Fluent Essays

After reading the article this week, please answer the following two questions. What are some of the potential risks involved with cloud computing? Does the research and model in this article propose a viable solution to cloud-based risk management? future internet Article ERMOCTAVE: A Risk Management Framework for IT Systems Which Adopt Cloud Computing Masky Mackita 1, Soo-Young Shin 2 and Tae-Young Choe 3,* 1 ING Bank, B-1040 Brussels, Belgium; [email protected] 2 Department of IT Convergence Engineering, Kumoh National Institute of Technology, Gumi 39177, Korea; [email protected] 3 Department of Computer Engineering, Kumoh National Institute of Technology, Gumi 39177, Korea * Correspondence: [email protected]; Tel.: +82-54-478-7526 Received: 22 June 2019; Accepted: 3 September 2019; Published: 10 September 2019 ���������� ������� Abstract: Many companies are adapting cloud computing technology because moving to the cloud has an array of benefits. During decision-making, having processed for adopting cloud computing, the importance of risk management is progressively recognized. However, traditional risk management methods cannot be applied directly to cloud computing when data are transmitted and processed by external providers. When they are directly applied, risk management processes can fail by ignoring the distributed nature of cloud computing and leaving numerous risks unidentified. In order to fix this backdrop, this paper introduces a new risk management method, Enterprise Risk Management for Operationally Critical Threat, Asset, and Vulnerability Evaluation (ERMOCTAVE), which combines Enterprise Risk Management and Operationally Critical Threat, Asset, and Vulnerability Evaluation for mitigating risks that can arise with cloud computing. ERMOCTAVE is composed of two risk management methods by combining each component with another processes for comprehensive perception of risks. In order to explain ERMOCTAVE in detail, a case study scenario is presented where an Internet seller migrates some modules to Microsoft Azure cloud. The functionality comparison with ENISA and Microsoft cloud risk assessment shows that ERMOCTAVE has additional features, such as key objectives and strategies, critical assets, and risk measurement criteria. Keywords: risk management; ERM; OCTAVE; cloud computing; Microsoft Azure 1. Introduction Cloud computing is a technology that uses virtualized resources to deliver IT services through the Internet. It can also be defined as a model that allows network access to a pool of computing resources such as servers, applications, storage, and services, which can be quickly offered by service providers [1]. One of properties of the cloud is its distributed nature [2]. Data in the cloud environments had become gradually distributed, moving from a centralized model to a distributed model. That distributed nature causes cloud computing actors to face problems like loss of data control, difficulties to demonstrate compliance, and additional legal risks as data migration from one legal jurisdiction to another. An example is Salesforce.com, which suffered a huge outage, locking more than 900,000 subscribers out of important resources needed for business transactions with customers [3]. The main cause of these incidences was poorly conducted risk identification during risk management process. Effective risk assess and being aware of different vulnerabilities are the best mechanism for Future Internet 2019, 11, 195; doi:10.3390/fi11090195 www.mdpi.com/journal/futureinternet http://www.mdpi.com/journal/futureinternet http://www.mdpi.com https://orcid.org/0000-0002-5253-3488 http://dx.doi.org/10.3390/fi11090195 http://www.mdpi.com/journal/futureinternet https://www.mdpi.com/1999-5903/11/9/195?type=check_update&version=2 Future Internet 2019, 11, 195 2 of 21 incidence prevention in cloud computing. Thus, a novel risk management framework is highly required to properly identify those risks and to provide an ultimate way of mitigating their occurrence. Our motivation comes from potential security risks of cloud computing due to their distributed nature and mainly the lack of dedicated risk management method. Many risk managers admit struggling to grasp the basics of how the cloud is deployed in their businesses, and how to manage risks linked to this new technology. Identifying risks and understanding them are the prime challenges. Risk management for cloud computing must discover some key risks, prioritize them, and formulate a mitigation plan. Due to the nature of cloud computing risks and the emergence of new risks, one-time risk assessment is not sufficient. The aim of the paper is to introduce a new risk management method ERMOCTAVE for mitigating risks in cloud computing environment. As a method, we coalesce Enterprise Risk Management (ERM) framework and risk-based information security methodology Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE). Although OCTAVE is prone to IT-related risks, ERM prioritizes risks and brings risk management to a more strategic level. As an example of ERMOCTAVE application, we suggest a case study scenario of an Internet seller who migrates a part of their web system to a cloud system, Microsoft Azure. The remaining section is organized as follows. Section 2 explains terminologies and related works. Section 3 explains the proposed ERMOCTAVE method in detail. Section 4 helps understanding of ERMOCTAVE using a case study with Microsoft Azure cloud. Section 5 compares functionality of ERMOCTAVE and two existing methods. Finally, Section 6 finishes with conclusion. 2. Terminologies and Related Works 2.1. Terminologies Cloud computing is a model for delivering data virtually on the Internet through web-based tools and applications, rather than a direct connection to a server. Resources are stored in servers. In the IT security environment, “risk” is the probability that a confidential information is exposed, data integrity is damaged, or information availability is interfered. Risk formula is the result of likelihood probability multiplied by the impact of the above events. Also, risk can be defined as result of identified vulnerability being exploited by a specific threat [4]. “IT risk management” is the process enabling the balance between operational cost and economic costs of protective controls in order to protect IT systems that support their organization’s objectives. This process provides decision-making in all areas of our lives not only in IT environments. An effective risk management methodology helps managers determine appropriate actions for offering security capabilities [1]. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a strategic assessment method for risk-based security [5]. It uses people’s knowledge of security practices to understand the current security posture of the organization. Unlike typical assessments, which only target technological risk, OCTAVE also considers organizational and strategic risks. Using OCTAVE, a small team of people from the operational units and the technology department together address the security requirements, balancing three key aspects: operational risk, security practices, and technology. The OCTAVE method has three phases in which processes are described below [5]. Phase 1 Build asset-based threat profiles: Phase 1 gathers information from the organization and defines threat profiles for critical assets. Process 1 Identify senior management knowledge: Information about important assets, security requirements, threats, current strengths, and current vulnerabilities is collected from senior managers. Future Internet 2019, 11, 195 3 of 21 Process 2 Identify operational area knowledge: The information is collected from managers of selected operational areas. Process 3 Identify staff knowledge: The information is collected from general staff and IT staff members. Process 4 Create threat profiles: Critical information assets are selected and threat profiles for those assets are defined. Phase 2 Identify infrastructure vulnerabilities: This phase evaluates key components of systems supporting the critical assets for technological vulnerabilities. Process 5 Identify key components: This process identifies key components from the systems that support the critical assets. Process 6 Evaluate selected components: Tools are run to evaluate the selected components, and the results are analyzed to refine the threat profiles. Phase 3 Develop security strategy and plans: The primary purpose of this phase is to evaluate risks on critical assets and to develop a protection strategy and risk mitigation plans. Process 7 Conduct risk analysis: A set of impact evaluation criteria is defined to elaborate the impact value (high, medium, or low). Process 8 Develop protection strategy: The organization-wide protection strategy focuses on improving security practices and mitigation plans, which reduce the important risks on critical assets are developed. Enterprise risk management (ERM) is a framework affected by the board of directors and the management of an entity. ERM aims to identify potential events that may affect the entity and to manage risks using its risk appetite. “Risk appetite” is the level of risk that the entity is prepared to accept in pursuit of its objectives. The level could be averse, minimal, cautious, open, or hungry. ERM offers assurance regarding the accomplishment of objectives set by the entity [6]. In ERM, uncertainty has both risk and opportunity. Risk can reduce value while an opportunity can enhance value. ERM components are described as follows. • Internal environment: the internal environment provides basics on how risk and control are addressed. • Objective setting: before the management identifies potential events, objectives of the entity are set. ERM makes sure that the objectives are consistent with the risk appetite. • Event identification: potential events impacting the entity are identified. This process involves identification of events from internal or external sources which affect the accomplishment of objectives. • Risk assessment: identified risks are analyzed and assessed on both inherent and residual basis considering risk likelihood and impact. • Risk response: possible responses to risks are identified. They include avoiding, accepting, reducing, and sharing risks. • Control activities: policies, procedures, and controls are established and implemented to sustain the risk response decisions. • Information and communication: relevant information is captured and communicated enabling people to carry out their responsibilities. • Monitoring: ERM is entirely monitored to react dynamically as changes are made. Future Internet 2019, 11, 195 4 of 21 2.2. Related Works The advantages of cloud computing over traditional networks are well known and they include fast deployment. However, identification of the risks in cloud computing is more difficult because of the lack of a dedicated framework. Such risks make businesses feel difficulty when adopting cloud technology. Over the last few years, a lot of documents have been written about risks and guidelines regarding cloud computing adoption. These documents rank highly as a security concern, but rank low across risks where a dedicated risk management framework is required. In that perspective, some organizations related with standardization frameworks have published risk management frameworks for cloud computing. The International Organization for Standardization (ISO/IEC JTC 1/SC 27) has developed a set of standards aiming to address risk management for cloud computing [7]. The standards are applied to new service models, such as Data as a Service (DaaS) and the cloud service brokers emergence, which offers intermediation, portability, governance, provisioning, and service integration, in addition to existing cloud services. However, the framework standards seem more like tools that enable understanding of the risks around cloud migration rather than an effective method to mitigate these risks. The European Network and Information Security Agency (ENISA) identified 35 types of risks by 19 contributors and lists eight top security risks based on indicative likelihood and impact [8]. The 35 risks are ranked from the lowest to the highest. Risk analysis proposed by ENISA is based on a real-life case study of a small- and medium-sized enterprise (SME) using cloud computing [9]. However, any risk management framework for mitigating risks in cloud computing is not included. Cloud Security Alliance (CSA) published “Top Threats to Cloud Computing V1.0”, which includes the top seven threats as identified by its members [10]. The objective is to provide threat identification that can be updated, because dynamic and distributed properties are major natures of cloud computing [11]. The threat list roles more as managerial tool for higher strategic decisions in cloud adoption. Still, there is a lack of risk management framework in cloud computing. National Institute of Standards and Technology (NIST) published two drafts titled “Cloud Computing Synopsis and Recommendations” [12] and “NIST Cloud Computing Standards Roadmap” [13]. The drafts introduce a cloud-adopted risk management framework for services moved to the cloud. This framework enables federal organizations to develop a computer security plan based on risk tolerance and the information sensitivity. The provided set of standards and guidelines supports risk response strategies. However, the framework only allows analysis of risks in cloud computing than a comprehensive method to assess them. Information Systems Audit and Control Association (ISACA), published a document, “IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud”, which introduces a guide to cloud controls taken from COBIT, Val IT, and Risk IT [14]. Its framework is not quite structured to identify and mitigate potential risks in cloud computing. A cloud risk assessment framework based on the ISO 31000 standard was introduced by Microsoft [15]. It has six steps that evaluate risks for cloud service candidates and focuses on decision-making for cloud-based computing. The framework provides value to decision-making process. However, it lacks mitigation plan after a specific risk has been identified and assessed. Since the above-mentioned risk management frameworks lack details on real application, ideas especially for risk assessment methods, have been proposed as follows. Fitó et al. proposed SEmi-quantitative BLO-driven Cloud Risk Assessment (SEBCRA) for the risk assessment process [16]. SEBCRA uses the impact of risk on a given business-level objective (BLO) and its probability to calculate its risk level estimation (RLE). Priority of a BLO is decided by the RLE and risks are treated based on the Future Internet 2019, 11, 195 5 of 21 priority. Since SEBCRA uses semiquantitative risk assessment, choosing the most critical risks and treating them is still left to experts. Martens and Teuteberg proposed a decision-making method when choosing a cloud computing source among multiple providers using quantified cost including risk [17]. The method provides equations of component factors with parameters decided by experts and conditions. FICO Xpress Optimization is used to optimize the cost that satisfies the linear equations [18]. This method can be combined with any risk management framework when a decision-making is necessary. Fan and Chen proposed a risk evaluation method that qualifies identified risks using pairwise comparisons matrices [19]. After evaluating each risk to two values, frequency and severity, the method locates the risks to a quadrant space in order to visualize the effect of each risk. Above mentioned works demonstrate that there is no effective method for risk management on immigration to cloud computing. The works are just guidelines or reports on understanding cloud computing risks. If a researcher attempts to propose a framework on the immigration situation, the lack of important features required for proper risk management, such a mitigation plan, critical asset identification, or control activities, is evident. 3. ERMOCTAVE Method 3.1. Structure of ERMOCTAVE Although OCTAVE and ERM are good frameworks for risk management in their objectives, they are not sufficient for an organization that immigrates to cloud computing. The major advantage of OCTAVE is that three levels, IT technological department, security department, and operational units work in the combined manner. ERM pays attention to uncertainty that holds risk and opportunity at the same time. Since cloud computing is a popular IT technology with uncertainly, we suggest a combination of OCTAVE and ERM with supplements like mitigation plan step. Basically, ERMOCTAVE is constructed by distributing ERM components to OCTAVE phases as follows [20]. Phase 1: ERM components “Internal environment” and “Objective setting” are merged to OCTAVE phase 1 (Built asset based threat profiles). Such integration helps to make threat profiles in a viewpoint of the organization’s objective. Phase 2: ERM components “Event identification” and “Risk assessment” are merged to OCTAVE phase 2 (Identify infrastructure vulnerability). Since OCTAVE has component oriented viewpoints on assets, event and risk oriented viewpoints of ERM help correct identification of vulnerabilities. Phase 3: ERM components “Risk response”, “Control activities”, “Information and communication”, and “Monitoring” are merged to OCTAVE phase 3 (Develop protection strategies and mitigations plans.). The ERM components enrich protection and mitigation methods of OCTAVE. 3.2. ERMOCTAVE Phase 1 In the phase, threat profiles for critical assets are reported as a result. The profiles are used to identify vulnerabilities and risks. The phase proceeds in the following 8 processes. P1.1 Objective setting: this process defines core objectives of the organization who uses cloud computing services. From the objectives, the reason to use the cloud computing services is derived. P1.2 Internal environment: the main roles in the organization are described in detail to identify assets and vulnerabilities in the following processes. Future Internet 2019, 11, 195 6 of 21 P1.3 Identify assets: this process creates a list of assets. The following question should be answered. • what are important assets? P1.4 Identify current security practices: this process creates a list of security practices in use. The following question should be answered: • Which cloud functionalities are used to protect the important assets? P1.5 Identify critical assets: this process selects important assets critical to the objectives. The following questions should be answered. • Which assets largely impact on the objectives if they are disclosed to unauthorized people? • Which assets largely impact on the objectives if they are modified without authorization? • Which assets largely impact on the objectives if they are lost or unavailable? P1.6 Describe security requirements for critical assets: this process clarifies security properties of critical assets. The following questions should be answered. • Is the critical asset proprietary or sensitive? • What is the security requirement for the critical assets? Are confidentiality, integrity, or availability important for them? P1.7 Identify current vulnerability of the organization: this process creates a list of vulnerabilities using the following question. • Which damage on the assets injures the objectives? P1.8 Create threat profiles for critical assets: the goal of this process is to identify threats that affect critical assets through the vulnerabilities; the following question should be answered. • Which potential threats have a non-negligible possibility? 3.3. ERMOCTAVE Phase 2 In this phase, risks are identified and assessed by events and vulnerability identification. The phase is composed of the following 3 processes. P2.1 Event identification: this process identifies events that can affect on the assets. P2.2 Review of identified vulnerabilities: this process links each vulnerability presented on the assets to each potential risk. The following question should be answered. • Which technological vulnerabilities are presented on the assets? P2.3 Risk assessment: inherent and residual risks are identified. “Inherent risk” is a risk that has existed in the given organization, and “residual risk” is a risk that still exists even after all controls are applied. 3.4. ERMOCTAVE Phase 3 In this phase, risks on critical assets are evaluated, and protection strategies and mitigation plans are created. The phase is composed of the following 6 processes. P3.1 Identify risks to critical assets: the goal of the process is to link each critical asset to an identified risk. P3.2 Create risk evaluation criteria and evaluate risks: for each risk, the following question should be answered. • Which degree of impact is imposed on the organization’s impact area, e.g., reputation, productivity, and customer confidence? Future Internet 2019, 11, 195 7 of 21 Also, the process defines the risk evaluation criteria required to understand qualitative measures of the impacts. The following questions should be answered in order to design the risk evaluation criteria. • What defines the degree of each impact such as high, medium, or low? • What is the evaluation value of each degree of impact—high, medium, and low? If the number of risks is large and the evaluation is difficult, even for experts, a methodology proposed by Fan and Chen can be used [19]. In the simple case, the risk score, RSk, for risk k is defined as follows [21]. RSk = I ∑ i=1 rki vki (1) where • I: the number of impact areas • rki: ranking of impact area i on risk k (ri = 1, 2, · · · , I), high ranking has high value of rki and rankings are different for each. That is, rki 6= rkj if i 6= j. • vki: impact value of impact area i on risk k. The values are decided by experts, for example, low (1), medium (2), and high (3). P3.3 Create risk response and protection strategy: risk response is identified for each identified risk. Four types of risk responses are used, as follows [22]. • Avoidance: provides activities to eliminate the risk. • Reduction: implements control activities and takes actions to reduce the risk likelihood, risk impact, or both. • Sharing: reduces risk likelihood by transferring to or by sharing a portion of the risk with other subjects or organizations. • Acceptance: takes no action against the risk likelihood or impact. After determining risk responses, the goal of this process is to develop a protection strategy. The following key questions can be used during this activity. • Which training innovation could help the organization adopting cloud computing to improve its security posture? • How to ensure that all staff in the organization using cloud computing understands their security roles and responsibilities? • What can be done to improve protection of an organization when dealing with external partners? • How to ensure that all staff are aware of business continuity and disaster recovery plans? P3.4 Create risk mitigation plans: the goal of the process is to make a risk mitigation plan using the following questions. • Which risk will be mitigated immediately? • Which risk will be mitigated later? • What actions could be taken to make the mitigation plan? P3.5 Control activities: the mitigation plan composed of control activities is implemented in this process. The types of controls will be preventive, detective, manual, or automated. P3.6 Identify next steps and monitoring: The senior managers must identify the next steps, which will be considered after implementing the mitigation plans though the following questions: • Which security points should be reviewed? • How can senior managers support the initiative of security improvement? Future Internet 2019, 11, 195 8 of 21 • What are the plans for ongoing security evaluation activities? Management must continue to monitor the effectiveness of the entire ERMOCTAVE to verify that the program adequately addresses the relevant risks and facilitates achieving the cloud computing objectives. 4. Case Study with Microsoft Azure Cloud Selecting a good cloud vendor is an important step during the decision-making process of immigration to cloud computing. Instead of including the step in the proposed infrastructure, we propose two papers: Baldwin et al. recommended cloud computing environments that work as stable ecosystems for better risk management [23], and Martens and Teuteberg proposed a decision model that computes cost for each cloud source and property of a company who tries to adopt cloud computing. Baldwin et al. insisted that a cloud computing system evolves by overcoming attacks from outside and by adopting new concepts and technologies if the system is constructed as an ecosystem with interacting customers, software vendors, and a cloud platform. The feature of Martens and Teuteberg’s model is that it outputs costs as the decision background. Thus, it helps decision-making when selecting a cloud computing for immigration quite directly. We borrow a scenario where an organization adopts cloud computing from a Microsoft Azure manual [24]. Since Microsoft Azure takes 15.2\% market share in worldwide cloud infrastructure, it is a good choice with stable ecosystem especially for Microsoft Windows users [25]. The scenario involves a company who uses a web application called ’orders application’ to sell products over the Internet, quite common situation for small company to immigration toward cloud computing. As an Internet-focused organization, it has partnered with external companies that provide services such as transport and delivery. The transport partner merely needs to be advised when an order is made and may also advise the company when delivery to the customer has been done. Although the order is being used for the business interface, other on-premises applications are used for invoicing, supplier orders, planning management and more. However, this case study only deals with the order’s application and its integration with other systems, such as the main management and monitoring applications on-premises. The company adopts cloud computing to the web application using Microsoft Azure, which is used as a platform for new services and extended capabilities. The company aims to reduce on-premises office costs by exploiting new technologies such that the business offerings in the cloud. Although we are aware of the desire to keep the availability of existing applications to support an immense customer base, the company is willing to invest in the new services development and the change of existing services to enhance the profitability. This includes dealing ahead for concerns such as increased request for their services, offering better business information capabilities, enhancing application availability and performance, and dealing with complexity by, for example, adding external partners. In our scenario, some vital functions like management/operations applications and some databases are not located in the cloud but on premises. Separated transport partners perform transport and delivery functions. They may use cloud-based services by themselves, but this does not affect the company’s application design and implementation. Future Internet 2019, 11, 195 9 of 21 4.1. On-Premises Order Application In the original implementation, all applications ran on premises and data was stored in a local database server, as shown on Figure 1. The orders application was created as two separate components: the order’s application (the website and business logic) and the suite of management and reporting applications. transport partners orders application customers table products table audit log orders table reporting service monitoring and management application compliance application client transport partners Figure 1. Applications running on premises. Additionally, the order’s application would require the ability of scaling to accommodate the expected growth on demand and to change over time, while the management and reporting applications would not require scaling ability to anything like the same extent. 4.2. Azure Hybrid Application In the scenario, the company adopts an existing infrastructure into Azure hybrid cloud by migrating resources and applications to the cloud. Applications running across the cloud and on-premises use the Azure SQL platform in the same or different cloud data centers and resources on premises. Figure 2 shows the scenario architecture implemented for the hybrid application. In this figure, the orders application operates in much the same way as when it ran entirely on premises. Dashed undirected edges indicate control flows including small amount of data between entities. Dashed directed edges mean one way data flows especially for data replication. More details about the components and implementation of each part of the application are explained below. • Orders application: it is a web application that allows visitors …