Research Proposal
A study of NIST SP 800-144 standard on IT risk management
in cloud computing: Creating a novel framework for
implementing it in Small and Medium sized Enterprises (SMEs) by
applying COSO and ISACA’s Risk IT frameworks
Sandeep Kaur Sidhu
Student ID – 110075823
sidsy006@mymail.unisa.edu.au
Master of Science (Computer & Information Science)
University of South Australia
Proposal submitted to the University of South Australia
School of Information Technology & Computer Sciences
In partial fulfilment of the
requirements for the degree of
Master of Science (Computer & Information Science)
Supervisor: Dr Kim-Kwang Raymond Choo
Date: June 2013
Abstract
Cloud computing is a new form of service-oriented computing in which clients are
offered software applications, platforms, infrastructure, databases, and security as
services. Currently, there are unclear regulations and models about how cloud
computing vendors should undertake IT security and risk management accountabilities.
NIST SP 800-144 is the first standard by a regulatory body on cloud computing security,
but it needs to be supported by other standards and empirical theories. A synergised
form of NIST SP 800-144 with COSO and Risk IT has been proposed for SMEs to
manage their own IT risks amid limited expectations from cloud service providers and
uncertainty about applicable regulations. The three standards can be used with the
assumption that not everything is in the control of even large-scale enterprises, yet they
still manage their risks. The same philosophy, certain internal practices in an uncertain
external environment, can be applied by SMEs as well. The findings reveal how SMEs
can plan their cloud hosting ambitions, how they can define their own standards and
expectations, how they can select multiple clouds, and how they can build their own
controls by using multiple cloud service providers and investing some additional sums.
Table of Contents
Table of Figures:......................................................................................................................................... 4
Chapter 1: Introduction .............................................................................................................................. 5
1.1. Background and context ................................................................................................................ 5
1.2. Research motivation ...................................................................................................................... 8
1.3. Research aim and objectives ..................................................................................................... 10
1.4. Research questions ..................................................................................................................... 10
1.5. Contribution to the Research ..................................................................................................... 11
Chapter 2: Literature review ................................................................................................................... 12
2.1. Introduction .................................................................................................................................... 12
2.2. Empirical review of IT risk management ................................................................................... 12
2.3. IT risk management frameworks ................................................................................................ 14
2.4. Empirical review of cloud computing ......................................................................................... 18
2.5. Security risks and IT risk management in cloud computing................................................... 20
2.6. A review of NIST 800-144 framework ....................................................................................... 24
2.7. Summary........................................................................................................................................ 25
Chapter 3: Research Methodology ........................................................................................................ 26
3.1. Philosophy, approach, and methodology.................................................................................. 26
3.2. Research methods ....................................................................................................................... 27
3.3. Sampling ........................................................................................................................................ 29
3.4. Data collection............................................................................................................................... 30
3.5. Data analysis ................................................................................................................................. 31
3.6. Ethical considerations .................................................................................................................. 31
3.7. Summary........................................................................................................................................ 31
Chapter 4: Research significance and expectations
4.1. Research Plan & Schedule
4.2. Provisional Thesis Table of Contents
References
Table of Figures:
Figure 1: A triangulated model of cloud security (Ahmad and Janczewski, 2010: p. 4) ... 7
Figure 2: An example integrated model of risk management framework in cloud
computing based on COSO framework (Horwath et al., 2012: p. 9) ........................ 8
Figure 3: An overview of Risk IT Framework (ISACA, 2009, p. 33) ............................... 15
Figure 4: COSO Risk Management Framework (COSO, 2004, p. 2) ............................ 17
Figure 5: The multi-level service oriented architecture in the cloud computing (Zhang,
Cheng, and Boutaba, 2009: p. 10) ......................................................................... 19
Figure 6: Research Plan………………………………………………………………………34
Chapter 1: Introduction
1.1. Background and context
This research is related to IT risk management challenges in cloud computing
and the practical implementation of NIST SP 800-144 standard specifically designed for
risk management in the clouds. Cloud computing has emerged as a new concept of
commodity services in the world of computing, storage, broadband network access,
platform services, and software services (Doherty, Carcary, and Conway, 2012: p. 2).
Cloud computing vendors such as Google, Microsoft, and Amazon offer rapid provisioning
of on-demand self-operating services with minimal intervention by the service provider
(Clemons and Chen, 2010: p. 3). These benefits are mostly availed of by small and
medium scale enterprises, given their lack of capital funding for establishing expensive
self-hosted IT infrastructures (Miller, 2009: p. 9-10).
Cloud computing offers many business benefits to customers, especially in
saving operating costs, managing IT enabled businesses with minimum administrative
overheads, and getting access to world class software platforms and applications
managed by their original manufacturers (Doherty, Carcary, and Conway, 2012: p. 2).
However, cloud computing has multiple IT risks due to shared platforms, data
confidentiality and privacy in user areas protected by virtual boundaries, identity thefts,
privacy issues, vendor or data lock-in, loss of governance, loss of compliance, insider
trading, and shared network and software vulnerabilities (Doherty, Carcary, and
Conway, 2012: p. 3-4; ENISA, 2010: p. 5-6). Given that cloud computing systems
are multi-vendor and multi-tenant, a standard legally-enforceable risk management
framework incorporating all service providers and tenants is the key challenge (ENISA,
2010: p. 3).
Risks in cloud computing arise due to shared services, cross-border litigation,
data location, inter-cloud compatibility issues, lack of legal support for consumers, trust
issues on service providers, IT security risks, consumer issues, privacy issues, data
segregation issues, and data proliferation issues (Chandran and Agnepat, 2010: p. 3-5;
Clemons and Chen, 2010: p. 5-7; Fan and Chen, 2012: p. 23-24; Jansen, 2011: 2-4;
Sabahi, 2011: p. 245-247).
Fan and Chen (2012: p. 20-21) proposed that there should be an integrated risk
management standard incorporating regulators, service providers, and customers. This
standard should take care of cross-border litigation issues and data location uncertainty,
as well. A model for analysing risks at component levels of multiple layers of cloud
computing needs to be established and agreed among all parties based on their
priorities and impacts. This can be done by applying globally accepted standards like
COSO, Risk IT (COBIT 5), and ISO 27005. For example, Ahmad and Janczewski
(2010: p. 4) presented a triangulated model of cloud computing security employing
integration of globally accepted security standards, statutory laws, and cloud services
(Figure 1). In this model, the cloud service provider can choose any standard or set of
standards for implementing risk management as long as they are integrated with the
statutory laws and regulations applicable to the services offered. Hence, if Sarbanes-Oxley
2002 regulators recognise ISO 27005 for self-hosted IT infrastructures, cloud
computing service providers can adopt ISO 27005 and customise it for implementing an
effective IT risk management framework covering each component on the cloud such
that they can demonstrate compliance with Sarbanes-Oxley regulations.
Figure 1: A triangulated model of cloud security (Ahmad and Janczewski, 2010: p. 4)
Horwath et al. (2012: p. 8-9) presented an example scenario (Figure 2) of how
such an integrated model can be implemented using COSO (Committee of Sponsoring
Organizations of the Treadway Commission) risk management framework. They
integrated the candidates offering cloud solutions, service delivery models, deployment
models, business processes, and regulatory governance requirements in a single risk
management framework based on the COSO standard. They recommended that the COSO
enterprise risk management framework can be used to define, establish, and
continuously improve an audit checklist used by regulators. Once standardised and
enforced, all cloud services and solutions providers will implement controls in
accordance with the standard and incorporate terms in agreements with specific roles of
cloud tenants and service providers.
Figure 2: An example integrated model of risk management framework in cloud
computing based on COSO framework (Horwath et al., 2012: p. 9)
1.2. Research Motivation
The problem is that there is a need for a standardised risk management framework
for cloud computing that is accepted globally for regulatory compliance. The Cloud
Security Alliance has recommended standard methods for risk management on cloud
computing (IET, 2012: p. 3). However, these recommendations have not been
standardised by regulation authorities. Mostly, regulation authorities prefer ISO 27005,
ISO 27001, ISO 27002, and COBIT standards for demonstrating regulatory compliance
of IT security and risk management (IET, 2012: p. 5-6). Cloud service providers need to
find ways of using these standards for IT risk management. A new ISO standard (ISO
27017) is emerging for cloud computing risk management that is expected to be ratified
in 2014. It may be the preferred choice of regulators, but until then there is a serious
lack of internationally accepted standards fit for regulatory compliance of security and
risk management of cloud service providers (Rittinghouse and Ransome, 2010: p. 158-159).
This problem poses a serious business risk for SMEs given that they have the most
prominent reasons to adopt cloud computing services and are rapidly moving their IT
systems to the clouds (Dai, 2009: p. 56; Haselmann and Vossen, 2011: p. 10; Jansen
and Grance, 2011: p. 21; Karabek, Kleinert, and Pohl, 2011: p. 28).
NIST SP 800-144 is the first US regulatory standard for implementing risk
management in the clouds (Jansen and Grance, 2011). This standard was released in
2011 but is not yet adequately supported by implementation procedures such that
cloud providers can adopt a standardised framework for managing cloud risks. This
standard needs exploratory study such that it can be mapped to other established risk
management standards used for IT risk management. The above problem description
and this challenge have been taken as the research problem. The researcher intends to
explore the NIST SP 800-144 standard and map it to COSO and ISACA’s Risk IT
standards such that an appropriate risk management framework for SMEs using cloud
computing can be proposed.
1.3. Research aim and objectives
With reference to the background and context established above, and the
research problem, the following research aim is defined for this research:
Aim: To explore NIST SP 800-144, COSO, and Risk IT standards and the existing
theories complementing their recommendations, and propose an IT risk management
framework for SMEs using cloud computing to run their businesses. In the absence of
established standards proposed by regulators, this research will focus on how SMEs can
protect themselves from IT risks while using cloud hosted resources.
The aim is supported by the following research objectives:
(a) To study the IT risk exposures of businesses using cloud computing resources
(b) To explore NIST SP 800-144, COSO, and Risk IT standards and the existing
theories complementing their recommendations
(c) To analyse how these standards can help the SMEs, dependent upon cloud
hosted resources for running their businesses, in managing IT risks
1.4. Research questions
This research is directed by the aim and objectives proposed above for finding
answers to the following research questions:
(a) What are the IT risk exposures of businesses that use cloud hosted resources for
running their business processes?
(b) How can the NIST SP 800-144 standard be supported by COSO and Risk IT
standards and the existing theories complementing their recommendations?
(c) How can NIST SP 800-144, COSO, and Risk IT standards help SMEs dependent
upon cloud hosted resources in managing their IT risks?
These questions will be answered through exploratory studies of the literature on cloud
computing security and risk management and of the stated standard documents.
1.5. Contribution of this research
The NIST SP 800-144 standard on its own cannot serve the purpose of creating and
implementing security policies and procedures on cloud computing. It definitely has
some firm guidelines, but they need to be augmented by practical research studies and
outcomes. In this research, the researcher has identified and reviewed the literature
presenting recommendations on controls that can augment the
recommendations of this standard. This research presents a consolidated view of such
controls and presents an actionable framework that can be tested and adopted in real
world environments or used for further research.
Chapter 2: Literature review
2.1. Introduction
Cloud computing is a new framework for delivering IT services to customers
connecting to its various layers through the Internet. It has gained significant popularity in
recent years due to lowered capital expenses and affordable revenue expenses offered
to cloud tenants. However, the threats and uncertainties looming on cloud computing
are wider due to shared infrastructures, virtual tenant boundaries, and spreading of data
across multiple locations beyond territorial jurisdiction due to virtualised storage
systems networked using virtual networking. These challenges have caused privacy
and trust issues leading to reluctance by many business entities and public sector
organisations in adopting cloud services. Looking into these challenges, NIST has
released a standard SP 800-144 for managing risks on cloud computing. Given that it is
a new standard, there are no academic references on practical implementation of SP
800-144 in organisations. The research is proposed to combine SP 800-144 with two
popular risk management frameworks, ISACA’s Risk IT and COSO, to design an
actionable risk management framework for Small and Medium scale enterprises using
cloud hosting for their IT services needs. The resulting framework will be validated by
interviewing risk management practitioners.
2.2. Empirical review of IT risk management
Risk management in IT is concerned with protection of IT assets such that the
negative impacts on business due to loss, unauthorised modifications, or unavailability
of an IT asset can be minimised or eliminated completely (Humphreys, Moses, Plate,
1998: p. 11). IT assets comprise information units (business-related documents and
records), and the assets used for creating, processing, disseminating, storing,
transmitting, and archiving the information units (Humphreys, Moses, Plate, 1998: p.
11). IT assets are exposed to numerous threats emanating from the Internet or internal
hackers (Elgarnal, 2009: p. 12). These threats can compromise the confidentiality,
integrity, and availability of IT assets leading to financial, legal, reputational, customer,
and employee impacts to the organisation (Dhillon and Backhouse, 2000: p. 126;
Humphreys, Moses, Plate, 1998: 9). Identification, assessment, and management of IT
risks are needed to reduce or eliminate the vulnerabilities such that the external threats
do not compromise the IT assets and their confidentiality, integrity, and availability
(Anderson and Choobineh, 2008: p. 24; Humphreys, Moses, Plate, 1998: 14; Ozkan
and Karabacak, 2010: p. 568).
The risk identification, assessment, and management framework comprises
quantitative evaluation of influencing factors and assigning values to them (Ozkan and
Karabacak, 2010: p. 572; Humphreys, Moses, Plate, 1998: 22). The key values of
concern are importance of assets to the business, most relevant threats, magnitude of
impacts on business, probability of impacts, and internal vulnerabilities prevailing in the
IT systems of the organisation (Gandotra, Singhal, and Bedi, 2009: p. 720-721;
Humphreys, Moses, Plate, 1998: 24-25; Ozkan and Karabacak, 2010: p. 570). The risk
value is a quantitative outcome of asset value (a function of confidentiality, integrity, and
availability ratings), threat value (product of probability value and impact value), and
vulnerability value (probability of breach) (Gandotra, Singhal, and Bedi, 2009: p. 722;
Humphreys, Moses, Plate, 1998: 25). Finally, all risks are logged in an enterprise-wide
risk register and assigned to individual risk managers for invoking risk treatment by
avoiding, accepting, transferring, or eliminating the risks (Shortreed, 2008: p. 10-11).
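As an added worked example (not part of the proposal or of the cited standards), the scoring rule described above is carried through in Python for a small constructed risk register: asset value from the confidentiality, integrity and availability ratings, threat value as probability times impact, vulnerability value as the probability of breach, and a register ordered by the resulting risk value with an owner and a treatment decision per entry. The sample assets, threats and ratings are constructed, and the exact combination rule (the maximum of the three ratings as the asset value, and a plain product of the three values as the risk value) is an assumption, since the review only states that the risk value is a function of them; the `Asset`, `Threat` and `RiskEntry` types and the `build_register` and `treat` functions are names chosen here.

```python
"""Quantitative risk register (added illustration, not the proposal's own method)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # ratings on an assumed 1 (low) to 5 (high) scale
    integrity: int
    availability: int

    def value(self) -> int:
        # Assumption: the asset value is the highest of the three ratings, so an asset
        # that is critical on any one property is treated as a high-value asset.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float  # likelihood the threat materialises in the assessment period
    impact: int         # business impact on the same 1..5 scale

    def value(self) -> float:
        # Threat value = probability x impact, as in the review above.
        return self.probability * self.impact


@dataclass
class RiskEntry:
    asset: str
    threat: str
    score: float
    owner: str
    treatment: str = "undecided"


# The four treatment options named in the review.
TREATMENTS = {"avoid", "accept", "transfer", "eliminate"}


def risk_score(asset: Asset, threat: Threat, vulnerability: float) -> float:
    """Risk value = asset value x threat value x vulnerability value (assumed product rule)."""
    if not 0.0 <= vulnerability <= 1.0:
        raise ValueError("vulnerability must be a probability of breach in [0, 1]")
    return asset.value() * threat.value() * vulnerability


def build_register(assessments, owners):
    """Score each (asset, threat, vulnerability) triple, assign owners from the list
    in rotation, and return the register ordered from highest to lowest risk."""
    register = []
    for i, (asset, threat, vulnerability) in enumerate(assessments):
        register.append(RiskEntry(asset.name, threat.name,
                                  risk_score(asset, threat, vulnerability),
                                  owners[i % len(owners)]))
    register.sort(key=lambda e: e.score, reverse=True)
    return register


def treat(entry: RiskEntry, decision: str) -> RiskEntry:
    """Record the risk manager's treatment decision; only the four options are valid."""
    if decision not in TREATMENTS:
        raise ValueError(f"unknown treatment {decision!r}; expected one of {sorted(TREATMENTS)}")
    entry.treatment = decision
    return entry


# Constructed sample input for a small cloud-hosted SME; all values are illustrative.
SAMPLE_ASSESSMENTS = [
    (Asset("customer database", 5, 4, 3), Threat("credential theft", 0.5, 4), 0.5),
    (Asset("public website", 1, 3, 4), Threat("denial of service", 0.75, 2), 0.5),
    (Asset("mail server", 3, 3, 5), Threat("malware via attachment", 0.25, 4), 0.25),
]
SAMPLE_OWNERS = ["ops lead", "security officer"]


if __name__ == "__main__":
    for entry in build_register(SAMPLE_ASSESSMENTS, SAMPLE_OWNERS):
        print(f"{entry.score:5.2f}  {entry.asset:18s} {entry.threat:24s} owner={entry.owner}")
```

With the sample values the customer database scores 5.0 (asset 5, threat 0.5 x 4, vulnerability 0.5), the website 3.0 and the mail server 1.25, so the register lists them in that order; changing the combination rule (for instance summing the C/I/A ratings instead of taking the maximum) is the kind of organisation-specific choice the review leaves open.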
2.3. IT risk management frameworks
Some of the popular IT risk management frameworks are ISO 27001 (BSI, 2005),
ISO 27005 (BSI, 2008), NIST 800-30 (NIST, 2001), ISACA’s Risk IT (ISACA, 2009), and
COSO. ISO 27001 is a standard for implementing information risk management system
using information risk management as the fundamental framework and building upon it
the management system for establishing, operating, reviewing, and improving an
information security management system (BSI, 2005: p. 8-9). ISO 27005 and NIST 800-30 deal with a framework of information risk management system comprising risk
identification, risk assessment, risk prioritisation, risk treatment, and application of
controls using qualitative and quantitative data collection and analytical methods (BSI,
2008: p. 10; NIST, 2001: p. 8). ISACA’s Risk IT is a modern IT risk management
framework that considers an organisation-wide risk view system as the core of the
framework enabling all departments to view the bigger picture and treat risks
accordingly. COSO risk management framework follows a similar approach with specific
focus on people aspects of IT risk management and risk aware culture in the
organisation at all levels of the organisational hierarchy, irrespective of designation,
role, and responsibilities (COSO, 2004: p. 18).
The frameworks chosen for integrating with NIST 800-144 framework are
ISACA’s Risk IT and COSO risk management framework. These frameworks have been
chosen for two reasons:
(a) There are sufficient references available on these standards for establishing a
theoretical foundation.
(b) Both these standards focus on organisation-wide risk views ensuring bigger
picture visualisation of IT and related risks. In cloud computing, the risk
management framework needs to protect all tenants and hence such a model
has been recommended by NIST 800-144, as well. Hence, it is expected that
the three models will synergise effectively.
Figure 3: An overview of Risk IT Framework (ISACA, 2009, p. 33)
The ISACA Risk IT framework is presented in Figure 3 above. The Risk IT
framework comprises three primary domains – risk governance, risk evaluation, and risk
response. The idea of an enterprise-wide view of IT risks is to ensure that they can be
treated keeping the bigger picture in consideration and ultimately are integrated with the
enterprise-wide risk management framework. This is to ensure that when risk-aware
analysis is done, the IT risks are included in the risks considered for making business
decisions. The focus is not only on technical risks but also is on IT-linked business risks
such that the risk profile maintained for IT systems can be linked with business
objectives and business risks. In this way, IT-related risks are prioritised keeping in view
their linkage with high priority business risks. The IT systems linked with high business
risk profiles from business perspective are prioritised. Such decisions are made by
business in collaboration with IT, which is the key advantage of enterprise-wide visibility
of IT risks and their linkages with business risks. The risk response is carried out
accordingly. (ISACA, 2009: 34-37)
The COSO model of risk management is presented in Figure 4 below. It is an
enterprise-wide risk management framework with IT risk management embedded within
the larger system. This model is based on risk appetite and risk management
philosophy defined in the organisation, which is based on various internal standards
maintained by the management. In this model, risk appetite and tolerance levels are
defined as a part of business objectives of the firm. The rest of the model has been
taken from NIST 800-30 and ISO 27005 standards for risk identification, assessment,
prioritisation, and treatment, and communications, monitoring, and control systems for
ensuring appropriate risk-aware culture within the organisation. Risk-related culture is
viewed as the core of COSO framework. (COSO, 2004: 3-12)
Figure 4: COSO Risk Management Framework (COSO, 2004, p. 2)
The risk management modelling for cloud computing has been carried out by
integrating COSO and ISACA’s Risk IT and using them as supporting frameworks for
NIST 800-144 standard. This integration can combine the two major
philosophies proposed by the two standards, organisation-wide risk view and
risk-related organisational culture. These two philosophies can be viewed as primary
enablers of accurate categorisation and treatment strategy of risks and of effectiveness
of security controls for treatment of risks. In cloud computing, multiple flavours of
service providers (SaaS, PaaS, and IaaS, as discussed in the next section) serve
numerous tenants (clients) for various business purposes. Hence, the organisation-wide
risk view philosophy will result in sharing of risk-related information with all
stakeholders with clear demarcation of accountabilities at service providers’ end and
clients’ end. Such a demarcation will enable the SaaS, PaaS, and IaaS providers
(discussed in the next section), and the clients to identify the controls needed at their
respective ends and own them.
Having reviewed the empirical theories and models in IT risk management, the
next step is to understand cloud computing closely and identify the risks prevailing in
cloud IT environments. The next section presents an empirical view of cloud computing.
2.4. Empirical review of cloud computing
Cloud computing is characterised by three forms of delivery, as described by
NIST in their technology roadmap for cloud computing, Vol. II (Badger et al., 2011: p.
11-15). These models are:
(a) Software as a service (SaaS)
(b) Platform as a service (PaaS)
(c) Infrastructure as a service (IaaS)
The three models have different service offerings and mode of deliveries. The
SaaS providers use PaaS clouds to host business applications on various platforms and
the PaaS providers use IaaS clouds to energise their platforms. Mostly, SaaS providers
are direct interfaces to customers. Customers interface with PaaS clouds for developing
in-house cloud-based development capabilities. Some customers interface with IaaS
clouds for renting raw storage and computing powers. (Badger et al., 2011: p. 16-21;
Chorafas, 2011: p. 24-30)
As per Qian, Luo, Du, and Guo (2009: p. 628-629), Microsoft Azure and Google
App Engine can be classified as PaaS clouds, Google Apps can be classified as a SaaS
cloud, and Amazon Elastic Compute can be classified as an IaaS cloud. Zhang, Cheng,
and Boutaba (2009: p. 10) elaborated such a classification in their multi-level service
oriented model presented below:
Figure 5: The multi-level service oriented architecture in the cloud computing (Zhang,
Cheng, and Boutaba, 2009: p. 10)
As per the multi-level service oriented model by Zhang, Cheng, and Boutaba
(2009: p. 10-12), cloud hosted applications like salesforce.com and mysap.com, that
keep their platforms hidden from customers, may be categorised as SaaS providers.
Microsoft Azure and Google App Engine open their platforms for customers for
developing applications and hence may be categorised as PaaS providers. Amazon
EC2 and Go Grid offer their infrastructure services (elastic computing and storage) to
customers for deploying their own platforms. Hence, they may be categorised as IaaS
providers.
Tai, Nimis, Lenk, and Klems (2010: p. 4-9), Armbrust et al. (2010: p. 50-54), and
Miller (2009: p. 23-30) presented the following benefits of cloud computing for end-customers:
(a) Elastic computing and storage facilities
(b) Rapid application development and deployment
(c) Pay-per-usage model
(d) No administrative, obsolescence, and upgrading hassles
(e) State of the art infrastructure and platforms
(f) Access to world class business applications
(g) Ubiquitous access
(h) Easy commissioning and decommissioning
(i) No capital expenses
(j) Affordable recurring expenses
These benefits have attracted a number of end-customers to cloud computing, resulting
in rapid and significant growth of this industry. However, there are some security risks
that need to be managed effectively on cloud computing. Unlike self-hosted
infrastructures, risk management is not that straightforward in cloud computing. These
aspects are discussed in the next section.
2.5. Security risks and IT risk management in cloud computing
Cloud computing employs the same IT infrastructure components as employed in
self-hosted IT infrastructures. However, the differentiation is due to virtualisation and
web services architecture (web 2.0) based multi-tenancy framework. Modern
organisations maintain internal security controls and hire people to manage them.
However, if competitors connect to the same IT infrastructure and use shared IT
resources for running their business applications, there are doubts on trustworthiness
and reliability of the personalised environments provided by the service providers. The
competitors worry about data proliferation across the virtual boundaries established for
tenants on cloud computing. The scenario becomes more challenging when most of the
security controls are managed by the cloud service providers and the tenant
organisations lack visibility as well as control over their data security. These challenges
drive security risks and IT risk management on cloud computing. (Sabahi, 2011: p.
245-246; Jansen, 2011: 2-3)
The cloud service providers deploy large-scale infrastructures with state-of-the-art
security technologies. Hence, there is less chance that the traditional security risks
striking self-hosted IT may strike clouds. The challenges are more related to multi-tenancy,
pooling of shared infrastructure components, and common access to
applications. IT resource provisioning is normally implemented through
virtualisation and web 2.0 interfacing for application access. Hence, virtualisation and
web services security risks are more prominent on cloud computing. (Jansen and
Grance, 2011: p. 8-10; Jansen, 2011: 4-5)
Given that cloud computing comprises shared infrastructure components, the
boundaries around work areas offered to tenants are virtual and protected by security
settings in virtualised servers and network components. Hence, tenant organisations
perceive unclear risk profiles of identity theft, privilege hacking, exploits, session
masquerading, and other Internet and virtualisation-based exploits. In addition to
unknown risk profiles due to virtualised environments and web services architecture, the
tenant organisations have little control over security-related settings on the clouds. Most
of the controls are managed by the platform and infrastructure services providers
interfacing with the software-as-a-service provider. Hence, tenant organisations are
unclear about their role in risk treatment and the effectiveness of risk treatments
conducted by the service providers. The strength of virtualised boundaries is unclear
and hence tenant organisations are unsure about protection of their data from Internet
threats, competitors’ activities, proliferation attempts, insider trading, lock-in attempts
(by the cloud service providers), and breaches of confidentiality, integrity, and reliability.
(Sabahi, 2011: p. 246-247; Jansen, 2011: p. 6; Jing and Jian-Jun, 2010: p. 477; Tripathi
and Mishra, 2011: p. 3)
Another significant challenge facing effective risk management on cloud
computing is related to auditing and forensics for control effectiveness testing and
regulatory compliance. The cloud providers need to provide standard interfaces, system
generated logs, tenant specific logs, auto-generated hash functions, virtual machine
cloning/regeneration, and snapshots of tenant databases for law enforcement, forensic
investigations, and regulatory auditing. The traditional host-based forensics, system
auditing, vulnerability analysis, penetration testing, and other popular mechanisms need
to be taken to the clouds in a service oriented approach. New technology and legal
dimensions need to evolve for distributed computing, virtualised infrastructures, and
web services architectures to address this gap. (Chen et al., 2013: p. 44-46; Chen and
Yoon, 2010: p. 255-256; Ruan et al., 2011: p. 8-10; Taylor et al., 2011: p. 6)
Risk management in cloud computing is different compared to self-hosted IT
systems of individual organisations. In clouds, risk management needs to be
implemented in a multi-agency mode, whereby each agent may be a different
organisation or a different service provider. In such a scenario, an enterprise-wide view
of risk may be difficult to achieve, leaving risk treatments disconnected from business
objectives and performance goals. This is highly risky for tenant organisations as well
as service providers. Tenant organisations may be affected by an irrational approach to
risk identification and treatment, causing poorer security and privacy controls. Service
providers may be affected by losing clients and market share if a major data breach
occurs that affects multiple tenants hosted on their respective clouds. Hence, there
needs to be a mechanism for a common risk view in which all agents access a common
risk registry, log their risks, and publish reports of their mitigation activities. The tenant
organisations can log into the registry and view the treatments of the risks that they are
concerned about. In this way, there will be transparency and integration of risk
management on the cloud. The risks may be treated using hierarchical analytics of each
layer of the cloud such that the tenant organisations gain visibility into risk treatments of
the layers invisible to them. This framework, combined with standardised forensics and
cloud audits, can enhance cloud computing reliability considerably. (Mukhin and
Volokyta, 2011: p. 739; Peiyu and Dong, 2011: p. 3202; Zech, 2011: p. 413; Zhang et al.,
2010: p. 1331-1332)
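The common risk registry described in this paragraph, together with the hash-verified logs called for in the forensics paragraph above, as an added illustration in Python that is not part of the proposal or of any cited standard: providers and tenants log risks and mitigation reports into one append-only, hash-chained registry, and each tenant reads a per-layer roll-up covering only the risks that affect it. The layer names, the 1..5 likelihood/impact scales, the effectiveness factor and the sample entries are constructed assumptions.

```python
"""Toy model of a shared, multi-agency cloud risk registry (added illustration)."""
import hashlib
import json
from dataclasses import dataclass, field

LAYERS = ("infrastructure", "platform", "software")  # assumed cloud layers

@dataclass
class Risk:
    risk_id: str
    layer: str
    owner: str               # agent (provider or tenant) that logged the risk
    likelihood: int          # 1..5, constructed scale
    impact: int              # 1..5, constructed scale
    affected_tenants: set
    treatments: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        # Each published mitigation report declares its own effectiveness in 0..1.
        score = float(self.inherent_score())
        for t in self.treatments:
            score *= 1.0 - t["effectiveness"]
        return round(score, 2)

class RiskRegistry:
    """All agents write to one hash-chained, append-only log; tenants read a filtered view."""

    def __init__(self) -> None:
        self._risks = {}
        self._log = []

    def _append(self, event: dict) -> None:
        # Chain each entry to the previous digest so later alteration is detectable.
        prev = self._log[-1]["hash"] if self._log else "0" * 64
        body = dict(event, prev=prev)
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self._log.append(dict(body, hash=digest))

    def log_risk(self, risk: Risk) -> None:
        if risk.layer not in LAYERS:
            raise ValueError(f"unknown layer {risk.layer}")
        self._risks[risk.risk_id] = risk
        self._append({"type": "risk", "id": risk.risk_id, "layer": risk.layer, "owner": risk.owner})

    def publish_treatment(self, agent: str, risk_id: str, control: str, eff: float) -> None:
        risk = self._risks[risk_id]
        if agent != risk.owner:          # only the owning agent reports its own treatments
            raise PermissionError(f"{agent} does not own {risk_id}")
        risk.treatments.append({"agent": agent, "control": control, "effectiveness": eff})
        self._append({"type": "treatment", "id": risk_id, "agent": agent, "control": control})

    def tenant_view(self, tenant: str) -> dict:
        """Per-layer roll-up of the risks affecting one tenant; other tenants' risks stay hidden."""
        view = {layer: {"risks": 0, "inherent": 0, "residual": 0.0} for layer in LAYERS}
        for r in self._risks.values():
            if tenant in r.affected_tenants:
                v = view[r.layer]
                v["risks"] += 1
                v["inherent"] += r.inherent_score()
                v["residual"] = round(v["residual"] + r.residual_score(), 2)
        return view

    def verify_log(self) -> bool:
        # Recompute the hash chain; False if any entry was altered or reordered.
        prev = "0" * 64
        for entry in self._log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != entry["hash"]:
                return False
            prev = digest
        return True

def build_sample_registry() -> RiskRegistry:
    """Constructed sample: two providers and one tenant log into the same registry."""
    reg = RiskRegistry()
    reg.log_risk(Risk("R1", "infrastructure", "iaas-provider", 2, 5, {"tenant-a", "tenant-b"}))
    reg.log_risk(Risk("R2", "platform", "paas-provider", 3, 4, {"tenant-a"}))
    reg.log_risk(Risk("R3", "software", "tenant-a", 4, 3, {"tenant-a"}))
    reg.log_risk(Risk("R4", "platform", "paas-provider", 3, 3, {"tenant-b"}))
    reg.publish_treatment("iaas-provider", "R1", "hypervisor patch cadence", 0.5)
    reg.publish_treatment("paas-provider", "R2", "per-tenant encryption keys", 0.75)
    return reg
```

Calling build_sample_registry().tenant_view("tenant-a") shows the infrastructure and platform risks with residual scores 5.0 and 3.0 after the providers' published treatments, while R4 (another tenant's risk) does not appear.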
The reviews presented in the above paragraphs are outcomes of academic research
studies. However, they are not standardised for application in a cloud environment.
NIST SP 800-144 is the first attempt to standardise cloud computing security. A review
of the standard is presented in the next section.
2.6. A review of NIST 800-144 framework
The NIST SP 800-144 standard is organised in six chapters, including the
introduction and conclusion. The key chapters are Chapter 4 on issues and
propositions concerning security and privacy in cloud computing, and Chapter 5 on
secure outsourcing to public clouds. The standard presents issues and propositions on
the following (Jansen and Grance, 2011: p. 14-35):
(a) Governing deployment, expansion, and change management in cloud
computing
(b) Meeting compliance obligations on the clouds
(c) Achieving trustworthy computing on the clouds
(d) Standardisation of cloud computing architecture taking care of security,
auditing, and other requirements
(e) Access control and identity protection on the clouds
(f) Isolating software and platform environments on cloud computing
(g) Protecting data and its life cycle on the clouds
(h) Ensuring data availability on the clouds
(i) Responding to incidents in clouds
The standard addresses most of the concerns raised by scholars in the academic
literature. However, the recommendations need to be tested in practical environments
by executing pilot tests or running simulations. In addition to these propositions, the
standard presents a detailed plan of activities for moving IT resources to cloud
computing environments. It has a separate section of recommendations for small and
medium scale enterprises that need cloud computing to run their IT-enabled
businesses. (Jansen and Grance, 2011: p. 14-35)
2.7. Summary
In this chapter, a detailed literature review pertaining to the research topic is
presented. The literature review forms a background of empirical theories on IT risk
management, popular risk management models and cloud computing in general. In
addition, specific sections on IT risks on cloud and NIST SP 800-144 standard’s
framework are presented. In this way, the context of this research with all background
information is clarified. The next chapter presents a detailed review of research
methods and presents a finalised research design for this study.
Chapter 3: Research design
3.1. Philosophy, approach, and methodology
Every research study follows the epistemological or ontological philosophies that have
emerged in hundreds of years of human knowledge building (Bryman and Bell, 2007: p.
9). Epistemology deals with the acceptance of knowledge gained through knowledge
building efforts (like research) by the interested communities (like scientists, physicists,
engineers, and philosophers) (Bryman and Bell, 2007: p. 9-10). Ontology deals with the
interrelationship between the structural frameworks of social systems and human
beings (Bryman and Bell, 2007: p. 10). Hence, ontology is mostly concerned with social
research (Bryman and Bell, 2007: p. 10).
Epistemology has two philosophies depending upon the way knowledge is
developed from a knowledge building exercise. Interpretivists build knowledge by
exploring and generating theories whereas positivists build knowledge by confirming
and proving theories. Interpretivists use an inductive approach to knowledge building in
which knowledge generation is based on evidence and examples. Positivists use the
deductive approach to knowledge building in which knowledge generation is based on
scientific experiments, mathematics, statistics, simulation or any other accepted
confirmatory technique. The inductive approach is mostly associated with qualitative
research methodology, which is used for organised data collection in the form of text and
images. The deductive approach is mostly associated with quantitative research
methodology, which is used to collect data in numerical form only. (Bryman and Bell, 2007:
p. 11-15; Collis and Hussey, 2009: p. 24-27; Saunders, Lewis, and Thornhill, 2011: p.
114-121)
In this research, the researcher wants to explore three standards of risk
management – NIST SP 800-144, COSO, and ISACA’s Risk IT. The data collection will
comprise mostly text and images. The researcher wants to use evidence from the
literature to generate theories. For this approach, the combination of interpretive
philosophy, inductive approach, and qualitative methodology is most suitable. Accepting
these as the choices of this research, a review of research methods under qualitative
methodology is presented in the next section.
3.2. Research methods
Qualitative studies are conducted by collecting text and images, reducing,
organising and coding of information, and making interpretations with the help of
existing empirical theories (Saunders, Lewis, and Thornhill, 2011: p. 141). The key
research methods under qualitative methodology are the following (Saunders, Lewis,
and Thornhill, 2011: p. 141-151; Thompson and Walker, 1998: p. 65-70):
(a) Anthropological Ethnography: This technique has been used historically for
observing cultures and communities and collects a significant amount of textual,
image, and video data. Ethnography involves data collection mostly through
observations and occasional chatting (not interviewing or surveying). It
generates a significant amount of data that needs to be sorted, categorised,
reduced, and codified to derive meaningful information for
comparing/contrasting with the results of other research studies.
(b) Phenomenology: This technique is based on learning from the collective
experiences of human beings. It involves interviewing or surveying human
beings about their experiences of the phenomena under study. Normally,
such research studies return highly valid data given that the collective
experiences of a large number of human beings cannot be wrong. Accurate
sampling is the key to the success of phenomenology.
(c) Grounded Theory: Grounded theory involves organised data collection from
research settings and comparing them with pre-established theories. It is a
lengthy process and requires high interpretation skills to analyse the data
collected accurately as well as the results of comparing/contrasting with
previously established theories.
(d) Action Research: It is also referred to as participatory research. In action
research, the researcher participates with subjects in a research setting and
works closely with them to find out solutions to the research problems
prevailing in the research setting.
(e) Delphi: It is an iterative decision-making process in which the opinions of a group
of respondents are taken in multiple rounds of questioning, with the results of
each round shared with the group. It is widely used for consensus building.
(f) Archival study: It involves an organised study of archives related to the
research problem. It is mostly based on secondary data.
The researcher's choice in this study is archival research. The researcher
intends to study published documents on NIST SP 800-144, COSO, and ISACA’s Risk
IT, and related research studies. The research questions pertain to IT risk exposures of
SMEs on cloud computing, employing NIST 800-144 with supporting standards (Risk IT
and COSO), and formulating an IT risk management framework for SMEs on cloud
computing. These research questions can be addressed through archival research
because of the ready availability of literature, published standards, and published
research reports. It is expected that this research will gain sufficient insight into the
standards and the underlying theories supporting them. This will help in achieving a
reasonable level of generalisability in this research.
3.3. Sampling
In qualitative methodology, sampling may be of judgmental type, quota type,
snowball type, or convenience (access-based) type (Collis and Hussey, 2009: p. 209-214).
Judgmental sampling type helps the researcher to choose units in the sample as
per pre-determined criteria established to meet the research objectives. Quota sampling
type employs judgmental sampling as well, but the sample units are taken from multiple
populations based on a quota assigned per population. Snowball sampling type helps
the researcher to build the sample gradually in parallel with progress of the research.
Convenience sampling type helps the researcher to build the sample based on
availability of population members.
In this research, the judgmental sampling type is chosen such that the sample
units are based on researcher’s chosen criteria for selection. The following criteria have
been used for choosing the sample units from the population (books, journals, published
research studies, standards documentation, and such other reliable sources):
(a) Is a reliable and reviewed source
(b) Is based on primary or secondary data, and insights from experts in this field
(c) Relevant to the research topic and context (risk management on cloud
computing)
(d) Will help in answering research questions and meet the objectives
(e) Will help in developing a theoretical framework for managing risks on cloud
computing for SMEs
Sampling has been conducted using an iterative reading approach. In the first
round a large number of references were chosen with general keywords, like
cloud computing security, cloud computing risk management, and security standards on
cloud computing. The summaries of all these references were studied and a first sample
set was chosen based on the sampling criteria presented above. The researcher
studied the references in the first sample set in detail and rejected the ones that did not
deliver relevant information needed for this research. After the rejections, the second
sample set was chosen and finalised.
3.4. Data collection
The researcher has primarily accessed reputable databases for collecting the
sources in the sample. The key databases used are IEEE Xplore, ACM, Science Direct
(Elsevier and Pergamon), Emerald, and Springer. In addition, the researcher has
included published research studies at master and doctorate levels on university
websites. The core references about the standards reviewed have been taken from the
COBIT, COSO, and NIST websites. Some popular books published by reputable
publishers (like Pearson, Elsevier, IGI, and CRC) have been chosen as well. Data was
collected in two forms – in exploratory form, reviewed in Chapter 2, and in tabulated
form, presented in Chapters 4, 5, and 6. In Chapter 2, data is collected and
reviewed to build the knowledge of theories, and in Chapters 4, 5, and 6, data is
collected to find answers to the research questions.
3.5. Data analysis
Data analysis is conducted qualitatively by collecting the relevant definitive points
from the references and analysing them. As proposed by Saunders, Lewis, and
Thornhill (2011: p. 143-145), data analysis should be conducted in such a way that the
data sets reflect the theories applied to them and point towards new theories evolving
from such applications. In Chapter 2, the data collected from references will be
reviewed. The theoretical foundation will be established and, with its help, a background
will be prepared for answering the research questions.
3.6. Ethical considerations
Collis and Hussey (2009: p. 74-76) warned that the researcher should be careful
in conducting the research ensuring that there is no deception, dishonesty, or bias. In
this research, there are no human respondents. However, use of secondary sources
invokes the need for protecting their intellectual property rights and protecting the
research against plagiarism. Hence, all sources have been cited within the contents and
a list of references is included at the end. In addition, all figures have been redrawn.
3.7. Summary
The following is the summary of the research design chosen in this research:
(a) Philosophy – interpretive
(b) Approach – inductive
(c) Methodology – qualitative
(d) Method – archival
(e) Sampling – judgmental
(f) Data collection – iterative reading and collecting definitive facts
(g) Data analysis – qualitative interpretations of data tabulated against the
research questions
(h) Ethics – citation, referencing, and drawing original figures
Chapter 4: Research significance and expectations
This research will be significant for researchers studying the change in business
risks and IT risks of SMEs that have moved their IT resources to cloud computing. This
research may serve as a useful reference document for such research aspirants,
especially in the fields of security controls and risk management for SMEs using cloud
computing. In addition, this research may be able to generate some useful information
for SMEs using cloud hosted resources that are looking for methods and ways of
managing IT risks. This research shall produce a synergy of three professional
standards and clarify their implementation approaches with the help of the academic
literature. Hence, it is expected that the results will be actionable in real world business
environments. Given an opportunity, the researcher will seek to disseminate the
knowledge gained through the university website, journals, and conferences.
The following results are expected in this research:
(a) A detailed review of literatures for identifying controls that can be used with NIST
SP 800-144 standard
(b) Mapping of NIST SP 800-144 recommendations with the controls identified, and
with COSO and Risk IT standards
(c) Analysis of how this mapping will help SMEs using cloud hosted resources in
managing their IT risks
These results will help in enhancing practical implementation of IT risk
management in cloud computing using NIST SP 800-144 standard. The results will
present a consolidated view of opportunities to address security and privacy issues on
the clouds. Some controls may be easily implementable and some of them may require
long term multi-agency alignments and policy changes. However, the consolidated view
can be helpful in preparing short-term and long-term goals for enhancing IT risk
management on the clouds.
4.1 Research Plan & Schedule
The following table provides the schedule and planned time for researching on the
proposed topic.
Date                                   Assignment
February 2013                          Project & Supervisor
2nd March 2013                         Topic of thesis
3rd March – 7th March 2013             Planning of research work
8th March – 30th April 2013            Literature Review
11th April – 20th April 2013           Annotated bibliography writing
22nd April 2013                        Annotated Bibliography submission
23rd April – 16th May 2013             Finalize Research Question
17th May – 30th May 2013               Research Proposal Writing
1st June – 10th June 2013              Minor Thesis proposal Submission & presentation
11th June 2010 - 25th July 2013        Data Collection
26th July – 25th August 2013           Evaluation of data collected from theories
26th August – 30th September 2013      Thesis writing
15th October 2013                      Draft submission
20th October 2013                      Receive comments for Corrections
28th October 2013                      Final Minor Thesis
Figure 6: Research Plan Table
4.2 Provisional Thesis Table of Contents
Abstract
Table of Figures
Chapter 1: Introduction
1.1 Background and Context
1.2 Research Problem
1.3 Research aim and objectives
1.4 Research questions
1.5 Research significance and expectations
1.6 Structure of dissertation
Chapter 2: Literature Review
2.1 Introduction
2.2 Empirical review of IT risk management
2.3 IT risk management frameworks
2.4 Empirical review of cloud computing
2.5 Security risks and IT risk management in cloud computing
2.6 A review of NIST 800-144 framework
2.7 Summary
Chapter 3: Research design
Chapter 4: Findings against research question 1
4.1 Findings
4.2 Discussions
4.3 Summary
Chapter 5: Findings against research question 2
5.1 Findings
5.2 Discussions
5.3 Summary
Chapter 6: Findings against research question 3
6.1 Findings
6.2 Discussions
6.3 Summary
Chapter 7: Conclusions and Recommendations
7.1 Conclusions
7.2 Recommendations
References
References
Ahmad, R. and Janczewski, L. (2010). "Triangulation theory: An approach to mitigate
governance risks in clouds". IEEE: p. 1-8.
Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A., Lee, G., Patterson, D.,
Rabkin, A., Stoica, I. and Zaharia, M. (2010). "A View of Cloud Computing".
Communications of the ACM, Vol. 53 (4): p. 50-58. ACM.
Anderson, E. E. and Choobineh, J. (2008). "Enterprise information security strategies".
Computers and Security, Vol. 27: p. 22-29. Elsevier.
Badger, L., Bohn, R., Chu, S., Hogan, M., Liu, F., Kaufmann, V., Mao, J., Messina, J., Mills, K.,
Sokol, A., Tong, J., Whiteside, F. and Leaf, D. (2011). "U.S. Government cloud
computing technology roadmap – Volume II". Special Publication 500-293, NIST (U.S.
Department of Commerce): p. 6-76.
Bakshi, K. (2011). "Considerations for Cloud Data Centers: Framework, Architecture and
Adoption". IEEE: p. 1-7.
Bryman, A. and Bell, E. (2007). "Business Research Methods". Second Edition. London: Oxford
University Press.
Chandran, S. P. and Angepat, M. (2010). "Cloud Computing: Analysing the risks involved in
cloud computing environments". IEEE: p. 1-6.
Chen, Z. and Yoon, J. (2010). "IT Auditing to Assure a Secure Cloud Computing". IEEE: p. 253-259.
Chen, Z., Han, F., Cao, J., Jiang, X. and Chen, S. (2013). "Cloud Computing-Based Forensic
Analysis for Collaborative Network Security Management System". IEEE Computer
Society: p. 40-50.
Chorafas, D. N. (2011). "Cloud Computing Strategies". London: CRC Press, Taylor and Francis
Group.
Clemons, E. K. and Chen, Y. (2010). "Making the Decision to Contract for Cloud Services:
Managing the Risk of an Extreme Form of IT Outsourcing". In CloudAsia2010, 2-7 May
2010, Singapore: p. 1-10.
Collis, J. and Hussey, R. (2003). "Business Research: a practical guide for undergraduate and
postgraduate students". Second Edition. Basingstoke: Palgrave Macmillan.
Cooper, D. and Schindler, P. (2003). "Business Research Methods". Statistics and Probability
Series. Seventh Edition. London: McGraw Hill International Edition.
Dai, W. (2009). "The impact of emerging technologies on small and medium enterprises
(SMEs)". Journal of Business Systems, Governance and Ethics, Vol. 4 (4): p. 53-60.
School of Law, Victoria University, Melbourne.
Dhillon, G. and Backhouse, J. (2000). "Information System Security Management in the New
Millennium". Communications of the ACM, Vol. 43 (7): p. 125-128.
Doherty, E., Carcary, M. and Conway, G. (2012). "Risk Management Considerations in
Cloud Computing Adoption". Research by Innovation Value Institute (IVI): p. 2-7.
Elgarnal, T. (2009). "The new predicaments of security practitioners". Computer Fraud and
Security, November 2009: p. 12-14. Elsevier.
ENISA (2010). "Cloud computing: benefits, risks and recommendations for information security".
European Network and Information Security Agency: p. 1-6.
"Enterprise Risk Management – Integrated Framework: application techniques". Committee of
Sponsoring Organizations of the Treadway Commission (COSO), 2004: p. 2-112.
Everett, C. (2011). "A risky business: ISO 31000 and 27005 unwrapped". Computer Fraud and
Security, February 2011: p. 5-7. Elsevier.
Fan, C. and Chen, T. (2012). "The Risk Management Strategy of Applying Cloud Computing".
International Journal of Advanced Computer Science and Applications, Vol. 3 (9): p. 18-27.
Gandotra, V., Singhal, A. and Bedi, P. (2009). "Threat mitigation, monitoring and management
plan - a new approach in risk management". IEEE Computer Society: p. 719-723.
Haselmann, T. and Vossen, G. (2011). "Software-as-a-Service in Small and Medium
Enterprises: An Empirical Attitude Assessment". European Research Center for
Information Systems (ERCIS), University of Munster, Germany: p. 1-14.
Herath, T. and Rao, H. R. (2009). "Encouraging information security behaviors in organizations:
Role of penalties, pressures and perceived effectiveness". Decision Support Systems,
Vol. 47: p. 154-165. Elsevier.
Herath, T. and Rao, H. R. (2009). "Protection motivation and deterrence: a framework for
security policy compliance in organizations". European Journal of Information Systems,
Vol. 18: p. 106-125. Operational Research Society, Palgrave Journals.
Horwath, C., Chan, W., Leung, E. and Pili, H. (2012). "Enterprise Risk Management for Cloud
Computing". Thought Leadership in ERM, Committee of Sponsoring Organizations of the
Treadway Commission (COSO) research paper: p. 3-32.
Humphreys, E. J., Moses, R. H. and Plate, E. A. (1998). "Guide to BS7799 risk assessment and
management". London: British Standards Institution: p. 1-74.
IET (2012). "Cloud Computing - The Security Challenge". Fact file by The Institution of
Engineering and Technology: p. 1-8.
"Information Technology — Security Techniques — Information Security Management System".
International Standard BS ISO/IEC 27001:2005. British Standards Institution (BSI),
2005: p. 7-35.
"Information Technology — Security Techniques — Information Security Risk Management".
International Standard BS ISO/IEC 27005:2008. British Standards Institution (BSI),
2008: p. 9-27.
Jansen, W. A. and Grance, T. (2011). "Guidelines on Security and Privacy in Public Cloud
Computing". NIST Special Publication 800-144: p. 4-88. National Institute of Standards
and Technology, U.S. Department of Commerce.
Jansen, W. A. (2011). "Cloud Hooks: Security and Privacy Issues in Cloud Computing". IEEE: p.
1-10.
Jing, X. and Jian-Jun, Z. (2010). "A Brief Survey on the Security Model of Cloud Computing".
IEEE Computer Society: p. 475-478.
Karabek, M. R., Kleinert, J. and Pohl, A. (2011). "Cloud Services for SMEs – Evolution or
Revolution?". Business Innovation, Quarter 1, 2011: p. 26-33.
Miller, M. (2009). "Cloud Computing: Web based applications that change the way you work and
collaborate online". US: Que Publishing (Pearson).
Mukhin, V. and Volokyta, A. (2011). "Security Risk Analysis for Cloud Computing Systems". In
the 6th IEEE International Conference on Intelligent Data Acquisition and Advanced
Computing Systems: Technology and Applications, 15-17 September 2011, Prague,
Czech Republic. IEEE: p. 737-742.
Ozkan, S. and Karabacak, B. (2010). "Collaborative risk method for information security
management practices: A case context within Turkey". International Journal of
Information Management, Vol. 30: p. 567-572. Elsevier.
Peiyu, L. and Dong, L. (2011). "The New Risk Assessment Model for Information System in
Cloud Computing Environment". Procedia Engineering, Vol. 15: p. 3200-3204. Elsevier.
Qian, L., Luo, Z., Du, Y. and Guo, L. (2009). "Cloud Computing: An Overview". In Jaatun, M. G.,
Zhao, G. and Rong, C. (Eds.), LNCS 5931: p. 626-631. Berlin: Springer-Verlag.
Rittinghouse, J. W. and Ransome, J. F. (2010). "Cloud Computing: Implementation,
Management, and Security". CRC Press.
Ruan, K., Carthy, J., Kechadi, T. and Crosbie, M. (2011). "Cloud forensics: An overview".
Centre for Cybercrime Investigation, University College Dublin and IBM Ireland Ltd: p. 1-16.
Saunders, M. N. K., Lewis, P. and Thornhill, A. (2007). "Research Methods for Business
Students". Fourth Edition. London: Prentice Hall.
Shortreed, J. (2008). "ISO 31000 - Risk management standard". Institute of Risk Research,
University of Waterloo: p. 2-24.
Tai, S., Nimis, J., Lenk, A. and Klems, M. (2010). "Cloud Service Engineering". In Proceedings
of ICSE 2010, 2-8 May 2010, Cape Town, South Africa. ACM: p. 475-476.
Taylor, M., Haggerty, J., Gresty, D. and Lamb, D. (2011). "Forensic investigation of cloud computing
systems". Network Security, Spring 2011: p. 4-10. Elsevier.
"The Risk IT framework: principles, process details, management guidelines, and maturity
models". ISACA, 2009: p. 7-103.
Thompson, C. B. and Walker, B. L. (1998). "Basics of Qualitative Research". A M
Journal, Vol. 17 (2): p. 64-72. Elsevier.
Tripathi, A. and Mishra, A. (2011). "Cloud Computing Security Considerations". IEEE: p. 1-5.
Zech, P. (2011). "Risk-Based Security Testing in Cloud Computing Environments". IEEE: p.
411-414.
Zhang, Q., Cheng, L. and Boutaba, R. (2010). "Cloud computing: state-of-the-art and research
challenges". Journal of Internet Services and Applications, Vol. 1: p. 7-18. Springer.
Zhang, X., Wuwong, N., Li, H. and Zhang, X. (2010). "Information Security Risk Management
Framework for the Cloud Computing Environments". IEEE: p. 1328-1334.