Cloud Computing is a rapidly evolving paradigm that is radically changing the way humans use their computers. Despite the many advantages, such as economic benefit, a rapid elastic resource pool, and on-demand service, the paradigm also creates challenges for both users and providers. There are issues, such as unauthorized access, loss of privacy, data replication, and regulatory violation, that require adequate attention. A lack of appropriate solutions to such challenges might cause risks, which may outweigh the expected benefits of using the paradigm. In order to address the challenges and associated risks, a systematic risk management practice is necessary that guides users to analyze both benefits and risks related to cloud-based systems. In this chapter the authors propose a goal-driven risk management modeling (GSRM) framework to assess and manage risks that supports analysis from the early stages of cloud-based systems development. The approach explicitly identifies the goals that the system must fulfill and the potential risk factors that obstruct the goals so that suitable control actions can be identified to control such risks. The authors provide an illustrative example of the application of the proposed approach in an industrial case study where a cloud service is deployed to share data amongst project partners.
Cloud computing is a promising business concept that allows businesses to increase IT capacity in real time without investing more in new infrastructure, personnel training, and licensing of new software. The paradigm provides flexibility both in terms of possible delivery models, i.e., Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS), and in terms of possible deployment models, i.e., private, community, public, and hybrid cloud. It is easier to deploy, maintain, and update software in the cloud compared to the end-user machine (Choo, 2010). As with any new technology, it creates new opportunities but also introduces risks. In the case of cloud computing, many challenges are related to security, privacy, and control of data and resources. Such challenges can cause potential risks, which may outweigh the expected benefits. Attackers could steal users' intellectual property and other sensitive information that is stored, processed, and managed in the cloud. A small service failure on the provider's end, which may last only an hour, sometimes has dramatic effects on an enterprise. The failure may stop usual operation, which in turn may cause financial losses. Challenges may also arise from the cloud provider's business model. For example, providers who frequently improve their range of services in response to evolving customer demand introduce the possibility of new security bugs with every additional feature. In a worst-case scenario, cloud providers might not notify their clients of security breaches. According to the IT Cloud Service User Survey (Cloud Survey, 2008), many organizations consider security concerns to be the most serious barrier to cloud adoption. While the cloud offers a number of advantages, many of the major players will be tempted to hold back until some of the risks are better understood (Viega, 2009).
It is important to consider those aspects that might cause risks before users decide whether to move their systems, services, applications, and/or data to the cloud. Understanding security and privacy risks and finding solutions to control these risks is a critical issue for the success of the cloud computing paradigm (Takabi et al., 2010).