better ways because they will have better capital funds to invest on state-of-theart security products (like, firewalls and intrusion prevention devices). Hence, the
primary concern is related to the additional risk exposures stated above. For example,
data location and data proliferation issues cannot be solved by investing in state-of-theart security systems and applications. These issues can be solved through appropriate
procedures for ensuring transparency, auditing, forensics, and regulatory compliance
demonstration. The risk management framework of cloud service providers should
address these added exposures that businesses might face in using their services. The
issues of poor user controls, data ownership, data protection, privacy in multi-tenancy
environment, and transparency during commissioning of services, operations of running
services, and decommissioning of services can be addressed by employing a global
standard for risk management on cloud computing. NIST SP-800-144 offers such an
opportunity to global cloud vendors. The next chapter presents the findings on how
Page 38 of 69
NIST SP 800-144 can be supported by COSO and Risk IT to make it actionable in cloud
environments.
4.3. Summary
In this chapter, the first research question has been addressed. A tabulated
presentation of cloud computing risks and the references citing them is furnished.
Overall, it is discovered that there are additional risks in cloud computing environments,
which cannot be addressed using the strategies and technologies used in self-hosted IT
environments. A much broader standards and regulatory framework is needed to
mitigate cloud computing risks for protecting all the parties associated with the cloud. In
addition, risks with conflicting mitigation solutions from the perspective of provider
versus user interests need to be addressed.
Page 39 of 69
Chapter 5: Findings against research question 2
5.1. Findings
The second research question of this dissertation is the following:
How NIST SP 800-144 standard could be supported by COSO and Risk IT standards
and the existing theories complimenting their recommendations?
The findings are based on a carefully executed comparison of the three standards and
mapping the most relevant controls. The Table 2 presents mapping of controls chosen
in COSO and Risk IT with the controls in NIST SP 800-144 standard. A discussion is
presented in Section 5.2.
Table 2:
S.
Synergy among SP 800-144, COSO, and Risk IT standards
NIST SP 800-144
COSO
Risk IT
Sources
No.
1
Controls on policies, Common
standards,
and risk
underlying
procedures
view
appetite,
tolerance,
for
IT monitoring
services acquisition, updating
operations,
enhancements
of Common
risk view
communications
and
(risk Grance
assessment
(2011); ISACA
and plans,
risk (2009); COSO
risk register,
risk (2004)
and controls, risk-related analysis
roles,
risk Jansen
and reports,
mitigation
integrating
results,
and
plans)
IT
risks
with
enterprise
risk
management, and
making
risk-
Page 40 of 69
S.
NIST SP 800-144
COSO
Risk IT
Sources
No.
aware decisions.
2
Compliance
with Internal
Common
laws and regulations accountability,
pertaining
to
data executive
data risk-awareness
proliferation,
and culture,
with
(2011); ISACA
developing
mapping risks
business-unit
and
view, compliance Grance
support, checklists,
location,
electronic discovery.
risk Jansen
IT (2009); COSO
scenarios, (2004)
risks compliance
company-wide audits,
IT
risks
risks, policies and roles, stakeholder
procedures as per involvement,
compliance needs of responding
business, monitoring risks,
to
and
risk
procedures, auditing mitigation
procedures,
and prioritisation
compliance
reporting
3
Trustworthiness
of Risk-related
clouds pertaining to philosophy
the issues of insider goals,
access,
risk Jansen
and accountability,
and
Grance
managing integrate IT and (2011); ISACA
rewards
composite services, penalties,
data,
IT
data conflicts of interest, enterprise
ownership,
visibility,
Define
risks, (2009); COSO
and independent
(2004)
assurance for IT
ancillary transparency in risk risk management,
and
management.
risk management,
single risk view,
allocating resources enterprise-level IT
to risk management, risk
policy,
social responsibility, monitoring
and
conduct-related
and
controls,
accountabilities, and effective
Page 41 of 69
S.
NIST SP 800-144
COSO
Risk IT
Sources
No.
risk and compliance- communication of
related
human IT risks
resource
protocols
and procedures
4
Trustworthy
Determine
computing
tolerance levels of assessment,
architecture
capital assets, map risk
pertaining
issues
to
of
surface,
network
virtual
risk IT
attack industry
IT
risk (2009); COSO
(2004)
risk mapping
IT
into systems with IT
machines departmental
imaging, and client thresholds,
risk risks, develop IT
identify risk scenarios, IT
and measure events risks
against
levels,
IT Grance
averages, indicators,
protection, tolerances
and
tolerance (2011); ISACA
the tolerance levels with levels,
virtual breakup
side protection
risk Jansen
tolerance IT
and
monitoring,
risk
registry,
use preventive
advanced
controls,
techniques
(like response
process
flow priorities
analysis
and
and
surveys)
5
Identity and access Risk
management
protection
indicators, Identify
and escalation
IT
risk Jansen
triggers, scenarios,
and
Grance
loss event tracking, monitor IT risks, (2011); ISACA
ongoing
event identify incidents, (2009); COSO
identification,
initiate
incident (2004)
categorising events, response,
establishing
maintain incident
interrelationships
response
plans
Page 42 of 69
S.
NIST SP 800-144
COSO
Risk IT
among
events, against
Sources
No.
establishing
metrics,
risk
risk scenarios,
and
applying communicate
qualitative
and lessons
quantitative
learnt
from risk events
modelling
techniques,
assessing
inherent
and residual risks,
choosing
response
strategies, applying
controls,
and
information
and
communication
6
Isolation
areas
of
in
user Same as above
multi-
Identify
IT
risk Jansen
scenarios,
and
Grance
tenancy
monitor IT risks, (2011); ISACA
environments
identify incidents, (2009); COSO
initiate
incident (2004)
response,
maintain incident
response
plans
against
risk
scenarios,
and
communicate
lessons
learnt
from risk events
7
Data protection
Same as above
Identify
IT
scenarios,
risk Jansen
and
Grance
Page 43 of 69
S.
NIST SP 800-144
COSO
Risk IT
Sources
No.
monitor IT risks, (2011); ISACA
identify incidents, (2009); COSO
initiate
incident (2004)
response,
maintain incident
response
plans
against
risk
scenarios,
and
communicate
lessons
learnt
from risk events
(regulatory
compliance
controls will also
apply)
8
Availability
of Same as above
services
Identify
IT
risk Jansen
scenarios,
and
Grance
monitor IT risks, (2011); ISACA
identify incidents, (2009); COSO
initiate
incident (2004)
response,
maintain incident
response
plans
against
risk
scenarios,
and
communicate
lessons
learnt
from risk events
9
Incident
Same as above
Identify
IT
risk Jansen
and
Page 44 of 69
S.
NIST SP 800-144
COSO
Risk IT
Sources
scenarios,
Grance
No.
management
monitor IT risks, (2011); ISACA
identify incidents, (2009); COSO
initiate
incident (2004)
response,
maintain incident
response
plans
against
risk
scenarios,
and
communicate
lessons
learnt
from risk events
10
Outsourcing controls
Same as above
IT
risk Jansen
considerations
while
and
Grance
taking (2011); ISACA
business-related
(2009); COSO
decisions,
(2004)
obtaining
management and
stakeholder
buy
in, maintaining IT
risk scenarios, IT
risk transfer, and
provide
independent
assurance of IT
risk management
(regulatory
controls will also
Page 45 of 69
S.
NIST SP 800-144
COSO
Risk IT
Sources
No.
apply)
11
Contractual
Same as above
obligations
IT
risk Jansen
considerations
while
and
Grance
taking (2011); ISACA
business-related
(2009); COSO
decisions,
(2004)
obtaining
management and
stakeholder
buy
in, maintaining IT
risk scenarios, IT
risk transfer, and
provide
independent
assurance of IT
risk management
(regulatory
controls will also
apply)
12
Commissioning and Same as above
A combination of Jansen
and
decommissioning
controls
procedures
contractual
(2011); ISACA
obligations
/ (2009); COSO
in Grance
outsourcing, and (2004)
data protection
13
Principles
of
fair Same
information practices trustworthiness
for clients
clouds
trustworthy
as A combination of Jansen
of controls
and
in Grance
and contractual
(2011); ISACA
obligations
/ (2009); COSO
Page 46 of 69
S.
NIST SP 800-144
COSO
Risk IT
Sources
computing
outsourcing, and (2004)
architecture
data protection
No.
14
Independent security Independent
auditing
Independent
auditing,
Jansen
gap assurance of IT Grance
analysis
reporting, risk management
(2011); ISACA
and
certifying
(2009); COSO
practices
15
Security
(2004)
resources No specific controls Same
management
as Jansen
and mentioned; however trustworthy
monitoring
and
controls
Grance
identified computing
for
(2011); ISACA
trustworthy controls
computing
and
(2009); COSO
may
(2004)
apply
16
Certification
and Independent
accreditation
Independent
auditing,
Secure
analysis
reporting, risk management
(2011); ISACA
and
certifying
(2009); COSO
systems Same
configurations
managing
as
and and
(2004)
identity Same
access trustworthy
security management
patches
and
gap assurance of IT Grance
practices
17
Jansen
protection
as Jansen
and
Grance
computing
(2011); ISACA
controls
(2009); COSO
(2004)
18
Developing security- Risk
Management Build and allocate Jansen
related
committee
competencies
desired
competencies
identifying,
assessing
with adequate
and
Grance
resources for IT (2011); ISACA
for risk management, (2009); COSO
implementing
IT (2004)
and risks-related
Page 47 of 69
S.
NIST SP 800-144
COSO
Risk IT
managing risks
inventory
Sources
No.
controls,
and
effective
IT-risk
communications
The above integration can be accomplished in the form of the framework
presented in Figure 10.
Figure 10: Integrated risk management framework by mapping the controls of COSO,
NIST, and Risk IT, as per Table 2
Page 48 of 69
The NIST SP 800-144 is proposed as an umbrella framework because it
identifies all risks prevailing in the cloud computing environment. However, the NIST
standard does not identify the processes, underlying standards, and risk assessment
and mitigation frameworks needed to treat the risks. In this context, Risk IT and COSO
are used as additional standards integrated and positioned under the umbrella
framework. Risk IT has a strong process orientation whereas COSO has a strong
technical and mathematical / statistical orientation. The NIST SP 800-144 standard may
be used for defining the scope, statement of applicability, and risk identification. After
the roles of Risk IT and COSO are completed, NIST standard can be used to document
the security policy. Risk IT can be used for designing a risk management organisational
structure and roles and for processes and templates for reviews, assessments, and
reporting. COSO can be used for technical side of risk management for statistical
modelling of risk assessment and risk categorisation and prioritisation. This standard
can be further used for identifying controls, and testing their effectiveness. Once all
these tasks are accomplished, a security policy document can be designed as per the
NIST recommendations keeping in view all risks on the cloud and the compliance
needed from all participating agents.
5.2. Discussions
NIST SP 800-144 standard comprises a list of controls identified for managing
security risks in cloud computing environments. The standard does not present how
these
controls
can
be
implemented.
However,
the
standard
mentions
that
implementation approaches of the stated controls can be taken from existing standards
on IT risk management, like ISO 27005 and ISACA COBIT 5 (Risk IT). This is where
Page 49 of 69
this research can serve as a value addition. The Table 2 presents the names of most
appropriate procedures chosen from COSO and Risk IT to implement the controls
mentioned in NIST SP 800-144.
A close observation reveals that the focus of COSO is on identifying, developing,
implementing, and operating scientific approaches to identifying risks and implementing
controls, whereas the focus of Risk IT is on defining, implementing, and operating
organisational roles and processes for risk management. Hence, the hierarchy of
standards may be as the following:
(a) Risk assessment and analysis using scientific methods – COSO
(b) Identifying controls – NIST SP 800-144
(c) Implementing roles, structures, and processes – Risk IT
(d) Implementing organisation-wide risk view – Risk IT
(e) Implementing technical and systemic controls – COSO
(f) Technical and systems auditing – COSO
(g) Process auditing – Risk IT
(h) Implementing corrective actions related to roles, structures, and processes –
Risk IT
(i) Implementing corrective actions related to technologies and systems – COSO
In cloud computing environment, implementing these steps will require
collaboration among all cloud service providers offering bundled services to tenants.
The single risk view concept can be implemented by publishing an extranet on which, all
cloud service providers publish their respective risks and mitigation actions. The tenant
Page 50 of 69
organisations should be given access to the extranet such that they can know about the
risk management system, its processes, identified risks, mitigation actions, and audit
reports. This will help them to plan their respective risk management frameworks in line
with the framework used by cloud service providers and address the areas not covered
by the service providers. For example, user and group access and privileges within
tenant’s private environment need to be addressed by the tenant’s risk management
framework. If a single cloud service provider is not able to fulfil all the security controls
needed by the SME organisation, the services from various cloud service providers may
be chosen based on their abilities to fulfil the security controls. In this way, the risks will
be divided and an optimum selection cloud providers can be finalised keeping in mind
the overall risk mitigation objectives. For example, e-mails may be hired from one cloud
and collaboration applications may be hired from another cloud depending upon how
well they handle the risks related to these services. A possible combination is that the
cloud chosen for e-mail services has better e-mail protection features and the cloud
chosen for collaboration has better protection features for instant messaging and video
conferencing. The SMEs may have to pay an extra cost by segregating services in this
way, but they can achieve optimum mitigation of their risks identified with the help of
NIST SP 800-144 standard. The controls chosen from COSO and Risk IT will help in
consolidating identification, assessment, and mitigation of risks at one place irrespective
of which cloud provider is responsible for which risks.
5.3. Summary
The chapter presents the findings to the second research question. A close
mapping between controls recommended by NIST SP 800-144 with those of COSO and
Page 51 of 69
Risk IT is presented after careful interpretations of every control in these standards. It
has been observed that COSO has a lot of emphasis on applying scientific,
mathematical, and statistical theories in identifying risks, assessing them, assessing
impacts, and formulating controls. On the other hand, Risk IT is focussed on enterprisewide risk view to ensure transparency, and better and timely contributions from all roles
in the enterprise in mitigating the risks. Based on this understanding and keeping NIST
SP 800-144 standard as the umbrella framework, a hierarchy of standards for various
steps of risk assessment and management in cloud computing is proposed.
Page 52 of 69
Chapter 6: Findings against research question 3
6.1. Findings
Following is the third research question of this research. This question is
pertaining to the expected benefits to SMEs if these standards are employed by the
cloud service providers in the way the mappings are proposed in Chapter 5.
How can NIST SP 800-144, COSO, and Risk IT standards help SMEs dependent upon
cloud hosted resources in managing their IT risks?
As learnt from the literatures, a SME organisation should following the checklist
presented below for signing up with a cloud service provider:
(a) Documenting security requirements in detail
(b) Integrating security requirements in overall requirement specifications
(c) Detailed analysis on the bare minimum and desirable expectations on how these
specifications can be met
(d) Assess multiple cloud providers
(e) Shortlist the ones that match the expectations as closely as possible
(f) Initiate negotiations and contractual procedures
(g) Agree security and risk management roles, checklists, and accountabilities
(h) Implement services on one or more clouds after buying their subscriptions; build
tolerances against risk scenarios using multiple cloud services; prefer a phased
rollout
(McDonald, 2010; Chen and Yoon, 2010; Mukhin and Volokyta, 2011; Jansen and
Grance, 2011)
Page 53 of 69
NIST SP 800-144 presents a separate section on how SMEs should prepare
themselves before entering the clouds such that their risks are mitigated effectively in
the best possible ways. The most prominent recommendation is related to documenting
the security requirements of the organisation and testing them by taking pilot accesses
into multiple clouds. Some of the key aspects to be documented are incident
management, problem rectification, change management, access to information,
integrity, handling of information, information in transit, information destruction,
information availability, access controls, backups, recovery, auditing, assurance,
reliability, confidentiality, and risks mitigation of information assets, (Jansen and
Grance, 2011)
The SMEs may be benefitted from the integrated framework of NIST SP 800144, COSO, and Risk IT in the areas of documenting all security needs, conducting
scientific assessment of threats and security needs, identifying key controls, developing
a security policy, developing organisational structure, roles, and processes, developing
technical controls, and establishing monitoring and auditing mechanisms. The cloud
service providers may not allow technical auditing on their infrastructures. However, a
report by Institution of Engineering and Technology (IET, 2012) claimed that cloud
tenants need not worry about security controls of the technical infrastructures of the
clouds. They reported that SMEs will find their controls much better than what they
could have implemented in their self-hosted infrastructures. Moreover, a report by Ernst
and Young (2011) reported emergence of Cloud Trust Protocol (CTP), Cloud Auditing
Framework (CAF), Continuous Assessments Checklist (CAC), and Cloud Controls
Matrix (CCM) based on the efforts by Cloud Security Alliance (CSA). CSA is not a
Page 54 of 69
regulatory body but is an alliance of key industrial players in cloud computing. CSA
efforts may or may not result in evolution of a complete regulatory standard for cloud
computing. However, they are expected to strengthen the security of cloud technical
infrastructures much beyond the affordability of SMEs if they had tried to implement
them in their own infrastructures. This fact is emphasised in the report by Institution of
Engineering and Technology (IET, 2012), as well.
The integrated risk management framework with participation among the tenants
and all other agents attached with cloud computing is presented in Figure 11. This
model is based on the multi-layer cloud model proposed by Demchenko et al. (2011: p.
16-18). In this model, the cloud is modelled with seven layers with the layers 1 to 4
designated as IaaS layers (virtual servers, hypervisors, guest operating systems, and
virtual / real networking), the layer 5 designated as PaaS layer (databases, web servers,
and application servers), the layer 6 designated as SaaS layer (cloud based software
applications), and the layer 7 designated as tenant organisation’s layer (user defined
applications and workflows). Each of these layers will have their respective threats as
identified in Chapter 4. The researcher has extended this model by mapping a
multilayer risk management framework as shown in Figure 11. The risks prevailing in
layers 1 to 4 will be managed by the IaaS provider, the risks prevailing in layer 5 will be
managed by the PaaS provider, the risks prevailing in layer 6 will be managed by the
SaaS provider, and the risks prevailing in layer 7 will be managed by the tenant
organisations.
However, how will the risk management practices of these layers be integrated?
This query is solved in Figure 12.
Page 55 of 69
Figure 11: Multilayer integrated risk management framework with multiple parties taking
accountabilities of respective cloud layers
Figure 12 presents a mapping between the multi-layer risk management
framework with the integrated framework of NIST SP 800-144, COSO, and Risk IT. The
umbrella framework may be designed and hosted by the largest player (example, the
IaaS provider) based on NIST SP 800-144, along with technical systems (like statistical
analysis models) as per COSO and process workflows and risk organisation builders as
Page 56 of 69
per Risk IT. This framework may be used in the form of paid services for risk
management as a service, and all other agents may use its features for plugging their
own risk management systems. Other agents (including the tenant organisations) may
buy subscriptions on this framework and open their own access-controlled private areas
for identifying, assessing, analysing, logging, mitigating, and reporting their risks. The
risks on various layers may be identified using the NIST SP 800-144. The ownership will
be very clear if all assets are marked with clear information on which layer they belong
to on the seven layer cloud model. If the layers are identified, the ownerships will be
clear, as well. The systems and processes offered by the risk management as a service
provider will be as per COSO and Risk IT, as defined in Figure 10 and replicated again
in Figure 12.
Figure 12: Mapping the multi-layer risk management framework with the integrated
framework of NIST SP 800-144, COSO, and Risk IT
Page 57 of 69
In the system presented in Figure 12, the reports generated by all service
providers may be made transparent such that all tenant organisations can view them.
This will facilitate appropriate coordination among all service providers, and the primary
controller of the umbrella framework (the risk management as a service provider) can
monitor what other agents are doing and what is their overall compliance level. They
can own the role of setting, reviewing, and modifying standards, tools, and processes,
which can be used by all other agents plugged into this system.
6.2. Discussions
The SMEs may get the best benefits from the integrated standards framework in
the non-technical side of their security framework, and partial technical controls
manageable through the control panel offered to them. The benefits will be based on
the philosophy of deriving the best from the cloud in the interest of the organisation.
Hence, if they have carefully formulated organisations structure, roles, accountabilities,
processes, communications framework, and an enterprise-wide risk view, they can use
the cloud services in the most effective ways. Cloud service providers offer 24 X 7
helpline numbers and e-mail ids for taking client requests and concerns. If the internal
risk management framework of a SME is well structured and organised with the help of
the integrated standards, they can communicate effectively, ask the right questions, and
demand the right services from the cloud helpdesk. With emerging seriousness among
cloud vendors, they are willing to share their monitoring and performance related
reports if asked formally. The proposed framework is designed to be controlled by the
risk management as a service provider on cloud computing. In practical world, such a
service may be launched on cloud computing in due course.
Page 58 of 69
If risk management as a service model is not launched in near future, the SMEs
may share their internal risk management frameworks and structures with the cloud
providers, the latter will take them seriously knowing that they are dealing with parties
serious about their risk management. In order to get the best, the SMEs will have to ask
for the right and appropriate information and services. They should be concerned only if
they are refused, which is unlikely in many cases given the rising seriousness about risk
management because of efforts by CSA and the rising competition among cloud service
providers. The communications protocol between cloud service providers and SME
tenants may not emerge suddenly. It may take some time and the integrated standards
framework can be of great help. The SMEs may decide to form their own forums and
share their practices on risk management such that the standards could be adopted by
multiple organisations. If the cloud service providers observe the emerging trend of
standards like NIST SP 800-144, COSO, and Risk IT, they will begin to align their
services as per these standards. These are published standards and hence nothing is
hidden from anyone. One just needs to commit to them and start adopting their
practices.
6.3. Summary
NIST SP 800-144 comprises a separate section describing how SMEs should
prepare their risk management framework before entering the clouds. The standard
recommends a number of security requirements that the SMEs may consider before
choosing the right cloud service providers. However, the standard does not recommend
how the security requirements can be implemented in a risk management framework.
The integrated framework of NIST SP 800-144, COSO, and Risk IT may be launched as
Page 59 of 69
the risk management as a service by one of the largest agents of the cloud computing
system (like, the IaaS provider) and offer subscriptions to all other agents hooked to the
system. The other agents may buy subscriptions from this service provider and use the
tools, workflow engines, and processes designed by the service provider in line with
COSO and Risk IT recommendations, as presented in Figures 10 and 12. Each agent
may take accountability as per their respective layers on the seven layer model, as
shown in Figure 11. The integrated framework can help the SMEs in implementing a
comprehensive risk management framework and integrate it with the risk management
practices of cloud service providers through formation of a SME forum, sign appropriate
agreements, communications, and service requests.
Page 60 of 69
Chapter 7: Conclusions and recommendations
7.1. Conclusions
This research is an organised archival study into the risks faced by cloud
computing providers and tenants and the empirical theories and standards for mitigating
them for SMEs using cloud services as tenants. The focus has been on NIST SP 800144, COSO, and Risk IT standards. NIST SP 800-144 standard has been chosen
because it is specifically designed for cloud computing security only. Risk IT is a
standard specific for IT risk management and COSO is a standard specific for
enterprise risk management. This combination appeared suitable to the researcher with
an expectation that risk management practices from cloud purview, IT purview, and
enterprise purview will be covered comprehensively.
First of all, the risk exposures in cloud computing environment have been
researched. This is the context of the first research question. It has been observed that
all the risks prevailing in self-hosted IT infrastructures are evident in cloud computing
environments, as well. There are additional risks related to multi-tenancy, third party
dependence, multi-party outsourcing and shared infrastructures. These risks are related
primarily to compliance, trust, and privacy, whereas the security risks at the technology
layers of the cloud are well handled by most of the cloud service providers given the
wider bandwidth available to them for implementing state-of-the-art security
components.
NIST SP 800-144 standard offers a number of security controls for cloud
computing. In Chapter 5, the NIST recommended controls are mapped carefully with the
Page 61 of 69
corresponding controls of COSO and Risk IT. This is the context of the second research
question. It has been found that COSO recommendations comprise scientific methods
for identifying, assessing, and controlling risks whereas Risk IT recommendations
comprise organisations structures, roles, interfaces, processes, and procedures for
managing risks with an enterprise-wide risk view philosophy. Based on a close analysis
of the three standards, a hierarchy of steps is proposed for using the three standards in
an organised and structured enterprise risk management system.
The initiatives by Cloud Security Alliance as reported by IET (2012) and Ernst
and Young (2011) are highly commendable, especially when the cloud regulatory
frameworks are yet to be standardised. The Cloud Security Alliance has introduced
Cloud
Trust
Protocol
(CTP),
Cloud
Auditing
Framework
(CAF),
Continuous
Assessments Checklist (CAC), and Cloud Controls Matrix (CCM). SMEs can benefit
significantly from such initiatives. A risk management as a service framework is
proposed in Chapter 6 using the seven-layer cloud model and the integrated framework
of NIST SP 800-144, COSO, and Risk IT formed in Chapter 5. However, SMEs may
move one step ahead and undertake their own initiatives in building their respective risk
management frameworks before entering the clouds. NIST SP 800-144 standard
recommends a set of preparations that SMEs may like to complete before choosing the
right cloud service providers. NIST recommended a number of security requirements
that SMEs may consider in planning for their risk management framework on cloud
computing. If SMEs map these requirements with the corresponding controls in COSO
and Risk IT mapped in Chapter 5, they can be well prepared to choose the most
appropriate cloud service providers and manage their risks effectively with least
Page 62 of 69
involvement of the cloud providers. A structured framework of communications and
service requests will make sure that they can get the best support from cloud service
providers for mitigating risks.
7.2. Recommendations
This research recommends that SMEs should form a forum and agree upon set
of standards using NIST SP 800-144, COSO, and Risk IT, or similar known and
emerging standards. These standards are published and hence all SMEs can
implement them by going through the guides and by hiring consultants. Even cloud
service providers can gain access to these standards easily. If the SMEs join hands and
demand compliance to these standards, the cloud service providers will also find it
easier to align their services accordingly. It will be easier for both parties to implement a
collaborative framework of risk management. The mapping of controls presented in
Chapter 5 is just an illustration on how this could be achieved. It can be done in better
ways by involving professional consultants. Once the cloud service providers and the
SMEs align their risk management frameworks, it will be just a matter of appropriate
communications and service requests. By choosing multiple cloud service providers, the
SMEs may segregate their services and their controls among multiple clouds at slightly
additional costs.
This research is an archival study and hence is based on published literatures,
standards, and reports. It is recommended that future researchers may like to undertake
this study by conducting primary research among SMEs using cloud-hosted services
and among cloud service providers. In such studies, a practical viewpoint of how
Page 63 of 69
standards can be implemented for SMEs using cloud services may emerge. Such
studies may clarify the positioning of standards and Cloud Security Alliance initiatives,
which has not been addressed by this research. Such minute details can be learnt only
from experiences of SMEs and cloud service providers.
Page 64 of 69
References
Ahmad, R. and Janczewski, L. (2010). "Triangulation theory: An approach to mitigate
governance risks in clouds", IEEE: p. 1-8.
Amburst, M., Fox, A., Griffith, R., Joseph, A.D., Katz, R., Konwinski, A., Lee, G., Patterson, D.,
Rabkin, A., Stoica, I. and Zaharia, M. (2010). “A View of Cloud Computing”.
Communications of the ACM, Vol. 53 (4): p. 50-58. ACM.
Anderson, E. E. and Choobineh, J. (2008). "Enterprise information security strategies".
Computers and Security, Vol. 27: p. 22-29. Elsevier.
Badger, L., Bohn, R., Chu, S., Hogan, M., Liu, F., Kaufmann, V., Mao, J., Messina, J., Mills, K.,
Sokol, A., Tong, J., Whiteside, F. and Leaf, D. (2011). “U.S. Government cloud
computing technology roadmap – Volume II”, Special Publication 500-293, NIST (U.S.
Department of Commerce): p. 6-76.
Bakshi, K. (2011). “Considerations for Cloud Data Centers: Framework, Architecture and
Adoption”. IEEE: p. 1-7.
Bryman, A. and Bell, E. (2007). “Business Research Methods”. Second Edition. London: Oxford
University Press.
Chandran, S. P., and Angepat, M. (2010). "Cloud Computing: Analysing the risks involved in
cloud computing environments", IEEE: p. 1-6.
Chen, Z. and Yoon, J. (2010). "IT Auditing to Assure a Secure Cloud Computing", IEEE: p. 253259.
Chen, Z., Han, F., Cao, J., Jiang, X., and Chen, S. (2013), "Cloud Computing-Based Forensic
Analysis for Collaborative Network Security Management System", IEEE Computer
Society: p. 40-50.
Chorafas, D. N. (2011). “Cloud Computing Strategies”, London: CRC Press, Taylor and Francis
Group.
Page 65 of 69
Clemons, E. K., and Chen, Y. (2010). "Making the Decision to Contract for Cloud Services:
Managing the Risk of an Extreme Form of IT Outsourcing", In CloudAsia2010, 2-7 May,
2010, Singapore, p. 1-10.
Cloud Security Alliance (2013). "The notorious nine cloud computing top threats in 2013", p. 221. http://www.cloudsecurityalliance.org/topthreats [Accessed: 26 October 2013]
Dai, W. (2009). "The impact of emerging technologies on small and medium enterprises
(SMEs), Journal of Business Systems, Governance and Ethics, Vol. 4 (4): p. 53-60,
School of Law, Victoria University, Melbourne.
Demchenko, Y., Ngo, C., Makkes, M. X., Strijkers, R. (2011), "Intercloud Architecture
Framework for Interoperability and Integration Release 2, Draft Version 0.7", System and
Network Engineering, Universitiet van Amsterdam, p. 1-31.
Dhillon, G. and Backhouse, J. (2000). "Information System Security Management in the New
Millennium". Communications of the ACM, Vol. 43 (7), p. 125-128.
Doherty, E., Carcary, M. Dr., and Conway, G. (2012). "Risk Management Considerations in
Cloud Computing Adoption", Research by Innovation Value Institute (IVI), p. 2-7.
Elgarnal, T. (2009). "The new predicaments of security practitioners". Computer Fraud and
Security, Vol. November 2009: p. 12-14. Elsevier.
ENISA (2010). "Cloud computing: benefits, risks and recommendations for information security",
European Network and Information Security Agency, p. 1-6.
"Enterprise Risk Management–Integrated Framework: application techniques", Committee of
Sponsoring Organizations of the Treadway Commission (COSO), 2004, p. 2-112.
Ernst and Young (2011), "Cloud computing issues and impacts", Global Technology Industry
Discussion Series, p. 1-56.
Everett, C. (2011). “A risky business: ISO 31000 and 27005 unwrapped”, Computer Fraud and
Security, February 2011: p. 5-7. Elsevier.
Page 66 of 69
Fan, C. and Chen, T. (2012). "The Risk Management Strategy of Applying Cloud Computing",
International Journal of Advanced Computer Science and Applications, Vol. 3 (9): p. 1827.
Gandotra, V., Singhal, A. and Bedi, P. (2009). “Threat mitigation, monitoring and management
plan - a new approach in risk management”. IEEE Computer Society: p. 719-723.
Haselmann, T. and Vossen, G. (2011), "Software-as-a-Service in Small and Medium
Enterprises: An Empirical Attitude Assessment", European Research Center for
Information Systems (ERCIS), University of Munster, Germany, p. 1-14.
Herath, T. and Rao, H. R. (2009). Encouraging information security behaviors in organizations:
Role of penalties, pressures and perceived effectiveness. Decision Support Systems,
Vol. 47: p. 154-165. Elsevier.
Herath, T. and Rao, H. R. (2009). "Protection motivation and deterrence: a framework for
security policy compliance in organizations". European Journal of Information Systems,
Vol. 18, p. 106–125, Operational Research Society. Palgrave Journals.
Horwath, C., Chan, W., Leung, E., and Pili, H. (2012). "Enterprise Risk Management for Cloud
Computing", Thought Leadership in ERM, Committee of Sponsoring Organizations of the
Treadway Commission (COSO) research paper, p. 3-32.
Humphreys, E. J., Moses, R. H., Plate, E. A. (1998). “Guide to BS7799 risk assessment and
management”. London: British Standards Institution, p. 1-74.
IET (2012), "Cloud Computing - The Security Challenge", Fact file by The Institution of
Engineering and Technology, p. 1-8.
“Information Technology — Security Techniques — Information Security Management System”.
International Standard. BS ISO/IEC 27001:2005. British Standards Institution (BSI),
2005: p. 7-35.
“Information Technology — Security Techniques — Information Security Risk Management”.
International Standard. BS ISO/IEC 27005:2008. British Standards Institution (BSI),
2008: p. 9-27.
Page 67 of 69
Jansen, W. A. and Grance, T. (2011). "Guidelines on Security and Privacy in Public Cloud
Computing", NIST Special Publication 800-144: p. 4-88, National Institute of Standards
and Technology, U.S. Department of Commerce.
Jansen, W. A. (2011). "Cloud Hooks: Security and Privacy Issues in Cloud Computing", IEEE: p.
1-10.
Jing, X. and Jian-Jun, Z (2010), "A Brief Survey on the Security Model of Cloud Computing",
IEEE Computer Society: p. 475-478.
Karabek, M. R. Dr., Kleinert, J. and Pohl, A. Dr. (2011). "Cloud Services for SMEs – Evolution or
Revolution?", Business Innovation, Quarter 1, 2011: p. 26-33.
Miller, M. (2009). “Cloud Computing: Web based applications that change the way you work and
collaborate online”. US: Que Publishing (Pearson).
Mukhin, V. and Volokyta, A. (2011). "Security Risk Analysis for Cloud Computing Systems", In
the 6th IEEE International Conference on Intelligent Data Acquisition and Advanced
Computing Systems: Technology and Applications, 15-17th September 2011, Prague,
Czech Republic, IEEE: p. 737-742.
Ozkan, S. and Karabacak, B. (2010). “Collaborative risk method for information security
management practices: A case context within Turkey”, International Journal of
Information Management, Vol. 30: p. 567–572, Elsevier.
Peiyu, L. and Dong, L. (2011). "The New Risk Assessment Model for Information System in
Cloud Computing Environment", Procedia Engineering, Vol. 15: p. 3200-3204, Elsevier.
Qian, L., Luo, Z., Du, Y. and Guo, L. (2009). “Cloud Computing: An Overview”. Jaatun, M. G.,
Zhao, G. and Rong, C. (Eds.). LNCS 5931: p. 626–631, Berlin: Springer-Verlag.
Rittinghouse, J. W. and Ransome, J. F. (2010). "Cloud Computing: Implementation,
Management, and Security", CRC Press.
Ruan, K., Carthy, J., Kechadi, T., and Crosbie, M. (2011), "Cloud forensics: An overview",
Centre for Cybercrime Investigation, University College Dublin and IBM Ireland Ltd: p. 116.
Page 68 of 69
Shortreed, J. (2008). “ISO 31000 - Risk management standard”. Institute of Risk Research,
University of Waterloo: p. 2-24.
Tai, S., Nimis, J., Lenk, A. and Klems, M. (2010). “Cloud Service Engineering”. In proceedings
of ICSE 2010, 2 May 2010 to 8 May 2010, Cape Town, South Africa, ACM: p. 475-476.
Taylor, M., Haggerty, J., Gresty, D., Lamb, D. (2011), "Forensic investigation of cloud computing
systems", Network Security, Vol. Spring 2011: p. 4-10, Elsevier.
“The Risk IT framework: principles, process details, management guidelines, and maturity
models”, ISACA, 2009: p. 7-103.
Thompson, C. B. Dr. and Walker, B. L. Dr. (1998). “Basics of Qualitative Research”. A M
Journal. Vol.17 (2): p. 64-72. Elsevier.
Tripathi, A. and Mishra, A. (2011), "Cloud Computing Security Considerations", IEEE: p. 1-5.
VMware (2012),"VBLOCK Systems", version 1.0, p. 1-36.
Zech, P. (2011). "Risk–Based Security Testing in Cloud Computing Environments", IEEE: p.
411-414.
Zhang, Q., Cheng, L. and Boutaba, R. (2010). “Cloud computing: state-of-the-art and research
challenges”. Journal of Internet Services and Applications, Vol. 1: p. 7-18. Springer.
Zhang, X., Wuwong, N., Li, H., and Zhang, X. (2010). "Information Security Risk Management
Framework for the Cloud Computing Environments", IEEE: p. 1328-1334.
Page 69 of 69