A study of NIST SP 800-144 standard on IT risk management

A study of NIST SP 800-144 standard on IT risk management in cloud computing: Creating a novel framework for implementing it in Small and Medium sized Enterprises (SMEs) by applying COSO and ISACA's Risk IT frameworks

Sandeep Kaur Sidhu

Master of Science (Computer & Information Science)

University of South Australia

Thesis submitted to the University of South Australia, School of Information Technology & Mathematical Sciences, in partial fulfilment of the requirements for the degree of Master of Science (Computer & Information Science)

Supervisor: Dr Kim-Kwang Raymond Choo

Date: 28 October 2013


Abstract

Cloud computing is a new form of service-oriented computing in which clients are offered software applications, platforms, infrastructure, databases, and security as services. It is cost effective given that there are minimal capital expenses and all services are chargeable based on actual usage or subscription-based usage. This model is very attractive for small and medium scale enterprises (SMEs). However, there are a number of security risks in cloud computing that need to be managed. Currently, there are unclear regulations and models about how cloud computing vendors should undertake IT security and risk management accountabilities. NIST SP 800-144 is the first standard by a regulatory body on cloud computing security, but it needs to be supported by other standards and empirical theories. In this dissertation, a detailed mapping of the NIST standard with the COSO and Risk IT standards, supported by empirical theories, has been carried out. The synergised form of NIST SP 800-144 with COSO and Risk IT has been proposed for SMEs to manage their own IT risks amidst limited expectations from cloud service providers and uncertainty of applicable regulations. The three standards can be used with the assumption that not everything is in the control of even large-scale enterprises, but they still manage their risks. The same philosophy of certain internal practices in an uncertain external environment can be applied by SMEs as well. The findings reveal how SMEs can plan their cloud hosting ambitions, how they can define their own standards and expectations, how they can select multiple clouds, and how they can build their own controls by using multiple cloud service providers, investing some additional sums.


Table of Contents

Table of Figures ... 4
Chapter 1: Introduction ... 5
1.1. Background and context ... 5
1.2. Research problem ... 8
1.3. Research aim and objectives ... 10
1.4. Research questions ... 10
1.5. Research significance and expectations ... 11
1.6. Structure of the dissertation ... 12
Chapter 2: Literature review ... 13
2.1. Introduction ... 13
2.2. Empirical review of IT risk management ... 13
2.3. IT risk management frameworks ... 15
2.4. Empirical review of cloud computing ... 19
2.5. Security risks and IT risk management in cloud computing ... 22
2.6. A review of NIST 800-144 framework ... 25
2.7. Summary ... 26
Chapter 3: Research design ... 27
Chapter 4: Findings against research question 1 ... 30
4.1. Findings ... 30
4.2. Discussions ... 38
4.3. Summary ... 39
Chapter 5: Findings against research question 2 ... 40
5.1. Findings ... 40
5.2. Discussions ... 49
5.3. Summary ... 51
Chapter 6: Findings against research question 3 ... 53
6.1. Findings ... 53
6.2. Discussions ... 58
6.3. Summary ... 59
Chapter 7: Conclusions and recommendations ... 61
7.1. Conclusions ... 61
7.2. Recommendations ... 63
References ... 65

Table of Figures

Figure 1: A triangulated model of cloud security (Ahmad and Janczewski, 2010: p. 4) ... 7
Figure 2: An example integrated model of risk management framework in cloud computing based on COSO framework (Horwath et al., 2012: p. 9) ... 8
Figure 3: An overview of Risk IT Framework (ISACA, 2009: p. 33) ... 16
Figure 4: COSO Risk Management Framework (COSO, 2004: p. 2) ... 18
Figure 5: The multi-level service oriented architecture in the cloud computing (Zhang, Cheng, and Boutaba, 2009: p. 10) ... 20
Figure 6: Threat profiling in cloud computing environment ... 33
Figure 7: Threat of malicious attackers in cloud computing environment ... 34
Figure 8: Illustration of virtualization and virtual boundary weakness threats (GOS stands for guest operating system and HYP stands for Hypervisor) ... 36
Figure 9: Storage of data on multiple storage clusters spread globally poses data proliferation threat on cloud computing ... 37
Figure 10: Integrated risk management framework by mapping the controls of COSO, NIST, and Risk IT, as per Table 2 ... 48
Figure 11: Multilayer integrated risk management framework with multiple parties taking accountabilities of respective cloud layers ... 56
Figure 12: Mapping the multi-layer risk management framework with the integrated framework of NIST SP 800-144, COSO, and Risk IT ... 57

Chapter 1: Introduction

1.1. Background and context

This research is related to IT risk management challenges in cloud computing and the practical implementation of the NIST SP 800-144 standard, specifically designed for risk management in the clouds. Cloud computing has emerged as a new concept of commodity services in the world of computing, storage, broadband network access, platform services, and software services (Doherty, Carcary, and Conway, 2012: p. 2). Cloud computing vendors like Google, Microsoft, and Amazon offer rapid provisioning of on-demand self-operating services with minimal intervention by the service provider (Clemons and Chen, 2010: p. 3). These benefits are mostly availed by small and medium scale enterprises given their lack of capital funding for establishing expensive self-hosted IT infrastructures (Miller, 2009: p. 9-10). Cloud computing offers many business benefits to customers, especially in saving operating costs, managing IT enabled businesses with minimum administrative overheads, and getting access to world class software platforms and applications managed by their original manufacturers (Doherty, Carcary, and Conway, 2012: p. 2). However, cloud computing has multiple IT risks due to shared platforms, data confidentiality and privacy in user areas protected by virtual boundaries, identity thefts, privacy issues, vendor or data lock-in, loss of governance, loss of compliance, insider trading, and shared network and software vulnerabilities (Doherty, Carcary, and Conway, 2012: p. 3-4; ENISA, 2010: p. 5-6).

Given that cloud computing systems are multi-vendor and multi-tenant, a standard, legally-enforceable risk management framework incorporating all service providers and tenants is the key challenge (ENISA, 2010: p. 3). Risks in cloud computing arise due to shared services, cross-border litigation, data location, inter-cloud compatibility issues, lack of legal support for consumers, trust issues on service providers, IT security risks, consumer issues, privacy issues, data segregation issues, and data proliferation issues (Chandran and Agnepat, 2010: p. 3-5; Clemons and Chen, 2010: p. 5-7; Fan and Chen, 2012: p. 23-24; Jansen, 2011: p. 2-4; Sabahi, 2011: p. 245-247).

Fan and Chen (2012: p. 20-21) proposed that there should be an integrated risk management standard incorporating regulators, service providers, and customers. This standard should take care of cross-border litigation issues and data location uncertainty as well. A model for analysing risks at component levels of multiple layers of cloud computing needs to be established and agreed among all parties based on their priorities and impacts. This can be done by applying globally accepted standards like COSO, Risk IT (COBIT 5), and ISO 27005. For example, Ahmad and Janczewski (2010: p. 4) presented a triangulated model of cloud computing security employing integration of globally accepted security standards, statutory laws, and cloud services (Figure 1). In this model, the cloud service provider can choose any standard or set of standards for implementing risk management as long as they are integrated with the statutory laws and regulations applicable to the services offered. Hence, if Sarbanes-Oxley 2002 regulators recognise ISO 27005 for self-hosted IT infrastructures, cloud computing service providers can adopt ISO 27005 and customise it for implementing an effective IT risk management framework covering each component on the cloud such that they can demonstrate compliance with Sarbanes-Oxley regulations.

Figure 1: A triangulated model of cloud security (Ahmad and Janczewski, 2010: p. 4)

Horwath et al. (2012: p. 8-9) presented an example scenario (Figure 2) of how such an integrated model can be implemented using the COSO (Committee of Sponsoring Organizations of the Treadway Commission) risk management framework. They integrated the candidates offering cloud solutions, service delivery models, deployment models, business processes, and regulatory governance requirements in a single risk management framework based on the COSO standard. They recommended that the COSO enterprise risk management framework can be used to define, establish, and continuously improve an audit checklist used by regulators. Once standardised and enforced, all cloud services and solutions providers will implement controls in accordance with the standard and incorporate terms in agreements with specific roles of cloud tenants and service providers.

Figure 2: An example integrated model of risk management framework in cloud computing based on COSO framework (Horwath et al., 2012: p. 9)
1.2. Research problem

The problem is that there is a lack of a standardised risk management framework for cloud computing accepted globally for regulatory compliance. The Cloud Security Alliance recommended standard methods for risk management on cloud computing (IET, 2012: p. 3). However, these recommendations have not been standardised by regulation authorities. Mostly, regulation authorities prefer ISO 27005, ISO 27001, ISO 27002, and COBIT standards for demonstrating regulatory compliance of IT security and risk management (IET, 2012: p. 5-6). Cloud service providers need to find ways of using these standards for IT risk management. A new ISO standard (ISO 27017) is emerging for cloud computing risk management that is expected to be ratified in the year 2014. It may be the preferred choice of regulators, but till then there is a serious lack of internationally accepted standards fit for regulatory compliance of security and risk management of cloud service providers (Rittinghouse and Ransome, 2010: p. 158-159).

This problem poses a serious business risk for SMEs given that they have the most prominent reasons to adopt cloud computing services and are rapidly moving their IT systems to the clouds (Dai, 2009: p. 56; Haselmann and Vossen, 2011: p. 10; Jansen and Grance, 2011: p. 21; Karabek, Kleinert, and Pohl, 2011: p. 28).

NIST SP 800-144 is the first US regulatory standard for implementing risk management in the clouds (Jansen and Grance, 2011). This standard was released in the year 2011 but is not yet adequately supported by implementation procedures such that cloud providers can adopt a standardised framework for managing cloud risks. This standard needs exploratory study such that it can be mapped with other established risk management standards used for IT risk management. The above problem description and this challenge have been taken as the research problem of this dissertation. The researcher intends to explore the NIST SP 800-144 standard and map it with COSO and ISACA's Risk IT standards such that an appropriate risk management framework for SMEs using cloud computing can be proposed.

1.3. Research aim and objectives

With reference to the above established background and context, and the research problem, the following research aim is defined for this research:

Aim: To explore NIST SP 800-144, COSO, and Risk IT standards and the existing theories complementing their recommendations, and propose an IT risk management framework for SMEs using cloud computing to run their businesses. In the absence of established standards proposed by regulators, this research will aim at how SMEs can protect themselves from IT risks while using cloud hosted resources.

The aim is supported by the following research objectives:

(a) To study the IT risk exposures of businesses using cloud computing resources

(b) To explore NIST SP 800-144, COSO, and Risk IT standards and the existing theories complementing their recommendations

(c) To analyse how these standards can help the SMEs, dependent upon cloud hosted resources for running their businesses, in managing IT risks

1.4. Research questions

This research is directed by the aim and objectives proposed above for finding answers to the following research questions:

(a) What are the IT risk exposures of businesses that use cloud hosted resources for running their business processes?

(b) How could the NIST SP 800-144 standard be supported by COSO and Risk IT standards and the existing theories complementing their recommendations?

(c) How can NIST SP 800-144, COSO, and Risk IT standards help SMEs dependent upon cloud hosted resources in managing their IT risks?

These questions will be answered through exploratory studies of literature on cloud computing security and risk management and the stated standard documents.

1.5. Research significance and expectations

This research will be significant for researchers studying change in business risks and IT risks of SMEs that have moved their IT resources to cloud computing. This research may serve as a useful reference document for such research aspirants, especially in the fields of security controls and risk management for SMEs using cloud computing. In addition, this research may be able to generate some useful information for SMEs using cloud hosted resources looking forward to methods and ways for managing IT risks. This research shall produce a synergy of three professional standards and clarify their implementation approaches with the help of academic literature. Hence, it is expected that the results will be actionable in real world business environments. Given an opportunity, the researcher will look forward to disseminating the knowledge gained through the university website, journals, and conferences.

The following results are expected in this research:

(a) A detailed review of literature for identifying controls that can be used with the NIST SP 800-144 standard

(b) Mapping of NIST SP 800-144 recommendations with the controls identified, and with COSO and Risk IT standards

(c) Analysis of how this mapping will help SMEs using cloud hosted resources in managing their IT risks

These results will help in enhancing practical implementation of IT risk management in cloud computing using the NIST SP 800-144 standard. The results will present a consolidated view of opportunities to address security and privacy issues on the clouds. Some controls may be easily implementable and some of them may require long term multi-agency alignments and policy changes. However, the consolidated view can be helpful in preparing short-term and long-term goals for enhancing IT risk management on the clouds.

1.6. Structure of the dissertation

This research is divided into seven chapters. The first chapter presents the research attributes needed to establish the direction of data collection and exploratory study. The second chapter presents a detailed literature review pertaining to the research topic, research problem, and research objectives and questions, keeping the research aim in mind. The third chapter is a review of literature related to research design, especially using the research onion concept of Saunders, Lewis, and Thornhill (2011). The fourth chapter comprises findings against the first research question using the data collected in Chapter 2 and additional reviews conducted. Similarly, Chapters 5 and 6 comprise findings against the second and third research questions, respectively, using the data collected in Chapter 2 and additional reviews conducted. Chapter 7 presents a consolidated analysis of findings in Chapters 2, 3, 4, and 5, conclusions drawn from the analysis, and recommendations evolved from this research.

Chapter 2: Literature review

2.1. Introduction

Cloud computing is a new framework for delivering IT services to customers connecting to its various layers through the Internet. It has gained significant popularity in recent years due to lowered capital expenses and affordable revenue expenses offered to cloud tenants. However, the threats and uncertainties looming over cloud computing are wider due to shared infrastructures, virtual tenant boundaries, and spreading of data across multiple locations beyond territorial jurisdiction due to virtualised storage systems networked using virtual networking. These challenges have caused privacy and trust issues leading to reluctance by many business entities and public sector organisations in adopting cloud services. Looking into these challenges, NIST has released a standard, SP 800-144, for managing risks on cloud computing. Given that it is a new standard, there are no academic references on practical implementation of SP 800-144 in organisations. In this dissertation, the researcher has targeted to combine SP 800-144 with two popular risk management frameworks, ISACA's Risk IT and COSO, to design an actionable risk management framework for small and medium scale enterprises using cloud hosting for their IT services needs. The resulting framework will be validated by interviewing risk management practitioners.

2.2. Empirical review of IT risk management

Risk management in IT is concerned with protection of IT assets such that the negative impacts on business due to loss, unauthorised modification, or unavailability of an IT asset can be minimised or eliminated completely (Humphreys, Moses, and Plate, 1998: p. 11). IT assets comprise information units (business-related documents and records) and the assets used for creating, processing, disseminating, storing, transmitting, and archiving the information units (Humphreys, Moses, and Plate, 1998: p. 11). IT assets are exposed to numerous threats emanating from the Internet or internal hackers (Elgarnal, 2009: p. 12). These threats can compromise the confidentiality, integrity, and availability of IT assets leading to financial, legal, reputational, customer, and employee impacts to the organisation (Dhillon and Backhouse, 2000: p. 126; Humphreys, Moses, and Plate, 1998: p. 9). Identification, assessment, and management of IT risks are needed to reduce or eliminate the vulnerabilities such that the external threats do not compromise the IT assets and their confidentiality, integrity, and availability (Anderson and Choobineh, 2008: p. 24; Humphreys, Moses, and Plate, 1998: p. 14; Ozkan and Karabacak, 2010: p. 568).

The risk identification, assessment, and management framework comprises quantitative evaluation of influencing factors and assigning values to them (Ozkan and Karabacak, 2010: p. 572; Humphreys, Moses, and Plate, 1998: p. 22). The key values of concern are the importance of assets to the business, the most relevant threats, the magnitude of impacts on business, the probability of impacts, and the internal vulnerabilities prevailing in the IT systems of the organisation (Gandotra, Singhal, and Bedi, 2009: p. 720-721; Humphreys, Moses, and Plate, 1998: p. 24-25; Ozkan and Karabacak, 2010: p. 570). The risk value is a quantitative outcome of asset value (a function of confidentiality, integrity, and availability ratings), threat value (product of probability value and impact value), and vulnerability value (probability of breach) (Gandotra, Singhal, and Bedi, 2009: p. 722; Humphreys, Moses, and Plate, 1998: p. 25). Finally, all risks are logged in an enterprise-wide risk register and assigned to individual risk managers for invoking risk treatment by avoiding, accepting, transferring, or eliminating the risks (Shortreed, 2008: p. 10-11).
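The quantitative risk valuation and the enterprise-wide risk register described above, as an added worked example that is not part of the dissertation or of the cited standards. The text fixes only that threat value is probability times impact and that asset value is a function of the C/I/A ratings; the 1 to 5 rating scales, the choice of the maximum rating as the asset value, the product as the rule combining asset, threat and vulnerability values, and the risk appetite threshold are assumptions of this example, and the assets, threats and figures are constructed sample data.

```python
# Added example: quantitative risk values (Section 2.2) and a risk register with owners
# and treatments (avoid / accept / transfer / eliminate). Not from the dissertation.
# Assumptions not stated in the text: 1..5 rating scales, asset value = max(C, I, A),
# risk value = asset value x threat value x vulnerability value, appetite threshold.
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Treatment(Enum):
    AVOID = "avoid"
    ACCEPT = "accept"
    TRANSFER = "transfer"
    ELIMINATE = "eliminate"


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # 1 (low) .. 5 (high), assumed scale
    integrity: int
    availability: int

    def value(self) -> int:
        # Asset value as a function of the C, I, A ratings; using the maximum
        # rating is this example's assumption, the text does not fix the function.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float  # likelihood that the threat materialises, 0..1
    impact: int         # business impact if it does, 1..5 (assumed scale)

    def value(self) -> float:
        # Threat value = probability x impact, as stated in Section 2.2.
        return self.probability * self.impact


@dataclass
class RiskEntry:
    asset: Asset
    threat: Threat
    vulnerability: float       # probability that the threat breaches the asset, 0..1
    owner: Optional[str] = None
    treatment: Optional[Treatment] = None

    def risk_value(self) -> float:
        # Combines asset value, threat value and vulnerability value; the product is
        # an assumed combination rule, rounding only keeps the figures readable.
        return round(self.asset.value() * self.threat.value() * self.vulnerability, 3)


class RiskRegister:
    """Enterprise-wide register: every risk is logged, ranked and assigned to a manager."""

    def __init__(self, appetite: float) -> None:
        self.appetite = appetite   # highest risk value the organisation will simply accept
        self.entries: List[RiskEntry] = []

    def log(self, entry: RiskEntry) -> RiskEntry:
        self.entries.append(entry)
        return entry

    def ranked(self) -> List[RiskEntry]:
        # Highest risk first, so treatment effort goes where it matters most.
        return sorted(self.entries, key=lambda e: e.risk_value(), reverse=True)

    def assign(self, entry: RiskEntry, owner: str, treatment: Treatment) -> None:
        entry.owner = owner
        entry.treatment = treatment

    def unresolved(self) -> List[RiskEntry]:
        # Consistency check: a risk above appetite must have an owner and a treatment
        # other than ACCEPT; anything else is a gap in the register.
        return [e for e in self.entries
                if e.risk_value() > self.appetite
                and (e.owner is None or e.treatment in (None, Treatment.ACCEPT))]


def build_sample_register() -> RiskRegister:
    # Constructed sample data for a small cloud-hosted business (not real measurements).
    customer_db = Asset("customer database", confidentiality=5, integrity=4, availability=3)
    website = Asset("marketing website", confidentiality=1, integrity=3, availability=4)
    data_theft = Threat("data theft by external attacker", probability=0.3, impact=5)
    outage = Threat("denial of service", probability=0.5, impact=3)

    register = RiskRegister(appetite=2.0)
    r1 = register.log(RiskEntry(customer_db, data_theft, vulnerability=0.4))  # 5 * 1.5 * 0.4 = 3.0
    r2 = register.log(RiskEntry(website, outage, vulnerability=0.6))          # 4 * 1.5 * 0.6 = 3.6
    r3 = register.log(RiskEntry(customer_db, outage, vulnerability=0.2))      # 5 * 1.5 * 0.2 = 1.5

    register.assign(r1, "security lead", Treatment.ELIMINATE)
    register.assign(r2, "web operations", Treatment.TRANSFER)   # e.g. to the provider's DDoS protection
    register.assign(r3, "security lead", Treatment.ACCEPT)      # below appetite, so acceptable
    return register


if __name__ == "__main__":
    reg = build_sample_register()
    for e in reg.ranked():
        print(f"{e.risk_value():>5}  {e.asset.name:<20} {e.threat.name:<32} "
              f"{e.owner} -> {e.treatment.value}")
    print("unresolved above appetite:", [e.asset.name for e in reg.unresolved()])
```

The `unresolved()` check is the part worth keeping in any real register: it flags a risk that exceeds the appetite but is still unowned or merely accepted, which is the situation the text's "assigned to individual risk managers" step is meant to prevent.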

2.3. IT risk management frameworks

Some of the popular IT risk management frameworks are ISO 27001 (BSI, 2005), ISO 27005 (BSI, 2008), NIST 800-30 (NIST, 2001), ISACA's Risk IT (ISACA, 2009), and COSO.

ISO 27001 is a standard for implementing an information risk management system using information risk management as the fundamental framework and building upon it the management system for establishing, operating, reviewing, and improving an information security management system (BSI, 2005: p. 8-9). ISO 27005 and NIST 800-30 deal with a framework of information risk management system comprising risk identification, risk assessment, risk prioritisation, risk treatment, and application of controls using qualitative and quantitative data collection and analytical methods (BSI, 2008: p. 10; NIST, 2001: p. 8). ISACA's Risk IT is a modern IT risk management framework that considers an organisation-wide risk view system as the core of the framework, enabling all departments to view the bigger picture and treat risks accordingly. The COSO risk management framework follows a similar approach with specific focus on people aspects of IT risk management and a risk aware culture in the organisation at all levels of the organisational hierarchy, irrespective of designation, role, and responsibilities (COSO, 2004: p. 18).

The frameworks chosen for integrating with the NIST 800-144 framework are ISACA's Risk IT and the COSO risk management framework. These frameworks have been chosen for two reasons:

(a) There are sufficient references available on these standards for establishing a theoretical foundation.

(b) Both these standards focus on organisation-wide risk views ensuring bigger picture visualisation of IT and related risks. In cloud computing, the risk management framework needs to protect all tenants and hence such a model has been recommended by NIST 800-144 as well.

Hence, it is expected that the three models will synergise effectively.


Figure 3: An overview of Risk IT Framework (ISACA, 2009: p. 33)

ISACA's Risk IT framework is presented in the Figure 1 above. The Risk IT framework comprises three primary domains: risk governance, risk evaluation, and risk response. The idea of an enterprise-wide view of IT risks is to ensure that they can be treated keeping the bigger picture in consideration and ultimately are integrated with the enterprise-wide risk management framework. This is to ensure that when risk-aware analysis is done, the IT risks are included in the risks considered for making business decisions. The focus is not only on technical risks but also on IT-linked business risks, such that the risk profile maintained for IT systems can be linked with business objectives and business risks. In this way, IT-related risks are prioritised keeping in view their linkage with high priority business risks. The IT systems linked with high business risk profiles from a business perspective are prioritised. Such decisions are made by business in collaboration with IT, which is the key advantage of enterprise-wide visibility of IT risks and their linkages with business risks. The risk response is carried out accordingly. (ISACA, 2009: p. 34-37)

The COSO model of risk management is presented in the Figure 2. It is an enterprise-wide risk management framework with IT risk management embedded within the larger system. This model is based on the risk appetite and risk management philosophy defined in the organisation, which is based on various internal standards maintained by the management. In this model, risk appetite and tolerance levels are defined as a part of the business objectives of the firm. The rest of the model has been taken from NIST 800-30 and ISO 27005 standards for risk identification, assessment, prioritisation, and treatment, and communications, monitoring, and control systems for ensuring an appropriate risk-aware culture within the organisation. Risk-related culture is viewed as the core of the COSO framework. (COSO, 2004: p. 3-12)


Figure 4: COSO Risk Management Framework (COSO, 2004: p. 2)

The risk management modelling for cloud computing has been carried out by integrating COSO and ISACA's Risk IT and using them as supporting frameworks for the NIST 800-144 standard. This integration can enable integration of the two major philosophies proposed by the two standards: organisation wide risk view and risk-related organisational culture. These two philosophies can be viewed as primary enablers of accurate categorisation and treatment strategy of risks and of effectiveness of security controls for treatment of risks. In cloud computing, multiple flavours of service providers (SaaS, PaaS, and IaaS, as discussed in the next section) serve numerous tenants (clients) for various business purposes. Hence, the organisation wide risk view philosophy will result in sharing of risk-related information with all stakeholders with clear demarcation of accountabilities at the service providers' end and the clients' end. Such a demarcation will enable the SaaS, PaaS, and IaaS providers (discussed in the next section), and the clients, to identify the controls needed at their respective ends and own them.

Having reviewed the empirical theories and models in IT risk management, the next step is to understand cloud computing closely and identify the risks prevailing in cloud IT environments. The next section presents an empirical view of cloud computing.

2.4. Empirical review of cloud computing

Cloud computing is characterised by three forms of delivery, as described by NIST in their technology roadmap for cloud computing, Vol. II (Badger et al., 2011: p. 11-15). These models are:

(a) Software as a service (SaaS)

(b) Platform as a service (PaaS)

(c) Infrastructure as a service (IaaS)

The three models have different service offerings and modes of delivery. SaaS providers use PaaS clouds to host business applications on various platforms, and PaaS providers use IaaS clouds to energise their platforms. Mostly, SaaS providers are direct interfaces to customers. Customers interface with PaaS clouds for developing in-house cloud-based development capabilities. Some customers interface with IaaS clouds for renting raw storage and computing power. (Badger et al., 2011: p. 16-21; Chorafas, 2011: p. 24-30)

As per Qian, Luo, Du, and Guo (2009: p. 628-629), Microsoft Azure and Google App Engine can be classified as PaaS clouds, Google Apps can be classified as a SaaS cloud, and Amazon Elastic Compute can be classified as an IaaS cloud. Zhang, Cheng, and Boutaba (2009: p. 10) elaborated such a classification in their multi-level service oriented model presented below:

Figure 5: The multi-level service oriented architecture in the cloud computing (Zhang, Cheng, and Boutaba, 2009: p. 10)

As per the multi
-
level service oriented model by Zhang, Cheng, and Boutaba
(2009: p. 10
-
12), cloud hosted applications like saleforce.com and mysap.com, that
keep their platforms hidden from customers, may be catego
rised as SaaS providers.
Page
21

of
69


Microsoft Azure and Google App Engine open their platforms for customers for
developing applications and hence may be categorised as PaaS providers.

Amazon
EC2 and Go Grid offer their infrastructure services (elastic computing and
storage) to
customers for deploying their own platforms. Hence, they may be categorised as IaaS
providers.

Tai, Nimis, Lenk, and Klems (2010: p. 4-9), Amburst et al. (2010: p. 50-54), and Miller (2009: p. 23-30) present the following benefits of cloud computing for end-customers:

(a) Elastic computing and storage facilities
(b) Rapid application development and deployment
(c) Pay-per-usage model
(d) No administrative, obsolescence, and upgrading hassles
(e) State-of-the-art infrastructure and platforms
(f) Access to world-class business applications
(g) Ubiquitous access
(h) Easy commissioning and decommissioning
(i) No capital expenses
(j) Affordable recurring expenses

These benefits have attracted a large number of end-customers to cloud computing, resulting in the rapid and significant growth of this industry. However, there are security risks that need to be managed effectively in cloud computing. Unlike self-hosted infrastructures, risk management is not straightforward in cloud computing. These aspects are discussed in the next section.

2.5. Security risks and IT risk management in cloud computing

Cloud computing employs the same IT infrastructure components as self-hosted IT infrastructures. The differentiation is due to virtualisation and a web services architecture (Web 2.0) based multi-tenancy framework. Modern organisations maintain internal security controls and hire people to manage them. However, if competitors connect to the same IT infrastructure and use shared IT resources to run their business applications, there are doubts about the trustworthiness and reliability of the personalised environments provided by the service providers. The competitors worry about data proliferation across the virtual boundaries established for tenants in the cloud. The scenario becomes more challenging when most of the security controls are managed by the cloud service providers and the tenant organisations lack visibility of, as well as control over, the security of their data. These challenges drive security risks and IT risk management in cloud computing. (Sabahi, 2011: p. 245-246; Jansen, 2011: p. 2-3)

The cloud service providers deploy large-scale infrastructures with state-of-the-art security technologies. Hence, the traditional security risks that strike self-hosted IT are argued to be less likely to strike clouds, although they are not eliminated (see Table 1, item 3). The challenges are more related to multi-tenancy, pooling of shared infrastructure components, and common access to applications. IT resource provisioning is normally implemented through virtualisation, with Web 2.0 interfaces for application access. Hence, virtualisation and web services security risks are more prominent in cloud computing. (Jansen and Grance, 2011: p. 8-10; Jansen, 2011: p. 4-5)

Given that cloud computing comprises shared infrastructure components, the boundaries around the work areas offered to tenants are virtual and are protected only by security settings in virtualised servers and network components. Hence, tenant organisations perceive unclear risk profiles for identity theft, privilege escalation, exploits, session hijacking (masquerading), and other Internet- and virtualisation-based exploits. In addition to the unknown risk profiles arising from virtualised environments and the web services architecture, tenant organisations have little control over security-related settings in the clouds. Most of the controls are managed by the platform and infrastructure service providers interfacing with the software-as-a-service provider. Hence, tenant organisations are unclear about their role in risk treatment and about the effectiveness of the risk treatments conducted by the service providers. The strength of the virtualised boundaries is unclear, and hence tenant organisations are unsure about the protection of their data from Internet threats, competitors' activities, proliferation attempts, insider trading, lock-in attempts (by the cloud service providers), and breaches of confidentiality, integrity, and reliability. (Sabahi, 2011: p. 246-247; Jansen, 2011: p. 6; Jing and Jian-Jun, 2010: p. 477; Tripathi and Mishra, 2011: p. 3)

Another significant challenge facing effective risk management in cloud computing is related to auditing and forensics for control effectiveness testing and regulatory compliance. The cloud providers need to provide standard interfaces, system-generated logs, tenant-specific logs, automatically generated integrity hashes over logs and images, virtual machine cloning/regeneration, and snapshots of tenant databases for law enforcement, forensic investigations, and regulatory auditing. Traditional host-based forensics, system auditing, vulnerability analysis, penetration testing, and other popular mechanisms need to be taken to the clouds in a service-oriented approach. New technological and legal dimensions need to be developed for distributed computing, virtualised infrastructures, and web services architectures to address this gap. (Chen et al., 2013: p. 44-46; Chen and Yoon, 2010: p. 255-256; Ruan et al., 2011: p. 8-10; Taylor et al., 2011: p. 6)
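The tenant-specific logs and automatically generated hashes referred to above can be illustrated with an added worked example. It is not part of the thesis or of any cloud provider's interface; the tenant names, field names and sample events are constructed. A provider-side audit log keeps every tenant's records in their own SHA-256 hash chain, so the export handed to one tenant (or to an investigator acting for that tenant) can be checked for alteration, deletion or reordering without disclosing any other tenant's entries.

```python
import copy
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# Added example, not part of the thesis or of any provider's product: a
# provider-side audit log in which every tenant's records form their own
# SHA-256 hash chain. Tenant names, field names and sample events are
# constructed for illustration.

GENESIS = "0" * 64  # chain anchor for a tenant's first record


def _digest(prev_hash: str, body: Dict) -> str:
    """SHA-256 over the previous link and the canonical JSON of the record body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append_event(log: List[Dict], tenant: str, event: Dict) -> Dict:
    """Append `event` for `tenant`, linking it to that tenant's previous record."""
    own = [r for r in log if r["tenant"] == tenant]
    prev_hash = own[-1]["hash"] if own else GENESIS
    body = {"seq": len(own) + 1, "tenant": tenant, "event": event}
    record = dict(body, prev_hash=prev_hash, hash=_digest(prev_hash, body))
    log.append(record)
    return record


def export_tenant_log(log: List[Dict], tenant: str) -> List[Dict]:
    """Tenant-specific export: that tenant's records only, in chain order."""
    return copy.deepcopy([r for r in log if r["tenant"] == tenant])


def verify_chain(records: List[Dict]) -> Tuple[bool, Optional[int]]:
    """Recompute the chain; return (True, None) or (False, seq of first bad record)."""
    expected_prev = GENESIS
    for r in records:
        body = {k: r[k] for k in ("seq", "tenant", "event")}
        if r["prev_hash"] != expected_prev or r["hash"] != _digest(expected_prev, body):
            return False, r["seq"]
        expected_prev = r["hash"]
    return True, None


def sample_log() -> List[Dict]:
    """Constructed multi-tenant log: two tenants interleaved on one platform."""
    log: List[Dict] = []
    append_event(log, "tenant-a", {"ts": "2013-10-01T08:00:00Z", "action": "login", "user": "alice"})
    append_event(log, "tenant-b", {"ts": "2013-10-01T08:00:05Z", "action": "login", "user": "bob"})
    append_event(log, "tenant-a", {"ts": "2013-10-01T08:02:10Z", "action": "export", "object": "customers.csv"})
    append_event(log, "tenant-b", {"ts": "2013-10-01T08:03:00Z", "action": "delete", "object": "vm-17"})
    append_event(log, "tenant-a", {"ts": "2013-10-01T08:05:00Z", "action": "logout", "user": "alice"})
    return log


def tampered_export(log: List[Dict], tenant: str, seq: int) -> List[Dict]:
    """Copy of a tenant export with one record's event silently changed."""
    records = export_tenant_log(log, tenant)
    records[seq - 1]["event"]["action"] = "view"  # e.g. hide that data was exported
    return records


def truncated_export(log: List[Dict], tenant: str, seq: int) -> List[Dict]:
    """Copy of a tenant export with one record removed from the middle."""
    return [r for r in export_tenant_log(log, tenant) if r["seq"] != seq]


if __name__ == "__main__":
    log = sample_log()
    print("intact   :", verify_chain(export_tenant_log(log, "tenant-a")))
    print("tampered :", verify_chain(tampered_export(log, "tenant-a", 2)))
    print("truncated:", verify_chain(truncated_export(log, "tenant-a", 2)))
```

Because each tenant's chain is anchored independently, the provider can disclose one tenant's records to that tenant or to a court without breaking verifiability, and the verifier needs only the records themselves; publishing the latest chain head to the tenant at intervals additionally prevents the provider from silently re-chaining the whole history.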

Risk management in cloud computing is different from that of the self-hosted IT systems of individual organisations. In clouds, risk management needs to be implemented in a multi-agency mode, whereby each agent may be a different organisation or a different service provider. In such a scenario, an enterprise-wide view of risk may be difficult to achieve, leaving risk treatments disconnected from business objectives and performance goals. This is highly risky for tenant organisations as well as for service providers. Tenant organisations may be affected by an irrational approach to risk identification and treatment, causing poorer security and privacy controls. Service providers may be affected by losing clients and market share if a major data breach occurs that affects multiple tenants hooked to their respective clouds. Hence, there needs to be a mechanism for a common risk view in which all agents access a common risk registry, log their risks, and publish reports of their mitigation activities. The tenant organisations can log into the registry and view the treatments of the risks that they are concerned about. In this way, there will be transparency and integration of risk management in the cloud. The risks may be treated using hierarchical analytics of each layer of the cloud, such that the tenant organisations gain visibility into the risk treatments of the layers invisible to them. This framework, combined with standardised forensics and cloud audits, can enhance cloud computing reliability considerably. (Mukhin and Volokyta, 2011: p. 739; Peiyu and Dong, 2011: p. 3202; Zech, 2011: 413; Zhang et al., 2010: p. 1331-1332)
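The common risk registry described above can be sketched in code as an added example. It is not part of the thesis or of any product; the layer names, the 1-5 scoring scale, the agent names and the sample entries are constructed. Each agent logs risks at its own layer with a treatment status, a tenant sees the treatments affecting it at every layer with provider-internal notes redacted, and a per-layer roll-up gives the hierarchical view of residual risk.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Added example, not part of the thesis or of any product: a shared risk
# register for a layered cloud. Layer names, the 1-5 scoring scale, agent
# names and sample entries are constructed for illustration.

LAYERS = ("iaas", "paas", "saas", "tenant")  # bottom to top of the stack


@dataclass
class Risk:
    risk_id: str
    layer: str
    owner: str                    # agent accountable for the treatment
    title: str
    likelihood: int               # 1..5
    impact: int                   # 1..5
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully mitigated)
    status: str                   # "open" | "in-progress" | "treated"
    affected_tenants: List[str] = field(default_factory=list)  # [] = every tenant on the layer
    internal_notes: str = ""      # provider-internal; never exported to tenants

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> float:
        return round(self.inherent() * (1.0 - self.control_effectiveness), 2)


def tenant_view(register: List[Risk], tenant: str) -> List[Dict]:
    """Risks relevant to `tenant` at every layer, with internal notes redacted."""
    rows = []
    for r in register:
        mine = r.layer == "tenant" and r.owner == tenant
        shared = r.layer != "tenant" and (not r.affected_tenants or tenant in r.affected_tenants)
        if mine or shared:
            rows.append({"risk_id": r.risk_id, "layer": r.layer, "owner": r.owner,
                         "residual": r.residual(), "status": r.status})
    return sorted(rows, key=lambda x: (LAYERS.index(x["layer"]), -x["residual"]))


def layer_rollup(register: List[Risk]) -> Dict[str, Dict[str, float]]:
    """Hierarchical analytics: per layer, the worst residual and the count of untreated risks."""
    out = {layer: {"max_residual": 0.0, "untreated": 0} for layer in LAYERS}
    for r in register:
        slot = out[r.layer]
        slot["max_residual"] = max(slot["max_residual"], r.residual())
        if r.status != "treated":
            slot["untreated"] += 1
    return out


def inherited_exposure(register: List[Risk], tenant: str) -> float:
    """Residual risk a tenant inherits from the layers it does not control."""
    return round(sum(row["residual"] for row in tenant_view(register, tenant)
                     if row["layer"] != "tenant"), 2)


def sample_register() -> List[Risk]:
    """Constructed entries logged by an IaaS, a PaaS and a SaaS provider and two tenants."""
    return [
        Risk("IAAS-01", "iaas", "infra-co", "Hypervisor patch backlog", 3, 5, 0.4, "in-progress", [], "triage pending"),
        Risk("IAAS-02", "iaas", "infra-co", "Shared storage striped across borders", 2, 4, 0.0, "open", ["eu-bank"]),
        Risk("PAAS-01", "paas", "platform-co", "Weak tenant isolation in build service", 2, 4, 0.75, "treated"),
        Risk("SAAS-01", "saas", "crm-co", "Session fixation in web front end", 3, 3, 0.5, "in-progress"),
        Risk("TEN-01", "tenant", "eu-bank", "Over-privileged admin accounts", 4, 3, 0.25, "open"),
        Risk("TEN-02", "tenant", "acme-au", "No user offboarding procedure", 3, 2, 0.0, "open"),
    ]


if __name__ == "__main__":
    reg = sample_register()
    for row in tenant_view(reg, "eu-bank"):
        print(row)
    print("inherited by eu-bank:", inherited_exposure(reg, "eu-bank"))
    print("layer roll-up:", layer_rollup(reg))
```

The tenant view deliberately carries the owner and status of lower-layer risks but not the provider's notes, which is the transparency-with-demarcation the text calls for; the roll-up is what a provider would publish so that a tenant can see whether an untreated risk below its own layer is dragging its inherited exposure up.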

The reviews presented in the above paragraphs are outcomes of academic research studies. However, they are not standardised for application in a cloud environment. NIST SP 800-144 is the first attempt to standardise cloud computing security. A review of the standard is presented in the next section.

2.6. A review of the NIST SP 800-144 framework

The NIST SP 800-144 standard's framework is presented in six chapters, including the introduction and conclusion. The key chapters are Chapter 4, on issues and recommendations concerning security and privacy in cloud computing, and Chapter 5, on the secure outsourcing of public clouds. The standard presents issues and recommendations on the following (Jansen and Grance, 2011: p. 14-35):

(a) Governing deployment, expansion, and change management in cloud computing
(b) Meeting compliance obligations in the clouds
(c) Achieving trustworthy computing in the clouds
(d) Standardisation of cloud computing architecture, taking care of security, auditing, and other requirements
(e) Access control and identity protection in the clouds
(f) Isolating software and platform environments in cloud computing
(g) Protecting data and its life cycle in the clouds
(h) Ensuring data availability in the clouds
(i) Responding to incidents in clouds

The standard addresses most of the concerns raised by scholars in the academic literature. However, the recommendations need to be tested in practical environments by executing pilot tests or running simulations. In addition to these recommendations, the standard presents a detailed plan of activities for moving IT resources to cloud computing environments. It has a separate section of recommendations for small and medium scale enterprises that need cloud computing to run their IT-enabled businesses. (Jansen and Grance, 2011: p. 14-35)

2.7. Summary

In this chapter, a detailed literature review pertaining to the research topic is presented. The literature review forms a background of empirical theories on IT risk management, popular risk management models, and cloud computing in general. In addition, specific sections on IT risks in the cloud and on the NIST SP 800-144 standard's framework are presented. In this way, the context of this research, with all background information, is clarified. The next chapter presents a detailed review of research methods and a finalised research design for this study.





Chapter 3: Research design

This is archival research based on an in-depth study of published documents on NIST SP 800-144, COSO, and ISACA's Risk IT, and of related research studies. The research questions pertain to the IT risk exposures of SMEs on cloud computing, employing NIST SP 800-144 with supporting standards (Risk IT and COSO), and formulating an IT risk management framework for SMEs on cloud computing. These research questions have been addressed through archival research because of the excellent availability of literature, published standards, and published research reports. It is expected that this research will gain sufficient insight into the standards and the underlying theories supporting them. This will help in achieving a reasonable level of generalisability in this research.

For choosing the document sources, judgmental sampling is used, such that the sample units are based on the researcher's chosen criteria for selection. The following criteria have been used for choosing the sample units from the population (books, journals, published research studies, standards documentation, and other such reliable sources):

(a) Is a reliable and reviewed source
(b) Is based on primary or secondary data, and on insights from experts in this field
(c) Is relevant to the research topic and context (risk management on cloud computing)
(d) Will help in answering the research questions and meeting the objectives
(e) Will help in developing a theoretical framework for managing risks on cloud computing for SMEs

Sampling has been conducted using an iterative reading approach. In the first round, a large number of references were chosen with general keywords, like cloud computing security, cloud computing risk management, and security standards on cloud computing. The summaries of all these references were studied and a first sample set was chosen based on the sampling criteria presented above. The researcher studied the references in the first sample set in detail and rejected the ones that did not deliver the relevant information needed for this research. After the rejections, the second sample set was chosen and finalised.

The researcher has primarily accessed reputed databases for collecting the sources in the sample. The key databases used are IEEE Xplore, ACM, Science Direct (Elsevier and Pergamon), Emerald, and Springer. In addition, the researcher has included published research studies at master's and doctoral levels from university websites. The core references about the standards reviewed have been taken from the COBIT, COSO, and NIST websites. Some popular books from reputed publishers (like Pearson, Elsevier, IGI, and CRC) have been chosen as well.

Data was collected in two forms: in exploratory form, reviewed in Chapter 2, and in tabulated form, presented in Chapters 4, 5, and 6. In Chapter 2, data is collected and reviewed to build knowledge of the theories; in Chapters 4, 5, and 6, data is collected to find answers to the research questions.

Data analysis is conducted qualitatively by collecting the relevant definitive points from the references and analysing them. In Chapter 2, the data collected from the references is reviewed and included in a logical flow such that the theoretical foundation can be established. This foundation helped in affirming the context and in preparing the background for collecting data to answer the research questions. In Chapters 4, 5, and 6, the relevant points are chosen and tabulated for finding answers to the research questions. The findings are discussed in detail to analyse the reflections of existing theories in the data sets and to find new theories evolving from them.

In this research, there are no human respondents and hence there are no ethical issues related to research on people. However, the use of secondary sources invokes the need to protect their intellectual property rights and to protect the research against plagiarism. Hence, all sources have been cited within the contents and a list of references is included at the end. In addition, all figures have been redrawn.










Chapter 4: Findings against research question 1

4.1. Findings

The first research question of this dissertation is the following:

What are the IT risk exposures of businesses that use cloud hosted resources for running their business processes?

The risk exposures in clouds have been studied in Chapter 2. A tabulated form of the data collected is presented in Table 1 below. Some risks studied in Chapter 2 have been combined, given that they represent a common risk type. The discussion on these findings is presented in Section 4.2.

Table 1: IT risk exposures of businesses using cloud hosted resources (columns: S. No.; IT risk exposure; Sources)

1. The identity of business users may be stolen by eavesdroppers such that their privileges can be misused.
   Sources: Tripathi and Mishra (2011), Jansen and Grance (2011), Jing and Jian-Jun (2010), Sabahi (2011), and Jansen (2011)

2. Attackers may use exploits on the Internet to target vulnerabilities of applications and underlying platforms.
   Sources: Tripathi and Mishra (2011), Jansen and Grance (2011), Jing and Jian-Jun (2010), Sabahi (2011), and Jansen (2011)

3. All the threats prevailing at the network layer in self-hosted IT systems exist in cloud computing as well, because the components used to build cloud LANs and WANs are similar to those of traditional self-hosted networks.
   Sources: Tripathi and Mishra (2011), Jansen and Grance (2011), Jing and Jian-Jun (2010), Sabahi (2011), and Jansen (2011)

4. Virtualisation results in the spreading of data over a number of servers installed at multiple physical locations. In global clouds, data may even cross national boundaries.
   Sources: Zhou et al. (2010), Zhang et al. (2010), and Sabahi (2011)

5. The cloud uses virtualised user spaces separated by virtual boundaries. Security vulnerabilities in these virtual boundaries can cause data proliferation.
   Sources: Jing and Jian-Jun (2010), Tripathi and Mishra (2011), Sabahi (2011), Kandukuri, Paturi, and Rakshit (2009), and Pearson and Benameur (2010)

6. Existing technologies for technical auditing and forensic analysis may not be effective on cloud platforms.
   Sources: Jansen (2011), Jansen and Grance (2011), Sabahi (2011), and Pearson and Benameur (2010)

7. Current IT risk management practices in cloud computing are inadequate.
   Sources: Sabahi (2011), Jansen (2011), Jansen and Grance (2011), Zhang et al. (2010), and Zhou et al. (2010)

8. Users do not get control over their virtual computing and storage environments, because these are virtualised and allocated from a large-scale pool.
   Sources: Pearson and Benameur (2010), Zhang et al. (2010), Jansen and Grance (2011), Zhou et al. (2010), Kandukuri, Paturi, and Rakshit (2009), and Jansen (2011)

9. In multi-cloud scenarios, end-to-end accountability for services is unclear.
   Sources: Jansen (2011), Jansen and Grance (2011), Kandukuri, Paturi, and Rakshit (2009), Zhang et al. (2010), and Zhou et al. (2010)

10. Cloud security controls are not yet standardised.
    Sources: Zhou et al. (2010), Jansen (2011), Jansen and Grance (2011), Kandukuri, Paturi, and Rakshit (2009), Pearson and Benameur (2010), Tripathi and Mishra (2011), and Zhang et al. (2010)

11. Additional threats may arise in a shared virtualised environment with multi-tenancy settings.
    Sources: Zhou et al. (2010), Jansen (2011), Jansen and Grance (2011), Kandukuri, Paturi, and Rakshit (2009), Pearson and Benameur (2010), Tripathi and Mishra (2011), and Zhang et al. (2010)

12. Cloud vendors may tend to lock in the services of tenants, making it difficult for them to change service providers in the event of unsatisfactory service.
    Sources: Zhang et al. (2010), Zhou et al. (2010), Tripathi and Mishra (2011), Pearson and Benameur (2010), Kandukuri, Paturi, and Rakshit (2009), Jansen and Grance (2011), and Jansen (2011)


Table 1 presents the threat profile of the cloud, which can be drawn in the form presented in Figure 6. The dotted arrows indicate the threats positioned in various sections of the cloud. The first level of threats that cloud users face is at the contractual level. The users may face a scenario of unclear accountability as to who will own the security of their data during entry, retrieval, storage, transit, and destruction in the cloud. Clouds are multi-tenant systems served by integrated services from multiple service providers. In this design, clouds clearly lack a definition of accountabilities for tackling the various risks. At the contractual level, tenants also face the uncertainty of vendor lock-in if the decommissioning terms are not agreed and the assets to be returned to the tenant are not clearly identified.

Figure 6: Threat profiling in a cloud computing environment


Referring to Figure 6 and the findings in Table 1, there may be Internet-based exploits, network threats, and system threats similar to those found in self-hosted IT infrastructures with servers exposed to the Internet. However, the scenario in the cloud does appear more complex than in self-hosted infrastructures, because cloud systems are exposed both to the Internet and to multiple independent tenant organisations or independent users. It is possible for attackers to gain access to cloud systems to some extent simply by signing up as a valid tenant. In such a scenario, these attackers are better placed to launch attacks like denial of service and account hijacking than in self-hosted infrastructures, where they are outsiders. Essentially, they can become an insider attacker to some extent. As a result of the overall threats identified in Figure 6 (lack of accountability, standards, transparency, forensics, and auditability), such attackers can social-engineer internal IT administrators to gain greater access within the cloud. The Cloud Security Alliance (2013) report on cloud threats has highlighted malicious insider threats as one of the most prominent challenges. Figure 7 illustrates why the malicious insider threat is high in cloud computing.

Figure 7: Threat of malicious attackers in a cloud computing environment

In self-hosted environments, user access is controlled by a single risk management framework controlled by the top management. In a cloud-hosted environment, every tenant organisation may have its own risk management framework. Hence, while a tenant can control the access of users within its own virtual domain, it cannot control the access granted to a malicious attacker who signs up as a valid cloud tenant. The scenario becomes more dangerous if the multi-tenancy and weak virtual boundary threats exist. The risk management framework needs to be implemented by the cloud service providers in such a way that the risk management of individual tenants is integrated with it. In such a scenario, a sound tenant verification process controlled by the cloud risk management framework can keep malicious attackers away from the cloud. For example, scanned copies of all original identity documents, along with a verification report by the local police or an authorised verification agency, may be made mandatory before a tenancy agreement is signed. Such vetting raises the cost of obtaining a tenancy, although it does not by itself stop an attacker who presents stolen or fabricated documents, so it complements rather than replaces the isolation controls discussed next.

The other prominent threats in cloud computing environments are virtualisation and virtual boundary weakness threats. Figure 8 illustrates how these threats may operate in a cloud environment. In a virtualised environment, a real physical server is divided into multiple virtual machines using a hypervisor, a privileged layer of system software capable of hosting multiple operating systems as guests (VMware, 2012: p. 2-3). However, hypervisors are susceptible to the same classes of exploit as a traditional OS (like buffer overflow attacks, malware injection, or denial of service), because the hypervisor is itself a large privileged software layer comparable to an OS (VMware, 2012: p. 4). If system security controls (for example, an intrusion prevention device) are not in place, the hypervisor can be compromised by attackers to take control (VMware, 2012: p. 4). Once the hypervisor is penetrated successfully, the attacker can gain access to all the virtual machines hosted on it; hence firewall and intrusion prevention controls are needed at the system level on the hypervisor hosts (VMware, 2012: p. 5).

Figure 8: Illustration of virtualisation and virtual boundary weakness threats (GOS stands for guest operating system and HYP stands for hypervisor)


The most complex threat in cloud computing is related to data storage, which gets striped across multiple storage devices across the cloud. Storing data outside a country's political boundaries may be unlawful under the regulations of many countries. However, in cloud computing, data is striped across multiple cloud storage clusters, as illustrated in Figure 9. The data stored outside the regulatory regime may be retrieved separately by insider traders or by attackers gaining access to the hypervisors (as explained in the previous paragraph). The risk management framework of the cloud service provider should incorporate a control by which the tenants can choose the location for their data storage through a panel. Google and Amazon are working on adding such a control (at the time of writing).

Figure 9: Storage of data on multiple storage clusters spread globally poses a data proliferation threat in cloud computing
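The data-location control proposed above can be illustrated with an added example. It is not part of the thesis or of any provider's product; the cluster names, countries and tenant policies are constructed. A striping routine places chunks and their replicas only on storage clusters inside the tenant's allowed jurisdictions and refuses a write it cannot satisfy within policy, and an audit routine re-checks an existing placement (for example one produced by a residency-unaware striper) against the same policy.

```python
import hashlib
from typing import Dict, List

# Added example, not part of the thesis or of any provider's product: a
# residency-aware placement check for striped storage. Cluster names,
# countries and tenant policies are constructed for illustration.

CLUSTERS: Dict[str, str] = {   # storage cluster -> country of the data centre
    "eu-fra-1": "DE", "eu-dub-1": "IE", "us-iad-1": "US",
    "us-sjc-1": "US", "ap-syd-1": "AU", "ap-sin-1": "SG",
}

TENANT_POLICY: Dict[str, set] = {  # tenant -> countries its data may be stored in
    "acme-au": {"AU"},
    "eu-bank": {"DE", "IE"},
    "global-shop": {"DE", "IE", "US", "AU", "SG"},
}


class ResidencyViolation(Exception):
    """Raised when a write cannot be satisfied inside the tenant's jurisdictions."""


def eligible_clusters(tenant: str) -> List[str]:
    """Clusters whose country is on the tenant's allow-list, in a stable order."""
    allowed = TENANT_POLICY[tenant]
    return sorted(c for c, country in CLUSTERS.items() if country in allowed)


def place_object(tenant: str, object_id: str, n_chunks: int, replicas: int) -> Dict[int, List[str]]:
    """Stripe an object into chunks; map each chunk to `replicas` distinct in-policy clusters."""
    pool = eligible_clusters(tenant)
    if len(pool) < replicas:
        raise ResidencyViolation(
            f"{tenant}: {len(pool)} cluster(s) in allowed jurisdictions, {replicas} replicas required")
    placement: Dict[int, List[str]] = {}
    for chunk in range(n_chunks):
        # Deterministic spread over the eligible pool only: the hash can never
        # select a cluster outside the allow-list because `pool` is pre-filtered.
        h = hashlib.sha256(f"{tenant}/{object_id}/{chunk}".encode("utf-8")).digest()
        start = int.from_bytes(h[:4], "big") % len(pool)
        placement[chunk] = [pool[(start + i) % len(pool)] for i in range(replicas)]
    return placement


def audit_placement(tenant: str, placement: Dict[int, List[str]]) -> List[str]:
    """Every replica outside the tenant's allowed countries (empty list means compliant)."""
    allowed = TENANT_POLICY[tenant]
    return [f"chunk {chunk} on {cluster} ({CLUSTERS[cluster]})"
            for chunk, clusters in sorted(placement.items())
            for cluster in clusters if CLUSTERS[cluster] not in allowed]


if __name__ == "__main__":
    plan = place_object("eu-bank", "ledger-2013", n_chunks=4, replicas=2)
    print("eu-bank placement:", plan)
    print("eu-bank audit    :", audit_placement("eu-bank", plan) or "compliant")
    # a placement produced by a residency-unaware striper, audited after the fact
    legacy = {0: ["eu-fra-1", "us-iad-1"], 1: ["eu-dub-1", "ap-sin-1"]}
    print("legacy audit     :", audit_placement("eu-bank", legacy))
    try:
        place_object("acme-au", "payroll", n_chunks=2, replicas=2)
    except ResidencyViolation as exc:
        print("refused          :", exc)
```

The refusal path matters as much as the happy path: a tenant with a single in-policy cluster who asks for two replicas must get an error, not a second copy in another country, and the audit output is the evidence a tenant or regulator would ask the provider to produce for the data-location control.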


The above discussion reveals that threats in cloud computing are distributed across multiple components, and hence an integrated multiparty risk management accountability framework is needed. The largest player among the parties may drive the system through a main risk management system, and the other parties (including tenant organisations) should plug their respective risk management systems into the primary system. A more effective way is to offer risk management as a service on the cloud, such that tenant organisations and smaller cloud service providers may buy a subscription to the application and log and mitigate their own risks.

4.2. Discussion

The scholars have made it clear that all the risks prevailing in self-hosted IT infrastructures are present in cloud computing environments. There are many additional risks in cloud computing as well. This reflects that cloud computing environments are generally riskier than self-hosted IT infrastructures, given that risks pertaining to agency exposures, third-party environment exposures, multiparty service exposures, outsourcing exposures, shared platform exposures, legal and regulatory exposures, and cross-border access/transfer exposures are added. It is interpreted that cloud infrastructure owners will mitigate the risks prevailing in self-hosted environments in much better ways, because they will have greater capital funds to invest in state-of-the-art security products (like firewalls and intrusion prevention devices). Hence, the primary concern is related to the additional risk exposures stated above. For example, data location and data proliferation issues cannot be solved by investing in state-of-the-art security systems and applications. These issues can be solved through appropriate procedures for ensuring transparency, auditing, forensics, and the demonstration of regulatory compliance. The risk management framework of cloud service providers should address these added exposures that businesses might face in using their services.

The issues of poor user controls, data ownership, data protection, privacy in a multi-tenancy environment, and transparency during the commissioning of services, the operation of running services, and the decommissioning of services can be addressed by employing a global standard for risk management in cloud computing. NIST SP 800-144 offers such an opportunity to global cloud vendors. The next chapter presents the findings on how NIST SP 800-144 can be supported by COSO and Risk IT to make it actionable in cloud environments.

4.3. Summary

In this chapter, the first research question has been addressed. A tabulated presentation of cloud computing risks and the references citing them is furnished. Overall, it is found that there are additional risks in cloud computing environments which cannot be addressed using the strategies and technologies used in self-hosted IT environments. A much broader standards and regulatory framework is needed to mitigate cloud computing risks and to protect all the parties associated with the cloud. In addition, risks with conflicting mitigation solutions from the perspective of provider versus user interests need to be addressed.








Chapter 5: Findings against research question 2

5.1. Findings

The second research question of this dissertation is the following:

How could the NIST SP 800-144 standard be supported by the COSO and Risk IT standards and by the existing theories complementing their recommendations?

The findings are based on a carefully executed comparison of the three standards and a mapping of the most relevant controls. Table 2 presents the mapping of controls chosen from COSO and Risk IT against the controls in the NIST SP 800-144 standard. A discussion is presented in Section 5.2.

Table 2: Synergy among SP 800-144, COSO, and Risk IT standards (columns: S. No.; NIST SP 800-144; COSO; Risk IT; Sources)

1. NIST SP 800-144: Controls on policies, standards, and underlying procedures for IT services acquisition, operations, and enhancements
   COSO: Common view of risk appetite, risk tolerance, monitoring and updating risk controls, risk-related roles, and communications
   Risk IT: Common risk view (risk assessment plans, risk register, risk analysis results, reports, and mitigation plans) integrating IT risks with enterprise risk management, and making risk-aware decisions
   Sources: Jansen and Grance (2011); ISACA (2009); COSO (2004)

2. NIST SP 800-144: Compliance with laws and regulations pertaining to data location, data proliferation, and electronic discovery
   COSO: Internal accountability, executive support, risk-awareness culture, mapping business-unit risks to company-wide risks, policies and procedures as per the compliance needs of the business, monitoring procedures, auditing procedures, and compliance reporting
   Risk IT: Common risk view, compliance checklists, developing IT risk scenarios, compliance audits, IT risk roles, stakeholder involvement, responding to risks, and risk mitigation prioritisation
   Sources: Jansen and Grance (2011); ISACA (2009); COSO (2004)

3. NIST SP 800-144: Trustworthiness of clouds pertaining to the issues of insider access, data ownership, composite services, visibility, ancillary data, and risk management
   COSO: Risk-related philosophy and goals, managing conflicts of interest, rewards and penalties, transparency in risk management, allocating resources to risk management, social responsibility, conduct-related accountabilities, and risk- and compliance-related human resource protocols and procedures
   Risk IT: Define IT risk accountability, integrate IT and enterprise risks, independent assurance for IT risk management, single risk view, enterprise-level IT risk policy, monitoring and controls, and effective communication of IT risks
   Sources: Jansen and Grance (2011); ISACA (2009); COSO (2004)

4. NIST SP 800-144: Trustworthy computing architecture pertaining to the issues of attack surface, virtual network protection, virtual machine imaging, and client-side protection
   COSO: Determine risk tolerance levels of capital assets, map tolerance levels to industry averages, break up risk tolerances into departmental risk thresholds, identify and measure events against tolerance levels, and use advanced techniques (like process flow analysis and surveys)
   Risk IT: IT risk assessment, IT risk tolerance levels, IT risk indicators, mapping IT systems to IT risks, develop IT risk scenarios, IT risk monitoring, IT risk registry, preventive controls, and response priorities
   Sources: Jansen and Grance (2011); ISACA (2009); COSO (2004)

5. NIST SP 800-144: Identity and access management and protection
   COSO: Risk indicators, escalation triggers, loss event tracking, ongoing event identification, categorising events, establishing interrelationships among events, establishing risk metrics, applying qualitative and quantitative modelling techniques, assessing inherent and residual risks, choosing response strategies, applying controls, and information and communication
   Risk IT: Identify IT risk scenarios, monitor IT risks, identify incidents, initiate incident response, maintain incident response plans against risk scenarios, and communicate lessons learnt from risk events
   Sources: Jansen and Grance (2011); ISACA (2009); COSO (2004)

6. NIST SP 800-144: Isolation of user areas in multi-tenancy environments
   COSO: Same as in row 5
   Risk IT: Identify IT risk scenarios, monitor IT risks, identify incidents, initiate incident response, maintain incident response plans against risk scenarios, and communicate lessons learnt from risk events
   Sources: Jansen and Grance (2011); ISACA (2009); COSO (2004)

7. NIST SP 800-144: Data protection
   COSO: Same as in row 5
   Risk IT: Identify IT risk scenarios, monitor IT risks, identify incidents, initiate incident response, maintain incident response plans against risk scenarios, and communicate lessons learnt from risk events (regulatory compliance controls will also apply)
   Sources: Jansen and Grance (2011); ISACA (2009); COSO (2004)

8. NIST SP 800-144: Availability of services
   COSO: Same as in row 5
   Risk IT: Identify IT risk scenarios, monitor IT risks, identify incidents, initiate incident response, maintain incident response plans against risk scenarios, and communicate lessons learnt from risk events
   Sources: Jansen and Grance (2011); ISACA (2009); COSO (2004)

9. NIST SP 800-144: Incident management
   COSO: Same as in row 5
   Risk IT: Identify IT risk scenarios, monitor IT risks, identify incidents, initiate incident response, maintain incident response plans against risk scenarios, and communicate lessons learnt from risk events
   Sources: Jansen and Grance (2011); ISACA (2009); COSO (2004)

10. NIST SP 800-144: Outsourcing controls
    COSO: Same as in row 5
    Risk IT: IT risk considerations while taking business-related decisions, obtaining management and stakeholder buy-in, maintaining IT risk scenarios, IT risk transfer, and providing independent assurance of IT risk management (regulatory controls will also apply)
    Sources: Jansen and Grance (2011); ISACA (2009); COSO (2004)

11. NIST SP 800-144: Contractual obligations
    COSO: Same as in row 5
    Risk IT: IT risk considerations while taking business-related decisions, obtaining management and stakeholder buy-in, maintaining IT risk scenarios, IT risk transfer, and providing independent assurance of IT risk management (regulatory controls will also apply)
    Sources: Jansen and Grance (2011); ISACA (2009); COSO (2004)

12. NIST SP 800-144: Commissioning and decommissioning procedures
    COSO: Same as in row 5
    Risk IT: A combination of the controls in contractual obligations / outsourcing and data protection
    Sources: Jansen and Grance (2011); ISACA (2009); COSO (2004)

13. NIST SP 800-144: Principles of fair information practices for clients
    COSO: Same as for trustworthiness of clouds and trustworthy computing architecture (rows 3 and 4)
    Risk IT: A combination of the controls in contractual obligations / outsourcing and data protection
    Sources: Jansen and Grance (2011); ISACA (2009); COSO (2004)

14. NIST SP 800-144: Independent security auditing
    COSO: Independent auditing, gap analysis reporting, and certifying practices
    Risk IT: Independent assurance of IT risk management
    Sources: Jansen and Grance (2011); ISACA (2009); COSO (2004)

15. NIST SP 800-144: Security resources management and monitoring
    COSO: No specific controls mentioned; however, controls identified
for trustworthy
computing may
apply

Same as
trustworthy
computing
controls

Jansen and
Grance
(2011); ISACA
(2009)
; COSO
(2004)

16

Certification and
accreditation

Independent
auditing, gap
analysis reporting,
and certifying
practices

Independent
assurance of IT
risk management

Jansen and
Grance
(2011); ISACA
(2009); COSO
(2004)

17

Secure systems
configurations and
managing security
patches

Same as identity
and access
management
protection

Same as
trustworthy
computing
controls

Jansen and
Grance
(2011); ISACA
(2009); COSO
(2004)

18

Developing security
-
related
competencies

Risk Management
committee with
desired
compe
tencies for
identifying,
assessing and
Build and allocate
adequate
resources for IT
risk management,
implementing IT
risks
-
related
Jansen and
Grance
(2011); ISACA
(2009); COSO
(2004)

Page
48

of
69


S.
No.

NIST SP 800
-
144

COSO

Risk IT

Sources

managing risks

inventory
controls, and
effective IT
-
risk
communications


The above integration can be accomplished in the form of the framework presented in Figure 10.

Figure 10: Integrated risk management framework by mapping the controls of COSO, NIST, and Risk IT, as per Table 2



NIST SP 800-144 is proposed as the umbrella framework because it identifies the risks prevailing in cloud computing environments. However, the NIST standard does not identify the processes, underlying standards, and risk assessment and mitigation frameworks needed to treat those risks. In this context, Risk IT and COSO are used as additional standards, integrated and positioned under the umbrella framework. Risk IT has a strong process orientation, whereas COSO has a strong technical and mathematical / statistical orientation. NIST SP 800-144 may be used for defining the scope, the statement of applicability, and risk identification. After the roles of Risk IT and COSO are completed, the NIST standard can be used to document the security policy. Risk IT can be used for designing the risk management organisational structure and roles, and for the processes and templates for reviews, assessments, and reporting. COSO can be used for the technical side of risk management: statistical modelling of risk assessment, and risk categorisation and prioritisation. It can further be used for identifying controls and testing their effectiveness. Once all these tasks are accomplished, a security policy document can be designed as per the NIST recommendations, keeping in view all risks on the cloud and the compliance needed from all participating agents.

5.2. Discussion

NIST SP 800-144 comprises a list of controls identified for managing security risks in cloud computing environments. The standard does not present how these controls can be implemented. However, it mentions that implementation approaches for the stated controls can be taken from existing standards on IT risk management, such as ISO 27005 and ISACA COBIT 5 (Risk IT). This is where this research can serve as a value addition. Table 2 presents the names of the most appropriate procedures chosen from COSO and Risk IT to implement the controls mentioned in NIST SP 800-144.

A close observation reveals that the focus of COSO is on identifying, developing, implementing, and operating scientific approaches to identifying risks and implementing controls, whereas the focus of Risk IT is on defining, implementing, and operating organisational roles and processes for risk management. Hence, the hierarchy of standards may be as follows:

(a) Risk assessment and analysis using scientific methods: COSO

(b) Identifying controls: NIST SP 800-144

(c) Implementing roles, structures, and processes: Risk IT

(d) Implementing an organisation-wide risk view: Risk IT

(e) Implementing technical and systemic controls: COSO

(f) Technical and systems auditing: COSO

(g) Process auditing: Risk IT

(h) Implementing corrective actions related to roles, structures, and processes: Risk IT

(i) Implementing corrective actions related to technologies and systems: COSO

In a cloud computing environment, implementing these steps will require collaboration among all cloud service providers offering bundled services to tenants. The single risk view concept can be implemented by publishing an extranet on which all cloud service providers publish their respective risks and mitigation actions. The tenant organisations should be given access to the extranet so that they can learn about the risk management system, its processes, identified risks, mitigation actions, and audit reports. This will help them to plan their respective risk management frameworks in line with the framework used by the cloud service providers, and to address the areas not covered by the service providers. For example, user and group access and privileges within a tenant's private environment need to be addressed by the tenant's own risk management framework.

If a single cloud service provider is not able to fulfil all the security controls needed by the SME, services from several cloud service providers may be chosen based on their ability to fulfil those controls. In this way the risks are divided, and an optimum selection of cloud providers can be finalised keeping in mind the overall risk mitigation objectives. For example, e-mail may be hired from one cloud and collaboration applications from another, depending upon how well each handles the risks related to these services. A possible combination is that the cloud chosen for e-mail has better e-mail protection features, while the cloud chosen for collaboration has better protection features for instant messaging and video conferencing.

SMEs may have to pay an extra cost by segregating services in this way, and each additional provider brings its own contract, accounts and interfaces that must be monitored, but they can achieve optimum mitigation of the risks identified with the help of NIST SP 800-144. The controls chosen from COSO and Risk IT will help in consolidating the identification, assessment, and mitigation of risks in one place, irrespective of which cloud provider is responsible for which risks.

5.3. Summary

This chapter presents the findings for the second research question. A close mapping between the controls recommended by NIST SP 800-144 and those of COSO and Risk IT is presented after careful interpretation of every control in these standards. It has been observed that COSO places strong emphasis on applying scientific, mathematical, and statistical theories in identifying risks, assessing them and their impacts, and formulating controls. On the other hand, Risk IT is focussed on an enterprise-wide risk view to ensure transparency, and better and timelier contributions from all roles in the enterprise in mitigating the risks. Based on this understanding, and keeping NIST SP 800-144 as the umbrella framework, a hierarchy of standards for the various steps of risk assessment and management in cloud computing is proposed.










Chapter 6: Findings against research question 3

6.1. Findings

The third research question of this research is stated below. It pertains to the benefits that SMEs can expect if these standards are employed by cloud service providers in the way the mappings are proposed in Chapter 5.

How can the NIST SP 800-144, COSO, and Risk IT standards help SMEs dependent upon cloud-hosted resources in managing their IT risks?

As learnt from the literature, an SME should follow the checklist presented below when signing up with a cloud service provider:

(a) Document the security requirements in detail

(b) Integrate the security requirements into the overall requirement specifications

(c) Analyse in detail the bare minimum and the desirable expectations on how these specifications can be met

(d) Assess multiple cloud providers

(e) Shortlist the ones that match the expectations as closely as possible

(f) Initiate negotiations and contractual procedures

(g) Agree the security and risk management roles, checklists, and accountabilities

(h) Implement the services on one or more clouds after buying their subscriptions; build tolerance against risk scenarios by using multiple cloud services; prefer a phased rollout

(McDonald, 2010; Chen and Yoon, 2010; Mukhin and Volokyta, 2011; Jansen and Grance, 2011)

NIST SP 800-144 presents a separate section on how SMEs should prepare themselves before entering the cloud so that their risks are mitigated effectively in the best possible ways