A Scenario-Based Methodology for Cloud Computing Security Risk Assessment
Cloud computing has been one of the major emerging technologies in recent years. However, for cloud computing, the risk assessment becomes more complex since there are several issues that likely emerged. In this paper, we survey the existing work on assessing security risks in cloud computing applications. Existing work does not address the dynamic nature of cloud applications and there is a need for methods that calculate the security risk factor dynamically. In this paper, we use the National Institute of Standards and Technology (NIST) Risk Management Framework and present a dynamic scenario-based methodology for risk assessment. The methodology is based using Bayesian networks to estimate the likelihood of cloud application security failure which enables us to compute the probability distribution of failures over variables of interest given the evidence. We illustrate the methodology using two case studies and highlight the significant risk factors. We also show the effect of using security controls in reducing the risk factors.
Almathami, Mohammed, "SLA-based risk analysis in cloud computing environments" ,Thesis. Rochester Institute of Technology, 2012.2. http://blogs.datadirect.com/2013/07/banking-security-cloud.html 3. Fatimah M. Alturkistani, Ahmed Z. Emam, "A Review of Security Risk Assessment Methods in Cloud Computing", New Perspectives in Information Systems and Technologies, Volume 1 , Springer International Publishing, 2014. 4. Drissi S., Houmani H. and Medromi H., Survey: Risk Assessment for Cloud Computing, University Hassan II Aïn Chock. ENSEM Casablanca, Morocco, (IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 4, No. 12, 2013. 5. J. Oriol Fit´o, Mario Mac´ıas and Jordi Guitart, Toward Business-driven Risk Management for Cloud Computing, Barcelona Supercomputing Center and Technical University of Catalonia, 978-1-4244-8909-1/$26.00 _c 2010 IEEE. 6. David Lopez,Oscar Pastor, Luis Javier Garcia Villalba," Data model extension for security event notification with dynamic risk assessment purpose",Science China Information Sciences, Volume 56, Issue 11, pp 1-9, November 2013.
Norman E. Fenton, Member, IEEE Computer Society, Martin Neil, And Jose Galan Caballero, "Using Ranked Nodes To Model Qualitative Judgments In Bayesian Networks",Ieee Transactions On Knowledge And Data Engineering, Vol. 19, No. 10, October 2007.
Peter Hearty, Norman Fenton, David Marquez, and Martin Neil, Predicting Project Velocity in XP Using a Learning Dynamic Bayesian Network Model, Ieee Transactions On Software Engineering, Vol. 35, No. 1, January/February 2009.
Daniele Catteddu and Giles Hogben," cloud computing :Benefits, risks and recommendations for information security", The European Network and Information Security Agency (ENISA),2009.
Amit Sangroya, Saurabh Kumar, Jaideep Dhok, Vasudeva Varma, "Towards analyzing data security risks in cloud computing environments", International Conference on Information Systems, Technology, and Management (ICISTM 2010).
Xuan Zhang, Nattapong Wuwong, Hao Li ,Xuejie Zhang, "Information security risk management framework for the cloud computing environments",10th IEEE International Conference on Computer and Information Technology (CIT 2010), China.
P. Saripalli and B. Walters, "QUIRC: A quantitative impact and risk assessment framework for cloud security", In the Proceedings of the IEEE 3rd International Conference on Cloud Computing, pp. 280-288, 2010.
Jaydip Sen, "Security and privacy issues in cloud computing", Innovation Labs, Tata Consultancy Services Ltd., Kolkata, INDIA
Burton S. Kaliski Jr. and Wayne Pauley “Toward risk assessment as a service in cloud environments,” EMC Corporation, Hopkinton, MA, USA 2010.
Afnan Ullah, Khan, Manuel Oriol, Mariam Kiran, Ming Jiang, Karim Djemame , "Security risks and their management in cloud computing", 4th International Conference on Cloud Computing Technology and Science ,UK,University of York, Switzerland ,Barcelona, Spain, 2012 IEEE.16. Saadia Drissi1, Siham Benhadou1, Hicham Medromi1,"A New Shared and Comprehensive Tool of Cloud Computing Security Risk Assessment", National High School of Electricity and Mechanics, ENSE, 2015.
Shareeful Islam ,Stefan Fenz , Edgar Weippl and Haralambos Mouratidis, "A Risk Management Framework for Cloud Migration Decision Support"
, J. Risk Financial Manag. 2017, 10, 10; doi:10.3390/jrfm10020010.
Gary Stoneburner, Alice Goguen, and Alexis Feringa ,”Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology”, NIST Special Publication 800-30, July 2002.
Marit E. Kragt,"A beginners guide to Bayesian network modelling for integrated catchment management", Landscape Logic Technical Report No. 9, July 2009.
Symantec Security Response,"Assessing the Severity of Threats, Events, Vulnerabilities", February 2006.
Shen Juncai and Qian Shao," Based on Cloud Computing E-commerce Models and Its Security”, International Journal of e-Education, e-Business, e-Management and e-Learning, Vol. 1, No. 2, June, 2011.
Fadi HajSaid, Yousef Hassouneh and Hany Ammar,” Security Risk Assessment of Software Architecture”, ICCTA 2011, 15-17 October 2011, Alexandria, Egypt.
Adam Goslin, Chief Operations Officer, PCI Compliance Updates, E-Commerce / Cloud Security.
Bernd Grobauer, Tobias Walloschek and Elmar Stöcker, “ Understanding Cloud Computing Vulnerabilities”, Aug 15, 2011.
Microsoft Corporation," Microsoft Dynamics CRM Online security and compliance planning guide" ,September 2013.
Pritesh Parekh and Joe Andrews ,”Keeping Your Cloud Secure – a CIO’s Favorite”.
Keiko Hashizume, ”A Reference Architecture For Cloud Computing And Its Security Applications ”,Florida Atlantic University , 2013
Kumar Narander and Saxena Swati ,”An Efficient Live VM Migration Technique in Clustered Datacenters”, Research Journal of Recent Sciences ISSN 2277-2502 Vol. 3(IVC-2014), INDIA , 2014
Mahdi Aiash, Glenford Mapp, Orhan Gemikonakli, "Secure Live Virtual Machines Migration: Issues and Solutions",Advanced Information Networking and Applications Workshops (WAINA), 2014.
CSA, The Notorious Nine: Cloud Computing Top Threats in 2013, Top Threats Working Group, CSA, 2013. Available:https://cloudsecurityalliance.org/download/the-notorious-nine-cloudcomputing-top-threats-in-2013
How to Cite
Copyright (c) 2017 Ishraga Mohamed Ahmed Khogali, Prof. Hany Ammar
This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.
Submission of an article implies that the work described has not been published previously (except in the form of an abstract or as part of a published lecture or academic thesis), that it is not under consideration for publication elsewhere, that its publication is approved by all authors and tacitly or explicitly by the responsible authorities where the work was carried out, and that, if accepted, will not be published elsewhere in the same form, in English or in any other language, without the written consent of the Publisher. The Editors reserve the right to edit or otherwise alter all contributions, but authors will receive proofs for approval before publication.
Copyrights for articles published in IJIER journals are retained by the authors, with first publication rights granted to the journal. The journal/publisher is not responsible for subsequent uses of the work. It is the author's responsibility to bring an infringement action if so desired by the author.