Thesis slides

Dr Kim Kwang Raymond Choo
Sandeep Kaur Sidhu
Student ID 110075823
sidsy006@myunisa.edu.au








1. Introduction
2. Research Objectives
3. Literature Review
4. Research Questions
5. Research Methodology
6. Findings
7. Contribution
8. References

Cloud computing offers many business benefits but also carries
multiple IT risks (Doherty, Carcary, and Conway, 2012).

A standard legally-enforceable risk management framework
incorporating all service providers and tenants is the key
challenge (ENISA, 2010).

A lack of standardised risk management framework for
regulatory compliance (IET, 2012).

The recommendations have not been standardised by
regulation authorities (IET, 2012).

In 2014, ISO 27012 will be authorized (Rittinghouse and
Ransome, 2010).

NIST SP 800-144 is not yet adequately supported by
implementation procedures that would let cloud providers
adopt a standardised framework for managing clouds.

The main concern is that cloud service providers need to find
ways of using the existing standards for IT risk
management.

Objective 1: To study the IT risk exposures of businesses using
cloud computing resources.

Objective 2: To explore the NIST SP 800-144, COSO, and Risk IT
standards and the existing theories complementing their
recommendations.

Objective 3: To analyse how these standards can help the SMEs,
dependent upon cloud hosted resources for running their businesses,
in managing IT risks.

Risk management in IT is concerned with protecting IT
assets that are exposed to numerous threats. It comprises risk
identification, risk assessment and risk management
(Ozkan and Karabacak, 2010; Humphreys, Moses and Plate,
1998).

This research addresses the IT risk management challenges in
cloud computing and the practical implementation of the NIST
SP 800-144 standard, which is specifically designed for risk
management in the cloud.

ISO 27001 - comprises establishing, operating, reviewing and
improving an information security management system (BSI,
2005).

ISO 27005 and NIST 800-30 – comprises risk identification, risk
assessment, risk prioritisation, risk treatment, and application of
controls (BSI, 2008; NIST, 2001).

ISACA’s Risk IT - comprises risk governance, risk evaluation and
risk response (ISACA, 2009).

COSO – based on the risk appetite and risk management philosophy of
the organisation at all levels; the rest of the model has been taken
from NIST 800-30 and ISO 27005 (COSO, 2004).
The frameworks chosen for integration with the NIST SP 800-144
framework are COSO and ISACA’s Risk IT risk management
framework, because:

There are sufficient references available on these standards for
establishing a theoretical foundation.

Both these standards focus on organisation-wide risk views ensuring
bigger visualisation of IT and related risks.

NIST SP 800-144 has a recommended model for managing risk in
cloud computing. Hence, it is expected that the three models will
synergise effectively.
Service model | Abbreviation | Description | Users | Examples
Software as a service | SaaS | On-demand access to any application | Users | Dropbox, Google Apps
Platform as a service | PaaS | Platform for building and delivering web applications | Developers | Google App Engine
Infrastructure as a service | IaaS | Virtualized machine infrastructure | System administrators | Amazon Web Services
(Badger et al., 2011)
Security Risk and IT Risk management in cloud computing



Virtualization (Jansen and Grance, 2011)
Web services security risk (Jansen and Grance, 2011)
Auditing and Forensics (Chen et al., 2013)

1. What are the IT risk exposures of businesses that use
cloud hosted resources for running their business processes?

2. How could the NIST SP 800-144 standard be supported by the
COSO and Risk IT standards and the existing theories
complementing their recommendations?

3. How can NIST SP 800-144, COSO, and Risk IT standards
help SMEs dependent upon cloud hosted resources in
managing their IT risks?

It is a combination of interpretive philosophy, inductive
approach and qualitative methodology.

Research method
Archival Study - studied published documents on NIST
SP 800-144, COSO, and ISACA’s Risk IT, and related
research studies.

The identity of business users may be stolen by eavesdroppers such that their
privileges can be misused.

Attackers may use exploits on the Internet to target vulnerabilities of applications
and underlying platforms.

All the threats prevailing at the network layer in self-hosted IT systems also exist
in clouds, because the components used to build cloud LANs and WANs are similar to
those of traditional self-hosted networks.
Sources: Tripathi and Mishra (2011), Jansen and Grance (2011), Jing and Jian-Jun
(2010), Sabahi (2011), and Jansen (2011)

Virtualisation results in spreading of data over a number of servers installed at
multiple physical locations. In global clouds, data may even cross national
boundaries.

Cloud security controls are not yet standardised.

Cloud vendors may tend to lock the services of tenants making it difficult for
them to change service providers in the scenario of unsatisfactory services.

Current IT risk management practices for cloud computing are inadequate.
Sources: Zhou et al., (2010), Zhang et al. (2010), and Sabahi (2011)

Existing technologies for technical auditing and forensics analysis may not be
effective on cloud platforms.

Users do not get control over their virtual computing and storage environments
because these are virtualised and are allocated from a large-scale pool.

There may be additional threats that may arise in a shared virtualised environment
with multi-tenancy settings.
Sources: Pearson and Benameur (2010), Jansen (2011), Jansen and Grance (2011)
NIST SP 800-144 | COSO | Risk IT
Controls on policies and procedures for IT services acquisition, operations, and enhancement | Risk appetite, risk tolerance, monitor and update risk controls, related roles, and communications | Integrate IT risks with enterprise risk management, and make risk-aware decisions
Compliance with laws and regulations pertaining to data location, data proliferation and electronic discovery | Internal accountability, risk awareness culture, map unit risks to company policies and procedures as per the compliance needs of the business | Compliance checklists and audits, develop IT risk scenarios and roles, respond to risks and prioritise risk mitigation
Jansen and Grance (2011); ISACA (2009); COSO (2004)
NIST SP 800-144 | COSO | Risk IT
Trustworthy computing architecture pertaining to the issues of attack surface, virtual network protection, and client-side protection | Determine, map and break up risk tolerances into departmental risk thresholds, identify and measure events against tolerance levels, and use advanced techniques | IT risk assessment, IT risk tolerance levels, IT risk indicators, develop IT risk scenarios, IT risk monitoring, IT risk registry, preventive controls, and response priorities
Identity and access management and protection; isolation of user areas in multi-tenancy environments; data protection; availability of services | Risk indicators, track loss events, identify and categorise events, establish interrelationships between risk metrics, assess residual risks, choose response strategies, apply controls | Identify IT risk scenarios, monitor IT risks, identify incidents, initiate and maintain incident response plans against risk scenarios, and communicate lessons learnt from risk events
Jansen and Grance (2011); ISACA (2009); COSO (2004)
NIST SP 800-144 | COSO | Risk IT
Principles of fair information practices for clients | Same as trustworthy computing architecture | A combination of controls in contractual obligations / outsourcing, and data protection
Security resources management and monitoring | No specific controls mentioned; however, controls identified for trustworthy computing may apply | Same as trustworthy computing controls
Secure systems configurations and managing security patches | Identity and access management protection | Trustworthy computing controls
Developing security-related competencies | Build and allocate adequate resources for IT risk management, implement inventory controls, and communications | Risk management committee with the desired competencies for identifying, assessing and managing risks
Jansen and Grance (2011); ISACA (2009); COSO (2004)

Document and integrate security requirements in the overall requirement
specifications.

Analyse in detail the bare minimum and desirable expectations on how these
specifications can be met.

Assess multiple cloud providers and shortlist the ones that match the expectations
as closely as possible.

Initiate negotiations and contractual procedures.

Agree security and risk management roles, checklists, and accountabilities.

Implement services on one or more clouds after buying their subscriptions
(Chen and Yoon, 2010; Mukhin and Volokyta, 2011; Jansen and Grance, 2011)

Build tolerances against risk scenarios using multiple cloud services (for example,
multiple data stores, multiple e-mail domains, and multiple application
instances), and divide tenants among them.

Prefer a phased rollout.

Test and compare performances.

Report performance measurement results to the respective cloud contacts.

Agree very clearly on commissioning and decommissioning terms and
procedures.

Agree on data cleaning procedures and guarantees.
(Chen and Yoon, 2010; Mukhin and Volokyta, 2011; Jansen and Grance, 2011)

Identified and reviewed the literature presenting
recommendations on controls useful for augmenting
the recommendations of the NIST SP 800-144 standard.

Presents a consolidated view of such controls.

Presents an actionable framework that can be tested and
adopted in real world environments.

Badger, L., Bohn, R., Chu, S., Hogan, M., Liu, F., Kaufmann, V., Mao, J., Messina, J., Mills, K., Sokol, A., Tong, J., Whiteside, F. and Leaf, D.
(2011). “U.S. Government cloud computing technology roadmap – Volume II”, Special Publication 500-293, NIST (U.S. Department of Commerce):
p. 6-76.

Chen, Z., Han, F., Cao, J., Jiang, X., and Chen, S. (2013), "Cloud Computing-Based Forensic Analysis for Collaborative Network Security
Management System", IEEE Computer Society: p. 40-50.

Doherty, E., Carcary, M. Dr., and Conway, G. (2012). "Risk Management Considerations in Cloud Computing Adoption", Research by Innovation
Value Institute (IVI), p. 2-7.

ENISA (2010). "Cloud computing: benefits, risks and recommendations for information security", European Network and Information Security
Agency, p. 1-6.

COSO (2004). "Enterprise Risk Management – Integrated Framework: application techniques", Committee of Sponsoring Organizations of the Treadway
Commission (COSO): p. 2-112.

IET (2012), "Cloud Computing - The Security Challenge", Fact file by The Institution of Engineering and Technology, p. 1-8, Theiet.org/factfiles
[Accessed: 14 August 2013].

“Information Technology — Security Techniques — Information Security Management System”. International Standard. BS ISO/IEC 27001:2005.
British Standards Institution (BSI), 2005: p. 7-35.

“Information Technology — Security Techniques — Information Security Risk Management”. International Standard. BS ISO/IEC 27005:2008.
British Standards Institution (BSI), 2008: p. 9-27.

Jansen, W. A. and Grance, T. (2011). "Guidelines on Security and Privacy in Public Cloud Computing", NIST Special Publication 800-144: p. 4-88,
National Institute of Standards and Technology, U.S. Department of Commerce.

Jansen, W. A. (2011). "Cloud Hooks: Security and Privacy Issues in Cloud Computing", IEEE: p. 1-10.

Jing, X. and Jian-Jun, Z (2010), "A Brief Survey on the Security Model of Cloud Computing", IEEE Computer Society: p. 475-478.

Mukhin, V. and Volokyta, A. (2011). "Security Risk Analysis for Cloud Computing Systems", In the 6th IEEE International Conference on
Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, 15-17th September 2011, Prague, Czech Republic,
IEEE: p. 737-742.

Ozkan, S. and Karabacak, B. (2010). “Collaborative risk method for information security management practices: A case context within Turkey”,
International Journal of Information Management, Vol. 30: p. 567–572, Elsevier.

Rittinghouse, J. W. and Ransome, J. F. (2010). "Cloud Computing: Implementation, Management, and Security", CRC Press.

“The Risk IT framework: principles, process details, management guidelines, and maturity models”, ISACA, 2009: p. 7-103.

Tripathi, A. and Mishra, A. (2011), "Cloud Computing Security Considerations", IEEE: p. 1-5.

Zhang, Q., Cheng, L. and Boutaba, R. (2010). “Cloud computing: state-of-the-art and research challenges”. Journal of Internet Services and
Applications, Vol. 1: p. 7-18. Springer.

Zhang, X., Wuwong, N., Li, H., and Zhang, X. (2010). "Information Security Risk Management Framework for the Cloud Computing
Environments", IEEE: p. 1328-1334.