Safeguarding the Cloud: An Effective Risk Management Framework for Cloud Computing Services

Fahad F. Alruwaili, T. Aaron Gulliver

Abstract


Cloud computing services have attracted the attention of many organizations seeking flexible, simple, and efficient system development, operation, and support. The cost advantages of cloud services motivate the outsourcing of IT systems to the cloud. However, organizations are often unaware of the security risks that come with cloud services. These risks and the associated threats can jeopardize the success and even the survival of organizations that adopt cloud services. To address this issue, a risk management framework is proposed in this paper which leverages the previously proposed security operations center as a service (SOCaaS) combined with a secure service level agreement (SecSLA) to specify security requirements and verify compliance with them. The framework maintains an up-to-date view of the organization's assets and the security risks and vulnerabilities associated with them. Automated tools are provided to identify, classify, evaluate, and control information security and data privacy risks in cloud systems and services. The proposed framework supports cloud protection by identifying threats and vulnerabilities in cloud systems and recommending steps to preserve their confidentiality, integrity, and availability (CIA).

Keywords


Information Security; Risk Management and Assessment; Cloud Security Services; Service Level Agreement (SLA); Security Operations Center (SOC)

References


C. K. Fan, C. M. Chiang, and T. L. Kao, “Risk Management Strategies for the Use of Cloud Computing,” International Journal of Computer Network and Information Security, Vol. 4, No. 12, pp. 50-58, November 2012.

M. Dou El Kefel, and B. Mohamed, “Risk Management in Cloud Computing,” IEEE International Conference on Innovative Computing Technology, pp. 127-131, London, UK, August 2013.

Cloud Security Alliance, “Security Guidance for Critical Areas of Focus in Cloud Computing v3.0,” Cloud Security Alliance, https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf, 2011.

H. Sato, A. Kanai, and S. Tanimoto, “A Cloud Trust Model in a Security Aware Cloud,” IEEE/IPSJ International Symposium on Applications and the Internet, pp. 121-124, Seoul, Korea, July 2010.

N. A. Sultan, “Reaching for the Cloud: How SMEs Can Manage,” International Journal of Information Management, Vol. 31, No. 3, pp. 272-278, June 2011.

N. Stinchcombe, “Cloud Computing in the Spotlight,” Infosecurity Magazine, http://www.infosecurity-magazine.com/view/4755/cloud-computing-in-the-spotlight/, October 2009.

R. Chow, P. Golle, M. Jakobsson, E. Shi, J. Staddon, R. Masuoka, and J. Molina, “Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control,” Proceedings of the ACM Workshop on Cloud Computing Security, pp. 85-90, Chicago, IL, November 2009.

Symantec Corporation, “State of Enterprise Security Report 2010,” http://www.symantec.com/content/en/us/about/presskits/SES_report_Feb2010.pdf, 2010.

C. K. Fan, and T.-C. Chen, “The Risk Management Strategy of Applying Cloud Computing,” International Journal of Advanced Computer Science and Applications, Vol. 3, No. 9, pp. 18-27, September 2012.

J. R. Kalyvas, M. R. Overly, and M. A. Karlyn, “Cloud Computing: A Practical Framework for Managing Cloud Computing Risk—Part I,” Intellectual Property and Technology Law Journal, Vol. 25, No. 4, pp. 7-18, March 2013.

Cloud Industry Forum, “Cloud UK: Adoption and Trends for 2011,” http://www.cloudindustryforum.org/downloads/whitepapers/cif-white-paper-1-2011-cloud-uk-adoption-and-trends.pdf, 2011.

X. Zhang, N. Wuwong, H. Li, and X. Zhang, “Information Security Risk Management Framework for the Cloud Computing Environments,” IEEE International Conference on Computer and Information Technology, pp. 1328-1334, Bradford, UK, June-July 2010.

Cloud Security Alliance Research, “Cloud Controls Matrix v3.0,” https://cloudsecurityalliance.org/research/ccm/, September 2013.

F. F. Alruwaili, and T. A. Gulliver, "SOCaaS: Security Operations Center as a Service for Cloud Computing Environments," International Journal of Cloud Computing and Services Science, Vol. 3, No. 2, pp. 87-96, April 2014.

F. F. Alruwaili and T. A. Gulliver, "CCIPS: A Cooperative Intrusion Detection and Prevention Framework for Cloud Services," International Journal of Latest Trends in Computing, Vol. 4, No. 4, pp. 151-158, December 2013.

F. F. Alruwaili and T. A. Gulliver, "SecSLA: A Proactive and Secure Service Level Agreement Framework for Cloud Services," International Journal of Cloud Computing and Services Science, submitted July 2014.

J. Morin, J. Aubert, and B. Gateau, “Towards Cloud Computing SLA Risk Management: Issues and Challenges,” IEEE International Conference on System Science, pp. 5509-5514, Maui, HI, January 2012.

A. van Cleeff, “A Risk Management Process for Consumers: The Next Step in Information Security,” ACM Workshop on New Security Paradigms, pp. 107-114, September 2010.

Cloud Security Alliance, “Governance, Risk Management and Compliance (GRC) Stack,” http://www.cloudsecurityalliance.org/grcstack.html, March 2013.

International Organization for Standardization, ISO/IEC 27005:2011, “Information Technology - Security Techniques - Information Security Risk Management,” http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=56742, 2011.

J. O. Fitó, M. Macías, and J. Guitart, “Towards Business-driven Risk Management for Cloud Computing,” IEEE International Conference on Network and Service Management, pp. 238-241, Niagara Falls, ON, October 2010.

G.-R. Li, H. Liu, and C.-H. Li, “Proposal of Cloud Computing Platform for Enterprise Comprehensive Risk Management,” Information Technology Journal, Vol. 12, No. 18, pp. 3843-3848, December 2013.

A. S. Abiodun, “A Framework for Implementation of Risk Management System in Third Party Managed Cloud,” Journal of IT and Economic Development, Vol. 4, No. 2, pp. 19-30, October 2013.

J. Gold, “Protection in the Cloud: Risk Management and Insurance for Cloud Computing,” Journal of Internet Law, Vol. 15, No. 12, pp. 24-28, June 2012.

V. Lalanne, M. Munier, and A. Gabillon, “Information Security Risk Management in a World of Services,” IEEE International Conference on Social Computing, pp. 586-593, Alexandria, VA, September 2013.

European Network and Information Security Agency (ENISA), “Cloud Computing: Benefits, Risks and Recommendations for Information Security,” https://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment, November 2009.

K. Dahbur, B. Mohammad, and A. B. Tarakji, “A Survey of Risks, Threats and Vulnerabilities in Cloud Computing,” ACM International Conference on Intelligent Semantic Web-services and Applications, pp. 1-6, Amman, Jordan, April 2011.

Cloud Security Alliance, “Top Threats to Cloud Computing V1.0,” https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf, March 2010.

M. Jensen, J. Schwenk, N. Gruschka, and L. L. Iacono, “On Technical Security Issues in Cloud Computing,” IEEE International Conference on Cloud Computing, pp. 109-116, Bangalore, India, September 2009.

M. E. Whitman, “Enemy at the Gate: Threats to Information Security,” Communications of the ACM, Vol. 46, No. 8, pp. 91-95, August 2003.

National Institute of Standards and Technology, “Risk Management Guide for Information Technology Systems,” NIST Special Publication 800-30, http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf, July 2002.

S. Tanimoto, M. Hiramoto, M. Iwashita, H. Sato, and A. Kanai, “Risk Management on the Security Problem in Cloud Computing,” ACIS/JNU International Conference on Computers, Networks, Systems and Industrial Engineering, pp. 147-152, Jeju Island, Korea, May 2011.

S. Hiroyuki, A. Kanai, and S. Tanimoto, “A Cloud Trust Model in a Security Aware Cloud,” IEEE/IPSJ International Symposium on Applications and the Internet, pp. 121-124, Seoul, Korea, July 2010.

P. S. Pawar, M. Rajarajan, S. K. Nair, and A. Zisman, “Trust Model for Optimized Cloud Service,” Trust Management VI, IFIP Advances in Information and Communication Technology, Vol. 374, pp. 97-112, Surat, India, May 2012.

M. L. Kaufman, “Can Public-cloud Security Meet its Unique Challenges?,” IEEE Security and Privacy, Vol. 8, No. 4, pp. 55-57, July-August 2010.

A. Baldwin, D. Pym, and S. Shiu, “Enterprise Information Risk Management: Dealing with Cloud Computing,” Privacy and Security for Cloud Computing, Springer, pp. 257-291, 2013.

A. Baldwin, D. Pym, M. Sadler, and S. Shiu, “Information Stewardship in Cloud Ecosystems: Towards Models, Economics and Delivery,” IEEE International Conference on Cloud Computing Technology and Science, pp. 784-791, Athens, Greece, November-December 2011.

D. Pym, M. Sadler, S. Shiu, and M. C. Mont, “Information Stewardship in the Cloud: A Model-based Approach,” International Conference on Cloud Comp, Guilin, China, October 2010.

N. Brender and I. Markov, “Risk Perception and Risk Management in Cloud Computing: Results from a Case Study of Swiss Companies,” International Journal of Information Management, Vol. 33, No. 5, pp. 726-733, May 2013.

S. Srinivasan, “Risk Management in the Cloud and Cloud Outages,” in Security, Trust and Regulatory Aspects of Cloud Computing in Business Environments, IGI Global, 2014.