Safeguarding the Cloud: An Effective Risk Management Framework for Cloud Computing Services

Authors

  • Fahad F Alruwaili, Shaqra University, Saudi Arabia, and College of Engineering/Department of Electrical and Computer Engineering, University of Victoria, Victoria, British Columbia, Canada
  • T. Aaron Gulliver, College of Engineering/Department of Electrical and Computer Engineering, University of Victoria, Victoria, British Columbia, Canada

Keywords:

Information Security, Risk Management and Assessment, Cloud Security Services, Service Level Agreement (SLA), Security Operations Center (SOC)

Abstract

Cloud computing services have attracted the attention of many organizations seeking flexible, simple, and efficient system development, operation, and support. The cost advantages of cloud services motivate the outsourcing of IT systems to the cloud. However, there is a lack of awareness of the security risks associated with cloud services. These risks and the associated threats could jeopardize the success and even the survivability of organizations that adopt cloud services. To address this issue, a risk management framework is proposed in this paper which leverages the previously proposed security operations center as a service (SOCaaS) combined with a secure service level agreement (SecSLA) to provide security requirements and compliance. The framework is self-aware of the organization's assets and the associated security risks and vulnerabilities. Automated tools are provided to identify, classify, evaluate, and control the information security and data privacy of cloud systems and services. The proposed framework supports cloud protection by identifying threats and vulnerabilities in cloud systems and recommending steps to ensure their confidentiality, integrity, and availability (CIA).

Author Biographies

  • Fahad F Alruwaili, Shaqra University, Saudi Arabia, and College of Engineering/Department of Electrical and Computer Engineering, University of Victoria, Victoria, British Columbia, Canada

    Fahad Alruwaili is a faculty member and academic advisor in the Computer Science Department at the University of Shaqra, Saudi Arabia. He freelances and works as an information security and computer networks consultant with over six years of practical and administrative experience. He earned his BS degree in Computer Engineering from King Fahd University of Petroleum and Minerals, Saudi Arabia, in 2002. In 2008, he achieved his MS degree in Computer, Information, and Network Security with first class honors from DePaul University, Chicago, USA. In 2011, he received his second MS in Information Systems and Technology from Claremont Graduate University, Los Angeles, USA. He is currently working on his Ph.D. at the University of Victoria in Canada.

    To have access to my work and competencies, please visit my LinkedIn page

    http://www.linkedin.com/in/fahadalruwaili

  • T. Aaron Gulliver, College of Engineering/Department of Electrical and Computer Engineering, University of Victoria, Victoria, British Columbia, Canada

    T. Aaron Gulliver received the B.Sc.(Eng.) and M.Sc.(Eng.) degrees in Electrical Engineering from the University of New Brunswick, Fredericton, New Brunswick, in 1982 and 1984, respectively, and the Ph.D. degree in Electrical Engineering from the University of Victoria in 1989.

    From 1989 to 1991 he was employed as a Defence Scientist at Defence Research Establishment Ottawa, Ottawa, Ontario, where he was primarily involved in research on frequency hop satellite communications.

    From 1990 to 1991 he was an Adjunct Research Professor in the Department of Systems and Computer Engineering at Carleton University, Ottawa. In 1991, he joined the department as an Assistant Professor, and was promoted to Associate Professor in 1995. From 1996 to 1999 he was a Senior Lecturer in the Department of Electrical and Electronic Engineering at the University of Canterbury, Christchurch, New Zealand. He is now a Professor in the Department of Electrical and Computer Engineering at the University of Victoria.

    He was registration chair for the 1995 IEEE International Symposium on Information Theory which was held in Whistler, BC, Canada. In 2001, 2005, 2007, 2009 and 2011 he was the co-chair of the IEEE Pacific Rim Conference on Communications, Computers and Signal Processing. He was also the co-chair of the 2003 Information Theory Workshop held in Paris. He has been on the organizing committees of numerous other international conferences.

    From 2000-2003, he was Secretary and a member of the Board of Governors of the IEEE Information Theory Society.

    He is a Senior Member of the Institute of Electrical and Electronic Engineers and a member of the Association of Professional Engineers and Geoscientists of British Columbia, Canada.

    He is the author or co-author of over 500 published papers.

    In 2000, he was awarded a Research Fellowship by the British Columbia Advanced Systems Institute.

    In 2002, he was made a Fellow of the Engineering Institute of Canada. In 2012, he was made a Fellow of the Canadian Academy of Engineering.

    His research interests include algebraic coding theory, information theory, cryptography, design and construction of error correcting codes, decoding and implementation of error correcting codes, soft decision decoding of block codes, turbo codes and iterative decoding, error control coding for computer memories, ultra-wideband and spread spectrum communication systems, mobile and personal communications, OFDM, smart grid and green communications.

Published

2014-09-30